Re: Network Configuration Management Practices
I posted our software (doing this) onto http://snmpstat.sf.net (named as CCR - Cisco Configuration Repository). It is 100% WEB configured and supports IOS, CatOS, PIX and some old VPN devices (they all have different commands to save config).

----- Original Message -----
From: Joe Shen [EMAIL PROTECTED]
To: Alexei Roudnev [EMAIL PROTECTED]; Scott Weeks [EMAIL PROTECTED]; Carl W.Kalbfleisch [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, September 15, 2004 1:59 AM
Subject: Re: Network Configuration Management Practices

There has been some public available software for backing up Cisco router configuration. The backup is not in CVS but in plain file.

Joe

--- Alexei Roudnev [EMAIL PROTECTED] wrote:

Hmm, there are many approaches, starting with _what is primary_ (in Moscow's ISP files was primary, in enterprise here configs are primary).

In my case, I use some hard rules:

- no matter what is primary, configurations should be stored into CVS or similar system, and made available (for network engineers) on the internal web (with restricted access);
- system should collect all changes automatically (or update configs from files automatically), make diffs and send change reports.
- In any case, I must be able to see real configuration and see all changes, applying for last few weeks, without telnetting to the box.

Without such things, I am blind (I feel myself blind, when I come to the new network, and they have not such things in their system, making changes _on live servers_ and making 'telnet' to evaluate configuration). Few tools (opensource and commercial) allow to automate this job.

One more thing. We tried to review _proposed changes_ and _changes applied_. Practice showed, that it is impossible to see errors in proposed updates, even if 3 - 4 engineers review it (not design flaws, but syntax and semantics errors), so we did not get much use from pre-change reviews (except design ones).
But we got extremely high profit from post-change reviews (verifying, what really changed on the router / firewall after maintenance window) - it allows to see some unwanted changes and avoid few possible service disruptions.

----- Original Message -----
From: Scott Weeks [EMAIL PROTECTED]
To: Carl W.Kalbfleisch [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, September 14, 2004 3:08 PM
Subject: Re: Network Configuration Management Practices

On Tue, 14 Sep 2004, Carl W.Kalbfleisch wrote:

: I am doing some independent research on Network Configuration
: Management Practices. I am trying to get information from service
: providers and enterprises on how they handle this function. I have the
: following specific questions:
:
: 1) What configuration issues most affect the performance and
: reliability of your network?

Fingers... ;-)

scott
Re: Open-Source Network Management Tools
I always tried to avoid any deal with SNMP TRAPS as most unreliable and inconvenient way of alerting (unfortunately, it can not be avoided totally). We use 'syslog' (syslog-ng + home written syslog analyzers + commercial soft, sometimes) when possible.

----- Original Message -----
From: Michael Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 15, 2004 9:10 AM
Subject: RE: Open-Source Network Management Tools

I'm looking for open-source alternatives for network management, such as Nagios or Big Brother. We are currently using WhatsUp Gold, and would like to move to something more flexible (and not running on a Windows platform). Something that has email/paging capabilities, and can process SNMP traps would be a plus for us as well. Recommendations? Thanks.

I'd like to expand the question by asking, what Open-Source applications do people use for SNMP Trap collecting and alarming? We're very happy with Nagios for polling, but we have a lot of optical components that send information via Traps that then needs to be culled, trimmed and analyzed.

Thanks,
Mike
Re: Network Configuration Management Practices
If I have frequent changes, I always automate them so that:

- operator enter data into the database;
- operator click 'UPDATE'
- operator review proposed update and click APPLY
- tier-3 receive change report and review it.

We did such thing (analyzing configs, creating schemas and posting it all @ internal WEB) when I worked in ISP in Moscow, but we never (!) allowed anyone to configure routers manually, except very unusual changes. Everything other (interfaces, E1 channels, access lists, BGP filters, route maps and so on) was generated and updated automatically.

When I saw tier-1 people doing 'conf t' here in USA, I think _oh, they have so much money that they can allow people to touch configs manually_ -:).

/Unfortunately, Cisco is not old Cisco now, with a lot of skilled and helpful developers, so no one hope that they will help in such automation/.

----- Original Message -----
From: Austin Schutz [EMAIL PROTECTED]
To: Alexei Roudnev [EMAIL PROTECTED]
Cc: Scott Weeks [EMAIL PROTECTED]; Carl W.Kalbfleisch [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, September 15, 2004 2:25 AM
Subject: Re: Network Configuration Management Practices

On Wed, Sep 15, 2004 at 12:27:20AM -0700, Alexei Roudnev wrote:

One more thing. We tried to review _proposed changes_ and _changes applied_. Practice showed, that it is impossible to see errors in proposed updates, even if 3 - 4 engineers review it (not design flaws, but syntax and semantics errors), so we did not get much use from pre-change reviews (except design ones). But we got extremely high profit from post-change reviews (verifying, what really changed on the router / firewall after maintenance window) - it allows to see some unwanted changes and avoid few possible service disruptions.

This doesn't seem to scale too well. When you have frequent changes (i.e. many access devices) the diff load becomes unmanageably large.
My ideal would be to have a network monitoring tool which compares the actual network against a configured baseline. The presumption would be that if the network matches what have been set forth as engineering rules, I don't really care what the specific settings are.

Currently we do something sort of halfway: archive the actual configs and then run audit scripts against them, which parse the configs. Definitely not ideal but it helps catch simpler errors.

One of these days when I have extra cycles.. (yeah, right)

Austin
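Added example (not code from the thread or from CCR): the post-change review Alexei describes and the rule-based audit Austin describes, run over two archived revisions of one config. The volatile-line patterns, the rules in RULES and both sample configs are assumptions constructed for illustration.

```python
"""Post-change review and baseline audit over archived router configs.

Added illustration: the volatile-line patterns, the engineering rules and
both sample configs are assumptions constructed for this example.
"""
import difflib
import re

# Lines that change on every save without an operator touching the config;
# leaving them in buries the real changes in noise.
VOLATILE = [
    re.compile(r"^! Last configuration change at "),
    re.compile(r"^! NVRAM config last updated at "),
    re.compile(r"^Current configuration : \d+ bytes"),
    re.compile(r"^ntp clock-period \d+"),
]


def normalize(config_text):
    """Return config lines with volatile and blank lines removed."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line and not any(p.search(line) for p in VOLATILE):
            lines.append(line)
    return lines


def change_report(before, after, name="router"):
    """Unified diff of two archived revisions, for the post-change review."""
    return list(difflib.unified_diff(
        normalize(before), normalize(after),
        fromfile=name + "@before", tofile=name + "@after",
        lineterm="", n=1,
    ))


# Hypothetical engineering rules: (rule id, kind, regex).
# "require": at least one line must match. "forbid": no line may match.
RULES = [
    ("enc-passwords", "require", r"^service password-encryption$"),
    ("no-default-community", "forbid",
     r"^snmp-server community (public|private)\b"),
    ("vty-acl", "require", r"^ access-class \d+ in$"),
    ("syslog-target", "require", r"^logging \d+\.\d+\.\d+\.\d+$"),
]


def audit(config_text, rules=RULES):
    """Return (rule id, offending line or None) for every violated rule."""
    lines = normalize(config_text)
    violations = []
    for rule_id, kind, pattern in rules:
        rx = re.compile(pattern)
        hits = [line for line in lines if rx.search(line)]
        if kind == "require" and not hits:
            violations.append((rule_id, None))
        elif kind == "forbid":
            violations.extend((rule_id, hit) for hit in hits)
    return violations


# Constructed sample: the same device before and after a maintenance window.
BEFORE = """\
! Last configuration change at 01:10:02 UTC Tue Sep 14 2004
service password-encryption
hostname edge1
logging 192.0.2.10
snmp-server community example-ro RO
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
ntp clock-period 17179869
end
"""

# The planned change was one new ACL entry; two other lines changed as well.
AFTER = """\
! Last configuration change at 03:42:51 UTC Wed Sep 15 2004
service password-encryption
hostname edge1
logging 192.0.2.10
snmp-server community example-ro RO
snmp-server community public RO
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit 198.51.100.0 0.0.0.255
line vty 0 4
ntp clock-period 17179901
end
"""

if __name__ == "__main__":
    print("\n".join(change_report(BEFORE, AFTER, "edge1")))
    for rule_id, line in audit(AFTER):
        print("VIOLATION", rule_id, line or "(required line missing)")
```

The diff answers "what really changed" for one device; the audit result stays the same size no matter how many diffs accumulate, which is the scaling point raised in the reply.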
Building a network and system management open source tool
Since several folks showed interest in this, I have posted the slides for the design talk at: http://sourceforge.net/projects/nexb

--
Cheers
Philippe

philippe ombredanne | nexB - Open IT Asset Management
1 650 799 0949 | pombredanne at nexb.com
http://www.nexb.com
RE: Multi-link Frame Relay OR Load Balancing
3 quick notes--

Neither MLFR/FRF.16 (MCI's implementation) nor the corresponding CPE require external DSUs. The service may utilize internal DSUs (whether on Cisco CPE or Tasman) just as a tiered/fractional DS3 would.

ATM-IMA could be considered wasteful of bandwidth as you would have to live with the ATM cell tax reducing usable bandwidth by about 25%. FRF.16 allows for much lower overhead through frame relay encapsulation.

FRF.16 also allows for losing circuits within a bundle or even designating a threshold number of circuits for when to consider a link down (useful in failover scenarios).

Another minor point is that DS3s are tiered by many large providers through timing at the provider edge DSU/linecard vs. CIR (even though FR encaps may be used).

Given all that, a fraction DS3 may still be a better option if the telco loop is reasonable...

Bryant Rump
Advanced Internetworking
Booz Allen Hamilton
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kell
Sent: Thursday, September 16, 2004 10:55 PM
To: Scott McGrath
Cc: Bryce Enevoldson; [EMAIL PROTECTED]
Subject: Re: Multi-link Frame Relay OR Load Balancing

Scott McGrath wrote:

In my experience the breakeven point for a Frame Relay DS3 is 6 DS1 circuits. DS3's tend to be more reliable than DS1's as the ILEC usually installs a MUX at your site instead of running to the nearest channel bank and running the T1's over copper with a few repeaters thrown in for good measure.

I'll second that. Our ILEC extended our existing SONET node (for the PBX in another building) to our machine room (couldn't push DS3 over copper that far). Now, if they'd just terminate the old T1s at the new node and not push them over local copper from there to the machine room, we would be sitting pretty.

Another nice thing about DS3's is that it is easy to scale bandwidth in the future by modifying the CIR on your link. Another feature is that since the link is faster the serialization delay is lower which will give you better latency and last but not least PA3+ for Cisco 7[2|5]xx routers are inexpensive and give you one call for service not a separate call for the CSU/DSU's and the serial line card you need to support a multilink solution.

Ditto. We have one in a 7204 with a CIR of 30Mb. Handles it quite nicely, replaced 5 T1s on load-sharing per-packet link.

Jeff
The Cidr Report
This report has been generated at Fri Sep 17 21:44:13 2004 AEST. The report analyses the BGP Routing Table of an AS4637 (Reach) router and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org/as4637 for a current version of this report.

Recent Table History

Date       Prefixes  CIDR Agg
10-09-04   143329    98595
11-09-04   143556    98696
12-09-04   143474    98684
13-09-04   143397    98654
14-09-04   143451    98833
15-09-04   143615    98857
16-09-04   143660    98839
17-09-04   143628    98794

AS Summary

17981     Number of ASes in routing system
7313      Number of ASes announcing only one prefix
1386      Largest number of prefixes announced by an AS
          AS7018 : ATTW ATT WorldNet Services
86646016  Largest address span announced by an AS (/32s)
          AS721 : DNIC DoD Network Information Center

Aggregation Summary

The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 17Sep04 ---
ASnum     NetsNow  NetsAggr  NetGain  % Gain  Description
Table     143741   98842     44899    31.2%   All ASes
AS18566   739      7         732      99.1%   CVAD Covad Communications
AS4134    783      172       611      78.0%   CHINANET-BACKBONE No.31,Jin-rong Street
AS4323    773      212       561      72.6%   TWTC Time Warner Telecom
AS7018    1386     958       428      30.9%   ATTW ATT WorldNet Services
AS7843    489      100       389      79.6%   ADELPH-13 Adelphia Corp.
AS22773   398      21        377      94.7%   CXA Cox Communications Inc.
AS27364   395      36        359      90.9%   ARMC Armstrong Cable Services
AS6467    385      30        355      92.2%   ACSI e.spire Communications, Inc.
AS701     1244     897       347      27.9%   UU UUNET Technologies, Inc.
AS22909   366      45        321      87.7%   CMCS Comcast Cable Communications, Inc.
AS1239    950      634       316      33.3%   SPRN Sprint
AS6197    718      404       314      43.7%   BNS-14 BellSouth Network Solutions, Inc
AS9929    337      33        304      90.2%   CNCNET-CN China Netcom Corp.
AS11172   355      52        303      85.4%   Alestra
AS17676   348      45        303      87.1%   JPNIC-JP-ASN-BLOCK Japan Network Information Center
AS6347    399      99        300      75.2%   SAVV SAVVIS Communications Corporation
AS6478    358      71        287      80.2%   ATTW ATT WorldNet Services
AS4355    381      99        282      74.0%   ERSD EARTHLINK, INC
AS21502   268      3         265      98.9%   ASN-NUMERICABLE NUMERICABLE is a cabled network in France,
AS4766    530      266       264      49.8%   KIXS-AS-KR Korea Telecom
AS14654   259      6         253      97.7%   WAYPOR-3 Wayport
AS9443    359      110       249      69.4%   INTERNETPRIMUS-AS-AP Primus Telecommunications
AS6140    364      116       248      68.1%   IMPSA ImpSat
AS2386    829      596       233      28.1%   ADCS-1 ATT Data Communications Services
AS25844   244      16        228      93.4%   SASMFL-2 Skadden, Arps, Slate, Meagher Flom LLP
AS9583    530      308       222      41.9%   SIFY-AS-IN Sify Limited
AS6198    429      210       219      51.0%   BNS-14 BellSouth Network Solutions, Inc
AS721     713      507       206      28.9%   DNIC DoD Network Information Center
AS6327    228      29        199      87.3%   SHAWC-2 Shaw Communications Inc.
AS22291   261      69        192      73.6%   CC04 Charter Communications
Total     15818    6151      9667     61.1%   Top 30 total

Possible Bogus Routes

24.138.80.0/20    AS11260  AHSICHCL Andara High Speed Internet c/o Halifax Cable Ltd.
24.246.0.0/17     AS7018   ATTW ATT WorldNet Services
24.246.38.0/24    AS25994  NPGCAB NPG Cable, INC
24.246.128.0/18   AS7018   ATTW ATT WorldNet Services
64.46.4.0/22      AS11711  TULARO TULAROSA COMMUNICATIONS
64.46.27.0/24     AS8674   NETNOD-IX Netnod Internet Exchange Sverige AB
64.46.34.0/24     AS3408
64.46.63.0/24     AS7850   IHIGHW iHighway.net, Inc.
64.83.96.0/19     AS26956  NETFR
sprint.net Email problems?
Hi,

depending on the IP address space from where I'm trying to reach the two MX for @sprint.net, I'm getting either:

- no TCP connection at all (Connection refused)
- a TCP session, but not even a SMTP greeting banner
- a SMTP session, but as response to RCPT TO a 550 Access denied

For the third case, doesn't seem to matter which email address I try (did ipv6-support@, rrockell@ and postmaster@).

This is persistent now for over 12 hours...

Best regards,
Daniel
Re: Open-Source Network Management Tools
Just curious, what kind of commercial/opensource software do you use for syslog analysis and alerting? I also run syslog-ng and have some filters written to ignore some of the more mundane syslog messages. Also have swatch half implemented and semi working, but I'm looking for a cleaner, and more manageable tool for syslog based alerting.

On Fri, 2004-09-17 at 03:53, Alexei Roudnev wrote:

I always tried to avoid any deal with SNMP TRAPS as most unreliable and inconvenient way of alerting (unfortunately, it can not be avoided totally). We use 'syslog' (syslog-ng + home written syslog analyzers + commercial soft, sometimes) when possible.

----- Original Message -----
From: Michael Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 15, 2004 9:10 AM
Subject: RE: Open-Source Network Management Tools

I'm looking for open-source alternatives for network management, such as Nagios or Big Brother. We are currently using WhatsUp Gold, and would like to move to something more flexible (and not running on a Windows platform). Something that has email/paging capabilities, and can process SNMP traps would be a plus for us as well. Recommendations? Thanks.

I'd like to expand the question by asking, what Open-Source applications do people use for SNMP Trap collecting and alarming? We're very happy with Nagios for polling, but we have a lot of optical components that send information via Traps that then needs to be culled, trimmed and analyzed.

Thanks,
Mike
Re: Open-Source Network Management Tools
Chris Allermann wrote:

Just curious, what kind of commercial/opensource software do you use for syslog analysis and alerting?

http://www.l0t3k.net/tools/Loganalysis/lire-1.4.tar.gz
http://www.sawmill.net/features.html
Re: Open-Source Network Management Tools
What makes syslog so much more reliable in your opinion? There's no ability to find lost messages or have guaranteed delivery. At least not on 514/udp. If you can toss a trap, you can toss a syslog message.

That is, unless I've lost my mind this morning and need to go get more coffee.

On 9/17/04 3:53 AM, Alexei Roudnev [EMAIL PROTECTED] wrote:

I always tried to avoid any deal with SNMP TRAPS as most unreliable and inconvenient way of alerting (unfortunately, it can not be avoided totally). We use 'syslog' (syslog-ng + home written syslog analyzers + commercial soft, sometimes) when possible.

----- Original Message -----
From: Michael Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 15, 2004 9:10 AM
Subject: RE: Open-Source Network Management Tools

I'm looking for open-source alternatives for network management, such as Nagios or Big Brother. We are currently using WhatsUp Gold, and would like to move to something more flexible (and not running on a Windows platform). Something that has email/paging capabilities, and can process SNMP traps would be a plus for us as well. Recommendations? Thanks.

I'd like to expand the question by asking, what Open-Source applications do people use for SNMP Trap collecting and alarming? We're very happy with Nagios for polling, but we have a lot of optical components that send information via Traps that then needs to be culled, trimmed and analyzed.

Thanks,
Mike

*
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers.
Re: Open-Source Network Management Tools
On Tuesday, September 14, 2004 3:48 PM, Tom Claydon wrote:

I'm looking for open-source alternatives for network management, such as Nagios or Big Brother. We are currently using WhatsUp Gold, and would

Argus: The World's Most Advanced Monitoring System: http://argus.tcp4me.com/

Jeremy Kister
http://jeremy.kister.net/
RE: Multi-link Frame Relay OR Load Balancing
Depending on your area, DS3 isn't necessarily cheaper than 8 T1s. I know in some markets, I have to buy 16 T1s from Bell before it matches their DS3 cost. It just depends on the tariffs.

I've never used MLF before, just MLPPP, but in my experience, MLPPP works for my customers better than load-sharing. The only problems I've seen, and I'm working one this morning, is that Cisco has its usual bug issues. I had one customer on 12.3(6) and there's about 19 known bugs between 12.3(6) and MLPPP, a lot of which aren't resolved yet. One even made you reboot if you added or deleted a T1 from the bundle or the MLPPP bundle wouldn't come back up.

Diane Turley
Network Engineer
Xspedius Communications Co.
636-625-7178

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott McGrath
Sent: Thursday, September 16, 2004 8:12 PM
To: Bryce Enevoldson
Cc: [EMAIL PROTECTED]
Subject: Re: Multi-link Frame Relay OR Load Balancing

In my experience the breakeven point for a Frame Relay DS3 is 6 DS1 circuits. DS3's tend to be more reliable than DS1's as the ILEC usually installs a MUX at your site instead of running to the nearest channel bank and running the T1's over copper with a few repeaters thrown in for good measure.

Another nice thing about DS3's is that it is easy to scale bandwidth in the future by modifying the CIR on your link. Another feature is that since the link is faster the serialization delay is lower which will give you better latency and last but not least PA3+ for Cisco 7[2|5]xx routers are inexpensive and give you one call for service not a separate call for the CSU/DSU's and the serial line card you need to support a multilink solution.

Scott C. McGrath

On Thu, 16 Sep 2004, Bryce Enevoldson wrote:

We are in the process of updating our internet connection to 8 t1's bound together. Due to price, our options have been narrowed to ATT and MCI. I have two questions:

1. Which technology is better for binding t1's: multi link frame relay (mci's) or load balancing (att's)
2. Which company has a better pop in Atlanta: mci or att?

We are in the Chattanooga TN area and our current connection is 6 t1's through att but they will only bond 4 so they are split 4 and 2.

Bryce Enevoldson
Information Processing
Southern Adventist University
AS22534 Leaking, anybody alive their?
All attempts to reach them have failed. Ticket open with MFN to request that maybe put a prefix-list on this customer.. or maybe even max-prefixes..

Seems they're leaking their level3 transit routes to mfn:

eg: prefix: 64.12.0.0/16 (AOL)
6461 22534 3356 1668 8176 I

MFN in turn seems to be leaking it to all (or at least most) peers.

Sigh.
Re: AS22534 Leaking, anybody alive their?
On Fri, Sep 17, 2004 at 11:25:05AM -0500, Matt Levine wrote:

All attempts to reach them have failed. Ticket open with MFN to request that maybe put a prefix-list on this customer.. or maybe even max-prefixes..

Seems they're leaking their level3 transit routes to mfn:

eg: prefix: 64.12.0.0/16 (AOL)
6461 22534 3356 1668 8176 I

MFN in turn seems to be leaking it to all (or at least most) peers.

This is actually the 2nd major leak from MFN in the past couple of days. It would be nice if they would knock it off.

--
Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
My Worm is Bigger Than Yours
To give others further information on this sdbot.worm (continuing from my previous post http://www.merit.edu/mail.archives/nanog/msg01241.html) here are the main characteristics I've found on almost all variants I've come across. Obviously it seems to be a polymorphic form of worm, meaning its characteristics are changing.

Before I begin though I would hope no one would think it's off topic since there may be one variant of this worm flooding your network with randomly generated MAC addresses, not good on those switches. Also I wouldn't think it's off topic since most of you are likely already seeing, or will be seeing more traffic generated on ports 445, 80, and 82.

There seems to be one main executable, but I haven't found out which one this is. The names I've come across so far for most of the executables are somewhat synonymous with standard Windows programs.

Microsoft program    Worm's program
serv.exe             serv32.exe
services.exe         services32.exe
lsass.exe            lsass32.exe

The following is a list of the names of the executables I've come across which meet the criteria of this annoyance.

Setver32.exe
Regsrv32.exe
Wmmon32.exe
Mswinc.exe
Mswincv.exe
Mswinc32.exe
Systemiom.exe
Bling.exe
Rzqodp.exe
ftpd.exe

Other programs have garbled names e.g., wetyr.exe, oiure.exe

These programs typically tend to reside in:

C:\temp
C:\tmp
c:\Windows
c:\Windows\tmp
c:\Windows\system32
c:\Windows\system32\config\systemprofile

Along with the usual MSIE cache folder.

The programs have been appearing in Windows' registry as follows:

HKLM\SOFTWARE\MICROSOFT\OLE
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES
HKLM\SYSTEM\CONTROLSET001\CONTROL\LSA

Easiest thing to sort of do is ctrl-f for the names and you will usually see them bundled, but if you have to remove it, you want to search for each individually since some mix things up.
Name             Data
Setver32.exe     Windows Secure
Regserv32.exe    Reg Service
Mswinc.exe       Remote Procedure Calls
Mswinc32.exe     Remote Procedure Calls
Systemiom.exe    System Updater

Others have no Data associated with them.

Now, I haven't managed to zero in on which is sending out random MAC addresses yet, but eventually I will try; maybe an antivirus company can do so before me.

So let me explain a few quick oddities I've seen so far. Get a complaint: student is not connected. Go to dorm, repunch his port, no dice, open the closet, no dice. What was happening with his machine was his connection would come up, then go down the second it came up, then come right back up the second it went down. Same happened with a colleague. Bizarre, bizarre.

Another student: "I can't get my Interweb". Same thing, repunch her, repatch her machine with the latest Microsoft Fixitall Service Pack 7354738245, still no dice. Run through reinstalling drivers, swapping Ethernet cards, nothing. Redid some tweaks and she gets connected. Second she did get connected: "IP ADDRESS CONFLICT WITH FOO MAC". Only thing was, after searching the network, no MAC addresses with the number it was posting existed.

This particular issue with the MAC spoofing if you want to call it that, I prefer random MAC generation, was being flooded out through ports 80 and 82. So what will happen if some worm has the characteristics built in to generate MAC's when it tries to send out your router's or server's MAC address? You do the math. (NOTE: Still looking into this port 80 82 issue so could be a false alarm but nevertheless I've come across some odd things this past week which I'd never seen.)

Most of the worms that open the port 445 connections tend to open up hundreds if not thousands of requests, more than likely to infected machines. After the first few occurrences I came across, I would see a machine pop open a few hundred connections after seconds of their machine obtaining an address.
The first thing I would notice via netstats would be some form of IRC connection going out, so the possibilities would be either a DDoS slave, or it's sending information somewhere. Bling is supposedly set to send ALL_THINGS_RELATED_TO_LOGINS as well as Paypal information to some server; if it is sending information I can't find where it would be storing it. Keep in mind the prior code I was able to find regarding this annoyance where it modified antivirus software to either kill it, or to avoid detection, as well as kill your ability to use regedit, taskmgr, and other tools. There is the possibility it is storing something somewhere, I haven't come across it yet.

Finally (I think) the ftpd.exe which always seems to piggyback with the others, this little piggie more than likely may be the one turning the infected machine to a TFTP server whereby other infected machines ensure they stay infected. This seems to create a file called bla.txt. This text file lists the following:

Open 10.192.41.87
Re: Open-Source Network Management Tools
Syslog is a text protocol, so system developer can always write any message. SNMPTRAP is '1.2.3.4.5.6.7.8 'something happen blablabla' type of messages.

They are the same in other properties, I do agree - that's why we detect everything we can by 'polling'. There are many tools, converting one to another, so take it easy -:).

----- Original Message -----
From: Christian Kuhtz [EMAIL PROTECTED]
To: Alexei Roudnev [EMAIL PROTECTED]; Michael Smith [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, September 17, 2004 6:32 AM
Subject: Re: Open-Source Network Management Tools

What makes syslog so much more reliable in your opinion? There's no ability to find lost messages or have guaranteed delivery. At least not on 514/udp. If you can toss a trap, you can toss a syslog message.

That is, unless I've lost my mind this morning and need to go get more coffee.

On 9/17/04 3:53 AM, Alexei Roudnev [EMAIL PROTECTED] wrote:

I always tried to avoid any deal with SNMP TRAPS as most unreliable and inconvenient way of alerting (unfortunately, it can not be avoided totally). We use 'syslog' (syslog-ng + home written syslog analyzers + commercial soft, sometimes) when possible.

----- Original Message -----
From: Michael Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 15, 2004 9:10 AM
Subject: RE: Open-Source Network Management Tools

I'm looking for open-source alternatives for network management, such as Nagios or Big Brother. We are currently using WhatsUp Gold, and would like to move to something more flexible (and not running on a Windows platform). Something that has email/paging capabilities, and can process SNMP traps would be a plus for us as well. Recommendations? Thanks.

I'd like to expand the question by asking, what Open-Source applications do people use for SNMP Trap collecting and alarming? We're very happy with Nagios for polling, but we have a lot of optical components that send information via Traps that then needs to be culled, trimmed and analyzed.

Thanks,
Mike
RE: Open-Source Network Management Tools
-----Original Message-----
From: Alexei Roudnev [mailto:[EMAIL PROTECTED]
Sent: Friday, September 17, 2004 12:53 AM
To: Michael Smith; [EMAIL PROTECTED]
Subject: Re: Open-Source Network Management Tools

I always tried to avoid any deal with SNMP TRAPS as most unreliable and inconvenient way of alerting (unfortunately, it can not be avoided totally). We use 'syslog' (syslog-ng + home written syslog analyzers + commercial soft, sometimes) when possible.

Unfortunately, SNMP TRAPS are what is available on the SONET transport side of the network. There is no useful data to be gotten from polling. In addition, the fact that TRAPS are proactive instead of reactive means I am immediately aware of network events whereas I might miss something with a poll.

In addition, we have dry contact closures on these devices that TRAP only, no polling. Thankfully, the number of these events is small enough that syslog functions quite well.

Syslog has not been up to the task of working with the sheer volume of TRAPS generated when there is a significant event on the optical network. Sometimes we see the notification but not the resolution, sometimes we see all but the last line of a TRAP message, and sometimes we get nothing.

Thanks,
Mike
Re: Open-Source Network Management Tools
I'm looking for open-source alternatives for network management, such as Nagios or Big Brother. We are currently using WhatsUp Gold, and would like to move to something more flexible (and not running on a Windows platform). Something that has email/paging capabilities, and can process SNMP traps would be a plus for us as well. Recommendations? Thanks.

Have a look at http://www.itprc.com/nms.htm - I put together a list of open source/free NMS tools a while ago, hopefully it is still somewhat current.

irwin
Re: Open-Source Network Management Tools
There is another problem with TRAPS:

- when I code monitoring, I always need 2 messages:
  - CRITICAL
  - REPAIRED

(We have a few scripts making monitoring, and it always started with sending CRITICAL message only, and ended in sending both messages - it is impossible to work without having information _if condition still exists or not_.)

Unfortunately, neither SYSLOG nor SNMPTRAP have such positive notifications, which makes their use very difficult, and limit it to a very small set of really CRITICAL events.

I have not such problem with POLL:

- poll parameter, draw a chart;
- if parameter override threshold, 'SHORT FAILURE' event raised (no paging, just show a problem);
- if 'SHORT FAILURE' exists for some time, it is converted into CRITICAL and send alert;
- when problem fixed, it sends RESTORED message.

(See: ProactiveNetwork system; many opensource systems. Do not see - CA!, good example of terrible design. BMC is something average.)

As a result, you always can see:

- history of the parameter (so, if it is disk space, easy to understand, how much time do you have, for example);
- history of events (when it failed and when it restored);
- if someone other work this problem out.

Without it... I receive a message

ALERT, CRITICAL, server XXX, oid 1.2.3.4.5.6.DELL.RAID.blabla

I do not know (it's impossible) where to look - there is not any parameter associated with this message. I do not know, was it short condition (may be, disk was replaced in RAID) or it still exists (DISK failed now). In retrospective, manager do not see, how fast it was fixed.

It all makes SNMP TRAPS very inconvenient (not talking about possible loss of event).
- Original Message -
From: Michael Smith [EMAIL PROTECTED]
To: Alexei Roudnev [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, September 17, 2004 10:11 AM
Subject: RE: Open-Source Network Management Tools

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

-Original Message-
From: Alexei Roudnev [mailto:[EMAIL PROTECTED]
Sent: Friday, September 17, 2004 12:53 AM
To: Michael Smith; [EMAIL PROTECTED]
Subject: Re: Open-Source Network Management Tools

I always tried to avoid any dealings with SNMP TRAPS as the most unreliable and inconvenient way of alerting (unfortunately, it cannot be avoided totally). We use 'syslog' (syslog-ng + home written syslog analyzers + commercial soft, sometimes) when possible.

Unfortunately, SNMP TRAPS are what is available on the SONET transport side of the network. There is no useful data to be gotten from polling. In addition, the fact that TRAPS are proactive instead of reactive means I am immediately aware of network events whereas I might miss something with a poll. In addition, we have dry contact closures on these devices that TRAP only, no polling.

Thankfully, the number of these events is small enough that syslog functions quite well.

Syslog has not been up to the task of working with the sheer volume of TRAPS generated when there is a significant event on the optical network. Sometimes we see the notification but not the resolution, sometimes we see all but the last line of a TRAP message, and sometimes we get nothing.

Thanks,
Mike

-BEGIN PGP SIGNATURE-
Version: PGP 8.0.3
iQA/AwUBQUscOZzgx7Y34AxGEQK3oQCgg6bP3O4Pt5GyOPXsi+1tSvLrt2AAnjqs BeYnYocvvNjP1RqqfH2dq+HT =JrJP
-END PGP SIGNATURE-
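The poll-based cycle described in the message above (threshold crossed, 'SHORT FAILURE' shown without paging, escalation to CRITICAL after some time, then RESTORED), as an added example that is not part of the original thread. The class and function names, the "CLEARED" label for a short blip and the disk-usage samples are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PollMonitor:
    """One polled parameter with the SHORT FAILURE -> CRITICAL -> RESTORED cycle."""
    threshold: float               # a sample above this counts as a failure
    escalate_after: float          # seconds a failure must last before paging
    state: str = "OK"
    failed_since: Optional[float] = None
    history: list = field(default_factory=list)  # (time, value), for the chart
    events: list = field(default_factory=list)   # (time, event), for the event log

    def poll(self, now, value):
        """Record one sample; return the message to page out, or None."""
        self.history.append((now, value))
        if value > self.threshold:
            if self.state == "OK":
                self.state, self.failed_since = "SHORT FAILURE", now
                self.events.append((now, "SHORT FAILURE"))  # displayed, not paged
            elif (self.state == "SHORT FAILURE"
                  and now - self.failed_since >= self.escalate_after):
                self.state = "CRITICAL"
                self.events.append((now, "CRITICAL"))
                return "CRITICAL"
            return None  # nothing new to page, including while still CRITICAL
        previous, self.state, self.failed_since = self.state, "OK", None
        if previous == "CRITICAL":
            self.events.append((now, "RESTORED"))
            return "RESTORED"  # the paired positive notification
        if previous == "SHORT FAILURE":
            self.events.append((now, "CLEARED"))  # assumed label: logged, never paged
        return None

def replay(monitor, samples):
    """Feed (time, value) samples; return the pages that would be sent."""
    pages = []
    for now, value in samples:
        page = monitor.poll(now, value)
        if page:
            pages.append((now, page))
    return pages

# Constructed samples: disk usage in percent, polled every 60 seconds.
SAMPLES = [(0, 70), (60, 95), (120, 80), (180, 93), (240, 96), (300, 97), (360, 60)]

if __name__ == "__main__":
    disk = PollMonitor(threshold=90, escalate_after=120)
    for when, page in replay(disk, SAMPLES):
        print(when, page)
```

The one-sample spike at 60 s never pages; only the failure that persists for 120 s produces a CRITICAL, and it is always followed by a RESTORED.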
Weekly Routing Table Report
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. Daily listings are sent to [EMAIL PROTECTED]

If you have any comments please contact Philip Smith [EMAIL PROTECTED].

Routing Table Report 04:00 +10GMT Sat 18 Sep, 2004

Analysis Summary

BGP routing table entries examined: 146980
Prefixes after maximum aggregation: 87372
Unique aggregates announced to Internet: 70140
Total ASes present in the Internet Routing Table: 18068
Origin-only ASes present in the Internet Routing Table: 15701
Origin ASes announcing only one prefix: 7323
Transit ASes present in the Internet Routing Table: 2367
Transit-only ASes present in the Internet Routing Table: 75
Average AS path length visible in the Internet Routing Table: 4.6
Max AS path length visible: 22
Prefixes from unregistered ASNs in the Routing Table: 57
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 17
Number of addresses announced to Internet: 1338258084
Equivalent to 79 /8s, 196 /16s and 50 /24s
Percentage of available address space announced: 36.1
Percentage of allocated address space announced: 58.3
Percentage of available address space allocated: 61.9
Total number of prefixes smaller than registry allocations: 67376

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes: 28143
Total APNIC prefixes after maximum aggregation: 14195
Prefixes being announced from the APNIC address blocks: 26407
Unique aggregates announced from the APNIC address blocks: 14209
APNIC Region origin ASes present in the Internet Routing Table: 2143
APNIC Region origin ASes announcing only one prefix: 638
APNIC Region transit ASes present in the Internet Routing Table: 324
Average APNIC Region AS path length visible: 4.7
Max APNIC Region AS path length visible: 22
Number of APNIC addresses announced to Internet: 161969792
Equivalent to 9 /8s, 167 /16s and 118 /24s
Percentage of available APNIC address space announced: 73.9

APNIC AS Blocks 4608-4864, 7467-7722, 9216-10239, 17408-18431
                23552-24575
APNIC Address Blocks 58/7, 60/7, 202/7, 210/7, 218/7, 220/7 and 222/8

ARIN Region Analysis Summary

Prefixes being announced by ARIN Region ASes: 83808
Total ARIN prefixes after maximum aggregation: 51188
Prefixes being announced from the ARIN address blocks: 64163
Unique aggregates announced from the ARIN address blocks: 22757
ARIN Region origin ASes present in the Internet Routing Table: 9550
ARIN Region origin ASes announcing only one prefix: 3415
ARIN Region transit ASes present in the Internet Routing Table: 926
Average ARIN Region AS path length visible: 4.4
Max ARIN Region AS path length visible: 18
Number of ARIN addresses announced to Internet: 232603392
Equivalent to 13 /8s, 221 /16s and 63 /24s
Percentage of available ARIN address space announced: 69.3

ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106
               2138-2584, 2615-2772, 2823-2829, 2880-3153
               3354-4607, 4865-5119, 5632-6655, 6912-7466
               7723-8191, 10240-12287, 13312-15359, 16384-17407
               18432-20479, 21504-23551, 25600-26591,
               26624-27647, 29695-30719, 31744-33791
ARIN Address Blocks 24/8, 63/8, 64/6, 68/7, 70/7, 72/8, 198/7, 204/6, 208/7 and 216/8

RIPE Region Analysis Summary

Prefixes being announced by RIPE Region ASes: 27264
Total RIPE prefixes after maximum aggregation: 19026
Prefixes being announced from the RIPE address blocks: 24104
Unique aggregates announced from the RIPE address blocks: 15851
RIPE Region origin ASes present in the Internet Routing Table: 5826
RIPE Region origin ASes announcing only one prefix: 3131
RIPE Region transit ASes present in the Internet Routing Table: 997
Average RIPE Region AS path length visible: 5.2
Max RIPE Region AS path length visible: 21
Number of RIPE addresses announced to Internet: 171318592
Equivalent to 10 /8s, 54 /16s and 29 /24s
Percentage
RE: Multi-link Frame Relay OR Load Balancing
I am using MLFR with MCI currently. I have a Cisco 7204 VXR and it works like a champ. I have had times where one T1 circuit was down and I had no problems besides seeing the bandwidth utilization change. When it came up everything went back to normal. I am looking into an Ethernet Handoff due to cost savings, however MCI does not offer that in Cincinnati, but that is a completely different story. My T1's terminate into ATL and I am seeing great responses.

Mike Walter, MCP
PCD Network Solutions, Inc.
3z.net a PCD Company
http://www.3z.net

-Original Message-
From: Peering [mailto:[EMAIL PROTECTED]
Sent: Friday, September 17, 2004 11:13 AM
To: Scott McGrath; Bryce Enevoldson
Cc: [EMAIL PROTECTED]
Subject: RE: Multi-link Frame Relay OR Load Balancing

Depending on your area, DS3 isn't necessarily cheaper than 8 T1s. I know in some markets, I have to buy 16 T1s from Bell before it matches their DS3 cost. It just depends on the tariffs.

I've never used MLF before, just MLPPP, but in my experience, MLPPP works for my customers better than load-sharing. The only problems I've seen, and I'm working one this morning, is that Cisco has its usual bug issues. I had one customer on 12.3(6) and there's about 19 known bugs between 12.3(6) and MLPPP, a lot of which aren't resolved yet. One even made you reboot if you added or deleted a T1 from the bundle or the MLPPP bundle wouldn't come back up.

Diane Turley
Network Engineer
Xspedius Communications Co.
636-625-7178

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott McGrath
Sent: Thursday, September 16, 2004 8:12 PM
To: Bryce Enevoldson
Cc: [EMAIL PROTECTED]
Subject: Re: Multi-link Frame Relay OR Load Balancing

In my experience the breakeven point for a Frame Relay DS3 is 6 DS1 circuits. DS3's tend to be more reliable than DS1's as the ILEC usually installs a MUX at your site instead of running to the nearest channel bank and running the T1's over copper with a few repeaters thrown in for good measure.

Another nice thing about DS3's is that it is easy to scale bandwidth in the future by modifying the CIR on your link. Another feature is that since the link is faster the serialization delay is lower which will give you better latency and last but not least PA3+ for Cisco 7[2|5]xx routers are inexpensive and give you one call for service not a separate call for the CSU/DSU's and the serial line card you need to support a multilink solution.

Scott C. McGrath

On Thu, 16 Sep 2004, Bryce Enevoldson wrote:

We are in the process of updating our internet connection to 8 t1's bound together. Due to price, our options have been narrowed to ATT and MCI. I have two questions:

1. Which technology is better for binding t1's: multi link frame relay (mci's) or load balancing (att's)
2. Which company has a better pop in Atlanta: mci or att?

We are in the Chattanooga TN area and our current connection is 6 t1's through att but they will only bond 4 so they are split 4 and 2.

Bryce Enevoldson
Information Processing
Southern Adventist University
Re: AS22534 Leaking, anybody alive their?
On Fri, Sep 17, 2004 at 11:25:05AM -0500, Matt Levine wrote:

All attempts to reach them have failed.

Am I the only person that finds this ironic?

# ARIN WHOIS database, last updated 2004-09-16 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

OrgName:    Proficient Networks, Inc.
OrgID:      PROFIC-1
Address:    300 California Street, Suite 500
City:       San Francisco
StateProv:  CA
PostalCode: 94104
Country:    US

ASNumber:   22534
ASName:     PROFICIENT
ASHandle:   AS22534
Comment:
RegDate:    2001-10-12
Updated:    2002-03-21

TechHandle: IP90-ARIN
TechName:   Proficient Networks, Inc.
TechPhone:  +1-415-364-1000
TechEmail:  [EMAIL PROTECTED]

Ticket open with MFN to request that maybe put a prefix-list on this customer..or maybe even max-prefixes..

Generally speaking all of their customers have prefix lists, I wonder how this session got broken.

--msa
NYSE
Does anyone have experience in setting up a direct connection with NYSE, specifically SIAC or SFTI?
Re: Open-Source Network Management Tools
Nothing good exists (I tried all opensource I could find). We are developing (improving) our scripts, and I hope to make it the same quality as CCR or snmpstat and post on the sourceforge, but now it is just a set of scripts - on one server, and MySQL database + set of scripts - on another, without documentation etc.

Problem is that it should not be simple filters; system should:
- assign recipients to the host;
- allow user to set up temporary BLACK and WHITE filters;
- send alert first time, when it sees something, and do not send it if messages are repeated (until time expired or number of messages will be too great);
- allow filters such as _too many messages of this kind_ or _logfile size too big_;
- etc etc.

We have CA (99% junk!) and tried ProactiveNetwork (very good, but syslog and eventlog analyzers are still very primitive). I do not need software _write your own filters_, I need written filters, it is a difference.

(Anyway, we post all syslogs on monitoring web, in a few groups:
- all today's messages in a big heap;
- access logs;
- errors;
- logs per host;

all logs are saved separately for every date (we generate web links every night, so making file rotation unnecessary) and are gzipped after some time. As a result, I have a full 2 years history of syslog on the web, easy to analyze, and have a 'search' script allowing to find anything.)

- Original Message -
From: Chris Allermann [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 17, 2004 6:25 AM
Subject: Re: Open-Source Network Management Tools

Just curious, what kind of commercial/opensource software do you use for syslog analysis and alerting? I also run syslog-ng and have some filters written to ignore some of the more mundane syslog messages. Also have swatch half implemented and semi working, but I'm looking for a cleaner, and more manageable tool for syslog based alerting.
On Fri, 2004-09-17 at 03:53, Alexei Roudnev wrote:

I always tried to avoid any dealings with SNMP TRAPS as the most unreliable and inconvenient way of alerting (unfortunately, it cannot be avoided totally). We use 'syslog' (syslog-ng + home written syslog analyzers + commercial soft, sometimes) when possible.

- Original Message -
From: Michael Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 15, 2004 9:10 AM
Subject: RE: Open-Source Network Management Tools

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I'm looking for open-source alternatives for network management, such as Nagios or Big Brother. We are currently using WhatsUp Gold, and would like to move to something more flexible (and not running on a Windows platform). Something that has email/paging capabilities, and can process SNMP traps would be a plus for us as well. Recommendations? Thanks.

I'd like to expand the question by asking, what Open-Source applications do people use for SNMP Trap collecting and alarming? We're very happy with Nagios for polling, but we have a lot of optical components that send information via Traps that then needs to be culled, trimmed and analyzed.

Thanks,
Mike

-BEGIN PGP SIGNATURE-
Version: PGP 8.0.3
iQA/AwUBQUhq+Zzgx7Y34AxGEQJP6gCgh1KW5vvq2fRh4WBSik1Q7Ay31okAoIAh ZKUgPFi9PZhDpOGIAXXOIY9W =oD9A
-END PGP SIGNATURE-
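The repeat-suppression requirement listed in the message above (alert on first sight, stay quiet on repeats until a time expires or the number of messages gets too great), as an added example that is not part of the original thread and not the posters' own scripts. The class name, the digit-collapsing normalisation, the default limits and the sample lines are assumptions made for illustration.

```python
import re

class AlertSuppressor:
    """Alert on first sight, stay quiet on repeats, flag floods once."""

    def __init__(self, hold_seconds=600, burst_limit=3):
        self.hold_seconds = hold_seconds  # quiet period after the first alert
        self.burst_limit = burst_limit    # repeats in that period that count as a flood
        self.seen = {}                    # kind -> [window_start, repeats, flood_sent]

    @staticmethod
    def kind(host, message):
        # Crude normalisation (an assumption): digit runs become '#', so lines
        # differing only in ports, PIDs or addresses are one kind of message.
        return host, re.sub(r"\d+", "#", message)

    def feed(self, now, host, message):
        """Return 'ALERT', 'TOO MANY' or None when the line is suppressed."""
        k = self.kind(host, message)
        entry = self.seen.get(k)
        if entry is None or now - entry[0] >= self.hold_seconds:
            self.seen[k] = [now, 0, False]   # first sight, or hold time expired
            return "ALERT"
        entry[1] += 1
        if entry[1] >= self.burst_limit and not entry[2]:
            entry[2] = True                  # report the flood once per window
            return "TOO MANY"
        return None

def run(lines, **settings):
    """Feed (time, host, message) tuples; return the notifications sent."""
    suppressor = AlertSuppressor(**settings)
    sent = []
    for now, host, message in lines:
        verdict = suppressor.feed(now, host, message)
        if verdict:
            sent.append((now, host, verdict))
    return sent

# Constructed syslog lines (time in seconds, host, message text).
LINES = [
    (0, "fw1", "login failed for admin from 192.0.2.10 port 4022"),
    (5, "fw1", "login failed for admin from 192.0.2.10 port 4023"),
    (9, "fw1", "login failed for admin from 192.0.2.10 port 4024"),
    (12, "fw1", "login failed for admin from 192.0.2.10 port 4025"),
    (15, "fw1", "login failed for admin from 192.0.2.10 port 4026"),
    (20, "rtr2", "fan failure in slot 3"),
    (700, "fw1", "login failed for admin from 192.0.2.10 port 4030"),
]
```

Seven input lines become four notifications: the first sight on each host, one flood notice for the repeated login failures, and a fresh alert once the hold time has expired.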
Equipment Shelter with Backup Generator
I am looking for ideas/suppliers for placing network equipment and satellite earth station equipment in remote locations. There are no suitable facilities to colocate but single phase power is available. Any ideas where to find a secure steel clad building, that fits a couple of racks, has environmental conditioning, room for a UPS and generator backup?

Thanks,
Adi
BGP Load Sharing
I am hoping to learn from the great pool of experience on this list. We currently have 2 OC3 connections going to 2 separate providers. We are using netflow statistics to balance our traffic flows (which outgoing is our major concern). Flow tools, snmp output, some custom scripts, and some bgp weighting does the trick.

We are in the process of upgrading to Cisco 12012 GSRs, and adding additional connectivity. We need to find something we can use to do the same type of thing on the 12012 GSR. The custom scripts work fine.. but it appears some line cards don't support netflow.

1) Is there an open source software that will assist us in load sharing?
2) Are there specific cards we need for netflow on a 12000 series? Is the difference based on Line Card Engine (0,1,2,3,etc)?
3) Is there an alternate way to control outgoing traffic flow to multiple upstreams using bgp (besides splitting the address range up and blindly pointing chunks to each provider)?

Thanks,
-Chris Strandt
Liquid Web Inc