RE: Sonicwall 3500/netflow
I've been using 5.8 with no problems thus far. As for the CLI, yes it is CLUNKY. But they are completely revamping it, it will be very similar to Cisco in the near future...

From: bl...@pfankuch.me
To: j...@miscreant.org; j...@baylink.com
Subject: RE: Sonicwall 3500/netflow
Date: Tue, 14 Feb 2012 14:40:40 +
CC: nanog@nanog.org

JRA, If you have questions contact me off list. I would shoot for a little higher device to support that bandwidth if you are going to be enabling Services at all. Also if you use services, make sure they are enabled only on 1 zone so as not to double scan traffic. Also I would skip the DPI-SSL services for now, as they are extremely throughput intensive. The company I work for manages a few hundred Sonicwalls, some of them in a pretty complex setup.

SonicWall netflow is a little unique, they have a GUI feature called APPFlow which makes it pretty easy to trim down to watch exactly what you need (once you get the hang of it). Some of the additional free features make the SonicWall very nice. The SSLVPN portal is very handy for remote troubleshooting. You can bind it to a VLAN interface with private addresses for management purposes as well as remote access. Careful though, they can either be a beast, or a joy to manage depending on how you set it up. If you want to do entirely CLI management on the SonicWall, be prepared for a headache. Everything is case sensitive, and not the cleanest. If you build quick templates in your favorite text editor, it can be very simple to manage this way. SonicWall is pushing 5.8.1.4 firmwares to all of the partners as far as I know (maybe to everyone) if you call in with an issue. Check the caveats though, we have a few conflicts related to VPN stuff as well as dynamic routing in a few places.

Blake

-Original Message-
From: Jay Mitchell [mailto:j...@miscreant.org]
Sent: Tuesday, February 14, 2012 3:59 AM
To: Jay Ashworth
Cc: NANOG
Subject: Re: Sonicwall 3500/netflow

According to the spec sheet it does, haven't had the opportunity to play with one to comment any further though. http://www.sonicwall.com/us/products/NSA_3500.html#tab=specifications
--jay

On 14/02/2012, at 2:21 PM, Jay Ashworth j...@baylink.com wrote:
This will be my first time in Sonicwall territory. I'm assuming this thing will (effectively) *be* my edge router; does it support netflow, as has been being discussed in the recent thread? I'm likely going to have 100M from L3, with FiOS/150 and Roadrunner/50 for backup/load bal; I don't think this will be a BGP application. :-) Cheers, -- jra
-- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
RE: Sonicwall 3500/netflow
Never messed around with Juniper.

From: leigh.por...@ukbroadband.com
To: brandon@brandontek.com; bl...@pfankuch.me; j...@miscreant.org; j...@baylink.com
CC: nanog@nanog.org
Subject: RE: Sonicwall 3500/netflow
Date: Tue, 14 Feb 2012 15:53:43 +

-Original Message-
From: Brandon Kim [mailto:brandon@brandontek.com]
Sent: 14 February 2012 15:51
To: bl...@pfankuch.me; j...@miscreant.org; j...@baylink.com
Cc: nanog group
Subject: RE: Sonicwall 3500/netflow

I've been using 5.8 with no problems thus far. As for the CLI, yes it is CLUNKY. But they are completely revamping it, it will be very similar to Cisco in the near future...

Why do people like to base their CLIs on the really rather awful Cisco style interface rather than something with some more structure like Juniper?
-- Leigh Porter

This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com
RE: VZ FiOS DNS issues:
I have FIOS and I have no issues. However I do know awhile back they had issues and I was affected by the outage. Maybe it hasn't made its way to me yet.

From: ja...@photon.com
To: nanog@nanog.org
Subject: VZ FiOS DNS issues:
Date: Sun, 22 Jan 2012 16:10:17 +

Any Verizon techs around today? I don't know why you can't pass DNS traffic this morning, but it's the second time in as many weeks as it has been an issue, and it's rather annoying (Google is the example, but the exact same failure happens using any destination, on VZ's own or any other public DNS servers, phone support are of course, useless):

C:\Users\jamie>tracert -d 71.252.0.12
Tracing route to 71.252.0.12 over a maximum of 30 hops
  1     1 ms     1 ms     1 ms  192.168.2.254
  2     1 ms     1 ms     1 ms  192.168.1.1
  3     8 ms     9 ms    13 ms  96.231.199.1
  4    14 ms     9 ms     9 ms  130.81.183.118
  5     9 ms     9 ms     9 ms  130.81.151.232
  6     9 ms     9 ms     *     130.81.20.19
  7    11 ms     9 ms     9 ms  71.252.0.12
Trace complete.

C:\Users\jamie>nslookup www.google.com 71.252.0.12
Server:  nsrest01.verizon.net
Address:  71.252.0.12
DNS request timed out. timeout was 2 seconds.
DNS request timed out. timeout was 2 seconds.
DNS request timed out. timeout was 2 seconds.
DNS request timed out. timeout was 2 seconds.
*** Request to nsrest01.verizon.net timed-out

C:\Users\jamie>tracert -d 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
  1     1 ms     1 ms     1 ms  192.168.2.254
  2     1 ms     1 ms     1 ms  192.168.1.1
  3     7 ms     8 ms     9 ms  96.231.199.1
  4     8 ms     9 ms     8 ms  130.81.183.118
  5     9 ms    28 ms    10 ms  130.81.22.56
  6     8 ms     9 ms     9 ms  152.63.36.237
  7    20 ms    19 ms    19 ms  152.63.0.153
  8    21 ms    18 ms    18 ms  152.63.21.73
  9    41 ms    47 ms    49 ms  152.179.72.66
 10    17 ms    18 ms    19 ms  209.85.255.68
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13    22 ms    19 ms    19 ms  72.14.236.200
 14    20 ms    31 ms    18 ms  216.239.49.145
 15    18 ms    19 ms    19 ms  8.8.8.8
Trace complete.

C:\Users\jamie>nslookup www.google.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
DNS request timed out. timeout was 2 seconds.
DNS request timed out. timeout was 2 seconds.
DNS request timed out. timeout was 2 seconds.
DNS request timed out. timeout was 2 seconds.
*** Request to google-public-dns-a.google.com timed-out

C:\Users\jamie>
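The symptom in the quoted message (tracert reaches the resolver, nslookup times out against every resolver) is what you see when port 53 is being dropped somewhere on the path rather than the servers being down. A quick way to separate the two is to send the same query over UDP and over TCP and compare. The script below is an added example and is not code from the original thread or from any vendor tool; it builds a raw DNS A query by hand so it can run without third-party libraries, parses the reply (checking the transaction ID so a stale or spoofed answer is not mistaken for a real one), and reports per-transport results. The two resolver addresses are the ones from the thread; the queried name and the 2-second timeout are assumptions chosen to mirror nslookup's defaults.

```python
"""Probe a DNS resolver over UDP and TCP with a hand-built A query.

Added example for the VZ FiOS DNS thread, not code from the original posts.
Assumptions: the resolvers listed in main() are taken from the thread; the
queried name and the timeout are illustrative choices.
"""
import random
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive A/IN query for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_response(data: bytes, txid: int):
    """Return (rcode, [A-record IPs]); raise ValueError if the reply is not ours."""
    if len(data) < 12:
        raise ValueError("short response")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply?)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                       # skip echoed question section
        off = _skip_name(data, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, ips


def probe(server: str, name: str = "www.google.com", timeout: float = 2.0) -> dict:
    """Send the same query over UDP and TCP. A resolver that answers on one
    transport but not the other points at filtering on the path, not a dead server."""
    results = {}
    txid = random.randrange(0, 0x10000)
    q = build_query(name, txid)
    for proto in ("udp", "tcp"):
        try:
            if proto == "udp":
                s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(4096)
            else:
                s = socket.create_connection((server, 53), timeout=timeout)
                s.sendall(struct.pack("!H", len(q)) + q)   # TCP DNS is length-prefixed
                length = struct.unpack("!H", s.recv(2))[0]
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
            s.close()
            results[proto] = parse_response(data, txid)
        except (OSError, ValueError, IndexError, struct.error) as exc:
            results[proto] = f"fail: {exc}"
    return results


if __name__ == "__main__":
    for resolver in ("71.252.0.12", "8.8.8.8"):   # addresses from the thread
        print(resolver, probe(resolver))
```

If UDP fails and TCP succeeds to every resolver, the access network is dropping UDP/53; if both fail to every resolver while tracert completes, port 53 is being dropped regardless of transport; if only the ISP's resolver fails, that resolver is the problem.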
RE: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
I'm getting a database error when I search for an AS.

Subject: Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
From: arturo.ser...@gmail.com
Date: Mon, 16 Jan 2012 15:53:51 -0200
To: mka...@merit.edu
CC: nanog@nanog.org

Manish, Nice tool. Is it possible to see the history of a prefix? Regards, ..as

On 13 Jan 2012, at 18:19, Manish Karir wrote:
All, We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu
bgpTables allows users to easily navigate global routing table data collected via routeviews.org. bgptables essentially processes the data collected at routeviews and makes it available in a somewhat easier to use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the vantage point of the various bgp table views as seen at routeviews. The data is currently updated nightly (EST) but we hope to improve this over time. Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables. Some examples:
- You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN.
- You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix.
- You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in.
- You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you can then select the particular ASN that is of interest to you.
Comments, corrections, and suggestions are very welcome. Please send them to mka...@merit.edu. Hopefully folks will find this useful. Thanks. -The Merit Network Research and Development Team
RE: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
Thanks everyone, yes adding AS works... Will it be updated to just accept 65000 without the AS in the near future?

Subject: Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
From: mka...@merit.edu
Date: Mon, 16 Jan 2012 15:44:08 -0500
CC: nanog@nanog.org
To: brandon@brandontek.com

Please remember to add the as before the number for your query. so for AS 65000 your search term should be as65000
Thanks. -manish

On Jan 16, 2012, at 3:19 PM, Brandon Kim wrote:
I'm getting a database error when I search for an AS.

Subject: Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
From: arturo.ser...@gmail.com
Date: Mon, 16 Jan 2012 15:53:51 -0200
To: mka...@merit.edu
CC: nanog@nanog.org

Manish, Nice tool. Is it possible to see the history of a prefix? Regards, ..as

On 13 Jan 2012, at 18:19, Manish Karir wrote:
All, We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu
bgpTables allows users to easily navigate global routing table data collected via routeviews.org. bgptables essentially processes the data collected at routeviews and makes it available in a somewhat easier to use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the vantage point of the various bgp table views as seen at routeviews. The data is currently updated nightly (EST) but we hope to improve this over time. Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables. Some examples:
- You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN.
- You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix.
- You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in.
- You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you can then select the particular ASN that is of interest to you.
Comments, corrections, and suggestions are very welcome. Please send them to mka...@merit.edu. Hopefully folks will find this useful. Thanks. -The Merit Network Research and Development Team
RE: Speed Test Results
I love using speedtest. My FIOS at home is 25/25. And speedtest consistently hits that mark so I know FIOS is giving me what I paid for. When Verizon was having internet issues last week my numbers were bad. Like someone else said, I would not use it for much more than a quick gauge. To get more granular info you should be using other tools.

Subject: Re: Speed Test Results
From: james.cut...@consultant.com
Date: Fri, 23 Dec 2011 09:02:01 -0500
To: nanog@nanog.org

On Dec 23, 2011, at 8:07 AM, Paul Stewart wrote:
In my opinion they are only somewhat reliable if they are on your network or very close to your network - we operate one of the speedtest.net sites and for our own eyeball traffic find it to be a reasonable indicator of what kind of speeds the customer is getting. To put it a different way, if a customer is getting 20X1 Internet service and the speedtest shows 17 X 0.8 then case closed - if they are getting a speedtest result of 5 X 0.5 then our helpdesk will take a further look - this is really in rough terms... Paul

From the consumer viewpoint: No single data point should be extrapolated to infinity, but comparing problematic behavior with normal behavior is a standard process across all fields. Speed tests from several locations done regularly give a baseline for performance. Major departure from expected numbers from a set of speed test sites can be regarded as an indicator of local loop problems. Did you know that local loops suffer from backhoe fade? And, DSLAMS fail. In my home office, speed tests are just another useful diagnostic helping to locate problem areas - just like in Paul's example. DSLReports line monitoring service is a similarly useful tool.
James R. Cutler james.cut...@consultant.com
RE: BGPmon regex
I'm not familiar with BGPmon but your symptoms sound like a typical programming issue. The '\' is stripped probably due to a stripslashes function in the code. So by doing double '\\' you kinda trick the code into only doing the first one. I don't really know of any way around this.

Date: Wed, 21 Dec 2011 12:06:14 -0500
Subject: BGPmon regex
From: c...@0x1.net
To: nanog@nanog.org

I'm trying to edit my prefixes' AS path regex in BGPmon, and when I add a '\s' in the Regular expression field, upon save, the '\' is stripped. Is this expected behavior? The workaround is to insert a '\\s' instead, but one needs to remember to do this on every edit, and I tend to forget which results in panicking the others on our team with false positives.
-cjp
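The reply above guesses at a stripslashes-style sanitizer. Whether or not that is what BGPmon actually does is not known from the thread; the example below is an added illustration of that guess, not BGPmon's code. It models an input sanitizer that strips one backslash from every escape on each save (the classic PHP magic_quotes/stripslashes mistake), shows why `\\s` survives exactly one save and is mangled on the next edit, and contrasts it with the correct handling: validate the string as a regex and store it verbatim, leaving escaping to the output or the database layer. The AS-path pattern and the sample path are constructed for the example.

```python
"""Why a stripslashes-style sanitizer breaks stored regexes, and the fix.

Added example for the BGPmon regex thread; this is not BGPmon's code and the
sanitizer below is an assumption about the kind of bug the reply describes.
"""
import re


def stripslashes(s: str) -> str:
    """Mimic PHP stripslashes(): drop the backslash from every escape sequence."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append(s[i + 1])   # keep the escaped character, lose the backslash
            i += 2                      # a trailing lone backslash is dropped
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def buggy_save(user_input: str) -> str:
    """Form handler that 'sanitizes' on every save. Regex escapes do not survive."""
    return stripslashes(user_input)


def safe_save(user_input: str) -> str:
    """Validate the field as a regex and store it verbatim.
    Escaping belongs at the output boundary (parameterized SQL, HTML escaping),
    not on the stored value."""
    re.compile(user_input)             # raises re.error on an invalid pattern
    return user_input


def simulate_edits(save, pattern: str, edits: int = 2) -> list:
    """Save the pattern, then re-open the stored value and save it again,
    as an operator editing the form would. Returns the stored value after each save."""
    stored, history = pattern, []
    for _ in range(edits):
        stored = save(stored)
        history.append(stored)
    return history


def matches_path(pattern: str, as_path: str) -> bool:
    """Does the stored alarm regex fire on this AS path string?"""
    return re.search(pattern, as_path) is not None


if __name__ == "__main__":
    # constructed sample: alarm if the path starts with 3356 followed by 174
    pattern = r"^3356\s+174"
    path = "3356 174 65000"
    print("buggy :", simulate_edits(buggy_save, pattern), matches_path(buggy_save(pattern), path))
    print("double:", simulate_edits(buggy_save, r"^3356\\s+174"))
    print("safe  :", simulate_edits(safe_save, pattern), matches_path(safe_save(pattern), path))
```

The `double` line is the workaround from the thread: `\\s` comes out of the first save as `\s` and works, but the next edit round-trips the stored `\s` through the sanitizer again and it silently becomes `s`, which is exactly how the false positives appear.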
RE: Inaccessible network from Verizon, accessible elsewhere.
Yes I am in Rockland. I failed to mention that I was having issues with consumer FIOS. Is anyone with Verizon on this list? This morning www.cisco.com and www.nfl.com work now. They didn't last night. There are still some websites that won't load or are slow to load.

From: mh...@ox.com
To: maill...@webjogger.net; nanog@nanog.org
Date: Mon, 12 Dec 2011 08:44:56 -0500
Subject: RE: Inaccessible network from Verizon, accessible elsewhere.

DSLReports Verizon forum reports routing issues in Westchester, Rockland and Nassau. I tried a few traceroutes this morning. Some went through fine, others died at the first hop within Verizon. People are reporting mixed results calling Verizon. Some techs are saying it's a known issue, others are going through the standard script (reboot router, reboot ONT, check settings on browser, i.e. clueless, even to the point of saying that the person's router is bad and they would send them a new one).

Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-Original Message-
From: Adam Greene [mailto:maill...@webjogger.net]
Sent: Monday, December 12, 2011 1:27 AM
To: nanog@nanog.org
Subject: Re: Inaccessible network from Verizon, accessible elsewhere.

We're having strange issues in NYC metropolitan area. We can trace from Verizon FIOS to some IP addresses of our ASN 11579 block. Others don't work. The IP's that don't work seem to die at 130.81.107.228 on the Verizon network. Something is rotten in Denmark. Or NY. You know what I mean.

On 12/12/2011 1:02 AM, Christopher Morrow wrote:
On Sun, Dec 11, 2011 at 10:54 PM, Matthew Huff mh...@ox.com wrote:
Consumer fios. Verizon forums are full of posts about it. Too tired this evening to worry about it. :(
I'll have to do some testing when I get near a consumer fios then... So, they squash all DNS NOT to their complexes, that seems rather dastardly of them... considering they deployed that hateful paxfire/nominum garbage on their recursive servers :(
-chris

On Dec 11, 2011, at 10:48 PM, Christopher Morrow morrowc.li...@gmail.com wrote:
On Sun, Dec 11, 2011 at 10:28 PM, Matthew Huff mh...@ox.com wrote:
I'm seeing the same thing from my home lan via fios. I've run a recursive dns server for years and can't reach the roots. Had to switch to using verizon's dns servers as forwarders.
business or consumer fios?

 3  G0-9-4-7.WASHDC-LCR-22.verizon-gni.net (130.81.104.180)  6.662 ms  6.739 ms  6.788 ms
 4  so-14-0-0-0.RES-BB-RTR2.verizon-gni.net (130.81.22.56)  6.852 ms  15.384 ms  8.184 ms
 5  0.ae2.BR1.IAD8.ALTER.NET (152.63.32.158)  12.857 ms  12.927 ms  13.004 ms
 6  dcp-brdr-03.inet.qwest.net (63.146.26.105)  12.429 ms  7.847 ms  6.464 ms
 7  lap-brdr-03.inet.qwest.net (67.14.22.78)  89.140 ms  88.929 ms  89.032 ms
 8  63.146.26.70 (63.146.26.70)  94.879 ms  94.580 ms  93.120 ms
 9  sl-crs1-kc-0-0-0-2.sprintlink.net (144.232.18.112)  58.520 ms  58.330 ms  58.186 ms
10  144.232.25.193 (144.232.25.193)  49.950 ms  sl-crs1-oma-0-9-2-0.sprintlink.net (144.232.2.177)  49.962 ms  sl-crs1-oma-0-8-0-0.sprintlink.net (144.232.8.171)  47.687 ms
11  sl-crs1-oro-0-3-3-0.sprintlink.net (144.232.25.207)  84.416 ms  83.266 ms  sl-crs1-oro-0-12-3-0.sprintlink.net (144.232.25.73)  84.667 ms
12  124.215.199.122 (124.215.199.122)  195.590 ms * *

all of this seems to point at some kddi.net router gobbling packets, no? (since pretty much everyone's got the same terminating hop) - also note that while some folks traverse L3, my route is via qwest... it's interesting that 701 isn't picking their other peer (sprint) here directly, no?

Sent from my iPad

On Dec 11, 2011, at 8:07 PM, Brandon Kim brandon@brandontek.com wrote:
I too am now experiencing issues. I cannot get to www.cisco.com and various websites. Some websites work lightning quick, some take a long time to load, and some just don't load at all.

Date: Mon, 12 Dec 2011 09:55:40 +0900
From: ra...@psg.com
To: nanog@nanog.org
Subject: Re: Inaccessible network from Verizon, accessible elsewhere.

from home lan
% traceroute gw-li377.linode.com
traceroute to gw-li377.linode.com (106.187.34.1), 64 hops max, 52 byte packets
 1  192.168.0.1 (192.168.0.1)  1.471 ms  0.725 ms  0.555 ms
 2  tokyo10-f03.flets.2iij.net (210.149.34.72)  7.241 ms  6.651 ms  6.939 ms
 3  tokyo10-ntteast0.flets.2iij.net (210.149.34.157)  5.573 ms  6.109 ms  5.346 ms
 4  tky001lip20.iij.net (210.149.34.97)  6.410 ms  7.471 ms  7.934 ms
 5  tky001bb10.iij.net (58.138.100.209)  6.670 ms  9.251 ms  5.866 ms
 6  tky009bf00.iij.net (58.138.80.17)  6.730 ms  tky008bf02.iij.net (58.138.80.13)  7.021
RE: Inaccessible network from Verizon, accessible elsewhere.
I too am now experiencing issues. I cannot get to www.cisco.com and various websites. Some websites work lightning quick, some take a long time to load, and some just don't load at all.

Date: Mon, 12 Dec 2011 09:55:40 +0900
From: ra...@psg.com
To: nanog@nanog.org
Subject: Re: Inaccessible network from Verizon, accessible elsewhere.

from home lan
% traceroute gw-li377.linode.com
traceroute to gw-li377.linode.com (106.187.34.1), 64 hops max, 52 byte packets
 1  192.168.0.1 (192.168.0.1)  1.471 ms  0.725 ms  0.555 ms
 2  tokyo10-f03.flets.2iij.net (210.149.34.72)  7.241 ms  6.651 ms  6.939 ms
 3  tokyo10-ntteast0.flets.2iij.net (210.149.34.157)  5.573 ms  6.109 ms  5.346 ms
 4  tky001lip20.iij.net (210.149.34.97)  6.410 ms  7.471 ms  7.934 ms
 5  tky001bb10.iij.net (58.138.100.209)  6.670 ms  9.251 ms  5.866 ms
 6  tky009bf00.iij.net (58.138.80.17)  6.730 ms  tky008bf02.iij.net (58.138.80.13)  7.021 ms  tky009bf00.iij.net (58.138.80.17)  8.593 ms
 7  tky001ix05.iij.net (58.138.82.2)  9.767 ms  tky001ix05.iij.net (58.138.82.6)  6.101 ms  tky001ix01.iij.net (58.138.80.106)  8.420 ms
 8  203.181.102.61 (203.181.102.61)  19.514 ms  203.181.102.21 (203.181.102.21)  6.054 ms  203.181.102.61 (203.181.102.61)  11.478 ms
 9  otejbb203.kddnet.ad.jp (118.155.197.129)  7.457 ms  otejbb203.kddnet.ad.jp (59.128.7.129)  7.835 ms  otejbb204.kddnet.ad.jp (59.128.7.130)  7.824 ms
10  cm-fcu203.kddnet.ad.jp (124.215.194.180)  15.860 ms  16.401 ms  cm-fcu203.kddnet.ad.jp (124.215.194.164)  17.519 ms
11  124.215.199.122 (124.215.199.122)  7.892 ms  *  11.984 ms
RE: he.net down?
Since we're on the topic of DoS. What best practice actions can be taken AFTER such an attack? Subject: Re: he.net down? From: patr...@ianai.net Date: Mon, 3 Oct 2011 19:33:10 -0400 To: nanog@nanog.org On Oct 3, 2011, at 7:25 PM, Nate Itkin wrote: On Mon, Oct 03, 2011 at 11:14:03PM +, Michael J McCafferty wrote: Our session with them is up and down at Any2 at OWB. --Original Message-- From: Aiden Sullivan To: nanog@nanog.org Subject: he.net down? Sent: Oct 3, 2011 3:35 PM www.he.net seems to be down on both IPv4 and IPv6 -- does anyone know what is going on? -- Aiden Sent from my Verizon Wireless BlackBerry Blaming DDOS. http://status.linode.com The incident was a probable DDOS attack, but its behavior was unusual and difficult to identify. Our network engineers made some adjustments to the DOS countermeasures acquired after last week's incident, and that seems to have stabilized traffic flow. We apologize for the inconvenience. -Ben Larsen Hurricane Electric Internet Services Some supporting evidence would be nice. Exactly what do you expect a network which is attacked to post to NANOG, or a random web page, to prove they were attacked? Given the 1000s of network outages over the last decade, I can think of maybe a handful that supplied supporting evidence. As I said before, Mike the gang at HE are stand-up people. If they said it was a DoS, it was a DoS - although I note they did not say it was a DoS, just probably a DoS. But I extend my faith if their lack of prevarication to even statement as well. In fact, it speaks well that they are being equivocal until they are certain themselves. -- TTFN, patrick
RE: events
I've been testing ManageEngine's Syslog application. It works pretty good so far, I haven't really hammered it with a lot of devices. Splunk is supposed to be king of the hill I hear, but so is their pricing.

Date: Fri, 30 Sep 2011 09:50:29 -0400
Subject: events
From: harbor...@gmail.com
To: nanog@nanog.org

What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there?
Mike
RE: events
Is it really that expensive, and WORTH the expense?

Date: Fri, 30 Sep 2011 10:37:22 -0600
Subject: Re: events
From: pfu...@gmail.com
To: harbor...@gmail.com
CC: nanog@nanog.org

We use splunk works ok except with the amount of text data you can process with it (depends on license).
-B

On Fri, Sep 30, 2011 at 7:50 AM, harbor235 harbor...@gmail.com wrote:
What is everyone using to collect, alert, and analyze syslog data? I am looking for something that can generate reports as well as support multiple vendors. We have done some home grown stuff in the past but would be interested in something that incorporates all the best features. Solarwinds, splunk, fwanalog, and others come to mind, any other good ones out there?
Mike

-- () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments Disclaimer: http://goldmark.org/jeff/stupid-disclaimers/
RE: events
Thank you! That's a bummer about the way they license their product. All it takes is another splunk company to come out with something just as competitive I've been happy with my basic ManageEngine's syslog, but I may be looking at Solarwinds too... Date: Fri, 30 Sep 2011 11:36:58 -0600 Subject: Re: events From: mlof...@wgops.com To: brandon@brandontek.com CC: pfu...@gmail.com; harbor...@gmail.com; nanog@nanog.org On Fri, Sep 30, 2011 at 11:21 AM, Brandon Kim brandon@brandontek.com wrote: Is it really that expensive, and WORTH the expense? IMO, from price quotes I've gotten in the past, it's astronomically expensive. As for worth it...depends. If you're dealing with events for say payment processing systems, it might be. But as a general use tool, it's way outside of being worth it. You license based on the incoming bytes of logging data. But you still have to buy the hardware to process it. They also expect you to pay for that license time and time again.
RE: events
Good question, we do not use manageengine for NMS and I have no desire to use them either. I tried their NMS platform last year and it was ok, the interface just seemed a little clunky Setting up ManageEngine syslog was a breeze and now we get alerts based on what kind of messages we want, it's pretty hands off, I'm sure you could fine tune it further... But I hear that solarwinds NPM has syslog built into it, so I'm thinking of going with one product that covers it all Subject: Re: events From: ja...@lixfeld.ca Date: Fri, 30 Sep 2011 14:21:38 -0400 To: nanog@nanog.org On 2011-09-30, at 2:13 PM, Brandon Kim wrote: I've been happy with my basic ManageEngine's syslog, but I may be looking at Solarwinds too... I've just installed the Splunk eval myself, but I'm curious about your ManageEngine experiences. I don't have any interest in using ManageEngine as an NMS; I have a couple of tools that I use for that already. Can you use ManageEngine's syslog without having to set it up to monitor all of your devices first? Have you looked at the TRAP support in ManageEngine?
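The thread asks for something that collects syslog from several vendors and alerts on what matters. The core of any such tool, whether Splunk, ManageEngine or home-grown, is a parser that splits the PRI field into facility and severity, a few vendor-specific message patterns normalized to one event type, and stateful rules that fire on thresholds rather than single lines. The script below is an added example of that core and is not code from any product named in the thread. The sample lines are constructed (an IOS-style link-down, a Junos-style mib2d trap, OpenSSH authentication failures with RFC 5737 documentation addresses, and one line that is not syslog at all, to exercise the unparsed path).

```python
"""Minimal syslog collector core: parse RFC 3164-style lines, normalize
vendor-specific link-down messages, and raise threshold-based alerts.

Added example for the 'events' thread; not code from Splunk, ManageEngine,
Solarwinds or any other product. SAMPLE_LINES are constructed for the example.
"""
import re
from collections import Counter

# <PRI>TIMESTAMP HOST MESSAGE   (PRI = facility*8 + severity)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Vendor-specific wording for the same event, normalized to one rule.
LINK_DOWN_PATTERNS = [
    re.compile(r"%LINK-\d-UPDOWN: Interface (?P<ifname>\S+), changed state to down"),  # IOS-style
    re.compile(r"SNMP_TRAP_LINK_DOWN: .*ifName (?P<ifname>\S+)"),                      # Junos mib2d-style
]
AUTH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

SAMPLE_LINES = [  # constructed sample input
    "<187>Sep 30 09:50:01 core-rtr1 1234: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<28>Sep 30 09:50:02 edge-rtr2 mib2d[1501]: SNMP_TRAP_LINK_DOWN: ifIndex 512, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/1",
    "<38>Sep 30 09:50:03 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "<38>Sep 30 09:50:04 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2",
    "<38>Sep 30 09:50:05 bastion sshd[2204]: Failed password for root from 203.0.113.5 port 51024 ssh2",
    "<38>Sep 30 09:50:06 bastion sshd[2210]: Accepted publickey for ops from 198.51.100.7 port 40022 ssh2",
    "<186>Sep 30 09:50:07 core-rtr1 %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed",
    "this line is not syslog at all",
]


def parse_line(line: str):
    """Return a dict with facility, severity, ts, host, msg; None if not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                       # 23*8 + 7 is the largest legal PRI
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,            # 0=emerg ... 7=debug
        "ts": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def analyze(lines, auth_threshold: int = 3) -> dict:
    """Run the alert rules over an iterable of raw lines.

    Rules: severity crit or worse; any vendor's link-down; N or more failed
    logins from one source to one host (fires once, at the Nth failure)."""
    alerts, unparsed = [], []
    failures = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)       # keep, do not drop: unknown formats are findings too
            continue
        for pat in LINK_DOWN_PATTERNS:
            m = pat.search(ev["msg"])
            if m:
                alerts.append({"rule": "link_down", "host": ev["host"], "detail": m.group("ifname")})
                break
        m = AUTH_FAIL_RE.search(ev["msg"])
        if m:
            key = (ev["host"], m.group("src"))
            failures[key] += 1
            if failures[key] == auth_threshold:
                alerts.append({"rule": "auth_bruteforce", "host": ev["host"],
                               "detail": f"{auth_threshold} failures from {m.group('src')}"})
        if ev["severity"] <= 2:
            alerts.append({"rule": "high_severity", "host": ev["host"], "detail": ev["msg"]})
    return {"alerts": alerts, "unparsed": unparsed, "auth_failures": dict(failures)}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES)["alerts"]:
        print(alert)
```

Two design points worth carrying into whatever product you end up buying: the facility/severity split comes from the PRI, so a device that logs everything at local7/info (the default on a lot of gear) will never trip a severity rule until you fix its logging config; and the brute-force rule keys on (host, source) and fires exactly once at the threshold, which is what keeps a noisy scanner from paging you three hundred times.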
RE: Mailing list/group for datacenter facilities folks
I would love to be a part of this list if there is one!!! Cooling is not as easy as just pumping cold air into a room. From: drew.wea...@thenap.com To: nanog@nanog.org Date: Wed, 7 Sep 2011 14:28:05 -0400 Subject: Mailing list/group for datacenter facilities folks Just wondering, Is anyone aware whether there is already an active mailing list/group for datacenter facilities folks to discuss power, cooling, physical infrastructure, etc, etc...? thanks, -Drew
RE: Mailing list/group for datacenter facilities folks
I'd like to have discussions on air flow, CRAC units, A/B power circuits, best practices etc etc.

From: a...@corp.nac.net
To: brandon@brandontek.com; drew.wea...@thenap.com; nanog@nanog.org
Date: Wed, 7 Sep 2011 15:20:56 -0400
Subject: RE: Mailing list/group for datacenter facilities folks

Perhaps there should be a DC track at NANOG? One of the reasons I have not gone in years. I have much knowledge and experience to share, but no one to share it with.

I would love to be a part of this list if there is one!!! Cooling is not as easy as just pumping cold air into a room.

Just wondering, Is anyone aware whether there is already an active mailing list/group for datacenter facilities folks to discuss power, cooling, physical infrastructure, etc, etc...?
RE: Mailing list/group for datacenter facilities folks
LOL too funny guys.. I agree it has to do with air flow, plus temps have to be just right. You don't want it too cold and equipment start freezing or ice forming.

Date: Wed, 7 Sep 2011 18:32:01 -0700
From: sur...@mauigateway.com
To: nanog@nanog.org
Subject: Re: Mailing list/group for datacenter facilities folks

- From: Jimmy Hess mysi...@gmail.com
- On Wed, Sep 7, 2011 at 2:06 PM, Brandon Kim brandon@brandontek.com wrote:
Cooling is not as easy as just pumping cold air into a room.
: There are many ways of accomplishing that. One of the best ways
: is to put your room in an already cold environment, in contact
: with an excellent thermal conductor.
: snip
: For example... server room in the arctic region,
--
Years ago there was a guy on this list that ran the network at the Antarctic station and he told me that he had overheating issues in his datacenter, so it may not be as easy as one would think... ;-)
scott
RE: Point to MultiPoint VPN w/qos
Yes, a SonicWALL NSA 240 has 8 interfaces built in. This sounds like a very fun project.

Date: Tue, 6 Sep 2011 08:49:13 -0500
Subject: Point to MultiPoint VPN w/qos
From: positivelyoptimis...@gmail.com
To: nanog@nanog.org

Greetings. We have acquired a new client that has 98 remote endpoints. At each site there is a need for 4 ip telephones and two vpn tunnels back to two separate datacenters. (1 voice, 1 citrix farm). The sites don't talk to each other, just to the two data centers. Does anyone have a suggestion for a single piece of hardware that would support 8 or less Ethernet interfaces and the two vpn tunnels?
Thanks -Optimistic
RE: serviceproviderworld.com
I agree, this sounds like a great idea. Just checked it out, they could lose the 90's style logo though... try web 2.0... at the very least... haha... =)

From: p...@paulstewart.org
To: nanog@nanog.org
Subject: serviceproviderworld.com
Date: Thu, 1 Sep 2011 21:58:01 -0400

Hey folks... I know a couple of folks behind this new site and thought it would be worthwhile for the NANOG community to be made aware of it. http://www.serviceproviderworld.com/ It's basically going to be a directory of service providers across the world - that's the plan as I understand it. End-users can visit and review their service providers etc. Personally, I think this is a great concept - I've seen some online directories of providers and most of them are either entirely Canada based or US based and in my opinion not that great. Please bear in mind that this site is literally getting started - there is an email link I found at the bottom of the site where you can email the group for assistance/questions/feedback. Just an FYI ...
Thanks, Paul
RE: network issue help
haha! Spammingtree! I love it!!!

From: leigh.por...@ukbroadband.com
To: ja...@biel-tech.com
Subject: Re: network issue help
Date: Wed, 10 Aug 2011 21:50:27 +
CC: nanog@nanog.org

I just wish spammingtree was on by default.
-- Leigh Porter

On 10 Aug 2011, at 22:47, Jason Biel ja...@biel-tech.com wrote:
Is it to the point where I can just forward the emails from help desk to NANOG so I don't have to answer them?
Biel

On Wed, Aug 10, 2011 at 4:39 PM, -Hammer- bhmc...@gmail.com wrote:
LOL
-Hammer- I was a normal American nerd -Jack Herer

On 08/10/2011 04:37 PM, Tim Vollebregt wrote:
http://www.amazon.com/Networking-Dummies-Doug-Lowe/dp/0470534052
Here you go..

On Aug 10, 2011, at 11:35 PM, Deric Kwok wrote:
Hi There is problem in our network. The connection is disappearing. ls it about looping? How can I check it in switch? ls spammingtree disabled by default? Thank you so much
-- Jason

This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email
RE: From Quebec
haha too funny. All in good humor..

From: rbon...@juniper.net
To: nanog@nanog.org
Date: Sun, 24 Jul 2011 10:09:11 -0400
Subject: RE: From Quebec

Folks, Sorry! I meant to send this email to my wife and daughter. Fat fingers early in the morning.
Ron

-Original Message-
From: Ronald Bonica
Sent: Sunday, July 24, 2011 9:29 AM
To: dbonica; North American Network Operators' Group
Subject: From Quebec

Hi Folks, I arrived in Quebec at about midnight last night. (United is always late). Dorothy, the VIRTUS forms are on the printer. Please have Amanda fill them out immediately. Ask Dylan if he is willing to help in autumn. If not, offer Donna $40 to pay for his investigation. I will reimburse you when I get back.
Ron

NANOG mailing list NANOG@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog
RE: VPN over slow Internet connections
If I had to guestimate, the performance would be horrible considering the VPN overhead in itself. You can't choose UDP or TCP, that is all based on the applications being used within the tunnel. So the apps will decide what protocols they will need to use, which will then be encapsulated by IPSEC. It could work, but you may not be happy and it may not provide the desired performance that you need to be productive.

Date: Thu, 21 Apr 2011 17:55:32 +0100
From: bw...@mube.co.uk
To: nanog@nanog.org
Subject: VPN over slow Internet connections

Dear all,

Can anyone share any thoughts or experiences for VPN links running over slow Internet connections, typically 2kB/s - 3kB/s (think 33.6k modem)?

We are looking into utilising OpenVPN for out-of-office workers who would be running mobile broadband in rural areas. Typical data across the wire would be SQL queries for custom applications and not much else.

Some initial thoughts include...

* How well would the connection handle certificate (= 2048 bit key) based authentication?
* Is UDP or TCP better considering the speed and possibility of packet loss (no figures to hand)?
* Is VPN over this type of connection simply a bad idea?

Many thanks in advance.

Kind regards,
Ben Whorwood
RE: VPN over slow Internet connections
I vote for Patrick's idea of allowing the end user to remote into a machine where the SQL resides. This would eliminate a lot of potential issues... wish I had thought of that first!!!

Subject: RE: VPN over slow Internet connections
Date: Thu, 21 Apr 2011 13:10:09 -0400
From: dar...@armc.org
To: bw...@mube.co.uk; nanog@nanog.org

There's not that much overhead--your certs should be ok. TCP for SQL would just make sense.

I personally wouldn't want to do what you are contemplating. Here's some stuff to think about:

1. your modems will not be able to do compression. You can't easily compress random data (e.g. encrypted).
2. you won't get 33.6 unless your phone lines are pristine. You better plan on 28.8--if you are lucky.
3. I would hone my SQL sharply so it produces the smallest most relevant data sets possible.
4. you might want to give them some kind of terminal/shell access for doing their SQL remotely, instead of from home. Telnet or SSH. If you used SSH you could obviate using a separate VPN, you could use -C for compression, and you could do your SQL on the server side (or the on-site side)--all in all a speedier alternative.

--Patrick Darden

-Original Message-
From: Ben Whorwood [mailto:bw...@mube.co.uk]
Sent: Thursday, April 21, 2011 12:56 PM
To: nanog@nanog.org
Subject: VPN over slow Internet connections

Dear all,

Can anyone share any thoughts or experiences for VPN links running over slow Internet connections, typically 2kB/s - 3kB/s (think 33.6k modem)?

We are looking into utilising OpenVPN for out-of-office workers who would be running mobile broadband in rural areas. Typical data across the wire would be SQL queries for custom applications and not much else.

Some initial thoughts include...

* How well would the connection handle certificate (= 2048 bit key) based authentication?
* Is UDP or TCP better considering the speed and possibility of packet loss (no figures to hand)?
* Is VPN over this type of connection simply a bad idea?

Many thanks in advance.

Kind regards,
Ben Whorwood
RE: VPN over slow Internet connections
Nothing like getting into the groove, then losing your connection, waiting for the modem to dial back up and then trying to figure out what you were just doing!!! Again, it goes back to what I mentioned, it could work but how will that affect your overall productivity. Is over the air 3G or 4G not available? I'm assuming that modem is being used because broadband is not in the area.

Date: Thu, 21 Apr 2011 14:02:30 -0400
From: ryanc...@gmail.com
To: nanog@nanog.org
Subject: Re: VPN over slow Internet connections

On 04/21/2011 01:32 PM, Brandon Kim wrote:
I vote for Patrick's idea of allowing the end user to remote into a machine where the SQL resides. This would eliminate a lot of potential issues... wish I had thought of that first!!!

I third this idea. Using screen would be a good idea as well.

This reminds me of a project I worked on last century where we had people direct dialing our facility over modems to use a custom DB front end presented using Citrix. One of the big challenges was dropped calls. Persistence is your friend under these circumstances. At least the end users don't lose work.
RE: To the people who answer tech questions on this list
I'm never afraid to ask a question, just as long as I've done my homework (due diligence) and am not using this group to do work for me. Believe me, this group has helped me tremendously.

As for LinkedIn, I have nothing against it, but I don't use it. I don't have an account on it and not sure I ever want to. I'm already slightly on facebook, and very active on twitter, so nothing against linkedin, but there's just too many social media websites to keep track of. Perhaps one day I will give it a try. =)

Brandon

Date: Wed, 16 Feb 2011 19:03:59 -0800
Subject: To the people who answer tech questions on this list
From: wavetos...@googlemail.com
To: nanog@nanog.org

This list serves a number of purposes and one of them is to answer technical networking questions. But this list is also not the only place that these types of questions are asked. For instance, LinkedIn has a QA feature where people can ask and answer questions on a wide range of topics. Just today I came across this BGP question:
http://www.linkedin.com/answers/technology/information-technology/computer-networking/TCH_ITS_CNW/792993-20766406

I would never suggest that LinkedIn could replace the NANOG mailing list, but it is an interesting complement to it. There is a NANOG group here:
http://www.linkedin.com/groups?mostPopular=gid=40718
and a number of people are using LinkedIn for professional purposes.

I know many of you tried out Orkut and then migrated to Multiply.com and found them lacking. But I would suggest that LinkedIn might be more useful, in particular, to provide an entry level tier for questions. A lot of NANOG members are rather intimidated to ask questions which might seem too beginner and I think that the NANOG group on LinkedIn might be a good place to encourage such questions in order to draw out more discussion among NANOG members without boosting the mailing list traffic.

What do you think? (Probably best to answer this on the NANOG group over at...

--Michael Dillon
http://www.linkedin.com/profile/view?id=13566587
RE: SmartNet Alternatives
Sometimes you have to pick your battles. I'm sure there's a number cruncher somewhere telling Cisco this is a good idea. Let's see how the real world reacts though.

Subject: RE: SmartNet Alternatives
Date: Sat, 12 Feb 2011 13:33:32 -0800
From: ryan.finne...@harrierinvestments.com
To: nanog@nanog.org
CC: jmacl...@alentus.com

This is one of the reasons we are starting to look at Juniper for a new network build. It is my understanding we get software updates for life for free.

Cheers
Ryan

-Original Message-
From: Michael Loftis [mailto:mlof...@wgops.com]
Sent: Friday, February 11, 2011 4:27 PM
To: John Macleod
Cc: nanog@nanog.org
Subject: Re: SmartNet Alternatives

Cisco is making noises that they'll eventually be restricting software access to ONLY those devices which have an active SmartNet contract associated to your CCO account. I don't know where this currently stands, and it sure will be a huge pain in my rear if/when it happens.

On Fri, Feb 11, 2011 at 1:41 PM, John Macleod jmacl...@alentus.com wrote:

Just interested in other people's experience of companies offering alternatives to SmartNet? Pros/Cons/Tradeoffs? We currently have a mix of SmartNet and internal parts supply.

John

__
John Macleod
Alentus UK Limited
Seymour House, South Street, Bromley BR1 1RH
+44 (0)208 315 5800
+44 (0)208 315 5801 fax
alentus.co.uk | alentus.com
RE: Web Server and Firewall Help
If you're getting SQL injections through your website, then you have to look at the programming of your website. It has nothing to do with your firewall. Definitely patch and update all your software running LAMP, but you also have to check how you allow input on your websites.

Subject: Re: Web Server and Firewall Help
From: ts...@oitc.com
Date: Mon, 7 Feb 2011 13:26:39 -0500
To: joshua.kl...@gmail.com
CC: nanog@nanog.org

On Feb 7, 2011, at 1:18 PM, Joshua William Klubi wrote:

Hi,

I run a web-server based on Ubuntu server and the LAMP stack. I used Ubuntu's UFW firewall model and have enabled only Web and SSH ports, namely port 80 and port 22 only.

Unfortunately once in a while some guys get to inject some content onto our web pages. Now management is looking at getting a well proven infrastructure to counter that. But I also think I can fall on this community to help me get the right stuff done, where I can protect the server from such attack.

I want to know what measures I can take on the server to get it protected and which MySQL protection I should implement, since I can see that it might be a PHP or MySQL injection that is being used.

Currently I run these security measures on it:
Ubuntu UFW
Fail2ban
PHP model security
Apache security

Josh

Patch your LAMP, collab env, builtin boards and everything, make sure MySQL has a password on it since it doesn't out of the box, also update all passwords to hard ones and change all updates in the future to not use FTP first. Close firewall ports you are not using and then check your logs to see what vulnerabilities you still have if any.

Tom
RE: Good MPLS/VPLS book?
Wow thanks for the heads up! I went ahead and bought the other MPLS books, I guess I'll have to go get this one too now... This is very early. I wonder why the rush?

Subject: Re: Good MPLS/VPLS book?
From: jeff.richm...@gmail.com
Date: Thu, 20 Jan 2011 11:24:21 -0800
CC: franc...@menards.ca; mounir.moha...@gmail.com; nanog@nanog.org
To: brandon@brandontek.com

FYI, the 3rd edition was released early. Was delivered this morning from Amazon. It has a whole new chapter on MPLS-TP (Ch. 17).

Hope this helps,
-Jeff

On Dec 26, 2010, at 7:29 AM, Brandon Kim wrote:

Decisions decisions, I do have other MPLS books I have not finished. I suppose I can finish them before picking this up and then getting the 3rd edition... might be good timing. Good thing I didn't order the 2nd edition the other day!

Subject: Re: Good MPLS/VPLS book?
From: franc...@menards.ca
Date: Sat, 25 Dec 2010 20:42:24 -0500
To: mounir.moha...@gmail.com
CC: nanog@nanog.org

Looks like a third edition is on the way slated for March 2011
http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Communications/dp/0470665459/ref=ntt_at_ep_dpt_2

I would expect it to cover MPLS-TP and the struggling evolution of PBB-TE ... anybody has any idea if this is in ?

F.

On 2010-12-24, at 7:47 AM, Mounir Mohamed wrote:

The most comprehensive text is MPLS Enabled Applications by Ina Minei
http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Communications/dp/0470986441/ref=sr_1_1?ie=UTF8qid=1293194786sr=8-1

On Fri, Dec 24, 2010 at 12:49 AM, Michael Helmeste mhelm...@uvic.ca wrote:

Does anyone have a favorite book or resource discussing MPLS and all associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et. al.)? I understand the basics of what MPLS is and how you create a circuit from A to B but I'm afraid it still escapes me when trying to figure out how someone would, say, create a multicast capable VPN with 5 edge points.

Any pointers to a good way to reduce my level of ignorance on this subject would be appreciated. Vendor literature doesn't bother me as long as the concepts are there.

Regards,
Michael H.

-- Best Regards,
Mounir Mohamed, CCIE#19573 (RS/SP)
Senior Network Engineer, Core Team.
NOOR Data Networks, SAE
Mobile# +2-010-2345-956
http://mounirmohamed.wordpress.com
http://www.linkedin.com/in/mounirmohamed
Securing Border Routers
Gents:

What measures do you take to protect your border routers? Our routers are running BGP so I'm interested if there is any way to secure them without interfering with BGP? Is it normal to put a firewall in front of the border routers?

I'm concerned about DDOS attacks mainly... although we haven't had any, I don't welcome them.

Brandon
RE: Securing Border Routers
What an insightful link! Thank you, I am reading it now.

From: bryan.we...@arrisi.com
To: nanog@nanog.org
Date: Wed, 19 Jan 2011 16:38:43 -0800
Subject: RE: Securing Border Routers

I ALWAYS start with the CYMRU secure bgp templates, found here:
http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html

I personally would not recommend a firewall in front of your router, sufficient ACL'ing should be enough for securing the router itself.

Bryan

-Original Message-
From: Brandon Kim [mailto:brandon@brandontek.com]
Sent: Wednesday, January 19, 2011 4:36 PM
To: nanog group
Subject: Securing Border Routers

Gents:

What measures do you take to protect your border routers? Our routers are running BGP so I'm interested if there is any way to secure them without interfering with BGP? Is it normal to put a firewall in front of the border routers?

I'm concerned about DDOS attacks mainly... although we haven't had any, I don't welcome them.

Brandon
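As an added example (not from this thread and not the Cymru template Bryan links), this is the shape of the "sufficient ACL'ing" he describes on a Cisco IOS border router: the interface ACL admits BGP only from the configured neighbour, drops everything else addressed to the router's own interface, and lets transit traffic through, while the session itself is protected with an MD5 password and GTSM. The link 203.0.113.0/30, the prefix 198.51.100.0/24, the interface name and the ASNs are placeholders from the documentation ranges.

```cisco
! Added example, not from the thread or the Cymru template. Placeholders: our side of
! the upstream link is 203.0.113.2/30, the peer is 203.0.113.1, our space is
! 198.51.100.0/24, our AS is 64496 and the upstream is AS 64500.
!
! --- 1. Interface ACL on the upstream-facing link
ip access-list extended UPSTREAM-A-IN
 remark Anti-spoof: our own prefix must never arrive from the upstream
 deny   ip 198.51.100.0 0.0.0.255 any
 remark BGP: only the configured neighbour may open or answer TCP/179 with us
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
 remark Anyone else knocking on TCP/179 is worth a log line (keep "logging rate-limit" on)
 deny   tcp any host 203.0.113.2 eq bgp log
 remark ICMP the router itself needs (path MTU discovery, replies to our own pings)
 permit icmp any host 203.0.113.2 packet-too-big
 permit icmp any host 203.0.113.2 echo-reply
 remark Everything else aimed at our own address is dropped. No "log" here: logging
 remark every packet of a flood turns the ACL into a self-inflicted DoS on the CPU.
 deny   ip any host 203.0.113.2
 remark Transit traffic towards our customers passes; customer filters live elsewhere
 permit ip any any
!
interface GigabitEthernet0/0
 description Upstream A, AS 64500
 ip address 203.0.113.2 255.255.255.252
 ip access-group UPSTREAM-A-IN in
 ! Loose-mode uRPF: drop sources with no route at all, but tolerate the asymmetric
 ! paths a dual-homed border sees (strict mode would drop legitimate traffic here).
 ip verify unicast source reachable-via any
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! --- 2. Session protection on the neighbour itself
router bgp 64496
 bgp log-neighbor-changes
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 description Upstream A
 ! TCP MD5: both sides must agree on the key (placeholder value, set out of band)
 neighbor 203.0.113.1 password CHANGE-ME-PLACEHOLDER
 ! GTSM: only a directly connected peer can deliver packets with TTL 255, so
 ! spoofed BGP segments from further away are dropped before TCP sees them
 neighbor 203.0.113.1 ttl-security hops 1
```

None of this touches the BGP session (it only narrows who may open one), which was Brandon's stated concern; verify with "show ip access-lists UPSTREAM-A-IN" that the deny counters, not the BGP permits, are the ones growing during an incident.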
RE: Dual Homed BGP for failover
Someone should advise him that if he wants to take in a full BGP routing table that he makes sure his router can handle it! I would hate for him to open the floodgates and his production router shuts down. LOL

Date: Tue, 18 Jan 2011 13:12:18 -0600
From: jba...@brightok.net
To: b...@herrin.us
Subject: Re: Dual Homed BGP for failover
CC: ayousuf0...@gmail.com; nanog@nanog.org

On 1/18/2011 1:00 PM, William Herrin wrote:
IMO, that would be a mistake. Taking significantly less than a full table severely limits your options for balancing traffic between the links.

It should also be noted that taking a full table doesn't mean you have to use the full table. Apply filters to smaller routes or long ASPATHs that you don't want, and then assign preferences, communities, prepends, etc as necessary for the routes you actually accept. This means your sync time is longer and you'll have more updates, but it will still keep the local routing table much lower.

Jack
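Jack's advice in Cisco IOS terms, as an added example that is not part of the thread: a dual-homed router takes the full table from both upstreams, discards what it does not want before installation (too-long prefixes, bogons, paths through private ASNs, absurdly long AS paths), and only then sets local preference, tags with a community and prepends on the backup link; a maximum-prefix limit covers Brandon's worry about a router that cannot hold the table. ASNs 64496/64500/64501, the peer addresses in 203.0.113.0/24 and the prefix 198.51.100.0/24 are placeholders from the documentation ranges.

```cisco
! Added example, not from the thread. Placeholders: our AS 64496 announcing
! 198.51.100.0/24; Upstream A is 203.0.113.1 (AS 64500), Upstream B is 203.0.113.5 (AS 64501).
!
ip bgp-community new-format
!
! 1. Prefix filter: no default, nothing longer than /24 or shorter than /8,
!    no RFC 1918 space and never our own prefix from an upstream.
ip prefix-list UPSTREAM-IN seq 5   deny 0.0.0.0/0
ip prefix-list UPSTREAM-IN seq 10  deny 10.0.0.0/8 le 32
ip prefix-list UPSTREAM-IN seq 15  deny 172.16.0.0/12 le 32
ip prefix-list UPSTREAM-IN seq 20  deny 192.168.0.0/16 le 32
ip prefix-list UPSTREAM-IN seq 25  deny 198.51.100.0/24 le 32
ip prefix-list UPSTREAM-IN seq 100 permit 0.0.0.0/0 ge 8 le 24
!
! 2. AS-path filter: a path that transits a private 16-bit ASN is not a valid Internet
!    route. (The last alternative also matches 65536-65999; tighten it if you expect
!    32-bit ASNs in that range.)
ip as-path access-list 10 deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-9][0-9][0-9])_
ip as-path access-list 10 permit .*
!
! 3. Inbound policy: both matches must hold; survivors get a preference that makes
!    Upstream A primary and a community recording where the route came from.
route-map UPSTREAM-A-IN permit 10
 match ip address prefix-list UPSTREAM-IN
 match as-path 10
 set local-preference 200
 set community 64496:1001 additive
!
route-map UPSTREAM-B-IN permit 10
 match ip address prefix-list UPSTREAM-IN
 match as-path 10
 set local-preference 100
 set community 64496:1002 additive
!
! 4. Outbound: announce only our own aggregate; prepend on the link we want as backup.
ip prefix-list OUR-SPACE seq 5 permit 198.51.100.0/24
!
route-map UPSTREAM-A-OUT permit 10
 match ip address prefix-list OUR-SPACE
!
route-map UPSTREAM-B-OUT permit 10
 match ip address prefix-list OUR-SPACE
 set as-path prepend 64496 64496
!
router bgp 64496
 bgp log-neighbor-changes
 ! Drop any route whose AS path is longer than 50 hops, whatever the filters say
 bgp maxas-limit 50
 network 198.51.100.0 mask 255.255.255.0
 !
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 description Upstream A, full table, primary
 neighbor 203.0.113.1 route-map UPSTREAM-A-IN in
 neighbor 203.0.113.1 route-map UPSTREAM-A-OUT out
 ! Warn at 90% and shut the session at the limit instead of running out of memory
 neighbor 203.0.113.1 maximum-prefix 500000 90
 !
 neighbor 203.0.113.5 remote-as 64501
 neighbor 203.0.113.5 description Upstream B, full table, backup
 neighbor 203.0.113.5 route-map UPSTREAM-B-IN in
 neighbor 203.0.113.5 route-map UPSTREAM-B-OUT out
 neighbor 203.0.113.5 maximum-prefix 500000 90
```

The outbound filters are the part that protects everyone else: without the OUR-SPACE match, the router would re-announce Upstream A's full table to Upstream B and become a transit path for traffic it cannot carry.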
RE: Network Simulators
James:

I've been resisting GNS3 for the longest time, because I like real equipment and to get my hands a little dirty. But for the purpose of simulation, GNS3 helped me identify a BGP issue last week. If it weren't for GNS3, I would not have been able to figure it out. I will be using GNS3 in the future now for as much as I can. Remember it is more router oriented than switch. So you can't do any fancy L3 switching..

Date: Mon, 17 Jan 2011 10:05:21 -0500
From: ja...@freedomnet.co.nz
To: nanog@nanog.org
Subject: Re: Network Simulators

So far GNS3 has won out. It seems to work on my Mac fairly well. Trying it out now.

On 17/01/11 9:37 AM, Carlos Martinez-Cagnazzo wrote:

I am currently researching virtual simulation environments for the Networking courses that I teach. I am now interested in user-mode linux emulators as they provide more real environments. The one that I am liking the most right now is this one:
http://wiki.netkit.org/index.php/Main_Page

regards
Carlos

On Mon, Jan 17, 2011 at 12:20 PM, Arturo Servin arturo.ser...@gmail.com wrote:

GNS3
http://www.gns3.net/

This is another network simulator, mainly for academic research.
NS-2
http://www.isi.edu/nsnam/ns/

And you can always setup some virtual machines with DNSs, hosts and routers with open-source software.

regards,
-as

On 17 Jan 2011, at 11:58, James Jones wrote:

Are there any good Network Simulators/Trainers out there that support IPv6? I want to play around with some IPv6 setup.

-- James Jones
+1-413-667-9199
ja...@freedomnet.co.nz
RE: Is Cisco equipment de facto for you?
For ISL, I know they are trying to phase that out. For the exams, they are based on dot1q. Even if I had all Cisco equipment, I'd try to go with standards because you never know down the road where you may need to use another vendor. I wouldn't use EIGRP if given a choice, I'd go with OSPF or RIPv2.

Date: Thu, 13 Jan 2011 08:18:00 -0500
From: c...@wpi.edu
To: nanog@nanog.org
Subject: Re: Is Cisco equipment de facto for you?

On Wed, Jan 12, 2011 at 11:10:16PM -0800, Scott Weeks wrote:
To be fair to Cisco and maybe I'm way off here. But it seems they do come out with a way to do things first which then become a standard that they have to follow. ISL/DOT1Q HSRP/VRRP etherchannel/LACP

Yes, and then they keep their proprietary implementation instead of phasing it out, and no one migrates to the standard one which leads to vendor lockin.
RE: co-location and access to your server
If you're co-locating with us, you have access to your equipment 24x7. And we are also staffed 24x7 in the event you can't get to our location for whatever reason... (vacation etc...) Colos have their own rules I suppose, did you know about this before hosting with them?

Date: Wed, 12 Jan 2011 12:24:18 -0800
From: jer...@mompl.net
To: nanog@nanog.org
Subject: co-location and access to your server

Cruzio in Santa Cruz recently opened a little co-location facility. That makes two such facilities in Santa Cruz (the other being got.net), which could be a good thing for competition.

Their 1U offer comes with limited access to your server, only from 10AM to 6 PM. I find that not acceptable. Why wait until 10 AM when a disk breaks at 8 PM? But maybe I am being too picky. What is considered normal with regards to access to your co-located server(s)? Especially when you're just co-locating one or a few servers.

Thanks,
Jeroen

--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html
RE: Is Cisco equipment de facto for you?
For anyone that is following this thread/subject from yesterday, is it me or does it seem as if Cisco really isn't the choice for most SPs? Someone has mentioned that it all really depends on your needs and what it is you want to provide. IMO, every vendor has something they are good at. I wouldn't use Cisco for everything, nor Juniper etc etc...

The concern I sense is that from Cisco's POV, it's their way or the highway. Not only do you pay a premium for smartnet, but if there's an issue, they are quick to point the finger. That is not service/support that I desire. Is this what everyone is sensing as well? I'm starting to look at Brocade now just to do some fair comparisons.

Date: Tue, 11 Jan 2011 13:56:31 +
From: jethro.bi...@strath.ac.uk
To: nanog@nanog.org
Subject: Re: Is Cisco equipment de facto for you?

On Mon, 10 Jan 2011, Greg Whynott wrote:
Just as a pointer - one of the largest and most utilized IX (AMS-IX) has their platform built on Brocade devices.
Brocade devices pre Foundry purchase correct? I can't see anyone that large using Foundry in large deployments..

Probably not as large as AMS-IX, but London Internet Exchange (LINX): both as Foundry and Brocade.

Jethro.

Jethro R Binks, Network Manager, Information Services Directorate, University Of Strathclyde, Glasgow, UK
The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.
Is Cisco equipment de facto for you?
Hello gents:

I wanted to put this out there for all of you. Our network consists of a mixture of Cisco and Extreme equipment. Would you say that it's fair to say that if you are serious at all about being a service provider that your core equipment is Cisco based? Am I limiting myself by thinking that Cisco is the de facto vendor of choice?

I'm not looking for so much fanboy responses, but more of a real world experience of what you guys use that actually works and does the job. No technical questions here, just general feedback.

I try to follow the Tolly Group who compares products, and they continually show that Cisco equipment is a poor performer in almost any equipment compared to others, I find that so hard to believe.

Thanks!
Brandon
RE: Is Cisco equipment de facto for you?
Wow, overall consensus is that there are quite a few that are migrating to Juniper from Cisco. I am a bit biased because I have spent an awful amount of time invested into Cisco and understanding how to configure them. But being a former business owner, I also am very much sensitive to costs and business needs.

For those that have been Cisco focused, do you stay fully objective, and are you willing to pitch another vendor knowing that you will have to learn a new IOS? And that that will be your time that you'll have to spend to understand the product and support it?

We have been selling HP ProCurves to SMBs because of the cost factor. I don't really mind them all that much. I've tried to fit Cisco switches in the mix but their pricing is just so much more as well as the smartnet costs. They really price themselves out and that is unfortunate.

I will be looking at refreshing our core switches and routers soon so I will stay objective as much as I can. =)

To: nanog@nanog.org
Subject: Re: Is Cisco equipment de facto for you?
Date: Mon, 10 Jan 2011 10:36:24 -0600
CC: brandon@brandontek.com
From: tad1...@gmail.com

On Mon, 10 Jan 2011 09:31:32 -0600, Brandon Kim brandon@brandontek.com wrote:

Hello gents:

I wanted to put this out there for all of you. Our network consists of a mixture of Cisco and Extreme equipment. Would you say that it's fair to say that if you are serious at all about being a service provider that your core equipment is Cisco based? Am I limiting myself by thinking that Cisco is the de facto vendor of choice?

I'm not looking for so much fanboy responses, but more of a real world experience of what you guys use that actually works and does the job. No technical questions here, just general feedback.

I try to follow the Tolly Group who compares products, and they continually show that Cisco equipment is a poor performer in almost any equipment compared to others, I find that so hard to believe.

Cisco is typically not known as the fastest or most power efficient when compared to other vendors, but they usually have some advanced feature sets that are very nice. In the ISP space this may be less helpful, but in the SMB and Enterprise space this can be very helpful. Things such as Call Manager Express, Web Content Filtering, WebEx Nodes, Server Load Balancing, Wireless Lan Controllers, etc. that are either built into IOS or available with a line card or module, are nice tools to have at your disposal, and often can mean reducing the number of devices you need in your rack.

As for the Tolly group, I find whomever pays Tolly for the survey tends to be the fastest. Example:

Abstract: HP commissioned Tolly to evaluate the performance, power consumption and TCO of its E5400 zl and E8200 switch series and compare those systems with the Cisco Systems Catalyst 3750-X and Catalyst 4500.

This is because the Vendor is getting to pick what they want to benchmark rather than the company benchmarking them. No one is going to choose tests that their product will lose in. There isn't much in the way of Tom's Hardware Style testing of enterprise gear to my knowledge.

Cisco gear is also known for long life, being very consistent, and high reliability. A walk through colos you will often see many many Cisco 12000's for those exact reasons.

I feel each vendor has its strong points, price/performance may not be Cisco's but Cisco's ease of configuration and feature sets, along with reliability are definitely notable.

-=Tom
RE: Is Cisco equipment de facto for you?
To your point Andrey, it probably works both ways too. I'm sure HP would love to finger point as well. I remember reading for my CCNP one of the thought processes behind getting all Cisco is the very reason you pointed out, get all Cisco! How convenient though for Cisco to do that, I wonder if they are being sincere (sarcasm). Wouldn't it be a perfect world for Cisco to just have everyone buy their stuff... I think it's a cop out though and you really should try to support your product as best you can if it is connected to another vendor.

I'm sad to hear that TACACS took that route. I hope they at least tried their hardest to support you.

From: khomyakov.and...@gmail.com
Date: Mon, 10 Jan 2011 14:35:36 -0500
Subject: Re: Is Cisco equipment de facto for you?
To: nanog@nanog.org

There have been awfully too many times when Cisco TAC would just say that since the problem you are trying to troubleshoot is between Cisco and VendorX, we can't help you. You should have bought Cisco for both sides. I had that happen when I was troubleshooting LLDP between 3750s and Avaya phones, TACACS between Cisco and tac_plus daemon, link bundling between Juniper EX and Cisco, some obscure switching issues between CAT and ProCurves and other examples like that, just don't recall them anymore.

Every time I'm reminded that if you have a lot of Cisco on the network, the rest should be Cisco too, unless there is a very good technical/financial reason for it, but you should be prepared to be your own help in those cases. Vendors love to point at the other vendors for solutions. At least in my experience.

My $0.02
Andrey

On Mon, Jan 10, 2011 at 11:52 AM, Greg Whynott greg.whyn...@oicr.on.ca wrote:

I've tried to use other vendors throughout the years for internal L2/L3. Always Cisco for perimeter routing/firewalling.

From my personal experience, each time we took a chance and tried to use another vendor for internal L2 needs, we would be reminded why it was a bad choice down the road, due to hardware reliability, support issues, multiple and ongoing software bugs, architectural design choices. Then for the next few years I'd regret the decision. This is not to say Cisco gear has been without its issues, but they are much fewer and handled better when stuff hits the fan.

The only other vendor at this point in my career I'd feel comfortable deploying for internal enterprise switching, including HPC requirements, which is not Cisco branded, would be Force10 or Extreme.

It has always been Cisco for edge routing/firewalling, but I wouldn't be opposed to trying Juniper for routing, I know of a few shops who do and they have been pleased thus far. I've little or no experience with many of the other vendors, and I'm sure they have good offerings, but I won't be beta testing their firmwares anymore (one vendor insisted we upgrade our firmware on our core equipment several times in one year…).

Cisco isn't a good choice if you don't have the budget for the smart net contracts. They come at a price. A little 5505 with unrestricted license and contract costs over 2k, a 5540 about 40k-70k depending on options, with a yearly renewal of about 15k or more…

-g

--
Andrey Khomyakov [khomyakov.and...@gmail.com]
RE: Is Cisco equipment de facto for you?
"to which they would try and play the well most people don't mix gear.." ha! Funny if you responded with, "Oh really? Thanks I didn't know that, I guess I'll get all HP... who do I talk to, to return this Cisco router?"

From: greg.whyn...@oicr.on.ca
To: brandon@brandontek.com
CC: khomyakov.and...@gmail.com; nanog@nanog.org
Date: Mon, 10 Jan 2011 15:20:06 -0500
Subject: Re: Is Cisco equipment de facto for you?

Just a side note, HP probably was the most helpful vendor I've dealt with in relation to solving/providing inter vendor interoperability solutions. They have PDF booklets on many things we would run into during work. For example, setting up STP between Cisco and HP gear, ( http://cdn.procurve.com/training/Manuals/ProCurve-and-Cisco-STP-Interoperability.pdf ). At the time the other vendor in this case (Cisco) flat out refused to help us. This was a few years back tho, things may have changed. I'd ask support "you are not telling me I'm the _only_ customer trying to do this …" to which they would try and play the "well most people don't mix gear"..

HP's example should be the yard stick in the field.

-g

On Jan 10, 2011, at 3:04 PM, Brandon Kim wrote:

To your point Andrey, it probably works both ways too. I'm sure HP would love to finger point as well. I remember reading for my CCNP one of the thought processes behind getting all Cisco is the very reason you pointed out, get all Cisco! How convenient though for Cisco to do that, I wonder if they are being sincere (sarcasm). Wouldn't it be a perfect world for Cisco to just have everyone buy their stuff... I think it's a cop out though and you really should try to support your product as best you can if it is connected to another vendor.

I'm sad to hear that TACACS took that route. I hope they at least tried their hardest to support you.
RE: Is Cisco equipment de facto for you?
To be fair to Cisco, and maybe I'm way off here, but it seems they do come out with a way to do things first which then becomes a standard that they have to follow:

ISL/DOT1Q
HSRP/VRRP
etherchannel/LACP

Just some examples. I'm not aware of too many other vendors that create their own protocol which then becomes a standard?

Date: Mon, 10 Jan 2011 14:46:53 -0800
From: se...@rollernet.us
To: nanog@nanog.org
Subject: Re: Is Cisco equipment de facto for you?

On 1/10/2011 14:32, Jeff Kell wrote:

On 1/10/2011 3:20 PM, Greg Whynott wrote:

HP probably was the most helpful vendor I've dealt with in relation to solving/providing inter-vendor interoperability solutions. They have PDF booklets on many things we would run into during work. For example, setting up STP between Cisco and HP gear ( http://cdn.procurve.com/training/Manuals/ProCurve-and-Cisco-STP-Interoperability.pdf ).

Well, technically, the HP reference tells you how to convert your Cisco default PVST over to MST to match the HP preference. The handful of HP switches versus the stacks and stacks of production Cisco requiring conversion to suit them was intimidating to say the least :-)

To be fair, one is Cisco proprietary while the other is IEEE 802.1Q.

~Seth
RE: Is Cisco equipment de facto for you?
Thank you for this. I find him very honest and humble. Although he didn't mention Cisco, should I assume that he's probably thinking about Cisco without saying it?

For anyone that has watched this, he has mentioned going from dual star topology to an MPLS. Perhaps one can educate me a little on how that is better off-list? It is an interesting topology. Do you guys run MPLS internally as your main topology? I was a little confused on that part.

Date: Tue, 11 Jan 2011 01:17:39 +
From: lorddosk...@gmail.com
To: nanog@nanog.org
Subject: Re: Is Cisco equipment de facto for you?

http://www.youtube.com/watch?v=-aECSsfd4Wk

Watch this video. Now, I know that it is essentially advertisement from Brocade, but the guy from AMS-IX says something very interesting: For us it is important to have a board-level relationship with the vendor, no matter who it is.

So in the end this might be a factor in deciding which equipment to buy: whether your company will be able to have a higher-level relationship with your vendor so that you can expect appropriate treatment in case of emergency. With a bigger company this would be harder, though I think the position of account manager is essential for this, whereas with smaller companies it is easier to build such a relationship.
RE: Good MPLS/VPLS book?
Decisions, decisions. I do have other MPLS books I have not finished. I suppose I can finish them before picking this up and then getting the 3rd edition. Might be good timing. Good thing I didn't order the 2nd edition the other day!

Subject: Re: Good MPLS/VPLS book?
From: franc...@menards.ca
Date: Sat, 25 Dec 2010 20:42:24 -0500
To: mounir.moha...@gmail.com
CC: nanog@nanog.org

Looks like a third edition is on the way, slated for March 2011: http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Communications/dp/0470665459/ref=ntt_at_ep_dpt_2

I would expect it to cover MPLS-TP and the struggling evolution of PBB-TE ... anybody have any idea if this is in?

F.

On 2010-12-24, at 7:47 AM, Mounir Mohamed wrote:

The most comprehensive text is MPLS Enabled Applications by Ina Minei: http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Communications/dp/0470986441/ref=sr_1_1?ie=UTF8qid=1293194786sr=8-1

On Fri, Dec 24, 2010 at 12:49 AM, Michael Helmeste mhelm...@uvic.ca wrote:

Does anyone have a favorite book or resource discussing MPLS and all associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et al.)? I understand the basics of what MPLS is and how you create a circuit from A to B, but I'm afraid it still escapes me when trying to figure out how someone would, say, create a multicast-capable VPN with 5 edge points. Any pointers to a good way to reduce my level of ignorance on this subject would be appreciated. Vendor literature doesn't bother me as long as the concepts are there.

Regards,
Michael H.

--
Best Regards,
Mounir Mohamed, CCIE#19573 (RS/SP)
Senior Network Engineer, Core Team.
NOOR Data Networks, SAE
Mobile# +2-010-2345-956
http://mounirmohamed.wordpress.com
http://www.linkedin.com/in/mounirmohamed
RE: Good MPLS/VPLS book?
Looks like a good book to add to my bookshelf. Cisco's MPLS Fundamentals is also a good book, although I'm only halfway through it.

From: sfou...@shortestpathfirst.net
To: mhelm...@uvic.ca; nanog@nanog.org
Subject: RE: Good MPLS/VPLS book?
Date: Thu, 23 Dec 2010 18:06:03 -0500

IMO the best book on the market is 'MPLS-Enabled Applications' by Ina Minei, Julian Lucek. It has the best coverage of all the things you mentioned plus VPLS, P2MP LSP, draft-rosen and NG-VPN multicast architectures, and the explanations are clear and concise. I wrote a review of this book a while back: http://www.shortestpathfirst.net/2009/11/30/book-review-mpls-aplications/

This book is awesome. You won't regret buying it.

Stefan Fouant

-Original Message-
From: Michael Helmeste [mailto:mhelm...@uvic.ca]
Sent: Thursday, December 23, 2010 5:49 PM
To: nanog@nanog.org
Subject: Good MPLS/VPLS book?

Does anyone have a favorite book or resource discussing MPLS and all associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et al.)? I understand the basics of what MPLS is and how you create a circuit from A to B, but I'm afraid it still escapes me when trying to figure out how someone would, say, create a multicast-capable VPN with 5 edge points. Any pointers to a good way to reduce my level of ignorance on this subject would be appreciated. Vendor literature doesn't bother me as long as the concepts are there.

Regards,
Michael H.
Windows Encryption Software
Hey guys:

This is most definitely OT, so please contact me off list. (Don't want to annoy anyone.) I come to you all because of all your wisdom. =)

I want to know if there's software out there that will encrypt files on Win2k3, WinXP, Win7, so that if someone decides to steal the computer and plug the hard drive into a USB external case, they won't be able to read the files on the hard drive. I know Windows has BitLocker, but I don't know if that is available for Win2003? And it always seems like 3rd party apps seem to do a better job than what Microsoft gives you.

Encryption needs to be done on the fly so if at any time the hard drive is stolen, there's no way to read the data...

Thoughts??

Brandon
RE: Windows Encryption Software
Wow, sounds like TrueCrypt it is. Not a single other app was suggested!!! Thank you gentlemen!

Date: Thu, 9 Dec 2010 16:27:05 -0800
From: jmener...@netsuite.com
To: nanog@nanog.org
Subject: Re: Windows Encryption Software

Truecrypt

John Menerick

On 12/9/2010 4:24 PM, Brandon Kim wrote:

Hey guys:

This is most definitely OT, so please contact me off list. (Don't want to annoy anyone.) I come to you all because of all your wisdom. =)

I want to know if there's software out there that will encrypt files on Win2k3, WinXP, Win7, so that if someone decides to steal the computer and plug the hard drive into a USB external case, they won't be able to read the files on the hard drive. I know Windows has BitLocker, but I don't know if that is available for Win2003? And it always seems like 3rd party apps seem to do a better job than what Microsoft gives you.

Encryption needs to be done on the fly so if at any time the hard drive is stolen, there's no way to read the data...

Thoughts??

Brandon

NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information. Please note that all communications and information transmitted through this email system may be monitored by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service.
RE: Jumbo frame Question
Where would the world be if we weren't stuck at 1500 MTU? I've always kinda thought, what if that was larger from the start? We keep getting faster switchports, but the MTU is still 1500 MTU! I'm sure someone has done some testing with a 10/100 switch with jumbo frames enabled versus a 10/100/1000 switch using regular 1500 MTU and compared the performance.

Subject: RE: Jumbo frame Question
Date: Thu, 25 Nov 2010 21:14:02 -0800
From: gbon...@seven.com
To: harris@hk1.ibm.com; nanog@nanog.org

Hi

Does anyone have experience on designing / implementing a jumbo frame enabled network? I am working on a project to better utilize a fiber link across east coast and west coast with the Juniper devices. Based on the default TCP windows in Linux / Windows and the latency between east coast and west coast (~80ms) and the default MTU size 1500, the maximum throughput of a single TCP session is around ~3Mbps, but it is too slow for us to be backing up the huge amount of data across 2 sites.

There are a lot of stack tweaks you can make, but the real answer is larger MTU sizes in addition to those tweaks. Our network is completely 9000 MTU internally. We don't deploy any servers anymore with MTU 1500. MTU 1500 is just plain stupid with any network 100mb ethernet.

The following is the topology that we are using right now.

Host A NIC (MTU 9000) --- GigLAN --- (MTU 9216) Juniper EX4200 (MTU 9216) --- GigLAN --- (MTU 9018) J-6350 cluster A (MTU 9018) --- fiber link across site --- (MTU 9018) J-6350 cluster B (MTU 9018) --- GigLAN --- (MTU 9216) Juniper EX4200 (MTU 9216) --- GigLAN --- (MTU 9000) NIC - Host B

I was trying to test the connectivity from Host A to the J-6350 cluster A by using ICMP ping with size 8000 and DF bit set, but it failed to ping. Does anyone have experience with it? Please advise.

Thanks :-)

You might have some transport in the path (SONET?) that can't send 8000. I would try starting at 3000 and working up to find where your limit is.

Your description of "fiber link across site" is vague. Who is the vendor, what kind of service?
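An added example, not code from any poster in this thread: the "start at 3000 and work up" probing Greg suggests, done as a binary search over DF-marked pings so the largest payload that crosses the path is found in a handful of probes. It assumes a Linux iputils `ping` (`-M do` sets DF, `-s` sets the ICMP payload size); the search itself takes any `probe(payload) -> bool` callable, so it can also be run against a constructed path with a known MTU.

```python
"""Editor-added example, not code from any poster in this thread.

Finds the largest ICMP payload that crosses a path with DF set, by binary
search instead of a linear walk upward. Assumes a Linux iputils `ping`
(`-M do` sets DF, `-s` sets the ICMP payload size); the search is driven by
any probe(payload_bytes) -> bool callable, so it can be exercised against a
constructed path without touching the network.
"""
import functools
import subprocess
import sys
from typing import Callable, Optional

# ping -s gives the ICMP payload; the packet on the wire is 28 bytes bigger
IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """True if a single DF-marked echo of `payload` bytes is answered."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), host]
    rc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL).returncode
    return rc == 0


def largest_passing_payload(probe: Callable[[int], bool],
                            lo: int = 1472, hi: int = 8972) -> Optional[int]:
    """Largest payload in [lo, hi] that probe() accepts, or None.

    Assumes the path is monotonic (if size N passes, every smaller size
    passes). lo=1472 is the payload that fills a 1500-byte packet; hi=8972
    fills a 9000-byte one. None means even `lo` failed: a sub-1500 link,
    an unreachable host, or ICMP being filtered somewhere on the path.
    """
    if not probe(lo):
        return None
    if probe(hi):
        return hi
    while hi - lo > 1:            # invariant: probe(lo) True, probe(hi) False
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Convert the largest passing payload into the path MTU in bytes."""
    return payload + IP_ICMP_OVERHEAD


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: passes packets <= path_mtu."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:
        probe = functools.partial(ping_probe, sys.argv[1])   # real host
    else:
        probe = simulated_path(4470)   # constructed: a 4470-byte POS hop
    best = largest_passing_payload(probe)
    if best is None:
        print("nothing above 1472 bytes of payload passed")
    else:
        print(f"largest payload {best} -> path MTU {path_mtu_from_payload(best)}")
```

Run as `python3 probe.py <host>` from Host A toward the far cluster; a result well below 8972 points at the hop whose MTU needs raising.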
RE: mtu question
Jack brings up a good point. MTU is basically pointless since packets never traverse any real interface... So in theory the size can be anything...

Date: Wed, 17 Nov 2010 15:02:22 -0600
From: jba...@brightok.net
To: deric.kwok2...@gmail.com
Subject: Re: mtu question
CC: nanog@nanog.org

On 11/17/2010 11:08 AM, Deric Kwok wrote:

Hi

I just see that the MTU in lo is different from the standard eth 1500. Any meaning of it?

You transfer huge amounts of data on loopbacks, similar to sockets. Supporting large MTUs is appropriate, and given the virtual nature of loopbacks, is probably generally designed to handle the buffers that transfer the data.

How about Cisco / Juniper loopback? Thank you so much

Juniper M120:
Type: Loopback, MTU: Unlimited

Cisco 7206 12.2SRE:
MTU 1514 bytes, BW 800 Kbit/sec, DLY 5000 usec,

Jack
RE: mtu question
Thanks for the 411 Mark! Again, this NANOG list is such a valuable source of info and knowledge!

Date: Thu, 18 Nov 2010 08:18:10 +1030
From: na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
To: brandon@brandontek.com
CC: jba...@brightok.net; deric.kwok2...@gmail.com; nanog@nanog.org
Subject: Re: mtu question

On Wed, 17 Nov 2010 16:23:54 -0500 Brandon Kim brandon@brandontek.com wrote:

Jack brings up a good point. MTU is basically pointless since packets never traverse any real interface... So in theory the size can be anything...

Not quite. You hit packet length field limits. IPv4 packets can't be larger than 65535, and IPv6 packets also can't be larger than 65 576 (40 byte IPv6 header + 2^16 payload), unless jumbograms and the jumbo payload extension header are supported. Last time I checked, by setting the loopback MTU to 65 576, Linux, for example, doesn't support the jumbo payload extension header (or if it does, I didn't spend enough time finding out how to switch it on - a very large MTU didn't trigger it).

That being said, with a 64K MTU on loopback, you can legitimately claim to get 10Gbps at home, as long as you don't mention how you're doing it ;-)

Regards,
Mark.
RE: OT: VM slicing and dicing
Thanks for the suggestions James! One of the issues I had (which is why I turned to NANOG) was that I wasn't entirely sure what keywords to search for!! So thank you for that.

All of the criteria you brought up are valid and I will add them to the list of things to consider. It's awfully difficult to figure out who can do what, as it's just not possible to test all the different vendors out there unless you have a large R&D team and a lot of time.

I think we are on the same page as far as what we think I need. But just to clarify:

1) We'd like to be able to have a web portal where new or existing clients could request servers of all types: Windows, Linux etc... Configure what it is that they need and in some amount of time, the VMs are provisioned. They receive some kind of email confirming that their new provisioned server is available.

2) Backend - Since we haven't invested much time into the backend, we're open to all possibilities. It doesn't need to be VMware at all. Xen seems to be extremely popular.

3) Licensing - Of course this will be all unique to each vendor, but the more complicated the licensing, the more it's a turn-off and difficult to keep track of. Not to plug, but so far OnApp's pricing is very straightforward.

4) Multi-Tenant - Absolutely needs to support this.

I don't expect anyone here to do research for me, but I assume that being a network operator, many of us would have some input, and clearly I've received great feedback. I've been in touch with numerous vendors that were given to me from this thread and I can't wait to demo/try their products.

One question I do have for any that actually read through this entire email (haha) is about the physical network switch. Is there a case for the switch, especially in today's high density environment, to go with 1GIG switches as the minimum? It seems pretty obvious but I'm wondering if it's really a necessity? Can anyone on this list argue that 10/100 will suffice?

Thanks again!

Brandon

Date: Mon, 15 Nov 2010 21:13:51 -0600
Subject: Re: OT: VM slicing and dicing
From: mysi...@gmail.com
To: brandon@brandontek.com
CC: nanog@nanog.org

On Tue, Nov 9, 2010 at 10:17 AM, Brandon Kim brandon@brandontek.com wrote:

I'm not looking for companies that offer this service, but the actual software engines that allow you to create VMs on the fly. So a customer goes to your website and says "I want Win2008 with 8 gigs of RAM and 120 gigs of HDD." Just like custom configuring a new PC.

How about I send you some terms to search for, using your favorite search engine...

Multi-Tenant Hosting
Cloud Computing
IaaS / HaaS (Infrastructure as a Service)
Self-Service Provisioning

Because the question is so vague, I think you need more research. If you read the documentation of portal software, you should be able to tell to what extent it would be turn-key.

Before looking too closely at any offering... some things to think about are: How would you go about handling virtual networks and access to them? Will you want one shared network (with the requisite Layer 2 security minefield), or will your portal of choice somehow decide to permission and make certain LANs available to certain users' VMs? There will be security and performance considerations that some portal software programs allow you to answer, and some do not.

So you need to decide the hard requirements for security, management flexibility, UI attractiveness/ease of use, functionality for the end user, resource management, and price :) Different portals have different options, so define requirements first.

A Multi-Tenant IaaS environment (meaning different users sharing pieces of metal, storage, etc) brings in some complexity. Think about how the resources will be balanced. E.g. will you have the portal place workloads on its own, or rely on some outside system like VMware DRS?

Will the portal implement and enforce resource SLAs for network latency/loss, limit the number of VMs per NIC or per datastore, memory, CPU and provide I/O response delay assurances, or will machines be left underutilized / overutilized, because the portal is bad at optimizing placement on physical servers, or bad at avoiding overcommit? For an IaaS provider, underutilization eventually means you are eating more kW·h than necessary, and overutilization could be immediately detrimental.

The different major virtualization software vendors each have their own Self-Service Provisioning solutions, and there are some third party programs. Most are for enterprise internal self-provisioning; hosting providers might have special requirements like integrated user signups and billing and no license restriction against provisioning for outside users. I would expect these to be more expensive, or include monthly per-user fees.

Offhand I recall Virtuozzo [perhaps the oldest?], Enomaly / Enomalism
RE: OT: VM slicing and dicing
Thanks guys for keeping this topic alive. =)

I'm leaning towards the open source or at least the Xen side of things. I haven't yet fully evaluated vCloud Director, but I get the gut feeling that anything VMware is going to be costly. Is that a fair assumption?

The issue is that I'm looking for an application that is as turnkey as possible, even if it's a little bit more. That could be vCloud Director, I don't know yet. But I do know that if we have to invest in writing a lot of custom scripts to get what we want, then we don't have the resources for that.

Subject: Re: OT: VM slicing and dicing
From: nderitua...@gmail.com
To: brandon@brandontek.com
CC: nanog@nanog.org
Date: Mon, 15 Nov 2010 23:00:52 +0300

Brandon,

It really depends on the hypervisor in operation. You can take a look at vCloud Director (http://www.vmware.com/products/vcloud-director/) and BMC (http://www.bmc.com/products/product-listing/bmc-cloud-lifecycle-management.html)

-Original Message-
From: Brandon Kim brandon@brandontek.com
To: nanog group nanog@nanog.org
Subject: OT: VM slicing and dicing
Date: Tue, 9 Nov 2010 11:17:50 -0500

Hey gents:

As always I value your input. Best resource on the planet! =)

I'm hoping this isn't too off-topic; if so, please respond to me offline.

I figured since most of everyone here are operators working in a datacenter, you may or may not have experience with virtualization software that allows you to configure VMs on the fly.

I'm not looking for companies that offer this service, but the actual software engines that allow you to create VMs on the fly. So a customer goes to your website and says "I want Win2008 with 8 gigs of RAM and 120 gigs of HDD." Just like custom configuring a new PC.

Does anyone here have experience or knowledge of companies that offer this type of software engine?

Thanks in advance!

Brandon
RE: Register.com DNS outages
Isn't using register.com considered outsourcing? In fact, I'd probably feel better not outsourcing to a big shop who is such a big target. A little security through obscurity doesn't hurt =)

Subject: Re: Register.com DNS outages
Date: Sun, 14 Nov 2010 14:03:27 -0500
From: esanb...@tsd-inc.com
To: f...@deneb.enyo.de; brandon@brandontek.com
CC: nanog@nanog.org

Yes, however register.com does not allow their customers to list both their DNS servers and a customer's DNS server. End result is when the outage on their servers occurs you need to modify the config on their website so that it points back to your private DNS servers. Propagation delays are a pain.

- Original Message -
From: Florian Weimer f...@deneb.enyo.de
To: Brandon Kim brandon@brandontek.com
Cc: nanog group nanog@nanog.org
Sent: Sun Nov 14 13:48:55 2010
Subject: Re: Register.com DNS outages

* Brandon Kim:

Times like this makes you curious what kind of infrastructure register.com has? How does one protect against DDOS?

You can outsource your DNS, but you better retain a server locally on your network, so that you suffer less from that particular shared toothbrush.
RE: Register.com DNS outages
Thanks for the heads up. I just sent an email out to my company's staff to keep an eye on our own customers if they are noticing any issues. Times like this makes you curious what kind of infrastructure register.com has? How does one protect against DDOS?

Date: Sat, 13 Nov 2010 08:11:12 -0800
Subject: Register.com DNS outages
From: da...@ulevitch.com
To: nanog@nanog.org

Good morning,

Does anyone have any updates they can share on the register.com outage that has been happening since sometime yesterday? They don't seem to have any sort of explanation or status page (aside from the note on their homepage). Is there anything we can do to help? It's certainly impacting reachability to a tremendous number of domains.

Thanks,
David
RE: Register.com DNS outages
Well they are saying it's DDOS themselves. Straight from their website:

IMPORTANT NOTICE: 3:30 PM, Saturday, November 13th - On Friday, November 12th we were hit by a distributed denial of service attack (ddos). We are actively working to mitigate the attack and restore services as soon as possible. Every available resource has been deployed to address this malicious attack. If you are having trouble accessing your webmail, please try the below alternative webmail access points in order: webmail01.register.com, webmail02.register.com, webmail03.register.com. Please note, only one of these 3 webmail access points will work for your specific Register.com email address. If you require further assistance please contact customer service at 1888.734.4783. We will update you as soon as we have more information.

Subject: RE: Register.com DNS outages
Date: Sat, 13 Nov 2010 18:23:07 -0500
From: esanb...@tsd-inc.com
To: morrowc.li...@gmail.com; brandon@brandontek.com
CC: nanog@nanog.org

Has it been confirmed that register.com's outage was due to a DDOS?

-Original Message-
From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
Sent: Saturday, November 13, 2010 2:01 PM
To: Brandon Kim
Cc: nanog group
Subject: Re: Register.com DNS outages

On Sat, Nov 13, 2010 at 11:40 AM, Brandon Kim brandon@brandontek.com wrote:

Thanks for the heads up. I just sent an email out to my company's staff to keep an eye on our own customers if they are noticing any issues. Times like this makes you curious what kind of infrastructure register.com has? How does one protect against DDOS?

this is not rocket science
srsly... http://www.verizonbusiness.com/Products/security/network-based/

as per usual, vzb's website is a poor excuse for a marketing tool (or sales tool, or information gathering tool.. ugh) but, bullet #2 is one option (that register.com I think actually was offered at one point in time...) is 3250/month cheaper than sla payouts from 3 days of running outages each year or so?

-chris
OT: VM slicing and dicing
Hey gents:

As always I value your input. Best resource on the planet! =)

I'm hoping this isn't too off-topic; if so, please respond to me offline.

I figured since most of everyone here are operators working in a datacenter, you may or may not have experience with virtualization software that allows you to configure VMs on the fly.

I'm not looking for companies that offer this service, but the actual software engines that allow you to create VMs on the fly. So a customer goes to your website and says "I want Win2008 with 8 gigs of RAM and 120 gigs of HDD." Just like custom configuring a new PC.

Does anyone here have experience or knowledge of companies that offer this type of software engine?

Thanks in advance!

Brandon
RE: OT: VM slicing and dicing
Thanks everyone for your input today on this topic. I wanted to recap with a list of sites that everyone has suggested both online and offline for FYI purposes.

http://www.vmware.com/products/vcloud-director/
http://www.microsoft.com/systemcenter/en/us/default.aspx
http://cloud.com
http://www.gogrid.com/
http://www.digitalmines.com
http://www.proxmox.com/products/proxmox-ve
http://www.openqrm-enterprise.com/
http://www.openstack.org/

Date: Tue, 9 Nov 2010 13:42:10 -0500
From: r...@tifosi.com
To: brandon@brandontek.com
Subject: Re: OT: VM slicing and dicing

Brandon Kim wrote:

I'm not looking for companies that offer this service, but the actual software engines that allow you to create VMs on the fly. So a customer goes to your website and says "I want Win2008 with 8 gigs of RAM and 120 gigs of HDD." Just like custom configuring a new PC. Does anyone here have experience or knowledge of companies that offer this type of software engine?

OpenStack may be (at least part of) what you're looking for. The primary development is from NASA and Rackspace: http://openstack.org/

I have no experience of my own with it yet, but am planning an eval of it.

Reto

--
R A Lichtensteiger r...@tifosi.com
Yes, you're doing things right, but are you doing the right things?
Nope. I'm just doing something dumb fast.
RE: NTP Server
Wow that is amazing and quite impressive that you even run the antenna lines. Interesting.. do you have to pay for the GPS service?

Subject: Re: NTP Server
To: brandon@brandontek.com
From: jkre...@usinternet.com
Date: Sun, 24 Oct 2010 15:52:03 +

Internet NTP is not as reliable as local NTP due to either reachability or tampering. We run a pair of GPS NTP servers with antennas run to the roof of the building. We make them available to our customers as well as for our own use.

--Original Message--
From: Brandon Kim
To: nanog@nanog.org
Subject: NTP Server
Sent: Oct 24, 2010 10:34 AM

Hey guys:

I wanted to open up this question regarding NTP servers. I recalled someone had created a posting on this quite a while back. From a service provider/ISP standpoint, does anyone think that having a local NTP server is really necessary? I've asked some of my fellow engineers at work and many of them give me the same response: "Can't we just use free ones out on the internet?"

1) How necessary do you believe in local NTP servers? Do you really need the logs to be perfectly accurate?

2) If you do have a local NTP server, is it only for local internal use, or do you provide this NTP server to your clients as an added service?

3) If you do have a local NTP server, do you have a standby local NTP server or do you use the internet as your standby server?

Thoughts? Thanks in advance, and this list is such a valuable wealth of resource.

Brandon

Sent via BlackBerry from T-Mobile
RE: NTP Server
I guess what I'm trying to understand is, is having your own NTP server just a luxury? I personally would like to have my own, I just need to pitch its advantages to my company. Unless everyone here on the NANOG group clearly spells it out to me that it's a luxury. I can see it as an added service/benefit though to our customers.

Date: Sun, 24 Oct 2010 17:55:22 +0200
From: eu...@leitl.org
To: nanog@nanog.org
Subject: Re: NTP Server

On Mon, Oct 25, 2010 at 02:51:24AM +1100, Ben McGinnes wrote:

How do you know that your local NTP server knows what time it is? (for sure)

By polling as many stratum 1 and 2 time servers as possible. Having your own stratum 2 server(s) beats nebulous NTP servers out in the big bad Internet every time.

For those who care about that: http://leapsecond.com/time-nuts.htm
RE: NTP Server
Just for log purposes and possibly providing it to our clients as an added service, at no charge of course. I don't see us needing to get very granular in the details of the times on the logs.

Date: Sun, 24 Oct 2010 10:09:25 -0700
From: ra...@psg.com
To: brandon@brandontek.com
CC: nanog@nanog.org
Subject: Re: NTP Server

1) How necessary do you believe in local NTP servers? Do you really need the logs to be perfectly accurate?

what is perfectly accurate? perfection is not very realistic. to what use do you put these logs? what precision and jitter are required for that use?

imiho, if you are just comparing router and server log files, run off public. if you are trying to do fine-grained measurement, you are going to invest a lot in clock and propagation research.

2) If you do have a local NTP server, is it only for local internal use, or do you provide this NTP server to your clients as an added service?

i would generally let customers chime off routers which are strat 2 or 3. if a customer has other needs, then they can deal. if they are really concerned, they should not bet on me anyway.

3) If you do have a local NTP server, do you have a standby local NTP server or do you use the internet as your standby server?

again, depends on your needs.

randy
RE: NTP Server
Looks like you have a pretty good setup. What vendor equipment are you using? You can let me know offline so it doesn't sound like you're advertising them.

Date: Sun, 24 Oct 2010 11:03:18 -0600
From: br...@2mbit.com
To: nanog@nanog.org
Subject: Re: NTP Server

On 10/24/10 9:34 AM, Brandon Kim wrote:

I wanted to open up this question regarding NTP servers. I recalled someone had created a posting on this quite a while back. From a service provider/ISP standpoint, does anyone think that having a local NTP server is really necessary?

It may not be necessary, but it certainly is not a bad thing. Not having to depend on third parties for a service is a good thing.

I've asked some of my fellow engineers at work and many of them give me the same response: "Can't we just use free ones out on the internet?"

1) How necessary do you believe in local NTP servers? Do you really need the logs to be perfectly accurate?

Perfectly accurate is very helpful when trying to associate several incidents going on at the same time, or when trying to figure out the timeline leading up to why a machine had a kernel panic, for example.

2) If you do have a local NTP server, is it only for local internal use, or do you provide this NTP server to your clients as an added service?

Our master stratum 1 GPS clock only has IPv6 access to the outside world. Our two 'public' NTP servers can talk directly to it over IPv4 or IPv6, and those are publicly available via IPv4 or IPv6.

3) If you do have a local NTP server, do you have a standby local NTP server or do you use the internet as your standby server?

If the stratum 1 becomes unavailable (it's 500 miles away on a different network), the two public NTP servers are peered with one another, and both have a different outside third-party NTP server to sync with (be it an upstream provider's NTP server, or one of the pool ones from ntp.org). Never had a problem with this setup, and it's worked rather well.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/
http://www.ahbl.org
RE: NTP Server
Hi Sean:

By local I meant in-house, on-site in our datacenter. As far as what applications could use our NTP service, I would leave that up to each client and what they are running. For my own personal purposes, it would just be for log purposes (error logs, syslogs, etc etc). I have heard that routers don't make good NTP servers since they weren't designed to keep track of time. This, I have read from a Cisco source. Can't remember where though. Or maybe they were just referring to older less powerful routers like 2500 series...

Brandon

Date: Sun, 24 Oct 2010 14:42:24 -0400
From: s...@donelan.com
To: nanog@nanog.org
Subject: Re: NTP Server

On Sun, 24 Oct 2010, Brandon Kim wrote:
1) How necessary do you believe in local NTP servers? Do you really need the logs to be perfectly accurate?
2) If you do have a local NTP server, is it only for local internal use, or do you provide this NTP server to your clients as an added service?
3) If you do have a local NTP server, do you have a standby local NTP server or do you use the internet as your standby server?

First terminology. What do you mean by a local NTP server? Almost any Cisco/Juniper router, Unix server and some recent Windows servers have NTP server software and can synchronize clocks in your network. So you may already have a NTP server capable device. You just need to configure it, and give it a good source of time.

It would be a Stratum 2 or greater NTP server because the good source of time is another NTP server. Left to itself, NTP is pretty good at keeping clocks in arbitrary networks synchronized with each other. But most people are also interested in synchronizing clocks with some official time source.

The Network Time Protocol doesn't really have the notion of a standby server. It uses multiple time sources together, and works best with about four time sources. But for many end-systems, the Simple Network Time Protocol with a single time source may be sufficient.

If you are in a regulated industry (stock broker, electric utility, 9-1-1 answering point, etc) there are specific time and frequency standards you must follow. On the other hand, are you asking about a local clock receiver (radio, satellite, etc) for a stratum 1 NTP server? Clock receivers are getting cheaper, the problem is usually the antenna location. Or on the third hand, are you asking about a local primary reference clock (caesium, rubidium, etc) for a stratum 1 NTP server? These are still relatively expensive up to extremely expensive. Or on the fourth hand, are you a time scientist working to improve international time standards? If you are one of these folks, you already know.

Most major ISPs use NTP across their router backbone, and incidentally provide it to their customers. The local ISP router connected to your circuit probably has NTP enabled.

Required accuracy is in the eye of the beholder. NASDAQ requires brokers to have their clocks synchronized within 3 seconds of UTC(NIST). 9-1-1 centers are required to have their clocks synchronized within 0.5 seconds of UTC. Kerberos/Active Directory requires clocks to be synchronized within 5 minutes of each other. If your log files have a resolution of 1 second, you probably won't see much benefit of sub-second clock precision or accuracy. If you are conducting distributed measurements with sub-microsecond resolution, you probably will want something more.
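An added example, not code from this thread: it parses an NTP server reply the way a client does, computes the clock offset and round-trip delay from the four timestamps, combines four sources so that one bad server cannot drag the result (a median, which is this example's simplification of NTP's real selection algorithm), and checks the offset against the accuracy figures quoted above. The replies are constructed in memory, so nothing is sent on the network.

```python
"""Parse NTP server replies, compute offset/delay, and check the result
against the accuracy requirements quoted in the thread.  All packets are
constructed locally for the example."""
import struct
from statistics import median

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_EPOCH_OFFSET = 2208988800

# Allowed |offset| from UTC, in seconds, as quoted in the thread
TOLERANCES = {"nasdaq": 3.0, "psap-911": 0.5, "kerberos": 300.0}


def ntp_to_unix(seconds, fraction):
    """64-bit NTP timestamp (seconds since 1900, 2^-32 fraction) -> Unix float."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def unix_to_ntp(t):
    """Unix float -> (seconds, fraction) NTP timestamp."""
    secs = int(t)
    frac = min(int(round((t - secs) * 2 ** 32)), 2 ** 32 - 1)
    return secs + NTP_EPOCH_OFFSET, frac


def build_server_reply(stratum, origin, receive, transmit):
    """Construct a 48-byte NTPv4 server reply (mode 4); constructed test data."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4       # LI=0, version 4, mode 4 (server)
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll 2^6, precision 2^-20
    root = struct.pack("!II", 0, 0)             # root delay / dispersion (unused here)
    ref_id = b"\x00\x00\x00\x00"                # upstream reference id (unused here)
    # Reference, origin (T1), receive (T2) and transmit (T3) timestamps
    stamps = b"".join(struct.pack("!II", *unix_to_ntp(t))
                      for t in (receive, origin, receive, transmit))
    return header + root + ref_id + stamps


def parse_server_reply(packet):
    """Decode the fields a client needs and reject replies that must not be used."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    li_vn_mode, stratum = struct.unpack("!BB", packet[:2])
    if li_vn_mode & 0x07 != 4:
        raise ValueError("not a server reply (mode != 4)")
    if li_vn_mode >> 6 == 3:
        raise ValueError("server clock unsynchronised (leap indicator 3)")
    if stratum == 0 or stratum > 15:
        # 0 is a kiss-o'-death / unspecified; 16 means the server is unsynchronised
        raise ValueError(f"unusable stratum {stratum}")
    t1, t2, t3 = (ntp_to_unix(*struct.unpack("!II", packet[o:o + 8]))
                  for o in (24, 32, 40))
    return {"stratum": stratum, "t1": t1, "t2": t2, "t3": t3}


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay: T1 client send,
    T2 server receive, T3 server send, T4 client receive."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def measure(packet, t4):
    """Offset and delay for one reply, given the client's receive time T4."""
    r = parse_server_reply(packet)
    offset, delay = offset_and_delay(r["t1"], r["t2"], r["t3"], t4)
    return {"stratum": r["stratum"], "offset": offset, "delay": delay}


def is_usable(packet):
    """True if the reply passes the sanity checks in parse_server_reply()."""
    try:
        parse_server_reply(packet)
        return True
    except ValueError:
        return False


def combined_offset(measurements):
    """Median of the per-server offsets.  A deliberate simplification (this
    example's assumption, not RFC 5905's selection/clustering algorithms),
    but it shows why four sources help: one falseticker cannot win."""
    return median(m["offset"] for m in measurements)


def meets(requirement, offset):
    """True if |offset| is within the tolerance quoted for that requirement."""
    return abs(offset) <= TOLERANCES[requirement]


def sample_measurements():
    """Constructed exchange: the client clock is about 0.5 s behind three
    healthy stratum-2 servers (0.1 s one-way delay each) and a fourth
    server is a falseticker 120 s off."""
    t1, t4 = 1_000_000.0, 1_000_000.3          # client send / receive (client clock)
    replies = [
        build_server_reply(2, t1, 1_000_000.60, 1_000_000.70),
        build_server_reply(2, t1, 1_000_000.58, 1_000_000.72),
        build_server_reply(2, t1, 1_000_000.62, 1_000_000.70),
        build_server_reply(2, t1, 1_000_120.60, 1_000_120.70),  # falseticker
    ]
    return [measure(p, t4) for p in replies]


if __name__ == "__main__":
    ms = sample_measurements()
    for m in ms:
        print(f"stratum {m['stratum']}: offset {m['offset']:+.3f} s, delay {m['delay']:.3f} s")
    best = combined_offset(ms)
    for req in TOLERANCES:
        print(f"{req}: {'ok' if meets(req, best) else 'out of tolerance'} at {best:+.3f} s")
```

With the constructed data the combined offset comes out at about 0.505 s, which satisfies the 3 s NASDAQ and 5 minute Kerberos figures but just misses the 0.5 s 9-1-1 requirement, while the 120 s falseticker is ignored by the median. A reply with stratum 16 or leap indicator 3 is rejected before any arithmetic is done.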
RE: Recommendations for Metro-Ethernet Equipment
We use quite a bit of Extreme switches. I personally don't have anything against them other than their purple color and that I don't really know their IOS that well. But to be fair, they have worked just fine. In the future I hope we can migrate over to Cisco switches because I'm biased. =)

From: mer...@metalink.net
To: nanog@nanog.org
Subject: RE: Recommendations for Metro-Ethernet Equipment
Date: Thu, 21 Oct 2010 15:05:37 -0400

Thanks to everyone who responded. Just got done talking with Extreme which no one really mentioned. Seems like decent gear reasonably priced. Anyone care to comment on them specifically or have used them in a metro Ethernet build?

= Eric Merkel MetaLINK Technologies, Inc. Email: merkel at metalink.net

-Original Message-
From: Dan Armstrong [mailto:d...@beanfield.com]
Sent: 2010-10-20 19:50
To: Ramanpreet Singh
Cc: Jason Lixfeld; nanog@nanog.org
Subject: Re: Recommendations for Metro-Ethernet Equipment

I think that's what Jason just said. :-)

On 2010-10-20, at 5:24 PM, Ramanpreet Singh wrote:
7600's/ASR 1k Have you looked in to Cisco ME 3600X/ME 3800X series? Without a bias these are the top notch products in the market for Metro E.
-Raman

On Wed, Oct 20, 2010 at 12:57 PM, Jason Lixfeld ja...@lixfeld.ca wrote:
On 2010-10-20, at 11:24 AM, Eric Merkel wrote:
Any suggestions, success or horror stories are appreciated. ;)

I've been going through pretty much the same exercise looking for a decent PE for almost two years. Our requirements were for a PE device that had between 12-24 ports (in a perfect world, mixed mode 10/100/1000 copper + SFP), 10G uplinks, EoMPLS, MPLS VPN, DHCP server, port-protect/UNI (or similar) capabilities, DC power and a small footprint (1RU). Of all the ones we looked at (Juniper, Cisco, Extreme, Brocade, MRV, Alcatel) initially, MRV was the only contender. The rest either didn't have a product, or their offering didn't meet various points within our criteria.

As such, we bought a bunch of MRVs in early 2009 and after four months of trial and error, we yanked every single one out of the network. From a physical perspective, the box was perfect. Port density was perfect, mixed-mode ports, promised a 10G uplink product soon, size was perfect, power was perfect, we thought we had it nailed. Unfortunately there are no words to describe how terrible the software was. The CLI took a little getting used to, which is pretty much par for the course when you're dealing with a new vendor, but the code itself was just absolutely broken, everywhere. Duplex issues, LDP constantly crashing taking the box with it, OSPF issues, the list went on and on. To their credit, they flew engineers up from the US and they were quite committed to making stuff work, but at the end of the day, they just couldn't make it go. We pulled the plug in May 2009 and I haven't heard a thing about their product since then, so maybe they've got it all together.

While meeting with Juniper a few months later about a different project, they said they had a product that might fit our needs. The EX4200. As such, we had a few of these loaned to our lab for a few months to put through their paces, from a features and interoperability perspective. They work[1] and they seem to work well. The show stopper was provisioning[1] and size. The box is massive, albeit it is still 1U.

[1] (I'm not a Juniper guy, so my recollection on specific terms and jargon may be a bit off kilter) they only support ccc, which makes provisioning an absolute nightmare. From my experience with Cisco and MRV, you only have to configure the EoMPLS vc. On the EX4200, you have to create the LSPs as well. To get a ccc working, the JunOS code block was far larger and much more involved per vc than the single line Cisco equivalent. To create the LSPs was, I believe, two more equally large sized code blocks. At the end of the day, it was just too involved. We needed something simpler.

About the same time that we started to evaluate the EX4200, Cisco had pitched us on their (then alpha) Whales platform. It looked promising (MRV still had the best form factor) and we expressed our interest in getting a beta unit in as soon as we were able to. This is now known as the ME3600 and ME3800 platform and we've been testing a beta unit in our lab for the past few months. This is the platform we have chosen. It's not perfect, but our gripes have more to do with form factor (it's 1RU, but it's a bit deeper than what we'd like) and port densities (no mixed mode ports) than software or features. We've been pretty pleased with its feature set and performance, but this hasn't seen any real world action, so who knows how that will turn out.

If you're asking more about a P router or P/PE hybrid, we've also just ordered a few ASR9000s under try-and-buy as P/PEs
RE: Pica8 - Open Source Cloud Switch
Good question Nick, what is a cloud switch? Is this like VSS in Cisco where you have a virtual chassis?

Date: Mon, 18 Oct 2010 13:21:29 +0100
From: n...@foobar.org
To: pica8@gmail.com
Subject: Re: Pica8 - Open Source Cloud Switch
CC: nanog@nanog.org

On 18/10/2010 12:25, Lin Pica8 wrote:
We are starting to distribute Pica8 Open Source Cloud Switches :

Sounds interesting. What chipset does this run on? Also, what's a cloud switch? Is this a switch which forwards L2 traffic, or did I miss something?

Nick
RE: Pica8 - Open Source Cloud Switch
Has our industry ever really fundamentally defined what is cloud computing? Even though MPLS is sort of a buzzword too, we can define it, how it works, its protocol and such... But cloud computing?

Subject: RE: Pica8 - Open Source Cloud Switch
Date: Mon, 18 Oct 2010 08:26:29 -0600
From: matlo...@exempla.org
To: n...@foobar.org; brandon@brandontek.com
CC: nanog@nanog.org

Because 'cloud computing' is the latest buzzword, and their marketing department thought that by attaching that buzzword to it, that would increase sales? :) Nevermind that clouds contain nothing but vapor.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org

-Original Message-
From: Nick Hilliard [mailto:n...@foobar.org]
Sent: Monday, October 18, 2010 8:14 AM
To: Brandon Kim
Cc: nanog@nanog.org
Subject: Re: Pica8 - Open Source Cloud Switch

On 18/10/2010 14:27, Brandon Kim wrote:
Good question Nick, what is a cloud switch? Is this like VSS in Cisco where you have a virtual chassis?

The vss is virtual management software for a virtual switch. This box looks like a piece of hardware that you can plug things into, so I'm just wondering what makes this a cloud switch and some other piece of kit not a cloud switch.

Nick
RE: Pica8 - Open Source Cloud Switch
George: Nice answer. Do you think cloud services is based on an oversubscription model? Where they hope those who purchase servers don't actually max them out memory/CPU wise? Do you also believe that cloud services should never have any downtime? To me, cloud services is synonymous with redundancy.

Subject: RE: Pica8 - Open Source Cloud Switch
Date: Mon, 18 Oct 2010 08:17:09 -0700
From: gbon...@seven.com
To: brandon@brandontek.com
CC: nanog@nanog.org

-Original Message-
From: Brandon Kim
Sent: Monday, October 18, 2010 7:58 AM
Cc: nanog@nanog.org
Subject: RE: Pica8 - Open Source Cloud Switch

Has our industry ever really fundamentally defined what is cloud computing? Even though MPLS is sort of a buzzword too, we can define it, how it works, its protocol and such... But cloud computing?

My take on cloud computing is simply provisioning servers or virtual servers (say, VMWare or KVM) on the fly as needed. So you would have a pool of servers. When load for one application rises, more servers for that application are taken from the pool and added to the mix as needed. When load drops, those instances are removed from the rotation handling that application and returned to the pool of free (virtual) servers. Providers of network gear have been working on applications that monitor the gear in the application delivery path (e.g. metrics on load balancers) and automatically deploy instances as needed to handle that application. This would be more of interest to providers of bursty applications where they might have high load sometimes but a relatively low base load. It could also be of interest to people who serve customers in different time zones, such as the US and Europe where the US application can be turned down at night and an application serving Europe loaded up during their business day. It could also be of interest for someone who is expecting a temporary surge of activity.

It leads, though, to a completely different kind of attack called the denial of sustainability attack where a cloud-based provider is hit with a flood of legitimate transactions causing the cloud management to kick in more servers to handle the additional load. If that cloud is rented, a content provider could be hit with a huge bill.
Definitive Guide to IPv6 adoption
Since we are on the topic of IPv6, I'd like to know if anyone has books/articles they recommend on fully understanding IPv6 adoption in the workplace. I will need to contact ARIN shortly to request a v6 block. I'm assuming I would be asking for a /64 being an ISP. But I'd like to read up as much as possible before requesting the block.

I think our approach will be to use dual-stack on the routers and let the clients themselves handle how they want to use IPv6... Ultimately, it is up to them, their network, and their applications on how to use v6...

Thanks guys!
RE: Definitive Guide to IPv6 adoption
Thanks everyone who responded. This list is such a valuable wealth of information. Apparently I was wrong about the /64 as that should be /32, so thanks for that correction. Thanks again especially on a Saturday weekend!

From: rdobb...@arbor.net
To: nanog@nanog.org
Date: Sat, 16 Oct 2010 16:09:43 +
Subject: Re: Definitive Guide to IPv6 adoption

On Oct 16, 2010, at 10:56 PM, Joel Jaeggli wrote:
Then move on to the Internet which as with most things is where the most current if not helpful information resides.

Eric Vyncke's IPv6 security book is definitely worthwhile, as well, in combination with Schudel Smith's infrastructure security book (the latter isn't IPv6-specific, but is the best book out there on infrastructure security):
http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945
http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Sell your computer and buy a guitar.
RE: Equinix MPLS connectivity
Hi Leo:

Just trying to understand the lingo. What do you mean by buying a wave on someone's dwdm system? And what is dwdm? Thanks for the heads up!

Date: Sat, 9 Oct 2010 10:24:16 -0400
Subject: Re: Equinix MPLS connectivity
From: morrowc.li...@gmail.com
To: leo.wo...@gmail.com
CC: nanog@nanog.org

On Sat, Oct 9, 2010 at 4:22 AM, Leo Woltz leo.wo...@gmail.com wrote:
We are looking for some MPLS connectivity between Equinix Ashburn and Equinix San Jose who would the group recommend?

why not just buy a wave on someone's dwdm system? (why mpls, I suppose, for what sounds like a ptp application)
RE: Equinix MPLS connectivity
My apologies! I was still finishing up my morning coffee so it hasn't kicked in yet. Thank you for the explanation however! =)

Date: Sat, 9 Oct 2010 12:12:16 -0400
Subject: Re: Equinix MPLS connectivity
From: morrowc.li...@gmail.com
To: brandon@brandontek.com
CC: leo.wo...@gmail.com; nanog@nanog.org

On Sat, Oct 9, 2010 at 10:39 AM, Brandon Kim brandon@brandontek.com wrote:
Hi Leo:

since you are addressing my comment, probably you meant 'chris' there...

Just trying to understand the lingo. What do you mean by buying a wave on someone's dwdm system? And what is dwdm?

'wave' - wavelength, one optical path (though a single wavelength used not many)
'dwdm' - dense wave division multiplexing, many optical transport systems today multiplex different optical wavelengths on a single fiber.

Most optical transport vendors will sell you one wavelength from point to point on their system, or many waves if you need more than one wave's capacity.

-chris

Thanks for the heads up!

Date: Sat, 9 Oct 2010 10:24:16 -0400
Subject: Re: Equinix MPLS connectivity
From: morrowc.li...@gmail.com
To: leo.wo...@gmail.com
CC: nanog@nanog.org

On Sat, Oct 9, 2010 at 4:22 AM, Leo Woltz leo.wo...@gmail.com wrote:
We are looking for some MPLS connectivity between Equinix Ashburn and Equinix San Jose who would the group recommend?

why not just buy a wave on someone's dwdm system? (why mpls, I suppose, for what sounds like a ptp application)
RE: router lifetime
I'm tasked to replace our core switches which run Extreme 6800's. You are right that some older gear says they support IPv6, but then you find out it's not 100% fully compliant. Our switch is about 6-8 years old I believe so it's time to update them. We're thinking about the Cisco 6504e. Anything that is pretty modern that we feel will yield us another 6-8 years. I only have a handful of Juniper firewalls laying around for lab equipment, so I don't really have that much experience with them.

We also need to get IPv6 space from ARIN so that we can fully support IPv6 natively. Our plan is to dual-stack our edge routers, so it is ultimately up to the endpoints to support IPv6. We don't want to deal with any tunneling protocols like Teredo for IPv6.

Date: Sun, 3 Oct 2010 00:29:27 -0700
From: fra...@genius.com
To: nanog@nanog.org
Subject: Re: router lifetime

From: Brandon Kim brandon@brandontek.com
To: fra...@genius.com, nanog@nanog.org
Sent: Saturday, 2 October, 2010 6:22:27 PM
Subject: RE: router lifetime

Well a lot of routers even 3 years ago support IPv6. You can dual-stack pretty much any router today if you have the right IOS. But I do understand your concern, if you want to future proof your purchase, I'd think any modern router today with a good support contract will take care of you for quite some time. Make sure it's not close to EOL. What kind of router are you considering? Is this for a large network? What are the network needs?

Well it is not for me really. It is a kind of a survey. In your environment, how often do you replace your gear? I found out that switch gear from Cisco with layer 3 routing, which are EOL today do not do IPv6 (at layer 3). Cisco firewalls do not support IPv6 well unless you have upgraded this year, and for load balancers, you are out of luck. So basically anything which is EOL today has IPv6 issues while still much in use in production environments. Is that a fair assessment?

I found out also that some gear with fancy IPv4 stuff do not do the same in IPv6. What about Juniper? Then there is the IPv6 is not done at hardware level, because software is fast enough for the current IPv6 bandwidth, but then if you expect to keep your gear for 8 years... Will you have to replace it much earlier than expected? It seems to me on the desktop/server, IPv6 is there free of charge (enabled by default), but on the network, switching to IPv6 is not free nor trivial.
RE: router lifetime
Don't have much to add other than Heath's response is pretty much what I would have said. It really all depends on your business needs as well as policy, or standards you need to meet.

Date: Sun, 3 Oct 2010 00:34:40 +0100
Subject: Re: router lifetime
From: hj1...@gmail.com
To: fra...@genius.com
CC: nanog@nanog.org

How long do you keep a router in production? What is your cycle for replacement of equipment?

Hi Franck

It really depends on the type of network you are running, the rate at which new features bandwidth are required, and the availability of software and hardware upgrades. Also, in a lot of cases it is vendor driven - devices that are still very much in production are forced to be replaced because of vendor product lifecycle and the phasing out of support, even when serving their requirements well. Care to elaborate a little more on your planned scenario?

Cheers
Heath
RE: RIP Justification
I see nothing wrong with using RIPv2 for small networks as it is more dynamic and has faster convergence. As for RIPv1, I think we can all say, RIP!! (no pun intended) Ok yes it was intended LOL... I think some engineers get lost in the whatever is newer is better and you don't need to use a complicated protocol for small simple networks. Now, you should think ahead if that's possible and if you do know it can get complicated, you can implement the right protocol from the start. I have not heard about RIPv3. I suppose I should start looking into it..

From: e...@egon.cc
To: nanog@nanog.org
Subject: Re: RIP Justification
Date: Wed, 29 Sep 2010 13:53:40 -0700

On Sep 29, 2010, at 1:47 PM, Ricky Beam wrote:
The 1% where it was a necessary evil... dialup networking where the only routing protocol supported was RIP (v2) [netblazers] -- static IP clients had to be able to land anywhere -- but RIP only lived on the local segment, OSPF took over network-wide. (Later MaxTNT's were setup with OSPF

I remember RIP across chassis for the TotalControl bonded dialup stuff, and as you mention, static IPs, but I haven't seen it in serious use for a long time.

Cheers,
-j
RE: RIP Justification
Thanks Joe! You just added a new term to my vocabulary! Technical Correctness. I think I'm going to go out of my way now to use this in the office... =)

From: jgr...@ns.sol.net
Subject: Re: RIP Justification
To: patr...@ianai.net
Date: Wed, 29 Sep 2010 18:24:59 -0500
CC: nanog@nanog.org

where the RIP protocol is useful? Please excuse me if this is the incorrect forum for such questions.

RIP has one property no modern protocol has. It works on simplex links (e.g. high-speed satellite downlink with low-speed terrestrial uplink). Is that useful? I don't know, but it is still a fact.

I once had cause to write a RIP broadcast daemon while on-site with a client; they had some specific brokenness with a Novell server and some other gear that was fixed by a UNIX box, a C compiler, and maybe 20 or 30 minutes of programming (mostly to remember the grimy specifics of UDP broadcast programming). I do not recall the specific routing issue, but being able to just inject a periodic spoofed packet was sufficient to repair them. While not the correct way to engineer a network, sometimes being able to bring a client's network back on-line in a crisis is more important than technical correctness. I feel reasonably certain that I would not have been able to cobble together a quick solution if they had been relying on OSPF, etc. A simple protocol can be a blessing. I concede it is more often a curse.

JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
RE: tagged vs. untagged VLAN
I'd think that going with two tagged VLANs is the better route. You will then be forcing the customer to adhere to the VLANs that you have specified and reserved for them. It's also a security advantage because if you go with untagged, who knows if someone might be able to vlan hop/double tag their way into someone else's network.

Date: Tue, 28 Sep 2010 21:27:32 -0400
Subject: tagged vs. untagged VLAN
From: zeusda...@gmail.com
To: nanog@nanog.org

In a SP environment, you need to hand off two VLANs to a customer, is there any advantage or disadvantage in doing the following two setups?
- One untagged and one tagged VLAN
- Two tagged VLAN and no untagged VLAN

I can't think of anything other than some equipment may not let you have no untagged VLAN. But it's bugging me that something could go wrong by not having untagged native VLAN that I can't think of.
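An added example, not code from this thread: a small audit of IOS-style switch configuration that flags customer hand-off trunks where one of the delivered VLANs rides untagged as the native VLAN, which is the setup the reply above argues against, and reports trunks that park the native VLAN on an unused VLAN and disable DTP as clean. The configuration text is constructed for the example (three hypothetical hand-off ports); the commands it parses are standard IOS syntax, but it understands only the lines the audit needs.

```python
"""Audit IOS-style trunk configuration for untagged customer hand-offs.
The configuration below is constructed for this example."""
import re

SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description customer A hand-off: one untagged, one tagged
 switchport mode trunk
 switchport trunk allowed vlan 110,111
 switchport trunk native vlan 110
!
interface GigabitEthernet1/0/2
 description customer B hand-off: both tagged, native parked on an unused VLAN
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 120,121
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description customer C hand-off: native VLAN never set (defaults to 1)
 switchport mode trunk
 switchport trunk allowed vlan 130-131
!
"""


def expand_vlans(spec):
    """'110,120-122' -> {110, 120, 121, 122}; 'all' -> None (every VLAN)."""
    if spec.strip() == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config):
    """Return {name: settings} using the IOS defaults: access mode, native
    VLAN 1, all VLANs allowed, DTP enabled. Only audit-relevant lines parse."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m and not raw.startswith(" "):
            current = {"trunk": False, "native": 1, "allowed": None, "nonegotiate": False}
            interfaces[m.group(1)] = current
        elif not raw.startswith(" "):
            current = None                      # '!' or a global command ends the block
        elif current is not None:
            if line == "switchport mode trunk":
                current["trunk"] = True
            elif line.startswith("switchport trunk native vlan "):
                current["native"] = int(line.rsplit(" ", 1)[1])
            elif line.startswith("switchport trunk allowed vlan "):
                current["allowed"] = expand_vlans(line[len("switchport trunk allowed vlan "):])
            elif line == "switchport nonegotiate":
                current["nonegotiate"] = True
    return interfaces


def audit_trunks(config):
    """(interface, finding) pairs for every trunk with a weak hand-off setup."""
    findings = []
    for name, cfg in parse_interfaces(config).items():
        if not cfg["trunk"]:
            continue
        native, allowed = cfg["native"], cfg["allowed"]
        if native == 1:
            findings.append((name, "native VLAN left at default 1: untagged frames land in VLAN 1"))
        if allowed is None or native in allowed:
            findings.append((name, f"native VLAN {native} is also carried on the trunk: "
                                   "that hand-off VLAN is untagged"))
        if not cfg["nonegotiate"]:
            findings.append((name, "DTP still enabled (no 'switchport nonegotiate')"))
    return findings


def clean_trunks(config):
    """Sorted names of trunk ports with no findings."""
    flagged = {name for name, _ in audit_trunks(config)}
    return sorted(name for name, cfg in parse_interfaces(config).items()
                  if cfg["trunk"] and name not in flagged)


if __name__ == "__main__":
    for name, finding in audit_trunks(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
    print("clean:", ", ".join(clean_trunks(SAMPLE_CONFIG)))
```

On the sample, Gi1/0/1 is flagged because VLAN 110 is both allowed and native (the "one untagged, one tagged" hand-off), Gi1/0/3 because its native VLAN was never moved off the default, and Gi1/0/2 comes back clean: both customer VLANs are tagged, the native VLAN is an unused parking VLAN that is not in the allowed list, and DTP is off.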
RE: Multicast Network Monitoring
I was wondering what was going on. Kinda tired of seeing my own emails over and over.

Date: Tue, 20 Jul 2010 19:22:14 -0700
From: se...@rollernet.us
To: nanog@nanog.org
Subject: Re: Multicast Network Monitoring

On 7/20/2010 06:11, Brandon Kim wrote:
Interesting question, I'd like to know more about this myself. I'm so used to monitoring SNMP-based devices, never really thought about multi-casts and being able to see the pattern/tree

Is it just me, or is anyone else receiving multiple copies of this same message?

~Seth
RE: Addressing plan exercise for our IPv6 course
Alex this looks great! Just printed it out and will play with it. I've spent some time learning IPv6 but when you're not looking at it daily, you begin to forget.

From: al...@ripe.net
Subject: Addressing plan exercise for our IPv6 course
Date: Wed, 21 Jul 2010 18:57:01 +0200
To: nanog@nanog.org

We've been working on an exercise for the IPv6 training course we deliver for LIRs. It's aimed at people who are unfamiliar with IPv6, so the goal is to get them to the point where once they get their IPv6 /32 allocation, they have a good idea how to subdivide prefixes over their network and how to write an addressing plan.

Here's a PDF with the exercise (two pages A3): http://bit.ly/c7jZRJ

I'm curious to hear if you think it's clear and useful.

Cheers,
Alex Band
RIPE NCC Trainer

(Big props go to Marco Hogewoning @XS4ALL)
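An added example, not from the thread or from the RIPE NCC course: it carves a /32 LIR allocation into an addressing plan on nibble boundaries with plain prefix arithmetic (a /32 holds 2^32 /64s, so enumerating them is not an option) and checks that the pieces do not overlap. The sizes are assumptions for the example (one /40 per PoP, giving 256 customer /48s each; the first /40 kept for infrastructure, with /64s for loopbacks and point-to-point links), and 2001:db8::/32 is the documentation prefix, not a real allocation.

```python
"""Nibble-aligned IPv6 addressing plan from a /32 allocation.
Block sizes are this example's assumptions, not a RIPE recommendation."""
import ipaddress
from itertools import combinations


def nth_subnet(parent, new_prefixlen, n):
    """The n-th /new_prefixlen inside parent, computed arithmetically so a
    /32 -> /64 lookup does not walk four billion networks."""
    parent = ipaddress.IPv6Network(parent)
    if new_prefixlen < parent.prefixlen:
        raise ValueError(f"/{new_prefixlen} is larger than {parent}")
    count = capacity(parent, new_prefixlen)
    if not 0 <= n < count:
        raise ValueError(f"index {n} out of range: {parent} holds {count} /{new_prefixlen}s")
    addr = int(parent.network_address) + (n << (128 - new_prefixlen))
    return ipaddress.IPv6Network((addr, new_prefixlen))


def capacity(parent, new_prefixlen):
    """How many /new_prefixlen blocks fit in parent (e.g. 256 /48s in a /40)."""
    parent = ipaddress.IPv6Network(parent)
    return 1 << (new_prefixlen - parent.prefixlen)


def build_plan(allocation, pops):
    """Reserve the first /40 for infrastructure (first /48 of it for
    loopbacks and router links) and give every PoP its own /40, i.e. 256
    customer /48s per PoP. Returns a dict of named prefixes."""
    alloc = ipaddress.IPv6Network(allocation)
    if alloc.prefixlen != 32:
        raise ValueError("this plan assumes a /32 LIR allocation")
    infra = nth_subnet(alloc, 48, 0)             # inside the infrastructure /40 (index 0)
    plan = {
        "allocation": alloc,
        "infrastructure": infra,
        "loopbacks": nth_subnet(infra, 64, 0),   # one /64 for all router loopbacks
        "p2p_links": nth_subnet(infra, 56, 1),   # a /56 = 256 /64s for router links
        "pops": {},
    }
    for i, pop in enumerate(pops, start=1):      # /40 index 0 is infrastructure
        plan["pops"][pop] = nth_subnet(alloc, 40, i)
    return plan


def customer_prefix(plan, pop, customer_index):
    """The customer_index-th /48 inside a PoP's /40."""
    return nth_subnet(plan["pops"][pop], 48, customer_index)


def p2p_link(plan, link_index):
    """One /64 per router-to-router link, taken from the p2p /56."""
    return nth_subnet(plan["p2p_links"], 64, link_index)


def disjoint(*networks):
    """True if no two of the given prefixes overlap (sanity check for a plan)."""
    return not any(a.overlaps(b) for a, b in combinations(networks, 2))


if __name__ == "__main__":
    plan = build_plan("2001:db8::/32", ["ams", "fra", "lon"])
    print("loopbacks  ", plan["loopbacks"])
    print("p2p link 2 ", p2p_link(plan, 2))
    for pop, block in plan["pops"].items():
        print(f"{pop:<4} {block}  first customer {customer_prefix(plan, pop, 0)}")
    print("disjoint:", disjoint(plan["loopbacks"], plan["p2p_links"], *plan["pops"].values()))
```

Keeping every boundary on a nibble (/40, /48, /56, /64) means each block is a whole hex digit in the written address, so the PoP and customer are readable straight from the prefix (2001:db8:103::/48 is customer 3 in the PoP that owns 2001:db8:100::/40) and reverse DNS delegations line up without splitting a nibble.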
RE: v6 bgp peer costs?
Is dual-stacking with an edge device considered native? Or is true native when you have an edge device or any network device for that matter that's v6 only? Just curious.

Subject: Re: v6 bgp peer costs?
From: mar...@marcoh.net
Date: Wed, 21 Jul 2010 21:22:14 +0200
To: z...@zaidali.com
CC: nanog@nanog.org

On 21 jul 2010, at 21:08, Zaid Ali wrote:
I currently have a v4 BGP session with AS 701 and recently requested a v6 BGP session to which I was told a tunnel session will be provided (Same circuit would be better but whatever!). Towards the final stage in discussions I was told that it will cost $1500. I find this quite ridiculous and it will certainly not motivate people to move to v6 if providers put a direct price tag on it. I am going through a bandwidth reseller though so I am not sure who is trying to jack me here. Has anyone here gone through a similar experience?

I think the main question here would be, what they would charge for a change to a v4 session. Most likely they just decided that setting up the tunnel and configuring BGP takes time and since time is money they decided to charge you. Seems like a reasonable rule of business, why should it be free ?

At the same time, the same set of economics will probably find you somebody who will do this for less and maybe even is happy to take your business and setup v4/v6 dual stack for free. So get a quote from a competitor, call back 701 and offer them the choice of setting up the tunnel or lose a customer.

My personal preference would be to leave and find somebody who can do native all the way.

MarcoH
RE: Multicast Network Monitoring
Interesting question, I'd like to know more about this myself. I'm so used to monitoring SNMP-based devices, never really thought about multi-casts and being able to see the pattern/tree.

Date: Tue, 20 Jul 2010 08:59:13 -0400
Subject: Multicast Network Monitoring
From: rjsa...@gmail.com
To: nanog@nanog.org

Curious if anyone has any experience with tools specifically for monitoring multicast. Finds where the trees are, paths they are on, tracks all senders/receivers per group, handles PIM-SM, RPs, MSDP, MDT Tunnels over MPLS VPN, etc. Such as Cisco Multicast Manager, EMC Ionix Multicast Manager, CA Spectrum? The good and the bad? Worth the effort/investment?

Thanks
RE: Multicast Network Monitoring
Wow that looks great! The URL has an extra dot before the SHTML though when you click on it. Easy fix though. Are there no commercial applications for this kind of monitoring? I see your graphs are powered by MRTG. =)

Date: Tue, 20 Jul 2010 17:39:17 +0300
Subject: Re: Multicast Network Monitoring
From: aduit...@gmail.com
To: brandon@brandontek.com
CC: nanog@nanog.org

On Tue, Jul 20, 2010 at 4:11 PM, Brandon Kim brandon@brandontek.com wrote:
Interesting question, I'd like to know more about this myself. I'm so used to monitoring SNMP-based devices, never really thought about multi-casts and being able to see the pattern/tree

Shameless plug, I once developed a tool which was called multicast weathermap. You can see what remains of it here: http://netmon.grnet.gr/multicast-map.shtml (hover over the nodes and the links and you can see various useful info) (you can see the tree of a specific group by selecting from the drop down list at the bottom) and the presentation here http://tnc2004.terena.org/programme/presentations/show2c2c.html?pres_id=47

Since I too myself am into multicast, I intended to incorporate into it everything needed to know everything. But eventually it was left as it is.

Apart from that, the NNM advanced used to have a multicast plugin, and it was fairly usable. You could take a look at it probably, but I don't know whether it can handle those MPLS cases you mention.

Lastly, those guys at Poznan used to work on a tool called Muvi http://muvi.man.poznan.pl/ You may want to take a look, although I fear it too has been abandoned.

Best Regards,
Athanasios

Date: Tue, 20 Jul 2010 08:59:13 -0400
Subject: Multicast Network Monitoring
From: rjsa...@gmail.com
To: nanog@nanog.org

Curious if anyone has any experience with tools specifically for monitoring multicast. Finds where the trees are, paths they are on, tracks all senders/receivers per group, handles PIM-SM, RPs, MSDP, MDT Tunnels over MPLS VPN, etc. Such as Cisco Multicast Manager, EMC Ionix Multicast Manager, CA Spectrum? The good and the bad? Worth the effort/investment?

Thanks
RE: Rate Limiting on Cisco Router
Pretty funny and good stuff since no one really achieves true 100MB speeds anyways, then a 100MB port might actually traffic shape itself naturally!!! I forget what the actual speeds truly are... is it 80% advertised speeds? I'm not sure which is cheaper but I think Juniper has some low end Netscreens you can try also that have traffic shaping features.

Subject: RE: Rate Limiting on Cisco Router
From: gordsla...@ieee.org
To: brandon@brandontek.com
CC: nanog@nanog.org
Date: Fri, 9 Jul 2010 06:33:04 +0100

On Thu, 2010-07-08 at 20:01 -0400, Brandon Kim wrote:
What about purchasing a low-end packetshaper to be used in between?

If - 1/ budget is a problem and 2/ you have no BSD knowledge inhouse and 3/ the LAN side is all ethernet you could have a stab at using a PFsense box with two (and strictly ONLY two, for this use) physical NICs. It has a GUI to set up traffic shaping (see the sticky on the pfsense forums). PFsense 1.2.3 is current, don't go for the experimental 2.0 for production. There's a book and commercial support if you need it, free support via forums if you can't. Only two physical NICs is necessary due to shaper problems with more than two, whereas in a firewalling role the slots are the only limit (but VLANS are the norm for bucketloads of ports on a firewall PFsense box). An ITX (Littlefalls etc) mobo with 512MB RAM with an extra PCI Intel NIC added will do you fine .. PFsense has nice traffic graphs, which helps you with shaping speeds in a big way. It also has a TFTP server available for it so it's handy for unmanned sites with only a few blue boxes ;)

PS - a crazy afterthought - surely just about anything with a 10/100 ethernet link running at 100 and placed inline, cannot exceed 100Mbps - and probably less if it's plastic-cased? Try a few 8-port junkers and see what happens if you fancy a walk on the dangerous side. Watch out for errors and smoke :)

Gord
--
The drinker you are the smoker you get
RE: Rate Limiting on Cisco Router
What about purchasing a low-end packetshaper to be used in between? I know this doesn't answer the question but could it be an option?

Date: Thu, 8 Jul 2010 13:43:17 -1000
From: t...@lava.net
To: jay.mur...@state.nm.us
Subject: RE: Rate Limiting on Cisco Router
CC: nanog@nanog.org

On Thu, 8 Jul 2010, Murphy, Jay, DOH wrote:
Traffic shaping produces a queue, and does not completely junk a packet. It becomes q'd, and produces a smoother output.

Traffic-shaping 80Mb/s of traffic is probably not a good idea for your router cpu :)

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: t...@lava.net
RE: Broadband initiatives - impact to your network?
That is when conversations bearing sounds like mpscp and uftp begin and then someone says aw, screw it, just send them a disk. LOL

Subject: RE: Broadband initiatives - impact to your network?
Date: Mon, 28 Jun 2010 16:46:37 -0700
From: gbon...@seven.com
To: j...@feldman.org; ra...@psg.com
CC: nanog@nanog.org

-Original Message-
From: Jonathan Feldman
Sent: Monday, June 28, 2010 4:14 PM
To: Randy Bush
Cc: nanog@nanog.org
Subject: Re: Broadband initiatives - impact to your network?

I've never claimed to be particularly bright, but I do like to challenge assumptions.

It isn't only the amount of bandwidth available but also in many cases the protocols used to transmit the data. It takes smarter than the average bear to figure out how to get data across a fat pipe over a long distance at a high rate. TCP protocols are limited by the number of packets allowed to be in flight according to how the stack is configured. One might need to go to unorthodox or rather new methods to use all the available bandwidth.

There are many cases of someone being stymied as to why they can't even get anywhere near 10 megabits of throughput on a GigE path from Los Angeles to London using FTP, for example.

In many cases the responsibility of getting data from point A to point B is handled by people who don't bring their network operators into the discussion where problems like this can be pointed out to them. Often the first time the enterprise network group hears about it is when someone complains that the fast pipe to $continent is slow and therefore must be broken and that is generally followed by the demand that it be fixed immediately if that demand is not included in the first email.

That is when conversations bearing sounds like mpscp and uftp begin and then someone says aw, screw it, just send them a disk.

George
RE: Advice regarding Cisco/Juniper/HP
This situation scares me. It has HP's best interest written all over it. You have expertise in competing vendors but not with HP/3Com. They could very well be easy to configure but maybe inferior when you get into the details of how they function. Then if you find out they can't support your business needs, it would cost even more to replace them. I don't think that's going to happen, I'm sure the people writing the checks will tell you to make it work, but if it can't meet the demands, it's going to hurt your business... The people writing the checks need to know this. I'm not against new companies competing with Cisco/Juniper but at the same time, you don't want to be the guinea pigs for them.

Date: Thu, 17 Jun 2010 09:52:13 -0400
Subject: Advice regarding Cisco/Juniper/HP
From: ja...@jamesstewartsmith.com
To: nanog@nanog.org

I'm looking for a little insight regarding an infrastructure purchase my company is considering. We are a carrier, and we're in the process of building a DR site. Our existing production site is all Cisco equipment with a little Juniper thrown into the mix. I'd like to either get the same Cisco equipment for the DR, or the equivalent Juniper equipment. We have skill sets for both Cisco and Juniper, so neither would be a problem to manage.

A business issue has come up since we have a large number of HP servers for Unix and Wintel. With HP's recent acquisition of 3Com they are pressing hard to quote on the networking hardware as well, going as far as offering prices that are way below the equivalent Cisco and Juniper models. In addition they're saying they'll cut us deals on the HP servers for the DR site to help with the decision to go for HP Networking. Obviously to the people writing the cheques this carries a lot of weight.

From a technical point of view, I have never worked in a shop that used HP or 3Com for the infrastructure. Dot-coms, telcos, banks, hosting companies...I haven't seen any of them using 3com or HP.

Additionally, I'm not fond of having to deal with a third set of equipment. I'm not exactly comfortable going with HP, but I'd like some data to help resolve the debate. So my questions to the NANOG community are:

Would you recommend HP over Cisco or Juniper?
How is HP's functionality and performance compared to Cisco or Juniper?
Does anyone have any HP networking experiences they can share, good or bad?
RE: Raised floor, Solid floor... or carpet?
Some questions: What about dust? Wouldn't the carpet hold down more dust than a regular floor, and at some point the dust could kick back up and go right back into the servers? What about maintenance of the floor (sweeping/brooming wise)? Isn't it easier to use something like an iRobot on a flat floor than a carpeted one? I don't know the exact coding standards, but would it not be better to use those soundproof materials in the corners and walls around the datacenter? Wouldn't a carpet be bad for possible fires/flames or sparks?

Date: Thu, 1 Apr 2010 08:55:20 -0700
Subject: Raised floor, Solid floor... or carpet?
From: sc...@doc.net.au
To: nanog@nanog.org

Adding to the recent debate over raised vs. solid floor, seems there's another option that wasn't discussed... http://www.iphouse.com/

Scott.
RE: Raised floor, Solid floor... or carpet?
hahaha I fell for it HOOK LINE AND SINKER!!! DAMN YOU GUYS

Date: Thu, 1 Apr 2010 12:43:21 -0400
Subject: Re: Raised floor, Solid floor... or carpet?
From: j...@crepinc.com
To: michael.holst...@csuohio.edu
CC: nanog@nanog.org

Nice to see smaller companies take the time to put up a good April Fool's joke as well. Wow, I got totally owned. Retreating to my corner,

-Jack Carrozzo

On Thu, Apr 1, 2010 at 12:36 PM, Michael Holstein michael.holst...@csuohio.edu wrote:

Adding to the recent debate over raised vs. solid floor, seems there's another option that wasn't discussed... http://www.iphouse.com/

Nice to see smaller companies take the time to put up a good April Fool's joke as well.
RE: Latency question
Dennis,

You have a massive spanning tree issue... just kidding... check for that though. Please update us more on your situation and if the other suggestions on the list helped. Or we can communicate privately; I love troubleshooting situations like this.

To: nanog@nanog.org
Subject: Re: Latency question
From: br...@2mbit.com
Date: Thu, 18 Mar 2010 15:12:59 +

Dennis,

In large installations, I've always found it helpful when diagnosing LAN issues to isolate floors and departments first - using routers or with devices that can do transparent bridging. That way, you can walk through each dept/floor testing for the issues, and hopefully find only one location it's still affecting. It's entirely likely that there's either a loop of some sort or a switch has gone off the deep end. If you'd like, let him know if he wants to drop me a mail; I can walk through details about the situation and hopefully help him narrow it down.

--Original Message--
From: Dennis Dayman
To: nanog@nanog.org
Subject: Latency question
Sent: Mar 18, 2010 7:56 AM

I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?

-Dennis

--
Brielle Bruns
http://www.sosdg.org / http://www.ahbl.org
RE: Latency question
That was pretty quick. But what do you mean by "spewing stuff"? It would help the rest of us understand for possible future issues we may run into ourselves.

Subject: Re: Latency question
From: dennis-li...@thenose.net
Date: Thu, 18 Mar 2010 10:50:20 -0500
To: nanog@nanog.org

Found a MAC address spewing stuff. Looks like we have our culprit. Thanks EVERYONE!

-Dennis

On Mar 18, 2010, at 9:56 AM, Dennis Dayman wrote:

I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?

-Dennis
RE: Latency question
Isn't it amazing that one can be so cheap it ends up biting them in the arse? There's a difference between frugal and cheap. Being cheap comes back to you; it's like karma.

Date: Thu, 18 Mar 2010 11:11:09 -0500
From: larryshel...@cox.net
To: nanog@nanog.org
Subject: Re: Latency question

On 3/18/2010 11:00, Brandon Kim wrote:

That was pretty quick. But what do you mean by "spewing stuff"? It would help the rest of us understand for possible future issues we may run into ourselves.

Good question. Without thinking about it I saw in my mind's eye a situation we used to see at $EX-EMPLOYER (who was fond of the absolute smallest-dollar-amount-per-immediate-problem solutions), who bought toy 4-port hubs by the pallet-load. These little gems had the endearing habit of spewing random bits onto the wire whenever the wall-wart failed--which they frequently did. I had MRTG graphs of every switch and router port so I could quickly determine which leg the current culprit was on. Never solved the problem of having two or three go bad, which, believe it or not, complicates the issue. But the graphs did allow me to identify the port and shut it down, saving the rest of the network.

Subject: Re: Latency question
From: dennis-li...@thenose.net
Date: Thu, 18 Mar 2010 10:50:20 -0500
To: nanog@nanog.org

Found a MAC address spewing stuff. Looks like we have our culprit. Thanks EVERYONE!

-Dennis

On Mar 18, 2010, at 9:56 AM, Dennis Dayman wrote:

I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?

-Dennis

--
Democracy: Three wolves and a sheep voting on the dinner menu.
(A republic, using parliamentary law, protects the minority.)
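Larry's approach in the thread above, finding which leg a misbehaving device is on from per-port traffic graphs, as an added example that is not part of the thread and not anyone's code from it: two constructed snapshots of per-port interface counters (the kind of values SNMP polling of IF-MIB ifInOctets and ifInErrors returns; the port names, counter values and thresholds are made up for the illustration) are turned into rates, and the ports far above the median inbound rate or logging input errors are reported. A port whose counters went backwards between polls is skipped rather than producing a negative rate, since that is what a rebooted device or a wrapped 32-bit counter looks like.

```python
"""Spot the switch port behind a traffic or garbage storm from interface counters.

Added example, not code from the NANOG thread. It does the arithmetic a
per-port MRTG graph shows visually: delta of two counter polls divided by the
poll interval, then a comparison against what the other ports are doing.
"""
from statistics import median

POLL_INTERVAL_S = 300  # seconds between the two polls

# Constructed sample: (ifInOctets, ifInErrors) per port at the first poll.
SNAPSHOT_T0 = {
    "Gi1/0/1": (1_000_000, 0),
    "Gi1/0/2": (2_500_000, 0),
    "Gi1/0/3": (800_000, 0),
    "Gi1/0/4": (5_000_000, 2),
    "Gi1/0/5": (3_200_000, 0),
    "Gi1/0/6": (1_900_000, 0),
    "Gi1/0/7": (4_000_000, 10),
    "Gi1/0/8": (600_000, 0),
}

# Same counters 300 s later (constructed). Gi1/0/7 has something on it
# spraying frames: 3 GB received and thousands of input errors in five minutes.
SNAPSHOT_T1 = {
    "Gi1/0/1": (4_000_000, 0),
    "Gi1/0/2": (7_000_000, 0),
    "Gi1/0/3": (2_300_000, 0),
    "Gi1/0/4": (14_000_000, 2),
    "Gi1/0/5": (9_200_000, 0),
    "Gi1/0/6": (4_300_000, 0),
    "Gi1/0/7": (3_004_000_000, 4_520),
    "Gi1/0/8": (1_800_000, 0),
}


def per_port_rates(t0, t1, interval_s):
    """Return {port: (octets_per_s, errors_per_s)} from two counter snapshots."""
    rates = {}
    for port, (oct1, err1) in t1.items():
        if port not in t0:
            continue  # no baseline for a port that appeared between polls
        oct0, err0 = t0[port]
        if oct1 < oct0 or err1 < err0:
            # Counters only grow; going backwards means a reboot or a
            # 32-bit counter wrap, so this interval is not usable.
            continue
        rates[port] = ((oct1 - oct0) / interval_s, (err1 - err0) / interval_s)
    return rates


def suspect_ports(rates, factor=10.0, min_error_rate=1.0):
    """Ports whose inbound rate is >= factor x the median, or that log errors.

    The median is used as the baseline so that one runaway port does not
    drag the "normal" level up with it.
    """
    if not rates:
        return []
    baseline = median(r[0] for r in rates.values())
    suspects = []
    for port, (octets_per_s, errors_per_s) in sorted(rates.items()):
        reasons = []
        if baseline > 0 and octets_per_s >= factor * baseline:
            reasons.append(
                f"inbound {octets_per_s:.0f} B/s is "
                f"{octets_per_s / baseline:.0f}x the median ({baseline:.0f} B/s)"
            )
        if errors_per_s >= min_error_rate:
            reasons.append(f"{errors_per_s:.1f} input errors/s")
        if reasons:
            suspects.append({
                "port": port,
                "octets_per_s": octets_per_s,
                "errors_per_s": errors_per_s,
                "reasons": reasons,
            })
    return suspects


if __name__ == "__main__":
    rates = per_port_rates(SNAPSHOT_T0, SNAPSHOT_T1, POLL_INTERVAL_S)
    for s in suspect_ports(rates):
        print(s["port"] + ": " + "; ".join(s["reasons"]))
```

With the constructed snapshots only Gi1/0/7 is reported, on both counts. Once the port is known, the usual next step in the thread (shut the port, then find the device behind it) is an operator decision; the script only narrows the search.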
RE: anti-ddos test solutions ?
Hey Barry,

What program do you use to simulate the DDoS botnet? Is it a custom program or something off the shelf?

From: bgre...@senki.org
To: sfou...@shortestpathfirst.net; gforta...@live.com; nanog@nanog.org
Subject: RE: anti-ddos test solutions ?
Date: Wed, 17 Mar 2010 09:27:20 -0700

I use all the testing tools out there for DDoS testing (you name it, I've most likely used it or currently have it in the lab). The only way I've been able to whack anti-DDoS solutions is by building a couple of racks of servers to emulate a DDoS botnet.
RE: IPv6 in Education Question
Will your presentation be viewed anywhere like YouTube? I'd like to hear or see it.

From: tchrist...@springnet.net
To: nanog@nanog.org
Date: Wed, 17 Mar 2010 13:58:26 -0500
Subject: IPv6 in Education Question

So I'm giving an introductory talk on IPv6 for a statewide conference for tech coordinators for education. I have the usual catechism of reasons/advantages from the network side but was wondering if there were any good education-specific applications of v6. My major goal is to help them understand the situation so that they can make use of the base of educators in our state to help spread the word about IPv6.

Thanks in advance,
Todd

Todd Christell
Manager Network Architecture and Support
www.springnet.net
417.831.8688
Key fingerprint = 4F26 A0B4 5AAD 7FCA 48DD 7F40 A57E 9235 5202 D508
RE: IPv6 in Education Question
Todd,

I'm sending you a link from something I blogged about on my site regarding IPv6. I'll send it offline so others don't think I'm spamming the list...

From: tchrist...@springnet.net
To: brandon@brandontek.com; nanog@nanog.org
Date: Wed, 17 Mar 2010 15:00:51 -0500
Subject: RE: IPv6 in Education Question

I don't know what their plans are, but I'm NOT very photogenic... It is really a very basic introduction as the audience will have varied experience levels. Current IPv4 addresses, their exhaustion and why NAT is evil. Intro to the structure of an IPv6 address, beginning subnetting, getting a handle around how huge the numbers are, and why NAT64 is evil. Transition mechanisms and the inherent problems. Mostly trying to continue a grass roots effort to get things moving. When I talk to upstreams and hardware vendors all I hear is "We aren't getting many requests for v6." So I'm trying to change that by stirring the masses to push IPv6 requirements to the parties in question. Technically accurate, but something that they all can relate to and take home with them. That's mainly why I was looking for a few cool education-centric ideas to help instill some ownership.

Todd

Todd Christell
Manager Network Architecture and Support
www.springnet.net
417.831.8688
Key fingerprint = 4F26 A0B4 5AAD 7FCA 48DD 7F40 A57E 9235 5202 D508

-Original Message-
From: Brandon Kim [mailto:brandon@brandontek.com]
Sent: Wednesday, March 17, 2010 2:28 PM
To: nanog@nanog.org
Subject: RE: IPv6 in Education Question

Will your presentation be viewed anywhere like YouTube? I'd like to hear or see it.

From: tchrist...@springnet.net
To: nanog@nanog.org
Date: Wed, 17 Mar 2010 13:58:26 -0500
Subject: IPv6 in Education Question

So I'm giving an introductory talk on IPv6 for a statewide conference for tech coordinators for education. I have the usual catechism of reasons/advantages from the network side but was wondering if there were any good education-specific applications of v6. My major goal is to help them understand the situation so that they can make use of the base of educators in our state to help spread the word about IPv6.

Thanks in advance,
Todd

Todd Christell
Manager Network Architecture and Support
www.springnet.net
417.831.8688
Key fingerprint = 4F26 A0B4 5AAD 7FCA 48DD 7F40 A57E 9235 5202 D508
RE: IPv6 in Education Question
Jens:

There are some ISPs trying to push IPv6. Probably not until the masses really demand it in some way. Or if Google pushes it, or some well known company. Perhaps maybe an application that is IPv6-specific. NATs and transition protocols seem to extend the life of IPv4. I'm not against them though, they have served us well... hard to let go of things that worked for you for so many years.

From: li...@quux.de
To: nanog@nanog.org
Subject: Re: IPv6 in Education Question
Date: Wed, 17 Mar 2010 21:20:11 +0100

Todd Christell tchrist...@springnet.net writes:

So I'm giving an introductory talk on IPv6 for a statewide conference for tech coordinators for education. I have the usual catechism of reasons/advantages from the network side but was wondering if there were any good education-specific applications of v6. My major goal is to help them understand the situation so that they can make use of the base of educators in our state to help spread the word about IPv6.

It's not a question of if but when IPv6 will be used on a large scale in the internet. So, from the educational side it's beneficial if students learn about IPv6. So much for the theory.

I did quite a number of presentations on IPv6, some of them at a university in Germany (not as some official talk, but some user group / some students asked me to). Some quotes:

"We don't have time for this."
"Well, our network equipment is 14 years old, we don't have a budget for new stuff."
"We'll implement IPv6 in 13 years, it's when my colleague retires."
/me: Cool. You have IPv6. Professor: I configured the tunnel myself. Our network people don't this the topic.

Jens

--
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de | jabber: jensl...@guug.de |
RE: Yahoo Mail Admin
Maybe he's lonely? =)

Date: Tue, 16 Mar 2010 11:40:43 -0700
Subject: Re: Yahoo Mail Admin
From: li...@billfehring.com
To: baldwinmat...@gmail.com
CC: nanog@nanog.org

On Tue, Mar 16, 2010 at 10:53, Matt Baldwin baldwinmat...@gmail.com wrote:

Hi: Can a Yahoo! mail admin please contact me off-list, please? Tnx. -matt

You didn't say why you believe that you need to talk directly to a Yahoo! mail admin, but if it's related to abuse, it came up a little over a month ago. http://www.merit.edu/mail.archives/nanog/threads2.html Search for "Yahoo Abuse" on 02/09/10.
RE: security questions
Yup, what Larry said. I wouldn't be too concerned about it. But some managers may make a big deal... Some sites use images located at a different webserver that isn't HTTPS, and sometimes there are hidden iframes that bring you info from non-secure sites. But the actual login is posted to an HTTPS server. Hope that helps.

Brandon
Follow me: twitter.com/brandontek

Date: Sat, 13 Mar 2010 20:14:26 -0600
From: larry-li...@maxqe.com
To: adriankok2...@yahoo.com.hk
Subject: Re: security questions
CC: nanog@nanog.org

adrian kok wrote:

Hi, I have questions about security. I am using Mozilla to access Gmail as https://mail.google.com/mail. Why does Mozilla prompt me with the alert box "You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party."?
1/ Can network software help to check? If yes, which software and how?
2/ How does Mozilla know I have data not encrypted?
3/ Is https secured? If not, why is it PCI?
Thank you

This message is saying that Google is including things using http:// in the site. This is common with images. The login is still secure; they just are not using SSL for some things.

[ ~ ] lynx --dump mail.google.com/mail|grep http\:\/\/
http://gmail.com/app. [1]Learn more
1. http://www.google.com/mobile/landing/mail.html#utm_source=gmailhpp
2. http://mail.google.com/support/bin/answer.py?answer=46346fpUrl=https%3A%2F%2Fwww.google.com%2Faccounts%2FForgotPasswd%3FfpOnly%3D1%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fmail%252F%253Fui%253Dhtml%2526zy%253Dl%26service%3Dmail%26ltmpl%3DdefaultfuUrl=https%3A%2F%2Fwww.google.com%2Faccounts%2FForgotPasswd%3FfuOnly%3D1%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fmail%252F%253Fui%253Dhtml%2526zy%253Dl%26service%3Dmail%26ltmpl%3Ddefaulthl=en
3. http://mail.google.com/mail/signup
4. http://mail.google.com/mail/help/intl/en/about.html
5. http://mail.google.com/mail/help/intl/en/about_whatsnew.html
6. http://www.google.com/apps/intl/en/business/gmail.html#utm_medium=etutm_source=gmail-signin-enutm_campaign=crossnav
7. http://gmailblog.blogspot.com/?utm_source=en-gmftrutm_medium=etutm_content=gmftr
8. http://mail.google.com/mail/help/intl/en/terms.html
9. http://mail.google.com/support/
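The check Larry does above with lynx and grep, as an added example that is not part of the thread and not Larry's or Brandon's code: the browser warning fires because the HTTPS page pulls in subresources over plain http://, so the script below parses the page's markup and reports which tag and attribute carry each plain-http reference, instead of listing every http:// string the way grep does (which also matches ordinary links, and a link to an http page is not mixed content). It separates the one case that matters for a login page, a form whose action posts to http://, from the low-severity case of an image or iframe fetched in the clear that Brandon describes. The sample page, host names and severities are constructed for the illustration; nothing here fetches a real site.

```python
"""Find unencrypted (http://) subresources referenced by an HTTPS page.

Added example, not code from the NANOG thread. Same idea as
"lynx --dump ... | grep http://" in Larry's reply, but it parses the
markup so each finding names the tag and attribute involved.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes through which a page pulls in another resource, or sends data
# somewhere. Plain <a href> is deliberately absent: navigating to an http
# page is not mixed content, and grep http:// would wrongly flag it.
URL_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "form": ("action",),
    "object": ("data",),
    "embed": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collect every tag/attribute pair whose URL uses plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS.get(tag, ()) or not value:
                continue
            url = value.strip()
            if urlparse(url).scheme.lower() != "http":
                continue
            # A form posting to http:// sends whatever the user typed (a
            # password, say) in the clear. Everything else only exposes the
            # fetched resource and the fact that it was fetched.
            severity = "high" if tag == "form" else "low"
            self.findings.append(
                {"tag": tag, "attr": name, "url": url, "severity": severity}
            )


def find_mixed_content(html_text):
    """Return the plain-http references found in html_text, in page order."""
    scanner = MixedContentScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample page (not a real Gmail page): the login form posts over
# HTTPS, but a logo and a hidden iframe are loaded over plain http.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://static.example/css/login.css">
<script src="https://static.example/js/login.js"></script>
</head><body>
<img src="http://images.example/logo.png" alt="logo">
<iframe src="http://ads.example/frame" style="display:none"></iframe>
<form action="https://accounts.example/login" method="post">
  <input name="user"><input name="passwd" type="password">
</form>
<a href="http://help.example/">help</a>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_PAGE):
        print(f"{f['severity']:4} <{f['tag']} {f['attr']}> {f['url']}")
```

On the constructed page the scanner reports the image and the hidden iframe as low severity and nothing for the form or the help link, which is exactly the situation Brandon describes: a browser warning, but credentials still travelling over HTTPS. Feeding it a page whose form action is http:// is the case where the warning deserves attention.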
RE: CRS-3
LOL! Wow, that is a pretty sad comment.. But back to the CRS-3, just wow!!!

Subject: RE: CRS-3
Date: Tue, 9 Mar 2010 14:54:16 -0500
From: dhubb...@dino.hostasaurus.com
To: nanog@nanog.org

From: Brian Feeny [mailto:bfe...@mac.com]

So who is going to be the first to deploy these? http://newsroom.cisco.com/dlls/2010/prod_030910.html
- Download the entire Library of Congress in just over 1 second
- Stream every motion picture ever created in less than four minutes
If nothing else you gotta love the Cisco Marketing machine!
Brian

The article about this in the tech section on CNN already has comments in it like "Oh, well Cisco owns Linksys and I have a Linksys router so will my ISP be updating me to the CRS-3 so I can download at those speeds?" LOL
RE: [Fwd: [members-discuss] [ncc-announce] RIPE NCC Position On The ITU IPv6 Group]
Interesting, why is it causing quite a stir? Is it because they are trying to allocate a large pool of addresses?

Date: Fri, 26 Feb 2010 13:03:01 +0100
From: awa...@tuenti.com
To: nanog@nanog.org
Subject: [Fwd: [members-discuss] [ncc-announce] RIPE NCC Position On The ITU IPv6 Group]

I didn't see this on NANOG yet, but it's caused a stir on the RIPE list.

--Forwarded Message Attachment--
From: n...@ripe.net
To: ncc-annou...@ripe.net
Date: Thu, 25 Feb 2010 17:20:18 +0100
Subject: [Admin] [members-discuss] [ncc-announce] RIPE NCC Position On The ITU IPv6 Group

Dear Colleagues,

As you may be aware, the International Telecommunication Union's (ITU) Telecommunication Standardization Bureau (TSB) has convened an ITU IPv6 Group, the first meeting of which will be held on 15-16 March 2010 in Geneva, Switzerland. Information on this group is available at: http://www.itu.int/ITU-T/othergroups/ipv6/

Among the group's Terms of Reference are the following:

* To draft a global policy proposal for the reservation of a large IPv6 block, taking into consideration the future needs of developing countries (as outlined in paragraph 23 of ITU document C09/29).
* To further study possible methodologies and related implementation mechanisms to ensure 'equitable access' to IPv6 resource by countries.
* To further study the possibility for ITU to become another Internet Registry, and propose policies and procedures for ITU to manage a reserved IPv6 block.
* To further study the feasibility and advisability of implementing the CIR [Country Internet Registry] model for those countries who would request national allocations.

The ITU IPv6 Group is open to ITU Member States and Sector Members of ITU-T and ITU-D. RIRs that are not members have also been extended an invitation to participate.

IPv6 address policy is clearly of critical importance to the RIPE NCC membership, and the unsympathetic implementation of any of the Terms of Reference stated above would have serious impact on the global IP address distribution environment. Members of RIPE NCC staff will be participating in this meeting of the ITU IPv6 Group to represent the interests of our members and community.

The position of the RIPE NCC is based on support for smooth and reliable working of the Internet globally, and for the bottom-up, open policy development process that allows for all stakeholders, including business, government and the technical community, to participate. Some of the issues addressed in the Terms of Reference listed above are a cause for concern because they could directly affect the RIPE NCC operations as a Regional Internet Registry (RIR). Therefore, the RIPE NCC position on the Terms of Reference is as follows:

* The needs of developing economies in IP address policy are important. Network operators in these economies have fair and equal access to IPv6 resources from the Regional Internet Registries (RIRs), and to the Policy Development Processes in their RIR and globally. Each of the RIRs has been allocated an equal block of IPv6 to distribute to networks in their region (e.g. AfriNIC has been allocated the same sized block of IPv6 as the RIPE NCC).
* IPv6 allocations made by RIRs to date amount to the equivalent of 500 times the size of the entire IPv4 address pool, allocated to networks in over 150 economies.
* If a significant sector in the Internet community feels that the reservation of a large IPv6 block for the future needs of developing countries is warranted, the open, bottom-up Policy Development Processes (PDPs) of the RIRs provide an appropriate forum in which to argue that case and develop such a policy.
* The RIRs, as the recognised stewards of Internet Number Resources, are working, individually, jointly, and with invited experts, to engage the ITU membership. We have closely followed discussions in the ITU to date. The RIPE NCC does not believe that there are any problems that would be solved by the shift to a country-based allocation system or the installation of the ITU as an Internet Registry.

The purpose of this email is to ensure that all RIPE NCC members are informed of the RIPE NCC's participation in this ITU IPv6 Group, and our position. If you have any comments or questions regarding this information, please send an email to n...@ripe.net.

Kind regards,
Axel Pawlik
Managing Director
RIPE NCC
RE: Comcast IPv6 Trials Update
Wow that's great, hopefully Cablevision will do the same with their Optimum Online!!!

From: mich...@thegrebs.com
Subject: Fwd: Comcast IPv6 Trials Update
Date: Fri, 26 Feb 2010 13:15:45 -0500
To: nanog@nanog.org

Received this message today. They haven't updated the http://www.comcast6.net/ site yet.

Mike

Begin forwarded message:

An Important Message From Comcast

Dear Comcast Customer,

Thank you for volunteering to participate in Comcast's IPv6 trials! I wanted to provide you with a quick update on what our next steps are and when you can expect to hear from us again. As you know, we have four trials described at http://www.comcast6.net. We're in detailed planning on the first three: 6RD, plus native dual-stack for residential and for commercial customers. We expect each of these to start sometime within the next 90 days or so.

6RD Trial: We anticipate having customers from around our network, not limited to any specific areas, participate. We will start the trial on a very small scale and then progressively increase the number of participants. We plan to ship a new home gateway device to each trial participant.

Residential Native Dual-Stack Trial: This trial will be limited to a few areas in our network. We are in the midst of determining precisely what those areas will be, based on where we have volunteers and where the infrastructure will be ready. If trial participants do not have an IPv6-capable home gateway and cable modem, one will be provided.

Commercial Native Dual-Stack Trial: This trial will be limited to a few areas in our network. We have tentatively identified these trial areas and will soon be in touch with potential trial users.

Within approximately the next 30 days we will begin to contact some of our volunteers regarding each of these trials, so expect to hear from us soon. Thanks again for your interest!

Regards
Jason Livingood
Internet Systems Engineering
Comcast