RE: BGP Filtering
Ben,

Look here. They show an example of prefix filtering on the 128.0.0.0/8 network. I would assume you could extrapolate and come up with your own rule.

http://www.cisco.com/en/US/docs/ios/12_0/np1/configuration/guide/1cbgp.html#wp7487

Mike Walter, MCP
Systems Administrator
3z.net a PCD Company
http://www.3z.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Butler
Sent: Tuesday, January 15, 2008 11:45 AM
To: nanog@merit.edu
Subject: RE: BGP Filtering

Hi Jason,

Fantastic news, it is possible. We are using Cisco - would you be so kind as to give me a clue into which bit of Cisco's website you would like me to read as I have already read the bits I suspected might tell me how to do this but have guessed wrong / the documentation hasn't helped - so a handy pointer would be appreciated.

Kind Regards

Ben

-----Original Message-----
From: Jason Dearborn [mailto:[EMAIL PROTECTED]
Sent: 15 January 2008 16:35
To: Ben Butler
Subject: Re: BGP Filtering

That's typically a function of your router software. Juniper, Force10, and Cisco all have support for this. Check your manual.

On Jan 15, 2008 8:11 AM, Ben Butler <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> Considering:
>
> http://thyme.apnic.net
>
> Total number of prefixes smaller than registry allocations: 113220
> !
>
> /20:17046 /21:16106 /22:20178 /23:21229 /24:126450
>
> That is saying to me that a significant number of these smaller
> prefixes are due to de-aggregation of PA and not PI announcements.
>
> My question is - how can I construct a filter / route map that will
> filter out any more specific prefixes where a less specific one exists
> in the BGP table.
>
> If my above conclusion is correct a significant portion ~47% of the
> number of the prefixes in the table could be argued to be very
> unnecessary at one level or another.
>
> Is such a filter possible easily or would it have to be explicitly
> declared, any chance of a process that automatically tracks and
> publishes a list of offending specifics similar to Team Cymru's Bogon BGP feed.
>
> As a transit consumer - why would I want to carry all this cr*p in my
> routing table, I would still be getting a BGP route to the larger
> prefix anyway - let my transit feeds sort out which route they use &
> traffic engineering.
>
> Thoughts anyone?
>
>
> Kind Regards
>
> Ben
>
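The "process that automatically tracks and publishes a list of offending specifics" Ben asks about is straightforward to prototype. The script below is an added example for this thread, not code from the thread or from Cisco's documentation: it takes a route table as (prefix, origin AS) pairs (the sample table is constructed), finds every prefix that has a less-specific cover in the same table, and renders IOS "ip prefix-list" deny entries for them. The list name NO-DEAGG and the sequence numbering are assumptions. One caveat the thread does not spell out: a more-specific originated by a different AS than its cover is not just clutter; dropping it sends that traffic along the aggregate's path, so by default the generator only denies more-specifics whose origin matches the cover's.

```python
import ipaddress

# Constructed sample table of (prefix, origin AS); not real routing data.
SAMPLE_TABLE = [
    ("198.51.100.0/22", 64500),
    ("198.51.100.0/24", 64500),   # deaggregate of the /22, same origin
    ("198.51.102.0/23", 64500),   # deaggregate of the /22, same origin
    ("203.0.113.0/24", 64501),
    ("203.0.113.128/25", 64502),  # more-specific with a different origin
    ("192.0.2.0/24", 64503),      # no covering prefix in the table
    ("0.0.0.0/0", 64504),         # a default route must never count as a cover
]


def load_table(rows):
    """Map IPv4Network -> origin AS; a duplicate prefix keeps the first origin seen."""
    table = {}
    for prefix, origin in rows:
        net = ipaddress.ip_network(prefix, strict=True)
        table.setdefault(net, origin)
    return table


def covering_prefix(net, table):
    """Return the least-specific prefix in `table` that strictly contains `net`,
    or None. Walks the supernets from /1 upward (so /0 is skipped on purpose);
    this is O(prefix length) dictionary lookups per route, no trie needed."""
    for plen in range(1, net.prefixlen):
        sup = net.supernet(new_prefix=plen)
        if sup in table:
            return sup
    return None


def find_more_specifics(table):
    """Return {more_specific: (cover, same_origin)} for every prefix that has
    a less-specific cover somewhere in the same table."""
    result = {}
    for net, origin in table.items():
        cover = covering_prefix(net, table)
        if cover is not None:
            result[net] = (cover, table[cover] == origin)
    return result


def prefix_list(name, more_specifics, same_origin_only=True, start=5, step=5):
    """Render IOS 'ip prefix-list' deny entries, one per more-specific, followed
    by a permit-everything entry. With same_origin_only (the default) only
    prefixes whose origin equals the cover's origin are denied, so traffic to
    them still reaches the same AS via the aggregate."""
    lines = []
    seq = start
    for net in sorted(more_specifics):
        cover, same = more_specifics[net]
        if same_origin_only and not same:
            continue
        lines.append(f"ip prefix-list {name} seq {seq} deny {net}")
        seq += step
    lines.append(f"ip prefix-list {name} seq {seq} permit 0.0.0.0/0 le 32")
    return lines


if __name__ == "__main__":
    table = load_table(SAMPLE_TABLE)
    for net, (cover, same) in sorted(find_more_specifics(table).items()):
        print(f"{net} is covered by {cover} (same origin: {same})")
    print("\n".join(prefix_list("NO-DEAGG", find_more_specifics(table))))
```

Apply the generated list inbound on the transit sessions (neighbor ... prefix-list NO-DEAGG in) and regenerate it on a schedule, since the set of offending specifics changes daily; anything with same_origin False deserves a look before you decide to drop it as well.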
RE: Level 3 in Ohio
I can ping 65.89.42.1 from here and it seems to be going through level3.

traceroute to 65.89.42.1 (65.89.42.1), 30 hops max, 38 byte packets
 1  wookie-02.core..net ()  0.454 ms  0.458 ms  0.320 ms
 2  wookie-01-fe-2-0.core..net (xx)  0.678 ms  0.648 ms  0.559 ms
 3  ge-5-0-102.hsa2.Cincinnati1.Level3.net (63.210.xx)  0.826 ms  0.747 ms  1.742 ms
 4  so-5-0-0.mpls1.Cincinnati1.Level3.net (4.68.124.241)  0.819 ms  0.858 ms  1.102 ms
 5  so-2-0-1.bbr2.Chicago1.Level3.net (64.159.0.162)  7.157 ms  7.216 ms  ae-0-0.bbr1.Chicago1.Level3.net (64.159.1.33)  6.998 ms
 6  ae-24-52.car4.Chicago1.Level3.net (4.68.101.40)  7.449 ms  ae-14-51.car4.Chicago1.Level3.net (4.68.101.8)  7.525 ms  ae-14-53.car4.Chicago1.Level3.net (4.68.101.72)  7.503 ms
 7  te-4-1-73.rp0-5.chcgilca.Level3.net (4.68.63.14)  8.883 ms  11.020 ms  8.155 ms
 8  P5-0.a0.chcg.broadwing.net (216.140.14.109)  8.120 ms  13.737 ms  8.424 ms
 9  p2-0-0.e1.chcg.broadwing.net (216.140.15.30)  8.987 ms  7.944 ms  8.161 ms
10  67.99.9.158 (67.99.9.158)  15.497 ms  *  16.167 ms

Mike Walter, MCP
Systems Administrator
3z.net a PCD Company
http://www.3z.net
"When Success is the Only Solution think 3z.net"
tel: 859.331.9004
fax: 859.578.3522

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marshall Eubanks
Sent: Wednesday, September 19, 2007 1:34 PM
To: nanog list
Subject: Level 3 in Ohio

Is anyone reporting Level3 outages in Ohio or DC ? One of my clients is down, and L3 is not answering the phones (!)

traceroute 65.89.42.1 (From Cogent in Tyson's Corner)

traceroute to 65.89.42.1 (65.89.42.1), 30 hops max, 38 byte packets
 1  dmz-mct2.multicasttech.com (63.105.122.1)  0.367 ms  0.265 ms  0.238 ms
 2  g0-7.na21.b002176-1.dca01.atlas.cogentco.com (38.99.206.153)  0.598 ms  0.548 ms  0.529 ms
 3  g2-1-3587.core01.dca01.atlas.cogentco.com (38.20.32.13)  0.862 ms  0.834 ms  0.740 ms
 4  t4-1.mpd01.dca01.atlas.cogentco.com (154.54.3.158)  0.801 ms  0.879 ms  *
 5  v3493.mpd01.dca02.atlas.cogentco.com (154.54.7.2)  1.328 ms  1.311 ms  1.247 ms
 6  t1-4.mpd01.iad01.atlas.cogentco.com (154.54.7.162)  1.693 ms  1.598 ms  1.605 ms
 7  g4-0-3490.core01.iad01.atlas.cogentco.com (154.54.3.225)  1.411 ms  1.453 ms  1.552 ms
 8  oc48-6-0-2.edge2.Washington3.Level3.net (4.68.127.9)  1.577 ms  1.588 ms  16.498 ms
 9  ae-44-99.car4.Washington1.Level3.net (4.68.17.198)  2.766 ms  ae-24-79.car4.Washington1.Level3.net (4.68.17.70)  3.282 ms  ae-34-89.car4.Washington1.Level3.net (4.68.17.134)  2.808 ms

Cox Cable in Northern Virginia

[TME-Laptop-2:~/Movies/NoisiVision] tme% traceroute 65.89.42.1
traceroute to 65.89.42.1 (65.89.42.1), 64 hops max, 40 byte packets
 1  * * *
 2  ip70-179-104-1.dc.dc.cox.net (70.179.104.1)  14.989 ms  11.563 ms  11.782 ms
 3  ip68-100-1-161.dc.dc.cox.net (68.100.1.161)  18.078 ms  12.329 ms  12.036 ms
 4  ip68-100-0-1.dc.dc.cox.net (68.100.0.1)  13.368 ms  12.301 ms  11.960 ms
 5  mrfddsrj01-ge110.rd.dc.cox.net (68.100.0.161)  12.504 ms  11.729 ms  *
 6  xe-9-2-0.edge1.washington1.level3.net (4.79.228.61)  59.189 ms  12.721 ms  11.749 ms
 7  ae-44-99.car4.washington1.level3.net (4.68.17.198)  13.502 ms  13.389 ms  ae-34-89.car4.washington1.level3.net (4.68.17.134)  14.290 ms

(Note that both trace routes appear to be flapping at the last reported hop.)

Regards
Marshall
RE: AT&T refuses to provide PTR records?
We have a customer that has AT&T and they reassigned the IP space to our name servers to allow us to do reverse DNS for them.

Mike Walter, MCP
Systems Administrator
3z.net a PCD Company
http://www.3z.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Hubbard
Sent: Tuesday, October 17, 2006 4:21 PM
To: NANOG list
Subject: AT&T refuses to provide PTR records?

Anyone familiar with AT&T's policies on PTR records for their customer-assigned address space? We have a customer whose website we host that has their own in-house mail server that they run off of their AT&T internet connection at their office. We handle the DNS for their domain name. AT&T is refusing to set up PTR records for them because they're not handling DNS for the domain name. Is this normal? I haven't dug through the ARIN agreements but I thought it was required to provide reverse DNS on your allocations.

Thanks,

David
RE: Router / Protocol Problem
Good morning everyone.

I just wanted to say thanks for all the help. I did discover the problem this morning and I should be hit with a herring. I upgraded the IOS on the router with the issue to match the other router and the problem was still there. So I tested and noticed the following line in the logs, since I was on console it popped up right in front of me.

Sep 7 06:50:20.697 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp 69.50.222.8(25) -> 69.4.74.14(2421), 4 packets

What is this I thought? What is my ACL 166 doing this? I thought I tested removing all access-lists from interfaces when the original problem came up. Apparently not. Here is my ACL 166, the first line is what was being matched. Apparently somehow this connection is being matched via NBAR for good old Code Red.

access-list 166 deny ip any any dscp 1 log
access-list 166 deny tcp any any eq sunrpc
access-list 166 deny tcp any any eq 135
access-list 166 deny tcp any any eq 137
access-list 166 deny tcp any any eq 138
access-list 166 deny tcp any any eq 139
access-list 166 deny tcp any any eq 445
access-list 166 deny tcp any any eq 5554
access-list 166 deny tcp any any eq 9996
access-list 166 deny tcp any any eq 1025
access-list 166 deny udp any any eq 1434
access-list 166 deny udp any any eq 135
access-list 166 deny udp any any eq netbios-ns
access-list 166 deny udp any any eq netbios-dgm
access-list 166 deny udp any any eq netbios-ss
access-list 166 deny udp any any eq 445
access-list 166 deny icmp any any redirect
access-list 166 deny ip 127.0.0.0 0.255.255.255 any
access-list 166 deny ip 10.0.0.0 0.255.255.255 any
access-list 166 deny ip 172.16.0.0 0.15.255.255 any
access-list 166 deny ip 192.168.0.0 0.0.255.255 any
access-list 166 permit ip any any

class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"

policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1

I have always had this on my FE0/0 as an outbound ACL, well at least since Code Red came about: ip access-group 166 out.

Now I have two questions. Is that not a good idea to have this on FE0/0 out? Second, why the heck would a smtp connection be matched via my http-hacks class-map?

Thanks again everyone,

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Dunn
Sent: Wednesday, September 06, 2006 8:45 PM
To: Christopher L. Morrow
Cc: Rodney Dunn; Mike Walter; Hank Nussbacher; Justin M. Streiner; nanog@merit.edu
Subject: Re: Router / Protocol Problem

Then that proves it's not a local router problem then. :)

On Wed, Sep 06, 2006 at 07:49:26PM +, Christopher L. Morrow wrote:
> On Wed, 6 Sep 2006, Rodney Dunn wrote:
>
> >
> > Get a sniffer trace. Packets on the wire prove what's going on.
>
> provided the packets get back to him, it seems his problem is traffic
> getting back to him :( so probably no packets will be on the wire
> (none in question at least)...
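The log line that gave the game away, "list 166 denied tcp 69.50.222.8(25) -> 69.4.74.14(2421)", has a shape worth watching for in general: the source port is a well-known service and the destination is an ephemeral port, so what the ACL dropped was the server half of a session a local client had opened, not an attack. The script below is an added example, not code from the thread: it parses IOS %SEC-6-IPACCESSLOGP messages in the format quoted above, sorts denies into request traffic, reply traffic and everything else, and reports ACLs that are dropping reply traffic of a known service. The first sample line is the one from the thread; the other sample lines, the port table and the "reply" heuristic (source port in the table, destination port above 1023) are assumptions for the example.

```python
import re
from collections import Counter

# Matches the IOS message shape quoted in the thread, for example:
# "%SEC-6-IPACCESSLOGP: list 166 denied tcp 69.50.222.8(25) -> 69.4.74.14(2421), 4 packets"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Assumed service table; extend to whatever your network actually serves.
SERVICE_PORTS = {25: "smtp", 53: "dns", 80: "http", 110: "pop3", 443: "https"}


def parse_line(line):
    """Return a dict for an IPACCESSLOGP line, or None for any other message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label a flow as ('reply', service) when the source port is a known
    service port and the destination is an ephemeral port: that is the return
    half of a session a client behind the ACL opened. ('request', service) is a
    client reaching a known service; anything else is ('other', proto/dport)."""
    if rec["sport"] in SERVICE_PORTS and rec["dport"] > 1023:
        return "reply", SERVICE_PORTS[rec["sport"]]
    if rec["dport"] in SERVICE_PORTS:
        return "request", SERVICE_PORTS[rec["dport"]]
    return "other", f"{rec['proto']}/{rec['dport']}"


def summarize(lines):
    """Sum denied packets per (acl, kind, service); permits and other syslog
    messages are ignored."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        kind, service = classify(rec)
        totals[(rec["acl"], kind, service)] += rec["count"]
    return totals


def suspicious_reply_denies(lines, threshold=1):
    """Return sorted (acl, service, packets) tuples for ACLs dropping reply
    traffic of a known service. On an outbound ACL, as in the thread, that is
    far more likely collateral damage than a blocked attack."""
    totals = summarize(lines)
    return sorted(
        (acl, svc, n) for (acl, kind, svc), n in totals.items()
        if kind == "reply" and n >= threshold
    )


# Constructed sample log: line 1 is the message quoted in the thread, the
# remaining lines are made up for this example.
SAMPLE_LOG = [
    "Sep 7 06:50:20.697 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp 69.50.222.8(25) -> 69.4.74.14(2421), 4 packets",
    "Sep 7 06:50:31.102 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp 69.50.222.8(25) -> 69.4.74.14(2422), 2 packets",
    "Sep 7 06:51:02.410 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp 10.0.0.5(3421) -> 69.4.74.20(445), 1 packet",
    "Sep 7 06:51:09.000 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp 203.0.113.9(4012) -> 69.4.74.21(80), 3 packets",
    "Sep 7 06:51:10.000 EST: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for acl, svc, n in suspicious_reply_denies(SAMPLE_LOG):
        print(f"ACL {acl} dropped {n} reply packets of {svc}; check for collateral damage")
```

Feed it the router's syslog (with "log" on the deny entries that matter, as ACL 166 already has on its first line) and the NBAR-marked SMTP replies would have stood out long before a console session happened to catch one. The heuristic is deliberately simple: a real deployment would also key on the interface and direction the ACL is applied to, which the IOS message does not carry.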
RE: Router / Protocol Problem
Sorry, I am running iBGP. I just swapped out the NPE225 engine to a NPE400 and 512MB and have not seen a change yet. I am still unable to reach the sites. I am going to give it a while and sometime soon reboot the other router. I removed the single /24 today out of the one connection to see if that would change anything as well.

Mike

-----Original Message-----
From: Hank Nussbacher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 06, 2006 12:07 PM
To: Mike Walter
Cc: Justin M. Streiner; nanog@merit.edu
Subject: RE: Router / Protocol Problem

On Wed, 6 Sep 2006, Mike Walter wrote:

>
> Thanks for everyone's great input. Here are answers to Justin's
> questions.
>
> #1 - 12.3.6a - 7204VXR (NPE400) 512MB - 200+ MB free
> #2 - 12.2.15T5 - cisco 7204VXR (NPE225) - 256MB (I have a NPE400 - 512MB
> I want to swap in) - 23MB Free (Issue?)
>
> Full Routes from all peers. No internal routing protocol as of yet, all
> static routes. Getting ready to implement OSPF. I have not rebooted
> the routers as a test. I have CEF on both routers. I have had some
> customers complaining about slowness.

No internal routing protocol? Not even iBGP? How do the 2 routers exchange info? How do the internal systems know which router to exit from? Or are they both independent?

I assume you are AS26241 and peer with 3356, 4323 and 6181. I also assume you should be announcing your 2 prefixes:
69.4.64.0/20
216.68.104.0/21
but you have deaggregated a single /24 - 69.4.71.0/24 which has sent 34 BGP updates in the past 24 hours (which might be ok).

So, it is a bit hard to debug this with only partial info.

Regards,
Hank Nussbacher
http://www.interall.co.il
RE: Router / Protocol Problem
Thanks for everyone's great input. Here are answers to Justin's questions.

#1 - 12.3.6a - 7204VXR (NPE400) 512MB - 200+ MB free
#2 - 12.2.15T5 - cisco 7204VXR (NPE225) - 256MB (I have a NPE400 - 512MB I want to swap in) - 23MB Free (Issue?)

Full Routes from all peers. No internal routing protocol as of yet, all static routes. Getting ready to implement OSPF. I have not rebooted the routers as a test. I have CEF on both routers. I have had some customers complaining about slowness.

Mike Walter, MCP
Systems Administrator
3z.net a PCD Company
http://www.3z.net
"When Success is the Only Solution think 3z.net"
Voice (859) 331-9004
Fax (859) 578-3522

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin M. Streiner
Sent: Wednesday, September 06, 2006 9:42 AM
To: nanog@merit.edu
Subject: Re: Router / Protocol Problem

On Wed, 6 Sep 2006, Mike Walter wrote:

> I normally would not post to the group, but I am 100% stumped and have
> talked with peers with no luck.
>
> I have (2) Cisco 7204 Routers running BGP with 3 peers and HSRP. I am
> not doing anything special with BGP, pretty much a default config that
> has not changed in years.

Please provide details on both your default config and the hardware you're using. You say you have two Cisco 7204s - are these straight '04s, or 7204VXRs? What NPE(s) are you using, and how much memory is on them? The BGP you're getting from your peers - are you getting full routes from any of them? Do you have CEF enabled on these routers? What IOS version(s) are running on these routers? What else are they doing besides slinging BGP routes? Does the problem go away for a while if you reboot one router or the other?

Without knowing any of this, it sounds like you might have NPE-225, -300, or -400 with 256 MB of RAM and you are running into memory exhaustion issues from carrying full routes. That's been a pretty popular topic on this list and others like cisco-nsp in the last 12 months :)

At a minimum, what does the output of "show mem summary" and "show ip bgp sum" from each router show you?

Have you seen other performance problems lately, such as things getting mysteriously slower, beyond the reachability issues you mentioned above? If so, check if CEF is still running (if it was configured in the first place). When a 7200 gets dangerously low on free memory and CEF is running, it may cannibalize the IP CEF process to try to conserve memory. Earlier 12.0 releases did this - I don't know if newer ones still do it.

jms
RE: Router / Protocol Problem
One more thing, I can successfully do a tcptraceroute if that matters.

Mike Walter

From: tony sarendal [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 06, 2006 9:32 AM
To: Mike Walter
Cc: nanog@merit.edu
Subject: Re: Router / Protocol Problem

On 06/09/06, Mike Walter <[EMAIL PROTECTED]> wrote:

I normally would not post to the group, but I am 100% stumped and have talked with peers with no luck.

I have (2) Cisco 7204 Routers running BGP with 3 peers and HSRP. I am not doing anything special with BGP, pretty much a default config that has not changed in years. Recently with no changes to my network, I have been having problems connecting to certain websites and mail servers. I am always able to ping the sites and trace route without error. If I telnet to port 80 or port 25 it does not connect. If I login to my router and telnet sourcing from each of my Internet Providers' ports, I am able to get to the sites. I have talked with all the providers and none can find a problem. If I shut down one specific peer, everything works fine. So I keep thinking it was that peer's problem somehow. I have tested with just that peer up and I still can not connect. However, when talking with that peer, they are able to telnet from their network to the sites I can not reach. I don't know what else to check besides shutting down that peer. Which since it is under a 3 year contract, not an option. That isn't the real solution anyhow.

Can anyone shed some light on or off-list?

Give your peer a /32 to install on their access router, verify that return path is via them and have them do connectivity tests to your problem sites. If that checks out you step by step through it. Ask to be moved to a different access router, next change your hardware.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
Router / Protocol Problem
I normally would not post to the group, but I am 100% stumped and have talked with peers with no luck.

I have (2) Cisco 7204 Routers running BGP with 3 peers and HSRP. I am not doing anything special with BGP, pretty much a default config that has not changed in years. Recently with no changes to my network, I have been having problems connecting to certain websites and mail servers. I am always able to ping the sites and trace route without error. If I telnet to port 80 or port 25 it does not connect. If I login to my router and telnet sourcing from each of my Internet Providers' ports, I am able to get to the sites. I have talked with all the providers and none can find a problem. If I shut down one specific peer, everything works fine. So I keep thinking it was that peer's problem somehow. I have tested with just that peer up and I still can not connect. However, when talking with that peer, they are able to telnet from their network to the sites I can not reach. I don't know what else to check besides shutting down that peer. Which since it is under a 3 year contract, not an option. That isn't the real solution anyhow.

Can anyone shed some light on or off-list?

Thanks,

Mike Walter
RE: Determine difference between 2 BGP feeds
Sounds to me like one of your providers is not feeding you the full internet routing table. Have you checked with them to see if they are providing you that?

Mike Walter
Systems Administrator

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott "Tuc" Ellentuch at T-B-O-H
Sent: Tuesday, April 18, 2006 4:13 PM
To: nanog@merit.edu
Subject: Determine difference between 2 BGP feeds

Hi,

We receive a BGP feed from different providers on two different routers. While one seems to be a reasonable amount of feeds after reviewing the CIDR report, the other is anywhere from 3K to 10K more routes. Is there a utility that I can use that will pull the routes off each router (Foundry preferred), and then compare them as best it can to see why there is such a difference? I can understand a handful of routes over what CIDR says, but a minimum of 3K more?

Thanks, Tuc/TBOH
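Tuc's comparison is a few lines of scripting once the two tables are dumped to text. The script below is an added example, not something from the thread or a Foundry tool: it assumes each dump has been reduced to one route per line in the form "prefix next-hop as-path" (the two feeds below are constructed; a real "show ip bgp" needs its own parser), reports prefixes present in only one feed, buckets the extras by prefix length and by origin AS so you can see whether they are a handful of origins deaggregating or a wholesale filtering difference, and, as the check a security engineer would add, lists prefixes both feeds carry but with different origin ASes, since that is how a leak or hijack on one upstream looks from the other.

```python
import ipaddress
from collections import Counter

# Constructed dumps in the simplified "prefix next-hop as-path" format this
# example assumes. None of these routes are real.
FEED_A = """\
# prefix          next-hop   as-path
192.0.2.0/24      10.0.0.1   64500 64510
198.51.100.0/22   10.0.0.1   64500 64520
203.0.113.0/24    10.0.0.1   64500 64530
"""

FEED_B = """\
# prefix          next-hop   as-path
192.0.2.0/24      10.0.1.1   64501 64510
198.51.100.0/22   10.0.1.1   64501 64520
198.51.100.0/24   10.0.1.1   64501 64520
198.51.101.0/24   10.0.1.1   64501 64521
203.0.113.0/24    10.0.1.1   64501 64599
"""


def parse_dump(text):
    """Return {IPv4Network: origin AS}; the origin is the last AS in the path.
    Comment lines and anything that does not parse are skipped."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
            origin = int(parts[-1])
        except ValueError:
            continue
        routes.setdefault(net, origin)
    return routes


def compare(text_a, text_b):
    """Diff two feeds and explain the extras: what is only in each feed, how
    the extras break down by prefix length and origin AS, and which shared
    prefixes come with a different origin AS on each feed."""
    a, b = parse_dump(text_a), parse_dump(text_b)
    only_a = set(a) - set(b)
    only_b = set(b) - set(a)
    both = set(a) & set(b)
    return {
        "only_a": [str(n) for n in sorted(only_a)],
        "only_b": [str(n) for n in sorted(only_b)],
        "only_b_by_len": dict(Counter(n.prefixlen for n in only_b)),
        "only_b_by_origin": dict(Counter(b[n] for n in only_b)),
        # Same prefix, different origin: review these before trusting either feed.
        "origin_mismatch": [(str(n), a[n], b[n]) for n in sorted(both) if a[n] != b[n]],
    }


if __name__ == "__main__":
    report = compare(FEED_A, FEED_B)
    print(f"only in A: {len(report['only_a'])}, only in B: {len(report['only_b'])}")
    print("extras in B by prefix length:", report["only_b_by_len"])
    print("extras in B by origin AS:", report["only_b_by_origin"])
    for prefix, oa, ob in report["origin_mismatch"]:
        print(f"origin mismatch for {prefix}: A says AS{oa}, B says AS{ob}")
```

If the "only_b_by_len" bucket is almost entirely /24s spread over many origins, the bigger feed is simply carrying deaggregates the other provider filters; a few origins accounting for thousands of extras points at one or two customers leaking, and anything in "origin_mismatch" is worth a call to both upstreams.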
sarbanes-oxley email archiving
So, has anyone used the GFI email archiver for exchange server? Does anyone have thoughts as to other software that is similar to this product? What about software for linux email archiving? We are starting to look at this for some clients and thought the NANOGers might have some input. Feel free to email me off-list.

Mike Walter, MCP
PCD Network Solutions, Inc.
3z.net a PCD Company
<http://www.3z.net>
RE: Multi-link Frame Relay OR Load Balancing
I am using MLFR with MCI currently. I have a Cisco 7204 VXR and it works like a champ. I have had times where one T1 circuit was down and I had no problems besides seeing the bandwidth utilization change. When it came up everything went back to normal. I am looking into an Ethernet Handoff due to cost savings, however MCI does not offer that in Cincinnati, but that is a completely different story. My T1's terminate into ATL and I am seeing great responses.

Mike Walter, MCP
PCD Network Solutions, Inc.
3z.net a PCD Company
<http://www.3z.net>

-----Original Message-----
From: Peering [mailto:[EMAIL PROTECTED]
Sent: Friday, September 17, 2004 11:13 AM
To: Scott McGrath; Bryce Enevoldson
Cc: [EMAIL PROTECTED]
Subject: RE: Multi-link Frame Relay OR Load Balancing

Depending on your area, DS3 isn't necessarily cheaper than 8 T1s. I know in some markets, I have to buy 16 T1s from Bell before it matches their DS3 cost. It just depends on the tariffs.

I've never used MLF before, just MLPPP, but in my experience, MLPPP works for my customers better than load-sharing. The only problems I've seen, and I'm working one this morning, is that Cisco has its usual bug issues. I had one customer on 12.3(6) and there's about 19 known bugs between 12.3(6) and MLPPP, a lot of which aren't resolved yet. One even made you reboot if you added or deleted a T1 from the bundle or the MLPPP bundle wouldn't come back up.

Diane Turley
Network Engineer
Xspedius Communications Co.
636-625-7178

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott McGrath
Sent: Thursday, September 16, 2004 8:12 PM
To: Bryce Enevoldson
Cc: [EMAIL PROTECTED]
Subject: Re: Multi-link Frame Relay OR Load Balancing

In my experience the breakeven point for a Frame Relay DS3 is 6 DS1 circuits. DS3's tend to be more reliable than DS1's as the ILEC usually installs a MUX at your site instead of running to the nearest channel bank and running the T1's over copper with a few repeaters thrown in for good measure. Another nice thing about DS3's is that it is easy to scale bandwidth in the future by modifying the CIR on your link. Another feature is that since the link is faster the serialization delay is lower which will give you better latency and last but not least PA3+ for Cisco 7[2|5]xx routers are inexpensive and give you one call for service not a separate call for the CSU/DSU's and the serial line card you need to support a multilink solution.

Scott C. McGrath

On Thu, 16 Sep 2004, Bryce Enevoldson wrote:

>
> We are in the process of updating our internet connection to 8 t1's
> bound together. Due to price, our options have been narrowed to AT&T
> and MCI. I have two questions: 1. Which technology is better for
> binding t1's: multi link frame relay
> (mci's) or load balancing (att's)
> 2. Which company has a better pop in Atlanta: mci or att?
>
> We are in the Chattanooga TN area and our current connection is 6 t1's
> through att but they will only bond 4 so they are split 4 and 2.
>
> Bryce Enevoldson
> Information Processing
> Southern Adventist University
>
>
>
RE: Even you can be hacked
That is true, but only if they are placed in a DeLorean because they're filled with drugs.

Mike

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 5:10 PM
To: [EMAIL PROTECTED]
Subject: RE: Even you can be hacked

>>> [EMAIL PROTECTED] 6/11/04 3:02:42 PM >>>
>
>Now you are just getting silly, we know Flux Capacitors don't work on
>earth.

Sure they do, at least the ones made since 1985. I believe I remember a DeLorean that used one.

John

--
RE: Even you can be hacked
Now you are just getting silly, we know Flux Capacitors don't work on earth.

Mike Walter

-----Original Message-----
From: Matthew McGehrin [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 5:00 PM
To: nanog
Subject: was: Even you can be hacked

Coupled with a Flux Capacitor for the ultimate in message delivery :)

----- Original Message -----
From: "Scott Stursa" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 11, 2004 4:44 PM
Subject: Re: Even you can be hacked

> Ah. A tunneling implementation.
> You'll need a cold fusion generator to power that.
RE: Mailserver requirements
Arnold,

I am surprised you don't have problems sending to AOL as well. They don't accept email from servers that do not have reverse addresses. I don't accept email from servers without reverse addressing.

Mike Walter, MCP
3z.net a PCD Company
<http://www.3z.net>
"When Success is the Only Solution think 3z.net"

-----Original Message-----
From: Arnold Nipper [mailto:[EMAIL PROTECTED]
Sent: Monday, April 05, 2004 5:03 PM
To: NANOG
Subject: Mailserver requirements

Today I ran across an MTA which refused to accept mail because it could not detect an MX record for the reverse mapping of the IP address of the server which tried to deliver mail. Is this correct? Or: if A is the IP Address of server trying to deliver mail, does mx(reverse(A)) have to exist?

--
Arnold
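Two different checks are being discussed in this thread: the common one, which Mike describes, rejects a sender with no PTR at all (and the usual stricter form, forward-confirmed reverse DNS, also requires the PTR name to resolve back to the connecting address); the one Arnold hit additionally wants an MX record at the PTR name, which is not something sending hosts are generally expected to have. The script below is an added example, not code from the thread or from any MTA: it implements both checks against a constructed in-memory zone so it runs offline. The lookup table, the names and addresses in it, and the "lookup" function are assumptions; in production you would replace "lookup" with a real resolver call.

```python
import ipaddress

# Constructed zone data for the example: {(owner name, rrtype): [rdata, ...]}.
ZONE = {
    ("8.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["192.0.2.8"],           # PTR confirmed by A
    ("9.2.0.192.in-addr.arpa.", "PTR"): ["mx.example.org."],
    ("mx.example.org.", "A"): ["192.0.2.99"],            # PTR not confirmed
    ("mx.example.org.", "MX"): ["10 mx.example.org."],
    # 192.0.2.10 deliberately has no PTR at all
}


def lookup(name, rrtype, zone=ZONE):
    """Stand-in for a DNS query; returns the rdata list or [] for NXDOMAIN/NODATA."""
    return zone.get((name, rrtype), [])


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4/IPv6 address, fully qualified."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_sender(ip, zone=ZONE):
    """Forward-confirmed reverse DNS as an MTA applies it at connection time.
    Returns (verdict, reason) with verdict one of:
      'no-ptr'           no PTR for the address (what AOL's policy in the thread rejects)
      'ptr-unconfirmed'  a PTR exists but none of its names resolve back to the address
      'ok'               at least one PTR name has an A record equal to the address"""
    ptrs = lookup(reverse_name(ip), "PTR", zone)
    if not ptrs:
        return "no-ptr", f"{ip} has no PTR record"
    for name in ptrs:
        if ip in lookup(name, "A", zone):
            return "ok", f"{ip} -> {name} -> {ip}"
    return "ptr-unconfirmed", f"PTR names {ptrs} do not resolve back to {ip}"


def has_mx_for_ptr(ip, zone=ZONE):
    """The stricter rule from Arnold's post: does the PTR name of the sending
    address have an MX record? Sending hosts need not be mail exchangers, so
    this rejects legitimate mail from hosts whose reverse name has no MX."""
    return any(lookup(name, "MX", zone) for name in lookup(reverse_name(ip), "PTR", zone))


if __name__ == "__main__":
    for ip in ("192.0.2.8", "192.0.2.9", "192.0.2.10"):
        verdict, reason = check_sender(ip)
        print(f"{ip}: {verdict} ({reason}); MX at PTR name: {has_mx_for_ptr(ip)}")
```

Note how the two rules disagree on the sample data: 192.0.2.8 passes forward-confirmed reverse DNS but has no MX at its PTR name, while 192.0.2.9 has an MX at its PTR name but its PTR is not confirmed by a matching A record, which is the more meaningful failure from an anti-spoofing point of view.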