Re: Egress filters dropping traffic
I usually do ingress ACLs on CE-facing PE interfaces; that way I can provide one level of anti-spoofing on IPs I control. I've not had the need for an egress ACL yet, but then again I think it depends on network design and habits from day 1. One use case though may be to mitigate a DDoS attack on a customer-facing link.

Sent from my iPhone

On Jun 30, 2013, at 5:34 PM, Glen Kent glen.k...@gmail.com wrote:

> Hi,
>
> Under what scenarios do providers install egress ACLs which could say, for e.g.:
>
> 1. Allow all IP traffic out on an interface foo if it's coming from source IP x.x.x.x/y
> 2. Drop all other IP traffic out on this interface.
>
> Glen
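As an added example (not code from the thread), the ingress anti-spoofing ACL described in the reply above, generated from the prefixes assigned to one customer and then evaluated against constructed sample sources the way the ACL would evaluate them; the customer prefixes, ACL name and sample addresses are all made up for illustration.

```python
# Added example (not from the original thread): build a Cisco-style ingress
# anti-spoofing ACL for a CE-facing PE interface from the customer's assigned
# prefixes, and evaluate sample sources against it. All values are constructed.
import ipaddress

CUSTOMER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25"]   # constructed (TEST-NET ranges)


def wildcard(net: ipaddress.IPv4Network) -> str:
    """Cisco ACLs use inverted (wildcard) masks: a /24 becomes 0.0.0.255."""
    return str(net.hostmask)


def build_ingress_acl(name: str, prefixes) -> list:
    """Permit only packets sourced from the customer's prefixes; log everything else."""
    lines = [f"ip access-list extended {name}"]
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        lines.append(f" permit ip {net.network_address} {wildcard(net)} any")
    lines.append(" deny ip any any log")   # implicit deny made explicit, with logging
    return lines


def acl_permits(prefixes, src_ip: str) -> bool:
    """A source is permitted iff it falls inside one of the allowed prefixes."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in prefixes)


def spoofed_sources(prefixes, sources) -> list:
    """Sources the ACL would drop on the CE-facing interface: candidate spoofing."""
    return [s for s in sources if not acl_permits(prefixes, s)]


if __name__ == "__main__":
    print("\n".join(build_ingress_acl("CUST-A-IN", CUSTOMER_PREFIXES)))
    # constructed sample of source addresses seen entering the PE from the CE
    sample = ["192.0.2.10", "198.51.100.200", "203.0.113.7"]
    print("would be dropped:", spoofed_sources(CUSTOMER_PREFIXES, sample))
```

The generated list is applied inbound on the CE-facing interface with `ip access-group CUST-A-IN in`; the `log` keyword on the final deny is what gives you visibility of spoofing attempts without needing a separate egress ACL.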
Re: ISIS and OSPF together
OSPF offered as PE-CE protocol to L3 MPLS VPN customers and ISIS as IGP for the MPLS core.

Sent from my iPhone

On May 12, 2013, at 9:41 AM, Glen Kent glen.k...@gmail.com wrote:

> Hi,
>
> I would like to understand the scenarios wherein the service provider/network admin might run both ISIS and OSPF together inside their network. Is this something that really happens out there?
>
> One scenario that I can think of when somebody might run the two protocols ISIS and OSPF together for a brief period is when the admin is migrating from one IGP to the other. This, I understand, never happens in steady state. The only time this can happen is if an AS gets merged into another AS (due to mergers and acquisitions) and the two ASes happen to run ISIS and OSPF respectively. In such instances, there is a brief period when two protocols might run together before one gets turned off and there is only one left.
>
> The other instance would be when, say, OSPF is used to manage the OOB network and ISIS is used for network reachability.
>
> Is there any other scenario?
>
> Glen
Should the Facebook's, Google's, Amazon's of this world operate a BGP looking glass?
Hi All,

Should major social networking sites like Facebook, Google and Amazon operate an IP looking glass? I think they should. Here is a short justification write-up I did, using a real-life troubleshooting scenario:

http://www.slideshare.net/peterehiwe/why-major-content-providers-need-an-ip-looking-glass

--
Warm Regards
Peter
Re: Level3 worldwide emergency upgrade?
Also received same ...

On Wed, Feb 6, 2013 at 10:58 AM, Ray Wong r...@rayw.net wrote:

> Does anyone have details on tonight's apparent worldwide emergency router upgrade? All I managed to get out of the portal was 30 minutes, Service Affecting (no kidding?), and the NOC line gave me the recording about it and disconnected me.
>
> -R

--
Warm Regards
Peter (CCIE 23782).
Re: looking glass for Level 3
I normally use the 3rd one you mentioned but they seem to be down at the moment.

Rgds
Peter,

Sent from my Asus Transformer Pad

On Dec 28, 2012 1:51 AM, Tassos Chatzithomaoglou ach...@forthnetgroup.gr wrote:

> Anyone have any looking glass for Level 3? The following seem not to be working:
>
> http://www.level3.com/LookingGlass/
> http://lg.level3.net/bgp/bgp.cgi
> http://lookingglass.level3.net/
>
> --
> Tassos
Re: Strict route filtering at IX?
I use a mixture of BGP communities and prefix lists and it scales very well for me.

Rgds
Peter,

Sent from my Asus Transformer Pad

On Dec 12, 2012 3:24 AM, Dan Luedtke m...@danrl.de wrote:

> Hi NANOGers,
>
> tl;dr What is the best practice for filtering a large number of prefixes at an internet exchange?
>
> Yesterday I ran into problems while writing new filtering rules for my peerings at a local exchange. My workflow probably has a flaw, although it works fine for IPv6 (well, fewer prefixes there).
>
> After the physical link was set up I started a BGP session with the route server of the exchange. A few minutes later some other AS imported my prefix, e.g. those listed at HE[1]. I guess they filtered less strictly :)
>
> The next day the exchange's route server administrator added my AS-SET to the AS-SET of the route server.
>
> --- snip RIPE DB ---
> as-set:   AS-KLEYREX-RS1
> descr:    KleyReX Internet Exchange Frankfurt
> [...]
> members:  AS-NONATTACHED
> --- snap ---
>
> A few days have passed since then but the number of peers has not increased as expected. Is this normal?
>
> My mp-* entries look like this:
>
> --- snip RIPE DB ---
> aut-num:    AS57821
> as-name:    NONATTACHED-AS
> [...]
> mp-import:  afi ipv4.unicast from AS31142 accept AS-KLEYREX-RS1
> mp-export:  afi ipv4.unicast to AS31142 announce AS-NONATTACHED
> --- snap ---
>
> Yesterday I thought about importing the route server's prefixes and, of course, filtering them. Using rtconfig[2] I created a filter for BIRD[3] like this:
>
> --- snip bird.conf ---
> if (prefix_too_long()) then reject;
> @rtconfig printPrefixes if (net ~ [ %p/%l+ ]) then accept;\n filter AS-KLEYREX-RS1
> reject;
> --- snap ---
>
> This takes about 10-20 minutes and results in a very large config file consisting of hundreds of prefixes in IPv4. The same config file for IPv6 would be smaller. However, legacy protocol IPv4 is not yet dead so I need to filter it somehow. BIRD sometimes segfaults when it is advised to read those large filters.
>
> So, here's the question: How do you filter at exchanges? Where is the error in my workflow? Is strict route filtering a myth?
>
> Thanks for helping!
>
> Dan
>
> [1] http://bgp.he.net/AS57821#_peers
> [2] http://irrtoolset.isc.org/wiki/RtConfig
> [3] http://bird.network.cz
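An added example (not code from the thread, from RtConfig or from BIRD) showing one way to get the strict, registered-only filter Dan's template is after while emitting a single BIRD prefix set instead of one `if` line per prefix: each entry carries an explicit length range, and objects more specific than the per-family cap are dropped at generation time. The route objects, ASNs and filter names are constructed sample data standing in for a real AS-SET expansion.

```python
# Added example (not from the thread, RtConfig or BIRD): build a strict BIRD
# prefix filter for a route-server peering straight from IRR route objects.
# The route objects are constructed sample data standing in for an AS-SET
# expansion; a real run would fetch them from the RIPE DB.
import ipaddress

ROUTE_OBJECTS = [                      # constructed: (prefix, origin ASN)
    ("198.51.100.0/22", 64501),
    ("192.0.2.0/24", 64500),
    ("203.0.113.0/26", 64502),         # more specific than /24: must never be accepted
    ("2001:db8:1000::/36", 64500),
    ("2001:db8:2000::/52", 64501),     # more specific than /48: must never be accepted
]

MAX_LEN = {4: 24, 6: 48}               # usual strict limits on what peers will accept


def filter_entries(route_objects, family):
    """BIRD prefix-set entries for one address family.

    'P/L{L,MAX}' accepts the registered prefix and any more-specific
    announcement up to MAX: the registered-only, length-capped behaviour that
    prefix_too_long() plus the '%p/%l+' template was aiming for, except that
    over-long objects are dropped here instead of being emitted and then
    rejected at match time."""
    nets = [ipaddress.ip_network(p, strict=True) for p, _ in route_objects]
    nets = sorted(n for n in nets if n.version == family)
    return [f"{n}{{{n.prefixlen},{MAX_LEN[family]}}}"
            for n in nets if n.prefixlen <= MAX_LEN[family]]


def bird_filter(name, route_objects, family):
    """One filter per family: a single prefix set, then an explicit reject."""
    entries = ",\n        ".join(filter_entries(route_objects, family))
    return (f"filter {name} {{\n"
            f"    if net ~ [ {entries} ] then accept;\n"
            f"    reject;\n"
            f"}}")


if __name__ == "__main__":
    print(bird_filter("rs_in_v4", ROUTE_OBJECTS, 4))
    print(bird_filter("rs_in_v6", ROUTE_OBJECTS, 6))
```

The prefix set is the structure BIRD is built to match against efficiently, so a few hundred IPv4 entries in one set is routine where a few hundred separate `if` statements is not.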
MPLS L2VPN monitoring
Hello,

For those who provide L2VPN services to customers over MPLS, what kind of tools do you use for monitoring the circuits and what kind of values do you proactively monitor? I have tools in place to monitor these circuits but I want to know, based on group members' experiences, how to improve my monitoring platform for these circuits.

Thanks a lot!
Net::Perl::SSH for MRLG
Hello All,

Has anyone successfully implemented Net::Perl::SSH with MRLG? If yes, please unicast me. The Perl module works fine but MRLG doesn't seem to be able to connect to the routers using that module.
Re: AUT-NUM ROUTE OBJECT
This has been sorted out now.

On Fri, Jun 8, 2012 at 5:59 PM, Nick Hilliard n...@foobar.org wrote:

> On 08/06/2012 17:55, Peter Ehiwe wrote:
>> Authorisation for parent [as-block] using mnt-lower: not authenticated by: RIPE-NCC-RPSL-MNT
>
> http://apps.db.ripe.net/whois/lookup/ripe/mntner/RIPE-NCC-RPSL-MNT.html
>
> Nick

--
Warm Regards
Peter (CCIE 23782).
AUT-NUM ROUTE OBJECT
Please can anyone familiar with route object creation help with understanding this error? I am having a weird error with an AUT-NUM object; even though I am using the correct maintainer password I keep getting this error message:

Authorisation for parent [as-block] using mnt-lower: not authenticated by: RIPE-NCC-RPSL-MNT
***Info: Authorisation for [aut-num] using mnt-by: authenticated by: X

--
Warm Regards
Re: VLAN Troubles
Verify what protocol the Dell switch uses to tag the traffic (from the datasheet); I have seen some switches that won't trunk .1q with Cisco.

On Tue, Mar 6, 2012 at 5:07 PM, Alan Bryant a...@alanbryant.com wrote:

> I hope everyone is having a better workday so far than I am.
>
> I am trying to clean up the network for the hospital I work for, and part of that is creating two VLANs for two separate subnets on our network. Before, it was not separated by VLANs. We are also replacing our aged Juniper firewall with an ASA. I'm very new to VLANs, so I am hoping this is something simple that you guys can help me out with.
>
> We have two switches that do not seem to be passing VLAN traffic. The two switches are a Dell PowerConnect 5324 and a Cisco 3560G. The Cisco switch appears to be functioning fine, but the Dell switch is only passing traffic to the Cisco that is on the default untagged VLAN 1. Our second VLAN is not getting passed to the Cisco at all; I am not seeing any packets tagged with the particular VLAN in Wireshark.
>
> I have Port 1 on the Dell switch connected to port 29 on the Cisco switch, and port 1 on the Cisco switch connected to the ASA.
>
> I have the following config on the relevant ports on the Cisco switch:
>
> interface GigabitEthernet0/1
>  description ASA 5505
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
> interface GigabitEthernet0/29
>  description Radiology Switch
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>
> Here is the config for the Dell switch:
>
> interface ethernet g1
> speed 1000
> duplex full
> exit
> interface ethernet g2
> speed 1000
> duplex full
> exit
> interface ethernet g3
> speed 1000
> duplex full
> exit
> interface ethernet g4
> speed 1000
> duplex full
> exit
> interface ethernet g5
> speed 1000
> duplex full
> exit
> interface ethernet g7
> speed 1000
> duplex full
> exit
> interface ethernet g9
> speed 1000
> duplex full
> exit
> interface ethernet g10
> speed 1000
> duplex full
> exit
> interface ethernet g12
> speed 1000
> duplex full
> exit
> interface ethernet g14
> speed 1000
> duplex full
> exit
> interface ethernet g15
> speed 1000
> duplex full
> exit
> port jumbo-frame
> interface ethernet g1
> switchport mode trunk
> exit
> interface ethernet g24
> switchport mode trunk
> exit
> vlan database
> vlan 12,22
> exit
> interface range ethernet g(2,4,7,12,14-15)
> switchport access vlan 12
> exit
> interface vlan 12
> name Radiology
> exit
> interface vlan 22
> name Guest
> exit
> interface vlan 1
> exit
>
> Anyone have any ideas or pointers? Is there more information that I need to provide?
>
> VLAN 1 works just fine, of course. It is VLAN 12 that is not working. Everything on the Dell switch is communicating with each other just fine on the same subnet.

--
Warm Regards
Peter (CCIE 23782).
Re: VLAN Troubles
Yep, verify how Dell tags the VLANs; it may use a proprietary tagging method for the trunk.

On Tue, Mar 6, 2012 at 5:36 PM, Alan Bryant a...@alanbryant.com wrote:

> Thank you for the suggestions, unfortunately none of them are working. I have tried with the uplink in general trunk mode. I have allowed all VLANs and allowed only the specific VLANs I am using, tagged and untagged, but it is still not passing VLAN 12.

--
Warm Regards
Peter (CCIE 23782).
Re: VLAN Troubles
Cool!

On Tue, Mar 6, 2012 at 7:10 PM, Alan Bryant a...@alanbryant.com wrote:

> Just wanted to say a quick thank you to everyone who chimed in. Like I thought, it turned out to be something very simple and routine. I had not added the VLAN to the Cisco switch. I had added it during testing, but I removed all testing config from the switch before I went to VLANs and did not add it back.
>
> On top of that, right before I saw the message to run sh vlan, I attempted to upgrade the firmware on the Dell switch and followed Dell's instructions to the T, but it appears that the switch is now non-functional. It is in a continuous reboot cycle and I can't even get anything over the console. Thankfully I had another switch ready and swapped it out and we are running strong with VLANs.
>
> Again, thank you so much for all of your help, and hopefully one day I will be at the level to help someone else out on here.

--
Warm Regards
Peter (CCIE 23782).
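An added example (not code from the thread) that mechanises the check which resolved this thread: it parses the Dell and Cisco configs quoted earlier and reports any VLAN carried over the shared trunk that one side has never defined, which is exactly the "forgot to add VLAN 12 on the Cisco" condition `sh vlan` exposed. The embedded configs are trimmed copies of those posted, and the parser is a deliberately simple line scan for the two config dialects involved.

```python
# Added example (not from the thread): flag VLANs assigned to access ports on one
# switch that the other switch sharing the trunk has not defined. Configs are
# trimmed copies of the ones posted in the thread; the line scan is simplistic.
import re

DELL_CFG = """
interface ethernet g1
switchport mode trunk
exit
vlan database
vlan 12,22
exit
interface range ethernet g(2,4,7,12,14-15)
switchport access vlan 12
exit
"""
CISCO_CFG = """
interface GigabitEthernet0/29
 description Radiology Switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""


def expand_ids(spec: str) -> set:
    """'12,22' -> {12, 22}; '10-12' -> {10, 11, 12}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_vlans(cfg: str):
    """Return (defined, access) VLAN-id sets for one switch config."""
    defined, access = {1}, set()              # VLAN 1 always exists
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.fullmatch(r"vlan ([\d,\-]+)", line)   # Dell 'vlan 12,22' or IOS 'vlan 12'
        if m:
            defined |= expand_ids(m.group(1))
        m = re.fullmatch(r"switchport access vlan (\d+)", line)
        if m:
            access.add(int(m.group(1)))
    return defined, access


def missing_vlans(configs: dict) -> dict:
    """Per switch: VLANs in use on any switch's access ports (hence expected on the
    trunk) that this switch has not defined and therefore will not forward."""
    parsed = {name: parse_vlans(cfg) for name, cfg in configs.items()}
    in_use = set().union(*(acc for _, acc in parsed.values()))
    return {name: sorted(in_use - defined) for name, (defined, _) in parsed.items()}


if __name__ == "__main__":
    print(missing_vlans({"dell": DELL_CFG, "cisco": CISCO_CFG}))   # cisco lacks 12
```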
Re: do not filter your customers
IOS-XR

On 2/23/12, Randy Bush ra...@psg.com wrote:

>> and things went further downhill from there, when telstra also did not filter what they announced to their peers, and the peers went over prefix limits and dropped bgp.
>
> Oh! so protections worked!
>
> imiho, prefix count is too big a hammer. it would have been better if optus had irr-based filters in place on peerings with telstra. then they would not have dropped the sessions and their customers could still reach telstra customers. of course, if telstra did not publish accurately in an irr instance, not much optus could do.
>
> randy

--
Warm Regards
Peter (CCIE 23782).
Re: IP Transit with netflow report?
Why can't you do the NetFlow from your end?

On Mon, Feb 13, 2012 at 7:48 AM, ali baba alibaba123...@gmail.com wrote:

> Hi Everyone,
>
> Hope someone can help me out.. I have some IP Transit links with one of the Tier1s and I need to know the source/destination of traffic passing through.. My provider gives me a straight NO, we can provide this, and I am wondering if anyone knows of any providers who give out NetFlow reports?
>
> Cheers,
> AB

--
Warm Regards
Peter (CCIE 23782).
DOS ATTACK ON BGP, LPTS??
Hi,

What is the best way to mitigate a DoS attack against the BGP process of a router? Is LPTS on IOS-XR enough?

Rgds
Peter