Re: [External] Opengear alternatives that support 5g?
On Mon, Apr 29, 2024 at 07:04:25AM -0700, Warren Kumari wrote:
> Michel's Banana Pi BPI-R3 suggestion seems intriguing — yes, it still
> suffers from the "Now I have another "machine" to manage and patch, and
> people will try and install iperf / a Quake server / nmap / ruby / 17
> different flavors of Emacs on it", but:
> 1: Perhaps I can mitigate that by making much of the filesystem read-only and
> 2: it's a great excuse to buy another toy!

Another option would be a Raspberry Pi Compute Module 4 with eMMC onboard (i.e. the non-Lite version does not need an SD card). They have breakout boards for the Compute Module that have spots for 5G WAN.

https://thepihut.com/products/compute-module-4-industrial-iot-base-board

PiKVM does make the file system read-only (you have to temporarily disable that to do updates, config changes, etc.). Potentially, you could copy what they do there.

> I also like Jared and Andrew's freetserv /
> https://lathama.net/Tech/Hardware/USB-32COM-RM option. I might see about
> building a bunch of the freetserv boards and connecting them to a Banana
> Pi…. although, more realistically, I'll likely buy a few Banana Pi's, and
> add them to the ever expanding pile of backlog projects…

One suggestion for freetserv boards I have would be to get a board printer like https://jlcpcb.com to also do the assembly of the surface mount components. Last time I checked, they only did one side, not both sides. Have them do the complex side. Pricing was very reasonable. The back non-complex side wasn't that bad overall.
Re: Standard DC rack rail distance, front to back question
On Thu, Apr 27, 2023 at 09:51:36AM -0400, Chuck Church wrote:
> Hey all. Question about standard 4 post racks. We bought some that are
> adjustable. Unfortunately, the posts are very flimsy, as these are some
> fancy cabinets with spacing on the sides for vertical patch panels, etc. We
> found that 2 post mounting of most Cisco devices (namely Cat 9500 1RU
> switches) are sagging quite bad.

A perpetual problem with Cisco all the way back to their 2501 routers. Sometimes they seem to come out with a better design, only to revert back to the worst design the next generation of gear.

> Is there a 'standard' distance between front and back rails
> that devices usually adhere to?

I've got about 5 different "standard" depths in my datacenter. The most common I have is 29.5", because that is the depth of a whole bunch of fixed (i.e. not adjustable) shelves I have. I've seen 32" and 36" in use for newer setups, as the equipment keeps getting deeper and deeper.

Most equipment today will adjust for different depths quite readily, and stick out past the back rails (so those 1050mm or 1200mm deep cabinets really don't give you lots of empty space when the gear inside requires all that depth, and then power cables take up the rest).

So, ultimately the depth doesn't matter much, as the rails will adjust to what you have within reason nowadays. Gone are the days where equipment (i.e. Sun, DEC) only fit in that one rack that Sun paired with that specific Sun line, and when you bought different Sun gear, you needed to buy a different rack to hold that.
Re: V6 still not supported
On Fri, Mar 25, 2022 at 02:30:26PM +0100, Jared Brown wrote:
> Owen DeLong via NANOG wrote:
> > When your ISP starts charging $X/Month for legacy protocol support
>
> Out of interest, how would this come about?

It already happens, more along the lines of "Business Class" vs. "Residential Class". I.e. for Residential Class, you may get put onto CGNAT, and have no control over that. While on x level of Business Class, you get to opt out of CGNAT, and potentially even have a static IP address assigned to your connection.
Re: Log4j mitigation
On Mon, Dec 13, 2021 at 11:38:04AM -0800, Owen DeLong via NANOG wrote:
> > On Dec 11, 2021, at 04:11 , Nick Hilliard wrote:
...
> > https://logging.apache.org/log4j/2.x/security.html
> >
> > 1. upgrade log4j to 2.15.0 and restart all java apps
> > 2. start java with "-D log4j2.formatMsgNoLookups=true" (v2.10+ only)
> > 3. start java with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" environment variable
> > (v2.10+ only)
> > 4. zip -q -d log4j-core-*.jar
> > org/apache/logging/log4j/core/lookup/JndiLookup.class
> >
> > There's a lot of scanning going on at the moment, so if you have an exposed
> > java instance running something which includes log4j2, you may already be
> > compromised.
> >
> > Nick
>
> Alternatively, this incantation solved the problem on my linux server:
>
> rpm -e log4j12 ant-apache-log4j log4j

There are many software setups that bundle their own log4j.jar without bothering to go through the OS package manager:

$ rpm -qa | fgrep log4j
$
$ find / -name 'log4j*jar'
system/log4j/log4j/log4j/1.2.17/log4j-1.2.17.jar

(obviously an old system due to the commands used and version found, and it won't get the patches available because of the vendor...).

Sorta like playing whack-a-mole with jquery.js (another package with lots of security history that seems to be copied _everywhere_ without registering it with the OS package manager).

So, the exercise becomes _finding_ the software that uses it, and then doing the configs that defang JNDI everywhere you find it.
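The find-then-defang exercise described in the reply above, as an added example that is not part of the original thread: it walks a directory tree for bundled `log4j*.jar` files (the `find / -name 'log4j*jar'` step) and, for log4j 2.x jars, rewrites the archive without `JndiLookup.class` (the `zip -q -d` step from the quoted Apache list), using only the Python standard library. The app path, jar names and jar contents are constructed stand-ins for the demo; on a real host you would call `find_log4j_jars("/")` and then restart every JVM that had the jar open. A 1.2.x jar like the one found above has no `JndiLookup.class` to strip (the 1.x code lives under `org/apache/log4j/`), so the check reports it but leaves it alone.

```python
"""Locate bundled log4j jars and strip the JndiLookup class (Log4Shell defang).

Added example, not from the original thread. It automates the hand procedure
quoted above (find log4j*jar, then `zip -q -d ... JndiLookup.class`) using only
the standard library. The directory tree and the sample jars are constructed
here for the demo; on a real host you would call find_log4j_jars("/").
"""
import os
import re
import shutil
import tempfile
import zipfile

# Class removed by the Apache-documented mitigation for log4j 2.x.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"log4j.*\.jar$")


def find_log4j_jars(root):
    """Equivalent of `find ROOT -name 'log4j*jar'`, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if JAR_RE.search(f))
    return sorted(hits)


def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class (2.x only; 1.2.x jars never have it)."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class. Returns True if something was removed."""
    if not has_jndi_lookup(jar_path):
        return False
    tmp = jar_path + ".defang.tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue
            # Reusing the ZipInfo keeps each entry's compression and timestamp.
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap; a running JVM still needs a restart
    return True


def make_sample_jar(path, with_jndi):
    """Constructed stand-in jar for the demo; entries are dummy bytes, not real classes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build a fake app tree, scan it, defang what needs it, and report what happened."""
    root = tempfile.mkdtemp()
    try:
        lib = os.path.join(root, "opt", "someapp", "lib")   # hypothetical bundled copy
        os.makedirs(lib)
        vulnerable = os.path.join(lib, "log4j-core-2.14.1.jar")
        legacy = os.path.join(lib, "log4j-1.2.17.jar")      # 1.x: nothing to strip
        make_sample_jar(vulnerable, with_jndi=True)
        make_sample_jar(legacy, with_jndi=False)

        report = {}
        for jar in find_log4j_jars(root):
            name = os.path.basename(jar)
            before = has_jndi_lookup(jar)
            removed = strip_jndi_lookup(jar)
            report[name] = (before, removed, has_jndi_lookup(jar))
        return report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, (before, removed, after) in demo().items():
        print(f"{name}: had_jndi={before} removed={removed} still_has={after}")
```

Run it against `/` (as root, with the JVMs stopped or queued for restart) and keep the list of paths it prints: the same jars tend to reappear after vendor upgrades and re-extractions of bundled applications, so the scan is something to repeat, not a one-off.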
Re: massive facebook outage presently
On Mon, Oct 04, 2021 at 05:50:07PM -0400, b...@theworld.com wrote:
> One might think in over six hours they could point facebook.com's DNS
> somewhere else and put up a page with some info about the outage
> there, that this would be a practiced firedrill.

Perhaps, if they didn't decide to be their own registrar as well and run it all on the same network, as it seems. Maybe company divisions running different parts of infrastructure should be self-hosted 100% on their own: different AS, different networking points, etc. Or don't try to be everything top down all in the same company.
Re: Rack rails on network equipment
On Mon, Sep 27, 2021 at 03:38:15PM -0400, William Allen Simpson wrote:
> Anyway, wasn't the Open Compute Project supposed to fix all this?
> Why not just require OCP in all RFPs?

https://xkcd.com/927/
Re: Rack rails on network equipment
On Sat, Sep 25, 2021 at 12:48:38PM -0700, Andrey Khomyakov wrote:
> We operate over 1000 switches in our data centers, and hardware failures
> that require a switch swap are common enough where the speed of swap starts
> to matter to some extent. We probably swap a switch or two a month.
...

This level of failure surprises me. While I can't say I have 1000 switches, I do have hundreds of switches, and I can think of a failure of only one or two in at least 15 years of operation. They tend to be pretty reliable, and have to be swapped out for EOL more than anything.
Re: Rack rails on network equipment
On Fri, Sep 24, 2021 at 09:37:58AM -0700, Andrey Khomyakov wrote:
> We selected Dell switches in part due
> to Dell using "quick rails'' (sometimes known as speed rails or toolless
> rails).

Hmm, I haven't had any of those on any of my Dell switches, but then again, I haven't bought any in a while.

You mention hardware lock-in, but I wouldn't trust Dell not to switch out the design on their "next-gen" product, when they buy from a different OEM, as they are wont to do, changing from OEM to OEM for each new product line. At least that is their past behavior over the many years that I've been buying Dell switches for simple things. Perhaps they've changed their tune.

For me, it really doesn't take all that much time to mount cage nuts and screw a switch into a rack. It's all pretty second nature to me: look at the holes to see the pattern, snap in all my cage nuts all at once and go. If you are talking rows of racks of builds, it should be second nature?

Also, I hate 0U power, for that very reason: there's never room to move devices in and out of the rack if you do rear-mount networking.
Re: IPv6 woes - RFC
On Sun, Sep 05, 2021 at 11:07:22PM +0200, Toke Høiland-Jørgensen via NANOG wrote:
> Another solution that I've used on occasion is to do your own
> tunnelling: find a hosting provider that can provide you a VPS with a v6
> prefix and do your own tunnelling to that. This works by virtue of being
> "under the radar" of the service providers...

The content providers are also _currently_ classifying IPv4 and IPv6 blocks as cloud hosting, business access, residential access, etc. You'll have to find a VPS cloud provider that is too low under the content provider's radar to have been already classified as well.
Re: shadowserver.org
On Mon, Jun 28, 2021 at 07:42:11PM +0300, Nathaniel Ferguson wrote:
> I thought I'd add because it seems relevant and this is a pet peeve of my own,
> but with some notable exceptions-- anymore you can more or less think of a port
> scan as generally being a network diagnostic of some sort. Most of the stuff
> that says its a precursor to an attack is outdated...

I'd say my public facing servers are under constant attack of some level of utility. I.e. my honeypot email servers collect 100k+ connections a day each, that don't have any MX pointing to them; their only sin is being up and listening on port 25. They can't process a single email in or out.

My web servers have a constant barrage of accesses that aren't hitting valid URIs. Sometimes they hit on some pattern that starts forming a small DoS on them and I have to go block or auto-block them.

The white-hat scanners like Shodan or Shadowserver are a small drop in the bucket compared to the malicious scans that are constantly going on. Perhaps it is easier to find Shodan or Shadowserver as they are fairly consistent and easily identifiable, vs. the constant EC2 or other fly-by-night cloud services being abused.
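The "auto-block them" rule mentioned above, as an added example that is not part of the original post: a sliding-window count of 4xx responses per source IP over Common Log Format access-log lines, which separates a scanner walking a list of webapp paths from a normal visitor who trips one 404. The sample log lines, the threshold (5 misses) and the window (60 s) are constructed for the demo; the addresses are from the RFC 5737 documentation ranges. What you do with the flagged list (a firewall set, fail2ban action, etc.) is up to the site.

```python
"""Flag client IPs hammering a web server with invalid URIs (auto-block candidates).

Added example, not from the original post: a sliding-window count of 4xx
responses per source over Common Log Format lines. The log lines, threshold
and window are constructed for the demo; addresses are RFC 5737 documentation
ranges, not real scanners.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "request" status bytes ...
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, status) for a CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))


def block_candidates(lines, threshold=5, window=timedelta(seconds=60)):
    """IPs that produced at least `threshold` 4xx responses inside any `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 4xx hits
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # garbage lines are skipped, never fatal
        ip, ts, status = rec
        if not 400 <= status < 500:
            continue              # only misses/denials count; 200s do not
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop hits that fell out of the window
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


# Constructed sample: one scanner walking common webapp paths, one normal visitor.
SAMPLE_LOG = [
    '198.51.100.4 - - [28/Jun/2021:19:42:01 +0300] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Jun/2021:19:42:03 +0300] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.25"',
    '203.0.113.7 - - [28/Jun/2021:19:42:04 +0300] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.25"',
    '198.51.100.4 - - [28/Jun/2021:19:42:05 +0300] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Jun/2021:19:42:06 +0300] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.25"',
    '203.0.113.7 - - [28/Jun/2021:19:42:08 +0300] "GET /admin/config.php HTTP/1.1" 404 196 "-" "python-requests/2.25"',
    '203.0.113.7 - - [28/Jun/2021:19:42:09 +0300] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.25"',
    "this line is garbage and must not crash the parser",
]

if __name__ == "__main__":
    print("block candidates:", block_candidates(SAMPLE_LOG))
```

Tune the threshold against your own traffic before wiring it to a firewall: a site with a broken link farm can push legitimate clients over five 404s a minute, and counting only 4xx (not 5xx) keeps an outage on your side from getting your own users blocked.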
Re: Hulu thinks all my IP addresses are "business class", how to reach them?
On Fri, Nov 22, 2019 at 05:05:20AM +, Mike Lewinski wrote:
> Question: is anyone who is currently suffering this issue also doing 1:many
> NAT? Or running a proxy server that might cause multiple clients to all
> appear from the same IP address? I believe NAT might be the cause of one of
> our customer's complaints wrt content provider blocking.

I'm the OP. We do not do CGNAT or any sort of proxying. It is straight up one public IP per access customer, with their NAT'd DSL router taking the public IP. Nor do we offer any sort of VPN services.

Just because of our past history, all access customers are static IPs, so many of them have had the same IP for over a decade (i.e. highly unlikely that I have a bad apple hopping a dynamic pool and ruining it for all).

Furthermore, we have 3 disjoint ARIN PIR blocks. All three of them are blocked across the whole range. So, somebody at Hulu took a look at our AS, and blocked all we announce.
Re: Hulu thinks all my IP addresses are "business class", how to reach them?
On Mon, Nov 18, 2019 at 10:55:01AM -0600, Blake Hudson wrote:
> Doug, out of curiosity, what does Hulu do once they have classified your
> IP ranges as "business class"? Charge customers a different rate? Offer
> different content? Refuse service?

They won't let any of my customers connect, blocking them with a specific error number to reference by their support. When they do, Hulu is either telling them that they are using a VPN (when we don't offer any services like that), and then to whitelist them, they have to have a "residential" IP address and not the "business" IP address we are giving them, and won't go any further. Or they just say they can't connect from the "business" IP addresses.

If I knew why they considered my IP addresses "business" IP addresses, I could possibly change something? But this seems to be an arbitrary decision they changed about a week and a half ago for all my netblocks.
Hulu thinks all my IP addresses are "business class", how to reach them?
I've been offering residential and business ISP services for a long time. Hulu recently blocked my customers from accessing their service, because my ARIN IP address blocks are "business class" instead of residential.

I've tried to find a contact for them as I am not a customer; the supportrequ...@hulu.com address mentioned in NANOG previously is just an autoresponder that says open a ticket online (once you are logged into your account).

Does anybody have a contact for them with whom I can discuss what they are looking at to determine if my IP addresses are "residential" vs. "business" class?

Thanks.
Re: 10G-capable customer router recommendations?
On Fri, Apr 15, 2016 at 01:18:10PM -0700, David Sotnick wrote:
> I was recently asked to set up networking at a VIP's home where he has
> Comcast "Gigabit Pro" service, which is delivered on a 10G-SR MM port on a
> Comcast-supplied Juniper ACX-2100 router.
>
> Which customer router would you suggest for such a setup? It needs to do
> IPv4 NAT, DHCP, IPv4+IPv6 routing and have a decent L4 firewall (that also
> supports IPv6).

FortiNet 600D? 36Gbps throughput with dual SFP+ ports and several 1Gbps ports. Specs say full NGFW throughput is 2.4Gbps (i.e. you turn on all the knobs).
Re: remote serial console (IP to Serial)
On Tue, Mar 08, 2016 at 10:45:30AM -0900, Royce Williams wrote:
> On Tue, Mar 8, 2016 at 10:21 AM, Hugo Slabbert wrote:
> > I'm surprised no one's mentioned freetserv[1] yet. I haven't used them so
> > don't consider this an endorsement, but on the surface it looks to be a
> > good balance of "open / DIY" and "supportable".
..
> This is great! A mainstream, patchable OS -- not locked into a half-baked
> OS or roll-your-own-TCP-stack hell I've seen in some remote serial and
> power devices.
..

Yes, instead of a hacked together hardware board, or an appliance with firmware that never gets updated, stuck in SSH v1 days (old Cisco?).

Freetserv looks interesting, but very costly once you add up the BOM.

I'd get something like a 1U Atom server ($120 eBay) with a small SSD ($18). Run up your favorite FOSS OS, and conserver. For more than the single real serial port, you can most likely still fit a USB hub inside the case, and hang a number of USB serial dongles off it. Rackmountable, maintainable, and conserver works great.
Re: Question re session hijacking in dual stack environments w/MacOS
On Fri, Oct 02, 2015 at 03:46:40AM -0400, valdis.kletni...@vt.edu wrote:
> On Fri, 02 Oct 2015 00:46:47 -0500, Doug McIntyre said:
>
> > I suspect this is OSX implementing IPv6 Privacy Extensions. Where OSX
> > generates a new random IPv6 address, applies it to the interface, and then
> > drops the old IPv6 addresses as they stale out. Sessions in use or not.
>
> Isn't the OS supposed to wait for the last user of the old address to close
> their socket before dropping it?

In my experience, no, it doesn't. I.e. the main reason I disable it is because my ssh sessions hung after some period of time, so ssh had sockets open, but yet the IPv6 addresses kept rotating out. Disabling it definitely made the ssh sessions stable on OSX.

Apple codes to the masses. The average web browser user or mail client won't care; that is all they test against. Not people that leave ssh sessions open for days to weeks at a time.
Re: Question re session hijacking in dual stack environments w/MacOS
On Tue, Sep 29, 2015 at 09:23:59AM +0200, Mark Tinka wrote:
> On 26/Sep/15 16:34, David Hubbard wrote:
> > Has anyone run into this? Our users on other platforms don't seem to
> > have this issue; linux and MS desktops seem to just use v6 if it's
> > available and v4 if not.
>
> I have been tracking down an issue for months where SSH'ing to some
> devices (which picks IPv6 by default) from my Mac while in the office
> drops the connection, forcing me to reconnect. It's random; sometimes it
> happens a lot, sometimes, rarely, other times not at all.

I suspect this is OSX implementing IPv6 Privacy Extensions. Where OSX generates a new random IPv6 address, applies it to the interface, and then drops the old IPv6 addresses as they stale out. Sessions in use or not.

sudo sysctl -w net.inet6.ip6.use_tempaddr=0
sudo sh -c 'echo net.inet6.ip6.use_tempaddr=0 >> /etc/sysctl.conf'
Re: Any Verizon datacenter techs about?
On Thu, Jun 25, 2015 at 05:04:09PM -0500, Rafael Possamai wrote:
> > On Wed, Jun 24, 2015 at 1:46 PM, John Musbach wrote:
> > I'm a techie that recently moved to South Jersey for a tech job. To my
> > astonishment, I discovered that there appears to be a Verizon
> > datacenter near my house that has colocation:
>
> Be prepared to drop a lot of money for colocation with Verizon. Also,
> quoting process is rather long and you will have to sign a NDA most likely,
> which just makes it even more fun. For the size of your project I'd pick a
> provider that focuses on colocation for small and medium businesses and is
> easier to work with.
...

There was once a time we were going to colo in a VZ facility within the same building our primary datacenter was in (to receive favorable rates on cross-connects, etc). There was signing of NDAs, and it took the better part of half a year for build out.

Then it was announced ready to move in, and we asked the procedure to get cross-connects from outside the facility in (really the whole point of even getting colo there). Oh no, you can't have a cross-connect. Umm, the only reason we're doing this is to cross-connect to the colo. The sales people knew this from the start, and it was a key provision. But the site manager was adamant, nothing comes in or out.

I guess VZ thought the colo was ultimately to stand alone without talking to anybody. And they are a communications company. Boggle.
Re: Cisco Routers Vulnerability
On Mon, Apr 13, 2015 at 05:03:02PM -0600, Keith Medcalf wrote:
> >> It's reported by different customers in different locations so I don't
> >> think it's password compromised
>
> >Have you checked? If the routers had vty access open (ssh or telnet) and
> >the passwords were easy to guess, then it's more likely that this was a
> >password compromise. You can test this out by getting a copy of one of
> >the configs and decrypting the access password. Or by asking your customers
> >whether their passwords were dictionary or simple words.
>
> or if mayhaps the passwords were listed on the list of passwords discussed a
> few days ago:
...

For some reason this brings up the following memory of long ago. Had several people notify us in a short period that they had all been watching hackers try the "default cisco password" on several of our downstream customers' gear. Piqued my interest when it got to me: umm, what default cisco password?

Oh, the hackers were so successful getting in to tons of places that the researchers were watching the hackers connect to everywhere in addition to my downstreams with cisco/cisco that they had assumed it was the default. (Of course, this was long before Cisco shipped some piece of gear that actually did have default passwords (don't remember any longer what first started that).)
Re: iOS 7 update traffic
On Thu, Sep 19, 2013 at 02:42:12PM -0400, Joe Abley wrote:
> Given that the code is signed, I'm surprised that iDevices that have already
> upgraded the hard way don't advertise a "update available" service on local
> networks. Individual devices don't care where the updates come from, so long
> as the signatures are good.

Going the other way, Apple will have local update caching as part of MDM for iOS 7 when it is fully upgraded and rolled out to support iOS for enterprises. But the big push with BYOD is that employees manage their own iDevices..
Re: Netsol AAAA glue
On Fri, Jul 13, 2012 at 08:52:27AM -0400, Jared Mauch wrote:
> On Jul 13, 2012, at 8:43 AM, Brandon Applegate wrote:
>
> > So I sent an email over a week ago to ipv6...@networksolutions.com - and
> > since I've only received the auto reply.
...
> As long as you're not 1 year into a 10 year renewal, you may want to consider
> just moving your domains to another registrar such as opensrs. Drawback of
> using OpenSRS is they don't do DS records for dnssec, if that's a requirement
> as well, I believe Dyn has a good service for this (or so I read in the
> OpenSRS forums).

Not sure why you'd be worried about a 10-year renewal; any registrar transfer just adds on time to the existing expiration, you don't lose anything.

OpenSRS does (now) have online IPv6 glue-record editing. They can insert DS records by hand if you email their support department (assuming you are the reseller and you have access to their support department; otherwise you have to work through your reseller). Still, not as nice as online access, but it is workable.
Re: VLAN Troubles
On Tue, Mar 06, 2012 at 09:32:33PM +, Jonathon Exley wrote:
> If it's still not working, try capturing traffic from the Dell switches with
> Wireshark and then send traffic from the Cisco switch and also capture that.
> Compare the frames and check that the salient parts line up - e.g. Ethertype.

He already posted his response of getting it working. But in general, Dell switches interop just fine with Cisco and Juniper switches for VLAN trunking.

The CLI on the Dell switches is a royal PIA to use. Tries to be Cisco IOS, but not quite. Different enough to make you swear at it. And if you want to do something like set up many VLANs trunked to different port groups and single ports, your config will be 1000's of lines long (depending on which switch you have, since each of the different revs of each family seems to be made by a different OEM, or some new code base from a few OEMs).
Re: AS209/CenturyLink NOC email?
On Tue, Mar 06, 2012 at 02:54:24PM -0500, Jason Lixfeld wrote:
> Anyone from AS209/CenturyLink around to troubleshoot some routing weirdness?
> If not, anyone have a NOC email address for them? Google-fu and RADB
> searches came up empty.

Qwest/CenturyLink doesn't do email. As a customer, you have to call them or use their borked ticket system. As a non-customer, you probably have to call them.

http://puck.nether.net/netops/nocs.cgi

You can try the email listed there, but I seriously doubt it'll go through or ever get read.
Re: not excactly on-topic Server Cabinet question
On Wed, Feb 01, 2012 at 11:05:09PM -0600, Erik Amundson wrote:
> I apologize for this being off-topic in the NANOG list, but I'm hoping some
> of you have experience with the particulars of what I'm looking for...
>
> I am looking for a server cabinet which has an electric latching mechanism on
> it. I want to use my existing security system and proximity card reader, but
> have a cabinet door that would open when the card reader is read.
>
> Does anyone sell anything like this?

Chatsworth has a solution:
http://www.chatsworth.com/Products/Environmental-Monitoring-and-Security/Electronic-Locking-Systems/
Re: AW: Aqua Conduit for 10G multi-mode?
On Tue, Aug 30, 2011 at 03:11:03AM -0700, Michael J McCafferty wrote:
> I want the conduit/innerduct corrugated tubing to be aqua for my aqua
> fibers. There is orange conduit and innerduct corrugated tubing for
> orange fibers, and yellow for yellow fiber.

Carlon has HDPE innerduct in any color you want, including (lightish) blue. Not split, and not very flexible though, not like the split loom stuff.
Re: Subnet Size for BGP peers.
On Thu, Jul 30, 2009 at 12:22:27AM -0400, Barton F Bruce wrote:
> So what is wrong with a /31? We use /30s but if you are short on IP space,
> look at using /31 rather than /30 links. Cuts your space usage in half.

/31's are only defined for point-to-point links. Ethernet isn't considered PtP in general. Many devices won't accept a /31 on anything but a PtP WAN media type link (or not at all).
Re: Cisco vs Adtran vs Juniper
On Fri, Jul 18, 2008 at 11:55:44AM -0400, Paul Stewart wrote:
> Still wondering if anyone knows how the Cisco lifetime warranty really
> works...?

You call up TAC, tell them you have a problem with your Catalyst. Since the huge gray-market problem with Cisco gear, they'll probably want proof that you are the original owner, so you'll most likely need to dig up invoices showing you bought from an authorized Cisco dealer/distributor. If they are happy with your documentation, you get support.

If it's a security problem with the software version, they'll give you a link to download a fixed version. If you have bad hardware, you'll get it cross-shipped next-business-day.

You still need Smartnet to get any version upgrade, or faster shipping than NBD.