RE: facebook lost their A-record for www.facebook.com?

2012-03-07 Thread Frank Bulk
They had issues in Europe today:
http://www.telegraph.co.uk/technology/facebook/9128716/Facebook-hit-by-two-hour-blackout.html
http://www.washingtonpost.com/business/technology/facebook-back-up-after-europe-outage/2012/03/07/gIQAJnNuwR_story.html

Frank

-Original Message-
From: Anurag Bhatia [mailto:m...@anuragbhatia.com] 
Sent: Wednesday, March 07, 2012 2:52 AM
To: Octavio Alvarez
Cc: NANOG Mailing List
Subject: Re: facebook lost their A-record for www.facebook.com?

Good point Octavio. +trace with dig is always useful when getting weird
results.

(Sent from my mobile device)

Anurag Bhatia
http://anuragbhatia.com
On Mar 7, 2012 1:19 PM, "Octavio Alvarez"  wrote:

> On Tue, 06 Mar 2012 23:43:07 -0800, Igor Ybema  wrote:
>
>  [igor@vds ~]$ host -t A  www.facebook.com ns1.facebook.com
>> Using domain server:
>> Name: ns1.facebook.com
>> Address: 204.74.66.132#53
>> Aliases:
>>
>> www.facebook.com has no A record
>>
>
> No, it's a subdomain with its A records in another server.
>
> $ host -t A www.facebook.com glb1.facebook.com.
> Using domain server:
> Name: glb1.facebook.com.
> Address: 69.171.239.10#53
> Aliases:
>
> www.facebook.com has address 69.171.224.12
>
>
> Try dig +trace www.facebook.com to see why.
>
>
>
> --
> Octavio.
>
> Twitter: @alvarezp2000 -- Identi.ca: @alvarezp
>
>





Re: PLEASE don't feed the troll

2012-03-07 Thread George Herbert
Isabel -

It does not take a PhD in computer science to understand networks or
network protocol design.  It does not take a PhD to understand that
the troll's particular proposal was not a competent well-founded
contribution.


On Wed, Mar 7, 2012 at 7:25 AM, isabel dias  wrote:
> are you a PhD? otherwise you are not making sense
>
>
>
> 
>  From: Jay Ashworth 
> To: NANOG 
> Sent: Wednesday, March 7, 2012 3:17 PM
> Subject: PLEASE don't feed the troll
>
> Nuff said?
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth                  Baylink                      j...@baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274



-- 
-george william herbert
george.herb...@gmail.com



RE: Digi TS8 serial console server funkiness

2012-03-07 Thread George Bonser
> 
> Other issues I've noticed..cannot use arrow keys to search command
> buffer.

This is going to be a tougher one.  Might be a difference in character 
encoding. Here is the VT100 spec:

http://www.handshake.de/infobase/dfue/prgrmmer/t322.htm

*  ESC D cursor down - at bottom of region, scroll up
*  ESC M cursor up - at top of region, scroll down

...

Arrows   Standard   Applications   IBM Keypad
Up       ESC [ A    ESC O A        Alt 9
Down     ESC [ B    ESC O B        Alt 0
Right    ESC [ C    ESC O C        Alt -
Left     ESC [ D    ESC O D        Alt =

So you probably need to check your keyboard encoding.  It likely differs from 
VT100 escape sequences.

Also, if you have several devices connected to that terminal server, see if you 
have one that is spewing debug or other information out the console port. That 
one might be causing some buffer overrun situations or keeping the CPU busy so 
it loses characters.  Line noise can cause garbled data, too.  But I would try 
flow control first.  One thing I have seen before also is ground loops causing 
issues.  Some serial devices actually tie signal ground to chassis ground.  If 
you have a cable connecting two such devices and there is some ground potential 
difference, you can create a ground loop and introduce noise (and things like 
sparks, fire, blown fuses, etc.) if the ground potential difference is great 
enough between the two devices.



RE: Digi TS8 serial console server funkiness

2012-03-07 Thread George Bonser
> -Original Message-
> From: ML [mailto:m...@kenweb.org]
> Sent: Wednesday, March 07, 2012 5:32 PM
> To: nanog@nanog.org
> Subject: Digi TS8 serial console server funkiness
>
> Problem is when attached to a Cisco switch I had laying around I get
> seemingly random garble output when accessing the console of a remote
> Cisco device. (e.g. "show run" will get a few garbled lines halfway
> through, Holding down Enter will produce some garbled text every few
> lines).
> 

Can you configure the port (on the switch and the console server) for flow 
control?  You might be experiencing an overflow issue if the CPU of the 
terminal server gets busy or a buffer gets full.  Maybe RTS/CTS (if the cable 
has the pins) or even XON/XOFF (if it doesn't).






Digi TS8 serial console server funkiness

2012-03-07 Thread ML
Hopefully someone here has wrestled with serial server oddities and can 
shed some light on this...



I've got a serial console server made by Digi (TS8 PortServer) setup in
a fairly vanilla mode:  9600-8-N-1, telnet to port 500X gets you to
port X.  Setup for a vt100 terminal type. Other VTs I tried didn't seem
to make a difference.


Problem is when attached to a Cisco switch I had laying around I get 
seemingly random garble output when accessing the console of a remote
Cisco device. (e.g. "show run" will get a few garbled lines halfway 
through, Holding down Enter will produce some garbled text every few lines).


When attached to a Juniper device everything appears normal.  The 
problem follows the port if I swap the Cisco device to the port the 
J-box was on.


Other issues I've noticed..cannot use arrow keys to search command buffer.

My Google-fu is failing me in coming up with the right name for the 
effect I'm seeing...


Thanks



Re: did AS174 and AS4134 de-peer?

2012-03-07 Thread Michael Sinatra

On 03/07/12 16:10, Patrick W. Gilmore wrote:
> On Mar 7, 2012, at 19:06 , Jim Cowie wrote:
>
>> As a meta-comment: this "Quick Look" style of blog is an experiment we're
>> trying, based on feedback that the community wanted to hear about more of
>> these little events as they happen.  In a Quick Look, we're giving the facts
>> as they are known from initial measurement, and a very quick summary of our
>> preliminary analysis of the incident.   Then we throw the topic open to
>> comments from those who might have the clues to the rest of the story ...
>
> Well, this member of the community appreciates it.



+1

I find the combination of facts and inferences presented to be 
interesting and useful.


michael



Re: did AS174 and AS4134 de-peer?

2012-03-07 Thread Patrick W. Gilmore
On Mar 7, 2012, at 19:06 , Jim Cowie wrote:

> As a meta-comment: this "Quick Look" style of blog is an experiment we're 
> trying, based on feedback that the community wanted to hear about more of 
> these little events as they happen.  In a Quick Look, we're giving the facts 
> as they are known from initial measurement, and a very quick summary of our 
> preliminary analysis of the incident.   Then we throw the topic open to 
> comments from those who might have the clues to the rest of the story ...

Well, this member of the community appreciates it.

-- 
TTFN,
patrick




Re: did AS174 and AS4134 de-peer?

2012-03-07 Thread Jim Cowie
On Wed, Mar 7, 2012 at 6:33 PM, Patrick W. Gilmore wrote:

> On Mar 7, 2012, at 18:29 , Nick Hilliard wrote:
> > On 7 Mar 2012, at 23:19, Darius Jahandarie wrote:
> >> On Wed, Mar 7, 2012 at 17:55, Greg Chalmers wrote:
> >>>
> >>> Isn't this journalism a bit yellow? No facts / based on speculation..
> >>>
> >>> - Greg
> >>
> >> Now all they need to do is link back to this NANOG thread as a source.
> >
> > That would be very irresponsible. Otoh, if someone updated the tier1
> > network page on Wikipedia first...
>
> There is no change to the list.  Cogent still does not have transit.
>  Cogent sees CT through Sprint (a peer) because CT pays Sprint for transit.
>
> OTOH, Jim did say in his blog post: "This disconnection will increase
> China Telecom's transit costs"  This assumes facts not in evidence,
> namely that the CT <-> Sprint pipes were not full before the de-peering
> incident.
>
>
Heh.  I think Doug was pretty clear in his summary of the observed facts,
at least.  There was a healthy, longstanding routing adjacency, observed by
all.  Right sharp at the top of the hour (10:00pm in China, 9:00am Eastern
time), that connection disappears from global view.  Afterward, the
percentage of the Renesys peer base that likes transit paths to CT through
Sprint ticks up modestly.

The real story there is hidden in that traceroute latency plot.  Look how
neatly it bifurcates post-event into paths through Sprint and paths through
Level3.  Notice that paths through Level3 tend to have slightly lower
latencies and significantly less volatility.  Infer what you will about the
congestion on the Sprint-CT pipe.

As a meta-comment: this "Quick Look" style of blog is an experiment we're
trying, based on feedback that the community wanted to hear about more of
these little events as they happen.  In a Quick Look, we're giving the
facts as they are known from initial measurement, and a very quick summary
of our preliminary analysis of the incident.   Then we throw the topic open
to comments from those who might have the clues to the rest of the story ...

cheers,   --jim


Re: did AS174 and AS4134 de-peer?

2012-03-07 Thread Patrick W. Gilmore
On Mar 7, 2012, at 18:29 , Nick Hilliard wrote:
> On 7 Mar 2012, at 23:19, Darius Jahandarie  wrote:
>> On Wed, Mar 7, 2012 at 17:55, Greg Chalmers  wrote:
>>> 
>>> Isn't this journalism a bit yellow? No facts / based on speculation..
>>> 
>>> - Greg
>> 
>> Now all they need to do is link back to this NANOG thread as a source.
> 
> That would be very irresponsible. Otoh, if someone updated the tier1 network 
> page on Wikipedia first...

There is no change to the list.  Cogent still does not have transit.  Cogent 
sees CT through Sprint (a peer) because CT pays Sprint for transit.

OTOH, Jim did say in his blog post: "This disconnection will increase China 
Telecom's transit costs"  This assumes facts not in evidence, namely that 
the CT <-> Sprint pipes were not full before the de-peering incident.

-- 
TTFN,
patrick




Re: did AS174 and AS4134 de-peer?

2012-03-07 Thread Nick Hilliard
On 7 Mar 2012, at 23:19, Darius Jahandarie  wrote:
> On Wed, Mar 7, 2012 at 17:55, Greg Chalmers  wrote:
>> 
>> Isn't this journalism a bit yellow? No facts / based on speculation..
>> 
>> - Greg
> 
> Now all they need to do is link back to this NANOG thread as a source.

That would be very irresponsible. Otoh, if someone updated the tier1 network 
page on Wikipedia first...

Nick


Re: did AS174 and AS4134 de-peer?

2012-03-07 Thread Darius Jahandarie
On Wed, Mar 7, 2012 at 17:55, Greg Chalmers  wrote:
> On Thu, Mar 8, 2012 at 9:34 AM, Jim Cowie  wrote:
>> http://www.renesys.com/blog/2012/03/cogent-depeers-china-telecom.shtml
>>
>> cheers,   --jim
>>
>
>
> Isn't this journalism a bit yellow? No facts / based on speculation..
>
> - Greg

Now all they need to do is link back to this NANOG thread as a source.

-- 
Darius Jahandarie



RE: POLL: Network and Service Status Pages

2012-03-07 Thread Jason Gurtz
> http://www.outages.org/index.php/Anything_you_might_want_to_know_about_abs_exercises

Mark V Shaney must have an account @ Outages

~JasonG


Re: did AS174 and AS4134 de-peer?

2012-03-07 Thread Greg Chalmers
On Thu, Mar 8, 2012 at 9:34 AM, Jim Cowie  wrote:

> On Wed, Mar 7, 2012 at 2:23 AM, John van Oppen wrote:
>
> > All -
> >
> > I was noticing that it appears from our Seattle-based full route feed from
> > cogent that they may have de-peered AS4134 (or vice-versa)...   anyone know
> > anything about this?  We noticed this recently in a shift of traffic away
> > from cogent for traffic to and from china telecom...   Now cogent's path is
> > _174_1239_4134_.
> >
> >
> Indeed:
> http://www.renesys.com/blog/2012/03/cogent-depeers-china-telecom.shtml
>
> cheers,   --jim
>


Isn't this journalism a bit yellow? No facts / based on speculation..

- Greg


Re: Increase of DOS attacks using TCP src and/or dst of 0

2012-03-07 Thread George Herbert
Out of curiosity -

Is it possible it's a command and control network, rather than
directly an attack?


On Wed, Mar 7, 2012 at 2:41 PM, Chris Stone  wrote:
> On Wed, Mar 7, 2012 at 1:45 PM, Matthew Huff  wrote:
>> Anyone else see a massive increase of scanning/dos with TCP source and/or
>> dst port of 0? We started seeing a massive increase today creating some
>> issue with our firewalls.
>
> Not seeing a ton of them, but do see a few logged on most all of our
> server like:
>
> Mar  5 07:49:13 server kernel: Shorewall:logflags:DROP:IN=eth2 OUT=
> MAC=00:07:e9:0f:39:f1:00:03:31:a5:74:00:08:00 SRC=178.18.16.101
> DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=204 ID=49665 DF PROTO=TCP
> SPT=0 DPT=0 WINDOW=37009 RES=0x14 URG ACK RST SYN FIN URGP=37422
>
>
>
>
>
> --
> Chris Stone
> AxisInternet, Inc.
> www.axint.net
>



-- 
-george william herbert
george.herb...@gmail.com



Re: Increase of DOS attacks using TCP src and/or dst of 0

2012-03-07 Thread Chris Stone
On Wed, Mar 7, 2012 at 1:45 PM, Matthew Huff  wrote:
> Anyone else see a massive increase of scanning/dos with TCP source and/or
> dst port of 0? We started seeing a massive increase today creating some
> issue with our firewalls.

Not seeing a ton of them, but do see a few logged on most all of our
server like:

Mar  5 07:49:13 server kernel: Shorewall:logflags:DROP:IN=eth2 OUT=
MAC=00:07:e9:0f:39:f1:00:03:31:a5:74:00:08:00 SRC=178.18.16.101
DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=204 ID=49665 DF PROTO=TCP
SPT=0 DPT=0 WINDOW=37009 RES=0x14 URG ACK RST SYN FIN URGP=37422





-- 
Chris Stone
AxisInternet, Inc.
www.axint.net
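
One way to pick lines like the one above out of a netfilter log, as an added example (not code from the thread): it parses the LOG target's key=value fields and flag words and reports, per source address, TCP packets with port 0 or with flag combinations no normal stack sends (SYN together with FIN or RST, or no flags at all). The function names and every sample line except the first are constructed here.

```python
import re

KNOWN_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# netfilter prints the TCP flags that are set as bare words between RES= and URGP=
FLAGS_RE = re.compile(r"\bRES=\S+\s+(.*?)\s*URGP=")

# The first entry is the log line quoted in the message above, joined onto one
# line. The others are constructed for contrast and use documentation ranges.
SAMPLE_LOG = [
    "Mar  5 07:49:13 server kernel: Shorewall:logflags:DROP:IN=eth2 OUT= "
    "MAC=00:07:e9:0f:39:f1:00:03:31:a5:74:00:08:00 SRC=178.18.16.101 "
    "DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=204 ID=49665 DF PROTO=TCP "
    "SPT=0 DPT=0 WINDOW=37009 RES=0x14 URG ACK RST SYN FIN URGP=37422",
    "Mar  5 07:50:02 server kernel: Shorewall:net2fw:DROP:IN=eth2 OUT= "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
    "ID=1234 DF PROTO=TCP SPT=51514 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar  5 07:52:40 server kernel: Shorewall:net2fw:DROP:IN=eth2 OUT= "
    "SRC=192.0.2.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 "
    "ID=54321 PROTO=TCP SPT=0 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Mar  5 07:53:05 server kernel: Shorewall:net2fw:DROP:IN=eth2 OUT= "
    "SRC=192.0.2.53 DST=198.51.100.5 LEN=72 TOS=0x00 PREC=0x00 TTL=60 "
    "ID=0 DF PROTO=UDP SPT=0 DPT=53 LEN=52",
    "Mar  5 07:53:11 server sshd[2211]: Connection closed by 192.0.2.10",
]


def parse_line(line):
    """Return the packet fields of a netfilter LOG line, or None for other lines.

    The result maps field names to strings; 'flags' is the set of TCP flag
    words found, or None when the line carries no TCP flag section.
    """
    if "PROTO=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    m = FLAGS_RE.search(line)
    fields["flags"] = (set(m.group(1).split()) & KNOWN_FLAGS) if m else None
    return fields


def tcp_anomalies(pkt):
    """List the reasons a parsed TCP packet is malformed (empty list if none)."""
    if not pkt or pkt.get("PROTO") != "TCP":
        return []
    reasons = []
    if pkt.get("SPT") == "0":
        reasons.append("src-port-0")
    if pkt.get("DPT") == "0":
        reasons.append("dst-port-0")
    flags = pkt["flags"]
    if flags is not None:
        if {"SYN", "FIN"} <= flags:
            reasons.append("syn+fin")
        if {"SYN", "RST"} <= flags:
            reasons.append("syn+rst")
        if not flags:
            reasons.append("no-flags")
    return reasons


def summarize(lines):
    """Group anomalous TCP packets by source address."""
    per_src = {}
    for line in lines:
        pkt = parse_line(line)
        reasons = tcp_anomalies(pkt)
        if not reasons:
            continue
        entry = per_src.setdefault(pkt.get("SRC", "unknown"),
                                   {"count": 0, "reasons": set()})
        entry["count"] += 1
        entry["reasons"].update(reasons)
    return {src: {"count": e["count"], "reasons": sorted(e["reasons"])}
            for src, e in per_src.items()}


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info["count"], ",".join(info["reasons"]))
```

Because the sources of such packets may be spoofed, the per-source grouping is for sizing the event, not for attribution.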



Re: did AS174 and AS4134 de-peer?

2012-03-07 Thread Jim Cowie
On Wed, Mar 7, 2012 at 2:23 AM, John van Oppen wrote:

> All -
>
> I was noticing that it appears from our Seattle-based full route feed from
> cogent that they may have de-peered AS4134 (or vice-versa)...   anyone know
> anything about this?  We noticed this recently in a shift of traffic away
> from cogent for traffic to and from china telecom...   Now cogent's path is
> _174_1239_4134_.
>
>
Indeed:
http://www.renesys.com/blog/2012/03/cogent-depeers-china-telecom.shtml

cheers,   --jim


Re: Increase of DOS attacks using TCP src and/or dst of 0

2012-03-07 Thread Pete Carah
On 03/07/2012 01:29 PM, Christopher Morrow wrote:
> On Wed, Mar 7, 2012 at 3:45 PM, Matthew Huff  wrote:
>> Anyone else see a massive increase of scanning/dos with TCP source and/or
>> dst port of 0? We started seeing a massive increase today creating some
>> issue with our firewalls.
> src/dst of 0 as measured how? (tcpdump? netflow? app logs?)

No, however I am seeing an increase in unsolicited syn-ack packets with a
wider variety of "from" ports (many 80 still, used to be almost all) but
some 22, 113, 4000, 600x, and high "from" ports with "to" ports of 3072 and
1024, many to ip addrs that are not targets of A records, so appear to be
indiscriminate scans...

Source IP's all over the place as expected.  Don't know if it is
tcptraceroute in a strange mode, or OS fingerprinting attempts, or both.
Also don't know if the sources are spoofs or not (rather hard to tell...)
Sources don't seem to match up with syn-only packets either, at least on the
same day.

-- Pete
>




Re: Increase of DOS attacks using TCP src and/or dst of 0

2012-03-07 Thread Christopher Morrow
On Wed, Mar 7, 2012 at 3:45 PM, Matthew Huff  wrote:
> Anyone else see a massive increase of scanning/dos with TCP source and/or
> dst port of 0? We started seeing a massive increase today creating some
> issue with our firewalls.

src/dst of 0 as measured how? (tcpdump? netflow? app logs?)



Re: Increase of DOS attacks using TCP src and/or dst of 0

2012-03-07 Thread Mike Gatti
I just scanned through the last 48 hours of logs and did not find anything. 
We are peering with Level3 (AS 3549) and Verizon (AS 11486). 

--
Michael Gatti  
main. 949.371.5474
(UTC -8)



On Mar 7, 2012, at 12:45 PM, Matthew Huff wrote:

> Anyone else see a massive increase of scanning/dos with TCP source and/or
> dst port of 0? We started seeing a massive increase today creating some
> issue with our firewalls.
>
> Matthew Huff             | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC       | Phone: 914-460-4039
> aim: matthewbhuff        | Fax:   914-460-4139
>
> 




Increase of DOS attacks using TCP src and/or dst of 0

2012-03-07 Thread Matthew Huff
Anyone else see a massive increase of scanning/dos with TCP source and/or
dst port of 0? We started seeing a massive increase today creating some
issue with our firewalls.

 

 

 



Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-460-4139

 





Re: Huawei edge routers..

2012-03-07 Thread Owen DeLong

On Mar 7, 2012, at 2:55 AM, Nick Hilliard wrote:

> On 07/03/2012 10:31, Saku Ytti wrote:
>> But again, I don't think crappy or good CLI is very important matter, when
>> using systems.
> 
> it isn't - if you're large enough that you have an automated provisioning
> system.  Most of us aren't in that category though, and for those who
> aren't, it's the L3 tech people who will be doing the product evaluation
> and who will end up loathing the kit because of the horrible cli, and who
> will then be less likely to make a recommendation to buy it, as they're the
> people who are going to end up using it the most.
> 
> Nick
> 


I disagree.  A good CLI vs. a bad one can also make a difference in the
interaction with an automated provisioning system. Sure, you can work
around the bad CLI and mask it better with an APS, but, it still causes
problems even with an APS.

Owen




Re: Huawei edge routers..

2012-03-07 Thread Jack Bates

On 3/7/2012 1:08 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 07 Mar 2012 10:22:56 CST, Jack Bates said:
>
>> ]undo ssh server compatible-ssh1x enable
>
> Ouch.  That's brutal. Is it true that setting isn't listed under 'display ssh
> server status'?


]ssh server compat enable
]display ssh server status
 SSH version :1.99

Appears to show it. Lists 2.0 if you turn it off.


Jack
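
The 1.99 shown above is the protocol version RFC 4253 (section 5.1) has a server announce when it still accepts SSH-1 clients, so the same setting can be checked from the identification string a device sends on connect. An added example, not from the thread, that parses such strings and lists the hosts still offering SSH-1; the host names, banners and function names are constructed.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion is printable US-ASCII without whitespace or the minus sign.
IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    rb"(?: (?P<comments>.*))?$"
)
MAX_IDENT_LEN = 255  # whole line, CR LF included

# Constructed sample: first bytes received from four hypothetical devices.
SAMPLE_BANNERS = {
    "edge-a": b"SSH-1.99-ExampleRouter_1.0\r\n",
    "edge-b": b"SSH-2.0-ExampleRouter_1.0 build42\r\n",
    "legacy": b"Authorized use only\r\nSSH-1.5-OldDaemon\r\n",
    "web": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}


def parse_identification(raw):
    """Return proto/software/comments from a server's first bytes, or None.

    A server may send other lines before the identification string; they do
    not start with "SSH-" and are skipped.
    """
    for line in raw.split(b"\n"):
        if not line.startswith(b"SSH-"):
            continue
        if len(line) + 1 > MAX_IDENT_LEN:  # +1 for the LF removed by split
            return None
        m = IDENT_RE.match(line.rstrip(b"\r"))
        if m is None:
            return None
        comments = m.group("comments")
        return {
            "proto": m.group("proto").decode("ascii"),
            "software": m.group("software").decode("ascii"),
            "comments": comments.decode("ascii", "replace") if comments else "",
        }
    return None


def classify(ident):
    """Map a parsed identification string to what the server will negotiate."""
    if ident is None:
        return "no-ssh-banner"
    proto = ident["proto"]
    if proto == "2.0":
        return "ssh2-only"
    if proto == "1.99":
        return "ssh1-and-ssh2"  # compatibility mode: SSH-1 clients accepted
    if proto.startswith("1."):
        return "ssh1-only"
    return "unknown"


def audit(banners):
    """Classify every host in a {host: first_bytes} mapping."""
    return {host: classify(parse_identification(raw))
            for host, raw in banners.items()}


def hosts_offering_ssh1(banners):
    """Hosts whose banner shows that SSH-1 is still accepted."""
    return sorted(host for host, verdict in audit(banners).items()
                  if verdict in ("ssh1-and-ssh2", "ssh1-only"))


if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE_BANNERS).items()):
        print(host, verdict)
```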



Re: AS Connectivity Lookup

2012-03-07 Thread Anurag Bhatia
On Thu, Mar 8, 2012 at 12:41 AM, Joe Provo wrote:

> On Wed, Mar 07, 2012 at 09:29:29AM -0800, Radke, Justin wrote:
> > How can I easily view the current peering relationship of a particular AS?
> > Assume the AS you are researching does not have a looking glass and you are
> > not going to do lookups from the top 10 providers route servers to get some
> > glimpse of their connectivity. In my particular search
> > bgplay.routeviews.org does
> > not have any information and as-rank.caida.org is out of date. In the past
> > there was a great website called webtrace.info but it is no longer online.
> >
> > Any suggestions?
>
> Any site you reference outside/not downstream of the desired
> AS will only provide you a partial picture.  Use many to try
> and create a holistic view.  So far it seems RIPE RIS hasn't
> yet been mentioned:
> http://www.ripe.net/data-tools/stats/ris/routing-information-service


Yeah RIS is good but only minor issue with it is that its output is little
slow.

>
>
>
> --
> RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
>
>


-- 

Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected
network!

Twitter: @anurag_bhatia 
Linkedin: http://linkedin.anuragbhatia.com


Re: AS Connectivity Lookup

2012-03-07 Thread Joe Provo
On Wed, Mar 07, 2012 at 09:29:29AM -0800, Radke, Justin wrote:
> How can I easily view the current peering relationship of a particular AS?
> Assume the AS you are researching does not have a looking glass and you are
> not going to do lookups from the top 10 providers route servers to get some
> glimpse of their connectivity. In my particular search
> bgplay.routeviews.org does
> not have any information and as-rank.caida.org is out of date. In the past
> there was a great website called webtrace.info but it is no longer online.
> 
> Any suggestions?

Any site you reference outside/not downstream of the desired 
AS will only provide you a partial picture.  Use many to try 
and create a holistic view.  So far it seems RIPE RIS hasn't
yet been mentioned:
http://www.ripe.net/data-tools/stats/ris/routing-information-service


-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG



Re: Huawei edge routers..

2012-03-07 Thread Valdis . Kletnieks
On Wed, 07 Mar 2012 10:22:56 CST, Jack Bates said:

> ]undo ssh server compatible-ssh1x enable

Ouch.  That's brutal. Is it true that setting isn't listed under 'display ssh 
server status'?





Re: AS Connectivity Lookup

2012-03-07 Thread Radke, Justin
All great answers! Thank you!

-=JGR

On Wed, Mar 7, 2012 at 10:35 AM, David Walker wrote:

> On 08/03/2012, Anurag Bhatia  wrote:
> > Hi Radke
> >
> > You can try http://bgp.he.net
>
> Example:
> http://bgp.he.net/AS4739
>
> Guest login here:
> http://peeringdb.com/
>
> >
> > On Wed, Mar 7, 2012 at 10:59 PM, Radke, Justin wrote:
> >
> >> How can I easily view the current peering relationship of a particular AS?
> >> Assume the AS you are researching does not have a looking glass and you
> >> are
> >> not going to do lookups from the top 10 providers route servers to get
> >> some
> >> glimpse of their connectivity. In my particular search
> >> bgplay.routeviews.org does
> >> not have any information and as-rank.caida.org is out of date. In the past
> >> there was a great website called webtrace.info but it is no longer online.
> >>
> >> Any suggestions?
> >>
> >
> >
> >
> > --
> >
> > Anurag Bhatia
> > anuragbhatia.com
> > or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected
> > network!
> >
> > Twitter: @anurag_bhatia 
> > Linkedin: http://linkedin.anuragbhatia.com
> >
>


Re: AS Connectivity Lookup

2012-03-07 Thread David Walker
On 08/03/2012, Anurag Bhatia  wrote:
> Hi Radke
>
> You can try http://bgp.he.net

Example:
http://bgp.he.net/AS4739

Guest login here:
http://peeringdb.com/

>
> On Wed, Mar 7, 2012 at 10:59 PM, Radke, Justin  wrote:
>
>> How can I easily view the current peering relationship of a particular AS?
>> Assume the AS you are researching does not have a looking glass and you
>> are
>> not going to do lookups from the top 10 providers route servers to get
>> some
>> glimpse of their connectivity. In my particular search
>> bgplay.routeviews.org does
>> not have any information and as-rank.caida.org is out of date. In the past
>> there was a great website called webtrace.info but it is no longer online.
>>
>> Any suggestions?
>>
>
>
>
> --
>
> Anurag Bhatia
> anuragbhatia.com
> or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected
> network!
>
> Twitter: @anurag_bhatia 
> Linkedin: http://linkedin.anuragbhatia.com
>



Re: AS Connectivity Lookup

2012-03-07 Thread Chris Boyd

On Mar 7, 2012, at 11:39 AM, Hank Nussbacher wrote:

> Try: http://www.fixedorbit.com/search.htm and do an ASN search.
> 
> -Hank

Is that info supposed to be current? It's wildly out of date for us (35970).  
bgp.he.net has all the correct information.

--Chris




Re: AS Connectivity Lookup

2012-03-07 Thread Hank Nussbacher

At 09:29 07/03/2012 -0800, Radke, Justin wrote:

> How can I easily view the current peering relationship of a particular AS?
> Assume the AS you are researching does not have a looking glass and you are
> not going to do lookups from the top 10 providers route servers to get some
> glimpse of their connectivity. In my particular search
> bgplay.routeviews.org does
> not have any information and as-rank.caida.org is out of date. In the past
> there was a great website called webtrace.info but it is no longer online.
>
> Any suggestions?


Try: http://www.fixedorbit.com/search.htm and do an ASN search.

-Hank





Re: AS Connectivity Lookup

2012-03-07 Thread Anurag Bhatia
Hi Radke

You can try http://bgp.he.net

On Wed, Mar 7, 2012 at 10:59 PM, Radke, Justin  wrote:

> How can I easily view the current peering relationship of a particular AS?
> Assume the AS you are researching does not have a looking glass and you are
> not going to do lookups from the top 10 providers route servers to get some
> glimpse of their connectivity. In my particular search
> bgplay.routeviews.org does
> not have any information and as-rank.caida.org is out of date. In the past
> there was a great website called webtrace.info but it is no longer online.
>
> Any suggestions?
>



-- 

Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected
network!

Twitter: @anurag_bhatia 
Linkedin: http://linkedin.anuragbhatia.com


AS Connectivity Lookup

2012-03-07 Thread Radke, Justin
How can I easily view the current peering relationship of a particular AS?
Assume the AS you are researching does not have a looking glass and you are
not going to do lookups from the top 10 providers route servers to get some
glimpse of their connectivity. In my particular search
bgplay.routeviews.org does
not have any information and as-rank.caida.org is out of date. In the past
there was a great website called webtrace.info but it is no longer online.

Any suggestions?


Re: Huawei edge routers..

2012-03-07 Thread Jack Bates

On 3/7/2012 9:32 AM, Leigh Porter wrote:



>>> I liked how ssh is secure-telnet, took bit head scratching to enable
>>> ssh.
>> That is, of course, incorrect; there is actually a "secure telnet";
>> ISTR it's telnet-over-ssl?
>
> How do you enable SSH then?

It may be incorrect terminology, but it is actually ssh on the box.

>sys
]rsa local-key-pair create
]stelnet server enable
]undo ssh server compatible-ssh1x enable

]display ssh server status
 SSH version                         :2.0
 SSH connection timeout              :60 seconds
 SSH server key generating interval  :0 hours
 SSH Authentication retries          :3 times
 SFTP server                         :Disable
 Stelnet server                      :Enable

]quit

>save all



> Do Huawei routers even have SSH? It'd be slightly ironic that there is fuss around
> getting a Juniper domestic image with SSH enabled and yet a Chinese vendor
> likely just gives it away.

See above.


> So having said all that, has anybody here had good experiences of Huawei
> routers? Have they worked well in your networks and are you happy with them?
> I'm mainly looking for something small (1-2U) that will do Ethernet over MPLS,
> VPLS and L3VPN services.




My experience is limited with just keeping it running and configuring 
what I must. I have 0 documentation and it requires a lot of "?" for me 
to find the appropriately named commands for what I want to do still. I 
haven't seen the physical box. I've heard them call it an X3 and an 
NE40E. A little googling, and I'm not sure if this router is even a 
homebrew for them.


I suspect others have a lot more experience with their various platforms.


Jack



Re: Huawei edge routers..

2012-03-07 Thread Aled Morris
On 7 March 2012 15:25, Jay Ashworth  wrote:

> - Original Message -
> > From: "Saku Ytti" 
>
> > On (2012-03-07 09:46 -), Tim Franklin wrote:
> > > This does occasionally brighten up my day with gems like "rip no
> > > work" and "reset-recycle-bin", so it's not all bad :)
> >
> > I liked how ssh is secure-telnet, took bit head scratching to enable
> > ssh.
>
> That is, of course, incorrect; there is actually a "secure telnet"; ISTR
> it's telnet-over-ssl?
>
>
There's also RFC2942 for Kerberos authenticated TELNET which is "secure" in
one sense and RFC2946 for encrypted sessions though I'm not sure if this is
widely supported.  They are listed in the TELNET client on the Mac (Snow
Leopard) that I'm using so you never know...

Aled


RE: Huawei edge routers..

2012-03-07 Thread Leigh Porter


> -Original Message-
> From: Jay Ashworth [mailto:j...@baylink.com]
> Sent: 07 March 2012 15:28
> To: NANOG
> Subject: Re: Huawei edge routers..
> 
> - Original Message -
> > From: "Saku Ytti" 
> 
> > On (2012-03-07 09:46 -), Tim Franklin wrote:
> > > This does occasionally brighten up my day with gems like "rip no
> > > work" and "reset-recycle-bin", so it's not all bad :)
> >
> > I liked how ssh is secure-telnet, took bit head scratching to enable
> > ssh.
> 
> That is, of course, incorrect; there is actually a "secure telnet";
> ISTR it's telnet-over-ssl?

How do you enable SSH then?

Do Huawei routers even have SSH? It'd be slightly ironic that there is fuss around
getting a Juniper domestic image with SSH enabled and yet a Chinese vendor
likely just gives it away.

So having said all that, has anybody here had good experiences of Huawei 
routers? Have they worked well in your networks and are you happy with them? 
I'm mainly looking for something small (1-2U) that will do Ethernet over MPLS, 
VPLS and L3VPN services. 

--
Leigh




Re: PLEASE don't feed the troll

2012-03-07 Thread isabel dias
are you a PhD? otherwise you are not making sense




 From: Jay Ashworth 
To: NANOG  
Sent: Wednesday, March 7, 2012 3:17 PM
Subject: PLEASE don't feed the troll
 
Nuff said?

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                      j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274


Re: Huawei edge routers..

2012-03-07 Thread Jay Ashworth
- Original Message -
> From: "Saku Ytti" 

> On (2012-03-07 09:46 -), Tim Franklin wrote:
> > This does occasionally brighten up my day with gems like "rip no
> > work" and "reset-recycle-bin", so it's not all bad :)
> 
> I liked how ssh is secure-telnet, took bit head scratching to enable
> ssh.

That is, of course, incorrect; there is actually a "secure telnet"; ISTR 
it's telnet-over-ssl?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



PLEASE don't feed the troll

2012-03-07 Thread Jay Ashworth
Nuff said?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: VLAN Troubles

2012-03-07 Thread Antonio Querubin

On Tue, 6 Mar 2012, Greg T. Grimes wrote:

> pruned".  If it's not there then it's being pruned.  Also on your Dell uplink
> add the following line to the uplink port:
>
> switchport access vlan add 12,22


Probably should be

switchport trunk allowed vlan add xxx,xxx tagged

if you're trying to limit which VLANs are passed.

Also, you may want to try 'general' mode:

switchport mode general
switchport general allowed vlan add xxx,xxx tagged

Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com



Re: VLAN Troubles

2012-03-07 Thread Antonio Querubin

On Tue, 6 Mar 2012, Alan Bryant wrote:


> We have two switches that do not seem to be passing VLAN traffic. The
> two switches are a Dell Powerconnect 5324 & a Cisco 3560G. The Cisco
> switch appears to be functioning fine, but the Dell switch is only
> passing traffic to the Cisco that is on the default untagged VLAN1.
> Our second VLAN is not getting passed to the Cisco at all, I am not
> seeing any packets tagged with the particular vlan in Wireshark.
>
> I have Port 1 on the Dell switch connected to port 29 on the Cisco
> switch, and port 1 on the Cisco switch connected to the ASA.
>
> I have the following config on the relevant ports on the Cisco switch:
>
> interface GigabitEthernet0/1
> description ASA 5505
> switchport trunk encapsulation dot1q
> switchport mode trunk
>
> interface GigabitEthernet0/29
> description Radiology Switch
> switchport trunk encapsulation dot1q
> switchport mode trunk


Have you verified VLANs 12 and 22 are actually defined on the Cisco?


vlan database
vlan 12,22



Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com



Re: Huawei edge routers..

2012-03-07 Thread Jack Bates

On 3/7/2012 4:55 AM, Nick Hilliard wrote:
it isn't - if you're large enough that you have an automated 
provisioning system. Most of us aren't in that category though, and 
for those who aren't, it's the L3 tech people who will be doing the 
product evaluation and who will end up loathing the kit because of the 
horrible cli, and who will then be less likely to make a 
recommendation to buy it, as they're the people who are going to end 
up using it the most. Nick 


Unless they get overruled. The project I saw Huawei go into was a mixed 
environment for cellular and IP routing. The company decided to stick to 
one manufacturer. They apparently had issues with other gear handling 
their mobile stuff and Huawei came in at a good price.


Then I had to explain to their installers why they needed an area 0 
(which is funny, since I barely know anything of OSPF as I almost 
exclusively use ISIS). :(



Jack



Re: Programmers with network engineering skills

2012-03-07 Thread Tei
On 27 February 2012 23:23, Jay Ashworth  wrote:
> - Original Message -
>> From: "Owen DeLong" 
>
>> I think you're more likely to find a network engineer with (possibly
>> limited) programming skills.
>>
>> That's certainly where I would categorize myself.
>
> And you're the first I've seen suggest, or even imply, that going that
> direction instead might be more fruitful; seemed to me that the skills
> necessary to make a decent network engineer would support learning
> programming better than the other way round -- though in fact I personally
> did it the other way.

I agree.  And I am just a programmer.

Part of it is that our job is to obscure implementation details from
those at higher levels.  We think hard to build stuff, so other people
don't have to.  If there's a program that creates a connection, and that
connection can break, we silently repeat the reconnection part, so those
that use the program ignore these problems and can live happy.   A bad
programmer will show a message "Connection break, please connect again",
having the human manually press the "connect" button again. I have
no words for how lame that is.
So we hide implementation details for us, and for others.  Programmers
that write compilers hide implementation details from others.  Designers
of CPU microcode hide implementation details from mere assembler
programmers.

-- 
--
ℱin del ℳensaje.



Re: Huawei edge routers..

2012-03-07 Thread Nick Hilliard
On 07/03/2012 10:31, Saku Ytti wrote:
> But again, I don't think a crappy or good CLI is a very important matter
> when using systems.

it isn't - if you're large enough that you have an automated provisioning
system.  Most of us aren't in that category though, and for those who
aren't, it's the L3 tech people who will be doing the product evaluation
and who will end up loathing the kit because of the horrible cli, and who
will then be less likely to make a recommendation to buy it, as they're the
people who are going to end up using it the most.

Nick




Re: Huawei edge routers..

2012-03-07 Thread Saku Ytti
On (2012-03-07 09:46 -), Tim Franklin wrote:

> This does occasionally brighten up my day with gems like "rip no work" and 
> "reset-recycle-bin", so it's not all bad :)

I liked how ssh is secure-telnet; it took a bit of head scratching to enable
ssh.
But again, I don't think a crappy or good CLI is a very important matter
when using systems.
And it's not something your customers will notice, so you cannot charge
a premium.


-- 
  ++ytti



Re: Huawei edge routers..

2012-03-07 Thread Leigh Porter

On 7 Mar 2012, at 09:48, "Tim Franklin"  wrote:

>> On the other hand, if you hop into other people's Huawei
>> routers via CLI you will curse and scream. As close as I
>> could tell, it handles most functionality of IOS, but
>> they tried to find a synonym for every word cisco used
>> in the cli.
> 
> This does occasionally brighten up my day with gems like "rip no work" and 
> "reset-recycle-bin", so it's not 

Oh so you have to configure it in chinglish.. Well I'll certainly be looking 
forward to that !

Somebody set up us the BGP.

--
Leigh





Re: Huawei edge routers..

2012-03-07 Thread Tim Franklin
> On the other hand, if you hop into other people's Huawei
> routers via CLI you will curse and scream. As close as I
> could tell, it handles most functionality of IOS, but
> they tried to find a synonym for every word cisco used
> in the cli.

This does occasionally brighten up my day with gems like "rip no work" and 
"reset-recycle-bin", so it's not all bad :)

Regards,
Tim.



Re: IETF - Overlapping IPv4 Address Support

2012-03-07 Thread Bjørn Mork
You seem to have skipped a calendar page.


Bjørn



Re: L3 VPN Management

2012-03-07 Thread Saku Ytti
On (2012-03-07 07:07 +), Leigh Porter wrote:

> What's the nicest way of allowing the ops servers all talk to each VPN 
> instance? At the moment I just use pretty normal L3VPN techniques so that 
> every VPN sees routes tagged with the ops VPN target community and so that 
> the ops VPN sees all the other VPN routes but the division between VPNs is 
> maintained.

You might want to peek at MPLS VPN Security book by Behringer for some
ideas[0].
But personally I'd do it by having RT for MGMT servers and different RT for
addresses needing centralized MGMT. So two special-use RTs.

The NMS network would export routes with this RT:Servers (only the servers
actually poking the VPN network, not everything)
And the customer VRFs would import this RT:Servers.

The customer VRFs would export (only the nodes actually needing NMS, not
the whole network) routes with RT:CPEs.
And the NMS network would import RT:CPEs.

One way to do the latter part is 
JunOS: set routing-instance FOO rib FOO.inet.0 static route CPE/32 
qualified-next-hop CPE interface xe-4/2/0.42 tag 2000
  IOS: ip route vrf FOO CPE 255.255.255.255 ten4/2/0.42 CPE tag 2000

And have policy which matches to 2000 and add RT:CPE.



Annoyingly in JunOS you cannot easily import more than one RT, I hope
they'll fix it so that you can do IOS style RT + policy imports. 
So in JunOS you almost certainly want chained import policy like
'vrf-import [ VRFOO-IMPORT VRF-MGMT-IMPORT ]' where VRFOO-IMPORT is just
'from community VRFFOO; then default-action accept' and VRF-MGMT-IMPORT is
'from community RT:Servers; then default-action accept'

[0] 
http://www.amazon.co.uk/MPLS-VPN-Security-Cisco-Press/dp/8177586998/ref=sr_1_1?ie=UTF8&qid=1331110165&sr=8-1
> 
> Or, would it be nicer to have the firewall have a foot in each VPN, advertise 
> routes to ops systems to each VPN instance and receive routes from all the 
> other VPNs?
> 
> -- 
> Leigh
> 
> 
> 

-- 
  ++ytti
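
The two-RT scheme described above, modelled as an added example (not part of the original post or of any vendor tooling). The VRF names, the per-VPN RTs (RT:NMS, RT:A, RT:B) and all prefixes are constructed; the model checks that no customer VRF learns another customer's routes and flags CPE addresses that collide once imported into the NMS VRF.

```python
# Added illustration: route-target import/export model for a management VPN.
# VRF names, RT strings and prefixes are constructed for this example.
from collections import defaultdict

RT_SERVERS = "RT:Servers"  # exported by the NMS VRF, polling servers only
RT_CPES = "RT:CPEs"        # exported by customer VRFs, managed CPE /32s only

# Per VRF: the RTs it imports, and its own routes as (prefix, export RTs).
VRFS = {
    "NMS": {"import": {"RT:NMS", RT_CPES},
            "routes": [("192.0.2.10/32", {"RT:NMS", RT_SERVERS}),  # poller
                       ("192.0.2.0/24", {"RT:NMS"})]},             # rest of ops LAN
    "CUST-A": {"import": {"RT:A", RT_SERVERS},
               "routes": [("10.1.0.0/16", {"RT:A"}),
                          ("10.1.255.1/32", {"RT:A", RT_CPES})]},   # tagged CPE
    "CUST-B": {"import": {"RT:B", RT_SERVERS},
               "routes": [("10.2.0.0/16", {"RT:B"}),
                          ("10.1.255.1/32", {"RT:B", RT_CPES})]},   # same address as A's CPE
}

def imported(vrfs):
    """Return {vrf: {prefix: [origin VRFs]}} for routes learned from other VRFs."""
    table = {name: defaultdict(list) for name in vrfs}
    for origin, cfg in vrfs.items():
        for prefix, export_rts in cfg["routes"]:
            for name, other in vrfs.items():
                if name != origin and export_rts & other["import"]:
                    table[name][prefix].append(origin)
    return table

def leaks(vrfs, hub="NMS"):
    """Routes a customer VRF learns from another customer VRF (should be none)."""
    return sorted((dst, prefix, src)
                  for dst, routes in imported(vrfs).items() if dst != hub
                  for prefix, origins in routes.items()
                  for src in origins if src != hub)

def overlaps(vrfs, hub="NMS"):
    """Prefixes the hub imports from more than one VRF (ambiguous target)."""
    return {p: sorted(o) for p, o in imported(vrfs)[hub].items() if len(o) > 1}

if __name__ == "__main__":
    print("customer-to-customer leaks:", leaks(VRFS))
    print("colliding CPE prefixes in NMS:", overlaps(VRFS))
```

Running the same check against the RT sets actually configured on the PEs catches a customer VRF that imports RT:CPEs by mistake, which is the one misconfiguration that breaks the separation between VPNs in this design.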



Re: facebook lost their A-record for www.facebook.com?

2012-03-07 Thread Anurag Bhatia
Good point Octavio. +trace with dig is always useful when getting weird
results.

(Sent from my mobile device)

Anurag Bhatia
http://anuragbhatia.com
On Mar 7, 2012 1:19 PM, "Octavio Alvarez"  wrote:

> On Tue, 06 Mar 2012 23:43:07 -0800, Igor Ybema  wrote:
>
>  [igor@vds ~]$ host -t A  www.facebook.com ns1.facebook.com
>> Using domain server:
>> Name: ns1.facebook.com
>> Address: 204.74.66.132#53
>> Aliases:
>>
>> www.facebook.com has no A record
>>
>
> No, it's a subdomain with its A records in another server.
>
> $ host -t A www.facebook.com glb1.facebook.com.
> Using domain server:
> Name: glb1.facebook.com.
> Address: 69.171.239.10#53
> Aliases:
>
> www.facebook.com has address 69.171.224.12
>
>
> Try dig +trace www.facebook.com to see why.
>
>
>
> --
> Octavio.
>
> Twitter: @alvarezp2000 -- Identi.ca: @alvarezp
>
>


Re: facebook lost their A-record for www.facebook.com?

2012-03-07 Thread graham

On 07.03.2012 09:43, Igor Ybema wrote:

[igor@vds ~]$ host -t A  www.facebook.com ns1.facebook.com
Using domain server:
Name: ns1.facebook.com
Address: 204.74.66.132#53
Aliases:

www.facebook.com has no A record


We also picked up problems with www.facebook.com from our monitoring 
systems. Starting from 04:00 UTC there were some latency spikes and then 
from 06:15 UTC thru 07:55 UTC the site was unreachable.


www.v6.facebook.com had no issues though ;)

--
Graham Beneke



Re: L3 VPN Management

2012-03-07 Thread Jeff Wheeler
On Wed, Mar 7, 2012 at 2:07 AM, Leigh Porter
 wrote:
> What's the nicest way of allowing the ops servers all talk to each VPN 
> instance? At the moment I just use pretty normal L3VPN techniques so that 
> every VPN sees routes tagged with the ops VPN target community and so that 
> the ops VPN sees all the other VPN routes but the division between VPNs is 
> maintained.
>
> Or, would it be nicer to have the firewall have a foot in each VPN, advertise 
> routes to ops systems to each VPN instance and receive routes from all the 
> other VPNs?

I think you may pay more money for extra firewall zones and perhaps
not receive any benefit from it.

-- 
Jeff S Wheeler 
Sr Network Operator  /  Innovative Network Concepts