RE: BGP conf

2011-11-02 Thread Larry May
Participants,

This thread makes me want to LAUGH and VOMIT at the same time...

This guy is asking for advice and all this list can do is poke and make
fun at him for trying to learn the right way to do things...

We ALL need to remember...NONE of us come out of the womb being BGP
experts... and anyone who says they are...are lying through their teeth.

I have had to work with such people who talked a big game...but in the
end didn't know their ass from a hole in the ground.

And to the original post Edward...if you follow "team CYMRU" you are
pretty much on the right path to being successful in your ventures...



-Original Message-
From: Edward avanti [mailto:edward.ava...@gmail.com] 
Sent: Wednesday, November 02, 2011 7:51 PM
To: Holmes, David A; nanog@nanog.org
Subject: Re: BGP conf

Halo,
sorry, my english not so perfect, at no time I mean send to IX what Verizon
send me, I'm not THAT stupid hehe
I mean if destination/origin is via IX, then send THAT traffic only by IX
and not Verizon.

On Thu, Nov 3, 2011 at 1:54 AM, Holmes, David A wrote:

> This is a perfect example of why it is crucial that inbound route filters
> be scrupulously maintained in upstream BGP providers. Who knows who is out
> there.
>
> -Original message-
> From: Edward avanti 
> To: "nanog@nanog.org" 
> Sent: Wed, Nov 2, 2011 01:01:37 GMT+00:00
> Subject: BGP conf
>
> Halo,
> First, I accept this might not really right list for request, have use nsp
> cisco list but only first post to was succeed, sent several other for past
> 4 day and none appear (verified by list archive) so please excuse request.
>
> I am in need of a cisco config for BGP setup, we have a require to include
> IX peering at new location as well as our Verizon link, we like to take
> full bgp from Verizon and send to IX what they send us, I spend days
> reading google, and so many conflict web site example, so many example seem
> insecure no prefix list so on. end result to date is only sore eyes, would
> someone who do same (not need be Verizon) be kind to send us off list
> working running config (yes without your password heh) or at least how to
> apply to BGP router including access/prefix list and interfaces so we have
> an idea on what do, if you take two full BGP feed from two transit
> carrierin load share and IX, that good, because that our stage three plan,
> but I can work without two transit.
>
> I am not ignorant with cisco 7201, but am total newby to BGP.
>
> Best Thanks
> Edwardo
>
>
> This communication, together with any attachments or embedded links, is
> for the sole use of the intended recipient(s) and may contain information
> that is confidential or legally protected. If you are not the intended
> recipient, you are hereby notified that any review, disclosure, copying,
> dissemination, distribution or use of this communication is strictly
> prohibited. If you have received this communication in error, please notify
> the sender immediately by return e-mail message and delete the original and
> all copies of the communication, along with any attachments or embedded
> links, from your system.
>



Re: BGP conf

2011-11-02 Thread Jeff Kell
On 11/2/2011 9:58 PM, Jeff Wheeler wrote:
> I guess ten years of watching RIRs and users de-bogon new /8s didn't
> teach you why those Cymru examples are more dangerous than they are good. 

If you follow "all" the CYMRU examples and subscribe to the BGP bogon
feed, that isn't an issue...

Jeff



Re: BGP conf

2011-11-02 Thread Jeff Wheeler
On Wed, Nov 2, 2011 at 10:04 PM, Jack Bates  wrote:
> Have to read the current cymru bgp templates?
>
> ! manner. Why not consider peering with our globally distributed bogon
> ! route-server project? Alternately you can obtain a current and well

I'm not telling you something you don't already know, but for the
novices who regard this list as a source of expertise, I will explain
in greater detail why this is a really dumb idea.

If you took a list of bogons over eBGP from Cymru, you would get
unused /8s and similar.  What you don't get is a route that matches
whatever silly thing someone on the DFZ accidentally leaked: a
more-specific that will still cause you to route traffic to their
leaked prefix out to the Internet (and presumably, to their network.)

There is nothing good about this.  It's just adding unnecessary
complexity for no operational benefit.  There is bad about it.  It
adds complexity and risk.  What is that risk?  If you decide that the
Cymru "distributed bogon route-server" is for you, and simply rewrite
next-hops received on that session to Null0, it is possible that Cymru
could make an error, or otherwise introduce non-bogon routes into your
network as if they were bogons, causing black-holes.  This is
obviously too much to risk for something that has no operational
benefit.

The Cymru guys do many positive things.  One of the more questionable
things they do, though, is operate a route-server with the intention
of black-holing botnet C&C IPs on a very wide scale.  This is
certainly a positive thing to do, but it was not done in a transparent
manner; and in fact didn't even have management approval at Cogent
when they configured it on their network.  There was no established
channel to find out why your IP address appeared on this list or to
get it removed.  All it took for me to get the whole idea canned at
Cogent was one inquiry to management, asking why engineers had quietly
started using a clandestine blackhole list operated by a third-party
and would not give any answers to a customer if one of their IPs
appeared on that list.  The IP address I inquired about was certainly
not a botnet C&C node, and how it ended up on that list is a mystery.
I'm not saying there was any malicious intent, but it was a mistake at
least.

Trusting that "bogon" black-hole list to do something you don't even
need to do anyway is not smart.  It's *especially* not smart for some
novice who doesn't understand the implications of his decision.  This
is the danger of "cut & paste engineering."

-- 
Jeff S Wheeler 
Sr Network Operator  /  Innovative Network Concepts
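The longest-prefix-match behaviour Jeff describes above, as an added example that is not part of this thread and not anything Team Cymru publishes: a constructed Python forwarding table in which prefixes from a bogon-feed session have their next hop rewritten to Null0, a neighbour's leaked more-specific escapes that discard route, and a single wrong entry in the feed discards traffic for space that is really in use. The prefixes, next-hop labels and feed contents are all assumed for illustration (RFC 5737 documentation space plus 10.0.0.0/8 standing in for "an unused /8").

```python
import ipaddress
from typing import Dict, List, Optional

# Forwarding table: prefix -> next hop (an interface or a neighbour label).
Fib = Dict[ipaddress.IPv4Network, str]


def build_fib(transit: Dict[str, str], bogon_feed: List[str],
              leaked: Dict[str, str]) -> Fib:
    """Assemble a constructed FIB.

    Every prefix learned on the bogon-feed session has its next hop rewritten
    to Null0 (a discard route), the deployment style discussed above; transit
    routes and a neighbour's leaked prefixes are installed with their real
    next hops. A later install overwrites an earlier one for an identical prefix."""
    fib: Fib = {}
    for prefix, nh in transit.items():
        fib[ipaddress.ip_network(prefix)] = nh
    for prefix in bogon_feed:
        fib[ipaddress.ip_network(prefix)] = "Null0"
    for prefix, nh in leaked.items():
        fib[ipaddress.ip_network(prefix)] = nh
    return fib


def best_route(fib: Fib, dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific covering prefix wins,
    no matter which source installed it."""
    addr = ipaddress.ip_address(dst)
    best: Optional[ipaddress.IPv4Network] = None
    for net in fib:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return fib[best] if best is not None else None


# Constructed routing state (assumed, not real feed data). 10.0.0.0/8 stands in
# for "an unused /8 from the feed"; 198.51.100.0/24 in the feed models a feed
# error that lists space which is legitimately routed via transit.
TRANSIT = {"0.0.0.0/0": "verizon", "198.51.100.0/23": "verizon"}
BOGON_FEED = ["10.0.0.0/8", "198.51.100.0/24"]
LEAK = {"10.1.2.0/24": "ix-peer-leak"}   # a peer accidentally leaks a more-specific


def demo() -> Dict[str, Optional[str]]:
    """Resolve a few constructed destinations against the FIB."""
    fib = build_fib(TRANSIT, BOGON_FEED, LEAK)
    return {
        "10.5.5.5": best_route(fib, "10.5.5.5"),          # bogon /8 -> Null0
        "10.1.2.55": best_route(fib, "10.1.2.55"),        # leaked /24 beats the /8
        "198.51.100.9": best_route(fib, "198.51.100.9"),  # feed error beats transit /23
        "198.51.101.9": best_route(fib, "198.51.101.9"),  # untouched half of the /23
    }


if __name__ == "__main__":
    for dst, nh in demo().items():
        print(f"{dst:>14} -> {nh}")
```

Both failure modes come from the same rule: the /24 leaked by a peer is more specific than the /8 the feed blackholes, so the discard route never sees that traffic, while a /24 wrongly listed by the feed is more specific than the legitimate /23 from transit, so it silently wins.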



Re: BGP conf

2011-11-02 Thread Jack Bates

On 11/2/2011 8:58 PM, Jeff Wheeler wrote:
> On Wed, Nov 2, 2011 at 8:44 PM, Jack Bates  wrote:
>> Now I have the mile long monstrosity that uses BGP communities for
>> everything, and of route-maps/policies with prefix-lists for downstream
>> customers. You have to start somewhere.
>>
>> cymru secure bgp templates is probably a good beginning.
>
> I guess ten years of watching RIRs and users de-bogon new /8s didn't
> teach you why those Cymru examples are more dangerous than they are
> good.


Have to read the current cymru bgp templates?

"

! Team Cymru has removed all static bogon references from this template
! due to the high probability that the application of these bogon filters
! will be a one-time event. Unfortunately many of these templates are
! applied and never re-visited, despite our dire warnings that bogons do
! change.
!
! This doesn't mean bogon filtering can't be accomplished in an automated
! manner. Why not consider peering with our globally distributed bogon
! route-server project? Alternately you can obtain a current and well
! maintained bogon feed from our DNS and RADb services. Read more at the
! link below to learn how!
!
!   https://www.team-cymru.org/Services/Bogons/
"




Re: BGP conf

2011-11-02 Thread Jeff Wheeler
On Wed, Nov 2, 2011 at 8:44 PM, Jack Bates  wrote:
> Now I have the mile long monstrosity that uses BGP communities for
> everything, and of route-maps/policies with prefix-lists for downstream
> customers. You have to start somewhere.
>
> cymru secure bgp templates is probably a good beginning.

I guess ten years of watching RIRs and users de-bogon new /8s didn't
teach you why those Cymru examples are more dangerous than they are
good.

-- 
Jeff S Wheeler 
Sr Network Operator  /  Innovative Network Concepts



Re: BGP conf

2011-11-02 Thread Jack Bates

On 11/2/2011 7:01 PM, Jeff Wheeler wrote:
> What you are asking your boss/company to do is trust you to put tires
> on their car without the right tools or knowledge.  The result of that
> is probably how your network will end up: "a wreck."


Reminds me of the look on my original boss' face when I said, "Well, I 
have no BGP experience, but I think I'm going to redo this entire BGP 
config. It doesn't look right." I then proceeded to try every ? 
hierarchy under bgp in the then cisco routers and read up on every 
command until I understood each one.


Okay, it was simple, had no route-maps, and used access-lists instead of 
prefix-lists. It worked for a single 7206 BGP aggregation router.


Now I have the mile long monstrosity that uses BGP communities for 
everything, and of route-maps/policies with prefix-lists for downstream 
customers. You have to start somewhere.


cymru secure bgp templates is probably a good beginning. Careful study 
of your routing platform, what it supports, and reading up on what it 
means. If you don't understand something, use vendor specific 
lists/forums/documentation/google until you do.




Jack



Re: BGP conf

2011-11-02 Thread Jeff Wheeler
On Wed, Nov 2, 2011 at 7:50 PM, Edward avanti  wrote:
> sorry, my english not so perfect, at no time I mean send to IX what Verizon
> send me, I'm not THAT stupid hehe
> I mean if destination/origin is via IX, then send THAT traffic only by IX
> and not Verizon.

I understood what you mean.  The recommendations in my earlier reply
are still the best ones you've received:
1) hire a consultant to assist you both now and with any future problems
or 2) do not worry about being multi-homed, because the extra
complexity will do you more harm than good

Imagine if you took your car to a shop and asked for new tires, and
the mechanic said, "well, I have never changed tires before and I'm
not sure I have the right tools, but if you give me a couple of days I
think I can read about it on the Internet and figure it out."  Of
course you would not buy tires from him, you would go to another shop.
 That mechanic would quickly find that, if he wants to sell tires, he
needs to learn how to install them or hire someone to do it for him.

What you are asking your boss/company to do is trust you to put tires
on their car without the right tools or knowledge.  The result of that
is probably how your network will end up: "a wreck."

-- 
Jeff S Wheeler 
Sr Network Operator  /  Innovative Network Concepts



Re: BGP conf

2011-11-02 Thread Edward avanti
Halo,
sorry, my english not so perfect, at no time I mean send to IX what Verizon
send me, I'm not THAT stupid hehe
I mean if destination/origin is via IX, then send THAT traffic only by IX
and not Verizon.

On Thu, Nov 3, 2011 at 1:54 AM, Holmes,David A  wrote:

> This is a perfect example of why it is crucial that inbound route filters
> be scrupulously maintained in upstream BGP providers. Who knows who is out
> there.
>
> -Original Message-
> From: McCall, Gabriel [mailto:gabriel.mcc...@thyssenkrupp.com]
> Sent: Tuesday, November 01, 2011 7:29 PM
> To: Edward avanti; nanog@nanog.org
> Subject: Re: BGP conf
>
> Google for "team cymru secure bgp template" for a good starting point.
>
>
> -Original message-
> From: Edward avanti 
> To: "nanog@nanog.org" 
> Sent: Wed, Nov 2, 2011 01:01:37 GMT+00:00
> Subject: BGP conf
>
> Halo,
> First, I accept this might not really right list for request, have use nsp
> cisco list but only first post to was succeed, sent several other for past
> 4 day and none appear (verified by list archive) so please excuse request.
>
> I am in need of a cisco config for BGP setup, we have a require to include
> IX peering at new location as well as our Verizon link, we like to take
> full bgp from Verizon and send to IX what they send us, I spend days
> reading google, and so many conflict web site example, so many example seem
> insecure no prefix list so on. end result to date is only sore eyes, would
> someone who do same (not need be Verizon) be kind to send us off list
> working running config (yes without your password heh) or at least how to
> apply to BGP router including access/prefix list and interfaces so we have
> an idea on what do, if you take two full BGP feed from two transit
> carrierin load share and IX, that good, because that our stage three plan,
> but I can work without two transit.
>
> I am not ignorant with cisco 7201, but am total newby to BGP.
>
> Best Thanks
> Edwardo
>
>
>


RE: BGP conf

2011-11-02 Thread Holmes,David A
This is a perfect example of why it is crucial that inbound route filters be 
scrupulously maintained in upstream BGP providers. Who knows who is out there.

-Original Message-
From: McCall, Gabriel [mailto:gabriel.mcc...@thyssenkrupp.com]
Sent: Tuesday, November 01, 2011 7:29 PM
To: Edward avanti; nanog@nanog.org
Subject: Re: BGP conf

Google for "team cymru secure bgp template" for a good starting point.


-Original message-
From: Edward avanti 
To: "nanog@nanog.org" 
Sent: Wed, Nov 2, 2011 01:01:37 GMT+00:00
Subject: BGP conf

Halo,
First, I accept this might not really right list for request, have use nsp
cisco list but only first post to was succeed, sent several other for past
4 day and none appear (verified by list archive) so please excuse request.

I am in need of a cisco config for BGP setup, we have a require to include
IX peering at new location as well as our Verizon link, we like to take
full bgp from Verizon and send to IX what they send us, I spend days
reading google, and so many conflict web site example, so many example seem
insecure no prefix list so on. end result to date is only sore eyes, would
someone who do same (not need be Verizon) be kind to send us off list
working running config (yes without your password heh) or at least how to
apply to BGP router including access/prefix list and interfaces so we have
an idea on what do, if you take two full BGP feed from two transit
carrierin load share and IX, that good, because that our stage three plan,
but I can work without two transit.

I am not ignorant with cisco 7201, but am total newby to BGP.

Best Thanks
Edwardo




Re: BGP conf

2011-11-01 Thread McCall, Gabriel
Google for "team cymru secure bgp template" for a good starting point.


-Original message-
From: Edward avanti 
To: "nanog@nanog.org" 
Sent: Wed, Nov 2, 2011 01:01:37 GMT+00:00
Subject: BGP conf

Halo,
First, I accept this might not really right list for request, have use nsp
cisco list but only first post to was succeed, sent several other for past
4 day and none appear (verified by list archive) so please excuse request.

I am in need of a cisco config for BGP setup, we have a require to include
IX peering at new location as well as our Verizon link, we like to take
full bgp from Verizon and send to IX what they send us, I spend days
reading google, and so many conflict web site example, so many example seem
insecure no prefix list so on. end result to date is only sore eyes, would
someone who do same (not need be Verizon) be kind to send us off list
working running config (yes without your password heh) or at least how to
apply to BGP router including access/prefix list and interfaces so we have
an idea on what do, if you take two full BGP feed from two transit
carrierin load share and IX, that good, because that our stage three plan,
but I can work without two transit.

I am not ignorant with cisco 7201, but am total newby to BGP.

Best Thanks
Edwardo



Re: BGP conf

2011-11-01 Thread Edward avanti
Halo,
I am not, I wish all transit by Verizon, but if traffic come in from IX, it
only fair I send trafic to them if they in that IX, they be closest path
anyway.


On Wed, Nov 2, 2011 at 11:11 AM, Mark Gauvin  wrote:

> Why would you want to advertise full verizon routes out to the ix? You
> should only be advertising your own network via ix
>
> Sent from my iPhone
>
> On 2011-11-01, at 7:59 PM, "Edward avanti" wrote:
>
> > Halo,
> > First, I accept this might not really right list for request, have
> > use nsp
> > cisco list but only first post to was succeed, sent several other
> > for past
> > 4 day and none appear (verified by list archive) so please excuse
> > request.
> >
> > I am in need of a cisco config for BGP setup, we have a require to
> > include
> > IX peering at new location as well as our Verizon link, we like to
> > take
> > full bgp from Verizon and send to IX what they send us, I spend days
> > reading google, and so many conflict web site example, so many
> > example seem
> > insecure no prefix list so on. end result to date is only sore eyes,
> > would
> > someone who do same (not need be Verizon) be kind to send us off list
> > working running config (yes without your password heh) or at least
> > how to
> > apply to BGP router including access/prefix list  and interfaces so
> > we have
> > an idea on what do, if you take two full BGP feed from two transit
> > carrierin load share and IX, that good, because that our stage three
> > plan,
> > but I can work without two transit.
> >
> > I am not ignorant with cisco 7201, but am total newby to BGP.
> >
> > Best Thanks
> > Edwardo
>


Re: BGP conf

2011-11-01 Thread Jeff Wheeler
On Tue, Nov 1, 2011 at 9:01 PM, Edward avanti  wrote:
> many example seem
> insecure no prefix list so on.
...
> I am not ignorant with cisco 7201, but am total newby to BGP.

Your concern about a lack of any prefix-lists in the documentation /
examples you have read is justified.  If you are connecting to an IX
it may offer route-servers which have prefix-lists maintained by the
IX staff and tools.  However, as you may already know, you will only
receive the "best path" to each prefix from an IX route-server.  This
is often a motive (among others) to establish direct eBGP sessions
with other IX members.  Once you start doing that, you had better
filter routes from those neighbors, or you will subject your network
to your peers' mistakes and glitches.

If you imagine that the IX has other members like yourself, who also
do not know much about BGP, then you can understand why you do not
want your peers' mistakes to cause outages on your network.

Doing a "cut, replace, and paste" from online examples is obviously a
bad idea.  If I were you, I would find a local consultant (perhaps
someone on the staff of the IX or another member) who can assist you
with your initial configuration, and help you in the event of a severe
emergency.  Otherwise, frankly, you are going to be better off by just
buying transit from Verizon and being single-homed.  The added
complexity of BGP is not an asset to an organization that doesn't have
adequate expertise.

-- 
Jeff S Wheeler 
Sr Network Operator  /  Innovative Network Concepts



Re: BGP conf

2011-11-01 Thread Mark Gauvin
Why would you want to advertise full verizon routes out to the ix? You
should only be advertising your own network via ix

Sent from my iPhone

On 2011-11-01, at 7:59 PM, "Edward avanti" wrote:

> Halo,
> First, I accept this might not really right list for request, have  
> use nsp
> cisco list but only first post to was succeed, sent several other  
> for past
> 4 day and none appear (verified by list archive) so please excuse  
> request.
>
> I am in need of a cisco config for BGP setup, we have a require to  
> include
> IX peering at new location as well as our Verizon link, we like to  
> take
> full bgp from Verizon and send to IX what they send us, I spend days
> reading google, and so many conflict web site example, so many  
> example seem
> insecure no prefix list so on. end result to date is only sore eyes,  
> would
> someone who do same (not need be Verizon) be kind to send us off list
> working running config (yes without your password heh) or at least  
> how to
> apply to BGP router including access/prefix list  and interfaces so  
> we have
> an idea on what do, if you take two full BGP feed from two transit
> carrierin load share and IX, that good, because that our stage three  
> plan,
> but I can work without two transit.
>
> I am not ignorant with cisco 7201, but am total newby to BGP.
>
> Best Thanks
> Edwardo
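A worked version of the policy Jeff Wheeler recommends above for direct eBGP sessions with IX members (filter what each neighbour sends you, so their mistakes stay on their side) together with Mark Gauvin's point in this message that only your own network belongs in the IX announcement. This is an added Python example, not a configuration from the thread or from any template: it models what an inbound prefix-list plus a per-session maximum-prefix limit enforce, and what an outbound filter lets through. The policy class, the static bogon list, the RFC 5737 documentation prefixes, the peer announcements and the local RIB are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class IxPeerPolicy:
    """Assumed policy object for one direct eBGP session with an IX member.

    It models the effect of an inbound prefix-list plus maximum-prefix; it is
    not any vendor's configuration syntax."""
    own_prefixes: List[IPv4Net]   # space we originate; never accept it from a peer
    bogons: List[IPv4Net]         # static list: must be kept current, bogons change
    max_prefixes: int             # per-session cap, like maximum-prefix
    longest_accepted: int = 24    # drop anything more specific than /24


def check_inbound(prefix: str, pol: IxPeerPolicy) -> Tuple[bool, str]:
    """Decide whether one announcement from the peer is accepted, and why not."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return False, "default route from a peer"
    if net.prefixlen > pol.longest_accepted:
        return False, f"longer than /{pol.longest_accepted}"
    if any(net.subnet_of(own) for own in pol.own_prefixes):
        return False, "our own space announced back to us"
    for bogon in pol.bogons:
        if net.subnet_of(bogon):
            return False, f"inside bogon {bogon}"
    return True, "ok"


def apply_session(announcements: List[str], pol: IxPeerPolicy) -> Dict[str, object]:
    """Run a session's announcements through check_inbound.

    If the accepted count ever exceeds max_prefixes the session is torn down,
    which is what maximum-prefix does on a router: a peer that leaks a large
    table at you is cut off instead of having it installed."""
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for prefix in announcements:
        ok, why = check_inbound(prefix, pol)
        if not ok:
            rejected.append((prefix, why))
            continue
        accepted.append(prefix)
        if len(accepted) > pol.max_prefixes:
            return {"state": "shutdown", "reason": "maximum-prefix exceeded",
                    "accepted": accepted, "rejected": rejected}
    return {"state": "established", "reason": "",
            "accepted": accepted, "rejected": rejected}


def outbound_to_ix(rib: List[Tuple[str, str]], pol: IxPeerPolicy) -> List[str]:
    """Only locally originated prefixes inside our own space go to the IX;
    routes learned from transit or from other peers are never re-advertised."""
    out = []
    for prefix, source in rib:
        net = ipaddress.ip_network(prefix, strict=False)
        if source == "local" and any(net.subnet_of(own) for own in pol.own_prefixes):
            out.append(prefix)
    return out


# Constructed policy and inputs (RFC 5737 / RFC 1918 space, no real peer data).
POLICY = IxPeerPolicy(
    own_prefixes=[ipaddress.ip_network("203.0.113.0/24")],
    bogons=[ipaddress.ip_network(p) for p in
            ("0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    max_prefixes=5,
)

PEER_ANNOUNCEMENTS = [
    "198.51.100.0/24",    # a peer's legitimate prefix
    "198.51.100.128/25",  # too specific
    "203.0.113.0/24",     # our own prefix coming back at us
    "0.0.0.0/0",          # a default route from a peer
    "192.168.10.0/24",    # RFC 1918, on the static bogon list
    "192.0.2.0/24",       # another legitimate prefix
]

LOCAL_RIB = [
    ("203.0.113.0/24", "local"),     # originated by us
    ("198.51.100.0/24", "ix-peer"),  # learned at the IX
    ("192.0.2.0/24", "verizon"),     # learned from transit
]

if __name__ == "__main__":
    result = apply_session(PEER_ANNOUNCEMENTS, POLICY)
    print(result["state"], result["accepted"])
    for prefix, why in result["rejected"]:
        print("rejected", prefix, "-", why)
    print("announce to IX:", outbound_to_ix(LOCAL_RIB, POLICY))
```

The static bogon list is the weak spot Jeff points out elsewhere in the thread: it is correct on the day it is written and wrong later unless someone revisits it, so treat it as a scheduled maintenance item rather than a one-time paste. The maximum-prefix cap is the cheap protection against the "peer like yourself who does not know much about BGP" case: whatever they leak, the session drops before the leak is installed.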



BGP conf

2011-11-01 Thread Edward avanti
Halo,
First, I accept this might not really right list for request, have use nsp
cisco list but only first post to was succeed, sent several other for past
4 day and none appear (verified by list archive) so please excuse request.

I am in need of a cisco config for BGP setup, we have a require to include
IX peering at new location as well as our Verizon link, we like to take
full bgp from Verizon and send to IX what they send us, I spend days
reading google, and so many conflict web site example, so many example seem
insecure no prefix list so on. end result to date is only sore eyes, would
someone who do same (not need be Verizon) be kind to send us off list
working running config (yes without your password heh) or at least how to
apply to BGP router including access/prefix list  and interfaces so we have
an idea on what do, if you take two full BGP feed from two transit
carrierin load share and IX, that good, because that our stage three plan,
but I can work without two transit.

I am not ignorant with cisco 7201, but am total newby to BGP.

Best Thanks
Edwardo