Re: Network Monitoring System - Recommendations?
> I read document of these tools and find they work with > Cisco products. But, how about Juniper M160 or M320, > Unishpere's BRAS products? Where can I find Juniper's > OID on its tempreture, chassis, CPU, bandwidth ? Does They use standart MIB2 and a little of Cisco specific MIB's. As I already said, it is a good tool to view and monitor traffic, utilisation, errors, and use additional tiool to deep monitor vendor specific parameters. We use 'snmpstat' to monitor routers, switches, ports and interfaces (and bgp) and cricket to watch few additional parameters (to configure alerts, we use aliases and mhonarc mail archives with auto expiration - for alerts, warnings, reports and audits, and for 'root' and 'oracle' e-mail. > anyone have a running configuration for M160 or > Unishpere's BRAS products? CCR can work with anything which (1) allow telnet or ssh, and (2) can 'write net' config (in any syntax). You can use encrypted password file (using passphrase) if you want. Using SNMP was rejected, because it is absolutely device-specific, impossible in many cases, and we never saw it as a security problem, because all devices are restricted to allow ssh or telnet from 2 or 3 servers only, because passwords are encrypted, and because automated config reading and web access aree much more important vs very abstract possibility of hacking (in reality, problem can come from insiders, not from hackers, so no extra accounst are allowed on monitoring server). You can get configuratuion (initialize tftp transfer) using some snmp (WRITE) variable and pre-configured tftp parameters, but it works on a very few Cisco devices only. As I said, CCR uses 3 methods: - password file encrypted by public key - password file encrypted by 3des passphrase; - explicit password. In all cases, problem is with root user only - root can alway decrypt password or interseipt web session. User, who have permission to edit CCR config and know passphrase, can (in theory) see passwords as well. Other users can not, even if they know passphrase - they can only initiate config reading. Network admins do not know enable passwords, if they do not need it - they use passphrase To have automated config reading, any of first 2 methods can be used (passphrase must be written into special file, if method 2 is used, root-only readable). For manual reading, any methgod can be used, without any file with passphrase. In reality, it is not serious security problem because all devices can be accessed from a very few servers only, and because we can use 'ssh' instead of 'telnet' (CCR can be configured or select ssh/telnet automatically). You can, in turn, play with security level , but it (again) does not work on generic case (any cisco device) and is very tricky. For Juniper or other device - you can try to program 'expect' script, or use 'snmp' initiated transfer - all other things will work. > > On configuration bankup, rancid use telnet (ssh). But, > I take this a not-secure methode as it has to code > password in login script. Is there any tool to get > configuration file from read-only SNMP cumminity? > > > Joe > > > > --- Jon Lyons <[EMAIL PROTECTED]> wrote: > > > > > > Checkout http://perfparse.sourceforge.net/ lets you > > graph the data from the nagios plugins... > > > > --- Alexei Roudnev <[EMAIL PROTECTED]> wrote: > > > > > > > > I generated config for 'snmpstatd' automatically, > > > from user;'s database (it > > > was simple; all I need was Router, Interface, > > > User-name, number for this > > > user, priority). > > > > > > For automated config backups, I use CCR (fully web > > > based Cisco > > > configuration -> CVS system). > > > > > > > > > - Original Message - > > > From: "Andy Dills" <[EMAIL PROTECTED]> > > > To: "Charlie Khanna - NextWeb" > > <[EMAIL PROTECTED]> > > > Cc: <[EMAIL PROTECTED]> > > > Sent: Thursday, October 28, 2004 11:46 AM > > > Subject: Re: Network Monitoring System - > > > Recommendations? > > > > > > > > > > > > > > On Thu, 28 Oct 2004, Charlie Khanna - NextWeb > > > wrote: > > > > > > > > > Hi - I was interested in finding out what > > > software applications other > > > ISPs > > > > > are using for network monitoring? For > > example: > > > > > > > > > > > > > > > > > > > > 1) Overall network health - uptime > > reports > > > > > > > > http://www.nagios.org > > > > > > > > > 2) Backup router config automatically > > > > > > > > http://www.shrubbery.net/rancid/ > > > > > > > > > 3) Bandwidth reporting (or integration > > > with an MRTG-type app) > > > > > > > > http://cricket.sourceforge.net/ > > > > > > > > > 4) SNMP trap support (BGP/OSPF session > > > drops - emails out) > > > > > > > > http://www.snmptt.org/ > > > > http://www.nagios.org > > > > > > > > > 5) Database back end (port info into or > > > over to other apps) > > > > > > > > > > I'm just looking for something well rounded > > for > > > a small ISP. I've heard > > > > > about OpenNMS and other app
Re: IPv6 support for com/net zones on October 19, 2004
> Date: Wed, 27 Oct 2004 16:01:45 -0400 > From: Joe Abley <[EMAIL PROTECTED]> > Subject: Re: IPv6 support for com/net zones on October 19, 2004 > [ ... ] > We've had reports before of F's covering /48 (2001:500::/48) being > filtered by some people, based on the conviction that /48s were always > bad and should never be accepted by anybody. It's possible that this is > biting Verisign, too. A nice and handy tool to see if something is being propagated and/or filtered is the SixXS.net GRH Tool which allows prefix comparison(s): http://www.sixxs.net/tools/grh/compare/?when=current&format=html&a=2001:503:a83e::/48&b=2001:500::/48 (not much sense, since the AS's differ ;D) SixXS.net actively welcomes Ghost Route Hunter peers: http://www.sixxs.net/tools/grh/peering/ Regards, JP Velders
IPv6 martian filtering (some /48s should be permitted) and SiXXS GRH
On 1 Nov 2004, at 05:40, JP Velders wrote: A nice and handy tool to see if something is being propagated and/or filtered is the SixXS.net GRH Tool which allows prefix comparison(s): http://www.sixxs.net/tools/grh/compare/? when=current&format=html&a=2001:503:a83e::/48&b=2001:500::/48 (not much sense, since the AS's differ ;D) Jeroen Massar pointed me at GRH after my last post, too. Having tried some of the tools therein, I highly recommend them. F-root has its own ARIN assignment (2001:500::/48) as mentioned before, but ISC also has a separate allocation which is used for all its other activites: 2001:4f8::/32. Using that same path comparison tool to compare propagation of those two prefixes provides a good illustration of import filtering problems: http://www.sixxs.net/tools/grh/compare/?a=2001:500::/48&b=2001:4f8::/32 There are lots of GRH participants who see the /32, but who don't see the /48 at all. There are also people who see different paths for each advertisement, which suggests that they are not being allowed to propagate in the same directions. (There are also some anycast artificats in there; 2001:500::/48 is anycast from various places, and hence shorter paths for 2001:500::/48 vs. 2001:4f8::/48 are to be expected in some cases.) http://www.space.net/~gert/RIPE/ipv6-filters.html Joe
Re: why upload with adsl is faster than 100M ethernet ?
On Fri, 15 Oct 2004 00:14:11 -0800, Joe Shen wrote: >|-(ADSL)\ > customer/ --Edge_router---...---Japan Server > \-(100Methernet)-/ it is probably worth doing an experiment, by placing a target host just before the edge router, inside your net, and verify that you do not get the (bad) differential performance there. d/ -- Dave Crocker Brandenburg InternetWorking +1.408.246.8253 dcrocker a t ... www.brandenburg.com
VSNL buys Tyco submarine cable network for $130m
Rather obvious sequence of events ... * VSNL as India's former government owned monopoly telco, got exclusive rights on the FLAG cable landing in India, and kept a tight hold on it, only agreeing to sell at the most 10% of available capacity, at rather rates (add to it refusing to let its downstreams - most ISPs in India, back then, peer locally at vsnl, and so forcing all local traffic through expensive international links). * VSNL was privatized, taken over by the Tata Group .. still kept their hold on FLAG's cable landing in India. * VSNL's arch rival Reliance went one up on them and bought FLAG telecom * So, now VSNL goes and buys Tyco - another large submarine cable provider srs http://www.hinduonnet.com/thehindu/holnus/001200411020354.htm VSNL acquires Tyco for $130 mn New Delhi, Nov. 2. (PTI): Tatas-owned Videsh Sanchar Nigam Ltd on Monday decided to acquire Tyco Global Network, submarine cable system, for 130 million dollars. The acquisition, which is subject to government approval in the United States, India and other countries, would give VSNL control over a network spanning 60,000 km and three continents. "The agreement is a major step forward in our ongoing drive to offer our enterprise and carrier customers seamless, end-to-end telecommunications solutions that circle the globe," N Srinath, Director (Operations) of VSNL, said. "This coupled with the submarine cable we plan to launch shortly connecting India with Singapore," he said, adding that this will give customers a new choice in global data services. "Furthermore, the timing of this transaction is well suited to our international expansion plans," Srinath said.
Re: Network Monitoring System - Recommendations?
Hi, I googled with "CCR" but it seems nothing useful in 5 pages. Would you please do me a favor to give the URL of that tool ? I tried to set up MRTG monitoring Unishpere BRAS 1400 and M160, but I failed with data collection because wrong OID used ( CPU, mem, tempreture, BW etc ) :-( regards --- Alexei Roudnev <[EMAIL PROTECTED]> wrote: > > > > > I read document of these tools and find they work > with > > Cisco products. But, how about Juniper M160 or > M320, > > Unishpere's BRAS products? Where can I find > Juniper's > > OID on its tempreture, chassis, CPU, bandwidth ? > Does > They use standart MIB2 and a little of Cisco > specific MIB's. As I already > said, it is a good tool to view and monitor traffic, > utilisation, errors, > and use additional tiool to deep monitor vendor > specific parameters. We use > 'snmpstat' to monitor routers, switches, ports and > interfaces (and bgp) and > cricket to watch few additional parameters (to > configure alerts, we use > aliases and mhonarc mail archives with auto > expiration - for alerts, > warnings, reports and audits, and for 'root' and > 'oracle' e-mail. > > > anyone have a running configuration for M160 or > > Unishpere's BRAS products? > CCR can work with anything which (1) allow telnet or > ssh, and (2) can 'write > net' config (in any syntax). > You can use encrypted password file (using > passphrase) if you want. Using > SNMP was rejected, because it is absolutely > device-specific, impossible in > many cases, and we never saw it as a security > problem, because all devices > are restricted to allow ssh or telnet from 2 or 3 > servers only, because > passwords are encrypted, and because automated > config reading and web access > aree much more important vs very abstract > possibility of hacking (in > reality, problem can come from insiders, not from > hackers, so no extra > accounst are allowed on monitoring server). > > You can get configuratuion (initialize tftp > transfer) using some snmp > (WRITE) variable and pre-configured tftp parameters, > but it works on a very > few Cisco devices only. > > As I said, CCR uses 3 methods: > - password file encrypted by public key > - password file encrypted by 3des passphrase; > - explicit password. > > In all cases, problem is with root user only - root > can alway decrypt > password or interseipt web session. User, who have > permission to edit CCR > config and know passphrase, can (in theory) see > passwords as well. Other > users can not, even if they know passphrase - they > can only initiate config > reading. > > Network admins do not know enable passwords, if they > do not need it - they > use passphrase > > To have automated config reading, any of first 2 > methods can be used > (passphrase must be written into special file, if > method 2 is used, > root-only readable). For manual reading, any methgod > can be used, without > any file with passphrase. > > In reality, it is not serious security problem > because all devices can be > accessed from a very few servers only, and because > we can use 'ssh' instead > of 'telnet' (CCR can be configured or select > ssh/telnet automatically). You > can, in turn, play with security level , but it > (again) does not work on > generic case (any cisco device) and is very tricky. > > For Juniper or other device - you can try to program > 'expect' script, or use > 'snmp' initiated transfer - all other things will > work. > > > > > > > On configuration bankup, rancid use telnet (ssh). > But, > > I take this a not-secure methode as it has to code > > password in login script. Is there any tool to get > > configuration file from read-only SNMP cumminity? > > > > > > Joe > > > > > > > > --- Jon Lyons <[EMAIL PROTECTED]> wrote: > > > > > > > > > Checkout http://perfparse.sourceforge.net/ lets > you > > > graph the data from the nagios plugins... > > > > > > --- Alexei Roudnev <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > I generated config for 'snmpstatd' > automatically, > > > > from user;'s database (it > > > > was simple; all I need was Router, Interface, > > > > User-name, number for this > > > > user, priority). > > > > > > > > For automated config backups, I use CCR (fully > web > > > > based Cisco > > > > configuration -> CVS system). > > > > > > > > > > > > - Original Message - > > > > From: "Andy Dills" <[EMAIL PROTECTED]> > > > > To: "Charlie Khanna - NextWeb" > > > <[EMAIL PROTECTED]> > > > > Cc: <[EMAIL PROTECTED]> > > > > Sent: Thursday, October 28, 2004 11:46 AM > > > > Subject: Re: Network Monitoring System - > > > > Recommendations? > > > > > > > > > > > > > > > > > > On Thu, 28 Oct 2004, Charlie Khanna - > NextWeb > > > > wrote: > > > > > > > > > > > Hi - I was interested in finding out what > > > > software applications other > > > > ISPs > > > > > > are using for network monitoring? For > > > example: > > > > > > > > > > > > > > > > > > > > > > > > 1) Overall network health - uptime > > > reports > > > > > >
Re: why upload with adsl is faster than 100M ethernet ?
Thanks. I've done the experiments. The reason is: the 100Mbps ethernet is so fast that it could fill the buffer of bottleneck link very quickly ( Path_mtu, burstness of traffic). There may also exist ACK compression in reverse path . Joe --- Dave Crocker <[EMAIL PROTECTED]> wrote: > On Fri, 15 Oct 2004 00:14:11 -0800, Joe Shen wrote: > >|-(ADSL)\ > > customer/ > --Edge_router---...---Japan Server > > \-(100Methernet)-/ > > > it is probably worth doing an experiment, by placing > a target host > just before the edge router, inside your net, and > verify that you do > not get the (bad) differential performance there. > > > d/ > -- > Dave Crocker > Brandenburg InternetWorking > +1.408.246.8253 > dcrocker a t ... > www.brandenburg.com > > > __ Do You Yahoo!? Log on to Messenger with your mobile phone! http://sg.messenger.yahoo.com
Re: Network Monitoring System - Recommendations?
ï Nagios is one of the best systems (and widely used). CCR is part of snmpstat (but separate installation tar), see http://snmpstat.sf.net - Original Message - From: J Sparacio To: Joe Shen Cc: Alexei Roudnev ; Jon Lyons ; Andy Dills ; Charlie Khanna - NextWeb ; [EMAIL PROTECTED] Sent: Monday, November 01, 2004 9:54 PM Subject: Re: Network Monitoring System - Recommendations? There's a cool one that's open source called Nagios. www.nagios.org. We (local ISP) just started using it network wide, and it rocks.On Mon, 2004-11-01 at 20:53, Joe Shen wrote: Hi, I googled with "CCR" but it seems nothing useful in 5 pages. Would you please do me a favor to give the URL of that tool ? I tried to set up MRTG monitoring Unishpere BRAS 1400 and M160, but I failed with data collection because wrong OID used ( CPU, mem, tempreture, BW etc ) :-( regards --- Alexei Roudnev <[EMAIL PROTECTED]> wrote: > > > > > I read document of these tools and find they work > with > > Cisco products. But, how about Juniper M160 or > M320, > > Unishpere's BRAS products? Where can I find > Juniper's > > OID on its tempreture, chassis, CPU, bandwidth ? > Does > They use standart MIB2 and a little of Cisco > specific MIB's. As I already > said, it is a good tool to view and monitor traffic, > utilisation, errors, > and use additional tiool to deep monitor vendor > specific parameters. We use > 'snmpstat' to monitor routers, switches, ports and > interfaces (and bgp) and > cricket to watch few additional parameters (to > configure alerts, we use > aliases and mhonarc mail archives with auto > expiration - for alerts, > warnings, reports and audits, and for 'root' and > 'oracle' e-mail. > > > anyone have a running configuration for M160 or > > Unishpere's BRAS products? > CCR can work with anything which (1) allow telnet or > ssh, and (2) can 'write > net' config (in any syntax). > You can use encrypted password file (using > passphrase) if you want. Using > SNMP was rejected, because it is absolutely > device-specific, impossible in > many cases, and we never saw it as a security > problem, because all devices > are restricted to allow ssh or telnet from 2 or 3 > servers only, because > passwords are encrypted, and because automated > config reading and web access > aree much more important vs very abstract > possibility of hacking (in > reality, problem can come from insiders, not from > hackers, so no extra > accounst are allowed on monitoring server). > > You can get configuratuion (initialize tftp > transfer) using some snmp > (WRITE) variable and pre-configured tftp parameters, > but it works on a very > few Cisco devices only. > > As I said, CCR uses 3 methods: > - password file encrypted by public key > - password file encrypted by 3des passphrase; > - explicit password. > > In all cases, problem is with root user only - root > can alway decrypt > password or interseipt web session. User, who have > permission to edit CCR > config and know passphrase, can (in theory) see > passwords as well. Other > users can not, even if they know passphrase - they > can only initiate config > reading. > > Network admins do not know enable passwords, if they > do not need it - they > use passphrase > > To have automated config reading, any of first 2 > methods can be used > (passphrase must be written into special file, if > method 2 is used, > root-only readable). For manual reading, any methgod > can be used, without > any file with passphrase. > > In reality, it is not serious security problem > because all devices can be > accessed from a very few servers only, and because > we can use 'ssh' instead > of 'telnet' (CCR can be configured or select > ssh/telnet automatically). You > can, in turn, play with security level , but it > (again) does not work on > generic case (any cisco device) and is very tricky. > > For Juniper or other device - you can try to program > 'expect' script, or use > 'snmp' initiated transfer - all other things will > work. > > > > > > > On configuration bankup, rancid use telnet (ssh). > But, > > I take this a not-secure methode as it has to code > > password in login script. Is there any tool to get > > configuration file from read-only SNMP cumminity? > > > > > > Joe > > > > > > > > --- Jon Lyons <[EMAIL PROTECTED]> wrote: > > > > > > > > > Checkout http://perfparse.sourceforge.net/ lets > you > > > graph the data from the nagios plugins... > > > > > > --- Alexei Roudnev <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > I generated config for 'snmpstatd' > automatically, > > > > from user;'s database (it > > > > was simple; all I need was Router, Interface, > > > > User-name, number for this > > > > user, priority). > > > > > > > > For automated config backups, I use CCR (fully > web > > > > based Cisco > > > > configuration -> CVS system). > > > > > > > > > > > > - Original Message - > > > > From: "Andy Dills" <[EMAIL PROTECTED]
Re: Network Monitoring System - Recommendations?
Here: http://sourceforge.net/projects/snmpstat and docs are here http://snmpstat.sourceforge.net/CCR-config.htm - Original Message - From: "Joe Shen" <[EMAIL PROTECTED]> To: "Alexei Roudnev" <[EMAIL PROTECTED]>; "Jon Lyons" <[EMAIL PROTECTED]>; "Andy Dills" <[EMAIL PROTECTED]>; "Charlie Khanna - NextWeb" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Monday, November 01, 2004 5:53 PM Subject: Re: Network Monitoring System - Recommendations? > > Hi, > > I googled with "CCR" but it seems nothing useful in 5 > pages. Would you please do me a favor to give the URL > of that tool ? > > > I tried to set up MRTG monitoring Unishpere BRAS 1400 > and M160, but I failed with data collection because > wrong OID used ( CPU, mem, tempreture, BW etc ) :-( > > regards > > > > --- Alexei Roudnev <[EMAIL PROTECTED]> wrote: > > > > > > > > > I read document of these tools and find they work > > with > > > Cisco products. But, how about Juniper M160 or > > M320, > > > Unishpere's BRAS products? Where can I find > > Juniper's > > > OID on its tempreture, chassis, CPU, bandwidth ? > > Does > > They use standart MIB2 and a little of Cisco > > specific MIB's. As I already > > said, it is a good tool to view and monitor traffic, > > utilisation, errors, > > and use additional tiool to deep monitor vendor > > specific parameters. We use > > 'snmpstat' to monitor routers, switches, ports and > > interfaces (and bgp) and > > cricket to watch few additional parameters (to > > configure alerts, we use > > aliases and mhonarc mail archives with auto > > expiration - for alerts, > > warnings, reports and audits, and for 'root' and > > 'oracle' e-mail. > > > > > anyone have a running configuration for M160 or > > > Unishpere's BRAS products? > > CCR can work with anything which (1) allow telnet or > > ssh, and (2) can 'write > > net' config (in any syntax). > > You can use encrypted password file (using > > passphrase) if you want. Using > > SNMP was rejected, because it is absolutely > > device-specific, impossible in > > many cases, and we never saw it as a security > > problem, because all devices > > are restricted to allow ssh or telnet from 2 or 3 > > servers only, because > > passwords are encrypted, and because automated > > config reading and web access > > aree much more important vs very abstract > > possibility of hacking (in > > reality, problem can come from insiders, not from > > hackers, so no extra > > accounst are allowed on monitoring server). > > > > You can get configuratuion (initialize tftp > > transfer) using some snmp > > (WRITE) variable and pre-configured tftp parameters, > > but it works on a very > > few Cisco devices only. > > > > As I said, CCR uses 3 methods: > > - password file encrypted by public key > > - password file encrypted by 3des passphrase; > > - explicit password. > > > > In all cases, problem is with root user only - root > > can alway decrypt > > password or interseipt web session. User, who have > > permission to edit CCR > > config and know passphrase, can (in theory) see > > passwords as well. Other > > users can not, even if they know passphrase - they > > can only initiate config > > reading. > > > > Network admins do not know enable passwords, if they > > do not need it - they > > use passphrase > > > > To have automated config reading, any of first 2 > > methods can be used > > (passphrase must be written into special file, if > > method 2 is used, > > root-only readable). For manual reading, any methgod > > can be used, without > > any file with passphrase. > > > > In reality, it is not serious security problem > > because all devices can be > > accessed from a very few servers only, and because > > we can use 'ssh' instead > > of 'telnet' (CCR can be configured or select > > ssh/telnet automatically). You > > can, in turn, play with security level , but it > > (again) does not work on > > generic case (any cisco device) and is very tricky. > > > > For Juniper or other device - you can try to program > > 'expect' script, or use > > 'snmp' initiated transfer - all other things will > > work. > > > > > > > > > > > > On configuration bankup, rancid use telnet (ssh). > > But, > > > I take this a not-secure methode as it has to code > > > password in login script. Is there any tool to get > > > configuration file from read-only SNMP cumminity? > > > > > > > > > Joe > > > > > > > > > > > > --- Jon Lyons <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > > Checkout http://perfparse.sourceforge.net/ lets > > you > > > > graph the data from the nagios plugins... > > > > > > > > --- Alexei Roudnev <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > > > > I generated config for 'snmpstatd' > > automatically, > > > > > from user;'s database (it > > > > > was simple; all I need was Router, Interface, > > > > > User-name, number for this > > > > > user, priority). > > > > > > > > > > For automated config backups, I use CCR (fully > > web > > > > > based Cisco > > > > > configurati
