Domain: cisco.com
Stories and comments across the archive that link to cisco.com.
Comments · 1,300
-
Re:Wrong Approach
right on! Get some real iron in there!
Most of the people posting here have no idea what volume of traffic you are looking at. Even more alarming is that you think your servers aren't worth more than 100$ of protection, you need to get a better perspective on the big picture.
I hate working with colleges, it is the worst environment technically and politically you can imagine. I really don't envy you on this one!
You should probably also look at the new Enterprise QoS guidelines in the SRND at http://www.cisco.com/go/srnd/ for information on scavenger class starvation of less than best effort traffic.
-
Re:Violation of My Privacy?
Having worked on very large networks, you can tap feeds where millions of emails go by per hour, do you really think anybody is going to take the time to track down your email? The key word in that quote is flows; if you are going to try and get anything useful out of high speed links, something like NetFlow is one of the best ways. Botnets are very easy to track this way as you are looking for lots of sources contacting a few destinations. There are not a lot of systems on the network that maintain tens of thousands of sustained connections from remote systems scattered around the globe. They would stand out for that reason; email, web etc... they are all connect, grab what you want, and disconnect. With most of the botnets the compromised hosts "idle" in the botnet channels either providing information from the compromised hosts or waiting for commands from the owners of the network.
-
Cisco best practices
You may find this PDF useful. Actually the whole site is quite useful.
I've been in a similar situation before. I never really found many ISP-specific resources. There are discussion boards that pertain to ISPs but mainly I used the resources that broke it down by specific service or task, i.e. spam filtering, virus prevention, network redundancy, security, bonus user services, administration ease, etc. An ISP has to encompass all of that and more, much more so than any other IT shop. Plus you have to do it on a budget and you have to not piss off the paying customers, all while attracting more paying customers. It's a challenging environment. Best of luck.
-
Re:I'll bite
This is one of the simpler intros to Multicast that I could find.
-
Workplace
Use Lotus workplace portal running on Websphere Portal Server. That's for the sharing workspace on handheld.
Also you would need VOIP and Video conferencing from CISCO or an implementing Partners.
-
Nothing like a Hardware-based load-balancer
So Slashdot uses an Arrowpoint Content Switch from circa 2000, but except with the name change to Cisco and some technology updates, the same basic lineup still makes Cisco's portfolio.
Some examples here. The examples are heavy on Corporate speak, but you were asking about a large Web/Content architecture, right?
-
Re:Question for an expert...
3) IOS doesn't have an execution environment with "open" interfaces like a desktop OS. Routers don't execute transport data or routing data. This means no script kiddies. There are of course other ways to crash a router.
I kinda wonder about this sometimes. As a for instance, here is an excellent example of how to write an SMTP client in the TCL shell included in recent IOS versions. Of course, getting the shell to start out with is left as an exercise to the reader, but routers operate more and more heavily on the data that passes through them and arrives at them. On a modern IOS router, you have a bunch of routing processes handling routing protocols, as you would expect, and then you've also got a telnet server, an ssh server, a couple of small tcp/udp services (if for who knows what reason you've decided to turn them on), snmp support, a web server with the capability of executing scripted code directly on the router... In short, there's a lot that's potentially exploitable there.
Of course, I completely agree with your basic assertion that the leak of the source code isn't a particularly big deal, from a security standpoint. The best evidence of this, for me, is the fact that I don't feel at all insecure with the linux-based routers I use, and (sarcasm) I understand the source code to linux got leaked quite a while ago. (/sarcasm)
-
SIPURA PURCHASED BY CISCO
First Linksys and now this! Cisco says; "All your VoIP base are belong to us!".
-
i wonder....
how long this will last now that Cisco bought Sipura.... cf: http://newsroom.cisco.com/dlls/2005/corp_042605.html?CMP=ILC-001
-
Re:They left out Vocera
Cisco has a case study on them also. Heterogeneous networks? woah.
;)
In your case study: "Cisco focused on larger cells and extending the RF signal around campus." And it goes on mentioning Cisco throughout the article.
Cisco provides the core switching and routing, the VoIP, etc.
Man that's the first time I've had to say RTFA/RTFM in ages.
-
Cisco recommends Qos
Qos can be used for setting NBAR policies for worm identification and policing
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801e120c.shtml
-
Re:No GigE support
PoE uses either the unused or the data pairs. PoE over GigE is supported. Cisco has a switch that supports both.
-
Without IP there would be no Internet
Without IP people would be free to use GPL code any way they want, without contributing back.
Without IP, nobody would be able to download the GPL code in the first place; they'd have to rely on tape drives or CD burners.
Or did you mean "copyright"? In that case, without copyright, people would be free to use executable computer programs any way they want, including contributing commented decompilations to the community.
-
Re:Who needs a GUI?
ah-eumh
... surely csco doesn't have a GUI on routers, switches (http://www.cisco.com/warp/public/473/61.html#createclusters), pix, call mngr express
-
Re:When
-
ever heard of multicast???
-
Re:Ma Bell has been doing this for years
-
Re:Layer 3 Switch?
Layer 2 and Layer 3 Switch Evolution - Volume 1, Issue 2, September 1998
Layer 3 switching is a relatively new term, which has been "extended" by numerous vendors to describe their products. For example, one school uses this term to describe fast IP routing via hardware, while another school uses it to describe Multi Protocol Over ATM (MPOA). For the purpose of this discussion, Layer 3 switches are superfast routers that do Layer 3 forwarding in hardware. In this article, we will mainly discuss Layer 3 switching in the context of fast IP routing, with a brief discussion of the other areas of application.
-
Re:You have no real alternative
The University where I work has introduced
1) Censorship of the Web, using Websense http://ww2.websense.com/global/en/.
2) Throttling bandwidth on network ports using Storm Control http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a9f.html
3) Filtering out spam using Ironmail http://www.ciphertrust.com/products/index.php
Each of these measures has had a negative impact on genuine study and research.
Our Computer Centre Director, who is in the invidious position of having to balance academic freedom against meeting JANET http://www.ja.net/ regulations, released this message which I reproduce here to show what Universities are dealing with.
-END OF QUOTE-
The introduction of restrictions is not something
that we have come to lightly. We certainly have
no desire to apply censorship to our users;
however, unlike Internet Service Providers,
we have somewhat more legal responsibility for
the material that is carried over or stored
within our network. In particular, the University
can be held 'vicariously liable' for a number
of offences relating to, for example, the
display or storage of pornography. Similarly,
material relating to religion or race that is
capable of offending is a potential threat, in
a legal sense, to the University. There are others.
On the matter of websites that just plainly offer
no business value to the University, we need to
strike the right balance between the various
interests. We have real concerns about the
capacity of our network and to compromise academic
and business activity on the network because we
are hosting a flood of dubious traffic does not
make good sense. However, under this specific
concern, clearly there may be scope for relaxing
restrictions outside the 'working day'.
-END OF QUOTE-
-
Re:It's called a hardware NAT router
Anatomy of NATs
NATs are not an answer. NATs are problems. The above is a detailed analysis of the good, the bad and the ugly of NATs. I recommend actually reading all of that article. -
No other way
-
Re:But Cisco has a huge Linux initiative underway
Not to mention the Cisco Unity Express (CME) voicemail blade that you can pop into a router. A few more Cisco products that have Linux support:
Aironet
VPN Concentrator Clients
Heh, Sourceforge has a thing to say about Cisco and Linux as well:
http://rpmfind.net/linux/RPM/Cisco_Linux.html
Best quote of all:
"It takes a company approximately one desktop administrator to support 40 Windows PCs, while one administrator can support between 200 and 400 Linux desktops." says Cisco IT Manager
This is from Feb 17th, 2005. -
Re:FiOS
You can actually get a faster upload than 2mbps I think, but I am not totally sure. Either way you get a T-1 for way less than the business cost.
You can definitely get uploads faster than 2mbps. I am one of the lucky ones in my area to have fiber and they use some Cisco equipment that is 100Mbps to each customer (assuming most of this bandwidth is for TV service). The great thing about this equipment, as noted in the press release, is that they can upgrade it fairly cheap (at least by Cisco standards I guess) to Gigabit Ethernet to each customer. My service is currently 10Mbps both ways. I actually have more like 12Mbps upload and 10Mbps download. The only problem with the service is they have a 40GB monthly cap, although they don't enforce it very strictly. The cap is kind of lame, but I guess if they didn't at least institute the policy, then a lot of people would heavily abuse it. Anyways, I hope more companies pop up doing stuff like this (other than the giants).
-
Re:The product is free; support isn't
This is exactly what my company does for VoIP, including Asterisk and SER. Our customers are mostly ISPs and companies replacing PBXs. It can be a tough sell at times, but getting easier as these products mature and more and more ISPs want to offer VoIP to their customers.
However, we still have quite a few customers who want something commercial, such as Cisco Call Manager.
-
Re:The 'bulk data' tag
I just had to do some research to find out what "bulk data" meant. So for all you other network engineers, here's what I'm assuming this change brings...
By bulk data they're setting the packets DiffServ, I presume according to RFC 2597. I still use good old IP Precedence rather than DiffServ, but after seeing RFC 2597 I have to say Assured Forwarding looks like a great standard for setting up DiffServ. Cisco has a decent article on DiffServ and QoS which has a great table showing off Assured Forwarding's model for traffic control.
The recommended setting for Bulk Data is AF11. "Excess" bulk data, that is bulk data beyond whatever thresholds you've configured, is set to AF12 or AF13. So class 1 data (bulk and excess bulk) gets a certain share of bandwidth, with the excess bulk more likely to get dropped in the event of congestion.
By volunteering to mark BitTorrent traffic as AF11, there's always a chance that more sites that block BitTorrent will be more likely to just QoS it into a happy corner.
I'll let you networking folks do your own searches for more information. I've been fortunate in my current workplace that congestion is rarely an issue--since we've never had much network congestion (100 Meg to the desktop, Gig to the closet, Gig links to our remote sites, Gig Internet pipe, 4 Gig core backbone) QoS hasn't been a priority. But I'm happy to see where DiffServ is going.
Sadly, I recently had to shut down BitTorrent at our site because of a few jerks downloading movies. IRC, P2P, BitTorrent... when 99% of their use is illegal, many times it's the Legal department and not IT that decides the course of action. -
Cisco's model
It would be nice if more people used Cisco's model for IOS (outlined here)
... -
Re:It depends on the salesman.
My experience with Cisco is that, whatever it may have been in the past, it is now a company on the way down.
What often happens is that the non-technical manager inherits a technically strong company, and the inertia carries him along until the company falls apart. That's apparently what happened to Apple under John Sculley, for example.
Certainly one could get the feeling that Cisco is falling apart. I was subscribed to a newsletter for some Cisco equipment, and Cisco would regularly send me poorly written email messages of more than 150,000 bytes.
Contacting Cisco technical assistance was a frustrating exercise in corporate politics. Cisco representatives would regularly talk to me using acronyms known only inside Cisco.
John Chambers, Cisco CEO, is certainly an example of a non-technical manager doing a poor job. He is presiding over his company while it seems to be rapidly on the way down.
If the past is any guide, when Cisco gets someone else, the business press, which apparently has no technically capable writers, will give some half-baked reason for the failure, and they will again run praising articles about another imperial CEO. -
You can't go wrong with Cisco
Jump on E-Bay and look for an 806, 831, or 1710.
The 806 is a dual Ethernet router that will do a good job with QoS. It handles Low Latency Queuing for VoIP (essentially priority queuing - whenever it sees a VoIP packet - or any other type you define as high priority - it places it at the head of the output queue). It also supports Committed Access Rate (CAR) for restricting traffic rates for traffic patterns that you define (e.g. by IP address, protocol, mac address, combinations of these). Class-based traffic shaping which smooths the output rate to specified bit rates. CAR polices, shaping controls the actual rate of transmission. It also supports a number of other congestion management features along with a good deal of Cisco's higher end features.
The 831 is similar to the 806, but includes a built-in hardware accelerator for encryption that enables 3DES at rates of 2 Mbps or more.
The 1710 includes all of the above, including the encryption module, and many more features for QoS and general router functionality.
All of the above support a stateful firewall, IDS signature matching, syslog, etc., etc.
If you like/need a web GUI, then the 831 or 1710 are the way to go. Be sure and download Cisco's SDM for greatly improved web-based configuration and management.
Data sheets for the above can be found in the following locations:
-
Re:Simplest way:
A Google search turned up this document that shows that the Cisco VPN client is capable of split tunneling.
The AskSlashdotter needs to RTFM.
-
Um....
-
Re:URI to the Rescue - Cisco Distributed Director
I'm sure there are many devices and technology that break the one ip to one dns name, heck even dns breaks that with round-robin addressing...
But as for hardware that can be used to serve two instances of a website, Cisco makes a product called Distributed Director.
From the product description:
Cisco DistributedDirector efficiently distributes Internet services among globally dispersed Internet server sites by leveraging the intelligence built into the Internet router-based infrastructure, standard Domain Name Services (DNS), and the Hypertext Transfer Protocol (HTTP). With DistributedDirector, customers can optimize server load distribution resulting in superior end-to-end server access performance.
I am only mildly familiar with Distributed Director, but it gives different IP answers to DNS queries based on some formulas, one of which can be which ever server farm is considered closer to the client.
In the case of this or a planned outage with DD you can take a site out of the active config (i.e. the down site). DD is for geographically disperse server farms.
Cisco also makes a product called Local Director (both of these may have been replaced with "Intelligent Director" in some part, IDK anymore). LD allows you to balance across web servers for example (in the same server farm).
Also as for a big caching system, most of the time I think the people that are serving something want to be the ones to serve it, directly. Reasons for not using your suggestion could include security, advertising revenue based on traffic stats, etc. -
Mini PCI was never intended for end users
Intel Technology Journal:
The PCI Express Mini Card specifically targets addressing system manufacturers' needs for build-to-order (BTO) and configure-to-order (CTO) applications rather than providing a general end-user-replaceable module. This form factor has characteristics more typical of an "embedded" application including the platform integration of the media interfaces such as communications connectors or wireless antennas.
Cisco MPI350 FAQ: The Cisco MPI350 cannot be sold as an aftermarket adapter because
Basically, these companies are using FCC regulations as an excuse for limiting Mini-PCI cards (not just on these particular laptop models, but all Mini-PCI cards in general) to OEM installation only. ... Regulatory certification is based on the MPI350 being coupled with a particular antenna. Although modular regulatory approvals are available, they only apply to the original equipment manufacturer (OEM), who is responsible for embedding similar antennas in different devices. Modular regulatory approval does not eliminate the restriction on aftermarket sales since the end user might embed the adapter in devices with unapproved antennas. -
Re:some thoughts
you are right.
I was going to explain duplex to you a little but Cisco saved me the trouble,
Ethernet Technologies
-
Re:Cisco websites already updated
missing link : Cisco Clean Access
-
Re:NAP is sick...
-
Re:How is this funny??
It might have something to do with Cisco's logo.
-
They will have to improve their products then...
Their PIX firewall is no competition to the other popular vendors. It lacks both the performance and features of Netscreen/Juniper and has a shoddy security record.
Their IDS is less sensitive than Snort and its VMS manager software is slow, hideously bloated and buggy.
For several years, Cisco have been promoting an insecure combination of IPSEC shared-secret with xauth. Despite being documented as dangerous on their own website, it was still the taught and recommended way of configuring "convenient" secure remote access VPNs. Only in the last six months have they fixed this.
Their NAC/self-deluding-network initiative is broken as proposed. All enforcement is performed in the wrong place: routers off in the edge of the network. Right now, there is no way to deploy NAC on a switch or even a MSFC.
Cisco need to stop their marketing droids from directing their product development and get back to competing on technology. -
Re:DSL
You might also want to check out Ebay for some Cisco LRE stuff. There was a video floating around where John Chambers was doing video conferencing with LRE over speaker wire, phone wire, barbed wire and a wire fence -- the really impressive part was that it was 2 or 3 times longer than the max recommended distance.
out.
-
Re:I use a Cisco Wi-Fi cellphone everyday
I believe that is correct. Though it's rather expensive, I've been very happy with the features and performance it has provided. I've used a 7960 at my desk for a while now and my cellphone shares the exact same profile. All my extensions, missed calls, received calls, voicemail, speed dials, etc are shared between the 2 no matter where I am in the township.
-
I use a Cisco Wi-Fi cellphone everyday
I work in IT for a large (35 sites) K-12 campus. We have Wi-Fi spanning most of the area and I use a Cisco 7920 to make/receive calls anywhere, internal and external.
Granted we're running Call Manager for this to work, but it's pretty sweet none the less. -
Re:You, sir, are an idiot.
See Sunsolve. The IEEE specs are open to various interpretations; this can lead to Gb interfaces going to 100/hdx or other dodgy configs. See also Cisco's website for their take. (Also see here.)
Cisco seem to recommend autonegotiation; Sun recommend forcing the speed/duplex.
We've had problems in the past with Sun's "ce" fibre cards and Cisco Catalyst switches. It's not that either implementation is "wrong", the specs simply are not specific enough.
Sorry, can't find the detail in the spec which causes the problem