ISP News for the week ending April 29th, 2022

Cloudflare blocks a 15rps DDoS attack.

Good news regarding the chip shortage.
“America’s ambitions to rebuild its semiconductor manufacturing industry took a step forward on Monday with the opening of a specialty chip fabrication plant in central New York.”

The United States joins 55 nations to set Internet rules

Will a re-brand of Frontier help its image?

New on California’s Net Neutrality Law
California’s net neutrality law is similar to the federal rules repealed under former FCC Chairman Ajit Pai. California prohibits ISPs from blocking or throttling lawful traffic. It also prohibits requiring fees from websites or online services to deliver or prioritize their traffic to consumers, bans paid data cap exemptions (so-called “zero-rating”), and says that ISPs may not attempt to evade net neutrality protections by slowing down traffic at network interconnection points.

Mikrotik releases 7.3Beta37
*) bonding – fixed LACP flapping for RB5009 and CCR2004-16G-2S+ devices;
*) bridge – fixed packet marking for IP/IPv6 firewall;
*) dot1x – improved server stability when using re-authentication;
*) fetch – improved full disk detection;
*) gps – fixed minor value unit typo;
*) l3hw – improved offloading for directly connected hosts on CRS305, CRS326-24G-2S+, CRS328, CRS318, CRS310;
*) led – fixed QSFP+, QSFP28 activity LEDs when using 40Gbps modules (introduced in v7.3beta33);
*) lte – disabled wait for LTE auto attach;
*) mpls – fixed MPLS MTU and path MTU selection;
*) ovpn – fixed hardware offloading support on CHR;
*) ovpn – improved Windows client disconnect procedure in UDP mode;
*) ovpn – moved authentication failure messages to “info” logging level;
*) ppp – added warning when using prefix length other than /64 for router advertisement;
*) ppp – fixed “remote-ipv6-prefix” parameter unsetting;
*) ppp – fixed issue with multiple active sessions when “only-one” is enabled;
*) routerboot – properly reset system configuration when protected bootloader is enabled and reset button used;
*) rsvp-te – improved stability when “Resv” received for non-existing session;
*) sfp – improved QSFP/SFP interface initialization for 98DXxxxx switches;
*) switch – fixed missing stats from traffic-monitor for 98DXxxxx and 98PX1012 switches;
*) system – fixed RouterOS bootup when wifiwave2 package is installed (introduced in v7.3beta34);
*) system – fixed rare partial loss of RouterOS configuration after package upgrade/downgrade/install/uninstall;
*) user-manager – improved stability when received EAP attribute with non-existing state attribute;
*) vpls – fixed “pw-l2mtu” parameter usage;

RouterOS 7 goes RC

What’s new in 7.1rc1 (2021-Aug-19 13:06):

!) added support for IPv6 NAT (CLI only);
!) added support for L2TPv3 (CLI only);
*) added “expired” user status with suggestion to change password (WinBox v3.29 required);
*) added bridge HW offload support for vlan-filtering on RTL8367 switch chip (RB4011, RB1100AHx4);
*) added password strength requirement settings;
*) added skin support for WinBox (WinBox v3.29 required);
*) fixed support for RIP (Routing Information Protocol);
*) improved general stability and performance;
*) other minor fixes and improvements;

Mikrotik adds btest.exe back

If you are looking for a way to bandwidth test from a PC through to a Mikrotik, here is your solution.

It supports RouterOS version 6.43 and newer. Advice from Mikrotik:
Please remember that Bandwidth Test uses a lot of resources. If you want to test real throughput of a router, you should run Bandwidth Test through the tested router not from or to it. To do this you need at least 3 devices connected in chain: the Bandwidth Test server, the router being tested and the Bandwidth Test client.

Mikrotik 7.1beta4 is out

What’s new in 7.1beta4 (2021-Feb-03 09:39):

*) api – added support for REST API;
*) crs3xx – fixed Layer3 hardware offloading;
*) route – routing rules improvements;
*) winbox – added support for wifiwave2;
*) winbox – updated User Manager, OSPF and BGP menus;
*) wifiwave2 – authentication and functionality improvements;
*) other fixes and improvements;

Using Splunk to monitor literally everything on Mikrotik

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.

Mikrotik Connection tracking and CPU usage

Mikrotik RouterOS and CPU usage

There is always a lot of talk about Mikrotik RouterOS CPU usage. I wanted to take a few minutes to go over a real-world example and explain some of the ins and outs of Mikrotik CPU usage.

Let’s talk about the router in question. This is a CCR1016-12S-1S+, a tile-based router with 16 cores at 1.2GHz each and 2GB of RAM. It is currently pulling in 1,764,849 IPv4 routes. There are two transit provider BGP feeds, multiple direct peers, and an Internet Exchange peering with dual route servers. The router handles a little over 3 gigs of routed traffic at peak times. Most of the traffic is on VLANs coming from a Cisco switch to the SFP+ port.

One of the first things people turn on is the overall CPU usage within WinBox. I like to think of this as an overall view of the CPUs on this router. Keep in mind there are 16.

The next thing to investigate when it comes to CPU is to open System > Resources. Once there, click on CPU.

[Image: Mikrotik System > Resources]

It will then bring up a screen that looks like the following.

Oh my, we have 100% CPU! Must replace this router ASAP! Calm down and remember you have 16 cores. So why is this CPU at 100%, and what ramifications does this have?

Remember earlier when we talked about BGP? In Mikrotik, BGP is not a multi-core aware process. This means BGP is limited to just one core to do its work. Since routes are always being withdrawn and re-added to the routing table, it is a busy process with lots of calculations going on. The key thing is that this is expected behavior on a router running multiple BGP peers such as this one. This is not a bad thing, but it is not ideal. Throwing more cores at BGP is not the answer. Optimizing the process, as has been done in v7, is the way to go.

If we expand the CPU window, we will notice that other processes are multi-core aware and/or are spreading their load among different cores.

As you can see, we are in pretty good shape. We have a few CPUs above 50% utilization, but only a few. I will keep reminding you of the fact that we have 16 of them.

Closing notes:
Diagnosing CPU issues can get a little complicated because some routers, like the 3011, have the majority of their ports sharing a single bus to the CPU. As you can tell in the diagram, there are 5 ports which share 1 Gig to the CPU. The fact that an actual switch chip with hardware offloading is in the middle helps, but the bus is still oversold. This is one reason consolidating routers to an actual switch will make a difference.

Janis Megis from Mikrotik gave a presentation at MUM which, though a little older now, still sheds a lot of light on how the Mikrotik CPU works. There is some pretty interesting stuff starting on page 14.

With Mikrotik switching to ARM processors, we will see huge differences with them and RouterOS 7. We will see fewer cores, but better utilization of those cores. The new 2004, with all SFP ports and 2 25 gig ports, has only 4 CPUs.

So the next time you look at a router, take a few moments to see how utilized the entire CPU architecture is instead of just one CPU.

#packetsdownrange #mikrotik