

Cloud Platform - Page 2

Comments

  • DETio Member

    I recommend using OpenNebula for private cloud as it really is easy to set up, and a very efficient cloud platform that is absolutely mouth-watering to use.

  • Maounique Host Rep, Veteran

    CloudStack is compatible with HostBill in theory. However, in practice, they fix bugs in 3 months or more.

    We are running CloudStack now with some 50 big servers in 4 locations; however, you need not only a good router, but also a good switch for all those VLANs if you plan to offer the full cloud with virtual router. Without the virtual router for customers, the load balancer won't work.
    Oh, and make sure all virtual routers in a location are on the same node, otherwise, in case of power failure and nodes being powered up, the instance will start before the router and hell breaks loose.
    I think CloudStack is easier to maintain than OpenStack, especially if you have a few big customers, rather than many small ones.

  • randvegeta said: minimum of $50/hour. Preferably $100+.

    Still too low.

  • @willie said:

    randvegeta said: minimum of $50/hour. Preferably $100+.

    Still too low.

    I actually received all the consultation I needed from a Telia Cisco engineer today for free. I'm going to use the weekend to read up on exactly how to set everything up and hopefully by Monday I have more news. I'm going to focus more on the network setup for now, and in a few weeks, once my ASN comes and all my uplinks are up, I'll focus on the hardware and server software.

  • Clouvider Member, Patron Provider
    edited March 2017

    @randvegeta if he has 10G pipes they won't be clogged, they will deliver 10G each to the box perfectly fine as this will likely be billed on 95% with wire rate burst.

    Router is not an investment for a year. If you buy it reasonably you can get away with using the same one, with some minor upgrades, for many years. It's better to do stuff right straight away. No one asks him to buy MX960.

  • randvegeta Member, Host Rep

    Clouvider said: if he has 10G pipes they won't be clogged, they will deliver 10G each

    How do you ensure that traffic will be evenly distributed? As far as I am aware, there is no way to do this. And I have had some hellish nightmares with some ISPs related to this problem.

    If you have a 10G pipe with HE.net for example, and a 20G attack, if HE.net is the preferred route, it will be clogged. You can imagine if the attack is coming from another location that also has transit with HE.net, it won't go through Cogent or other routes. Of course in real life, it is probable a lot of the attack will be distributed between upstreams, especially if you are using the likes of Cogent and HE.net. But in HK, if you buy transit from PCCW and HE.net, 99% of Asia-based traffic will flow through PCCW, and not HE.net.

    Buying a bus is also an 'investment'. Again, I just think that for a newbie, money is better spent on other things. You can setup a new router to replace an old one at any time with minimal effort and hardly any additional cost. No point in making an 'investment' if there is no appreciable return. If the business fails, then good luck trying to recoup your investment (it's a lot of time and effort, and you won't get back what you paid).

    Clouvider said: It's better to do stuff right straight away

    It's all relative. For me redundancy is more important, and suggesting to buy 1 router is like suggesting someone set up a server with 1 HDD. I've had both Juniper and Cisco routers fail on me (to great surprise), so if you want to really do things right, double the cost so you can buy 2 of everything, and make sure it's all redundant. Router failure is not fun. At the time I had no backup router (too expensive) and in order to get back up and running as quickly as possible, I set up a Vyatta router and that works well enough for a few gig.

    It all depends on what the OP's expectations are. Is he going to push less than 1G on average or will he need the burst capacity? Is a DDoS attack likely? And if so, how much better can a $20k router handle it than a SW router? Again, I do not doubt that a proper hardware router can do a better job. But if you aren't going to use the capacity or functionality of the router, why not postpone the purchase until needed?

  • randvegeta Member, Host Rep

    willie said: Still too low.

    I don't know. $100/hr for a consult seems reasonable. $50 is cheap, sure, but I did say 'minimum'. I am assuming this would be for mostly 'online' consult. For in-person consult, then you prob need a fair bit more than $100.

    Thanked by 1: NanoG6
  • Clouvider Member, Patron Provider

    @randvegeta of course there's no ideal option; you can manage inbound with more specifics to limit the damage, you can also inject RTBH, but what's the point in this when your router kernel panics due to a high number of interrupts before? Or if you can't log in to it because the control plane is not separated?

  • willie Member
    edited March 2017

    randvegeta said:

    I don't know. $100/hr for a consult seems reasonable. $50 is cheap, sure, but I did say 'minimum'. I am assuming this would be for mostly 'online' consult. For in-person consult, then you prob need a fair bit more than $100.

    I know a guy who charges $200/hour by phone and IRC consultation and the place I used to work at paid him that amount. He also came for a few days in person at iirc $2000/day. This was not for cloud platforms; it was for something unrelated. But I get the impression this cloud stuff costs even more because of the amount of companies clamoring for it, and the shortage of people with any experience.

    My own consulting experience is that you can charge a day rate that works out to about 2x what your base salary would be if you were doing the same thing as a full-timer for a company, up to a few weeks, after which some discounting happens (1.6x in my case). I've had some long lasting assignments like that. For hourly these days I'd try to charge 3x or 4x, though I can't say for sure if I'd get any takers.

  • randvegeta Member, Host Rep

    Clouvider said: but what's the point in this when your router kernel panics due to high number of interrupts before

    Ahh, but that would only happen if there is a DDoS attack. Which is probably not going to happen too often.

    And if there is a DDoS attack, then it would need to be significantly less than 30Gbit too. If it's 30Gbit or more, then the network will still be practically inaccessible.

    And there are cheaper and more effective ways to combat DDoS. A subscription with any DDoS mitigation provider will take care of it. We've seen and fended off attacks as large as 200Gbit. Thanks to the mitigation, our router barely saw an increase in traffic at all so there was no load or strain.

    Of course, I am thinking very much from the perspective of small providers and small networks. In HK, 10G network connections are fairly rare given they cost a small fortune. So investing in 10G routers seems like a waste of money if you are only ever going to be pushing a few hundred meg. And if you get DDoSed in Asia, just null-route. No protection out here!

  • Clouvider Member, Patron Provider

    You can't null route, nor route through mitigation if your router is already not responding.

    And DDoS is one of many use cases.

  • ScammerProut Member
    edited March 2017

    @Clouvider said:
    You can't null route, nor route through mitigation if your router is already not responding.

    And DDoS is one of many use cases.

    For now I ended up picking up 2 ASR 1002 routers for $1,400 each off eBay. I decided to get 2 for redundancy; of course as my network gets bigger and more clients come in I'll have to upgrade, but for now I think these two will suffice. Once I get the network edge set up and get all the equipment needed for that, I'll move onto the cloud setup. I'm still a few months out considering I still need to win the /22 auction and apply for my ASN once I have IP space.

    I'm gaining a lot of knowledge from you guys talking among yourselves so I appreciate it.

    What do you suppose I do for DDoS protection? I want to at least offer some sort of protection/mitigation.

    I feel that if I plan the whole network situation out now it will save me problems in the long run. I can't really afford top-line equipment like 22k routers and stuff like that, but I want to have equipment that will last and perform, you know what I mean?

  • Clouvider Member, Patron Provider

    I think it's a good choice to start with. Remember though that the route table continues to grow, and this model can take up to 1M routes (full table around 610k now), so you'll need to change it in a couple of years likely. Meanwhile it should serve you well :-).

    You can use either some automated detection with blackholing, or get some mitigation session with a DDoS mitigation provider, or a combination of both. Mitigation in-house is pretty expensive to do.

    Hope it helps! Good luck!

  • @Clouvider said:
    I think it's a good choice to start with. Remember though that the route table continues to grow, and this model can take up to 1M routes (full table around 610k now), so you'll need to change it in a couple of years likely. Meanwhile it should serve you well :-).

    You can use either some automated detection with blackholing, or get some mitigation session with a DDoS mitigation provider, or a combination of both. Mitigation in-house is pretty expensive to do.

    Hope it helps! Good luck!

    I'd rather keep everything in-house. For the blackholing effect, would I need hardware or software for that method? The reason being, I don't want to pay someone else for what I can probably build and manage myself within a data center, or be paying MRC charges to another company when that can be money saved on my end.

    If it's hardware I can get the hardware and hire someone locally to come show me the ropes on connecting and setting up everything so when the times comes for a fix I can be up to date on the process.

    I'll take some time and google that and see where that leads me in the meantime.

    So I currently have:

    2x ASR 1002 routers
    2x Cisco 3560G switches
    2x 1G uplinks, burst to 10G, in the setup phase, about 30 days out.
    1x 10G uplink with HE.net, also in the setup phase, about 30 days out.
    4x E5-2620v2 machines with 4x 4TB HDD and 128GB RAM with 256GB SSD in each.
    /22 IP subnet in auction, hopefully I win.

    I would assume I'd need some better switches and a firewall and some sort of OOB manager. I'm going to be using Ubersmith for the manager and possibly OpenStack or CloudStack for the cloud manager, which is still in the thought process.

    I guess my next question is what else do I need?

  • Clouvider Member, Patron Provider

    You'd need a scrubber like Arbor or A10 Networks TPS, but you wouldn't be able to confidently mitigate anything above 10G so ideally you should still have a session with a mitigation provider, even if you'd use it as a last resort. Bear in mind the kit I mentioned above costs in excess of 200k.

    Blackholing is simple, you need something that will count your packets and upon triggering the threshold injects a route with blackhole communities of your upstreams.

    Good luck :)

    Thanked by 2: ScammerProut, marrco
  • Maounique Host Rep, Veteran

    To mitigate reasonably well, you not only need very good processing power and hardware, but you need a lot of traffic capacity too; 500 Gbps+ is a start, with the right gear, but it is extremely expensive, and since other people have very cheap or free such mitigation, it won't work to sell it.
    I suggest you stay away from the game servers and hate speech world; DDoS is not fun for the people who have to keep a business up and who will actually pay for everything.
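    Clouvider's description of blackholing (count packets per destination, and once a threshold trips, inject a route tagged with each upstream's blackhole community) is the core of a remote-triggered blackhole (RTBH) trigger. The following is an added example and not code from the thread or from any vendor product: it consumes constructed per-window flow counts, ignores destinations outside the operator's own prefixes, announces a /32 toward a discard next-hop once the packet rate crosses the threshold, and withdraws it only after the host has been quiet for a hold-down of several windows so a bursty flood does not make the route flap. The prefixes, the communities `65001:666` / `65002:666`, the next-hop `192.0.2.1` and the flow sample are all placeholders; the output lines follow the ExaBGP text API shape (`announce route ... next-hop ... community [...]`), which is the usual way to hand such routes to a real BGP speaker.

```python
from collections import defaultdict
import ipaddress

# Placeholder blackhole communities: real values come from each upstream's published BGP policy.
BLACKHOLE_COMMUNITIES = {"upstream_a": "65001:666", "upstream_b": "65002:666"}
# Next hop the edge points at a discard interface (placeholder address from RFC 5737 space).
DISCARD_NEXT_HOP = "192.0.2.1"

# Constructed sample for one collection window: (destination IP, packets seen in the window).
SAMPLE_WINDOW = [
    ("203.0.113.10", 4_000_000),  # customer host under a flood
    ("203.0.113.11", 1_200),
    ("203.0.113.12", 800),
    ("203.0.113.10", 3_500_000),  # more of the same flood from a second exporter
    ("198.51.100.5", 50_000),     # busy host, below the threshold
    ("8.8.8.8", 9_000_000),       # not our address space: must be ignored
]


class BlackholeTrigger:
    """Counts packets per destination host and emits ExaBGP-style API lines."""

    def __init__(self, our_prefixes, pps_threshold, window_seconds=60, hold_windows=2):
        self.our_prefixes = [ipaddress.ip_network(p) for p in our_prefixes]
        self.pps_threshold = pps_threshold
        self.window_seconds = window_seconds
        self.hold_windows = hold_windows   # quiet windows required before a withdraw
        self.counts = defaultdict(int)     # packets per destination in the current window
        self.blackholed = {}               # destination -> consecutive quiet windows

    def observe(self, dst_ip, packets):
        """Accumulate a flow record, dropping anything not destined to our own prefixes."""
        addr = ipaddress.ip_address(dst_ip)
        if any(addr in net for net in self.our_prefixes):
            self.counts[str(addr)] += packets

    def rate(self, dst):
        """Average packets per second for one destination over the current window."""
        return self.counts.get(dst, 0) / self.window_seconds

    def evaluate(self):
        """Close the window: announce new blackholes, withdraw stale ones, reset counters."""
        lines = []
        communities = " ".join(BLACKHOLE_COMMUNITIES.values())
        # Announce any host over threshold that is not already blackholed.
        for dst in sorted(self.counts):
            if self.rate(dst) >= self.pps_threshold and dst not in self.blackholed:
                self.blackholed[dst] = 0
                lines.append(
                    f"announce route {dst}/32 next-hop {DISCARD_NEXT_HOP} community [{communities}]"
                )
        # Withdraw once a host has stayed under threshold for hold_windows consecutive windows.
        for dst in list(self.blackholed):
            if self.rate(dst) >= self.pps_threshold:
                self.blackholed[dst] = 0          # still flooding: reset the hold-down
            else:
                self.blackholed[dst] += 1
                if self.blackholed[dst] >= self.hold_windows:
                    del self.blackholed[dst]
                    lines.append(f"withdraw route {dst}/32 next-hop {DISCARD_NEXT_HOP}")
        self.counts.clear()
        return lines


def run_window(trigger, flows):
    """Feed one window of flow records to the trigger and return the BGP API lines it produced."""
    for dst, packets in flows:
        trigger.observe(dst, packets)
    return trigger.evaluate()


if __name__ == "__main__":
    trigger = BlackholeTrigger(["203.0.113.0/24", "198.51.100.0/24"], pps_threshold=100_000)
    for window in (SAMPLE_WINDOW, [], []):
        for line in run_window(trigger, window):
            print(line)
```

    In practice the packet counts would come from sampled NetFlow/sFlow on the edge routers, the threshold would be set per customer or per prefix rather than globally, and the withdraw hold-down is what keeps the /32 from being re-announced every time a flood pauses for a few seconds.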

  • @Clouvider said:
    Blackholing is simple, you need something that will count your packets and upon triggering the threshold injects a route with blackhole communities of your upstreams.

    What hardware/software would be associated with this? This sounds like the basics of what I need, nothing major.