Cable vs. T1? The ultimate question.

Zoomer

Ok, IT gurus I need your help again. I'm skeptical about switching over to Cable for our internet connection. It was suggested that we go with Comcast cable in order to increase our download speed. Here's a quote from another topic, but was never answered correctly.

"Given the state of "faster" broadband technologies (5 Mbps to 9 Mbps Cable) and Broadband "Business Services" catering to true business needs, etc., why would one decide to look for leased T1 connections versus, say, a business-class Cable connection? I'm looking for a pro/con list and a discussion over whether broadband can actually be considered a point-for-point replacement for a T1 in the business arena. I'm not seeing how the traditional T1 route can justify its costs any more. Maybe someone with a little more longevity in this industry or more WAN connectivity experience than I can weigh in on this.

Example: A medium-sized business needing true 24/7/365 connectivity, prividing online content to nation-wide customers. In a situation like this, things like uptime SLA's, static IP's, (possibly) hosted DNS servers, Cisco router/PIX connectivity and compatibility, etc. become true issues. Typically, a business like this might opt for the standard 1.544 Mbps T1 with a failover connection to a (gasp) ISDN 128k or something of that ilk. But why not go with redundant Cable connections now?

Other Issues:
Price?
Reliability?
Gauranteed throughput?
Multiple public IP addresses?
Customer Support turnaround times?
Supported WAN protocols?
Single points of failure?"

Now I've almost never had any problem with our T1 line which has been here for the past 7 years and worked perfectly. Any internet outages were on our part and aside from occasional lag (again on our part) our average bandwidth (SNMP installed and monitored on our router) is around 50k with spikes around 150k a second once or twice a day when someone is downloading from us. I found from Comcast they claim their connection is digital (one line, I'm guessing symmetrical Full duplex? no representative could give me a straight answer on that) no VOIP, shared connection depending on usage in our area, guarantee 8 down and 1 up. With their "powerboost" 16 down and 2 up (not guaranteed).

We're eventually looking to switch to VOIP as well as hosting our own email, we have FTP servers, and video conferencing. I've been recommended bonded T1's by at least 2 other friends who are network admins at other companies (much larger though). So, any suggestions or articles I can look to for advice? Thanks again everyone!

RTmarc

I would NOT use cable as my primary internet connection unless it was a branch office; even then I would opt for DSL. The problem with cable is that it is not a guaranteed speed; it is Best Effort. Even though you pay for 7Mbps you may only get 75% of that or less. Very seldom will you get everything you pay for. Remember, you are having to compete with everyone else in the area that uses cable for bandwidth.

Personally, I'd look at putting in a MetroE fiber connection if it is available. We put in a 20Mbps Metro a little over a month ago and it cost the same was what we were paying for our T1 connection but there was a decent amount of up-front costs associated with preparing the router and other assorted items.

EDIT: We do use cable at our primary location as a backup for our fiber but the chances of that ever needing to be used are very slim to none.

Netstudent

RTmarc wrote:

I would NOT use cable as my primary internet connection unless it was a branch office; even then I would opt for DSL. The problem with cable is that it is not a guaranteed speed; it is Best Effort. Even though you pay for 7Mbps you may only get 75% of that or less. Very seldom will you get everything you pay for. Remember, you are having to compete with everyone else in the area that uses cable for bandwidth.

Personally, I'd look at putting in a MetroE fiber connection if it is available. We put in a 20Mbps Metro a little over a month ago and it cost the same was what we were paying for our T1 connection but there was a decent amount of up-front costs associated with preparing the router and other assorted items.

EDIT: We do use cable at our primary location as a backup for our fiber but the chances of that ever needing to be used are very slim to none.

I agree and couldn't have written it better myself. We are about to switch over the Paetec's Ethernet loop service. Which is basically MetroE over Fiber, to a sonet ring. It's guaranteed, and the burstable service in the SLA is awesome.

We have a 15meg DS3 and after switching to a 20Mb/s ethernet loop, we will save 50%. With more BW and higher burstable options.

vCole

T1 used in our corporate office and DSL is used in our regional offices as well as job sites..

It all depends on the size of the office. T1 is used here, where the most employees are staffed. Regional are much smaller, so they get DSL. But never, ever use cable. There's no guarantee of speed.

JDMurray

Zoomer wrote:

Other Issues:
Price?
Reliability?
Gauranteed throughput?
Multiple public IP addresses?
Customer Support turnaround times?
Supported WAN protocols?
Single points of failure?"[/i]

How about putting Security? on that list!

Cable is a shared medium between your demarc and the cable company. Any other cable subscribers on your segment can sniff everyone else's traffic. DSL and T-carrier service gives you a private, Permanent Virtual Circuit between yourself and your Central Office. After the CO your security will be encryption, PKI, and VPN technology. If you want more bandwidth, look at the DSL and fractional T-3 offerings from the Telco in your area.

RTmarc

JDMurray wrote:

Zoomer wrote:

Other Issues:
Price?
Reliability?
Gauranteed throughput?
Multiple public IP addresses?
Customer Support turnaround times?
Supported WAN protocols?
Single points of failure?"[/i]

How about putting Security? on that list!

Cable is a shared medium between your demarc and the cable company. Any other cable subscribers on your segment can sniff everyone else's traffic. DSL and T-carrier service gives you a private, Permanent Virtual Circuit between yourself and your Central Office. After the CO your security will be encryption, PKI, and VPN technology. If you want more bandwidth, look at the DSL and fractional T-3 offerings from the Telco in your area.

I agree with the security aspect but I don't know if it is still valid. According to a cable tech I spoke with a few weeks back, this has been resolved. From what he was telling me - and I took it with a massive grain of salt - most cable companies now use a VPN to tunnel traffic from your router to their CO now. I had a lot of questions left unanswered after our brief discussion but he kinda sounded like he might be in a position to know the what for and how. That being said, the point is moot. I think we all agree, cable is not the way to go.

liven

RTmarc wrote:

JDMurray wrote:

Zoomer wrote:

Other Issues:
Price?
Reliability?
Gauranteed throughput?
Multiple public IP addresses?
Customer Support turnaround times?
Supported WAN protocols?
Single points of failure?"[/i]

How about putting Security? on that list!

Cable is a shared medium between your demarc and the cable company. Any other cable subscribers on your segment can sniff everyone else's traffic. DSL and T-carrier service gives you a private, Permanent Virtual Circuit between yourself and your Central Office. After the CO your security will be encryption, PKI, and VPN technology. If you want more bandwidth, look at the DSL and fractional T-3 offerings from the Telco in your area.

I agree with the security aspect but I don't know if it is still valid. According to a cable tech I spoke with a few weeks back, this has been resolved. From what he was telling me - and I took it with a massive grain of salt - most cable companies now use a VPN to tunnel traffic from your router to their CO now. I had a lot of questions left unanswered after our brief discussion but he kinda sounded like he might be in a position to know the what for and how. That being said, the point is moot. I think we all agree, cable is not the way to go.

I guess this is possible, but seems unlikely. Most companies have to add a decent amount of extra gear to get VPNs to work correctly. Plus it adds overhead to a network that doesn't need it. Perhaps they are speaking of business grade carriers, not the average end users.

Please understand I am not trying to argue with you, just seems unlikely to me.

RTmarc

liven wrote:

RTmarc wrote:

JDMurray wrote:

Zoomer wrote:

Other Issues:
Price?
Reliability?
Gauranteed throughput?
Multiple public IP addresses?
Customer Support turnaround times?
Supported WAN protocols?
Single points of failure?"[/i]

How about putting Security? on that list!

Cable is a shared medium between your demarc and the cable company. Any other cable subscribers on your segment can sniff everyone else's traffic. DSL and T-carrier service gives you a private, Permanent Virtual Circuit between yourself and your Central Office. After the CO your security will be encryption, PKI, and VPN technology. If you want more bandwidth, look at the DSL and fractional T-3 offerings from the Telco in your area.

I agree with the security aspect but I don't know if it is still valid. According to a cable tech I spoke with a few weeks back, this has been resolved. From what he was telling me - and I took it with a massive grain of salt - most cable companies now use a VPN to tunnel traffic from your router to their CO now. I had a lot of questions left unanswered after our brief discussion but he kinda sounded like he might be in a position to know the what for and how. That being said, the point is moot. I think we all agree, cable is not the way to go.

I guess this is possible, but seems unlikely. Most companies have to add a decent amount of extra gear to get VPNs to work correctly. Plus it adds overhead to a network that doesn't need it. Perhaps they are speaking of business grade carriers, not the average end users.

Please understand I am not trying to argue with you, just seems unlikely to me.

I, no, I totally caught your meaning and agree. I was simply relaying what was told to me. As I mentioned earlier, the tech I spoke with seemed knowledgeable in what he was saying and the fact that his company will not allow customers (business or consumer) access to the routers (ISP managed routers) tends to add a little credence. We drifted to this conversation after I began asking him how I would access the router to make specific changes to it for our environment. I was basically told that I would have to forward those changes over to the ISP for them to make even if it was as simple as port forwarding or adding a route and that lead into the security conversation of cable. Like I said, I took it with a grain of salt but what the guy was saying was plausible.

As it turns out, I have the same ISP for my cable connection at home and was told the same thing regarding the managed routers - minus the VPN conversation. So, if the VPN connection is true - and that's a big IF - it looks like they apply it to businesses and consumers alike.

liven

RTmarc wrote:

liven wrote:

RTmarc wrote:

JDMurray wrote:

Zoomer wrote:

Other Issues:
Price?
Reliability?
Gauranteed throughput?
Multiple public IP addresses?
Customer Support turnaround times?
Supported WAN protocols?
Single points of failure?"[/i]

How about putting Security? on that list!

Cable is a shared medium between your demarc and the cable company. Any other cable subscribers on your segment can sniff everyone else's traffic. DSL and T-carrier service gives you a private, Permanent Virtual Circuit between yourself and your Central Office. After the CO your security will be encryption, PKI, and VPN technology. If you want more bandwidth, look at the DSL and fractional T-3 offerings from the Telco in your area.

I agree with the security aspect but I don't know if it is still valid. According to a cable tech I spoke with a few weeks back, this has been resolved. From what he was telling me - and I took it with a massive grain of salt - most cable companies now use a VPN to tunnel traffic from your router to their CO now. I had a lot of questions left unanswered after our brief discussion but he kinda sounded like he might be in a position to know the what for and how. That being said, the point is moot. I think we all agree, cable is not the way to go.

I guess this is possible, but seems unlikely. Most companies have to add a decent amount of extra gear to get VPNs to work correctly. Plus it adds overhead to a network that doesn't need it. Perhaps they are speaking of business grade carriers, not the average end users.

Please understand I am not trying to argue with you, just seems unlikely to me.

I, no, I totally caught your meaning and agree. I was simply relaying what was told to me. As I mentioned earlier, the tech I spoke with seemed knowledgeable in what he was saying and the fact that his company will not allow customers (business or consumer) access to the routers (ISP managed routers) tends to add a little credence. We drifted to this conversation after I began asking him how I would access the router to make specific changes to it for our environment. I was basically told that I would have to forward those changes over to the ISP for them to make even if it was as simple as port forwarding or adding a route and that lead into the security conversation of cable. Like I said, I took it with a grain of salt but what the guy was saying was plausible.

As it turns out, I have the same ISP for my cable connection at home and was told the same thing regarding the managed routers - minus the VPN conversation. So, if the VPN connection is true - and that's a big IF - it looks like they apply it to businesses and consumers alike.

Very interesting.


Is the wired portion or your ISP provided connection coax or ethernet? If it is ether net you could very easily drop a tap or hub in line and sniff to see if the traffic is encrypted.

Zoomer

What's to stop someone from tapping a T1? Couldn't you do the same thing? Also, with T1 is it correct to say that you are guaranteed the 1.5mbps up and down bandwidth?

The concern is that someone had to download a 2 GB file a few weeks ago and it took a long time where they could have downloaded it from home in about 2 hours with their cable.

milliamp

Some of the comments in this thread are not accurate.

"Any other cable subscribers on your segment can sniff everyone else's traffic"

Are you talking about broadcast traffic? Because that is well, broadcasted.

For everything else, the channels are separated by frequencies, time slots etc. not unlike pretty much everything else.

You would need a custom modem that would tune to all of the individually separated channels (which would only work for your specific node) and even then the traffic is encrypted with baseline privacy (BPI, part of DOCSIS). (I own a modified modem but still can't do this BTW)

The BPI TEK (traffic encryption key) and KEK (key encryption key) are changed frequently enough that even with a very powerful computer you would not be able to hash the data in real time.

For all the remarks I have seen about how "just anyone can sniff everyone else's traffic" I have not yet seen a single proof of concept demonstrating this.

As far as "shared medium", so are the rest of the links you use on the Internet every single day. If you are running out of bandwidth between your modem and your CMTS, it isn't the medium at fault at all, it is because your ISP chose to oversubscribe the link or is asleep at the wheel and does not know it is oversubscribed.

PS. As for selecting between a T1 and cable for data, the answer to that question today is certainly cable. A T1 today is obsolete for anything but phone lines.

dynamik

Couldn't you do something like keep the T1 for critical data and then supplement that with cable for high-bandwidth traffic that isn't critical or sensitive? I believe someone suggested this in your other thread. Maybe put your servers on the T1 on workstations on cable.

RTmarc

liven wrote:

Very interesting.


Is the wired portion or your ISP provided connection coax or ethernet? If it is ether net you could very easily drop a tap or hub in line and sniff to see if the traffic is encrypted.

It's coax. I've thought about trying to place a sniffer on the line but trying to find a way to convert coax to ethernet back to coax seems more trouble than it's worth.

Zoomer

dynamik wrote:

Couldn't you do something like keep the T1 for critical data and then supplement that with cable for high-bandwidth traffic that isn't critical or sensitive? I believe someone suggested this in your other thread. Maybe put your servers on the T1 on workstations on cable.

I mentioned that, but they said one or the other. We had a large meeting with some supervisors and programmers and they said that since their home computers (cable) get much faster speeds to switch over to cable and ditch the T1. Meanwhile, other IT friends and consultents were saying bonded T1's or fiber.

I did research, but most articles I found were a few years old, but leaned towards T1. My question is [today] T1 better than cable?

RTmarc

milliamp wrote:

As far as "shared medium", so are the rest of the links you use on the Internet every single day. If you are running out of bandwidth between your modem and your CMTS, it isn't the medium at fault at all, it is because your ISP chose to oversubscribe the link or is asleep at the wheel and does not know it is oversubscribed.

PS. As for selecting between a T1 and cable for data, the answer to that question today is certainly cable. A T1 today is obsolete for anything but phone lines.

Two things. The first part of what I quoted is 100% accurate and that's what we are saying. The problem is that cable companies - and airlines for that matter - like to oversell what they actually have due to the unlikeliness of 100% utilization. Unfortunately, it happens more often than desired and data - and people - get bumped and have to wait. For my business, whether it be the corporate office or branch office, I don't want to take that chance.

One might argue that all ISPs provide a Best Effort service. DSL is dedicated until the point it reaches the CO and then is combined to travel to the main hub. Fiber is best effort in that you share the same fiber trunk as the others in your area; similar to cable. That being said, with fiber and other "high end" connections you get a guaranteed SLA and other supplemental agreements that grant a certain level of availability and performance. On the converse, you typically do not get these type of agreements with cable companies.

I also agree that a T1 is obsolete for anything but phones. Metro E connections, for example, are much more practical. For relatively the same price you get anywhere from 6 to 15 times the T1 speed on a much more reliable and advanced connection.

RTmarc

I remember reading this article a few weeks ago and think it is pertinent for this discussion:

http://arstechnica.com/news.ars/post/20080228-att-talks-serious-smack-about-cable-broadband-speeds.html

Zoomer

RTmarc wrote:

I also agree that a T1 is obsolete for anything but phones. Metro E connections, for example, are much more practical. For relatively the same price you get anywhere from 6 to 15 times the T1 speed on a much more reliable and advanced connection.

What companies can I look into providing Metro Ethernet fiber connections? Any big names?

RTmarc

Where are you located? Ours is run by AT&T.

Zoomer

20 minutes outside Chicago.

dynamik

Zoomer wrote:

What companies can I look into providing Metro Ethernet fiber connections? Any big names?

I was just going to ask that myself. Is anyone aware of anything in the metro-area of MN? I'll look into AT&T as well.

hypnotoad

Hey, we pay $40,000 a year for a bunch of T1 lines here in Iowa and it's still slower than most DSL at home. But I have to say, the T1s have never had any downtime.

JDMurray

nl wrote:

Hey, we pay $40,000 a year for a bunch of T1 lines here in Iowa and it's still slower than most DSL at home. But I have to say, the T1s have never had any downtime.

Basic T-1 service is guaranteed bandwidth from point A to point B only, not to all possible points everywhere. The T-1 lines are only between your premises and your service provider, after that you are at the mercy of the available bandwidth of the public Internet. Also, a leased T-1 line usually will not have access to ISP technology that makes the Internet seem faster than it is, such as local DNS and caching proxy servers.

liven

Just thought I would throw this out there...

Spoke with several customers of Charter Cable and they are both able to detect arps of the default gateway. Then they can nmap those IPs and see unprotected windows shares on multiple machines on their subnet.

One should use great caution if this is going to be done, because these visible hosts are probably owned to say the least.

Don't think this would happen if vpns were in use.

TechJunky

With today's technology.. If you are looking for speed go with Cable/DSL.

If you are looking into stability with ok speeds go with a leased line, IE T1, T3 etc.

Usually ISP's do system wide cable upgrades all the time. All the T1 customers we have they always schedule upgrade/updates prior with the customer.

binarysoul

JDMurray wrote:

Zoomer wrote:

Other Issues:
Price?
Reliability?
Gauranteed throughput?
Multiple public IP addresses?
Customer Support turnaround times?
Supported WAN protocols?
Single points of failure?"[/i]

How about putting Security? on that list!

Cable is a shared medium between your demarc and the cable company. Any other cable subscribers on your segment can sniff everyone else's traffic. DSL and T-carrier service gives you a private, Permanent Virtual Circuit between yourself and your Central Office. After the CO your security will be encryption, PKI, and VPN technology. If you want more bandwidth, look at the DSL and fractional T-3 offerings from the Telco in your area.

I used to work as Tier 2 of a cable company about five years ago. Cable companies, at least most of them use DOCSIS modems and from what I understand 'security implementation' a primary sub-component of DOCSIS technology. In a nutshelle, cable companies came together and created a kind of de-facto DOCSIS standard that all cable companies could use.

Having said that, I'm not sure if we can 'certainly' say that a cable connection is less secure than a DSL one. Are we saying that a DSL connection can't be sniffed into? From what I understand about DOCSIS modems, these modems do NOT communicate to any device but the headend modem at the ISP.

Overall, I believe judging a connection as secure and insecure should encompass what security measures exists on the customer side. In other words, if a customer has open and unsecured shares, any breach of security can't be blamed on the ISP, be it cable or DSL, but it's ultimatley the responsiblity of the customer.

Finally and most importantly, both DSL and cable providers make the customer responsible for securing their connection. I had to review many "Agreements", so I could convince customers that any break-in was ultimately their problem although the ISP tried 'their best' protect the network.

JDMurray

binarysoul wrote:

Are we saying that a DSL connection can't be sniffed into?

DSL can be sniffed in the same way that an telephone line can be tapped anywhere between the customer premises and the Central Office, but traffic can be seen only for that customer. Cable, on the other hand, can be sniffed from the privacy of one's own living room by putting the (older) cable box into promiscuous mode or by attaching a sniffer device directly to the cable--and you can see the traffic for all the users on the entire cable segment. Modern cable boxes, and the use of link encryption, make this much more difficult to do now than it was even five years ago.

binarysoul wrote:

Finally and most importantly, both DSL and cable providers make the customer responsible for securing their connection. I had to review many "Agreements", so I could convince customers that any break-in was ultimately their problem although the ISP tried 'their best' protect the network.

Yes, this is common for providers that are not interested in securing the "last mile" between the provider and the customer.

cacharo

dynamik wrote:

Zoomer wrote:

What companies can I look into providing Metro Ethernet fiber connections? Any big names?

I was just going to ask that myself. Is anyone aware of anything in the metro-area of MN? I'll look into AT&T as well.

Qwest and Time Warner provide that service to my floor. I am sure Verizon provides it as well.

milliamp

liven wrote:

Just thought I would throw this out there...

Spoke with several customers of Charter Cable and they are both able to detect arps of the default gateway. Then they can nmap those IPs and see unprotected windows shares on multiple machines on their subnet.

One should use great caution if this is going to be done, because these visible hosts are probably owned to say the least.

Don't think this would happen if vpns were in use.

This is incorrect.
The data between the modem and the CMTS is encrypted (and resides on a separate virtual channel), but arp is broadcasted data so it will be broadcasted. I don't mean to offend, but if you don't know the difference between unicast and broadcast maybe you shouldn't weigh in on this discussion. This would be like me walking around a hospital giving advice to cancer patients.

arp requests will allow your friend to discover some of the other IP addresses in use on his node, yes. But the fact that he can nmap them isn't unique in any way to cable.



RTmarc,
The arstechnica article you linked contained some large inaccuracies. The key point driven home in that article is that AT&T has a national backbone and cable companies don't. That is just wrong, a few of the larger cable companies in the US do have a national backbones and the ones that don't mostly just pay Level 3 communications etc. to carry traffic and they are hardly "parts of the network that ultimately throttle or manage the throughput".

Comcast has a backbone and they are a well known offender of throttling bittorrent, so I am not even sure where they were going with that point.

The make the point that speed tests were slower than the maximum capable throughput, but never gave details about how they tested. Cable is just a last mile solution, so their speeds could have been due to a number of factors. Not that I would not trust MSO speed tests from an ATT/DSL marketing document, but given the total inaccuracy of the rest of the article it would be hard to accept them as credible.



As for security, I still stand by my original point. I have yet to see a single real world example of someone intercepting their neighbors DOCSIS traffic through BPI.

People call Apache secure and there have been a few exploits for it here and there. Wireless networks get owned all the time and people still use them. Now without a single stated instance of someone capturing their neighbors traffic through DOCSIS/BPI people are going to pipe up in a technical forum and recommend against the technology because of security concerns?

I think it would actually be easier to splice into your neighbors physical fiber/dsl/cat5 line and intercept their traffic that way than it would to try and intercept their DOCSIS traffic.


Show me I'm wrong.

liven

edited because I felt my reply was rude.

liven

Had to do it again (edit my post)

I was a little miffed about the comments (milliamp) made in this article. So I posted some silly stuff. Then I realized:

1) I am human and because of that I could make a mistake
2) I am not as dumb as the person who made the comments that aggravated me thinks I am
3) I was just sharing some info I had obtained from similar discussions with other techies, thought it might be interesting

snadam

milliamp wrote:

This is incorrect.
The data between the modem and the CMTS is encrypted (and resides on a separate virtual channel), but arp is broadcasted data so it will be broadcasted. I don't mean to offend, but if you don't know the difference between unicast and broadcast maybe you shouldn't weigh in on this discussion. This would be like me walking around a hospital giving advice to cancer patients.

Milliamp, your points are well taken. But you don't have to be an a-hole about it...

Ive been finding this a very interesting discussion since Thursday; so don't ruin it by your 'holier than thou' attitude


*continue*