IP Management Software

2011-12-16 Thread Shahab Vahabzadeh
Hi everybody,
Can anybody share his/her experience with IP Management software? Which
one can I use for managing near 100K IP addresses?
IPPlan is not good enough, I think it's covering all my needs and not fully
flexible.
If you have discussed this here before, please share the link with me.
Thanks

-- 
Regards,
Shahab Vahabzadeh, IP Engineer, *nix Admin and Geek


OSS Systems

2012-01-05 Thread Shahab Vahabzadeh
Hi there,
Does anybody have experience running an OSS System at enterprise level?
And do you have any idea about it?
For example for an ISP who is running users more than 20K or 30K, there
must be some good solutions to integrate all systems like:
Radius, Billing Systems and CRM
For example after searching and asking friends I have some ideas about
Radius to use: radiator
Is there anybody who has analysed such a system before in his ISP? Need
sharing here :)
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: OSS Systems

2012-01-05 Thread Shahab Vahabzadeh
Dear Leigh,
Thanks for your answer, so you recommend radiator?
What about analyses, you know always thinking about billing systems with
staff who do not have any idea about the backend is hard ...
You always have problems with operators and they make lots of exceptions,
isn't it?
And if you have time would you please tell me more about your load
balancers?
I am really confused really with designing and analysing this project :(
Thanks


On Fri, Jan 6, 2012 at 1:45 AM, Leigh Porter
wrote:

>
>
> On 5 Jan 2012, at 22:02, "Shahab Vahabzadeh" 
> wrote:
>
> > Hi there,
> > Has anybody experience about running and OSS System in enterprise level?
> > And do you have any idea about it?
> > For example for an ISP who is running users more than 20K or 30K, there
> > must be some good solutions to integrate all systems like:
> > Radius, Billing Systems and CRM
> > For example after searching and asking friends I have some ideas about
> > Radius to use: radiator
> > Is there anybody who has analyse such a systems before in his ISP? Need
> > sharing here :)
> > Thanks
>
> We did this a few years ago and ended up writing the whole thing
> ourselves. This included billing, subscriber management etc etc.
>
> We integrated with salesforce.com for the internal front end and the user
> facing stuff we did ourselves.
>
> It was a big project and took a team of six about six months. But we ended
> up with a perfect solution that did exactly what we needed and it was
> pretty good.
>
> It handled within the order of users you mention, but we designed to 100k
> users.
>
> We used radiator (highly recommended) with openldap back end. Multiple
> load balanced servers etc etc.
>
> The worst thing we did was to build our own mail system. Not that it was
> an issue, it never went wrong, but these days I'd just send people to gmail
> or something.
>
> --
> Leigh Porter
>
>
> __
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> __
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


"PPPoE Intermediate Agent or TR101" in Huawei MA5600

2012-01-09 Thread Shahab Vahabzadeh
Hi Everybody,
I have lots of Huawei MA5600 in my pop sites and my "display version"
output is "VERSION: MA5600V300R003C05".
Can anybody help me to know how I can enable "PPPoE Intermediate Agent or
TR101" in these DSLAMs?
Or let me know if this version of DSLAM supports this feature or not?
I want to have port attributes too when users send to NAS and from that to
Radius.
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: IP Management Software

2012-01-13 Thread Shahab Vahabzadeh
Hi,
Would you please tell me what are the advantages of noc-project?
It takes hours to install it and it looks like a software with lots of bugs?
I have it now but many problems in their scripts, Isn't it?
Thanks

On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied  wrote:

> Try noc project
>
>
> On Friday, December 16, 2011, Shahab Vahabzadeh 
> wrote:
> > Hi everybody,
> > Can anybody share his/her experience with IP Management software's?
> Which I
> > can use it managing near 100K IP Address?
> > IPPlan is not good enough, I think its
> >
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: IP Management Software

2012-01-13 Thread Shahab Vahabzadeh
I am looking for an open source one, nocproject.org is good but it needs
lots of patches to be normal, I think they are not developing it too much
because it's an internal project for them.

On Sat, Jan 14, 2012 at 1:20 AM, Josh Baird  wrote:

> We use Men & Mice, but it is a commercial product.  Solarwinds
> and Infoblox also have commercial offerings that are worth looking at.
> If you are looking at an IPAM platform with emphasis on IPv6, check
> out www.6connect.com.  They offer a free product that is
> pretty comprehensive.
>
> Josh
> On Fri, Jan 13, 2012 at 4:24 PM, Shahab Vahabzadeh
>  wrote:
> > Hi,
> > Would you please tell me what is the advantages of noc-project?
> > It takes hours to install it and it looks like a software with lots of
> bugs?
> > I have it now but many problems in their scripts, Isn't it?
> > Thanks
> >
> > On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied 
> wrote:
> >
> >> Try noc project
> >>
> >>
> >> On Friday, December 16, 2011, Shahab Vahabzadeh <
> sh.vahabza...@gmail.com>
> >> wrote:
> >> > Hi everybody,
> >> > Can anybody share his/her experience with IP Management software's?
> >> Which I
> >> > can use it managing near 100K IP Address?
> >> > IPPlan is not good enough, I think its
> >> >
> >>
> >
> >
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: accessing multiple devices via a script

2012-01-15 Thread Shahab Vahabzadeh
Like Rhys Rhaven.

On Sun, Jan 15, 2012 at 11:12 PM, Rhys Rhaven wrote:

> Is "full disclosure" expected on NANOG, or is it just polite? Like
> mentioning that Chuck Reynolds is a salesman for QualiSystems, and not
> just another network operator passing on what they might think will help?
>
> On 01/15/2012 01:21 PM, Chuck Reynolds wrote:
> > Hi Abdullah - Have you seen the new Resource Manager product from
> > QualiSystems?  It has this capability built into it and out of the box to
> > support large numbers of devices.
> >
> > Let me know off line where you are located and I can hook you up.
> >
> > Regards,
> >
> > Chuck
> >
> >
> > -Original Message-
> > From: Abdullah Al-Malki [mailto:a.almalki1...@gmail.com]
> > Sent: Sunday, January 15, 2012 12:53 PM
> > To: nanog@nanog.org
> > Subject: accessing multiple devices via a script
> >
> > Hi fellows,
> > I am supporting a big service provider and sometimes I face this problem.
> > Sometimes I want to access my customer network and want to extract some
> > verification output "show commands" from a large number of devices.
> >
> > What kind of scripting solutions you guys are using this case.
> >
> > Appreciate the feedback,
> > Abdullah
> >
> >
>
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: OSS Systems

2012-01-15 Thread Shahab Vahabzadeh
Hi there again,
I think Leigh is not available this week, anybody else idea about such a
system?
Which loadbalancer is good to use? LVS or hardware one? or radius as a
proxy?
How database must be placed? How radius servers talk to DB?
And which radius server you suggest? Radiator?
Thanks

On Fri, Jan 6, 2012 at 1:45 AM, Leigh Porter
wrote:

>
>
> On 5 Jan 2012, at 22:02, "Shahab Vahabzadeh" 
> wrote:
>
> > Hi there,
> > Has anybody experience about running and OSS System in enterprise level?
> > And do you have any idea about it?
> > For example for an ISP who is running users more than 20K or 30K, there
> > must be some good solutions to integrate all systems like:
> > Radius, Billing Systems and CRM
> > For example after searching and asking friends I have some ideas about
> > Radius to use: radiator
> > Is there anybody who has analyse such a systems before in his ISP? Need
> > sharing here :)
> > Thanks
>
> We did this a few years ago and ended up writing the whole thing
> ourselves. This included billing, subscriber management etc etc.
>
> We integrated with salesforce.com for the internal front end and the user
> facing stuff we did ourselves.
>
> It was a big project and took a team of six about six months. But we ended
> up with a perfect solution that did exactly what we needed and it was
> pretty good.
>
> It handled within the order of users you mention, but we designed to 100k
> users.
>
> We used radiator (highly recommended) with openldap back end. Multiple
> load balanced servers etc etc.
>
> The worst thing we did was to build our own mail system. Not that it was
> an issue, it never went wrong, but these days I'd just send people to gmail
> or something.
>
> --
> Leigh Porter
>
>
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: enterprise 802.11

2012-01-15 Thread Shahab Vahabzadeh
Anybody tried "Proxim ORiNOCO AP-8000"? I have them in two airports and
they really suck ;)

On Sun, Jan 15, 2012 at 11:00 PM, Ken King  wrote:

> I need to choose a wireless solution for a new office.
>
> up to 600 devices will connect.  most devices are mac books and mobile
> phones.
>
> we can see hundreds of access points in close proximity to our new office
> space.
>
> what are the thoughts these days on the best enterprise solution/vendor?
>
> Thanks for your replies.
>
>
> Ken King
>
>
>
>
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Iran blocking essentially all encrypted protocols

2012-02-10 Thread Shahab Vahabzadeh
Yes I am from Iran and outgoing TCP/443 has been stopped ;)

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90

On Feb 10, 2012, at 9:56 PM, Ryan Malayter  wrote:

> Haven't seen this come through on NANOG yet:
> http://arstechnica.com/tech-policy/news/2012/02/iran-reportedly-blocking-encrypted-internet-traffic.ars
> 
> Can anyone with the ability confirm that TCP/443 traffic from Iran has
> stopped?
> 



Re: Iran blocking essentially all encrypted protocols

2012-02-11 Thread Shahab Vahabzadeh
It is not accessible with XMPP too; Yahoo, Google, none of them is accessible
from Iran.
I have not tried obfsproxy, but as an ordinary connection we do not have https :)

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90

On Feb 10, 2012, at 11:37 PM, Marshall Eubanks  
wrote:

> And in response
> 
> http://www.forbes.com/sites/andygreenberg/2012/02/10/as-iran-cracks-down-online-tor-tests-undetectable-encrypted-connections/
> 
> (quoting) :
> 
> “Basically, say you want to look like an XMPP chat instead of SSL,” he
> writes to me, referring to a protocol for instant messaging as the
> decoy for the encrypted SSL communications. “Obfsproxy should start
> up, you choose XMPP, and obfsproxy should emulate XMPP to the point
> where even a sophisticated [deep packet inspection] device cannot find
> anything suspicious.”
> 
> Regards
> Marshall
> 
> On Fri, Feb 10, 2012 at 2:03 PM, Shahab Vahabzadeh
>  wrote:
>> Yes I am from Iran and outgoing TCP/443 has been stopped ;)
>> 
>> --
>> Regards,
>> Shahab Vahabzadeh, Network Engineer and System Administrator
>> 
>> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>> 
>> On Feb 10, 2012, at 9:56 PM, Ryan Malayter  wrote:
>> 
>>> Haven't seen this come through on NANOG yet:
>>> http://arstechnica.com/tech-policy/news/2012/02/iran-reportedly-blocking-encrypted-internet-traffic.ars
>>> 
>>> Can anyone with the ability confirm that TCP/443 traffic from Iran has
>>> stopped?
>>> 
>> 



nfsen and protocol analysing plugin

2012-03-16 Thread Shahab Vahabzadeh
Hi everybody,
Does anybody know any plugin for nfsen which can analyse protocols and
give out report for us? ( using netflow )
By default nfsen only shows TCP, UDP and ICMP traffic not detail.
For example I want to show me how much "YMessenger" traffic I have, or how
much "IMAP" traffic I have.
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: nfsen and protocol analysing plugin

2012-03-16 Thread Shahab Vahabzadeh
It's a port tracker and traffic analyser, the plugin I want can gather
valuable data from netflow.
For example "GTalk" is on port 80 and this plugin can not detect it ;)
Thanks

On Fri, Mar 16, 2012 at 9:36 PM, Justin M. Streiner  wrote:

> On Fri, 16 Mar 2012, Shahab Vahabzadeh wrote:
>
>  Hi everybody,
>> Does any body know any plugin for nfsen which can analyse protocols and
>> give out report for us? ( using netflow )
>> By default nfsen only shows TCP, UDP and ICMP traffic not detail.
>> For example I want to show me how much "YMessenger" traffic I have, or how
>> much "IMAP" traffic I have.
>>
>
> I think you want the PortTracker plugin.  Goog for "nfsen plugins" and
> you'll find it.
>
> jms
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Outdoor Wireless Access Point

2012-03-31 Thread Shahab Vahabzadeh
Hi there,
I asked for a wireless solution for a university, in which they want an indoor
wireless solution for more than 5 buildings (at least two floors) and an outdoor
wireless solution for a garden of near 160m*280m.
As I look at the maps we need at least 3 or 4 outdoor radios, I think in these
networks the best solution is to have only one SSID in the whole network to
give mobility for the network, is this called ad-hoc? Or does it have another
name?
I do not know if I could ask the question clearly or not, suppose we have 4
radios but only one SSID is broadcasting and when you are near a radio you
will get service from the one that is near to you, as this solution must be
implemented for the indoor ones too.
And if there is any good company which can do both indoor and outdoor solutions
and they have shipping to Iran too or a reseller in Iran please give me the
url.
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Outdoor Wireless Access Point

2012-03-31 Thread Shahab Vahabzadeh
Yes it's VoIP over wireless, mostly this university needs this wireless
network for their professions and students who carry their IP Phones and
I care about this.
Thanks

On Sat, Mar 31, 2012 at 9:26 PM, Joel Maslak  wrote:

> On Mar 31, 2012, at 3:38 AM, Shahab Vahabzadeh 
> wrote:
>
> > As I look for maps we need at least 3 or 4 outdoor radio, I think in
> these
> > networks the best solution is to have only one SSID in whole network to
> > give mobility for the network, is this called ad-hoc? or it has an other
> > name?
>
> No, it's still infrastructure mode, not ad-hoc.
>
> Ad-hoc means "no access point".
>
> All you need to do is set the APs up to use the same SSID and
> authentication methods, keys, etc.  It's pretty simple and can even be done
> with consumer gear (with less stable performance of course).  If you don't
> put the APs all on the same layer 3 LAN (same subnet), you'll need some
> sort of controller-based solutions so that a user's IP address still makes
> sense to their computer when they move from one AP to another.  If you can
> keep all the APs on one subnet, you won't need that.
>
> It gets a bit more complex if you are using radio to link buildings
> together and/or backhaul to the access point.  There's plenty of good
> references on the internet.
>
> Note that the wireless handoffs aren't perfect on basic 802.11 gear.  Your
> laptop might not pick the best AP if it can hear multiple APs.  And you
> might lose a few packets when you hand-off between APs, but it's typically
> no big deal.   Your ssh session would stay connected across those hand-offs
> just fine.
>
> If you plan on doing VoIP on the wireless, it gets more complex yet - you
> have to worry about the time it takes handoffs and that can be more
> complex.  You have to implement WMM and DSCP.  You need to worry about
> low-speed users (1mbps, 2mbps, etc) on the same link.  It's a lot harder to
> build a VoIP wireless solution than a web browsing wireless solution, but
> still plenty possible to do without expensive equipment.
>
> In summary: you probably should find a guide on how to build wireless
> networks, preferably a vendor agnostic one.  You will either be the hero of
> your organization or the enemy, depending on how well your network works.




-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Outdoor Wireless Access Point

2012-03-31 Thread Shahab Vahabzadeh
Hi Valdis,
Thanks for your time and your answer, Of course I know how to search in
google or internet.
But the problem is as you told to have a good network and launch the best
solution.
And not do wrong things once more.
Thanks

On Sun, Apr 1, 2012 at 4:19 AM,  wrote:

> On Sat, 31 Mar 2012 15:48:37 -0700, Network IP Dog said:
> > I'm utterly amazed how many people give away free consultant work.
>
> A lot of us are quite busy with $DAYJOB and not in a position to take on a
> consulting engagement - and there's no good micropayment infrastructure to
> deal
> with 20-minute consulting gigs anyway.  So we give away 5 minute chunks of
> our
> time for the benefit of the networking community.  It's a large chunk of
> what
> makes 'best common practices' evolve. (Hint - that consultant you hired?
>  How
> much of *their* knowledge did they acquire from other people's free advice?)
>
> And those of us who *do* go looking for consulting gigs often need to
> market
> ourselves as somebody clued.  You read NANOG for a while, you get a good
> idea
> of who is clued and who isn't.  And thus you decide who gets the gig.
>
> > Google is your friend...  ;^)
>
> http://www.xckd.com/979/
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Outdoor Wireless Access Point

2012-04-01 Thread Shahab Vahabzadeh
Dear IP Dog,
Thanks for your time too, but I think you are so free and you are only
showing off yourself busy ;)
Because your answer reflect that to us, Here is a mailing list and open
community ;)
So if you do not have a good answer for question please go away ;)
Thanks

On Sun, Apr 1, 2012 at 3:18 AM, Network IP Dog wrote:

> Hi...How do I do it!
>
> I'm utterly amazed how many people give away free consultant work.
>
> We need to keep people working... not giving it away.
>
> Ethics... Security... etc...
>
> Does the university give away free diploma's?   I don't think so.
>
> Must be another copy & paste e&^%$#?r too!
>
> Google is your friend...  ;^)
>
> Cheers!
>
>
> Ephesians 4:32  &  Cheers!!!
>
> A password is like a... toothbrush  ;^)
> Choose a good one, change it regularly and don't share it.
>
> -Original Message-
> From: Shahab Vahabzadeh [mailto:sh.vahabza...@gmail.com]
> Sent: Saturday, March 31, 2012 2:39 AM
> To: nanog@nanog.org
> Subject: Outdoor Wireless Access Point
>
> Hi there,
> I asked for a wireless solution for a university, in which they want indoor
> wireless solution for more than 5 building (at least two floor) and outdoor
> wireless solution for near 160m*280m garden.
> As I look for maps we need at least 3 or 4 outdoor radio, I think in these
> networks the best solution is to have only one SSID in whole network to
> give
> mobility for the network, is this called ad-hoc? or it has an other name?
> I do not know if I could ask question clearly or not, suppose we have 4
> radio but only one SSID is broadcasting and when you are near the radio is
> near to you you will get service from that one, as this solution must be
> implement for indoor ones too.
> And if there is any good company which can both indoor and outdoor solution
> and they have shipping to Iran too or reseller in Iran please give me the
> url.
> Thanks
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> Cell Phone: +1 (415) 871 0742
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: OSS Systems

2012-05-21 Thread Shahab Vahabzadeh
On Mon, Jan 16, 2012 at 3:10 AM,  wrote:

> My personal opinion has been that we have seen great success in large
> environments with FreeRadius and using radrelay for mysql synchronization
> then an OpenLDAP-backend. We used FreeBSD/CARP and/or FreeVRRPd for
> failover but this can be accomplished in other methods.
>
> FreeRadius has a built-in CLUSTERIP module which allows
> clustering/load-balancing/failover or you could AnyCast the systems for
> redundancy.
>
> As for load balancing other Radius servers which may not have it built in
> - I would say a hardware solution is usually great because you get support,
> etc. However, if you don't need the support then there are a ton of options
> available. You could go as far as load balancing it with LVS (which I
> personally do not like but MANY do :)) or software load balancers like
> pen/pound/haproxy.
>
> Best of luck!
>
> -Original Message-
> From: "Shahab Vahabzadeh" 
> Sent: Sunday, January 15, 2012 4:26pm
> To: "Leigh Porter" 
> Cc: "nanog@nanog.org" 
> Subject: Re: OSS Systems
>
> Hi there again,
> I think Leigh is not available this week, anybody else idea about such a
> system?
> Which loadbalancer is good to use? LVS or hardware one? or radius as a
> proxy?
> How database must be placed? How radius servers talk to DB?
> And which radius server you suggest? Radiator?
> Thanks
>
> On Fri, Jan 6, 2012 at 1:45 AM, Leigh Porter
> wrote:
>
> >
> >
> > On 5 Jan 2012, at 22:02, "Shahab Vahabzadeh" 
> > wrote:
> >
> > > Hi there,
> > > Has anybody experience about running and OSS System in enterprise
> level?
> > > And do you have any idea about it?
> > > For example for an ISP who is running users more than 20K or 30K, there
> > > must be some good solutions to integrate all systems like:
> > > Radius, Billing Systems and CRM
> > > For example after searching and asking friends I have some ideas about
> > > Radius to use: radiator
> > > Is there anybody who has analyse such a systems before in his ISP? Need
> > > sharing here :)
> > > Thanks
> >
> > We did this a few years ago and ended up writing the whole thing
> > ourselves. This included billing, subscriber management etc etc.
> >
> > We integrated with salesforce.com for the internal front end and the user
> > facing stuff we did ourselves.
> >
> > It was a big project and took a team of six about six months. But we
> ended
> > up with a perfect solution that did exactly what we needed and it was
> > pretty good.
> >
> > It handled within the order of users you mention, but we designed to 100k
> > users.
> >
> > We used radiator (highly recommended) with openldap back end. Multiple
> > load balanced servers etc etc.
> >
> > The worst thing we did was to build our own mail system. Not that it was
> > an issue, it never went wrong, but these days I'd just send people to
> gmail
> > or something.
> >
> > --
> > Leigh Porter
> >
> >
> >
>
>
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>
>
>
>
>
>
Hi there again,
About this solution can anybody help with the best partition layout for
these machines?
For such an OSS system we need these 4 machines and having the best partition
layout for them is important, for example maybe we need a big /var/log for
the Radius Server etc.

   1. Load Balancer (ipvs)
   2. Radius Server (radiator/freeradius)
   3. Database Server (mysqld)
   4. Web Server for Billing (apache2)

Thanks


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


IX in Iran by TIC

2016-06-27 Thread Shahab Vahabzadeh
Hello Everybody,
I am here to announce that TIC in Iran launched Neutral Internet Exchange
Points.
Right now we have four in:

   - Tehran (tehran-ix.ir)
   - Shiraz (shiraz-ix.ir)
   - Tabriz (tabriz-ix.ir)
   - Mashhad (mashhad-ix.ir)

Currently we have near 45Gbps traffic on it but it will increase to 100Gbps
within two months. Content Providers activating their BGP peering with
members one by one.

Also I have something interesting for you around the world, TIC is
launching an International IX in Chabahar called Chabahar IX (chabahar-ix.ir)
which can be interesting for T1 ISPs or Content Providers like Akamai,
Amazon, Google, Limelight, Cloudflare and etc.

We are able to give anyone colocation space or ground for building their
own Datacenter.
As you know Iran is cheapest country in Middle East for Energy and
Electricity reasons so we are the best opportunity for having a node there.
Cables we have there right now are POI, FALCON and GCX.

Please share this with your friends or your Business Development
departments.
If anyone has a question regarding this you can contact me via this email or
peer...@tic.ir.
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 1C43 988E 01A8 4D95 B662 9118 CD94 9F10 4DF4 6163


Akamai and Instagram Ranges

2017-01-28 Thread Shahab Vahabzadeh
Hello Hello,
Can anybody help me to find out IP Address Ranges of Akamai and Instagram?
I wanna do some optimizations on my cache side?
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 1C43 988E 01A8 4D95 B662 9118 CD94 9F10 4DF4 6163


Re: CGNAT

2017-04-06 Thread Shahab Vahabzadeh
Hello Ahmad,
I am using F5 for CGNAT, right now 250K subscriber with 28Gbps bandwidth,
I will double it with the second appliance easily soon.
It's high performance and I like it.
Any time Any Question
Thanks

Ch,
Shahab

On Thu, Apr 6, 2017 at 7:41 PM +0430, "Ahmed Munaf" wrote:

Hi,

Any recommendation regarding CGNAT appliance who try it and which brand is the
best from his perspective!

The throughput which I want to pass through the CGNAT is about 40Gbits and
number of subscribers are about 40,000 subscribers.

Regards,
Ahmed


IRNOG1 Meeting

2017-05-13 Thread Shahab Vahabzadeh
Hello Hello,
Proudly I want to announce that 1st IRNOG Meeting will launch at 24th of
May in Tehran.
In the first day of public announce we had near 90 people registered to
attend the meeting.
Hope to find this meeting useful in Iranian Community. It would be great to
get your ideas about the experiences of coordinating such meetings.

http://ir-nog.com

Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 1C43 988E 01A8 4D95 B662 9118 CD94 9F10 4DF4 6163


DHCP Server ACS Parameters on Huawei 5300 and 5600 DSLAM

2014-07-10 Thread Shahab Vahabzadeh
Hello Everybody,
Does anybody have experience running a DHCP Server on Huawei DSLAMs?
We wanna run TR069 on our network, We need a DHCP server to pass ACS
parameters.
Like ACS URL, ACS Username and Password.
Thanks



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Cisco ASR 1000 for Broadband Usage

2014-08-16 Thread Shahab Vahabzadeh
Dear Friends,
We have near 32K User with ISG support, anybody has an idea for the
part number of the device?
I decided to buy Cisco ASR 1006 with two DC Power and two RP2 and two
ESP-20G.
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 1C43 988E 01A8 4D95 B662 9118 CD94 9F10 4DF4 6163


DDoS Attacks Cause of Game Servers

2013-01-30 Thread Shahab Vahabzadeh
Hi everybody,
Last two days I was under an interesting attack which comes from multiple
sources to three of my ADSL users destination.
The attack made the router run out of CPU and we had to reload it to solve it.
I asked those three users and they said we are only game players and all of
them were kids, I think they told the truth, they told we are playing:
http://intl.garena.com/
Attacks take only 20 or 30 minutes and it happened only 4 times in two days.
I couldn't capture any packets but this is the output of my "show ip
accounting" at that time:

 Source            Destination       Packets   Bytes
 212.180.138.90    128.141.119.209   117       5148
 135.62.255.246    128.141.119.209   117       5148
 46.136.27.13      128.141.119.209   117       5148
 25.181.84.74      128.141.119.209   117       5148
 108.0.207.17      128.141.119.209   117       5148
 181.95.89.1       128.141.119.209   117       5148
 36.161.28.42      128.141.119.209   117       5148
 39.130.139.157    128.141.119.209   117       5148
 139.81.4.106      128.141.119.209   117       5148
 3.229.28.78       128.141.119.209   117       5148
 115.28.11.208     128.141.119.209   117       5148
 206.42.151.199    128.141.119.209   117       5148
 213.221.149.41    128.141.119.209   117       5148
 81.203.234.196    128.140.109.209   117       5148
 43.134.71.94      128.141.119.209   117       5148
 157.69.74.39      128.141.119.209   117       5148
 16.206.47.71      128.141.119.209   117       5148
 77.25.17.243      128.141.119.209   117       5148

If you have any information in this field and you can help me to find who
is behind this, please share.
Thanks


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
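
An added example, not code from anyone in this thread: one way to summarise "show ip accounting" rows per destination, showing how many distinct sources hit each subscriber address, the average packet size, and whether the sources all report the same packet and byte counts, as the rows in the table above do. The sample rows are constructed from documentation address ranges, and the function names and the thresholds in `suspicious` are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the four-column layout of the table in the post
# (Source, Destination, Packets, Bytes). Documentation addresses only.
SAMPLE = """\
 Source            Destination       Packets   Bytes
 198.51.100.10     192.0.2.20        117       5148
 198.51.100.77     192.0.2.20        117       5148
 203.0.113.5       192.0.2.20        117       5148
 203.0.113.99      192.0.2.20        117       5148
 198.51.100.200    192.0.2.20        117       5148
 203.0.113.14      192.0.2.21        12        10480
 203.0.113.14      192.0.2.22        950       1213000
 not-an-ip         192.0.2.20        117       5148
"""


def parse_rows(text):
    """Yield (src, dst, packets, bytes) for well-formed rows, skip the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            src = ipaddress.ip_address(fields[0])
            dst = ipaddress.ip_address(fields[1])
            packets, nbytes = int(fields[2]), int(fields[3])
        except ValueError:
            continue  # header line or a damaged row
        if packets <= 0 or nbytes < 0:
            continue
        yield str(src), str(dst), packets, nbytes


def summarize(text):
    """Group rows by destination and compute fan-in statistics."""
    per_dst = defaultdict(list)
    for src, dst, packets, nbytes in parse_rows(text):
        per_dst[dst].append((src, packets, nbytes))

    report = {}
    for dst, rows in per_dst.items():
        total_packets = sum(r[1] for r in rows)
        total_bytes = sum(r[2] for r in rows)
        # Share of rows carrying the single most common (packets, bytes) pair.
        _, count = Counter((r[1], r[2]) for r in rows).most_common(1)[0]
        report[dst] = {
            "sources": len({r[0] for r in rows}),
            "packets": total_packets,
            "bytes": total_bytes,
            "avg_packet_size": total_bytes / total_packets,
            "uniform_share": count / len(rows),
        }
    return report


def suspicious(report, min_sources=4, max_avg_size=64, min_uniform=0.8):
    """Destinations hit by many sources with small, identical counters.

    The thresholds are assumptions for this example, not values from the
    thread; tune them against normal traffic on the router in question.
    """
    return sorted(
        dst
        for dst, s in report.items()
        if s["sources"] >= min_sources
        and s["avg_packet_size"] <= max_avg_size
        and s["uniform_share"] >= min_uniform
    )


if __name__ == "__main__":
    rep = summarize(SAMPLE)
    for dst in suspicious(rep):
        s = rep[dst]
        print(f"{dst}: {s['sources']} sources, {s['packets']} packets, "
              f"{s['avg_packet_size']:.0f} bytes/packet on average")
```
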


Re: DDoS Attacks Cause of Game Servers

2013-01-30 Thread Shahab Vahabzadeh
Those IP addresses I sent were only a sample, it's 5 pages :D and not only
those addresses.
And you are looking at target 128.141.X.Y, it's mine and I changed it because
of the mailing list, maybe attackers are here.
You must check the sources not the destination.
Thanks

On Thu, Jan 31, 2013 at 11:06 AM, Jeroen Massar  wrote:

> On 2013-01-31 08:04 , Shahab Vahabzadeh wrote:
> > Hi everybody,
> > Last two days I was under an interesting attack which comes from multiple
> > sources to three of my ADSL users destination.
>
> You say that it comes from multiple sources to 3 of your DSL users.
>
> The below source/dest though shows that the destination is from CERN in
> Switzerland, you know the people who build black holes ;)
>
> The IP does not ping at the moment, but the whois indicates 'dyn' in the
> netname thus that is not too unsurprising.
>
> > The attack make router to ran out of CPU and we had to reload it to
> > solve.
> > I ask those three users and they said we are only game players and all of
> > them were kids, I think they told the true, they told we are playing:
> > http://intl.garena.com/
>
> Looks not like a game, just another messenger / IM client.
>
> > Attacks takes only 20 or 30 minutes and it happens only 4 times in two
> > days.
> > I couldn't capture any packet but this is out put of my "show ip
> > accounting" that time:
>
> You'll be needing a bit more info than that... and 117 packets with a
> total of 5148 bytes is not a lot of traffic to put anything down (unless
> it is a targeted attack)
>
> You might though contact the CERN NOC, if you really think something is
> funny there. Timestamps might be very useful to provide though,
> especially if the IP is really dynamic.
>
> Greets,
>  Jeroen
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


ICMP Redirect on Resolvers

2013-04-05 Thread Shahab Vahabzadeh
Hello everybody,
I have two DNS servers (resolvers) running on FreeBSD 9.0, and I always see
messages like this in the console:

icmp redirect from 192.168.140.36: 192.168.179.80 => 192.168.140.254

and lots of messages like this, mostly with IP addresses that do not belong to
me, and sometimes these resolvers stop working.
My question is: what are these messages? Why are they only shown in the console
of these servers and not others? And do they cause problems like the
server/services stopping working?
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


OSPF and Forcing a Subnet

2013-07-20 Thread Shahab Vahabzadeh
Dear Friends,
I have an OSPF over GRE configuration, which I am sending below, and with
which I have a problem.
I want to force OSPF to advertise the 172.16/16 range without checking anything.
As you can see, I have a static route for it in the routing table, but still
OSPF does not advertise it; it only advertises it when I put one /32 subnet on
a loopback interface.
I even put the "redistribute static subnets" command, with and without a
route-map, but again it does not work.
I think that because I have my provider's address range in my static routes,
the routers and OSPF get confused when they want to advertise routers.


interface Tunnel0
 ip address 128.140.40.2 255.255.255.252
 tunnel source 10.20.76.2
 tunnel destination 10.20.75.2
interface GigabitEthernet0/0
 description UPSTREAM - INTRANET
 ip address 10.20.76.2 255.255.255.248
interface GigabitEthernet0/1
 description CONNECTED ROUTER
 ip address 10.20.76.9 255.255.255.248

router ospf 10
 log-adjacency-changes
 area 10 range 172.16.0.0 255.255.0.0
 passive-interface default
 no passive-interface Tunnel0
 network 172.16.0.0 0.0.255.255 area 10
 network 128.140.40.0 0.0.0.3 area 0
ip route 0.0.0.0 0.0.0.0 10.20.76.1
ip route 172.16.0.0 255.255.224.0 10.20.76.12
ip route 10.20.76.0 255.255.255.0 10.20.76.12
ip route 10.20.77.0 255.255.255.0 10.20.76.12



Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: OSPF and Forcing a Subnet

2013-07-20 Thread Shahab Vahabzadeh
Dear Jon, I made a mistake in my last email; there is a static route like
this:

ip route 172.16.0.0 255.255.0.0 10.20.76.12

but again it is redistributing


On Sun, Jul 21, 2013 at 12:22 AM, Jon Lewis  wrote:

> You don't have a route for 172.16/16 in the config below, so ospf will not
> advertise it.  You do have a route for a subnet of 172.16/16, so either use
> summary-address 172.16.0.0 255.255.0.0 or nail up a static route for
> 172.16.0.0 255.255.0.0 to null0 and redistribute static subnets, and then
> ospf can redistribute that static route.
>
>
> ------------------------------------------------------------------
>  Jon Lewis, MCP :)   |  I route
>                      |  therefore you are
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: OSPF and Forcing a Subnet

2013-07-20 Thread Shahab Vahabzadeh
Dear Randy,
Thanks for your help, but 172.16/16 belongs to that region and, for example,
172.17/16 belongs to another one, and I want OSPF to bring me the whole
subnet, not only what I have used.
And summary-address does not do this for me.
Thanks


On Sun, Jul 21, 2013 at 1:21 AM, Randy  wrote:

> what you are seeing is the expected behavior.
>
> you are asking the router to generate a type 3 summary for a type 1 lsa
> that doesn't exist for area 10 via the "area 10 range" command (also, that
> is why it works when you add a /32 to loopback)
>
> 172.16/16 is an external route. If you want to generate a type 5 aggregate
> use summary-addr as Jon has pointed out. Else, leave static in place,
> redist static subnets but remove "area 10 range 172.16.0.0 255.255.0.0"
> from ospf config.
> ./Randy
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Native VLAN for Huawei MA5616 DSLAM

2013-08-10 Thread Shahab Vahabzadeh
Dear Friends,
Does anybody have an idea about changing the native VLAN on a Huawei MA5616 DSLAM?
I cannot find the correct syntax; there is no option under "interface eth 0/0".
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Native VLAN for Huawei MA5616 DSLAM

2013-08-11 Thread Shahab Vahabzadeh
Dear Georgi,
MA5616 does not have any SCU interface...
What can we do?


On Sun, Aug 11, 2013 at 4:17 PM, Georgi Genov  wrote:

> It's configurable under scu/scuh/giu board
>
> interface scu 0/9
>  native-vlan 1 vlan 
>  native-vlan 2 vlan 
> or
> interface   giu 0/19
>  native-vlan 1 vlan 
>  native-vlan 2 vlan 
>
> On 11.8.2013 at 09:33, Shahab Vahabzadeh wrote:
>
>> Dear Friends,
>> Anybody have idea about changing native vlan on Huawei MA5616 DSLAM?
>> I can not find the correct syntax, there is no option under "interface eth
>> 0/0"
>> Thanks
>>
>>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Native VLAN for Huawei MA5616 DSLAM

2013-08-11 Thread Shahab Vahabzadeh
Only these interfaces are available under:

MA5616(config)# interface ?
 adsl
 emu
 eponnni
 eth
 gponnni
 h248
 loopback
 meth
 null
 shl
 vdsl
 vlanif


Thanks





-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Native VLAN for Huawei MA5616 DSLAM

2013-08-12 Thread Shahab Vahabzadeh
Dear Tina,
Thanks for your reply,
I have done the same as the example you gave, but there is no native-vlan
command inside interface eth 0/0.
Here is my configuration and the version of the device; maybe the firmware does
not support it.

MA5616#display current-configuration

[vlan-config]

 vlan 2 smart
 port vlan 2 0/0 0


MA5616#display board 0
  -------------------------------------------------------------------------
  SlotID  BoardName  Status         SubType0  SubType1  Online/Offline
  -------------------------------------------------------------------------
  0       H831CCUB   Active_normal  EP1A      ASDA
  1       H835ADLE   Auto_find
  2       H835ADLE   Auto_find
  3       H835ADLE   Auto_find
  4       H835ADLE   Auto_find
  5       H831PDIA   Normal
  -------------------------------------------------------------------------


MA5616#display version

  Command:
  display version

  VERSION : MA5616V800R308C01
  PATCH   : SPC200 SPH508 HP2108
  PRODUCT : MA5616

  Mainboard Running Area Information:

  Current Program Area : Area A
  Current Data Area : Area A

  Program Area A Version : MA5616V800R308C01
  Program Area B Version : MA5616V800R308C01

  Data Area A Version : MA5616V800R308C01
  Data Area B Version : MA5616V800R308C01


MA5616(config)#interface eth 0/0

MA5616(config-if-eth-0/0)#?
---------------------------------------------
  Command of eth Mode:
---------------------------------------------
auto-neg          Enable/Disable port negotiation
combo-mode        Switch working mode of COMBO port
display           Display information
duplex            Set duplex
flow-control      Support flow control
line              Line test
mdi               Line-adaptive function
mirror            Add mirror
network-role      Network role
port              Set TX optical power threshold
quit              Exit from current mode and enter prior mode
reset             Clear port statistics
return            Enter the privileged mode
shutdown          Deactivate port
speed             Rate
switch            Switch language mode
traffic-suppress  Set port traffic suppression
undo              Negate a command or set its defaults

Thanks



On Mon, Aug 12, 2013 at 5:51 AM, Tina TSOU wrote:

> Dear all,
> Only for the uplink GE, the native VLAN can be configured, it can not be
> configured for NNI EPON/GPON and UNI DSL port.
>
> //if the uplink port is GE, then configure a new VLAN 2
> huawei(config)#vlan 2
> //add the uplink GE 0/0 0 to VLAN 2
> huawei(config)#port vlan 2 0/0 0
> //change to uplink card interface view
> huawei(config)#interface eth 0/0
> //change native vlan of uplink GE to 2
> huawei(config-if-eth-0/0)#native-vlan 0 vlan 2
>
>
> Thank you,
> Tina
>
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Native VLAN for Huawei MA5616 DSLAM

2013-08-13 Thread Shahab Vahabzadeh
Dear Tina,
How can I upgrade the version? Must the main board be changed, or can it be
upgraded by changing the software/firmware?
Thanks


On Tue, Aug 13, 2013 at 6:29 AM, Tina TSOU wrote:

> Dear Shahab,
>
> Thank you for more information.
>
> CCUB main board doesn't support native-VLAN setting, only CCUE main board
> supports it, the version should be upgraded to R312 above.
>
> Thank you,
>
> Tina
>

SMTP Authentication for Local Domain in Postfix

2013-08-15 Thread Shahab Vahabzadeh
Dear friends,
I have a problem with my Postfix configuration. I have enabled SASL for
Postfix and now authentication works well for my clients, but right now
anybody can send email from my local domain to my local domain without
authentication, and because of that I have lots of attacks.
How can I force that if the sender is my local domain it must authenticate?!
Here is my Postfix configuration:

main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
smtpd_helo_restrictions =
    permit_mynetworks,
    #reject_non_fqdn_hostname,
    reject_invalid_hostname
smtpd_sender_restriction =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access_table
    reject_unknown_sender_domain,
    reject_non_fqdn_sender
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unverified_recipient,
    reject_unauth_destination,
    check_policy_service unix:private/policy-spf,
    permit


master.cf:

smtp  inet  n   -   -   -   -   smtpd
  -o content_filter=spamassassin
submission inet n   -   -   -   -   smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=spamassassin
smtps inet  n   -   -   -   -   smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
spamassassin
  unix  -   n   n   -   -   pipe
  user=nobody argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
policy-spf  unix  -   n   n   -   -   spawn
  user=nobody argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl


access_table:

mydomain.com    REJECT You're not me!



Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
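
A check for the situation described in this post, where a sender check is present in main.cf but local-domain mail is still accepted without authentication (added example, not part of the original message and not Postfix's own tooling). Postfix treats an unrecognised name in main.cf as a user-defined parameter, so a restriction list under a misspelled name is never evaluated; the sample config is constructed and the 0.9 similarity cutoff is an assumption.

```python
"""Lint a Postfix main.cf for sender-restriction mistakes (added example)."""
import difflib
import re

# smtpd restriction-list parameters documented in postconf(5).
RESTRICTION_LISTS = sorted({
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions", "smtpd_data_restrictions",
    "smtpd_end_of_data_restrictions", "smtpd_etrn_restrictions",
})

# Constructed sample: the sender check sits under a misspelled parameter name.
BROKEN = """\
smtpd_sasl_auth_enable = yes
smtpd_sender_restriction =
    permit_mynetworks,
    permit_sasl_authenticated,
    # local domain must authenticate
    check_sender_access hash:/etc/postfix/access_table
    reject_unknown_sender_domain
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Same file with the parameter name corrected.
FIXED = BROKEN.replace("smtpd_sender_restriction =", "smtpd_sender_restrictions =")


def parse_main_cf(text):
    """Join physical lines into {name: value} the way main.cf is read:
    a line starting with whitespace continues the previous parameter, and
    blank or '#' lines are skipped without ending it."""
    params, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None:
                params[current] += " " + stripped
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def tokens(value):
    """Split a restriction list on commas and whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def lint(text):
    """Return a list of findings; an empty list means no issue was detected."""
    params = parse_main_cf(text)
    findings = []
    for name in params:
        if name in RESTRICTION_LISTS:
            continue
        near = difflib.get_close_matches(name, RESTRICTION_LISTS, n=1, cutoff=0.9)
        if near:
            findings.append(f"{name} is not a restriction list Postfix evaluates; "
                            f"did you mean {near[0]}?")
    active = {n: tokens(v) for n, v in params.items() if n in RESTRICTION_LISTS}
    holders = [n for n, toks in active.items() if "check_sender_access" in toks]
    if not holders:
        findings.append("check_sender_access is not in any evaluated restriction list")
    for name in holders:
        toks = active[name]
        if "permit_sasl_authenticated" not in toks[:toks.index("check_sender_access")]:
            findings.append(f"{name}: check_sender_access runs before "
                            "permit_sasl_authenticated, so authenticated users hit it too")
    return findings


if __name__ == "__main__":
    for label, config in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(config) or "no findings")
```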


anybody from Amsterdam Internet Exchange (ams-ix) to help?

2013-09-18 Thread Shahab Vahabzadeh
Hello Everybody,
Is there anybody from Amsterdam IX here?
I have some questions about concept of IXP.
If anybody else has enough information about IXPs, please message me
off the list.
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Cisco 7606 CPU Usage Problem

2014-02-04 Thread Shahab Vahabzadeh
Hi there,
I have a Cisco 7606 with this module on it:

WS-SUP32-GE-3B


and I am using its own 8 port like this:

2 ports as a Layer 2 EtherChannel uplink to my Cisco 4900 switch and 1 Layer
2 uplink to the Internet, and nearly 10 tunnels to my customers for Internet
exchange with BGP peering, plus some policy maps for shaping the tunnel interfaces.
With my EtherChannel traffic at 600Mbps (each port 300Mbps) I get 90% CPU load
and ping time problems on my router; what is the problem??
And when I run: show processes cpu sorted
I get an "Unknown" process eating the CPU...
I tried lots of IOS versions but it does not make a difference.

My IOS version is:

c7600s3223-adventerprisek9-mz.150-1.S1.bin



and some general configuration:

no ip source-route
!
ip cef load-sharing algorithm original
no ip domain lookup
!
!
!
!
mls ip cef load-sharing full
no mls flow ip
no mls flow ipv6
mls qos
mls cef error action reset
multilink bundle-name authenticated
!
spanning-tree mode pvst
spanning-tree extend system-id
system flowcontrol bus auto
diagnostic bootup level minimal
port-channel load-balance src-ip
username admin secret 5 $1$g6WX$LaQbPyD3qIaHsF5qTqt8g0
!
redundancy
 main-cpu
  auto-sync running-config
 mode sso
!
!
!
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000


Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


MTU Problem on Cisco 7606

2014-03-10 Thread Shahab Vahabzadeh
Hi everybody,
I changed my core router from a 7206 VXR to a 7606 with RSP720 a month ago.
I had a GRE tunnel on the 7206 to one of my regions with this config:

interface Tunnel1
 ip mtu 1500
 ip policy route-map clear-df


I have copied this config to the new 7606, but now I have a
problem with page loads.
For example, yahoo.com does not work at all.
I changed the Tunnel interface config to:

interface Tunnel1
 ip tcp adjust-mss 1360
 tunnel mode ipip


But again it does not make a difference; for example, yahoo.com is solved but
another site is put in trouble.
I must note that my region-side router is a 7206 VXR and we have not changed
that router; it is the same as it was before.
The question is: what is different between the 7600 and the 7200 in MTU?
I changed "system jumbomtu" to 1526 on the 7606 but it does not make any
difference.
Would you please help me in this field?
Thanks

IOS on 7606:

c7600rsp72043-adventerprisek9-mz.152-4.S4a.bin


IOS on 7206:

c7200p-adventerprisek9-mz.124-24.T.bin


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Zabbix Template for Cisco 7606

2014-03-18 Thread Shahab Vahabzadeh
Hi everybody,
Does anybody have a Zabbix template for the Cisco 7606?
I need:

   - In/Out interface traffic, uptime, cpu & memory utilization,
   temperatures, ...
   - Graph and Trigger

Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Attack on UDP 101

2012-07-21 Thread Shahab Vahabzadeh
Hi there,
Does anybody know of any report about an attack on UDP port 101 which makes
Layer 3 loops?
This is an example sniff:

Source IP Address is : 76.164.199.86
Source port: 62946  Destination port: 101
2012-07-21 11:11:09.646757

Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Attack on UDP 101

2012-07-21 Thread Shahab Vahabzadeh
Dear Christopher,
There is no route for this host, but my users connect to this router via a
virtual-template interface, and on the uplink interface of the same router
nearly 300Mbps of traffic is automatically being generated (output) and it is
looping on the same interface (no broadcast on other interfaces).
I sniffed the traffic at that time with tcpdump and I think there were lots of
packets like this. I thought it was an attack from one of the users because my
netflow analyser does not show any record with this IP address.
Do you have any idea?
Thanks

On Sat, Jul 21, 2012 at 10:17 PM, Christopher Morrow <
morrowc.li...@gmail.com> wrote:

> On Sat, Jul 21, 2012 at 10:50 AM, Shahab Vahabzadeh
>  wrote:
> > 76.164.199.86
>
> is this host perhaps a bcast/network address or routed oddly at the
> destination? (/32 route to something that is redirecting to another
> place? or redirecting back toward 0/0?)
>
> also:
> versaweb should fix their rwhois server:
> Found a referral to rwhois.versaweb.com:4321.
>
> PHP Warning:  PHP Startup: Unable to load dynamic library
> '/usr/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so' -
> /usr/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so:
> cannot open shared object file: No such file or directory in Unknown
> on line 0
> PHP Warning:  PHP Startup: Unable to load dynamic library
> '/usr/lib/php/extensions/no-debug-non-zts-20090626/ixed.5.3.lin' -
> /usr/lib/php/extensions/no-debug-non-zts-20090626/ixed.5.3.lin: cannot
> open shared object file: No such file or directory in Unknown on line
> 0
> X-Powered-By: PHP/5.3.8
> Set-Cookie: UBERSID=2d6ba57f7921e7694c87b3dfe04eb745; path=/
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma: no-cache
> Content-type: text/html; charset=UTF-8
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Attack on UDP 101

2012-07-21 Thread Shahab Vahabzadeh
Dear Stefan,
I have an 7206VXR Router with this design:

int gig 0/1: directly connected to 3750 switch (uplink to internet)
int gig 0/2: vlan termination from PSTN centers
int virtual-template1: xdsl users

For about 4 days I have seen nearly 300Mbps of outbound traffic on int gig0/1,
while there is no such traffic on any of the router's interfaces, but the same
traffic is seen on the 3750 peer interface.
I tried to run a monitor session on the 3750 and monitor the port traffic, in
which I see that the packet is generated from a user and it is in a loop
between the 3750 and the 7206.
When I disconnect that user, I see that the packet is in the loop again;
because of that I am sure it is making a loop, but I do not know whether the
reason is those packets or not.

Thanks


On Sat, Jul 21, 2012 at 11:02 PM, Stefan Fouant <
sfou...@shortestpathfirst.net> wrote:

> Can you give us more  information? What do you mean it is causing Layer 3
> loops?
>
> Stefan Fouant
>
> Sent from my HTC on the Now Network from Sprint!
>
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Attack on UDP 101

2012-07-21 Thread Shahab Vahabzadeh
Can hardware problem make something happen?

On Sat, Jul 21, 2012 at 11:38 PM, Christopher Morrow <
morrowc.li...@gmail.com> wrote:

> On Sat, Jul 21, 2012 at 2:41 PM, Shahab Vahabzadeh
>  wrote:
> > Dear Stefan,
> > I have an 7206VXR Router with this design:
> >
> > int gig 0/1: directly connected to 3750 switch (uplink to internet)
> > int gig 0/2: vlan termination from PSTN centers
> > int virtual-template1: xdsl users
> >
> > Its about 4 days that I see near 300Mbps outbound traffic in int gig0/1
> > that there is no such a traffic in none of routers interface, but the
> > same traffic is seen in 3750 peer interface.
> > I try to run monitor session on 3750 and monitor port traffic which I see
> > that packet is generating from a user and its in a loop between 3750 and
> > 7206.
>
> I suspect that the 7206 and 3750 both think the other guy has
> default... and with no more specific to follow the packet just
> pingpongs between the 2 devices. I would also suspect you see this for
> more than one destination :(
>
> picking just one entry (last entry I see) from route-views.routeviews.org:
> BGP routing table entry for 76.164.192.0/19, version 708055091
> Paths: (35 available, best #31, table Default-IP-Routing-Table)
> ...
> 4436 6939 53340 36114
> 69.31.111.244 from 69.31.111.244 (69.31.111.244)
>   Origin IGP, metric 0, localpref 100, valid, external
>   Community: 4436:21216
>
> all of 36114(versaweb) traffic would seem to head through
> 53340(vegasnap) on the way home, so... maybe something else is going
> on like you didn't accept transit routes (or send them or something
> else) from your transit? hard to say with as little info as we see
> here, but :)
>
> > When I disconnect that user, I see that that packet is in loop again,
> > because of that I am sure it's making a loop but I do not know the reason
> > is that packets or not.
> >
> > Thanks
> >
> >
> > On Sat, Jul 21, 2012 at 11:02 PM, Stefan Fouant <
> > sfou...@shortestpathfirst.net> wrote:
> >
> >> Can you give us more  information? What do you mean it is causing Layer
> 3
> >> loops?
> >>
> >> Stefan Fouant
> >>
> >> Sent from my HTC on the Now Network from Sprint!
> >>
> >>
> >> - Reply message -
> >> From: "Shahab Vahabzadeh" 
> >> Date: Sat, Jul 21, 2012 10:50 am
> >> Subject: Attack on UDP 101
> >> To: 
> >>
> >> Hi there,
> >> Does any body know any report about attack on UDP Port 101 which make
> Layer
> >> 3 Loops?
> >> This is an example sniff:
> >>
> >> Source IP Address is : 76.164.199.86
> >> Source port: 62946  Destination port: 101
> >> 2012-07-21 11:11:09.646757
> >>
> >> Thanks
> >>
> >> --
> >> Regards,
> >> Shahab Vahabzadeh, Network Engineer and System Administrator
> >>
> >> Cell Phone: +1 (415) 871 0742
> >> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
> >>
> >>
> >>
> >
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > Cell Phone: +1 (415) 871 0742
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
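
The ping-pong that Christopher Morrow suspects in the reply quoted above can be checked offline from the two devices' routing tables. The following is an added example, not part of the original thread: it does a longest-prefix-match lookup per device, reports the forwarding cycle, and counts how often one packet crosses the 7206/3750 link before its TTL expires. Only the device names come from the thread; the tables, the 10.20.0.0/16 subscriber prefix, the destination 203.0.113.9 and the EXIT marker are constructed assumptions.

```python
import ipaddress

# Constructed forwarding tables (assumptions, not the poster's configuration).
# A next hop is another device name, or "EXIT" when the packet leaves this pair.
LOOPING = {
    "7206": {"0.0.0.0/0": "3750", "10.20.0.0/16": "EXIT"},  # subscribers behind the BRAS
    "3750": {"0.0.0.0/0": "7206"},                          # default points back at the 7206
}
FIXED = {
    "7206": {"0.0.0.0/0": "3750", "10.20.0.0/16": "EXIT"},
    "3750": {"0.0.0.0/0": "EXIT", "10.20.0.0/16": "7206"},  # default goes to the transit
}


def next_hop(table, dst):
    """Longest-prefix match; returns the next hop or None when nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), hop) for prefix, hop in table.items()
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def find_loop(tables, ingress, dst):
    """Return the forwarding cycle for dst as a list of devices, or None."""
    node, order = ingress, []
    while node not in order:
        order.append(node)
        hop = next_hop(tables[node], dst)
        if hop in (None, "EXIT"):
            return None
        node = hop
    return order[order.index(node):] + [node]


def forward(tables, ingress, dst, ttl=64):
    """Forward one packet the way routers do, decrementing TTL at every hop."""
    node, path = ingress, []
    while True:
        path.append(node)
        ttl -= 1
        if ttl == 0:  # this router drops the packet (and would send ICMP time exceeded)
            return {"outcome": "ttl-expired", "path": path,
                    "link_crossings": len(path) - 1}
        hop = next_hop(tables[node], dst)
        if hop is None:
            return {"outcome": "no-route", "path": path,
                    "link_crossings": len(path) - 1}
        if hop == "EXIT":
            return {"outcome": "delivered", "path": path,
                    "link_crossings": len(path) - 1}
        node = hop


def looping_destinations(tables, ingress, destinations):
    """Every destination in the list that ends up in a forwarding cycle."""
    return [d for d in destinations if find_loop(tables, ingress, d)]


if __name__ == "__main__":
    for name, tables in (("looping", LOOPING), ("fixed", FIXED)):
        result = forward(tables, "7206", "203.0.113.9")
        print(name, find_loop(tables, "7206", "203.0.113.9"),
              result["outcome"], result["link_crossings"])
```

With the looping tables a single packet with TTL 64 crosses the inter-device link 63 times, which is why a modest source rate can show up as hundreds of Mbps on that one link and on no other interface.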


Re: Provider standard ARP Timeout?

2012-08-10 Thread Shahab Vahabzadeh
I am using arp-timeout 900 (means 15min), because of having problems with
my upstream ethernet connection and everything is ok, and I have not seen
any relation between MAC Address aging time and that, aging time is default
300sec for me ;)
Thanks

On Fri, Aug 10, 2012 at 6:53 PM, Jay Nakamura  wrote:

> Cisco default ARP timeout is 4 hours.  Do anyone change that to
> something shorter in a provider environment for customer with Ethernet
> connectivity?  What is a good value to set it to?
>
> Are there any impacts for lowering the timeout?  Other than higher CPU
> util for doing ARP a lot more on the router?
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Any Idea About Spectrum-DMR-104-1 ?!

2012-08-13 Thread Shahab Vahabzadeh
Dear Friends,
I wanna buy a free license radio with more than 150Mbps capacity (full
duplex), and I found a company in the Middle East who has Spectrum-DMR-104-1
available right now. Does anybody have experience with that? Is it really
a 300Mbps radio?
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Any Idea About Spectrum-DMR-104-1 ?!

2012-08-16 Thread Shahab Vahabzadeh
Dear Owen,
Thanks for your reply, in reply to your factors:

1. 1~2 Kilometers
2. PTP
3. Directional
4. 29db Dish (single or dual)

Thanks

On Tue, Aug 14, 2012 at 1:13 AM, Owen DeLong  wrote:

> There are a lot of factors to consider when trying to use ISM band for high
> bandwidth...
>
> 1.  What kind of distance do you want to cover?
> 2.  Is this point to point, or point to multipoint?
> 3.  Directional or Omni?
> 4.  Antenna Height, Fresnel Zone, Noise Floor, other path
> interference, etc.
>
> The 5.725-5.825Ghz band is used by 802.11a/n and is the only unlicensed
> spectrum around 5.8Ghz. A 300Mbps symbol rate should be achievable
> with wideband channels in that frequency range. As an example, an Apple
> Airport Extreme can do better than 150Mbps full duplex on 802.11n/5Ghz.
>
> Owen
>
> On Aug 13, 2012, at 10:57 , Shahab Vahabzadeh 
> wrote:
>
> > Dear Friends,
> > I wanna buy a free license radio with more that 150Mpbs capacity (full
> > duplex), and I found a company in middle east who has Spectrum-DMR-104-1
> > available right now, any body has experience about that? Is it really
> > 300Mbps radio?
> > Thanks
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > Cell Phone: +1 (415) 871 0742
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Fair Use Policy

2012-08-22 Thread Shahab Vahabzadeh
Hello Everybody,
Has anybody any good and easy setup idea for "Fair Use Policy" service for
my xdsl customers?!
Can this be done on the BRAS side, with nothing done with accounting and radius?
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Fair Use Policy

2012-08-22 Thread Shahab Vahabzadeh
Dear Owen,
As you know in peak time of internet usage like midnight in which we have
free-access times too, some users who really want to use internet for
their daily usage and not downloading or using peer-to-peer services
unfairly affecting this problem.
Some companies are using some policies for users to solve this problem.
Do you have any idea?
Thanks

On Wed, Aug 22, 2012 at 11:22 PM, Owen DeLong  wrote:

> I think the first step would be to define what you mean by fair use.
>
> Are you talking in the DMCA sense of the term, the legal sense of the term
> as applies
> to IP in other areas, or something else?
>
> Owen
>
> On Aug 22, 2012, at 11:40 , Shahab Vahabzadeh 
> wrote:
>
> > Hello Everybody,
> > Has any body any good and easy setup idea for "Fair Use Policy" service
> for
> > my xdsl customers?!
> > Can do this in the BRAS side and nothing done with accounting and radius?
> > Thanks
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > Cell Phone: +1 (415) 871 0742
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Fair Use Policy

2012-08-22 Thread Shahab Vahabzadeh
What I am mostly talking about is services like CoA, in which you can change
a user's shape on a time basis and periodically without disconnecting them.

On Wed, Aug 22, 2012 at 11:33 PM, Owen DeLong  wrote:

> If you want to control usage that way, sell a metered product. Bill the
> heavy users more for their usage.
>
> Otherwise, price your services such that you can build adequate upstream
> capacity to serve your users.
>
> I'm not a fan of using "rateshaping" (which is what you are describing) to
> cover for inadequate facilities.
>
> Owen
>
> On Aug 22, 2012, at 11:57 , Shahab Vahabzadeh 
> wrote:
>
> Dear Owen,
> As you know in pick time of internet usage like midnight in which we have
> free-access times too, some users which really want to use internet for
> their daily usage and not downloading or using peer-to-peer services
> unfairly affecting this problem.
> Some companies are using some polices for users to solve this problem.
> Do you have any Idea?
> Thanks
>
> On Wed, Aug 22, 2012 at 11:22 PM, Owen DeLong  wrote:
>
>> I think the first step would be to define what you mean by fair use.
>>
>> Are you talking in the DMCA sense of the term, the legal sense of the
>> term as applies
>> to IP in other areas, or something else?
>>
>> Owen
>>
>> On Aug 22, 2012, at 11:40 , Shahab Vahabzadeh 
>> wrote:
>>
>> > Hello Everybody,
>> > Has any body any good and easy setup idea for "Fair Use Policy" service
>> for
>> > my xdsl customers?!
>> > Can do this in the BRAS side and nothing done with accounting and
>> radius?
>> > Thanks
>> >
>> > --
>> > Regards,
>> > Shahab Vahabzadeh, Network Engineer and System Administrator
>> >
>> > Cell Phone: +1 (415) 871 0742
>> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>>
>>
>
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> Cell Phone: +1 (415) 871 0742
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
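
The CoA mechanism mentioned in the message above is RADIUS Change-of-Authorization (RFC 5176): the policy server sends a CoA-Request to the BRAS to change a live session. The following is an added example, not part of the original thread, showing how such a request is encoded and the checks a receiver applies before acting on it (authenticator, then Event-Timestamp freshness). The shared secret, user name, session id, the Filter-Id value FUP-NIGHT-256K and the 300-second window are constructed assumptions.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43  # RFC 5176 packet code
USER_NAME, FILTER_ID, ACCT_SESSION_ID, EVENT_TIMESTAMP = 1, 11, 44, 55


def _attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _authenticator(header, attrs, secret):
    # CoA Request Authenticator: MD5 over the 4-byte header, 16 zero octets,
    # the attributes and the shared secret (same rule as Accounting-Request).
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_coa_request(ident, secret, user, session_id, policy, now):
    """Policy-server side: ask the NAS to apply `policy` to one live session."""
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(ACCT_SESSION_ID, session_id.encode())
             + _attr(FILTER_ID, policy.encode())
             + _attr(EVENT_TIMESTAMP, struct.pack("!I", now)))
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs


def parse_attrs(data):
    """Split the attribute area into {type: value}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def verify_coa_request(packet, secret, now, window=300):
    """NAS side: return (True, attrs) for an acceptable request, else (False, reason)."""
    if len(packet) < 20:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST:
        return False, "not a CoA-Request"
    if length < 20 or length > len(packet):
        return False, "bad length"
    attrs_raw = packet[20:length]
    expected = _authenticator(packet[:4], attrs_raw, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad authenticator"  # wrong secret or modified attributes
    try:
        attrs = parse_attrs(attrs_raw)
    except ValueError as exc:
        return False, str(exc)
    stamp = attrs.get(EVENT_TIMESTAMP)
    if stamp is None or len(stamp) != 4:
        return False, "missing Event-Timestamp"
    if abs(now - struct.unpack("!I", stamp)[0]) > window:
        return False, "stale Event-Timestamp"  # replay of an old, valid request
    return True, attrs


# Constructed sample values.
SECRET = b"constructed-secret"
NOW = 1345663000
PACKET = build_coa_request(7, SECRET, "subscriber1", "0000A1B2", "FUP-NIGHT-256K", NOW)

if __name__ == "__main__":
    print(verify_coa_request(PACKET, SECRET, NOW + 10))
    print(verify_coa_request(PACKET.replace(b"256K", b"999K"), SECRET, NOW + 10))
    print(verify_coa_request(PACKET, SECRET, NOW + 3600))
```

Because a CoA-Request changes a subscriber's service on the spot, the NAS should accept it only from configured policy servers and only when both checks pass.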


Re: Fair Use Policy

2012-08-22 Thread Shahab Vahabzadeh
I am using Cisco 7206 VXR with NPE-G2 as my BRASes.

On Wed, Aug 22, 2012 at 11:40 PM, Alastair Johnson  wrote:

> Depends on your BRAS. Some support time-of-day or other threshold based
> policy changes.
>
> Generally speaking though you would be better going to an external policy
> engine.
>
> -Original Message-
> From: Shahab Vahabzadeh 
> Date: Wed, 22 Aug 2012 23:36:40
> To: Owen DeLong
> Cc: 
> Subject: Re: Fair Use Policy
>
> What I am talking mostly is some services like COA, in which you can change
> users shape time-base and periodically without disconnecting them.
>
> On Wed, Aug 22, 2012 at 11:33 PM, Owen DeLong  wrote:
>
> > If you want to control usage that way, sell a metered product. Bill the
> > heavy users more for their usage.
> >
> > Otherwise, price your services such that you can build adequate upstream
> > capacity to serve your users.
> >
> > I'm not a fan of using "rateshaping" (which is what you are describing)
> to
> > cover for inadequate facilities.
> >
> > Owen
> >
> > On Aug 22, 2012, at 11:57 , Shahab Vahabzadeh 
> > wrote:
> >
> > Dear Owen,
> > As you know in pick time of internet usage like midnight in which we have
> > free-access times too, some users which really want to use internet for
> > their daily usage and not downloading or using peer-to-peer services
> > unfairly affecting this problem.
> > Some companies are using some polices for users to solve this problem.
> > Do you have any Idea?
> > Thanks
> >
> > On Wed, Aug 22, 2012 at 11:22 PM, Owen DeLong  wrote:
> >
> >> I think the first step would be to define what you mean by fair use.
> >>
> >> Are you talking in the DMCA sense of the term, the legal sense of the
> >> term as applies
> >> to IP in other areas, or something else?
> >>
> >> Owen
> >>
> >> On Aug 22, 2012, at 11:40 , Shahab Vahabzadeh 
> >> wrote:
> >>
> >> > Hello Everybody,
> >> > Has any body any good and easy setup idea for "Fair Use Policy"
> service
> >> for
> >> > my xdsl customers?!
> >> > Can do this in the BRAS side and nothing done with accounting and
> >> radius?
> >> > Thanks
> >> >
> >> > --
> >> > Regards,
> >> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >> >
> >> > Cell Phone: +1 (415) 871 0742
> >> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367
> BF90
> >>
> >>
> >
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > Cell Phone: +1 (415) 871 0742
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
> >
> >
> >
>
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> Cell Phone: +1 (415) 871 0742
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Fair Use Policy

2012-08-22 Thread Shahab Vahabzadeh
Dear Owen,
Would you please describe this somehow more in my business plan?
I have both limited and unlimited users.
For example I have these services in my package:
512Kb-5GB-1Month
256Kb-Unlimit-1Month
And like this.
Thanks

On Thu, Aug 23, 2012 at 12:02 AM, Owen DeLong  wrote:

> Right... more specific aspect of the same coin. If you have adequate
> facilities, you don't need to shape users.
> If you have users that are overconsuming for your pricing model, there are
> two good solutions:
>
> 1. Raise the prices enough for everyone that you can absorb these users.
>  2. Implement usage-based charges (or usage based charges above a certain
> usage tier) that cause these users to either self-regulate or pay for the
> necessary
>  upgrades to your infrastructure.
>
> Claiming to deliver "unlimited" service and then shaping it is, IMHO, a
> questionable business practice at best.
>
> Owen
>
> On Aug 22, 2012, at 12:06 , Shahab Vahabzadeh 
> wrote:
>
> What I am talking mostly is some services like COA, in which you can
> change users shape time-base and periodically without disconnecting them.
>
> On Wed, Aug 22, 2012 at 11:33 PM, Owen DeLong  wrote:
>
>> If you want to control usage that way, sell a metered product. Bill the
>> heavy users more for their usage.
>>
>> Otherwise, price your services such that you can build adequate upstream
>> capacity to serve your users.
>>
>> I'm not a fan of using "rateshaping" (which is what you are describing)
>> to cover for inadequate facilities.
>>
>> Owen
>>
>> On Aug 22, 2012, at 11:57 , Shahab Vahabzadeh 
>> wrote:
>>
>> Dear Owen,
>> As you know in pick time of internet usage like midnight in which we have
>> free-access times too, some users which really want to use internet for
>> their daily usage and not downloading or using peer-to-peer services
>> unfairly affecting this problem.
>> Some companies are using some polices for users to solve this problem.
>> Do you have any Idea?
>> Thanks
>>
>> On Wed, Aug 22, 2012 at 11:22 PM, Owen DeLong  wrote:
>>
>>> I think the first step would be to define what you mean by fair use.
>>>
>>> Are you talking in the DMCA sense of the term, the legal sense of the
>>> term as applies
>>> to IP in other areas, or something else?
>>>
>>> Owen
>>>
>>> On Aug 22, 2012, at 11:40 , Shahab Vahabzadeh 
>>> wrote:
>>>
>>> > Hello Everybody,
>>> > Has any body any good and easy setup idea for "Fair Use Policy"
>>> service for
>>> > my xdsl customers?!
>>> > Can do this in the BRAS side and nothing done with accounting and
>>> radius?
>>> > Thanks
>>> >
>>> > --
>>> > Regards,
>>> > Shahab Vahabzadeh, Network Engineer and System Administrator
>>> >
>>> > Cell Phone: +1 (415) 871 0742
>>> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367
>>> BF90
>>>
>>>
>>
>>
>> --
>> Regards,
>> Shahab Vahabzadeh, Network Engineer and System Administrator
>>
>> Cell Phone: +1 (415) 871 0742
>> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>>
>>
>>
>
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> Cell Phone: +1 (415) 871 0742
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Fair Use Policy

2012-08-22 Thread Shahab Vahabzadeh
Thanks for everyone's speech in this topic, but I think I cannot describe
my problem clearly; let me explain it somewhat more:
You know I have two kinds of ADSL services, Limited and Unlimited.
Limited Like:
512Kb-4GB-3Month
1024Kb-4GB-3Month
2048Kb-6GB-3Month
4096Kb-8GB-3Month

Unlimited Like:
128Kb-1Month
256Kb-1Month

and etc. But when a customer is in our sales department, they do not know
whether he will download more or have normal usage. Is he a heavy
peer-to-peer service downloader, or is he a doctor who wants to check his
emails only, and wants this service always?
Our problem comes at midnight, because in the middle of the night, from
2:00 AM till 8:00 AM, we do not have any traffic counting for users.
That means they can download for free at this time, and if we buy more
bandwidth only for this time for users, it will be unusable at other times
like mornings.
I want a logical way to solve this problem, technically or with sales
techniques. We must control users' usage, and I cannot do anything to them;
they love free times and they want to download, but they are going to make
me run out of bandwidth at that time, so what about that doctor and his emails?
You know no manager will accept increasing bw only for nights :D

Thanks


On Thu, Aug 23, 2012 at 9:51 AM, Mikael Abrahamsson wrote:

> On Wed, 22 Aug 2012, Sean Harlow wrote:
>
>  As far as I can tell, the actual cost of the bits being transferred is so
>> minuscule as to be practically irrelevant for anyone who's not at the scale
>> to be dealing directly with Tier 1 carriers.  Capacity costs money, but
>> once it's there utilization is nothing.
>>
>
> The problem the OP is probably dealing with is an incumbent who they are
> buying capacity from at hugely inflated prices, so all of a sudden the cost
> of capacity is a significant part of total operating cost.
>
> There are still markets in the world where a megabit/s of capacity can
> cost hundreds of dollars per month (even when buying tens of them). This is
> usually due to politics and/or law and thus regulatory problems, but it's
> still a situation some have to operate in.
>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Cisco 7206 IOS for PPPoE Termination

2012-09-23 Thread Shahab Vahabzadeh
Hello everybody,
I am using C7206 VXR NPE-G2 routers as BRAS in my network and the current
IOS is *c7200p-adventerprisek9-mz.124-24.T.bin* on them.
Also their memory was upgraded to 2GB instead of 1GB.
And I have near 6500 online users on each of my BRASes and there is no
specific feature except aaa with radius and ordinary features.
The router is also terminating dot1q too because my PSTN centers' traffic
comes through dot1q vlans to the BRASes.
I think I have some problem with the current IOS; my CPU usage is abnormal
and it's near 70% or 80%.
And when I have a network problem and some of the PSTN centers go down, the
CPU goes to 99% and it has trouble recovering.
Do you know any good IOS for me as a service provider to use?
I heard that some service providers have near 8000 online users on 7206.
Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Cisco 7206 IOS for PPPoE Termination

2012-09-23 Thread Shahab Vahabzadeh
Which software did you use before for them?

On Sun, Sep 23, 2012 at 10:43 PM, Rinse Kloek wrote:

> 6000 PPP users on a NPE-G2 is way too much imho. Currently we do no more
> than 3000 users on a NPE-G2 with PPPoA. (Max cpu 50%).
> 5 years ago, we did about 5000 users on a NPE-G2, but as traffic ratio's
> grow each year the maximum users a NPE-G2 can handle will drop each year.
> Don't forget an NPE-G2 is a software based platform, so traffic forwarding
> is done in software CPU.
>
> regards,
> Rinse Kloek
> Op 23-9-2012 20:51, Shahab Vahabzadeh schreef:
>
>> Hello everybody,
>> I am using C7206 VXR NPE-G2 routers as BRAS in my network and the current
>> IOS is *c7200p-adventerprisek9-mz.**124-24.T.bin* on them.
>>
>> Also their memory upgraded to 2GB instead of 1GB.
>> And I have near 6500 online user on each of my BRAS and there is no
>> speciefic feature except aaa with radius and ordinary features.
>> There router is also terminating dot1q too because my PSTN centers traffic
>> comes through dot1q vlans to BRAS es.
>> I think I have some problem with current IOS, My CPU Usage is abnormal and
>> Its near %70 or %80.
>> And when I have a network problem and some of PSTN centers goes down CPU
>> go
>> to %99 and it gets problem to recovery.
>> Do you know any good IOS for me as a service provider to use?
>> I heard that some service providers have near 8000 online user on 7206.
>> Thanks
>>
>>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Cisco 7206 IOS for PPPoE Termination

2012-09-23 Thread Shahab Vahabzadeh
Dear Paul,
Thanks for your reply. May I have those optimization knobs for
virtual-template and throttles?
Maybe looking into your configurations would help me in this field.
I will look for the service provider image too.
Thanks

On Sun, Sep 23, 2012 at 11:17 PM, PC  wrote:

> For this application, you may wish to consider the service provider images.
>
> The latest 15.x(S) image works, as it is the derivative of what was
> formerly the service-provider oriented 12.2(SRx) images.
>
> However, it's unlikely to drop steady state CPU, but it may contain some
> optimizations for concurrent PPP (re)negotiations on the G2 platform during
> session recovery.
>
> PPPoE will generally handle more users on ethernet as it is easier to push
> packets on when not dealing with the ATM encapsulations, but to what extent
> this holds true on the 7200, I can't tell you for sure.
>
> I'd also read the broadband aggregation guide under the IOS documentation
> on cisco.com, and tune all the knobs that may help you, there are some
> pointers on what items on virtual-templates are punitive in performance,
> other optional items such as disabling SNMP counters on virtual access
> interfaces to reduce cpu usage, and other items that may help little by
> little.  There are also various knobs to throttle PPPoE renegotiation rates
> during recovery.
>
> I wish you luck (and consider getting another and/or bigger router to
> split the load).
>
> On Sun, Sep 23, 2012 at 1:23 PM, Shahab Vahabzadeh <
> sh.vahabza...@gmail.com> wrote:
>
>> Which software you used before for them?
>>
>> On Sun, Sep 23, 2012 at 10:43 PM, Rinse Kloek > >wrote:
>>
>> > 6000 PPP users on a NPE-G2 is way too much imho. Currently we do no more
>> > than 3000 users on a NPE-G2 with PPPoA. (Max cpu 50%).
>> > 5 years ago, we did about 5000 users on a NPE-G2, but as traffic ratio's
>> > grow each year the maximum users a NPE-G2 can handle will drop each
>> year.
>> > Don't forget an NPE-G2 is a software based plaform, so traffic
>> forwarding
>> > is done in software CPU.
>> >
>> > regards,
>> > Rinse Kloek
>> > Op 23-9-2012 20:51, Shahab Vahabzadeh schreef:
>> >
>> >> Hello everybody,
>> >> I am using C7206 VXR NPE-G2 routers as BRAS in my network and the
>> current
>> >> IOS is *c7200p-adventerprisek9-mz.**124-24.T.bin* on them.
>>
>> >>
>> >> Also their memory upgraded to 2GB instead of 1GB.
>> >> And I have near 6500 online user on each of my BRAS and there is no
>> >> speciefic feature except aaa with radius and ordinary features.
>> >> There router is also terminating dot1q too because my PSTN centers
>> traffic
>> >> comes through dot1q vlans to BRAS es.
>> >> I think I have some problem with current IOS, My CPU Usage is abnormal
>> and
>> >> Its near %70 or %80.
>> >> And when I have a network problem and some of PSTN centers goes down
>> CPU
>> >> go
>> >> to %99 and it gets problem to recovery.
>> >> Do you know any good IOS for me as a service provider to use?
>> >> I heard that some service providers have near 8000 online user on 7206.
>> >> Thanks
>> >>
>> >>
>>
>>
>> --
>> Regards,
>> Shahab Vahabzadeh, Network Engineer and System Administrator
>>
>> Cell Phone: +1 (415) 871 0742
>> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>>
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Cisco 7206 IOS for PPPoE Termination

2012-09-23 Thread Shahab Vahabzadeh
Why joking, Mark?

On Mon, Sep 24, 2012 at 12:19 AM, Mark Gauvin  wrote:

> You are joking I hope
>
> Sent from my iPhone
>
> On 2012-09-23, at 3:38 PM, "Shahab Vahabzadeh" 
> wrote:
>
> > Dear Paul,
> > Thanks for you reply, May I have those optimization knobs for
> > virtual-template and throttles?
> > Maybe looking into your configurations help me in this field.
> > I will look for the service  provider image too.
> > Thanks
> >
> > On Sun, Sep 23, 2012 at 11:17 PM, PC  wrote:
> >
> >> For this application, you may wish to consider the service provider
> images.
> >>
> >> The latest 15.x(S) image works, as it is the derivative of what was
> >> formerly the service-provider oriented 12.2(SRx) images.
> >>
> >> However, it's unlikely to drop steady state CPU, but it may contain some
> >> optimizations for concurrent PPP (re)negotiations on the G2 platform
> during
> >> session recovery.
> >>
> >> PPPoE will generally handle more users on ethernet as it is easier to
> push
> >> packets on when not dealing with the ATM encapsulations, but to what
> extent
> >> this holds true on the 7200, I can't tell you for sure.
> >>
> >> I'd also read the broadband aggregation guide under the IOS
> documentation
> >> on cisco.com, and tune all the knobs that may help you, there are some
> >> pointers on what items on virtual-templates are punitive in performance,
> >> other optional items such as disabling SNMP counters on virtual access
> >> interfaces to reduce cpu usage, and other items that may help little by
> >> little.  There are also various knobs to throttle PPPoE renegotiation
> rates
> >> during recovery.
> >>
> >> I wish you luck (and consider getting another and/or bigger router to
> >> split the load).
> >>
> >> On Sun, Sep 23, 2012 at 1:23 PM, Shahab Vahabzadeh <
> >> sh.vahabza...@gmail.com> wrote:
> >>
> >>> Which software you used before for them?
> >>>
> >>> On Sun, Sep 23, 2012 at 10:43 PM, Rinse Kloek <
> rinse.kl...@isp.solcon.nl
> >>>> wrote:
> >>>
> >>>> 6000 PPP users on a NPE-G2 is way too much imho. Currently we do no
> more
> >>>> than 3000 users on a NPE-G2 with PPPoA. (Max cpu 50%).
> >>>> 5 years ago, we did about 5000 users on a NPE-G2, but as traffic
> ratio's
> >>>> grow each year the maximum users a NPE-G2 can handle will drop each
> >>> year.
> >>>> Don't forget an NPE-G2 is a software based plaform, so traffic
> >>> forwarding
> >>>> is done in software CPU.
> >>>>
> >>>> regards,
> >>>> Rinse Kloek
> >>>> Op 23-9-2012 20:51, Shahab Vahabzadeh schreef:
> >>>>
> >>>>> Hello everybody,
> >>>>> I am using C7206 VXR NPE-G2 routers as BRAS in my network and the
> >>> current
> >>>>> IOS is *c7200p-adventerprisek9-mz.**124-24.T.bin* on them.
> >>>
> >>>>>
> >>>>> Also their memory upgraded to 2GB instead of 1GB.
> >>>>> And I have near 6500 online user on each of my BRAS and there is no
> >>>>> speciefic feature except aaa with radius and ordinary features.
> >>>>> There router is also terminating dot1q too because my PSTN centers
> >>> traffic
> >>>>> comes through dot1q vlans to BRAS es.
> >>>>> I think I have some problem with current IOS, My CPU Usage is
> abnormal
> >>> and
> >>>>> Its near %70 or %80.
> >>>>> And when I have a network problem and some of PSTN centers goes down
> >>> CPU
> >>>>> go
> >>>>> to %99 and it gets problem to recovery.
> >>>>> Do you know any good IOS for me as a service provider to use?
> >>>>> I heard that some service providers have near 8000 online user on
> 7206.
> >>>>> Thanks
> >>>>>
> >>>>>
> >>>
> >>>
> >>> --
> >>> Regards,
> >>> Shahab Vahabzadeh, Network Engineer and System Administrator
> >>>
> >>> Cell Phone: +1 (415) 871 0742
> >>> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367
> BF90
> >>>
> >>
> >>
> >
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > Cell Phone: +1 (415) 871 0742
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>



-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Cisco 7206 IOS for PPPoE Termination

2012-09-23 Thread Shahab Vahabzadeh
I know how to use Google, dear Mark, but I mean which configuration is
working successfully in their network.
I am currently using this config:

bba-group pppoe TEST
 virtual-template 1
 sessions per-mac limit 2
 sessions per-vlan limit 5000
 sessions per-vc throttle 15 30 300
 sessions per-mac throttle 15 30 300
 sessions auto cleanup

On Mon, Sep 24, 2012 at 4:32 AM, Sean Lazar  wrote:

> http://lmgtfy.com/?q=site%3Acisco.com+ios+broadband+aggregation+guide
>
> On 9/23/12 1:50 PM, Shahab Vahabzadeh wrote:
> > why joking Mark?
> >
> > On Mon, Sep 24, 2012 at 12:19 AM, Mark Gauvin  wrote:
> >
> >> You are joking I hope
> >>
> >> Sent from my iPhone
> >>
> >> On 2012-09-23, at 3:38 PM, "Shahab Vahabzadeh"  >
> >> wrote:
> >>
> >>> Dear Paul,
> >>> Thanks for you reply, May I have those optimization knobs for
> >>> virtual-template and throttles?
> >>> Maybe looking into your configurations help me in this field.
> >>> I will look for the service  provider image too.
> >>> Thanks
> >>>
> >>> On Sun, Sep 23, 2012 at 11:17 PM, PC  wrote:
> >>>
> >>>> For this application, you may wish to consider the service provider
> >> images.
> >>>> The latest 15.x(S) image works, as it is the derivative of what was
> >>>> formerly the service-provider oriented 12.2(SRx) images.
> >>>>
> >>>> However, it's unlikely to drop steady state CPU, but it may contain
> some
> >>>> optimizations for concurrent PPP (re)negotiations on the G2 platform
> >> during
> >>>> session recovery.
> >>>>
> >>>> PPPoE will generally handle more users on ethernet as it is easier to
> >> push
> >>>> packets on when not dealing with the ATM encapsulations, but to what
> >> extent
> >>>> this holds true on the 7200, I can't tell you for sure.
> >>>>
> >>>> I'd also read the broadband aggregation guide under the IOS
> >> documentation
> >>>> on cisco.com, and tune all the knobs that may help you, there are
> some
> >>>> pointers on what items on virtual-templates are punitive in
> performance,
> >>>> other optional items such as disabling SNMP counters on virtual access
> >>>> interfaces to reduce cpu usage, and other items that may help little
> by
> >>>> little.  There are also various knobs to throttle PPPoE renegotiation
> >> rates
> >>>> during recovery.
> >>>>
> >>>> I wish you luck (and consider getting another and/or bigger router to
> >>>> split the load).
> >>>>
> >>>> On Sun, Sep 23, 2012 at 1:23 PM, Shahab Vahabzadeh <
> >>>> sh.vahabza...@gmail.com> wrote:
> >>>>
> >>>>> Which software you used before for them?
> >>>>>
> >>>>> On Sun, Sep 23, 2012 at 10:43 PM, Rinse Kloek <
> >> rinse.kl...@isp.solcon.nl
> >>>>>> wrote:
> >>>>>> 6000 PPP users on a NPE-G2 is way too much imho. Currently we do no
> >> more
> >>>>>> than 3000 users on a NPE-G2 with PPPoA. (Max cpu 50%).
> >>>>>> 5 years ago, we did about 5000 users on a NPE-G2, but as traffic
> >> ratio's
> >>>>>> grow each year the maximum users a NPE-G2 can handle will drop each
> >>>>> year.
> >>>>>> Don't forget an NPE-G2 is a software based plaform, so traffic
> >>>>> forwarding
> >>>>>> is done in software CPU.
> >>>>>>
> >>>>>> regards,
> >>>>>> Rinse Kloek
> >>>>>> Op 23-9-2012 20:51, Shahab Vahabzadeh schreef:
> >>>>>>
> >>>>>>> Hello everybody,
> >>>>>>> I am using C7206 VXR NPE-G2 routers as BRAS in my network and the
> >>>>> current
> >>>>>>> IOS is *c7200p-adventerprisek9-mz.**124-24.T.bin* on them.
> >>>>>>> Also their memory upgraded to 2GB instead of 1GB.
> >>>>>>> And I have near 6500 online users on each of my BRAS and there is no
> >>>>>>> specific feature except aaa with radius and ordinary features.
> >>>>>>> There router is also terminating dot1q too because my PSTN centers
> >>>>> traffic
> >>>>>>> comes through dot1q vlans to BRAS es.
> >>>>>>> I think I have some problem with the current IOS; my CPU usage is abnormal
> >>>>>>> and it's near 70% or 80%.
> >>>>>>> And when I have a network problem and some of the PSTN centers go down, the
> >>>>>>> CPU goes to 99% and it has a problem recovering.
> >>>>>>> Do you know any good IOS for me as a service provider to use?
> >>>>>>> I heard that some service providers have near 8000 online users on
> >>>>>>> 7206.
> >>>>>>> Thanks
> >>>>>>>
> >>>>>>>
> >>>>>
> >>>>> --
> >>>>> Regards,
> >>>>> Shahab Vahabzadeh, Network Engineer and System Administrator
> >>>>>
> >>>>> Cell Phone: +1 (415) 871 0742
> >>>>> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367
> >> BF90
> >>>>
> >>>
> >>> --
> >>> Regards,
> >>> Shahab Vahabzadeh, Network Engineer and System Administrator
> >>>
> >>> Cell Phone: +1 (415) 871 0742
> >>> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367
> BF90
> >
> >
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Attacking on Source Port 0 (ZERO)

2012-10-14 Thread Shahab Vahabzadeh
Hi everybody,
Does anybody know what kind of attack can come to port 0? I see such
logs in my routers, which cause high CPU load:

MYROUTERIP:0
*41.78.77.178:2816*

MYROUTERIP:0
*217.160.5.153:2816*

Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Attacking on Source Port 0 (ZERO)

2012-10-14 Thread Shahab Vahabzadeh
Hi there,
It was TCP and I think it was not a DDoS attack because the traffic was not
heavy.
But I see abnormal CPU usage (99%) in my BRASes, which are Cisco 7206 VXR.
I think it acts like a worm or some attack which causes high CPU load in
some IOS.
Thanks

On Sun, Oct 14, 2012 at 5:13 PM, Dobbins, Roland  wrote:

>
> On Oct 14, 2012, at 4:48 PM, Shahab Vahabzadeh wrote:
>
> > Does any body know what kind of attack can be come to port 0?
>
> If it's protocol 0, instead of port 0, it's likely a packet-flooding DDoS
> attack.
>
> If it's port 0, you may be incorrectly blocking non-initial fragments.
>  Alternately, it could represent a fragmented DDoS attack, either
> non-initial fragments fired directly against something on your network or
> as the result of a DNS reflection/amplification attack against something on
> your network.
>
> The log fragment you posted doesn't provide enough detail to make an
> informed judgement.  Also, you should not place servers behind a stateful
> firewall, anyways.
>
> ---
> Roland Dobbins  // <http://www.arbornetworks.com>
>
>   Luck is the residue of opportunity and design.
>
>-- John Milton
>
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
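
The distinction Roland Dobbins draws in the reply quoted above (protocol 0, a literal port 0, or non-initial fragments that carry no port fields) can be checked against captured packets. The following is an added example, not part of the original thread; the helper names, addresses and sample packets are constructed for illustration.

```python
import struct

def ipv4(proto, payload, frag_units=0, more=False):
    """Build a constructed IPv4 packet (documentation addresses, checksum 0)."""
    flags_frag = (0x2000 if more else 0) | frag_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + payload

def tcp(sport, dport):
    """Minimal 20-byte TCP header with SYN set (constructed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

def classify(pkt):
    """Say why a log line for this packet could show port 0."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "malformed-header"
    flags_frag, = struct.unpack("!H", pkt[6:8])
    proto = pkt[9]
    if proto == 0:
        return "protocol-0"
    if flags_frag & 0x1FFF:
        # Offset > 0: the L4 header travelled in the first fragment only,
        # so there are no ports to read and a log may show 0 instead.
        return "non-initial-fragment"
    if proto in (6, 17):
        if len(pkt) < ihl + 4:
            return "truncated-l4"
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if sport == 0 or dport == 0:
            return "literal-port-0"
    return "initial-fragment" if flags_frag & 0x2000 else "unfragmented"

SAMPLES = {  # constructed packets, not taken from the thread
    "proto0": ipv4(0, b"\x00" * 16),
    "udp_tail": ipv4(17, b"\x00" * 32, frag_units=185),
    "tcp_port0": ipv4(6, tcp(2816, 0)),
    "tcp_web": ipv4(6, tcp(40000, 443)),
    "udp_head": ipv4(17, struct.pack("!HHHH", 53, 33000, 1500, 0) + b"\x00" * 8, more=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} {classify(pkt)}")
```

Run against a real capture, a high share of `non-initial-fragment` results points at fragment handling or a fragmented flood, while `literal-port-0` means the TCP or UDP header itself carries port 0.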


Re: IP tunnel MTU

2012-10-29 Thread Shahab Vahabzadeh
> >> > Yes; I was aware of this. But, what I want to get to is
> >> > setting the tunnel MTU to infinity.
> >> >
> >> >> This isn't a new issue; it's been around ever since tunneling
> >> technologies
> >> >> have been around, and tons have been written on this topic.  Look at
> >> your
> >> >> various router/switch vendor Web sites, archives of this list and
> >> others,
> >> >> etc.
> >> >
> >> > Sure. I've written a fair amount about it too over the span
> >> > of the last ten years. What is new is that there is now a
> >> > solution near at hand.
> >> >
> >> >> So, it's been known about, dealt with, and documented for a long
> time.
> >> In
> >> >> terms of doing something about it, the answer there is a) to allow
> the
> >> >> requisite ICMP for PMTU-D to work to/through any networks within your
> >> span
> >> >> of administrative control and b)
> >> >
> >> > That does you no good if there is some other network further
> >> > beyond your span of administrative control that does not allow
> >> > the ICMP PTBs through. And, studies have shown this to be the
> >> > case in a non-trivial number of instances.
> >> >
> >> >> b) adjusting your own tunnel MTUs to
> >> >> appropriate values based upon experimentation.
> >> >
> >> > Adjust it down to what? 1280? Then, if your tunnel with the
> >> > adjusted MTU enters another tunnel with its own adjusted MTU
> >> > there is an MTU underflow that might not get reported if the
> >> > ICMP PTB messages are lost. An alternative is to use IP
> >> > fragmentation, but recent studies have shown that more and
> >> > more operators are unconditionally dropping IPv6 fragments
> >> > and IPv4 fragmentation is not an option due to wrapping IDs
> >> > at high data rates.
> >> >
> >> > Nested tunnels-within-tunnels occur in operational scenarios
> >> > more and more, and adjusting the MTU for only one tunnel in
> >> > the nesting does you no good if there are other tunnels that
> >> > adjust their own MTUs.
> >> >
> >> >> Enterprise endpoint networks are notorious for blocking *all* ICMP
> (as
> >> >> well as TCP/53 DNS) at their edges due to 'security' misinformation
> >> >> propagated by Confused Information Systems Security Professionals and
> >> >> their ilk.  Be sure that your own network policies aren't part of the
> >> >> problem affecting your userbase, as well as anyone else with a need
> to
> >> >> communicate with properties on your network via tunnels.
> >> >
> >> > Again, all an operator can control is that which is within their
> >> > own administrative domain. That does no good for ICMPs that are
> >> > lost beyond their administrative domain.
> >> >
> >> > Thanks - Fred
> >> > fred.l.temp...@boeing.com
> >> >
> >> >> ---
> >> >> Roland Dobbins  // <http://www.arbornetworks.com>
> >> >>
> >> >> Luck is the residue of opportunity and design.
> >> >>
> >> >>  -- John Milton
> >> >>
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Ray Patrick Soucy
> >> Network Engineer
> >> University of Maine System
> >>
> >> T: 207-561-3526
> >> F: 207-561-3531
> >>
> >> MaineREN, Maine's Research and Education Network
> >> www.maineren.net
>
>
>
> --
> Ray Patrick Soucy
> Network Engineer
> University of Maine System
>
> T: 207-561-3526
> F: 207-561-3531
>
> MaineREN, Maine's Research and Education Network
> www.maineren.net
>
>


-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90


Re: Interesting google redirects.

2011-03-10 Thread Shahab Vahabzadeh
mine is redirecting to google.com.hk too :)

On Wed, Mar 9, 2011 at 2:19 PM, Gavin Pearce wrote:

> Sure you all know this already:
> http://google.com/ncr
>
> Temp fix for getting the .com version.
>
> G
>
> -----Original Message-----
> From: Mark Keymer [mailto:m...@viviotech.net]
> Sent: 04 March 2011 06:14
> To: Raymond Macharia
> Cc: nanog@nanog.org
> Subject: Re: Interesting google redirects.
>
> On this same subject. My techs have been complaining lately about our
> new VPS's we are making going to google.vm. Is there anything I can do
> on my end to get this corrected?
>
> Sincerely,
>
> Mark Keymer
>
>
> Raymond Macharia wrote:
>
> >Noticed the same thing to the .com.hk
> >Raymond Macharia
> >
> >
> >On Thu, Mar 3, 2011 at 8:04 PM, Wayne Lee
> wrote:
> >
> >
> >
> >>>>also some EU customers are getting redirected to .au  domain
> >>>>
> >>>>
> >>Mine got redirected to google.be for a while.
> >>
> >>
> >>
> >>
>
>
>
>


-- 
Regards,
Shahab Vahabzadeh, IP Engineer, *nix Admin and Geek

Phone:+1 (405) 5184491
Blog:   http://blog.shahabv.com
PGP Key Fingerprint:   8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90