Re: remote serial console (IP to Serial)
Thanks to all who responded to me, quite the flood of suggestions and options. Found a lot of 20 Digi CM32's on eBay for 35 dollars each, overkill but can't beat the price; going to look into those to make sure they are still able to get OS updates. There will be no firewall in front of this device so it should have one itself. I like the Raspberry Pi idea... Would ensure perpetual security updates with the OS running on it, whereas I'm sure some of the vendors of commercial console products EOL support at some point. The fact it runs Linux is inviting as we can add it to our monitoring systems.

have a great day,
greg

On Tue, Mar 8, 2016 at 10:33 AM, Christopher Morrow wrote:
> for singular serial .. there are many, do you want something that's
> "appliance" or are you willing to deploy 18 raspberry-pi-like
> thingies?
>
> On Tue, Mar 8, 2016 at 10:30 AM, greg whynott wrote:
> > Recently I have taken over the responsibility of managing about 18 remote
> > routers and firewalls. None of these have a console port for 'out of
> > band' access accessible today.
> >
> > Most sites have available IPs between the ISP and us (typically a /29) or a
> > backup DSL connection available for use. I'd like to purchase an IP to
> > Serial port device I can use for each location in the event I lock myself
> > out. The requirement would be an Ethernet port, a serial port, and SSH.
> >
> > Anyone have any recommendations on something like this?
> >
> > thanks much,
> > greg
remote serial console (IP to Serial)
Recently I have taken over the responsibility of managing about 18 remote routers and firewalls. None of these have a console port for 'out of band' access accessible today.

Most sites have available IPs between the ISP and us (typically a /29) or a backup DSL connection available for use. I'd like to purchase an IP to Serial port device I can use for each location in the event I lock myself out. The requirement would be an Ethernet port, a serial port, and SSH.

Anyone have any recommendations on something like this?

thanks much,
greg
Re: RBL resource to check entire netblock
Team NANOG,

I will summarize once I get to looking at things. This isn't an immediate need but with that said I expect to start on it next week. I may not evaluate all of them but what I do try I will share.

My next challenge is finding a router that will forward on 4 x 1 gig interfaces (2 inside 2 outside) for less than 30k...

-greg

On Wed, Feb 17, 2016 at 1:32 PM, Roberto Alvarado wrote:
> You can try this script:
>
> https://github.com/DjinnS/check-rbl
>
> -i,--ip The IP or subnet to check
>
> I’m using it to check my subnets
>
> Roberto
>
> > On Feb 17, 2016, at 15:25, Bernd Spiess wrote:
> >
> >> I find many sites where you can enter 1 IP to
> >> do a check but they don't seem to accept subnets to check.
> >
> > Maybe this is a help?
> > https://www.senderbase.org/
> >
> > Bernd
Re: RBL resource to check entire netblock
Thank you everyone for the responses, I now have about 10 options to look at due to the many replies.

greg

On Wed, Feb 17, 2016 at 1:25 PM, Bernd Spiess wrote:
> > I find many sites where you can enter 1 IP to
> > do a check but they don't seem to accept subnets to check.
>
> Maybe this is a help?
> https://www.senderbase.org/
>
> Bernd
RBL resource to check entire netblock
Hello,

I am wanting to purchase a /22 from one of the online auction sites (Hilco). Before we move ahead with it I wanted to check the history of IPs within the allocation. I find many sites where you can enter 1 IP to do a check but they don't seem to accept subnets to check.

Are you aware of any services which could tell us if a /22 is clean or not? my google foo is weak.

thank you,
greg
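An added example, not code from this thread or from the check-rbl script mentioned in the replies: it walks every host address in a /22 and looks each one up in DNS-based blocklists, interpreting the 127.0.0.x reason code and treating the query-error answers separately from real listings. The zone names are assumptions, and the resolver is injected so the sample at the bottom runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Assumed zone names; use only lists whose terms permit bulk queries from your resolver.
DEFAULT_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# A DNSBL answers a listed name with an A record in 127.0.0.0/8; the low octets
# encode the reason. Spamhaus additionally uses 127.255.255.0/24 to signal query
# errors (open resolver, rate limit), which must not be read as a listing.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")

Resolver = Callable[[str], Optional[str]]


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, then the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listing(answer: Optional[str]) -> bool:
    """True only for a well-formed 'listed' answer, not for errors or garbage."""
    if not answer:
        return False
    try:
        addr = ipaddress.IPv4Address(answer)
    except ValueError:
        return False
    return addr in LISTED_RANGE and addr not in ERROR_RANGE


def live_resolver(name: str) -> Optional[str]:
    """Network resolver: the A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_netblock(cidr: str, zones: List[str], resolve: Resolver) -> Dict[str, Dict[str, str]]:
    """Return {ip: {zone: reason_code}} for every listed host address in the block."""
    hits: Dict[str, Dict[str, str]] = {}
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        ip = str(host)
        for zone in zones:
            answer = resolve(rbl_query_name(ip, zone))
            if is_listing(answer):
                hits.setdefault(ip, {})[zone] = answer
    return hits


def listed_fraction(cidr: str, hits: Dict[str, Dict[str, str]]) -> float:
    """Share of host addresses in the block that carry at least one listing."""
    total = sum(1 for _ in ipaddress.ip_network(cidr, strict=False).hosts())
    return len(hits) / total if total else 0.0


def make_fake_resolver(table: Dict[str, str]) -> Resolver:
    """Constructed offline resolver: maps query names to canned answers."""
    return lambda name: table.get(name)


if __name__ == "__main__":
    # Constructed sample for a /22: two listed hosts and one query-error answer.
    fake = make_fake_resolver({
        "5.100.51.198.zen.spamhaus.org": "127.0.0.2",
        "40.102.51.198.bl.spamcop.net": "127.0.0.2",
        "7.100.51.198.zen.spamhaus.org": "127.255.255.254",  # error, not a listing
    })
    found = check_netblock("198.51.100.0/22", DEFAULT_ZONES, fake)
    for ip in sorted(found, key=ipaddress.IPv4Address):
        print(ip, found[ip])
    print(f"{listed_fraction('198.51.100.0/22', found):.2%} of hosts listed")
    # For a real check, pass live_resolver instead of fake.
```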
Re: 59.229.189.0/24
oh my, how embarrassing is that... 15 years doing networking too... It was a typo this whole time as indicated by Jeroen and I didn't even catch it.. will 'it's Monday' work as an excuse? ;) 58 instead of 59. I was pulling my hair out on this one; the network drawing I was referencing has the wrong IP and it's been like that for months. I sent support those traceroutes and they didn't even catch that. I mention this only to make myself feel a wee bit better.. so sorry for wasting your time, but thanks very much for it everyone.

-g

On Mon, Mar 24, 2014 at 5:26 PM, Paul Ferguson wrote:
> On 3/24/2014 2:13 PM, Paul Ferguson wrote:
>
> > On 3/24/2014 1:53 PM, Christopher Morrow wrote:
> >
> >> On Mon, Mar 24, 2014 at 4:49 PM, greg whynott wrote:
> >>> 59.229.189.0
> >
> >> $ whois -h whois.cymru.com 59.229.189.0
> >> AS | IP           | AS Name
> >> NA | 59.229.189.0 | NA
> >
> >> cymru seems to think there's no route for that network. my
> >> network agrees.
> >
> > **
> >
> > Oregon Exchange BGP Route Viewer
> > route-views.oregon-ix.net / route-views.routeviews.org
> >
> > route views data is archived on http://archive.routeviews.org
> >
> > This hardware is part of a grant from Cisco Systems. Please contact
> > h...@routeviews.org if you have questions or comments about this
> > service, its use, or if you might be able to contribute your view.
> >
> > This router has views of the full routing tables from several
> > ASes. The list of ASes is documented under "Current Participants"
> > on http://www.routeviews.org/.
> >
> > **
> >
> > route-views.routeviews.org is now using AAA for logins. Login
> > with username "rviews". See http://routeviews.org/aaa.html
> >
> > **
> >
> > route-views>sho ip bgp 59.229.189.0
> > % Network not in table
> > route-views>
> >
> > Derp.
>
> Hello, this is Quagga (version 0.99.21).
> Copyright 1996-2005 Kunihiro Ishiguro, et al.
>
> route-views2.routeviews.org> sho ip bgp 59.229.189.0/24
> % Network not in table
> route-views2.routeviews.org>
> route-views2.routeviews.org>
>
> - ferg
>
> --
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2
59.229.189.0/24
Hello,

Up until today we have been able to reach hosts in the 59.229.189.0/24 network via AS174, Cogent, in Toronto. Now we can not; our packets stop at 38.112.36.101. The support team at Cogent informed me that network isn't in the internet routing table. I attempted to do an AS lookup on it and sure enough it is not. Using looking glass routers in Korea indicates the same.

Yet it is still reachable from other networks, I can use 'Team Viewer' and WebEx to connect to hosts at the remote office which sits within that /24. When on the remote site, I can do traceroutes back to our office in Toronto. This part is a bit confusing to me, from Toronto I get a 'no route to host'. So packets arriving from Korea to our network shouldn't be able to find a route back, even if it's taking a different path.

any guess why this network may not be advertising its routes or what is going on here?

thanks in advance,
greg

This is the network route from Toronto to Korea:

 Host               Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.101.2.1       0.0%     6    1.5  15.1   1.5  83.3  33.4
 2. 10.101.111.11    0.0%     6    0.2   0.2   0.2   0.2   0.0
 3. 10.101.101.101   0.0%     6    0.7   0.8   0.7   0.8   0.0
 4. 38.122.184.161   0.0%     6                               <-- ISP ROUTER
 5. 38.20.50.130     0.0%     6    1.9   2.0   1.9   2.1   0.0
 6. 38.112.36.101   89.0%     5    1.6   1.7   1.6   1.7   0.0

This is the route from Korea to Toronto, done at the same time as the above.

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     1 ms    <1 ms    <1 ms  58.229.189.1
  3     1 ms     1 ms     1 ms  10.254.241.205
  4     1 ms     1 ms     1 ms  58.229.66.9
  5     2 ms     1 ms     1 ms  58.229.66.105
  6     7 ms     5 ms     3 ms  58.229.119.149
  7     2 ms     2 ms     2 ms  118.221.7.34
  8   144 ms   144 ms   144 ms  58.229.92.254
  9   276 ms   208 ms   192 ms  te-8-2.car1.SanJose2.Level3.net [4.59.0.161]
 10   204 ms   162 ms   162 ms  ae-2-70.edge1.SanJose3.Level3.net [4.69.152.80]
 11   165 ms   165 ms   165 ms  Cogent-level3-4x10G.SanJose.Level3.net [4.68.110.138]
 12   156 ms   156 ms   156 ms  be2000.ccr21.sjc01.atlas.cogentco.com [154.54.6.105]
 13   166 ms   165 ms   165 ms  be2164.ccr21.sfo01.atlas.cogentco.com [154.54.28.33]
 14   187 ms   187 ms   187 ms  be2256.mpd21.mci01.atlas.cogentco.com [154.54.6.90]
 15   206 ms   206 ms   206 ms  be2158.mpd21.ord01.atlas.cogentco.com [154.54.7.130]
 16   216 ms   216 ms   216 ms  be2081.ccr21.yyz02.atlas.cogentco.com [154.54.42.10]
 17   221 ms   221 ms   221 ms  te3-8.ccr02.yyz01.atlas.cogentco.com [154.54.5.85]
 18   231 ms   230 ms   230 ms  te4-1.mag03.yyz01.atlas.cogentco.com [154.54.86.82]
 19   214 ms   215 ms   214 ms  38.122.184.162   <-- OUR ROUTER
Re: NFSen plugin - ddd
now both SGI and Apple will sue them! sad how Apple can get a patent on curved corners... it has a nice Tezro look to it. wrong color tho.

On Mon, Aug 6, 2012 at 10:40 PM, Andrew Jones wrote:
> I did manage to get my hands on it this morning (thanks Brandon!).
> I've put it up for anyone who's interested [1], I had a couple of people
> ask for a copy if I found it.
> I haven't had a chance to look through the plugin yet, so take no
> responsibility for it.
> Cheers,
> Jonesy
>
> [1] http://www.haqthegibson.com/files/ddd.zip
>
>
> On Sun, 5 Aug 2012 19:08:56 -0400, Jason Hellenthal wrote:
> > Don't know if you ever received a reply for this but this is the best I
> > have come up with to get more eyes on it.
> >
> > http://sourceforge.net/apps/trac/nfsen-plugins/wiki/RequestPlugin
> >
> > I have not submitted a request for it but if you happen to come across
> > this plugin, I would be interested.
> >
> > On Fri, Aug 03, 2012 at 01:55:21PM +1000, Andrew Jones wrote:
> >> Hi All,
> >> Does anyone have a copy of the DDoS detection plugin for NFSen called ddd
> >> that they could send to me?
> >> According to a blog article [1] I read, it used to be available at [2].
> >> It's not there, and I haven't had any luck trying to track it down the
> >> usual ways. If anyone is able to provide a copy, I'd appreciate it.
> >> Thanks,
> >> Jonesy
> >>
> >> [1] http://www.ccieflyer.com/2010-01-JasonRowley.php
> >> [2] http://www.synacknetworks.com/ddd/ddd.zip
Re: Advisory — D-root is changing its IPv4 address on the 3rd of January.
and ones who don't read posts before responding.

On Mon, Dec 17, 2012 at 8:14 AM, Randy Bush wrote:
> > Actually, I have an excellent memory also. The one thing I do NOT
> > remember is this much Sturm und Drang over any of the past changes.
>
> increase in number of people who can't resist telling others what they
> should do
>
> randy
Re: Routing study
On May 12, 2011, at 12:38 PM, Stefan Bethke wrote:
> On 12.05.2011 at 18:02, Greg Whynott wrote:
> >> helps to read before you jump!
>
> I think he might be referring to the fact that the prefix supposedly used to
> conduct the test is his, not Georgia Tech's.
>
> --
> Stefan Bethke   Fon +49 151 14070811

perhaps. I should have refrained and not said anything since it added nothing. sorry bmanning.

-g

Gregory Whynott
Networks and Storage
Ontario Institute for Cancer Research
MaRS Centre, South Tower
101 College Street, Suite 800
Toronto, Ontario, Canada M5G 0A3
647-294-2813 | www.oicr.on.ca

--
This message and any attachments may contain confidential and/or privileged information for the sole use of the intended recipient. Any review or distribution by anyone other than the person for whom it was originally intended is strictly prohibited. If you have received this message in error, please contact the sender and delete all copies. Opinions, conclusions or other information contained in this message may not be that of the organization.
Re: Routing study
On May 12, 2011, at 6:30 AM, wrote:
> er…
> d I would appreciate it if they
> would at least notify me ahead of time if they want to futz around
> with prefixes that are not registered to them.

er…. isn't that exactly what they just did, notified you ahead of time? the test starts on the 18th.

helps to read before you jump!

-g
FTP is 40 years old today.
Sorry, it's not operationally related but probably of interest to a few. I can't believe it's been that long, time flies. RFC 114!

http://www.bit-tech.net/news/hardware/2011/04/15/ftp-is-40-years-old/
Re: Switch with 10 Gig and GRE support in hardware.
Extreme 650, but not sure of the GRE in hardware req. These are awesome switches, BGP support, VSS-like clustering, and many other nice features.

G

- Original Message -
From: Łukasz Bromirski [mailto:luk...@bromirski.net]
Sent: Sunday, February 20, 2011 10:04 AM
To: nanog@nanog.org
Subject: Re: Switch with 10 Gig and GRE support in hardware.

On 2011-02-18 15:37, Jeffrey Lyon wrote:
>> I am looking for a switch with a minimum of 12 X 10GE ports on it,
>> that has routing protocol support and can do GRE in hardware.
> Yes, Juniper EX4500.

Interesting:

http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/general/ex-series-l3-protocols-not-supported.html

--
"There's no sense in being precise when | Łukasz Bromirski
 you don't know what you're talking     | jid:lbromir...@jabber.org
 about."          John von Neumann      | http://lukasz.bromirski.net
Re: Auto ACL blocker
send/expect?

On Jan 18, 2011, at 2:12 PM, Brian R. Watters wrote:
> We are looking for the following solution.
>
> Honey pot that collects attacks against SSH/FTP and so on
>
> Said attacks are then sent to a master ACL on an edge Cisco router to block
> all traffic from these offenders ..
>
> Of course we would require a master whitelist as well so as to not be blocked
> from our own networks.
>
> Any current solutions or ideas ??
>
> --
>
> BRW
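The honeypot-to-ACL pipeline Brian describes, with the master whitelist as the guard, as an added example that is nobody's code from this thread: it tallies honeypot events per source, drops anything inside the operator's own prefixes before it can ever be denied, and renders the complete IOS extended ACL that a send/expect push script would then deliver to the edge router. The log line format, threshold, whitelist prefixes and ACL name are assumptions.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable, List

# Assumed honeypot line format: "<timestamp> <service> <source_ip> <event>"
LINE_RE = re.compile(
    r"^\S+\s+(?P<service>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<event>\S+)"
)
BLOCK_EVENTS = {"login_failed", "bruteforce"}

# Assumed operator prefixes that must never be denied, whatever the honeypot sees.
WHITELIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.250/32")]
THRESHOLD = 5  # assumed: hits per source before it is blocked


def count_offenders(lines: Iterable[str]) -> Counter:
    """Tally block-worthy events per source address; unparsable lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("event") in BLOCK_EVENTS:
            counts[m.group("ip")] += 1
    return counts


def is_whitelisted(ip: str) -> bool:
    """True when the address falls inside any operator prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def select_blocks(counts: Counter, threshold: int = THRESHOLD) -> List[str]:
    """Sources at or over the threshold, minus whitelisted ones, sorted numerically."""
    chosen = [ip for ip, n in counts.items() if n >= threshold and not is_whitelisted(ip)]
    return sorted(chosen, key=ipaddress.ip_address)


def render_acl(blocks: List[str], name: str = "HONEYPOT-BLOCK") -> str:
    """Emit a complete IOS extended ACL body.

    Whitelist permits come first so they win even if a whitelisted address
    somehow reaches the deny list; denies follow; the closing permit keeps all
    other traffic flowing. The push script should build each new version under
    a fresh name and re-point the interface, because an interface whose ACL
    has been deleted but not yet rebuilt permits everything in the meantime.
    """
    out = [f"ip access-list extended {name}"]
    for net in WHITELIST:
        out.append(f" permit ip {net.network_address} {net.hostmask} any")
    for ip in blocks:
        out.append(f" deny ip host {ip} any log")
    out.append(" permit ip any any")
    return "\n".join(out)


def sample_log() -> List[str]:
    """Constructed honeypot lines, not real data."""
    lines = [f"2011-01-18T14:00:{i:02d} ssh 198.51.100.7 login_failed" for i in range(6)]
    lines += [f"2011-01-18T14:01:{i:02d} ftp 203.0.113.9 login_failed" for i in range(6)]  # whitelisted
    lines += [f"2011-01-18T14:02:{i:02d} ssh 192.0.2.44 login_failed" for i in range(2)]   # under threshold
    lines += ["2011-01-18T14:03:00 ssh 192.0.2.99 login_ok", "garbage line"]
    lines += [f"2011-01-18T14:04:{i:02d} ssh 192.0.2.99 bruteforce" for i in range(5)]
    return lines


if __name__ == "__main__":
    print(render_acl(select_blocks(count_offenders(sample_log()))))
```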
Re: BGP route-map options
haha… yeah that is not a copy and paste but rather me just typing that out. the proper spelling in the config is being used, or the American spelling… English is the worst language…

thanks again,
greg

On Jan 14, 2011, at 12:52 PM, Thomas Magill wrote:
> Wait...
>
> Does the router even accept 'neighbour' instead of 'neighbor'?
>
>
> -----Original Message-----
> From: Greg Whynott [mailto:greg.whyn...@oicr.on.ca]
> Sent: Friday, January 14, 2011 9:00 AM
> To: nanog@nanog.org list
> Subject: BGP route-map options
>
> Following a few documents on how to use route-maps to set preference of
> routes (related to my last thread regarding asymmetrical routing) all the
> ones I have looked at today (about 6 or so) use the below method to apply the
> route map under the router section:
>
> router bgp YOURAS#
>  neighbour x.x.x.x remote-as AS#
>  neighbour x.x.x.x route-map MAPNAME in
>
> yet in the last line, "route-map" is not an option on my router, which is
> an ASR1004 running the version 15 line of code.
>
> is there a new way to do this?
>
> don't you love Cisco's consistency?
>
> thanks much for your time again,
> greg
Re: BGP route-map options
thanks Thomas,

I opened a ticket with Cisco and am pestering other lists so I'm not bothering anyone with my operational issues. it does accept it under address-family, and doing a show bgp indicates something is going on:

ASR1004#show bgp | inc \ \ 150\ 
 *> 132.248.13.0/24  205.211.94.145           150      0 549 26677 6509 18592 278 i

but the selected path is still going out via the other provider, not 549. if you're interested I'll let you know the outcome.

thanks for taking the time to respond,
greg

On Jan 14, 2011, at 12:51 PM, Thomas Magill wrote:
> Try doing it under the 'address-family ipv4'?
>
> I've never seen any version of IOS not take it.
>
> -----Original Message-----
> From: Greg Whynott [mailto:greg.whyn...@oicr.on.ca]
> Sent: Friday, January 14, 2011 9:00 AM
> To: nanog@nanog.org list
> Subject: BGP route-map options
>
> Following a few documents on how to use route-maps to set preference of
> routes (related to my last thread regarding asymmetrical routing) all the
> ones I have looked at today (about 6 or so) use the below method to apply the
> route map under the router section:
>
> router bgp YOURAS#
>  neighbour x.x.x.x remote-as AS#
>  neighbour x.x.x.x route-map MAPNAME in
>
> yet in the last line, "route-map" is not an option on my router, which is
> an ASR1004 running the version 15 line of code.
>
> is there a new way to do this?
>
> don't you love Cisco's consistency?
>
> thanks much for your time again,
> greg
BGP route-map options
Following a few documents on how to use route-maps to set preference of routes (related to my last thread regarding asymmetrical routing) all the ones I have looked at today (about 6 or so) use the below method to apply the route map under the router section:

router bgp YOURAS#
 neighbour x.x.x.x remote-as AS#
 neighbour x.x.x.x route-map MAPNAME in

yet in the last line, "route-map" is not an option on my router, which is an ASR1004 running the version 15 line of code.

is there a new way to do this?

don't you love Cisco's consistency?

thanks much for your time again,
greg
Re: Is Cisco equipment de facto for you?
at one shop where I considered using Juniper instead of a Cisco internet edge router, the cost of the Juniper was so close to the Cisco it was a non-consideration. The only reason we went with Cisco that time was due to the fact most of the other gear was Cisco, and it seemed to make more sense to stay with Cisco instead of introducing a new vendor/methods into the mix without good reason. The hardware alone was cheaper than the Cisco kit, but after we said we needed to hold a million BGP routes, the prices became very similar. Juniper wants to license you on the amount of routes you intend to receive, if I remember correctly.

-g

On Jan 13, 2011, at 2:40 PM, Chris Adams wrote:
> Once upon a time, Michael Ruiz said:
>> I like Cisco personally and they are cheaper than
>> buying a Juniper. For example a M-series is always going to cost some
>> bucks after you factor the FPC and the PICS that need to be loaded.
>
> We didn't find that to be the case, after you factor in all the Cisco
> pieces that need to be loaded as well. Both make modular routers, so I
> don't see how saying that one requires modules is a valid argument.
>
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
Re: Cisco Sanitization
my bad list, I'll stay on topic in the future and ensure I keep personal messages out of here and your inbox. bad bad greg… interesting how brain dead and disrespectful I am till sufficiently caffeinated.

On Jan 12, 2011, at 11:19 AM, Lynda wrote:
> On 1/12/2011 8:04 AM, Greg Whynott wrote:
>
>> list, sorry for this but this is getting a little annoying. I've
>> tried sending Randy email without luck.. think I'm black listed by
>> his kit, so if someone would kindly forward this to him…
>
> Well, here it is. Perhaps you might consider getting a gmail or other
> account, and posting on NANOG from there. Either that, or filter Randy
> out. Personally, I find those silly disclaimers annoying, but am far too
> lazy to set up a script such as Randy has.
>
> You don't want to be annoyed? Lose the disclaimer, use a different email
> address, or filter Randy out. This is NOT the first time you've
> complained about this (although we know, for sure, that Randy is going
> to send this off, automagically, to anyone that has the silly disclaimer
> thing going for them). Get over it. Please don't post on this again.
> Thanks in advance.
>
> --
> Amor fati. Vale. (Seneca)
Re: Cisco Sanitization
list, sorry for this but this is getting a little annoying. I've tried sending Randy email without luck.. think I'm black listed by his kit, so if someone would kindly forward this to him…

Randy,

I'm not trying to be difficult or annoy you. Please stop sending me this email which is considered spam by most. 30 messages with the same unsolicited content is spam. I understand you do not like a signature which 'seems' to contain legal jargon. I understand you know everything about my environment and the policies of my company which I do not define. I understand you would like me to use gmail and violate my company policy.

I don't expect _anything_ from you, but I would appreciate it if you could take some of your apparent talent and put some logic into your procmail recipe or whatever it is you use to generate this message. avoid responding with this spam message every time I post to a list you happen to be on. The email was not directed to you directly. should take someone with your skill set very little effort.

thank you.

greg

On Jan 12, 2011, at 10:50 AM, Randy Bush wrote:
> you have sent a message to me which seems to contain a legal
> warning on who can read it, or how it may be distributed, or
> whether it may be archived, etc.
>
> i do not accept such email. my mail user agent detected a legal
> notice when i was opening your mail, and automatically deleted it.
> so do not expect further response.
>
> yes, i know your mail environment automatically added the legal
> notice. well, my mail environment automatically detected it,
> deleted it, and sent this message to you. so don't expect a lot
> of sympathy.
>
> and if you choose to work for some enterprise clueless enough to
> think that they can force this silliness on the world, use gmail,
> hotmail, ...
>
> randy

--
This message and any attachments may contain confidential and/or privileged information for the sole use of the intended recipient. Any review or distribution by anyone other than the person for whom it was originally intended is strictly prohibited. If you have received this message in error, please contact the sender and delete all copies. Opinions, conclusions or other information contained in this message may not be that of the organization.
Fw: Cisco Sanitization
- Original Message -
From: Greg Whynott
Sent: Wednesday, January 12, 2011 09:46 AM
To: 'timothy.gr...@mantech.com'
Subject: Re: Cisco Sanitization

Replace the flash cards. If you are really concerned about information being disclosed, formatting/deleting files will not destroy the data and it probably can be recovered. Or take the flash cards and scrub them from a PC.

G

- Original Message -
From: Green, Timothy [mailto:timothy.gr...@mantech.com]
Sent: Wednesday, January 12, 2011 09:41 AM
To: nanog@nanog.org
Subject: Cisco Sanitization

Hey all!

I'm currently creating a sanitization guide for all my hardware. When I got to my Cisco devices I noticed there are numerous ways to reset them back to the default and clear the NVRAM. Does anyone have a guide that includes sanitization information for all Cisco devices (at least switches, routers, IDS's, and ASA 5500 Series) so I don't have to recreate the wheel?

Thanks,
Tim
Re: Is Cisco equipment de facto for you?
just to play devil's advocate.. PVST is Cisco proprietary. I'd rather see vendors default to an open standard as opposed to something which is closed. the lowest common denominator… in my eyes the document tells you how to make a Cisco and HP switch work together, not convert.

numbers alone do not denote intelligence, if so cockroaches would rule the world. 8)

-g

On Jan 10, 2011, at 5:32 PM, Jeff Kell wrote:
> On 1/10/2011 3:20 PM, Greg Whynott wrote:
>> HP probably was the most helpful vendor I've dealt with in relation to
>> solving/providing inter vendor interoperability solutions. they have PDF
>> booklets on many things we would run into during work. for example,
>> setting up STP between Cisco and HP gear, (
>> http://cdn.procurve.com/training/Manuals/ProCurve-and-Cisco-STP-Interoperability.pdf
>> ).
>
> Well, technically, the HP reference tells you how to convert your Cisco
> default PVST over to MST to match the HP preference.
>
> The handful of HP switches versus the stacks and stacks of production
> Cisco requiring conversion to suit them was "intimidating" to say the
> least :-)
>
> Foundry/Brocade on the other hand do PVST (so they say, I haven't given
> it a thorough lab test).
>
> Jeff
Re: Is Cisco equipment de facto for you?
for vendors who we were not getting the goods from, I've found calling your sales rep much more efficient than anything you can say/ask/beg/threaten the tech on the phone. Sales guys have the inside numbers to call, the clout to get things moving as they generate revenue for said vendor. his pay comes from you, you pay him, he works for 2.

-g

On Jan 10, 2011, at 4:14 PM, Thomas Donnelly wrote:
>
> On Mon, 10 Jan 2011 14:39:19 -0600, Brandon Kim wrote:
>
>> to which they would try and play the "well most people don't mix gear"..
>>
>> ha! Funny if you responded with, "Oh really? Thanks I didn't know that,
>> I guess I'll get all HP...who do I talk to, to return this Cisco router?"
>
> I've threatened that one against Juniper and minutes later I had an
> engineer on the phone. At 3:30am. Funny how once you mention buying
> another vendor they raise an eyebrow.
>
>>> From: greg.whyn...@oicr.on.ca
>>> To: brandon@brandontek.com
>>> CC: khomyakov.and...@gmail.com; nanog@nanog.org
>>> Date: Mon, 10 Jan 2011 15:20:06 -0500
>>> Subject: Re: Is Cisco equipment de facto for you?
>>>
>>> just a side note, HP probably was the most helpful vendor I've dealt
>>> with in relation to solving/providing inter vendor interoperability
>>> solutions. they have PDF booklets on many things we would run into
>>> during work. for example, setting up STP between Cisco and HP gear,
>>> (
>>> http://cdn.procurve.com/training/Manuals/ProCurve-and-Cisco-STP-Interoperability.pdf
>>> ).
>>>
>>> At the time the other vendor in this case (Cisco) flat out refused to
>>> help us. this was a few years back tho, things may have changed. I'd
>>> ask support "you are not telling me I'm the _only_ customer trying to
>>> do this" … to which they would try and play the "well most people
>>> don't mix gear"..
>>>
>>> HP's example should be the yard stick in the field.
>>>
>>> -g
>>>
>>> On Jan 10, 2011, at 3:04 PM, Brandon Kim wrote:
>>>
>>>> To your point Andrey,
>>>>
>>>> It probably works both ways too. I'm sure HP would love to finger
>>>> point as well. I remember reading for my CCNP one
>>>> of the thought processes behind getting all Cisco is the very reason
>>>> you pointed out, get all Cisco!
>>>>
>>>> How convenient though for Cisco to do that, I wonder if they are
>>>> being sincere (sarcasm).
>>>>
>>>> Wouldn't it be a perfect world for Cisco to just have everyone buy their
>>>> stuff...I think it's a cop out though and you really should
>>>> try to support your product as best you can if it is connected to
>>>> another vendor.
>>>>
>>>> I'm sad to hear that TACACS took that route. I hope they at least
>>>> tried their hardest to support you.
>>>>
>>>>> From: khomyakov.and...@gmail.com
>>>>> Date: Mon, 10 Jan 2011 14:35:36 -0500
>>>>> Subject: Re: Is Cisco equipment de facto for you?
>>>>> To: nanog@nanog.org
>>>>>
>>>>> There have been awfully too many times when Cisco TAC would just say that
>>>>> since the problem you are trying to troubleshoot is between Cisco and
>>>>> VendorX, we can't help you. You should have bought Cisco for both sides.
>>>>> I had that happen when I was troubleshooting LLDP between 3750s and Avaya
>>>>> phones, TACACS between Cisco and tac_plus daemon, link bundling between
>>>>> juniper EX and Cisco, some obscure switching issues between CAT and
>>>>> Procurves and other examples like that, just don't recall them anymore.
>>>>>
>>>>> Every time I'm reminded that if you have a lot of Cisco on the network, the
>>>>> rest should be Cisco too, unless there is a very good technical/financial
>>>>> reason for it, but you should be prepared to be your own help in those
>>>>> cases.
>>>>>
>>>>> Vendors love to point at the other vendors for solutions. At least in my
>>>>> experience.
Re: Is Cisco equipment de facto for you?
Just a side note, HP probably was the most helpful vendor I've dealt with in relation to solving/providing inter-vendor interoperability solutions. They have PDF booklets on many things we would run into during work, for example, setting up STP between Cisco and HP gear ( http://cdn.procurve.com/training/Manuals/ProCurve-and-Cisco-STP-Interoperability.pdf ).

At the time the other vendor in this case (Cisco) flat out refused to help us. This was a few years back though, things may have changed. I'd ask support "you are not telling me I'm the _only_ customer trying to do this" … to which they would try and play the "well most people don't mix gear"..

HP's example should be the yardstick in the field.

-g

On Jan 10, 2011, at 3:04 PM, Brandon Kim wrote:

> To your point Andrey,
>
> It probably works both ways too. I'm sure HP would love to finger point as well. I remember reading for my CCNP one of the thought processes behind getting all Cisco is the very reason you pointed out, get all Cisco!
>
> How convenient though for Cisco to do that, I wonder if they are being sincere (sarcasm).
>
> Wouldn't it be a perfect world for Cisco to just have everyone buy their stuff...I think it's a cop out though and you really should try to support your product as best you can if it is connected to another vendor.
>
> I'm sad to hear that TACACS took that route. I hope they at least tried their hardest to support you.
>
>> From: khomyakov.and...@gmail.com
>> Date: Mon, 10 Jan 2011 14:35:36 -0500
>> Subject: Re: Is Cisco equipment de facto for you?
>> To: nanog@nanog.org
>>
>> There have been awfully too many times when Cisco TAC would just say that since the problem you are trying to troubleshoot is between Cisco and VendorX, we can't help you. You should have bought Cisco for both sides. I had that happen when I was troubleshooting LLDP between 3750s and Avaya phones, TACACS between Cisco and tac_plus daemon, link bundling between Juniper EX and Cisco, some obscure switching issues between CAT and ProCurves and other examples like that, just don't recall them anymore.
>>
>> Every time I'm reminded that if you have a lot of Cisco on the network, the rest should be Cisco too, unless there is a very good technical/financial reason for it, but you should be prepared to be your own help in those cases.
>>
>> Vendors love to point at the other vendors for solutions. At least in my experience.
>>
>> My $0.02
>>
>> Andrey
>>
>> On Mon, Jan 10, 2011 at 11:52 AM, Greg Whynott wrote:
>>
>>> I've tried to use other vendors throughout the years for internal L2/L3. Always Cisco for perimeter routing/firewalling.
>>>
>>> From my personal experience, each time we took a chance and tried to use another vendor for internal L2 needs, we would be reminded why it was a bad choice down the road, due to hardware reliability, support issues, multiple and ongoing software bugs, architectural design choices. Then for the next few years I'd regret the decision. This is not to say Cisco gear has been without its issues, but they are much fewer and handled better when stuff hits the fan.
>>>
>>> The only other vendor at this point in my career I'd feel comfortable deploying for internal enterprise switching, including HPC requirements, which is not Cisco branded, would be Force10 or Extreme. It has always been Cisco for edge routing/firewalling, but I wouldn't be opposed to trying Juniper for routing, I know of a few shops who do and they have been pleased thus far. I've little or no experience with many of the other vendors, and I'm sure they have good offerings, but I won't be beta testing their firmwares anymore (one vendor insisted we upgrade our firmware on our core equipment several times in one year…).
>>>
>>> Cisco isn't a good choice if you don't have the budget for the SmartNet contracts. They come at a price. A little 5505 with unrestricted license and contract costs over 2k, a 5540 about 40k-70k depending on options, with a yearly renewal of about 15k or more…
>>>
>>> -g
>>
>> --
>> Andrey Khomyakov
>> [khomyakov.and...@gmail.com]

--
This message and any attachments may contain confidential and/or privileged information for the sole use of the intended recipient. Any review or distribution by anyone other than the person for whom it was originally intended is strictly prohibited. If you have received this message in error, please contact the sender and delete all copies. Opinions, conclusions or other information contained in this message may not be that of the organization.
Re: Is Cisco equipment de facto for you?
I think it really depends on who answers your call. I've called Cisco a few times before for inter-vendor issues and they gave us the "call the other vendor" finger.. Other times they saved the day.

I know some shops negotiate their support contract which precludes them from going through the regular support escalation process. You get to speak to a more senior tech on the first 'hello'.

-g

On Jan 10, 2011, at 3:04 PM, Chris Adams wrote:

> Once upon a time, Andrey Khomyakov said:
>> There have been awfully too many times when Cisco TAC would just say that since the problem you are trying to troubleshoot is between Cisco and VendorX, we can't help you. You should have bought Cisco for both sides.
>
> That kind of behavior from a vendor tells me I shouldn't have bought that vendor for either side.
Re: Is Cisco equipment de facto for you?
The ProCurve line is cheap and the standard support contract price can't be beat (lifetime free). For many 'normal' deployments it would be a good choice. In a 10Gbit HPC or highly redundant environment I'd probably be looking at Extreme or Force10.

There is a feature on the Cisco 6500 series which is very appealing for those needing highly redundant / quick fail over, VSS. Currently you can only get it on 6500's or better, so the cost of admission is huge, and you have to have the physical space to mount the units. Extreme has a similar feature which is available throughout most of the product line, meaning you don't have to drop 6 figures for a redundant zero time fail over solution and can fit it into as little as 2Us in the rack. I recently set up a pair of Summit 650's using the virtual switch feature. I have multiple 10Gbit clients terminated to the pair. Zero time fail over when a link goes down, it's nice.

This is what I find is the trend with features and Cisco: Cisco sticks with what is known and is a bit reluctant to throw a new feature into the mix, whereas a competing vendor sees that as an opportunity. Cisco is slow and steady, where the other vendors tend to be lighter on their feet. Sometimes when you are quick on your feet, you trip more often than the one walking slowly.

-g

On Jan 10, 2011, at 12:04 PM, Brandon Kim wrote:

> Wow, overall consensus is that there are quite a few that are migrating to Juniper from Cisco.
>
> I am a bit biased because I have spent an awful amount of time invested into Cisco and understanding how to configure them. But being a former business owner, I also am very much sensitive to costs and business needs.
>
> For those that have been Cisco focused, do you stay fully objective, and are you willing to pitch another vendor knowing that you will have to learn a new IOS? And that that will be your time that you'll have to spend to understand the product and support it?
>
> We have been selling HP ProCurves to SMB's because of the cost factor. I don't really mind them all that much. I've tried to fit Cisco switches in the mix but their pricing is just so much more as well as the SmartNet costs. They really price themselves out and that is unfortunate.
>
> I will be looking at refreshing our core switches and routers soon so I will stay objective as much as I can.
>
> =)
>
>> To: nanog@nanog.org
>> Subject: Re: Is Cisco equipment de facto for you?
>> Date: Mon, 10 Jan 2011 10:36:24 -0600
>> CC: brandon@brandontek.com
>> From: tad1...@gmail.com
>>
>> On Mon, 10 Jan 2011 09:31:32 -0600, Brandon Kim wrote:
>>
>>> Hello gents:
>>>
>>> I wanted to put this out there for all of you. Our network consists of a mixture of Cisco and Extreme equipment.
>>>
>>> Would you say that it's fair to say that if you are serious at all about being a service provider that your core equipment is Cisco based?
>>>
>>> Am I limiting myself by thinking that Cisco is the "de facto" vendor of choice? I'm not looking for so much "fanboy" responses, but more of a real world experience of what you guys use that actually works and does the job.
>>>
>>> No technical questions here, just general feedback. I try to follow the Tolly Group who compares products, and they continually show that Cisco equipment is a poor performer in almost any equipment compared to others, I find that so hard to believe.
>>
>> Cisco is typically not known as the fastest or most power efficient when compared to other vendors, but they usually have some advanced feature sets that are very nice. In the ISP space this may be less helpful, but in the SMB and Enterprise space this can be very helpful. Things such as Call Manager Express, Web Content Filtering, WebEx Nodes, Server Load Balancing, Wireless Lan Controllers, etc. that are either built into IOS or available with a line card or module, are nice tools to have at your disposal, and often can mean reducing the number of devices you need in your rack.
>>
>> As for the Tolly group, I find whomever pays Tolly for the survey tends to be the fastest.
>>
>> Example:
>> Abstract:
>>
>> HP commissioned Tolly to evaluate the performance, power consumption and TCO of its E5400 zl and E8200 switch series and compare those systems with the Cisco Systems Catalyst 3750-X and Catalyst 4500.
>>
>> This is because the vendor is getting to pick what they want to benchmark rather than the company benchmarking them. No one is going to choose tests that their product will lose in. There isn't much in the way of "Tom's Hardware Style" testing of enterprise gear to my knowledge.
>>
>> Cisco gear is also known for long life, being very consistent, and high reliability. A walk through colos you will often see many many Cisco 12000's for those exact reasons.
>>
>> I feel each vendor has its strong poin
Re: Is Cisco equipment de facto for you?
>> Brandon
>>
>
> Just as a pointer - one of the largest and most utilized IX (AMS-IX) has their platform built on Brocade devices.
>

Brocade devices pre-Foundry purchase, correct? I can't see anyone that large using Foundry in large deployments..

-g
Re: Is Cisco equipment de facto for you?
I've tried to use other vendors throughout the years for internal L2/L3. Always Cisco for perimeter routing/firewalling.

From my personal experience, each time we took a chance and tried to use another vendor for internal L2 needs, we would be reminded why it was a bad choice down the road, due to hardware reliability, support issues, multiple and ongoing software bugs, architectural design choices. Then for the next few years I'd regret the decision. This is not to say Cisco gear has been without its issues, but they are much fewer and handled better when stuff hits the fan.

The only other vendor at this point in my career I'd feel comfortable deploying for internal enterprise switching, including HPC requirements, which is not Cisco branded, would be Force10 or Extreme. It has always been Cisco for edge routing/firewalling, but I wouldn't be opposed to trying Juniper for routing, I know of a few shops who do and they have been pleased thus far. I've little or no experience with many of the other vendors, and I'm sure they have good offerings, but I won't be beta testing their firmwares anymore (one vendor insisted we upgrade our firmware on our core equipment several times in one year…).

Cisco isn't a good choice if you don't have the budget for the SmartNet contracts. They come at a price. A little 5505 with unrestricted license and contract costs over 2k, a 5540 about 40k-70k depending on options, with a yearly renewal of about 15k or more…

-g

On Jan 10, 2011, at 11:21 AM, Randy Carpenter wrote:

> We have traditionally been a Cisco shop, but we are starting to move toward Juniper for much of our needs, and will be recommending Juniper as an alternative for customers' needs. From a technical point of view, I find the configurations to be simpler and easier to understand, and I like the fact that most everything runs the same OS, with the same interface. From a financial point of view, Juniper tends to be less expensive for more performance, and their support contracts are much cheaper.
>
> All that said, and as others have said, Cisco is always a safe choice, particularly since many people are familiar with them.
>
> -Randy
>
> --
> | Randy Carpenter
> | Vice President, IT Services
> | Red Hat Certified Engineer
> | First Network Group, Inc.
> | (419)739-9240, x1
>
> - Original Message -
>> Hello gents:
>>
>> I wanted to put this out there for all of you. Our network consists of a mixture of Cisco and Extreme equipment.
>>
>> Would you say that it's fair to say that if you are serious at all about being a service provider that your core equipment is Cisco based?
>>
>> Am I limiting myself by thinking that Cisco is the "de facto" vendor of choice? I'm not looking for so much "fanboy" responses, but more of a real world experience of what you guys use that actually works and does the job.
>>
>> No technical questions here, just general feedback. I try to follow the Tolly Group who compares products, and they continually show that Cisco equipment is a poor performer in almost any equipment compared to others, I find that so hard to believe.
>>
>> Thanks!
>>
>> Brandon
Re: asymmetric routes/security concerns/Fortinet
Randy your assumptions are correct, all outbounds get that slapped on them, automagically. Good thing you have read the same magic book and can counter! 8)

I don't or ever did expect anything from you, not sure why you thought I might.

Do you think I should quit this organization because we do this, and not consider the good work and intentions they have? (finding a cure for cancer) I don't think the legal department's intention was to force anything onto the world. Sounds like you have a lot of anger issues to work out. 8)

take care and have a great weekend,
greg

On Jan 7, 2011, at 4:59 PM, Randy Bush wrote:

> you have sent a message to me which seems to contain a legal warning on who can read it, or how it may be distributed, or whether it may be archived, etc.
>
> i do not accept such email. my mail user agent detected a legal notice when i was opening your mail, and automatically deleted it. so do not expect further response.
>
> yes, i know your mail environment automatically added the legal notice. well, my mail environment automatically detected it, deleted it, and sent this message to you. so don't expect a lot of sympathy.
>
> and if you choose to work for some enterprise clueless enough to think that they can force this silliness on the world, use gmail, hotmail, ...
>
> randy
Re: asymmetric routes/security concerns/Fortinet
Thanks Ken,

Some good stuff there, thanks. Since my original email, I think I've come up with a partial solution not requiring the far end's involvement. If not, at least it would get us into a better position to utilize the ORION network when possible.

We peer over a L2 tunnel with a router down in the states through one of our ISP's 10G links, I'm going to see if ORION will do the same with us. This would allow us to establish a BGP session directly with the ORION router, then I could use the localpref options, which may help. This problem is intermittent, most of the time things are fine. Doing the above isn't going to help if path/route conditions change, but at least we'll have done all we could within reason and have a proper config.

I didn't consider the reasons you mentioned related to 'fail fast', that does make a lot of sense. This is not the reason they claim this policy is in place, it is for security reasons.

We access ORION via GTAnet, they are within/part of/something to do with the UoT, and we are across the street.

take care,
greg

@Anthony Pardini

On Jan 7, 2011, at 2:45 PM, Anthony Pardini wrote:

> Firewalls aren't routers and pretty much all of them behave in the similar manner.

oh! thanks. 8)

On Jan 7, 2011, at 2:37 PM, Ken Chase wrote:

> It sounds like the target site has a possible misconfiguration if this is a long term issue. If they're using the open internet to get back to you and not ORION (when your packets arrived from ORION-based connection), then something is misconfigured or down. The problem is a conflict in the way BGP works and how people assume it works :) BGP is designed to get packets to where they want to go, not drop them if they're going the wrong way.
Re: asymmetric routes/security concerns/Fortinet
Thanks John for your input.

You are correct, ORION is a dedicated high speed research network. Based on the fact that we access ORION via one of our ISPs (3rd party, we don't BGP/directly peer with ORION), I'm not sure if I can use this solution here. I could do that for the routes learned from that ISP, but we receive the entire internet routing table from them… I'd have to understand things more before I went down that road. Perhaps I shouldn't be accepting the full table from them. The localpref is something I'll look at, thanks for that.

I'm not a BGP expert by any stretch, and our requirements here are "simple". We are not a transit. I've only attempted to make the config safe, not efficient.

I'd like to hear what you have to say about the original question, is there good reason in this day and age to drop traffic as described in the original post in your opinion?

-g

On Jan 7, 2011, at 1:15 PM, John Kristoff wrote:

> On Fri, 7 Jan 2011 12:40:32 -0500
> Greg Whynott wrote:
>
>> we have multiple internet connections of which one is a research network where many medical institutions and universities are also connected to throughout the country. This research network (ORION) also has internet access but is not meant to be used as a primary path to the internet by its customers. Connected to the ORION network are many sites we exchange email with daily who also have multiple internet connections. One of these sites is not reachable by us. After investigating, it was discovered this site is dropping our connections as the path back to us would use a different interface on the firewall (a Fortinet device) than that which it arrived upon.
>
> Correct me if I'm wrong, I'm not very familiar with ORION, but if it's like some of the research networks in the U.S. have been built in the past, ORION is a dedicated high speed, low latency network that interconnects research institutions together. The way these are often used is that you localpref routes you learn from ORION participants so that traffic between each of you goes over the research network. You'd typically want this since the performance is good and there is plenty of capacity available, but it is also paid for, probably through some research grant, helping to reduce the use and expense of your commercial transit.
>
> You should be sending your traffic to them via ORION and they likewise. However, if that path is down, then it would make sense for it to go via another route. Hence, asymmetry may happen.
>
> Are you not sending the traffic via ORION? If so, then I'd suggest you both have something to fix. :-)
>
> John
asymmetric routes/security concerns/Fortinet
Hello,

we have multiple internet connections of which one is a research network where many medical institutions and universities are also connected to throughout the country. This research network (ORION) also has internet access but is not meant to be used as a primary path to the internet by its customers. Connected to the ORION network are many sites we exchange email with daily who also have multiple internet connections. One of these sites is not reachable by us. After investigating, it was discovered this site is dropping our connections as the path back to us would use a different interface on the firewall (a Fortinet device) than that which it arrived upon.

The admins at this university claim this is by design and for security reasons.. My response was the entire internet is asymmetrical and while this may have been a legitimate concern in the 90's, I don't think it's a real concern anymore if things are set up correctly. They suggested we add static routes to our equipment to address this… This seems like a bad idea and I am not comfortable adjusting my routing table to address one site's issues on the internet due to their (not ours) routing/security policies.

am I correct here? any comments on this would be greatly appreciated as I'll be called into a meeting to discuss this further (they are digging their heels in on this, and higher ups are getting involved now). I'd like to arm myself with a few perspectives.

thanks very much for your time again,
greg
Re: Alleged backdoor in OpenBSD's IPSEC implementation.
update.. hoax it appears.

http://www.itworld.com/open-source/130820/openbsdfbi-allegations-denied-named-participant
Re: Over a decade of DDOS--any progress yet?
I found it funny how M$ started giving away virus/security software for its OS. It can't fix the leaky roof, so it includes a roof patch kit. (and puts about 10 companies out of business at the same time)

>>> Many Windows infections I've seen occur not due to the OS, but due to lack of patching of applications on the OS. The system does as much as it can.

which applications are home users using which are exploited more than RPC and friends?

-g
Re: Lightning Debates at NANOG 51
> Excuse me. Raised floor vs. overhead.

ahh that makes much more sense, thanks Tom.

> I'm sure someone has an opinion…

I suspect you are correct, not sure who would elect for the slower standard, considering they hit the streets fairly close to each other and I can't see there being a huge difference in cost, but I could be wrong. (the ISP I'm connected to is running 100G now)

>>> Optics: XFP vs. SFP+
>> Maybe you have no idea on what XFP or SFP+ is because you've been running a Gigabit based network and haven't made the jump to 10GE yet -

I've more 10G ports than you can shake a stick at actually… my '?' was again, people debate this? As the bit rates are verbatim, the major difference which one would choose the other over from my understanding was distance to endpoint.. but again I could be wrong… wishing now I didn't send anything. 8)

-g
Re: Lightning Debates at NANOG 51
> Cooling: Raised floor vs. Underfloor

forgive me, but what is the difference between raised floor and underfloor?

> Ethernet: 40GE vs. 100GE

people are debating which is better? really?

> Optics: XFP vs. SFP+

?

some interesting choices of things to debate.. are these serious debate sessions or more for fun?
Re: non operational question related to IP
thanks guys. I should have paid more attention in school. Interesting Cisco understands what we meant. 8)

-g

On Nov 22, 2010, at 2:56 PM, Matlock, Kenneth L wrote:

> 'Octal' (Base-8) :)
>
> The leading '0' is telling the box to interpret it as octal instead of decimal or hex.
>
> Ken Matlock
> Network Analyst
> Exempla Healthcare
> (303) 467-4671
> matlo...@exempla.org
>
> -Original Message-
> From: Greg Whynott [mailto:greg.whyn...@oicr.on.ca]
> Sent: Monday, November 22, 2010 12:53 PM
> To: nanog list
> Subject: non operational question related to IP
>
> I was pinging a host from a windows machine and made a typo which seemed harmless. The end result was it interpreted my input differently than what I had intended. Thinking this was a M$ issue I quickly took the opportunity to poke fun at windows as the senior M$ admin was near by.
>
> "look at how brain dead this os is, it can't even do simple math!"
>
> He is now looking at my screen scratching his head.
>
> "watch, i'll open a shell on os x and show you how it can add 0 +10"
>
> I open a shell on os x, same behavior as windows.
>
> " ok so apple is brain dead too, watch, it'll work on linux!"
>
> same deal...
>
> long story short, it does work as expected on all our hardware routing gear. still not sure what is happening here...
>
> osx-gwhynott:~ gwhynott$ ping 10.010.10.1
> PING 10.010.10.1 (10.8.10.1): 56 data bytes
>
> gwhyn...@ops:~$ ping 10.010.10.1
> PING 10.010.10.1 (10.8.10.1) 56(84) bytes of data.
>
> CORE1>ping 10.010.10.1
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
> !
>
> anyone happen to know how the OS's are interpreting the 010? doesn't appear to work out in base[2-10] (1010,101,22,20,14,13,12,11,10,A)
>
> thanks!
>
> greg
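The octal reading Ken describes, as an added example that is not code from the thread: a Python re-implementation of the lenient BSD inet_aton() rules (leading 0 means octal, 0x means hex, fewer than four parts allowed) that the OS X and Linux ping commands applied, beside a strict validator that refuses any address those rules would read differently from plain decimal, which is the check worth putting in front of any ACL or allowlist built from typed-in addresses. It goes beyond the thread's single typo to the other shorthand forms inet_aton() accepts; all sample inputs are constructed.

```python
"""Lenient vs. strict IPv4 address parsing (added example, not from the thread).

The classic BSD inet_aton() that the OS X and Linux ping commands rely on
reads a dotted-quad part with a leading 0 as octal (010 == 8), a 0x prefix
as hex, and accepts fewer than four parts; the router in the thread read
010 as decimal 10.  This module re-implements those lenient rules next to a
strict validator so that software which stores operator-typed addresses in
an ACL or allowlist can refuse inputs that two parsers would read as two
different hosts.  All sample inputs are constructed for the example.
"""
import re

# One inet_aton() part: 0x.. hex, leading-0 octal, or plain decimal.
_HEX = re.compile(r"^0[xX][0-9a-fA-F]+$")
_OCT = re.compile(r"^0[0-7]*$")
_DEC = re.compile(r"^[1-9][0-9]*$")

# Strict form: decimal, no leading zeros; the 0-255 range is checked below.
_STRICT_PART = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def _lenient_part(text: str) -> int:
    """Parse one part the way inet_aton() does (hex, octal or decimal)."""
    if _HEX.match(text):
        return int(text[2:], 16)
    if _OCT.match(text):          # "0" and "010" both land here; "08" does not
        return int(text, 8)
    if _DEC.match(text):
        return int(text, 10)
    raise ValueError(f"inet_aton() would reject part {text!r}")


def lenient_inet_aton(text: str) -> str:
    """Emulate BSD inet_aton() and return the canonical dotted quad.

    1 part  -> a        (final part fills 32 bits)
    2 parts -> a.b      (final part fills 24 bits)
    3 parts -> a.b.c    (final part fills 16 bits)
    4 parts -> a.b.c.d  (one byte each)
    """
    parts = [_lenient_part(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("inet_aton() accepts one to four parts")
    *leading, last = parts
    if any(value > 0xFF for value in leading):
        raise ValueError("a leading part exceeds one byte")
    last_bits = 8 * (5 - len(parts))      # bits the final part may occupy
    if last >= 1 << last_bits:
        raise ValueError("final part does not fit in the remaining bytes")
    addr = 0
    for value in leading:                 # pack leading bytes high to low
        addr = (addr << 8) | value
    addr = (addr << last_bits) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def strict_dotted_quad(text: str) -> str:
    """Accept only a.b.c.d with decimal parts 0-255 and no leading zeros.

    Returns the input unchanged; raises ValueError for anything a lenient
    parser might silently reinterpret (octal, hex, shorthand forms).
    """
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("exactly four parts required")
    for part in parts:
        if not _STRICT_PART.match(part) or int(part) > 255:
            raise ValueError(f"ambiguous or invalid octet {part!r}")
    return text


def is_ambiguous(text: str) -> bool:
    """True when inet_aton() accepts the text but the strict check does not,
    i.e. different software on the path may target different hosts."""
    try:
        lenient_inet_aton(text)
    except ValueError:
        return False               # nobody accepts it: not ambiguous, just bad
    try:
        strict_dotted_quad(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the thread's typo plus other inet_aton() shorthands.
    for sample in ("10.010.10.1", "10.10.10.1", "0x0a.10.10.1", "10.655361",
                   "168430081", "10.08.10.1"):
        try:
            reading = lenient_inet_aton(sample)
        except ValueError as exc:
            reading = f"rejected ({exc})"
        flag = "AMBIGUOUS" if is_ambiguous(sample) else "ok"
        print(f"{sample:>14} -> {reading:<14} {flag}")
```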
non operational question related to IP
I was pinging a host from a windows machine and made a typo which seemed harmless. The end result was it interpreted my input differently than what I had intended. Thinking this was a M$ issue I quickly took the opportunity to poke fun at windows as the senior M$ admin was near by.

"look at how brain dead this os is, it can't even do simple math!"

He is now looking at my screen scratching his head…..

"watch, i'll open a shell on os x and show you how it can add 0 +10"

I open a shell on os x, same behavior as windows.

" ok so apple is brain dead too, watch, it'll work on linux!"

same deal…

long story short, it does work as expected on all our hardware routing gear. still not sure what is happening here…

osx-gwhynott:~ gwhynott$ ping 10.010.10.1
PING 10.010.10.1 (10.8.10.1): 56 data bytes

gwhyn...@ops:~$ ping 10.010.10.1
PING 10.010.10.1 (10.8.10.1) 56(84) bytes of data.

CORE1>ping 10.010.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!

anyone happen to know how the OS's are interpreting the 010? doesn't appear to work out in base[2-10] (1010,101,22,20,14,13,12,11,10,A)

thanks!

greg
Re: IPv6 Space Management. Tracking, not Allocating
good for you Mike, for contributing. thanks.

-g

>> Open Source world - leaching off the good will and effort of the Open Source community, yet give nothing in return.
>
> then you would also want to grab the patch I posted to the bug tracker. Enjoy, I do.
>
> --
> Mike Oliver, KT2T
Re: IPv6 Space Management. Tracking, not Allocating
IPPlan does this fairly well for ipv4 space, and they have recently added ipv6.

-g

On Nov 17, 2010, at 12:22 PM, chip wrote:

> There's been lots of discussion on how we should allocate space to various bits of the network. What I haven't yet seen is how people are tracking these allocations. Is everyone using one of the two or three commercial applications or some OSS solution or a few large(ish) text files? Anyone have any recommendations or feedback?
>
> Thanks!
>
> --chip
>
> --
> Just my $.02, your mileage may vary, batteries not included, etc

Gregory Whynott
Network Operations
Ontario Institute for Cancer Research
MaRS Centre, South Tower
101 College Street, Suite 800
Toronto, Ontario, Canada M5G 0A3
Tel: 647-294-2813
www.oicr.on.ca
Re: AS path question.
thanks all, this makes sense now. and I just showed the internet how ignorant I am...

I have my maxas-limit set to 10 based on an article I was reading. perhaps I should up that a bit. what sort of problems are associated with overly long AS paths? is it more of a system resource control setting?

-g

On Nov 10, 2010, at 3:31 PM, Nick Olsen wrote:

They are prepending routes. Looks like both 43022 are prepending, As well as 47359... Multiple times... They do this to make that route look "bad" so it comes in other transit they have.

Nick Olsen
Network Operations
(855) FLSPEED x106

From: "Greg Whynott" <greg.whyn...@oicr.on.ca>
Sent: Wednesday, November 10, 2010 3:23 PM
To: "nanog@nanog.org list" <nanog@nanog.org>
Subject: AS path question.

Recently I adjusted the maxas-limit option on our router, logs started reporting routes being refused because the AS path is too long. seems to work as expected. when I looked at the logs I was a bit confused at what I was looking at... why is it there are multiple AS's in the path that appear to be the same AS? I expected an AS path comprised of mostly unique ASs.

instead of this:

476330: Nov 10 14:55:07.247 EDT: %BGP-6-ASPATH: Long AS path 549 26677 6939 21011 43022 43022 43022 43022 43022 47359 47359 47359 47359 47359 47359 47359 47359 received from isp router: More than configured MAXAS-LIMIT

I expected it would look more like:

476330: Nov 10 14:55:07.247 EDT: %BGP-6-ASPATH: Long AS path 549 26677 6939 21011 43022 47359 received from ...

thanks for your time again,
greg
AS path question.
Recently I adjusted the maxas-limit option on our router, logs started reporting routes being refused because the AS path is too long. seems to work as expected. when I looked at the logs I was a bit confused at what I was looking at... why is it there are multiple AS's in the path that appear to be the same AS? I expected an AS path comprised of mostly unique ASs.

instead of this:

476330: Nov 10 14:55:07.247 EDT: %BGP-6-ASPATH: Long AS path 549 26677 6939 21011 43022 43022 43022 43022 43022 47359 47359 47359 47359 47359 47359 47359 47359 received from isp router: More than configured MAXAS-LIMIT

I expected it would look more like:

476330: Nov 10 14:55:07.247 EDT: %BGP-6-ASPATH: Long AS path 549 26677 6939 21011 43022 47359 received from ...

thanks for your time again,
greg
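Added example, not from the thread: a small Python parser for the %BGP-6-ASPATH line quoted above that counts the path the way the log shows MAXAS-LIMIT counting it (every hop, prepended copies included, 17 here against a limit of 10) and separately collapses consecutive repeats, so an operator reviewing these log lines can tell prepending from a genuinely long path. The log line is the one from the post; maxas_limit=10 is the value Greg mentions.

```python
# Added example: parse a Cisco %BGP-6-ASPATH log line and separate
# prepending from path length as MAXAS-LIMIT measures it.
import re
from itertools import groupby
from typing import Dict, NamedTuple, Optional, Tuple

# Log line quoted in the post above (copied, not constructed).
LOG_LINE = (
    "476330: Nov 10 14:55:07.247 EDT: %BGP-6-ASPATH: Long AS path "
    "549 26677 6939 21011 43022 43022 43022 43022 43022 47359 47359 "
    "47359 47359 47359 47359 47359 47359 received from isp router: "
    "More than configured MAXAS-LIMIT"
)

_ASPATH = re.compile(
    r"%BGP-6-ASPATH: Long AS path ((?:\d+ )+)received from (.+?):"
)


class PathReport(NamedTuple):
    path: Tuple[int, ...]        # AS path exactly as logged, hop by hop
    collapsed: Tuple[int, ...]   # consecutive duplicates merged
    prepends: Dict[int, int]     # ASN -> number of extra copies inserted
    over_limit: bool             # len(path) > maxas_limit, as the router sees it


def parse_aspath_log(line: str) -> Optional[Tuple[Tuple[int, ...], str]]:
    """Return (as_path, peer) from a %BGP-6-ASPATH line, or None."""
    m = _ASPATH.search(line)
    if not m:
        return None
    path = tuple(int(asn) for asn in m.group(1).split())
    return path, m.group(2).strip()


def analyse_path(path: Tuple[int, ...], maxas_limit: int) -> PathReport:
    """Measure the path both ways: raw length (what maxas-limit compares
    against) and with runs of the same ASN collapsed (what the poster
    expected to see). Extra copies per ASN are summed in case the same
    ASN prepends in more than one run."""
    collapsed = tuple(asn for asn, _ in groupby(path))
    prepends: Dict[int, int] = {}
    for asn, run in groupby(path):
        extra = len(list(run)) - 1
        if extra:
            prepends[asn] = prepends.get(asn, 0) + extra
    return PathReport(path, collapsed, prepends, len(path) > maxas_limit)


if __name__ == "__main__":
    parsed = parse_aspath_log(LOG_LINE)
    assert parsed is not None
    path, peer = parsed
    report = analyse_path(path, maxas_limit=10)
    print(f"from {peer}: {len(path)} hops as logged, "
          f"{len(report.collapsed)} after collapsing prepends")
    print("prepends:", report.prepends, "over limit:", report.over_limit)
```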
Re: VM slicing and dicing
no copper cables 10G and FC is all you need to deploy images. 8)

-g

On Nov 9, 2010, at 11:38 AM, Holmes,David A wrote:

> We've been looking at Cisco's Unified Computing System (UCS) blade server, which appears to have great potential. Very fast, and eliminates almost all top-of-rack copper cabling from servers to top-of-rack switch. Custom-built for VMWare optimization, but other virtualization OS's will run also from what I have read. Ten GiGE and FCoE are the entry points at the server access layer.
>
> -----Original Message-----
> From: Brandon Kim [mailto:brandon@brandontek.com]
> Sent: Tuesday, November 09, 2010 8:18 AM
> To: nanog group
> Subject: OT: VM slicing and dicing
>
> Hey gents:
>
> As always I value your input. Best resource on the planet! =)
> I'm hoping this isn't too off-topic if so please respond to me offline if so.
>
> I figured since most of everyone here are operators working in a datacenter, you may or may not have experience with virtualization software that allows you to configure VM's on the fly.
>
> I'm not looking for companies that offer this service, but the actual software engines that allow you to create VM's on the fly. So a customer goes to your website and says I want Win2008 with 8gigs of RAM and 120gigs of HDD. Just like custom configuring a new PC.
>
> Does anyone here have experience or knowledge of companies that offer this type of software engine?
>
> Thanks in advance!
>
> Brandon
Re: OT: VM slicing and dicing
if you are using KVM (or even VMware) and you can write shell scripts, you can do this in house. both have the ability to create VMs from the command line. in KVM you can create a VM with a one liner.

-g

On Nov 9, 2010, at 11:17 AM, Brandon Kim wrote:

> Hey gents:
>
> As always I value your input. Best resource on the planet! =)
> I'm hoping this isn't too off-topic if so please respond to me offline if so.
>
> I figured since most of everyone here are operators working in a datacenter, you may or may not have experience with virtualization software that allows you to configure VM's on the fly.
>
> I'm not looking for companies that offer this service, but the actual software engines that allow you to create VM's on the fly. So a customer goes to your website and says I want Win2008 with 8gigs of RAM and 120gigs of HDD. Just like custom configuring a new PC.
>
> Does anyone here have experience or knowledge of companies that offer this type of software engine?
>
> Thanks in advance!
>
> Brandon
Re: BGP support on ASA5585-X
I couldn't disagree with this statement more than I do. they could make a box do it all if they wanted to, but it does not make business sense.

On Nov 2, 2010, at 1:42 PM, Dylan Ebner wrote:

> IMHO, I don't think this is a marketing issue for cisco. It's a design issue. PIX/ASA is good at some things, and bad at others. They have never been good as routers. You have to remember, EIGRP didn't even come to the security line until 8.0 code and they still do not support traffic shaping. These services use memory and cpu resources which can dramatically reduce your ability to get through very long access lists. I am not positive on the ASAs, but I seem to remember that the routing features on the PIX was all done in software. If that is still true today, I can't imagine you could effectively perform stateful inspection, access lists, maybe VPN services, and BGP for a 100Mb+ internet connection on even a 5585. They just aren't that powerful.
>
> Dylan Ebner
>
> -----Original Message-----
> From: srg [mailto:srgqwe...@gmail.com]
> Sent: Friday, October 29, 2010 12:43 PM
> To: nanog@nanog.org
> Subject: BGP support on ASA5585-X
>
> Hi:
>
> At this moment we know that ASA5585-X does not support BGP.
>
> Does anybody know if BGP support in the ASA5585-X is in roadmap?
> More precisely... MP-BGP support in the ASA5585-X?
> Any "official" link in the Cisco website about this? (I didn't find it)
>
> Thanks a lot and best regards
Token ring? topic hijack: was Re: Mystery open source switching
off topic... you recently converted from token ring to ethernet? I had no idea there were still token ring networks out there, or am I living in a bubble?

-g

On Oct 31, 2010, at 9:07 PM, Paul WALL wrote:

> I don't know what the big deal is. I've rolled at least 20 of these switches into my network, and not only are they more stable than the Centillion switches that they replaced, they only cost half as much. Most of the money I dropped was on converting my stations from token ring to ethernet.
>
> On Sun, Oct 31, 2010 at 6:59 PM, bas wrote:
>> Hi,
>>
>> On Sat, Oct 30, 2010 at 11:26 PM, Kevin Oberman wrote:
>>> I might also mention that I received private SPAM from a name we all know and loath. (Hint: He's been banned from NANOG for VERY good reason and his name is of French derivation.) I just added a filter to block any mail mentioning pica8 and will see no more of this thread or their spam.
>>
>> Same here.
>> He harvests email addresses from peeringdb. (I have slight typo's in my peeringdb record to recognize harvested spams.)
>>
>> Bas
RE: BGP support on ASA5585-X
probably going out on a limb here, but I suspect you'll never see BGP support in any of Cisco's firewall products. In routers which have FW bits included, yes, but not in an ASA product. perhaps the marketing thinking is 'if you can afford an asa 558x, you can afford one of our fine router products too.'

-g

From: srg [srgqwe...@gmail.com]
Sent: Friday, October 29, 2010 1:42 PM
To: nanog@nanog.org
Subject: BGP support on ASA5585-X

Hi:

At this moment we know that ASA5585-X does not support BGP.

Does anybody know if BGP support in the ASA5585-X is in roadmap?
More precisely... MP-BGP support in the ASA5585-X?
Any "official" link in the Cisco website about this? (I didn't find it)

Thanks a lot and best regards
Re: How to have open more than 65k concurrent connections?
this has nothing to do with ports. as others have said, think of a web server. httpd listens on tcp80 (maybe 443 too) and all the facebookers on earth hit that port. could be hundreds of thousands, and only one port. Available memory and open files will be the limiting factor as to how many established connections you can maintain with one host, providing there are not any external limitations such as port speed.

On Oct 14, 2010, at 12:42 PM, D'Arcy J.M. Cain wrote:

> Hint: That gives you 65K connections *per interface*. You can listen on more than one interface.
Re: Hey Leber - you think Melissa is going to issue that refund properly or do we need to escalate this into legal actions against HE
it's sad that the list apparently has become a sounding board for these 'operators' who think others care about their plights and opinions which have nothing to do with L1/2/3 issues.

*I'm taking my ball and going home!*

-g

On Oct 12, 2010, at 12:44 PM, Kevin Oberman wrote:

> Pardon me, but did I miss the announcement of "Whine on NANOG day"?
Re: Facebook down!! Alert!
> just because you don't want to play facebook games doesn't make a facebook outage any less operationally relevant than, say, an akamai or limelight outage.

IMO, which may be way off base, when akamai goes off the air, people lose potential sales/revenue. when facebook goes off the air, a greater number of companies become more efficient than those who suffer productivity loss. yes, it is worth mention, but elsewhere, like twitter or on your wall.

-g
Re: Facebook down!! Alert!
Especially for Facebook alerts.. You are propagating a false perception that everyone cares.

-g

On Oct 6, 2010, at 2:20 PM, christian koch wrote:

> +1
>
> On Wed, Oct 6, 2010 at 12:57 AM, Zaid Ali wrote:
>
>> I think the Outages mailing list is more appropriate for this.
>>
>> On 10/5/10 9:46 PM, "Mike Lyon" wrote:
>>
>>> Same here in SF Bay Area
>>>
>>> On Tue, Oct 5, 2010 at 9:44 PM, James Smith wrote:
>>>
>>>> At 1:20am here in Canada, NB our networks are showing that facebook is down. Please confirm in the USA.
>>>>
>>>> ~SmithwaySecurity
>>>> Sent from my iPhone
Re: Anyone can share the Network card experience
Hi,

most of our traffic is heading directly into memory, not hitting the local disks, on the HPC end of things. Our file servers are feeding the network with around 24 x 10Gbit (active/active clusters), and regularly run at over 80 percent on all ports during runs.. this is all HPC / file movement traffic. we have instruments which generate over 6TB of data per run, every 3 days, 7/365. we have about 20 of these instruments. so most of the data on 10Gbit is indeed static, or to/from a file server to/from HPC clusters.

iSCSI we run on its own network hardware, autonomous from the 'data' network. it's not in wide deployment here, only the file server is connected via 10Gbit, the hosts using iSCSI (predominately KVM and VMware clusters) are being fed over multiple 1Gbit links for their iSCSI requirements.

Our external internet servers are connected to the internet via 1Gbit links, not 10Gbit, but apparently that is coming next year. The type of traffic they'll see will not be very chatty/interactive. it'll be researchers downloading data sets ranging in size from a few hundred megs, to a few TB..

take care,
-g

On Oct 5, 2010, at 10:59 AM, Heath Jones wrote:

>> For 10Gbit we use Intel cards for production service machines, and ConnextX/Intel in the HPC cluster.
>
> Greg - I've not been exposed to 10G on the server side..
> Does the server handle the traffic load well (even with offloading) - that's a LOT of web requests / app queries per second!
>
> Or are you using 10G mainly for iSCSI / file serving / static content?
>
> Cheers
Re: Anyone can share the Network card experience
the question of which is better, onboard vs plug in, would in part be determined by the type (make/model) of motherboard you are speaking of. How they have IRQs allocated (which is something you may be able to adjust), where it is attached to the bus etc... Also, what comes with the main board is what you get. You can purchase option NICs with extra processors (TOE for example) which offload your main CPU.

For 10Gbit we use Intel cards for production service machines, and ConnextX/Intel in the HPC cluster.

-g

On Oct 5, 2010, at 10:01 AM, Deric Kwok wrote:

> Hi
>
> Anyone can share the Network card experience
>
> Is onboard PCI Express card better or Plug in slot PCI Express card good?
>
> How are their performance in Gig transfer rate?
>
> Thank you so much
Re: Rough cost for monitoring
get a VAR involved, it'll be more efficient and accurate than asking here. things change weekly.

-g

On Oct 5, 2010, at 10:25 AM, Eric Gauthier wrote:

> Heya,
>
> I'm trying to quickly pull together some very rough budget numbers for purchasing a full monitoring system (network, server, security, facilities). Is there a source for rough unit costs? If not, does anyone have recent RFI pricing that they'd be willing to share?
>
> Eric :0
Re: do you use SPF TXT RRs? (RFC4408)
I think it was an observation they made, and suggestions to make things better. I don't think the message was "fix this or you'll be off the air one day." if they have a 56k port speed (stuck in the 80's), there is potential there for a DoS from a large volume of spam back splatter.. 8)

over all, I'm inclined to accept your assumptions.

-g

On Oct 4, 2010, at 2:38 PM, Suresh Ramasubramanian wrote:

> On Mon, Oct 4, 2010 at 12:47 PM, Greg Whynott wrote:
>>
>> A partner had a security audit done on their site. The report said they were at risk of a DoS due to the fact they didn't have a SPF record.
>
> This is pure unadulterated BS from someone who doesnt understand either DDOS mitigation, or SPF .. or more likely both.
>
> --
> Suresh Ramasubramanian (ops.li...@gmail.com)
Re: do you use SPF TXT RRs? (RFC4408)
it was the backscatter they were referring to, where spammers forge your domain as the source of the email.

Thanks John for your comments,

-g

On Oct 4, 2010, at 12:54 PM, John Adams wrote:

> Without proper SPF records your mail stands little chance of making it through some of the larger providers, like gmail, if you are sending in any high volume. You should be using SPF, DK, and DKIM signing.
>
> I don't really understand how your security company related SPF to DoS though. They're unrelated, with the exception of backscatter.
>
> -j
>
> On Mon, Oct 4, 2010 at 9:47 AM, Greg Whynott wrote:
>>
>> A partner had a security audit done on their site. The report said they were at risk of a DoS due to the fact they didn't have a SPF record.
>>
>> I commented to his team that the SPF idea has yet to see anything near mass deployment and of the millions of emails leaving our environment yearly, I doubt any of them have ever been dropped due to us not having an SPF record in our DNS. When a client's email doesn't arrive somewhere, we will hear about it quickly, and it's investigated/reported upon. I'm not opposed to putting one in our DNS, and probably will now - for completeness/best practice sake..
>>
>> how many of you are using SPF records? Do you have an opinion on their use/non use of?
>>
>> take care,
>> greg
do you use SPF TXT RRs? (RFC4408)
A partner had a security audit done on their site. The report said they were at risk of a DoS due to the fact they didn't have a SPF record.

I commented to his team that the SPF idea has yet to see anything near mass deployment and of the millions of emails leaving our environment yearly, I doubt any of them have ever been dropped due to us not having an SPF record in our DNS. When a client's email doesn't arrive somewhere, we will hear about it quickly, and it's investigated/reported upon. I'm not opposed to putting one in our DNS, and probably will now - for completeness/best practice sake..

how many of you are using SPF records? Do you have an opinion on their use/non use of?

take care,
greg
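An added example (not from the thread) of what an SPF record does for the receiving side, which is where the backscatter point in the replies comes from: a minimal RFC 4408 evaluator run against constructed records. A message whose MAIL FROM forges the domain comes back as fail, so a receiver that checks SPF can reject it during the SMTP session instead of accepting it and bouncing it to the forged domain, which is the traffic a domain without any record cannot be protected from. The domain names, addresses and RECORDS table are constructed stand-ins for DNS; only the ip4, ip6, include and all mechanisms are implemented.

```python
# Added example: a minimal SPF (RFC 4408) check_host() over constructed
# records. Real deployments resolve the TXT record via DNS; here RECORDS
# replaces the lookup so the example runs offline.
import ipaddress
from typing import Dict

# Constructed zone data (assumption, not real DNS): domain -> SPF record.
RECORDS: Dict[str, str] = {
    "example.org": ("v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                    "include:relay.example.net -all"),
    "relay.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate `domain`'s SPF policy for a connection from `ip`.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    'none' means the domain publishes no record, so the receiver learns
    nothing about whether the MAIL FROM is forged."""
    if depth > 10:
        return "permerror"            # RFC 4408 caps include recursion
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:   # skip the "v=spf1" version tag
        qual = "+"                    # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]   # "-all": everyone else is a forgery
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            # include: matches only when the referenced policy passes
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"        # a, mx, ptr, exists: not implemented here
    return "neutral"                  # no "all" term: policy says nothing


if __name__ == "__main__":
    for sender_ip in ("192.0.2.25", "198.51.100.10", "203.0.113.7"):
        print(f"{sender_ip:>14} claiming example.org -> "
              f"{check_host(sender_ip, 'example.org')}")
```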
Re: Facebook Issues/Outage in Southeast?
productivity in NA just sky rocketed!

-g

On Sep 23, 2010, at 3:39 PM, Ernie Rubi wrote:

> Anyone else having trouble? We're colo'ed at the NOTA in Miami and directly peer with them - even though our session hasn't gone down we still can't reach them.
>
> Ernesto M. Rubi
> Sr. Network Engineer
> AMPATH/CIARA
> Florida International Univ, Miami
> Reply-to: erne...@cs.fiu.edu
> Cell: 786-282-6783
Re: ip block history.
Thanks for the pointers Joel! google knows all, scary isn't it?

-g

On Sep 14, 2010, at 5:01 PM, Joel Jaeggli wrote:

> assuming the whois data has been cleaned up the next resource to look at is:
>
> routeviews or ris table dumps to see where or if it was advertised in the past, and from where.
>
> google and rbl lists are also worth querying in that context.
>
> joel
>
> On 9/14/10 1:51 PM, Greg Whynott wrote:
>> probably an odd question ...
>>
>> we have been assigned a few large blocks of IPs, and while configuring BGP I got to wondering what these blocks' history might be. who had them in the past, etc..
>>
>> is there a publicly accessible db or similar which tracks that type of information, or is that a liability concern?
>>
>> thanks!
>> greg
Re: ip block history.
that will show past whois records or just current? I didn't see any options for historic records on arin, thanks by the way.

-g

On Sep 14, 2010, at 4:56 PM, Murphy, Jay, DOH wrote:

> www.Whois.net; whois.arin.net, etc.
>
> ~Jay Murphy
> IP Network Specialist
> NM State Government
> "We move the information that moves your world."
> "Good engineering demands that we understand what we're doing and why, keep an open mind, and learn from experience."
> "Engineering is about finding the sweet spot between what's solvable and what isn't."
> Radia Perlman
> Please consider the environment before printing e-mail
>
> -----Original Message-----
> From: Greg Whynott [mailto:greg.whyn...@oicr.on.ca]
> Sent: Tuesday, September 14, 2010 2:52 PM
> To: nanog@nanog.org list
> Subject: ip block history.
>
> probably an odd question ...
>
> we have been assigned a few large blocks of IPs, and while configuring BGP I got to wondering what these blocks' history might be. who had them in the past, etc..
>
> is there a publicly accessible db or similar which tracks that type of information, or is that a liability concern?
>
> thanks!
> greg
>
> Confidentiality Notice: This e-mail, including all attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited unless specifically provided under the New Mexico Inspection of Public Records Act. If you are not the intended recipient, please contact the sender and destroy all copies of this message. -- This email has been scanned by the Sybari - Antigen Email System.
ip block history.
probably an odd question ...

we have been assigned a few large blocks of IPs, and while configuring BGP I got to wondering what these blocks' history might be. who had them in the past, etc..

is there a publicly accessible db or similar which tracks that type of information, or is that a liability concern?

thanks!
greg
Re: iPhone updates and required bandwidth
sorry Joe if I wasn't clear, what I was trying to say is I know there is a solution to address the bandwidth issue caused by updates for OS X machines, I am unsure if they have a similar solution for their hand held devices. I am assuming they do or soon will. I'm on the road right now, when I return to the office I'll take a look at the OS X update server and see if there are any provisions for the iPhones and friends.

perhaps a squid caching server in-between the device network and internet? back in the day this is how I mitigated other many-to-one client update issues.

-g

On Aug 18, 2010, at 3:07 PM, JoeSox wrote:

> Interesting.
> Do you have to configure the iPhone devices or just use its standard settings?
>
> --
> Thanks, Joe
>
> On Wed, Aug 18, 2010 at 12:03 PM, Greg Whynott wrote:
>> I set up an OS X server which hosts updates for the rest of the company, so the OS X client machines poll/pull updates from the internal machine as opposed to 100 of them pulling the same updates over the internet. saves bucket loads of bandwidth and you can "pre ok" individual packages, so the client just updates without prompting. I'm not sure but I suspect they might have something which allows their other devices to poll this same source. it would seem reasonable anyway..
>>
>> probably not a very useful answer but there it is. 8)
>>
>> -g
>>
>> On Aug 18, 2010, at 2:54 PM, JoeSox wrote:
>>
>>> Am I the only one that gets ticked off at the Apple iPhone update procedure and the amount of bandwidth it needs?
>>> Is there any secret I am missing to cut down on the required bandwidth needed for it (caching the update somewhere etc)? I don't own an iPhone (DroidX user here) and am unfamiliar with the update, all I know is it uses tons of BW.
>>>
>>> --
>>> Thanks, Joe
Re: iPhone updates and required bandwidth
I set up an OS X server which hosts updates for the rest of the company, so the OS X client machines poll/pull updates from the internal machine as opposed to 100 of them pulling the same updates over the internet. saves bucket loads of bandwidth and you can "pre ok" individual packages, so the client just updates without prompting. I'm not sure but I suspect they might have something which allows their other devices to poll this same source. it would seem reasonable anyway..

probably not a very useful answer but there it is. 8)

-g

On Aug 18, 2010, at 2:54 PM, JoeSox wrote:

> Am I the only one that gets ticked off at the Apple iPhone update procedure and the amount of bandwidth it needs?
> Is there any secret I am missing to cut down on the required bandwidth needed for it (caching the update somewhere etc)? I don't own an iPhone (DroidX user here) and am unfamiliar with the update, all I know is it uses tons of BW.
>
> --
> Thanks, Joe
RE: Lightly used IP addresses
I agree with you. the context around my statement is if the downstream believed or has some validity to a claim that they are being unjustly treated or over sighted by ARIN (or others). it wasn't about procuring blocks from a criminal, rather when ARIN says you are no longer entitled to the blocks they assigned the downstream customer, who believes they are.

I'm not against ARIN, I think they have good intentions. I'd like to think so anyway.

take care and have a great weekend,
greg

From: Jared Mauch [ja...@puck.nether.net]
Sent: Friday, August 13, 2010 5:00 PM
To: Greg Whynott
Cc: Nathan Eisenberg; nanog@nanog.org
Subject: Re: Lightly used IP addresses

I know of several large providers that would stop routing such "rogue" space. Any provider that isn't prepared to deal with such a possible customer threat or problem you don't want to be associating with. They likely harbor other badness as well.

It may take some time to catch up to them but we have seen more of these rogue elements end up with people refusing to sell to them or law enforcement taking some action.

If your management does not realize they are buying from possible criminals, you get what you pay for.

I've found a number of cases where providers are actually doing mitm and stealing SIP credentials for fraud.

Make sure you actually have good controls and communication for when things hit the fan

Jared Mauch

On Aug 13, 2010, at 3:00 PM, Greg Whynott wrote:

>> I would consider a transit provider who subverted an ARIN revocation to be disreputable, and seek other sources of transit.
>
> easy to say, but the reality is you may choose not to do so due to logistical, monetary or management/boss reasons which trumps your constitutionally balanced nature.
>
> If someone who was downstream from this provider in a similar situation, I'd say there is a stronger propensity for them to not 'do the right thing'. which by the way isn't a law, so who says it's right? it's a set of guidelines a group of folks put together.
>
> -g
Re: Lightly used IP addresses
> I would consider a transit provider who subverted an ARIN revocation to be disreputable, and seek other sources of transit.

easy to say, but the reality is you may choose not to do so due to logistical, monetary or management/boss reasons which trumps your constitutionally balanced nature.

If someone who was downstream from this provider in a similar situation, I'd say there is a stronger propensity for them to not 'do the right thing'. which by the way isn't a law, so who says it's right? it's a set of guidelines a group of folks put together.

-g
Re: Lightly used IP addresses
how does ARIN or whomever deal with similar situations where someone is advertising un-allocated, un-assigned by ARIN IP space in NA? do they have a deal/agreement with the 'backbone' providers?

-g

> 6. ARIN receives a fraud/abuse complaint that A's space is being used by B.
> 7. ARIN discovers that A is no longer using the space in accordance with
> their RSA
> 8. ARIN reclaims the space and A and B are left to figure out who owes
> what to whom.
Re: Proxy Server
I am fairly sure Squid has the concept of bandwidth pools which you can apply via ACLs within the squid conf. That may meet your proxy requirements but would not help with traffic not being proxied.

Squid will also allow you to define access to the inet based on ACLs which can use various things to determine which policy will be applied to the connection. eg, client src IP, client username, time of day, regex...

you may find it here: http://www.squid-cache.org/

-g

On Aug 5, 2010, at 2:45 PM, Joshua William Klubi wrote:

> Hi,
>
> Is there any one with an idea of an open source packeteer or bandwidth
> management solution like Allot NetEnforcer Bandwidth Management Appliance.
> Which can do proxy services and also allocate bandwidth to certain websites
> and staff, prevent them from viewing certain websites
> We currently have Microsoft TMG 2010 with GFI Web monitor 2009 installed on
> it, we are looking for a solution possible from open source. Which can
> replace it.
>
> I actually want it as a proxy server and use it to shape, allocate and
> restrict access to certain websites of our staff.
> Joshua
> (Ghana)
Re: Appliance Vs Software based routers
GNS is just a front end for dynamips/qemu. ASA will run under qemu without the use of extra wrappers/tools. it will run natively under vmware too. ASA is basically an application running above a linux kernel. I forget what the internal name is, lisa or similar...

-g

On Aug 4, 2010, at 10:56 AM, Mike Walter wrote:

> I assume the ASA's don't run natively on VMware or Xen, I assume you have to
> use something like GNS3. I think that would be fine for testing, but in real
> world production running an ASA on GNS3 under another OS seems like a bad
> idea. I hope Cisco will come out with Virtual Appliances for some of their
> products like they did for the Nexus 1000V.
>
> -Mike
>
> -----Original Message-----
> From: Daryl G. Jurbala [mailto:da...@introspect.net]
> Sent: Wednesday, August 04, 2010 10:54 AM
> To: Xavier Beaudouin
> Cc: nanog
> Subject: Re: Appliance Vs Software based routers
>
> On Aug 4, 2010, at 9:53 AM, Xavier Beaudouin wrote:
>
>> On 4 Aug 2010 at 15:14, Mirko Maffioli wrote:
>>
>>> 2010/7/25 Laurens Vets :
>>>> Cisco PIX: no, Cisco ASA: yes. It even runs under VMware... It's however
>>>> very hackish... :)
>>>
>>> Cisco ASA under VMware?? :|
>>
>> CiscoASA is based on x86, there are no reasons you cannot run this into
>> VMWare or Xen...
>
> If that were the only qualification, PIX builds for the 515s would run under
> VMWare or XEN as well. Maybe they do, but I've never seen it.
Re: Appliance Vs Software based routers
it works, i see folks creating networks of hosts under ESXi protected by an ASA instance.. not for production. I'm sure it's not legal but Cisco doesn't seem to have a strong stand on it, I'd think as long as you are using it for educational use and not commercial, they may not care a whole bunch.

What you can not do while emulating ASA is use encryption, no VPNs or otherwise. this is due to the fact the ASA units use hardware encryption, when the OS makes calls to the controller, it isn't there..

-g

On Aug 4, 2010, at 9:53 AM, Xavier Beaudouin wrote:

> On 4 Aug 2010 at 15:14, Mirko Maffioli wrote:
>
>> 2010/7/25 Laurens Vets :
>>>
>>> Cisco PIX: no, Cisco ASA: yes. It even runs under VMware... It's however
>>> very hackish... :)
>>
>> Cisco ASA under VMware?? :|
>
> CiscoASA is based on x86, there are no reasons you cannot run this into VMWare
> or Xen...
>
> Xavier
virtual switches
Cisco has VSS (on 6500 class) and H3C has IRF, allowing you to virtualize 2 or more physical switches/routers in an active/active configuration where you can use all links and terminate LACP aggregates between the two devices.

Is anyone using this or similar technology from another vendor? any recommendations or comments would be appreciated.

thanks very much for your time!

-g
Re: Vyatta as a BRAS
>>
>
> They are all software based, no matter who builds them. Cisco IOS,
> Juniper JunOS, etc. controlling hardware asic's and fpga's.

-g
Re: Advice regarding Cisco/Juniper/HP
On Jun 30, 2010, at 4:50 PM, Ricky Beam wrote:

> Personally, I prefer a bit of both.

same here. both have some things which I don't agree with. prime example again is adding more than X vlans to an interface, why the "add"?

  interface TenGigabitEthernet5/5
   switchport trunk allowed vlan 20,30,40,50,60,100,121,124,125,128,334-336
   switchport trunk allowed vlan add 500-505,509,510,513,515-518,530,532,540

that should all be able to go onto one line. I don't follow the logic. we could sit here all day nit picking I guess. It was more my manager's rage on that fateful day that made me hate that 'method' so much. 8)

>> not being able to issue commands while in config mode (without the 'do')
>> is annoying as hell too..
>
> This is a safety measure to keep your mind on the road. A typo in config
> mode can make a seriously royal mess.

I disagree with you on this. who might they be to determine my ability to not mess things up, and why are they so concerned? and how does this logic follow onto ASA/PIX/FWSM and WLC devices? when you are enabled and in config mode on those you can issue non elevated commands. there is much more potential for damage on an edge security device than an inter departmental switch/router I'd think. but i could be wrong....

>> ... that would be the second issue, the lack of consistency between
>> devices. cisco owns that one.
>
> No they don't. Which version of IOS are you running? Oh, right, that
> switch doesn't run IOS, it runs CatOS? Wait a min, that's a 1900... it
> uses a menu interface.

haha. I have to agree with you there. i stand corrected. It's been awhile since i used a "set" based IOS.

> I have three Cisco switches right here that are radically different. In
> fact, the 2948G-L3 confused a CCIE for several weeks. :-) Until I told him
> stop thinking "switch" and config it like a 48 port router. (and sadly, it
> doesn't support interface ranges. :-()

in closing, i have to say I love HP's "alias" command, I can rev my config and save it to a tftp server by typing "saveit" while enabled. Some IOS's allow you to do a "wr net" and get it there with a predefined tftp server, but as we discovered, this isn't available on all devices..

take care and have a great weekend,
greg
Re: Advice regarding Cisco/Juniper/HP
On Jun 30, 2010, at 12:07 PM, George Bonser wrote:

> if I want to
> know which vlans a port is in, you look at the port config and there it
> is. Other gear you need to look through each vlan configuration and
> note which vlans the port appears in and hope you don't overlook one.

or become familiar with some basic commands, which is after all, our job... on hp: show port vlan e1, which will show you all the vlans port E1 is a member of..

I like cisco, but i think the HP way is more logical and less prone to error. A previous poster gave an excellent example, i burnt myself not adding the "add" to a trunk config on our cisco switches. i went over the magical number (and I've no idea why you need to use another argument when you pass some threshold, it seems redundant and silly) of vlans and took out about 7 departments till I realized what I had done. thankfully you only need to do this once to learn. the trunking is more logical on HP config wise too, there is a line in the config which shows all the members and trunk type, on one line.

not being able to issue commands while in config mode (without the 'do') is annoying as hell too.. it's like not being able to do anything on a unix box while you are root without being asked "are you sure" every time you hit carriage return.

the biggest thing I don't like about the HP CLI is the lack of regex or the ability to string a few together on one line. some models have it, others don't. that would be the second issue, the lack of consistency between devices. cisco owns that one.

-g
RE:
depending on your vendor equipment you'll need an ACL or a route map to define the traffic you wish to NAT and apply it to the 'nat engine'. if you are doing this on cisco ASA or similar it might look something like this:

- define the interesting traffic with an ACL:

  access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.31
  access-list 110 deny ip any any

- create a route-map:

  route-map natme permit 10
   match ip address 110

- apply the map:

  ip nat inside source route-map natme interface GigabitEthernet0/1 overload

hope that helps.

-g

From: Mike Ruiz [mr...@lstfinancial.com]
Sent: Friday, June 18, 2010 4:13 PM
To: nanog@nanog.org
Subject:

Ok here we go. I know the subject is a little ambiguous, please allow me to explain. I have a network of 192.168.1.0/24 and I need it to reach a network 10.0.1.0/27 only when it needs to be accessed by specific machines that reside on the 192.168.1.0/24 network.

192.168.1.10 -> NAT -> 10.0.1.10 -> route that packet to 10.0.1.1.

I only want specific hosts to route to that specific /27 network. Any help would be appreciated. So far what I have gathered is only for VPN connections but I do not want to build a VPN. Thank you again in advance.

Michael Ruiz
Network Engineer

"If you tell people where to go, but not how to get there, you'll be amazed at the results." -- General George S. Patton Jr.
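The ACL plus route-map selection in the reply above, as an added example that is not part of the thread: a small evaluator for Cisco-style wildcard-mask entries that shows which flows the route-map would hand to NAT and which fall through to the implicit deny. It also goes beyond the posted ACL with a constructed per-host variant, since Mike asked for specific hosts only; the extra entry lines and test addresses are constructed for this example.

```python
"""Evaluate Cisco-style ACLs (wildcard masks, first match wins, implicit
deny) as used by 'match ip address' in a NAT route-map.  Added example;
the ACL text below is constructed to mirror the entries in the reply."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: IPv4Address
    src_wild: IPv4Address  # wildcard mask: 1 bits are "don't care"
    dst: IPv4Address
    dst_wild: IPv4Address


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip SRC SWILD DST DWILD'.
    'any' means 0.0.0.0 255.255.255.255, 'host A' means A 0.0.0.0."""
    toks = line.split()
    if toks[:1] != ["access-list"] or len(toks) < 5 or toks[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action, rest, addrs = toks[2], toks[4:], []
    while rest:
        if rest[0] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        elif rest[0] == "host":
            addrs.append((rest[1], "0.0.0.0"))
            rest = rest[2:]
        else:
            addrs.append((rest[0], rest[1]))
            rest = rest[2:]
    (s, sw), (d, dw) = addrs
    return Ace(action, IPv4Address(s), IPv4Address(sw),
               IPv4Address(d), IPv4Address(dw))


def wild_match(addr: IPv4Address, net: IPv4Address, wild: IPv4Address) -> bool:
    """A wildcard mask is the inverse of a netmask: compare only the
    bits that are 0 in the mask."""
    care = ~int(wild) & 0xFFFFFFFF
    return (int(addr) & care) == (int(net) & care)


def acl_decision(acl, src: str, dst: str) -> str:
    """First matching entry wins; IOS appends an implicit 'deny any any'."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for ace in acl:
        if wild_match(s, ace.src, ace.src_wild) and \
           wild_match(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def will_nat(acl, src: str, dst: str) -> bool:
    """Under 'ip nat inside source route-map natme ...', a permit means the
    flow is translated; a deny means it is left alone by NAT."""
    return acl_decision(acl, src, dst) == "permit"


# Constructed to mirror the reply: the whole /24 towards the /27 is NATed.
ACL_AS_POSTED = [parse_ace(line) for line in [
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.31",
    "access-list 110 deny ip any any",
]]

# Constructed tighter variant: only the one host Mike named is NATed.
ACL_PER_HOST = [parse_ace(line) for line in [
    "access-list 110 permit ip host 192.168.1.10 10.0.1.0 0.0.0.31",
    "access-list 110 deny ip any any",
]]

if __name__ == "__main__":
    flows = [("192.168.1.10", "10.0.1.10"),   # the host Mike asked about
             ("192.168.1.77", "10.0.1.10"),   # another host in the /24
             ("192.168.1.10", "10.0.1.40")]   # outside the /27
    for name, acl in (("as posted", ACL_AS_POSTED), ("per host", ACL_PER_HOST)):
        for src, dst in flows:
            verdict = "NAT" if will_nat(acl, src, dst) else "no NAT"
            print(f"{name:10} {src} -> {dst}: {verdict}")
```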
RE: Advice regarding Cisco/Juniper/HP
they may require a deposit before you load their web site..

-g

-----Original Message-----
From: Seth Mattinen [mailto:se...@rollernet.us]
Sent: Thursday, June 17, 2010 2:07 PM
To: nanog@nanog.org
Subject: Re: Advice regarding Cisco/Juniper/HP

On 6/17/2010 11:01, Sandone, Nick wrote:
> I would also add Brocade/Foundry to the mix as well. We've been deploying
> these switches with great results. Since the IOS is very similar to Cisco's,
> the transition has been quite easy.
>

Do you still have to pay them to read the manual?

~Seth
Re: Advice regarding Cisco/Juniper/HP
Haven't seen these same issues either, but have seen others..

We use HP 8212's here to connect our storage and hpc devices. each 8212 has about 20 or more 10Gbit connections. Everyone is happy with them from an availability and performance perspective. Two things which I noticed,

1. Under heavy load (60% or more of 10Gbit interfaces at +80%) we have seen _all_ interfaces simultaneously drop packets and generate interface errors. this was on an early release of the firmware and I don't think we have seen this problem in awhile.

2. each module only has about 28 Gbits of bandwidth to the backplane. this means if you want non blocking 10Gbit access to the backplane you can only load up an 8212 50% of its physical port capacity with active links.

Very recently they changed licensing, the 8212's used to ship with premium licenses included. this gave you OSPF, PIM, VRRP and QinQ. without a product number change or other clear indication, these no longer are included but must be purchased separately. This was a bit of a let down as we use OSPF internally and it was one of the items that made the 8212's interesting when deciding what we would standardize on for access switches.

We also use 6509e's for our core routers, they used to be the only routers till we deployed OSPF. On the internet edge we use ASRs.

The 'H3C' switches they recently acquired look nice(r).

-g

On Jun 17, 2010, at 12:47 PM, Tom Ammon wrote:

> We've had a much different experience than what Tom is describing here.
> We've used HP extensively in our networks, mostly because of the price
> and warranty. For simple, flat networks, they are a great buy, in my
> opinion. We've never seen the packet loss issues that were described,
> and we push quite a bit of data through the 5412, 2900, and 6600 series
> products.
>
> That said, we've never used them for much outside of basic layer 2
> services. We have a couple of c6500s for our core network, but at the
> edge, we have been very happy with HP. So far, warranty service has been
> flawless, although we have only replaced maybe half a dozen switches out
> of about 70 total that we have installed, over the course of 5 years.
>
> There isn't much as far as advanced features (for example, don't expect
> to get MPLS or BGP), but since we don't use those features at the edge,
> we haven't been hurt by that.
>
> Tom
>
> On 06/17/2010 10:37 AM, Tom wrote:
>> On Thu, 17 Jun 2010, James Smith wrote:
>>
>>> So my questions to the NANOG community are: Would you recommend HP over
>>> Cisco or Juniper?
>>>
>> Pretty much never, unless you're talking about a rebadged Brocade product.
>> Every time I've seen HP networking gear in production, it's usually before
>> it gets replaced with something else. The last install I dealt with was
>> having so many problems it had a constant 10% packet loss on a simple flat
>> network.
>>
>>
>>> How is HP's functionality and performance compared to Cisco or Juniper?
>>>
>> Typically poor, but this varies widely with the series of HP gear.
>> The software updates available also vary widely in quality, and I have
>> rarely gotten a good answer from HP support on anything.
>>
>>
>>> Does anyone have any HP networking experiences they can share, good or
>>> bad?
>>>
>> To end on a positive note, HP does have a good warranty, is typically
>> fairly low cost and provides free software updates.
>>
>> -Tom
>>
>>
>
>
> --
>
> Tom Ammon
> Network Engineer
> Office: 801.587.0976
> Mobile: 801.674.9273
>
> Center for High Performance Computing
> University of Utah
> http://www.chpc.utah.edu
Re: 1slash8 pollution
I can confirm this, our WLC from Cisco came with a default IP setting of 1.1.1.1 for the portal.

-g

On Jun 14, 2010, at 2:48 PM, Jens Link wrote:

> Tom writes:
>
>> DHCPACK from 1.2.1.3
>>
>> Perhaps someone should mention this to the hotel? :)
>
> I've seen DHCPACK from 1.1.1.1 I was told it's the default value of a
> Cisco WLAN Controller. There are more things broken in most hotel
> WLANs.
>
> Jens
> --
> | Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264 |
> | http://blog.quux.de | jabber: jensl...@guug.de | ---              |
Re: Network Naming Conventions
ours is a small network, so it is ok to have fun. 8) we do use CNAMES to provide useful information (and make managers happy).. and name servers after the service they provide, eg ldap1.auth.mgt

here is an example:

  gwhyn...@ops:~$ host rma.mgt
  rma.mgt.oicr.on.ca is an alias for RiserRoom5a.hp8212.rack2.mgt.oicr.on.ca.
  RiserRoom5a.hp8212.rack2.mgt.oicr.on.ca has address 10.3.200.35
  gwhyn...@ops:~$

-g

On Mar 15, 2010, at 10:08 AM, Nathan Ward wrote:

> On 16/03/2010, at 2:10 AM, Adcock, Matt [HISNA] wrote:
>
>> I've used a Jimmy Buffett theme in test labs before.
>
> Naming themes are fine in test labs, because devices have a different
> function/role several times per day, a name acts like an asset tag in that it
> sticks with it through its lifetime.
>
> Same goes for those servers that sit in our networks that I can only really
> think to call "bitch boxes". They do all sorts of random one-off network
> hackery tasks, and never get any love. They're not supposed to scale, they
> were only supposed to be there for one job 5 years ago and they're still
> there.
>
> If I've got guys out there rolling out gear according to cookie cutter
> designs, I don't want them coming up with names and using ex girlfriends or
> TV shows or whatever. They're going to run out of ideas, and I don't want to
> have 50 boxes called "rachel" on the network with no idea what they do. That
> sort of thing works fine when you're the only person putting the names in to
> boxes - like in a lab - but no good if you've grown much.
>
> I'm a contractor/consultant type thing, and getting my customers to use
> naming schemes like the rant that follows helps me understand their network
> if they do things without me, and helps anyone else who comes along too.
>
>
> So, for production network and server gear, I like domain names built with
> city and site codes:
> site.city.domain
>
> Perhaps if I had a bigger network I'd have .country.domain on the end of that
> instead.
>
> Hosts within each site are told to search within their site, then city, then
> domain. Here's how in resolv.conf:
> search site.city.domain, city.domain, domain
>
> This lets me refer to a host called 'access-1' as, access-1, or
> access-1.site, or access-1.site.city depending on where I am. That's handy
> and saves my lazy ass typing lots. It also means we can have standard configs
> for lots of things. For example, we can syslog to "syslog" and it will choose
> either the one in the local site if its size warrants it, or one in the city,
> or a network-wide one. I'm sure you can think of other ways this can be
> useful.
>
> It can be annoying when a box doesn't let you display a full hostname in a
> prompt, or fudge it and set the "hostname" to "hostname.site.city" because
> hostnames shouldn't have periods in them. YMMV, etc. The benefits outweigh
> the negatives for me I think. Things can get a bit hairy when devices
> identify themselves by their hostnames in some other protocols though.
> Ignoring that and using DNS is encouraged, etc.
>
> As for hostnames themselves, I have varying ways of doing that, but I never
> use a naming scheme that won't scale for.. a long time.
> I always use numbers, but never use leading zeros - ie. access-1, not
> access-001. It's not hard to sort numerically, come on now.
> I generally try to use something that describes the device's function.
> "access-[1-9][0-9]*" = access router. "core-[1-9][0-9]*" = core router. "IP"
> is implied unless it's something else, ie. "(eth|atm)-access-[1-9][0-9]*" are
> Ethernet or ATM switches.
>
> For places where I collapse functionality, ie. a small site with collapsed
> core and access boxes, I call them access, because they are less to move and
> hence need renaming when core boxes come in the future to support additional
> access boxes.
>
> Interface addresses in DNS include the interface name and VLAN or some other
> logical circuit details (PVC, etc.), as is common.
>
> Juniper boxes have re0-hostname.domain and re1-hostname.domain, and also
> re-hostname.domain if I've got a moving master IP address configured.
>
> That's about all I can think of to write, I hope it's useful to someone,
> YMMV, etc.
>
> --
> Nathan Ward
Re: Network Naming Conventions
We use confidence inspiring names here for our devices, shakey, broken, jitter, crusty

G

----- Original Message -----
From: Adcock, Matt [HISNA]
To: Ravi Pina ; Randy Bush
Cc: nanog@nanog.org
Sent: Mon Mar 15 09:10:40 2010
Subject: RE: Network Naming Conventions

I've used a Jimmy Buffett theme in test labs before.

Matt Adcock, Manager
334-481-6629 (w) / 334-312-5393 (m) / madc...@hisna.com
700 Hyundai Blvd. / Montgomery, AL 36105

From: Ravi Pina [mailto:r...@cow.org]
Sent: Sat 3/13/2010 3:33 PM
To: Randy Bush
Cc: nanog@nanog.org
Subject: Re: Network Naming Conventions

On Sun, Mar 14, 2010 at 04:58:11AM +0900, Randy Bush wrote:
> > On my last network I named all the routers after simpsons characters.
>
> scaled well?

Don't forget there were 5 Snowballs...
RE: 10GBase-t switch
I will likely never buy or recommend Foundry equipment again. In a previous gig, a HPC environment, they caused us many problems, support was horrible, and their 10Gbit kit was the pits when it was first released (no idea how it is now or what they offer, it's been 5 years since. burnt once, twice shy). We replaced most all our Foundry L2 gear with HP 8212s which met our expectations.

Brocade is the king of license gouging, it is no surprise they want money to view a pdf.

Force10 and Extreme are both having sales this month on 24 port 10Gbit switches, $20k off almost.

-g

From: David Hubbard [dhubb...@dino.hostasaurus.com]
Sent: Thursday, March 11, 2010 1:31 PM
To: nanog@nanog.org
Subject: RE: 10GBase-t switch

From: Malte von dem Hagen [mailto:m...@hosteurope.de]
>
> Hi,
>
> On 11.03.10 16:29 Dylan Ebner wrote:
> > Do the Arista switches support netflow?
>
> nothing about it in the datasheets, and regarding documentation:
>
> "A registered account and a valid support contract is
> required to access the
> Software Download and Documentation section of the website."
>
> Service fail.

+1

After Brocade started doing that with the Foundry docs, which hung me out to dry one night when I needed some docs I didn't have easy access to, I decided I will try to avoid buying from companies that require a support contract to read the manual.

David
Bell canada CIDR
Hello,

We received a /21 from ARIN a year or so ago which we have been using. At the time I noticed Bell was advertising a longer CIDR which included ours. I contacted Bell, they said it would be corrected, multiple times. Who might I contact to have this resolved?

Thanks for your time,
greg

AS11628

  ipcalc 206.108.120.0/21 =>
  Network:   206.108.120.0/21
  HostMin:   206.108.120.1
  HostMax:   206.108.127.254

AS577

  ipcalc 206.108.96.0/19 =>
  Network:   206.108.96.0/19
  HostMin:   206.108.96.1
  HostMax:   206.108.127.254
RE: Power Analysis/Management Tools
I'd think SNMP will be what any product uses to query APC gear, even their own suite uses SNMP to collect information and receive traps. We use cacti to graph our loads on the APC power bars and UPS gear, gives you everything you need on all phases/legs, was there something in particular you were after?

-g

-----Original Message-----
From: Brandon Galbraith [mailto:brandon.galbra...@gmail.com]
Sent: Monday, October 26, 2009 4:59 PM
To: nanog@nanog.org
Subject: Power Analysis/Management Tools

Not to go too off-topic, but if there is a more preferred location for me to ask, please let me know. I'm looking for recommendations on open source packages that people are using for monitoring power utilization of their network/server gear. We're using Cacti currently, pulling the data from APCs via SNMP, and I wanted to check if someone had come across a better method before I reinvented the wheel.
RE: Beware: a very bad precedent set
that is so sad, makes me very angry reading this.

-g

From: na...@wbsconnect.com [na...@wbsconnect.com]
Sent: Monday, August 31, 2009 5:35 PM
To: nanog@nanog.org
Subject: Beware: a very bad precedent set

http://finance.yahoo.com/news/Louis-Vuitton-Awarded-324-bw-3561952192.html?x=0&.v=1

NEW YORK--(BUSINESS WIRE)--Louis Vuitton Malletier, S.A. ("Louis Vuitton") part of LVMH, the world's leading luxury group, today announced that it has won the lawsuit it filed in 2007 against the California based Internet hosting business of Akanoc Solutions, Inc., Managed Solutions Group, Inc., and Steven Chen (the "Akanoc Defendants") in the United States District Court, Northern District of California (San Jose). On August 28th, the jury found the Akanoc Defendants liable for contributory trademark and copyright infringement, and awarded statutory damages in the amount of $32,400,000.00. The court is expected shortly to issue a permanent injunction banning the Akanoc Defendants from hosting websites that sell counterfeit or infringing Louis Vuitton goods.

Any and all nefarious activity alleged in this lawsuit was conducted by a customer, of a customer, of a customer yet the hosting provider was found liable, not the actual criminal manufacturing and selling the fakes. We had all better watch our backs since it seems that claims of not being able to inspect tens of millions of packets per second is no longer a viable excuse.