Re: Cheap Juniper Gear for Lab
On Tue, Apr 10, 2012 at 11:57:31AM -0700, Owen DeLong wrote:
> > The fact that you can't put it into flow mode.
> s/flow/packet/
> (oops, wasn't awake yet)

Actually, this is possible:

prox@asgard> show configuration security
forwarding-options {
    family {
        inet6 {
            mode packet-based;
        }
        mpls {
            mode packet-based;
        }
    }
}

The above is from an SRX210B, but the same configuration will work on any J-series or /branch/ SRX-series platform. Don't let the "mpls" keyword throw you off. This actually causes the box to run the inet /and/ mpls address families in packet mode.

- Mark

--
Mark Kamichoff
p...@prolixium.com
http://www.prolixium.com/
Re: IPv6 resolvers
On Wed, Jan 04, 2012 at 09:39:39PM +0100, Seth Mos wrote:
> And a similar mistake I see others respond to as well, this is
> another domain with just an IPv4 record. That was not really what I was
> complaining about but I was not specific enough in my email
>
> When requesting the DNS for the hostname with a Quad A the story is
> entirely different!
>
> Try www.pfsense.com or www.didi.nl

Still not seeing additional latency from here:

(neodymium:15:44)% dig @2001:470:20::2 www.didi.nl.

; <<>> DiG 9.7.3 <<>> @2001:470:20::2 www.didi.nl.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33979
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.didi.nl. IN

;; ANSWER SECTION:
www.didi.nl.3520IN 2001:888:2087:33::132

;; Query time: 20 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 15:44:06 2012
;; MSG SIZE rcvd: 57

And if that is already cached, let's try something that should require a fresh lookup:

(neodymium:15:44)% dig @2001:470:20::2 tengigabitethernet.com.

; <<>> DiG 9.7.3 <<>> @2001:470:20::2 tengigabitethernet.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41662
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;tengigabitethernet.com.IN

;; ANSWER SECTION:
tengigabitethernet.com. 3600IN 2001:48c8:1:104::e

;; Query time: 84 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 15:44:41 2012
;; MSG SIZE rcvd: 68

Again, not too bad..

- Mark

--
Mark Kamichoff
p...@prolixium.com
http://www.prolixium.com/
Re: IPv6 resolvers
On Wed, Jan 04, 2012 at 09:00:26PM +0100, Seth Mos wrote:
> I was wondering if many people are seeing horrendous latency on the
> free Hurricane Electric resolvers?

Looks fine to me:

(neodymium:15:27)% dig @74.82.42.42 cnn.com. A

; <<>> DiG 9.7.3 <<>> @74.82.42.42 cnn.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53277
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnn.com. IN A

;; ANSWER SECTION:
cnn.com.299 IN A 157.166.226.26
cnn.com.299 IN A 157.166.255.19
cnn.com.299 IN A 157.166.255.18
cnn.com.299 IN A 157.166.226.25

;; Query time: 38 msec
;; SERVER: 74.82.42.42#53(74.82.42.42)
;; WHEN: Wed Jan 4 15:27:17 2012
;; MSG SIZE rcvd: 89

(neodymium:15:32)% dig @2001:470:20::2 cnn.com. A

; <<>> DiG 9.7.3 <<>> @2001:470:20::2 cnn.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41382
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnn.com. IN A

;; ANSWER SECTION:
cnn.com.295 IN A 157.166.226.25
cnn.com.295 IN A 157.166.255.18
cnn.com.295 IN A 157.166.255.19
cnn.com.295 IN A 157.166.226.26

;; Query time: 20 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 15:32:27 2012
;; MSG SIZE rcvd: 89

That being said, keep in mind these are anycasted. I'm using 216.66.22.2 [tserv13.ash1.ipv6.he.net] for IPv4 and 209.51.161.14 [tserv4.nyc4.ipv6.he.net] according to the A record returned by whoami.akamai.net. I might not be hitting the same server you are.

- Mark

--
Mark Kamichoff
p...@prolixium.com
http://www.prolixium.com/
Re: Route server: Route-server.ip.att.net
On Fri, Nov 04, 2011 at 03:39:43PM -0500, Michael Sabino wrote:
> Could you give me the relevant configs explaining why when I
> traceroute to 12.83.43.9 on route-server.ip.att.net, the first hop is
> " j6300.cbbtier3.att.net (12.0.1.202)". However, when I type "show ip
> route 12.83.43.9", the RIB shows, "* 12.122.83.91, from 12.122.83.91,
> 7w0d ago".

A couple things here:

12.122.83.91 is the BGP next-hop in the RIB. It needs to be resolved. In this case it's being resolved via a /13 static route:

route-server>sho ip route 12.122.83.91
Routing entry for 12.120.0.0/13
  Known via "static", distance 1, metric 0
  Redistributing via bgp 65000
  Advertised by bgp 65000
  Routing Descriptor Blocks:
  * 12.0.1.1, via GigabitEthernet0/1
      Route metric is 0, traffic share count is 1

In real life it'd probably be resolved via an IGP such as OSPF or IS-IS, but this is a route server, not a transit router.

So, the real next-hop is 12.0.1.1. You can also verify this with the following, since it's a Cisco box:

route-server>show ip cef 12.83.43.9
12.0.0.0/9
  nexthop 12.0.1.1 GigabitEthernet0/1

However, you don't see 12.0.1.1 in the traceroute because it looks to be the VRRP address of the Juniper J6300 upstream router (just judging by the hostname):

route-server>sho arp 12.0.1.1
Protocol  Address   Age (min)  Hardware Addr  Type  Interface
Internet  12.0.1.1  81         .5e00.0101     ARPA  GigabitEthernet0/1

The MAC address is a giveaway that it's VRRP, since 00-00-5E-00-01 is reserved by IANA for VRRP (IPv4 only):

http://tools.ietf.org/html/rfc5798#section-7.3

The Juniper router will send back ICMP TTL-exceeded messages from the real IP on its interface, which appears to be 12.0.1.202.

Hope this helps.

- Mark

--
Mark Kamichoff
p...@prolixium.com
http://www.prolixium.com/
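
The VRRP MAC check from the message above, as an added example that is not part of the original post: it scans IOS-style `show arp` text for virtual-router MACs and extracts the VRID from the last octet. It goes slightly beyond the message by also recognising the IPv6 prefix 00-00-5E-00-02 from the same RFC 5798 section; the function names and the sample table (documentation addresses) are constructed for illustration.

```python
import re

# Virtual-router MAC prefixes from RFC 5798 section 7.3; the last octet is the VRID.
VRRP_PREFIXES = {
    "00005e0001": "VRRP (IPv4)",
    "00005e0002": "VRRP (IPv6)",
}

def normalize_mac(text):
    """Return 12 lowercase hex digits for dotted, colon or hyphen MACs, else None."""
    digits = re.sub(r"[.:\-]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def classify_mac(text):
    """Return (protocol, vrid) if the MAC is a VRRP virtual MAC, else None."""
    mac = normalize_mac(text)
    if mac is None:
        return None  # truncated or malformed address: do not guess
    proto = VRRP_PREFIXES.get(mac[:10])
    return (proto, int(mac[10:], 16)) if proto else None

def vrrp_entries(arp_output):
    """Scan IOS-style 'show arp' text; return [(ip, mac, protocol, vrid)]."""
    hits = []
    for line in arp_output.splitlines():
        fields = line.split()
        # Data rows: Internet <address> <age> <hardware addr> <type> <interface>
        if len(fields) < 6 or fields[0] != "Internet":
            continue
        result = classify_mac(fields[3])
        if result:
            hits.append((fields[1], fields[3], *result))
    return hits

# Constructed sample (documentation addresses), not output from the route server.
SAMPLE = """\
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  192.0.2.1           81  0000.5e00.0101  ARPA  GigabitEthernet0/1
Internet  192.0.2.202         12  0019.e2ab.4c10  ARPA  GigabitEthernet0/1
Internet  192.0.2.10           -  0012.7f3a.9d00  ARPA  GigabitEthernet0/1
Internet  192.0.2.254          3  0000.5e00.01c8  ARPA  GigabitEthernet0/1
"""

if __name__ == "__main__":
    for ip, mac, proto, vrid in vrrp_entries(SAMPLE):
        print(f"{ip} {mac}: {proto} virtual MAC, VRID {vrid}")
```

A MAC that does not contain all 12 hex digits, such as a truncated one, is treated as unclassifiable rather than matched on a partial prefix.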