Re: EQUIPMENT NEEDED: PRI/SIP Gateway (Adtran)

2017-05-27 Thread Bryan Holloway

Didja plug it into 208V?

We had a customer that blew up two before realizing that those 
(inexplicably) are 120V-only, unlike anything else modern on the planet.


On 5/27/17 1:49 AM, James Laszko wrote:

Hi everyone-

Had a new Adtran TA908e going into service tonight for a customer move and 
something went wrong and it physically blew up on us.  Customer going live 
Tuesday morning, located in San Diego.  Anyone have a compatible unit we can 
rent or buy until we get a replacement?  Only really need 1 PRI with 23 SIP 
trunk capability.

I appreciate any help that may be available and Happy Memorial Day!


Thanks,


James Laszko
Mythos Technology Inc
jam...@mythostech.com



Sent from my iPhone



RE: Cisco NCS5501 as a P Router

2017-05-27 Thread Aaron Gould
Hi Radu-Adrian, have you done any MPLS PE functions on the NCS5001 ?  ...like 
MPLS/VPLS L2VPN, or L3VPN ?

I'm asking because I tried a NCS5001 in my lab about a year or 2 ago and it was 
pretty bad.  At which point I was told to only try it as a P box from a Cisco 
engineer, at which point it dropped from my consideration since I needed to 
replace lots of Cisco ME3600's with mpls edge functions, and I ended up 
settling on the Juniper ACX5048.

I'm wondering if Cisco improved that NCS5001 in more recent versions of XR to 
include functional MPLS L2 and L3 vpn's.

-Aaron





Re: What happened to BGP Update Report?

2017-05-27 Thread Anurag Bhatia
Seems good.


Thanks for sharing!

On Sat, May 27, 2017 at 12:21 AM, Andrew Latham  wrote:

> Just bookmark http://bgpupdates.potaroo.net/instability/bgpupd.html if you
> like the report.
>
> On Fri, May 26, 2017 at 1:40 PM, Anurag Bhatia 
> wrote:
>
> > Hello, everyone.
> >
> >
> > I wonder if anyone is aware of what happened to BGP Update Report which was
> > being published to most of NOG mailing lists?
> >
> > I see the last one is from 7th Dec 2016. BGP Update Report was the one
> > which provided unstable origin ASNs etc. I still do see the weekly routing
> > table report with other data.
> >
> >
> >
> >
> > Thanks.
> > --
> >
> >
> > Anurag Bhatia
> > anuragbhatia.com
> >
>
>
>
> --
> - Andrew "lathama" Latham -
>



-- 


Anurag Bhatia
anuragbhatia.com


RE: Cisco NCS5501 as a P Router

2017-05-27 Thread Gustav Ulander
Hello.
We are running 5001 also and we have the same issue with it programming the 
wrong entry into the hardware. 
Interesting to hear that the issue is still in 6.1.2 since we were thinking 
about upgrading to that one to see if it fixes the issue but I think we will 
give it a pass. 
Seems the BU can't find why its happening only that it indeed is happening. They 
don’t seem to be able to duplicate it in the lab either last we heard. 

/Gustav


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Radu-Adrian Feurdean
Sent: 27 May 2017 11:31
To: nanog@nanog.org
Subject: Re: Cisco NCS5501 as a P Router

On Thu, May 18, 2017, at 15:21, Erik Sundberg wrote:
> We're at the growing point where we need a dedicated P router for a 
> core device. We are taking a serious look at the NCS5501. Is there 
> anyone else using a NCS5501 as P Router or just general feedback on 
> the NCS5501 if you are using it?

Hi,

While we're not using the NCS5501, we do use the "previous version", NCS5001. 
We're not yet at a point to care about the minuscule buffers.
Set-up : initially P-router in a very small BGP-free core (ISIS + LDP), then 
added route-reflector functionality too. 

As a P-router they usually behave correctly, except for some cases where 
they start routing incorrectly (according to Cisco, the wrong label is 
programmed into hardware). That should have been fixed with 6.1.2, which we 
have deployed, until we recently had the same issue on 6.1.2, on the exact same 
box. We expect having some fun with the TAC about that.
 
> The big downside is it only has a single processor

Yes, but:
 - it's powerful enough (we ended-up using them as RR too, and ~1.2M  routes in 
RIB pose no problem)
 - ours being about half the price of a 5501, we have 2 of them on every  site. 
If you can afford the same (2 / site) do it; If you don't -  review the copy so 
that you can (Brocade SLX 9540 looks like a good  alternative).


Re: BCP38/84 and DDoS ACLs

2017-05-27 Thread Dave Bell
Your bogon list has a few non-bogons, and is missing a few current bogons.

Team Cymru keep a good resource for this:
http://www.team-cymru.org/bogon-dotted-decimal.html

Regards,
Dave

On 26 May 2017 5:01 pm, "Compton, Rich A"  wrote:

> To block UDP port 19 you can add something like:
> deny udp any eq 19 any
> deny udp any any eq 19
>
> This will prevent the DDoS attack traffic entering your network (source
> port 19) as well as the hosts scanning around looking for hosts on your
> network that can be used in amplification attacks (destination port 19).
> Please note that this will not block the UDP fragments that come with
> these attacks which have no L4 port to block.  You can possibly do
> policing on UDP fragments to address this.
>
> I'd also suggest adding:
> deny udp any eq 17 any
> deny udp any any eq 17
>
> deny udp any eq 123 any packet-length eq 468
>
> deny udp any eq 520 any
> deny udp any any eq 520
>
> deny udp any eq 1900 any
> deny udp any any eq 1900
>
> Some people will complain that you shouldn't block UDP port 1900 because
> it's above 1023 but believe me it's worth it.
>
>
>
> also to block invalid source IPs to prevent some spoofed traffic from
> coming into your network:
>
> deny ipv4 0.0.0.0 0.255.255.255 any
> deny ipv4 10.0.0.0 0.255.255.255 any
> deny ipv4 11.0.0.0 0.255.255.255 any
> deny ipv4 22.0.0.0 0.255.255.255 any
> deny ipv4 30.0.0.0 0.255.255.255 any
> deny ipv4 100.64.0.0 0.63.255.255 any
> deny ipv4 127.0.0.0 0.255.255.255 any
> deny ipv4 169.254.0.0 0.0.255.255 any
> deny ipv4 172.16.0.0 0.15.255.255 any
> deny ipv4 192.0.0.0 0.0.0.255 any
> deny ipv4 192.0.2.0 0.0.0.255 any
> deny ipv4 192.168.0.0 0.0.255.255 any
> deny ipv4 198.18.0.0 0.1.255.255 any
> deny ipv4 198.51.0.0 0.0.0.255 any
> deny ipv4 203.0.113.0 0.0.0.255 any
> deny ipv4 224.0.0.0 31.255.255.255 any
>
>
> For BCP38 and 84 you would want to enable uRPF
> https://en.wikipedia.org/wiki/Reverse_path_forwarding
> https://tools.ietf.org/html/rfc3704
>
>
>
> Rich Compton   | Principal Eng |   314.596.2828
> 14810 Grasslands  Dr,Englewood,  CO80112
>
>
>
>
>
>
> On 5/26/17, 11:39 AM, "NANOG on behalf of Graham Johnston"
>  wrote:
>
> >I really did try looking before I sent the email but couldn't quickly
> >find what I was looking for.
> >
> >I am looking for information regarding standard ACLs that operators may
> >be using at the internet edge of their network, on peering and transit
> >connections, wherein you are filtering ingress packets such as those
> >sourced from UDP port 19 for instance. I've found incomplete conceptual
> >discussions about it but nothing that seemed concrete or complete.
> >
> >This doesn't seem quite like it is BCP38 and more like this is BCP84, but
> >it only talks about use of ACLs in section 2.1 without providing any
> >examples. Given that it is also 13 years old I thought there might be
> >fresher information out there.
> >
> >Thanks,
> >graham
>
>
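
An added example, not part of any post in this thread: a Python audit of the source-address entries from the ACL quoted above against a reference set of reserved IPv4 blocks, showing which entries match address space outside that set and which reserved blocks have no entry. The reference set is an assumption hard-coded for this example (a current list should come from a maintained source such as the Team Cymru page linked above), and the function names are hypothetical.

```python
import ipaddress

# Reference set (an assumption of this example): well-known non-routable IPv4
# blocks from the IANA special-purpose registry, plus multicast and 240/4.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4")]

# Source-address entries exactly as they appear in the ACL quoted above.
ACL = """\
deny ipv4 0.0.0.0 0.255.255.255 any
deny ipv4 10.0.0.0 0.255.255.255 any
deny ipv4 11.0.0.0 0.255.255.255 any
deny ipv4 22.0.0.0 0.255.255.255 any
deny ipv4 30.0.0.0 0.255.255.255 any
deny ipv4 100.64.0.0 0.63.255.255 any
deny ipv4 127.0.0.0 0.255.255.255 any
deny ipv4 169.254.0.0 0.0.255.255 any
deny ipv4 172.16.0.0 0.15.255.255 any
deny ipv4 192.0.0.0 0.0.0.255 any
deny ipv4 192.0.2.0 0.0.0.255 any
deny ipv4 192.168.0.0 0.0.255.255 any
deny ipv4 198.18.0.0 0.1.255.255 any
deny ipv4 198.51.0.0 0.0.0.255 any
deny ipv4 203.0.113.0 0.0.0.255 any
deny ipv4 224.0.0.0 31.255.255.255 any
"""

def parse_entry(line):
    """'deny ipv4 <base> <wildcard> any' -> IPv4Network (wildcard = host mask)."""
    _, _, base, wildcard, _ = line.split()
    return ipaddress.ip_network(f"{base}/{wildcard}")

def audit(acl_text, reserved=RESERVED):
    entries = [parse_entry(l) for l in acl_text.splitlines() if l.strip()]
    # Merge adjacent reserved blocks so an entry spanning two of them
    # (224.0.0.0/3 = 224/4 + 240/4) still counts as fully reserved.
    merged = list(ipaddress.collapse_addresses(reserved))
    not_reserved = [e for e in entries if not any(e.subnet_of(m) for m in merged)]
    missing = [r for r in reserved if not any(r.subnet_of(e) for e in entries)]
    return not_reserved, missing

if __name__ == "__main__":
    extra, missing = audit(ACL)
    print("matches address space outside the reserved set:", *extra)
    print("reserved blocks with no matching entry:", *missing)
```

The 11.0.0.0/8, 22.0.0.0/8 and 30.0.0.0/8 entries match allocated unicast space, and 198.51.0.0/24 is not the documentation block 198.51.100.0/24 (TEST-NET-2), which is left unfiltered.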


Re: Cisco NCS5501 as a P Router

2017-05-27 Thread Radu-Adrian Feurdean
On Thu, May 18, 2017, at 15:21, Erik Sundberg wrote:
> We're at the growing point where we need a dedicated P router for a core
> device. We are taking a serious look at the NCS5501. Is there anyone else
> using a NCS5501 as P Router or just general feedback on the NCS5501 if
> you are using it?

Hi,

While we're not using the NCS5501, we do use the "previous version",
NCS5001. We're not yet at a point to care about the minuscule buffers.
Set-up : initially P-router in a very small BGP-free core (ISIS + LDP),
then added route-reflector functionality too. 

As a P-router they usually behave correctly, except for some cases
where they start routing incorrectly (according to Cisco, the wrong
label is programmed into hardware). That should have been fixed with
6.1.2, which we have deployed, until we recently had the same issue on
6.1.2, on the exact same box. We expect having some fun with the TAC
about that.
 
> The big downside is it only has a single processor

Yes, but:
 - it's powerful enough (we ended-up using them as RR too, and ~1.2M
 routes in RIB pose no problem)
 - ours being about half the price of a 5501, we have 2 of them on every
 site. If you can afford the same (2 / site) do it; If you don't -
 review the copy so that you can (Brocade SLX 9540 looks like a good
 alternative).


EQUIPMENT NEEDED: PRI/SIP Gateway (Adtran)

2017-05-27 Thread James Laszko
Hi everyone-

Had a new Adtran TA908e going into service tonight for a customer move and 
something went wrong and it physically blew up on us.  Customer going live 
Tuesday morning, located in San Diego.  Anyone have a compatible unit we can 
rent or buy until we get a replacement?  Only really need 1 PRI with 23 SIP 
trunk capability.

I appreciate any help that may be available and Happy Memorial Day!


Thanks,


James Laszko
Mythos Technology Inc
jam...@mythostech.com



Sent from my iPhone