RE: Routing issues to AWS environment.
Job,

We have had a lot of dialog with the excellent people at the NTT NOC this week, easily over a couple of hours in total. We were told to talk to AWS directly and to have our customers talk to AWS. Basically, an "it's not us" response. So we reached out to our buddies in NANOG. We have no way to get AWS to communicate with us; we don't directly peer with them like many other cloud providers out of the Equinix IX.

We have a workaround in that we broke up some of our Ashburn /21 advertisements into /23 and /24 advertisements for the ones that included our customer IP assignments. The result, pushing a more specific route out our Ashburn peers versus our out-of-area peers such as in Chicago, is helping. That has helped resolve our direct customer issues, but leads us to believe that where we have BGP peering in other regions outside of Ashburn, VA, AWS isn't honoring our AS prepending.

The original issue is that our local customers in the DC region get routed from our AS over NTT into AWS in Ashburn for AWS-East region environments, but AWS is sending the return traffic over to Chicago to one of our other upstream peers. For a few select customers this is breaking their applications completely, either not being able to connect at all or with performance so severely disrupted that the applications slow to a crawl. Yet we can push iperf traffic to our own AWS instances with zero packet loss or perceivable issue other than the asymmetrical routing, which is adding around 30ms to the return latency versus the typical 2ms to 3ms latency. We do have Layer 2 between our POPs.

Is ignoring AS prepending common? Given my example issue, what direction would you normally take?

Sincerely,
Nick Ellermann

-Original Message-
From: NANOG On Behalf Of Job Snijders
Sent: Thursday, May 9, 2019 10:24
To: Chuck Church
Cc: nanog@nanog.org
Subject: Re: Routing issues to AWS environment.

Hi Chuck,

On Thu, May 09, 2019 at 06:34:21AM -0400, Chuck Church wrote:
> Are you sure the problem isn't NTT? My buddy's WISP peers with Spirit
> and had a boatload of problems with random packet loss affecting
> initially just SIP and RTP (both UDP). Spirit was blaming NTT.
> Problems went away when Spirit stopped peering with NTT yesterday.
> Path is through Telia now to their main SIP trunk provider.

I don't know the specifics of what you reference, but in a large geographically dispersed network like NTT's backbone, I can assure you there will always be something down somewhere. Issues can take on many forms: sometimes it is a customer-specific issue related to a single interface, sometimes something larger is going on. It is quite rare that the whole network is on fire, so in the general case it is good to investigate and consider each and every report about potential issues separately.

The excellent people at the NTT NOC are always available at n...@ntt.net or the phone numbers listed in PeeringDB.

Kind regards,

Job
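An added example (not from the thread) modelling why the /21 de-aggregation described above works when prepending does not: a receiving network evaluates LOCAL_PREF before AS_PATH length, so peer-side policy can make a prepend look ignored, while a more-specific prefix wins at longest-prefix match before either attribute is consulted. All ASNs, prefixes and neighbour addresses are constructed placeholders from documentation ranges.

```python
"""Added example, not from the thread: why de-aggregating into a more-specific
prefix steers return traffic when AS-path prepending alone does not.

It models a small subset of the BGP decision process as a remote network
(the cloud provider in the thread) would run it:
  1. longest-prefix match picks the candidate prefix;
  2. among those candidates, highest LOCAL_PREF wins;
  3. then the shortest AS_PATH;
  4. then the lowest neighbour address as a deterministic tie-break.
All ASNs (64496-64498), prefixes and neighbour addresses are constructed
for the illustration (documentation ranges), not the thread's real values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple          # leftmost = neighbour AS, rightmost = origin AS
    learned_at: str         # the remote network's exit PoP for this route
    neighbor: str           # eBGP neighbour address (tie-break only)
    local_pref: int = 100


def best_route(candidates):
    """Steps 2-4: LOCAL_PREF, then AS_PATH length, then lowest neighbour."""
    return max(
        candidates,
        key=lambda r: (r.local_pref,
                       -len(r.as_path),
                       -int(ipaddress.IPv4Address(r.neighbor))),
    )


def lookup(rib, dst):
    """Step 1 (longest prefix), then best_route among equal-length matches."""
    addr = ipaddress.IPv4Address(dst)
    matching = [r for r in rib if addr in r.prefix]
    if not matching:
        return None
    longest = max(r.prefix.prefixlen for r in matching)
    return best_route([r for r in matching if r.prefix.prefixlen == longest])


OUR_AS, ASHBURN_TRANSIT, CHICAGO_TRANSIT = 64496, 64497, 64498
AGGREGATE = ipaddress.ip_network("10.10.0.0/21")      # constructed /21
CUSTOMER_NET = ipaddress.ip_network("10.10.3.0/24")   # constructed customer /24
CUSTOMER_IP = "10.10.3.25"                            # constructed customer host


def prepend_only_rib(chicago_local_pref=100):
    """The /21 as the remote network sees it: plain via Ashburn, prepended 3x via Chicago."""
    return [
        Route(AGGREGATE, (ASHBURN_TRANSIT, OUR_AS), "Ashburn", "192.0.2.1"),
        Route(AGGREGATE, (CHICAGO_TRANSIT, OUR_AS, OUR_AS, OUR_AS), "Chicago",
              "192.0.2.2", local_pref=chicago_local_pref),
    ]


def more_specific_rib(chicago_local_pref=100):
    """Same, plus the customer /24 announced only towards the Ashburn peer."""
    return prepend_only_rib(chicago_local_pref) + [
        Route(CUSTOMER_NET, (ASHBURN_TRANSIT, OUR_AS), "Ashburn", "192.0.2.1"),
    ]


def return_path_exit(rib, dst):
    """Which PoP the remote network would hand return traffic for dst to."""
    route = lookup(rib, dst)
    return route.learned_at if route else None


if __name__ == "__main__":
    # Equal LOCAL_PREF: the prepend is honoured and traffic returns via Ashburn.
    print(return_path_exit(prepend_only_rib(), CUSTOMER_IP))       # Ashburn
    # A higher LOCAL_PREF on the Chicago session (a common peer-side policy)
    # is evaluated before AS_PATH length, so the prepend appears "ignored".
    print(return_path_exit(prepend_only_rib(120), CUSTOMER_IP))    # Chicago
    # The /24 wins on prefix length before LOCAL_PREF is even considered...
    print(return_path_exit(more_specific_rib(120), CUSTOMER_IP))   # Ashburn
    # ...but hosts elsewhere in the /21 still return via Chicago.
    print(return_path_exit(more_specific_rib(120), "10.10.5.9"))   # Chicago
```

The more-specific approach has a cost worth weighing: every extra /24 is another entry in everyone's global table, and many networks filter anything longer than a /24, so the remaining /21 traffic still follows the peer's policy.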
routing issues between NTT/ATT/Level3?
Starting on 9/23, and really bad over the weekend, we have had issues with endpoints out on AT&T's US network, specifically in the Texas and Michigan areas. When our endpoints with AT&T drop, we end up losing monitored endpoints on Level3's network as well. Really bad periods of packet loss. Both of which for us are utilizing NTT as our upstream out of Ashburn. We have opened a ticket with NTT. Anyone else seeing similar issues?

Since about noon today, 9/26, it's gotten a little better, but still periods of packet loss and dropped customer VPN tunnels. Probably not bothering the average web surfer but killing our customers' VoIP and VPN traffic. It's really hard to diagnose and fix other vendors' networks!

Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
E: nellerm...@broadaspect.com
P: 703-297-4639
F: 703-996-4443

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Lightower (ASN:46887) RTBH community info
I would love to know which ISPs support RTBH. We have struggled to get anyone to support communities. If their website says they do, their NOC sure doesn't know it or agree... I don't want to list names here, but truly we would love RTBH capabilities with our upstreams.

Sincerely,
Nick Ellermann – CTO & VP Cloud Services
BroadAspect

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matthew Crocker
Sent: Thursday, September 22, 2016 1:33 PM
To: NANOG
Subject: Lightower (ASN:46887) RTBH community info

Hello,

Does anyone know the RTBH community for Lightower? I've tried 46887:666 but that doesn't work. I have a /32 I need to blackhole. Lightower is the last ISP and it doesn't appear they support RTBH ☹

Thanks
-Matt

--
Matthew Crocker
President – Crocker Communications
matt...@corp.crocker.com
RE: Question on peering strategies
Reza,

You may be overthinking this one a bit. The economics are something to consider; however, all public exchanges have different economics. With Equinix you pay pretty much a flat rate for a single 1Gbps/10Gbps link that includes the cost of the facility cross-connect and public exchange access. It is a nice one-to-many connection to all those various network and content networks your end users would appreciate direct connectivity to. Depending on the public exchange, you either have a single BGP session or a BGP session per network you are peering with. Really, after that, it's just BGP routing and route management.

You do need to be careful about not being too overly dependent on a single public switch link; in some cases, like at Equinix, you may want multiple connections to redundant public exchange switches at that site. There is a balance you want to seek between the number of paid upstream network transit providers you are connected to and how many direct peering arrangements you have set up. It's not usually practical for a smaller network to have loads of BGP peers. There are lots of good articles online about this fine balance and some good advice from experienced network operators.

To your later questions: for your simple example, if AS-a and AS-b were both already on the public IX, and the link wasn't too overly critical, then using the public IX switch may be a good first step. However, as that relationship matures, in a real-world example they most likely may look to split the cost of the private cross-connect, if it was mutually beneficial. There is much more to public peering and transit than the technical conversation. Most of the larger networks on the public switches won't peer privately with anyone, or only with extremely large networks. To get a provider such as this to peer both privately and on the public exchange is not a technical issue; it's more of a business overhead and management issue.

If you have a couple of quality upstream transit providers, they will be excellent failovers for a public switch outage. Plan for the public switch to have as many problems as any upstream provider.

Sincerely,
Nick Ellermann – CTO & VP Cloud Services
BroadAspect

-Original Message-
From: NANOG [mailto:nanog-bounces+nellermann=broadaspect@nanog.org] On Behalf Of Reza Motamedi
Sent: Monday, May 16, 2016 1:46 PM
To: nanog@nanog.org
Subject: Question on peering strategies

Dear Nanogers,

I have a question about common/best network interconnection practices. Assume that two networks (let's refer to them as AS-a and AS-b) are present in a colocation facility, say Equinix LA. As many of you know, Equinix runs an IXP in LA as well. So AS-a and AS-b can interconnect 1) using a private cross-connect or 2) through the public IXP's switching fabric. Is it a common/good practice for the two networks to establish connections both through the IXP and also using a private cross-connect? I was thinking that, considering the cost of cross-connects (my understanding is that the colocation provider charges the customers for each cross-connect in addition to the rent of the rack or cage or whatever), it would not be economically reasonable to have both. Although, if the cross-connect is the primary method of interconnection and the IXP provides a route server, the public peering over the IXP would essentially be free. So it might make sense to assume that for the private cross-connect there exists a back-up connection through the IXP. Anyway, I guess some discussion may give more insight about which one is more reasonable to assume and do.

Now my last question is: if the two connections exist (one private cross-connect and another back-up through the IXP), what are the chances that periodically launched traceroutes that pass the inter-AS connection in that colo see both types of connection in a week? I guess what I'm asking is how often back-up routes are taken. Can the networks do load balancing on the two connections and essentially use them as primary routes?

Best Regards
Reza Motamedi (R.M)
Graduate Research Fellow
Oregon Network Research Group
Computer and Information Science
University of Oregon
RE: sub $500-750 CPE firewall for voip-centric application
You're exactly right, Mel. Dell has really turned the SonicWall platform around in the past few years. We dropped it a year or two before Dell took them over. Back then SonicWall was full of issues and lacked important features that our enterprise customers required. If you have budget, Palo Alto is something to look at as well, but don't overlook SonicWall and FortiGate.

Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect

-Original Message-
From: Mel Beckman [mailto:m...@beckman.org]
Sent: Thursday, May 05, 2016 2:49 PM
To: Nick Ellermann
Cc: Ken Chase; nanog@nanog.org
Subject: Re: sub $500-750 CPE firewall for voip-centric application

I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto firewalls. The best SMB devices are definitely SonicWall and Fortigate. SonicWalls are easier to configure, but have fewer features. Fortigate has many knobs and dials and a very powerful virtual router facility that can do amazing things. The two vendors have equivalent support in my opinion, although Fortigate tends to be more personal (Dell is big and you get random techs).

Cisco ASA is overpriced and under-featured. Cisco-only shops like them, but mostly I think because they're Cisco-only.

PaloAlto is expensive for what you get. Functionally they are on the same level as Fortigate, with a slightly more elegant GUI. But Fortigate can be configured via a USB cable, which is a huge advantage in the field. Legacy RS-232 serial ports are error-prone and slow.

-mel
RE: sub $500-750 CPE firewall for voip-centric application
We have a lot of luck for smaller VoIP customers having all of their services run through a FortiGate 60D, or higher models. The 60D is our go-to solution for small enterprise. However, if we are the network carrier for a particular customer and they have a VoIP deployment of more than about 15 phones, then we deploy a dedicated voice edge gateway, which is more about voice support and handset management than anything. You do need to disable a couple of things on the FortiGate such as the SIP Session Helper and ALG. We never have voice termination, origination or call quality issues because of the firewall.

FortiGate has a lot of advanced features as well as fine-tuning and adjustment capabilities for the network engineering type and is still easy enough for our entry-level techs to support. Most of our customers have heavy VPN requirements and FortiGates have great IPsec performance. We leverage a lot of the network security features and have built a successful managed firewall service with good monitoring and analytics using a third-party monitoring platform and Fortinet's FortiAnalyzer platform.

Worth looking at, if you haven't already. If you want to private message me, happy to give more info.

Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
Sent: Thursday, May 05, 2016 1:54 PM
To: nanog@nanog.org
Subject: sub $500-750 CPE firewall for voip-centric application

Looking around at different SMB firewalls to standardize on so we can start training up our level 2/3 techs instead of dealing with a mess of different vendors at cust premises.

I've run into a few firewalls that were not SIP- or H.323-friendly, however, wondering what your experiences are. Need something cheap enough (certainly <$1k, <$500-750 better) that we are comfortable telling endpoints to toss current gear/buy additional gear.

Basic firewalling of course is covered, but also need port range forwarding (not available until later ASA versions, for e.g., was an issue), QoS (port/flow based as well as possibly actually talking some real QoS protocols) and VPN capabilities (not sure if many do without #seats licensing schemes which get irritating to clients).

We'd like a bit of diagnostic capability (say tcpdump or the like, via shell preferred) - I realize a PFsense unit would be great, but might not have enough brand name recognition to make the master client happy plopping down as a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x is a bit $$ and licensing acrobatics get irritating for end customers.)

/kc
--
Ken Chase - Guelph Canada
RE: Peering Exchange
Colton,

Sorry, hit send before I was done! You mentioned an enterprise; if that was the case, you may want to look at Equinix's Cloud Exchange. The Equinix IX is really meant for like-minded network operators and content providers to exchange routes on an exchange so that we don't require multiple dedicated cross-connects to each network at Equinix, which can be cost prohibitive in some cases. Each network operator has different peering criteria, and it's not likely that, for example, a Google or Facebook is going to peer with you on the Equinix IX if that was your end goal. The Cloud Exchange is meant for those Equinix customers wanting to connect to one or more cloud service providers. The larger cloud providers now also have 'Direct Connect' services at Equinix as well, as another option.

Sincerely,
Nick Ellermann – CTO & VP Cloud Services
BroadAspect

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Colton Conor
Sent: Monday, January 25, 2016 10:22 PM
To: NANOG
Subject: Peering Exchange

If a service provider or enterprise orders colocation at an Equinix Global Internet Exchange Point, and orders a port on the exchange from Equinix, then what happens? How does a provider actually peer with the peers on the exchange? Let's assume the SP or enterprise already has an ASN, transit from multiple providers, and a BGP router that can accept and hold full routes. You can see the members of the exchange on peeringdb.com. Many of the members say their policy is Open with little to no traffic requirements.

So does just ordering a port to the exchange automatically connect you with all of these open providers, or do you have to contact each one individually?
RE: Peering Exchange
Colton,

We are a member on the Equinix IX. It may be best for you to speak to an Equinix SE on the topic, but there are two main connection methods. In layman's terms, you can be a member on the switch and then build peering relationships with any other network that will have you. Meaning, you reach out to them or they reach out to you via their contacts in PeeringDB and set up a typical BGP session, but usually only exchanging private routes. Therefore you are not providing transit to the other. The other option Equinix offers is their MLPE (Multi-Lateral Peering Exchange). Essentially, from what we understand, you peer once to Equinix's router and all other participants, and you are able to exchange traffic. It's not all or none; you can use filtering to exclude specific ASNs. We are not a member of this service today.

Sincerely,
Nick Ellermann – CTO & VP Cloud Services
BroadAspect
Comcast operator?
Is there a Comcast network ops person who could reach me off list? I have a routing question that makes zero sense to us, while trying to resolve a customer's issue at their office in Leesburg, VA, where Comcast is their upstream network service. It's a simple question, looking for a simple response, but I know the rabbit hole I would go down if I asked Comcast technical support, since none of them really know anything about networking and just read a script. Thanks!

Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
RE: Programmable SFP+ Transceivers
We have purchased a lot through the Solid-Optics US team. Very happy with their pricing, reliability and support. We have their multi-fiber tool and have reprogrammed optics as needed to go between MFG equipment. I can only recommend that you give them a try.

Sincerely,
Nick Ellermann – CTO & VP Cloud Services
BroadAspect

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Colton Conor
Sent: Monday, January 18, 2016 2:02 PM
To: NANOG
Subject: Programmable SFP+ Transceivers

What options are out there for re-programmable SFP and SFP+ transceivers? So far I have found both https://www.flexoptix.net/en/flexbox-v3-transceiver-programmer.html and http://solid-optics.com/tools/multi-fiber-tool/so-multi-fiber-tool-id1768.html

Is there anything else out there? Any opinions on these two companies? I believe they both require you to use their SFPs in order to program them, but I could be wrong.
RE: ISP marking ipsec traffic based on certificate, how is this possible?
Are you sure your VPN tunnel wasn't 'stuck' flowing through a less than optimal or saturated ISP upstream transit peer? Sometimes just restarting your VPN may force the traffic through a different path in your ISP's network and clear up an issue. We manage many customer IPsec tunnels and hit similar situations where a restart works the best, especially when the issue is not under your control.

Sincerely,
Nick Ellermann – CTO & VP Cloud Services
BroadAspect

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mark Zimmer
Sent: Thursday, December 17, 2015 4:29 AM
To: nanog@nanog.org
Subject: ISP marking ipsec traffic based on certificate, how is this possible?

Hello list,

I have a site-to-site IPsec VPN with strongSwan. It was working well for 5-6 months; then a day ago I noticed something strange: from Site-A to Site-B (tunnel mode) only the upload bandwidth is capped down to 20-30kbit/s inside the VPN. I have tried various apps like ftp and scp on different ports; it was the same result. I also ran speedtest/wget on both endpoints just to make sure that not the entire connection of those networks is capped.

Since outside parties cannot see anything of what's going on inside the tunnel, first I was thinking that they started limiting the traffic based on port (4500 udp) or based on protocol (ESP); that is easy to do. In older versions of strongSwan it's not possible to change the charon NAT port (probably wouldn't work anyway since most of the traffic should be ESP (protocol 50)). I have restarted the strongSwan daemon on both endpoints multiple times; it did not change the situation (the bandwidth limiting was still present).

So my last idea was to make new VPN certificates. To my great surprise, with the new certificates the capping was gone and the bandwidth went back to normal. I hope I don't have to put the old certs back from backup just to make a point. One of the ISPs must have started tagging the IPsec traffic based on the certificate and then doing traffic shaping (QoS) on it to throttle down the bandwidth. How is this even possible? I was thinking that an IPsec connection is encrypted and random from the beginning. How can they define a pattern on their whatever device to be able to mark this specific traffic? Is there a part at the beginning of the connection sequence which is always the same when using the same certificate? Do I have to worry here that my VPN keys got compromised? Anybody ever experienced this?

Thanks!
IPv4 subnets for lease?
We have customers asking to lease IP space for BGP transit with us and other peers. But they are struggling to get even a Class C at a minimum, even though they have their own ASN. We don't have large amounts of free IPv4 space to lease out to a single customer in most cases anymore. Hope to at least introduce these customers to some contacts that may be able to help. Do we know of any reputable sources that are leasing or selling IPv4 subnets as small as a /24 to satisfy their diversity needs? Thanks!

Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
RE: Nat
What features and scale do you need? I assume that with NAT you are performing some level of firewall security and serving applications?

Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect

-Original Message-
From: NANOG [mailto:nanog-bounces+nellermann=broadaspect@nanog.org] On Behalf Of Ahmed Munaf
Sent: Tuesday, December 15, 2015 1:09 PM
To: nanog@nanog.org
Subject: Nat

Dear All,

We are using Cisco for NATting; we'd like to change it to another brand like A10 or Citrix. Please, any advice regarding the three brands and what are the advantages and disadvantages of each one?

Regards,
Anyone having issues with Equinix IX out of Ashburn?
At about 4:15 am Eastern we lost our BGP peers on the Ashburn IX at Equinix. Equinix is not responding to our support requests; either they are overloaded with support requests or all on holiday. Curious if others know whether there are known issues at this site or if it is just us.

Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
RE: Veeam Cloud Connect?
Yes. We have the Veeam Cloud Connect platform deployed in multiple data centers for our customers. It's only useful for offsite backup copies at the moment, but with version 9 there will be VM replication options added to the platform. Veeam has been a great software partner of ours for several years and we enjoy the service provider program. Message me offline if you would like to know more.

Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect

-Original Message-
From: NANOG [mailto:nanog-bounces+nellermann=broadaspect@nanog.org] On Behalf Of Ryan Finnesey
Sent: Tuesday, November 17, 2015 11:57 PM
To: NANOG
Subject: Veeam Cloud Connect?

I was wondering if anyone has deployed Veeam Cloud Connect. How has Veeam been to work with?

Sent from my Windows Phone
RE: EyeBall View
Dovid,

What features are you thinking would be useful? Latency, QoS, tracert, AS hops, etc.? Many networks have the Ookla speedtest server hung off a link from their website, or even some flavor of a Looking Glass site. Having yet another platform may be difficult for the ISP to participate in; even then it would be placed at or near the core of their network and not out with the end users. Maybe with some incentive you could get end users (aka the eyeballs) to plug in something small like a Raspberry Pi device or run a software app on their computers. But if the end users on the various networks won't get anything from it, you are going to be struggling to have enough take rate to have good statistics. You may find that the only ones interested are a small set of network operators.

Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Dovid Bender
Sent: Sunday, October 25, 2015 3:50 PM
To: nanog
Subject: EyeBall View

All,

I had an idea to create a product where we would have a host on every eyeball network. Customers could then connect to these hosts and check connectivity back to their network. For instance, you may want to see what the speed is like from CableVision in central NJ to your network in South Florida, or the latency, etc. Before I go large scale, I wanted to know how much demand there was for such a service.

Regards,

Dovid
RE: SNMP - monitoring large number of devices
Pavel, It's all going to be how you deploy a selected polling system. Most server operating systems are going to struggle with that many transactions in a short period of time no matter the awesomeness of the polling engine. Look for a distributed polling solution. If you can spread the connection load out a bit it may be less of an issue. The worst issue will be populating your solution with that many devices and sensors to go check, so look for an API or import tool! What do you think the network latency is between your polling location or locations and all of the cable modems? Do they respond pretty well to SNMP queries? We use PRTG and it's very efficient with SNMP. One of the most efficient SNMP polling engines I have used. My quick math and experience tells me that with a PRTG core server and two or three remote PRTG probes (hardware based) you should be able to hit 6,000 SNMP polls a minute from each probe. PRTG will automatically attempt a multi get. Go with three probes to be safe and I think you could hit over 50,000 with buffer room. Easy platform, inexpensive compared to other licensed NMS systems. Free trial with unlimited sensors on their website. But their software engineering staff will state that this project would be stretching the design of the system and its focus. Would love to hear what you figure out works best!

Sincerely,
Nick Ellermann – CTO & VP Cloud Services
BroadAspect
E: nellerm...@broadaspect.com
P: 703-297-4639
F: 703-996-4443

-----Original Message-----
From: NANOG On Behalf Of Pavel Dimow
Sent: Tuesday, September 29, 2015 4:20 PM
To: NANOG
Subject: SNMP - monitoring large number of devices

Hi all, recently I have been tasked with a NMS project.
The idea is to poll about 20 OIDs from 50k cable modems in less than 5 minutes (yes, I know it's a one million OIDs). Before you say check out some very professional and expensive solutions I would like to know are there any alternatives like open source "snmp framework"? To be more descriptive many of you know how big the mess with SNMP on cable modems is. You always first perform an snmp walk in order to discover interfaces and then read the values for those interfaces. As a cable modem can bundle more DS channels, one time you can have one and another time you can have N+1 DS channels = interfaces. All in all I don't believe that there is something perfect out there when it comes to tracking a huge number of cable modems so I would like to know is there any "snmp framework" that can be extended and how did you (or would you) solve this problem. Thank you.
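The two-phase collection pattern Pavel describes (walk the interface table first because the number of bonded DS channels varies per modem, then read the per-interface counters) and the batching/distribution Nick recommends, as an added example that is not code from either post or from PRTG. The `FakeAgent` class is a constructed in-memory stand-in for a modem's SNMP agent so the script runs offline; a real collector would put an SNMP library transport behind the same `walk()`/`get()` calls. The IF-MIB OIDs are standard; the modem fleet and counter values are constructed.

```python
"""Two-phase SNMP collection: walk ifIndex to discover interfaces, then batch
the per-interface OIDs into multi-OID GET requests, polled concurrently."""
from concurrent.futures import ThreadPoolExecutor

IF_INDEX_PREFIX = "1.3.6.1.2.1.2.2.1.1"    # IF-MIB ifIndex column
IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"      # IF-MIB ifInOctets column
IF_OUT_OCTETS = "1.3.6.1.2.1.2.2.1.16"     # IF-MIB ifOutOctets column
MAX_OIDS_PER_GET = 20   # keep each PDU comfortably inside one UDP datagram


class FakeAgent:
    """Constructed stand-in for one cable modem's SNMP agent (no network I/O)."""

    def __init__(self, name, if_indexes):
        self.name = name
        self.table = {}
        for i in if_indexes:
            self.table[f"{IF_INDEX_PREFIX}.{i}"] = i
            self.table[f"{IF_IN_OCTETS}.{i}"] = 1000 * i   # constructed counters
            self.table[f"{IF_OUT_OCTETS}.{i}"] = 2000 * i

    def walk(self, prefix):
        """Return (oid, value) pairs under prefix, like a GETNEXT/GETBULK walk."""
        return [(o, v) for o, v in sorted(self.table.items())
                if o.startswith(prefix + ".")]

    def get(self, oids):
        """Answer a multi-OID GET; None stands for noSuchInstance."""
        return {o: self.table.get(o) for o in oids}


def chunked(seq, size):
    """Split a list into consecutive batches of at most `size` items."""
    for i in range(0, len(seq), size):
        yield seq[i:i + size]


def poll_modem(agent):
    """Phase 1: discover interfaces. Phase 2: batched GETs of the counters.
    Returns a summary including how many requests the modem cost us."""
    if_indexes = [v for _, v in agent.walk(IF_INDEX_PREFIX)]
    wanted = []
    for i in if_indexes:
        wanted.append(f"{IF_IN_OCTETS}.{i}")
        wanted.append(f"{IF_OUT_OCTETS}.{i}")
    values = {}
    requests = 1                      # the discovery walk itself
    for batch in chunked(wanted, MAX_OIDS_PER_GET):
        values.update(agent.get(batch))
        requests += 1
    return {"modem": agent.name, "interfaces": len(if_indexes),
            "requests": requests, "values": values}


def poll_all(agents, workers=8):
    """Poll a shard of modems concurrently, as one remote probe would."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(poll_modem, agents))


# Constructed fleet: modems with differing numbers of bonded DS channels.
FLEET = [FakeAgent("cm-1", [1, 2, 3, 4]),
         FakeAgent("cm-2", [1, 2]),
         FakeAgent("cm-3", list(range(1, 17)))]

if __name__ == "__main__":
    for r in poll_all(FLEET):
        print(r["modem"], r["interfaces"], "interfaces,", r["requests"], "requests")
```

The request count per modem is what drives the probe sizing Nick talks about: a 16-channel modem costs three round trips here (one walk plus two GETs), a two-channel modem costs two, so the per-probe budget should be planned from the interface distribution of the actual fleet rather than from the modem count alone.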
Re: Dual stack IPv6 for IPv4 depletion
For a small site using a Fortigate such as a 60D, you can use equal cost load balancing very well. We use this all the time to keep a customer's backup ISP active with a VPN connection back to the data center. I wouldn't want to support VOIP in the config, but it works really great for VPNs and general internet access for end users.

Nick Ellermann
~Sent from my iPhone~

On Jul 5, 2015, at 2:59 PM, Mel Beckman wrote:

Many firewalls will do state sync across an HA link. This works fine as long as you use BGP to ensure internet routing of your IPv4 to all gateways. But then the HA link is the single point of failure. I think the best you can hope for is that the importance of IPv4 NAT will diminish over time. One day it will be just a memory, like SNA :)

-mel beckman

> On Jul 5, 2015, at 12:37 PM, Josh Moore wrote:
>
> I was hoping to find a solution that maybe utilized some kind of session sync or something of that matter allowing for multiple entry and exit points (asymmetric routing).
>
> Thanks,
>
> Joshua Moore
> Network Engineer
> ATC Broadband
> 912.632.3161
>
>> On Jul 5, 2015, at 3:10 PM, Owen DeLong wrote:
>>
>> A NAT box is a central point of failure for which the only cure is to not do NAT.
>>
>> You can get clustered NAT boxes (Juniper, for example), but that just makes a bigger central point of failure.
>>
>> Owen
>>
>>> On Jul 5, 2015, at 11:49 , Josh Moore wrote:
>>>
>>> The point I am concerned about is a central point of failure.
>>>
>>> Thanks,
>>>
>>> Joshua Moore
>>> Network Engineer
>>> ATC Broadband
>>> 912.632.3161
>>>
>>>> On Jul 5, 2015, at 2:46 PM, Owen DeLong wrote:
>>>>
>>>> Not necessarily. But what I am telling you is that whatever goes out NAT gateway A has to come back in through NAT gateway A.
>>>>
>>>> You can build whatever topology you want on either side of that and nothing says B has to be anywhere near A.
>>>>
>>>> Owen
>>>>
>>>>> On Jul 5, 2015, at 11:25 , Josh Moore wrote:
>>>>>
>>>>> So basically what you are telling me is that the NAT gateway needs to be centrally aggregated.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Joshua Moore
>>>>> Network Engineer
>>>>> ATC Broadband
>>>>> 912.632.3161
>>>>>
>>>>>> On Jul 5, 2015, at 1:29 PM, Owen DeLong wrote:
>>>>>>
>>>>>> If you want to keep that, then you'll need a public backbone network that joins all of your NATs and you'll need to have your NATs use unique exterior address pools.
>>>>>>
>>>>>> Load balancing a single session across multiple NATs isn't really possible.
>>>>>>
>>>>>> Owen
>>>>>>
>>>>>>> On Jul 5, 2015, at 08:11 , Josh Moore wrote:
>>>>>>>
>>>>>>> Performing the NAT on the border routers is not a problem. The problem comes into play where the connectivity is not symmetric. Multiple entry/exit points to the Internet and some are load balanced. We'd like to keep that architecture too as it allows for very good protection in an internet link failure scenario and provides BGP best path connectivity.
>>>>>>>
>>>>>>> So traffic that comes in ISP A might leave ISP B or traffic coming in ISP A may come in ISP B simultaneously.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Joshua Moore
>>>>>>> Network Engineer
>>>>>>> ATC Broadband
>>>>>>> 912.632.3161
>>>>>>>
>>>>>>>> On Jul 5, 2015, at 10:43 AM, Mel Beckman wrote:
>>>>>>>>
>>>>>>>> WISPs have been good at solving this, as they are often deploying greenfield networks. They use private IPv4 internally and NAT IPv4 at
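Owen's point that "whatever goes out NAT gateway A has to come back in through NAT gateway A", and why unique exterior address pools per NAT make that work without session sync, as an added example that is not code from the thread. Two minimal stateful NAT gateways (`NatGateway` is a constructed toy, not any vendor's implementation) translate an outbound flow; the reply is then offered to both gateways. All addresses are RFC 5737 documentation ranges chosen for the example.

```python
"""Why a flow that leaves through NAT gateway A must return through gateway A.

Two stateful source-NAT gateways with distinct exterior addresses. Only the
gateway that created the translation state can map the reply back inside;
the other one has no matching entry and drops it."""


class NatGateway:
    """Toy stateful NAPT: one exterior address, a port-indexed state table."""

    def __init__(self, name, exterior_ip):
        self.name = name
        self.exterior_ip = exterior_ip
        self.next_port = 40000
        # (exterior_ip, exterior_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.table = {}
        self.drops = 0

    def outbound(self, pkt):
        """Translate inside->outside and record state so the reply can be reversed."""
        ext_port = self.next_port
        self.next_port += 1
        self.table[(self.exterior_ip, ext_port)] = (
            pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return {"src": self.exterior_ip, "sport": ext_port,
                "dst": pkt["dst"], "dport": pkt["dport"]}

    def inbound(self, pkt):
        """Reverse the translation for outside->inside, or drop when no state
        matches (the reply reached a gateway that never saw the flow)."""
        state = self.table.get((pkt["dst"], pkt["dport"]))
        if state is None or (state[2], state[3]) != (pkt["src"], pkt["sport"]):
            self.drops += 1
            return None
        inside_ip, inside_port, _, _ = state
        return {"src": pkt["src"], "sport": pkt["sport"],
                "dst": inside_ip, "dport": inside_port}


def asymmetric_demo():
    """Send one flow out through A, then offer the reply to A and to B.
    Returns (packet delivered via A, packet delivered via B, drops counted at B)."""
    gw_a = NatGateway("A", "198.51.100.1")   # constructed exterior pool for A
    gw_b = NatGateway("B", "203.0.113.1")    # constructed exterior pool for B
    inside = {"src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 443}
    out = gw_a.outbound(inside)
    # The remote host answers the exterior address/port it saw, i.e. A's pool.
    reply = {"src": "192.0.2.10", "sport": 443, "dst": out["src"], "dport": out["sport"]}
    via_a = gw_a.inbound(reply)
    via_b = gw_b.inbound(reply)
    return via_a, via_b, gw_b.drops


if __name__ == "__main__":
    via_a, via_b, drops_b = asymmetric_demo()
    print("reply through A ->", via_a)
    print("reply through B ->", via_b, "(dropped at B:", drops_b, ")")
```

The demo forces the reply onto B to show the failure; in a real deployment with unique pools the reply is addressed to A's exterior prefix and routing delivers it to A on its own, which is exactly the reason the pools must not overlap. Shared or overlapping pools are what turn a multi-exit design into intermittent session drops that look like ISP trouble.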
Re: OT - Small DNS "appliances" for remote offices.
Sounds cool with the pi idea. Not sure of the cache level you need but we have great success with Fortigates performing firewall and local DNS host even for a small remote site that is part of an MS AD via a VPN tunnel. It can be set up and managed just like a DNS server. No extra devices to learn or manage!

Nick Ellermann
~Sent from my iPhone~

On Feb 18, 2015, at 4:08 PM, Maxwell Cole wrote:

+1 for the pi, The new model has a quad core and 1GB of ram which should be more than enough for a DNS.

> On 2/18/15 10:03 AM, Peter Kristolaitis wrote:
> Not "industrial grade", but Raspberry Pis are pretty great for this kind of low-horsepower application. Throw 2 at each site for redundancy and you have a low-powered, physically small, cheap, dead silent, easily replaceable system for ~$150 per site. Same idea as the Soekris -- just ship out replacements instead of trying to repair -- but even cheaper.
>
> Between having 2 (or more) at each site, plus cross-site redundancy via anycast, it would be pretty robust (and cheap enough that you could have cold-spares at each site).
>
>> On 02/18/2015 09:28 AM, Ray Van Dolson wrote:
>> Hopefully not too far off topic for this list.
>>
>> Am looking for options to deploy DNS caching resolvers at remote locations where there may only be minimal infrastructure (FW and Cisco equipment) and limited options for installing noisier, more power hungry servers or appliances from a vendor. Stuff like Infoblox is too expensive.
>>
>> We're BIND-based and leaning to stick that way, but open to other options if they present themselves.
>>
>> Am considering the Soekris net6501-50. I can dump a Linux image on there with our DNS config, industrial grade design, and OK performance. If the thing fails, clients will hopefully not notice due to anycast which will just hit another DNS server somewhere else on the network albeit with additional latency. We ship out a replacement device rather than mucking with trying to repair.
>>
>> There's also stuff like this[1] which probably gives me more horsepower on my CPU, but maybe not as reliable.
>>
>> Maybe I'm overengineering this. What do others do at smaller remote sites? Also considering putting resolvers only at "hub" locations in our MPLS network based on some latency-based radius.
>>
>> Ray
>>
>> [1] http://www.newegg.com/Mini-Booksize-Barebone-PCs/SubCategory/ID-309
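A BIND `options` block for the kind of small-site caching resolver Ray describes, added here as an example and not taken from the thread or from anyone's production config. The network ranges and the anycast service address are placeholders; the one thing to get right on a box that sits behind "minimal infrastructure" is that it answers recursive queries only for your own clients, otherwise each remote site becomes an open resolver usable for reflection.

```conf
options {
    directory "/var/cache/bind";
    recursion yes;

    // Recursive service only for internal clients (placeholder ranges).
    // Without these two lines the box is an open resolver.
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };

    // The shared anycast service address (placeholder) that every site's
    // resolver announces, plus this box's own unique address for management.
    listen-on    { 10.255.255.53; 10.20.30.2; };
    listen-on-v6 { none; };

    dnssec-validation auto;
    minimal-responses yes;
};
```

With anycast, the service address should only be advertised into the IGP while `named` is actually answering; otherwise a resolver that is up but unhealthy keeps attracting the site's queries instead of letting them fall through to the next-nearest instance as Ray intends.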
Level3 routing issues today?
Is anyone else having issues with Level3 routing traffic to the GoDaddy ASN? Since about 1PM Eastern today we have had numerous customers claiming their internet was down, when it has only been a few websites they couldn't reach. It's been up and down on my FiOS link some today as well. But right now Verizon seems fine; they are hitting Qwest before GoDaddy for where I live in VA. From our network (AS30259) we are going out (AS3356) and for the most part we reach our peering router in Northern Va, then we see 4.34.191.254 before timeouts forever. Could this be a regional Level3 issue? Anyone from Level3 or GoDaddy that could comment? We have had an open Level3 ticket since about 4PM Eastern.

Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
E: nellerm...@broadaspect.com
P: 703-297-4639
F: 703-996-4443
RE: Low cost WDM gear
Mike, Look into SolidOptics. www.Solidoptics.com Great Mux and Add-drops, plus fantastic optics. We are not optical engineers so when we have had questions about new links their team has always been open about what will and what won't work based on what we are trying to accomplish. We are only using their CWDM passive mux and various optics, been extremely happy on price and performance. No issues.

Sincerely,
Nick Ellermann – CTO & VP Cloud Services
BroadAspect
E: nellerm...@broadaspect.com
P: 703-297-4639
F: 703-996-4443

-----Original Message-----
From: NANOG On Behalf Of Mike Hammett
Sent: Saturday, February 07, 2015 12:42 PM
To: NANOG
Subject: Low cost WDM gear

I know there are various Asian vendors for low cost (less than $500) muxes to throw 16 or however many colors onto a strand. However, they don't work so well when you don't control the optics used on both sides (therefore must use standard wavelengths), obviously only do a handful of channels and have a distance limitation. What solutions are out there that don't cost an arm and a leg?

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Cisco IOS stable/production safe versions?
I have a Cisco IOS specific question for the group, also specifically related to the 6500 platform. We have always been very conservative with the IOS version that we run in production; we are still running a pretty old safe harbor build of 12.2.x on SUP 720 3BXLs with BGP and OSPF routing. Any advice from fellow network operators that are running the 6500 platform in the core still for versions that are considered safe for production? We are stable, but I am really wanting access to features such as Netflow v9, etc. Thanks for any advice!

Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
E: nellerm...@broadaspect.com
P: 703-297-4639
F: 703-996-4443