This presentation by Janis has a lot of detailed info about the current status of routing functions in v6 and the best way to fully utilise the performance of them; also what will be changed in v7! Thought you might all find it useful: http://mum.mikrotik.com/presentations/RU14/megis.pdf Cheers, Andrew Cox
Hi Andrew, Thanks for the headsup - does it include some discussion about updating large BGP tables? I understand that BGP updates use a single CPU core, and if there are lots of updates, it pegs that core at 100% pretty much constantly! ;-) I'll try to find a few moments to take a look at the recording - in the meantime, any chance of an executive summary? :-} (i.e. what are the one or two major points to your interest?) Cheers!
The slides actually condense down a lot of the major points and yes there's slides dedicated to the discussion on BGP (more info below). Couple of important ones I got from it:

Reducing Average number of rules that packet need to pass before it is captured can significantly improve your firewall performance
● Make use of action=jump
● New Mangle Actions “snif-tzsp”, ”snif-pc” to send packet stream to remote sniffer.

Layer-7 should be used only on traffic that can't be identified any different way
● Layer-7 should be used only as trigger - use connection-mark or address-list to keep track of related packets or connections
● Do not use direct action (like accept, drop) in Layer-7 rule

All dynamic routing protocols in RouterOS v6.x are limited to a single core.
- One BGP full feed will take 1-3min to load on CCR
- Two BGP full feeds will take 6min to load on CCR

All routing protocols will be updated to multi-core for RouterOS v7

- Andrew
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Thanks! Legend! :-D It seems to be mostly an excerpt from one (or more) of the official training program curriculum. Here's an interesting question for everyone: Even though we all know, in theory, how to make a firewall table most efficient (e.g. match tcp-new packets, mark the stream, and then process against the marks) hands up who has a 'perfect firewall rule table' on a production system that has been in service for more than 2 years? ;-) NOT ME! :-} Cheers, Mike.
To be fair I haven't had the capacity passing through a CCR to warrant revision (CPU hitting 20% with 400Mbps) but it's something I personally plan on addressing for my QoS trees in due course :-)

-Andrew
Heheh, That's a thought: if sloppy firewall rules cause us trouble with our 1100AHx2, throw a CCR at them - thad'll do it! :-D Cheers!
I'll have to pike up on that one Mike, I only ever follow the mark connection, mark packet rules, all the time, every time. I have seen lots of examples of people just marking packets; when trying to get VoIP traffic as streamlined as I could I committed to following those rules and it definitely makes a difference. Something Andrew mentioned in the summary of that presentation about reducing the number of rules is also something I have followed closely for some time: I mark the connection, mark the packet straight after, and am very careful about the order the rules are in as well. Keep in mind though, I am a bit anally retentive like that :-)

Regards
Paul
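Added example, not taken from the thread or from the presentation: a RouterOS v6 mangle layout that combines the points discussed above (mark the connection, mark the packet straight after, use action=jump to shorten the path, and use Layer-7 only as a trigger). The chain name, mark names, ports, regexp and the final filter policy are assumptions chosen for illustration.

```routeros
# Added example for RouterOS v6. All names, ports and the regexp are
# assumptions for illustration, not values from the thread.

/ip firewall layer7-protocol
# Constructed pattern; it is evaluated only for connections that are
# still unclassified, never for every packet of every connection.
add name=example-app regexp="^example-handshake"

/ip firewall mangle
# 1. Packets of already classified connections match one cheap rule
#    and leave the table (passthrough=no).
add chain=prerouting connection-mark=voip-conn action=mark-packet \
    new-packet-mark=voip-pkt passthrough=no
add chain=prerouting connection-mark=app-conn action=mark-packet \
    new-packet-mark=app-pkt passthrough=no

# 2. Only traffic without a connection mark enters the classifier chain.
add chain=prerouting connection-mark=no-mark action=jump \
    jump-target=classify

# 3. Classifier, cheap matchers first: mark the connection, then mark
#    the packet straight after.
add chain=classify protocol=udp dst-port=5060,10000-20000 \
    action=mark-connection new-connection-mark=voip-conn passthrough=yes
add chain=classify connection-mark=voip-conn action=mark-packet \
    new-packet-mark=voip-pkt passthrough=no

# 4. Layer-7 last and as a trigger only: it sets a connection mark and
#    takes no direct accept/drop action.
add chain=classify protocol=tcp layer7-protocol=example-app \
    action=mark-connection new-connection-mark=app-conn passthrough=yes
add chain=classify connection-mark=app-conn action=mark-packet \
    new-packet-mark=app-pkt passthrough=no

/ip firewall filter
# 5. Policy is applied against the mark in a separate rule
#    (assumed policy: block the Layer-7 identified application).
add chain=forward connection-mark=app-conn action=drop
```

The per-rule packet counters shown by `/ip firewall mangle print stats` indicate whether most traffic is leaving at step 1 rather than reaching the classifier chain.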
participants (3): Andrew Cox, Mike Everest, Paul Julian