Re: [EXT] Xfinity (both ends) - can't ping from users home to office

2020-06-19 Thread Chuck Anderson
On Thu, Jun 18, 2020 at 11:57:12PM +, Spencer Coplin wrote:
> I have a client that is unable to ping his office Comcast Business connection 
> from his home Xfinity connection. It was working a month ago and we can 
> confirm that his connection works over his iphone's hotspot. I am able to 
> ping from my own xfinity residential (same city) without issues. I suspect 
> something in the routing from his home connection is messed up as 
> tracert/ping can't even resolve his office's IP. The client called Xfinity 
> residential support and they blamed the inability to ping the IP on his 
> office vpn connection.
> 
> Has anyone else hit this and if so, how was it resolved?

Sort of.  Try having him change the MAC address of his residential CPE router 
so the BNG sees it as a "new" device.  In my case that resolved connectivity 
issues after Comcast did some "network maintenance" and broke everything for me.

Alternatively, have you tried working this issue from the Business side?  You'd 
probably get more leverage that way.


Re: Partial vs Full tables

2020-06-05 Thread Chuck Anderson
On Fri, Jun 05, 2020 at 10:20:00AM -0700, William Herrin wrote:
> On Fri, Jun 5, 2020 at 9:49 AM Saku Ytti  wrote:
> > The comparison isn't between full or default, the comparison is
> > between static default or dynamic default. Of course with any default
> > scenario there are more failure modes you cannot route around. But if
> > you need default, you should not want to use dynamic default.
> 
> It's a little more nuanced than that. You probably don't want to
> accept a default from your transit but you may want to pin defaults
> (or a set of broad routes as I did) to "representative" routes you do
> accept from your transit. By "pin" I mean tell BGP that 0.0.0.0/0 is
> reachable by some address inside a representative route you've picked
> that is NOT the next hop. That way the default goes away if your
> transit loses the representative route and the default pinned to one
> of your other transits takes over.

I do the above using routes to *.root-servers.net to contribute to the
aggregate 0/0.
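
Added illustration, not code from the thread and not any router's own logic: a small Python model of the mechanism William Herrin describes and Chuck Anderson applies with the root-server prefixes. Each transit session contributes 0/0 only while that same session still carries its chosen representative prefix; withdraw the representative and that transit's default disappears, so the default pinned to another transit takes over. The model abstracts the recursive next-hop resolution a real router does into "is the representative present on this session". Session names, prefixes and local preferences are assumptions.

```python
"""Model of a default route "pinned" to a representative prefix per transit."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class TransitSession:
    name: str
    local_pref: int
    representative: str                      # prefix whose presence vouches for the transit
    received: Set[str] = field(default_factory=set)

    def contributes_default(self) -> bool:
        # The representative must be learned on *this* session; a copy of the
        # same prefix learned via another transit does not vouch for this one.
        return self.representative in self.received


class Rib:
    def __init__(self) -> None:
        self.sessions: Dict[str, TransitSession] = {}

    def add_session(self, s: TransitSession) -> "Rib":
        self.sessions[s.name] = s
        return self

    def learn(self, session: str, prefix: str) -> None:
        self.sessions[session].received.add(prefix)

    def withdraw(self, session: str, prefix: str) -> None:
        self.sessions[session].received.discard(prefix)

    def active_default(self) -> Optional[str]:
        """Transit whose pinned 0/0 currently wins (highest local-pref), or None."""
        live = [s for s in self.sessions.values() if s.contributes_default()]
        if not live:
            return None                      # nobody can vouch: no default at all
        return max(live, key=lambda s: s.local_pref).name


def failover_sequence() -> List[Optional[str]]:
    """Walk through a representative-route withdrawal and return the active
    default after each step."""
    rib = (Rib()
           .add_session(TransitSession("transit-a", 200, "198.41.0.0/24"))   # assumed: a.root-servers.net block
           .add_session(TransitSession("transit-b", 100, "192.33.4.0/24")))  # assumed: c.root-servers.net block
    steps: List[Optional[str]] = []
    rib.learn("transit-a", "198.41.0.0/24")
    rib.learn("transit-b", "192.33.4.0/24")
    steps.append(rib.active_default())       # both vouch: A wins on local-pref
    rib.withdraw("transit-a", "198.41.0.0/24")
    steps.append(rib.active_default())       # A lost its representative: B takes over
    rib.learn("transit-b", "198.41.0.0/24")  # A's representative seen via B does not restore A
    steps.append(rib.active_default())
    rib.withdraw("transit-b", "192.33.4.0/24")
    steps.append(rib.active_default())       # neither vouches: default withdrawn, not blackholed
    return steps


if __name__ == "__main__":
    print(failover_sequence())
```

On real gear this is done either with a recursively resolved static default whose next hop is an address inside the representative prefix, or with a generated/aggregate 0/0 whose contributor policy only accepts the representative routes; the knob is platform-specific and not shown here. The last step is the point of the exercise: when no transit can vouch, the default goes away rather than silently pointing into a transit that has lost the Internet.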


Re: [EXT] AS hijacking (Philosophy, rants, GeoMind)

2020-05-29 Thread Chuck Anderson
Go back to them and tell them that a hijacked prefix is different from a 
hijacked AS.

On Fri, May 29, 2020 at 11:39:46AM -0400, Justin Wilson (Lists) wrote:
> One of the companies I work for recently had an issue with AS 2 (University 
> of Delaware) hijacking a prefix.  Due to Origin AS, good upstreams, and the 
> like this has not really affected the traffic to the legit blocks.  However, 
> GeoMind picked this up almost immediately it seems.  The IP blocks when you 
> go to speedtest.net come back to the university of Delaware. This seems to be 
> the only issue at the moment so we are working through contacting the peers 
> of AS2 and asking them to look into this.  We had also contacted University 
> of Delaware.
> 
> Here is where the philosophy comes into play.  The very terse e-mail we 
> received back was basically “As2 gets hijacked a lot and it’s not our 
> problem”. So my question for the NANOG folks.  At what point do you say “it’s 
> not your problem” when it involves your ASN?
> 
> Rant
> I almost always have issues with GeoMind and others when it comes to IP 
> space.  Several of my folks have received allocations from Arin in March.  A 
> few are still fighting with geolocation stuff with a few of the providers.  
> So why does GeoMind automatically accept a hijacked prefix as correct? All the 
> right boxes have been ticked.  Origin Validation, registry sets, etc.


Re: [EXT] Re: rack rails

2020-03-30 Thread Chuck Anderson
On Mon, Mar 30, 2020 at 07:09:48PM +0300, Nitzan Tzelniker wrote:
> We tried to flip the sides of rails in QFX5120 and it caused two problems
> that prevent us from keeping it this way
> 1. The switch was 2 cm from the rear post line
> 2. The switch vibrates as you can see in the video
> https://photos.app.goo.gl/WQwcE9vcPjSiEi9N9

That is unfortunate, but amusing.


Re: [EXT] Re: rack rails

2020-03-30 Thread Chuck Anderson
On Mon, Mar 30, 2020 at 05:27:44PM +0200, Tore Anderson wrote:
> * Chuck Anderson
> 
> > The point is that the switches need to be removable without empty
> > space above/below, and ideally from the rear side of the rack.  By
> > having extending/sliding rails, you can lift out or drop in the switch
> > after you slide it out.  Then you can remove the rails.
> > 
> > With fixed rails, you can't get the switch out without bending the ear
> > part of the rails when there are PDUs and other stuff in the way.
> 
> Not necessarily. Even sliding rails must be constructed in a way that 
> facilitates removal through the cold aisle side of the rack. That's not a 
> given.
> 
> One example of sliding rails that unfortunately do *not* allow for removal 
> that way is the Edge-Core RKIT-100G-SLIDE:
> 
> https://www.redpill-linpro.com/techblog/2020/01/17/new-routers.html (Ctrl+F 
> Bonus)

I'd be happy with removal from the hot aisle, because I've already had to do 
that many times and if you manage cable routing properly it isn't as much of an 
issue.  Granted, getting everyone to be neat with their cable routing is not 
easy, but at least cables can be moved around.  The biggest issue for me is how 
the ears remain attached to the equipment while you insert or remove it.  If 
the ears/rails could be mounted to the empty rack U first and the switch slid 
in second (and the reverse for removal), that would be fine for me.  As it is 
now, there is basically no way to deal with the ears other than 
bending/destroying them on the way out.  And that doesn't solve the case for 
installing new switches in a dense rack.


Re: [EXT] Re: rack rails

2020-03-30 Thread Chuck Anderson
On Mon, Mar 30, 2020 at 03:15:54PM +, Cummings, Chris wrote:
> Juniper's ToR switches have slide in rails. They are a bit frustrating 
> compared to Dell easy rails, but they do the trick. 

You can slide the switch in/out while attached securely to the rails?  That is 
news to me and my QFX5k and QFX10k switches.


Re: [EXT] Re: rack rails

2020-03-30 Thread Chuck Anderson
On Mon, Mar 30, 2020 at 10:09:25AM -0500, Chris Adams wrote:
> Once upon a time, Chuck Anderson  said:
> > I've been asking manufacturers for proper server-like slide-rails for their 
> > switches for years.  Now they've started making the switches as deep or 
> > even deeper than servers, but they still use the same old rack ear mounting 
> > method.
> 
> Maybe it's because they're primarily a server vendor, but Dell switches
> (at least the N3000 series I've used most recently) have 4-post mount
> rails.  IIRC they aren't extending sliding rails like the servers have,
> but the switch slides into the rails.

The point is that the switches need to be removable without empty
space above/below, and ideally from the rear side of the rack.  By
having extending/sliding rails, you can lift out or drop in the switch
after you slide it out.  Then you can remove the rails.

With fixed rails, you can't get the switch out without bending the ear
part of the rails when there are PDUs and other stuff in the way.


Re: [EXT] Re: rack rails

2020-03-30 Thread Chuck Anderson
On Mon, Mar 30, 2020 at 04:18:18PM +0200, Tore Anderson wrote:
> When a rack has been filled up, removal/insertion through the rear will often 
> be essentially impossible due to cables, vertical PDUs and stuff like that 
> that gets in the way.
> 
> Explained in pictures here: 
> https://www.redpill-linpro.com/techblog/2019/08/06/rack-switch-removal.html
> 
> If someone knows of a generic rack mount kit for data centre switches that 
> allows for insertion/removal through the front of the rack, i.e. from/to the 
> cold aisle, I'd be very grateful.

I've been asking manufacturers for proper server-like slide-rails for their 
switches for years.  Now they've started making the switches as deep or even 
deeper than servers, but they still use the same old rack ear mounting method.


Re: [EXT] Shining a light on ambulance chasers - Noction

2020-03-26 Thread Chuck Anderson
On Thu, Mar 26, 2020 at 01:39:20PM -0700, Sabri Berisha wrote:
> - On Mar 25, 2020, at 5:13 PM, Chuck Anderson c...@wpi.edu wrote:
> 
> > Let's start a public blacklist, sort of like a RBL reputation block list or
> > 800notes.com, but for companies to "never to do business with" for spamming.
> 
> And while we're doing that, let's add the organizations that add "[EXT]" to
> subject lines on a public mailinglist.

Sure, feel free to block mine.


Re: [EXT] Shining a light on ambulance chasers - Noction

2020-03-25 Thread Chuck Anderson
Let's start a public blacklist, sort of like a RBL reputation block list or 
800notes.com, but for companies to "never to do business with" for spamming.

On Wed, Mar 25, 2020 at 06:11:41PM -0400, Martin Hannigan wrote:
> This is overt and more than DB scraping IMHO. It's repulsive.
> 
> Public pressure is the only way to police _this_.
> 
> YMMV,
> 
> -M<
> 
> On Wed, Mar 25, 2020 at 4:30 PM Chuck Anderson  wrote:
> 
> > Someone should tell them what happened to Cogent for scraping ARIN WHOIS.
> >
> > On Wed, Mar 25, 2020 at 04:13:51PM -0400, Rodney Joffe wrote:
> > > Under the heading of sales spam from our community that is in even
> > poorer taste, and sucks:
> > >
> > >
> > > Begin forwarded message:
> > >
> > > > From: Josh Ankin 
> > > > Subject: BGP Management
> > > > Date: March 25, 2020 at 3:39:02 PM EDT
> > > > To: rjo...@centergate.com
> > > > Reply-To: jan...@noction.com
> > > >
> > > > Hello Rodney,
> > > >
> > > > I know things are pretty hectic right now with COVID-19 precautions
> > being taken everywhere. I hope it's not affecting your team too much, and
> > most importantly, I hope everyone is safe.
> > > >
> > > > In recent months, I've been trying to bring your attention to BGP
> > optimization. However, our solution's other notable features can be of
> > utmost value at these uncertain times as the Internet traffic volumes and
> > patterns change
> > >
> > > Etc Etc


Re: [EXT] Shining a light on ambulance chasers - Noction

2020-03-25 Thread Chuck Anderson
Someone should tell them what happened to Cogent for scraping ARIN WHOIS.

On Wed, Mar 25, 2020 at 04:13:51PM -0400, Rodney Joffe wrote:
> Under the heading of sales spam from our community that is in even poorer 
> taste, and sucks:
> 
> 
> Begin forwarded message:
> 
> > From: Josh Ankin 
> > Subject: BGP Management
> > Date: March 25, 2020 at 3:39:02 PM EDT
> > To: rjo...@centergate.com
> > Reply-To: jan...@noction.com
> > 
> > Hello Rodney,
> >  
> > I know things are pretty hectic right now with COVID-19 precautions being 
> > taken everywhere. I hope it's not affecting your team too much, and most 
> > importantly, I hope everyone is safe.
> >  
> > In recent months, I've been trying to bring your attention to BGP 
> > optimization. However, our solution's other notable features can be of 
> > utmost value at these uncertain times as the Internet traffic volumes and 
> > patterns change
> 
> Etc Etc


Re: [EXT] ISC BIND 9 breakage?

2020-03-25 Thread Chuck Anderson
On the BIND Users list:

https://lists.isc.org/pipermail/bind-users/2020-March/102820.html

On Wed, Mar 25, 2020 at 05:18:49PM +, Drew Weaver wrote:
> Did anyone else on CentOS 6 just have some DNS resolvers totally fall over?
> 
> I noticed that this command: dnssec-lookaside auto; was causing the issue. 
> The issue occurred right at about 1PM EST.


Re: [EXT] Re: Hi-Rise Building Fiber Suggestions

2020-02-26 Thread Chuck Anderson
After 30 add/drops you may lose too much power.  There is a minimum 1.4dB per 
passthru and 1.3dB per add/drop, 3.5dB per MUX at the ends.

With these SFP+ modules:

https://www.fs.com/products/31238.html

it looks like you would have a 19-20 dB budget to work with.  You may be able 
to get 10 add/drops without amplification.

But they have amps too:

https://www.fs.com/products/72284.html

I'd definitely contact sales and talk to one of their engineers so they can 
design a complete working solution for you.

Are you sure you can't pull more fiber?  It may be cheaper.

On Wed, Feb 26, 2020 at 07:42:23AM -0600, Mike Hammett wrote:
> DWDM can be done fairly cheap. Some combination of MUXes and OADM modules 
> along the way. One possible solution is: 
> 
> 
> First floor: https://www.fs.com/products/35887.html 
> Every floor between: https://www.fs.com/products/70427.html 
> Top floor: https://www.fs.com/products/35887.html 
> 
> 
> Every floor gets 10G to aggregation switches on the top floor and bottom 
> floor. The aggregation switches directly connect via the second pair. 
> 
> 
> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> 
> Midwest Internet Exchange 
> 
> The Brothers WISP 
> 
> - Original Message -
> 
> From: "Ryan Hamel"  
> To: "Bradley Burch"  
> Cc: nanog@nanog.org 
> Sent: Tuesday, February 25, 2020 10:45:05 PM 
> Subject: Re: Hi-Rise Building Fiber Suggestions 
> 
> 
> How would that work to solve Norman's problem? That sounds like a lot of 
> money spending, and setup time, for nothing. 
> 
> Ryan 
> 
> On Feb 25 2020, at 8:21 pm, Bradley Burch  wrote: 
> 
> 
> 
> 
> Should consider DWDM or GPON and in those look at passive optical 
> technologies that can benefit the project. 
> 
> 
> 
> On Feb 25, 2020, at 9:33 PM, Norman Jester  wrote: 
> 
> I’m in the process of choosing hardware 
> for a 30 story building. If anyone has experience with this I’d appreciate 
> any tips. 
> 
> There are two fiber pairs running up the building riser. I need to put a POE 
> switch on each floor using this fiber. 
> 
> The idea is to cut the fiber at each floor and insert a switch and daisy 
> chain the switches together using one pair, and using the other pair as the 
> failover side of the ring going back to the source so if one device fails it 
> doesn’t take the whole string down. 
> 
> The problem here is how many switches can be strung together and I would not 
> try more than 3 to 5. This is not something I typically do (stacking 
> switches). I have fears of STP and/or RSTP issue stacking past Ethernet 
> switch to switch limits (if they still exist??) 
> 
> Is there a device with a similar protocol as the old 3com (now HP IDF) 
> stacking capability via fiber? 
> 
> I’d like to use something inexpensive as its to power ubiquiti wifi on each 
> floor. Ideally if you know something I don’t about ubiquiti switches that can 
> do this I’d appreciate knowing. 
> 
> Norman 
> 
> 
> 


Re: What NMS do you use and why?

2018-08-15 Thread Chuck Anderson
On Wed, Aug 15, 2018 at 08:49:12AM -0500, Colton Conor wrote:
> We are looking for a new network monitoring system. Since there are so many
> operators on this list, I would like to know which NMS do you use and why?
> Is there one that you really like, and others that you hate?
> 
> For free options (opensource), LibreNMS and NetXMS come highly recommended
> by many wireless ISPs on low budgets. However, I am not sure the commercial
> options available nor their price points.

Part 2 (see Part 1 for my epistles on Autostatus & Nagios).

To complement Autostatus and Nagios and to replace our ancient Cricket
SNMP graphing/trending solution, several years ago we had adopted
Statseeker.

We've now replaced that with AKiPS, which I highly recommend.  It does
your basic 1 minute SNMP graphing, but it also collects SNMP Traps &
Syslog feeds and can alert on custom matches & events as well as host
down via ping.  Its main feature is its comprehensive vendor MIB
support--it supports almost every vendor's device we use out of the
box with no special configuration.  They are constantly adding support
for new vendors/devices and they are pretty responsive to adding new
ones.  AKiPS' weakness is in alerting--it makes no attempt at
dependencies or event correlation, so you can get flooded with events.


Re: What NMS do you use and why?

2018-08-15 Thread Chuck Anderson
On Wed, Aug 15, 2018 at 08:49:12AM -0500, Colton Conor wrote:
> We are looking for a new network monitoring system. Since there are so many
> operators on this list, I would like to know which NMS do you use and why?
> Is there one that you really like, and others that you hate?
> 
> For free options (opensource), LibreNMS and NetXMS come highly recommended
> by many wireless ISPs on low budgets. However, I am not sure the commercial
> options available nor their price points.

For monitoring network device/interface data plane reachability with
ping, we are still using an ancient piece of open source software
called Autostatus.  I find it invaluable for notifying us about
reachability issues with its simple to understand parent/child
relationships and graph-based fping methodology.  It isn't perfect--it
doesn't scale very well, it doesn't have HA/clustering, it has no
fancy dependencies (just basic parent-child) and no event correlation,
no contact scheduling, no API, etc. but it is very easy to understand
why you are getting an alert or not and boiling that down to a single
point of failure and as such it provides reliable, trustable
information about data plane reachability from one vantage point on
the network.

For monitoring server & network service availability,
device/environmental health, etc. we are currently using Nagios.  My
problems with it are that it has complex rules for how/when to perform
a specific health check and send or suppress a notification (and
perhaps bugs in our old version that never ever seems to send any Host
notifications except when it does) and the whole idea of "suppress the
Host check unless all Service checks for all services on the host are
down" doesn't really fit well with the idea of monitoring
device/interface reachability on routers & switches that make up a
complex graph of dependencies.  Trying to shoehorn Nagios into
alerting on just the one IP address/device/interface that is causing
all the others behind it to be unreachable doesn't work very well.
You can't use Host Dependencies because Host checks are suppressed by
default, and Host Dependencies don't affect Service
Checks/notifications.  Forcing Host checks to always run causes
performance problems.  Creating a "Ping" service for every host
requires creating manual Service Dependencies between all the "Ping"
services on every Host.  Then you end up with a complex configuration
that is very hard to understand.  But for things like telling you when
a power supply or fan has died, or if the web service crashed, it
works well.

We did a survey of a bunch of open source tools to replace Nagios and
have settled on Icinga for its APIs, dynamic rules with pattern
matching and boolean logic, and compatibility with Nagios plugins.
But it still doesn't change the basic architectural choices of the
Nagios core engine and hence isn't a good fit for network
device/interface reachability monitoring IMO.


Re: Bogon prefix c0f:f618::/32 announced via Cogent

2018-07-17 Thread Chuck Anderson
On Mon, Jul 16, 2018 at 05:20:12PM +0200, Stephane Bortzmeyer wrote:
> On Sat, Jul 14, 2018 at 08:18:25AM +0800,
>  Siyuan Miao  wrote 
>  a message of 27 lines which said:
> 
> > c0f:f618::/32 originated from AS327814 is announcing via Cogent for several
> > weeks.
> 
> Apparently withdrawn 2018-07-14 around 16:00:00 UTC. Your mail to NANOG was
> effective :-)

I see it right now...


Re: Bogon prefix c0f:f618::/32 announced via Cogent

2018-07-17 Thread Chuck Anderson
Looks like a typo of 2c0f:f618:

A V Destination        P Prf   Metric 1   Metric 2  Next hop            AS path
* ? 2c0f:f618::/32     B 170   150        69040     >fe80::f5c0:800:2   174 327814 ?
  unverified


On Sat, Jul 14, 2018 at 08:18:25AM +0800, Siyuan Miao wrote:
> Hi,
> 
> c0f:f618::/32 originated from AS327814 is announcing via Cogent for several
> weeks.
> 
> I've tried to contact Cogent and AS327814 but didn't receive any reply.
> 
> Tue Jul 10 17:52:48.602 UTC
> BGP routing table entry for c0f:f618::/32
> Versions:
>   Process   bRIB/RIB  SendTblVer
>   Speaker   76403269   76403269
> Local Label: 61339
> Last Modified: Jul  3 13:31:40.815 for 1w0d
> Paths: (1 available, best #1)
>   Advertised to peers (in unique update groups):
> 38.5.0.99
>   Path #1: Received by speaker 0
>   Advertised to peers (in unique update groups):
> 38.5.0.99
>   327814
> 2001:550:0:1000::261c:166 (metric 119060) from
> 2001:550:0:1000::261c:153 (38.28.1.102)
>   Origin incomplete, localpref 130, valid, internal, best, group-best
>   Received Path ID 0, Local Path ID 0, version 76403269
>   Community: 174:11100 174:20999 174:21101 174:22012
>   Originator: 38.28.1.102, Cluster list: 38.28.1.83, 38.28.1.67, 
> 38.28.1.92
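
Added example, not part of the thread: a Python check that flags IPv6 announcements lying outside 2000::/3 (the only block IANA allocates for global unicast) or inside a reserved sub-block of it, and a heuristic that reproduces Chuck Anderson's reading of c0f:f618::/32 as 2c0f:f618::/32 with a dropped leading hex digit. The "re-insert a 2 or 3" rule and the sample announcements are constructions of this example; the reserved-block list is the documentation, benchmarking and former 6bone ranges.

```python
"""Flag IPv6 prefixes announced outside IANA global-unicast space."""
import ipaddress
from typing import List, Tuple

GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")

# Blocks inside 2000::/3 that are reserved and must not appear in the DFZ either.
RESERVED_IN_GLOBAL_V6 = [
    ipaddress.ip_network("2001:db8::/32"),   # documentation (RFC 3849)
    ipaddress.ip_network("2001:2::/48"),     # benchmarking (RFC 5180)
    ipaddress.ip_network("3ffe::/16"),       # former 6bone, returned to IANA (RFC 3701)
]


def is_bogon_v6(prefix: str) -> bool:
    """True if the prefix is outside IANA's global-unicast block or inside a
    reserved sub-block of it.  Raises ValueError for anything that is not IPv6."""
    net = ipaddress.ip_network(prefix, strict=False)
    if not isinstance(net, ipaddress.IPv6Network):
        raise ValueError(f"not an IPv6 prefix: {prefix}")
    # IPv6Network.is_global is not a bogon test: it consults the special-purpose
    # registry, not whether IANA ever allocated the space, so test 2000::/3 directly.
    if not net.subnet_of(GLOBAL_UNICAST_V6):
        return True
    return any(net.subnet_of(r) for r in RESERVED_IN_GLOBAL_V6)


def dropped_digit_candidates(prefix: str) -> List[str]:
    """Heuristic (this example's own): if the first hextet is short, re-insert a
    leading '2' or '3', the only digits that land inside 2000::/3, and return
    the prefixes that yields."""
    addr, length = prefix.split("/", 1)
    first, rest = addr.split(":", 1)
    if len(first) >= 4:
        return []
    found: List[str] = []
    for digit in "23":
        try:
            cand = ipaddress.ip_network(f"{digit}{first}:{rest}/{length}", strict=True)
        except ValueError:
            continue
        if cand.subnet_of(GLOBAL_UNICAST_V6):
            found.append(cand.with_prefixlen)
    return found


def audit(announcements: List[Tuple[str, int]]) -> List[str]:
    """One finding per bogon announcement, with typo candidates appended."""
    findings: List[str] = []
    for prefix, origin in announcements:
        if not is_bogon_v6(prefix):
            continue
        msg = f"bogon {prefix} from AS{origin}"
        cands = dropped_digit_candidates(prefix)
        if cands:
            msg += " (dropped leading digit? " + ", ".join(cands) + ")"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    # Constructed sample: the reported prefix, its likely intended form, and two
    # other things a transit should never have propagated.
    sample = [
        ("c0f:f618::/32", 327814),
        ("2c0f:f618::/32", 327814),
        ("2001:db8::/32", 64496),
        ("fc00::/7", 64496),
    ]
    for line in audit(sample):
        print(line)
```

The same test belongs in an import policy on every transit and peer session: accept IPv6 only within 2000::/3, reject the reserved sub-blocks, and the typo in this thread never leaves the originating AS's upstream.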


Re: NG Firewalls & IPv6

2018-04-04 Thread Chuck Anderson
Also, IPv6 BGP support was only introduced in PanOS 8.  But everything works 
fine here too.

On Wed, Apr 04, 2018 at 10:47:45AM +, Dan Kitchen wrote:
> We run PaloAlto dual stack with no problems at all, that’s full dynamic 
> routing with OSPF and BGP, web filtering, IPS, VPN access using 
> GlobalProtect, etc.
> 
> I must admit GlobalProtect IPv6 support was only introduced in PanOS 8 which 
> was a little late in my opinion – but it was delivered and works.
> 
> 
> 
> 
> Dan Kitchen
> Managing Director
> razorblue | IT Solutions for Business
> 
> ddi:0330 122 7143 |  t: 0333 344 6 344 | e: 
> dkitc...@razorblue.com | w: razorblue.com
> 
> Legal and address information for all Razorblue Group companies can be found
> at www.razorblue.com/contact.
> 
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Joe Klein
> Sent: 02 April 2018 23:58
> To: NANOG list 
> Subject: NG Firewalls & IPv6
> 
> WARNING: This e-mail originated from outside the Razorblue Group corporate 
> network
> 
> All,
> 
> At security and network tradeshows over the last 15 years, I have asked
> companies if their products supported "IPv6". They all claimed they did,
> but were unable to verify any successful installations. Later they told me
> it was on their "Roadmap" but were unable to provide an estimated year,
> because it was a trade secret.
> 
> Starting this last year at BlackHat US, I again visited every product
> booth, asking if their products supported dual-stack or IPv6 only
> operations. Receiving only the same unsupported answers, I decided to focus
> on one product category.
> 
> To the gurus of the NANOG community, What are your experiences with
> installing and managing Next Generations firewalls? Do they support IPv6
> only environments? Details? Stories?
> 
> If you prefer not to disparage those poor product companies, please contact
> me off the list.
> 
> Thanks,
> 
> Joe Klein


Re: How are you configuring BFD timers?

2018-03-21 Thread Chuck Anderson
In practice, the vendor's recommendations regarding Routing Engine HA provide a 
lower bound.  I'm just starting out with 1000ms x 3 multiplier, but my network 
is not national or global.  I believe I could go as low as 500ms to keep HA 
happy.

On Wed, Mar 21, 2018 at 09:10:28AM -0400, Jason Lixfeld wrote:
> For those running BFD on your land-based point-to-point links, I’m interested 
> in hearing about what factors you consider when deciding how to configure 
> your timers and multiplier.


Re: Juniper MX - Routed pseudowire using LDP - VPWS or VPLS

2018-03-19 Thread Chuck Anderson
Would you mind sharing the solution(s)?  I've stitched a L2 PW using 
lt-interfaces.

Thanks.

On Mon, Mar 19, 2018 at 11:51:36AM -0500, Ben Bartsch wrote:
> I want to thank everyone who contacted me on and off list on this request.
> I now have two methods to land a layer 3 endpoint on a layer 2 circuit to a
> remote PE.  I very much appreciate the input, feedback, and assistance.  I
> hope I personally get to meet all of you that reached out to me at a future
> NANOG meeting.  Thanks again!
> 
> -ben
> 
> On Sat, Mar 17, 2018 at 9:25 AM, Ben Bartsch  wrote:
> 
> > When we had Cisco ASR 920/903 and  ASR9k, I could attach a layer 2
> > pseudowire endpoint on that device to a layer 3 BDI/BVI.  I'm trying to do
> > the same thing on a Juniper MX 480/960 and it does not appear to be
> > supported (for LDP at least - MP-BGP might be supported).  We could do
> > either VPWS or VPLS on the PE device handoff to the CE (layer 2 only).
> > JTAC has somewhat confirmed this is not supported for LDP, but they only do
> > break/fix, not new config.  We do not have professional services (we are
> > broke).
> >
> > Any Juniper routerheads out there that have seen this done using LDP
> > without having to hairpin on the MX?
> >
> > Thanks, y'all.
> >
> > -ben


Re: Site-Local/Unique-Local Addressing (IPv6)

2018-01-08 Thread Chuck Anderson
On Mon, Jan 08, 2018 at 05:03:14PM +, Nicholas Warren wrote:
> Layman here, I was reviewing RFCs for a local address for IPv6. I came across 
> two RFCs that seem interesting.
> 
> 3879 Which deprecates Site Local Addresses.
> 4193 Which seems to add Unique Local Addresses.
> 
> What is the main difference here? Why was this standard removed then added 
> back?

Site Local Addresses are/were Site Scope, similar to how Link-Local are 
Link-Local Scope and others are Global Scope.

ULA are Global Scope--but that doesn't mean they are globally routable.

The problem with Scopes being built-in to the addressing model is that software 
has to be coded to treat different scopes differently.  It is hard enough to 
deal with Link-Local scope, and it was deemed too hard to deal with yet another 
scope--Site Local.  For an example of the pain, try using Link-Local addresses 
in a web browser, or even with "ping" on the command line.


Re: Switch/Router

2017-12-12 Thread Chuck Anderson
Juniper MX150, except only single PS.  But they are cheap enough you could buy 
two.  Upside: most of the MX feature set is available because it is vMX 
(software) inside.

QFX5110 is more expensive but has more ports and dual PS.  Downside: Broadcom 
chipset limitations.

On Tue, Dec 12, 2017 at 09:47:17AM -0500, K MEKKAOUI wrote:
> Hi
> 
>  
> 
> I am looking for a router preferably (or switch) with the following specs:
> 
> 1-  Carrier grade
> 
> 2-  Dual power supply
> 
> 3-  1RU
> 
> 4-  Gig and 10Gig interfaces.
> 
> 5-  Does support protocols like BGP, etc.
> 
>  
> 
> Any recommendation please? Your help will be appreciated.


Re: Novice sysadmins

2017-12-06 Thread Chuck Anderson
On Wed, Dec 06, 2017 at 02:18:07PM -0500, Harald Koch wrote:
> On 6 December 2017 at 13:51, Stephen Satchell  wrote:
> 
> > What professional engineers you mentioned do can kill people.  I have yet
> > to hear of anyone dying from a sysadmin or netadmin screwing up.
> >
> 
> Oh c'mon. Now you're being deliberately obtuse.
> 
> I work IT for a hospital. Everything I do has the potential to affect
> patient safety, and we do have documented cases of patients dying from IT
> mishaps.
> 
> Perhaps do your research before spouting off more of these unsubstantiated
> claims?

Like the famous case of the Therac-25 machine.  Programmers, not sysadmins, but 
same idea.


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-29 Thread Chuck Anderson
On Wed, Nov 29, 2017 at 12:17:57PM -0800, Michael Thomas wrote:
> The real problem with large enterprise that we found, however, is
> that it was really hard to track down every 25 year
> old 386 sitting in dusty corners that was sending mail directly
> instead of through corpro servers to make certain
> that everything was signed that should be signed. Maybe that's
> gotten better in the last 15 years, but I'm not too hopeful.

15 years ago we blocked outbound port 25 except from our campus mail
servers.  That should be SOP by now.  It is fairly easy to look at
firewall logs to find these.
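
Added example, not from the thread: the firewall-log check Chuck Anderson describes, written in Python over iptables-style key=value log lines. The sample lines, the 10.0.0.0/8 campus range and the relay addresses are constructed for the example. It reports every internal source that attempted outbound TCP/25 other than the sanctioned relays, most active first; submission on 587 and UDP noise are ignored, and inbound SMTP toward the relays is left to the mail servers.

```python
"""Find hosts sending to TCP/25 that are not your sanctioned mail relays."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Assumed: the only hosts allowed to speak SMTP (port 25) off-campus.
MAIL_RELAYS = {"10.0.0.25", "10.0.0.26"}
CAMPUS = ipaddress.ip_network("10.0.0.0/8")          # assumed internal space

KV = re.compile(r"(\w+)=(\S*)")                      # iptables LOG fields are KEY=value

# Constructed sample log; the format mirrors an iptables LOG target.
SAMPLE_LOG = """\
Nov 29 12:17:57 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.10 PROTO=TCP SPT=45231 DPT=25 SYN
Nov 29 12:18:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.3.7.44 DST=198.51.100.5 PROTO=TCP SPT=50112 DPT=25 SYN
Nov 29 12:18:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.3.7.44 DST=198.51.100.6 PROTO=TCP SPT=50113 DPT=25 SYN
Nov 29 12:18:09 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.9.1.2 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=587 SYN
Nov 29 12:18:11 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.3.7.44 DST=198.51.100.5 PROTO=UDP SPT=53012 DPT=25
Nov 29 12:18:14 fw kernel: EGRESS IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=10.0.0.25 PROTO=TCP SPT=3344 DPT=25 SYN
Nov 29 12:18:20 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.12.0.9 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=25 SYN
"""


def parse(line: str) -> Dict[str, str]:
    """Extract the KEY=value fields of one log line; tokens without '=' are ignored."""
    return dict(KV.findall(line))


def rogue_smtp_sources(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (source, attempts) for internal hosts that tried TCP/25 outbound
    without being a sanctioned relay, most active first."""
    hits: Counter = Counter()
    for line in lines:
        f = parse(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue                                  # not SMTP, or UDP noise
        src = f.get("SRC")
        if not src:
            continue
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue                                  # malformed line, skip it
        # Only outbound from our own space matters here; inbound SMTP toward the
        # relays is policed by the mail servers themselves.
        if src_ip not in CAMPUS or src in MAIL_RELAYS:
            continue
        hits[src] += 1
    return hits.most_common()


if __name__ == "__main__":
    for src, n in rogue_smtp_sources(SAMPLE_LOG.splitlines()):
        print(f"{src}: {n} outbound SMTP attempt(s) past the egress block")
```

With the egress rule in place these hits are blocked connections, so the report is a list of boxes to go and find, not a list of leaks; run it over the DROP/REJECT log rather than the ACCEPT log. Submission on 587/465 is authenticated and normally left open, which is why the filter keys on port 25 only.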


Re: Looking for help @ 60 Hudson

2017-11-13 Thread Chuck Anderson
On Mon, Nov 13, 2017 at 01:30:25PM -0800, Seth Mattinen wrote:
> On 11/13/17 12:49, Mike Hammett wrote:
> >Keep the humans out of the rack and you should be fine.
> >
> >Where should I send the invoice?:-P
> 
> 
> It's easy to keep a rack nice if you take the time. I've spent hours
> removing and replacing cables in neatly dressed bundles because
> equipment changes required a different length/type cable, but
> sometimes that's what you gotta do to keep things neat and tidy.

Exactly.  Most people do not want to spend the time to do it properly.


Re: Are there inexpensive DWDM products?

2017-11-02 Thread Chuck Anderson
CWDM is cheaper and will probably work fine within a city.  Check fs.com.

On Thu, Nov 02, 2017 at 06:01:10PM +, LF OD wrote:
> We have several buildings and a couple data centers spread around the city 
> and interconnected via dark fiber. It's a very simple setup - no ROADM, no 
> real ring, no extended layer-2 or layer-3 via the optical gear.
> 
> 
> Pretty much we just mux/demux a channel for each building so that each 
> building sees the two data centers directly even though the fiber span may 
> wind through a couple buildings along the way. In some cases, the distance is 
> short enough to use colored optics in the network gear, but mostly the 
> distances are just long enough to warrant transponder cards.
> 
> 
> All that being said, a lot of the gear is approaching end of life (support in 
> some cases). I'm not an optical guru but I can muddle my way through with 
> Cisco ONS and I'm aware that Ciena and Fujitsu also have similar products. We 
> really don't have budget for a large optical refresh effort. However, we've 
> saved some money here and there in the routing/switching arena by leveraging 
> Arista and even Cumulus. I'm wondering if there are smaller players in the 
> optical arena that have a good quality/price value?
> 
> 
> Again, we don't need sophisticated features... we primarily have 2-to-4 1Gb 
> and 10Gb ports required per site, then we mux those onto a wavelength and 
> extend it to the two data centers. Most buildings are set up the same way, 
> each on a different wavelength so the don't even see each other... only the 
> data centers.
> 
> 
> If you guys know of any optical gear that you can vouch for (and which costs 
> less than a small house), we would greatly appreciate it. Thanks
> 
> 
> LFOD


Re: Temp at Level 3 data centers

2017-10-11 Thread Chuck Anderson
Install an air conditioner in your rack.

On Wed, Oct 11, 2017 at 02:39:19PM -0500, Andrew Latham wrote:
> David
> 
> The issue has several components and is vendor agnostic.
> 
> Set Point: The systems are specifically set at a temperature
> Capacity Ability: The systems can maintain a temperature
> Customer Desire: What you expect from sales promises.
> Sales Promise: What they might carefully avoid promising.
> 
> I suggest you review your SLA and discuss with legal asap. You could have a
> document defining your question's answer already but it sits in a filing
> cabinet file labeled business continuity.
> 
> If the set point is X then they likely would answer quickly that that is
> the case.
> If the capacity is lacking then they would likely redirect the issue.
> If they don't care about the customer that alone should be an indicator
> If a promise exists in the SLA then the ball is in your court
> 
> >From the emails I fear that we have confirmed that this is normal. So your
> question "Is the temperature at Level 3 Data Centers normally in the 80-90F
> range?" sounds like a Yes.
> 
> Regardless of the situation always ask for names, titles, and ask vendors
> to repeat critical information like the status of cooling in a building
> designed to deal with cooling. Keep the vendors that do it well.
> 
> 
> 
> On Wed, Oct 11, 2017 at 7:31 AM, David Hubbard <
> dhubb...@dino.hostasaurus.com> wrote:
> 
> > Curious if anyone on here colo’s equipment at a Level 3 facility and has
> > found the temperature unacceptably warm?  I’m having that experience
> > currently, where ambient temp is in the 80’s, but they tell me that’s
> > perfectly fine because vented tiles have been placed in front of all
> > equipment racks.  My equipment is alarming for high temps, so obviously not
> > fine.  Trying to find my way up to whomever I can complain to that’s in a
> > position to do something about it but it seems the support staff have been
> > told to brush questions about temp off as much as possible.  Was wondering
> > if this is a country-wide thing for them or unique to the data center I
> > have equipment in.  I have equipment in several others from different
> > companies and most are probably 15-20 degrees cooler.
> >
> > Thanks,
> >
> > David


Re: Vendors spamming NANOG attendees

2017-06-13 Thread Chuck Anderson
I've started keeping a list of companies who make unsolicited
calls/emails.  I tell them that I put them on my list of companies
never to do business with.

On Tue, Jun 13, 2017 at 01:12:07PM -0400, Rich Kulawiec wrote:
> On Tue, Jun 13, 2017 at 03:31:46PM +, Mel Beckman wrote:
> > Sometimes they're ignorant and don't realize they're spamming.
> 
> That excuse stopped being viable sometime in the last century.  They
> know exactly what they're doing, they're just counting on the
> prospective gains to outweigh the prospective losses.  If they're
> right, then the spamming will not only continue, it will increase.
> (As we've seen: over and over and over again.)  That's because they
> don't care about being professional or responsible or ethical: they
> only care about profits.
> 
> So the choice is clear: either make it plain to such "people" (if I
> may dignify sociopathic filth with that term) that this is absolutely
> unacceptable and that it will have serious, immediate, ongoing negative
> financial consequences, or do nothing while the problem escalates
> indefinitely.
> 
>     If you give people the means to hurt you, and they do it, and
>     you take no action except to continue giving them the means to
>     hurt you, and they take no action except to keep hurting you,
>     then one of the ways you can describe the situation is "it isn't
>     scaling well".
>         --- Paul Vixie, on NANOG
> 
> ---rsk


Re: Merit RADB support

2017-06-07 Thread Chuck Anderson
On Wed, Jun 07, 2017 at 12:08:50PM -0400, Chuck Anderson wrote:
> On Wed, Jun 07, 2017 at 10:41:16AM -0500, Kaiser, Erich wrote:
> > Anyone gonna email me back from RADB support?
> 
> In my experience, no.

Apologies to Merit RADB, it was BGPmon that never responds.  Merit
RADB actually does respond--my frustration is more about the
difficulty in getting them to delete stale objects that others
registered, although I was finally able to get my objects cleaned up.


Re: [SPF:Probably_Forged] Merit RADB support

2017-06-07 Thread Chuck Anderson
On Wed, Jun 07, 2017 at 10:41:16AM -0500, Kaiser, Erich wrote:
> Anyone gonna email me back from RADB support?

In my experience, no.


Re: google ipv6 routes via cogent

2017-03-02 Thread Chuck Anderson
Define "good" vs. "bad" transport of bits.  As long as there is
adequate bandwidth and low latency, who cares?

On Thu, Mar 02, 2017 at 08:30:37PM +0100, Baldur Norddahl wrote:
> That will have the effect of prioritizing Cogent routes as that would be
> more specific than the default routes from the other providers. Cogent are
> not that good that you would want to do that.
> 
> On 2 Mar 2017 at 20:16, "Jeff Waddell" wrote:
> 
> Or at least ask for a full view from Cogent - then you won't get any routes
> they don't have
> 
> On Thu, Mar 2, 2017 at 1:58 PM, Alarig Le Lay  wrote:
> 
> > > On Thu, 2 Mar 12:36:04 2017, Aaron Gould wrote:
> > > Well, I asked my (3) upstream providers to only send me a ipv6 default
> > > route and they sent me ::/0...here's one of them...
> >
> > Why didn't you ask for a full view? With that, you can easily deal
> > with that kind of problem.


Re: Consumer networking head scratcher

2017-03-01 Thread Chuck Anderson
On Thu, Mar 02, 2017 at 12:24:38PM +0700, Roland Dobbins wrote:
> On 2 Mar 2017, at 9:55, Oliver O'Boyle wrote:
> 
> >Currently, I have 3 devices connected. :)
> 
> What about DNS issues?  Are you sure that you really have a
> networking issue, or are you having intermittent DNS resolution
> problems caused by flaky/overloaded/attacked recursives, EDNS0

This reminded me of another possibility related to NAT table
exhaustion.  Are you running a full recursive resolver on a system
behind the NAT?  Especially one like unbound possibly w/dnssec?  I had
some strange issues caused during the time when unbound was priming
its cache from a cold start...


Re: DWDM Optics cheaper than CWDM Optics?

2017-01-31 Thread Chuck Anderson
I've bought their DWDM 80km 10gig and they are working beautifully on
a couple amplified circuits with both Cisco and Juniper routers.  I've
also bought gray optics and DACs.  The only issue I've noted with some
QSFP+ DACs is some kind of programming issue where the serial number
is mis-read by some models of our Juniper switches.  Another oddity is
that each end of some of our DACs have a separate serial number...we
just record both in our inventory tracking system.

On Tue, Jan 31, 2017 at 04:17:14PM +0100, Karl Gerhard wrote:
> Hello,
> 
> fs.com offers DWDM optics that are cheaper than CWDM optics:
> CWDM 80km 10G for 600$ http://www.fs.com/c/cisco-cwdm-sfp-plus-2425?70-80km
> DWDM 80km 10G for 420$ http://www.fs.com/c/cisco-dwdm-sfp-plus-2485?70-80km
> 
> This is significant.
> Is this for real? Has anybody bought their DWDM optics?
> 
> Going with DWDM and passive Mux/Demux seems to be cheaper nowadays than going 
> with CWDM.
> 
> Regards
> Karl


Re: radb mirroring

2017-01-25 Thread Chuck Anderson
On a similar note, Level3's database has many stale entries from WCGDB
which no longer exists as far as I can tell.  Does anyone have a good
contact at Level3 for removing all the entries with a source: WCGDB?
There are some of mine that I'd like to have removed.  Here is an
example of Charter's AS object:

[Querying rr.level3.net]
[rr.level3.net]

% RIPEdb(3.0.0a13) with ISI RPSL extensions

aut-num:   AS20115
as-name:   Charter
descr: AS record for Charter
admin-c:   IPCC-WCG
tech-c:IPCC-WCG
import:from AS7911  accept ANY
export:to AS7911  announce AS20115
notify:n...@wcg.net
mnt-by:MAINT-AS20115
changed:   br...@wcg.com 20031216
source:WCGDB


vs.


[Querying whois.radb.net]
[whois.radb.net]
aut-num:AS20115
as-name:MAINT-CHTR-WD
descr:  Charter Communications
(AS20115)
import: from AS209   accept ANY
import: from AS7018   accept ANY
[...]
notify: dlnocipti...@charter.com
mnt-by: MAINT-CHTR-WD
changed:denny.de...@chartercom.com 20141028  #19:19:01Z
ssource: RADB


On Wed, Jan 25, 2017 at 09:27:40PM +0100, Job Snijders wrote:
> This is a clear case of broken mirroring. Unfortunately this is not 
> immediately apparent (for the operator) through the IRRd software. Usually 
> this is resolved by directly contacting the other side.
> 
> I've found RADB support staff to be responsive and courteous. 
> radb-supp...@merit.edu (mailto:radb-supp...@merit.edu). This address is also 
> useful for IRR hijacking issues or false entries.
> 
> Kind regards,
> 
> Job
> 
> On 25 Jan 2017, 20:16 +0100, Randy Bush , wrote:
> > [ where does one discuss IRR issues these days? ]
> >
> > ryuu.psg.com:/Users/randy> whois -h whois.radb.net 98.128.244.0/24
> > route: 98.128.244.0/24
> > descr: RGNET-98-244
> > origin: AS3130
> > notify: r...@rg.net
> > mnt-by: MAINT-RGNET
> > changed: ra...@psg.com 20090411
> > source: RGNET
> >
> > but
> >
> > ryuu.psg.com:/Users/randy> whois -h whois.rg.net 98.128.244.0/24
> > % No entries found for the selected source(s).
> >
> > broken mirroring in some way?
> >
> > how to diagnose?
> >
> > randy


Re: 10G switch drops traffic for a split second

2016-11-29 Thread Chuck Anderson
Without more detail, I'm grasping at straws here, but see this recent
thread about QoS and microbursts on the juniper-nsp list:

https://puck.nether.net/pipermail/juniper-nsp/2016-November/033692.html

Do you have ports with different speeds connected?

Another idea: Are you using Spanning Tree Protocol and seeing lots of
TCNs?

On Tue, Nov 29, 2016 at 01:06:00AM -0800, TJ Trout wrote:
> I recently upgraded my core network from 1G to 10G and after the upgrade I
> have noticed that my 10G switch during peak traffic (1500mbps, 100,000pps)
> seems to be dropping traffic for a split second across all ports and all
> vlans. I immediately replaced the switch with a different brand/model and
> the problem persists.
> 
> Sometimes traffic drops to zero, others it drops to 50%, problem is very
> random but seems to occur with much more frequency during high PPS (pushing
> high traffic / iperf does not induce problem)
> 
> Could this be MTU? I've tried flow control, hard code duplex, stp on/off etc
> 
> I'm at a loss, any ideas?
> 
> TJ Trout
> Volt Broadband


Re: NIST NTP servers

2016-05-13 Thread Chuck Anderson
On Fri, May 13, 2016 at 10:12:49AM -0400, Lamar Owen wrote:
> On 05/11/2016 09:46 PM, Josh Reynolds wrote:
> >maybe try [setting up an NTP server] with an odroid?
> >
> ...
> 
> I have several ODroid C2's, and the first thing to note about them
> is that there is no RTC at all.  Also, the oscillator is just a
> garden-variety non-temperature-compensated quartz crystal, and not
> necessarily a very precise one, either (precise quartz oscillators
> can cost more than the whole ODroid board costs).  The XU4 and other
> ODroid devices make nice single-board ARM computers, but have pretty
> ratty oscillator precision.
> 
> You really have to have at least a temperature compensated quartz
> crystal oscillator (TCXO) to even begin to think about an NTP
> server, for anything but the most rudimentary of timing.  Ovenized
> quartz oscillators (OCXO) and rubidium standards are the next step
> up, and most reasonably good GPS-disciplined clocks have at least an
> ovenized quartz oscillator module (the Agilent Z3816 and kin are of
> this type).

Does anyone know of any COTS NTP servers that are based on non-ancient
Linux kernel versions?  In 2012 we bought new GPS/CDMA NTP servers
with OCXO that are based on Linux 2.4, but they are fiddly as you can
imagine with such an ancient software stack.

What would people recommend for NTP server hardware/software?


Re: Stop IPv6 Google traffic

2016-04-10 Thread Chuck Anderson
Assign your customers larger v6 prefixes so one customer's bad
behavior doesn't affect the others?

On Sun, Apr 10, 2016 at 05:27:53PM +0300, Max Tulyev wrote:
> The problem is that IPv6-enabled customers complain about seeing a captcha,
> and Google NOC refuses to help solve it, saying something like "find out
> which of your customers is violating some of our policy". As you can
> imagine, this is not possible.
> 
> So the working solution is either to correctly cut IPv6 to Google, or to cut
> all IPv6 (which I don't want to do).
> 
> On 10.04.16 17:17, Mike Hammett wrote:
> > I think the group wants to know what problem you're trying to solve. 
> > Obviously if you block something, there will be a timeout in getting to it. 
> > 
> > What is broken that you're trying to fix by blackholing them? 
> > 
> > 
> > 
> > 
> > - 
> > Mike Hammett 
> > Intelligent Computing Solutions 
> > http://www.ics-il.com 
> > 
> > 
> > 
> > Midwest Internet Exchange 
> > http://www.midwest-ix.com 
> > 
> > 
> > - Original Message -
> > 
> > From: "Max Tulyev"  
> > To: nanog@nanog.org 
> > Sent: Sunday, April 10, 2016 9:07:47 AM 
> > Subject: Re: Stop IPv6 Google traffic 
> > 
> > Customers see timeouts if I blackhole Google network. I'm looking for 
> > alternatives (other than stopping providing IPv6 to customers at all). 
> > 
> > On 10.04.16 16:50, valdis.kletni...@vt.edu wrote: 
> >> On Sun, 10 Apr 2016 16:29:39 +0300, Max Tulyev said: 
> >>
> >>> I need to stop IPv6 web traffic going from our customers to Google 
> >>> without touching all other IPv6 and without blackholing the IPv6 Google 
> >>> network (in this case my customers complain about long timeouts). 
> >>>
> >>> What can you advise for that? 
> >>
> >> Umm.. fix the reasons why they're seeing timeouts? :) 
> >>
> >> Have you determined why the timeouts are happening? 


small automatic transfer switches

2016-01-27 Thread Chuck Anderson
Does anyone have any recommendations for a small, cheap, reliable ATS?
(I know, pick two, you can't have all three.)  I'm looking for something
to power one or two 120V out-of-band network device(s) in each
location with a single power supply each, much less than 10 amps
total, with two 120V input cords.  The primary input cord will go to
the UPS and the other directly to a wall outlet to be able to access
the UPS when it fails to turn on after the power returns :-)

I found the usual suspects, APC, TrippLite, ServerTech, etc. but they
are mostly 8 or more outlets and upwards of $300-$900 each.

I also found this neat one, Zonit uATS, which is a small box that
piggybacks onto the powered device's C14 input and has two power cords
coming out of it.  But it seems to cost just as much as the bigger
ones...


Re: configuration sanity check

2015-10-29 Thread Chuck Anderson
On Thu, Oct 29, 2015 at 09:16:48AM +0100, marcel.durega...@yahoo.fr wrote:
> Hi Nanogers,
> 
> Any recommendation about software which checks the live config of
> cisco/juniper devices against some templates ?
> 
> The goal is to have a template for each device function, like:
> - CORE device must have this block and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block2
> - etc...
> 
> And the software runs once every day to check which devices do not
> comply with those rules and generates an alert.

For Juniper at least, you can use "commit scripts" to enforce these
rules in real time each time a configuration commit is performed--if
the candidate configuration change doesn't follow the rules, the
commit fails (or the configuration can be changed automatically to do
something).  For example "all interfaces must have a description on
them", or "changes to MSTI configuration are not allowed".
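For the once-a-day audit marcel asked about (as opposed to the real-time commit script route), here is an added example, not code from this thread or from any vendor: it checks a "display set" style configuration against per-role rules, including the two rules above. The sample config, role names and rule table are all constructed for illustration.

```python
"""Daily compliance check of a device configuration against template rules.

Added example (not from the thread).  Input is a constructed Junos-style
"show configuration | display set" dump; rules are a small per-role table
(role names and rules constructed for illustration).
"""
import re
from collections import defaultdict

# Constructed sample config: ge-0/0/1 has no description, and an MSTI
# statement is present.
SAMPLE_CONFIG = """\
set system host-name pe1
set interfaces ge-0/0/0 description "Uplink to core1"
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.5/30
set interfaces ge-0/0/2 description "Customer A"
set interfaces ge-0/0/2 unit 100 vlan-id 100
set protocols mstp msti 1 vlan 100
set protocols bgp group ebgp neighbor 192.0.2.2 peer-as 64496
"""

# Which rules apply to which device function (constructed template table).
ROLE_RULES = {
    "PE":  {"require_descriptions": True, "forbidden": ["set protocols mstp msti"]},
    "CPE": {"require_descriptions": True, "forbidden": []},
}


def parse_set_config(text):
    """Return all 'set' lines plus {physical-interface: [statements under it]}."""
    lines = [l.strip() for l in text.splitlines() if l.strip().startswith("set ")]
    per_ifd = defaultdict(list)
    for line in lines:
        m = re.match(r"set interfaces (\S+) (.*)", line)
        if m:
            per_ifd[m.group(1)].append(m.group(2))
    return lines, per_ifd


def check_interface_descriptions(per_ifd):
    """Rule: every interface with a logical unit configured must have a description."""
    violations = []
    for ifd, stmts in sorted(per_ifd.items()):
        has_unit = any(s.startswith("unit ") for s in stmts)
        has_desc = any(s.startswith("description ") for s in stmts)
        if has_unit and not has_desc:
            violations.append(f"{ifd}: missing description")
    return violations


def check_forbidden_statements(lines, forbidden_prefixes):
    """Rule: no configured statement may start with one of the forbidden stanzas."""
    return [f"forbidden statement: {line}"
            for line in lines
            for prefix in forbidden_prefixes
            if line.startswith(prefix)]


def audit(config_text, role):
    """Run the rules for `role` over one device config; empty list means compliant."""
    lines, per_ifd = parse_set_config(config_text)
    rules = ROLE_RULES[role]
    violations = []
    if rules["require_descriptions"]:
        violations += check_interface_descriptions(per_ifd)
    violations += check_forbidden_statements(lines, rules["forbidden"])
    return violations


if __name__ == "__main__":
    # In a daily job you would loop over collected configs and raise an alert
    # for any device whose list is non-empty.
    for v in audit(SAMPLE_CONFIG, "PE"):
        print("ALERT pe1:", v)
```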


Re: How to force rapid ipv6 adoption

2015-10-01 Thread Chuck Anderson
On Fri, Oct 02, 2015 at 08:28:13AM +1000, Mark Andrews wrote:
> 
> In message <4f2e19ba-d92a-4bec-86e2-33b405c30...@delong.com>, Owen DeLong 
> writes:
> >
> > > On Oct 1, 2015, at 13:55 , Grzegorz Janoszka 
> > wrote:
> > >
> > > On 2015-10-01 20:29, Owen DeLong wrote:
> > >> However, I think eventually the residential ISPs are going to start
> > charging extra
> > >> for IPv4 service.
> > >
> > > ISP's will not charge too much. With too expensive IPv4 many customers
> > will migrate from v4/dual stack to v6-only and ISP's will be left with
> > unused IPv4 addresses and less income.
> >
> > Nope… They’ll be left with unused IPv4 addresses which is not a
> > significant source of income and they’ll be able to significantly reduce
> > the costs incurred
> > in supporting things like CGNAT.
> >
> > > Will ISP's still find other profitable usage for v4 addresses? If not,
> > they will probably be raising IPv4 pricing quite slowly, not wanting to
> > overprice it.
> >
> > Probably they will sell it to business customers instead of the
> > residential customers. However, we’re talking about relatively large
> > numbers of customers
> > for relatively small numbers of IPv4 addresses that aren’t producing
> > revenue directly at this time anyway.
> >
> > > Even with $1/IPv4/month - what will be the ROI of a brand new home
> > router?
> >
> > About 2.5 years at that price since a brand new home router is about $29.
> >
> > Owen
> 
> The hard part is the internet connected TV's and other stuff which
> fetches content over the internet which are IPv4 only despite being
> released when IPv6 existed.  These are theoretically upgradable to
> support IPv6 so long as the manufacturers release an IPv6 capable
> image.  The real question is will governments force them to do this.
> 
> Upgrading the router is a no brainer.  Upgrading the TV, games
> consoles, e-readers, etc. starts to add up.

Just brand it as the new "6-D" TV with "128 bits of goodness to
outperform your obsolete 32 bit TV!".  Then people will flock to the
stores to upgrade...


Re: udp 500 packets when users are web browsing

2015-09-03 Thread Chuck Anderson
Sounds like Opportunistic Encryption.

https://en.wikipedia.org/wiki/Opportunistic_encryption#Windows_OS

On Thu, Sep 03, 2015 at 09:53:46AM -0400, Robert Webb wrote:
> There is no VPN in the picture here. These are straight workstations
> on the network that the packets are coming from.
> 
> According to a packet capture in wireshark, these are isakmp packets
> reaching out to host names of web sites that are being browsed. So
> destinations are sites like twitter, facebook, amazon, cnn, etc..
> 
> We have further discovered that they seem to be initiated from the
> Windows 7 svchost, but we have not been able to find documentation
> as to how or why this is occurring.
> 
> Robert
> 
> 
> On Thu, 3 Sep 2015 13:42:21 +
>  "Bjoern A. Zeeb"  wrote:
> >
> >>On 03 Sep 2015, at 13:35 , Robert Webb  wrote:
> >>
> >>We are seeing udp 500 packets being dropped at our firewall from
> >>user's browsing sessions. These are users on a 2008 R2 AD setup
> >>with Windows 7.
> >>
> >>Source and destination ports are udp 500 and the pattern of
> >>drops directly correlate to the web browsing activity. We have
> >>confirmed this with tcpdump of port 500 and a single host and
> >>watching the pattern of traffic as they browse. This also occurs
> >>no matter what browser is used.
> >>
> >>Can anyone shine some light on what may be using udp 500 when
> >>web browsing?
> >
> >The VPN using IPsec UDP-Encap connection that supposedly gets
> >through NAT?   Have you checked the content with tcpdump?   Do you
> >have fragments by any chance?


Re: ATT U-Verse Data Setup Convention

2015-07-30 Thread Chuck Anderson
People need to really stop using Source IP as an ACL mechanism
wherever possible.  Have you considered using SSL certs or SSH keys
or some other sort of API key instead?  I mean, do you really want
to have to know how the technology of every ISP that every possible
SaaS customer may use to access your service is set up?

On Thu, Jul 30, 2015 at 04:02:06PM +, Keith Stokes wrote:
> I’m wondering if some can share their experiences or maybe there’s an ATT 
> person here who can confirm policy.
> 
> I work for a SaaS provider who requires a source IP to access our system to 
> businesses.
> 
> Normally we tell the customer to request a “Static IP” from their provider. 
> That term makes sense to most ISPs.
> 
> However, we’ve recently worked with an ATT higher-up tech who told us that 
> every U-Verse modem is locked to an address even when set to DHCP and will 
> not change unless the unit is changed. Ordering a “Static IP” from them means 
> your devices will individually get public addresses, which isn’t a 
> requirement for us, isn’t quite as easy to add multiple devices and costs our 
> customers more money.
> 
> Here are my questions:
> 
> 1. Is it really accurate that the customer’s address is tied to the 
> modem/router?
> 
> 2. For my curiosity, is this done through a DHCP reservation or is there a 
> hard coded entry somewhere?
> 
> 3. Do all U-Verse modem/routers behave the same way? This particular unit was 
> a Motorola but the friends I’ve seen with U-Verse use a Cisco unit.


Re: Remember Internet-In-A-Box?

2015-07-17 Thread Chuck Anderson
On Thu, Jul 16, 2015 at 07:59:14AM +0200, Tore Anderson wrote:
> * Owen DeLong o...@delong.com
> 
> > > On Jul 15, 2015, at 08:57 , Matthew Kaufman matt...@matthew.at wrote:
> > > This is only true for dual-stacked networks. I just tried to set up
> > > an IPv6-only WiFi network at my house recently, and it was a total
> > > fail due to non-implementation of relatively new standards...
> > > starting with the fact that my Juniper SRX doesn't run a load new
> > > enough to include RDNSS information in RAs, and some of the devices
> > > I wanted to test with (Android tablets) won't do DHCPv6.
> > 
> > That’s a pretty old load then, as I’ve had RDNSS on my SRX-100 for
> > several years now.
> 
> Interesting. Which JUNOS version are you running, exactly?
> 
> According to Juniper's web site, RDNSS support showed up in JUNOS 14.1,
> which isn't available for the SRX series (nor is any later version).
> 
> http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/configuration-statement/dns-server-address-edit-protocols-router-advertisement.html

Strange.  dns-server-address IS available to be configured on my MX
box running 13.3R4.

It is however not there for SRX on 12.1X44-D50.


Re: 192.0.1.0/24?

2015-04-17 Thread Chuck Anderson
On Fri, Apr 17, 2015 at 11:13:11PM +0200, Marco Davids wrote:
> Marco Davids wrote on 17-04-15 at 23:08:
> 
> > https://tools.ietf.org/html/rfc6333 ?
> 
> Oh wait, that's 192.0.0.0/29, not 192.0.1.0/24...

192.0.1.0/24 sounds vaguely like something really old HP JetDirects
used as a default IP when they weren't configured yet, or when BOOTP
failed.

Or maybe it was 192.0.0.192:

http://www.sprint.net.au/~terbut/usefulbox/hpjetdirectexplus.htm


Re: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Chuck Anderson
We are AS 10326 130.215.0.0/16 and I just received a BGPmon alert as
well:

130.215.160.0/20 4795 4795 4761 9304 40633 18978 4436 10326
130.215.176.0/20 4795 4795 4761 9304 40633 18978 4436 10326

On Thu, Mar 26, 2015 at 10:45:09AM -0400, Christopher Morrow wrote:
> On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca ro...@start.ca wrote:
> > We just received a similar alert from bgpmon - part of 108.168.0.0/17 is 
> > being advertised as /20's - although we're still listed as the origin. We 
> > are 40788.
> > 
> > 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> 
> 
> common point looks like LAIX ? their routeserver go crazy perhaps? or
> did they change in/out prefix management information?
> 
> > -Original Message-
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy
> > Sent: March-26-15 10:08 AM
> > To: nanog@nanog.org
> > Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> > 
> > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> > more specifics on one of our prefixes.   Anyone else seeing similar or
> > is it just us?
> > 
> > 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> > 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> > 
> > --
> > Randy
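The alert lines in this thread all share one shape: a more-specific of an aggregate we originate, with the expected origin still at the end of the path. As an added example (not from the thread or from BGPmon), here is a triage routine that reads such lines and separates "more-specific of ours", "origin mismatch" and "unrelated"; the two 130.215.0.0/16 lines are the ones quoted above, the authorization table and the other observations are constructed.

```python
"""Triage BGP alert lines against the prefixes we are authorized to originate.

Added example, not code from the thread.  Lines are 'prefix AS AS ... AS'
(last ASN = origin).  The authorization table is constructed; in practice
it would be derived from our own route objects / ROAs.  The check reports
what is unexpected, not who is responsible for it.
"""
import ipaddress

# Constructed authorization table: aggregate -> origin ASN (AS10326 and the
# /16 come from the thread).
AUTHORIZED = {
    ipaddress.ip_network("130.215.0.0/16"): 10326,
}


def parse_alert_line(line):
    """'130.215.160.0/20 4795 ... 10326' -> (IPv4Network, [4795, ..., 10326])."""
    prefix, *path = line.split()
    return ipaddress.ip_network(prefix), [int(asn) for asn in path]


def classify(prefix, as_path, authorized=AUTHORIZED):
    """Return a list of findings for one observed announcement."""
    origin = as_path[-1]
    for auth_prefix, auth_origin in authorized.items():
        if prefix.version != auth_prefix.version:
            continue
        if prefix == auth_prefix:
            # Exactly what we announce; only the origin can be wrong here.
            if origin != auth_origin:
                return [f"origin mismatch: expected AS{auth_origin}, saw AS{origin}"]
            return ["ok"]
        if prefix.subnet_of(auth_prefix):
            # Longest-match wins, so a more-specific pulls traffic away from
            # our aggregate even when the origin ASN is still ours.
            findings = [f"more-specific of {auth_prefix} (/{prefix.prefixlen})"]
            if origin != auth_origin:
                findings.append(f"origin mismatch: expected AS{auth_origin}, saw AS{origin}")
            return findings
    return ["unrelated"]


def triage(lines, authorized=AUTHORIZED):
    """Classify every alert line; returns [(prefix_string, findings), ...]."""
    return [(line.split()[0], classify(*parse_alert_line(line), authorized))
            for line in lines]


OBSERVED = [
    # From the thread: our /16 seen as /20s, origin still AS10326.
    "130.215.160.0/20 4795 4795 4761 9304 40633 18978 4436 10326",
    "130.215.176.0/20 4795 4795 4761 9304 40633 18978 4436 10326",
    # Constructed: the aggregate itself, as expected.
    "130.215.0.0/16 64496 10326",
    # Constructed: the aggregate with an unexpected origin.
    "130.215.0.0/16 64496 64497",
    # Constructed: somebody else's prefix, none of our business.
    "192.0.2.0/24 64496 64498",
]

if __name__ == "__main__":
    for prefix, findings in triage(OBSERVED):
        print(prefix, "->", "; ".join(findings))
```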


Re: Comcast New England dropped for 5-15 min? Anyone

2015-02-11 Thread Chuck Anderson
I saw a problem only with my 50.176.16.0/21 subnet IP.  My
24.147.20.0/21 subnet IP was working fine throughout.

On Wed, Feb 11, 2015 at 01:44:53PM -0500, Robert Webb wrote:
> Looks like there were at least a couple of others that saw issues also.
> 
> http://www.dslreports.com/forum/r29852647-Connectivity-Comcast-down-Quincy-MA
> 
> Robert
> 
> On Tue, 10 Feb 2015 21:52:29 -0500
>  Andrey Khomyakov khomyakov.and...@gmail.com wrote:
> > My boss has comcast at home in Milton, MA, said all was fine. Must have
> > been prefix specific. Trace would die somewhere in level3 at the time. Was
> > tracing to 8.8.8.8
> > 
> > On Tuesday, February 10, 2015, Dan Brisson dbris...@uvm.edu wrote:
> > 
> > FWIW...no problems here in Vermont on Comcast business.
> > 
> > -dan
> > 
> > 
> > Dan Brisson
> > Network Engineer
> > University of Vermont
> > 
> > 
> > On 2/10/15 8:45 PM, Kevin Kadow wrote:
> > 
> > On Tue, Feb 10, 2015 at 7:27 PM, Andrey Khomyakov 
> > khomyakov.and...@gmail.com wrote:
> > 
> > > Hey, anyone had problems just now? My team and I at homes lost internet
> > > access for about 10 min. I also had many sites drop off. Still digging, but
> > > maybe trouble upstream? I'm in 50.133.128.0/17 at home.
> > 
> > > You were only out for 10-15 minutes?  More like an hour in New Hampshire.
> > 
> > traceroutes would die out in Needham, Woburn, or whatever 4.68.127.229
> > is.


Re: look for BGP routes containing local AS#

2015-01-28 Thread Chuck Anderson
It used to be the case that looped routes didn't even show up as
hidden routes, because Junos discarded them even from Adj-RIB-In,
although this may have changed at some Junos version.

Also, Junos won't even advertise such looped routes to a neighbor with
the same AS by default, so in many cases you won't see it at all if
you are peering with a Juniper unless it is specifically configured to
send these looped routes with advertise-peer-as, or change the AS
number with as-override.

On Wed, Jan 28, 2015 at 05:32:34PM +0800, Song Li wrote:
> Hi Joel,
> 
> It is right that the BGP route containing the local ASN will be
> dropped. However, such routes can still be displayed on router. For
> example, you can run show route hidden terse aspath-regex .*local
> ASN.* on Juniper to check them. We are looking for those routes.
> If you can run the command on your Juniper and find such routes,
> could you please provide them for us?
> 
> Thanks!
> 
> Regards!
> 
> Song
> 
> On 2015/1/28 16:23, joel jaeggli wrote:
> > On 1/27/15 5:45 AM, Song Li wrote:
> > > Hi everyone,
> > > 
> > > Recently I studied the BGP AS path looping problem, and found that in
> > > most cases, the received BGP routes containing local AS# are suspicious.
> > > However, we checked our BGP routing table (AS23910,CERNET2) on juniper
> > > router(show route hidden terse aspath-regex .*23910.* ), and have not
> > > found such routes in Adj-RIB-In.
> > 
> > Updates with your AS in the path are discarded as part of loop
> > detection, e.g. they do not become candidate routes.
> > 
> > https://tools.ietf.org/html/rfc4271 page 77
> > 
> > If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
> > route should be excluded from the Phase 2 decision function.  AS loop
> > detection is done by scanning the full AS path (as specified in the
> > AS_PATH attribute), and checking that the autonomous system number of
> > the local system does not appear in the AS path.  Operations of a BGP
> > speaker that is configured to accept routes with its own autonomous
> > system number in the AS path are outside the scope of this document.
> > 
> > in junos
> > 
> > neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
> > 
> > where number is the number of instances of your AS in the path you're
> > willing to accept will correct that.
> > 
> > > We believe that the received BGP routes containing local AS# are related
> > > to BGP security problem.
> > 
> > You'll have to elaborate, since their existence is a basic principle in
> > the operation of bgp and they are ubiquitous.
> > 
> > Island instances of a distributed ASN communicate with each other by
> > allowing such routes in so that they can be evaluated on the basis of
> > prefix, specificity, AS path length and so forth.
> > 
> > > Hence, we want to look for some real cases in
> > > the wild. Could anybody give us some examples of such routes?
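The RFC 4271 loop check quoted above, plus the allowas-in relaxation joel describes, is small enough to write out. This is an added example, not code from the thread or from any router vendor; the ASNs, prefixes and the AS_SET segment below are constructed (documentation-range ASNs), and the "count > allowas-in" rule is this example's reading of the quoted text.

```python
"""AS_PATH loop detection (RFC 4271 section 9.1.2) with an allowas-in knob.

Added example, not from the thread.  An AS_PATH is modelled as a list whose
elements are either an ASN (AS_SEQUENCE member) or a frozenset of ASNs
(an AS_SET segment).  Sample data is constructed.
"""


def count_local_as(as_path, local_as):
    """How many times the local ASN appears in the path (AS_SETs count once)."""
    count = 0
    for segment in as_path:
        if isinstance(segment, (set, frozenset)):
            count += int(local_as in segment)
        else:
            count += int(segment == local_as)
    return count


def is_looped(as_path, local_as, allowas_in=0):
    """True if the route must be excluded from the Phase 2 decision function.

    With allowas_in=0 this is the RFC default: any occurrence of local_as is a
    loop.  A larger value tolerates that many occurrences, which is what a
    distributed ASN with island instances relies on.
    """
    return count_local_as(as_path, local_as) > allowas_in


def filter_adj_rib_in(updates, local_as, allowas_in=0):
    """Split received (prefix, as_path) updates into candidates and discards."""
    candidates, discarded = [], []
    for prefix, path in updates:
        bucket = discarded if is_looped(path, local_as, allowas_in) else candidates
        bucket.append((prefix, path))
    return candidates, discarded


# Constructed updates as seen by a speaker in AS 64500.
LOCAL_AS = 64500
UPDATES = [
    ("192.0.2.0/24",    [64496, 64497]),                   # clean path
    ("198.51.100.0/24", [64496, 64500, 64498]),            # our ASN once
    ("203.0.113.0/24",  [64499, 64500, 64500]),            # our ASN twice
    ("192.0.2.128/25",  [64496, frozenset({64500, 64501})]),  # inside an AS_SET
]

if __name__ == "__main__":
    for allow in (0, 1, 2):
        kept, dropped = filter_adj_rib_in(UPDATES, LOCAL_AS, allow)
        print(f"allowas-in {allow}: kept {[p for p, _ in kept]}, "
              f"dropped {[p for p, _ in dropped]}")
```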


Re: Recommended L2 switches for a new IXP

2015-01-15 Thread Chuck Anderson
Software Defined Networking (SDN) features that QFX5100 supports:

Automatic configuration of OVSDB-managed VXLANs with trunk interfaces: 14.1X53-D15
OVSDB support: 14.1X53-D10
OpenFlow v1.0: 14.1X53-D10
OpenFlow v1.3.1: 14.1X53-D10
VXLAN Gateway: 14.1X53-D10

http://pathfinder.juniper.net/feature-explorer/select-software.html?swName=Junos+OStyp=1#family=platform=QFX5100rel=14.1X53-D15swName=Junos+OS

On Tue, Jan 13, 2015 at 10:10:56PM +, Jeff Tantsura wrote:
> What does it mean -  to be SDN ready?
> 
> Cheers,
> Jeff
> 
> 
> -Original Message-
> From: Eduardo Schoedler lis...@esds.com.br
> Date: Tuesday, January 13, 2015 at 3:25 AM
> To: nanog@nanog.org nanog@nanog.org
> Subject: Re: Recommended L2 switches for a new IXP
> 
> QFX5100 is SDN ready.
> 
> --
> Eduardo Schoedler
> 
> 
> 2015-01-13 6:29 GMT-02:00 Stepan Kucherenko t...@megagroup.ru:
> 
> > Is there any particular reason you prefer EX4600 over QFX5100 ? Not
> > counting obvious differences like ports and upgrade options.
> > 
> > It's the same chipset after all, and with all upgrades they have the
> > same 10G density (with breakouts). Is that because you can have more 40G
> > ports with EX4600 ?
> > 
> > I'm still trying to find out if there are any noticeable software or
> > feature differences.
> > 
> > On 13.01.2015 09:01, Mark Tinka wrote:
> > > On Monday, January 12, 2015 11:41:20 PM Tony Wicks wrote:
> > > 
> > > > People seem to be avoiding recommending actual devices,
> > > > well I would recommend the Juniper EX4600 -
> > > > 
> > > > http://www.juniper.net/us/en/products-services/switching/
> > > > ex-series/ex4600/
> > > > 
> > > > They are affordable, highly scalable, stackable and run
> > > > JunOS.
> > > 
> > > We've been quite happy with the EX4550, but the EX4600 is
> > > good too, particularly if you're coming from its younger
> > > brother.
> > > 
> > > Mark.
> 
> 
> -- 
> Eduardo Schoedler


Re: MPLS VPN design - RR in forwarding path?

2014-12-31 Thread Chuck Anderson
On Wed, Dec 31, 2014 at 01:08:15PM +0100, Marcin Kurek wrote:
> Hi everyone,
> 
> I'm reading Randy Zhang's BGP Design and Implementation and I found the
> following guidelines about designing an RR-based MPLS VPN architecture:
> - Partition RRs
> - Move RRs out of the forwarding path
> - Use a high-end processor with maximum memory
> - Use peer groups
> - Tune RR routers for improved performance.
> 
> Since the book is a bit outdated (2004) I'm curious if these rules
> still apply to modern SP networks.
> What would be the reasoning behind keeping RRs out of the forwarding
> path? Is it only a matter of performance and stability?

When they say move RRs out of the forwarding path, they could mean
don't force all traffic through the RRs.  These are two different
things.  Naive configurations could end up causing all VPN traffic to
go through the RRs (e.g. setting next-hop-self on all reflected
routes) whereas more correct configurations don't do that--but there
may be some traffic that naturally flows through the same routers that
are the RRs, via an MPLS LSP for example.  That latter is fine in many
cases, the former is not.  E.g. I would argue that a P-router can be
an RR if desired.


Re: DWDM Documentation

2014-12-08 Thread Chuck Anderson
On Thu, Dec 04, 2014 at 01:21:16PM +, Theo Voss wrote:
> Hi guys,
> 
> we, a Berlin / Germany based carrier, are looking for a smart documentation 
> (shelves, connections, fibers) and visualization tool for our ADVA-based 
> DWDM environment. Do you have any suggestions or hints for me? We’re testing 
> „cableScout“, the only one I found, next week, but unfortunately it isn’t 
> easy to get any information about such tools! :(
> 
> Thanks in advance!
> 
> Best regards,
> Theo Voss (AS25291)

We're starting to use PatchManager.  It is flexible enough to handle
fiber shelves, splices, manholes, etc. as well as theoretically WDM,
but we have been focusing on our LAN copper cabling first, so we
haven't done much with the fiber plant yet.


Re: Phasing out of copper

2014-11-28 Thread Chuck Anderson
Verizon in MA removes copper upon FiOS installation.

My dad cancels his phone service every year when he migrates south for
the winter.  Upon returning home a few years ago, he requested
reactivation of his phone line.  Verizon refused to activate the
copper, instead switching him to FiOS Voice.  I believe they removed
the copper lines at that time.

On Fri, Nov 28, 2014 at 10:46:03AM -0500, Jean-Francois Mezei wrote:
> Currently in the midst of a CRTC policy hearing in Canada on future of
> competition in ISPs.
> 
> Incumbents claim they have no plans to retire their copper plant after
> deploying FTTP/FTTH.  (strategically to convince regulator that keeping
> ISPs on copper is fine and no need to let them access FTTP).
> 
> For my reply I am trying to get more authoritative info to show that
> incumbents do have plans to retire the copper plant once enough
> customers have migrated to FTTP ( I heard that 80% migration is the
> tip-over point where they convert the rest of customers to FTTP to be able to
> shut down the copper).
> 
> Anyone have pointers to documents or experiences that would help me
> convince the regulator that incumbents deploy FTTP with eventual goal to
> be able to shut down their old copper instead of perpetually maintaining
> both systems ?
> 
> Also being discussed is removing regulations for access to ULL
> (unbundled local loops).  In areas being upgraded to FTTP, are there
> services that really need copper ULLs and do not have an FTTP equivalent
> ? (home alarm systems ?).
> 
> 
> When an incumbent states for the record that retiring copper is not in
> their current plans, I know that it means that it isn't in their short
> term plans. But I need some evidence of what other telcos do to help
> show the incumbent is spinning.
> 
> Any help appreciated.


outages list down? Lightower, Worcester, MA fiber cut

2014-11-07 Thread Chuck Anderson
I can't get to the mailing list page, and neither can
downforeveryoneorjustme.com:

http://downforeveryoneorjustme.com/puck.nether.net

I've sent a couple new email messages there and they haven't been
delivered either.

Here is the latest message I sent regarding the Lightower, Worcester,
MA fiber cut:

Date: Fri, 7 Nov 2014 07:26:55 -0500
From: Chuck Anderson c...@wpi.edu
To: outa...@outages.org
Subject: Re: [outages] Lightower, Worcester, MA fiber cut

Update as of 06:05:16 -0500:

Status has remained the same. Lightower has two (2) 288 cables that
were burnt through in a National Grid enclosure. National Grid has
informed us that there is an exposed high tension power line in this
enclosure and there will be no access granted in the near
future. National Grid has deemed this manhole unsafe at this
time. Lightower is working on an alternate solution that will re-route
fibers around the affected man hole still NO ETTR at this time. We
apologize for this inconvenience.

On Fri, Nov 07, 2014 at 04:04:27AM -0500, Chuck Anderson wrote:
> Updates as of 01:41:40 -0500 and 02:58:11 -0500:
> 
> We have two (2) 288 cables that were burnt through in this National
> Grid enclosure. National Grid has informed us that there is an exposed
> high tension power line in this enclosure and there will be no access
> granted in the near future. National Grid has deemed this manhole
> unsafe at this time. Lightower is working on an alternate solution
> that will re-route fibers around the affected man hole. NO ETTR at
> this time.
> 
> My initial outage time was exactly 18:58:54 EST on two circuits.
> 
> On Thu, Nov 06, 2014 at 08:49:16PM -0500, Chuck Anderson via Outages wrote:
> > We lost several dark fiber circuits out of Lightower in Worcester, MA.
> > There is a manhole fire down the street at Main St. & Highland
> > St. that is most likely the cause.  Smoke is billowing out of several
> > manholes.  NGrid, NStar, police & fire are on the scene.  Lightower
> > has dispatched techs.  No ETR yet.
> > 
> > One other of my circuits that leaves the building via a diverse path
> > is still up luckily, or we'd be off the net entirely.


Re: Finisar SFP/SFP+

2014-06-24 Thread Chuck Anderson
Cheap DIY SFP programmer using a Raspberry Pi:

http://eoinpk.blogspot.com/2014/05/raspberry-pi-and-programming-eeproms-on.html

Software:

https://code.google.com/p/sfppi/

Now we just need some code to brute-force the OEM passwords...  How
fast is the 2-wire bus on SFPs?

On Tue, Jun 24, 2014 at 08:27:26PM +, Faisal Imtiaz wrote:
> That is one way to deal with it.
> 
> :)
> 
> Faisal Imtiaz
> Snappy Internet & Telecom
> 7266 SW 48 Street
> Miami, FL 33155
> Tel: 305 663 5518 x 232
> 
> Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net
> 
> - Original Message -
> > From: Nick Hilliard n...@foobar.org
> > To: Faisal Imtiaz fai...@snappytelecom.net
> > Cc: NANOG nanog@nanog.org
> > Sent: Tuesday, June 24, 2014 4:25:51 PM
> > Subject: Re: Finisar SFP/SFP+
> > 
> > On 24/06/2014 21:23, Faisal Imtiaz wrote:
> > > I was wanting to know if there is anyone who has such code for the Finisar
> > > SFP/SFP+.
> > 
> > there's a clear solution here: if a vendor locks the transceiver from
> > reprogramming, don't buy transceivers from them.
> > 
> > Nick


Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-26 Thread Chuck Anderson
On Wed, Mar 26, 2014 at 06:52:53PM -0500, Timothy Morizot wrote:
> On Mar 26, 2014 6:27 PM, Luke S. Crawford l...@prgmr.com wrote:
> > My original comment and complaint, though, was in response to the
> > assertion that DHCPv6 is as robust as DHCPv4.  My point is that DHCPv6
> > does not fill the role that DHCPv4 fills, if you care about tying an IP to
> > a MAC and you want that connection to persist across OS installs by
> > customers.
> 
> You're right. DHCPv6 is more robust than DHCPv4. At least those of us in
> the enterprise space appreciate a client identifier that doesn't change
> when the hardware changes.

No, it is LESS robust, because the client identifier changes when the
SOFTWARE changes.  Around here, software changes MUCH more often than
hardware.  Heck, even a dual-boot scenario breaks the client
identifier stability.  Worse yet, DHCPv6 has created a scenario where
a client's IPv4 connectivity and IPv6 connectivity break under
/different/ scenarios, causing difficult-to-troubleshoot
half-connectivity issues when either the hardware is replaced or the
software is reloaded.



Re: L6-20P - L6-30R

2014-03-19 Thread Chuck Anderson
On Tue, Mar 18, 2014 at 07:09:49PM -0400, David Hubbard wrote:
> I've had to do that before; provider gave me a 208v/30a circuit and I
> already had a power strip I wanted to re-use that had a corded L6-20P
> connector on it.  I purchased a L6-30P plug / L6-20R receptacle adapter
> from http://www.stayonline.com/nema-locking-6-30-amp-adapters.aspx
> They're only $25 and they ship overnight if needed.  They have one foot
> cabled versions of the same thing too if you have tight working space
> and there's not enough room for both connectors back to back; works as a
> strain relief too so maybe that option is better regardless.

This is not really a safe thing to do unless the adapter has a 20A
circuit breaker as part of it, or if you change out the upstream
circuit breaker from 30A to 20A (and hopefully clearly mark the outlet
as such).

> If you're trying to go the other direction, plugging an L6-30P into an
> L6-20R 20 amp circuit, that I'd recommend against because it never fails
> that someone says hey, 30 amp power strip, let me plug some more stuff
> into it not realizing it's on a 20 amp breakered circuit, then all your
> stuff goes down while you try to find the facility staff to reset the
> breaker.

Going this way is safe, but as you say, you can only draw 20A
(actually, you can usually only draw a derated 80% of that, so 16A).



Re: L6-20P - L6-30R

2014-03-19 Thread Chuck Anderson
On Wed, Mar 19, 2014 at 12:24:38PM -0400, William Herrin wrote:
> On Wed, Mar 19, 2014 at 11:22 AM, Lamar Owen lo...@pari.edu wrote:
> > Just replacing an L6-20P with an L6-30P on a 20A-listed PDU would be unsafe
> > and (IMO) unwise, since the breaker in the input of the PDU does not protect
> > the flexible cord's conductors from internal overcurrent faults.
> 
> Yet an 18 awg PC power cable is perfectly safe when plugged in to a
> 5-20R on a circuit with a 20 amp breaker. Get real man.

Not really, that is just a compromise in safety standards for
convenience.  It was deemed to be safe enough given the comparatively
low current 20A circuit and the open-to-air power cord.  For higher
current circuits 30A and up, the safety standards are more stringent.

> The NEC (and related fire codes) don't apply to supply cords of
> appliances in circumstances such as OP's PDU.
> 
> The modification cancels the UL certification. If you have an external
> requirement to use only UL certified components then you can't make
> any modifications no matter how obviously safe they are.
> 
> By the way, you either don't have that requirement or you're breaking
> it. Your custom network cables are not UL certified.

There is more to safety than just being certified.  Acting in ways
that /actually/ improves safety (if you are allowed to) is important.

This isn't just black and white.  Safety, like security, isn't
absolute.  Both benefit from defense-in-depth, and both require
compromise to balance safety vs. convenience.



Re: L6-20P - L6-30R

2014-03-19 Thread Chuck Anderson
On Wed, Mar 19, 2014 at 02:05:42PM -0400, William Herrin wrote:
> On Wed, Mar 19, 2014 at 1:55 PM, Jay Ashworth j...@baylink.com wrote:
> > PoE is 48V and current limited, though, precisely to keep it what the Code
> > calls Low Voltage.
> 
> Hi Jay,
> 
> 50 watts DC. It won't electrocute you (that's AC) but it's the same
> power that makes a 40 watt bulb burning hot.

I don't know where you are getting your facts, but 802.3af maxes out
at 15.4W and 802.3at at 34.2W, and DC can electrocute you just as well
as AC.

http://en.wikipedia.org/wiki/Power_over_Ethernet#Standard_implementation



Re: NetSol AAAA glue

2014-02-21 Thread Chuck Anderson
It is quicker and easier to transfer your domain to another registrar,
even though you will have to call them up and speak to a person to do
it.

On Fri, Feb 21, 2014 at 08:01:06PM -0500, Brandon Applegate wrote:
> If anyone with ability to fix this is reading this - contact me
> offlist and I'll owe you...
> 
> I'm trying to change an AAAA host (name server) address.
> 
> I've been emailing ipv6...@networksolutions.com back and forth for
> several days.  After fighting through 'authentication' (which btw I
> *didn't* do several years ago to get the AAAA added) they say they
> have 'completed' it.  a.gtld for example still has the old AAAA.
> I've just got a gut feeling that they don't understand what I'm
> asking.  I'm actually getting a bit scared they are going to break
> my domain.
> 
> Aside from someone at netsol seeing this - does anyone have any
> advice other than get off netsol (which I'm considering).



Re: BCP38 is hard, was TWC (AS11351) blocking all NTP?

2014-02-04 Thread Chuck Anderson
On Tue, Feb 04, 2014 at 10:18:21PM -, John Levine wrote:
> I was at a conference with people from some Very Large ISPs.  They
> told me that many of their large customers absolutely will not let
> them do BCP38 filtering.  (If you don't want our business, we can
> find someone else who does.)  The usual problem is that they have PA
> space from two providers and for various reasons, not all of which are
> stupid, traffic with provider A's addresses sometimes goes out through
> provider B.  Adding to the excitement, some of these customers are
> medium sized ISPs with multihomed customers of their own.
> 
> I don't know BGP well enough to know if it's possible to send out
> announcements for this situation, this address range is us, but don't
> route traffic to it.  Even if it is, not all of the customers do BGP,
> some are just stub networks.

> If we could figure out a reasonable way (i.e., one that the customers
> might be willing to implement) to handle this, it'll make BCP38 a lot
> more doable.

No-Advertise or No-Export community?



Re: IPv6 /48 advertisements

2013-12-18 Thread Chuck Anderson
On Wed, Dec 18, 2013 at 09:11:46AM -0700, Cliff Bowles wrote: 
> Question: will carriers accept IPv6 advertisements smaller than /48?

Not generally, no.

> Our org was approved a /36 based on number of locations. The bulk of
> those IPs will be in the data centers. As we were chopping up the
> address space, it was determined that the remote campus locations
> would be fine with a /60 per site. (16 networks of /64). There are
> usually less than 50 people at the majority of these locations and
> only about 10 different functional VLANs (Voice, Data, Local
> Services, Wireless, Guest Wireless, etc...).

> Now, there has been talk about putting an internet link in every
> campus rather than back hauling it all to the data centers via
> MPLS. However, if we do this, then would we need a /48 per campus?
> That is massively wasteful, at 65,536 networks per location.  Is the
> /48 requirement set in stone? Will any carriers consider longer
> prefixes?

/48 per site is the standard.

> I know some people are always saying that the old mentality of
> conserving space needs to go away, but I was bitten by that IPv4
> issue back in the day and have done a few VLSM network
> overhauls. I'd rather not massively allocate unless it's a
> requirement.

You need to throw out all old thinking in terms of what happened in
IPv4.  Current ARIN policy allows a /48 per site and that is how you
should architect the network.



Re: turning on comcast v6

2013-12-09 Thread Chuck Anderson
On Mon, Dec 09, 2013 at 11:19:18AM -0500, Christopher Morrow wrote:
> On Mon, Dec 9, 2013 at 11:08 AM, Randy Bush ra...@psg.com wrote:
> > do you see PD from your modem? or RA's?
> 
> > still trying to educate the openwrt (attitude adjustment on netgear
> > 3800).
...
> yea, so my 'saga' started with:
>   1) dlink 615 doesn't like dhcp-pd ... and is flat broken for v6
...
>   2) oh! dd-wrt does this platform too, and v6
...
> basically ... this is much harder to do than it should be :( and yes,
> I can probably do something like plug in my raspberry-pi and make that
> a 'router' but come on... in 2013 I have to home-brew something to get
> a protocol developed and engineered in 2000 to work? :(
> 
> (this raised itself above my level of 'fixed in a weekend' project, so
> my comcast v6 lays fallow... NOTE: this is NOT comcast's fault, in my
> eyes.)

Another option to try out is CeroWRT.  It's based on OpenWRT
development releases and focuses on good IPv6 support in addition to
its raison d'être, debloating buffers.

http://www.bufferbloat.net/projects/cerowrt/wiki/Wiki

Still waiting for my CMTS to be upgraded...



Re: BGP neighbor/configuration testing

2013-11-25 Thread Chuck Anderson
Authentication failure might mean (without knowing for sure which on
Cisco):

- mismatch AS numbers
- mismatch neighbor IP addresses
- multihop/TTL issues
- MTU issues

On Mon, Nov 25, 2013 at 11:06:33AM -0800, Eric A Louie wrote:
> That's a natural first impression but there are no passwords configured on
> the BGP session on either router.  I know it looks like an authentication
> error but it's a misnomer (at least from the searches I did on the error
> message).  From the sequence of messages, we get Established and 2 seconds
> later the session Closes.  The reason for the Close may lead us to the
> solution.
> 
> I'm reluctant to turn on debug bgp because this is a live production router,
> and if I hose it, there will be a lot of 'splainin to do [1]
> 
> [1]
> http://www.quotecounterquote.com/2011/05/lucy-you-got-some-splainin-to-do.html
> 
> From: Daniel Rohan dro...@gmail.com
> To: Eric A Louie elo...@yahoo.com
> Cc: Joe Abley jab...@hopcount.ca; nanog@nanog.org nanog@nanog.org
> Sent: Monday, November 25, 2013 10:55 AM
> Subject: Re: BGP neighbor/configuration testing
> 
> Seems like:
> 
> Nov 25 06:28:34.837 pacific: %BGP-3-NOTIFICATION: received from neighbor
> xxx.118.92.149 2/5 (authentication failure) 0 bytes
> 
> should be a good starting place. I'm assuming you've already discussed auth
> keys with your provider and if everyone is putting that in correctly, I'd
> suggest turning on debugging to see what exactly that message is all about.
> 
> Dan



Re: BGP neighbor/configuration testing

2013-11-25 Thread Chuck Anderson
When you say no logged error with mismatched neighbor IP address,
what do you mean?  Did the session just not establish at all?  How
long did you wait for it to attempt to establish?

On Juniper, if it sees a BGP connection come from an IP address that
doesn't match a local neighbor statement, it will send a BGP
Notification, code 2 (Open Message Error), subcode 5 (authentication
failure), which is exactly what you are seeing.

If one side is using a loopback IP instead of a physical IP for the
local-address, that would cause both a multihop/TTL issue and a
neighbor IP mismatch.

Another possibility is if you have exceeded the max prefix limit for
the session.  One side will get stuck in Idle state which may cause
the other side to send the same authentication failure notification.

On Mon, Nov 25, 2013 at 03:07:28PM -0800, Eric A Louie wrote:
> All Cisco/Cisco, I don't have a Juniper here to test with
> 
> mismatch AS
> *Apr  9 00:31:47.691: %BGP-3-NOTIFICATION: received from neighbor
> 10.250.254.253 2/2 (peer in wrong AS) 2 bytes 6A39
> 
> mismatch neighbor IP address
> no logged error
> 
> MTU mismatch
> no logged error, session remained up
> 
> Subnet mask mismatch
> session remained up, no logged error
> 
> I haven't created the multihop scenario to see the error messages.
> 
> None of these issues caused the (authentication failure).
> 
> From: Chuck Anderson c...@wpi.edu
> To: nanog@nanog.org
> Sent: Monday, November 25, 2013 11:10 AM
> Subject: Re: BGP neighbor/configuration testing
> 
> Authentication failure might mean (without knowing for sure which on
> Cisco):
> 
> - mismatch AS numbers
> - mismatch neighbor IP addresses
> - multihop/TTL issues
> - MTU issues



Re: Suggestion on Fiber tester

2013-09-26 Thread Chuck Anderson
On Thu, Sep 26, 2013 at 02:23:37AM +, Blake Pfankuch - Mailing List wrote:
> I am in the market for a simple fiber tester.  I have about 80 pairs running
> through my complex and we are running into some possible issues with some of
> the really old ones.  The pen light to confirm that it's the right strand is
> going to require a little bit more insight to determine if there is an issue
> with fiber in conduit or patch.
> 
> I don't need something super fancy, just need something that gives a good,
> bad or holy crap is that concrete you are testing on for starters.  I am
> also shooting for about $150-250 tops.
> 
> Any suggestions?

How about using the built-in Digital Optics Monitoring (DOM/DDM) in
modern SFPs?  Assuming your switches/routers and SFPs support it, you
can read the received power level right from your switches/routers.
The cost might be zero if you already have capable equipment...

Combine that with a flashlight for identifying strands, and it might
be all you need...
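
The DOM/DDM reading suggested above comes from the SFF-8472 diagnostics page (I2C address A2h) of the module; the following is an added example, not code from the thread or from any switch vendor, that decodes a raw 256-byte A2h page into temperature, supply voltage, bias current and transmit/receive power, converts the power readings to dBm, and grades the receive power against the module's own low-warning and low-alarm thresholds. The pages it decodes are constructed in the block; it assumes an internally calibrated module (the calibration type is flagged in A0h byte 92, and externally calibrated parts need the slope/offset fields at A2h bytes 56-95, which this example does not handle).

```python
import math

# SFF-8472 A2h (diagnostics page) byte offsets, internal-calibration case.
A2H_FIELDS = {
    "temperature_c": (96, "signed", 1 / 256),   # 1/256 degree C per LSB
    "vcc_v":         (98, "unsigned", 100e-6),  # 100 uV per LSB
    "tx_bias_ma":    (100, "unsigned", 2e-3),   # 2 uA per LSB, reported in mA
    "tx_power_uw":   (102, "unsigned", 0.1),    # 0.1 uW per LSB
    "rx_power_uw":   (104, "unsigned", 0.1),
}
# Alarm/warning thresholds live in bytes 0-39 as groups of four 16-bit values
# (high alarm, low alarm, high warning, low warning); rx power is the group at 32.
RX_POWER_THRESHOLDS = 32


def read16(page: bytes, off: int, signed: bool = False) -> int:
    return int.from_bytes(page[off:off + 2], "big", signed=signed)


def uw_to_dbm(uw: float) -> float:
    """Convert microwatts to dBm; 0 uW (no light at all) maps to -inf."""
    return 10 * math.log10(uw / 1000) if uw > 0 else float("-inf")


def decode_a2h(page: bytes) -> dict:
    """Decode the live monitoring values from a 256-byte A2h page."""
    if len(page) < 256:
        raise ValueError("A2h page must be 256 bytes")
    out = {}
    for name, (off, kind, scale) in A2H_FIELDS.items():
        out[name] = read16(page, off, signed=(kind == "signed")) * scale
    out["rx_power_dbm"] = uw_to_dbm(out["rx_power_uw"])
    out["tx_power_dbm"] = uw_to_dbm(out["tx_power_uw"])
    return out


def rx_power_status(page: bytes) -> str:
    """Classify receive power against the module's own low thresholds."""
    rx = read16(page, 104)
    low_alarm = read16(page, RX_POWER_THRESHOLDS + 2)
    low_warn = read16(page, RX_POWER_THRESHOLDS + 6)
    if rx <= low_alarm:
        return "low-alarm"
    if rx <= low_warn:
        return "low-warning"
    return "ok"


def put16(page: bytearray, off: int, value: int, signed: bool = False) -> None:
    page[off:off + 2] = value.to_bytes(2, "big", signed=signed)


def constructed_page(rx_raw: int) -> bytes:
    """Build a synthetic A2h page (constructed values, not read from any hardware)."""
    page = bytearray(256)
    put16(page, 96, 40 * 256, signed=True)     # 40.0 C
    put16(page, 98, 33000)                     # 3.3 V
    put16(page, 100, 4000)                     # 8.0 mA bias
    put16(page, 102, 5000)                     # 500 uW tx = -3.01 dBm
    put16(page, 104, rx_raw)                   # rx power, 0.1 uW units
    put16(page, RX_POWER_THRESHOLDS + 2, 100)  # rx low alarm: 10 uW = -20 dBm
    put16(page, RX_POWER_THRESHOLDS + 6, 200)  # rx low warning: 20 uW = -16.99 dBm
    return bytes(page)


HEALTHY_PAGE = constructed_page(800)   # 80 uW = -10.97 dBm
DIM_PAGE = constructed_page(150)       # 15 uW = -18.24 dBm: below warning, above alarm

if __name__ == "__main__":
    for label, page in (("healthy", HEALTHY_PAGE), ("dim", DIM_PAGE)):
        d = decode_a2h(page)
        print(label, "rx %.2f dBm" % d["rx_power_dbm"], rx_power_status(page))
```

Fed the raw page a switch exposes (or a byte dump from an I2C read of the module), this gives the same numbers a "show interface transceiver" style command prints, and the threshold comparison is what lets a monitoring job flag a slowly degrading strand before the link drops.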



recommended outdoor enclosures

2013-06-17 Thread Chuck Anderson
I'm in need of my first free-standing, pad-mounted outdoor enclosure,
19-inch rack rails, 12-18 rack units, with about 400W of heat load inside,
for use in the Massachusetts climate.  What do people recommend as far
as construction, cooling/heating options, NEMA ratings, security
options, etc. for this use?

I was hoping to keep the inside temperature between 50 and 85 degrees
Fahrenheit, although my worst-case components are rated for 41 to 104
F (4 - 40 C).  If a full mechanical A/C system can be avoided, even
better.  A thermo-electric cooler would be nice.

Thanks.



Re: recommended outdoor enclosures

2013-06-17 Thread Chuck Anderson
On Mon, Jun 17, 2013 at 04:19:07PM -0400, Jon Sands wrote:
> This is by far a cheaper option, but should work just fine. I'm
> about to do the same myself.
> 
> Grab a used cab here - http://www.usedtowers.com/CABINETS/CABINETS.htm
> 
> Some of those come with the factory huge AC systems built for
> thousands of watts of equipment inside, but if you're like me and
> will have 300-400 watts max, grab a non-cooled cabinet for cheap.
> 
> Then pick up one of these guys and slap it on, buy the capacity you
> need. You can get them with a heating option as well, they're
> thermoelectric and very affordable-
> http://www.eicsolutions.com/thermoelectric-air-conditioners.php

very affordable?  I looked at those and they cost more than twice
the cost of the cabinet itself.  But I might end up going with them
anyway, 1500 BTU would cover the 400 watts I generate inside the
cabinet, but I'm more concerned about the outdoor environment/solar
heating effects.  How many BTU should I add to account for that?



Re: recommended outdoor enclosures

2013-06-17 Thread Chuck Anderson
Unfortunately, I have some specific non-commodity circuit boards I'm
dealing with, so I have to accommodate their environmental
requirements. 

On Mon, Jun 17, 2013 at 01:22:26PM -0700, david peahi wrote:
> I have had success with the opposite approach using equipment rated from
> -40 C to +85 C (+185 F), no fans, sealed NEMA4 or NEMA12 Hoffman
> enclosures, cooling by equipment heat sinks. Ethernet switches and optics
> rated -40 C to +85 C.
> This configuration has worked with the same equipment for at least 6 years
> in an environment where summer ambient temperatures reach 120-130 F, and
> winter ambient 0 F. Hoffman makes a 72-inch high NEMA12 enclosure with a
> swing-out 19-inch telco rack.
> 
> 
> On Mon, Jun 17, 2013 at 12:36 PM, Chuck Anderson c...@wpi.edu wrote:
> 
> > I'm in need of my first free-standing, pad-mounted outdoor enclosure,
> > 19-inch rack rails, 12-18 rack units, with about 400W of heat load inside,
> > for use in the Massachusetts climate.  What do people recommend as far
> > as construction, cooling/heating options, NEMA ratings, security
> > options, etc. for this use?
> > 
> > I was hoping to keep the inside temperature between 50 and 85 degrees
> > Fahrenheit, although my worst-case components are rated for 41 to 104
> > F (4 - 40 C).  If a full mechanical A/C system can be avoided, even
> > better.  A thermo-electric cooler would be nice.
> > 
> > Thanks.



Re: Entry level WDM gear? follow-up

2013-05-17 Thread Chuck Anderson
On Fri, May 17, 2013 at 10:18:34PM -0400, Jeff Kell wrote:
> On 5/10/2013 9:56 AM, Jerimiah Cole wrote:
> > On 05/08/2013 09:21 PM, Jeff Kell wrote:
> > > Ciena/Cyan/etc are way over our non-existent budget...  what is the
> > > going recommendation to throw say 4-8 lambdas over a dark pair without
> > > breaking the bank?  :)
> > I've used http://www.omnitron-systems.com/ media converters and found
> > them reliable.  They've got the filters to do an 8 channel system.
> 
> Thanks for this and other responses.  Cumulatively I have some more
> information, but also more questions :)
> 
> We have an existing fiber pair to location A where it is
> cross-connected to location B and terminated.  It's currently a ~35km
> link running 10G-ER optics (1550nm).  We're getting a little less than
> -7dBm receive over the link now with standard 10G-ER optics.
> 
> We need to connect to another provider at location A (also 10G), so
> thinking of xWDM from campus to location A.  Would like to handoff one
> lambda on to location B to maintain that circuit, and the
> new/additional ones would terminate at location A.

Typically you would use an Optical Add/Drop Multiplexer at each
intermediate site and a regular Optical Mux at the endpoint sites, but
you should be able to simplify this to just two OMUXes, one at A and
the other at campus, sending the lambda for B through the
cross-connect as long as you don't need more than one lambda at B.

> CWDM is obviously cheaper and supports the 1550nm current band (but do
> we need to replace existing optics with tuned ones to keep things
> honest?).

Should work fine with your existing 1550 ER optics, as long as you
have enough optical budget to account for the additional loss of the
CWDM passives.  You should even be able to use one of the wavelengths
of DWDM C-band optics within the 1550nm 20nm-wide channel of a CWDM
system.  I know someone who did this to future-proof their optics
for an eventual upgrade to a DWDM system.

> Cisco lists no CWDM 10G optics at all in any form factor, only DWDM, and
> they're really proud of them based on the list price.

Transition Networks and Integra Networks should both have 10G SFP+ and
XFP optics in CWDM wavelengths.  Integra can also do the CWDM passives
including custom arrangements in various form factors.

> The tuned optics have no SR/LR/ER/ZR attributes... so what are their
> real distance characteristics?  In particular, can we cross-connect one
> of the outputs to the existing location B and have the dBm budget to
> get there?

Distance specs are always approximate or nominal with no guarantee
that you will reach that far since it depends on lots of different
factors and in some cases you can even go farther.  You should be able
to tell definitively by the optical specs, specifically output power
in dBm & receiver sensitivity in dBm (subtract the two to get the link
budget in dB) or the optical budget may be given directly in dB or you
may be able to infer by the distance spec (different vendors' 40km,
80km, 120km optics I've seen all have similar optical power
specs/budgets--but these may be different 1gig vs. 10gig so only
compare distances of the same speed optics to infer optical budgets
and keep this in mind when upgrading a link from 1g to 10g).

Once you know the budget for each pair of optics, you need to add up
the loss of all components between the two endpoints of each pair,
using the losses given in the CWDM passives spec sheet for add/drop
loss, pass-thru loss, etc. as well as connector, splice, and distance
losses.  In my experience, so-called 80km 10gig optics were necessary
to go even 2km (two km) in a CWDM system with several add/drops in
between the endpoints (including some leftover budget for expansion to
more add/drops), while so-called 40km 1gig optics were fine under the
same conditions.
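
The recipe above (link budget = launch power minus receiver sensitivity, then subtract every loss between the two optics, keeping some reserve for future add/drops) as an added worked example; this is not code from the thread or from any optics vendor, and every optic and loss figure in it is a constructed placeholder rather than a datasheet value. It goes one step beyond the text by also checking receiver overload, the other way a long-reach optic on a short span can fail when no attenuator is fitted.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Optic:
    """Datasheet-style numbers for one transceiver pair (all constructed here)."""
    name: str
    tx_min_dbm: float        # minimum launch power
    rx_sens_dbm: float       # receiver sensitivity (minimum usable input)
    rx_overload_dbm: float   # maximum input before the receiver saturates

    def budget_db(self) -> float:
        # Launch power minus sensitivity, both in dBm, gives the budget in dB.
        return self.tx_min_dbm - self.rx_sens_dbm


@dataclass
class LossItem:
    """One source of loss in the path; count scales fiber km, connectors, OADMs."""
    label: str
    loss_db: float
    count: float = 1.0

    def total_db(self) -> float:
        return self.loss_db * self.count


def path_loss_db(items: List[LossItem]) -> float:
    return sum(i.total_db() for i in items)


def evaluate(optic: Optic, items: List[LossItem],
             design_margin_db: float = 3.0) -> Dict[str, object]:
    """Check both failure modes: too little light (margin < 0) and too much (overload)."""
    loss = path_loss_db(items)
    margin = optic.budget_db() - loss - design_margin_db
    rx_dbm = optic.tx_min_dbm - loss          # worst-case received power
    return {
        "optic": optic.name,
        "loss_db": round(loss, 2),
        "margin_db": round(margin, 2),
        "rx_dbm": round(rx_dbm, 2),
        "overloaded": rx_dbm > optic.rx_overload_dbm,
        "ok": margin >= 0 and rx_dbm <= optic.rx_overload_dbm,
    }


# Constructed optic specs, not any vendor's numbers.
OPTIC_40KM = Optic("10G CWDM '40km' (constructed)", tx_min_dbm=0.0,
                   rx_sens_dbm=-16.0, rx_overload_dbm=-1.0)
OPTIC_80KM = Optic("10G CWDM '80km' (constructed)", tx_min_dbm=2.0,
                   rx_sens_dbm=-24.0, rx_overload_dbm=-7.0)

# A short ring like the one described: only 2 km of glass, but several add/drops
# in the path and a reserve for more (constructed loss figures).
CWDM_RING = [
    LossItem("fiber near 1550nm, per km", 0.35, count=2),
    LossItem("connector pairs", 0.5, count=8),
    LossItem("OADM add/drop at each end", 1.8, count=2),
    LossItem("OADM pass-through at intermediate sites", 1.2, count=4),
    LossItem("reserve for future add/drops", 1.2, count=2),
]

# The same optics on a bare 2 km patch: budget is no problem, overload is.
BARE_PATCH = [
    LossItem("fiber near 1550nm, per km", 0.35, count=2),
    LossItem("connector pairs", 0.5, count=2),
]

if __name__ == "__main__":
    for optic in (OPTIC_40KM, OPTIC_80KM):
        for name, path in (("CWDM ring", CWDM_RING), ("bare patch", BARE_PATCH)):
            print(name, evaluate(optic, path))
```

With these placeholder numbers the "40km" part comes up 2.5 dB short on the ring once a 3 dB design margin is held back, which is the situation described above, while the "80km" part clears the ring but drives the receiver past its overload point on the bare patch; swap in the real spec-sheet values and the loss figures from the passives' data sheet to get an answer for an actual link.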



Re: Verizon DSL moving to CGN

2013-04-08 Thread Chuck Anderson
I think he means patent encumbered.

On Mon, Apr 08, 2013 at 07:13:11PM +, Rajiv Asati (rajiva) wrote:
> Chris,
> 
> Ummm... you mean the IPv6 and IPv4 inter-dependency when you say IP
> encumbered?
> 
> If so, the answer is Yes. v6 addressing doesn't need to change to
> accommodate this IPv4 A+P encoding.
> 
> 
> Cheers,
> Rajiv
> 
> -Original Message-
> From: Christopher Morrow morrowc.li...@gmail.com
> Date: Monday, April 8, 2013 2:28 PM
> To: Rajiv Asati raj...@cisco.com
> Cc: Mikael Abrahamsson swm...@swm.pp.se, nanog list nanog@nanog.org
> Subject: Re: Verizon DSL moving to CGN
> 
> 
> On Mon, Apr 8, 2013 at 2:19 PM, Rajiv Asati (rajiva)
> raj...@cisco.com wrote:
> 
> Yes, MAP (T-Translation or E-Encap mode) is implemented on two regular
> routers that I know of - ASR9K and ASR1K. Without that, you are right that
> MAP wouldn't have been as beneficial as claimed.
> 
> 
> glad it's cross platform... is it also IP encumbered so it'll remain just
> as 'cross platform' ?



Re: Verizon DSL moving to CGN

2013-04-08 Thread Chuck Anderson
http://datatracker.ietf.org/ipr/search/?option=document_search&id_document_tag=draft-ietf-softwire-map

http://datatracker.ietf.org/doc/draft-ietf-softwire-map/?include_text=1

On Mon, Apr 08, 2013 at 03:41:54PM -0400, Christopher Morrow wrote:
> On Mon, Apr 8, 2013 at 3:21 PM, Rajiv Asati (rajiva) raj...@cisco.com wrote:
> 
> > Oh, it certainly is (per the IETF IPR rules).
> 
> which rfcs? I can find a draft in softwire:
> http://tools.ietf.org/html/draft-mdt-softwire-map-translation-01
> 
> and a reference to this in wikipedia:
>   http://en.wikipedia.org/wiki/IPv6_transition_mechanisms#MAP
> 
> which says: ...(MAP) is a Cisco IPv6 transition proposal...
> 
> so.. err, we won't see this in juniper gear since:
>   1) not a standard
>   2) encumbered by IPR issues
> 
> weee!
> 
> > Thanks for the clarity, Chuck.
> > 
> > Cheers,
> > Rajiv
> > 
> > -Original Message-
> > From: Chuck Anderson c...@wpi.edu
> > Date: Monday, April 8, 2013 3:18 PM
> > To: Rajiv Asati raj...@cisco.com
> > Cc: Christopher Morrow morrowc.li...@gmail.com, nanog list
> > nanog@nanog.org
> > Subject: Re: Verizon DSL moving to CGN
> > 
> > I think he means patent encumbered.
> > 
> > On Mon, Apr 08, 2013 at 07:13:11PM +, Rajiv Asati (rajiva) wrote:
> > > Chris,
> > > 
> > > Ummm... you mean the IPv6 and IPv4 inter-dependency when you say IP
> > > encumbered?
> > > 
> > > If so, the answer is Yes. v6 addressing doesn't need to change to
> > > accommodate this IPv4 A+P encoding.
> > > 
> > > 
> > > Cheers,
> > > Rajiv
> > > 
> > > -Original Message-
> > > From: Christopher Morrow morrowc.li...@gmail.com
> > > Date: Monday, April 8, 2013 2:28 PM
> > > To: Rajiv Asati raj...@cisco.com
> > > Cc: Mikael Abrahamsson swm...@swm.pp.se, nanog list nanog@nanog.org
> > > Subject: Re: Verizon DSL moving to CGN
> > > 
> > > 
> > > On Mon, Apr 8, 2013 at 2:19 PM, Rajiv Asati (rajiva)
> > > raj...@cisco.com wrote:
> > > 
> > > Yes, MAP (T-Translation or E-Encap mode) is implemented on two regular
> > > routers that I know of - ASR9K and ASR1K. Without that, you are right
> > > that
> > > MAP wouldn't have been as beneficial as claimed.
> > > 
> > > 
> > > glad it's cross platform... is it also IP encumbered so it'll remain
> > > just
> > > as 'cross platform' ?



Re: 80 km BiDi XFPs

2013-04-05 Thread Chuck Anderson
On Fri, Apr 05, 2013 at 10:58:49AM -0600, Jerimiah Cole wrote:
> On 04/05/2013 10:39 AM, Randy Carpenter wrote:
> > 
> > I'm going to guess that this is not going to meet the OP's request
> > for an XFP, which would be 10GbE (and not an SFP).
> 
> Probably a safe guess.  Mea culpa.

Check out Integra Networks.  Their catalog lists a 10G XFP Bi-Dir
80km:

http://integranetworks.net/wp-content/uploads/2012/06/Integra-Networks-Catalog-20122.pdf

XFP-CXX-80-D (CWDM)
XFP-DXX-80-D (DWDM)



Re: 2-Channel CWDM Add/Drop with SC/APC connectors

2013-02-08 Thread Chuck Anderson
On Fri, Feb 08, 2013 at 10:55:34AM +0100, Thilo Bangert wrote:
> On Thursday, February 07, 2013 08:04:41 PM Chuck Anderson wrote:
> > Is it that much harder to terminate the angled connectors?
> 
> no - it's just a different type of pigtail, but adding another splice will
> increase the insertion loss slightly.

When I looked inside the OADM module, I don't remember seeing any
splices, but that may just be because I didn't look inside the optobox
itself.  I was under the impression that the connectors were not
pigtails spliced to the optobox fibers, but rather directly terminated
to the fibers emerging from the optobox.  I'm not sure the optobox is
meant to be opened.

So my question is, how hard is it to put a raw angled connector onto a
strand of fiber in the field without using factory pre-terminated
pigtails?  I assume the process would be the same as any other
connector: insert strand, cleave, polish, but using an angled sleeve
to polish the end at the correct angle?

> we once ordered a cwdm splitter box at a different than usual place - as
> always with sc/apc connectors.
> the supplier changed the pigtails to accommodate our request. unfortunately he
> didn't change the bulkheads, which was less than helpful.

Wow, that would be confusing.



2-Channel CWDM Add/Drop with SC/APC connectors

2013-02-07 Thread Chuck Anderson
Years ago I was able to purchase 2-Channel CWDM Plug-In 1-Wavelength
Optical Add/Drop Multiplexors from Finisar with SC/APC connectors on
them, even though they normally only make the SC/PC version shown
here:

FWSF-OADM-1-xx-SC

http://www.finisar.com/products/passives/MUX-DEMUX/CWDM_OADM-1_Plug-in_Module

but they won't do the SC/APC version for me now.

Does anyone know of a good alternative?  There are lots of options for
modular/rack mount 2-Channel CWDM Add/Drops that have SC/PC or LC/PC
connectors made for data networks.  There are also lots of options for
1-Channel SC/APC or LC/APC modules made for CATV applications.  But
I'm having trouble finding 2-Channel versions with APC connectors that
I can use with data equipment + CATV transmission on the same ring.

I know I could combine two separate 1-Channel OADMs, but I prefer the
integrated, modular solution.  A bonus would be to find an alternative
that fits in my existing Finisar 2-slot 1U chassis.

In any case, I'm open to hearing about all options.  Actually, I
already have the 1490nm OADM in the SC/PC version, and I suppose I
could cut off the connectors re-terminate with SC/APC and replace the
bulkhead connectors with the green ones.  My preferred fiber
contractor doesn't have experience with terminating APC connectors
though.  Is it that much harder to terminate the angled connectors?

Thanks,
Chuck



TOR fiber patch panels

2013-01-31 Thread Chuck Anderson
I'm looking for better Top-Of-Rack fiber patch panels than the ones
I've been using up to this point.  I'm looking for something that is
1U, holds 12 to 24 strands of SC, ST, or LC, has fiber jumper
management rings, and has a door that doesn't interfere with the U
below (a server might be mounted immediately below the fiber patch
panel).  I prefer one that doesn't have a sliding mechanism, because
I've had issues with fiber installers not installing those properly,
causing fiber to be crunched and broken when the tray is slid out/in
during patching.  Of course, I would still like one that is easy to
get your fingers into to install and remove fiber jumpers.

Does such a thing exist?  What are people's favorite fiber patch
panels?

Thanks.



Re: CLI Roadmap

2012-10-15 Thread Chuck Anderson
On Sun, Oct 14, 2012 at 07:41:01PM +0200, Kasper Adel wrote:
 I have never used any CLI other than Cisco so i am curious what useful and
 creative knobs and bolts are available for other network appliance Vendors.

Junos OS has:

- Multi-level hierarchical configuration with absolute or relative
  configuration editing, comments (annotations), and XML support.

Hierarchical configuration:

[edit]
user@device# show | find interfaces
interfaces {
    ge-0/0/0 {
        description foo;
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 10 {
            description bar;
            vlan-id 10;
            family inet {
                address 10.1.2.3/24;
            }
        }
    }
}


Absolute (from the root of the configuration tree) editing:

[edit]
user@device# set interfaces ge-0/0/0 description foo

[edit]
user@device# set interfaces ge-0/0/0 flexible-vlan-tagging

[edit]
user@device# set interfaces ge-0/0/0 encapsulation flexible-ethernet-services

[edit]
user@device# set interfaces ge-0/0/0 unit 10 description bar

[edit]
user@device# set interfaces ge-0/0/0 unit 10 vlan-id 10

[edit]
user@device# set interfaces ge-0/0/0 unit 10 family inet address 10.1.2.3/24


Relative (from any level in the configuration tree) editing:

[edit]
user@device# edit interfaces

[edit interfaces]
user@device# edit ge-0/0/0 unit 10

[edit interfaces ge-0/0/0 unit 10]
user@device# show 
description bar;
vlan-id 10;
family inet {
    address 10.1.2.3/24;
}

[edit interfaces ge-0/0/0 unit 10]
user@device# set vlan-id 20

[edit interfaces ge-0/0/0 unit 10]
user@device# show | match vlan-id
vlan-id 20;


- Non-immediate configuration editing with commit/rollback
  functionality.

- The ability to pre-configure hardware that isn't installed yet.

- Configuration diff (compare), patch, merge, replace, etc.

[edit interfaces ge-0/0/0 unit 10]
user@device# set family inet mtu 9000

[edit interfaces ge-0/0/0 unit 10]
user@device# show | compare 
[edit interfaces ge-0/0/0 unit 10 family inet]
-mtu 1500;
+mtu 9000;

- Template & derived configurations (configuration groups,
  apply-groups, apply-path, interface-ranges which support
  GLOBs/regular expressions, etc.)

- Scripting with Op Scripts (create CLI command extensions), Event
  Scripts (react to device events), and Configuration Scripts (modify
  the to-be-committed configuration in various ways).

- Piping ala UNIX:

user@device> show configuration | ?
Possible completions:
  compare  Compare configuration changes with prior version
  count    Count occurrences
  display  Show additional kinds of information
  except   Show only text that does not match a pattern
  find     Search for first occurrence of pattern
  hold     Hold text without exiting the --More-- prompt
  last     Display end of output only
  match    Show only text that matches a pattern
  no-more  Don't paginate output
  request  Make system-level requests
  resolve  Resolve IP addresses
  save     Save output text to file
  trim     Trim specified number of columns from start of line

user@device> show configuration | display ?
Possible completions:
  changed          Tag changes with junos:changed attribute (XML only)
  commit-scripts   Show data after commit scripts have been applied
  detail           Show configuration data detail
  inheritance      Show inherited configuration data and source group
  omit             Emit configuration statements with the 'omit' option
  set              Show 'set' commands that create configuration
  xml              Show output as XML tags


 I guess what makes *NIX CLI/Shell so superior is that you can do advanced
 stuff from the CLI using sed, awk and all the great tools there so maybe
 this is also one thing missing.

and if you really need the UNIX shell, Junos OS has that too with sed,
awk, etc.:

user@device> start shell
%
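As an added illustration of the hierarchical-to-`set` mapping and the `show | compare` idea described above (this is example code written for this page, not Juniper code and not from the original post): a small Python parser that reads curly-brace configuration text, emits the equivalent absolute `set` statements the way `display set` does, and diffs two versions into `delete`/`set` lines. The grammar it accepts (braces, `;`-terminated leaves, `/* */` and `#` comments) and the embedded sample configuration are assumptions made for the example, not the full Junos syntax.

```python
"""Junos-style hierarchical configuration to flat `set` commands, plus a
`show | compare`-like diff. Added example written for this page, not Juniper
code or anything from the original thread; the parser handles braces,
`;`-terminated leaves and comments only, not the full Junos grammar."""

import re
from typing import Any, Dict, List, Tuple

# Constructed sample: the same interface stanza the post shows.
SAMPLE_CONFIG = """\
interfaces {
    ge-0/0/0 {
        description foo;
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 10 {
            /* customer bar */
            description bar;
            vlan-id 10;
            family inet {
                address 10.1.2.3/24;
            }
        }
    }
}
"""

Tree = Dict[str, Any]   # containers map to nested dicts, leaf statements to None


def parse_junos(text: str) -> Tree:
    """Turn curly-brace configuration text into a nested dict."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)      # drop /* annotations */
    root: Tree = {}
    stack: List[Tree] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()                 # drop # comments (assumed
        if not line:                                         # rule; unsafe for quoted values)
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif line.endswith("{"):
            name = line[:-1].strip()
            child = stack[-1].get(name)
            if not isinstance(child, dict):                  # new container, or a leaf
                child = {}                                   # being re-opened as one
                stack[-1][name] = child
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"line {lineno}: unterminated statement {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces: missing '}'")
    return root


def to_set_commands(tree: Tree, prefix: Tuple[str, ...] = ()) -> List[str]:
    """Flatten the tree into `set <absolute path>` lines, like `display set`."""
    cmds: List[str] = []
    for key, val in tree.items():
        path = prefix + (key,)
        if not val:                      # leaf statement or empty container
            cmds.append("set " + " ".join(path))
        else:
            cmds.extend(to_set_commands(val, path))
    return cmds


def compare(old: Tree, new: Tree) -> List[str]:
    """What `delete`/`set` statements turn `old` into `new`: a candidate-vs-
    committed diff expressed in set form (order: deletes first, then sets)."""
    old_set, new_set = set(to_set_commands(old)), set(to_set_commands(new))
    deletes = sorted("delete " + c[len("set "):] for c in old_set - new_set)
    adds = sorted(new_set - old_set)
    return deletes + adds


if __name__ == "__main__":
    committed = parse_junos(SAMPLE_CONFIG)
    candidate = parse_junos(SAMPLE_CONFIG.replace("vlan-id 10;", "vlan-id 20;"))
    print("\n".join(to_set_commands(committed)))
    print("--- compare ---")
    print("\n".join(compare(committed, candidate)))
```

The set-form diff is the form most useful for change review: each line is one atomic statement, so a config audit can grep for a single offending `set` rather than reading a brace hierarchy.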



Re: F-ckin Leap Seconds, how do they work?

2012-06-30 Thread Chuck Anderson
Same here with KVM guests on Scientific Linux 6 (RHEL 6 clone) hosts.
No issues on SL 6 and CentOS 5 guests.  We also do not run NTP on the
VMs, only on the hosts.  The guest VM kernels did not log any leap
second clock change, but appear to have the same time as the hosts.

The hosts DID have issues though.  The "reset the date" workaround
solved the issue immediately, with no requirement to restart anything,
including ntpd.  The hosts logged leap second clock updates:

Jun 30 19:59:59 vmhost kernel: Clock: inserting leap second 23:59:60 UTC

My Fedora 16 laptop was also being sluggish due to chromium-browser
sucking up CPU.  That too was fixed immediately by resetting the date.

On Sun, Jul 01, 2012 at 12:41:25AM -0400, Derek Ivey wrote:
 We haven't had any issues with any of our VMs. We run several of our
 own Java/Tomcat apps, Jira, and Confluence on a mixture of Solaris
 and CentOS 5 and 6. We do not run NTP on our VMs though; instead, we
 rely on VMware Tools to sync the VMs' time with the ESXi hosts. The
 ESXi hosts run NTP.
 
 On 6/30/2012 11:16 PM, George Bonser wrote:
 Anything with java running seems hit.
 We just finished up a firm round of reboots... :(
 
 Recent Ubuntu boxes and RHES 6... all the same ...
 
 Bye,
 Raymond.
 
 
 Yeah, in the process of doing the same.
 
 http://news.ycombinator.com/item?id=4183122
 
 Might try this for machines with Java applications in order to avoid
 reboot:
 
 https://bugzilla.mozilla.org/show_bug.cgi?id=769972
 
 
 See comment 5
 
 
 And we have verified that this clears the issue for us.  YMMV.



Re: Squeezing IPs out of ARIN

2012-04-25 Thread Chuck Anderson
On Wed, Apr 25, 2012 at 08:28:35AM -0700, Owen DeLong wrote:
 
 On Apr 25, 2012, at 3:23 AM, Joe Maimon wrote:
 
  
  
  ad...@thecpaneladmin.com wrote:
  Anyone have any tips for getting IPs from ARIN? For an end-user
  allocation they are requesting that we provide customer names for
  existing allocations, which is information that will take a while to
  obtain. They are insisting that this is standard process and something
  that everyone does when requesting IPs. Has anyone actually had to do this?
  
  
  
  ARIN does not require you or your customers to use NAT.
  
  If you have customers, you are an ISP and need an allocation.
  
  SWIP everything you do.
  
 RWHOIS is a perfectly valid alternative to SWIP.

Can a downstream ISP SWIP records if their upstream ISP uses RWHOIS
for the block that is further delegated to that downstream ISP?



Re: Automatic IPv6 due to broadcast

2012-04-23 Thread Chuck Anderson
On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
 On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
Particularly good L2 switches also have
  DAI  or  IP Source guard  IPv4 functions,   which when properly
  enabled,  can foil certain L2 ARP  and IPv4 source  address spoofing
  attacks,  respectively.
  
 
  e.g. Source IP address of packet does not match one of the DHCP leases
  issued to that port -- then drop the packet.
  
 
 Meh... I can see many cases where that might be more of a bug than feature.
 
 Especially in environments where loops may be possible and the DHCP lease
 might have come over a different path than the port in question during some
 network event.

You're only supposed to use those features on the port directly
connected to the end-system, or to a few end-systems via an unmanaged
office switch that doesn't have redundant uplinks.  I.e. edge ports.



Re: Automatic IPv6 due to broadcast

2012-04-23 Thread Chuck Anderson
On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:

 On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:
 
  On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
  On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
   Particularly good L2 switches also have
  DAI  or  IP Source guard  IPv4 functions,   which when properly
  enabled,  can foil certain L2 ARP  and IPv4 source  address spoofing
  attacks,  respectively.
  
  
  e.g. Source IP address of packet does not match one of the DHCP leases
  issued to that port -- then drop the packet.
  
  
  Meh... I can see many cases where that might be more of a bug than feature.
  
  Especially in environments where loops may be possible and the DHCP lease
  might have come over a different path than the port in question during some
  network event.
  
  You're only supposed to use those features on the port directly
  connected to the end-system, or to a few end-systems via an unmanaged
  office switch that doesn't have redundant uplinks.  I.e. edge ports.
 
 In a lot of cases, enforcing that all address assignments are via DHCP can
 still be counter-productive. Especially in IPv6.

If a specific managed environment provides DHCPv6 and doesn't provide
SLAAC, and the policies of said environment forbid static addressing,
how can enforcing the use of DHCPv6 be counter-productive?



how to report spam to Yahoo!

2012-03-21 Thread Chuck Anderson
Yahoo!'s abuse contact from whois:

OrgAbuseEmail:  network-ab...@cc.yahoo-inc.com

now sends an autoresponse that tells you to go to a web form to report
spam:

http://help.yahoo.com/l/us/yahoo/mail/yahoomail/spam.html

but the link doesn't work--it just redirects to a generic Yahoo!  help
page at:

http://help.yahoo.com/kb/index?page=product&locale=en_US&y=PROD_MAIL_ML

So how does a non-Yahoo! account holder report spam originating from
Yahoo!'s network?

- Forwarded message from Yahoo! Network <network-ab...@cc.yahoo-inc.com> -

From: Yahoo! Network <network-ab...@cc.yahoo-inc.com>
Date: Wed, 21 Mar 2012 05:59:35 -0700
Reply-To: Yahoo! Network <network-ab...@cc.yahoo-inc.com>

Thank you for your email, but this address is no longer being used for 
abuse reporting or abuse related questions.

To report spam, please use this form:
http://help.yahoo.com/l/us/yahoo/mail/yahoomail/spam.html

To report other types of abuse or for help with security or abuse 
related issues, please go to Yahoo! Abuse: 
http://abuse.yahoo.com
 
For questions about using Yahoo! services, please visit Yahoo Help: 
http://help.yahoo.com

Note: Please do not reply to this email as replies will not be answered.

Thank you,
 - Yahoo! Customer Care




Original Message Follows:




Re: dns and software, was Re: Reliable Cloud host ?

2012-03-01 Thread Chuck Anderson
On Thu, Mar 01, 2012 at 05:57:11PM -0500, William Herrin wrote:
 Which is what everybody basically does. And when it works during the
 decidedly non-rigorous testing, they move on to the next problem...
 with code that doesn't perform well in the corner cases. Such as when
 a host has just been renumbered or one of the host's addresses is
 unreachable.
 
 And because most everybody has made more or less the same errors, the
 DNS TTL fails to cause their applications to work as intended and
 loses its utility as a tool to facilitate renumbering.

Is there an RFC or BCP that describes how to correctly write such a
library?  Perhaps we need to work to get such a thing, and then push
for RFC-compliance of the resolver libraries, or develop a set of
libraries named after and fully compliant with the RFC and get
software to use them.



Re: Common operational misconceptions

2012-02-16 Thread Chuck Anderson
On Thu, Feb 16, 2012 at 08:27:14AM -0500, Jeff Kell wrote:
 On 2/16/2012 8:17 AM, Ray Soucy wrote:
  I've found starting off with some history on Ethernet (Maine loves Bob
  Metcalfe) becomes a very solid base for understanding; how Ethernet
  today is very different; starting with hubs, bridges, collisions, and
  those problems, then introducing modern switching, VLANs, broadcast
  domain's etc.
 
 It's a bit dated (1998) but I always thought Rich Siefert covered the
 basics very well...
 http://www.amazon.com/Gigabit-Ethernet-Technology-Applications-High-Speed/dp/0201185539

I like this free Juniper online training to introduce people to Layer 2 and
Layer 3 and how they interact:

https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx

Networking Fundamentals eLearning course.



Re: Common operational misconceptions

2012-02-15 Thread Chuck Anderson
ICMP is bad, and should be completely blocked for security.

On Wed, Feb 15, 2012 at 02:47:15PM -0600, John Kristoff wrote:
 Hi friends,
 
 As some of you may know, I occasionally teach networking to college
 students and I frequently encounter misconceptions about some aspect
 of networking that can take a fair amount of effort to correct.
 
 For instance, a topic that has come up on this list before is how the
 inappropriate use of classful terminology is rampant among students,
 books and often other teachers.  Furthermore, the terminology isn't even
 always used correctly in the original context of classful addressing.
 
 I have a handful of common misconceptions that I'd put on a top 10 list,
 but I'd like to solicit from this community what it considers to be the
 most annoying and common operational misconceptions future operators
 often come at you with.
 
 I'd prefer replies off-list and can summarize back to the list if
 there is interest.
 
 John



Re: Common operational misconceptions

2012-02-15 Thread Chuck Anderson
On Wed, Feb 15, 2012 at 04:51:44PM -0600, Anton Kapela wrote:
 On Wed, Feb 15, 2012 at 4:36 PM, Chuck Anderson <c...@wpi.edu> wrote:
  ICMP is bad, and should be completely blocked for security.
 
 I can't tell if this reply is to say this ought to be done or if
 this is often done, and should not be.
 
 Clarify?

This thread is about misconceptions.  What I said was a common
misconception that all ICMP should be blocked for security reasons.
In reality, some kinds of ICMP are REQUIRED for proper functioning of
an internetwork for things like Path MTU Discovery (ICMP Fragmentation
Needed/Packet Too Big).  Other kinds of ICMP are good to allow for
being nice to the users and applications by informing them of an error
immediately rather than forcing them to wait for a timeout (ICMP
Destination Unreachable).
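To make the misconception concrete, here is an added example (written for this page, not from the thread) that models Path MTU Discovery across a path with a smaller-MTU hop and applies three return-path ICMP policies: block everything, allow echo only, and allow the error types an internetwork actually needs. The hop MTUs, the policies and the retry limit are constructed for the illustration.

```python
"""Why "block all ICMP" breaks Path MTU Discovery: a small model of a sender,
a multi-hop path and an ICMP filter on the return path. Added example for this
page, not from the original thread; hop MTUs, policies and the retry limit
are constructed."""

from dataclasses import dataclass
from typing import Callable, List, Optional

# ICMPv4 types and the one code used here (RFC 792, RFC 1191).
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4          # DEST_UNREACH code: fragmentation needed and DF set


@dataclass
class Packet:
    size: int                        # total IP length in bytes
    df: bool = True                  # Don't Fragment, as TCP sets it for PMTUD
    icmp_type: Optional[int] = None  # None for ordinary data
    icmp_code: int = 0
    next_hop_mtu: int = 0            # carried in Frag Needed (RFC 1191)


IcmpPolicy = Callable[[Packet], bool]


def block_all_icmp(pkt: Packet) -> bool:
    """The misconception: drop every ICMP message."""
    return False


def allow_ping_only(pkt: Packet) -> bool:
    """Common half-fix: ping works, so people assume ICMP is 'allowed'."""
    return pkt.icmp_type in (ECHO_REQUEST, ECHO_REPLY)


def allow_required_icmp(pkt: Packet) -> bool:
    """Minimum a border filter passes back toward hosts: the errors PMTUD and
    fast failure depend on, plus echo for diagnostics."""
    return pkt.icmp_type in (DEST_UNREACH, TIME_EXCEEDED, ECHO_REQUEST, ECHO_REPLY)


class Path:
    def __init__(self, link_mtus: List[int], return_filter: IcmpPolicy):
        self.link_mtus = link_mtus
        self.return_filter = return_filter

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Walk the hops. Returns the packet if it reaches the far end, the ICMP
        error the sender would receive, or None if that error was filtered."""
        for mtu in self.link_mtus:
            if pkt.size <= mtu:
                continue
            if not pkt.df:
                continue             # router fragments; the data still arrives
            err = Packet(size=576, df=False, icmp_type=DEST_UNREACH,
                         icmp_code=FRAG_NEEDED, next_hop_mtu=mtu)
            return err if self.return_filter(err) else None
        return pkt


def send_with_pmtud(path: Path, total_bytes: int, max_attempts: int = 5) -> dict:
    """Sender side of RFC 1191 for one segment: start at the local MTU and
    shrink whenever a Frag Needed comes back."""
    pmtu, attempts = 1500, 0
    while attempts < max_attempts:
        attempts += 1
        reply = path.forward(Packet(size=min(total_bytes, pmtu)))
        if reply is None:
            # Silence. To the sender this is ordinary loss, so it retransmits
            # the same too-large segment: the classic PMTUD black hole.
            continue
        if reply.icmp_type == DEST_UNREACH and reply.icmp_code == FRAG_NEEDED:
            pmtu = reply.next_hop_mtu
            continue
        return {"delivered": True, "pmtu": pmtu, "attempts": attempts}
    return {"delivered": False, "pmtu": pmtu, "attempts": attempts}


HOPS = [1500, 1400, 1500]   # constructed: a 1400-byte tunnel in the middle

if __name__ == "__main__":
    for name, policy in [("allow required ICMP", allow_required_icmp),
                         ("allow ping only", allow_ping_only),
                         ("block all ICMP", block_all_icmp)]:
        print(f"{name:20s} large: {send_with_pmtud(Path(HOPS, policy), 1500)}")
        print(f"{name:20s} small: {send_with_pmtud(Path(HOPS, policy), 1000)}")
```

The small-packet case succeeds under every policy, which is exactly why the misconfiguration survives: interactive traffic and ping work, and only bulk transfers stall.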



Re: RoadRunner/Adelphia AS14065 contact

2012-02-08 Thread Chuck Anderson
On Wed, Jan 11, 2012 at 12:14:29PM -0800, chk wrote:
 If there is a Roadrunner contact monitoring the list can you please  
 contact me off list regarding a routing issue from ns1/2.adelphia.net

Did you ever get any response?  I'm having a similar issue:

For the past couple months, we have been unable to query the
authoritative DNS servers for adelphia.net on IP addresses
75.180.129.58 and 75.180.129.59 from our campus network IP block
130.215.0.0/16, using either TCP or UDP:

dig +short +norec @75.180.129.58 adelphia.net. mx
;; connection timed out; no servers could be reached

dig +short +norec @75.180.129.59 adelphia.net. mx
;; connection timed out; no servers could be reached

dig +tcp +short +norec @75.180.129.58 adelphia.net. mx
;; communications error to 75.180.129.58#53: end of file

dig +tcp +short +norec @75.180.129.59 adelphia.net. mx
;; communications error to 75.180.129.59#53: end of file

This is causing email failures to anyone with an @adelphia.net email
address.

I can ping the DNS servers from 130.215.0.0/16:

ping  -c3 75.180.129.58 
PING 75.180.129.58 (75.180.129.58) 56(84) bytes of data.
64 bytes from 75.180.129.58: icmp_req=1 ttl=241 time=26.9 ms
64 bytes from 75.180.129.58: icmp_req=2 ttl=241 time=26.7 ms
64 bytes from 75.180.129.58: icmp_req=3 ttl=241 time=26.7 ms

--- 75.180.129.58 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 26.711/26.797/26.953/0.110 ms

ping -c3 75.180.129.59
PING 75.180.129.59 (75.180.129.59) 56(84) bytes of data.
64 bytes from 75.180.129.59: icmp_req=1 ttl=241 time=25.9 ms
64 bytes from 75.180.129.59: icmp_req=2 ttl=241 time=26.1 ms
64 bytes from 75.180.129.59: icmp_req=3 ttl=241 time=25.5 ms

--- 75.180.129.59 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 25.523/25.871/26.120/0.285 ms

And I can make a TCP port 53 connection which gets immediately closed:

telnet 75.180.129.58 53
Trying 75.180.129.58...
Connected to 75.180.129.58.
Escape character is '^]'.
Connection closed by foreign host.

telnet 75.180.129.59 53
Trying 75.180.129.59...
Connected to 75.180.129.59.
Escape character is '^]'.
Connection closed by foreign host.

It is acting as if there is an ACL or firewall rule that is blocking
130.215.0.0/16 from accessing DNS port 53 on the DNS servers at
75.180.129.58 and 75.180.129.59.

I've already ruled out any firewalls on our end, as well as any
routing issues.  I can see the UDP port 53 packets going out, but
there is no reply.  I can see the 3-way TCP port 53 handshake packets
going out and coming in, but the other end closes the connection
immediately.

If I use a non-130.215.0.0/16 source IP from my router, I get a normal
response via both UDP and TCP:

% dig -b 207.210.142.142 +short +norec @75.180.129.58 adelphia.net. mx
10 cdptpa-smtpin01.mail.rr.com.
20 cdptpa-smtpin02.mail.rr.com.

% dig -b 207.210.142.142 +short +tcp +norec @75.180.129.58 adelphia.net. mx
10 cdptpa-smtpin01.mail.rr.com.
20 cdptpa-smtpin02.mail.rr.com.

I'd appreciate if someone could help me find a clueful contact at
TW/RoadRunner/Adelphia/Comcast/whoever they are now.  I've tried all
the contacts in WHOIS for adelphia.net, the IP block, and ASN.  I've
tried the NOC List on puck.nether.net--no matches.

Thanks,
Chuck



Re: using ULA for 'hidden' v6 devices?

2012-01-26 Thread Chuck Anderson
On Thu, Jan 26, 2012 at 07:53:18PM +, George Bonser wrote:
  Even if you don't see an advantage to GUA, can you point to a
  disadvantage?
 
 Just a matter of convenience.  If you have a lot of management IPs or some 
 other IP addresses that are never going to need internet access (an array of 
 10,000 sensors or something) you don't need to dip into your global 
 allocation to address them.  If it is routed within the organization but 
 never goes to the Internet, ULA is ok.  If it doesn't get routed at all, link 
 local will do fine.   It's good to keep in mind that more things than 
 computers with web browsers are going to get an IP address.

Link-local won't do fine in many cases due to poor application
compatibility with address scopes.



Re: Linux Centralized Administration

2012-01-12 Thread Chuck Anderson
On Thu, Jan 12, 2012 at 04:02:49PM -0500, Paul Stewart wrote:
 Hey folks. just curious what people are using for automating updates to
 Linux boxes?

yum

 Today, we manually do YUM updates to all the CentOS servers . just an
 example but a good one.  I have heard there are some open source solutions
 similar to that of Red Hat Network?

yum install yum-cron
chkconfig yum-cron on
service yum-cron start



Re: Does anybody out there use Authentication Header (AH)?

2012-01-01 Thread Chuck Anderson
I'm using AH for OSPFv2 and OSPFv3 authentication.  For OSPFv3, there
is no other option than some kind of IPsec for authentication.  I'm
also using it for OSPFv2 so I don't have to maintain multiple
authentication methods and keys for the different protocols.



Re: Range using single-mode SFPs across multi-mode fiber

2011-12-14 Thread Chuck Anderson
On Wed, Dec 14, 2011 at 10:02:58PM -0500, oliver rothschild wrote:
 Thanks to all who responded to my clumsy first question (both on
 matters of etiquette and technology). The group I work with (we are a
 small project acting as a last mile provider) was in the midst of
 deploying this solution when I posed the question. We put the single
 mode Juniper SFPs (LX) on to a run of approximately 1670 meters. We
 successfully established a 1G ethernet connection. Testing to date has
 been meager, but shows that the link is viable. Under significant load
 there is some minor packet loss. Since the link far exceeds the amount
 of data it required, we have decided to continue using it.
 Interestingly neither interface showed any physical errors.

Technically you should be using offset-launch mode conditioning
patch cords at each end when running LX over multimode fiber.  I had
been lucky with not using them for many years on 62.5/125 (OM1)
multimode (and just started doing so again, albeit only for
OOB/non-production traffic use).  I believe my longest link was/is
around 1 km.

http://www.cisco.com/en/US/prod/collateral/modules/ps5455/white_paper_c11-463677.html



Re: Range using single-mode SFPs across multi-mode fiber

2011-12-14 Thread Chuck Anderson
On Wed, Dec 14, 2011 at 10:38:47PM -0500, Keegan Holley wrote:
 2011/12/14 oliver rothschild <orothsch...@gmail.com>
 
  Thanks to all who responded to my clumsy first question (both on
  matters of etiquette and technology). The group I work with (we are a
  small project acting as a last mile provider) was in the midst of
  deploying this solution when I posed the question. We put the single
  mode Juniper SFPs (LX) on to a run of approximately 1670 meters.
 
 
 How did you end up with a MM run this long?  SX optics are only rated at
 500 meters at best.  Even with mode conditioning jumpers more the 1km is a
 risk.  I'm glad it held up during testing though.  Just out of curiosity
 did you purchase dark from a provider?  Is it inside of a building?

In my case, it was installed for compatibility with FDDI, and used
mostly for 10BASE-FL and 100BASE-FX, which work up to 1 or 2km, until
we started using it for 1000BASE-LX.



Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?

2011-12-01 Thread Chuck Anderson
On Wed, Nov 30, 2011 at 06:55:56PM -0600, Jimmy Hess wrote:
 On Wed, Nov 30, 2011 at 2:13 PM, Owen DeLong <o...@delong.com> wrote:
  On Nov 30, 2011, at 9:10 AM, Ray Soucy wrote:
  I do believe that there is no benefit to longer prefixes than /64.
  Nobody has provided any convincing evidence to the contrary.
 
 Yes they have, thoroughly;   mitigation of this one particular issue, ND table
 overflow is a benefit.  You simply don't have to worry about this issue in
 the most important place it arises if you implement long prefixes for all
 P-t-P links from the start.
 
 I do believe there is no benefit to prefixes shorter than /126 for P-t-P 
 links.
 Nobody has provided convincing evidence to the contrary.
 
  There are better ways to mitigate ND than longer prefixes.
 
 Please explain.What are the better ways that you would propose
 of mitigating ND table overflows?
 If you can show a rational alternative, then it would be persuasive as
 a better option.

Jumping in here, how about static ND entries?  Then you can use the
/64 for P-t-P, but set the few static ND entries you need, and turn
off dynamic ND.  An out-of-band provisioning system could add static
ND entries as needed.

Another idea, perhaps more useful for client LANs, would be to have a
fixed mapping between IPv6 IID and MAC address.  Use DHCPv6 to force
clients' lower 64 bits to be equal to their MAC address (EUI-64 or
similar) and program the router to use this directly instead of using
NDP, or statically program the ND table on the router from the DHCPv6
lease data--there is already precedent for doing this with IPv4 & ARP
using DHCP Snooping or Relay or Proxy on the router.
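Added example, not from the thread: the lease-to-static-ND idea above as a small Python check. It derives the modified EUI-64 interface identifier from a lease's MAC, accepts only leases whose address sits in the prefix and whose IID matches that MAC, and renders Linux `ip -6 neigh` commands for the accepted entries. The prefix, the leases and the interface name are constructed; turning off dynamic ND resolution for everything else is platform-specific and not shown.

```python
"""Static ND entries from DHCPv6 lease data, for a /64 where the policy says
"your IID is your modified EUI-64". Added example written for this page, not
from the thread. Prefix, leases and interface name are constructed."""

import ipaddress
from typing import Dict, List, Tuple

IID_MASK = (1 << 64) - 1


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


def eui64_address(prefix: str, mac: str) -> str:
    """The one address a client with this MAC is allowed to hold in `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 IIDs need a /64")
    return str(ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac)))


def static_nd_from_leases(prefix: str,
                          leases: List[Tuple[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Accept a (mac, address) lease only if the address is inside the prefix
    and its IID is the MAC's EUI-64; anything else would let one client bind
    another's address. Returns (address -> mac, rejection reasons)."""
    net = ipaddress.IPv6Network(prefix)
    table: Dict[str, str] = {}
    rejected: List[str] = []
    for mac, addr in leases:
        ip = ipaddress.IPv6Address(addr)
        if ip not in net:
            rejected.append(f"{addr}: not inside {prefix}")
        elif (int(ip) & IID_MASK) != mac_to_eui64_iid(mac):
            rejected.append(f"{addr}: IID is not the EUI-64 of {mac}")
        else:
            table[str(ip)] = mac.lower()
    return table, rejected


def linux_neigh_commands(table: Dict[str, str], ifname: str) -> List[str]:
    """Render permanent neighbor entries in iproute2 syntax. This only builds
    the strings; run them as root on the router or host that owns `ifname`."""
    return [f"ip -6 neigh replace {addr} lladdr {mac} dev {ifname} nud permanent"
            for addr, mac in table.items()]


# Constructed lease data: one conforming client, one that picked its own IID
# (or is spoofing), and one that is not even inside this subnet.
PREFIX = "2001:db8:1:2::/64"
LEASES = [
    ("00:11:22:33:44:55", "2001:db8:1:2:211:22ff:fe33:4455"),
    ("00:11:22:33:44:66", "2001:db8:1:2::1"),
    ("00:11:22:33:44:77", "2001:db8:9::211:22ff:fe33:4477"),
]

if __name__ == "__main__":
    table, rejected = static_nd_from_leases(PREFIX, LEASES)
    for cmd in linux_neigh_commands(table, "eth0"):
        print(cmd)
    for reason in rejected:
        print("rejected:", reason)
```

With entries pinned this way, a neighbor cache cannot be filled by unsolicited traffic to unused addresses in the /64, since the router never has to resolve anything it was not told about.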



Re: MX 80 advantages and shortcomings

2011-07-05 Thread Chuck Anderson
On Tue, Jul 05, 2011 at 12:48:45PM -0400, Paul Stewart wrote:
 Pros - small footprint, cost, feature rich
 Cons - no redundancy (other than power), 1/3rd the processor power

cons - being a different CPU architecture from its bigger cousins,
features tend to not appear at the same time on MX80 as the others.



Re: Cogent IPv6

2011-06-09 Thread Chuck Anderson
On Wed, Jun 08, 2011 at 10:33:29PM -0500, Chris Adams wrote:
 Once upon a time, William Herrin <b...@herrin.us> said:
  Now, as to why they'd choose a /112 (65k addresses) for the interface
  between customer and ISP, that's a complete mystery to me.
 
 I had to ask this here a while back, so I can now share. :-)
 
 IPv6 addresses are written as 8 16-bit chunk separated by colons
 (optionally with the longest consecutive set of :0 sections replaced
 with ::).  A /112 means the prefix is 7 of the 8 chunks, which means you
 can use ::1 and ::2 for every connection.
 
 Of course, just because you allocate a /112 (or shorter) in your
 database doesn't mean you have to use it.  You could also allocate a
 /112 for a point-to-point link and use a /127 (e.g. addresses ::a and
 ::b).

Please don't use /127:

Use of /127 Prefix Length Between Routers Considered Harmful
http://tools.ietf.org/html/rfc3627

More below on use of various prefix lengths.  You need to watch out
for the EUI-64 'u' and 'g' bits, as well as subnet anycast addresses
(top 127 addresses of every subnet):

IPv6 Addressing Considerations:
http://tools.ietf.org/html/rfc5375

IPv6 Address Assignment to End Sites:
http://tools.ietf.org/html/rfc6177

Emerging Service Provider Scenarios for IPv6 Deployment:
http://tools.ietf.org/html/rfc6036

IPv6 Optimal Address Plan and Allocation Tool:
http://www.ipv6book.ca/allocation.html

ARIN Wiki:
http://www.getipv6.info/index.php/IPv6_Addressing_Plans
(but some of the ARIN-related concepts here are obsolete, such as
references to the HD Ratio and non-nibble-boundary allocations)
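An added checker (written for this page, not from the post) for the three traps named above: the subnet-router anycast address (an all-zero IID, which a /127 unavoidably includes as one of its two addresses), the reserved subnet-anycast range at the top of every subnet (RFC 2526), and the u/g bits in a hand-picked IID (RFC 5375). The sample addresses are constructed. RFC 6164 has since revised the /127 advice for inter-router links, but the address checks apply whatever prefix length you settle on.

```python
"""Sanity checks for IPv6 addresses on router links: subnet-router anycast,
RFC 2526 reserved anycast IDs, and the u/g bits of the IID. Added example
written for this page, not from the original post; sample addresses are
constructed."""

import ipaddress
from typing import Dict, List

IID_MASK = (1 << 64) - 1
U_BIT = 1 << 57          # universal/local bit: 0x02 in the first IID octet
G_BIT = 1 << 56          # individual/group bit: 0x01 in the first IID octet
# RFC 2526: the highest 128 IIDs of every subnet are reserved for anycast,
# in both the EUI-64 form (fdff:ffff:ffff:ff80-ffff) and the other form
# (ffff:ffff:ffff:ff80-ffff).
RESERVED_ANYCAST_BASES = (0xFDFFFFFFFFFFFF80, 0xFFFFFFFFFFFFFF80)


def check_link_address(addr: str) -> List[str]:
    """Return short tags for everything wrong with using `addr` as an ordinary
    unicast router address. An empty list means nothing was flagged."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    tags: List[str] = []
    if iid == 0:
        # RFC 4291 2.6.1: <prefix>::0 is the subnet-router anycast address.
        tags.append("subnet-router-anycast")
    if (iid & ~0x7F) in RESERVED_ANYCAST_BASES:
        tags.append("reserved-anycast")
    looks_eui64 = ((iid >> 24) & 0xFFFF) == 0xFFFE   # ff:fe in the middle
    if iid & U_BIT and not looks_eui64:
        # RFC 5375 3.2.1: a manually assigned IID should keep u=0; a set u bit
        # claims a globally unique EUI-64 that this IID is not.
        tags.append("u-bit-set")
    if iid & G_BIT:
        tags.append("g-bit-set")
    return tags


def check_ptp_prefix(prefix: str) -> Dict[str, List[str]]:
    """Run the check over every address of a small router-link prefix, so
    the address plan can be vetted before it is configured."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen < 112:
        raise ValueError("meant for /112 to /128 links; enumerate smaller blocks by hand")
    return {str(a): check_link_address(str(a)) for a in net}


if __name__ == "__main__":
    # Constructed examples: a /127 at the bottom of a /64, and one at the top.
    for prefix in ("2001:db8::/127", "2001:db8:0:0:ffff:ffff:ffff:fffe/127"):
        for address, tags in check_ptp_prefix(prefix).items():
            print(f"{address:40s} {', '.join(tags) or 'ok'}")
```

Picking a /127 from the middle of the /64 rather than its first or last pair avoids both anycast collisions; the u/g checks are a matter of keeping hand-assigned IIDs from masquerading as hardware-derived ones.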



Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Chuck Anderson
On Sat, Feb 26, 2011 at 09:46:17PM -0800, Joel Jaeggli wrote:
 On 2/26/11 9:27 PM, Mikael Abrahamsson wrote:
  On a more serious note, I can on my Ubuntu machine just apt-get install
  wide-dhcpv6-client and I get dhcpv6, it'll properly put stuff in
  resolv.conf for dns-over-ipv6 transport, even though the connection
  manager knows nothing about it, at least dual stack works properly.
  
  Can one do the equivalent easy addition to OSX?
 
 You can, the actual integration issue is that network mangler (on
 ubuntu/fedora etal) and the osX airport connection manager will give up
 on a subnet on which they can't obtain an ipv4 address in prefernce to
 one where they can... this can also be worked around but it makes
 v6-only operation (Assuming that were desired, or even a good idea at
 this point) something that the majority of the users wouldn't be able to
 achive without the default behavior changing.

NetworkManager on Fedora fully supports IPv6 now, including DHCPv6.  
You can easily configure it to require an IPv4 address or an IPv6 
address or both to consider the connection successful.



Re: 10GBASE-T Switches

2011-02-10 Thread Chuck Anderson
On Thu, Feb 10, 2011 at 09:33:50AM +, Roberts, Brent wrote:
 Looking for feedback/recommendations on higher density Switch’s in the 
 10GBASE-T arena.
 Preferably TOR switches if possible.
 Minimum 16 ports usable for Rack Server connectivity + Uplinks to Collapsed 
 Twin Distro/Core setup.
 Found the Arista 7X00 family to have the density I am looking for but others 
 of similar spec would be appreciated.
  Any Thoughts and/or suggestions would be greatly appreciated.

Juniper EX4500 has 40 fixed SFP/SFP+ ports plus 2 uplink modules that 
can contain 4 SFP/SFP+ ports each for a total of 48 10GBASE-X ports.  
Need to buy SFP+ modules or use direct-attach SFP+ cables though.




Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-02-01 Thread Chuck Anderson
On Tue, Feb 01, 2011 at 03:14:57PM -0800, Owen DeLong wrote:
 On Feb 1, 2011, at 2:58 PM, Jack Bates wrote:
  There are many cases where ULA is a perfect fit, and to work 
  around it seems silly and reduces the full capabilities of IPv6. I 
  fully expect to see protocols and networks within homes which will 
  take full advantage of ULA. I also expect to see hosts which don't 
  talk to the public internet directly and never need a GUA.
  
 I guess we can agree to disagree about this. I haven't seen one yet.

What would your recommended solution be then for disconnected 
networks?  Every home user and enterprise user requests GUA directly 
from their RIR/NIR/LIR at a cost of hundreds of dollars per year or 
more?



Re: help needed - state of california needs a benchmark

2011-01-29 Thread Chuck Anderson
On Sat, Jan 29, 2011 at 10:00:36AM -0800, Mike wrote:
 issue, how do we go about getting 'the message' across, how do we go  
 about engineering something that could be considered statistically  
 relevant, and most importantly, how do we get this to be accepted by  
 non-technical legislators and regulators?

How about this analogy:

Using speedtest.com as the sole benchmark is like trying to test the 
speed and throughput of the city streets in Sacramento by seeing how 
long it takes to drive to New York City and back.  Oh, and why should 
we be responsible for the speeds on the Interstate portions of that 
route when we only control the city streets and local secondary roads?



Re: Is Cisco equpiment de facto for you?

2011-01-13 Thread Chuck Anderson
On Wed, Jan 12, 2011 at 11:10:16PM -0800, Scott Weeks wrote:
 To be fair to Cisco and maybe I'm way off here. But it seems they do 
 come out with a way to do things first which then become a standard 
 that they have to follow.
 
 ISL/DOT1Q
 HSRP/VRRP
 etherchannel/LACP

Yes, and then they keep their proprietary implementation instead of 
phasing it out, and no one migrates to the standard one which leads to 
vendor lockin.



Re: Pointer for documentation on actually delivering IPv6

2010-12-07 Thread Chuck Anderson
On Tue, Dec 07, 2010 at 08:18:31AM -0500, david raistrick wrote:
 On Mon, 6 Dec 2010, Owen DeLong wrote:

 Seriously, though, you're welcome to use fd00::/8 for exactly that  
 purpose. The problem is that you (and hopefully it stays this way) 
 won't have much luck finding a vendor that will provide the NAT for you 
 to do it with.

 [with my flame-retardant hat installed firmly]

 So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the  
 use of RFC1918 space?  Admitedly, it's been a year or two since I last 
 had to engineer around that particular set of rules...but it's life or 
 death for a lot of folks.

Simple.  Use RFC1918 IPv4 along side global IPv6 addresses.  Done :-)



Re: Want to move to all 208V for server racks

2010-12-02 Thread Chuck Anderson
On Thu, Dec 02, 2010 at 01:59:33PM -0500, Alex Rubenstein wrote:
 A couple of reasons.. Neutral current, more power delivered using 
 less copper, etc. Personally, I like delivering two L21-30's per 
 rack and call it day - allows for a comfortable 8kw per rack in 2N+1 
 redundancy. And, it still has a neutral if it's needed, which we 
 hope it isn't.

Here's a question for you.  How do you calculate the total current  
power capacity of a L21-20 or L21-30, and how do you do the 
calculations in order to balance the load between the phase legs?  
This seems like it would be a trivial thing to do, but given that the 
three legs are 120 degrees out of phase with each other, I don't think 
you can just do normal addition.

For example, I have APC AP7961 3-phase PDUs with L21-20 plugs.  The 
management interface claims a maximum load per phase of 16A (which I 
believe is the 80% derating of 20A required by NEC).  Does this mean I 
can draw 16A * 3, or 48A total if I have a perfectly equal balance?  
Also, how does this relate to power, i.e. how many kVA or kW does this 
provide?  16A * 208V * 3 phases ~= 10 kVA?

On another note, how do you calculate N+1 power feeds in your racks?  
If you have 2 PDUs fed from two different branch circuits/UPSes/etc. 
do you just set your PDU load alarm thresholds at 50% of the max 
rating of each PDU and never load them beyond that point, so that if 
you lose one PDU/branch circuit/UPS and the dual-power servers 
transfer their load over to the other side, it doesn't get overloaded?  
That would be 8A on each phase in the case of my AP7961's.  Of course, 
things get complicated when you have a mix of single- and dual-power 
servers, especially if you have server admins who don't keep you 
apprised as to the types of equipment that are installed there as 
things change over time...


