Re: Default routes on BGP routers with full feeds
On Nov 5, 2014, at 7:49 AM, Andreas Larsen andreas.lar...@ip-only.se wrote: There is one setup where you would need default route from your provider. If you have no IBGP between two sites and your prefix is a large /16 on one side and maybe a /18 from that /16 on another site. These sites would not be able to talk to each other if you originate from the same AS. Other than that I see no harm in having both default and a full table since longest prefix match will always win even if you have 2 or more transits. I think in that case you would use “allowas-in”. Regards, Marc
RE: Default routes on BGP routers with full feeds
We receive full routes and a default so we can perform traffic engineering within our network. We have links to multiple carriers, via multiple routers. We inject a default route into OSPF from distinct segments of our network, based on receiving the default route on that segment via eBGP. If the default route goes down, the default injected from another segment assumes priority and traffic routes out through that segment's carrier. It's easier to manage this kind of failover (for us) using default routes, so we don't have to carry full routes on all our core routers. We also prefer using a default route over engineering things based on some other arbitrary route learned from eBGP. Thanks, Adam -Original Message- From: NANOG [mailto:nanog-bounces+maillist=webjogger@nanog.org] On Behalf Of Marc Storck Sent: Wednesday, November 05, 2014 6:53 AM To: nanog@nanog.org Subject: Re: Default routes on BGP routers with full feeds On Nov 5, 2014, at 7:49 AM, Andreas Larsen andreas.lar...@ip-only.se wrote: There is one setup where you would need default route from your provider. If you have no IBGP between two sites and your prefix is a large /16 on one side and maybe a /18 from that /16 on another site. These sites would not be able to talk to each other if you originate from the same AS. Other than that I see no harm in having both default and a full table since longest prefix match will always win even if you have 2 or more transits. I think in that case you would use “allowas-in”. Regards, Marc
Re: BGP process torture
On 11/03/2014 12:47 PM, chip wrote: Exabgp should be able to help you out here. Great for doing fun things with BGP. https://github.com/Exa-Networks/exabgp You find a new tool every day. Thanks for the heads up on that particular swiss army knife. Looks like it would make this pretty straightforward. -- Brandon Martin
Issues with SNMP monitoring over a GRE tunnel.
I have two different customers where I am unable to monitor their networks due to GRE MTU issues. This is monitoring cable modems so I can't change the MTU of the end device. The problem I am having is that the modems are producing frames that appear to be larger than some kind of MTU limit in the system (we do not control the customer routers in either case). One that I am looking at is dropping anything larger than 1472, and I have yet to tune down on the other one. In one case the customer endpoint is a Cisco ASR1K router and the other is an ASR9K. Because these are UDP packets I can't use an MSS to clamp things down. Also I have been unable to replicate the issue in my lab, so I can't send them a list of commands to help fix the issue on their end. -- Brian Christopher Raaen Network Architect Zcorum
Re: Default routes on BGP routers with full feeds
On Nov 4, 2014, at 10:49 PM, Andreas Larsen andreas.lar...@ip-only.se wrote: There is one setup where you would need default route from your provider. That may be true, but this isn’t it… If you have no IBGP between two sites and your prefix is a large /16 on one side and maybe a /18 from that /16 on another site. These sites would not be able to talk to each other if you originate from the same AS. 1. Don’t do this. No, really, this is like the old joke about “Doctor, Doctor, it hurts when I do this!”. Just get a second AS. Supposed definition of an AS: “A collection of prefixes with a common routing policy”. If you have a /18 advertised from group A and a /17 and a /18 advertised from group B (even if you’re pretending it’s a /16 and including the covered separate /18), then you have 3 (or pretending 2) prefixes which have different routing policies. 2. If you are going to do this, then you’re better off building a tunnel between the sites and setting up iBGP across the tunnel. 3. Another option is to coerce your BGP into accepting routes with your own AS in the AS PATH. This circumvents BGP loop detection, but if your two sites are stub sites (and I can’t imagine a scenario where you would do this with transit sites), then that is a pretty low risk. Further, you can filter out the potential loop routes pretty easily since you know which ones are local to each site, making that particular loop detection irrelevant. Other than that I see no harm in having both default and a full table since longest prefix match will always win even if you have 2 or more transits. The harm is that instead of dropping traffic that can’t go anywhere, you’re passing it to someone else to drop for you. I suppose as long as you’re paying for the bandwidth used, it’s not a big deal, but it also breaks your ability to implement things like BCP38. 
Owen // Andreas With kind regards Andreas Larsen IP-Only Telecommunication AB| Postal address: 753 81 UPPSALA | Visiting address: S:t Persgatan 6, Uppsala | Telephone: +46 (0)18 843 10 00 | Direct: +46 (0)18 843 10 56 www.ip-only.se On 5 Nov 2014 at 02:41, Chris Rogers crog...@inerail.net wrote: We don't accept a default from anyone, but will send one to a customer when specifically requested. We heavily filter all incoming routes (bogon, 1918, and many others). We don't want data resorting to 0/0 and ::/0 when we specifically rejected the matching route at the import policy. Additionally, if your upstream isn't announcing a route to you, where are they going to send your traffic anyway? Regards, Chris Rogers +1.302.357.3696 x2110 http://inerail.net/ On Tue, Nov 4, 2014 at 5:42 PM, Owen DeLong o...@delong.com wrote: It seems in such a case, the traffic still doesn’t know where to go, but you don’t realize it because you have a default. Then you pass the traffic to one of the providers who doesn’t have a route for it and they drop it instead of you. If you see something different, then, by definition, said provider is not feeding you a full set of their tables, or, they, too, are depending on a default and are not receiving a full set of tables. Owen On Nov 4, 2014, at 10:25 AM, Mike Walter mwal...@3z.net wrote: I have 5 providers and we get the default from all of them and full routing tables. I have seen cases where if there is no default route, the traffic didn't know where to go, even with full routes from all my providers. -Mike -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Berry Mobley Sent: Tuesday, November 04, 2014 12:47 PM To: nanog@nanog.org Subject: Default routes on BGP routers with full feeds I'm wondering how many of you who are multihomed also add default routes pointing to your providers from whom you are receiving full feeds. 
If so, why? If not, why not? Thanks, Berry
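The point argued in the message above (a default route silently catches traffic for prefixes the import policy rejected, and for destinations nobody announces) can be reproduced with a small longest-prefix-match model. This is an added example, not code from anyone in the thread; the feed, next-hop names and rejected-prefix list are constructed, and the third configuration (static discard routes for the rejected prefixes) is a mitigation added here that the thread does not propose.

```python
import ipaddress

# Constructed import policy: anything inside these prefixes is rejected on eBGP.
REJECTED = [ipaddress.ip_network(p) for p in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
DISCARD = "discard"  # hypothetical name for a null/blackhole next hop

# Constructed eBGP feed: (prefix, next hop). Includes a leaked RFC 1918 route.
FEED = [
    ("0.0.0.0/0", "transit-A"),
    ("203.0.113.0/24", "transit-A"),
    ("192.0.2.0/24", "transit-B"),
    ("10.20.0.0/16", "transit-B"),
]

def build_fib(feed, accept_default, discard_rejected=False):
    """Apply the import policy and return the forwarding table."""
    fib = []
    for prefix, next_hop in feed:
        net = ipaddress.ip_network(prefix)
        if net == DEFAULT and not accept_default:
            continue
        if any(net.subnet_of(bad) for bad in REJECTED):
            continue  # rejected at import: the route never reaches the table
        fib.append((net, next_hop))
    if discard_rejected:
        # Static discard routes are more specific than 0/0, so they win.
        fib.extend((bad, DISCARD) for bad in REJECTED)
    return fib

def lookup(fib, destination):
    """Longest-prefix match; None means the router drops the packet itself."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, nh) for net, nh in fib if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def compare(destination):
    """Next hop for one destination under the three configurations."""
    return {
        "full table only": lookup(build_fib(FEED, False), destination),
        "full table + default": lookup(build_fib(FEED, True), destination),
        "default + discard routes": lookup(build_fib(FEED, True, True), destination),
    }

if __name__ == "__main__":
    for dst in ("203.0.113.9", "10.20.1.1", "198.18.0.1"):
        print(dst, compare(dst))
```

The 10.20.1.1 row is the filtering case: the /16 was rejected at import, yet with a default present the packet still leaves via transit-A. The 198.18.0.1 row is the unannounced-destination case, which the discard routes do not change.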
Re: Issues with SNMP monitoring over a GRE tunnel.
I think the simple solution here is to query for fewer OIDs to get the packet size (in both directions) down below the MTU. It'll take more requests and thus longer, but if that's what solves the problem... well, that's what solves the problem. On Wed, Nov 5, 2014 at 7:59 AM, Brian Christopher Raaen mailing-li...@brianraaen.com wrote: I have two different customers where I am unable to monitor their networks due to GRE MTU issues. This is monitoring cable modems so I can't change the MTU of the end device. The problem I am having is that the modems are producing frames that appear to be larger than some kind of MTU limit in the system (we do not control the customer routers in either case). One that I am looking at is dropping anything larger than 1472, and I have yet to tune down on the other one. In one case the customer endpoint is a Cisco ASR1K router and the other is an ASR9K. Because these are UDP packets I can't use an MSS to clamp things down. Also I have been unable to replicate the issue in my lab, so I can't send them a list of commands to help fix the issue on their end. -- Brian Christopher Raaen Network Architect Zcorum
Re: Issues with SNMP monitoring over a GRE tunnel.
This would be a good approach. In SNMP the request initiator (the one sending the SNMP 'Get' or 'GetNext' or 'GetBulk') can anticipate the size of the outgoing request will be small(er) by asking for fewer variables at a time. (Each variable is a 'varbind' and each is specified in the outgoing request packet as an OID.) But it is sometimes impossible to know how large the return size will be. The SNMP Agent responding to the request will load up the return UDP packet with the required data and this could be quite large - depending on what is being requested. Thus, it is good to ask for fewer variables at a time thus hopefully keeping the SNMP Agent from responding with something that will prove too large to the MTU barrier that is being hit somewhere along the transitioned network path. 'GetBulk' would seem to be the worst enemy regarding this. Of course some returns are very small per-variable. 'ifInOctets' is a 32bit integer. 'ifHCInOctets' is a 64bit integer. Etc. These are not likely the problem. Issues will occur when fetching octet strings such as 'ifDescr' or 'sysLocation' - there can be times when these values have been loaded up the remote SNMP Agent with quite a substantial response. On Wed, Nov 5, 2014 at 1:36 PM, Jeff Walter jwal...@weebly.com wrote: I think the simple solution here is to query for fewer OIDs to get the packet size (in both directions) down below the MTU. It'll take more requests and thus longer, but if that's what solves the problem... well, that's what solves the problem. On Wed, Nov 5, 2014 at 7:59 AM, Brian Christopher Raaen mailing-li...@brianraaen.com wrote: I have two different customers where I am unable to monitor their networks due to GRE MTU issues. This is monitoring cable modems so I can't change the MTU of the end device. The problem I am having is that the modems are producing frames that appear to be larger than some kind of MTU limit in the system (we do not control the customer routers in either case). 
One that I am looking at is dropping anything larger than 1472, and I have yet to tune down on the other one. In one case the customer endpoint is a Cisco ASR1K router and the other is an ASR9K. Because these are UDP packets I can't use an MSS to clamp things down. Also I have been unable to replicate the issue in my lab, so I can't send them a list of commands to help fix the issue on their end. -- Brian Christopher Raaen Network Architect Zcorum -- Greg Moberg, Director, NerveCenter Engineering LogMatrix, Inc | http://www.logmatrix.com/ | CommunityForum http://community.logmatrix.com/LogMatrix/ | Blog http://www.logmatrix.com/Blog Telephone: +1 (800)892-3646 http://www.logmatrix.com http://www.twitter.com/NerveCenter http://www.linkedin.com/company/logmatrix?trk=ppro_cprof https://www.facebook.com/Logmatrix?sk=page_insights http://www.youtube.com/user/logmatrixchannel
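The advice in the two replies above (ask for fewer varbinds so the agent's reply stays under the path limit) can be turned into a planning step on the poller. The sketch below is an added example, not code from the thread: it computes the worst-case BER-encoded size of an SNMPv2c Response and splits a poll list into requests whose replies fit. It assumes the 1472 figure is an IPv4 packet size, that the caller knows the maximum value size per OID, and a constructed community string and interface range.

```python
IP_UDP_HEADERS = 20 + 8  # IPv4 header without options + UDP header

def ber_len(content_len):
    """Size of one BER TLV: 1 tag byte + definite-length field + content."""
    if content_len < 128:
        return 2 + content_len
    return 2 + (content_len.bit_length() + 7) // 8 + content_len

def oid_len(oid):
    """Encoded size of an OBJECT IDENTIFIER given in dotted form."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]  # first two arcs share a byte
    return ber_len(sum(max(1, (s.bit_length() + 6) // 7) for s in subids))

def response_ip_size(community, varbinds):
    """Worst-case IPv4 packet size of an SNMPv2c Response.

    varbinds: list of (oid, max_value_bytes); the second item is the largest
    value content the agent may return for that OID.
    """
    vb_total = sum(ber_len(oid_len(o) + ber_len(v)) for o, v in varbinds)
    # PDU: request-id (up to 4 bytes), error-status, error-index, varbind list
    pdu = ber_len(ber_len(4) + ber_len(1) + ber_len(1) + ber_len(vb_total))
    # Message: version, community string, PDU
    message = ber_len(ber_len(1) + ber_len(len(community)) + pdu)
    return IP_UDP_HEADERS + message

def plan_requests(community, varbinds, max_ip_packet):
    """Greedily split varbinds so every worst-case reply fits the limit."""
    batches, current = [], []
    for vb in varbinds:
        if response_ip_size(community, [vb]) > max_ip_packet:
            raise ValueError(f"{vb[0]} cannot fit in {max_ip_packet} bytes")
        if current and response_ip_size(community, current + [vb]) > max_ip_packet:
            batches.append(current)
            current = []
        current.append(vb)
    if current:
        batches.append(current)
    return batches

def sample_varbinds(interfaces=range(1, 9)):
    """Constructed poll list: three columns for interfaces 1..8."""
    out = []
    for i in interfaces:
        out.append((f"1.3.6.1.2.1.2.2.1.2.{i}", 255))   # ifDescr, DisplayString (0..255)
        out.append((f"1.3.6.1.2.1.2.2.1.10.{i}", 5))    # ifInOctets, Counter32
        out.append((f"1.3.6.1.2.1.31.1.1.1.6.{i}", 9))  # ifHCInOctets, Counter64
    return out

if __name__ == "__main__":
    vbs = sample_varbinds()
    print("single request, worst-case reply:", response_ip_size("public", vbs))
    for batch in plan_requests("public", vbs, 1472):
        print(len(batch), "varbinds ->", response_ip_size("public", batch), "bytes")
```

The plan only bounds Get-style replies where each requested OID yields one value; a GetBulk reply grows with max-repetitions, so that parameter has to be sized with the same arithmetic.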
Re: Default routes on BGP routers with full feeds
On Tue, Nov 4, 2014 at 12:47 PM, Berry Mobley be...@gadsdenst.org wrote: I'm wondering how many of you who are multihomed also add default routes pointing to your providers from whom you are receiving full feeds. If so, why? If not, why not? Back when I worked for the DNC we ran into a problem with the TCAM size. Given the DNC's focus on the U.S., network reliability to the /8's operated out of the APNIC and RIPE regions was much less important to us. So, we filtered BGP announcements from within those /8's and relied on covering routes to get our packets there instead. I used covering /8's instead of a default, but a default would have been as effective. Regards, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ May I solve your unusual networking challenges?
hawaiian telcom
if there is a commercial contact from hawaiian telcom lurking here, can you please ping me offlist? thanks, chris
Hijack factory: AS201640 -- MEGA - SPRED LTD / Michael A. Persaud
I already posted about this rogue AS days ago, but nothing has really changed much, since then, with respect to its hijacking of IP space. Well, at least Brian Krebs was kind enough to write about it: http://krebsonsecurity.com/2014/11/still-spamming-after-all-these-years/ (Please note that that is a convicted felon spamming from the hijacked IP space. He's not allowed to own firearms, but he _can_ apparently own a keyboard.) As of today, AS201640 is still hijacking a total of eleven routes to IP space scattered all over the world... none of which appears to belong to anybody in or near Bulgaria. In fact, it would appear that the organization that is the registrant of AS201640 currently has exactly -zero- IP addresses to call its own. Nobody in a position to _do_ anything about this gives a darn? As of today: 36.0.56.0/21 41.92.206.0/23 41.198.80.0/20 41.198.224.0/20 61.242.128.0/19 119.227.224.0/19 123.29.96.0/19 177.22.117.0/24 177.46.48.0/22 187.189.158.0/23 202.39.112.0/20
Re: Hijack factory: AS201640 -- MEGA - SPRED LTD / Michael A. Persaud
From our view of the table, it looks like it would be up to either 22 (not likely to happen) or GTT. They've lined the IIRs to pass 201640 through 22 via AS-HereHost. Anyone from GTT able to comment? -- Hugo -Original Message- Date: Wed, 5 Nov 2014 13:59:17 -0800 From: Ronald F. Guilmette r...@tristatelogic.com To: nanog@nanog.org Subject: Hijack factory: AS201640 -- MEGA - SPRED LTD / Michael A. Persaud I already posted about this rogue AS days ago, but nothing has really changed much, since then, with respect to its hijacking of IP space. Well, at least Brian Krebs was kind enough to write about it: http://krebsonsecurity.com/2014/11/still-spamming-after-all-these-years/ (Please note that that is a convicted felon spamming from the hijacked IP space. He's not allowed to own firearms, but he _can_ apparently own a keyboard.) As of today, AS201640 is still hijacking a total of eleven routes to IP space scattered all over the world... none of which appears to belong to anybody in or near Bulgaria. In fact, it would appear that the organization that is the registrant of AS201640 currently has exactly -zero- IP addresses to call its own. Nobody in a position to _do_ anything about this gives a darn? As of today: 36.0.56.0/21 41.92.206.0/23 41.198.80.0/20 41.198.224.0/20 61.242.128.0/19 119.227.224.0/19 123.29.96.0/19 177.22.117.0/24 177.46.48.0/22 187.189.158.0/23 202.39.112.0/20
Re: Cisco CCNA Training
This course has 25 hours of video, I haven't started it yet but I've watched many of Laz's videos on Youtube, and he explains stuff very well. It is $399 though. They could share the Udemy account, and watch them in their free time. *I'm not affiliated with Udemy* https://www.udemy.com/the-complete-ccna-200-120-course
Shipping bulk hardware via freight
I'm interested in talking with someone who has experience shipping hardware that has been pulled from a working environment. The assumption is that it would not use a normal carrier such as UPS or FedEx, but via private freight. Assuming that 20 x 1U switches and a handful of 10U chassis were to be shipped, has anyone found a productive way to package them in something other than the boxes they come in? Has anyone tried to crate / pallet pack them or something more efficient? If so, please contact me offline if you are willing to share your experience. Jason
Re: Default routes on BGP routers with full feeds
For a long time I had the same opinion; however, if someone operates a network with multiple upstream providers the operator should be able to afford a proper out-of-band console access which solves this issue completely. I would only accept a default route on uplinks where I am only receiving a partial table for rescue purposes. Blake Hudson: I often opt to leave one or more default routes configured with low priority (lower than BGP). The thinking is that if there is a fault with BGP, the router will still operate and the fault can be corrected remotely (in-band). The downside is that I might pass traffic for non-existing destinations an additional hop and put the load of generating an ICMP unreachable on someone else's router. --Blake Berry Mobley wrote on 11/4/2014 11:47 AM: I'm wondering how many of you who are multihomed also add default routes pointing to your providers from whom you are receiving full feeds. If so, why? If not, why not? Thanks, Berry
[curiosity] Internet's first router, 1969
Old days... :) http://www.snotr.com/video/14338/In_Honor_Of_The_Internet_Turning_45_Today__Here_Is_Its_First_Router
Re: Shipping bulk hardware via freight
My suggestion would be to leave the packing and shipping to professionals. Take it to your local UPS store or similar; they can pack it and ship it (1U switches, no big deal, but the 10U chassis, most likely best if they are palletized). Doing it any other way would be greatly dependent on what facilities are available to you, i.e. can you palletize it? Shrink wrap it and have a freight carrier pick it up (they are picky about doing that from a location that does not have a dock-height warehouse / ramp). You might be able to find a consolidator freight forwarder who may have the facilities to palletize and shrink wrap. You can also take the do-it-yourself approach: get / find some pallets, buy some strapping and shrink wrap rolls. While not hard to do, make sure you have the resources to do so (pallet jack, space, tools etc). Regards Faisal Imtiaz Snappy Internet Telecom 7266 SW 48 Street Miami, FL 33155 Tel: 305 663 5518 x 232 Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net - Original Message - From: Jason 8...@tacorp.us To: nanog@nanog.org Sent: Wednesday, November 5, 2014 1:02:08 PM Subject: Shipping bulk hardware via freight I'm interested in talking with someone who has experience shipping hardware that has been pulled from a working environment. The assumption is that it would not use a normal carrier such as UPS or FedEx, but via private freight. Assuming that 20 x 1U switches and a handful of 10U chassis were to be shipped, has anyone found a productive way to package them in something other than the boxes they come in? Has anyone tried to crate / pallet pack them or something more efficient? If so, please contact me offline if you are willing to share your experience. Jason
Re: Shipping bulk hardware via freight
If you are planning to scrap it after retiring it from production, talk to nsrc @ uoregon, they'll pick it up and ship it to developing countries that could use it. On Nov 6, 2014 4:45 AM, Jason 8...@tacorp.us wrote: I'm interested in talking with someone who has experience shipping hardware that has been pulled from a working environment. The assumption is that it would not use a normal carrier such as UPS or FedEx, but via private freight. Assuming that 20 x 1U switches and a handful of 10U chassis were to be shipped, has anyone found a productive way to package them in something other than the boxes they come in? Has anyone tried to crate / pallet pack them or something more efficient? If so, please contact me offline if you are willing to share your experience. Jason
Re: Shipping bulk hardware via freight
On Wed, Nov 5, 2014 at 9:54 PM, Gary Buhrmaster gary.buhrmas...@gmail.com wrote: (rather than the router that had a fork lift hole in the side of the box (only bent the sheet metal, fortunately), or the entire rack that now had a 15 degree tilt, and for which the inserted disk drives no longer really fit into the metal shell, both issues showing up at the other end Ah yes, I recall watching them decommission the old Control Data Cyber 990 back at Georgia Tech. The mover slipped trying to get it on the liftgate and the whole cabinet dropped about a foot to the ground with a nice solid thud. -Bill -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ May I solve your unusual networking challenges?
Re: [curiosity] Internet's first router, 1969
On November 6, 2014 at 01:57 israel.l...@lugosys.com (Israel G. Lugo) wrote: Old days... :) http://www.snotr.com/video/14338/In_Honor_Of_The_Internet_Turning_45_Today__Here_Is_Its_First_Router You'll probably love this: A Conversation with Steve Crocker (Chairman, ICANN, author RFC #1, etc) and Leonard Kleinrock (in the video linked above) a couple of weeks ago: http://la51.icann.org/en/schedule/mon-crocker-kleinrock I was there, it was fun. Or as Abraham Lincoln would say: For people who like this sort of thing this is probably the sort of thing they will like. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Re: [curiosity] Internet's first router, 1969
On November 6, 2014 at 01:57 israel.l...@lugosys.com (Israel G. Lugo) wrote: Old days... :) http://www.snotr.com/video/14338/In_Honor_Of_The_Internet_Turning_45_Today__Here_Is_Its_First_Router Except, it's the ARPANET that's 45 years old, and the video is of an IMP. :-) Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra