NAT-PT or NAT64 in real life

2011-01-19 Thread jarod smith
Although it would seem that dual-stack is still the preferred method of Linux
distribution, I want my next deployment to be IPv6 only.
For Linux there are NAT-PT (tomicki) and NAT64 (Viagenie).

I don't have Cisco equipment, although I'd like to have tested their NAT-PT, even if
it's obsolete.

Have some of you installed one of these two implementations in
production on recent versions of Linux? Is it stable, secure, ...?


Regards


Re: NAT-PT or NAT64 in real life

2011-01-19 Thread Mikael Abrahamsson

On Wed, 19 Jan 2011, jarod smith wrote:

Have some of you installed one of these two implementations in 
production on recent versions of Linux? Is it stable, secure, ...?


Not in production, but we've installed it for testing. We immediately ran 
into problems that were MTU related, where Viagenie mismatched the 2-byte 
MTU in IPv4 with the 4-byte one in IPv6 and didn't handle that. After reporting 
this we quickly received a patch that fixed the problem.


They also seem to have other fixes not available in the public 
distribution (this was a month ago, might have changed).


So my take on this is that viagenie responds well to mail and will fix 
things, but the software has not been widely tested and is not production 
quality right now.


--
Mikael Abrahamsson    email: swm...@swm.pp.se
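The field-width problem Mikael mentions is worth seeing in code. The block below is an added example written for this page; it is not part of the original post and not Viagenie's implementation. An ICMPv4 Destination Unreachable / Fragmentation Needed message (type 3, code 4) carries the next-hop MTU in a 16-bit field, while an ICMPv6 Packet Too Big (type 2) carries it in 32 bits, and RFC 6145 section 4.2 says the translator must also add the 20-byte header-size difference, take the minimum against both next-hop MTUs, and fall back to the RFC 1191 plateau table when the IPv4 router reported 0. Flooring the result at 1280 (the IPv6 minimum link MTU) is a design choice here so that a forged or tiny IPv4 MTU cannot be translated into an unusable IPv6 path MTU. The packet bytes and next-hop MTUs are constructed for the example.

```python
import struct

IPV6_MIN_MTU = 1280   # IPv6 minimum link MTU; we never advertise less than this
HEADER_DELTA = 20     # IPv6 header (40 bytes) is 20 bytes larger than IPv4's (20)

# RFC 1191 plateau table, used when the IPv4 router set the MTU field to zero
# (a router that predates RFC 1191 and does not fill in the next-hop MTU).
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)


def parse_icmpv4_frag_needed(icmp: bytes):
    """Return the 16-bit next-hop MTU if this ICMPv4 header is Destination
    Unreachable / Fragmentation Needed (type 3, code 4); otherwise None."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMPv4 header")
    icmp_type, code, _csum, _unused, mtu16 = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3 or code != 4:
        return None
    return mtu16


def rfc1191_plateau(orig_total_length: int) -> int:
    """Greatest plateau value below the Total Length of the packet that was too big."""
    for plateau in PLATEAUS:
        if plateau < orig_total_length:
            return plateau
    return PLATEAUS[-1]


def translated_mtu(advertised_v4_mtu, v4_nexthop_mtu, v6_nexthop_mtu, orig_total_length):
    """RFC 6145 4.2: min(advertised+20, MTU_of_IPv6_nexthop, MTU_of_IPv4_nexthop+20),
    using the plateau table when the router reported 0, floored at 1280 (our choice)."""
    if advertised_v4_mtu == 0:
        advertised_v4_mtu = rfc1191_plateau(orig_total_length)
    mtu = min(advertised_v4_mtu + HEADER_DELTA,
              v6_nexthop_mtu,
              v4_nexthop_mtu + HEADER_DELTA)
    return max(mtu, IPV6_MIN_MTU)


def build_icmpv6_packet_too_big(mtu: int) -> bytes:
    """ICMPv6 type 2, code 0 header with a 32-bit MTU field. The checksum is left
    zero: it covers the IPv6 pseudo-header, so the caller fills it in."""
    if not 0 < mtu <= 0xFFFFFFFF:
        raise ValueError("MTU out of range for ICMPv6")
    return struct.pack("!BBHI", 2, 0, 0, mtu)


def translate(icmpv4_hdr, v4_nexthop_mtu, v6_nexthop_mtu, orig_total_length):
    """Translate a Frag-Needed header to a Packet Too Big header; None if not applicable."""
    advertised = parse_icmpv4_frag_needed(icmpv4_hdr)
    if advertised is None:
        return None
    mtu = translated_mtu(advertised, v4_nexthop_mtu, v6_nexthop_mtu, orig_total_length)
    return build_icmpv6_packet_too_big(mtu)


if __name__ == "__main__":
    # Constructed: router says next-hop MTU 1400, both of our next hops are 1500,
    # the packet that bounced had Total Length 1500.
    frag_needed = struct.pack("!BBHHH", 3, 4, 0, 0, 1400)
    print(translate(frag_needed, 1500, 1500, 1500).hex())        # 1420 -> 0x58c
    # Constructed: pre-RFC1191 router reporting MTU 0 -> plateau 1492 -> capped by v6 next hop
    print(translated_mtu(0, 1500, 1500, 1500))
    # Constructed: forged or bogus MTU 68 -> 88 after widening -> floored to 1280
    print(translated_mtu(68, 1500, 1500, 1500))
```

Note that a translator which simply copied the 16-bit value into the 32-bit field without the +20 adjustment would advertise an MTU 20 bytes too small; one that did the arithmetic in a 16-bit variable could wrap near 65535. Both are the kind of mismatch a quick test with a non-default MTU exposes.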



RE: Dual Homed BGP for failover

2011-01-19 Thread Ahmed Yousuf
Thanks to all for the responses, certainly illuminating.  I'm now more aware
of what I can do and what tools are available.  The following makes sense to
me:

 

-  Take full routing tables and default from both ISPs and decide
how I filter the routes that get installed in my routers.

-  Originally apply the same filters on both and monitor the links
to see what the natural distribution is, when we let the BGP process decide
how the traffic is routed.  Need to think more about which filters to apply
here, the SRX210s are quoted as having capacity for 16k routes.

-  Once we have a better idea of the traffic profiles start changing
the filters to preference certain traffic over the higher speed link.  One
way this might be done, is to filter based on RIPE or ARIN addresses.  We
are most concerned about maintaining capacity for European traffic, so
install RIPE routes on the higher capacity link and ARIN routes on the lower
capacity links. 

-  Accept that we are never going to get an ideal distribution of
traffic and continue monitoring and adjusting local pref/prepends etc. as
and when we need to change the distribution of traffic.  Hopefully we don't
need to do this that often.

 

Thoughts?

 

Ahmed

 

 

 

From: Max Pierson [mailto:nmaxpier...@gmail.com] 
Sent: 18 January 2011 21:30
To: Jack Carrozzo
Cc: Jack Bates; ayousuf0...@gmail.com; nanog group
Subject: Re: Dual Homed BGP for failover

 

Me 3's commit confirmed ... maybe someone from Cisco should be watching
:)

On Tue, Jan 18, 2011 at 3:21 PM, Jack Carrozzo j...@crepinc.com wrote:

Yep, the great thing about IOS without 'commit confirmed' is when you remove
a bgp filter, it runs out of memory, reboots, brings up peers, runs out of
memory, reboots... meanwhile if you're trying to get in over a public
interface you're cursing John Chambers' very existence. Not that that's ever
happened to me of course...

-Jack Carrozzo


On Tue, Jan 18, 2011 at 4:19 PM, Jack Bates jba...@brightok.net wrote:



 On 1/18/2011 3:03 PM, Jack Carrozzo wrote:

 I don't think this is the case, on IOS at least. Some years ago I was
 rocking some 7500s with $not_enough ram for multiple full tables, but
 with a prefix list to accept le 23  they worked fine.


 On JunOS, I know I can view pre and post filtered bgp updates ingress and
 egress. I seem to recall seeing similar functionality introduced into IOS,
 though I'm less certain. It's still always advisable to be careful. :)


 Jack
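Ahmed's third step, preferring RIPE-registered space on the faster link and ARIN-registered space on the slower one, is usually done by building prefix lists from the RIRs' delegated statistics files. The block below is an added example for this page, not Ahmed's configuration and not Juniper's code: it parses the RIR "delegated-extended" format (each RIR publishes a `delegated-<rir>-extended-latest` file), turns start+count ranges into CIDR prefixes, and renders Junos set-style `prefix-list` and import-policy statements that raise local-preference on routes under those prefixes. The stats lines, AS numbers and policy names are constructed. Two caveats a practitioner would want: registration data is not routing data (a /12 allocation is normally announced as many more-specifics, which is why the policy uses `orlonger`), and the prefix list only sets preference on routes that are already accepted, so it does not by itself keep the SRX210 under its route capacity.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the RIR delegated-extended format:
#   registry|cc|type|start|value|date|status[|opaque-id]
# Real files: ftp.ripe.net/pub/stats/ripencc/ and ftp.arin.net/pub/stats/arin/
SAMPLE_STATS = """\
2|ripencc|20110118|12345|19830705|20110118|+0100
ripencc|*|ipv4|*|3|summary
ripencc|FR|ipv4|2.0.0.0|1048576|20100712|allocated
ripencc|DE|ipv4|5.10.0.0|65536|20100914|allocated
ripencc|GB|ipv4|5.20.16.0|3072|20101101|assigned
arin|US|ipv4|8.0.0.0|16777216|19921201|allocated
arin|US|ipv4|12.16.8.0|1024|20000301|assigned
arin|US|ipv4|72.14.192.0|16384|20040120|allocated
lacnic|BR|ipv4|200.0.0.0|65536|19950101|allocated
arin|US|ipv6|2001:4860::|32|20050314|allocated
"""


def parse_delegated(text, rirs):
    """Return {rir: [IPv4Network, ...]} for the wanted RIRs. Ranges that are not
    CIDR-aligned (e.g. a count of 3072) become several prefixes; adjacent
    prefixes are collapsed so the prefix list stays as short as possible."""
    nets = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#") or line[0].isdigit():
            continue                      # comment or version header
        fields = line.split("|")
        if len(fields) < 7:
            continue                      # summary line
        rir, _cc, afi, start, value, _date, status = fields[:7]
        if rir not in rirs or afi != "ipv4" or status not in ("allocated", "assigned"):
            continue
        first = ipaddress.IPv4Address(start)
        last = first + int(value) - 1
        nets[rir].extend(ipaddress.summarize_address_range(first, last))
    return {rir: list(ipaddress.collapse_addresses(v)) for rir, v in nets.items()}


def junos_prefix_list(name, networks):
    """Junos set-style prefix-list statements, one per prefix."""
    return "\n".join(f"set policy-options prefix-list {name} {n}" for n in networks)


def junos_import_policy(policy, prefix_list, local_pref):
    """Import policy for one peer: routes under the prefix list (orlonger, since
    allocations are announced as more-specifics) get local_pref; everything else
    falls through to the default local-preference of 100."""
    base = f"set policy-options policy-statement {policy} term prefer"
    return "\n".join([
        f"{base} from prefix-list-filter {prefix_list} orlonger",
        f"{base} then local-preference {local_pref}",
        f"{base} then accept",
    ])


if __name__ == "__main__":
    by_rir = parse_delegated(SAMPLE_STATS, {"ripencc", "arin"})
    print(junos_prefix_list("RIPE-V4", by_rir["ripencc"]))
    print(junos_prefix_list("ARIN-V4", by_rir["arin"]))
    # Constructed policy names: apply FAST-LINK-IN on the higher-capacity peer,
    # SLOW-LINK-IN on the other, so each region prefers its intended exit.
    print(junos_import_policy("FAST-LINK-IN", "RIPE-V4", 200))
    print(junos_import_policy("SLOW-LINK-IN", "ARIN-V4", 200))
    for rir, nets in by_rir.items():
        print(f"{rir}: {len(nets)} prefixes")
```

Real delegated files produce tens of thousands of entries even after collapsing, so in practice one either loads them as `prefix-list` via automation or approximates with the few dozen large legacy and RIR blocks; either way, re-generate the lists on a schedule, since allocations move between registries.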


 



Re: NAT-PT or NAT64 in real life

2011-01-19 Thread jarod smith
Thanks for your reply.

In summary, it's not possible to deploy IPv6 only if I want to access the
whole Internet :)



On Wed, Jan 19, 2011 at 10:18 AM, jarod smith jarod.smo...@gmail.com wrote:

 Although it would seem that dual-stack is still the preferred method of 
 Linux
 distribution, I want my next deployment to be IPv6 only.
 For Linux there are NAT-PT (tomicki) and NAT64 (Viagenie).

 I don't have Cisco equipment, although I'd like to have tested their NAT-PT, even
 if it's obsolete.

 Have some of you installed one of these two implementations in
 production on recent versions of Linux? Is it stable, secure, ...?


 Regards



Re: Software DNS high availability and load balancer solution

2011-01-19 Thread Joe Greco
 On 01/18/2011 07:42 AM, Sergey Voropaev wrote:
  Does anyone know of software solutions (free is preferable) like Cisco GSS
  and F5 BIG-IP? The main point is that the DNS server (or DNS server plugin) must
  be able to monitor server availability (for example by TCP connect) and make the
  DNS reply depend on it.
 
  I know that it is possible with BIND and a set of scripts, but we are trying to
  find a more usable solution with a friendly interface.
 
  Thanks a lot.

 If you want to get fancy you could try an Anycast DNS setup, using GNU's 
 Zebra tool to automatically alter routing tables. 
 http://www.netlinxinc.com/netlinx-blog/45-dns/118-introduction-to-anycast-dns.html

You wouldn't use Zebra; it isn't actively developed anymore and has 
not been updated in many years.  Use Quagga instead, which is the
community-based offshoot.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Software DNS high availability and load balancer solution

2011-01-19 Thread Joe Abley

On 2011-01-19, at 08:17, Joe Greco wrote:

 You wouldn't use Zebra; it isn't actively developed anymore and has 
 not been updated in many years.  Use Quagga instead, which is the
 community-based offshoot.

I don't think this is what the original post was asking about, but for the sake 
of completeness other alternatives to Zebra/Quagga (when using BGP between 
anycast origin servers and adjacent routers, e.g. with multipath configured on 
the routers) are OpenBGPd and BIRD.

See earlier suggestions for bedtime reading, also: 
http://www.merit.edu/mail.archives/nanog/msg06970.html.


Joe




Re: Software DNS high availability and load balancer solution

2011-01-19 Thread InterNetX - Jürgen Gotteswinter

On 19.01.11 01:01, david raistrick wrote:



On 01/18/2011 09:42 AM, Sergey Voropaev wrote:

Does anyone know of software solutions (free is preferable) like
Cisco GSS
and F5 BIG-IP? The main point is that the DNS server (or DNS server
plugin) must
be able to monitor server availability (for example by TCP connect)
and make the
DNS reply depend on it.



On Tue, 18 Jan 2011, Charles N Wyble wrote:


Ha-proxy and linux virtual server are popular packages.


Neither of these do DNS. He asked about DNS based loadbalancing (also
known as GSLB, among other things) software packages



haproxy doesn't,


LVS works for DNS very well; take a look at keepalived 
(www.keepalived.org). It supports LVS + VRRP.





--
david raistrick http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html
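Sergey's actual requirement, a DNS answer that depends on a TCP-connect health check of the backends, is small enough to show end to end. The block below is an added example written for this page; it is not keepalived, BIND or anything posted in the thread. It is a minimal authoritative responder for A queries: it answers only with the backends whose TCP connect succeeded, sets AA, returns NXDOMAIN for unknown names and SERVFAIL when no backend is healthy (so resolvers try another authoritative server instead of caching a dead address). The zone data, addresses (RFC 5737 documentation ranges) and ports are constructed, and the health check is injectable so the logic can be exercised without a network.

```python
import socket
import struct

# Constructed service table: owner name -> [(address, port to health-check)]
BACKENDS = {
    "www.example.test.": [("192.0.2.10", 80), ("192.0.2.11", 80), ("198.51.100.7", 80)],
}
TTL = 30  # short TTL so clients re-resolve soon after a backend drops out


def tcp_check(ip, port, timeout=1.0):
    """Health check: a TCP connect that completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def encode_name(name):
    """Wire-format a dotted name (used to build test queries)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_question(msg):
    """Return (txid, qname, qtype, qclass, question_bytes) of a single-question query."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated qname")
        ln = msg[pos]
        if ln == 0:
            pos += 1
            break
        if ln >= 0xC0:
            raise ValueError("compression pointer in question")
        if pos + 1 + ln > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels).lower() + ".", qtype, qclass, msg[12:pos + 4]


def healthy_addresses(qname, backends=BACKENDS, check=tcp_check):
    """Addresses whose health check passes; None if the name is not ours."""
    pool = backends.get(qname)
    if pool is None:
        return None
    return [ip for ip, port in pool if check(ip, port)]


def build_response(query, backends=BACKENDS, check=tcp_check, ttl=TTL):
    """Authoritative answer: healthy A records, NXDOMAIN (3) for unknown names,
    empty NOERROR for non-A/IN questions, SERVFAIL (2) when nothing is healthy."""
    txid, qname, qtype, qclass, question = parse_question(query)
    addrs = healthy_addresses(qname, backends, check)
    if addrs is None:
        rcode, answers = 3, []
    elif qtype != 1 or qclass != 1:
        rcode, answers = 0, []
    elif not addrs:
        rcode, answers = 2, []
    else:
        rcode, answers = 0, addrs
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, len(answers), 0, 0)  # QR, AA
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)  # name ptr to offset 12
        for ip in answers
    )
    return header + question + rrs


def serve(bind=("0.0.0.0", 5353)):
    """Tiny UDP front end: python3 this_file.py, then dig -p 5353 @127.0.0.1 www.example.test"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            data, peer = s.recvfrom(512)
            try:
                s.sendto(build_response(data), peer)
            except ValueError:
                pass  # malformed query: drop rather than reflect anything


if __name__ == "__main__":
    serve()
```

Doing the TCP connect inline on every query is fine for a demonstration but not for production: a real GSLB runs the checks on a timer and answers from cached state, otherwise a slow backend adds its timeout to every lookup and a query flood becomes a connect flood against your own servers.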








Re: Network Simulators

2011-01-19 Thread Ryan Shea
You can do some switching by stuffing a virtual NM-16ESW into your
faketastic 3660 in Dynamips. Then there are the built-in frame-relay and
ethernet switches you could dump into the mix as well.

-Ryan

On Mon, Jan 17, 2011 at 10:23 AM, Brandon Kim brandon@brandontek.com wrote:


 James:

 I've been resisting GNS3 for the longest time, because I like real
 equipment and to get my hands a little dirty.
 But for the purpose of simulation, GNS3 helped me identify a BGP issue last
 week. If it weren't for GNS3,
 I would not have been able to figure it out.

 I will be using GNS3 in the future now for as much as I can. Remember it is
 more router oriented than switch.

 So you can't do any fancy L3 switching..



  Date: Mon, 17 Jan 2011 10:05:21 -0500
  From: ja...@freedomnet.co.nz
  To: nanog@nanog.org
  Subject: Re: Network Simulators
 
  So far GNS3 has won out. It seems to work on my Mac fairly well;
  trying it out now.
 
  On 17/01/11 9:37 AM, Carlos Martinez-Cagnazzo wrote:
   I am currently researching virtual simulation environments for the
   Networking courses that I teach. I am now interested in user-mode
   linux emulators as they provide more real environments.
  
   The one that I am liking the most right now is this one:
   http://wiki.netkit.org/index.php/Main_Page
  
   regards
  
   Carlos
  
   On Mon, Jan 17, 2011 at 12:20 PM, Arturo Servin
 arturo.ser...@gmail.com  wrote:
   GNS3
   http://www.gns3.net/
  
   This is another network simulator, mainly for academic
 research.
  
   NS-2
   http://www.isi.edu/nsnam/ns/
  
   And you can always setup some virtual machines with DNSs,
 hosts and routers with open-source software.
  
   regards,
   -as
  
   On 17 Jan 2011, at 11:58, James Jones wrote:
  
   Are there any good Network Simulators/Trainers out there that support
 IPv6? I want to play around with some IPv6 setup.
  
   --
   James Jones
   +1-413-667-9199 tel:+14136679199
   ja...@freedomnet.co.nz
  
  
  
  
 




RE: Network Simulators

2011-01-19 Thread Gary Gladney
If you're looking for a network simulator for Cisco equipment, it's been my 
experience that Boson (www.boson.com) has the best network simulator for Cisco 
equipment.  It behaves and processes information the way real Cisco equipment 
does.  I've tried GNS3; it's great for routing situations but lacks in simulating 
switches.

Gary

-Original Message-
From: Ryan Shea [mailto:ryans...@google.com] 
Sent: Wednesday, January 19, 2011 8:37 AM
To: Brandon Kim
Cc: nanog group
Subject: Re: Network Simulators

You can do some switching by stuffing a virtual NM-16ESW into your faketastic 
3660 in Dynamips. Then there are the built-in frame-relay and ethernet switches 
you could dump into the mix as well.

-Ryan





RE: Dual Homed BGP for failover

2011-01-19 Thread Randy McAnally
On Wed, 19 Jan 2011 10:23:47 -, Ahmed Yousuf wrote

 -  Accept that we are never going to get an ideal 
 distribution of traffic and continue monitoring and adjusting local 
 pref/prepends etc. as and when we need to change the distribution of 
 traffic.  Hopefully we don't need to do this that often.


^ This.  You're fighting a losing battle with such slow links.  Given the
limited route capacity of your router you might as well set up statics aimed
at each link and forget about BGP shaping.  Just keep a floating default
pointed at each peer.

-Randy



Re: Network Simulators

2011-01-19 Thread Carlos Martinez-Cagnazzo
Anything for Junipers?

On Wed, Jan 19, 2011 at 11:52 AM, Gary Gladney glad...@stsci.edu wrote:
 If you're looking for a network simulator for Cisco equipment, it's been my 
 experience that Boson (www.boson.com) has the best network simulator for Cisco 
 equipment.  It behaves and processes information the way real Cisco equipment 
 does.  I've tried GNS3; it's great for routing situations but lacks in 
 simulating switches.

 Gary

 -Original Message-
 From: Ryan Shea [mailto:ryans...@google.com]
 Sent: Wednesday, January 19, 2011 8:37 AM
 To: Brandon Kim
 Cc: nanog group
 Subject: Re: Network Simulators

 You can do some switching by stuffing a virtual NM-16ESW into your faketastic 
 3660 in Dynamips. Then there are the built-in frame-relay and ethernet 
 switches you could dump into the mix as well.

 -Ryan








-- 
--
=
Carlos M. Martinez-Cagnazzo
http://www.labs.lacnic.net
=



RE: Dual Homed BGP for failover

2011-01-19 Thread Ahmed Yousuf
We're doing BGP to announce our PI space and make sure that our PI space is
reachable through both ISPs in case one link goes down.  This is the primary
need to do the BGP here.  Unfortunately my boss has requested that we make
use of the capacity of both links, rather than pref traffic out of the
higher capacity link.

-Original Message-
From: Randy McAnally [mailto:r...@fast-serv.com] 
Sent: 19 January 2011 14:00
To: Ahmed Yousuf; 'nanog group'
Subject: RE: Dual Homed BGP for failover

On Wed, 19 Jan 2011 10:23:47 -, Ahmed Yousuf wrote

 -  Accept that we are never going to get an ideal 
 distribution of traffic and continue monitoring and adjusting local 
 pref/prepends etc. as and when we need to change the distribution of 
 traffic.  Hopefully we don't need to do this that often.


^ This.  You're fighting a losing battle with such slow links.  Given the
limited route capacity of your router you might as well set up statics aimed
at each link and forget about BGP shaping.  Just keep a floating default
pointed at each peer.

-Randy




RE: Dual Homed BGP for failover (Ahmed Yousuf)

2011-01-19 Thread James Byaruhanga






RE: Dual Homed BGP for failover

2011-01-19 Thread Randy McAnally
On Wed, 19 Jan 2011 14:26:32 -, Ahmed Yousuf wrote
 We're doing BGP to announce our PI space and make sure that our PI 
 space is reachable through both ISPs in case one link goes down. 
  This is the primary need to do the BGP here.  Unfortunately my boss 
 has requested that we make use of the capacity of both links, rather 
 than pref traffic out of the higher capacity link.

Understood! You would _still_ take default BGP routes, I was implying more
along the lines (in cisco speak):

! Tweak as necessary to get a good balance
ip route 0.0.0.0 128.0.0.0 peer1
ip route 128.0.0.0 128.0.0.0 peer2

Set up SLA tracking on the peer IPs to retract the routes if either peer goes
down.

Either that or get more RAM on your router and go the BGP-only method.

-Randy



Re: Network Simulators

2011-01-19 Thread Jack Bates



On 1/19/2011 8:27 AM, Carlos Martinez-Cagnazzo wrote:

Anything for Junipers ?



Olive? Do you dare?


On Wed, Jan 19, 2011 at 11:52 AM, Gary Gladneyglad...@stsci.edu  wrote:

If you're looking for a network simulator for Cisco equipment, it's been my 
experience that Boson (www.boson.com) has the best network simulator for Cisco 
equipment.  It behaves and processes information the way real Cisco equipment 
does.  I've tried GNS3; it's great for routing situations but lacks in simulating 
switches.





NANOG 51 Agenda posted

2011-01-19 Thread David Meyer
Folks,

See http://www.nanog.org/meetings/nanog51/agenda.php

See you in Miami,

Dave

(for the NANOG PC)


Re: NAT-PT or NAT64 in real life

2011-01-19 Thread Cameron Byrne
On Wed, Jan 19, 2011 at 1:18 AM, jarod smith jarod.smo...@gmail.com wrote:
 Although it would seem that dual-stack is still the preferred method of 
 Linux
 distribution, I want my next deployment to be IPv6 only.
 For Linux there are NAT-PT (tomicki) and NAT64 (Viagenie).

 I don't have Cisco equipment, although I'd like to have tested their NAT-PT, even if
 it's obsolete.


There are some lessons learned here with NAT-PT

http://www.civil-tongue.net/6and4/wiki

But, I would only use NAT-PT for ... no ... I would never use NAT-PT.
The implementations are really not good.

 Have some of you installed one of these two implementations in
 production on recent versions of Linux? Is it stable, secure, ...?


I have tested 3 versions of DNS64 and 4 versions of NAT64.  I am not
sure what I can share about them.  My experience has generally been
good.  I feel good with taking my selected vendors to production with
this feature.  Users in my beta trial have been happy with the results
and performance.  You mentioned Cisco.  Cisco has stateless support
for NAT64 today, but I am not sure of the value of that since it is
one-for-one.  I assume they will have stateful support soon.

http://www.cisco.com/en/US/docs/ios/ios_xe/ipaddr/configuration/guide/iad_stateless_nat64_xe.html

aka http://tinyurl.com/4gt9s9y

Juniper has stateful NAT64 today in production code. I have not looked
at this one yet, but it appears promising:

http://www.juniper.net/techpubs/en_US/junos10.4/information-products/topic-collections/nce/nat64-ipv6-ipv4-depletion/configuring-nat64-ipv6-ipv4-depletion.pdf

aka http://tinyurl.com/4qxjahk

If you are talking about servers, not users, most of the commercial
load balancers have NAT64 functions for the IPv6 user to IPv4 legacy
server use case.

Cameron
==
http://groups.google.com/group/tmoipv6beta
==


 Regards




Re: NAT-PT or NAT64 in real life

2011-01-19 Thread Mikhail Strizhov

Hi,

I haven't used NAT-PT, but I have a lot of experience with NAT64/DNS64.
We've deployed NAT64 with DNS64 in our test lab with the latest Fedora Linux 
workstations; so far, it works fine.


--
Sincerely,
Mikhail Strizhov
Email: striz...@netsec.colostate.edu mailto:striz...@netsec.colostate.edu


On 01/19/2011 02:18 AM, jarod smith wrote:

Although it would seem that dual-stack is still the preferred method of Linux
distribution, I want my next deployment to be IPv6 only.
For Linux there are NAT-PT (tomicki) and NAT64 (Viagenie).

I don't have Cisco equipment, although I'd like to have tested their NAT-PT, even if
it's obsolete.

Have some of you installed one of these two implementations in
production on recent versions of Linux? Is it stable, secure, ...?


Regards





Verizon FiOS Distribution Switch

2011-01-19 Thread Chris Burwell
I have a question about a Verizon FiOS business connection with an
ethernet hand off and I am hoping that someone out there has done the
same thing.

We have a FiOS business connection coming into our building. This
includes an Ethernet hand off into the usual Actiontec router as well
as a block of 13 public IP addresses. The Actiontec router needs to
remain in place with its current Public IP address. We have some
devices from a vendor plugged into it for Internet access, as well as
numerous cable boxes across the building that get their guide
information through the coax interface on the router.

What we want to do is take the ethernet hand off out of the WAN
(RJ-45) interface on the Actiontec router and plug it into a hardened
Cisco switch such as a 2950. Our goal here is to use the Cisco switch
as an Internet distribution switch since we will have numerous test
devices that will need to have a direct connection to the Internet.
Our preference is also not to have all of the traffic from these other
devices traverse the Actiontec router.

I have a few concerns with this setup:

Some articles I have read indicate that the hand off from the Verizon
ONT may not be a direct Ethernet hand off so the interface it connects
to may require a different config (Dialer or something).

I am also concerned about any issues if the ONT or some down stream
Verizon device may cause if it sees multiple MAC addresses coming
across our link.

We're not trying to cheat the system or anything, just to modify the
Verizon setup to better suit our needs.

Any advice or tips would be helpful.

- Chris



Re: Verizon FiOS Distribution Switch

2011-01-19 Thread Edward Salonia
I have done this exact thing. We had a client with a block of public ips and 
they needed the actiontec router to stay connected for the cable boxes. Just 
put the switch between the ONT ethernet port and the actiontec WAN port and you 
should be fine. Just make sure the ethernet port is active on the ONT and that 
they don't just have the MoCA port active as I have seen this. If that's the 
case a simple phone call to Verizon should solve this... Assuming you get a 
capable tech on the line.

Good luck.

- Ed
-Original Message-
From: Chris Burwell cburw...@gmail.com
Date: Wed, 19 Jan 2011 15:56:15 
To: NANOGnanog@nanog.org
Subject: Verizon FiOS Distribution Switch

I have a question about a Verizon FiOS business connection with an
ethernet hand off and I am hoping that someone out there has done the
same thing.

We have a FiOS business connection coming into our building. This
includes an Ethernet hand off into the usual Actiontec router as well
as a block of 13 public IP addresses. The Actiontec router needs to
remain in place with its current Public IP address. We have some
devices from a vendor plugged into it for Internet access, as well as
numerous cable boxes across the building that get their guide
information through the coax interface on the router.

What we want to do is take the ethernet hand off out of the WAN
(RJ-45) interface on the Actiontec router and plug it into a hardened
Cisco switch such as a 2950. Our goal here is to use the Cisco switch
as an Internet distribution switch since we will have numerous test
devices that will need to have a direct connection to the Internet.
Our preference is also not to have all of the traffic from these other
devices traverse the Actiontec router.

I have a few concerns with this setup:

Some articles I have read indicate that the hand off from the Verizon
ONT may not be a direct Ethernet hand off so the interface it connects
to may require a different config (Dialer or something).

I am also concerned about any issues if the ONT or some down stream
Verizon device may cause if it sees multiple MAC addresses coming
across our link.

We're not trying to cheat the system or anything, just to modify the
Verizon setup to better suit our needs.

Any advice or tips would be helpful.

- Chris



Re: Verizon FiOS Distribution Switch

2011-01-19 Thread GP Wooden
Not that this is a requirement, but good practice nonetheless with this 
setup... Turn off CDP on the port facing the LEC...

-graham

- Reply message -
From: Chris Burwell cburw...@gmail.com
Date: Wed, Jan 19, 2011 2:56 pm
Subject: Verizon FiOS Distribution Switch
To: NANOG nanog@nanog.org

I have a question about a Verizon FiOS business connection with an
ethernet hand off and I am hoping that someone out there has done the
same thing.

We have a FiOS business connection coming into our building. This
includes an Ethernet hand off into the usual Actiontec router as well
as a block of 13 public IP addresses. The Actiontec router needs to
remain in place with its current Public IP address. We have some
devices from a vendor plugged into it for Internet access, as well as
numerous cable boxes across the building that get their guide
information through the coax interface on the router.

What we want to do is take the ethernet hand off out of the WAN
(RJ-45) interface on the Actiontec router and plug it into a hardened
Cisco switch such as a 2950. Our goal here is to use the Cisco switch
as an Internet distribution switch since we will have numerous test
devices that will need to have a direct connection to the Internet.
Our preference is also not to have all of the traffic from these other
devices traverse the Actiontec router.

I have a few concerns with this setup:

Some articles I have read indicate that the hand off from the Verizon
ONT may not be a direct Ethernet hand off so the interface it connects
to may require a different config (Dialer or something).

I am also concerned about any issues if the ONT or some down stream
Verizon device may cause if it sees multiple MAC addresses coming
across our link.

We're not trying to cheat the system or anything, just to modify the
Verizon setup to better suit our needs.

Any advice or tips would be helpful.

- Chris



Re: Verizon FiOS Distribution Switch

2011-01-19 Thread Mike

On 01/19/2011 01:28 PM, GP Wooden wrote:

Not that this is a requirement, but good practice none the less with this 
setup... Turn off cdp on the port facing the LEC...




+1
also add 'nonegotiate' and turn off spanning tree on the port while 
you're at it. There's a list somewhere of standard stuff when connecting 
to an untrusted L2 network, which is how you should treat anything 
(including FiOS) connecting to you that you don't own.
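As an added example (not from Mike's post or any vendor tool), the following checks an IOS-style switch config for the three items above on the port facing the carrier; the sample config is constructed, and the exact IOS command spellings (`no cdp enable`, `switchport nonegotiate`, BPDU filter/guard as the per-port way of taking the port out of spanning tree) are assumptions from common usage, not from the post.

```python
"""Audit the port facing an untrusted L2 network (e.g. a carrier hand-off)
for the hardening commands discussed in the thread. Constructed sample
config; command spellings are the usual IOS ones and are an assumption."""

# check name -> any one of these lines satisfies it
REQUIRED = {
    "cdp off": ["no cdp enable"],
    "dtp off": ["switchport nonegotiate"],
    "stp off": ["spanning-tree bpdufilter enable",
                "spanning-tree bpduguard enable"],
}

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description to carrier ONT (constructed example)
 switchport mode access
 switchport nonegotiate
 no cdp enable
!
interface FastEthernet0/2
 switchport mode access
!
"""


def interface_blocks(config):
    """Map interface name -> set of its indented config lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = set()
        elif raw.startswith(" ") and current is not None:
            blocks[current].add(raw.strip())
        else:
            current = None  # '!' or a top-level line ends the block
    return blocks


def audit_untrusted_port(config, iface):
    """Return the names of missing checks for iface, or None if iface is absent."""
    blocks = interface_blocks(config)
    if iface not in blocks:
        return None
    present = blocks[iface]
    return [name for name, options in REQUIRED.items()
            if not any(opt in present for opt in options)]
```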


Is anyone Using Talari Networks WAN Optimizer?

2011-01-19 Thread Holmes,David A
Talari management apparently has experience at the old Routescience BGP 
load-balancer startup, so this warrants a closer look. Has anyone used their 
products?



Re: Is anyone Using Talari Networks WAN Optimizer?

2011-01-19 Thread Shahid Shafi
We are considering them but are a bit concerned, as they do forwarding plane
optimization instead of control plane as in the case of Route Science.

thanks,
Shahid

On Wed, Jan 19, 2011 at 2:50 PM, Holmes,David A dhol...@mwdh2o.com wrote:

 Talari management apparently has experience at the old Routescience BGP
 load-balancer startup, so this warrants a closer look. Has anyone used their
 products?




Securing Border Routers

2011-01-19 Thread Brandon Kim

Gents:

What measures do you take to protect your border routers? Our routers are 
running BGP, so I'm interested in whether there is any way to secure them 
without interfering with BGP. Is it normal to put a firewall in front of the 
border routers?

I'm concerned about DDOS attacks mainly; although we haven't had any, I don't 
welcome them.

Brandon





RE: Securing Border Routers

2011-01-19 Thread Welch, Bryan
I ALWAYS start with the CYMRU secure bgp templates, found here:
http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html

I personally would not recommend a firewall in front of your router, sufficient 
ACL'ing should be enough for securing the router itself.


Bryan

-Original Message-
From: Brandon Kim [mailto:brandon@brandontek.com] 
Sent: Wednesday, January 19, 2011 4:36 PM
To: nanog group
Subject: Securing Border Routers


Gents:

What measures do you take to protect your border routers? Our routers are 
running BGP, so I'm interested in whether there is any way to secure them without 
interfering with BGP. Is it normal to put a firewall in front of the border 
routers?

I'm concerned about DDOS attacks mainly; although we haven't had any, I don't 
welcome them.

Brandon







Re: Securing Border Routers

2011-01-19 Thread Ryan Shea
A stateful firewall outside of your router may create a new bottleneck which
increases your risk of DoS. Making sure that you know (and document, and
test) how to effectively contact your service providers should you be
attacked would be a good idea. Find out if your service providers have BGP
communities for remote triggered black hole (document and test). A denial of
service will break the weakest link in the chain toward your services, so
make sure you have appropriate bandwidth, a reasonable server architecture,
and if you have money to burn consider a DDoS mitigation service.

-Ryan

On Wed, Jan 19, 2011 at 7:35 PM, Brandon Kim brandon@brandontek.com wrote:


 Gents:

 What measures do you take to protect your border routers? Our routers are
 running BGP, so I'm interested in whether there is any way to secure them
 without interfering with BGP. Is it normal to put a firewall in front of the
 border routers?

 I'm concerned about DDOS attacks mainly; although we haven't had any, I
 don't welcome them.

 Brandon







RE: Securing Border Routers

2011-01-19 Thread Brandon Kim



What an insightful link! Thank you, I am reading it now.




 From: bryan.we...@arrisi.com
 To: nanog@nanog.org
 Date: Wed, 19 Jan 2011 16:38:43 -0800
 Subject: RE: Securing Border Routers
 
 I ALWAYS start with the CYMRU secure bgp templates, found here:
 http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html
 
 I personally would not recommend a firewall in front of your router, 
 sufficient ACL'ing should be enough for securing the router itself.
 
 
 Bryan
 
 -Original Message-
 From: Brandon Kim [mailto:brandon@brandontek.com] 
 Sent: Wednesday, January 19, 2011 4:36 PM
 To: nanog group
 Subject: Securing Border Routers
 
 
 Gents:
 
 What measures do you take to protect your border routers? Our routers are 
 running BGP, so I'm interested in whether there is any way to secure them without 
 interfering with BGP. Is it normal to put a firewall in front of the border 
 routers?
 
 I'm concerned about DDOS attacks mainly; although we haven't had any, I 
 don't welcome them.
 
 Brandon
 
 
 
 
 
 

Update Spamhaus DROP list from Cisco CLI (TCL)

2011-01-19 Thread Thomas Magill
Previous conversations made me decide this would be fun to do so I ignored all 
my real work today and made it happen.

I built a TCL script that can be mapped to an alias (alias exec updatedrop 
tclsh updatedrop.tcl) that will connect to the Spamhaus DROP list and route 
all of the prefixes to null0.  It should also be able to be mapped to a kron 
job, but I haven't tested that and I've heard there are issues with kron+tcl 
unless you tie it to an EEM event.  It adds a name indicator 
(Spamhaus_SBLX) to all of the routes to show that they come from the DROP 
list.  You can find the script at:

http://tmagill.net/cisco_networking_ccie_studies/?p=83

There is also a script to remove all of the Spamhaus_SBLX null routes.

If I were to redis these into BGP they could be propagated just like the CYMRU 
Bogons...  I plan on doing that within the next week and start testing.  Does 
anyone see that as a useful service to be offered?


Thomas Magill
Network Engineer
Office: (858) 909-3777
Cell: (858) 869-9685
tmag...@providecommerce.com

provide-commerce
4840 Eastgate Mall
San Diego, CA  92121

ProFlowers <http://www.proflowers.com/> | redENVELOPE <http://www.redenvelope.com/> | 
Cherry Moon Farms <http://www.cherrymoonfarms.com/> | Shari's Berries <http://www.berries.com/>
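The core of what the post's TCL script does, written here as an added Python example (not Thomas Magill's script and not a Spamhaus tool) so the feed-handling can be seen end to end: parse a DROP-style feed, refuse entries that are malformed, too broad, or that overlap your own address space (a guard against a bad or tampered feed), and emit the IOS `ip route ... Null0 name Spamhaus_SBLX` lines plus their `no` form for removal. The feed text, the protected prefix and the /8 limit are all constructed for this example.

```python
"""Generate IOS null routes from a Spamhaus-DROP-style feed.
Added example; feed format assumed to be one 'CIDR ; SBLnnn' entry per line
with ';' starting a comment. Sample feed and local policy are constructed."""
import ipaddress

SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not the real feed)
; Expires: 3600
192.0.2.0/24 ; SBL1001
203.0.113.0/24 ; SBL1002
198.51.100.0/22 ; SBL1003
0.0.0.0/0 ; SBL-bogus
203.0.113.5/24 ; SBL-hostbits
"""

# Our own address space (assumed): never null-route anything overlapping it,
# which bounds the damage a corrupt or hostile feed could do.
PROTECTED = [ipaddress.IPv4Network("198.51.100.0/24")]
MIN_PREFIXLEN = 8  # refuse anything broader than a /8 (assumed local policy)


def parse_drop(text):
    """Return (accepted networks, [(entry, reason), ...] for rejected entries)."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()  # drop the '; SBLnnn' comment
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=True)  # host bits set -> error
        except ValueError:
            rejected.append((entry, "malformed"))
            continue
        if net.prefixlen < MIN_PREFIXLEN:
            rejected.append((entry, "too broad"))
        elif any(net.overlaps(p) for p in PROTECTED):
            rejected.append((entry, "overlaps protected space"))
        else:
            accepted.append(net)
    return accepted, rejected


def null_routes(nets, tag="Spamhaus_SBLX", remove=False):
    """IOS 'ip route <net> <mask> Null0 name <tag>' lines; remove=True gives the 'no' form."""
    verb = "no ip route" if remove else "ip route"
    return [f"{verb} {n.network_address} {n.netmask} Null0 name {tag}" for n in nets]
```

Feeding the output of `null_routes(..., remove=True)` back to the router is the equivalent of the post's removal script; the `name` tag is what lets both scripts find their own routes.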



Re: Update Spamhaus DROP list from Cisco CLI (TCL)

2011-01-19 Thread Jared Mauch

On Jan 19, 2011, at 9:04 PM, Thomas Magill wrote:

 Previous conversations made me decide this would be fun to do so I ignored 
 all my real work today and made it happen.
 
 I built a TCL script that can be mapped to an alias (alias exec updatedrop 
 tclsh updatedrop.tcl) that will connect to the Spamhaus DROP list and route 
 all of the prefixes to null0.  It should also be able to be mapped to a kron 
 job, but I haven't tested that and I've heard there are issues with kron+tcl 
 unless you tie it to an EEM event.  It adds a name indicator 
 (Spamhaus_SBLX) to all of the routes to show that they come from the DROP 
 list.  You can find the script at:
 
 http://tmagill.net/cisco_networking_ccie_studies/?p=83
 
 There is also a script to remove all of the Spamhaus_SBLX null routes.
 
 If I were to redis these into BGP they could be propagated just like the 
 CYMRU Bogons...  I plan on doing that within the next week and start testing. 
  Does anyone see that as a useful service to be offered?

This was done once before, it was called MAPS at the time.  Using BGP as a 
signaling mechanic for this stuff can obviously be useful.  The challenge has 
always been balancing the trust with a 3rd party with the other operational 
requirements.

Typically business needs push this out such that it's harder to obtain.  
Smaller networks may participate as the cost may be higher proportionally upon 
them.  Larger networks just do the triage the same way they always do, with 
their abuse desks.

The business needs/concerns are typically something like "How do we trust them? 
Can it be hacked?" etc.

There are always sunsetting issues.  Sometimes nobody knows that the network 
was peered with the bogons server, or has an old bogons list that needs to be 
updated.  There will be a lot of fun soon as we attain the end of IPv4 
allocations.  Many people with old bogon lists will ultimately need to 
remove them.  Some people won't notice, possibly for years.

- Jared


Re: Update Spamhaus DROP list from Cisco CLI (TCL)

2011-01-19 Thread Suresh Ramasubramanian
Did you try this?

http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ#168

Links to Marco d'Itri's cisco tools package -
http://www.linux.it/~md/software/cisco-tools-0.2.tgz

Pretty neat, can update bogons as well.

On Thu, Jan 20, 2011 at 7:34 AM, Thomas Magill
tmag...@providecommerce.com wrote:
 Previous conversations made me decide this would be fun to do so I ignored 
 all my real work today and made it happen.

 I built a TCL script that can be mapped to an alias (alias exec updatedrop 
 tclsh updatedrop.tcl) that will connect to the Spamhaus DROP list and route 
 all of the prefixes to null0.  It should also be able to be mapped to a kron 
 job, but I haven't tested that and I've heard there are issues with kron+tcl 
 unless you tie it to an EEM event.  It adds a name indicator 
 (Spamhaus_SBLX) to all of the routes to show that they come from the DROP 
 list.  You can find the script at:

 http://tmagill.net/cisco_networking_ccie_studies/?p=83

 There is also a script to remove all of the Spamhaus_SBLX null routes.

 If I were to redis these into BGP they could be propagated just like the 
 CYMRU Bogons...  I plan on doing that within the next week and start testing. 
  Does anyone see that as a useful service to be offered?


 Thomas Magill
 Network Engineer
 Office: (858) 909-3777
 Cell: (858) 869-9685
 tmag...@providecommerce.com

 provide-commerce
 4840 Eastgate Mall
 San Diego, CA  92121

 ProFlowers <http://www.proflowers.com/> | redENVELOPE <http://www.redenvelope.com/> | 
 Cherry Moon Farms <http://www.cherrymoonfarms.com/> | Shari's Berries <http://www.berries.com/>





-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



United Airlines Technical Contact

2011-01-19 Thread Nathan Charles
Does anybody have a technical contact for United Airlines?  I can't seem to
get in touch with any of the phone numbers or email addresses listed in
whois.

Regards,

Nathan Charles



Re: Securing Border Routers

2011-01-19 Thread Owen DeLong
Using non-world routable space on interfaces makes for difficulties in some
situations with PMTU-D and with troubleshooting (useless information in
traceroutes for example).

Owen

On Jan 19, 2011, at 6:04 PM, jim deleskie wrote:

 Never put a firewall in front of a router; it will die first.  The team
 CYMRU stuff is great; make sure you have ACLs on your VTY and allow access
 only from trusted internal IPs.  I also like using non-world-routable space
 on any interface I can.
 
 
 On Wed, Jan 19, 2011 at 9:38 PM, Brandon Kim brandon@brandontek.com wrote:
 
 
 
 
 What an insightful link! Thank you, I am reading it now.
 
 
 
 
 From: bryan.we...@arrisi.com
 To: nanog@nanog.org
 Date: Wed, 19 Jan 2011 16:38:43 -0800
 Subject: RE: Securing Border Routers
 
 I ALWAYS start with the CYMRU secure bgp templates, found here:
 http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html
 
 I personally would not recommend a firewall in front of your router,
 sufficient ACL'ing should be enough for securing the router itself.
 
 
 Bryan
 
 -Original Message-
 From: Brandon Kim [mailto:brandon@brandontek.com]
 Sent: Wednesday, January 19, 2011 4:36 PM
 To: nanog group
 Subject: Securing Border Routers
 
 
 Gents:
 
 What measures do you take to protect your border routers? Our routers are
 running BGP, so I'm interested in whether there is any way to secure them without
 interfering with BGP. Is it normal to put a firewall in front of the border
 routers?
 
 I'm concerned about DDOS attacks mainly; although we haven't had any, I
 don't welcome them.
 
 Brandon