Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Sina Owolabi
Thanks! Everything is still in planning stage, though. Management is
leaning toward Ruckus.
Can I get suggestions for authentication and billing systems for wireless
users too?

Thanks for all the wisdom so far

On Fri, Jun 19, 2015 at 7:54 AM Bartek Krawczyk 
wrote:

> I've got really great experience with Aruba. Don't know if it fits
> your budget, though.
>
> Regards,
>
> On 19 June 2015 at 08:24, Tyler Mills  wrote:
> > With that many users I cannot recommend Ubiquiti, Ruckus would be the way
> > to go.
> >
> > On Fri, Jun 19, 2015 at 1:58 AM Sina Owolabi 
> wrote:
> >
> >> Hi
> >>
> >> We are profiling equipment and design for an expected high user density
> >> network of multiple, close-knit, residential/hostel units. It's going to be
> >> 8-10 buildings with possibly over 1000 users at any given time.
> >> We are looking at Ruckus and Ubiquiti as options to get over the high
> >> number of devices we are definitely going to encounter.
> >>
> >> How did you do it, and what would you advise for product and layout?
> >>
> >> Thanks in advance!
> >>
> > --
> > Tyler W. Mills
> > Infrastructure and Network Engineer
> > Atlanta,  GA.
>
>
>
> --
> Bartek Krawczyk
>


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Faisal Imtiaz
>>> With that many users I cannot recommend Ubiquiti, Ruckus would be the way 
>>> to go.

Really ? 
Considering you are referring to Company Names, each with a full product line 
of low end to high end products ?

I often remind folks that Chevrolet, makes both the Corvette as well as the 
Chevette

:)

Actual implementations, and deployments suggest that Companies offer products 
that can serve such an environment when implemented correctly. While they each 
have their strengths and nuances, the key is proper implementation... 


Faisal Imtiaz
Snappy Internet & Telecom

- Original Message -
> From: "Tyler Mills" 
> To: "Sina Owolabi" , "nanog@nanog.org list" 
> 
> Sent: Friday, June 19, 2015 2:24:00 AM
> Subject: Re: Whats' a good product for a high-density Wireless network setup?
> 
> With that many users I cannot recommend Ubiquiti, Ruckus would be the way
> to go.
> 
> On Fri, Jun 19, 2015 at 1:58 AM Sina Owolabi  wrote:
> 
> > Hi
> >
> > We are profiling equipment and design for an expected high user density
> > network of multiple, close-knit, residential/hostel units. It's going to be
> > 8-10 buildings with possibly over 1000 users at any given time.
> > We are looking at Ruckus and Ubiquiti as options to get over the high
> > number of devices we are definitely going to encounter.
> >
> > How did you do it, and what would you advise for product and layout?
> >
> > Thanks in advance!
> >
> --
> Tyler W. Mills
> Infrastructure and Network Engineer
> Atlanta,  GA.
> 


Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Bob Evans
Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to recommend
at this point. We saw people mention this brand here on the list - people
like them. So what could we have set incorrectly ? They drop link and
re-provision on their own at odd times day or night.

We have completed everything tech support asked of us. (Really, lame
emails they respond with as if they didn't read your text - they won't
call and you can't call them). We used POE from ciscos - then changed to
their POE provided. They didn't recommend it, but we plugged them all into
APC UPSes. no difference. They all re-provision at different times
even when no one is connected or in the building at odd hours like 2am.
Each one does this 2-3 times per 24 hour period.

Has anyone else experienced this?
Anyone know what we may have set incorrectly ?
Is this normal - do people put up with the 2 mins the APs are unavailable
about 3 times a day? (UniFi support acts like it's not a big issue.)

We use the UniFi controller on mac os x. We use their EdgeMax Edge Router.
All the latest software in everything UniFi.

Thank You
Bob Evans


Re: Anycast provider for SMTP?

2015-06-19 Thread Baldur Norddahl
On 19 June 2015 at 04:18, Larry Sheldon  wrote:

> On 6/18/2015 16:40, Jonas Björk wrote:
>
>> The clients speak unicast with one single ip-helper which address is
>> shared by all the servers.
>> They can't choose which ever server to talk to.
>>
>
> One of us is confused (and it may well be me) but I thought the ip-helper
> address was only useful in the initial grope-in-the-dark for a server that
> is not on the local Ethernet broadcast domain.
>
> Thereafter the negotiations (I thought) are between the client and the
> responding server and forever after until a failure-to-renew occurred.
>


The clients will broadcast DISCOVER and this will be picked up by the DHCP
relay. The relay will also broadcast replies from DHCP servers. There might
be multiple servers and therefore multiple offers for leases. The client
will select a server and broadcast a request for lease including the
IP-address of the server in a DHCP option. The relay will pick that up and
send it to all servers. The server which finds its own IP in the server id
option will then send ACK. All other servers will notice they were not
selected and withdraw their offer for a lease (sending nothing).

But after this initial exchange, the clients will unicast renew requests
directly to the DHCP server, bypassing the DHCP relay. So Jonas is wrong
here. The client will at no point send unicast to the DHCP relay (although
the relay might send unicast to the client). The DHCP relay exists only to
transmit broadcast traffic - that is the purpose of the relay. Also it is
the clients that select what server they want to use.

That said, there exist non-standard vendor solutions where the DHCP relay
does more. In our routers it is called DHCP Proxy. The proxy will act as a
DHCP server towards clients. Therefore all unicast will also be with the
proxy. The proxy is itself a client towards the real DHCP server. This
means a DHCP Proxy is stateful. A DHCP Relay is stateless.

The fact that a DHCP relay is stateless also makes it impossible for a DHCP
relay to pass on unicast to clients. The clients will only include the
server id in the first request message. All renew messages are without that
information, so the relay has no way to know which server to pass the
message to.

Everything above is for DHCPv4. Things are slightly different for DHCPv6.
The most important difference is that the DHCP servers can request that
renew is done by multicast instead of unicast and the server id is included
in all messages. This way you can force all traffic to go via the relay
including renew.

Regards,

Baldur


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Steven Miano
> 8-10 buildings with possibly over 1000 users at any given time.

Aerohive, easily. AP330s would thrive in a setup such as that.

On Fri, Jun 19, 2015 at 5:11 AM, Faisal Imtiaz 
wrote:

> >>> With that many users I cannot recommend Ubiquiti, Ruckus would be the
> way to go.
>
> Really ?
> Considering you are referring to Company Names, each with a full product
> line of low end to high end products ?
>
> I often remind folks that Chevrolet, makes both the Corvette as well as
> the Chevette
>
> :)
>
> Actual implementations, and deployments suggest that Companies offer
> products that can serve such an environment when implemented correctly.
> While they each have their strengths and nuances, the key is proper
> implementation...
>
>
> Faisal Imtiaz
> Snappy Internet & Telecom
>
> - Original Message -
> > From: "Tyler Mills" 
> > To: "Sina Owolabi" , "nanog@nanog.org list" <
> nanog@nanog.org>
> > Sent: Friday, June 19, 2015 2:24:00 AM
> > Subject: Re: Whats' a good product for a high-density Wireless network
> setup?
> >
> > With that many users I cannot recommend Ubiquiti, Ruckus would be the way
> > to go.
> >
> > On Fri, Jun 19, 2015 at 1:58 AM Sina Owolabi 
> wrote:
> >
> > > Hi
> > >
> > > We are profiling equipment and design for an expected high user density
> > > > network of multiple, close-knit, residential/hostel units. It's going to be
> > > > 8-10 buildings with possibly over 1000 users at any given time.
> > > We are looking at Ruckus and Ubiquiti as options to get over the high
> > > number of devices we are definitely going to encounter.
> > >
> > > How did you do it, and what would you advise for product and layout?
> > >
> > > Thanks in advance!
> > >
> > --
> > Tyler W. Mills
> > Infrastructure and Network Engineer
> > Atlanta,  GA.
> >
>



-- 
Miano, Steven M.
http://stevenmiano.com


Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Jared Mauch
I have a variety of their gear and don't have problems like this. Have you run 
a cable tester on the wiring? This sounds quite odd and is something I haven't 
seen. 

They do most of their support in their forums vs email. The email is mainly for 
RMA support. 

What version software is on your controller and the UAP-Pros?

Jared Mauch

> On Jun 19, 2015, at 6:01 AM, Bob Evans  wrote:
> 
> Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to recommend
> at this point. We saw people mention this brand here on the list - people
> like them. So what could we have set incorrectly ? They drop link and
> re-provision on their own at odd times day or night.
> 
> We have completed everything tech support asked of us. (Really, lame
> emails they respond with as if they didn't read your text - they won't
> call and you can't call them). We used POE from ciscos - then changed to
> their POE provided. They didn't recommend it, but we plugged them all into
> APC UPSes. no difference. They all re-provision at different times
> even when no one is connected or in the building at odd hours like 2am.
> Each one does this 2-3 times per 24 hour period.
> 
> Has anyone else experienced this?
> Anyone know what we may have set incorrectly ?
> Is this normal - do people put up with the 2 mins the APs are unavailable
> about 3 times a day? (UniFi support acts like it's not a big issue.)
> 
> We use the UniFi controller on mac os x. We use their EdgeMax Edge Router.
> All the latest software in everything UniFi.
> 
> Thank You
> Bob Evans
> 
> 
> 
> 
> 
> 


Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Mike Hammett
I've had their gear for a few years now. It's effectively up until I upgrade 
the software. Might want to ask on their forums or on the WISPA UBNT list. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 


- Original Message -

From: "Bob Evans"  
To: nanog@nanog.org 
Sent: Friday, June 19, 2015 5:01:49 AM 
Subject: Ghosts in our 6 New Ubiquity Pros - provision issues. 

Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to recommend 
at this point. We saw people mention this brand here on the list - people 
like them. So what could we have set incorrectly ? They drop link and 
re-provision on their own at odd times day or night. 

We have completed everything tech support asked of us. (Really, lame 
emails they respond with as if they didn't read your text - they won't 
call and you can't call them). We used POE from ciscos - then changed to 
their POE provided. They didn't recommend it, but we plugged them all into 
APC UPSes. no difference. They all re-provision at different times 
even when no one is connected or in the building at odd hours like 2am. 
Each one does this 2-3 times per 24 hour period. 

Has anyone else experienced this? 
Anyone know what we may have set incorrectly ? 
Is this normal - do people put up with the 2 mins the APs are unavailable 
about 3 times a day? (UniFi support acts like it's not a big issue.)

We use the UniFi controller on mac os x. We use their EdgeMax Edge Router. 
All the latest software in everything UniFi. 

Thank You 
Bob Evans 


Re: Anycast provider for SMTP?

2015-06-19 Thread James Hartig
>
> You can achieve the above DNS trickery using various load balancers that
> other people in this thread have already mentioned. You can also install
> your own geomaps in your own nameservers and handle it yourself, or you can
> buy managed DNS service from various people that can do this kind of thing.
>

Just curious, how does DNS load balancing work if people are using
8.8.8.8/208.67.222.222 or basically any public resolvers that cache and
have a significant (relatively speaking) user-base? Is the actual percent
of requests so small that it doesn't matter?

--
James


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Bartek Krawczyk
I've got really great experience with Aruba. Don't know if it fits
your budget, though.

Regards,

On 19 June 2015 at 08:24, Tyler Mills  wrote:
> With that many users I cannot recommend Ubiquiti, Ruckus would be the way
> to go.
>
> On Fri, Jun 19, 2015 at 1:58 AM Sina Owolabi  wrote:
>
>> Hi
>>
>> We are profiling equipment and design for an expected high user density
>> network of multiple, close-knit, residential/hostel units. It's going to be
>> 8-10 buildings with possibly over 1000 users at any given time.
>> We are looking at Ruckus and Ubiquiti as options to get over the high
>> number of devices we are definitely going to encounter.
>>
>> How did you do it, and what would you advise for product and layout?
>>
>> Thanks in advance!
>>
> --
> Tyler W. Mills
> Infrastructure and Network Engineer
> Atlanta,  GA.



-- 
Bartek Krawczyk


Re: Anycast provider for SMTP?

2015-06-19 Thread Mike Meredith
On Thu, 18 Jun 2015 15:51:31 -0400, "Joe Abley" 
may have written:
> Since DHCP uses broadcast and multicast addresses when a client is 
> discovering a server, it's not obvious why you'd have to.

And broadcast/multicast when renewing a lease (DHCPREQUEST). You will
of course see unicast addresses on the server side if the server is
seeing requests forwarded by a udp helper.

> You can run redundant sets of isc-dhcpd servers together serving the 
> same broadcast domain and have them assign leases from the same
> address pools (at least, I've never tried it, but I was within

Indeed. Rock solid in my experience (on a "little" network).


-- 
Mike Meredith, University of Portsmouth
Principal Systems Engineer, Hostmaster, Security, and Timelord!
 


Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Hal Ponton
What version of the controller are you using, we're running 3.something and that
works fine.

We've turned off auto update on all of the sites on the server, and Nagios 
monitors them, we certainly don't see reboots 2-3 times a day, the last time 
ours rebooted was when we lost power at our office.

Contact me off list if you want me to take a look.

Regards,

Hal Ponton

Senior Network Engineer

Buzcom / FibreWiFi

Tel: 07429 979 217
Email: h...@buzcom.net

> On 19 Jun 2015, at 11:01, Bob Evans  wrote:
> 
> Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to recommend
> at this point. We saw people mention this brand here on the list - people
> like them. So what could we have set incorrectly ? They drop link and
> re-provision on their own at odd times day or night.
> 
> We have completed everything tech support asked of us. (Really, lame
> emails they respond with as if they didn't read your text - they won't
> call and you can't call them). We used POE from ciscos - then changed to
> their POE provided. They didn't recommend it, but we plugged them all into
> APC UPSes. no difference. They all re-provision at different times
> even when no one is connected or in the building at odd hours like 2am.
> Each one does this 2-3 times per 24 hour period.
> 
> Has anyone else experienced this?
> Anyone know what we may have set incorrectly ?
> Is this normal - do people put up with the 2 mins the APs are unavailable
> about 3 times a day? (UniFi support acts like it's not a big issue.)
> 
> We use the UniFi controller on mac os x. We use their EdgeMax Edge Router.
> All the latest software in everything UniFi.
> 
> Thank You
> Bob Evans
> 
> 
> 
> 
> 
> 
> 


Re: Anycast provider for SMTP?

2015-06-19 Thread Christopher Morrow
On Fri, Jun 19, 2015 at 7:19 AM, James Hartig  wrote:

>
> Just curious, how does DNS load balancing work if people are using
> 8.8.8.8/208.67.222.222 or basically any public resolvers that cache and

don't know exactly, but you might get some interesting clues from the
f-root or as112 designs, eh?


Re: Anycast provider for SMTP?

2015-06-19 Thread Tony Finch
James Hartig  wrote:
>
> Just curious, how does DNS load balancing work if people are using
> 8.8.8.8/208.67.222.222 or basically any public resolvers that cache and
> have a significant (relatively speaking) user-base?

http://www.afasterinternet.com/ietfdraft.htm

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Fisher, German Bight: Northwest 4 or 5, increasing 6 at times. Slight or
moderate. Showers. Good, occasionally moderate.


RE: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-19 Thread Naslund, Steve
I think one of their major issues is that they look at too much of the network 
at a time.  If they decided they were going to secure a particular data center 
or building, they might be much better off.  If they start with defending the 
servers from internal as well as external threats and then move toward the 
perimeter they might make progress.  I think they look at the entire 
comprehensive network and end up with a number or a project that is too big to 
fathom.  First thing would be current IDP/IDS technology so they would at least 
know where and what the threats are.

Steven Naslund
Chicago IL

18.06.2015 18:00, shawn wilson wrote:
> I'd actually be interested in a discussion of how much you can possibly
> improve / degrade on a network that big from a management position.



Re: Anycast provider for SMTP?

2015-06-19 Thread Joe Abley

On 19 Jun 2015, at 8:12, Christopher Morrow wrote:

> On Fri, Jun 19, 2015 at 7:19 AM, James Hartig wrote:
>
>> Just curious, how does DNS load balancing work if people are using
>> 8.8.8.8/208.67.222.222 or basically any public resolvers that cache and

If the client that performs the upstream query within the
8.8.8.8/whatever infrastructure is close to you for some meaningful
interpretation of "close" then you still get an answer that is
(effectively) localised for you.

If the resolver infrastructure is sufficiently far that what is good for
it is not good for you, then the deployed (if not quite standardised)
answer is edns-client-subnet: the resolver infrastructure you're using
embeds your client address in its upstream query. The authority servers
can then localise a response (and scope it) as being suitable for you,
not the resolver in general.

  http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02

There are privacy concerns, here. But we might posit that you're already
in the business of trading privacy for convenience if you're using a
public resolver.

> don't know exactly, but you might get some interesting clues from the
> f-root or as112 designs, eh?

Root servers and AS112 servers don't steer clients towards content
according to where they are. They give consistent answers for all
queries, regardless of where they came from.

Joe
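
Added example, not part of the original message or of the cited draft: a sketch of the client-subnet option as a resolver would build it and of how a scoped answer is cached, using the wire layout of RFC 7871 (the later published form of the draft). Option code 8, all function and class names, and the sample addresses and hostname are assumptions made for illustration.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8            # assumption: the code point later assigned by IANA
FAMILY_BITS = {1: 32, 2: 128}  # address family number -> address width in bits


def encode_ecs(client_ip, source_prefix, scope_prefix=0):
    """Build the option a resolver attaches; only the network part is sent upstream."""
    ip = ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    # Truncate to whole bytes covering the prefix; host bits are already zero.
    address = net.network_address.packed[:(source_prefix + 7) // 8]
    family = 1 if ip.version == 4 else 2
    body = struct.pack("!HBB", family, source_prefix, scope_prefix) + address
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_ecs(option):
    """Return (network, scope_prefix); reject malformed or host-bit-leaking options."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    body = option[4:]
    if code != ECS_OPTION_CODE or length != len(body):
        raise ValueError("not a well-formed client-subnet option")
    family, source, scope = struct.unpack("!HBB", body[:4])
    bits = FAMILY_BITS.get(family)
    if bits is None or source > bits or len(body) - 4 != (source + 7) // 8:
        raise ValueError("bad family or prefix length")
    packed = body[4:] + bytes(bits // 8 - (len(body) - 4))
    cls = ipaddress.IPv4Address if family == 1 else ipaddress.IPv6Address
    # strict=True raises ValueError when bits beyond the prefix are set.
    return ipaddress.ip_network(f"{cls(packed)}/{source}", strict=True), scope


class ScopedCache:
    """Resolver-side cache keyed by the network an answer was scoped to."""

    def __init__(self):
        self.entries = []  # (qname, network, answer)

    def store(self, qname, ecs_net, scope, answer):
        # An authority cannot widen knowledge the resolver never sent, so a
        # scope longer than the source prefix is clamped to the source prefix.
        effective = min(scope, ecs_net.prefixlen)
        net = ipaddress.ip_network(f"{ecs_net.network_address}/{effective}", strict=False)
        self.entries.append((qname, net, answer))

    def lookup(self, qname, client_ip):
        ip = ipaddress.ip_address(client_ip)
        for name, net, answer in self.entries:
            if name == qname and ip.version == net.version and ip in net:
                return answer
        return None


def demo():
    """Constructed exchange: a /24 is sent upstream, the answer is scoped to a /20."""
    cache = ScopedCache()
    query_option = encode_ecs("198.51.100.77", 24)     # host byte .77 is never sent
    seen_by_authority, _ = decode_ecs(query_option)
    reply_option = encode_ecs(str(seen_by_authority.network_address), 24, scope_prefix=20)
    reply_net, scope = decode_ecs(reply_option)
    cache.store("www.example.com", reply_net, scope, "192.0.2.10")
    # First client shares the /20 with the original one, second does not.
    return [cache.lookup("www.example.com", ip) for ip in ("198.51.110.5", "198.51.112.5")]


if __name__ == "__main__":
    print(encode_ecs("198.51.100.77", 24).hex())
    print(demo())
```

The source prefix length is the privacy control here: a shorter prefix tells the authority server less about the client, at the cost of coarser localisation.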


Re: Anycast provider for SMTP?

2015-06-19 Thread Baldur Norddahl
On 19 June 2015 at 10:39, Mike Meredith  wrote:

> On Thu, 18 Jun 2015 15:51:31 -0400, "Joe Abley" 
> may have written:
> > Since DHCP uses broadcast and multicast addresses when a client is
> > discovering a server, it's not obvious why you'd have to.
>
> And broadcast/multicast when renewing a lease (DHCPREQUEST). You will
> of course see unicast addresses on the server side if the server is
> seeing requests forwarded by a udp helper.
>


RFC 2131 section 4.4.5:

"At time T1 the client moves to RENEWING state and sends (*via unicast*) a
DHCPREQUEST message to the server to extend its lease. The client sets the
'ciaddr' field in the DHCPREQUEST to its current network address. The
client records the local time at which the DHCPREQUEST message is sent for
computation of the lease expiration time. The client MUST NOT include a
'server identifier' in the DHCPREQUEST message."

Also from section 4.3.2:

"DHCPREQUEST generated during RENEWING state: 'server identifier' MUST NOT
be filled in, 'requested IP address' option MUST NOT be filled in, 'ciaddr'
MUST be filled in with client's IP address. In this situation, the client
is completely configured, and is trying to extend its lease. This message
will be *unicast*, so *no relay agents will be involved in its transmission*.
Because 'giaddr' is therefore not filled in, the DHCP server will trust the
value in 'ciaddr', and use it when replying to the client."

If there is no reply to the unicast, the client should eventually do a
fallback to broadcast, but a great number of DHCP clients fail to implement
that. They will instead keep unicasting until the lease expires, then start
over including deconfiguring the IP stack and then send DISCOVER.

Regards,

Baldur
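
Added example, not part of the original messages: a classifier for DHCPREQUEST messages that applies the RFC 2131 section 4.3.2 rules quoted above, and shows the point made earlier in this thread that a renewal carries no server identifier for a stateless relay to act on. The packets are constructed samples; the function names, the hypothetical `relay_target` helper and the 192.0.2.0/24 addresses are assumptions.

```python
import ipaddress
import struct

# BOOTP fixed header (236 bytes), followed by the DHCP magic cookie and options.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = bytes.fromhex("63825363")
OPT_PAD, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 50, 53, 54, 255
DHCPREQUEST = 3
ZERO = ipaddress.IPv4Address("0.0.0.0")


def build_request(ciaddr="0.0.0.0", giaddr="0.0.0.0", server_id=None, requested_ip=None):
    """Build a constructed DHCPREQUEST (sample data, not a capture)."""
    pack = lambda a: ipaddress.IPv4Address(a).packed
    header = BOOTP.pack(1, 1, 6, 0, 0x1234ABCD, 0, 0, pack(ciaddr), bytes(4),
                        bytes(4), pack(giaddr), bytes.fromhex("020000000001"), b"", b"")
    options = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4]) + pack(server_id)
    if requested_ip:
        options += bytes([OPT_REQUESTED_IP, 4]) + pack(requested_ip)
    return header + MAGIC + options + bytes([OPT_END])


def parse(packet):
    """Return (ciaddr, giaddr, options dict); raise ValueError on malformed input."""
    if len(packet) < BOOTP.size + 4 or packet[BOOTP.size:BOOTP.size + 4] != MAGIC:
        raise ValueError("not a DHCP packet")
    fields = BOOTP.unpack(packet[:BOOTP.size])
    options, i = {}, BOOTP.size + 4
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return ipaddress.IPv4Address(fields[7]), ipaddress.IPv4Address(fields[10]), options


def classify_request(packet, sent_to_broadcast):
    """Map a DHCPREQUEST to the client state implied by RFC 2131 section 4.3.2."""
    ciaddr, _giaddr, options = parse(packet)
    if options.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        raise ValueError("not a DHCPREQUEST")
    has_server_id = OPT_SERVER_ID in options
    has_requested = OPT_REQUESTED_IP in options
    if ciaddr == ZERO:
        if has_server_id and has_requested:
            return "SELECTING"
        if has_requested:
            return "INIT-REBOOT"
        return "INVALID"
    if has_server_id or has_requested:
        return "INVALID"  # a configured client MUST NOT send either option
    # Same contents in both states; only the destination address differs.
    return "REBINDING" if sent_to_broadcast else "RENEWING"


def relay_target(packet, servers):
    """Hypothetical helper: the server a stateless relay could read from the packet."""
    _, _, options = parse(packet)
    chosen = options.get(OPT_SERVER_ID)
    if chosen is None:
        return None  # renewals name no server, so a relay has nothing to go on
    chosen = str(ipaddress.IPv4Address(chosen))
    return chosen if chosen in servers else None


if __name__ == "__main__":
    servers = {"192.0.2.1", "192.0.2.2"}
    first = build_request(server_id="192.0.2.1", requested_ip="192.0.2.50")
    renew = build_request(ciaddr="192.0.2.50")
    print(classify_request(first, True), relay_target(first, servers))
    print(classify_request(renew, False), relay_target(renew, servers))
```

A request with `ciaddr` set that also carries a server identifier or requested address violates the quoted MUST NOT rules, which makes it a reasonable thing to flag when auditing DHCP traffic.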


Re: Anycast provider for SMTP?

2015-06-19 Thread Christopher Morrow
On Fri, Jun 19, 2015 at 2:47 PM, Tony Finch  wrote:
> James Hartig  wrote:
>>
>> Just curious, how does DNS load balancing work if people are using
>> 8.8.8.8/208.67.222.222 or basically any public resolvers that cache and
>> have a significant (relatively speaking) user-base?
>
> http://www.afasterinternet.com/ietfdraft.htm

that doesn't address how packets get to the address or back though,
right? that's about the content in the packet.


Re: Anycast provider for SMTP?

2015-06-19 Thread Christopher Morrow


On Fri, Jun 19, 2015 at 3:42 PM, Joe Abley  wrote:
> On 19 Jun 2015, at 8:12, Christopher Morrow wrote:
>
>> On Fri, Jun 19, 2015 at 7:19 AM, James Hartig 
>> wrote:
>>
>>> Just curious, how does DNS load balancing work if people are using
>>> 8.8.8.8/208.67.222.222 or basically any public resolvers that cache and
>
>> don't know exactly, but you might get some interesting clues from the
>> f-root or as112 designs, eh?
>
>
> Root servers and AS112 servers don't steer clients towards content according
> to where they are. They give consistent answers for all queries, regardless
> of where they came from.

dang you jabley! I didn't see the 'if using' part :( my answer(s) are
irrelevant!


Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Mel Beckman
Bob,  I've deployed tons of Ubiquiti gear, and have seen this problem before. 
It always turns out to be poor quality cable installation. POE does not 
tolerate low quality connectors, especially in outdoor environments. There are 
many aspects to a quality cabling job, so the best thing you can do is seek out 
a qualified installer with outdoor POE experience. 

The most common problem I see is people using crimp-on RJ45 connectors directly 
on the ends of their cable runs. This is not how structured cabling is designed 
to work, in particular because most crimp-on connectors are intended for 
stranded copper wire (such as that used in very flexible patch cords, designed 
to run horizontally over only a few dozens of feet), whereas the "riser" and 
"plenum" cable used for long-distance runs has solid core wires. The tiny teeth 
in standard crimp connectors are designed to penetrate stranded wire, to make a 
solid electrical contact. With solid core wire, they just bend to the side of 
the copper core, making tenuous contact, which will conduct POE current poorly 
(resulting in the resets you see) and eventually fail altogether as the 
improper connection corrodes over time. 

The correct installation process is to use "punch-down" RJ45 jacks at each end 
of the cable run, and connect from those jacks to your equipment (radio at one 
end, POE switch at the other). On the outdoor side, the jack/plug junction 
needs to be in a NEMA weatherproof enclosure, with weathertight fittings. And, 
for human and equipment safety, you must use shielded Cat5e/6 cable anytime you 
go outdoors, grounding only one end (usually the radio end), and protecting the 
cable with an inline lightning protector between the RJ45 jack  and the radio. 

If you haven't done that, then that's the first thing to fix. 

BTW, avoid homemade patch cables whenever possible. Quality factory cables are 
hydraulically pressed and the plug is hermetically fused for a vastly superior 
connection compared to anything you can do with simple hand crimpers. And all 
outdoor cables must be UV-grade cabling with weatherproof sheathing and water 
repellant inside (so-called "flooded" cable).

 -mel beckman

> On Jun 19, 2015, at 4:54 AM, Hal Ponton  wrote:
> 
> What version of the controller are you using, we're running 3.something and
> that works fine.
> 
> We've turned off auto update on all of the sites on the server, and Nagios 
> monitors them, we certainly don't see reboots 2-3 times a day, the last time 
> ours rebooted was when we lost power at our office.
> 
> Contact me off list if you want me to take a look.
> 
> Regards,
> 
> Hal Ponton
> 
> Senior Network Engineer
> 
> Buzcom / FibreWiFi
> 
> Tel: 07429 979 217
> Email: h...@buzcom.net
> 
>> On 19 Jun 2015, at 11:01, Bob Evans  wrote:
>> 
>> Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to recommend
>> at this point. We saw people mention this brand here on the list - people
>> like them. So what could we have set incorrectly ? They drop link and
>> re-provision on their own at odd times day or night.
>> 
>> We have completed everything tech support asked of us. (Really, lame
>> emails they respond with as if they didn't read your text - they won't
>> call and you can't call them). We used POE from ciscos - then changed to
>> their POE provided. They didn't recommend it, but we plugged them all into
>> APC UPSes. no difference. They all re-provision at different times
>> even when no one is connected or in the building at odd hours like 2am.
>> Each one does this 2-3 times per 24 hour period.
>> 
>> Has anyone else experienced this?
>> Anyone know what we may have set incorrectly ?
>> Is this normal - do people put up with the 2 mins the APs are unavailable
>> about 3 times a day? (UniFi support acts like it's not a big issue.)
>> 
>> We use the UniFi controller on mac os x. We use their EdgeMax Edge Router.
>> All the latest software in everything UniFi.
>> 
>> Thank You
>> Bob Evans
>> 
>> 
>> 
>> 
>> 
>> 
>> 


RE: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-19 Thread Darden, Patrick
Good point.  It's a massive job, and sometimes it is best to look at those 
piecemeal.  Start with small goals, and pick low hanging fruit--your example of 
the server room is good.  Set it up with and IDS, a firewall, harden the hosts 
by turning off/removing unused/unneeded services, setting up tripwire, and 
encrypt all data on the drives, then look to password policy enforcement.  Then 
start actively securing it (monthly audits, daily log checks, etc.).  Doable.  
Then pick the next lowest hanging fruit and repeat.

--patrick darden

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Naslund, Steve
Sent: Friday, June 19, 2015 8:31 AM
To: Stepan Kucherenko; nanog@nanog.org
Subject: [EXTERNAL]RE: OPM Data Breach - Whitehouse Petition - Help Wanted

I think one of their major issues is that they look at too much of the network 
at a time.  If they decided they were going to secure a particular data center 
or building, they might be much better off.  If they start with defending the 
servers from internal as well as external threats and then move toward the 
perimeter they might make progress.  I think they look at the entire 
comprehensive network and end up with a number or a project that is too big to 
fathom.  First thing would be current IDP/IDS technology so they would at least 
know where and what the threats are.

Steven Naslund
Chicago IL

18.06.2015 18:00, shawn wilson wrote:
> I'd actually be interested in a discussion of how much you can possibly
> improve / degrade on a network that big from a management position.



Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread charles

On 2015-06-19 05:01, Bob Evans wrote:
> Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to recommend
> at this point. We saw people mention this brand here on the list - people
> like them. So what could we have set incorrectly ? They drop link and
> re-provision on their own at odd times day or night.

Drop link all the way down to layer 1? What does re-provision mean?
Lose/re acquire DHCP lease?

What is your network topology? What kind of switches are you using?
What's the length of the cable runs? Have you had an electrician check
your wiring?
How many access points are you running? How many fail? Do they fail in
any kind of cluster/pattern?

That's just the basic questions.

Lots more information needed if you want free support from the NANOG
hive mind :D

They have millions of satisfied customers in deployments from some of
the world's largest shopping malls to multi state ISPs. Different gear
across that customer base of course.

> We have completed everything tech support asked of us. (Really, lame
> emails they respond with as if they didn't read your text - they won't
> call and you can't call them). We used POE from ciscos - then changed to
> their POE provided.

POE from ciscos mid span injector, or switch port?

> They didn't recommend it, but we plugged them all into
> APC UPSes. no difference.

The midspan injectors you mean? H, wonder why they didn't want you
to put them in UPS. Did they provide any explanation?

> They all re-provision at different times
> even when no one is connected or in the building at odd hours like 2am.
> Each one does this 2-3 times per 24 hour period.

Interesting. Any repeated offenders?

> Has anyone else experienced this?
> Anyone know what we may have set incorrectly ?
> Is this normal - do people put up with the 2 mins the APs are unavailable
> about 3 times a day? (UniFi support acts like it's not a big issue.)

Do they come back on their own? What's the "downtime" time window?

> We use the UniFi controller on mac os x.

Mac OSX isn't a server platform. Sorry. Use Windows 2k12 or Ubuntu
Server (or your favorite debian or Redhat flavor). I've had zero
problems on either of those platforms.

What's the topology between the access points and your controller
"server"?


Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread charles

On 2015-06-19 08:51, Mel Beckman wrote:
> Bob,  I've deployed tons of Ubiquiti gear, and have seen this problem
> before. It always turns out to be poor quality cable installation. POE
> does not tolerate low quality connectors, especially in outdoor
> environments. There are many aspects to a quality cabling job, so the
> best thing you can do is seek out a qualified installer with outdoor
> POE experience.

Yep. Networks. Layer 1 before everything else! So many bad cabling jobs
for sure.

Are people using the tough cable? That has held up really well in the
installations I've done. For a few years with zero issues.


RE: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Naslund, Steve
That's possible but if they are re-provisioning on a regular schedule I kind 
of doubt it.  It would be easy to test though.  Plug an AP directly into your 
switch with a quality pre-manufactured patch cord and see how it acts. If it 
exhibits the same symptom it is probably not cabling.   Also, have you checked 
your interface counters for any packet errors?  Don't forget to look at your 
controller because if the controller became unreachable for any length of time 
that could easily cause your APs to re-provision as they reconnect with the 
controller.  I might set up a ping every second from the site of the access 
points to the controller and make sure the availability of the controller is 
100%.  If you are on Cisco switches you should have log messages regarding PoE 
being granted on particular ports as well as up down messages on the interfaces.  
Do you see the ports going up and down?  It is important to have NTP on the APs 
and switches so that you can correlate events in time (i.e. did the AP reboot 
causing the Ethernet link to drop or did the link drop causing the reboot?)

Steven Naslund
Chicago IL


>Bob,  I've deployed tons of Ubiquiti gear, and have seen this problem before. 
>It always turns out to be poor quality cable installation. POE does not 
>tolerate low quality connectors, especially in outdoor environments. There are 
>many aspects to a quality cabling job, so the best thing you can do is seek 
>out a qualified installer with outdoor POE experience. 
>
>The most common problem I see is people using crimp-on RJ45 connectors 
>directly on the ends of their cable runs. This is not how structured cabling 
>is designed to work, in particular because most crimp-on connectors are 
>intended for stranded copper wire (such as that used in very flexible patch 
>cords, designed to run horizontally over only a few dozens of feet), whereas 
>the "riser" and "plenum" cable used for long-distance runs has solid core 
>wires. The tiny teeth in standard crimp connectors are designed to penetrate 
>stranded wire, to make a solid electrical contact. With solid core wire, they 
>just bend to the side of the copper core, making tenuous contact, which will 
>conduct POE current poorly (resulting in the resets you see) and eventually 
>fail altogether as the improper connection corrodes over time. 
>
>The correct installation process is to use "punch-down" RJ45 jacks at each end 
>of the cable run, and connect from those jacks to your equipment (radio at one 
>end, POE switch at the other). On the outdoor side, the jack/plug junction 
>needs to be in a NEMA weatherproof enclosure, with weathertight fittings. 
>And, for human and equipment safety, you must use shielded Cat5e/6 cable 
>anytime you go outdoors, grounding only one end (usually the radio end), and 
>protecting the cable with an inline lightning protector between the RJ45 jack 
>and the radio. 
>
>If you haven't done that, then that's the first thing to fix. 
>
>BTW, avoid homemade patch cables whenever possible. Quality factory cables are 
>hydraulically pressed and the plug is hermetically fused for a vastly superior 
>connection compared to anything you can do with simple hand crimpers. And all 
>outdoor cables must be UV-grade cabling with weatherproof sheathing and water 
>repellant inside (so-called "flooded" cable).

> -mel beckman
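
The correlation suggested in the message above (a ping every second toward the controller, PoE and up/down switch log messages, NTP-aligned timestamps), as an added example that is not part of any list member's post. The probe-log format, host name, port numbers and every log line are constructed for illustration; the script only lines events up in time and does not establish a cause.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"


def build_probe_log():
    """Constructed sample: one probe per second from the AP site to the
    controller, as '<timestamp> <ok|timeout>' (format assumed for this example).
    Contains one 45 s gap and one isolated lost probe."""
    start = datetime(2015, 6, 19, 2, 0, 0)
    lines = []
    for i in range(600):
        lost = 180 <= i < 225 or i == 400
        stamp = (start + timedelta(seconds=i)).strftime(FMT)
        lines.append(f"{stamp} {'timeout' if lost else 'ok'}")
    return lines


# Constructed Cisco-style switch log lines (timestamps assumed NTP-synced).
SWITCH_LOG = """\
2015-06-19T02:03:50 sw1 %ILPOWER-5-IEEE_DISCONNECT: Interface Gi0/5: PD removed
2015-06-19T02:03:51 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to down
2015-06-19T02:04:02 sw1 %ILPOWER-5-POWER_GRANTED: Interface Gi0/5: Power granted
2015-06-19T02:05:40 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up
2015-06-19T02:08:10 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
2015-06-19T02:08:13 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %(?P<tag>[A-Z]+-\d-[A-Z_]+): "
    r"Interface (?P<port>[A-Za-z]+[\d/]+)[,:] ?(?P<text>.*)$"
)


def controller_outages(probe_lines, min_missed=3):
    """Return (first_lost, last_lost) for each run of >= min_missed timeouts.
    Shorter runs are treated as ordinary packet loss, not an outage."""
    outages, run = [], []
    for line in probe_lines:
        ts_text, state = line.split()
        if state == "timeout":
            run.append(datetime.strptime(ts_text, FMT))
            continue
        if len(run) >= min_missed:
            outages.append((run[0], run[-1]))
        run = []
    if len(run) >= min_missed:
        outages.append((run[0], run[-1]))
    return outages


def parse_switch_events(text):
    """Extract (timestamp, port, kind) for link and PoE messages."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        # The two message families abbreviate the interface name differently.
        port = m["port"].replace("GigabitEthernet", "Gi")
        if m["tag"] == "LINK-3-UPDOWN":
            kind = "link_" + m["text"].rsplit(" ", 1)[-1]  # link_up / link_down
        elif m["tag"] == "ILPOWER-5-IEEE_DISCONNECT":
            kind = "poe_removed"
        elif m["tag"] == "ILPOWER-5-POWER_GRANTED":
            kind = "poe_granted"
        else:
            continue
        events.append((datetime.strptime(m["ts"], FMT), port, kind))
    return events


def correlate(events, outages, poe_slack=5, gap_window=60):
    """For every link-down, report whether PoE was removed on the same port
    within poe_slack seconds (points at the power path rather than a reset of
    a still-powered AP) and whether a controller outage was in progress or
    ended at most gap_window seconds earlier."""
    findings = []
    for ts, port, kind in events:
        if kind != "link_down":
            continue
        poe_removed = any(
            k == "poe_removed" and p == port
            and abs((ts - t).total_seconds()) <= poe_slack
            for t, p, k in events
        )
        gap = next(
            ((s, e) for s, e in outages
             if s <= ts <= e + timedelta(seconds=gap_window)),
            None,
        )
        findings.append({"port": port, "down": ts,
                         "poe_removed": poe_removed, "controller_gap": gap})
    return findings


if __name__ == "__main__":
    gaps = controller_outages(build_probe_log())
    for finding in correlate(parse_switch_events(SWITCH_LOG), gaps):
        print(finding)
```
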



RE: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Naslund, Steve
Here is another thought.  If your APs are re-provisioning every eight hours, 
what is your DHCP lease time?  Are you sure the APs are able to renew their 
leases (if not, could your scope be full)?  Do you see the IP addresses on the 
APs changing when they come back up?  These could indicate a DHCP server issue. 
 If the AP gets a new IP address it will likely have to be re-adopted to the 
controller.  You might want to static address one or more APs to test this 
theory.

Steven Naslund
Chicago IL


Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Josh Luthman
Do you want to set one of the radios to my Unifi server to confirm it is or
isn't a controller problem?

If you simply turn off your controller you can confirm as well.  The
devices will run as provisioned until told otherwise.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, Jun 19, 2015 at 10:03 AM,  wrote:

> On 2015-06-19 05:01, Bob Evans wrote:
>
>> Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to recommend
>> at this point. We saw people mention this brand here on the list - people
>> like them. So what could we have set incorrectly ? They drop link and
>> re-provision on their own at odd times day or night.
>>
>
> Drop link all the way down to layer 1? What does re-provision mean?
> Lose/re acquire DHCP lease?
>
> What is your network topology? What kind of switches are you using? What's
> the length of the cable runs? Have you had an electrician check your wiring?
> How many access points are you running? How many fail? Do they fail in any
> kind of cluster/pattern?
>
> That's just the basic questions.
>
> Lots more information needed if you want free support from the NANOG hive
> mind :D
>
> They have millions of satisfied customers in deployments from some of the
> worlds largest shopping malls to multi state ISPs. Different gear across
> that customer base of course.
>
>
>
>> We have completed everything tech support asked of us. (Really, lame
>> emails they respond with as if they didn't read your text - they won't
>> call and you can't call them). We used POE from ciscos - then changed to
>> their POE provided.
>>
>
> POE from ciscos mid span injector, or switch port?
>
>
>  They didn't recommend it, but we plugged them all into
>
>> APC UPSes. no difference.
>>
>
> The midspan injectors you mean? H, wonder why they didn't want you to
> put them in UPS. Did they provide any explanation?
>
>
>  They all re-provision at different times
>
>> even when no one is connected or in the building at odd hours like 2am.
>> Each one does this 2-3 times per 24 hour period.
>>
>
> Interesting. Any repeated offenders?
>
>
>
>
>> Has anyone else experienced this?
>> Anyone know what we may have set incorrectly ?
>> Is this normal - do people put up with the 2 mins the APs are unavailable
>> about 3 times a day? (UniFi support acts like it's not a big issues.)
>>
>>
> Do they come back on their own? What's the "downtime" time window?
>
>
>
>  We use the UniFi controller on mac os x.
>>
>
> Mac OSX isn't a server platform. Sorry. Use Windows 2k12 or Ubuntu Server
> (or your favorite debian or Redhat flavor). I've had zero problems on
> either of those platforms.
>
> What's the topology between the access points and your controller "server"?
>


Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Bob Evans
Thanks Jared
Cables are 3 to 6 feet long - swapped them out already. All cables
manufacture made purchased. They plug into the switch directly. Each
switch is then multi-mode fiber back to a main switch where the edgeMax
router and other gear are connected.

Bob Evans





> I have a variety of their gear and don't have problems like this. Have you
> run a cable tester on the wiring? This sounds quite odd and is something I
> haven't seen.
>
> They do most of their support in their forums vs email. The email is
> mainly for RMA support.
>
> What version software is on your controller and the UAP-Pros?
>
> Jared Mauch
>
>> On Jun 19, 2015, at 6:01 AM, Bob Evans 
>> wrote:
>>
>> Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to
>> recommend
>> at this point. We saw people mention this brand here on the list -
>> people
>> like them. So what could we have set incorrectly ? They drop link and
>> re-provision on their own at odd times day or night.
>>
>> We have completed everything tech support asked of us. (Really, lame
>> emails they respond with as if they didn't read your text - they won't
>> call and you can't call them). We used POE from ciscos - then changed to
>> their POE provided. They didn't recommend it, but we plugged them all
>> into
>> APC UPSes. no difference. They all re-provision at different times
>> even when no one is connected or in the building at odd hours like 2am.
>> Each one does this 2-3 times per 24 hour period.
>>
>> Has anyone else experienced this?
>> Anyone know what we may have set incorrectly ?
>> Is this normal - do people put up with the 2 mins the APs are
>> unavailable
>> about 3 times a day? (UniFi support acts like it's not a big issues.)
>>
>> We use the UniFi controller on mac os x. We use their EdgeMax Edge
>> Router.
>> All the latest software in everything UniFi.
>>
>> Thank You
>> Bob Evans
>




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Bob Evans
Mel,
Thanks, for all the detail.

Everything is indoors and directly connected by new 3 to 6 foot
manufactured cables on cisco switches. All cables have been changed -
even tried crossover cables - same results.

I'm thinking it has something to do with the controller
communications...All these APs shouldn't need a controller after
configuration and boot up. But we leave it up.

Thank You
Bob Evans
CTO




> Bob,  I've deployed tons of Ubiquiti gear, and have seen this problem
> before. It always turns out to be poor quality cable installation. POE
> does not tolerate low quality connectors, especially in outdoor
> environments. There are many aspects to a quality cabling job, so the best
> thing you can do is seek out a qualified installer with outdoor POE
> experience.
>
> The most common problem I see is people using crimp-on RJ45 connectors
> directly on the ends of their cable runs. This is not how structured
> cabling is designed to work, in particular because most crimp-on
> connectors are intended for stranded copper wire (such as that used in
> very flexible patch cords, designed to run horizontally over only a few
> dozens of feet), whereas the "riser" and "plenum" cable used for
> long-distance runs has solid core wires. The tiny teeth in standard crimp
> connectors are designed to penetrate stranded wire, to make a solid
> electrical contact. With solid core wire, they just bend to the side of
> the copper core, making tenuous contact, which will conduct POE current
> poorly (resulting in the resets you see) and eventually fail altogether as
> the improper connection corrodes over time.
>
> The correct installation process is to use "punch-down" RJ45 jacks at each
> end of the cable run, and connect from those jacks to your equipment
> (radio at one end, POE switch at the other). On the outdoor side, the
> jack/plug junction needs to be in a NEMA weatherproof enclosure, with
> weathertight fittings. And, for human and equipment safety, you must use
> shielded Cat5e/6 cable anytime you go outdoors, grounding only one end
> (usually the radio end), and protecting the cable with an inline lightning
> protector between the RJ45 jack  and the radio.
>
> If you haven't done that, then that's the first thing to fix.
>
> BTW, avoid homemade patch cables whenever possible. Quality factory cables
> are hydraulically pressed and the plug is hermetically fused for a vastly
> superior connection compared to anything you can do with simple hand
> crimpers. And all outdoor cables must be UV-grade cabling with
> weatherproof sheathing and water repellant inside (so-called "flooded"
> cable).
>
>  -mel beckman
>
>> On Jun 19, 2015, at 4:54 AM, Hal Ponton  wrote:
>>
>> What version of the controller are you using, we're running 3.something
>> and that works fine.
>>
>> We've turned off auto update on all of the sites on the server, and
>> Nagios monitors them, we certainly don't see reboots 2-3 times a day,
>> the last time ours rebooted was when we lost power at our office.
>>
>> Contact me off list if you want me to take a look.
>>
>> Regards,
>>
>> Hal Ponton
>>
>> Senior Network Engineer
>>
>> Buzcom / FibreWiFi
>>
>> Tel: 07429 979 217
>> Email: h...@buzcom.net
>>
>>> On 19 Jun 2015, at 11:01, Bob Evans 
>>> wrote:
>>>
>>> Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to
>>> recommend
>>> at this point. We saw people mention this brand here on the list -
>>> people
>>> like them. So what could we have set incorrectly ? They drop link and
>>> re-provision on their own at odd times day or night.
>>>
>>> We have completed everything tech support asked of us. (Really, lame
>>> emails they respond with as if they didn't read your text - they won't
>>> call and you can't call them). We used POE from ciscos - then changed
>>> to
>>> their POE provided. They didn't recommend it, but we plugged them all
>>> into
>>> APC UPSes. no difference. They all re-provision at different times
>>> even when no one is connected or in the building at odd hours like 2am.
>>> Each one does this 2-3 times per 24 hour period.
>>>
>>> Has anyone else experienced this?
>>> Anyone know what we may have set incorrectly ?
>>> Is this normal - do people put up with the 2 mins the APs are
>>> unavailable
>>> about 3 times a day? (UniFi support acts like it's not a big issues.)
>>>
>>> We use the UniFi controller on mac os x. We use their EdgeMax Edge
>>> Router.
>>> All the latest software in everything UniFi.
>>>
>>> Thank You
>>> Bob Evans
>




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Josh Luthman
The current ToughCable really is fantastic.  I'd only suggest the bigger
one ("carrier").  The old green stuff definitely deterred a lot of people,
understandably.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, Jun 19, 2015 at 10:05 AM,  wrote:

> On 2015-06-19 08:51, Mel Beckman wrote:
>
>> Bob,  I've deployed tons of Ubiquiti gear, and have seen this problem
>> before. It always turns out to be poor quality cable installation. POE
>> does not tolerate low quality connectors, especially in outdoor
>> environments. There are many aspects to a quality cabling job, so the
>> best thing you can do is seek out a qualified installer with outdoor
>> POE experience.
>>
>>
>
>
> Yep. Networks. Layer 1 before everything else! So many bad cabling jobs
> for sure.
>
>
> Are people using the tough cable? That has held up really well in the
> installations I've done. For a few years with zero issues.
>


Re: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-19 Thread Jim Popovitch
On Fri, Jun 19, 2015 at 9:55 AM, Darden, Patrick  wrote:
> Good point.  It's a massive job, and sometimes it is best to look at those 
> piecemeal.  Start with small goals, and pick low hanging fruit--your example 
> of the server room is good.  Set it up with an IDS, a firewall, harden the 
> hosts by turning off/removing unused/unneeded services, setting up tripwire, 
> and encrypt all data on the drives, then look to password policy enforcement. 
>  Then start actively securing it (monthly audits, daily log checks, etc.).  
> Doable.  Then pick the next lowest hanging fruit and repeat.

You left out:
Formulate Bid Solicitation team
Procure funding for Bid Solicitation team
Request Congressional approval for Bid Solicitation team
Request funding for team to win Congressional approval of Bid
Solicitation team
Receive first round funding for team to win Congressional approval.
Director retires, project status in limbo
New round of higher funding sought
Congressional recess, projects in limbo
Bid process begins, 3 of 4 are non-GSA and require further funding
for new approval process
After 2 years of paperwork, initial funding for 2 year old IDS
v1.1 (that's what was approved!) is approved.
repeat, ad nauseam

-Jim P.


Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Bob Evans
Mike,
Good to know they are reliable.  It is an odd looking problem.
We will try the forums.
Thank You
Bob Evans



> I've had their gear for a few years now. It's effectively up until I
> upgrade the software. Might want to ask on their forums or on the WISPA
> UBNT list.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
>
> - Original Message -
>
> From: "Bob Evans" 
> To: nanog@nanog.org
> Sent: Friday, June 19, 2015 5:01:49 AM
> Subject: Ghosts in our 6 New Ubiquity Pros - provision issues.
>
> Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to recommend
> at this point. We saw people mention this brand here on the list - people
> like them. So what could we have set incorrectly ? They drop link and
> re-provision on their own at odd times day or night.
>
> We have completed everything tech support asked of us. (Really, lame
> emails they respond with as if they didn't read your text - they won't
> call and you can't call them). We used POE from ciscos - then changed to
> their POE provided. They didn't recommend it, but we plugged them all into
> APC UPSes. no difference. They all re-provision at different times
> even when no one is connected or in the building at odd hours like 2am.
> Each one does this 2-3 times per 24 hour period.
>
> Has anyone else experienced this?
> Anyone know what we may have set incorrectly ?
> Is this normal - do people put up with the 2 mins the APs are unavailable
> about 3 times a day? (UniFi support acts like it's not a big issues.)
>
> We use the UniFi controller on mac os x. We use their EdgeMax Edge Router.
> All the latest software in everything UniFi.
>
> Thank You
> Bob Evans
>




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Jared Mauch
It sounds like a PoE issue. I'm also happy to take a look. Anything in the 
controller logs?

Are your DHCP leases short? Or are you seeing the edge router reboot? What 
version on the edge router? The 1.7.0rc2 was posted and compared to 1.5 and 1.6 
it fixes a reboot issue I saw unless you disabled vlan offload. 

Jared Mauch

> On Jun 19, 2015, at 10:10 AM, Bob Evans  wrote:
> 
> Thanks Jared
> Cables are 3 to 6 feet long - swapped them out already. All cables
> manufacture made purchased. They plug into the switch directly. Each
> switch is then multi-mode fiber back to a main switch where the edgeMax
> router and other gear are connected.
> 
> Bob Evans
> 
> 
> 
> 
> 
>> I have a variety of their gear and don't have problems like this. Have you
>> run a cable tester on the wiring? This sounds quite odd and is something I
>> haven't seen.
>> 
>> They do most of their support in their forums vs email. The email is
>> mainly for RMA support.
>> 
>> What version software is on your controller and the UAP-Pros?
>> 
>> Jared Mauch
>> 
>>> On Jun 19, 2015, at 6:01 AM, Bob Evans 
>>> wrote:
>>> 
>>> Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to
>>> recommend
>>> at this point. We saw people mention this brand here on the list -
>>> people
>>> like them. So what could we have set incorrectly ? They drop link and
>>> re-provision on their own at odd times day or night.
>>> 
>>> We have completed everything tech support asked of us. (Really, lame
>>> emails they respond with as if they didn't read your text - they won't
>>> call and you can't call them). We used POE from ciscos - then changed to
>>> their POE provided. They didn't recommend it, but we plugged them all
>>> into
>>> APC UPSes. no difference. They all re-provision at different times
>>> even when no one is connected or in the building at odd hours like 2am.
>>> Each one does this 2-3 times per 24 hour period.
>>> 
>>> Has anyone else experienced this?
>>> Anyone know what we may have set incorrectly ?
>>> Is this normal - do people put up with the 2 mins the APs are
>>> unavailable
>>> about 3 times a day? (UniFi support acts like it's not a big issues.)
>>> 
>>> We use the UniFi controller on mac os x. We use their EdgeMax Edge
>>> Router.
>>> All the latest software in everything UniFi.
>>> 
>>> Thank You
>>> Bob Evans
> 


Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Jared Mauch
This isn't the behavior I've seen with UBNT. They only provision on a change, 
even if disconnected for a long time.

You can check this in the UniFi logs directory. 

Jared Mauch

> On Jun 19, 2015, at 10:06 AM, Naslund, Steve  wrote:
> 
> Don't forget to look at your controller because if the controller became 
> unreachable for any length of time that could easily cause your APs to 
> re-provision as they reconnect with the controller.


RE: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Steve Mikulasik
I run lots of these. How many APs? Have you reset them to default yet?

https://community.ubnt.com/t5/UniFi-Frequently-Asked-Questions/UniFi-How-do-I-reset-the-UAP-to-factory-default-settings/ta-p/412585

Steve Mikulasik

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Bob Evans
Sent: Friday, June 19, 2015 8:10 AM
To: Jared Mauch 
Cc: nanog@nanog.org
Subject: Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

Thanks Jared
Cables are 3 to 6 feet long - swapped them out already. All cables manufacture 
made purchased. They plug into the switch directly. Each switch is then 
multi-mode fiber back to a main switch where the edgeMax router and other gear 
are connected.

Bob Evans





> I have a variety of their gear and don't have problems like this. Have 
> you run a cable tester on the wiring? This sounds quite odd and is 
> something I haven't seen.
>
> They do most of their support in their forums vs email. The email is 
> mainly for RMA support.
>
> What version software is on your controller and the UAP-Pros?
>
> Jared Mauch
>
>> On Jun 19, 2015, at 6:01 AM, Bob Evans 
>> wrote:
>>
>> Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to 
>> recommend at this point. We saw people mention this brand here on the 
>> list - people like them. So what could we have set incorrectly ? They 
>> drop link and re-provision on their own at odd times day or night.
>>
>> We have completed everything tech support asked of us. (Really, lame 
>> emails they respond with as if they didn't read your text - they 
>> won't call and you can't call them). We used POE from ciscos - then 
>> changed to their POE provided. They didn't recommend it, but we 
>> plugged them all into APC UPSes. no difference. They all 
>> re-provision at different times even when no one is connected or in 
>> the building at odd hours like 2am.
>> Each one does this 2-3 times per 24 hour period.
>>
>> Has anyone else experienced this?
>> Anyone know what we may have set incorrectly ?
>> Is this normal - do people put up with the 2 mins the APs are 
>> unavailable about 3 times a day? (UniFi support acts like it's not a 
>> big issues.)
>>
>> We use the UniFi controller on mac os x. We use their EdgeMax Edge 
>> Router.
>> All the latest software in everything UniFi.
>>
>> Thank You
>> Bob Evans
>




RE: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-19 Thread Naslund, Steve
No I intentionally left those out.  Here is why.  If they would do small 
incremental work, they don’t get into the areas of congressional approval and 
GSA.  You can just do the small incremental projects under your IT operations 
budgeting. There is a big misconception that everything requires congressional 
approval or a lot of red tape to get done, it is all about thresholds.  If you 
wanted to replace an old obsolete switch or router, you don't need to go there. 
 If you propose to replace 10,000 switches and routers, then you would.

Steven Naslund
Chicago IL

>>On Fri, Jun 19, 2015 at 9:55 AM, Darden, Patrick  
>>wrote:
>> Good point.  It's a massive job, and sometimes it is best to look at those 
>> piecemeal.  Start with small goals, and pick low hanging fruit--your example 
>> of the server room is good.  Set it up with an IDS, a firewall, harden the 
>> hosts by turning off/removing unused/unneeded services, setting up 
>> tripwire, and encrypt all data on the drives, then look to password policy 
>> enforcement.  Then start actively securing it (monthly audits, daily log 
>> checks, etc.).  Doable.  Then pick the next lowest hanging fruit and 
>> repeat.

>You left out:
>Formulate Bid Solicitation team
>Procure funding for Bid Solicitation team
>Request Congressional approval for Bid Solicitation team
>Request funding for team to win Congressional approval of Bid Solicitation 
> team
>Receive first round funding for team to win Congressional approval.
>Director retires, project status in limbo
>New round of higher funding sought
>Congressional recess, projects in limbo
>Bid process begins, 3 of 4 are non-GSA and require further funding for new 
> approval process
>After 2 years of paperwork, initial funding for 2 year old IDS
>v1.1 (that's what was approved!) is approved.
>repeat, ad nauseam

>-Jim P.


RE: Re: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-19 Thread Darden, Patrick
I believe, if the fruit is small enough, you could sneak some of this in 
through the cracks.  Bull it through via sheer determination.  But I understand 
what you mean.  The more official it is, the more visible it is, the more 
difficult it is.  The same for any bureaucracy, but a quantum leap here.

-- patrick darden


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Jim Popovitch
Sent: Friday, June 19, 2015 9:12 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: OPM Data Breach - Whitehouse Petition - Help Wanted

On Fri, Jun 19, 2015 at 9:55 AM, Darden, Patrick  wrote:
> Good point.  It's a massive job, and sometimes it is best to look at those 
> piecemeal.  Start with small goals, and pick low hanging fruit--your example 
> of the server room is good.  Set it up with an IDS, a firewall, harden the 
> hosts by turning off/removing unused/unneeded services, setting up tripwire, 
> and encrypt all data on the drives, then look to password policy enforcement. 
>  Then start actively securing it (monthly audits, daily log checks, etc.).  
> Doable.  Then pick the next lowest hanging fruit and repeat.

You left out:
Formulate Bid Solicitation team
Procure funding for Bid Solicitation team
Request Congressional approval for Bid Solicitation team
Request funding for team to win Congressional approval of Bid Solicitation 
team
Receive first round funding for team to win Congressional approval.
Director retires, project status in limbo
New round of higher funding sought
Congressional recess, projects in limbo
Bid process begins, 3 of 4 are non-GSA and require further funding for new 
approval process
After 2 years of paperwork, initial funding for 2 year old IDS
v1.1 (that's what was approved!) is approved.
repeat, ad nauseam

-Jim P.


Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Sam Tetherow
The IP can change on the UniFi without having to re-adopt or 
re-provision.  APs are identified by MAC address at the UniFi protocol 
level (not layer 2).


On 06/19/2015 09:09 AM, Naslund, Steve wrote:

Here is another thought.  If your APs are re-provisioning every eight hours, 
what is your DHCP lease time?  Are you sure the APs are able to renew their 
leases (if not, could your scope be full)?  Do you see the IP addresses on the 
APs changing when they come back up?  These could indicate a DHCP server issue. 
 If the AP gets a new IP address it will likely have to be re-adopted to the 
controller.  You might want to static address one or more APs to test this 
theory.

Steven Naslund
Chicago IL




Re: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-19 Thread William Herrin
On Fri, Jun 19, 2015 at 10:43 AM, Naslund, Steve  wrote:
> No I intentionally left those out.  Here is why.  If they would do small
> incremental work, they don’t get into the areas of congressional approval
> and GSA.  You can just do the small incremental projects under your IT
> operations budgeting.

This is only possible when you take all the policies developed to
comply with both the law and executive orders and chuck them right out
the window. At that point you're operating with no authority and all
of the responsibility, which is grounds for termination even if what
you do actually works. Especially if you're a contractor as the
majority of operations folks in the Federal government are.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


RE: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-19 Thread Naslund, Steve
Wrong.  I was a government (US Air Force) network engineer for over 10 years 
(not a contractor, a full time employee).  There is an O&M budget created for 
the day to day operation and maintenance of IT systems.  This is approved along 
with your department's budget annually.  If you classify updating equipment as 
an O&M function (which it routinely is) then you have no issues.  You purchase 
your equipment off pre-existing purchasing agreements in place with your agency 
or the GSA.  If your purchases exceed a certain threshold or the amount 
available under your O&M funding, then you need to go out and negotiate a 
project and contract it out.  Trust me I know how this works, I was also a 
contracting inspector for communications systems during my time with the US Air 
Force.

For example,  I want to connect one new building to my infrastructure including 
the installation of fiber to the building and purchasing network switches and 
routers.  The organization that wants to do this can eat that cost under their 
IT O&M budget without issue or breaking any rules.  It could also be contracted 
under the buildings construction project if it is new construction.  If I want 
to replace an existing failed or obsolete firewall with something under a 
current GSA schedule, I can do that as well.  The only thing that matters here 
is that I do not cross certain dollar thresholds (which vary per department) 
and that I can absorb the cost into my O&M funding.  These all comply with 
existing contracting law.

Let me give you another example.  The Air Force Pacific Command wanted to unify 
several disparate TDM Voice/Video/Data networks into a single ATM switched 
infrastructure on fiber rings.  The cost of that project ran to over 50 million 
dollars and was done with any additional congressional approval.  Air Force 
Pacific Commander absorbed the entire cost under their existing authorization 
for maintenance of command and control systems.  The construction of manholes 
and duct work was put out for bid to local construction companies under the Air 
Force Contracting Regulations.  In fact, the DoD was told this was being done 
(since it modified the engineering of some existing systems) and they agreed to 
commit some of their O&M dollars to it as a prototype for other commands.  None 
of that work required GSA or congressional scrutiny because it was all 
conducted under pre-existing authorizations.  Project went from concept to full 
production in under two years.

If you want new PCs, the Department of Defense negotiates contracts that you 
can purchase off of agency wide.  It is a common misconception that everything 
has to go out to bid every time.  Things that are purchased routinely (PCs, 
printers, routers, switches, etc.) are negotiated in large multiyear contracts 
that are already available to the purchaser.

You only need to go back to Congress if you are looking for money that is not 
already appropriated to you.  If my budget appropriation includes $10 million 
for IT security, I can go ahead and spend that money on IT security devices and 
services without any more approval through the existing procurement system.

In my experience it is more about some government wonk that would rather tell 
you to launch a $100 million project rather than get off his ass and do 
something small and useful.  Rather than work, just make it so hard to start 
that it never happens.

Steven Naslund
Chicago IL




>>>This is only possible when you take all the policies developed to comply 
>>>with both the law and executive orders and chuck them right out the window. 
>>>At that point you're operating with no authority and all of the 
>>>responsibility, which is grounds for termination even if what you do 
>>>actually works. Especially if you're a contractor as the majority of 
>>>operations folks in the Federal government are.

>>>Regards,
>>>Bill Herrin



Re: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-19 Thread Jim Popovitch
On Fri, Jun 19, 2015 at 12:12 PM, Naslund, Steve  wrote:
> There is an O&M budget created for the day to day operation and maintenance 
> of IT systems.  This is approved along with your department's budget 
> annually.  If you classify updating equipment as an O&M function (which it 
> routinely is) then you have no issues.  You purchase your equipment off 
> pre-existing purchasing agreements in place with your agency or the GSA.  If 
> your purchases exceeds certain threshold or the amount available under your 
> O&M funding, then you need to go out and negotiate a project and contract it 
> out.  Trust me I know how this works, I was also a contracting inspector for 
> communications systems during my time with the US Air Force.

I'm fairly certain that new IDS purchases, for an org as large as OPM,
which would also include project-term Support contracts, isn't going
to fit into any pre-approved O&M day to day budget... other than maybe
an AF budget :-)

-Jim P.


RE: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Bob Evans

> That's possible but if they are re-provisioning on a regular schedule I
> kind of doubt it.  It would be easy to test though.  Plug an AP directly
> into your switch with a quality pre-manufactured patch cord and see how it
> acts. If it exhibits the same symptom it is probably not cabling.   Also,
> have you checked your interface counters for any packet errors?

Yes, no packet errors crcs or frags.

> Don't
> forget to look at your controller because if the controller became
> unreachable for any length of time that could easily cause your APs to
> re-provision as they reconnect with the controller.

This I did not know - thought the controller was just to provision and
monitor. After all why would a manufacturer make one point of failure for
a campus setup that uses their own edgerouter for the dhcp etc. Doesn't
seem correct. But will investigate it.

> I might set up a ping
> every second from the site of the access points to the controller and make
> sure the availability of the controller is 100%.

Yes that and what the ciscos report on the port link.

>  If you are on Cisco
> switches you should have log messages regarding PoE being granted on
> particular ports as well as up down messages on the interfaces.

Yep and we get them.

> Do you
> see the ports going up and down?  It is important to have NTP on the APs
> and switches so that you can correlate events in time (i.e. did the AP
> reboot causing the Ethernet link to drop or did the link drop causing the
> reboot?)

I am sure it's the APs dropping - as none of the other devices VOIP phones
etc drop in the logs.


Thanks Steven
Bob
>
> Steven Naslund
> Chicago IL
>
>
>> Bob, I've deployed tons of Ubiquiti gear, and have seen this problem
>> before. It always turns out to be poor quality cable installation. POE
>> does not tolerate low quality connectors, especially in outdoor
>> environments. There are many aspects to a quality cabling job, so the
>> best thing you can do is seek out a qualified installer with outdoor POE
>> experience.
>>
>> The most common problem I see is people using crimp-on RJ45 connectors
>> directly on the ends of their cable runs. This is not how structured
>> cabling is designed to work, in particular because most crimp-on
>> connectors are intended for stranded copper wire (such as that used in
>> very flexible patch cords, designed to run horizontally over only a few
>> dozens of feet), whereas the "riser" and "plenum" cable used for
>> long-distance runs has solid core wires. The tiny teeth in standard
>> crimp connectors are designed to penetrate stranded wire, to make a solid
>> electrical contact. With solid core wire, they just bend to the side of
>> the copper core, making tenuous contact, which will conduct POE current
>> poorly (resulting in the resets you see) and eventually fail altogether
>> as the improper connection corrodes over time.
>>
>> The correct installation process is to use "punch-down" RJ45 jacks at
>> each end of the cable run, and connect from those jacks to your equipment
>> (radio at one end, POE switch at the other). On the outdoor side, the
>> jack/plug junction needs to be in a NEMA weatherproof enclosure, with
>> weathertight fittings. And, for human and equipment safety, you must use
>> shielded Cat5e/6 cable anytime you go outdoors, grounding only one end
>> (usually the radio end), and protecting the cable with an inline
>> lightning protector between the RJ45 jack and the radio.
>>
>> If you haven't done that, then that's the first thing to fix.
>>
>> BTW, avoid homemade patch cables whenever possible. Quality factory
>> cables are hydraulically pressed and the plug is hermetically fused for a
>> vastly superior connection compared to anything you can do with simple
>> hand crimpers. And all outdoor cables must be UV-grade cabling with
>> weatherproof sheathing and water repellant inside (so-called "flooded"
>> cable).
>>
>> -mel beckman
>
>




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Mike Hammett
The UBNT controller is only required when setting up the APs or for certain 
guest portal functions. I'd just leave it connected all of the time. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 


- Original Message -

From: "Bob Evans"  
To: "Steve Naslund"  
Cc: nanog@nanog.org 
Sent: Friday, June 19, 2015 11:26:42 AM 
Subject: RE: Ghosts in our 6 New Ubiquity Pros - provision issues. 


> That's possible but if they are re-provisioning on a regular schedule I 
> kind of doubt it. It would be easy to test though. Plug an AP directly 
> into your switch with a quality pre-manufactured patch cord and see how it 
> acts. If it exhibits the same symptom it is probably not cabling. Also, 
> have you checked your interface counters for any packet errors? 

Yes, no packet errors crcs or frags. 

> Don't 
> forget to look at your controller because if the controller became 
> unreachable for any length of time that could easily cause your APs to 
> re-provision as they reconnect with the controller. 

This I did not know - thought the controller was just to provision and 
monitor. After all why would a manufacturer make one point of failure for 
a campus setup that uses their own edgerouter for the dhcp etc. Doesn't 
seem correct. But will investigate it. 

> I might set up a ping 
> every second from the site of the access points to the controller and make 
> sure the availability of the controller is 100%. 

Yes that and what the ciscos report on the port link. 

> If you are on Cisco 
> switches you should have log messages regarding PoE being granted on 
> particular ports as well as up down messages on the interfaces. 

Yep and we get them. 

> Do you 
> see the ports going up and down? It is important to have NTP on the APs 
> and switches so that you can correlate events in time (i.e. did the AP 
> reboot causing the Ethernet link to drop or did the link drop causing the 
> reboot?) 

I am sure it's the APs dropping - as none of the other devices VOIP phones 
etc drop in the logs. 


Thanks Steven 
Bob 
> 
> Steven Naslund 
> Chicago IL 
> 
> 
>> Bob, I've deployed tons of Ubiquiti gear, and have seen this problem
>> before. It always turns out to be poor quality cable installation. POE
>> does not tolerate low quality connectors, especially in outdoor
>> environments. There are many aspects to a quality cabling job, so the
>> best thing you can do is seek out a qualified installer with outdoor POE
>> experience.
>>
>> The most common problem I see is people using crimp-on RJ45 connectors
>> directly on the ends of their cable runs. This is not how structured
>> cabling is designed to work, in particular because most crimp-on
>> connectors are intended for stranded copper wire (such as that used in
>> very flexible patch cords, designed to run horizontally over only a few
>> dozens of feet), whereas the "riser" and "plenum" cable used for
>> long-distance runs has solid core wires. The tiny teeth in standard
>> crimp connectors are designed to penetrate stranded wire, to make a solid
>> electrical contact. With solid core wire, they just bend to the side of
>> the copper core, making tenuous contact, which will conduct POE current
>> poorly (resulting in the resets you see) and eventually fail altogether
>> as the improper connection corrodes over time.
>>
>> The correct installation process is to use "punch-down" RJ45 jacks at
>> each end of the cable run, and connect from those jacks to your equipment
>> (radio at one end, POE switch at the other). On the outdoor side, the
>> jack/plug junction needs to be in a NEMA weatherproof enclosure, with
>> weathertight fittings. And, for human and equipment safety, you must use
>> shielded Cat5e/6 cable anytime you go outdoors, grounding only one end
>> (usually the radio end), and protecting the cable with an inline
>> lightning protector between the RJ45 jack and the radio.
>>
>> If you haven't done that, then that's the first thing to fix.
>>
>> BTW, avoid homemade patch cables whenever possible. Quality factory
>> cables are hydraulically pressed and the plug is hermetically fused for a
>> vastly superior connection compared to anything you can do with simple
>> hand crimpers. And all outdoor cables must be UV-grade cabling with
>> weatherproof sheathing and water repellant inside (so-called "flooded"
>> cable).
>>
>> -mel beckman
> 
> 





Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Bob Evans
We have all APs set with static addresses. EdgeMax only hands out IPs to
clients using the APs.

This happens when people are using the APs and when no one is even in the
building  at 2am when there are no clients connected. It can happen to one
then 5 hours later it happens again...then doesn't happen again for 12
hours. Totally random no interval.

It is nice to know that others have no issues with these UniFi AP Pros.
They seem to be fine except for the 2 mins or so they randomly drop link
and reboot themselves. All are on APC UPSes and other devices in the same
switch , like voip phones, never drop the ports.

They are all new, delivered in various batches over time. We checked and
all are the latest versions.

Bob Evans




> The IP can change on the UniFi without having to re-adopt or
> re-provision.  APs are identified by MAC address at the UniFi protocol
> level (not layer 2).
>
> On 06/19/2015 09:09 AM, Naslund, Steve wrote:
>> Here is another thought.  If your APs are re-provisioning every eight
>> hours, what is your DHCP lease time?  Are you sure the APs are able to
>> renew their leases (if not, could your scope be full)?  Do you see the
>> IP addresses on the APs changing when they come back up?  These could
>> indicate a DHCP server issue.  If the AP gets a new IP address it will
>> likely have to be re-adopted to the controller.  You might want to
>> static address one or more APs to test this theory.
>>
>> Steven Naslund
>> Chicago IL
>
>




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Bob Evans
Thank You Charles,
Been on NANOG a while - all the basic stuff we know well. Like, cables, 
cluster occurrences etc. Looking for the UniFi specific experience. It's
not the switches, power, cables, ports show no CRC issues etc.

We even setup another network with just 2 and it happens randomly - so it's
some code or something.  Think I'm going to let one of the guys here log in
to the controller and see if we missed a setting in the latest code.
NANOG's real good at having someone with specific targeted knowledge
appear.

Thank You
Bob Evans
CTO




> On 2015-06-19 05:01, Bob Evans wrote:
>> Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to
>> recommend
>> at this point. We saw people mention this brand here on the list -
>> people
>> like them. So what could we have set incorrectly ? They drop link and
>> re-provision on their own at odd times day or night.
>
> Drop link all the way down to layer 1? What does re-provision mean?
> Lose/re acquire DHCP lease?
>
> What is your network topology? What kind of switches are you using?
> What's the length of the cable runs? Have you had an electrician check
> your wiring?
> How many access points are you running? How many fail? Do they fail in
> any kind of cluster/pattern?
>
> That's just the basic questions.
>
> Lots more information needed if you want free support from the NANOG
> hive mind :D
>
> They have millions of satisfied customers in deployments from some of
> the world's largest shopping malls to multi state ISPs. Different gear
> across that customer base of course.
>
>
>>
>> We have completed everything tech support asked of us. (Really, lame
>> emails they respond with as if they didn't read your text - they won't
>> call and you can't call them). We used POE from ciscos - then changed
>> to
>> their POE provided.
>
> POE from ciscos mid span injector, or switch port?
>
>
>   They didn't recommend it, but we plugged them all into
>> APC UPSes. no difference.
>
> The midspan injectors you mean? H, wonder why they didn't want you
> to put them in UPS. Did they provide any explanation?
>
>
>   They all re-provision at different times
>> even when no one is connected or in the building at odd hours like 2am.
>> Each one does this 2-3 times per 24 hour period.
>
> Interesting. Any repeated offenders?
>
>
>
>>
>> Has anyone else experienced this?
>> Anyone know what we may have set incorrectly ?
>> Is this normal - do people put up with the 2 mins the APs are
>> unavailable
>> about 3 times a day? (UniFi support acts like it's not a big issues.)
>>
>
> Do they come back on their own? What's the "downtime" time window?
>
>
>
>> We use the UniFi controller on mac os x.
>
> Mac OSX isn't a server platform. Sorry. Use Windows 2k12 or Ubuntu
> Server (or your favorite debian or Redhat flavor). I've had zero
> problems on either of those platforms.
>
> What's the topology between the access points and your controller
> "server"?
>




REMINDER: LEAP SECOND

2015-06-19 Thread Jay Ashworth
The IERS will be adding a second to time again on my birthday; 

2015-06-30T23:59:59 
2015-06-30T23:59:60
2015-07-01T00:00:00

Have fun, everyone.  :-)

Cheers,
-- jra

-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Anycast provider for SMTP?

2015-06-19 Thread Bill Woodcock

> On Jun 18, 2015, at 10:19 PM, James Hartig  wrote:
> Just curious, how does DNS load balancing work if people are using
> 8.8.8.8/208.67.222.222 or basically any public resolvers that cache and
> have a significant (relatively speaking) user-base? Is the actual percent
> of requests so small that it doesn't matter?

The percent of requests is significant, but OpenDNS and Google and the other 
significant open resolvers are, themselves, anycast, so the geographic 
correlation is preserved.  Also, there’s an RFC for passing an origin IP tag 
along to the authoritative server, but I don’t know if anyone’s actually doing 
anything with that on any global inter-provider scale.

-Bill








Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Sam Tetherow
Only have 1 Pro on my network and it hasn't given me any issues, several 
of the original AP and AP-LR as well without issues.


What is the uptime on the AP?  You should be able to ssh into the APs 
using the controller username and password.  It is a linux base so 
'uptime' will tell you.  You can also check for ethernet errors using 
'ip -s link' on the AP side.


On 06/19/2015 11:45 AM, Bob Evans wrote:
> We have all APs set with static addresses. EdgeMax only hands out IPs to
> clients using the APs.
>
> This happens when people are using the APs and when no one is even in the
> building  at 2am when there are no clients connected. It can happen to one
> then 5 hours later it happens again...then doesn't happen again for 12
> hours. Totally random no interval.
>
> It is nice to know that others have no issues with these UniFi AP Pros.
> They seem to be fine except for the 2 mins or so they randomly drop link
> and reboot themselves. All are on APC UPSes and other devices in the same
> switch , like voip phones, never drop the ports.
>
> They are all new, delivered in various batches over time. We checked and
> all are the latest versions.
>
> Bob Evans
>
>> The IP can change on the UniFi without having to re-adopt or
>> re-provision.  APs are identified by MAC address at the UniFi protocol
>> level (not layer 2).
>>
>> On 06/19/2015 09:09 AM, Naslund, Steve wrote:
>>> Here is another thought.  If your APs are re-provisioning every eight
>>> hours, what is your DHCP lease time?  Are you sure the APs are able to
>>> renew their leases (if not, could your scope be full)?  Do you see the
>>> IP addresses on the APs changing when they come back up?  These could
>>> indicate a DHCP server issue.  If the AP gets a new IP address it will
>>> likely have to be re-adopted to the controller.  You might want to
>>> static address one or more APs to test this theory.
>>>
>>> Steven Naslund
>>> Chicago IL
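
Added example (not part of any message in the thread, and not Ubiquiti or Cisco code): one way to answer the question raised earlier in the thread, "did the AP reboot causing the Ethernet link to drop or did the link drop causing the reboot?", by correlating switch syslog with the AP `uptime` reading suggested above. The log lines and uptime values are constructed, all function names are this example's own, and it assumes NTP-synced clocks and that an AP which restarts in software keeps drawing PoE power, so the switch logs no ILPOWER event for it.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample in Cisco IOS syslog style (not taken from the thread).
# A leading "*" or "." is the IOS marker that the switch clock is not NTP-synced.
SWITCH_LOG = """\
Jun 19 02:14:06.900: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi1/0/5: PD removed
Jun 19 02:14:07.120: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down
Jun 19 02:14:12.480: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/5: Power granted
Jun 19 02:14:15.010: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
Jun 19 07:31:40.200: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
Jun 19 07:31:58.750: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
Jun 19 09:02:11.300: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to down
Jun 19 09:02:13.900: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to up
*Jun 19 09:40:02.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to down
"""

# Constructed `uptime` readings taken over ssh: port -> (sample time, uptime in seconds).
AP_UPTIME = {
    "Gi1/0/5": (datetime(2015, 6, 19, 10, 0, 0), 27950),
    "Gi1/0/7": (datetime(2015, 6, 19, 10, 0, 0), 8895),
    "Gi1/0/9": (datetime(2015, 6, 19, 10, 0, 0), 300000),
}

Event = namedtuple("Event", "when port kind synced")
_LINE = re.compile(
    r"^(?P<flag>[*.]?)(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%(?P<tag>[A-Z]+-\d-[A-Z_]+): Interface (?P<name>[A-Za-z]+)(?P<unit>[\d/]+)(?P<rest>.*)$")
_KINDS = {"ILPOWER-5-IEEE_DISCONNECT": "poe-removed",
          "ILPOWER-5-POWER_GRANTED": "poe-granted"}


def parse_switch_log(text, year):
    """Turn syslog lines into Events; IOS omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m is None:
            continue
        stamp = m["ts"] if "." in m["ts"] else m["ts"] + ".0"
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")
        kind = _KINDS.get(m["tag"])
        if m["tag"] == "LINK-3-UPDOWN":
            kind = "link-down" if m["rest"].endswith("to down") else "link-up"
        if kind:
            # LINK messages spell the port out, ILPOWER abbreviates it:
            # normalise both to the short form, e.g. "Gi1/0/5".
            port = m["name"][:2] + m["unit"]
            events.append(Event(when, port, kind, m["flag"] == ""))
    return sorted(events)


def boot_time(sampled_at, uptime_seconds):
    """When the AP last booted, derived from one `uptime` reading."""
    return sampled_at - timedelta(seconds=uptime_seconds)


def classify_outages(events, uptimes, skew=timedelta(seconds=5),
                     boot_window=timedelta(seconds=120)):
    """Label each link-down event: did power, the AP, or only the link fail?"""
    verdicts = {}
    for ev in (e for e in events if e.kind == "link-down"):
        poe_lost = any(e.kind == "poe-removed" and e.port == ev.port
                       and abs(e.when - ev.when) <= skew for e in events)
        sample = uptimes.get(ev.port)
        if not ev.synced:
            verdict = "clock-unsynced"    # ordering against the AP cannot be trusted
        elif poe_lost:
            verdict = "power-loss"        # switch saw the PD vanish: cabling or PoE path
        elif sample is None:
            verdict = "no-uptime-sample"
        elif ev.when - skew <= boot_time(*sample) <= ev.when + boot_window:
            verdict = "ap-reboot"         # AP restarted while still powered
        else:
            verdict = "link-flap"         # link dropped, AP kept running
        verdicts[(ev.port, ev.when)] = verdict
    return verdicts


if __name__ == "__main__":
    for (port, when), verdict in classify_outages(
            parse_switch_log(SWITCH_LOG, 2015), AP_UPTIME).items():
        print(when.isoformat(), port, verdict)
```
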








Re: REMINDER: LEAP SECOND

2015-06-19 Thread Alexander Maassen
So you need to wait one more second before you may pop the bottle? :)

On Fri, June 19, 2015 7:06 pm, Jay Ashworth wrote:
> The IERS will be adding a second to time again on my birthday;
>
> 2015-06-30T23:59:59
> 2015-06-30T23:59:60
> 2015-07-01T00:00:00
>
> Have fun, everyone.  :-)
>
> Cheers,
> -- jra
>
> --
> Jay R. Ashworth  Baylink
> j...@baylink.com
> Designer The Things I Think   RFC
> 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land Rover
> DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647
> 1274
>




RE: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-19 Thread Naslund, Steve
Here is their 2013 budget 
https://www.opm.gov/about-us/budget-performance/budgets/2013-budget.pdf

Glancing through it they had a 2.1B total appropriation with 90.5M dedicated to 
salaries and expenses where IT would fall. It appears that their CIO also has a 
multi-year fund around 70M separately allocated to systems modernization.  One 
telling issue is that the budget talks about their priorities and within all of 
their goals around ensuring diversity, treating their employees well, providing 
good customer service, etc; there is not one mention of IT security.

It is just about setting priorities. 

I would bet you that there are plenty of IDP contracts out there that they 
could ride on.  This saves them from the entire RFP and evaluation process by 
simply stating that their needs are equivalent and a usable contract is already 
in place.  Often in government contracts, support for a fixed period of time is 
rolled into the purchase price.  This is done because the government often 
cannot commit dollars in forward years.  So, when you buy your IDP device you 
pay for five years of support because you know you have the money this year but 
do not have next year's appropriation yet.  Most government contracts have very 
sweet support and maintenance options because vendors often differentiate 
themselves that way without laying down on the up front price and hurting cash 
flow.  They can bury the hidden costs of supporting the devices and just claim 
a huge number for sales in their current quarter.

Here is the best analogy I have ever heard about how government contracting 
really works :

***Paint is peeling on your house.  You use your own authority to buy a can of 
paint and touch it up with no other approval (your O&M budget)

***You let the peeling paint slide too long and now you need to replace all of 
your siding.  You go to your wife and she tells you to wait until next spring 
when you have the money in the budget (department level O&M money)

***You let the peeling paint slide WAY too long and now you need to rip out 
entire walls and while we are at it we might as well put in an addition.  You 
go to the bank to get a home improvement loan (congressional line item 
budgeting).  This is where they have let their systems get to.


Agency heads like to shift blame by going to congress and saying I can't do 
this because I need a huge appropriation to even start.  The correct question 
from congress is to ask that agency head why they did not ask for an IT budget 
that included enough money to support and maintain a secure infrastructure.  
They should also ask, what small steps have you taken so far within your own IT 
budget to address security concerns.  For example,  do you routinely replace 
desktops over a certain age, is your malware protection software in place and 
up to date, is your firewall on the latest code release?  If you ran a company 
would you not fire an IT director that came to you and said "we need to replace 
all of our network, servers, and PCs because they are all obsolete NOW...TODAY"? 
Wouldn't you wonder what he had been doing with the O&M budget you give to him 
every year? 

The truth of this is that most agency heads do not care about IT security, they 
just do not.  The only exception might be DoD because they are well aware that 
they have enemies that are looking to take them out and it is their primary 
responsibility to fight enemies.  Most other agencies don't have the mindset of 
having an adversary looking at them and don't care because they don't get hurt, 
the citizen whose data is lost takes the hit.  It might not change things 
immediately to fire the head of this agency but it does let other agency heads 
know that if you ignore IT you could lose your job.

Steven Naslund
Chicago IL


>>On Fri, Jun 19, 2015 at 12:12 PM, Naslund, Steve  wrote:
>> There is an O&M budget created for the day to day operation and maintenance 
>> of IT systems.  This is approved along with your department's budget 
>> annually.  If you classify updating equipment as an O&M function (which it 
>> routinely is) then you have no issues.  You purchase your equipment off 
>> pre-existing purchasing agreements in place with your agency or the GSA.  If 
>> your purchases exceeds certain threshold or the amount available under your 
>> O&M funding, then you need to go out and negotiate a project and contract 
>> it out.  Trust me I know how this works, I was also a contracting inspector 
>> for communications systems during my time with the US Air Force.
>>
>>I'm fairly certain that new IDS purchases, for an org as large as OPM, which 
>>would also include project-term Support contracts, isn't going to fit into 
>>any pre-approved O&M day to day budget... other than maybe an AF budget :-)

>>-Jim P.


RE: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-19 Thread Naslund, Steve
Here is a great quote straight out of the OPM budget of 2013.
-

Human Resources Line of Business (HR LOB)
The Human Resources Line of Business (HR LOB) leads the government-wide 
transformation of HR Information Technology by focusing on modernization, 
integration, and performance assessment. The HR LOB is a model for its 
cross-agency collaboration which achieves HR service delivery improvements and 
cost savings results.

-

I guess being the model for cross-agency collaboration means providing all of 
the employee data any Chinese agency wants :)  

Steven Naslund
Chicago IL


>>On Fri, Jun 19, 2015 at 12:12 PM, Naslund, Steve  wrote:
>> There is an O&M budget created for the day to day operation and maintenance 
>> of IT systems.  This is approved along with your department's budget 
>> annually.  If you classify updating equipment as an O&M function (which it 
>> routinely is) then you have no issues.  You purchase your equipment off 
>> pre-existing purchasing agreements in place with your agency or the GSA.  If 
>> your purchases exceeds certain threshold or the amount available under your 
>> O&M funding, then you need to go out and negotiate a project and contract 
>> it out.  Trust me I know how this works, I was also a contracting inspector 
>> for communications systems during my time with the US Air Force.
>>
>>I'm fairly certain that new IDS purchases, for an org as large as OPM, which 
>>would also include project-term Support contracts, isn't going to fit into 
>>any pre-approved O&M day to day budget... other than maybe an AF budget :-)

>>-Jim P.


RE: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-19 Thread Naslund, Steve
Here is another great document, their Strategic IT Plan 
http://www.opm.gov/about-us/budget-performance/strategic-plans/strategic-it-plan.pdf.
  I especially like this excerpt from Page 9.

-

Phase 3 – Assess (December 2014): We will baseline and begin routinely 
reporting against our performance outcomes:
• Compliance with laws, policies, and successful practices;
• User and stakeholder satisfaction with improved IT capabilities; and
• Cost per IT service or transaction.

No additional funding or manpower is required to implement these initiatives. 
Stronger IT leadership will result in cost avoidance and cost savings that will 
allow us to shift valuable, scarce resources to high priority programs.



I guess money is not the problem according to this.  I guess their "Stronger IT 
Leadership" is not strong enough.

Steven Naslund
Chicago IL


-Original Message-
From: Naslund, Steve 
Sent: Friday, June 19, 2015 12:30 PM
To: Naslund, Steve; Jim Popovitch; nanog@nanog.org
Subject: RE: OPM Data Breach - Whitehouse Petition - Help Wanted

Here is a great quote straight out of the OPM budget of 2013.
-

Human Resources Line of Business (HR LOB) The Human Resources Line of Business 
(HR LOB) leads the government-wide transformation of HR Information Technology 
by focusing on modernization, integration, and performance assessment. The HR 
LOB is a model for its cross-agency collaboration which achieves HR service 
delivery improvements and cost savings results.

-

I guess being the model for cross-agency collaboration means providing all of 
the employee data any Chinese agency wants :)  

Steven Naslund
Chicago IL


>>On Fri, Jun 19, 2015 at 12:12 PM, Naslund, Steve  wrote:
>> There is an O&M budget created for the day to day operation and maintenance 
>> of IT systems.  This is approved along with your department's budget 
>> annually.  If you classify updating equipment as an O&M function (which it 
>> routinely is) then you have no issues.  You purchase your equipment off 
>> pre-existing purchasing agreements in place with your agency or the GSA.  If 
>> your purchases exceeds certain threshold or the amount available under your 
>> O&M funding, then you need to go out and negotiate a project and contract 
>> it out.  Trust me I know how this works, I was also a contracting inspector 
>> for communications systems during my time with the US Air Force.
>>
>>I'm fairly certain that new IDS purchases, for an org as large as OPM, 
>>which would also include project-term Support contracts, isn't going 
>>to fit into any pre-approved O&M day to day budget... other than maybe 
>>an AF budget :-)

>>-Jim P.


Re: REMINDER: LEAP SECOND

2015-06-19 Thread Saku Ytti
On (2015-06-19 13:06 -0400), Jay Ashworth wrote:

Hey,

> The IERS will be adding a second to time again on my birthday; 
> 
> 2015-06-30T23:59:60

Hopefully this is last leap second we'll ever see. Non-monotonic time is an
abomination and very very few programs measuring passage of time are correct.
Even those which are, usually are not portable, most languages do not even
offer monotonic time in standard libraries.
Canada, China, England and Germany, shame on you for opposing leapsecondless
UTC.

Next year hopefully GPSTIME. TAI and UTC are the same thing, with different
static offset.

-- 
  ++ytti
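
Added example (not part of any message in the thread): what the three timestamps in the reminder do to programs that measure elapsed time from the wall clock, and the monotonic alternative. `LEAP_DAYS`, `parse_utc`, `Deadline` and `SteppedWallClock` are this example's own names; the stepped clock is a constructed model of a host that steps its clock back one second when the leap second is inserted.

```python
import re
import time
from datetime import datetime, timezone

# UTC dates that end with an inserted leap second (23:59:60). Only the one
# announced in this thread is listed; a full table comes from IERS Bulletin C.
LEAP_DAYS = {(2015, 6, 30)}
_TS = re.compile(r"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})$")


def parse_utc(ts):
    """Return (posix_seconds, is_leap_second) for 'YYYY-MM-DDTHH:MM:SS' in UTC."""
    m = _TS.match(ts)
    if m is None:
        raise ValueError(f"not a UTC timestamp: {ts!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    leap = s == 60
    if leap and ((h, mi) != (23, 59) or (y, mo, d) not in LEAP_DAYS):
        raise ValueError(f"second 60 outside a known leap second: {ts!r}")
    # datetime rejects second=60, so build 23:59:59 and add one. By the POSIX
    # formula 23:59:60 gets the same number as the 00:00:00 that follows it.
    base = datetime(y, mo, d, h, mi, 59 if leap else s, tzinfo=timezone.utc)
    return int(base.timestamp()) + (1 if leap else 0), leap


def _leap_instants():
    """POSIX value of the midnight that follows each listed leap second."""
    return [int(datetime(y, m, d, 23, 59, 59, tzinfo=timezone.utc).timestamp()) + 1
            for y, m, d in LEAP_DAYS]


def posix_seconds_between(start, end):
    """What naive subtraction of POSIX timestamps reports for the interval."""
    return parse_utc(end)[0] - parse_utc(start)[0]


def si_seconds_between(start, end):
    """Seconds that really elapsed between two UTC timestamps, leap seconds included."""
    def count(ts):
        posix, leap = parse_utc(ts)
        done = sum(1 for li in _leap_instants()
                   if li <= posix and not (leap and li == posix))
        return posix + done
    return count(end) - count(start)


class Deadline:
    """Timeout that reads an injectable clock; the default cannot step backwards."""

    def __init__(self, timeout, clock=time.monotonic):
        self._clock = clock
        self._expires = clock() + timeout

    def remaining(self):
        return self._expires - self._clock()


class SteppedWallClock:
    """Constructed model: wall clock stepped back 1 s when the leap is inserted."""

    def __init__(self, start, leap_at):
        self.real_elapsed = 0.0           # SI seconds since the model started
        self._start, self._leap_at = start, leap_at

    def advance(self, seconds):
        self.real_elapsed += seconds

    def __call__(self):
        t = self._start + self.real_elapsed
        return t - 1.0 if t >= self._leap_at else t


def demo_timeout():
    """Arm a 2 s timeout on the wall clock 0.5 s before the leap second."""
    midnight = parse_utc("2015-07-01T00:00:00")[0]
    wall = SteppedWallClock(start=midnight - 0.5, leap_at=midnight)
    began = wall()
    deadline = Deadline(2.0, clock=wall)
    wall.advance(0.6)
    apparent = wall() - began             # negative: the clock went backwards
    wall.advance(1.4)                     # 2.0 s of real time have now passed
    return apparent, deadline.remaining() # timeout still has time left


if __name__ == "__main__":
    for ts in ("2015-06-30T23:59:59", "2015-06-30T23:59:60", "2015-07-01T00:00:00"):
        print(ts, parse_utc(ts))
    print(demo_timeout())
```

Anything that enforces a limit in time (session or token expiry, lockout windows, rate limiters) inherits the same error when it subtracts wall-clock readings; `Deadline()` with its default `time.monotonic` clock does not.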


Re: REMINDER: LEAP SECOND

2015-06-19 Thread Måns Nilsson
Subject: REMINDER: LEAP SECOND Date: Fri, Jun 19, 2015 at 01:06:22PM -0400 
Quoting Jay Ashworth (j...@baylink.com):
> The IERS will be adding a second to time again on my birthday; 

This time around there are a number of Vendor C devices that will fail
in spectacular ways if not upgraded with a pretty new release -- Nexus
and ASR1K being the two most "interesting" among those I've reviewed. 

http://www.cisco.com/web/about/doing_business/leap-second.html#~ProductInformation

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'd like some JUNK FOOD ... and then I want to be ALONE --




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Mel Beckman
Have you done a network analysis for viruses or bridge loops? This could be a 
broadcast storm caused by either of those network faults.

 -mel

> On Jun 19, 2015, at 10:08 AM, Sam Tetherow  wrote:
> 
> Only have 1 Pro on my network and it hasn't given me any issues, several of 
> the original AP and AP-LR as well without issues.
> 
> What is the uptime on the AP?  You should be able to ssh into the APs using 
> the controller username and password.  It is a linux base so 'uptime' will 
> tell you.  You can also check for ethernet errors using 'ip -s link' on the 
> AP side.
> 
> On 06/19/2015 11:45 AM, Bob Evans wrote:
>> We have all APs set with static addresses. EdgeMax only hands out IPs to
>> clients using the APs.
>> 
>> This happens when people are using the APs and when no one is even in the
>> building  at 2am when there are no clients connected. It can happen to one
>> then 5 hours later it happens again...then doesn't happen again for 12
>> hours. Totally random no interval.
>> 
>> It is nice to know that others have no issues with these UniFi AP Pros.
>> They seem to be fine except for the 2 mins or so they randomly drop link
>> and reboot themselves. All are on APC UPSes and other devices in the same
>> switch , like voip phones, never drop the ports.
>> 
>> They are all new, delivered in various batches over time. We checked and
>> all are the latest versions.
>> 
>> Bob Evans
>> 
>> 
>> 
>> 
>>> The IP can change on the UniFi without having to re-adopt or
>>> re-provision.  APs are identified by MAC address at the UniFi protocol
>>> level (not layer 2).
>>> 
>>> On 06/19/2015 09:09 AM, Naslund, Steve wrote:
>>>> Here is another thought.  If your APs are re-provisioning every eight
>>>> hours, what is your DHCP lease time?  Are you sure the APs are able to
>>>> renew their leases (if not, could your scope be full)?  Do you see the
>>>> IP addresses on the APs changing when they come back up?  These could
>>>> indicate a DHCP server issue.  If the AP gets a new IP address it will
>>>> likely have to be re-adopted to the controller.  You might want to
>>>> static address one or more APs to test this theory.
>>>>
>>>> Steven Naslund
>>>> Chicago IL
>>> 
>> 
> 



Weekly Routing Table Report

2015-06-19 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG,
CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 20 Jun, 2015

Report Website: http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary


BGP routing table entries examined: 549882
Prefixes after maximum aggregation (per Origin AS): 208354
Deaggregation factor: 2.64
Unique aggregates announced (without unneeded subnets): 267650
Total ASes present in the Internet Routing Table: 50672
Prefixes per ASN: 10.85
Origin-only ASes present in the Internet Routing Table: 36714
Origin ASes announcing only one prefix: 16279
Transit ASes present in the Internet Routing Table: 6324
Transit-only ASes present in the Internet Routing Table: 165
Average AS path length visible in the Internet Routing Table: 4.5
Max AS path length visible: 41
Max AS path prepend of ASN ( 12486)  32
Prefixes from unregistered ASNs in the Routing Table: 1225
Unregistered ASNs in the Routing Table: 426
Number of 32-bit ASNs allocated by the RIRs: 9896
Number of 32-bit ASNs visible in the Routing Table: 7634
Prefixes from 32-bit ASNs in the Routing Table: 28027
Number of bogon 32-bit ASNs visible in the Routing Table: 13
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 388
Number of addresses announced to Internet: 2772890656
Equivalent to 165 /8s, 70 /16s and 244 /24s
Percentage of available address space announced: 74.9
Percentage of allocated address space announced: 74.9
Percentage of available address space allocated: 100.0
Percentage of address space in use by end-sites: 97.4
Total number of prefixes smaller than registry allocations: 184389

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes: 135535
Total APNIC prefixes after maximum aggregation: 39259
APNIC Deaggregation factor: 3.45
Prefixes being announced from the APNIC address blocks: 142125
Unique aggregates announced from the APNIC address blocks: 57084
APNIC Region origin ASes present in the Internet Routing Table: 5072
APNIC Prefixes per ASN: 28.02
APNIC Region origin ASes announcing only one prefix: 1215
APNIC Region transit ASes present in the Internet Routing Table: 878
Average APNIC Region AS path length visible: 4.5
Max APNIC Region AS path length visible: 38
Number of APNIC region 32-bit ASNs visible in the Routing Table: 1502
Number of APNIC addresses announced to Internet: 750709184
    Equivalent to 44 /8s, 190 /16s and 233 /24s
Percentage of available APNIC address space announced: 87.7

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 63488-64098, 131072-135580
APNIC Address Blocks     1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
                        49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
                       106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
                       116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
                       123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
                       163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
                       203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
                       222/8, 223/8,

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes: 180493
Total ARIN prefixes after maximum aggregation: 88365
ARIN Deaggregation factor: 2.04
Prefixes being announced from the ARIN address blocks: 182879
Unique aggregates announced from the ARIN address blocks: 85354
ARIN Region origin ASes present in the Internet Routing Table: 16611
ARIN Prefixes per ASN:

Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Brielle Bruns

On 6/19/15 10:57 AM, Bob Evans wrote:
> Thank You Charles,
> Been on NANOG a while - all the basic stuff we know well. Like, cables,
> cluster occurrences etc. Looking for the UniFi specific experience. It's
> not the switches, power, cables, ports show no CRC issues etc.
>
> We even setup another network with just 2 and it happens randomly - so it's
> some code or something.  Think I'm going to let one of the guys here login
> to the controller and see if we missed a setting in the latest code.
> NANOG's real good at having someone with specific targeted knowledge
> appear.



I've got a bunch of regular UAPs spread out over multiple customers with 
various network setups including ERLs as routers, CenturyLink POS modems 
of various generations, Dink routers, etc.


My controller is hosted off-site in Tacoma in our data center.

Some issues I've run into, particularly on the consumer devices like the 
older CenturyLink/Qwest modems...


1) Broken MTU clamping/fixing on PPPoE links, causing the UAPs to have 
problems making a connection to the remote controller.


Worked around by messing with the MSS using iptables on specifically the 
tcp/8080 and tcp/8443 port on the controller end.


Other devices, had to make sure to disable the firewall feature on 
modem, in order to get it to stop eating ICMP packets (and thus breaking 
pmtu).


2) Faulty DNS server daemons on the routers.  The UAPs would have issues 
randomly resolving the controller's IP address from hostname.  Have this 
problem time to time with anyone using the built in DNS servers on the 
CenturyLink/Qwest modems.


Resolved this issue by statically defining IP and DNS servers on the 
UAPs (DNS server set to 8.8.8.8).  Also had to disable the firewall on 
one of the routers to get it to not intercept/mangle DNS packets.


These two issues alone have caused me major issues with the devices 
randomly being unable to get new configurations or download firmware 
updates.



On network switches connected to the UAPs, make sure that you've got the 
port set to whatever the switches' version of cisco 'portfast' is.


In the Site Settings under the Unifi controller, disable "Enable 
connectivity monitor and wireless uplink" and see if the problem eases 
up.  If you need to use the uplink monitor, manually set the IP you want 
to check with, and make sure the UAPs can actually ping said IP.



I'm the head mod for /r/Ubiquiti, so feel free to bounce things off of 
me privately with your Unifi setup, and I'll be happy to give you a 
hand.  I can also direct you to the unofficial Ubnt IRC channel where 
you can get a bunch more opinions.



--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org


Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread charles

On 2015-06-19 11:57, Bob Evans wrote:
> Thank You Charles,
> Been on NANOG a while - all the basic stuff we know well. Like, cables,
> cluster occurrences etc. Looking for the UniFi specific experience. It's
> not the switches, power, cables, ports show no CRC issues etc.

Sure. I've seen you around.  Always good to check the basics, start at
layer 1 and work up. That doesn't change, no matter how experienced a
crew is. :)

> We even setup another network with just 2 and it happens randomly - so
> it's some code or something.

Wait... same controller? Or a different controller? Because if you can
replicate across access points and controllers then you've probably
found a bug. Well presuming you aren't fate sharing with anything else
(like switches).

Very weird.

> Think I'm going to let one of the guys here login
> to the controller and see if we missed a setting in the latest code.
> NANOG's real good at having someone with specific targeted knowledge
> appear.

Yes it sure is.




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread charles




> These two issues alone have caused me major issues with the devices
> randomly being unable to get new configurations or download firmware
> updates.

Question. Once they have connected and are "happy", do they drop off (re
provision) like Bob is mentioning?
I'm still not entirely sure what is meant by "re provision". I've not
seen it answered in the thread.

> I'm the head mod for /r/Ubiquiti, so feel free to bounce things off of
> me privately with your Unifi setup,

Didn't know that sub reddit existed. Awesome.



Re: REMINDER: LEAP SECOND

2015-06-19 Thread Mel Beckman
The universal workaround is to simply disable NTP on your devices sometime on 
Leap-Second eve. This will let the clocks free-run over the one-second push, 
an event of which they will be blissfully ignorant. When you re-enable NTP 
after The Leap, normal, non-destructive, NTP convergence will occur.

Better, if you have a master NTP site clock, you need only disable its 
upstream NTP feed to isolate all the subsidiary devices. If you don’t have such 
a master clock, this is an excellent time to set one up. I have found the 
Time Machines TM1000A GPS time server very inexpensive and super reliable:

http://www.newegg.com/Product/Product.aspx?Item=0N6-001Y-7 

 -mel

> On Jun 19, 2015, at 11:08 AM, Måns Nilsson  wrote:
> 
> Subject: REMINDER: LEAP SECOND Date: Fri, Jun 19, 2015 at 01:06:22PM -0400 
> Quoting Jay Ashworth (j...@baylink.com):
>> The IERS will be adding a second to time again on my birthday; 
> 
> This time around there are a number of Vendor C devices that will fail
> in spectacular ways if not upgraded with a pretty new release -- Nexus
> and ASR1K being the two most "interesting" among those I've reviewed. 
> 
> http://www.cisco.com/web/about/doing_business/leap-second.html#~ProductInformation
> 
> -- 
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE +46 705 989668
> I'd like some JUNK FOOD ... and then I want to be ALONE --



Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Brielle Bruns

On 6/19/15 12:26 PM, char...@thefnf.org wrote:
>> These two issues alone have caused me major issues with the devices
>> randomly being unable to get new configurations or download firmware
>> updates.
>
> Question. Once they have connected and are "happy", do they drop off (re
> provision) like Bob is mentioning?
> I'm still not entirely sure what is meant by "re provision". I've not
> seen it answered in the thread.

Reprovisioning with Unifi happens any time you make a configuration
change.  The next time the device does its check-in (don't remember how
often it checks in, but it's at least once a min), the UAP will get a
copy of its updated configuration, load it, then activate the changes
(and reboot if necessary).

If the device never goes out of provisioning state, then it hasn't
managed to pull its configuration or firmware properly and will likely
keep trying.

When the device is having complete connection issues, it will show up as
Disconnected rather than Provisioning in the controller.

Useful thing I've done - when a device is randomly having issues with
provisioning, I'll setup the remote syslog option in the config, and
have it remote log to my controller's syslog.  Usually, it will dump
exactly the reason why it's failing the provision to syslog, making it
easier to diagnose.

>> I'm the head mod for /r/Ubiquiti, so feel free to bounce things off of
>> me privately with your Unifi setup,
>
> Didn't know that sub reddit existed. Awesome.

It's not as busy as the forums, but there's sometimes good info there.
There's also the IRC channel as well, which has a mix of users and some
Ubnt employees.



--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org


Re: REMINDER: LEAP SECOND

2015-06-19 Thread Majdi S. Abbas
On Fri, Jun 19, 2015 at 06:29:34PM +, Mel Beckman wrote:
> The universal workaround is to simply disable NTP on your devices sometime 
> on Leap-Second eve. This will let the clocks free-run over the one-second 
> push, an event of which they will be blissfully ignorant. When you re-enable 
> NTP after The Leap, normal, non-destructive, NTP convergence will occur.

I encourage all my competitors to use this
approach.

If you're more than 128 ms off when NTP is flipped back on, it
will still probably step the clock, then start slewing it.  So you've
skipped the leap per se, but your clocks will still jump forward quite
a bit.

This might isolate you from any leap second related failures,
but it does not protect you against the system clock being stepped.
If the leap pending information data persists, you might not even be
isolated from any leap second failures.  You could manage to upset
the system clock even more.

Are your time servers correctly armed for the leap?

> Better, if you have a master NTP site clock, you need only disable its 
> upstream NTP feed to isolate all the subsidiary devices. If you don’t 
> have such a master clock, this is an excellent time to set one up. 
> I have found the Time Machines TM1000A GPS time server very inexpensive 
> and super reliable:
> 
> http://www.newegg.com/Product/Product.aspx?Item=0N6-001Y-7 

$20 says that doesn't leap correctly.  A lot of the inexpensive
units appear to be using NMEA speaking GPS modules, and there's no real way 
to get leap information out of them.  Many of them may ignore the
timestamps and just use the PPS, in which case they may persist a second
behind the world for quite some time.

--msa


Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Bob Evans
This is very helpful information.
We will be implementing these steps.
Thank You
Bob Evans
CTO




> On 6/19/15 12:26 PM, char...@thefnf.org wrote:
>> 
>>
>>> These two issues alone have caused me major issues with the devices
>>> randomly being unable to get new configurations or download firmware
>>> updates.
>>>
>>
>> Question. Once they have connected and are "happy", do they drop off (re
>> provision) like Bob is mentioning?
>> I'm still not entirely sure what is meant by "re provision". I've not
>> seen it answered in the thread.
>>
>>
>
>
> Reprovisioning with Unifi happens any time you make a configuration
> change.  The next time the device does its check-in (don't remember how
> often it checks in, but it's at least once a min), the UAP will get a
> copy of its updated configuration, load it, then activate the changes
> (and reboot if necessary).
>
> If the device never goes out of provisioning state, then it hasn't
> managed to pull its configuration or firmware properly and will likely
> keep trying.
>
> When the device is having complete connection issues, it will show up as
> Disconnected rather than Provisioning in the controller.
>
> Useful thing I've done - when a device is randomly having issues with
> provisioning, I'll setup the remote syslog option in the config, and
> have it remote log to my controller's syslog.  Usually, it will dump
> exactly the reason why it's failing the provision to syslog, making it
> easier to diagnose.
>
>
>>> I'm the head mod for /r/Ubiquiti, so feel free to bounce things off of
>>> me privately with your Unifi setup,
>>
>> Didn't know that sub reddit existed. Awesome.
>>
>
> It's not as busy as the forums, but there's sometimes good info there.
> There's also the IRC channel as well, which has a mix of users and some
> Ubnt employees.
>
>
> --
> Brielle Bruns
> The Summit Open Source Development Group
> http://www.sosdg.org/ http://www.ahbl.org
>




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Bob Evans
re-provisioning is to go to the controller find its config and reboot.
Thank You
Bob Evans
CTO




> 
>
>> These two issues alone have caused me major issues with the devices
>> randomly being unable to get new configurations or download firmware
>> updates.
>>
>
> Question. Once they have connected and are "happy", do they drop off (re
> provision) like Bob is mentioning?
> I'm still not entirely sure what is meant by "re provision". I've not
> seen it answered in the thread.
>
>
>> I'm the head mod for /r/Ubiquiti, so feel free to bounce things off of
>> me privately with your Unifi setup,
>
> Didn't know that sub reddit existed. Awesome.
>
>




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Bob Evans
Great details !
Going to implement now.
Thank You
Bob Evans
CTO




> On 6/19/15 10:57 AM, Bob Evans wrote:
>> Thank You Charles,
>> Been on NANOG a while - all the basic stuff we know well. Like, cables,
>> cluster occurrences etc. Looking for the UniFi specific experience. It's
>> not the switches, power, cables, ports show no CRC issues etc.
>>
>> We even setup another network with just 2 and it happens randomly - so
>> it's some code or something.  Think I'm going to let one of the guys here
>> login to the controller and see if we missed a setting in the latest code.
>> NANOG's real good at having someone with specific targeted knowledge
>> appear.
>>
>
> I've got a bunch of regular UAPs spread out over multiple customers with
> various network setups including ERLs as routers, CenturyLink POS modems
> of various generations, Dink routers, etc.
>
> My controller is hosted off-site in Tacoma in our data center.
>
> Some issues I've run into, particularly on the consumer devices like the
> older CenturyLink/Qwest modems...
>
> 1) Broken MTU clamping/fixing on PPPoE links, causing the UAPs to have
> problems making a connection to the remote controller.
>
> Worked around by messing with the MSS using iptables on specifically the
> tcp/8080 and tcp/8443 port on the controller end.
>
> Other devices, had to make sure to disable the firewall feature on
> modem, in order to get it to stop eating ICMP packets (and thus breaking
> pmtu).
>
> 2) Faulty DNS server daemons on the routers.  The UAPs would have issues
> randomly resolving the controller's IP address from hostname.  Have this
> problem time to time with anyone using the built in DNS servers on the
> CenturyLink/Qwest modems.
>
> Resolved this issue by statically defining IP and DNS servers on the
> UAPs (DNS server set to 8.8.8.8).  Also had to disable the firewall on
> one of the routers to get it to not intercept/mangle DNS packets.
>
> These two issues alone have caused me major issues with the devices
> randomly being unable to get new configurations or download firmware
> updates.
>
>
> On network switches connected to the UAPs, make sure that you've got the
> port set to whatever the switches' version of cisco 'portfast' is.
>
> In the Site Settings under the Unifi controller, disable "Enable
> connectivity monitor and wireless uplink" and see if the problem eases
> up.  If you need to use the uplink monitor, manually set the IP you want
> to check with, and make sure the UAPs can actually ping said IP.
>
>
> I'm the head mod for /r/Ubiquiti, so feel free to bounce things off of
> me privately with your Unifi setup, and I'll be happy to give you a
> hand.  I can also direct you to the unofficial Ubnt IRC channel where
> you can get a bunch more opinions.
>
>
> --
> Brielle Bruns
> The Summit Open Source Development Group
> http://www.sosdg.org/ http://www.ahbl.org
>




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Bob Evans
Mel,
Good idea, but, yes we did - no loops all are spokes - we know cabling
and setup our switches and routers to syslog those events.
Thank You
Bob Evans
CTO




> Have you done a network analysis for viruses or bridge loops? This could
> be a broadcast storm caused by either of those network faults.
>
>  -mel
>
>> On Jun 19, 2015, at 10:08 AM, Sam Tetherow  wrote:
>>
>> Only have 1 Pro on my network and it hasn't given me any issues, several
>> of the original AP and AP-LR as well without issues.
>>
>> What is the uptime on the AP?  You should be able to ssh into the APs
>> using the controller username and password.  It is a linux base so
>> 'uptime' will tell you.  You can also check for ethernet errors using
>> 'ip -s link' on the AP side.
>>
>> On 06/19/2015 11:45 AM, Bob Evans wrote:
>>> We have all APs set with static addresses. EdgeMax only hands out IPs
>>> to
>>> clients using the APs.
>>>
>>> This happens when people are using the APs and when no one is even in
>>> the
>>> building  at 2am when there are no clients connected. It can happen to
>>> one
>>> then 5 hours later it happens again...then doesn't happen again for 12
>>> hours. Totally random no interval.
>>>
>>> It is nice to know that others have no issues with these UniFi AP Pros.
>>> They seem to be fine except for the 2 mins or so they randomly drop
>>> link
>>> and reboot themselves. All are on APC UPSes and other devices in the
>>> same
>>> switch , like voip phones, never drop the ports.
>>>
>>> They are all new, delivered in various batches over time. We checked
>>> and
>>> all are the latest versions.
>>>
>>> Bob Evans
>>>
>>>
>>>
>>>
>>>> The IP can change on the UniFi without having to re-adopt or
>>>> re-provision.  APs are identified by MAC address at the UniFi protocol
>>>> level (not layer 2).
>>>>
>>>> On 06/19/2015 09:09 AM, Naslund, Steve wrote:
>>>>> Here is another thought.  If your APs are re-provisioning every eight
>>>>> hours, what is your DHCP lease time?  Are you sure the APs are able
>>>>> to renew their leases (if not, could your scope be full)?  Do you see
>>>>> the IP addresses on the APs changing when they come back up?  These
>>>>> could indicate a DHCP server issue.  If the AP gets a new IP address
>>>>> it will likely have to be re-adopted to the controller.  You might
>>>>> want to static address one or more APs to test this theory.
>>>>>
>>>>> Steven Naslund
>>>>> Chicago IL

>>>
>>
>
>




SIP trunking providers

2015-06-19 Thread Rafael Possamai
Would anyone in the list be able to recommend a SIP trunk provider in the
Chicago area? Not a VoIP expert, so just looking for someone with previous
experience.


Thanks,
Rafael


Re: SIP trunking providers

2015-06-19 Thread Dovid Bender
Jivetel.com

--Original Message--
From: Rafael Possamai
Sender: NANOG
To: nanog@nanog.org
Subject: SIP trunking providers
Sent: Jun 19, 2015 17:40

Would anyone in the list be able to recommend a SIP trunk provider in the
Chicago area? Not a VoIP expert, so just looking for someone with previous
experience.


Thanks,
Rafael

Regards,

Dovid


Re: REMINDER: LEAP SECOND

2015-06-19 Thread Harlan Stenn
Saku Ytti writes:
> Hopefully this is last leap second we'll ever see. Non-monotonic time
> is an abomination and very very few programs measuring passage of time
> are correct.  Even those which are, usually are not portable, most
> languages do not even offer monotonic time in standard libraries.
> Canada, China, England and Germany, shame on you for opposing
> leapsecondless UTC.

It's a problem with POSIX, not UTC.

UTC is monotonic.

> Next year hopefully GPSTIME. TAI and UTC are the same thing, with different
> static offset.

The General Timestamp API that Network Time Foundation is working on can
solve this problem.  People use different timescales for different
reasons.  The Agile folks like the "pigs and chickens" analogy: in a
bacon and egg breakfast, the chicken is invested while the pig is
committed.

It's lame for a chicken to dictate to a pig.

It's lame to change an existing Standard.  Leave that one alone and
choose to follow a new/different Standard.

If you don't have a system that can properly handle leapseconds, there
are several solutions to this, including:

- implement DLM's leap second process in the kernel, described over 20
  years ago 
- use the posix-right timezone files
- help Network Time Foundation get the General Timestamp API implemented
  and deployed, which will let folks use whatever timescale they want.

-- 
Harlan Stenn 
http://networktimefoundation.org - be a member!


Re: REMINDER: LEAP SECOND

2015-06-19 Thread Harlan Stenn
Bad idea.

When restarting ntpd your clocks will likely be off by a second, which
will cause a backward step, which will force the problem you claim to be
avoiding.

There are plenty of ways to solve this problem, and you just get to
choose what you want to risk/pay.
-- 
Harlan Stenn 
http://networktimefoundation.org - be a member!
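
The step-versus-slew point argued in this thread, modelled as an added example (not code from any poster or from the NTP project). It assumes ntpd's default 128 ms step threshold and 500 ppm maximum slew rate, and ignores ntpd's clock filter and stepout timer; the start times and drift values in the usage are constructed.

```python
# Simplified model: a clock that free-runs (NTP disabled) across the
# 2015-06-30 leap second, and what happens when NTP is switched back on.

LEAP_POSIX = 1435708800    # 2015-07-01T00:00:00Z, first second after 23:59:60
STEP_THRESHOLD_S = 0.128   # ntpd default step threshold (the 128 ms in the thread)
MAX_SLEW_PPM = 500.0       # ntpd maximum slew rate


def leap_aware_posix(start, elapsed):
    """POSIX time shown by a correctly synchronised clock.

    `start` is a POSIX timestamp before the leap, `elapsed` is real (SI)
    seconds since then.  23:59:60 has no POSIX value of its own, so the
    count repeats 23:59:59 and is one behind the SI count from then on.
    """
    t = start + elapsed
    return t - 1 if t >= LEAP_POSIX else t


def free_running_posix(start, elapsed, drift_ppm=0.0):
    """Clock with NTP disabled: ticks at its own rate, never told of the leap."""
    return start + elapsed * (1.0 + drift_ppm * 1e-6)


def offset_on_reenable(start, elapsed, drift_ppm=0.0):
    """Offset as ntpd reports it: reference minus local (negative = local is ahead)."""
    return leap_aware_posix(start, elapsed) - free_running_posix(start, elapsed, drift_ppm)


def correction(offset):
    """Return (action, direction, size_s, slew_time_s) for a measured offset."""
    size = abs(offset)
    direction = "backward" if offset < 0 else "forward"
    if size > STEP_THRESHOLD_S:
        return ("step", direction, size, 0.0)
    # Slewing at the maximum rate removes 500 microseconds per second.
    return ("slew", direction, size, size / (MAX_SLEW_PPM * 1e-6))


def timeline(start, seconds):
    """Second-by-second view: (elapsed, synchronised clock, free-running clock)."""
    return [(e, leap_aware_posix(start, e), int(free_running_posix(start, e)))
            for e in range(seconds)]


if __name__ == "__main__":
    # Five seconds before midnight UTC: the synchronised clock repeats a second.
    for row in timeline(LEAP_POSIX - 5, 8):
        print(row)
    # NTP disabled one hour before the leap, re-enabled one hour after.
    off = offset_on_reenable(LEAP_POSIX - 3600, 7200)
    print(off, correction(off))
    # Same window, with a constructed oscillator drift of +20 ppm.
    off = offset_on_reenable(LEAP_POSIX - 3600, 7200, drift_ppm=20.0)
    print(round(off, 3), correction(off)[:2])
```

In this model, skipping the leap always leaves the clock a full second ahead, so the daemon steps rather than slews; only an offset under 128 ms (for example, drift alone over a short outage) is corrected by slewing.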


The Cidr Report

2015-06-19 Thread cidr-report
This report has been generated at Fri Jun 19 21:14:38 2015 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org/2.0 for a current version of this report.

Recent Table History
Date        Prefixes    CIDR Agg
12-06-15    557587      304085
13-06-15    557180      303970
14-06-15    557174      304305
15-06-15    557480      304564
16-06-15    557299      304777
17-06-15    557521      304842
18-06-15    557736      304985
19-06-15    558465      305020


AS Summary
 50936  Number of ASes in routing system
 20251  Number of ASes announcing only one prefix
  3250  Largest number of prefixes announced by an AS
AS10620: Telmex Colombia S.A.,CO
  120759296  Largest address span announced by an AS (/32s)
AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street,CN


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 19Jun15 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     558662   304994   253668    45.4%   All ASes

AS22773     3175      169     3006    94.7%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.,US
AS6389      2791       70     2721    97.5%   BELLSOUTH-NET-BLK - BellSouth.net Inc.,US
AS17974     2697       78     2619    97.1%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia,ID
AS9394      2919      315     2604    89.2%   CTTNET China TieTong Telecommunications Corporation,CN
AS39891     2473       35     2438    98.6%   ALJAWWALSTC-AS Saudi Telecom Company JSC,SA
AS28573     2273      293     1980    87.1%   NET Serviços de Comunicação S.A.,BR
AS4755      2023      281     1742    86.1%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP,IN
AS10620     3250     1632     1618    49.8%   Telmex Colombia S.A.,CO
AS4766      2949     1359     1590    53.9%   KIXS-AS-KR Korea Telecom,KR
AS6983      1748      247     1501    85.9%   ITCDELTA - Earthlink, Inc.,US
AS7545      2642     1165     1477    55.9%   TPG-INTERNET-AP TPG Telecom Limited,AU
AS9808      1539       67     1472    95.6%   CMNET-GD Guangdong Mobile Communication Co.Ltd.,CN
AS20115     1887      488     1399    74.1%   CHARTER-NET-HKY-NC - Charter Communications,US
AS7303      1639      287     1352    82.5%   Telecom Argentina S.A.,AR
AS6147      1621      301     1320    81.4%   Telefonica del Peru S.A.A.,PE
AS9498      1350      121     1229    91.0%   BBIL-AP BHARTI Airtel Ltd.,IN
AS4323      1616      413     1203    74.4%   TWTC - tw telecom holdings, inc.,US
AS22561     1355      261     1094    80.7%   CENTURYLINK-LEGACY-LIGHTCORE - CenturyTel Internet Holdings, Inc.,US
AS7552      1146       58     1088    94.9%   VIETEL-AS-AP Viettel Corporation,VN
AS3356      2560     1510     1050    41.0%   LEVEL3 - Level 3 Communications, Inc.,US
AS18566     2050     1019     1031    50.3%   MEGAPATH5-US - MegaPath Corporation,US
AS8402      1024       28      996    97.3%   CORBINA-AS OJSC "Vimpelcom",RU
AS6849      1207      217      990    82.0%   UKRTELNET JSC UKRTELECOM,UA
AS8151      1695      716      979    57.8%   Uninet S.A. de C.V.,MX
AS7738       999       83      916    91.7%   Telemar Norte Leste S.A.,BR
AS4538      1954     1039      915    46.8%   ERX-CERNET-BKB China Education and Research Network Center,CN
AS26615     1088      178      910    83.6%   Tim Celular S.A.,BR
AS38285      979      126      853    87.1%   M2TELECOMMUNICATIONS-AU M2 Telecommunications Group Ltd,AU
AS18881      870       33      837    96.2%   Global Village Telecom,BR
AS4780      1081      270      811    75.0%   SEEDNET Digital United Inc.,TW

Total  56600
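
A sketch of the precise-AS-path matching rule described in the report's Aggregation Summary, as an added example rather than the CIDR Report's own code. It does not propose aggregates across unannounced holes, and the prefixes and AS paths are constructed sample data (private address space, documentation ASNs).

```python
import ipaddress

# Constructed sample table: (prefix, AS path). Not taken from the report.
SAMPLE_ROUTES = [
    ("10.0.0.0/24", (64500, 64496)),
    ("10.0.1.0/24", (64500, 64496)),   # sibling of the /24 above, same path
    ("10.0.2.0/24", (64501, 64496)),   # same origin, different transit
    ("10.0.3.0/24", (64500, 64496)),
    ("10.1.0.0/16", (64500, 64497)),
    ("10.1.4.0/22", (64502, 64497)),   # more-specific steering traffic elsewhere
    ("10.1.5.0/24", (64500, 64497)),   # inside the /22, but with the /16's path
    ("10.1.9.0/24", (64500, 64497)),   # covered only by the /16, same path
]


def nearest_cover(net, table):
    """Longest announced prefix that strictly contains `net`, or None."""
    for plen in range(net.prefixlen - 1, -1, -1):
        sup = net.supernet(new_prefix=plen)
        if sup in table:
            return sup
    return None


def aggregate(routes):
    """Aggregate only where the AS path matches exactly.

    Two rules, repeated until nothing changes:
      1. A more-specific is dropped when its nearest covering announcement
         has the identical AS path (longest-match forwarding is unchanged).
      2. Two sibling halves with the identical AS path are replaced by their
         parent, provided the parent is not already announced.
    """
    table = {ipaddress.ip_network(p): tuple(path) for p, path in routes}
    changed = True
    while changed:
        changed = False
        by_length = sorted(table, key=lambda n: n.prefixlen, reverse=True)
        for net in by_length:
            cover = nearest_cover(net, table)
            if cover is not None and table[cover] == table[net]:
                del table[net]
                changed = True
        for net in sorted(table, key=lambda n: n.prefixlen, reverse=True):
            if net not in table or net.prefixlen == 0:
                continue
            parent = net.supernet()
            if parent in table:
                continue  # parent already announced, possibly with another path
            low, high = parent.subnets()
            if low in table and high in table and table[low] == table[high]:
                path = table.pop(low)
                del table[high]
                table[parent] = path
                changed = True
    return [(str(net), table[net]) for net in sorted(table)]


def net_gain(routes):
    """(NetsNow, NetsAggr, NetGain, % Gain), the columns used in the report."""
    now = len(routes)
    aggr = len(aggregate(routes))
    return (now, aggr, now - aggr, round(100.0 * (now - aggr) / now, 1))


if __name__ == "__main__":
    for prefix, path in aggregate(SAMPLE_ROUTES):
        print(prefix, " ".join(str(asn) for asn in path))
    print(net_gain(SAMPLE_ROUTES))
```

The 10.1.5.0/24 entry survives because its nearest covering announcement is the /22 with a different path; removing it would move that traffic onto the /22's path, which is the transit-policy change the report's rule is meant to avoid.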

BGP Update Report

2015-06-19 Thread cidr-report
BGP Update Report
Interval: 11-Jun-15 -to- 18-Jun-15 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank ASN         Upds     %   Upds/Pfx    AS-Name
 1 - AS23752   276928  3.3%     2288.7 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
 2 - AS9829    233909  2.8%      135.3 -- BSNL-NIB National Internet Backbone,IN
 3 - AS9198    112457  1.3%      134.0 -- KAZTELECOM-AS JSC Kazakhtelecom,KZ
 4 - AS36947    82755  1.0%      472.9 -- ALGTEL-AS,DZ
 5 - AS54169    73772  0.9%    24590.7 -- MGH-ION-1 - Marin General Hospital,US
 6 - AS29049    71845  0.9%      270.1 -- DELTA-TELECOM-AS Delta Telecom Ltd,AZ
 7 - AS3709     63415  0.8%     2348.7 -- NET-CITY-SA - City of San Antonio,US
 8 - AS12389    50484  0.6%      223.4 -- ROSTELECOM-AS OJSC Rostelecom,RU
 9 - AS45899    47800  0.6%       58.7 -- VNPT-AS-VN VNPT Corp,VN
10 - AS42337    46309  0.6%      254.4 -- RESPINA-AS Respina Networks & Beyond PJSC,IR
11 - AS28573    44194  0.5%       22.1 -- NET Serviços de Comunicação S.A.,BR
12 - AS34875    44023  0.5%      282.2 -- YANFES OJSC "Rostelecom",RU
13 - AS22059    42852  0.5%     6121.7 -- -Reserved AS-,ZZ
14 - AS20852    42114  0.5%      307.4 -- ATLANT-TELECOM-AS FE "ALTERNATIVNAYA ZIFROVAYA SET",BY
15 - AS39891    38514  0.5%       26.1 -- ALJAWWALSTC-AS Saudi Telecom Company JSC,SA
16 - AS51074    37789  0.5%      229.0 -- MABNA GOSTARESH-E-ERTEBATAT-E MABNA COMPANY (Private Joint Stock),IR
17 - AS25563    35876  0.4%     8969.0 -- WEBLAND-AS Webland AG,CH
18 - AS6697     35584  0.4%      237.2 -- BELPAK-AS Republican Unitary Telecommunication Enterprise Beltelecom,BY
19 - AS3816     34837  0.4%       37.3 -- COLOMBIA TELECOMUNICACIONES S.A. ESP,CO
20 - AS9394     34387  0.4%       12.2 -- CTTNET China TieTong Telecommunications Corporation,CN


TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN         Upds     %   Upds/Pfx    AS-Name
 1 - AS54169    73772  0.9%    24590.7 -- MGH-ION-1 - Marin General Hospital,US
 2 - AS63485    15120  0.2%    15120.0 -- PATRIOT-ASN - Patriot Web Solutions,US
 3 - AS393588    9500  0.1%     9500.0 -- MUBEA-FLO - Mubea,US
 4 - AS25563    35876  0.4%     8969.0 -- WEBLAND-AS Webland AG,CH
 5 - AS22059    42852  0.5%     6121.7 -- -Reserved AS-,ZZ
 6 - AS33287    10045  0.1%     5022.5 -- COMCAST-33287 - Comcast Cable Communications, Inc.,US
 7 - AS32005    15432  0.2%     3858.0 -- THE-CHURCH-PENSION-GROUP - CHURCH PENSION GROUP SERVICES CORPORATION,US
 8 - AS8283     16772  0.2%     3354.4 -- COLOCLUE-AS Netwerkvereniging Coloclue, Amsterdam, Netherlands,NL
 9 - AS17001    14658  0.2%     2931.6 -- UMANITOBA - University of Manitoba,CA
10 - AS200939    5106  0.1%     2553.0 -- LME-IRAQ Lukoil Overseas Service B.V.,IQ
11 - AS33440     9951  0.1%     2487.8 -- WEBRULON-NETWORK - webRulon, LLC,US
12 - AS3709     63415  0.8%     2348.7 -- NET-CITY-SA - City of San Antonio,US
13 - AS23752   276928  3.3%     2288.7 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
14 - AS45606    10037  0.1%     2007.4 --
15 - AS56636     1870  0.0%     1870.0 -- ASVEDARU VEDA Ltd.,RU
16 - AS55741     1794  0.0%     1794.0 -- WBSDC-NET-IN West Bengal Electronics Industry Development,IN
17 - AS49426     6991  0.1%     1747.8 -- LINTECSAS1-AS LInTeCS AS,RU
18 - AS31357    11578  0.1%     1654.0 -- TOMICA-AS Tomsk Information and Consulting Agency,RU
19 - AS38000     6438  0.1%     1609.5 -- CRISIL-AS [CRISIL Limited.Autonomous System],IN
20 - AS63874     1524  0.0%     1524.0 -- IDNIC-BOSOWA-AS-ID PT Bosowa Media Utama,ID


TOP 20 Unstable Prefixes
Rank Prefix               Upds     %   Origin AS -- AS Name
 1 - 202.70.88.0/21     137622  1.6%   AS23752 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
 2 - 202.70.64.0/21     137064  1.6%   AS23752 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
 3 - 105.96.0.0/22       81792  0.9%   AS36947 -- ALGTEL-AS,DZ
 4 - 204.80.242.0/24     73759  0.9%   AS54169 -- MGH-ION-1 - Marin General Hospital,US
 5 - 199.204.107.0/24    29118  0.3%   AS33287 -- COMCAST-33287 - Comcast Cable Communications, Inc.,US
                                       AS33659 -- CMCS - Comcast Cable Communications, Inc.,US
 6 - 192.245.51.0/24     27241  0.3%   AS10965 -- MRNET - MRNet,CA
                                       AS17001 -- UMANITOBA - University of Manitoba,CA
 7 - 64.34.125.0/24      21840  0.2%   AS22059 -- -Reserved AS-,ZZ
 8 - 76.191.107.0/24     20992  0.2%   AS22059 -- -Reserved AS-,ZZ
 9 - 168.151.255.0/24    15964  0.2%   AS62519 -- CERTIFIEDHOST-ASN - Certified Host, LLC,US
10 - 170.178.152.0/22    15120  0.2%   AS63485 -- PATRIOT-ASN 

Re: REMINDER: LEAP SECOND

2015-06-19 Thread Baldur Norddahl
On 19 June 2015 at 23:58, Harlan Stenn  wrote:

> Bad idea.
>
> When restarting ntpd your clocks will likely be off by a second, which
> will cause a backward step, which will force the problem you claim to be
> avoiding.
>

If you are afraid that your routers will crash due to the leapsecond, then
it would help to disable the thing that you think will crash them. Even if
the router crashes when you enable it later on. Because then you can have
one router crash at a time and have it happen in a service window where you
are ready for it. Instead of having all routers in your whole network crash
at exactly the same time.

Regards,

Baldur


Re: Google Apps for ISPs

2015-06-19 Thread Andrew Duey
Our Google Apps for ISP's is still up and running.  We were told end of
July for end of service date.  I was under the impression though that there
were different dates for different customers originally, but I know we're
still up and running on it.

--Andrew

--Andrew Duey

WideRange Broadband LLC
Direct: 402-327-1101
andrew.d...@widerangebroadband.net
http://widerangebroadband.net

On Thu, Jun 18, 2015 at 12:26 PM, Mike Hammett  wrote:

> There was an inquiry about this just the other day. They got theirs turned
> back on. Check the archives for the Google contact.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> - Original Message -
>
> From: "Scott Helms" 
> To: "Josh Luthman" 
> Cc: "NANOG list" 
> Sent: Thursday, June 18, 2015 11:36:54 AM
> Subject: Re: Google Apps for ISPs
>
> Josh,
>
> From what I have been able to see from an outsider's point of view, they
> tore down the virtual machines that held those emails and while I doubt
> they scrubbed the hard drives, they're not available in "commercially
> reasonable way".
>
> No ISP I've worked with has been able to get access to emails, settings,
> address books, or anything else since early in June and that's not from
> lack of trying.
>
>
> Scott Helms
> Vice President of Technology
> ZCorum
> (678) 507-5000
> 
> http://twitter.com/kscotthelms
> 
>
> On Thu, Jun 18, 2015 at 12:32 PM, Josh Luthman <
> j...@imaginenetworksllc.com>
> wrote:
>
> > That's all we're after, customers' emails.
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> > On Jun 18, 2015 12:12 PM, "Scott Helms"  wrote:
> >
> >> We worked with dozens of service providers to get their email services
> >> migrated, AFAIK no one got an extension. I was told directly that it was
> >> possible to have an extension because Google was pulling down the entire
> >> system. I'd advise:
> >>
> >> 1) Make sure your domain TTL's are fairly low so you can change your MX
> >> record and have the world get that update shortly there after.
> >>
> >> 2) Find an alternative email provider, preferably someone who has done
> >> transitions to and from Google before.
> >>
> >> 3) Start communicating with your customers, AFAIK their email, address
> >> books, and calendars aren't available and won't be.
> >>
> >>
> >> Scott Helms
> >> Vice President of Technology
> >> ZCorum
> >> (678) 507-5000
> >> 
> >> http://twitter.com/kscotthelms
> >> 
> >>
> >> On Thu, Jun 18, 2015 at 11:58 AM, Josh Luthman <
> >> j...@imaginenetworksllc.com> wrote:
> >>
> >>> If anyone can message me off list it would be great.
> >>>
> >>> We were originally told the service would be shut off in July. All of the
> >>> accounts were disabled June 9.
> >>>
> >>> Josh Luthman
> >>> Office: 937-552-2340
> >>> Direct: 937-552-2343
> >>> 1100 Wayne St
> >>> Suite 1337
> >>> Troy, OH 45373
> >>>
> >>
> >>
>
>


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Ray Soucy
I know you don't want to hear this answer because of cost but I've had good
luck with Cisco for very high density (about 1,000 clients in a packed
auditorium actively using the network as they follow along with the
presenter).

The thing you need to watch out for with Ubiquiti is that they don't
support DFS, so the entire U-NII-2 channel space is off limits for 5 GHz.
That's pretty significant because you're limited to 9 x 20 MHz channels or
4 x 40 MHz channels.  Keeping the power level down and creating small cells
is essential for high density, so with less channels your hands are really
tied in that case.  Also, avoid the Zero Handoff marketing nonsense they
advertise; I'm sure it can work great for a low client residential area but
it requires all APs to share a single channel and depends upon coordinating
only one active transmitter at a time, so it simply won't scale.

I don't have experience with other vendors at large scale or high density.

I don't think what you're talking about is really high density anymore
though.  That's just normal coverage.  Wireless is a lot more complicated
than selecting a vendor, though.  If you know what you're doing even
Ubiquiti could work decently, but if you don't even a Cisco solution won't
save you.  You really need to be on top of surveying correctly and having
appropriate AP placement and channel distribution.





On Fri, Jun 19, 2015 at 1:57 AM, Sina Owolabi  wrote:

> Hi
>
> We are profiling equipment and design for an expected high user density
> network of multiple, close nit, residential/hostel units. Its going to be
> 8-10 buildings with possibly a over 1000 users at any given time.
> We are looking at Ruckus and Ubiquiti as options to get over the high
> number of devices we are definitely going to encounter.
>
> How did you do it, and what would you advise for product and layout?
>
> Thanks in advance!
>



-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net


Re: Google Apps for ISPs

2015-06-19 Thread Josh Luthman
Yes, depending on your annual contract.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Jun 19, 2015 6:44 PM, "Andrew Duey" 
wrote:

> Our Google Apps for ISP's is still up and running.  We were told end of
> July for end of service date.  I was under the impression though that there
> were different dates for different customers originally, but I know we're
> still up and running on it.
>
> --Andrew
>
> --Andrew Duey
>
> WideRange Broadband LLC
> Direct: 402-327-1101
> andrew.d...@widerangebroadband.net
> http://widerangebroadband.net
>
> On Thu, Jun 18, 2015 at 12:26 PM, Mike Hammett  wrote:
>
> > There was an inquiry about this just the other day. They got theirs turned
> > back on. Check the archives for the Google contact.
> >
> >
> >
> >
> > -
> > Mike Hammett
> > Intelligent Computing Solutions
> > http://www.ics-il.com
> >
> > - Original Message -
> >
> > From: "Scott Helms" 
> > To: "Josh Luthman" 
> > Cc: "NANOG list" 
> > Sent: Thursday, June 18, 2015 11:36:54 AM
> > Subject: Re: Google Apps for ISPs
> >
> > Josh,
> >
> > From what I have been able to see from an outsider's point of view, they
> > tore down the virtual machines that held those emails and while I doubt
> > they scrubbed the hard drives, they're not available in "commercially
> > reasonable way".
> >
> > No ISP I've worked with has been able to get access to emails, settings,
> > address books, or anything else since early in June and that's not from
> > lack of trying.
> >
> >
> > Scott Helms
> > Vice President of Technology
> > ZCorum
> > (678) 507-5000
> > 
> > http://twitter.com/kscotthelms
> > 
> >
> > On Thu, Jun 18, 2015 at 12:32 PM, Josh Luthman <
> > j...@imaginenetworksllc.com>
> > wrote:
> >
> > > That's all we're after, customers' emails.
> > >
> > > Josh Luthman
> > > Office: 937-552-2340
> > > Direct: 937-552-2343
> > > 1100 Wayne St
> > > Suite 1337
> > > Troy, OH 45373
> > > On Jun 18, 2015 12:12 PM, "Scott Helms"  wrote:
> > >
> > >> We worked with dozens of service providers to get their email services
> > >> migrated, AFAIK no one got an extension. I was told directly that it was
> > >> possible to have an extension because Google was pulling down the entire
> > >> system. I'd advise:
> > >>
> > >> 1) Make sure your domain TTL's are fairly low so you can change your MX
> > >> record and have the world get that update shortly there after.
> > >>
> > >> 2) Find an alternative email provider, preferably someone who has done
> > >> transitions to and from Google before.
> > >>
> > >> 3) Start communicating with your customers, AFAIK their email, address
> > >> books, and calendars aren't available and won't be.
> > >>
> > >>
> > >> Scott Helms
> > >> Vice President of Technology
> > >> ZCorum
> > >> (678) 507-5000
> > >> 
> > >> http://twitter.com/kscotthelms
> > >> 
> > >>
> > >> On Thu, Jun 18, 2015 at 11:58 AM, Josh Luthman <
> > >> j...@imaginenetworksllc.com> wrote:
> > >>
> > >>> If anyone can message me off list it would be great.
> > >>>
> > >>> We were originally told the service would be shut off in July. All of the
> > >>> accounts were disabled June 9.
> > >>>
> > >>> Josh Luthman
> > >>> Office: 937-552-2340
> > >>> Direct: 937-552-2343
> > >>> 1100 Wayne St
> > >>> Suite 1337
> > >>> Troy, OH 45373
> > >>>
> > >>
> > >>
> >
> >
>


Re: REMINDER: LEAP SECOND

2015-06-19 Thread Harlan Stenn
Baldur Norddahl writes:
> On 19 June 2015 at 23:58, Harlan Stenn  wrote:
> 
> > Bad idea.
> >
> > When restarting ntpd your clocks will likely be off by a second, which
> > will cause a backward step, which will force the problem you claim to be
> > avoiding.
> 
> If you are afraid that your routers will crash due to the leapsecond,
> then it would help to disable the thing that you think will crash
> them. Even if the router crashes when you enable it later on. Because
> then you can have one router crash at a time and have it happen in a
> service window where you are ready for it. Instead of having all
> routers in your whole network crash at exactly the same time.

That seems fair, as long as you turn off the time stuff only on your
routers, and I'm assuming this is on routers that don't have supported
software.

H


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Randy Bush
> I know you don't want to hear this answer because of cost but I've had
> good luck with Cisco for very high density (about 1,000 clients in a
> packed auditorium actively using the network as they follow along with
> the presenter).

the ietf is repeatedly successful with cisco kit at well over 1,000
users, and i mean very active users, in the ballroom.  thanks chelliott.

but it is not simple, you need to know what you're doing and few do.
one can also screw up with any kit, as nanog keeps demonstrating.

randy


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Faisal Imtiaz
>>>The thing you need to watch out for with Ubiquiti is that they don't support 
>>>DFS, so the entire U-NII-2 channel space is off limits for 5 GHz.

Huh 

Please verify your facts before making blanket statements which are not 
accurate ...



Faisal Imtiaz
Snappy Internet & Telecom


- Original Message -
> From: "Ray Soucy" 
> To: "Sina Owolabi" 
> Cc: "nanog@nanog.org list" 
> Sent: Friday, June 19, 2015 7:07:01 PM
> Subject: Re: Whats' a good product for a high-density Wireless network setup?
> 
> I know you don't want to hear this answer because of cost but I've had good
> luck with Cisco for very high density (about 1,000 clients in a packed
> auditorium actively using the network as they follow along with the
> presenter).
> 
> The thing you need to watch out for with Ubiquiti is that they don't
> support DFS, so the entire U-NII-2 channel space is off limits for 5 GHz.
> That's pretty significant because you're limited to 9 x 20 MHz channels or
> 4 x 40 MHz channels.  Keeping the power level down and creating small cells
> is essential for high density, so with less channels your hands are really
> tied in that case.  Also, avoid the Zero Handoff marketing nonsense they
> advertise; I'm sure it can work great for a low client residential area but
> it requires all APs to share a single channel and depends upon coordinating
> only one active transmitter at a time, so it simply won't scale.
> 
> I don't have experience with other vendors at large scale or high density.
> 
> I don't think what you're talking about is really high density anymore
> though.  That's just normal coverage.  Wireless is a lot more complicated
> than selecting a vendor, though.  If you know what you're doing even
> Ubiquiti could work decently, but if you don't even a Cisco solution won't
> save you.  You really need to be on top of surveying correctly and having
> appropriate AP placement and channel distribution.
> 
> 
> 
> 
> 
> On Fri, Jun 19, 2015 at 1:57 AM, Sina Owolabi  wrote:
> 
> > Hi
> >
> > We are profiling equipment and design for an expected high user density
> > network of multiple, close nit, residential/hostel units. Its going to be
> > 8-10 buildings with possibly a over 1000 users at any given time.
> > We are looking at Ruckus and Ubiquiti as options to get over the high
> > number of devices we are definitely going to encounter.
> >
> > How did you do it, and what would you advise for product and layout?
> >
> > Thanks in advance!
> >
> 
> 
> 
> --
> Ray Patrick Soucy
> Network Engineer
> University of Maine System
> 
> T: 207-561-3526
> F: 207-561-3531
> 
> MaineREN, Maine's Research and Education Network
> www.maineren.net
> 


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Josh Luthman
Uhm he's not wrong...

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Jun 19, 2015 9:13 PM, "Faisal Imtiaz"  wrote:

> >>>The thing you need to watch out for with Ubiquiti is that they don't
> >>>support DFS, so the entire U-NII-2 channel space is off limits for 5 GHz.
>
> Huh 
>
> Please verify your facts before making blanket statements which are not
> accurate ...
>
>
>
> Faisal Imtiaz
> Snappy Internet & Telecom
>
>
> - Original Message -
> > From: "Ray Soucy" 
> > To: "Sina Owolabi" 
> > Cc: "nanog@nanog.org list" 
> > Sent: Friday, June 19, 2015 7:07:01 PM
> > > Subject: Re: Whats' a good product for a high-density Wireless network setup?
> > >
> > > I know you don't want to hear this answer because of cost but I've had good
> > > luck with Cisco for very high density (about 1,000 clients in a packed
> > > auditorium actively using the network as they follow along with the
> > > presenter).
> > >
> > > The thing you need to watch out for with Ubiquiti is that they don't
> > > support DFS, so the entire U-NII-2 channel space is off limits for 5 GHz.
> > > That's pretty significant because you're limited to 9 x 20 MHz channels or
> > > 4 x 40 MHz channels.  Keeping the power level down and creating small cells
> > > is essential for high density, so with less channels your hands are really
> > > tied in that case.  Also, avoid the Zero Handoff marketing nonsense they
> > > advertise; I'm sure it can work great for a low client residential area but
> > > it requires all APs to share a single channel and depends upon coordinating
> > > only one active transmitter at a time, so it simply won't scale.
> > >
> > > I don't have experience with other vendors at large scale or high density.
> > >
> > > I don't think what you're talking about is really high density anymore
> > > though.  That's just normal coverage.  Wireless is a lot more complicated
> > > than selecting a vendor, though.  If you know what you're doing even
> > > Ubiquiti could work decently, but if you don't even a Cisco solution won't
> > > save you.  You really need to be on top of surveying correctly and having
> > > appropriate AP placement and channel distribution.
> > >
> > > On Fri, Jun 19, 2015 at 1:57 AM, Sina Owolabi  wrote:
> > >
> > > > Hi
> > > >
> > > > We are profiling equipment and design for an expected high user density
> > > > network of multiple, close nit, residential/hostel units. Its going to be
> > > We are looking at Ruckus and Ubiquiti as options to get over the high
> > > number of devices we are definitely going to encounter.
> > >
> > > How did you do it, and what would you advise for product and layout?
> > >
> > > Thanks in advance!
> > >
> >
> >
> >
> > --
> > Ray Patrick Soucy
> > Network Engineer
> > University of Maine System
> >
> > T: 207-561-3526
> > F: 207-561-3531
> >
> > MaineREN, Maine's Research and Education Network
> > www.maineren.net
> >
>


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread William Herrin
On Fri, Jun 19, 2015 at 1:57 AM, Sina Owolabi  wrote:
> We are profiling equipment and design for an expected high user density
> network of multiple, close nit, residential/hostel units. Its going to be
> 8-10 buildings with possibly a over 1000 users at any given time.

Hi Sina,

Quick terminology note: "high density" means you want 500+ users in a
conference hall. That's a very different solution space than 1000
users spread across 8 buildings.

High density solutions are concerned with many nodes not stomping on
each other in a small space as users wander about. Yet cables
connecting all the access points together are short and cheap.

Your situation is different. With users spread out, you have less of a
signal stomping problem and more of a signal reach problem through
various construction materials. Cross-building connections are
expensive and few enough users wander between buildings to need to
maintain their IP address when they do.

If you ask your vendors to show you high-density solutions you may not
get what you're looking for.

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Re: SIP trunking providers

2015-06-19 Thread James Laszko
We have facilities in Chicago and LAX based on Broadsoft technology that I 
think is pretty awesome.  Would welcome answering any questions for you


Regards,


James Laszko
Mythos Technology Inc
jam...@mythostech.com
951-813-2674 direct 

Sent from my iPhone

> On Jun 19, 2015, at 14:43, Rafael Possamai  wrote:
> 
> Would anyone in the list be able to recommend a SIP trunk provider in the
> Chicago area? Not a VoIP expert, so just looking for someone with previous
> experience.
> 
> 
> Thanks,
> Rafael


Re: SIP trunking providers

2015-06-19 Thread James Laszko
Sorry, intended for off-list reply.  Sorry for noise.

James

Sent from my iPhone

> On Jun 19, 2015, at 18:37, James Laszko  wrote:
> 
> We have facilities in Chicago and LAX based on Broadsoft technology that I 
> think is pretty awesome.  Would welcome answering any questions for you
> 
> 
> Regards,
> 
> 
> James Laszko
> Mythos Technology Inc
> jam...@mythostech.com
> 951-813-2674 direct 
> 
> Sent from my iPhone
> 
>> On Jun 19, 2015, at 14:43, Rafael Possamai  wrote:
>> 
>> Would anyone in the list be able to recommend a SIP trunk provider in the
>> Chicago area? Not a VoIP expert, so just looking for someone with previous
>> experience.
>> 
>> 
>> Thanks,
>> Rafael


Re: REMINDER: LEAP SECOND

2015-06-19 Thread Mel Beckman
Harlan,

This is cisco's recommended workaround, the ultimate conclusion of an 
exhaustive study of all Cisco firmware and after detailed post mortem analysis 
of two previous Leap seconds:

 https://tools.cisco.com/bugsearch/bug/CSCut33302

GSS Leap second update
CSCut33302
Description
Symptom:
There are periodic leap second events which can add or delete a second to 
global time.

When the leap second update occurs the GSS might hang and have to be reload or 
the kernel could crash and the GSS would reboot.

Conditions:
The leap second update will be propagated via Network Time Protocol (NTP) or 
via manually setting the clock.

Workaround:
Workaround, Turn off NTP prior to leap second and turn it back on afterward.

Further Problem Description:
None

Or, in the immortal words of The IT Crowd: "Turn it off and on again!"

If you run non-IOS server software of such fragility that it can't tolerate 
time slewing, just shut it down and power back up after The Leap.

That's what your competitors are doing :)

 -mel beckman

On Jun 19, 2015, at 4:15 PM, Harlan Stenn <st...@ntp.org> wrote:

> Baldur Norddahl writes:
> > On 19 June 2015 at 23:58, Harlan Stenn <st...@ntp.org> wrote:
> >
> > > Bad idea.
> > >
> > > When restarting ntpd your clocks will likely be off by a second, which
> > > will cause a backward step, which will force the problem you claim to be
> > > avoiding.
> >
> > If you are afraid that your routers will crash due to the leapsecond,
> > then it would help to disable the thing that you think will crash
> > them. Even if the router crashes when you enable it later on. Because
> > then you can have one router crash at a time and have it happen in a
> > service window where you are ready for it. Instead of having all
> > routers in your whole network crash at exactly the same time.
>
> That seems fair, as long as you turn off the time stuff only on your
> routers, and I'm assuming this is on routers that don't have supported
> software.
>
> H


Re: SIP trunking providers

2015-06-19 Thread Mike Lyon
Flowroute.com
On Jun 19, 2015 6:42 PM, "James Laszko"  wrote:

> Sorry, intended for off-list reply.  Sorry for noise.
>
> James
>
> Sent from my iPhone
>
> > On Jun 19, 2015, at 18:37, James Laszko  wrote:
> >
> > We have facilities in Chicago and LAX based on Broadsoft technology that I
> > think is pretty awesome.  Would welcome answering any questions for you
> >
> >
> > Regards,
> >
> >
> > James Laszko
> > Mythos Technology Inc
> > jam...@mythostech.com
> > 951-813-2674 direct
> >
> > Sent from my iPhone
> >
> >> On Jun 19, 2015, at 14:43, Rafael Possamai  wrote:
> >>
> >> Would anyone in the list be able to recommend a SIP trunk provider in the
> >> Chicago area? Not a VoIP expert, so just looking for someone with previous
> >> experience.
> >>
> >>
> >> Thanks,
> >> Rafael
>


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Faisal Imtiaz
FCC Cert claims different. 

:) 

Faisal Imtiaz 
Snappy Internet & Telecom 
7266 SW 48 Street 
Miami, FL 33155 
Tel: 305 663 5518 x 232 

Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net 

- Original Message -

> From: "Josh Luthman"
> To: "Faisal Imtiaz"
> Cc: "NANOG list" , "Ray Soucy"
> Sent: Friday, June 19, 2015 9:16:37 PM
> Subject: Re: Whats' a good product for a high-density Wireless network setup?
>
> Uhm he's not wrong...
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> On Jun 19, 2015 9:13 PM, "Faisal Imtiaz" <fai...@snappytelecom.net> wrote:
>
> > >>>The thing you need to watch out for with Ubiquiti is that they don't
> > >>>support DFS, so the entire U-NII-2 channel space is off limits for 5 GHz.
> >
> > Huh
> >
> > Please verify your facts before making blanket statements which are not
> > accurate ...
> >
> > Faisal Imtiaz
> > Snappy Internet & Telecom
> >
> > - Original Message -
> > > From: "Ray Soucy" <r...@maine.edu>
> > > To: "Sina Owolabi" <notify.s...@gmail.com>
> > > Cc: "nanog@nanog.org list" <nanog@nanog.org>
> > > Sent: Friday, June 19, 2015 7:07:01 PM
> > > Subject: Re: Whats' a good product for a high-density Wireless network setup?
> > >
> > > I know you don't want to hear this answer because of cost but I've had good
> > > luck with Cisco for very high density (about 1,000 clients in a packed
> > > auditorium actively using the network as they follow along with the
> > > presenter).
> > >
> > > The thing you need to watch out for with Ubiquiti is that they don't
> > > support DFS, so the entire U-NII-2 channel space is off limits for 5 GHz.
> > > That's pretty significant because you're limited to 9 x 20 MHz channels or
> > > 4 x 40 MHz channels. Keeping the power level down and creating small cells
> > > is essential for high density, so with less channels your hands are really
> > > tied in that case. Also, avoid the Zero Handoff marketing nonsense they
> > > advertise; I'm sure it can work great for a low client residential area but
> > > it requires all APs to share a single channel and depends upon coordinating
> > > only one active transmitter at a time, so it simply won't scale.
> > >
> > > I don't have experience with other vendors at large scale or high density.
> > >
> > > I don't think what you're talking about is really high density anymore
> > > though. That's just normal coverage. Wireless is a lot more complicated
> > > than selecting a vendor, though. If you know what you're doing even
> > > Ubiquiti could work decently, but if you don't even a Cisco solution won't
> > > save you. You really need to be on top of surveying correctly and having
> > > appropriate AP placement and channel distribution.
> > >
> > > On Fri, Jun 19, 2015 at 1:57 AM, Sina Owolabi <notify.s...@gmail.com> wrote:
> > >
> > > > Hi
> > > >
> > > > We are profiling equipment and design for an expected high user density
> > > > network of multiple, close nit, residential/hostel units. Its going to be
> > > > 8-10 buildings with possibly a over 1000 users at any given time.
> > > > We are looking at Ruckus and Ubiquiti as options to get over the high
> > > > number of devices we are definitely going to encounter.
> > > >
> > > > How did you do it, and what would you advise for product and layout?
> > > >
> > > > Thanks in advance!
> > > >
> > >
> > > --
> > > Ray Patrick Soucy
> > > Network Engineer
> > > University of Maine System
> > >
> > > T: 207-561-3526
> > > F: 207-561-3531
> > >
> > > MaineREN, Maine's Research and Education Network
> > > www.maineren.net
> > >


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Josh Luthman
My equipment that can't do 5.4 with the latest stable or beta firmware says
you can't. Hopefully we get 5.1 "soon". :)

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Jun 19, 2015 11:36 PM, "Faisal Imtiaz"  wrote:

> FCC Cert claims different.
>
> :)
>
> Faisal Imtiaz
> Snappy Internet & Telecom
> 7266 SW 48 Street
> Miami, FL 33155
> Tel: 305 663 5518 x 232
>
> Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net
>
> --
>
> *From: *"Josh Luthman" 
> *To: *"Faisal Imtiaz" 
> *Cc: *"NANOG list" , "Ray Soucy" 
> *Sent: *Friday, June 19, 2015 9:16:37 PM
> *Subject: *Re: Whats' a good product for a high-density Wireless network setup?
>
> Uhm he's not wrong...
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> On Jun 19, 2015 9:13 PM, "Faisal Imtiaz"  wrote:
>
>> >>>The thing you need to watch out for with Ubiquiti is that they don't
>> >>>support DFS, so the entire U-NII-2 channel space is off limits for 5 GHz.
>>
>> Huh 
>>
>> Please verify your facts before making blanket statements which are not
>> accurate ...
>>
>>
>>
>> Faisal Imtiaz
>> Snappy Internet & Telecom
>>
>>
>> - Original Message -
>> > From: "Ray Soucy" 
>> > To: "Sina Owolabi" 
>> > Cc: "nanog@nanog.org list" 
>> > Sent: Friday, June 19, 2015 7:07:01 PM
>> > Subject: Re: Whats' a good product for a high-density Wireless network setup?
>> >
>> > I know you don't want to hear this answer because of cost but I've had good
>> > luck with Cisco for very high density (about 1,000 clients in a packed
>> > auditorium actively using the network as they follow along with the
>> > presenter).
>> >
>> > The thing you need to watch out for with Ubiquiti is that they don't
>> > support DFS, so the entire U-NII-2 channel space is off limits for 5 GHz.
>> > That's pretty significant because you're limited to 9 x 20 MHz channels or
>> > 4 x 40 MHz channels.  Keeping the power level down and creating small cells
>> > is essential for high density, so with less channels your hands are really
>> > tied in that case.  Also, avoid the Zero Handoff marketing nonsense they
>> > advertise; I'm sure it can work great for a low client residential area but
>> > it requires all APs to share a single channel and depends upon coordinating
>> > only one active transmitter at a time, so it simply won't scale.
>> >
>> > I don't have experience with other vendors at large scale or high density.
>> >
>> > I don't think what you're talking about is really high density anymore
>> > though.  That's just normal coverage.  Wireless is a lot more complicated
>> > than selecting a vendor, though.  If you know what you're doing even
>> > Ubiquiti could work decently, but if you don't even a Cisco solution won't
>> > save you.  You really need to be on top of surveying correctly and having
>> > appropriate AP placement and channel distribution.
>> >
>> > On Fri, Jun 19, 2015 at 1:57 AM, Sina Owolabi  wrote:
>> >
>> > > Hi
>> > >
>> > > We are profiling equipment and design for an expected high user density
>> > > network of multiple, close nit, residential/hostel units. Its going to be
>> > > We are looking at Ruckus and Ubiquiti as options to get over the high
>> > > number of devices we are definitely going to encounter.
>> > >
>> > > How did you do it, and what would you advise for product and layout?
>> > >
>> > > Thanks in advance!
>> > >
>> >
>> >
>> >
>> > --
>> > Ray Patrick Soucy
>> > Network Engineer
>> > University of Maine System
>> >
>> > T: 207-561-3526
>> > F: 207-561-3531
>> >
>> > MaineREN, Maine's Research and Education Network
>> > www.maineren.net
>> >
>>
>
>


Re: Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread tqr2813d376cjozqap1l
Their "airMAX" line recently got UNII approval but not their UniFi line to my 
knowledge: 
https://community.ubnt.com/t5/airMAX-Updates-Blog/airMAX-FCC-UNII-Updates-Lower-Band-Activation-Process/ba-p/1265946


20. Jun 2015 03:36 by fai...@snappytelecom.net:


> FCC Cert claims different.
>
> :)
>
> Faisal Imtiaz
> Snappy Internet & Telecom
> 7266 SW 48 Street
> Miami, FL 33155
> Tel: 305 663 5518 x 232
>
> Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net
>
> - Original Message -
>
>> From: "Josh Luthman" <j...@imaginenetworksllc.com>
>> To: "Faisal Imtiaz" <fai...@snappytelecom.net>
>> Cc: "NANOG list" <nanog@nanog.org>, "Ray Soucy" <r...@maine.edu>
>> Sent: Friday, June 19, 2015 9:16:37 PM
>> Subject: Re: Whats' a good product for a high-density Wireless network setup?
>>
>> Uhm he's not wrong...
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>> On Jun 19, 2015 9:13 PM, "Faisal Imtiaz" <fai...@snappytelecom.net> wrote:
>>
>> > >>>The thing you need to watch out for with Ubiquiti is that they don't
>> > >>>support DFS, so the entire U-NII-2 channel space is off limits for 5 GHz.
>> >
>> > Huh
>> >
>> > Please verify your facts before making blanket statements which are not
>> > accurate ...
>> >
>> > Faisal Imtiaz
>> > Snappy Internet & Telecom
>> >
>> > - Original Message -
>> > > From: "Ray Soucy" <r...@maine.edu>
>> > > To: "Sina Owolabi" <notify.s...@gmail.com>
>> > > Cc: "nanog@nanog.org list" <nanog@nanog.org>
>> > > Sent: Friday, June 19, 2015 7:07:01 PM
>> > > Subject: Re: Whats' a good product for a high-density Wireless network setup?
>> > >
>> > > I know you don't want to hear this answer because of cost but I've had good
>> > > luck with Cisco for very high density (about 1,000 clients in a packed
>> > > auditorium actively using the network as they follow along with the
>> > > presenter).
>> > >
>> > > The thing you need to watch out for with Ubiquiti is that they don't
>> > > support DFS, so the entire U-NII-2 channel space is off limits for 5 GHz.
>> > > That's pretty significant because you're limited to 9 x 20 MHz channels or
>> > > 4 x 40 MHz channels. Keeping the power level down and creating small cells
>> > > is essential for high density, so with less channels your hands are really
>> > > tied in that case. Also, avoid the Zero Handoff marketing nonsense they
>> > > advertise; I'm sure it can work great for a low client residential area but
>> > > it requires all APs to share a single channel and depends upon coordinating
>> > > only one active transmitter at a time, so it simply won't scale.
>> > >
>> > > I don't have experience with other vendors at large scale or high density.
>> > >
>> > > I don't think what you're talking about is really high density anymore
>> > > though. That's just normal coverage. Wireless is a lot more complicated
>> > > than selecting a vendor, though. If you know what you're doing even
>> > > Ubiquiti could work decently, but if you don't even a Cisco solution won't
>> > > save you. You really need to be on top of surveying correctly and having
>> > > appropriate AP placement and channel distribution.
>> > >
>> > > On Fri, Jun 19, 2015 at 1:57 AM, Sina Owolabi <notify.s...@gmail.com> wrote:
>> > >
>> > > > Hi
>> > > >
>> > > > We are profiling equipment and design for an expected high user density
>> > > > network of multiple, close nit, residential/hostel units. Its going to be
>> > > > 8-10 buildings with possibly a over 1000 users at any given time.
>> > > > We are looking at Ruckus and Ubiquiti as options to get over the high
>> > > > number of devices we are definitely going to encounter.
>> > > >
>> > > > How did you do it, and what would you advise for product and layout?
>> > > >
>> > > > Thanks in advance!
>> > > >
>> > >
>> > > --
>> > > Ray Patrick Soucy
>> > > Network Engineer
>> > > University of Maine System
>> > >
>> > > T: 207-561-3526
>> > > F: 207-561-3531
>> > >
>> > > MaineREN, Maine's Research and Education Network
>> > > http://www.maineren.net
>>
>> > >
>> 
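
The channel counts quoted in this thread (9 x 20 MHz, 4 x 40 MHz and 2 x 80 MHz when the DFS channels are unavailable) can be reproduced with the sketch below. It is an added example, not part of any poster's message; the US channel lists, the function names and the 60-AP figure are assumptions for illustration.

```python
"""Count non-overlapping 5 GHz channels with and without DFS (added example)."""

# Assumption: US 5 GHz 20 MHz channel numbers per band, as commonly listed.
BANDS = {
    "U-NII-1": [36, 40, 44, 48],
    "U-NII-2A": [52, 56, 60, 64],            # DFS required
    "U-NII-2C": list(range(100, 145, 4)),    # DFS required
    "U-NII-3": [149, 153, 157, 161, 165],
}
DFS_BANDS = {"U-NII-2A", "U-NII-2C"}

# Bonded (40/80 MHz) channels are aligned inside each contiguous run.
SEGMENTS = [
    list(range(36, 65, 4)),
    list(range(100, 145, 4)),
    list(range(149, 166, 4)),
]


def allowed_channels(dfs_supported):
    """20 MHz channels the AP may use, depending on DFS support."""
    return {ch for band, chans in BANDS.items() for ch in chans
            if dfs_supported or band not in DFS_BANDS}


def bonded_blocks(width_mhz, dfs_supported):
    """Non-overlapping channels of the given width (20, 40 or 80 MHz)."""
    n = width_mhz // 20
    allowed = allowed_channels(dfs_supported)
    blocks = []
    for seg in SEGMENTS:
        for i in range(0, len(seg) - n + 1, n):
            block = tuple(seg[i:i + n])
            # A bonded channel is usable only if every 20 MHz part is allowed.
            if all(ch in allowed for ch in block):
                blocks.append(block)
    return blocks


def channel_plan(dfs_supported):
    """Number of usable channels per width."""
    return {w: len(bonded_blocks(w, dfs_supported)) for w in (20, 40, 80)}


def aps_per_channel(ap_count, width_mhz, dfs_supported):
    """Worst-case number of APs forced to share one channel (ceiling)."""
    return -(-ap_count // len(bonded_blocks(width_mhz, dfs_supported)))


if __name__ == "__main__":
    for dfs in (False, True):
        print("DFS" if dfs else "no DFS", channel_plan(dfs),
              "APs/channel for 60 APs at 20 MHz:", aps_per_channel(60, 20, dfs))
```
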


Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Ray Soucy
Well, I could certainly be wrong, but it's news to me if UBNT started
supporting DFS in the US.

Your first screenshot is listing the UAP for 5240 which is channel 48,
U-NII-1.  The second shows 5825 which is the upper limit of U-NII-3.  I
don't see any U-NII-2 in what you posted.

This forum post may be a bit out of date, but I haven't seen any
announcement or information on the forums to indicate the situation has
changed, and I'm pretty good at searching:

https://community.ubnt.com/t5/UniFi-Wireless/DFS/m-p/700461#M54771

From this thread it looks like the ability to configure DFS channels in the
US was a UI bug and only showing for ZH anyway.  IIRC they actually got in
a bit of trouble with the FCC over not restricting the use of these
channels enough.

Regardless of whether or not the FCC has cleared UBNT indoor products for
U-NII-2 and U-NII-2-extended (and I haven't seen evidence of that yet),
until you can configure APs to use those channels in the controller without
violating FCC regulations I don't consider them usable.

The UAP-AC doesn't seem to support DFS channels at all even without FCC
restrictions, which kind of kills the point of AC; only 4 x 40 MHz or 2 x
80 MHz channels doesn't cut it when we're talking about density.

Note we're talking about indoor wireless and there ARE some UBNT products
for outdoor WISP use that do support DFS and have been cleared by the FCC,
but we would only be looking at the UAP-PRO or UAP-AC in this case so maybe
that's the point of confusion here.




On Fri, Jun 19, 2015 at 11:36 PM, Faisal Imtiaz 
wrote:

> FCC Cert claims different.
>
> :)
>
> Faisal Imtiaz
> Snappy Internet & Telecom
> 7266 SW 48 Street
> Miami, FL 33155
> Tel: 305 663 5518 x 232
>
> Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net
>
> --
>
> *From: *"Josh Luthman" 
> *To: *"Faisal Imtiaz" 
> *Cc: *"NANOG list" , "Ray Soucy" 
> *Sent: *Friday, June 19, 2015 9:16:37 PM
>
> *Subject: *Re: Whats' a good product for a high-density Wireless network
> setup?
>
> Uhm he's not wrong...
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> On Jun 19, 2015 9:13 PM, "Faisal Imtiaz"  wrote:
>
>> >>>The thing you need to watch out for with Ubiquiti is that they don't
>> support DFS, so the entire U-NII-2 channel space is off limits for 5 GHz.
>>
>> Huh 
>>
>> Please verify your facts before making blanket statements which are not
>> accurate ...
>>
>>
>>
>> Faisal Imtiaz
>> Snappy Internet & Telecom
>>
>>
>> - Original Message -
>> > From: "Ray Soucy" 
>> > To: "Sina Owolabi" 
>> > Cc: "nanog@nanog.org list" 
>> > Sent: Friday, June 19, 2015 7:07:01 PM
>> > Subject: Re: Whats' a good product for a high-density Wireless network
>> setup?
>> >
>> > I know you don't want to hear this answer because of cost but I've had
>> good
>> > luck with Cisco for very high density (about 1,000 clients in a packed
>> > auditorium actively using the network as they follow along with the
>> > presenter).
>> >
>> > The thing you need to watch out for with Ubiquiti is that they don't
>> > support DFS, so the entire U-NII-2 channel space is off limits for 5
>> GHz.
>> > That's pretty significant because you're limited to 9 x 20 MHz channels
>> or
>> > 4 x 40 MHz channels.  Keeping the power level down and creating small
>> cells
>> > is essential for high density, so with less channels your hands are
>> really
>> > tied in that case.  Also, avoid the Zero Handoff marketing nonsense they
>> > advertise; I'm sure it can work great for a low client residential area
>> but
>> > it requires all APs to share a single channel and depends upon
>> coordinating
>> > only one active transmitter at a time, so it simply won't scale.
>> >
>> > I don't have experience with other vendors at large scale or high
>> density.
>> >
>> > I don't think what you're talking about is really high density anymore
>> > though.  That's just normal coverage.  Wireless is a lot more
>> complicated
>> > than selecting a vendor, though.  If you know what you're doing even
>> > Ubiquiti could work decently, but if you don't even a Cisco solution
>> won't
>> > save you.  You really need to be on top of surveying correctly and
>> having
>> > appropriate AP placement and channel distribution.
>> >
>> >
>> >
>> >
>> >
>> > On Fri, Jun 19, 2015 at 1:57 AM, Sina Owolabi 
>> wrote:
>> >
>> > > Hi
>> > >
>> > > We are profiling equipment and design for an expected high user
>> density
>> > > network of multiple, close nit, residential/hostel units. Its going
>> to be
>> > > 8-10 buildings with possibly a over 1000 users at any given time.
>> > > We are looking at Ruckus and Ubiquiti as options to get over the high
>> > > number of devices we are definitely going to encounter.
>> > >
>> > > How did you do it, and what would you advise for product and layout?
>> > >
>> > > Thanks in advance!
>> > >
>> >
>> >
>> >
>> > --
>> > Ray Patrick Soucy
>> >