RE: Small Internet border router options?

2024-05-13 Thread Tony Wicks
Juniper MX204, Nokia SR1/SR1s or for the cheaper side  Mikrotik CCR2216

-Original Message-
From: NANOG  On Behalf Of Tom
Samplonius
Sent: Tuesday, May 14, 2024 6:52 AM
To: NANOG 
Subject: Small Internet border router options?


  What are you using for small campus border routers?  So four to eight 10G
ports with a FIB for full scale L3?  


Tom





RE: The Reg does 240/4

2024-02-13 Thread Tony Wicks
I use a CCR2004 at home as it's one of the only devices that could handle
the 4Gb/s XGS-PON on pppoe. I've got an IPoE GPON (1000/500) failover, v4/v6
dual stack everywhere, incoming vpn and ipsec tunnels to other MT's and it
runs great. The only problem I have run into is if you run the 10G ports at
2.5G the buffering is a complete bust, so I have had to put cheap
10G/2.5G/1G switches in between the MT and 2.5G clients to achieve proper
performance. Oh, and some custom cooling fans as it gets a bit noisy once
the 10GBASET SFP's heat things up.

-Original Message-
From: NANOG  On Behalf Of Tim Howe
Sent: Wednesday, February 14, 2024 6:05 AM
To: nanog@nanog.org
Subject: Re: The Reg does 240/4

That's very disappointing.

I acquired a Mikrotik L009 router to play with recently, and it's been one
let-down after another; now this.

--TimH



RE: 202401102221.AYC Re: Streamline The CG-NAT Re: 202401100645.AYC Re: IPv4 address block

2024-01-10 Thread Tony Wicks
 

 

 

2)"... an operator clearly looking to acquire *publicly routable* space 
without being clear that this suggestion wouldn't meet their needs.  ":

 

Since 240/4 has 256M addresses while 100.64/10 has only 4M, a current 
CG-NAT cluster can be expanded 64 fold once the 240/4 is used. Looking from 
another angle, an IAP will then be able to expand the subscriber set 64 fold 
with still the original one publicly routable IPv4 address.

 

The OP asked for “Any idea please on the best way to buy IPv4 blocs and what is 
the price”. I would expect they want actual public IPv4 address blocks and not 
internal CGNAT space. While the idea of using 240/4 instead of 100.64/10 would 
certainly have some merit I don’t believe it’s in any way related to what this 
OP asked for.

 

regards

 



RE: Microsoft contact

2024-01-10 Thread Tony Wicks
Not unusual for random O365 blocks to appear, I especially like the way the 
reject message tries to refer the user back to their ISP as if their ISP is in 
any way involved with the internal Microsoft blocklist. “<<< 550 5.7.1 
Unfortunately, messages from [x.x.x.x] weren't sent. Please contact your 
Internet service provider since part of their network is on our block list 
(S3150).”

 

 

If you log it here “https://olcsupport.office.com/“ , in a day or two they 
normally fix it, always after saying "I do not see anything offhand with the 
IP’s (x.x.x.x) that would be preventing your mail from reaching our customers", 
then you reply to them with “well there is a problem as you are bouncing the 
email as per the bounce message”. Then they fix it. Same routine every time.

 

 

 

From: NANOG  On Behalf Of David Bass
Sent: Thursday, January 11, 2024 7:32 AM
To:  
Subject: Microsoft contact

 

Hi everyone, hope y’all had a great holidays. 

 

I’m looking for a Microsoft Office 365 contact who can help us…we’re struggling 
to get anywhere using the standard methods.  

 

We have a customer whose subnet is blacklisted, and is causing a lot of 
heartache.  We’ve proven to a couple of people at this point that Microsoft is 
blocking inbound traffic from this subnet, and so they can’t send/receive 
emails or access M365.  This is a new eyeball network, so needless to say that 
it’s painful. 

 

Appreciate the help!

 

David



{Disarmed} RE: {Disarmed} Re: {Disarmed} RE: IPv4 address block

2024-01-08 Thread Tony Wicks
All good, when I looked back at the email it does look somewhat disingenuous, 
I should have really put, here are his details if the OP wants them.

 

From: Ben Cox  
Sent: Tuesday, January 9, 2024 10:07 AM
To: Tony Wicks 
Cc: Ben Cox ; North American Network Operators' Group 

Subject: {Disarmed} Re: {Disarmed} RE: IPv4 address block

 

Ah, apologies on my part Tony, it did look a lot like a signature block and 
thus an amusing sock puppet SNAFU

 

 

 

On Mon, Jan 8, 2024, 20:54 Tony Wicks <t...@wicks.co.nz> wrote:

No, Eddies is NOT me, I included his details to be helpful to the OP….

From: Ben Cox <b...@benjojo.co.uk>
Sent: Tuesday, January 9, 2024 9:27 AM
To: Tony Wicks <t...@wicks.co.nz>
Cc: North American Network Operators' Group <nanog@nanog.org>
Subject: Re: IPv4 address block

Hey Tony/Eddie

I think your choice of email signature may have given away the game a little 
bit here

Regards

Ben Cartwright-Cox

On Mon, Jan 8, 2024, 20:00 Tony Wicks <t...@wicks.co.nz> wrote:

I have used Eddie at iptrading several times over the years for IP block 
purchases and never had this sort of issue, so would count this as a 
recommendation.

 

 

 

Regards,

 

Eddie Stauble

 

ed...@iptrading.com

855-IPTRADE (855-478-7233) Ext 107  Direct: 754-227-8423

From: NANOG On Behalf Of John Curran
Sent: Monday, January 8, 2024 7:46 PM
To: Eric Kuhnke 
Cc: nanog@nanog.org list 
Subject: Re: IPv4 address block

On Jan 7, 2024, at 9:04 PM, Eric Kuhnke wrote:

I might note that one of the qualified facilitators on the list recently "sold" 
me a block where the original entity which obtained it in the 1990s was still 
announcing it to all of their peers and transit after the wire transfer had 
been done, the ARIN process was done/ticket closed, and the block resided with 
my AS. 

Interesting.  If you believe that the qualified facilitator failed in their 
duty to you (more specifically, if they did not live up to an aspect of the 
code of conduct –  
https://www.arin.net/resources/registry/transfers/facilitators/codeofconduct/) 
then please drop ARIN a message with the specifics to 
facilitator-supp...@arin.net 

It took a significant amount of badgering the original block holder (an entity 
with which we had no pre-existing relationship or direct contacts into their 
engineering department) to get them to withdraw the announcement, which we did 
independently of the broker and quicker than they responded to us. So my 
message would be to do your own due diligence and investigation of IP space and 
don't trust what the "broker" tells you.

Absolutely - always a good idea. 

Thanks for feedback! 

/John

John Curran

President and CEO

American Registry for Internet Numbers



{Disarmed} RE: IPv4 address block

2024-01-08 Thread Tony Wicks
No, Eddies is NOT me, I included his details to be helpful to the OP…. 

 

 

From: Ben Cox  
Sent: Tuesday, January 9, 2024 9:27 AM
To: Tony Wicks 
Cc: North American Network Operators' Group 
Subject: Re: IPv4 address block

 

Hey Tony/Eddie

 

I think your choice of email signature may have given away the game a little 
bit here

 

Regards

Ben Cartwright-Cox

 

On Mon, Jan 8, 2024, 20:00 Tony Wicks <t...@wicks.co.nz> wrote:

I have used Eddie at iptrading several times over the years for IP block 
purchases and never had this sort of issue, so would count this as a 
recommendation.

 

 

 

Regards,

 

Eddie Stauble

 

ed...@iptrading.com

855-IPTRADE (855-478-7233) Ext 107  Direct: 754-227-8423

From: NANOG On Behalf Of John Curran
Sent: Monday, January 8, 2024 7:46 PM
To: Eric Kuhnke 
Cc: nanog@nanog.org list 
Subject: Re: IPv4 address block

On Jan 7, 2024, at 9:04 PM, Eric Kuhnke wrote:

I might note that one of the qualified facilitators on the list recently "sold" 
me a block where the original entity which obtained it in the 1990s was still 
announcing it to all of their peers and transit after the wire transfer had 
been done, the ARIN process was done/ticket closed, and the block resided with 
my AS. 

Interesting.  If you believe that the qualified facilitator failed in their 
duty to you (more specifically, if they did not live up to an aspect of the 
code of conduct –  
https://www.arin.net/resources/registry/transfers/facilitators/codeofconduct/) 
then please drop ARIN a message with the specifics to 
facilitator-supp...@arin.net 

It took a significant amount of badgering the original block holder (an entity 
with which we had no pre-existing relationship or direct contacts into their 
engineering department) to get them to withdraw the announcement, which we did 
independently of the broker and quicker than they responded to us. So my 
message would be to do your own due diligence and investigation of IP space and 
don't trust what the "broker" tells you.

Absolutely - always a good idea. 

Thanks for feedback! 

/John

John Curran

President and CEO

American Registry for Internet Numbers



RE: IPv4 address block

2024-01-08 Thread Tony Wicks
I have used Eddie at iptrading several times over the years for IP block 
purchases and never had this sort of issue, so would count this as a 
recommendation.

 

 

 

Regards,

 

Eddie Stauble

 

ed...@iptrading.com  

855-IPTRADE (855-478-7233) Ext 107  Direct: 754-227-8423

 

  

From: NANOG  On Behalf Of John Curran
Sent: Monday, January 8, 2024 7:46 PM
To: Eric Kuhnke 
Cc: nanog@nanog.org list 
Subject: Re: IPv4 address block

 

On Jan 7, 2024, at 9:04 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:

 

I might note that one of the qualified facilitators on the list recently "sold" 
me a block where the original entity which obtained it in the 1990s was still 
announcing it to all of their peers and transit after the wire transfer had 
been done, the ARIN process was done/ticket closed, and the block resided with 
my AS. 

 

Interesting.  If you believe that the qualified facilitator failed in their 
duty to you (more specifically, if they did not live up to an aspect of the 
code of conduct –  
https://www.arin.net/resources/registry/transfers/facilitators/codeofconduct/) 
then please drop ARIN a message with the specifics to 
facilitator-supp...@arin.net   





It took a significant amount of badgering the original block holder (an entity 
with which we had no pre-existing relationship or direct contacts into their 
engineering department) to get them to withdraw the announcement, which we did 
independently of the broker and quicker than they responded to us. So my 
message would be to do your own due diligence and investigation of IP space and 
don't trust what the "broker" tells you.

 

Absolutely - always a good idea. 

 

Thanks for feedback! 

/John

 

John Curran

President and CEO

American Registry for Internet Numbers

 

 

 

 



RE: CPE/NID options

2023-11-23 Thread Tony Wicks
The Nokia 7210 sas range has suitable devices for layer2 (sas-k5) and MPLS
(sas-k12, sas-d) edge at non totally crazy prices. They are true telco grade
edge devices - https://onestore.nokia.com/asset/184551

 

From: NANOG <nanog-bounces+chris=thesysadmin...@nanog.org> on behalf of Ross
Tajvar <r...@tajvar.io>
Sent: Thursday, November 23, 2023 3:41 PM
To: North American Network Operators' Group <nanog@nanog.org>
Subject: CPE/NID options 

 

I'm evaluating CPEs for one of my clients, a regional ISP. Currently, we're
terminating the customer's service (L3) on our upstream equipment and
extending it over our own fiber to the customer's premise, where it lands in
a Juniper EX2200 or EX2300.

 

At a previous job, I used Accedian's ANTs on the customer prem side. I like
the ANT because it has a small footprint with only 2 ports, it's passively
cooled, it's very simple to operate, it's controlled centrally, etc.
Unfortunately, when I reached out to Accedian, they insisted that the
controller (which is required) started at $30k, which is a non-starter for
us.

 

I'm not aware of any other products like this. Does anyone have a
recommendation for a simple L2* device to deploy to customer premises? Not
necessarily the exact same thing, but something similarly-featured would be
ideal.

 

*I'm not sure if the ANT is exactly "layer 2", but I don't know what else to
call it.



RE: 165 Halsey recurring power issues

2023-10-23 Thread Tony Wicks
If you have been sold "redundant" power and the DC provider has connected both 
sides to one UPS in any form they are seriously amiss. You should not be 
expected to know the internal workings of the DC UPS systems and any talk of 
battery packs (unless you are getting 48v DC) is utterly irrelevant. This DC 
provider is, in my opinion, very much out of step with reality if they think 
this is some sort of normal practice.



-Original Message-
From: NANOG  On Behalf Of Babak Pasdar
Sent: Tuesday, October 24, 2023 8:31 AM
To: James Jun 
Cc: nanog@nanog.org
Subject: Re: 165 Halsey recurring power issues

Thanks James,

At signup we asked for N+1 power, two circuits to different UPS units. I think 
they sliced it thin by connecting us to two battery packs on the same UPS. When 
the UPS controller crashed both battery packs went down. Which now raises the 
question -- is it reasonable to have to specify and expect that two UPS units 
means that they do not share any common points of failure.

Is the UPS the battery or the battery and controller combined?

Babak




RE: maximum ipv4 bgp prefix length of /24 ?

2023-09-29 Thread Tony Wicks
I am reminded of something I “saw” many years ago of a Quake server running on 
a Juniper M160, it wasn’t fast but oh the connectivity.

 

From: NANOG  On Behalf Of Tom Beecher
Sent: Saturday, September 30, 2023 11:03 AM
To: William Herrin 
Cc: nanog@nanog.org
Subject: Re: maximum ipv4 bgp prefix length of /24 ?

 

General Purpose CPU : Can run Doom.

Trio ASIC : Cannot run Doom.

 

Have a good weekend Bill. 



RE: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Tony Wicks
Oh, well that's fair enough then. Most engineers I know have sold off the 
goldmine that is historic IP blocks at this point. I'd doubt there is much 
advantage in using your own at this point though with Google moving to their 
highly annoying reputation based blocking. So having no email coming from an IP 
is almost as bad as having spam coming from other IP's in the block. They will 
"spam folder" email from fresh IP's until enough users "mark as not spam". I've 
taken to spending an hour or two replying to my own emails and "marking as not 
spam" if I change IP on an email host and it clears up eventually. Microsoft 
can randomly block at any time but reporting it here -  
https://olcsupport.office.com/ generally gets a human in a day or two that 
manually whitelists the IP. Google and V6 has been a total nightmare as they 
just randomly hard block for no reason and there is no way to ever have any 
human fix it (after ensuring all their guidelines are followed) so I've given 
up trying to use V6 to send email to google.




-Original Message-
From: Mel Beckman  
Sent: Wednesday, September 27, 2023 7:51 AM
To: Tony Wicks 
Cc: Daniel Corbe ; nanog@nanog.org
Subject: Re: SMTP-friendly VPS provider where I can also get a BGP feed

Tony,

BGP is helpful for email servers if you own your own clean IP space, because 
much cloud IP space is black listed. 

-mel via cell




RE: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Tony Wicks
I can't speak to the bgp feed as this seems like unnecessary complication to 
me, but I use https://www.racknerd.com/ for personal email/web hosting KVM VM's 
and have found them to be excellent. They have yearly black Friday specials 
(last year's - https://www.racknerd.com/BlackFriday/ ) that are very attractive. 
They don't block any ports on their US/Europe VM's. I use a primary pair in one 
city and rsync everything to a backup pair in another city (as well as home 
just to make sure). Not all cities can get V6 but most do.



-Original Message-
From: NANOG  On Behalf Of Daniel Corbe
Sent: Tuesday, September 26, 2023 11:09 PM
To: nanog@nanog.org
Subject: SMTP-friendly VPS provider where I can also get a BGP feed

Hey all,

I apologize if this isn't the right place to post this; however, I thought 
maybe the NANOG community would be able to point me in the right direction.

I'm looking for a place that I can host a mailer.  My primary use case is a 
Mailman-style technical discussion list; much like NANOG but software related 
instead of network related: READ: non-commercial in nature.

I'm currently a vultr customer, but they're refusing to unblock port 25 on my 
account.  I've tried explaining my use case but no matter who I talk to over 
there they just keep pointing me to their spam policy.

Thanks!
-Daniel



RE: Lossy cogent p2p experiences?

2023-09-01 Thread Tony Wicks
Yes adaptive load balancing very much helps but the weakness is it is normally 
only fully supported on vendor silicon not merchant silicon. Much of the 
transport edge is merchant silicon due to the per packet cost being far lower 
and the general requirement to just pass not manipulate packets. Using the 
Nokia kit for example the 7750 does a great job of "adaptive-load-balancing" 
but the 7250 is lacklustre at best.

-Original Message-
From: NANOG  On Behalf Of Saku Ytti
Sent: Friday, September 1, 2023 8:51 PM
To: Eric Kuhnke 
Cc: nanog@nanog.org
Subject: Re: Lossy cogent p2p experiences?

Luckily there is quite a reasonable solution to the problem, called 'adaptive 
load balancing', where software monitors balancing, and biases the hash_result 
=> egress_interface tables to improve balancing when dealing with elephant 
flows.




RE: 100G-LR1 (DR/FR)

2023-04-03 Thread Tony Wicks
I have been using the QSFP-100G-CWDM4 2k optics for within rack/DC for a 
couple of years now. They are about the same price as SR optics but allow the 
use of simple duplex single mode patches without blasting 10K optics at each 
other over a 2M patch. Never had one fail or any compatibility issues. 

-Original Message-
From: NANOG  On Behalf Of Mark Tinka
Sent: Monday, April 3, 2023 11:04 PM
To: nanog@nanog.org
Subject: Re: 100G-LR1 (DR/FR)



On 4/3/23 02:14, David Siegel wrote:

> At this point, I'd be happy to see others happily deploy a 
> single-lambda optic of almost any variety!  Since deploying 400G in a 
> clients network (but 100G still being the preferred connection 
> choice), any inquiry with respect to LR1, FR1 or DR+ is met with "no 
> thanks, LR4 please."
>
> If asked, I'd recommend FR1.  They're available at a great 
> price-point, and 2km reach is adequate for most applications.

Agreed.

Pricing between LR4, FR and DR is not too far apart.

The only optic that is substantially cheaper than all of them is the SR4.

So in my mind, FR is the most ideal, although I'd still use SR4 for in-rack, 
multi-mode cabling.

Mark.



RE: BCP38 For BGP Customers

2022-11-07 Thread Tony Wicks
>For large BGP customers who service many BGP downstreams, the bottom line is 
>that BCP 38 cannot be reasonably implemented. It's one of the weaknesses in 
>the system.

Yes, from personal experience BCP 38 should never be implemented by a transit 
provider as it will inevitably cause breakage on multi-homed downstream 
customers for little to no gain and a lot of customer anger. It should be 
implemented at the customer edge AS, so for a wholesale transit provider it is 
more of a customer education situation.  By all means use prefix lists to 
prevent your customer networks being received anywhere but directly from your 
customers to prevent them using your capacity without paying for it however.



RE: HE.net and BGP Communities

2022-07-25 Thread Tony Wicks
>
> I do understand the reasoning behind preferring customer routes.
> However in the case where a customer of a customer also connects to 
> you directly via peering doesn't it make sense to prefer the direct 
> connection?  or at least not prefer the customer learned routes.

So from my experience of working at transit providers over more years than I 
care to contemplate I can assure you what may seem to make sense as a customer 
does not necessarily translate to how IP routing works. IP has no concept of 
Customer or Peer it is simply designed to hand the packet to a valid next hop 
as determined by policies. As such routes are normally divided into customer, 
peer or further upstream transit if you are not one of the tier 1 providers. A 
peer provides you no income, a customer (a customer of a customer is largely 
the same thing as being a direct customer). Take the example of the customer 
buying a transit service on a 95th percentile basis. So as a transit provider I 
get paid based on how much traffic I hand to that port(s) and in turn I provide 
connectivity to all my peers, customers and upstream transits all over the 
world. I can't do this for free as then I can't pay for my network and I am a 
company not a charity. Customer X advertises his, let's say, /22 to me, all 
good. But then customer X advertises his /22 and some disaggregated /24's to a 
local peering exchange that I am also connected to. If I do not both prioritise 
customer X's customer port routes AND drop any more specific routes learnt from 
customer X then I will end up handing all customer X's outgoing traffic to them 
over the peering instead of the revenue generating port. I have seen customers 
do this both through innocent and malicious intent. Sure, there are a lot of 
complex policies that I might apply to accept local traffic in one area and 
hand other traffic via the transit port but why on earth would I do that and 
likely cause all sorts of other potential routing issues while reducing the 
revenue I am entitled to?
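
The routing outcome described in the reply above, as an added example that is not part of the original post: longest-prefix match beats local preference, so a higher local-pref on the customer port only holds if more specifics learned over peering are dropped on import. The prefixes, local-pref values and port names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed local-preference values (higher wins); real networks choose their own.
LOCAL_PREF = {"customer": 200, "peer": 100}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    session: str   # where the route was learned: "customer" or "peer"
    next_hop: str  # hypothetical egress port name


def route(prefix, session, next_hop):
    return Route(ipaddress.ip_network(prefix), session, next_hop)


# Constructed sample announcements from "customer X": the /22 on the paid
# port, plus the same /22 and two disaggregated /24s at a peering exchange.
RECEIVED = [
    route("198.51.100.0/22", "customer", "customer-port"),
    route("198.51.100.0/22", "peer", "ix-peering"),
    route("198.51.100.0/24", "peer", "ix-peering"),
    route("198.51.101.0/24", "peer", "ix-peering"),
]


def import_policy(received, drop_more_specifics):
    """Return the routes accepted into the RIB.

    With drop_more_specifics set, a route learned on a non-customer session
    is rejected when it is strictly more specific than a prefix the customer
    announces on its customer port.
    """
    customer_nets = [r.prefix for r in received if r.session == "customer"]
    accepted = []
    for r in received:
        more_specific = any(
            r.prefix != c and r.prefix.subnet_of(c) for c in customer_nets
        )
        if drop_more_specifics and r.session != "customer" and more_specific:
            continue
        accepted.append(r)
    return accepted


def best_route(rib, destination):
    """Longest prefix wins first; local preference only breaks ties."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in rib if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, LOCAL_PREF[r.session]))


def egress_for(destination, drop_more_specifics):
    """Egress port chosen for a destination under the given import policy."""
    best = best_route(import_policy(RECEIVED, drop_more_specifics), destination)
    return best.next_hop if best else None


if __name__ == "__main__":
    for dst in ("198.51.100.10", "198.51.101.10", "198.51.102.10"):
        print(dst, "local-pref only:", egress_for(dst, False),
              "| with drop:", egress_for(dst, True))
```
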



RE: Serious Juniper Hardware EoL Announcements

2022-06-14 Thread Tony Wicks
>For those who may have forgotten:

> 

>https://cacm.acm.org/news/257742-german-factory-fire-could-worsen-global-chip-shortage/fulltext

 

>That was the *sole* supplier of extreme ultraviolet lithography machines for 
>every major chip manufacturer on the planet.

 

>Chip shortages will only get worse for the next several years.  The light at 
>the end of the tunnel is unfortunately *not* coming from an ultraviolet 
>lithography machine.  :(

 

 

>Matt

 

This video has a really good break down on the chip shortage as regards to 
everything that is not leading edge - 
https://www.youtube.com/watch?v=YJrOuBkYCMQ



RE: FCC proposes higher speed goals (100/20 Mbps) for USF providers

2022-06-06 Thread Tony Wicks
 

*   Do you have any stats on what the average usage was before and after 
the build out? I'd expect it to go up just because but was it dramatic?

 

Well, back in the FTTC days of ADSL/VDSL (very little cable) as an ISP I seem 
to remember the average home connection was about 1.2Mb/s. Now it's about 3Mb/s 
so no, the usage itself does not jump dramatically when the bottlenecks went 
away. A great example of this is the lowest speed on the GPON network recently 
jumped from 100/20 to 300/100 across the board and as an ISP we barely noticed 
anything.  Before this the two most popular speeds were the 100/20 and 1000/500 
plans, 50% of users would order the 1000/500 plan, most without really knowing 
why but it was only about $20 different so why not. As an ISP the 1G users only 
used about 10%-20% more overall capacity than the 100/20 users.  



RE: FCC proposes higher speed goals (100/20 Mbps) for USF providers

2022-06-06 Thread Tony Wicks


>To finish up the math here, how much did NZ's fiber buildout cost?


I'm not suggesting that the US could build such a network, just that if it's 
available it certainly opens up new levels of convenience and smooth use of the 
applications. I think it was something like $2-3B USD, don't quote me on that 
though.





RE: FCC proposes higher speed goals (100/20 Mbps) for USF providers

2022-06-06 Thread Tony Wicks
>This whole thread is about hypothetical futures, so it's not hard to imagine 
>downloads filling to available capacity. 

>Mike

 

So, a good example of how this capacity is used, in New Zealand we have a 
pretty broad fibre network covering most of the population. My niece asked me 
to share my backup copy of her wedding photos/videos the other day. I have a 
4Gb/s / 4Gb/s XGSPON connection and she’s got a 1Gb/s / 500Mb/s GPON 
connection. I simply dropped a copy of the 5.1G directory into a one drive 
folder and shared it, 10 minutes later (one drive is still limited in how fast 
you can upload) she had it all and she was very happy. With these speeds it’s 
not even a consideration to think about capacity, everything just works.



RE: Strange behavior on the Juniper MX240

2022-05-04 Thread Tony Wicks
Dude, JunOS 10.4 end of support - 06/08/2014. You have an almost 8 years past 
end of Vendor support O/S still in production! No, just no.

 

 

 

From: NANOG  On Behalf Of Nehul Patel
Sent: Thursday, 5 May 2022 9:35 am
To: Paschal Masha 
Cc: nanog 
Subject: Re: Strange behavior on the Juniper MX240

 

JUNOS Version

 

JUNOS Base OS boot [10.4R9.2]
JUNOS Base OS Software Suite [10.4R9.2]
JUNOS Kernel Software Suite [10.4R9.2]
JUNOS Crypto Software Suite [10.4R9.2]
JUNOS Packet Forwarding Engine Support (M/T Common) [10.4R9.2]
JUNOS Packet Forwarding Engine Support (MX Common) [10.4R9.2]
JUNOS Online Documentation [10.4R9.2]
JUNOS Voice Services Container package [10.4R9.2]
JUNOS Border Gateway Function package [10.4R9.2]
JUNOS Services AACL Container package [10.4R9.2]
JUNOS Services LL-PDF Container package [10.4R9.2]
JUNOS Services PTSP Container package [10.4R9.2]
JUNOS Services Stateful Firewall [10.4R9.2]
JUNOS Services NAT [10.4R9.2]
JUNOS Services Application Level Gateways [10.4R9.2]

 



RE: V6 still not supported

2022-03-09 Thread Tony Wicks
Over here in AsiaPAC we ran out of readily available IPv4 many years ago. I’ve 
been deploying dual stack CGNAT v4 + Public V6 to ISP networks for at least 10 
years. Virtually all modern RGWs and devices (except *** play station) have 
supported V6 transparently for many years and the customers have no clue they 
are using V6. V6 accounts for about 60% of customer traffic due to widespread 
support on CDNs and this reduces the requirement for services card capacity 
(ISA/ESA on Nokia, MS-MPC on Juniper) on the CGNAT devices. As a general rule 
if a customer actually notices and complains about CGN (again *** Playstation) 
the rule has generally been, sure here is a static v4 ip, bye now. Those 
customers who notice run at about 100 per 10,000 customers as a general rule. 
So 10K customers = a /24 for CGN pools and a /25 for static IPs and you are 
good to go. Every customer gets a /56 of v6. While I’m not a V6 fanboy it 
really does work just fine and works well enough that the end customers have 
absolutely no clue it’s turned on. It takes little extra effort to enable it 
when you are deploying a new network element and there is almost universal 
device support.

 

 

 

 

 

 

From: NANOG  On Behalf Of Michael 
Thomas
Sent: Thursday, 10 March 2022 11:12 am
To: Josh Luthman 
Cc: nanog@nanog.org
Subject: Re: V6 still not supported

 

 

On 3/9/22 2:03 PM, Josh Luthman wrote:

IPv4 doesn't require NAT. 

 

But to answer your question, I would say most if not all of the complaints 
about NAT/double NAT are the Xbox saying strict nat instead of open.  These 
complaints are super rare.

CGNat -- which is the alternative -- creates a double NAT. I poked around and 
it seems that affects quite a few games. 

Mike



RE: Starlink terminals deployed in Ukraine

2022-03-02 Thread Tony Wicks
Invade America?… um, not even close to a thing

 

From: NANOG  On Behalf Of Mike
Sent: Thursday, 3 March 2022 12:39 pm
To: nanog@nanog.org
Subject: Re: Starlink terminals deployed in Ukraine

 

You guys are missing the obvious. Russia isn't going to attack starlink in 
space, they are going to take over its command and control functions and 
deorbit the entire constellation without firing a shot. Same for China and N. 
Korea, which both already have ample motivation already to go after starlink 
because of the existential threat to the iron fisted control they exert over 
their populace and the free flow of information. So while musk may be able to 
fly 50 at a time and has his own launch capability, if the command and control 
facilities are hijacked, musk will run out of money putting it all back 
together.



RE: Starlink terminals deployed in Ukraine

2022-03-01 Thread Tony Wicks
I think you are significantly overestimating the quality, quantity and will of 
the Russians to do such a thing as shoot down another country’s satellites. In 
case it wasn’t clear from the preceding week there is a significant difference 
between the image of conventional weapon strength the Russian military has been 
portraying over the last 20 years and the reality of the situation. Swatting 
down hundreds of satellites just isn’t a thing, even the US military who have 
access to hundreds of SM3/SM6/THAAD vehicles would struggle to do such a thing. 
The Russian military would struggle to knock down a dozen I would suggest and 
the retaliation would be significant for such a blatant attack on a NATO 
country’s assets.

 

From: NANOG  On Behalf Of Scott 
McGrath
Sent: Wednesday, 2 March 2022 8:57 am
To: Phineas Walton 
Cc: NANOG list 
Subject: Re: Starlink terminals deployed in Ukraine

 

Starlink however forgets that Russia does have anti satellite weapons and they 
probably will not hesitate to use them which will make low earth orbit a very 
dangerous place when Russia starts blowing up the Starlink birds.I applaud 
the humanitarian aspect of providing Starlink service, unfortunately there are 
geopolitical realities like access to space which is likely to be negatively 
impacted if and when Russia starts shooting down these birds.Fortunately if 
they start shooting down the birds the debris will burn up in a year or so 
unlike geosync orbit where it would stay forever.

 

- WB6RDV



RE: Russian aligned ASNs?

2022-02-25 Thread Tony Wicks
Haha, we are like the underground cables we service. No one (apart from other 
engineers) notices or cares how much effort it takes to keep the packets 
flowing until it stops. 

--


Just imagine what it must be like trying to keep those IP networks functional 
at a time like this.  Configuring routers while under fire... 
Those engineers should get some kind of award...

scott



RE: Russian aligned ASNs?

2022-02-24 Thread Tony Wicks
I would suggest keeping the free flow of outside information to Russia would be 
the best thing we can do.

-Original Message-


What is our community doing to assist Ukraine against these attacks?



RE: New minimum speed for US broadband connections

2022-02-16 Thread Tony Wicks
It is really quite odd that arguably the heart of high tech in the world has 
such poor coverage. I remember going on a visit there 10+ years ago and being 
shocked that the head of the development team at the company I was visiting had 
the best available which was a 2meg cable plan with a data cap while here in 
New Zealand we had adsl/vdsl to the curb unlimited for about $60USD. Then about 
2 years ago we moved to 1G/500 GPON unlimited for a retail price of about 
$60USD. For the last year at home I’ve had unlimited 4Gb/s symmetric XGSPON for 
a retail price of around $105USD/month. This Fibre coverage covers something 
like 70% of the country and is rapidly rising. I would have thought Silicon 
Valley would be years ahead of a small country in the South Pacific (we have to 
pay for all that sub sea connectivity to the USA and Australia as well, I have 
routers in San Jose and LA connected to Auckland). Something has gone horribly 
wrong to produce this outcome I would suggest.

 

 

 

From: NANOG  On Behalf Of Michael 
Thomas
Sent: Thursday, 17 February 2022 10:47 am
To: Josh Luthman 
Cc: nanog@nanog.org
Subject: Re: New minimum speed for US broadband connections

 

 

On 2/16/22 1:36 PM, Josh Luthman wrote:

What is the embarrassment?

That in the tech center of the world that we're so embarrassingly behind the 
times with broadband. I'm going to get fiber in the rural Sierra Nevada before 
Silicon Valley. In fact, I already have it, they just haven't installed the 
NID. 

Mike

 

 



Re: home router battery backup

2022-01-13 Thread Tony Wicks
Yep, a pair of long nose pliers and that beeper pops right off the board, real easy.



RE: Latency/Packet Loss on ASR1006

2021-11-27 Thread Tony Wicks
I mean a router without ASIC based forwarding like a Juniper MX or Nokia 7750. 
The advantage of the 1k is you don't need a services card for cgnat, but the 
large disadvantage is everything passes through the ESP processor and this 
often leads to disappointing results under load.

>I'm not sure what a CPU based box means here. ASR1k isn't using a general 
>purpose core like PQ3, INTC or AMD. Like CRS-1 and nPower, ASR1k has Cisco 
>made forwarding logic using cores from tensilica (CPP10/popey I believe was 40 
>x Tensilica DI 570T, next iteration was 64 cores).

--
  ++ytti



RE: Latency/Packet Loss on ASR1006

2021-11-26 Thread Tony Wicks
https://www.cisco.com/c/en/us/support/docs/routers/asr-1000-series-aggregation-services-routers/200674-Throughput-issues-on-ASR1000-Series-rout.html

 

So many years since I have used an asr1000 but, honestly you have an esp40 in a 
box with 10x10G interfaces? That’s a very underpowered processor for that job. 
The ESP40 was designed for a box that would have 1G interfaces and perhaps a 
couple of 10’s. The ASR1000 is a CPU based box, everything goes back to the 
processor and remember cisco math means half duplex not full.

 

From: NANOG  On Behalf Of Colin 
Legendre
Sent: Saturday, 27 November 2021 8:09 am
To: nanog 
Subject: Latency/Packet Loss on ASR1006

 

Hi,

 

We have ...

 

ASR1006  that has following cards...

1 x ESP40

1 x SIP40

4 x SPA-1x10GE-L-V2

1 x 6TGE

1 x RP2

 

We've been having latency and packet loss during peak periods...

 

We notice all is good until we reach 50% utilization on output of...

 

'show platform hardware qfp active datapath utilization summary'

 

Literally ... 47% good... 48% good... 49% latency to next hop goes from 1ms to 
15-20ms... 50% we see 1-2% packet-loss and 30-40ms latency... 53% we see 
60-70ms latency and 8-10% packet loss.

 

Is this expected... the ESP40 can only really push 20G and then starts to have 
performance issues?

 

 

 

---
Colin Legendre



RE: massive facebook outage presently

2021-10-04 Thread Tony Wicks
Back and working by the looks.



RE: massive facebook outage presently

2021-10-04 Thread Tony Wicks
Didn't write that part of the automation script and that coder left...

> I got a mail that Facebook was leaving NLIX. Maybe someone botched the 
> script so they took down all BGP sessions instead of just NLIX and now 
> they can't access the equipment to put it back... :-)




RE: IPv6 woes - RFC

2021-09-13 Thread Tony Wicks
In resource challenged regions we have been using IPv4+CGN+IPv6 dual stack for 
the last ten or so years. For 20K subs you can use one /24 of ipv4 and a /40 or 
so of ipv6. There have been available RGW’s and sufficient vendor support 
throughout this time. The only issues I have ever really seen have been with 
Sony PSN doing random ipv4 /32 blocks. Apart from that it has been working just 
fine. Over 50% of traffic now flows on the V6 side and in general end customers 
have no clue, it just works.

 

>For all I care we already have a perfect working system with IPv4+CGN+IPv6. 
>The CGN part was the most troublesome, not the IPv6.



RE: Where to get IPv4 block these day

2021-08-05 Thread Tony Wicks
List admin, this is a direct and unwarranted personal attack that is clearly 
against the list rules. I recommend this person is barred or at least 
officially warned that this is unacceptable behaviour.

 

From: NANOG  On Behalf Of Ca By
Sent: Friday, 6 August 2021 9:31 am
To: Andy Ringsmuth 
Cc: NANOG 
Subject: Re: Where to get IPv4 block these day

 

 

*sigh*

 

I know you are lazy. 

 



RE: Where to get IPv4 block these day

2021-08-05 Thread Tony Wicks
 

 

From: Ca By  
Sent: Friday, 6 August 2021 8:20 am
To: Tony Wicks 
Cc: NANOG 
Subject: Re: Where to get IPv4 block these day

 

 

*sigh* you are assuming the end user is being somehow lazy and incompetent and 
NOT also deploying IPV6? Seriously, you still need parallel deployment of IPV4 
in 99% of situations and it's about time the attempted shaming of people for 
accepting the reality of the world stopped. I know we are in a post reality 
world now but at least on this list can we not descend into silly memes? 

 

 

Yep, this what it has come to. 

 

“I got a guy”

 

Just keep buying addresses and slamming in NAT boxes folks … 

 

Here is a meme

 

https://imgflip.com/i/5ipi7s

 

 

 

 

On Wed, Aug 4, 2021 at 23:35 Alex Wacker <a...@alexwacker.com> wrote:

Ipv4.global is very reliable. I’ve sold blocks there

 

On Thu, Aug 5, 2021 at 1:28 AM james jones <james.v...@gmail.com> wrote:

hey everyone,

 

Been a while since I had to deal with NetOps stuff. Was wondering, where do you 
go these days to get IPv4 blocks? It seems like getting assignments is hard due 
to exhaustion. I have found some "Auction" sites but it all feels very scammy. 
Any info would be appreciated.

 

 

-James



RE: Where to get IPv4 block these day

2021-08-05 Thread Tony Wicks
Contact eddie at iptrading.com, I have used 
their services several times and never had any issues.

 

 

 

On Wed, Aug 4, 2021 at 23:35 Alex Wacker <a...@alexwacker.com> wrote:

Ipv4.global is very reliable. I’ve sold blocks there

 

On Thu, Aug 5, 2021 at 1:28 AM james jones <james.v...@gmail.com> wrote:

hey everyone,

 

Been a while since I had to deal with NetOps stuff. Was wondering, where do you 
go these days to get IPv4 blocks? It seems like getting assignments is hard due 
to exhaustion. I have found some "Auction" sites but it all feels very scammy. 
Any info would be appreciated.

 

 

-James



RE: 1G/10G BaseT switch recommendation

2021-07-22 Thread Tony Wicks
Nokia has the 7250-ixr-e that has 24x1/10G SFP, 8x10/25G SFP28 and 2x100G 
QSFP28 ports (300G FDX total) in a small depth 1U unit. We use a bunch of these 
and they work nicely with full MPLS features.

 

From: NANOG  On Behalf Of Adam 
Thompson
Sent: Friday, 23 July 2021 7:35 am
To: Saku Ytti 
Cc: nanog@nanog.org
Subject: RE: 1G/10G BaseT switch recommendation

 

True.  I forget carrier space often, these days.

 



RE: Technical resources for Open Access Fiber Networks?

2021-06-10 Thread Tony Wicks
In New Zealand we have a nationwide government sponsored FTTH open access 
network based on GPON and XGSPON. There are local access companies (LFC or 
Local Fibre Company) that handover double tagged layer2 that the various 
service providers (RSP or Retail Service Provider) can either pick up 
themselves in each region or pay a third party to backhaul to where they need 
to get to. This has resulted in a very competitive market to the retail 
consumer (very low margin to the retail service provider, this has resulted in 
broadband often being a “loss leader” used to bundle other 
phone/power/entertainment services).  Technically each end user has an ONT 
provided by the LFC and the RSP leases a layer2 service on a per-port basis 
that is delivered double tagged at the service provider handover point. This 
means each 1gig or 10gig port on the ONT can be used to present a different RSP 
service to the end user if desired. The handover point (10G/100G with or 
without LAG) can provide 4096x4096 possible layer2 services to end user ports.

 

The end result of this is almost ubiquitous high quality 100/20, 1000/500 up to 
4000/4000 being available to the end user. Retail for an unlimited 1000/500 
service to the end user is about 70USD/month with 4000/4000 (XGSPON) being 
about $130USD/month. Here’s a speedtest from my primary home workstation - 
https://www.speedtest.net/my-result/d/f44bc96e-ec2d-4446-8f23-d32aa6282350 

 

I work for a company that provides backhaul from the various regions around the 
country to the various retail service providers. We take the double tagged LFC 
handovers and transport them over MPLS to where the various service providers 
want them delivered to. Normally we will hand them over triple tagged with the 
third tag added to represent each handover point and the first two tags being 
preserved from the LFC handover. This works pretty well overall.

 

 

 

From: NANOG  On Behalf Of Mark Leonard
Sent: Thursday, 10 June 2021 12:16 pm
To: North American Network Operators' Group 
Subject: Technical resources for Open Access Fiber Networks?

 

Hi NANOG,

 

Not so long ago I learned about Open Access Fiber Networks.  I'm quite curious 
about how these are actually implemented.  I'm able to find boatloads of 
marketing material and management-targeted boilerplate, but I've not yet been 
able to find any technical resources.

 

My first thoughts were:

* Are these just massive VPLS networks?

* Are they just giant L2 networks?

 

I can't imagine that either of the above would scale particularly well.

 

I'm looking for any books / papers / config guides / magic tomes / etc on the 
subject.

 

Can anyone point me in the right direction?

 

Thanks,

Mark
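The double-tagged LFC handover and the backhaul provider's third tag described in the message above, as an added example that is not part of the original thread. The TPIDs (0x88A8 on the outer tags, 0x8100 on the innermost) and all VLAN IDs and MAC addresses are assumptions constructed for illustration; the message does not state them.

```python
import struct

TPID_CTAG = 0x8100   # 802.1Q customer tag (assumed for the innermost tag)
TPID_STAG = 0x88A8   # 802.1ad service tag (assumed for the outer tags)
VLAN_TPIDS = {TPID_CTAG, TPID_STAG}
MAC_LEN = 12         # destination + source MAC precede the first tag


def _check_vid(vid):
    # The VID field is 12 bits, which is where the 4096 x 4096 figure comes
    # from; 802.1Q reserves 0 and 4095, so 1..4094 are usable per tag.
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} outside 1..4094")


def build_frame(dst, src, tags, ethertype, payload):
    """Build an Ethernet frame; tags is [(tpid, vid, pcp), ...], outermost first."""
    out = dst + src
    for tpid, vid, pcp in tags:
        _check_vid(vid)
        out += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return out + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (tags, ethertype, payload_offset) for a possibly tagged frame."""
    off, tags = MAC_LEN, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("frame truncated before EtherType")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in VLAN_TPIDS:
            return tags, etype, off + 2
        if len(frame) < off + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF, tci >> 13))
        off += 4


def push_handover_tag(frame, handover_vid):
    """Backhaul ingress: add a third, outermost tag naming the LFC handover."""
    _check_vid(handover_vid)
    tags, _, _ = parse_tags(frame)
    if len(tags) != 2:
        raise ValueError(f"expected 2 tags from the LFC, got {len(tags)}")
    tag = struct.pack("!HH", TPID_STAG, handover_vid)
    return frame[:MAC_LEN] + tag + frame[MAC_LEN:]


def pop_handover_tag(frame):
    """RSP side: strip the backhaul tag, leaving the LFC's two tags untouched."""
    tags, _, _ = parse_tags(frame)
    if len(tags) != 3:
        raise ValueError(f"expected 3 tags at the RSP handover, got {len(tags)}")
    return frame[:MAC_LEN] + frame[MAC_LEN + 4:]


def service_key(frame):
    """(handover, outer, inner) VLAN IDs that identify one end-user port."""
    tags, _, _ = parse_tags(frame)
    if len(tags) != 3:
        raise ValueError(f"expected 3 tags, got {len(tags)}")
    return tuple(vid for _, vid, _ in tags)


# Constructed sample values: locally administered MACs, made-up VLAN IDs.
DST = bytes.fromhex("020000000001")
SRC = bytes.fromhex("020000000002")


def demo():
    """Frame as handed over by the LFC, then as carried by the backhaul."""
    lfc = build_frame(DST, SRC, [(TPID_STAG, 100, 0), (TPID_CTAG, 200, 0)],
                      0x0800, b"\x00" * 46)
    return lfc, push_handover_tag(lfc, 30)


if __name__ == "__main__":
    lfc_frame, backhaul_frame = demo()
    print("service key:", service_key(backhaul_frame))
    print("LFC tags preserved:", pop_handover_tag(backhaul_frame) == lfc_frame)
```

Rejecting frames whose tag depth is not the expected two or three keeps a mis-tagged frame from being mapped onto another provider's service at the handover.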



RE: MPLS/MEF Switches and NIDs

2021-06-09 Thread Tony Wicks
PS, I don’t believe I mentioned the Nokia’s would meet any particular price 
point, just that they have some transport boxes that have a very good 
price/performance/port density (7210/7250).  YMMV depending on your supplier, 
quantities and feature requirements.

 

From: Tony Wicks  
Sent: Thursday, 10 June 2021 8:24 am
To: 'Colton Conor' 
Cc: 'NANOG' 
Subject: RE: MPLS/MEF Switches and NIDs

 

Well I can’t talk to what discounts are available, you would need to get that 
direct off Nokia. The 7210 SAS-S 24F4SFP+ is pretty affordable even with the 
stand alone MPLS licence but it makes a significant difference where you source 
Nokia devices and how many you buy. They seem to be kind of like Boeing or 
Airbus, the list price is X but the airlines never pay list.

 

From: Colton Conor <colton.co...@gmail.com>
Sent: Thursday, 10 June 2021 8:03 am
To: Tony Wicks <t...@wicks.co.nz>
Cc: NANOG <nanog@nanog.org>
Subject: Re: MPLS/MEF Switches and NIDs

 

Tony,

 

I reached out to a couple of people, and they mentioned that there is nothing 
in the 7210 line that is around $1,000, which is what a Ciena 3924 costs for 
example. What am I missing? 

 

On Wed, May 26, 2021 at 12:14 PM Tony Wicks <t...@wicks.co.nz> wrote:

7210-sas-s or 7210-sas-sx is the low cost 24/48x1 4x10G option. These are very 
affordable and reliable MPLS transport devices. You’ll need to contact your 
local Nokia rep for pricing.

 

regards

 

From: Colton Conor <colton.co...@gmail.com>
Sent: Thursday, 27 May 2021 5:03 am
To: Tony Wicks <t...@wicks.co.nz>
Cc: NANOG <nanog@nanog.org>
Subject: Re: MPLS/MEF Switches and NIDs

 

Tony,

 

Thanks, I wasn't aware of this model. This would compete with the ACX710 based 
on the specs (actually have a bit more ports). I guess I will have to reach 
out, but price wise where does this box come in? 

 

What is Nokia's low cost NID that has at least 4 10G ports? 

 

On Wed, May 26, 2021 at 11:49 AM Tony Wicks <t...@wicks.co.nz> wrote:

The Nokia 7250-ixr-e covers exactly the port density and price range you are 
looking for. 24x1/10, 8x10/25 and 2x100G with 300G total capacity.

 

From: NANOG <wicks.co...@nanog.org> On Behalf Of Colton Conor
Sent: Thursday, 27 May 2021 4:39 am
To: NANOG <nanog@nanog.org>
Subject: MPLS/MEF Switches and NIDs

 

 

We have used Juniper's ACX line primarily, but there is a big gap in their 
product line. The ACX2200 has only two 10G ports. The next jump up from there 
is the ACX710 with 24 10G ports. They have nothing in between that has 4-12 10G 
ports. Not to mention, Juniper is very proud price wise. We are looking for 
cost efficient 10G NIDs with at least 4 10G ports on them and aggregation boxes 
with at least 12 10G ports on them with 25g/100G uplinks. 



RE: MPLS/MEF Switches and NIDs

2021-06-09 Thread Tony Wicks
Well I can’t talk to what discounts are available, you would need to get that 
direct off Nokia. The 7210 SAS-S 24F4SFP+ is pretty affordable even with the 
stand alone MPLS licence but it makes a significant difference where you source 
Nokia devices and how many you buy. They seem to be kind of like Boeing or 
Airbus, the list price is X but the airlines never pay list.

 

From: Colton Conor  
Sent: Thursday, 10 June 2021 8:03 am
To: Tony Wicks 
Cc: NANOG 
Subject: Re: MPLS/MEF Switches and NIDs

 

Tony,

 

I reached out to a couple of people, and they mentioned that there is nothing 
in the 7210 line that is around $1,000, which is what a Ciena 3924 costs for 
example. What am I missing? 

 

On Wed, May 26, 2021 at 12:14 PM Tony Wicks <t...@wicks.co.nz> wrote:

7210-sas-s or 7210-sas-sx is the low cost 24/48x1 4x10G option. These are very 
affordable and reliable MPLS transport devices. You’ll need to contact your 
local Nokia rep for pricing.

 

regards

 

From: Colton Conor <colton.co...@gmail.com>
Sent: Thursday, 27 May 2021 5:03 am
To: Tony Wicks <t...@wicks.co.nz>
Cc: NANOG <nanog@nanog.org>
Subject: Re: MPLS/MEF Switches and NIDs

 

Tony,

 

Thanks, I wasn't aware of this model. This would compete with the ACX710 based 
on the specs (actually have a bit more ports). I guess I will have to reach 
out, but price wise where does this box come in? 

 

What is Nokia's low cost NID that has at least 4 10G ports? 

 

On Wed, May 26, 2021 at 11:49 AM Tony Wicks <t...@wicks.co.nz> wrote:

The Nokia 7250-ixr-e covers exactly the port density and price range you are 
looking for. 24x1/10, 8x10/25 and 2x100G with 300G total capacity.

 

From: NANOG <wicks.co...@nanog.org> On Behalf Of Colton Conor
Sent: Thursday, 27 May 2021 4:39 am
To: NANOG <nanog@nanog.org>
Subject: MPLS/MEF Switches and NIDs

 

 

We have used Juniper's ACX line primarily, but there is a big gap in their 
product line. The ACX2200 has only two 10G ports. The next jump up from there 
is the ACX710 with 24 10G ports. They have nothing in between that has 4-12 10G 
ports. Not to mention, Juniper is very proud price wise. We are looking for 
cost efficient 10G NIDs with at least 4 10G ports on them and aggregation boxes 
with at least 12 10G ports on them with 25g/100G uplinks. 



RE: MPLS/MEF Switches and NIDs

2021-05-26 Thread Tony Wicks
7210-sas-s or 7210-sas-sx is the low cost 24/48x1 4x10G option. These are very 
affordable and reliable MPLS transport devices. You’ll need to contact your 
local Nokia rep for pricing.

 

regards

 

From: Colton Conor  
Sent: Thursday, 27 May 2021 5:03 am
To: Tony Wicks 
Cc: NANOG 
Subject: Re: MPLS/MEF Switches and NIDs

 

Tony,

 

Thanks, I wasn't aware of this model. This would compete with the ACX710 based 
on the specs (actually have a bit more ports). I guess I will have to reach 
out, but price wise where does this box come in? 

 

What is Nokia's low cost NID that has at least 4 10G ports? 

 

On Wed, May 26, 2021 at 11:49 AM Tony Wicks <t...@wicks.co.nz> wrote:

The Nokia 7250-ixr-e covers exactly the port density and price range you are 
looking for. 24x1/10, 8x10/25 and 2x100G with 300G total capacity.

 

From: NANOG <wicks.co...@nanog.org> On Behalf Of Colton Conor
Sent: Thursday, 27 May 2021 4:39 am
To: NANOG <nanog@nanog.org>
Subject: MPLS/MEF Switches and NIDs

 

 

We have used Juniper's ACX line primarily, but there is a big gap in their 
product line. The ACX2200 has only two 10G ports. The next jump up from there 
is the ACX710 with 24 10G ports. They have nothing in between that has 4-12 10G 
ports. Not to mention, Juniper is very proud price wise. We are looking for 
cost efficient 10G NIDs with at least 4 10G ports on them and aggregation boxes 
with at least 12 10G ports on them with 25g/100G uplinks. 



RE: MPLS/MEF Switches and NIDs

2021-05-26 Thread Tony Wicks
The Nokia 7250-ixr-e covers exactly the port density and price range you are 
looking for. 24x1/10, 8x10/25 and 2x100G with 300G total capacity.

 

From: NANOG  On Behalf Of Colton Conor
Sent: Thursday, 27 May 2021 4:39 am
To: NANOG 
Subject: MPLS/MEF Switches and NIDs

 

 

We have used Juniper's ACX line primarily, but there is a big gap in their 
product line. The ACX2200 has only two 10G ports. The next jump up from there 
is the ACX710 with 24 10G ports. They have nothing in between that has 4-12 10G 
ports. Not to mention, Juniper is very proud price wise. We are looking for 
cost efficient 10G NIDs with at least 4 10G ports on them and aggregation boxes 
with at least 12 10G ports on them with 25g/100G uplinks. 



RE: Juniper hardware recommendation

2021-05-07 Thread Tony Wicks
You really should discuss this with your local Juniper rep in the first instance 
I would suggest.

 

From: NANOG  On Behalf Of Javier 
Gutierrez Guerra
Sent: Saturday, 8 May 2021 9:28 am
To: r...@rkhtech.org; nanog@nanog.org
Subject: RE: Juniper hardware recommendation

 

I need to do MPLS (vlls), VXLAN, Multicast, full routing tables, multiple VRFs, 
q-in-q, QoS

Anything with 1Tbs of throughput should be more than enough at this time for me

I also need it to be able to support 100G interfaces, 1G and 10G  

 

Javier Gutierrez Guerra

Network Analyst

CCNA R, JNCIA

Westman Communications Group

Phone: 204-717-2827

Email:   guer...@westmancom.com

  

 



 

From: Ryan Hamel <administra...@rkhtech.org>
Sent: May 7, 2021 4:23 PM
To: Javier Gutierrez Guerra <guer...@westmancom.com>; nanog@nanog.org
Subject: RE: Juniper hardware recommendation

 


Hello!

 

We wouldn’t be able to give any sort of answer without knowing your current and 
future requirements. Each model has its own throughput classes, and sometimes a 
full on MX router isn’t required.

 

From: NANOG <nanog-bounces+ryan=rkhtech@nanog.org> On Behalf Of Javier Gutierrez Guerra
Sent: Friday, May 7, 2021 1:55 PM
To: nanog@nanog.org  
Subject: Juniper hardware recommendation

 

Hi, 

Just out of curiosity, what would you recommend using for a core router/switch 
from Juniper?

MX208,480,10K

Datasheets show them all as very nice and powerful devices (although they do 
use a lot of rack space and side to side airflow is painful) but I’m just 
wondering here what most people use and how good or bad of an experience you 
have with it 

Thanks,

 

Javier Gutierrez Guerra

Network Analyst

CCNA R, JNCIA

Westman Communications Group

Phone: 204-717-2827

Email:   guer...@westmancom.com

  

 



 



RE: wow, lots of akamai

2021-04-01 Thread Tony Wicks
No absolutely not, having the traffic coming from local CDN’s and the shorter 
but higher traffic is very much preferred. My comment was just to point out 
that yes there is a significant difference on ISP traffic between delivery via 
CDN/PNI/Peering than transit as in our case transit is a long way away. Local 
backhaul is plentiful and relatively cheap whereas subsea wavelengths are 
extremely expensive and require months of planning. I’m not assuming transport 
just going on real world traffic effects.

 

From: NANOG  On Behalf Of Patrick W. 
Gilmore
Sent: Friday, 2 April 2021 11:32 am
To: North American Operators' Group 
Subject: Re: wow, lots of akamai

 

Just so I am clear, you are saying “I would rather have it come over my 
undersea cables than from inside the datacenter”?

 

And you are assuming TCP transport.

 



RE: wow, lots of akamai

2021-04-01 Thread Tony Wicks
This is not actually (as in yes it does matter) the case, if a file comes from 
a CDN it is often a close and low latency source that will run up to very high 
speeds. For example in our case we connect to local peering exchanges (or 
PNI’s/local caches) at 100G or Nx10G with latency to the end user in the 1-30ms 
range resulting in very large peaks of local backhaul traffic. If a file is 
delivered from source or from remote CDN’s/exchanges these are located in other 
countries with between 25ms (New Zealand to Australia) and 130-200ms (New 
Zealand to LA/SJC or Singapore) latency, this results in a much slower and 
normally barely noticeable traffic blip. Yes as an ISP we need to carry the 
traffic in both cases but the first case can result in a 20-30% local backhaul 
increase for a couple of hours and in the second case it's just BAU traffic for 
a day or two. Local CDN is obviously the better option for cost and the 
consumer, but you certainly do notice the traffic in local backhaul.

 

From: NANOG  On Behalf Of Tom Beecher
Sent: Friday, 2 April 2021 10:05 am
To: Matt Erculiani 
Cc: North American Operators' Group 
Subject: Re: wow, lots of akamai

 

 

If thousands of users are downloading 50G files at the same time, it really 
doesn't matter if they are pulling from a CDN or the origin directly. The 
volume of traffic still has to be handled. Yes, it's a burden on the ISP, but 
it's a burden created by the usage created by their subscribers. 

 

 



RE: CGNAT

2021-03-03 Thread Tony Wicks
While I won't go into the costs as well, I've got actual work to do I must say 
my calculations of purchase ipv4 (@25USD/IP) vs CGNAT have always fallen 
significantly into the CGNAT camp. If you are doing a stand alone A10 or 
similar yes things would be different. If you are already buying suitable BNG's 
however the additional cost of MS-MPC cards (Juniper) or ISA2/ESA (Nokia) is 
likely to be far less than the stand alone option. While the BNG services cards 
are not cheap they do "just work" as a solution and a 10 or 20 to one ratio is 
easily achievable. Nokia 7750's with ESA "cards" are a massively scalable 
option.



-Original Message-
From: NANOG  On Behalf Of Kevin Burke
Sent: Thursday, 4 March 2021 6:42 am
To: Jared Brown ; nanog@nanog.org
Subject: Re: CGNAT

Can you share your cost comparison?  




RE: Famous operational issues

2021-02-22 Thread Tony Wicks
Many years ago I experienced a very similar thing. The DC/Integrator I worked 
for outsourced the co-location and operation of mainframe services for several 
banks and government organisations. One of these banks had a significant 
investment in AS/400's and they decided that it was so much hassle and expense 
using our datacentres that they would start putting those nice small AS/400's 
in computer rooms in their office buildings instead. One particular computer 
room contained large line printers that the developers would use to print out 
whatever it is such people print out. One Saturday morning I received a frantic 
call from the customer to say that all their primary production as/400's had 
gone offline. After a short investigation I realised that all the offline 
devices were in this particular computer room. It turns out that one of the 
developers had brought his six year old son to work that Saturday and upon 
retrieval of a printout said son had dutifully followed dad in to the computer 
room and was unable to resist the big red button sitting exposed on the wall by 
the door. Shortly thereafter the embarrassed customer decided that perhaps it 
was worth relocating their as/400's to our expensive datacentres.



> 
>  During my younger days, that button was used a few time by the 
> operator of a VM/370 to regain control from someone with a "curious 
> mind" *cough* *cough*...
> 
Two horror stories I remember from long ago when I was a console jockey for a 
federal space agency that will remain nameless :P

1. A coworker brought her daughter to work with her on a Saturday overtime 
shift because she couldn't get a babysitter. She parked the kid with a coloring 
book and a pile of crayons at the only table in the console room with some 
space, right next to the master console for our 3081. I asked her to make sure 
she was well away from the console, and as she reached over to scoot the girl 
and her coloring books further away she slipped, and reached out to steady 
herself. Yep, planted her finger right down on the IML button (plexi covers? We 
don' need no STEENKIN' plexi covers!). MVS and VM vanished, two dozen tape 
drives rewound and several 
hours' worth of data merge jobs went blooey.




Re: CGNAT

2021-02-19 Thread Tony Wicks
Because then a large part of the Internet won't work

From: NANOG  on behalf of Mark Andrews
Sent: Saturday, 20 February 2021, 9:04 am
To: Steve Saner
Cc: nanog@nanog.org
Subject: Re: CGNAT

Why not go whole hog and provide IPv4 as a service? That way you are not 
waiting for your customers to turn up IPv6 to take the load off your NAT box.

Yes, you can do it dual stack but you have waited so long you may as well miss 
that step along the deployment path.

-- 
Mark Andrews

On 20 Feb 2021, at 01:55, Steve Saner  wrote:

We are starting to look at CGNAT solutions. The primary motivation at the 
moment is to extend current IPv4 resources, but IPv6 migration is also a factor.

We've been in touch with A10. Just wondering if there are some alternative 
vendors that anyone would recommend. We'd probably be looking at a solution to 
support 5k to 15k customers and bandwidth up to around 30-40 gig as a starting 
point. A solution that is as transparent to user experience as possible is a 
priority.

Thanks

-- 
Steve Saner
ideatek HUMAN AT OUR VERY FIBER

This email transmission, and any documents, files or previous email messages 
attached to it may contain confidential information. If the reader of this 
message is not the intended recipient or the employee or agent responsible for 
delivering the message to the intended recipient, you are hereby notified that 
any dissemination, distribution or copying of this communication is strictly 
prohibited. If you are not, or believe you may not be, the intended recipient, 
please advise the sender immediately by return email or by calling 
620.543.5026. Then take all steps necessary to permanently delete the email 
and all attachments from your computer system.



RE: CGNAT

2021-02-19 Thread Tony Wicks
Not the Cheapest option out there but the most rock solid one I have found is 
to install the extended service/multi service cards in the BNG and do it 
locally there. We are currently using both Juniper MX480/960 with MS-MPC cards 
and Nokia 7750 SR with ISA or ESA cards. It's also well worth running dual stack 
IPv6 as you can bypass 40%+ traffic from the CGN process for all that CDN 
traffic.

 

From: NANOG  On Behalf Of Steve Saner
Sent: Friday, 19 February 2021 5:39 am
To: nanog@nanog.org
Subject: CGNAT

 

We are starting to look at CGNAT solutions. The primary motivation at the 
moment is to extend current IPv4 resources, but IPv6 migration is also a factor.

 

We've been in touch with A10. Just wondering if there are some alternative 
vendors that anyone would recommend. We'd probably be looking at a solution to 
support 5k to 15k customers and bandwidth up to around 30-40 gig as a starting 
point. A solution that is as transparent to user experience as possible is a 
priority.

 

Thanks


-- 

Steve Saner

ideatek HUMAN AT OUR VERY FIBER




RE: 10g residential CPE

2020-12-26 Thread Tony Wicks
Actually the equipment vendor's build in this sort of situation is normally 
directly related to the availability of affordable chipsets from the likes of 
Broadcom. For example the chipset in my XGSPON router is a BCM6858. No vendor 
is going to spend money to produce a CPE that no one will buy. Once the likes 
of Broadcom produce an affordable solution then all the main vendors will roll 
out CPE in short order.


>If vendors saw a 10GbE CPE market, they would serve it. Obviously they don’t 
>see a market. Why don’t people insisting vendors build their hobby horse see 
>that? It’s like they’re being deliberately obtuse :)



RE: 10g residential CPE

2020-12-25 Thread Tony Wicks
I have an RB4011 and while it does work very well for the price it is not 
really practical for the sort of people who don't reside on this list. Firstly 
the single 10G port means you have to connect it via a separate 10G switch and 
then vlan the external connection to the ONT via another switch port. Secondly 
the physical format is great for those of us who love the idea of a passive 
cooling rack mount device but not so much the stick it on a shelf masses. 
Thirdly the interface has way too many knobs for anyone who does not know what 
MPLS stands for.



-Original Message-
From: NANOG  On Behalf Of Mark Tinka
Sent: Friday, 25 December 2020 10:56 pm
To: nanog@nanog.org
Subject: Re: 10g residential CPE



On 12/25/20 08:04, Tony Wicks wrote:

> Stand alone RGW's are hard to find, I'd be interested to hear if people have 
> found anything smaller than the Mikrotik RB4011...

Funny, that's the very unit I recommended as well in my previous post to 
Brandon :-).

As reasonably-priced devices that will have half decent working code go (for 
10Gbps, no less), it's hard to beat the Tik.

I'd still never use them in production, but for home CPE's, you bet I would.

Mark.



RE: [External] Re: 10g residential CPE

2020-12-25 Thread Tony Wicks
As a power user who now has 4Gb/s FDX at home I can definitively say as an end 
user you really can’t tell much of a difference from my previous 1G/0.5Gbs GPON 
in normal use. However there are a couple of areas where I have noticed a 
difference –

 

1.  Upstream. On GPON I had 500Mb/s upstream and this is intelligently 
oversubscribed by the OLT. Large uploads like cloud storage would consume the 
entire upstream for the duration. While things still worked fine for the 
duration of the uploads this does have a small affect on other normal 
operations during this time. With the XGSPON upstream is so large that nothing 
can fill it no matter what you do.
2.  1G downstream was certainly enough for everything in the house, but 
with the 4Gbs the bottlenecks are now the hard drives or local LAN connections. 
It is quite possible for those 2-400Gig Steam downloads to max a 1gig link off 
the local caches.

 

So in summary the 1G/0.5G GPON is certainly good enough for any home 
application, but a 2G/2G or higher link means no one user can practically do 
anything that will affect other users in the house, yes not necessary but it 
sure is nice. I really think 2.5GBASET in the house is a sweet spot, it is 
easily/cheaply retrofitted into any workstation with a free USB3 port and run’s 
on any existing cat5.

 

 

 

From: NANOG  On Behalf Of Michael 
Thomas
Sent: Saturday, 26 December 2020 8:28 am
To: nanog@nanog.org
Subject: Re: [External] Re: 10g residential CPE

 

 

Can I ask a really dumb question? Consider it an xmas present. I know this 
sounds like "nobody needs more than 640k", but how can a household possibly need 
a gig let alone 10g? I'm still on 25mbs DSL, have cut the cord so all tv, etc 
is over the net. If I really cared and wanted 4k I could probably upgrade to a 
50mbs service and be fine. Admittedly it's just the two of us here, but throw 
in a couple of kids and I still don't see how ~100mbs isn't sufficient let 
alone 1 or 10G. Am I missing something really stupid?

Mike



RE: 10g residential CPE

2020-12-24 Thread Tony Wicks
So here in New Zealand 2/2Gbs & 4/4Gbs XGS-PON has just been rolled out in 
conjunction with the existing GPON rollout (Currently 79% of the country). CPE 
is definitely an issue and the most popular way of dealing with it is to use 
the Nokia XS-250WX-A ONT as the RGW as well. Permissions on the ONT are a 
little bit of an issue right now but this is being actively worked on and 
should be sorted in the coming few months. The ONT provides one 10GBASET and 4 
gig ports as well as 4x4AC wifi. Realistically I have found using a multigig 
switch is very much the way to go (Mikrotik CRS312-4C+8XG-RM in my case) as 
then you can use 2.5GBASET and 5GBASET to clients. 2.5G seems to work fine on 
any ratty old cat5E you already have and USB3 dongles can be had for $25 or so. 
10GBASET is real picky on cabling and I have found that 2.5G and 5G work much 
better if you are not doing a complete re-cable of the site.
Stand alone RGW's are hard to find, I'd be interested to hear if people have 
found anything smaller than the Mikrotik RB4011 or CCR's as well. People are 
using the Unify Pro's but they really don't perform at 4gig. Obviously wifi is 
not going to benefit much from XGSPON, but even then having that massive upload 
available is very nice. The biggest issue with these speeds as an ISP is trying 
to train the customers that the home setup that they have spent a bunch of 
money on is unlikely to give them pretty 4Gb/s speed tests as there are 
bottlenecks all over their personal devices.

Here is the result of using the Nokia ONT and the Mikrotik Switch - 
https://www.speedtest.net/result/c/66e1df88-7d5d-4e72-94ca-3d159d7edf53 of 
note, only my 10G connected Linux server does this, all the various other 
devices struggle to "speedtest" faster than 2-3 gig, even the high end devices.



-Original Message-
From: NANOG  On Behalf Of Brandon 
Martin
Sent: Friday, 25 December 2020 4:54 pm
To: nanog@nanog.org
Subject: Re: 10g residential CPE

On 12/24/20 7:13 PM, Steven Karp wrote:
> Copper 2.5 Gbps Multi-gig uplinks on Wifi 6 gateways are coming out in
> 2021 from most vendors.
> 
> I am using XGS PON in trials and have been impressed with the speed 
> and cost.

Pretty much this.  XGS-PON seems to be "here now" and the costs on both the CO 
and CPE side have gotten down to where it's probably worth going straight to it 
(skipping GPON) in new deployments unless you think you can get away with just 
GPON for 5+ years.  I'm not sure if it's worth overlaying existing GPON 
deployments yet, but we're getting close, and offering "multi-gig" is, while 
still not very useful from a practical point of view for most customers, a 
potential marketing advantage.

I've been only recommending GPON for new, greenfield deployments in rural 
situations where expected speeds are low to begin with, density is low, and 
there may be a desire to push the optical link budget as it is a bit better 
than typical XGS-PON systems.  That's been the case for about a year, now.

Customer facing routers are not quite there, yet.  I think Asus has one, but 
I've seen mixed reviews.  And what's out now is still limited to 2.5GBASE-T and 
often only on the WAN port (LAN ports are still
1000BASE-T) meaning in practice customers can't get any more than gigabit 
speeds to a single endpoint (not that many endpoints can keep up, anyway) for 
that all-important speed test.

One of my router vendors has been teasing me with a "true 10Gb" router due out 
1Q 2021.  I've been told to expect NBASE-T (1G, 2.5G, 5G, 10G) on both WAN and 
all LAN ports + 802.11ax "Wifi 6" with at least 5Gbps of real-world IPv4 
throughput with NAT and essentially wire-speed IPv6 without NAT or content 
inspection at a realistic price point.  I'll be interested to see what they 
actually deliver as that would make future-looking multi-gig deployments 
actually meaningful.

Of course, you can replace XGS-PON with 10G-EPON if that's your preference.  I 
actually kinda prefer the IEEE versions, but most of my vendors concentrate on 
the ITU/Bellcore stuff in North America, so GPON/XGS-PON it is.
--
Brandon Martin



RE: {Disarmed} Re: Asus wifi AP re-writing DNS packets

2020-11-04 Thread Tony Wicks
I had a similar discussion with another vendor recently while testing their 
mesh wireless systems. This vendor’s units are actually re-writing dhcp 
requests that clients make to point DNS to the primary mesh unit. This even 
happened when the mesh platform was in pure bridge mode (as opposed to router 
mode). The vendor said this was to make sure their app worked reliably. I’d say 
this sort of behaviour has quietly become common in the one app to rule it all 
world.

 

 

 

From: NANOG  On Behalf Of Anurag 
Bhatia
Sent: Thursday, 5 November 2020 7:03 am
To: NANOG Mailing List 
Subject: {Disarmed} Re: Asus wifi AP re-writing DNS packets

 

Hello

 

 

An update on this issue: 

 

Going through (long) Asus support channel, they first agreed that this was 
intentional to make router.asus.com work but did take 
my request to make that optional. They have issued me a test firmware which so 
far seems to be working perfectly with no-rewriting rules. Hoping that it 
doesn't bring any side effects and they eventually put it in their public 
release after testing. 
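
The behaviour reported in this thread (an AP or mesh unit altering DHCP so that clients use the unit itself for DNS) can be checked from a client-side capture by comparing DHCP option 6 in the reply with the resolvers the real DHCP server is configured to hand out. This is an added example, not code from any poster or vendor; the function names, the sample packets and every address in them are constructed for illustration.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54
MSG_NAMES = {2: "OFFER", 5: "ACK"}


def parse_dhcp_options(payload):
    """Return {option_code: raw_value} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        # RFC 3396: an option that appears more than once is concatenated.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def _addrs(raw):
    """Decode a packed list of IPv4 addresses into dotted-quad strings."""
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def check_dns_offer(payload, expected_dns):
    """Compare the DNS servers in a DHCP reply with the ones we expect."""
    opts = parse_dhcp_options(payload)
    expected = {str(ipaddress.IPv4Address(a)) for a in expected_dns}
    offered = _addrs(opts.get(OPT_DNS, b""))
    unexpected = [a for a in offered if a not in expected]
    msg_type = opts.get(OPT_MSG_TYPE) or b"\0"
    return {
        "message": MSG_NAMES.get(msg_type[0], "other"),
        "server_id": _addrs(opts.get(OPT_SERVER_ID, b"")),
        "router": _addrs(opts.get(OPT_ROUTER, b"")),
        "offered_dns": offered,
        "unexpected_dns": unexpected,
        "rewritten": bool(unexpected),
    }


def build_ack(client_ip, server_id, router, dns_servers):
    """Build a minimal DHCPACK payload. Used only to make sample input."""
    def pack(addr):
        return ipaddress.IPv4Address(addr).packed

    def opt(code, value):
        return bytes([code, len(value)]) + value

    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                    # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x12345678, 0, 0,              # xid, secs, flags
        b"\0" * 4, pack(client_ip), b"\0" * 4, b"\0" * 4,
        bytes.fromhex("020000000001"), b"", b"",   # chaddr, sname, file
    )
    options = (opt(OPT_MSG_TYPE, b"\x05")
               + opt(OPT_SERVER_ID, pack(server_id))
               + opt(OPT_ROUTER, pack(router))
               + opt(OPT_DNS, b"".join(pack(d) for d in dns_servers))
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


# Constructed sample data: resolvers the real DHCP server is set to hand out,
# one reply that matches, and one where option 6 points at a LAN device.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}
SAMPLE_CLEAN = build_ack("192.168.50.20", "192.168.50.1", "192.168.50.1",
                         ["192.0.2.53", "192.0.2.54"])
SAMPLE_REWRITTEN = build_ack("192.168.50.20", "192.168.50.1", "192.168.50.1",
                             ["192.168.50.2"])

if __name__ == "__main__":
    for name, pkt in (("clean", SAMPLE_CLEAN), ("rewritten", SAMPLE_REWRITTEN)):
        print(name, check_dns_offer(pkt, EXPECTED_DNS))
```

In practice the payload would be the UDP data of a reply captured on a wireless client behind the AP, and `EXPECTED_DNS` would come from the DHCP server's own configuration.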

 

 

 



RE: cheap MPLS router recommendations

2020-10-21 Thread Tony Wicks
Right, well in that price/performance range you either “roll your own” or this 
is your best option IMHO - https://mikrotik.com/product/CCR1072-1G-8Splus  and 
I’d pick the Mikrotik every time.

 

 

 

From: NANOG  On Behalf Of 
adamv0...@netconsultings.com
Sent: Thursday, 22 October 2020 9:28 am
To: 'Colton Conor' ; t...@pelican.org
Cc: 'NANOG' 
Subject: RE: cheap MPLS router recommendations

 

Just to clarify what cheap means, ideally  -$2000 to $4000 new 

-new is preferred as buying used kit on second hand market one is at the mercy 
of the price fluctuations and availability.

 

And the likes of the M2400 looks good 4x10G plus some 1G, unfortunately there 
are no details on the webpage (and the datasheet can’t be downloaded… ) 

 

Are there more folks out there bundling open NOS and white-box HW along with 
the support for the whole thing?

 

 

adam



RE: cheap MPLS router recommendations

2020-10-16 Thread Tony Wicks
Well, there is always the MX104 (if you want redundancy) or MX80 if you don’t. 
That will give you 80gig wire speed just don’t load it up with more than one 
full table.

 

From: adamv0...@netconsultings.com  
Sent: Saturday, 17 October 2020 10:57 am
To: 'Tony Wicks' 
Cc: nanog@nanog.org
Subject: RE: cheap MPLS router recommendations 

 

For this particular gig even the MX204 would be overkill in terms of price as 
well as performance. 

Ideally something like 204 but with only those 8 10/1G ports (i.e. without the 
4x100G ports)

 

adam

From: Tony Wicks <t...@wicks.co.nz>
Sent: Friday, October 16, 2020 10:36 PM
To: adamv0...@netconsultings.com
Cc: nanog@nanog.org
Subject: RE: cheap MPLS router recommendations 

 

Juniper MX204, easy



RE: cheap MPLS router recommendations

2020-10-16 Thread Tony Wicks
Juniper MX204, easy

 

From: NANOG  On Behalf Of 
adamv0...@netconsultings.com
Sent: Saturday, 17 October 2020 10:31 am
To: 'Jakub Horn (jakuhorn)' ; nanog@nanog.org
Subject: RE: cheap MPLS router recommendations 

 

Yeah the XR thing would be great but NCS540 would be too expensive and too much 
throughput meaning draws too much power,

 

adam 



RE: Passive Wave Primer

2020-10-13 Thread Tony Wicks
We sell some wavelengths on passive CWDM/DWDM paths between Datacentres
(less than 80Km) to customers to spread the cost of leasing the dark fibre.
But yes, as far as long distance (apart from bespoke offerings) I'm yet to
see a productised alien wave service. If you are spending all that money on
OTN kit the extra cost of the transponders is not really significant I
suppose.

-Original Message-
From: NANOG  On Behalf Of Brandon
Martin
Sent: Wednesday, 14 October 2020 8:11 am
To: nanog@nanog.org
Subject: Re: Passive Wave Primer


I have yet to find a service provider that is actually willing to sell this
even when they have it in their service offering catalog.  The difficulties
of coordinating everything with the customer are so extreme that it seems to
usually make sense to either lease the customer dark fiber or capitalize the
transponders needed to carry it as a managed wave on the provider's
transport system.  Might make sense if you literally want half the spectrum
on a long-haul span or something.



RE: Passive Wave Primer

2020-10-13 Thread Tony Wicks
An Alien wave comes in from an external source, for an example a customer has 
WDM optics in their kit. A normal wave the “customer” connects with a normal 
10GE/100GE (or whatever is appropriate) and a line card on the OTN platform 
“grooms” that to the appropriate WDM channel.

 

From: NANOG  On Behalf Of TJ Trout
Sent: Wednesday, 14 October 2020 6:22 am
To: James Jun 
Cc: nanog 
Subject: Re: Passive Wave Primer

 

What is the difference between a normal wave and an alien wave?

 



RE: Ipv6 help

2020-08-26 Thread Tony Wicks

This is nothing new, when I first started installing CGN platforms something 
like 10 years ago there was only ever one company that caused issues, can you 
guess which? It got to the point of lawyers exchanging desist letters as PSN 
constantly told our customers that they were blocking to contact us as somehow 
the ISP has control over what Sony blocks on PSN. They're the worst service 
company I have ever had the displeasure of dealing with, the arrogance and 
attitude of we are big, you are small we don't care about your customers was 
infuriating. Never have I seen a single call related to their opposition, 
whereas PSN accounted for about 10-20% of helpdesk calls. I don't understand why it's 
seemingly impossible for them to implement ipv6 as almost everything I have 
deployed with CGN is dual stack V6.



-Original Message-
From: NANOG  On Behalf Of Brian 
Johnson
Sent: Thursday, 27 August 2020 7:14 am
To: Mark Tinka 
Cc: nanog@nanog.org
Subject: Re: Ipv6 help

I can prove, as an ISP, that I am delivering the packets. Many providers will 
have to do this until the content moves to IPv6, so what will their excuse be? 
The provider has no choice when they have more customers than IPv4 address 
space. They will have to do something to provide access to the IPv4 Internet 
for these customers. If the ISP created a service that wasn’t NAT444 for gamers 
and charged accordingly, they would probably get drawn and quartered.

It’s a no win situation and it really is Sony that is causing this issue. PR 
campaigns and educating customers is probably the only way they can win this 
argument, when they already have the technical battle won.

Just checked with 2 of my customers who do NAT444 and no issues with PSN… YMMV.

> On Aug 26, 2020, at 2:00 PM, Mark Tinka  wrote:
> 
> 
> 
> On 26/Aug/20 20:38, Brian Johnson wrote:
> 
>> I‘m going further... They shouldn’t have to care. Sony should understand 
>> what they are delivering and the circumstance of that. That they refuse to 
>> serve some customers due to the technology they use is either a business 
>> decision or a faulty design. The end-customer (gamer) doesn’t care. They 
>> just want to play.
> 
> Sony know that when connectivity breaks because they marked a 
> NAT444'ed IP address as a DDoS source, the end-user won't complain to 
> Sony (that's a customer service blackhole). The end-user will complain to the 
> ISP.
> 
> Chain of responsibility is in the ISP's disfavour. Sony don't have to 
> do anything. It's like sending an e-mail to an abuse@ mail box. You 
> sort of know it won't get answered, and are powerless if it isn't answered.
> 
> Mark.




RE: cloud backup

2020-07-26 Thread Tony Wicks
"newbie product" NEQ "newbie user"

-Original Message-
From: John Sage  
Sent: Monday, 27 July 2020 9:45 am
To: Tony Wicks ; nanog@nanog.org
Subject: Re: cloud backup


A "newbie"?



RE: cloud backup

2020-07-26 Thread Tony Wicks
Did I miss something? Is this list now the newbie product questions list?

-Original Message-
From: NANOG  On Behalf Of 
Sent: Monday, 27 July 2020 8:40 am
To: nanog@nanog.org
Subject: Re: cloud backup




RE: Issues with deliverability to hotmail -- any Microsoft contacts?

2020-07-20 Thread Tony Wicks
Have you used this form? I feel your pain.

 

https://support.microsoft.com/en-us/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75

 

From: NANOG  On Behalf Of Brock Tice
Sent: Tuesday, 21 July 2020 4:11 am
To: nanog@nanog.org
Subject: Issues with deliverability to hotmail -- any Microsoft contacts?

 

We have been having issues delivering email to hotmail users again, no bulk 
mail, just various personal emails from a server on our network. We have signed 
up for SNDS, only identified one mail server of a customer on our network that 
was flagged as an issue, and it has been remedied, no longer showing in SNDS.

We have repeatedly requested removal of our subnet from their block list and it 
has not worked. MS has done a great job of making it impossible to contact 
anyone about this. Does anyone have pointers on what else can be done or whom 
we should contact to get this resolved?


 

Thanks,

  --Brock

 

-- 

Brock M. Tice

Co-Owner and President

Black Mesa Wireless LLC

505-852-5101

br...@bmwl.co  



RE: CGNAT Opensource with support to BPA, EIM/EIF, UPnP-PCP

2020-07-07 Thread Tony Wicks
As someone who has spent quite a long time building CGNAT solutions I have some 
good news for you, there is an easy solution to your below point that works 
exceptionally well. The solution is dual stack IPv6, its trivial to route your 
IPv6 to bypass the CGNAT device you are using and pretty much all of the major 
CDN providers are fully IPv6 enabled. In the real world this halves the amount 
of traffic your CGNAT solution has to process. Gaming companies (Not Sony) 
are also starting to support V6 so that can be a win too. I’m not one of those 
V6 is the solution to everything engineers as I live in the real world, but in 
this case it absolutely is a good workable answer.

 


- The need for detouring the traffic that doesn't need CGNAT(Internal CDNs, 
Internal Servers, etc), to stay on the license limits of those boxes, sometimes 
brings some issues.





RE: Router Suggestions

2020-06-15 Thread Tony Wicks
As someone who has used VSR (Nokia) and VMX (Juniper) I’d suggest, good luck on 
your plan to use servers for this sort of routing. If you want a cheap router 
to handle full tables and a couple of 10G interfaces worth of throughput I’d 
suggest you would be a lot better off with Mikrotik’s latest hardware offering 
- https://mikrotik.com/product/ccr2004_1g_12s_2xs 

 

Just my 2c

 

>We're also looking at going the virtual router route where we put 2-3 servers 
>in a HA cluster loaded up with 10Gb interfaces and running some sort of 
>routing software.  In case you didn't catch on, I'm fairly early in running 
>this idea through the paces, although it seems like this is a pretty common 
>thing nowadays.



RE: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

2020-01-07 Thread Tony Wicks
Good luck! I’ve dealt with such PSN IP blocking issues for several years and 
have found that Sony is the absolute worst possible gaming/content provider 
I’ve ever dealt with. One company I worked at had to threaten legal action as 
PSN would block CGN IPv4 addresses on their network and then tell customers to 
contact the ISP as it’s the ISP’s fault. At the same time PSN would provide no 
useful or actionable information to the ISP as to why they had implemented 
almost random IP blocking on their network. Not once was any issue raised in 
regard to their biggest competitor. The sheer arrogance shown by their 
management at the time was infuriating, it was a you are not big enough to 
waste our precious time on attitude.

 

 

 

 

On Mon, Jan 6, 2020 at 1:27 PM Octolus Development <ad...@octolus.net> wrote:

Hi all,

 

We've been trying to get in contact with Sony and/or Akamai to resolve an IP 
blacklisting issue.

 

Support is not useful, and our customers are complaining. 

 

If anyone has a POC for somebody over at Sony or PSN who can help us resolve 
these issues, it would be much appreciated!

 



RE: Iran cuts 95% of Internet traffic

2019-11-18 Thread Tony Wicks
>Implementation specifics vary. Most rely on state control of consumer ISPs and 
>implement a variety of systems at that layer. Many also have chokepoints for 
>international connectivity as well.

 

I guess all these governments who like to control access so tightly are going 
to be in a total tailspin over Starlink eh.

 

 

 



RE: Mx204 alternative

2019-08-08 Thread Tony Wicks
VMX (and VSR) throughput capacity pricing is excessive once you get over about 
20G from what I have seen. 

 

From: NANOG  On Behalf Of Baldur Norddahl
Sent: Friday, 9 August 2019 9:16 AM
To: nanog@nanog.org
Subject: Re: Mx204 alternative

 

Hello

 

How about Juniper vMX? 8x 10G is no problem in a 2U server. Two Intel X710 NICs 
with 4 interfaces on each.

 

I found this guide:

 

https://gbe0.com/networking/juniper/vmx/ubuntu-14-04-kvm-host-setup-for-juniper-vmx
  

 

Regards

 

Baldur

 

 



RE: Mx204 alternative

2019-08-08 Thread Tony Wicks
Yes, good point, I was under the impression that it would take the 12 port
10/1 mda-e card but on looking closer it appears it only supports the high
capacity mda-e-xp (6x100/40/10 ports or 12x100/40/10 ports) cards. This
means, as you say if you want physical 10G or lower ports then a
7210-sas-sx64 would be needed which is less than ideal. 

-Original Message-
From: NANOG  On Behalf Of Radu-Adrian Feurdean
Sent: Thursday, 8 August 2019 10:50 PM
To: nanog@nanog.org
Subject: Re: Mx204 alternative

Hi, 
SR1 (without s) is 2u high, but it doesn't have 1G ports. It doesn't even
have "native" 10G ports. Only 40/100G, with 4x10G optics for 10G. For 1G you
would need a 7210 in satellite mode, which is one extra U + $$$.
Otherwise very nice box... 




RE: Mx204 alternative

2019-08-07 Thread Tony Wicks
It’s a bit more expensive and higher capability (1.2tb vs 400G) than the MX204. 
But the form factor and capability is very impressive for a little box.

 

From: Mehmet Akcin  
Sent: Thursday, 8 August 2019 3:30 PM
To: Tony Wicks 
Cc: nanog 
Subject: Re: Mx204 alternative

 

Thank you! Something within 2U (max) form factor :)

 

On Wed, Aug 7, 2019 at 8:23 PM Tony Wicks <t...@wicks.co.nz> wrote:

Nokia 7750 sr-1.

 

 

From: NANOG <nanog-boun...@nanog.org> On Behalf Of Mehmet Akcin
Sent: Thursday, 8 August 2019 3:03 PM
To: nanog <nanog@nanog.org>
Subject: Mx204 alternative

 

Greetings,

 

I am looking for some suggestions on alternatives to mx204. 

 

Any recommendations on something more affordable which can handle full routing 
tables from two providers?

 

Prefer Juniper but happy to look alternatives.

Min 6-8 10G ports are required

1G support required

 

Thanks in advance! 

 

Mehmet

-- 

Mehmet
+1-424-298-1903




RE: Mx204 alternative

2019-08-07 Thread Tony Wicks
Nokia 7750 sr-1.

 

 

From: NANOG  On Behalf Of Mehmet Akcin
Sent: Thursday, 8 August 2019 3:03 PM
To: nanog 
Subject: Mx204 alternative

 

Greetings,

 

I am looking for some suggestions on alternatives to mx204. 

 

Any recommendations on something more affordable which can handle full routing 
tables from two providers?

 

Prefer Juniper but happy to look alternatives.

Min 6-8 10G ports are required

1G support required

 

Thanks in advance! 

 

Mehmet

-- 

Mehmet
+1-424-298-1903



RE: QFX5k question

2019-03-23 Thread Tony Wicks
I have Virtual chassis QFX5100’s running as a switching/routing core with about 
80k routes (bgp in routing-instances) and no issues. MX’s are on the upstream 
borders and downstream BNG’s. The only issue I had was I had some MPLS 
pseudowire switching on them and found a few glitches.

 

 

 

From: NANOG  On Behalf Of Joseph Jenkins
Sent: Sunday, 24 March 2019 9:43 AM
To: nanog 
Subject: Re: QFX5k question

 

I have 4 QFX51xx switches in a virtual chassis and have no problems pushing 
that much traffic through them for several hundred servers with 10GB uplinks.

 

 

On March 23, 2019 at 12:42:52 PM, Mehmet Akcin (meh...@akcin.net 
 ) wrote:

Hey there, 

 

I am trying to get my hands on some QFX5000s and I have a rather quick question.

 

In the past, I often used MX + EX where MX did routing and I connected all 
uplinks/peering and EX, and EX did switching, i connected my servers to ex.

 

in QFX, I am trying to see if I need EX or not? more importantly (besides from 
what juniper papers say) are there any known issues people run into for a small 
scale deployment. (100mbps-1gbps range 1 rack, 20 servers) 

 

my plan is to have QFX do it all, but i am worried, if this is too much for 
QFX, if you have relative experience on this , feel free to let me know

 

thanks in advance

 

mehmet



RE: Last Mile Design

2019-02-09 Thread Tony Wicks
Certainly the devil is in the details, in New Zealand the access layer (GPON 
plus local transport) is largely regulated. Then Retail service providers buy 
the access component wholesale and add layer3, national backhaul etc. Retail 
for unlimited 1G/500M internet is about $75USD/month, for 100/50 you are 
looking at about 50USD/month. Key to this was the breakup of the incumbent into 
an access plus retail provider. This was done by allowing power (lines) 
companies in a few regions to win the access component contract.





From: NANOG  On Behalf Of Baldur Norddahl
Sent: Sunday, 10 February 2019 6:21 PM
To: nanog@nanog.org
Subject: Re: Last Mile Design



The FTTH rollout in Sweden has resulted in monopoly and the prices are high. 
Anything will work if you do not need to compete and you are getting financed 
by someone with money to spend.



On 2019-02-09 18:59 CET, Mikael Abrahamsson wrote:








RE: Last Mile Design

2019-02-09 Thread Tony Wicks
In New Zealand we have a mostly (any town of about 20k population or more) 
nationwide FTTH rollout underway (government/private partnership) that is 
mostly based on GPON. Both Point to Point and Dark Fibre are available as well. 
The service is layer 2 QinQ delivered to the retail service providers, (1/16 
split on the GPON) while the fibre infrastructure provider is barred from 
retail service sales. GPON speeds generally delivered are 100/50, 200/200 and 
1G/500. In general the real world result of this is a network that performs 
fantastically for both retail and SMB. Larger businesses are often delivered 
over single strand dark Fibre, but in practice the 1G/500M service works 
extremely well for most situations. 10G over the PON network is about to start 
a trial phase, but the ready availability of DF significantly reduces the 
urgency of this (8x10G over cheap CWDM fibre mux's makes for a nice solution).



>
>Agreed - we generally do not recommend the use of GPON for our Enterprise 
>customers. However, in cases where a 3rd party partner discloses their use of 
>GPON to deliver our tails, we dumb down the SLA's and technical capabilities 
>and advise the customer accordingly.
>
>Mark.





RE: Last Mile Design

2019-02-08 Thread Tony Wicks
It also significantly reduces the requirement to distribute active equipment 
into the field while massively reducing the feeder fibre requirement. Point to 
point has its place to be sure, but mass market FTTH is not viable without 
PON's economics.


On 02/08/2019 12:48 PM, Aaron wrote:
> I've always felt PON is a tool for people who don't know how to design a 
> proper network.

Why is that?

I always thought PON was a technology that reduced the number of active
ports, thus altering the port cost per subscriber significantly by not
actually needing dedicated ports.



--
Grant. . . .
unix || die






RE: Any way to collect network usage data for dial-up subscriber

2019-01-24 Thread Tony Wicks
Hi, I don't know what your scale is but setting a 15minute interim radius
update has always worked well for me. A standard freeradius server running
on SSD's would be able to handle the load from 100k users without too much
of a load issue. Above that load balancing radius requests among servers is
not really that difficult.  

 

From: NANOG  On Behalf Of aun Joe
Sent: Thursday, 24 January 2019 9:28 PM
To: NANOG 
Subject: Any way to collect network usage data for dial-up subscriber

 

NANOGers ,

 

 

 is there anyway for AAA to get special  online subscriber usage
information without enabling interim accounting on BRAS?

 

Reading through the RADIUS protocol, it seems that if we want to get online
subscriber information, enabling interim accounting on BRAS is the only way.

But if we enable that on BRAS, all online subscribers' accounting
information will be reported periodically. That will generate too much load
on AAA, and we need to monitor a small set of subscribers only.

 

 

  thanks in advance.

 

joe sun

 

 



RE: Proofpoint Mail Delivery Issues

2019-01-10 Thread Tony Wicks
This might be helpful -

 

https://ipcheck.proofpoint.com/

 

From: NANOG  On Behalf Of Tim Donahue
Sent: Thursday, 10 January 2019 11:21 AM
To: nanog@nanog.org
Subject: Proofpoint Mail Delivery Issues

 

Hi all, 

 

Sorry for the noise, but one of my clients is getting the standard "it's the
other guy's fault" with some email delivery issues to/from Proofpoint
"Enterprise" customers.  If there is anyone from Proofpoint support
monitoring this list, some assistance troubleshooting email delivery issues
would be greatly appreciated.

 

Thank you,

 

Tim Donahue



RE: A few GPON questions...

2018-12-11 Thread Tony Wicks
I remember working for this little company called EDS... Some bright spark 
decided that ATM to the desktop was the future (not this ethernet (or even 
token ring) thing) and subsequently converted several thousand head office 
machines to E3 or OC3 to the desktop. Hell of a thing trying to make OS2 
drivers work for an OC3 card. That went very badly and the whole lot was ripped 
out again after a couple of years from memory.

-Original Message-
From: NANOG  On Behalf Of Seth Mattinen
Sent: Wednesday, 12 December 2018 9:59 AM
To: nanog@nanog.org
Subject: Re: A few GPON questions...


I've had jobs where management refused to consult with or consider suggestions 
from IT. I once was part of an office move where the modular furniture vendor 
started asking questions about cabling was entering and port locations blah 
blah. They were told by management they don't need to know that and IT will 
just figure it out later. The vendor was like no way, they need to be involved 
now or we won't proceed. Then IT was brought in at the last minute, but if the 
furniture vendor hadn't refused to proceed the plan was literally F the IT guys 
and make them figure it out all the cabling over the weekend before everyone 
was to move in. Management like that just gets worse until you line up another 
job and quit.



RE: Cheap switch with a couple 100G

2018-11-25 Thread Tony Wicks
Actually FS has SFP28 CWDM optics (1270-1330) available but they are not up on 
the website, just as an FYI.

-Original Message-
From: NANOG  On Behalf Of Tom Hill
Sent: Monday, 26 November 2018 10:41 AM
To: nanog@nanog.org
Subject: Re: Cheap switch with a couple 100G

On 25/11/2018 21:22, Baldur Norddahl wrote:
> If it is passive, you could tell them it is for 10G but use it for 25G?


The mux isn't the problem, it's that there aren't SFP28 optics commonly 
available in C/DWDM wavelengths. Yet. If they were, well maybe...




RE: PPPoE Server

2018-08-08 Thread Tony Wicks
Cisco ASR1k can support up to 64K PPPoE depending on the model/cards. Juniper 
MX and Nokia 7750 can scale up to a couple of hundred thousands depending on 
the model. The thing to bear in mind is the ASR1000 is a CPU based router, this 
means it is very flexible (NAT/L2TP etc can just turn on without extra cards) 
but throughput is limited to your processor capacity and what you turn on. The 
Juniper MX and Nokia 7750 are more hardware based routers that can massively 
scale but you need to work closely with the vendor to ensure you have 
appropriate cards for your intended application. Personally I have used all of 
these solutions and I would stray towards the Juniper. This being said the 
Nokia is also a magnificent box albeit a bit less user friendly IMHO.



-Original Message-
From: NANOG  On Behalf Of Clayton Zekelman
Sent: Thursday, 9 August 2018 8:50 AM
To: Jose Jorquera ; Mauro Gasparini 

Cc: nanog@nanog.org
Subject: Re: PPPoE Server


I'll second that. Juniper MX works well for us.  We have one router terminating 
10,000 PPPoE and 3,500 L2TP and it handles the load fine.


At 04:43 PM 08/08/2018, Jose Jorquera wrote:
>Cisco is the any option? I read about BRAS server on Juniper MX-480,can 
>you check "Juniper one day: dynamic subscriber management” for more 
>info.
>
> > On 08-08-2018, at 15:22, Mauro Gasparini
>  wrote:
> >
> > Good afternoon people.
> > I would like to advice me some appliance or
> software (running on top level server line) which supports 20,000 
> simultaneous PPPoE connections.
> > The customer has a Cisco ASR1000 but I don't
> have any confirmed experience that can support it.
> >
> > Mauro Gasparini.
> >
> >



RE: Waste will kill ipv6 too

2017-12-28 Thread Tony Wicks
I think it's time you all had a bit of a holiday break and stopped thinking
of IP networking for a little while, Just saying...



RE: Terminology Clarification - "Active Wave"

2017-10-01 Thread Tony Wicks
I would suggest they are asking if it is to be carried on an active (powered) 
DWDM ADM (Add Drop Mux), or over passive optical muxes (short range).



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Rod Beck
Sent: Monday, 2 October 2017 9:19 AM
To: nanog@nanog.org
Subject: Terminology Clarification - "Active Wave"

A financial firm asked me if a 10 gig wave offer was an "active wave". 


LAN PHY 10 GigE, WAN PHY 10 GigE, transparent, STM64, OC192. Yes.


Active?


Roderick Beck

Director of Global Sales

United Cable Company

www.unitedcablecompany.com

85 Király utca, 1077 Budapest

rod.b...@unitedcablecompany.com

36-30-859-5144





RE: DWDM Mux/Demux using 40G Optics

2017-06-19 Thread Tony Wicks
I think you will find the "monitor" port is most likely to be used for "lawful" 
intercept by unnamed government entities.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Colton Conor
Sent: Tuesday, 20 June 2017 8:14 AM
To: Faisal Imtiaz 
Cc: nanog list 
Subject: Re: DWDM Mux/Demux using 40G Optics

Thanks for the answers. From the sounds of it, no one knows the real difference 
between the expansion port, 1310 port, and 1550 port. For real world 
applications, I would assume the monitor port would be to plug in a handheld 
meter, and see which channels are coming through that node without breaking the 
ring. Not sure if there would be a monitor port for both directions if you were 
using an OADM?

On Mon, Jun 19, 2017 at 2:38 PM, Faisal Imtiaz 
wrote:



Re: DWDM Mux/Demux using 40G Optics

2017-06-19 Thread Tony Wicks
The guys at fibrestore will point you in the right direction on all this if you 
ask them these questions. They are actually very helpful and will assign you a 
specialist to assist.

 Original message 
From: Colton Conor  
Date: 20/06/17  6:26 AM  (GMT+12:00) 
To: NANOG  
Subject: DWDM Mux/Demux using 40G Optics 

We are building a 40G metro ring using 40-Gigabit Ethernet QSFP+
Transceivers. Specifically, we are using Juniper JNP-QSFP-40G-LR4. This is
a QSFP+ Transceiver with a LC duplex head. We only have one pair of single
mode dark fibers around the ring.  Our distance between nodes around the
ring are all less than 10KM, so we can use standard optics.

We go out of one JNP-QSFP-40G-LR4 and into another JNP-QSFP-40G-LR4. There
are no passive muxes involved. This is working great for 40G.

My understanding is a JNP-QSFP-40G-LR4 is really a transceiver with a CWDM
mux built into it. The spec sheet shows it sends 4 10G channels:

https://www.juniper.net/documentation/en_US/release-independent/junos/topics/reference/specifications/optical-interface-qfx-support.html

Lane wavelength:
Lane 0: 1264.5 nm through 1277.5 nm
Lane 1: 1284.5 nm through 1297.5 nm
Lane 2: 1304.5 nm through 1317.5 nm
Lane 3: 1324.5 nm through 1337.5 nm


This setup is working fine, but now we want to do more than 40G around the
ring. To my knowledge there are no other 40G QSFP+ transceivers that use
four other channel/lanes than the ones already being used, so the only way
to go higher than 40G is to stack 10G or 100G channels on top of the fiber
pair using a passive mux.

100G is too expensive for the time being, so we are looking to add 10G
channels to a ring that already has one 40G channel using the QSFP+.

I was reading this tutorial, and it mentions "there is a 1310 nm port
integrated in a 40 channels DWDM Mux/Demux system. The 1310nm added port is
a Wide Band Optic port (WBO) added to other specific DWDM wavelengths in a
module. When we run out of all channels in a DWDM Mux/Demux system, we can
add the extra optics via this 1310nm port."
http://www.fs.com/upgrade-to-500g-with-40ch-dwdm-mux-demux-system-aid-493.html

What I can't seem to understand is they are mentioning that this 1310 port
can pass QSFP+ signals, so it sounds like it's really a 1270nm through
1330nm port? Is this what they mean by Wide Band Optic port (WBO)?

We don't need 40 10G channels plus a 40G for a total of 440G. More than
likely we are looking at a 8 channel mux/demux, and 1 40G port for a total
of 120G.

I don't care if we do CWDM vs DWDM, but I assume it will be hard to find a
CWDM mux that has one LC duplex input for 1270nm through 1330nm channels?

Maybe I should just ditch the 40G QSFP+ optics and use all 10G optics, but
the switches I am using have 48 10G SFP+ ports and 6 QSFP+ ports built in.
I know there are 40G breakout cables, but the whole point of 40G is to
aggregate VLAN/circuits.

Has anyone done this before?


RE: DMCA processing software

2017-06-06 Thread Tony Wicks
Speaking for Networks outside of the USA (and not being at all helpful sorry), 
/dev/null works well. Sorry, couldn't help myself...



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Jason Baugher
Sent: Wednesday, 7 June 2017 5:18 PM
To: NANOG 
Subject: DMCA processing software

I'm curious what people are using to manage DMCA takedown notices in mid-sized 
networks. I've been searching, and have found the ACNS spec, and a few obscure 
references to an RT plugin, but not much else. As the ISP I work for grows, 
manual handling of notices is starting to be a problem. I'd prefer something 
open-source so we can extend it to hook into our other systems, but primarily I 
need something to parse the notice emails, store the information, track the 
number of incidents over time, and generate letters to users.

If nothing exists, and everyone just has in-house proprietary systems, then 
we'll start down the same road, but I don't like to re-invent the wheel if I 
can help it.

Thanks



RE: Question about experiences with BGP remote-AS

2017-05-05 Thread Tony Wicks
JunOS has three different modes for Virtual routers depending on your
situation requirements. I would suggest that something in the QFX or ACX
range will be able to replicate what you are after. Otherwise the entry
level MX will certainly do the job for a little more outlay. 

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of LF OD
Sent: Saturday, 6 May 2017 4:56 AM
To: nanog@nanog.org
Subject: Question about experiences with BGP remote-AS

We have a number of small routers in co-lo sites that peer with B2B
partners. As more of our partners move to cloud, we are considering a
consolidation effort and putting all of  our peering routers in a cloud
exchange site on a single HA pair of routers. Now, each existing B2B peering
router uses a unique private ASN to EBGP peer with partners and they, in
turn, EBGP peer with our extranet perimeter ASNs for security vetting and
other stuff.


We looked for a medium-density router (or L3-switch) that can replace
multiple small routers (b2b-only, no internet), but we need to retain all of
our existing ASNs and peerings. As it turns out, there are many routers that
can do VRFs but you cannot put a unique ASN on each VRF so replicating the
old environment isn't quite that straightforward. The BGP remote-as looks to
be a possible alternative solution, but we've never used it in production
and we are unsure of the caveats. Taken at face value, it looks like we can
mimic the multi-router/unique-ASN environment we have today on a single
platform. However, networking is rarely as smooth as that so I'm asking some
of the BGP gurus... what are the pros/cons of doing using remote-as? If
anyone here uses it extensively, we could really use some feedback if you
run into challenges or hidden surprises that we wouldn't normally think of
beforehand.


Thanks in advance!


LFOD



RE: PSN (Playstation Network) security team

2017-04-27 Thread Tony Wicks
snei-noc-ab...@am.sony dot com

Good luck with that! Sony is uniquely difficult to deal with when it comes to 
the arrogance of their "security" people at PSN.



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Josh Luthman
Sent: Friday, 28 April 2017 7:27 AM
To: NANOG list 
Subject: PSN (Playstation Network) security team

I'm hoping someone here can reach out to me from the department that deals with 
automatically blocking IPs.  As far as I can tell they're all in the same /24.  
The phone support is completely worthless in this situation (I'm supposed to 
change my ISP).

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373



RE: BRAS/BNG Suggestion

2016-12-03 Thread Tony Wicks
I was told by some high up people in Ericsson several years ago that their
target for the Redback range is the top dozen telco's and they are not
really interested in smaller customers. It's a shame, because the Redback in
many ways is still superior to other offerings IMHO. To the OP's question -

1. The Nokia 7750 is a good option, but you would likely need the larger
7750-SR or 7750-e over the 7750-a series as the "a" does not have the MS-ISA
card option that allows access to several key BNG functions. Likely outside
of budget once spares etc are taken into account

2. Cisco ASR1K, likely this will do what you need, the advantage of the 1K
range is it's just a big CPU based box, so you don't need add on cards to do
anything fancy. There is also affordable support and an active grey market
option available (2x asr1006-esp40).

3. A virtual offering from Juniper (VMX) or Cisco might work for you.
Nokia's offering is a bit too new.


I would choose option 2 with option 3 as a backup if you want to get things
going quickly. Unless money is not an option then option 1 (2x 7750-sr7 or
7750-e2).



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Patrick Cole
Sent: Sunday, 4 December 2016 1:20 AM
To: t...@pelican.org
Cc: nanog@nanog.org
Subject: Re: BRAS/BNG Suggestion

2nded, I tried for months to get Ericsson to get us a quote and sort us out
with a solution as I'd used their kit and liked it in the past.

Exactly as Tim said, they just didn't seem interested if you're not after a
big $$ solution.

We went with ASR1k as cisco came to the party on price and we were already
using 7200 at the time.  No complaints.

Patrick

Fri, Dec 02, 2016 at 10:37:29AM -, t...@pelican.org wrote:





RE: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Tony Wicks
So the last one we successfully managed to isolate, our customer they had more 
than one PC with multiple infections. It’s not Playstation’s, but Windows 
machines that are infected with I assume some malware that is trying to log 
into PSN.

 

cheers

 

From: Jason Baugher [mailto:ja...@thebaughers.com] 
Sent: Monday, 19 September 2016 12:09 PM
To: valdis.kletni...@vt.edu
Cc: Tony Wicks <t...@wicks.co.nz>; NANOG <nanog@nanog.org>
Subject: Re: PlayStationNetwork blocking of CGNAT public addresses

 

So I should try again to get them to tell me what an "Account Takeover Attempt" 
is? They ignored my last request.

 

It's easy to explain DMCA or spam to an end-user, but it's difficult to explain 
to some soccer mom that her kids are doing something to make Sony mad, when I 
can't explain to them what Sony is mad about.

 

On Sun, Sep 18, 2016 at 5:58 PM, <valdis.kletni...@vt.edu> wrote:

On Mon, 19 Sep 2016 10:41:59 +1200, "Tony Wicks" said:
> Interestingly, Sony (SNEI-NOC-Abuse@am. sony dot com) just
> replied to being forwarded back one of their notification blocks requesting
> more detailed information with a csv file in under an hour!

So I guess name-and-shame *does* work? :)

 



RE: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Tony Wicks
Interestingly, Sony (SNEI-NOC-Abuse - Sony say no, either through silence, or explicitly.



RE: PlayStationNetwork blocking of CGNAT public addresses

2016-09-16 Thread Tony Wicks
So the pain has finally flowed down to other parts of the world. (APNIC ran
out of IP's a long time ago, so CGN has been in use here for a lot longer)
This issue is one I have been dealing with for the last four years. Only
with Sony, no other company has caused such a headache in regard to CGNAT. I
will not go into the long and painful saga of dealing with the constant
issue of Sony putting blocks on random pool addresses, refusing to supply
sufficient information to identify rogue users (timestamp, source IP,
destination IP and port) then telling our customers it is a problem at the
ISP end, but... Something happened about three months ago that proves that
if the Sony technical people want to get off their asses they are perfectly
capable of supplying adequate information to identify a rogue user for the
ISP to deal with. One of the local Sony PSN helpline managers actually
managed to convince one of their technical people to supply a spreadsheet
that magically contained sufficient information to allow us to identify a
couple of users that did indeed have multiple infections. Great, I thought,
now if we can just get them to automate/regularly send this info we will
have a way forward. Alas, it appears it was a one off and we are back to the
start. I will quote below what the Sony Network guy said when explaining why
they can't send detailed information every time -


" From: SNEI-NOC-Abuse [mailto:snei-noc-ab...@am.sony.com] 
Sent: Thursday, 11 August 2016 8:38 AM
To: ##me##
Cc: ##helpful Sony guy##
Subject: RE: PSN / Flip Network blocks

Hello,

There is quite a bit of extra computing power required to produce the CSV
file with timestamps and destination IP addresses.  We send out over 6000
emails per day which already takes a significant amount of resources and
time.  We tend to get around 20-30 responses.  Instead of wasting the
resources on all those emails we generate CSV files for those who respond.

We hope you understand.

Thank you for taking action on these."

So there you go, Sony can indeed solve this issue, but apparently a company
that makes computers has insufficient computing power and staff to do so. Oh
and after this, despite being asked many times they have never responded to
requests for the CSV or similar detailed info.




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Simon Lockhart
Sent: Saturday, 17 September 2016 1:13 AM
To: nanog@nanog.org
Subject: PlayStationNetwork blocking of CGNAT public addresses

All,

We operate an access network with several hundred thousand users.
Increasingly we're putting the users behind CGNAT in order to continue to
give them an IPv4 service (we're all dual-stack, so they all get public IPv6
too). Due to the demographic of our users, many of them are gamers.

We're hitting a problem with PlayStationNetwork 'randomly' blocking some of
our CGNAT outside addresses, because they claim to have received anomalous,
or 'attack' traffic from that IP. This obviously causes problems for the
other legitimate users who end up behind the same public IPv4 address.

Despite numerous attempts to engage with PSN, they are unwilling to give us
any additional information which would allow us to identify the 'rogue'
users on our network, or to identify the 'unwanted' traffic so that we could
either block it, or use it to identify the rogue users ourselves.

Has anyone else come up against the problem, and/or have any suggestions on
how best to resolve it?

Many thanks in advance,

Simon
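
The correlation both messages above want to perform, as an added example that is not part of the original thread: given a per-session CGNAT translation log, a report row carrying timestamp, source IP, destination IP and port narrows a shared outside address down to one subscriber, while the bare blocked IP does not. The log layout, column names, the optional source_port column and all addresses and times are constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed CGNAT session log (one line per translated flow).
NAT_LOG = """start,end,inside_ip,outside_ip,outside_port,dest_ip,dest_port
2016-08-10T20:00:05,2016-08-10T20:00:40,100.64.1.10,203.0.113.7,10240,198.51.100.20,443
2016-08-10T20:00:10,2016-08-10T20:03:00,100.64.1.11,203.0.113.7,12288,198.51.100.20,443
2016-08-10T20:01:00,2016-08-10T20:01:30,100.64.1.12,203.0.113.7,14336,192.0.2.50,80
2016-08-10T20:02:15,2016-08-10T20:02:50,100.64.1.10,203.0.113.7,10241,198.51.100.20,443
2016-08-10T21:15:00,2016-08-10T21:15:20,100.64.1.13,203.0.113.7,16384,198.51.100.20,443
"""

# Constructed abuse report in the shape the thread asks for.
# source_port is an assumed optional column; empty means "not supplied".
REPORT = """timestamp,source_ip,source_port,dest_ip,dest_port
2016-08-10T20:00:30,203.0.113.7,10240,198.51.100.20,443
2016-08-10T20:02:20,203.0.113.7,10241,198.51.100.20,443
2016-08-10T20:02:30,203.0.113.7,,198.51.100.20,443
2016-08-10T21:15:10,203.0.113.7,,198.51.100.20,443
"""


def load_sessions(text):
    """Parse the translation log and convert start/end to datetimes."""
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.fromisoformat(row["start"])
        row["end"] = datetime.fromisoformat(row["end"])
        sessions.append(row)
    return sessions


def candidates(sessions, source_ip, when=None, dest_ip=None, dest_port=None,
               source_port=None, skew=timedelta(seconds=5)):
    """Subscriber (inside) addresses consistent with whatever fields are known.

    skew tolerates clock drift between the reporter and the CGNAT logger.
    """
    found = set()
    for s in sessions:
        if s["outside_ip"] != source_ip:
            continue
        if when is not None and not (s["start"] - skew <= when <= s["end"] + skew):
            continue
        if dest_ip is not None and s["dest_ip"] != dest_ip:
            continue
        if dest_port is not None and s["dest_port"] != str(dest_port):
            continue
        if source_port is not None and s["outside_port"] != str(source_port):
            continue
        found.add(s["inside_ip"])
    return found


def correlate(report_text, sessions):
    """Count report rows per subscriber; rows matching 0 or >1 stay ambiguous."""
    hits, ambiguous = Counter(), []
    for row in csv.DictReader(io.StringIO(report_text)):
        found = candidates(sessions, row["source_ip"],
                           when=datetime.fromisoformat(row["timestamp"]),
                           dest_ip=row["dest_ip"], dest_port=row["dest_port"],
                           source_port=row.get("source_port") or None)
        if len(found) == 1:
            hits[found.pop()] += 1
        else:
            ambiguous.append((row["timestamp"], sorted(found)))
    return hits, ambiguous


if __name__ == "__main__":
    sessions = load_sessions(NAT_LOG)
    print("blocked IP alone:", sorted(candidates(sessions, "203.0.113.7")))
    print("with report rows:", correlate(REPORT, sessions))
```

With only the blocked outside address, every subscriber behind it is a candidate; the third report row shows that two long-lived flows to the same destination still overlap unless the source port is also supplied.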



RE: Host.us DDOS attack

2016-08-03 Thread Tony Wicks
Further to that, and I would suggest it should be part of the overall 
discussion here. It appears the IPv4 IP block my VM is in is not currently 
advertised on the world route table. I assume hostus.us's transit provider has 
dropped their ipv4 BGP to save themselves. This is really the ultimate reward 
for the extortionists as they don't even need to sustain the DDOS to attack 
their target. While I see the transit provider's point of view, it’s a pretty 
shitty situation for their customer, and their customers/customers.



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Tony Wicks
Sent: Thursday, 4 August 2016 9:10 AM
To: 'NANOG list' <nanog@nanog.org>
Subject: RE: Host.us DDOS attack

Interestingly my VM (LA) with them has been effectively down for half a day as 
far as IPv4 is concerned. IPv6 traffic seems unaffected. 








RE: Host.us DDOS attack

2016-08-03 Thread Tony Wicks
Interestingly my VM (LA) with them has been effectively down for half a day as 
far as IPv4 is concerned. IPv6 traffic seems unaffected. 




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Robert Webb
Sent: Thursday, 4 August 2016 1:42 AM
To: NANOG list 
Subject: Host.us DDOS attack

Anyone have any additional info on a DDOS attack hitting host.us?

Woke up to no email this morning and the following from their web site:




RE: BGP peering strategies for smaller routers

2016-05-02 Thread Tony Wicks
I have used variations of Gustav's solution below to good effect as well, this 
also works with two smaller routers providing basic fail over and load 
balancing. I found it's best to take Full + default from one provider and just 
default from the other. Set a higher local-pref on the default only provider 
than the full+default one, then filter the full+default routes by AS-path as 
desired. Incoming control via the normal prepending of outgoing advertisements.




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Gustav Ulander
Sent: Tuesday, 3 May 2016 8:30 AM
To: Mike ; NANOG list 
Subject: RE: BGP peering strategies for smaller routers

Hello.

When we were in a similar situation we opted for one transit provider to provide 
a default to us then we filtered on AS-HOPS so prefixes that were more than 3 
hops away were denied. 
This way we got the ones that were closest to us and that were more likely to 
matter. Prefixes that are more than 3 hops away on both links could probably just 
as well go on a default instead. 
However it’s a rather crude way of fixing the issue. We just did it to have the 
router up while we got extra memory for it. (We had a memory shortage after an 
update that we needed to apply to correct some bug I think. We couldn’t just 
roll back the update if my memory serves me correctly.) 

//Gustav

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike
Sent: den 2 maj 2016 21:07
To: NANOG list 
Subject: BGP peering strategies for smaller routers

Hello,

 I have an ASR1000 router with 4gb of ram. The specs say I can get
'1 million routes' on it, but as far as I have been advised, a full table of 
internet routes numbers more than 530k by itself, so taking 2 full tables seems 
to be out of the question (?).

  I am looking to connect to a second ip transit provider and I'm looking 
for any advice or strategies that would allow me to take advantage and make 
good forwarding decisions while not breaking the bank on bgp memory 
consumption. I simply don't understand how this would likely play out and what 
memory consumption mitigation steps may be necessary here. I'm open to ideas... 
a pair of route reflectors? 
selective bgp download? static route filter maps?

Thank you.

Mike-
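
A small model of the policy described in this thread, as an added example that is not code from any poster: full table plus default from provider A filtered by AS-path length, default only from provider B with the higher local-pref, then longest-prefix match to see which exit each destination takes. The ASNs, prefixes, AS paths and local-pref values are constructed.

```python
import ipaddress

# Constructed feeds: (prefix, AS path as received; first ASN is the neighbour).
FEED_A = [  # provider A (AS 64500): full table + default
    ("0.0.0.0/0", [64500]),
    ("198.51.100.0/24", [64500, 64510]),
    ("192.0.2.0/24", [64500, 64520, 64521]),
    ("192.0.2.128/25", [64500, 64520, 64521, 64522]),
    ("203.0.113.0/24", [64500, 64511, 64512, 64513, 64514]),
]
FEED_B = [("0.0.0.0/0", [64600])]  # provider B (AS 64600): default only


def import_policy(feed, local_pref, max_hops=None):
    """Accept routes whose AS path is at most max_hops long; tag local-pref."""
    accepted = []
    for prefix, as_path in feed:
        if max_hops is not None and len(as_path) > max_hops:
            continue  # too far away: let the default route carry it
        accepted.append((ipaddress.ip_network(prefix), local_pref, as_path))
    return accepted


def build_fib(*accepted_feeds):
    """Per prefix keep the best path: highest local-pref, then shortest path."""
    best = {}
    for feed in accepted_feeds:
        for net, local_pref, as_path in feed:
            rank = (-local_pref, len(as_path))
            if net not in best or rank < best[net][0]:
                best[net] = (rank, as_path[0])
    return {net: neighbour for net, (rank, neighbour) in best.items()}


def lookup(fib, destination):
    """Longest-prefix match; returns the neighbour ASN used as the exit."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in fib if addr in net]
    if not matches:
        return None
    return fib[max(matches, key=lambda net: net.prefixlen)]


def filtered_fib(max_hops=3):
    # Default-only provider B gets the higher local-pref, as suggested above.
    return build_fib(import_policy(FEED_A, 100, max_hops),
                     import_policy(FEED_B, 200))


if __name__ == "__main__":
    fib = filtered_fib()
    print(len(fib), "prefixes installed")
    for dst in ("198.51.100.9", "192.0.2.200", "203.0.113.9"):
        print(dst, "-> AS", lookup(fib, dst))
```

Note the side effect on 192.0.2.200: its /25 is filtered out, so traffic follows the covering /24 instead, and anything with no nearby specific leaves via provider B's default.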




RE: 10G-capable customer router recommendations?

2016-04-15 Thread Tony Wicks
Hmm, the chances of getting a single flow of more than 1gig to/from the 
"internet" is close to zero in a CPE situation. If the Connection is a service 
provider or similar sure, this limitation may well apply, but a home user 
(however high end), nope I just can't see it. If you need something capable of 
a single stream over 1G with 10G interfaces then really cost is going to have 
to be no object. If this is the case then something like a 600D will do the job 
-

http://www.fortinet.com/sites/default/files/productdatasheets/FortiGate-600D.pdf
Add any 10G switch you like off the second SFP+ port if you need 10G CPE, it's 
not likely to need to be an expensive one (EX3300?)

I've used the Mikrotik CCR's as high end CPE (with 10G uplink) very 
successfully as they offer excellent price/performance, but if that's no object 
then there are plenty of options.






> Can't do more than 1Gbps per flow. Not suitable for this application.
> On Apr 15, 2016 5:03 PM,  wrote:



RE: PlayStation Network blocking an IP

2016-04-01 Thread Tony Wicks
Good luck with that! Sorry, long experience with them tells me that you are 
unlikely to get any help on that one.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Velocity Lists
Sent: Saturday, 2 April 2016 11:31 AM
To: NANOG list 
Subject: PlayStation Network blocking an IP

Can someone from Sony's Playstation network give me a call or contact me offlist.

One of our apartment complexes has been reporting errors of PS4s not working 
for a few days then they start working again.

PSN Support is telling the users to call us.
We have diagnosed it and PSN is blocking the IP of the complex and it has 
nothing to do with us.


Velocity Online
Rodger Lewis rcle...@velocityonline.net
850-205-4638 x201



RE: Juniper QFX5200-32C junos base services license and BGP

2016-03-03 Thread Tony Wicks
>
>Hi,
>Does anyone have a QFX5200-32C gear with a "Junos Base Services" license? 
>Does that license technically allow running BGP?
>
>Currently I have a QFX5100 which only gives me warning "This feature
>requires a license" during commit but BGP routing works fine. So I'm
>wondering if that trick works in QFX5200..
>

Um, you do realise that all the major vendors (including that well Known
vendor) have people on this list ? Sending a question about taking advantage
of said vendors light handed approach to licencing to this list is somewhat
less than subtle ?



RE: Softlayer / Blocking Cuba IP's ?

2016-02-19 Thread Tony Wicks
>
>Cc: nanog list 
>Subject: Re: Softlayer / Blocking Cuba IP's ?
>

I had a couple of VM's (personal mail/web hosting) with a provider who used 
Softlayer for transit. About a month ago Softlayer (without any notice or 
warning) blocked all outgoing port 25 at multiple datacentres for this 
provider. It took the hosting provider half a day to work out what had 
happened. Needless to say as much as I liked the company I had to move my hosts 
elsewhere (they did refund me to their credit). It seems that someone at 
Softlayer is extremely aggressive on their blocking policies to the point of 
making their service unusable. I would highly recommend the community votes 
with its wallet when it comes to these turkeys.







RE: Nat

2015-12-16 Thread Tony Wicks
We have the ASR1006 ESP40's handling 25,000+home broadband users running NAT 
and barely breaking a sweat. What ESP are you using ?

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ahmed Munaf
Sent: Thursday, 17 December 2015 5:36 AM
To: Mark Tinka 
Cc: nanog@nanog.org
Subject: Re: Nat

In addition to the limited concurrent sessions for ASR1000, we are facing some 
issue with many users who are playing online games! Nat problems! 

Ahmed, 




RE: New ISPs getting of the ground without IPv4?

2015-11-02 Thread Tony Wicks
>-Original Message-
>
>Surprisingly enough demand for Internet services did not end when we ran out 
>of IPv4. I'd like to hear from the guys and gals starting new ISPs how they 
>are facing this brave new world. 
>

Well, APNIC ran out years ago, so as someone with experience running a 
residential ISP with very limited IPv4 I can tell you that the overwhelming 
majority of customers don't know or care that they are running behind CGNAT as 
long as you are upfront about it (in the FAQ's, no you can't run a server on 
this service). One /24 is good for about 16k broadband users without major 
issues (apart from dealing with random blocks by our "friends" at 
"playstation"). Overall it just works and nobody notices. You will want a good 
DDOS scrubbing solution though as you can't just block a destination IP that 
happens to be in one of your IP pools.



