Microsoft contact

2024-01-10 Thread David Bass
Hi everyone, hope y’all had a great holiday.

I’m looking for a Microsoft Office 365 contact who can help us…we’re
struggling to get anywhere using the standard methods.

We have a customer whose subnet is blacklisted, which is causing a lot of
heartache.  We’ve proven to a couple of people at this point that Microsoft
is blocking inbound traffic from this subnet, and so they can’t
send/receive emails or access M365.  This is a new eyeball network, so
needless to say that it’s painful.

Appreciate the help!

David


Re: Low to Mid Range DWDM Platforms

2023-10-08 Thread David Bass
Yeah, was looking at their active solution for a customer, but just don’t
know enough about it to go that route.

David

On Fri, Oct 6, 2023 at 10:17 AM Mike Hammett  wrote:

> Well, and that's kinda where I was going.
>
> I've used FS passive systems for years. FS has an active platform or two
> (that I understand, they just whitebox). Does it really do everything one
> would need to do? How much of a step is it to get something more?
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> --
> *From: *"David Bass" 
> *To: *"Dave Bell" 
> *Cc: *nanog@nanog.org
> *Sent: *Friday, October 6, 2023 8:55:21 AM
>
> *Subject: *Re: Low to Mid Range DWDM Platforms
>
> On the same topic, anyone have experience with the stuff from fs.com?
>
> On Fri, Oct 6, 2023 at 9:53 AM Dave Bell  wrote:
>
>> Smartoptics?
>>
>> https://smartoptics.com/
>>
>> Regards,
>> Dave
>>
>> On Fri, 6 Oct 2023 at 14:43, Mark Tinka  wrote:
>>
>>>
>>>
>>> On 10/6/23 15:07, Mike Hammett wrote:
>>>
>>> > I've been using various forms of passive WDM for years. I have a
>>> couple different projects on my plate that require me to look at the next
>>> level of platform.
>>> >
>>> > In some projects, I'll be looking for needing to have someone long
>>> distances of glass without any electronics. Some spans could be over 60
>>> miles.
>>> >
>>> > In some projects, I'll need to transport multiple 100-gig waves.
>>> >
>>> > What is the landscape like between basic passive and something like a
>>> 30 terabit Ciena? I know of multiple vendors in that space, but I like to
>>> learn more about what features I need and what features I don't need from
>>> somewhere other than the vendor's mouth. Obviously, the most reliability at
>>> the least cost as well.
>>>
>>> 400G-ZR pluggables will get you 400Gbps on a p2p dark fibre over 80km -
>>> 100km. So your main cost there will be routers that will support.
>>>
>>> The smallest DCI solution from the leading DWDM vendors is likely to be
>>> your cheapest option. Alternatively, if you are willing to look at the
>>> open market, you can find gear based on older CMOS (40nm, for example),
>>> which will now be EoL for any large scale optical network, but cost next
>>> to nothing for a start-up with considerable capacity value.
>>>
>>> There is a DWDM vendor that showed up on the scene back in 2008 or
>>> thereabouts. They were selling a very cheap, 1U box that had a different
>>> approach to DWDM from other vendors at the time. I, for the life of me,
>>> cannot remember their name - but I do know that Randy introduced them to
>>> me back then. Maybe he can remember :-). Not sure if they are still in
>>> business.
>>>
>>> Mark.
>>>
>>>
>>>
>


Re: Low to Mid Range DWDM Platforms

2023-10-06 Thread David Bass
On the same topic, anyone have experience with the stuff from fs.com?

On Fri, Oct 6, 2023 at 9:53 AM Dave Bell  wrote:

> Smartoptics?
>
> https://smartoptics.com/
>
> Regards,
> Dave
>
> On Fri, 6 Oct 2023 at 14:43, Mark Tinka  wrote:
>
>>
>>
>> On 10/6/23 15:07, Mike Hammett wrote:
>>
>> > I've been using various forms of passive WDM for years. I have a couple
>> different projects on my plate that require me to look at the next level of
>> platform.
>> >
>> > In some projects, I'll be looking for needing to have someone long
>> distances of glass without any electronics. Some spans could be over 60
>> miles.
>> >
>> > In some projects, I'll need to transport multiple 100-gig waves.
>> >
>> > What is the landscape like between basic passive and something like a
>> 30 terabit Ciena? I know of multiple vendors in that space, but I like to
>> learn more about what features I need and what features I don't need from
>> somewhere other than the vendor's mouth. Obviously, the most reliability at
>> the least cost as well.
>>
>> 400G-ZR pluggables will get you 400Gbps on a p2p dark fibre over 80km -
>> 100km. So your main cost there will be routers that will support.
>>
>> The smallest DCI solution from the leading DWDM vendors is likely to be
>> your cheapest option. Alternatively, if you are willing to look at the
>> open market, you can find gear based on older CMOS (40nm, for example),
>> which will now be EoL for any large scale optical network, but cost next
>> to nothing for a start-up with considerable capacity value.
>>
>> There is a DWDM vendor that showed up on the scene back in 2008 or
>> thereabouts. They were selling a very cheap, 1U box that had a different
>> approach to DWDM from other vendors at the time. I, for the life of me,
>> cannot remember their name - but I do know that Randy introduced them to
>> me back then. Maybe he can remember :-). Not sure if they are still in
>> business.
>>
>> Mark.
>>
>>
>>


Re: Lossy cogent p2p experiences?

2023-09-06 Thread David Bass
Per packet LB is one of those ideas that are great at a conceptual level,
but in practice are obviously out of touch with reality.  Kind of like the
EIGRP protocol from Cisco and using the load, reliability, and MTU metrics.

On Wed, Sep 6, 2023 at 1:13 PM Mark Tinka  wrote:

>
>
> On 9/6/23 18:52, Tom Beecher wrote:
>
> > Well, not exactly the same thing. (But it's my mistake, I was
> > referring to L3 balancing, not L2 interface stuff.)
>
> Fair enough.
>
>
> > load-balance per-packet will cause massive reordering, because it's
> > random spray , caring about nothing except equal loading of the
> > members. It's a last resort option that will cause tons of reordering.
> > (And they call that out quite clearly in docs.) If you don't care
> > about reordering it's great.
> >
> > load-balance adaptive generally did a decent enough job last time I
> > used it much.
>
> Yep, pretty much my experience too.
>
>
> > stateful was hit or miss ; sometimes it tested amazing, other times
> > not so much. But it wasn't a primary requirement so I never dove into why
>
> Never tried stateful.
>
> Moving 802.1Q trunk from N x 10Gbps LAG's to native 100Gbps links
> resolved this load balancing conundrum for us. Of course, it works well
> because we spread these router<=>switch links across several 100Gbps
> ports, so no single trunk is ever that busy, even for customers buying N
> x 10Gbps services.
>
> Mark.
>
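The reordering that Tom and Mark describe is easy to see in a small simulation. The following is an added example from the editor, not code posted in the thread: it assumes a two-member LAG whose members have constructed one-way delays of 1.0 ms and 1.6 ms, sends a few interleaved TCP flows across it, and counts how many packets of each flow arrive behind a higher sequence number under per-packet spray versus per-flow hashing.

```python
import hashlib

# Constructed LAG: two members with different one-way delays in milliseconds.
# The delay skew is what turns per-packet spraying into reordering.
LINKS = {"eth0": 1.0, "eth1": 1.6}
TICK_MS = 0.1  # packets leave the router one tick apart


def make_packets(n_flows, pkts_per_flow):
    """Constructed traffic: n_flows TCP flows whose packets are interleaved on
    the wire. A packet is (flow_tuple, sequence_number); the flow tuple stands
    in for the 5-tuple a hashing load-balancer would look at."""
    flows = [("10.0.0.%d" % f, "192.0.2.1", 40000 + f, 443) for f in range(n_flows)]
    return [(flows[f], seq) for seq in range(pkts_per_flow) for f in range(n_flows)]


def per_flow_member(flow, members):
    """Hash-based (per-flow) balancing: every packet of a flow takes the same member."""
    names = sorted(members)
    digest = hashlib.sha256(repr(flow).encode()).digest()
    return names[int.from_bytes(digest[:4], "big") % len(names)]


def per_packet_members(packets, members):
    """Per-packet spray: round-robin over members with no regard for flows.
    A random spray behaves the same way, only less predictably."""
    names = sorted(members)
    return [names[i % len(names)] for i in range(len(packets))]


def deliver(packets, assignment, members):
    """Return packets in the order the far end receives them:
    departure tick plus the chosen member's delay."""
    arrivals = [(i * TICK_MS + members[link], i, pkt)
                for i, (pkt, link) in enumerate(zip(packets, assignment))]
    arrivals.sort()
    return [pkt for _, _, pkt in arrivals]


def count_reordered(delivered):
    """Count packets arriving behind a higher sequence number of the same flow
    (the event that makes TCP receivers emit dup-ACKs and senders back off)."""
    highest = {}
    reordered = 0
    for flow, seq in delivered:
        if seq < highest.get(flow, -1):
            reordered += 1
        highest[flow] = max(highest.get(flow, -1), seq)
    return reordered


def simulate(n_flows=3, pkts_per_flow=10, members=LINKS):
    """Compare both balancing modes on the same constructed traffic.
    n_flows defaults to 3 so round-robin spray really does alternate each
    flow between members (with an even flow count it would pin them by accident)."""
    packets = make_packets(n_flows, pkts_per_flow)
    spray = per_packet_members(packets, members)
    hashed = [per_flow_member(flow, members) for flow, _ in packets]
    return {
        "per_packet": count_reordered(deliver(packets, spray, members)),
        "per_flow": count_reordered(deliver(packets, hashed, members)),
    }


if __name__ == "__main__":
    print(simulate())  # per_packet reorders 13 of 30 packets, per_flow reorders none
```

With only 0.6 ms of skew between members, nearly half the sprayed packets arrive out of order, while the hashed mode never reorders because a flow only ever sees one member's delay. That is the trade Tom points at: per-packet spray loads the members evenly and per-flow hashing keeps TCP happy, and you cannot have both.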


Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging

2023-04-04 Thread David Bass
If you are both connected to the same upstream, but the customer wants
traffic destined to the upstream to go through you (in and out), then they
need to do something on their devices to try and affect the inbound path to
their AS. From the upstream carrier’s point of view, they’ll take the best
path to a prefix, and a direct connection is generally going to be preferred
over a transit AS (basic BGP best path algorithm stuff) unless there is
some manipulation of the prefix advertisement happening.

To confirm the path being taken you should be able to do a few traceroutes
from various locations as well as use looking glasses.

Now the sflow data is an entirely different thing to analyze.

On Tue, Apr 4, 2023 at 7:45 AM Mike Hammett  wrote:

>
> sh ip bgp neighbor advertised-routes shows the only routes being
> advertised to Y are the routes that should be advertised to them. I checked
> a variety of other peers and have the expected results.
>
>
>
> From my perspective:
>
> Packets come in on port A, supposed to leave on port X, but they leave on
> port Y. All of the troubleshooting steps I've done on my own (or suggested
> by mailing lists) say the packets should be leaving on the desired port X.
>
>
> From the customer's perspective, they're supposed to be coming from me on
> port X, but they're arriving on port Y, another network.
>
> Port X in both scenarios is our direct connection, while port Y is a
> mutual upstream provider.
>
>
> Without knowing more about the specific platform, it seems to me like a
> bug in the platform. If all indicators (not just configurations, but show
> commands as well) say the packet should be leaving on X and it leaves on Y,
> then I'm not sure what else it could be, besides a bug.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> --
> *From: *"David Bass" 
> *To: *"Mike Hammett" 
> *Cc: *"Matthew Huff" , "NANOG" 
> *Sent: *Monday, April 3, 2023 9:12:52 PM
>
> *Subject: *Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging
>
> You said that they are seeing traffic from another upstream…are you
> advertising the prefix to them?  Are you advertising their prefix to your
> upstream?
>
> Looks like the route maps are involved in some dual redistribution…might
> want to make sure everything is matching correctly, and being advertised
> like you want.
>
> On Mon, Apr 3, 2023 at 4:20 PM Mike Hammett  wrote:
>
>> I don't see any route-maps applied to interfaces, so there must not be
>> any PBR going on. I only see ACLs, setting communities, setting local pref,
>> etc. in the route maps that are applied to neighbors.
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>> Midwest-IX
>> http://www.midwest-ix.com
>>
>> --
>> *From: *"Mike Hammett" 
>> *To: *"Matthew Huff" 
>> *Cc: *"NANOG" 
>> *Sent: *Monday, April 3, 2023 8:26:30 AM
>>
>> *Subject: *Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging
>>
>> Only two VRFs, default and management. IIRC, everything I saw before
>> mentioned the default VRF.
>>
>> I do see a ton of route-maps. It's mostly Greek to me, so I'll have to
>> dig through this a bit to see what's going on.
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>> Midwest-IX
>> http://www.midwest-ix.com
>>
>> --
>> *From: *"Matthew Huff" 
>> *To: *"Mike Hammett" 
>> *Cc: *"NANOG" 
>> *Sent: *Monday, April 3, 2023 8:06:51 AM
>> *Subject: *RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging
>>
>> What about VRFs and/or policy based routing?
>>
>> switch-core1# show vrf
>> VRF-Name   VRF-ID State   Reason
>>
>> default 1 Up  --
>>
>> management  2 Up  --
>>
>>
>> switch-core1# show route-map
>> route-map rmap_bgp_to_eigrp_b2b, permit, sequence 10
>>   Match clauses:
>> interface: Ethernet1/33
>> route-type: internal
>>   Set clauses:
>> metric 4000 10 255 1 1500
>> route-map rmap_bgp_to_eigrp_b2b, permit, sequence 20
>>   Match clauses:
>> interface: Ethernet1/34
>> route-type: internal
>>   Set clauses:
>> me
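David's point about the upstream's best-path decision (direct connection beats the path via a transit AS unless the advertisement is manipulated) can be walked through with a small model of the decision process. This is an added example from the editor, not code from the thread: the ASNs are private-range values and the prefix is documentation space, chosen for illustration, and the decision process is simplified (no vendor weight, MED compared across all neighbours as with always-compare-med, no age or cluster-list steps).

```python
from dataclasses import dataclass
from typing import Dict, List

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    """One BGP path to a prefix as seen from the upstream's point of view."""
    neighbor_as: int
    as_path: List[int]
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    router_id: str = "0.0.0.0"


def decision_key(p: Path):
    """Ordering that mirrors the standard best-path steps: highest LOCAL_PREF,
    shortest AS_PATH, lowest ORIGIN, lowest MED, eBGP over iBGP, lowest IGP
    metric, lowest router ID. Assumed simplification: MED is compared across
    all neighbours and vendor-specific weight is ignored."""
    return (
        -p.local_pref,
        len(p.as_path),
        ORIGIN_RANK[p.origin],
        p.med,
        0 if p.ebgp else 1,
        p.igp_metric,
        tuple(int(o) for o in p.router_id.split(".")),
    )


def best_path(paths: List[Path]) -> Path:
    return min(paths, key=decision_key)


def winner_reason(paths: List[Path]) -> str:
    """Name the first decision step that separated the winner from the runner-up."""
    steps = ["local_pref", "as_path_length", "origin", "med", "ebgp", "igp_metric", "router_id"]
    ranked = sorted(paths, key=decision_key)
    if len(ranked) < 2:
        return "only path"
    a, b = decision_key(ranked[0]), decision_key(ranked[1])
    for name, x, y in zip(steps, a, b):
        if x != y:
            return name
    return "tie"


# Constructed scenario (private ASNs): CUSTOMER is multihomed to YOU and to UPSTREAM.
UPSTREAM, YOU, CUSTOMER = 64496, 64497, 64500
PREFIX = "203.0.113.0/24"  # documentation prefix


def upstream_view(customer_prepends: int = 0) -> Dict[str, object]:
    """What UPSTREAM's decision process picks for PREFIX.
    customer_prepends is how many extra copies of its own ASN CUSTOMER adds on
    the direct session to UPSTREAM, i.e. the kind of advertisement
    manipulation that would move the inbound path."""
    direct = Path(neighbor_as=CUSTOMER, as_path=[CUSTOMER] * (1 + customer_prepends),
                  router_id="192.0.2.1")
    via_you = Path(neighbor_as=YOU, as_path=[YOU, CUSTOMER], router_id="192.0.2.2")
    paths = [direct, via_you]
    best = best_path(paths)
    return {
        "via": "direct" if best is direct else "transit",
        "as_path": best.as_path,
        "reason": winner_reason(paths),
    }


if __name__ == "__main__":
    for n in range(3):
        print(n, upstream_view(customer_prepends=n))
```

With no prepends the direct path wins on AS path length, exactly as David says. One prepend only ties the lengths, and the tie then falls through to the lowest router ID, which is not something the customer controls, so the outcome becomes accidental; it takes two prepends (or a LOCAL_PREF change on the upstream side, typically via a customer community) before the path through the transit AS is chosen. That is why "check the advertised routes" on your own box is not enough: the choice is made on the upstream's router, which is what the looking glasses and traceroutes David suggests are for.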

Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging

2023-04-03 Thread David Bass
You said that they are seeing traffic from another upstream…are you
advertising the prefix to them?  Are you advertising their prefix to your
upstream?

Looks like the route maps are involved in some dual redistribution…might
want to make sure everything is matching correctly, and being advertised
like you want.

On Mon, Apr 3, 2023 at 4:20 PM Mike Hammett  wrote:

> I don't see any route-maps applied to interfaces, so there must not be any
> PBR going on. I only see ACLs, setting communities, setting local pref,
> etc. in the route maps that are applied to neighbors.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> --
> *From: *"Mike Hammett" 
> *To: *"Matthew Huff" 
> *Cc: *"NANOG" 
> *Sent: *Monday, April 3, 2023 8:26:30 AM
>
> *Subject: *Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging
>
> Only two VRFs, default and management. IIRC, everything I saw before
> mentioned the default VRF.
>
> I do see a ton of route-maps. It's mostly Greek to me, so I'll have to dig
> through this a bit to see what's going on.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> --
> *From: *"Matthew Huff" 
> *To: *"Mike Hammett" 
> *Cc: *"NANOG" 
> *Sent: *Monday, April 3, 2023 8:06:51 AM
> *Subject: *RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging
>
> What about VRFs and/or policy based routing?
>
> switch-core1# show vrf
> VRF-Name   VRF-ID State   Reason
>
> default 1 Up  --
>
> management  2 Up  --
>
>
> switch-core1# show route-map
> route-map rmap_bgp_to_eigrp_b2b, permit, sequence 10
>   Match clauses:
> interface: Ethernet1/33
> route-type: internal
>   Set clauses:
> metric 4000 10 255 1 1500
> route-map rmap_bgp_to_eigrp_b2b, permit, sequence 20
>   Match clauses:
> interface: Ethernet1/34
> route-type: internal
>   Set clauses:
> metric 4000 30 255 1 1500
> route-map rmap_static_to_eigrp, permit, sequence 10
>   Match clauses:
> ip address prefix-lists: prefix_static_to_eigrp
>   Set clauses:
> route-map rmap_static_to_eigrp_v6, permit, sequence 10
>   Match clauses:
> ipv6 address prefix-lists: prefix_ipv6_static_to_eigrp
>   Set clauses:
>
>
>
> From: Mike Hammett 
> Sent: Monday, April 3, 2023 9:00 AM
> To: Matthew Huff 
> Cc: NANOG 
> Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging
>
> It could be an sFlow bug, but I come at this from a reported problem and
> gathering data on that problem as opposed to looking at data for problems.
>
> The snmp if index reported by the Nexus matches the if index in ElastiFlow.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> 
> From: "Matthew Huff" 
> To: "Mike Hammett" 
> Cc: "NANOG" 
> Sent: Monday, April 3, 2023 7:50:08 AM
> Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging
> SFlow misconfiguration or bug on either the nexus or the sflow monitor? On
> the monitor, can you verify that the snmp interfaces are mapped to the
> correct ones on the nexus?
>
>
>
>
>
> From: Mike Hammett 
> Sent: Monday, April 3, 2023 8:47 AM
> To: Matthew Huff 
> Cc: NANOG 
> Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging
>
> It shows the desired result.
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> 
> From: "Matthew Huff" 
> To: "Mike Hammett" , "NANOG"  nanog@nanog.org>
> Sent: Monday, April 3, 2023 5:38:23 AM
> Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging
>
> switch-core1# sh forwarding route x.x.x.x
>
> slot  1
> ===
>
>
> IPv4 routes for table default/base
>
>
> --+-+--+-+-
> Prefix| Next-hop| Interface
>  | Labels  | Partial Install
>
> --+-+--+-+-
> x.x.x.x/24  x.x.x.250Ethernet1/29
>
>
> switch-core1# show routing hash x.x.x.x y.y.y.y
> Load-share parameters used for software forwarding:
> load-share mode: address source-destination port source-destination
> Hash for VRF "default"
> Hashing to path *y.y.y.y Eth1/29
> For route:
> y.y.y.0/24, ubest/mbest: 1/0
> *via 

Caribnog email list

2023-02-04 Thread David Bass
Anyone on here run it?  The URL to sign up on the website doesn’t seem to
work at the moment.


Re: any dangers of filtering every /24 on full internet table to preserve FIB space ?

2022-10-10 Thread David Bass
I frequently do this (accept peer’s, and their customers prefixes), and it
works out well. Then you can choose where you want the rest of it to go.
With multiple peers in your country this works out quite well.

On Mon, Oct 10, 2022 at 5:02 PM richey goldberg 
wrote:

> The OP can always take the provider's address space plus their
> customer's routes and use a default route to fill in the blanks. I
> did this at a provider years ago where the global routing table
> outgrew the speed they could spend the money on upgrades and it worked
> out well. I think it was two upstreams and a connection into a TIE
> with good peering.
>
>
> -richey
>
> On Mon, Oct 10, 2022 at 4:11 PM Geoff Huston  wrote:
> >
> >
> >
> > > On 11 Oct 2022, at 4:23 am, Tobias Fiebig <
> tob...@reads-this-mailinglist.com> wrote:
> > >
> > > Heho,
> > > Let alone $all the /24 assigned under the RIPE waiting list policy.
> > >
> > > In the Geoff Huston spirit, I quickly took a look how less specifics
> for /24s looks in my table:
> > >
> > […]
> >
> > > So it seems like there is a healthy amount (~260k) prefixes which lack
> a less specific.
> >
> >
> > I also looked using a slightly different approach - namely looking for
> /24s where there was no spanning aggregate that matched the /24’s AS Path.
> In my local table there are 224,580 of them.
> >
> >
> > Geoff
> >
> >
> >
>
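Before dropping /24s to save FIB space, the question richey and Geoff are circling is which /24s are actually covered by a less specific, and whether that less specific goes the same way. The following is an added example from the editor, not code from the thread: it takes a constructed table of (prefix, AS path) rows and sorts every /24 into "covered by an aggregate with the same AS path" (Geoff's spanning-aggregate test, safe to drop from the FIB), "covered but via a different path" (dropping it changes the exit), and "uncovered" (dropping it blackholes the destination). Prefixes are documentation space and ASNs are private-range values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a BGP table as (prefix, AS path). ASNs are private,
# prefixes are documentation space; only the shape of the data matters.
SAMPLE_TABLE = [
    ("192.0.2.0/23",     (64496, 64500)),
    ("192.0.2.0/24",     (64496, 64500)),   # covered by the /23, same AS path
    ("192.0.3.0/24",     (64496, 64501)),   # covered by the /23, different AS path
    ("198.51.100.0/24",  (64496, 64502)),   # no covering aggregate at all
    ("203.0.112.0/23",   (64497, 64503)),
    ("203.0.113.0/24",   (64496, 64503)),   # covered by the /23, reached via another peer
]


def parse_table(rows):
    return [(ipaddress.ip_network(p), tuple(path)) for p, path in rows]


def covering_prefixes(net, table):
    """All strictly less-specific prefixes in the table that contain net."""
    return [(agg, path) for agg, path in table
            if agg.version == net.version
            and agg.prefixlen < net.prefixlen
            and net.subnet_of(agg)]


def classify_slash24s(rows):
    """Sort every IPv4 /24 into one of three buckets.

    covered_same_path  : a less specific exists with the same AS path; dropping
                         the /24 from the FIB sends traffic the same way
                         (the 'spanning aggregate that matches the AS path' test).
    covered_other_path : a less specific exists but goes elsewhere; dropping
                         the /24 silently changes the exit for that traffic.
    uncovered          : no less specific at all; dropping it blackholes the /24.
    """
    table = parse_table(rows)
    buckets = defaultdict(list)
    for net, path in table:
        if net.version != 4 or net.prefixlen != 24:
            continue
        covers = covering_prefixes(net, table)
        if not covers:
            buckets["uncovered"].append(str(net))
        elif any(p == path for _, p in covers):
            buckets["covered_same_path"].append(str(net))
        else:
            buckets["covered_other_path"].append(str(net))
    return dict(buckets)


def summary(rows):
    """Bucket sizes, the kind of count Tobias and Geoff report for their tables."""
    return {k: len(v) for k, v in classify_slash24s(rows).items()}


if __name__ == "__main__":
    print(summary(SAMPLE_TABLE))
```

To run this against a real table, export your RIB as (prefix, AS path) rows and feed them to `classify_slash24s`; the "uncovered" bucket is the set that a blanket /24 filter would need a default route for, and the "covered_other_path" bucket is where a filter quietly moves traffic onto a different peer.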


Re: FCC proposes higher speed goals (100/20 Mbps) for USF providers

2022-05-24 Thread David Bass
The real problem most users experience isn’t that they have a gig, or even
100Mb of available download bandwidth…it’s that they infrequently are able
to use that full bandwidth due to massive oversubscription.

The other issue is the minimal upload speed.  It’s fairly easy to consume
the 10Mb that you’re typically getting as a residential customer.  Even
“business class” broadband service has a pretty poor upload bandwidth
limit.

We are a pretty high usage family, and 100/10 has been adequate, but
there have been times when we are pegged at the 10 Mb upload limit, and we
start to see issues.

I’d say 25/5 is a minimum for a single person.

Would 1 gig be nice…yeah as long as the upload speed is dramatically
increased as part of that.  We would rarely use it, but that would likely
be sufficient for a long time.  I wouldn’t pay for the extra at this point
though.

On Mon, May 23, 2022 at 8:20 PM Sean Donelan  wrote:

>
> Remember, this rulemaking is for 1.1 million locations with the "worst"
> return on investment. The end of the tail of the long tail.  Rural and
> tribal locations which aren't profitable to provide higher speed
> broadband.
>
> These locations have very low customer density, and difficult to serve.
>
> After the Sandwich Isles Communications scandal, gold-plated proposals
> will be viewed with skepticism.  While a proposal may have a lower total
> cost of ownership over decades, the business case is the cheapest for
> the first 10 years of subsidies.  [massive over-simplification]
>
> Historically, these projects have lacked timely completion (abandoned,
> incomplete), and had bad (overly optimistic?) budgeting.
>


Re: FCC proposes higher speed goals (100/20 Mbps) for USF providers

2022-05-23 Thread David Bass
What is changing in the next 5 years that could possibly require a
household to need a gig?  That is just ridiculous.

On Mon, May 23, 2022 at 3:15 PM Michael Thomas  wrote:

>
> On 5/23/22 12:04 PM, Thomas Nadeau wrote:
> >
> >
> >> On May 23, 2022, at 3:00 PM, Michael Thomas  wrote:
> >>
> >>
> >> On 5/23/22 11:49 AM, Aaron Wendel wrote:
> >>> The Fiber Broadband Association estimates that the average US
> household will need more than a gig within 5 years.  Why not just jump it
> to a gig or more?
> >>
> >> Really? What is the average household doing to use up a gig worth of
> bandwidth?
> >>
> >> Mike
> > That's almost the same question we were asked at BT a dozen years ago
> when moving from DSL -> FTTC when someone said, “but surely DSL is
> sufficient because it's so much faster than dial.”
>
> The two of us survive just fine with 25Mbs even when we have a house
> full of friends. I mean it would be nice to have 100Mbs so that it's
> never a problem but the reality is that it just hasn't been a problem in
> practice. I mean how many 4k streams are running at the same time in the
> average household? What else besides game downloads are sucking up that
> much bandwidth all of the time?
>
> Mike
>
>
> >
> > —Tom
> >
> >
> >>>
> >>> On 5/23/2022 1:40 PM, Sean Donelan wrote:
> 
> https://www.fcc.gov/document/fcc-proposes-higher-speed-goals-small-rural-broadband-providers-0
> 
>  The Federal Communications Commission voted [May 19, 2022] to seek
> comment on a proposal to provide additional universal service support to
> certain rural carriers in exchange for increasing deployment to more
> locations at higher speeds. The proposal would make changes to the
> Alternative Connect America Cost Model (A-CAM) program, with the goal of
> achieving widespread deployment of faster 100/20 Mbps broadband service
> throughout the rural areas served by rural carriers currently receiving
> A-CAM support.
> 
>


Re: AT&T, Comcast, Verizon, Others Commit to Low-Income Broadband Program

2022-05-10 Thread David Bass
There’s a new one starting up based out of Atlanta with the goal of
addressing the same thing, called Culture Wireless Business.

Will be interesting to see how this all plays out.

On Mon, May 9, 2022 at 6:47 PM Christopher Morrow 
wrote:

>
>
> On Mon, May 9, 2022 at 10:32 AM Sean Donelan  wrote:
>
>>
>> AT&T, Comcast, Verizon, Others Commit to Low-Income Broadband Program
>> Providers will help offer high-speed internet to millions of households
>> under the infrastructure law
>>
>>
>> https://www.wsj.com/articles/internet-providers-commit-to-low-income-broadband-program-under-infrastructure-law-11652086801
>>
>>
>> Waiting to see what the catch-22 is.  In the past, large providers have
>> imposed various dark patterns which raised the cost, and made discount
>> programs difficult to find.  Instead directing people to more expensive
>> services or requiring extra costs.
>>
>>
> One would hope[*] that the shame caused by various articles showing
> children sitting outside their schools to
> use wifi instead of home wifi/internet coupled with school systems
> getting/donating/using mifi-equivalent units
> to dis-advantaged folks would make this less likely to happen.
>
> -chris
> * "Hope is not a strategy" :(
>
> Previous 2021 program
>>
>> https://arstechnica.com/tech-policy/2021/05/verizon-uses-fcc-pandemic-subsidy-to-upsell-customers-to-pricier-plans/
>>
>>


Re: V6 still not supported

2022-03-16 Thread David Bass
So your answer is do nothing because we should be spending the time on v6?

There are a lot of barriers to v6, and there is no logical reason why this
range of v4 subnets wasn’t made available to the world a decade (or two)
ago.  The next best time to do it is now though.

On Wed, Mar 16, 2022 at 12:21 PM Owen DeLong via NANOG 
wrote:

> >
> > What struck me is how NONE of those challenges in doing IPv6 deployment
> > in the field had anything to do with fending off attempts to make IPv4
> > better.
> >
> > Let me say that again.  Among all the reasons why IPv6 didn't take
> > over the world, NONE of them is "because we spent all our time
> > improving IPv4 standards instead".
>
>
> I’ll somewhat call bullshit on this conclusion from the data available.
> True, none
> of the reasons directly claim “IPv6 isn’t good enough because we did X for
> v4
> instead”, yet all of them in some way refer back to “insufficient
> resources to
> make this the top priority.” which means that any resources being
> dedicated to
> improving (or more accurately further band-aiding) IPv4 are effectively
> being
> taken away from solving the problems that exist with IPv6 pretty much by
> definition.
>
> So I will stand by my statement that if we put half of the effort that has
> been
> spent discussing these 16 relatively useless /8s that would not
> significantly
> improve the lifespan of IPv4 on resolving the barriers to deployment of
> IPv6,
> we would actually have a lot less need for IPv4 and a lot more deployment
> of
> IPv6 already.
>
> Owen
>
>


Re: VPN recommendations?

2022-02-10 Thread David Bass
If you want something gui driven I’d do something like Meraki…you can do
the same with just regular old Cisco routers using DMVPN as well.  It’s a
pretty common use case and well established.

On Thu, Feb 10, 2022 at 1:03 PM William Herrin  wrote:

> Hi folks,
>
> Do you have any recommendations for VPN appliances? Specifically: I need
> to build a site to site VPNs at speeds between 100mpbs and 1 gbit where all
> but one of the sites are behind an IPv4 NAT gateway with dynamic public IP
> addresses.
>
> Normally I'd throw OpenVPN on a couple of Linux boxes and be happy but my
> customer insists on a network appliance. Site to site VPNs using IPSec and
> static IP addresses on the plaintext side are a dime a dozen but traversing
> NAT and dynamic IP addresses (and automatically re-establishing when the
> service goes out and comes back up with different addresses) is a hard
> requirement.
>
> Thanks in advance,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> 
> https://bill.herrin.us/
>


Re: Flow collection and analysis

2022-01-25 Thread David Bass
Most of these things, yes.

Add:
Troubleshooting/operational support
Customer reporting




On Tue, Jan 25, 2022 at 1:38 PM Christopher Morrow 
wrote:

>
>
> On Tue, Jan 25, 2022 at 10:53 AM David Bass 
> wrote:
>
>> Wondering what others in the small to medium sized networks out there are
>> using these days for netflow data collection, and your opinion on the tool?
>
>
> a question not asked, and answer not provided here, is:
>   "What are you actually trying to do with the netflow?"
>
> Answers of the form:
>   "Dos detection and mitigation planning"
>   "Discover peering options/opportunities"
>   "billing customers"
>   "traffic analysis for future network planning"
>   "abuse monitoring/management/investigations"
>   "pretty noc graphs"
>
> are helpful.. I'm sure other answers would as well.. but: "how do you
> collect?" is "with a collector" and isn't super helpful if the collector
> can't feed into the tooling / infrastructure / long-term goal you have.
>


Flow collection and analysis

2022-01-25 Thread David Bass
Wondering what others in the small to medium sized networks out there are
using these days for netflow data collection, and your opinion on the tool?

Thanks!


Re: Long hops on international paths

2022-01-18 Thread David Bass
I think a large part of your problem is that you’re using traceroute to
try and determine the full topology of a large complex network.  It won’t
show the full topology.

On Mon, Jan 17, 2022 at 7:43 PM PAUL R BARFORD  wrote:

> What we're considering specifically are consecutive (layer 3) hops as
> identified by traceroute.  Thus, TTL is decremented by 1 and no more than 1
> (i.e., we have to get full information (not *) from consecutive hops to
> consider the link).  I have asked my colleague to put together a set of
> examples.  We assume that there are multiple layer 1 and 2 links, and
> possibly layer 3 hops masked from traceroute by MPLS.  But what we're
> seeing in terms of hops exposed by traceroute make it look like a single
> (TTL decremented by 1) hop.
>
> I'll post the examples when I get them.
>
> PB
> --
> *From:* morrowc.li...@gmail.com 
> *Sent:* Monday, January 17, 2022 5:13 PM
> *To:* PAUL R BARFORD 
> *Cc:* Pengxiong Zhu ; nanog@nanog.org 
>
> *Subject:* Re: Long hops on international paths
>
>
>
> On Mon, Jan 17, 2022 at 5:31 PM PAUL R BARFORD  wrote:
>
> Dear Pengxiong,
>
> Thanks for your questions:
>
>
>1. We are using CAIDA’s Internet Topology Data Kit (ITDK) that uses
>the MIDAR alias resolution method to infer IP addresses assigned to the
>same router.
>2. We understand the concerns about IP geolocation.  Interfaces of the
>router in question are assigned similar domain names e.g., “
>chi-b2-link.ip.twelve99.net” (62.115.50.61). We also used CAIDA’s
>ITDK, which provides geolocation information, and indicates that this
>router is located in Chicago.  We cross-reference with Maxmind where
>possible.  In this particular case, there is the telltale in the use of
>"chi" in the domain name.
>3.
>
>
> I think nick's point about ttl expiry and missing some context on
> topology still stands.
> I'd be that the paths between 2 continents do not actually land in
> chicago... that you're seeing (or not seeing) missing hops between the
> coast(s) and chicago inside 1299's network in the US.
>
>
>
>
> Hope that helps.
>
> Regards, PB
> --
> *From:* Pengxiong Zhu 
> *Sent:* Monday, January 17, 2022 3:23 PM
> *To:* PAUL R BARFORD 
> *Cc:* nanog@nanog.org 
> *Subject:* Re: Long hops on international paths
>
> Hi Paul,
>
> Just curious. How do you determine they are the same routers? Is it based
> on IP address or MAC addresses? Or using CAIDA’s router alias database?
>
> Also how do you draw the conclusion that the AS1299 router is indeed in
> Chicago? IP-geolocation based on rDNS is not always accurate though.
>
>
> Pengxiong
>
> On Mon, Jan 17, 2022 at 10:03 AM PAUL R BARFORD  wrote:
>
> Hello,
>
> I am a researcher at the University of Wisconsin.  My colleagues at
> Northwestern University and I are studying international Internet
> connectivity and would appreciate your perspective on a recent finding.
>
> We're using traceroute data from CAIDA's Ark project for our work.  We've 
> observed
> that many international links (i.e., a single hop on an end-to-end path
> that connects two countries where end points on the hop are identified via
> rDNS) tend to originate/terminate at the same routers.  Said another way,
> we are observing a relatively small set of routers in different countries
> tend to have a majority of the international connections - this is
> especially the case for hops that terminate in the US.  For example,
> there is a router operated by Telia (AS1299) in Chicago that has a high
> concentration of such links.  We were a bit surprised by this finding since
> even though it makes sense that the set of providers is relatively small
> (i.e., those that offer global connectivity), we assumed that the set of
> routers that used for international connectivity within any one country
> would tend to be more widely distributed (at least with respect to how they
> appear in traceroute data - MPLS notwithstanding).
>
> We're interested in whether or not this is indeed standard practice and if
> so, the cost/benefit for configuring international connectivity in this
> way?
>
> Any thoughts or insights you might have would be greatly appreciated -
> off-list responses are welcome.
>
> Thank you.
>
> Regards, PB
>
> Paul Barford
> University of Wisconsin - Madison
>
> --
>
> Regards,
> Pengxiong Zhu
> Department of Computer Science and Engineering
> University of California, Riverside
>
>


Re: Squat space is now being advertised by AS 749 (DoD Network Information Center)

2021-09-11 Thread David Bass
When can we reclaim all this unused space from the US DoD?  Serious
question.

I’ve never understood how they can just sit on this without having to do
something with it.

On Fri, Sep 10, 2021 at 8:34 PM Paul Ferguson 
wrote:

> Both articles are based on Doug Madory's research:
>
> https://www.kentik.com/blog/wait-did-as8003-just-disappear/
>
> Cheers,
>
> - ferg
>
>
> On 9/10/21 5:26 PM, Daniel Lacey wrote:
>
> > Just saw an article in the Washington Post explaining what went on…
> >
> > It was a follow up to the Apr 24 and 26 articles…
> >
> > I don’t have a link without a subscription….
> >
> > Basically, unused IPv4 addresses from DOD were being transferred to
> > Global Resource  Systems. It was transferred back today.This is some
> > pilot program for network resilience by the Pentagon unit Defense
> > Digital Service.
> >
> > I don’t know if this is a smoke screen or exactly what “they” say it is…
> > Just trying to fill in the blanks…
> >
> >> On Sep 10, 2021, at 15:40, Compton, Rich A 
> >> wrote:
> >>
> >> 
> >>
> >> Hi, this week it looks like the DoD owned squat space that was
> >> previously advertised by AS 8008 (a shadow company called Global
> >> Resource Systems, see
> >> https://apnews.com/article/technology-business-government-and-politics-b26ab809d1e9fdb53314f56299399949)
> >> is now being advertised by AS 749 (DoD Network Information Center).
> >> Does anyone have any idea why this change was made?  Is the DoD
> >> planning on actually legitimately putting services on the space soon
> >> instead of using it as a giant honeypot?  Or maybe even selling it?
> >>
> >> Thanks,
> >>
> >> Rich
> >>
>
>
> --
> Paul Ferguson
> Tacoma, WA  USA
> Illegitimi non carborundum.
>


Re: "Tactical" /24 announcements

2021-08-19 Thread David Bass
Ben,

Yes, sorry.

Pulling/pushing the config data to a server, and then managing it there in
addition to on the box.  Like, if I want to run some reports to see how
many PL are defined on each box, it’s easier to do that with the data
centralized and managed.

David

On Thu, Aug 19, 2021 at 6:35 AM Ben Maddison  wrote:

> Hi David,
>
> On 08/18, David Bass wrote:
> > I'm also in the externally managed space...very cool tool though.  I love
> > the idea of distributing some of this functionality.
> >
> > Are you also exporting and managing this data outside?
> >
> [assuming that was directed to me...]
>
> I'm not sure what you mean by "exporting and managing this data
> outside".
> Would you elaborate?
>
> Cheers,
>
> Ben
>


Re: "Tactical" /24 announcements

2021-08-18 Thread David Bass
I'm also in the externally managed space...very cool tool though.  I love
the idea of distributing some of this functionality.

Are you also exporting and managing this data outside?

On Tue, Aug 17, 2021 at 12:23 PM Ben Maddison via NANOG 
wrote:

> Hi Saku,
>
> On 08/17, Saku Ytti wrote:
> > I share your confusion Randy. It seems like perhaps Jakob answered a
> > slightly different question and his answer is roughly.
> >
> > a) Use this as-set feature to ensure valid set of ASNs from given peer
> > b) Validate prefix using RPKI (I'm assuming with rejecting unknowns
> > and invalids)
> > c) Don't punch in prefix-lists anywhere
> >
> > Which in theory works, but in practice it does not, as RPKI validity
> > cover is incomplete.
> >
> This, and (more fundamentally) RPKI-breakage gets translated into a
> dataplane
> outage.
>
> > Somewhat related, when JNPR implemented RTR the architecture was
> > planned so that the RTR implementation itself isn't tightly coupled to
> > RPKI validity. It was planned day1 that customers could have multiple
> > RTR setups feeding prefixes and the NOS side could use these for other
> > purposes too. So technically JNPR is mostly missing CLI work to allow
> > you to feed prefix-lists dynamically over RTR, instead of punching
> > them in vendor-specific way in config.
> >
> We already do essentially this on arista EOS using a custom agent.
>
> It runs under the EOS process supervisor and calls home to a REST-API
> wrapper around bgpq3. It looks for specific config lines to work out
> which prefix lists to build, and then fetches them on a configurable
> interval.
>
> This has been in production for a year or two, without major incident.
> It's all open source, available at
> https://github.com/wolcomm/eos-prefix-list-agent.
> Pull-requests
>  welcomed
> ;-)
>
> I'm in the middle of writing the equivalent tool for junos at the
> moment. Assuming that it works, we'll open source that too.
>
> HTH,
>
> Ben
>


Re: Parler

2021-01-10 Thread David Bass
Internet providers have always been able to regulate who their customers
are...that’s why criminals have such a hard time finding a provider to host
their platform.  It’s why the kkk and nazis have a hard time finding a
place to host their crap.

This is no different except that they’ve allowed it, and defied their own
rules up until now.

On Sun, Jan 10, 2021 at 10:12 AM  wrote:

> Yes, it seems subsection (c)(2)(b) gives them cover, perhaps it’s time
> that this is revised, lest the Internet content become moderated by a small
> group of private platform owners.
>
> Sent from my iPhone
>
> On Jan 10, 2021, at 9:05 AM, Daniel Jurado  wrote:
>
> 
> Government made it political.
> Parler is free conservative speech that the MSM doesn't control.
> CNN stated that it was a threat to democracy because they didn't have
> control over what was posted like Twitter or Facebook.
> So at this point it is 100% political.
>
> --
> Sent from my Android phone with mail.com Mail. Please excuse my brevity.
> On 1/10/21, 8:57 AM sro...@ronan-online.com wrote:
>>
>> Why? This is extremely relevant to network operators and is not political
>> at all.
>>
>> On Jan 10, 2021, at 8:51 AM, Mike Bolitho  wrote:
>>
>> 
>> Can we please not go down this rabbit hole on here? List admins?
>>
>> - Mike Bolitho
>>
>> On Sun, Jan 10, 2021, 1:26 AM William Herrin  wrote:
>>
>>> Anybody looking for a new customer opportunity? It seems Parler is in
>>> search of a new service provider. Vendors need only provide all the
>>> proprietary AWS APIs that Parler depends upon to function.
>>>
>>>
>>> https://www.washingtonpost.com/technology/2021/01/09/amazon-parler-suspension/
>>>
>>> Regards,
>>> Bill Herrin
>>>
>> 
>
>


Re: "Hacking" these days - purpose?

2020-12-14 Thread David Bass
It becomes more clear when you think about the options out there, and get a
little creative.  Nowadays it’s definitely chess that’s being played.

This Solarwinds thing is going to be extremely interesting.

On Mon, Dec 14, 2020 at 11:35 AM Mark Tinka  wrote:

>
>
> On 12/14/20 18:23, Ryland Kremeier wrote:
>
> I would have to disagree. Considering the amount of people who have
> bitcoin, and even less the amount of people who farm it, or have farmed it
> before it became so difficult. It seems much more likely that the
> wide-spread infiltrations of every-day systems is for information and DDoS
> over bitcoins.
>
> I seriously doubt it’s that hard to sell information to companies, as they
> most likely don’t care how you got that information.
>
>
>
> If information wasn’t key, whether it be for selling to another party, or
> scraping that data for easy to social engineer targets; then I also don’t
> think that fraudulent calls would be so prevalent these days. Where the
> main target is older people who will fall for their basic tricks and end up
> losing potentially thousands per person.
>
>
> Tend to agree.
>
> Despite all the advice and mindless videos out there to help people
> protect their data and/or not fall for basic scams, a lot of people still
> do.
>
> Humans' capacity to want to believe in and trust others is a strong avenue
> that the scammers exploit to get paid. More so the older folk, yes, but
> even the young, tech-savvy; particularly those who have been too busy
> flipping between apps to realize that the Internet can be a dangerous
> place.
>
> You'd be surprised how innovative and simple these scams are, and actually
> becoming less and less sophisticated, which makes them even more dangerous.
>
>
> Mark.
>


Re: BGP Peers Data modeling schema

2020-11-05 Thread David Bass
I second Jeff in using YANG.

On Thu, Nov 5, 2020 at 1:37 PM Jeff Tantsura 
wrote:

> YANG is the right direction.
> OpenConfig BGP and policy models are supported by every vendor on the
> earth.
> We are finalizing IETF BGP and policy models
> draft-ietf-rtgwg-policy-model is about to be last-called
> draft-ietf-idr-bgp-model is pretty much ready
>
> Cheers,
> Jeff
> On Nov 5, 2020, 4:57 AM -0800, Douglas Fischer ,
> wrote:
>
> I'm designing a tool for provisioning configurations for an ITP and his
> Peers.
> The idea is that based on that, all the configs to all the involved
> components configurations to be deployed based on that source of data. I'm
> Talking about Routers, BMP, SNMP tool(Ex.: Zabbix), etc...
>
> But, once again, I'm feeling that I'm reinventing the wheel.
> I'm pretty sure that someone else has already suffered from that.
>
> I search for a bit, and I didn't find anything...
> But with this gray area between developers and network operators, I'm not
> sure if I'm looking at the right place.
>
> I even tried to look at http://schema.org but didn't find anything
> related to networks and BGP there yet.
>
>
> So, anyone could point me in the right direction?
> --
> Douglas Fernando Fischer
> Control and Automation Engineer
>
>


Re: 4G / 5G backup

2020-07-12 Thread David Bass
There’s probably a dozen ways to do this, and a couple times that with
regard to devices.

What I’m doing at home is a plain old Cisco router from my old lab with a
couple 4G Cradlepoint modems.  I load share across all paths (1 x DSL, & 2
x att 4G).

Unless you have a requirement to backhaul the backup path over the 4G, then
I would avoid doing that for performance reasons.



On Sun, Jul 12, 2020 at 8:39 AM Baldur Norddahl 
wrote:

> Hello
>
> I am looking for a CPE product that can use the 4G and soon 5G cell
> network as backup to our fiber. The product should create a VPN back to our
> network, so the customer can keep his IPv4/IPv6 address and all other
> services running as normal except maybe at a lower speed.
>
> I imagine this CPE router could use BGP to announce itself through both
> the fiber and the cell backup.
>
> Are somebody doing this and what can you recommend?
>
> Thanks
>
> Baldur
>
>


Cost effective time servers

2019-06-20 Thread David Bass
What are folks using these days for smaller organizations, that need to
dole out time from an internal source?


Re: historical Bogon lists

2018-12-19 Thread David Bass
I think Git would be the perfect solution...would definitely appreciate it.

On Tue, Dec 18, 2018 at 12:01 PM Rabbi Rob Thomas  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Dear Tom,
>
> > I wonder if there's value in having the lists that Team Cymru
> > generates auto pushed to a public Git repo. Covers historical
> > changes for folks who want that, and also provides a more modern
> > ingestion method for automation around that info. (Not that I'm
> > hating on wget / curl ... :) )
>
> We'd be happy to make that happen, if folks are keen.  We're fine with
> Git, as we use it regularly.
>
> Be well!
> Rob.
> - --
> Rabbi Rob Thomas   Team Cymru
>"It is easy to believe in freedom of speech for those with whom we
> agree." - Leo McKern
> -BEGIN PGP SIGNATURE-
>
> iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAlwZJ5wACgkQQ+hhYvqF
> 8o2ULQ/+N++KAtZkfuYvzjnAwFQZGWvfTmFcmEwQKtbS+O53ymn2tGfMf/NjZKrS
> AyJdiNby1PFjDd4X/4bKsm1k4pOcqIvWHrNuQfSCMnsAAVlWWZr1SWjkV+rD2o80
> XSrpz1nXYFH/Et3TMedc6fKLt6UgKlfua1t7xm4pBypjSHTBari601cvGMqa++4k
> wqAB5KUoIC1Ni5GVff1i+NCQ+6kfuVvXvnTHBjq6q6O+rLC5KpQwI/9pY3J5LODm
> 3nfqPYEo/otNRn/vX4lENMI/3lrMIXC4NO8fjYDgStVZ/1CZVWzxNFc4MgplpwKJ
> k/VLYnkuai7o4yT5Ao4xhKIctGOO79v8Gmgv9NJUXkfcqrL+EVI6FGQoWB8PiHxI
> ZWppA3kdiB7csG+zHG/+hliB5xI3SzlvNH/ywPzym06FLK5/1yKSI788qjyXBgZ4
> h/Vs14DSrtqw/VlgBAV0f25PPJllmZeJwrtgqGzgwakLKqrk9ByCHBA77Xhk3XN8
> Y5klq2uE8n2tYq5RHlUg1/+jdj6kQo2APHN7Q3H7FWv0CrW8JluHQdb7dLCnqFR8
> Obo4H/G1DtjR60ECXvnS7X/6Fzs0KZFhd0E+jAbb2ErKQ2ZL+6+XuzaCXkDJ3oEp
> M+RftjLnwywE1MNf7q3Hmrpt3ku7HKjDQjvLZv2h8/f92rwy/1M=
> =i27M
> -END PGP SIGNATURE-
>


Re: O365 IP space

2018-09-25 Thread David Bass
Sorry, I should have stated that I have already searched, and have seen the
above mentioned docs as well as everything else on the first page of the
search results.

I guess what I was looking for was to see if somebody has already
consolidated that list in to something easier to work with.

On Tue, Sep 25, 2018 at 11:26 AM Job Snijders  wrote:

> On Tue, Sep 25, 2018 at 12:18:50PM -0400, Steve Meuse wrote:
> >
> https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
>
> I think it is cool that companies take the time and effort to publish
> such useful lists. Keep it up!
>
> Kind regards,
>
> Job
>


O365 IP space

2018-09-25 Thread David Bass
Does anyone have a good list of all of the US IPs used for O365?  Not
looking for specific IPs, and can just use the blocks.

Thanks!


Re: Consumer networking head scratcher

2017-03-02 Thread David Bass
This all goes away when he reconnects his old router from what I remember...

If that is the case, then I would concentrate my effort on the new router,
and its functionality (or lack of).  Could be something simple that you are
missing on it as a setting, or assuming it works a certain way when it does
not.  Sometimes these devices can be counterintuitive.

On Wed, Mar 1, 2017 at 1:23 PM, Aaron Gould  wrote:

> That's strange... it's like the TTL on all Windows IP packets are
> decrementing more and more as time goes on causing you to get less and less
> hops into the internet
>
> I wonder if it's a bug/virus/malware affecting only your windows computers.
>
> -Aaron
>
>
>


Re: Cellular enabled console server

2017-02-26 Thread David Bass
I tried to build one in the past, but didn't have much success.  Anyone 
successfully built some and willing to give details?

> On Feb 26, 2017, at 9:07 AM, nanog_maillinglist  wrote:
> 
> Hi.
> 
> I use lots of opengears boxes - mainly the Console Manager range 41xx then 
> 71xx for "big location" with more than 8 consoles needed
> 550x when it's less than 8.
> We use them only as out-of-band access when either we have inband pbm or when 
> an intervention is risky - so no fancy feature is needed here ( hence the 
> CM71xx range.. )
> 
> I tried from them a cellular one ( 5504 I guess back in the days ) but the 
> cellular cover wasn't great in the particular DC I've tested it.
> + it was hard to get a cellular with static IP 
> So I stayed with small/cheap 10mb access for that box.
> 
> short feedback:
> + It just works - no hardware issues so far ( in years ) - software stable.
> + ZTP also works okay for provisioning with XML config ( I do it with 
> Ansible/Jinja2 )
> + Support ready to help - even though we are not a huge buyer, they provided 
> us the feature we needed right quick ( being able to touch the serial config 
> as a "user" instead of admin )
> + cisco pinout by default - no overcharge if you want the classic serial 
> rs232 pinout
> 
> - From my test, provisioning is limited to a basic config - I couldn't make 
> it work by generating the whole setup in the .opg images.
> So I generated basic XML config file to make the box ping, then I use ansible 
> in RAW SSH for post-deploy.
> - No python on the box so for every-day update/config I need to use ansible 
> in raw SSH mode - which is a bit dumb in 2016/17 :)
> - Still not that cheap for a rasp like base box
> 
> Cheers,
> Nico
> 
> -Original Message-
> From: NANOG [mailto:nanog-bounces+nanog=lodpp@nanog.org] On Behalf Of Ben 
> Bartsch
> Sent: Friday, February 24, 2017 5:09 PM
> To: NANOG 
> Subject: Cellular enabled console server
> 
> NANOG - Are any of you running a console server to access your network 
> equipment via a serial connection at a remote site?  If so, what are you 
> using and how much do you like it?  I have a project where I need to stand up 
> over 100 remote sites and would like a backdoor to the console just to be 
> able to see what's going on with the equipment to hopefully avoid a truck 
> roll for something simple like a hung device.  I need 4 console ports and 1 
> RJ45 ethernet jack.  My quick Google search landed me at BlackBox 
> LES1204A-3G-R2, but I've never actually used such a device.  This would be 
> for use in the USA.
> 
> Thank you in advance.
> 
> -ben


Re: External BGP Controller for L3 Switch BGP routing

2017-01-16 Thread David Bass
Arista has a version of their switches that can handle a full table.  

I think what the OP is asking about is something like openflow though.  
Some have played around with using it to modify the switches routing table 
based on flows that exist.  The same theory applies in regard to the 
presentation link provided (we don't need the full table 99% of the time, so 
just insert what you need). 

Using filters is an "old school" technique that's been around for a long time, 
and I don't think that's what he's asking.  

> On Jan 16, 2017, at 2:00 AM, Yucong Sun  wrote:
> 
> In my setup, I use an BIRD instance to combine multiple internet full
> tables,  i use some filter to generate some override route to send to my L3
> switch to do routing.  The L3 switch is configured with the default route
> to the main transit provider , if BIRD is down, the route would be
> unoptimized, but everything else remain operable until i fixed that BIRD
> instance.
> 
> I've asked around about why there isn't a L3 switch capable of handling
> full tables, I really don't understand the difference/logic behind it.
> 
>> On Sun, Jan 15, 2017 at 10:43 PM Tore Anderson  wrote:
>> 
>> Hi Saku,
>> 
>>> https://www.redpill-linpro.com/sysadvent/2016/12/09/slimming-routing-table.html
>>> 
>>> ---
>>> As described in a previous post, we’re testing a HPE Altoline 6920 in
>>> our lab. The Altoline 6920 is, like other switches based on the
>>> Broadcom Trident II chipset, able to handle up to 720 Gbps of
>>> throughput, packing 48x10GbE + 6x40GbE ports in a compact 1RU chassis.
>>> Its price is in all likelihood a single-digit percentage of the price
>>> of a traditional Internet router with a comparable throughput rating.
>>> ---
>>> 
>>> This makes it sound like small-FIB router is single-digit percentage
>>> cost of full-FIB.
>> 
>> Do you know of any traditional «Internet scale» router that can do ~720
>> Gbps of throughput for less than 10x the price of a Trident II box? Or
>> even <100kUSD? (Disregarding any volume discounts.)
>> 
>>> Also having Trident in Internet facing interface may be suspect,
>>> especially if you need to go from fast interface to slow or busy
>>> interface, due to very minor packet buffers. This obviously won't be
>>> much of a problem in inside-DC traffic.
>> 
>> Quite the opposite, changing between different interface speeds happens
>> very commonly inside the data centre (and most of the time it's done by
>> shallow-buffered switches using Trident II or similar chips).
>> 
>> One ubiquitous configuration has the servers and any external uplinks
>> attached with 10GE to leaf switches which in turn connects to a 40GE
>> spine layer with. In this config server<->server and server<->Internet
>> packets will need to change speed twice:
>> 
>> [server]-10GE-(leafX)-40GE-(spine)-40GE-(leafY)-10GE-[server/internet]
>> 
>> I suppose you could for example use a couple of MX240s or something as
>> a special-purpose leaf layer for external connectivity.
>> MPC5E-40G10G-IRB or something towards the 40GE spines and any regular
>> 10GE MPC towards the exits. That way you'd only have one
>> shallow-buffered speed conversion remaining. But I'm very sceptical if
>> something like this makes sense after taking the cost/benefit ratio
>> into account.
>> 
>> Tore
>> 
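The "we don't need the full table 99% of the time, so just insert what you need" idea from this thread, worked through as an added example; this is not code from the thread, from BIRD or from any vendor. The route table and the flow samples are constructed, and the 99% coverage target is an assumption taken from the figure quoted above. It also goes one step further than the discussion by checking how much sampled traffic still takes the same exit after slimming, which is the "unoptimized but operable" trade-off Yucong describes.

```python
"""Slimming a full BGP table down to what sampled traffic actually uses.

Added example, not code from the thread, from BIRD, or from any vendor.
The route table and flow samples below are constructed; in practice they
would come from a BGP daemon and from sFlow/NetFlow exports. The 0.99
coverage target is an assumption taken from the thread.
"""
import ipaddress
from collections import Counter

DEFAULT = "0.0.0.0/0"

# Constructed "full table": prefix -> next hop (transit provider label).
FULL_TABLE = {
    DEFAULT: "transitB",              # main transit provider, always installed
    "198.51.100.0/24": "transitB",
    "198.51.100.128/25": "transitA",  # more-specific with a different exit
    "203.0.113.0/24": "transitA",
    "192.0.2.0/24": "transitB",
    "100.64.0.0/10": "transitA",
}

# Constructed flow samples: (destination address, sampled packet count).
FLOW_SAMPLES = [
    ("198.51.100.200", 900),
    ("198.51.100.10", 50),
    ("203.0.113.77", 600),
    ("192.0.2.9", 5),
    ("100.64.3.3", 3),
    ("8.8.8.8", 2),   # only the default route covers this one
]


def build_lpm(table):
    """Sort a prefix->nexthop table longest-prefix-first for linear LPM lookups."""
    nets = [(ipaddress.ip_network(p), nh) for p, nh in table.items()]
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return nets


def lookup(lpm, ip):
    """Longest-prefix match; returns (prefix_str, nexthop) or None."""
    addr = ipaddress.ip_address(ip)
    for net, nh in lpm:
        if addr in net:
            return str(net), nh
    return None


def slim_table(full_table, flows, coverage=0.99):
    """Pick the fewest prefixes (ranked by sampled traffic) that cover
    `coverage` of packets. Returns (slim_table, covered_fraction). The default
    route is always kept, so anything not selected still forwards, just not
    necessarily via the exit the full table would have chosen."""
    lpm = build_lpm(full_table)
    hits = Counter()
    total = 0
    for ip, pkts in flows:
        total += pkts
        hits[lookup(lpm, ip)] += pkts
    selected = {DEFAULT: full_table[DEFAULT]}
    covered = hits.pop((DEFAULT, full_table[DEFAULT]), 0)
    for (prefix, nh), pkts in hits.most_common():
        if covered / total >= coverage:
            break
        selected[prefix] = nh
        covered += pkts
    return selected, covered / total


def nexthop_agreement(full_table, slim, flows):
    """Fraction of sampled packets that take the same exit under the slimmed
    table as under the full table; the rest is the 'unoptimized' traffic."""
    full_lpm, slim_lpm = build_lpm(full_table), build_lpm(slim)
    same = total = 0
    for ip, pkts in flows:
        total += pkts
        if lookup(full_lpm, ip)[1] == lookup(slim_lpm, ip)[1]:
            same += pkts
    return same / total


if __name__ == "__main__":
    slim, frac = slim_table(FULL_TABLE, FLOW_SAMPLES)
    print(f"{len(slim)} of {len(FULL_TABLE)} routes cover {frac:.2%} of sampled packets")
    print(f"{nexthop_agreement(FULL_TABLE, slim, FLOW_SAMPLES):.2%} of packets keep their exit")
```

With the constructed data, four routes (default plus three prefixes) cover about 99.5% of sampled packets, and all but the 100.64.0.0/10 traffic still leaves via the same provider; that residue is exactly what falls back to the default when the controller feeding the switch is down or incomplete.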


Re: OSPF vs ISIS - Which do you prefer & why?

2016-11-10 Thread David Bass
Are you sure those other vendors don't do it too?  Lol.  

Dual stack ISIS on Juniper is a thing of beauty...

> On Nov 10, 2016, at 1:01 PM, Josh Reynolds  wrote:
> 
> Cisco is the only "real" IS-IS vendor.
> 
> Juniper, Brocade, Arista, Avaya, etc you're not getting it. Any of the
> whitebox hardware or real SDN capable solutions, you're going to be on OSPF.
> 
>> On Nov 10, 2016 12:13 AM, "Mark Tinka"  wrote:
>> 
>> 
>> 
>> On 10/Nov/16 04:52, Josh Reynolds wrote:
>> 
>> Vendor support for IS-IS is quite limited - many options for OSPF.
>> 
>> 
>> Depends on the vendor.
>> 
>> Cisco have as many knobs for IS-IS as they do for OSPF.
>> 
>> Juniper, not so much.
>> 
>> Don't know about other vendors.
>> 
>> At any rate, many of these knobs are not part of the original protocol
>> spec., although they can be very useful when scaling.
>> 
>> Mark.
>> 


Re: MPLS in the campus Network?

2016-10-21 Thread David Bass
This is exactly what we are recommending and building for our customers in that 
space. Most of the time the university network acts as a provider, so to me it 
only makes sense to use that type of tech.  The biggest problem then is 
support, which could be something they are unwilling or unable to overcome. 

> On Oct 21, 2016, at 1:45 PM, Leo Bicknell  wrote:
> 
> In a message written on Fri, Oct 21, 2016 at 12:02:24PM -0500, Javier Solis 
> wrote:
>> In a campus network the challenge becomes extending subnets across your
>> core. You may have a college that started in one building with their own
>> /24, but now have offices and labs in other buildings. They want to stay on
>> the same network, but that's not feasible with the routed core setup
>> without some other technology overlay. We end up not being able to extend
>> the L2 like we did in the past and today we modify router ACL's to allow
>> communications. If you already have hundreds of vlans spanned across the
>> network, it's hard to get a campus to migrate to the routed core. I think
>> this may be one of Marks challenge, correct me if I'm wrong please.
> 
> FWIW, if I had to solve the "college across buildings with common
> access control" problem I would create MPLS L3 VPN's, one subnet
> per building (where it is a VLAN inside of a building), with a
> "firewall in the cloud" somewhere to get between VLAN's with all
> of the policy in one place.
> 
> No risk of the L2 across buildings mess, including broadcast and
> multicast issues at L2.  All tidy L3 routing.  Can use a real
> firewall between L3 VPN instances to get real policy tools (AV, URL
> Filtering, Malware detection, etc) rather than router ACL's.  Scales
> to huge sizes because it's all L3 based.
> 
> Combine with 802.1x port authentication and NAC, and in theory every
> L3 VPN could be in every building, with each port dynamically assigning
> the VLAN based on the user's login!  Imagine never manually configuring
> them again.  Write a script that makes all the colleges (20? 40? 60?)
> appear in every building all attached to their own MPLS VPN's, and
> then the NAC handles port assignment.
> 
> -- 
> Leo Bicknell - bickn...@ufp.org
> PGP keys at http://www.ufp.org/~bicknell/


Re: Advertising rented IPv4 prefix from a different ASN.

2016-08-05 Thread David Bass


> On Aug 5, 2016, at 9:52 AM, Mark Tinka  wrote:
> 
> 
> 
>> On 5/Aug/16 15:40, Soon Keat Neo wrote:
>> 
>> If you are just announcing more specific address space that you've obtained
>> legitimately off their assigned address space, it should be no problem,
>> just obtain an LoA and register it on the different databases and you
>> should be set to ask your upstreams to allow the announcements.
> 
> Do people actually do this? A customer asked us to do this for them and
> we refused, because inconsistent AS has never been a thing.
> 
> I'm apprehensive about a subnet and its aggregate appearing from
> multiple AS's at the same time. But, I'm old school, so...
> 
> Mark.

I agree with you...not a great practice.  Each AS should just announce the 
prefix that they actually use.  The school could be used as a transit for the 
ISP, which may be undesirable. 

Re: Thinking Methodically about building a PoC

2016-06-13 Thread David Bass

> On Jun 13, 2016, at 12:49 AM, Roland Dobbins  wrote:
> 
> 
>> On 13 Jun 2016, at 8:52, Kasper Adel wrote:
>> 
>> 2) Do some planning and research first.
> 
> This.
> 
> ---
> Roland Dobbins 

I'll second that!  How can you do it any other way and get any sort of reliable 
data...especially a POC. Seems like you would waste a lot of time just plodding 
forward without doing the research. 

Re: mpls switches

2016-04-06 Thread David Bass
Interesting.  What SDN controller are you using?

Seems like quite a few are moving to white box switches...

> On Apr 6, 2016, at 9:53 PM, Todd Crane  wrote:
> 
> Edge-Core 5712-54X


Re: Internet Exchanges supporting jumbo frames?

2016-03-09 Thread David Bass
Could you do the same with a 1501 byte packet?

> On Mar 9, 2016, at 10:51 AM, Nick Hilliard  wrote:
> 
> Kurt Kraut wrote:
>> Thank you for replying so quickly. I don't see why the consensus for an
>> MTU must be reached. IPv6 Path MTU Discovery would handle it by itself,
>> wouldn't it? If one participant supports 9k and another 4k, the traffic
>> between them would be at 4k with no manual intervention. If to
>> participants adopts 9k, hooray, it will be 9k thanks do PMTUD.
>> 
>> Am I missing something?
> 
> for starters, if you send a 9001 byte packet to a router which has its
> interface MTU configured to be 9000 bytes, the packet will be
> blackholed, not rejected with a PTB.
> 
> Even if it weren't, how many icmp PTB packets per second would a router
> be happy to generate before rate limiters kicked in?  Once someone
> malicious works that out, they can send that number of crafted packets
> per second through the IXP, thereby creating a denial of service situation.
> 
> There are many other problems, such as pmtud not working properly in the
> general case.
> 
> Nick
> 


Re: sFlow vs netFlow/IPFIX

2016-03-01 Thread David Bass
I don't agree with that statement (about rare to find big companies using 
Nexus).  If you want 10 gig/40 gig (or 100 gig soon) your options are Cisco 
Nexus/Arista/Juniper QFX...some periphery devices as well, but the majority use 
one of those 3. 

The merchant silicon based switches are pretty reasonably priced too. 



> On Mar 1, 2016, at 9:24 AM, Mark Tinka  wrote:
> 
> 
> 
>> On 1/Mar/16 09:44, Pavel Odintsov wrote:
>> But unfortunately they (Cisco Nexus) are pretty expensive and fairly
>> new for DC and ISP market. It's pretty rare to find big company with
>> switching backbone on Nexus switches.
> 
> As opposed to?
> 
> We are looking at the Nexus 7700 for 100Gbps core switching.
> 
> Mark.


Re: Thank you, Comcast.

2016-02-26 Thread David Bass
I disagree...the point of what I sent (missed by some) is that in just this 
small audience there are many that do/have/know about customers that run their 
own stuff.  

Trying to blow it off, or minimize those customers just makes you seem a little 
arrogant.  Nothing worse than an arrogant business...  

> On Feb 26, 2016, at 11:15 AM, Mike Hammett  wrote:
> 
> I think you'd be hard pressed to find more than a tenth of a percent of 
> people attempt to run their own DNS server. Some do because they think it'll 
> be better in some way. Rare is the occasion where anything user configured 
> would outperform a local DNS server managed by the ISP that does no form of 
> trickery. 
> 
> 
> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> http://www.ics-il.com 
> 
> Midwest-IX 
> http://www.midwest-ix.com 
> 
> - Original Message -
> 
> From: "Brielle Bruns"  
> To: nanog@nanog.org 
> Sent: Friday, February 26, 2016 9:56:40 AM 
> Subject: Re: Thank you, Comcast. 
> 
>> On 2/26/16 6:27 AM, Mike Hammett wrote: 
>> "you will also block legitimate return traffic if the customers run 
>> their own DNS servers or use opendns / google dns / etc." 
>> 
>> I'm fine with that. Residential customers shouldn't be running DNS 
>> servers anyway and as far as the outside resolvers to go, e... I 
>> see the case for OpenDNS given that you can use it to filter (though 
>> that's easily bypassed), but not really for any others.
> 
> 
> Except that half the time people run their own DNS resolvers because 
> their provider's resolvers are 
> 
> 1) Absolute garbage and either fail queries for no reason, don't respond 
> at times, respond super slow, etc. 
> 
> 2) Hijack NXDOMAIN for advertising / money generation 
> 
> 3) Hijack responses to inject their own ads, popups, etc. 
> 
> 
> 
> -- 
> Brielle Bruns 
> The Summit Open Source Development Group 
> http://www.sosdg.org / http://www.ahbl.org 
> 


Re: Thank you, Comcast.

2016-02-26 Thread David Bass
I agree with this...from a customer perspective.  I've seen ISPs block other 
traffic as well...even on "business" accounts, and break their customers 
networks.  

It's the Internet not a private network...

I've never been a typical user though...maybe one of the "dozen" Mike refers to 
that runs a email server, web server, dns server, etc, etc, etc out of their 
house. 

> On Feb 26, 2016, at 9:31 AM, Keith Medcalf  wrote:
> 
> 
> ISP's should block nothing, to or from the customer, unless they make it 
> clear *before* selling the service (and include it in the Terms and 
> Conditions of Service Contract), that they are not selling an Internet 
> connection but are selling a partially functional Internet connection (or a 
> limited Internet Service), and specifying exactly what the built-in 
> deficiencies are.
> 
> Deficiencies may include:
>  port/protocol blockage toward the customer (destination blocks)
>  port/protocol blockage toward the internet (source blocks)
>  DNS diddling (filtering of responses, NXDOMAIN redirection/wildcards, etc)
>  Traffic Shaping/Policing/Congestion policies, inbound and outbound
> 
> Some ISPs are good at this and provide opt-in/out methods for at least the 
> first three on the list.  Others not so much.
> 
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Maxwell Cole
>> Sent: Friday, 26 February, 2016 07:19
>> To: Mikael Abrahamsson
>> Cc: NANOG list
>> Subject: Re: Thank you, Comcast.
>> 
>> I agree,
>> 
>> At the very least things like SNMP/NTP should be blocked. I mean how many
>> people actually run a legit NTP server out of their home? Dozens? And the
>> people who run SNMP devices with the default/common communities aren’t the
>> ones using it.
>> 
>> If the argument is that you need a Business class account to run a mail
>> server then I have no problem extending that to DNS servers also.
>> 
>> Cheers,
>> Max
>> 
>>> On Feb 26, 2016, at 8:55 AM, Mikael Abrahamsson 
>>> wrote:
>>> 
>>> On Fri, 26 Feb 2016, Nick Hilliard wrote:
>>>> 
>>>> Traffic from dns-spoofing attacks generally has src port = 53 and dst
>>>> port = random.  If you block packets with udp src port=53 towards
>>>> customers, you will also block legitimate return traffic if the customers
>>>> run their own DNS servers or use opendns / google dns / etc.
>>> 
>>> Sure, it's a very interesting discussion what ports should be blocked or
>> not.
>>> 
>>> http://www.bitag.org/documents/Port-Blocking.pdf
>>> 
>>> This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been
>> blocked for a very long time to fix some issues, even though there is
>> legitimate use for these ports.
>>> 
>>> So if you're blocking these ports, it seems like a small step to block
>> UDP/TCP/53 towards customers as well. I can't come up with an argument
>> that makes sense to block TCP/25 and then not block port UDP/TCP/53 as
>> well. If you're protecting the Internet from your customers
>> misconfiguration by blocking port 25 and the MS ports, why not 53 as well?
>>> 
>>> This is a slippery slope of course, and judgement calls are not easy to
>> make.
>>> 
>>> --
>>> Mikael Abrahamsson    email: swm...@swm.pp.se
> 
> 
> 
> 
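Nick's point about the blanket "drop UDP source port 53 towards customers" rule, shown side by side with a stateful alternative, as an added example (not code from the thread or from any vendor). The packets are constructed 5-tuples: 192.0.2.0/24 stands in for the customer side, 203.0.113.53 for a public resolver and 198.51.100.7 for an outside host, all documentation ranges. A real filter would also key on the DNS transaction ID and expire pending entries; both are left out here as a simplification.

```python
"""Stateless vs stateful handling of UDP source-port-53 traffic toward customers.

Added example, not code from the thread or any vendor. Addresses are
constructed from documentation ranges. Keying on the DNS transaction ID and
expiring state are omitted (assumption: simplified to the 3-tuple below).
"""
import ipaddress
from dataclasses import dataclass

CUSTOMER_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def toward_customer_from_53(pkt):
    """True for the traffic shape Nick describes: UDP, sport 53, customer destination."""
    return (pkt.proto == "udp" and pkt.sport == 53
            and ipaddress.ip_address(pkt.dst) in CUSTOMER_NET)


def stateless_drop(pkt):
    """The blunt rule from the thread. It stops reflected/spoofed replies, but
    also every legitimate answer to a customer-run resolver or to a CPE that
    forwards to a public DNS service."""
    return toward_customer_from_53(pkt)


class StatefulDnsFilter:
    """Admit inbound src-53 packets only if they answer a query seen leaving."""

    def __init__(self):
        self.pending = set()   # (customer_ip, customer_port, resolver_ip)

    def observe_outbound(self, pkt):
        if (pkt.proto == "udp" and pkt.dport == 53
                and ipaddress.ip_address(pkt.src) in CUSTOMER_NET):
            self.pending.add((pkt.src, pkt.sport, pkt.dst))

    def drop_inbound(self, pkt):
        if not toward_customer_from_53(pkt):
            return False   # rule does not apply; queries to a customer-hosted
                           # authoritative server arrive with dport 53 and pass
        key = (pkt.dst, pkt.dport, pkt.src)
        if key in self.pending:
            self.pending.discard(key)   # one answer per query
            return False
        return True        # unsolicited src-53 packet: the spoofing/reflection pattern


# Constructed traffic: (label, direction, packet).
SAMPLE_TRAFFIC = [
    ("query",   "out", Pkt("192.0.2.10", 40001, "203.0.113.53", 53)),
    ("reply",   "in",  Pkt("203.0.113.53", 53, "192.0.2.10", 40001)),
    ("replay",  "in",  Pkt("203.0.113.53", 53, "192.0.2.10", 40001)),
    ("spoofed", "in",  Pkt("198.51.100.7", 53, "192.0.2.20", 5555)),
    ("https",   "in",  Pkt("198.51.100.7", 443, "192.0.2.20", 5555, "tcp")),
]


def evaluate(traffic):
    """Run both policies over the traffic. Returns {label: (stateless_drop,
    stateful_drop)} for inbound packets; outbound packets only feed state."""
    filt = StatefulDnsFilter()
    verdicts = {}
    for label, direction, pkt in traffic:
        if direction == "out":
            filt.observe_outbound(pkt)
        else:
            verdicts[label] = (stateless_drop(pkt), filt.drop_inbound(pkt))
    return verdicts


if __name__ == "__main__":
    for label, (stateless, stateful) in evaluate(SAMPLE_TRAFFIC).items():
        print(f"{label:8} stateless={'drop' if stateless else 'pass':4} "
              f"stateful={'drop' if stateful else 'pass'}")
```

The legitimate reply is the case that separates the two policies: the stateless rule drops it along with the spoofed packet, while the stateful filter passes it and still drops the unsolicited packet and the duplicate reply. The cost is per-flow state on the access edge, which is why the thread treats this as a judgement call rather than a free win.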


Re: Cisco ASR9010 vs Juniper MX960

2016-02-18 Thread David Bass
I don't think I'd trust any vendor's "ISSU" to be completely without 
impact...been more of a marketing term from my experience...



> On Feb 18, 2016, at 10:51 AM, Nick Hilliard  wrote:
> 
> Jason Bothe wrote:
>> The 9k does however get a huge win with the ability to apply a ‘pie’
>> or software patch while staying in service vs requiring a reload.
> 
> SMUs are often "hitless", which is to say, "hitless" with scary quotes.
> What this means in practice is that the SMU itself might be hitless but
> it will depend on 47 other SMUs, thereby almost guaranteeing some form
> of reload.  Also, restarting processes is "hitless" (e.g. restarting
> bgpd, ospfd, etc) or shutting down interfaces.
> 
> E.g.:
> 
> CSCuo47663: "Hitless/Optional SMU,aigp metric different in RIB & BGP
> table".  This will restart the bgp process.
> 
> CSCus26923: "traffic from SIP700 to 9000v is dropped when a link to
> 9000v flaps".  Release notes state that the issue is not service
> impacting, then "After the SMU installation , we need to apply
> shut/noshut of the problematic interface to trigger the hardware
> programming."  Wuh??
> 
> In other words, "hitless" does not mean "not service impacting".
> 
> Nick


Re: Low density Juniper (or alternative) Edge

2016-02-06 Thread David Bass
Yeah, on the list...well the 4600 is since it's somewhat the replacement to the 
4500/4550. 

> On Feb 6, 2016, at 1:55 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
> 
> Why not consider an EX4500?
> 
>> On Feb 6, 2016 12:24 PM, "Cameron Ferdinands" <came...@jferdinands.com> 
>> wrote:
>> If you need higher density 10GE, consider a Juniper ACX5048.
>> 
>> Great edge box, MPLS features, it's essentially just a QFX with
>> repartitioned CAM / some tricks to get the most out of the Trident II
>> chipset.
>> 
>> Won't do a bunch of things, so make sure it's exactly what you need or
>> you'll burn yourself YMMV.
>> 
>> On Wed, Feb 3, 2016 at 9:50 AM Dan Spataro <dspat...@corp.nac.net> wrote:
>> 
>> > Depending on your interpretation of full MPLS stack, you can look into the
>> > Brocade CES.
>> >
>> >
>> >
>> >
>> > -Original Message-
>> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of David Bass
>> > Sent: Tuesday, February 2, 2016 4:04 PM
>> > To: nanog@nanog.org
>> > Subject: Low density Juniper (or alternative) Edge
>> >
>> > Looking to see what others are using out there as an alternative to a
>> > Cisco ME3600X? Also, what other vendors out there are playing in this 
>> > space?
>> >
>> > Need a full MPLS stack.
>> >


Re: Low density Juniper (or alternative) Edge

2016-02-06 Thread David Bass
Thanks for all the insight everyone...very helpful discussion!

Has anyone seen the SRX deployed in these situations?

We have been talking to Juniper about the ACX, and they seem to be pushing it 
as a Metro E, or in situations where you don't need a lot of features (like a 
L2 agg point for wireless).



> On Feb 6, 2016, at 5:39 AM, Cameron Ferdinands <came...@jferdinands.com> 
> wrote:
> 
> If you need higher density 10GE, consider a Juniper ACX5048.
> 
> Great edge box, MPLS features, it's essentially just a QFX with repartitioned 
> CAM / some tricks to get the most out of the Trident II chipset.
> 
> Won't do a bunch of things, so make sure it's exactly what you need or you'll 
> burn yourself YMMV.
> 
>> On Wed, Feb 3, 2016 at 9:50 AM Dan Spataro <dspat...@corp.nac.net> wrote:
>> Depending on your interpretation of full MPLS stack, you can look into the 
>> Brocade CES.
>> 
>> 
>> 
>> 
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of David Bass
>> Sent: Tuesday, February 2, 2016 4:04 PM
>> To: nanog@nanog.org
>> Subject: Low density Juniper (or alternative) Edge
>> 
>> Looking to see what others are using out there as an alternative to a Cisco 
>> ME3600X? Also, what other vendors out there are playing in this space?
>> 
>> Need a full MPLS stack.


Low density Juniper (or alternative) Edge

2016-02-02 Thread David Bass
Looking to see what others are using out there as an alternative to a Cisco 
ME3600X? Also, what other vendors out there are playing in this space?

Need a full MPLS stack. 

Re: Low density Juniper (or alternative) Edge

2016-02-02 Thread David Bass
Thanks to all that have replied!

Yes, I just started looking at the ASR9xx series of routers as well...seems 
like a likely alternative if we go with Cisco. 

> On Feb 2, 2016, at 5:19 PM, Jérôme Nicolle <jer...@ceriz.fr> wrote:
> 
> Hi David,
> 
> On 02/02/2016 22:03, David Bass wrote:
>> Looking to see what others are using out there as an alternative to a Cisco 
>> ME3600X?
> 
> I'd rather use the ASR920, the ME3600X is too deep to fit in some PoPs.
> It also has a higher 10G port count.
> 
> Alternatively, on low cost deployments, I used Mikrotik CCR1016-12S-1S+.
> Lower density, though.
> 
> For higher 10G density, I like the Juniper EX4550. But when you have to
> stick to a limited number of vendors, I guess you could consider the
> Catalyst 6840 line. Never had one to play with, though.
> 
> I'm currently evaluating another alternative: the Nokia-Alcatel-Lucent
> ISAM 7360FX chassis (4 to 16 slots) with either P2P (36 client lines per
> slot) or PON (up to 16 ports/slot), and a Mikrotik CCR1072 right behind
> to encapsulate L2 circuits. It's, by far, the densest and cheapest way to
> provide more than a few hundred 100M-1Gbps circuits per PoP.
> 
> Best regards,
> 
> -- 
> Jérôme Nicolle


Re: Opinions on Arista 7280?

2015-11-30 Thread David Bass
These are being implemented in production on many a bank network...so yes,
they are plenty good enough.  You will obviously need to test them in a lab
to make sure the features you need to implement don't have any bugs that
need to be addressed first.  Overall I've had good experiences with them
though in a spine/leaf topology in major data centers.

I've also been implementing Arista switches as core devices outside of the
data center with some pretty great results, but you need to be careful to
make sure the features you need are available on the platform you want to
buy.  As with Cisco (and any other vendor) there are some hardware
limitations where some features will exist on one platform, but not another.

On Fri, Nov 27, 2015 at 4:39 AM, H I Baysal  wrote:

> Hi,
>
> Hardware is really nice.
> Backplane, buffers, just basically “pumping” bandwidth. It’s really good.
>
> However, MLAG can show some bugs when having only 1 interface in an MLAG
> (only 1 side); they had issues with the ifindex numbering in software.
> There were OSPF configuration options missing, etc.
>
> In short, hardware is really nice, software needs more maturing.
> Nice for distribution but not for core.
>
>
>
> > On 24 Nov 2015, at 19:02, David Hubbard 
> wrote:
> >
> > Curious if anyone's used the 7280 and wants to share their experience?
> > I'm looking at it primarily for three reasons, MLAG (i.e. multi-chassis
> > LACP), large ARP/MAC table (256k entries) and large IPv6 neighbor table
> > (256k entries).  For the table sizes we would like out of one pair of
> > switches, we'd be into the Cisco 7000 series, but that's dramatically
> > more expensive and we don't need much of anything else that it offers.
> >
> > Looked at Brocade too, but they don't have devices that can do multi-
> > chassis LACP, have the huge table sizes and have a reasonable number of
> > 10gig ports.  It was possible to construct a workable solution using
> > VDX's for switching and CER's for routing, but that's more complex than
> > Arista's option if it's a usable option.
> >
> > Thanks,
> >
> > David
>
>


SPAM solutions (to prevent mass emails from ever happening again)

2015-10-26 Thread David Bass
Considering the latest mass SPAM attack I have determined that action must
be taken to prevent this from ever happening again!  It is obvious that
email servers are to blame, as without them SPAMmers would not be able to
carry out their vicious attacks.  We therefore must outlaw all email
servers, except those run by government agencies who specialize in running
email servers.

I vote that we start a petition to outlaw email servers...WHO'S WITH ME?


Re: NX-OS as LSR router

2015-10-26 Thread David Bass
There are ISPs using NX-OS...just in the DC where it belongs (since the Nexus 
platform is designed for the data center). I don't think it has anything to do 
with IS-IS support though (although it may help sway some people now). 

> On Oct 25, 2015, at 8:50 AM, "marcel.durega...@yahoo.fr" 
>  wrote:
> 
> Related to the discussion about IGP choice, I had a quick look and found that 
> NX-OS IS-IS support for IPv6 is quite recent. It was not supported on 5.x, but 
> it is supported on 7.x (2015).
> 
> This might explain why not so many ISPs use NX-OS.
> 
>> On 21.10.2015 08:25, marcel.durega...@yahoo.fr wrote:
>> Dear Nanog'er,
>> 
>> Anybody using NX-OS on MPLS LSR and/or Edge-LSR ?
>> 
>> We are evaluating the replacement of 7600 LSR routers. Our natural
>> carrier/ISP choice would go for XR everywhere, but we are also curious
>> about NX-OS on the core.
>> 
>> Why not NX-OS for LSR and XR for Edge-LSR ?
>> 
>> 
>> Thanks,
>> -Marcel


Re: eBay is looking for network heavies...

2015-06-08 Thread David Bass
Yeah, I think that's more about them stroking their own ego than anything to do 
with you or the job. I've unfortunately seen a few of those types before as 
well. 



 On Jun 8, 2015, at 5:26 PM, Justin M. Streiner strei...@cluebyfour.org 
 wrote:
 
 On Mon, 8 Jun 2015, Jeroen van Aart wrote:
 
 On 06/05/2015 06:38 PM, Mike Hale wrote:
 We need a pool on what percentage of readers just googled traceroute.
 
 Don't learn by heart that which you can look up. In this day and age, where 
 knowledge about every subject imaginable is a 5 second (to a minute for 
 those less versed in researching) internet search away, there is no need to 
 hold all that knowledge in your memory.
 
 Reminds me of a job interview I had many years ago, where the interviewer was 
 looking for me to quote chapter and verse of several RFCs for different 
 routing protocols.  Uh... yeah.
 
 jms


Re: Verizon Policy Statement on Net Neutrality

2015-02-27 Thread David Bass
Let's not discuss Comcast and its performance in the customer service 
department, so as not to completely sidetrack the discussion...

Sent from my iPhone

 On Feb 27, 2015, at 11:05 AM, valdis.kletni...@vt.edu wrote:
 
 On Fri, 27 Feb 2015 10:45:11 -0600, Mike Hammett said:
 What about ISPs that aren't world-class dicks?
 
 That's unfortunately a very YMMV problem.  For instance, Comcast has (so far)
 provided the bandwidth I pay for, deployed very usable IPv6, not screwed up my
 bill, and the few times I've had to deal with their support structure it's 
 gone
 amazingly smoothly.  However, I'm told that other people have wildly divergent
 user experiences with them... :)
 


Re: mpls over microwave

2015-02-05 Thread David Bass
Done it, and it works well.  Used Motorola radios, and the key is the radio and 
building that part of the infrastructure right.  The MPLS is just another IP 
packet to the wireless.  Always used Ethernet handoffs on the radios to keep 
things simple.  

Make sure you have good line of sight, have ample fade or lack of, and you take 
vegetation growth into consideration.  Also make sure you buy stuff that 
handles jumbo frames and enable that, so that you don't have issues with 
fragmentation. 



 On Feb 5, 2015, at 3:55 PM, Scott Weeks sur...@mauigateway.com wrote:
 
 
 
 Anyone doing MPLS over microwave radios?  Please 
 share your experiences on list or off.  
 
 scott


Metaswitch ax1000 as a RR

2015-02-05 Thread David Bass
I have a client looking to implement x86 based route reflectors, and was 
looking at the ax1000.  I'm wondering if anyone has implemented it yet, and 
what your experience has been?

Any other alternatives would also be appreciated.  This customer does standard 
L3 VPNs, and VPLS services so the software has to support that.  

Thanks!




Re: Cisco Nexus

2015-02-02 Thread David Bass
The n2k ToR is not a great design for user or storage interfaces if most of 
your traffic is east/west.  It is great as a low cost ilo/drac/choose your oob 
port, or if most of your traffic is north/south.  Biggest thing to remember is 
that it is not a switch, and has limitations such as not connecting other 
switches to it. Like anything else you have to understand the product so that 
you don't engineer something that it wasn't designed to do. 

Lots of very large companies using Nexus gear...

That being said I prefer Arista when I'm architecting DCs. 



 On Feb 2, 2015, at 12:17 PM, Herman, Anthony anthony.her...@mattersight.com 
 wrote:
 
 Nanog,
 
 I would like to poll the collective for experiences both positive and 
 negative with the Nexus line. More specifically I am interested in hearing 
 about FEX with N2K at the ToR and if this has indeed made any impact on Opex 
 as well as non-obvious shortcomings to using the fabric extenders. Also if 
 anyone is using any of the Nexus line for I/O convergence (FCoE) I would be 
 interested in hearing your experience with this as well.
 
 Thank you in advance,
 
 -A


Re: scaling linux-based router hardware recommendations

2015-01-26 Thread David bass
I'm also in the research stage of building our own router.  I'm interested in 
reading more if you can post links to some of this research and/or testing. 

David

Sent from my iPad

 On Jan 26, 2015, at 6:45 PM, Phil Bedard bedard.p...@gmail.com wrote:
 
 Kind of unsurprisingly, the traditional network vendors are somewhat at 
 the forefront of pushing what an x86 server can do as well.  Brocade 
 (Vyatta), Juniper, and Alcatel-Lucent all have virtualized routers using 
 Intel's DPDK pushing 5M+ PPS at this point.  They are all also tweaking 
 what Intel is providing, and they are the ones with lots of software 
 developers with a lot of hardware and network programming experience.  
 
 ALU claims to be able to get 160Gbps full duplex through a 2RU server with 
 16x10G interfaces and two 10-core latest-gen Xeon processors.  Of course 
 that's probably at 9000 byte packet sizes, but at Imix type traffic it's 
 probably still pushing 60-70Gbps.  They have a demo of lots of them in a 
 single rack managed as a single router pushing Tbps.  
 
 A commercial offering you are going to pay for that kind of performance 
 and the control plane software.  Over time though you'll see the DPDK type 
 enhancements make it into standard OS stacks.   Other options include 
 servers with integrated network processors or NPs on a PCI card, there is 
 a whole rash of those type of devices out there now and coming out.  
 
 Phil 
 
 
 
 On 1/26/15, 22:53, micah anderson mi...@riseup.net wrote:
 
 
 Hi,
 
 I know that specially programmed ASICs on dedicated hardware like Cisco,
 Juniper, etc. are going to always outperform a general purpose server
 running gnu/linux, *bsd... but I find the idea of trying to use
 proprietary, NSA-backdoored devices difficult to accept, especially when
 I don't have the budget for it.
 
 I've noticed that even with a relatively modern system (supermicro with
 a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server
 adapters, and 16gig of ram), you still tend to get a high percentage of
 time working on softirqs on all the CPUs when pps reaches somewhere
 around 60-70k, and the traffic approaching 600-900mbit/sec (during a
 DDoS, such hardware cannot typically cope).
 
 It seems like finding hardware more optimized for very high packet per
 second counts would be a good thing to do. I just have no idea what is
 out there that could meet these goals. I'm unsure if faster CPUs, or
 more CPUs is really the problem, or networking cards, or just plain old
 fashioned tuning.
 
 Any ideas or suggestions would be welcome!
 micah