Re: remote serial console (IP to Serial)

2016-03-08 Thread greg whynott
Thanks to all who responded to me,  quite the flood of suggestions and
options.

Found a lot of 20 Digi CM32's on ebay for 35 dollars each,  overkill but
can't beat the price,  going to look into those to make sure they are still
able to get OS updates.  There will be no firewall in front of this device
so it should have one itself.

I like the raspberry pi idea...  Would ensure perpetual security updates
with the OS running on it,  whereas I'm sure some of the vendors of
commercial console products EOL support at some point.  The fact it runs
linux is inviting as we can add it to our monitoring systems.

have a great day,
greg



On Tue, Mar 8, 2016 at 10:33 AM, Christopher Morrow <morrowc.li...@gmail.com> wrote:

> for singular serial .. there are many, do you want something that's
> "appliance" or are you willing to deploy 18 raspberry-pi-like
> thingies?
>
> On Tue, Mar 8, 2016 at 10:30 AM, greg whynott <greg.whyn...@gmail.com> wrote:
> > Recently I have taken over the responsibility of managing about 18 remote
> > routers and firewalls. None of these have a console port for 'out of
> > band' access accessible today.
> >
> > Most sites have available IPs between the ISP and us (typically a /29) or a
> > backup DSL connection available for use. I'd like to purchase an IP to
> > Serial port device I can use for each location in the event I lock myself
> > out. The requirement would be an Ethernet port, a serial port, and SSH.
> >
> > Anyone have any recommendations on something like this?
> >
> > thanks much,
> > greg
>


remote serial console (IP to Serial)

2016-03-08 Thread greg whynott
Recently I have taken over the responsibility of managing about 18 remote
routers and firewalls. None of these have a console port for 'out of
band' access accessible today.

Most sites have available IPs between the ISP and us (typically a /29) or a
backup DSL connection available for use. I'd like to purchase an IP to
Serial port device I can use for each location in the event I lock myself
out. The requirement would be an Ethernet port, a serial port, and SSH.


Anyone have any recommendations on something like this?

thanks much,
greg


Re: RBL resource to check entire netblock

2016-02-18 Thread greg whynott
Team NANOG,

I will summarize once I get to looking at things.   This isn't an immediate
need but with that said I expect to start on it next week.   I may not
evaluate all of them but what I do try I will share.

My next challenge is finding a router that will forward on 4 x 1 gig
interfaces (2 inside 2 outside) for less than 30k...

-greg



On Wed, Feb 17, 2016 at 1:32 PM, Roberto Alvarado wrote:

> You can try this script:
>
> https://github.com/DjinnS/check-rbl
>
>
> -i,--ip The IP or subnet to check
>
> I’m using it to check my subnets
>
>
> Roberto
>
>
>
>
>
> > On Feb 17, 2016, at 15:25, Bernd Spiess wrote:
> >
> >> I find many sites where you can enter 1 IP to
> >> do a check but they don't seem to accept subnets to check.
> >
> > Maybe this is a help?
> > https://www.senderbase.org/
> >
> > Bernd
>
>


Re: RBL resource to check entire netblock

2016-02-17 Thread greg whynott
Thank you everyone for the responses,  I now have about 10 options to look
at due to the many replies.


greg





On Wed, Feb 17, 2016 at 1:25 PM, Bernd Spiess wrote:

> > I find many sites where you can enter 1 IP to
> > do a check but they don't seem to accept subnets to check.
>
> Maybe this is a help?
> https://www.senderbase.org/
>
> Bernd
>


RBL resource to check entire netblock

2016-02-17 Thread greg whynott
Hello,

I am wanting to purchase a /22 from one of the online auction sites
(Hilco). Before we move ahead with it I wanted to check the history of
IPs within the allocation. I find many sites where you can enter 1 IP to
do a check but they don't seem to accept subnets to check.

Are you aware of any services which could tell us if a /22 is clean or not?
My google foo is weak.

thank you,
greg
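The check that the original question and the check-rbl suggestion in the reply above are after, as an added example that is not the check-rbl script or any other code from this thread: expand a CIDR, build the reversed-octet query name each DNSBL expects, and tally which addresses are listed. The zone names are hypothetical, and the resolver is passed in as a function so the logic runs offline against a constructed fixture; pass the real `dns_resolve` for live checks.

```python
"""Check every address in a netblock against DNS-based blocklists (DNSBLs)."""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, List, Optional

# Hypothetical zone names, for illustration only; substitute the lists you trust.
DEFAULT_ZONES = ["bl.example.test", "dnsbl.example.test"]

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the dotted quad and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dns_resolve(name: str) -> Optional[str]:
    """Live A lookup: a DNSBL answers (typically 127.0.0.x) when listed, NXDOMAIN when not.
    Bulk queries over a /22 (1024 hosts) may hit a list's rate limits; check its policy first."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_netblock(cidr: str, zones: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Return {ip: [zones that list it]} for every listed address in the block.
    Network and broadcast addresses are included on purpose: reputation data
    is keyed by address and a listing there still taints the block's history."""
    net = ipaddress.ip_network(cidr, strict=False)
    listed: Dict[str, List[str]] = {}
    for host in net:
        hits = [z for z in zones if resolve(dnsbl_query_name(str(host), z)) is not None]
        if hits:
            listed[str(host)] = hits
    return listed


def summarize(listed: Dict[str, List[str]], cidr: str) -> dict:
    """Roll the per-address results up into the numbers a buyer wants to see."""
    net = ipaddress.ip_network(cidr, strict=False)
    per_zone = Counter(z for hits in listed.values() for z in hits)
    return {
        "total": net.num_addresses,
        "listed": len(listed),
        "per_zone": dict(per_zone),
        "clean": not listed,
    }


# Constructed fixture: an offline "resolver" that knows about two listed addresses.
CONSTRUCTED_LISTINGS = {
    "4.0.0.10.bl.example.test": "127.0.0.2",      # 10.0.0.4 on both lists
    "4.0.0.10.dnsbl.example.test": "127.0.0.10",
    "200.1.0.10.bl.example.test": "127.0.0.4",    # 10.0.1.200 on one list
}


def fixture_resolve(name: str) -> Optional[str]:
    """Stand-in for dns_resolve that answers only from the constructed table."""
    return CONSTRUCTED_LISTINGS.get(name)


def run_constructed_check():
    """Check a constructed /22 against the fixture; returns (summary, listed)."""
    cidr = "10.0.0.0/22"
    listed = check_netblock(cidr, DEFAULT_ZONES, fixture_resolve)
    return summarize(listed, cidr), listed


if __name__ == "__main__":
    summary, listed = run_constructed_check()
    print(summary)
    for ip, zones in sorted(listed.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:16} {', '.join(zones)}")
```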


59.229.189.0/24

2014-03-24 Thread greg whynott
Hello,


Up until today we have been able to reach hosts in the 59.229.189.0/24
network via AS174, Cogent, in Toronto. Now we cannot; our packets
stop at 38.112.36.101. The support team at Cogent informed me that network
isn't in the internet routing table.

I attempted to do an AS lookup on it and sure enough it is not. Using
looking-glass routers in Korea indicates the same.

Yet it is still reachable from other networks. I can use 'Team Viewer'
and webx to connect to hosts at the remote office which sits within that
/24. When on the remote site, I can do traceroutes back to our office
in Toronto.

This part is a bit confusing to me: from Toronto I get a 'no route to
host'. So packets arriving from Korea to our network shouldn't be able to
find a route back, even if it's taking a different path.

any guess why this network may not be advertising its routes or what is
going on here?

thanks in advance,

greg


This is the network route from Toronto to Korea:

 Host               Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.101.2.1       0.0%     6    1.5  15.1   1.5  83.3  33.4
 2. 10.101.111.11    0.0%     6    0.2   0.2   0.2   0.2   0.0
 3. 10.101.101.101   0.0%     6    0.7   0.8   0.7   0.8   0.0
 4. 38.122.184.161   0.0%     6    --  ISP ROUTER
 5. 38.20.50.130     0.0%     6    1.9   2.0   1.9   2.1   0.0
 6. 38.112.36.101   89.0%     5    1.6   1.7   1.6   1.7   0.0


This is the route from Korea to Toronto, done at the same time as the
above.

  1     1 ms     1 ms     1 ms  192.168.0.1
  2     1 ms     1 ms     1 ms  58.229.189.1
  3     1 ms     1 ms     1 ms  10.254.241.205
  4     1 ms     1 ms     1 ms  58.229.66.9
  5     2 ms     1 ms     1 ms  58.229.66.105
  6     7 ms     5 ms     3 ms  58.229.119.149
  7     2 ms     2 ms     2 ms  118.221.7.34
  8   144 ms   144 ms   144 ms  58.229.92.254
  9   276 ms   208 ms   192 ms  te-8-2.car1.SanJose2.Level3.net [4.59.0.161]
 10   204 ms   162 ms   162 ms  ae-2-70.edge1.SanJose3.Level3.net [4.69.152.80]
 11   165 ms   165 ms   165 ms  Cogent-level3-4x10G.SanJose.Level3.net [4.68.110.138]
 12   156 ms   156 ms   156 ms  be2000.ccr21.sjc01.atlas.cogentco.com [154.54.6.105]
 13   166 ms   165 ms   165 ms  be2164.ccr21.sfo01.atlas.cogentco.com [154.54.28.33]
 14   187 ms   187 ms   187 ms  be2256.mpd21.mci01.atlas.cogentco.com [154.54.6.90]
 15   206 ms   206 ms   206 ms  be2158.mpd21.ord01.atlas.cogentco.com [154.54.7.130]
 16   216 ms   216 ms   216 ms  be2081.ccr21.yyz02.atlas.cogentco.com [154.54.42.10]
 17   221 ms   221 ms   221 ms  te3-8.ccr02.yyz01.atlas.cogentco.com [154.54.5.85]
 18   231 ms   230 ms   230 ms  te4-1.mag03.yyz01.atlas.cogentco.com [154.54.86.82]
 19   214 ms   215 ms   214 ms  38.122.184.162   -- OUR ROUTER


Re: 59.229.189.0/24

2014-03-24 Thread greg whynott
oh my, how embarrassing is that...

15 years doing networking too... It was a typo this whole time as
indicated by Jeroen and I didn't even catch it. Will 'it's Monday' work as
an excuse? ;) 58 instead of 59. I was pulling my hair on this one;
the network drawing I was referencing has the wrong IP and it's been like
that for months.

I sent support those trace routes and they didn't even catch that. I
mention this only to make myself feel a weee bit better.

So sorry for wasting your time, but thanks very much for it everyone.


-g





On Mon, Mar 24, 2014 at 5:26 PM, Paul Ferguson fergdawgs...@mykolab.com wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 On 3/24/2014 2:13 PM, Paul Ferguson wrote:

  On 3/24/2014 1:53 PM, Christopher Morrow wrote:
 
  On Mon, Mar 24, 2014 at 4:49 PM, greg whynott
  greg.whyn...@gmail.com wrote:
  59.229.189.0
 
  $ whois -h whois.cymru.com 59.229.189.0
  AS      | IP               | AS Name
  NA      | 59.229.189.0     | NA
 
  cymru seems to think there's no route for that network. my
  network agrees.
 
 
 
 
 
  **
 
   Oregon Exchange BGP Route Viewer route-views.oregon-ix.net /
  route-views.routeviews.org
 
  route views data is archived on http://archive.routeviews.org
 
  This hardware is part of a grant from Cisco Systems. Please contact
  h...@routeviews.org if you have questions or comments about this
  service, its use, or if you might be able to contribute your view.
 
  This router has views of the full routing tables from several
  ASes. The list of ASes is documented under Current Participants
  on http://www.routeviews.org/.
 
  **
 
  route-views.routeviews.org is now using AAA for logins.  Login
  with username rviews.  See http://routeviews.org/aaa.html
 
  **
 
 
 
 
 
  route-views>sho ip bgp 59.229.189.0
  % Network not in table
  route-views>
 

 Derp.


 Hello, this is Quagga (version 0.99.21).
 Copyright 1996-2005 Kunihiro Ishiguro, et al.

 route-views2.routeviews.org>sho ip bgp 59.229.189.0/24
 % Network not in table
 route-views2.routeviews.org>
 route-views2.routeviews.org>

 - - ferg




 - --
 Paul Ferguson
 VP Threat Intelligence, IID
 PGP Public Key ID: 0x54DC85B2




Re: NFSen plugin - ddd

2013-10-29 Thread greg whynott
now both SGI and Apple will sue them!

sad how apple can get a patent on curved corners...

it has a nice tezro look to it.   wrong color tho.




On Mon, Aug 6, 2012 at 10:40 PM, Andrew Jones a...@jonesy.com.au wrote:

 I did manage to get my hands on it this morning (thanks Brandon!).
 I've put it up for anyone who's interested [1], I had a couple of people
 ask for a copy if I found it.
 I haven't had a chance to look through the plugin yet, so take no
 responsibility for it.
 Cheers,
 Jonesy

 [1] http://www.haqthegibson.com/files/ddd.zip


 On Sun, 5 Aug 2012 19:08:56 -0400, Jason Hellenthal
 jhellent...@dataix.net wrote:
  Don't know if you ever received a reply for this but this is the best I
  have come up with to get more eyes on it.
 
  http://sourceforge.net/apps/trac/nfsen-plugins/wiki/RequestPlugin
 
  I have not submitted a request for it but if you happen to come across
  this plugin, I would be interested.
 
  On Fri, Aug 03, 2012 at 01:55:21PM +1000, Andrew Jones wrote:
  Hi All,
  Does anyone have a copy of the DDoS detection plugin for NFSen called
 ddd
  that they could send to me?
  According to a blog article [1] I read, it used to be available at [2].
  It's not there, and I haven't had any luck trying to track it down the
  usual ways. If anyone is able to provide a copy, I'd appreciate it.
  Thanks,
  Jonesy
 
 
  [1] http://www.ccieflyer.com/2010-01-JasonRowley.php
  [2] http://www.synacknetworks.com/ddd/ddd.zip




Re: Advisory — D-root is changing its IPv4 address on the 3rd of January.

2012-12-17 Thread greg whynott
and ones who don't read posts before responding.



On Mon, Dec 17, 2012 at 8:14 AM, Randy Bush ra...@psg.com wrote:

  Actually, I have an excellent memory also. The one thing I do NOT
  remember is this much Sturm und Drang over any of the past changes.

 increase in number of people who can't resist telling others what they
 should do

 randy




Re: Routing study

2011-05-12 Thread Greg Whynott
On May 12, 2011, at 6:30 AM, bmann...@vacation.karoshi.com 
bmann...@vacation.karoshi.com wrote:

 er…
 d I would appreciate it if they
 would at least notify me ahead of time if they want to futz around
 with prefixes that are not registered to them.


er... isn't that exactly what they just did, notified you ahead of time? The
test starts on the 18th.

helps to read before you jump!

-g


--

This message and any attachments may contain confidential and/or privileged 
information for the sole use of the intended recipient. Any review or 
distribution by anyone other than the person for whom it was originally 
intended is strictly prohibited. If you have received this message in error, 
please contact the sender and delete all copies. Opinions, conclusions or other 
information contained in this message may not be that of the organization.



Re: Routing study

2011-05-12 Thread Greg Whynott


On May 12, 2011, at 12:38 PM, Stefan Bethke wrote:

 Am 12.05.2011 um 18:02 schrieb Greg Whynott:

 helps to read before you jump!

 I think he might be referring to the fact that the prefix supposedly used to 
 conduct the test is his, not Georgia Tech's.

 --
 Stefan Bethke s...@lassitu.de   Fon +49 151 14070811





perhaps. I should have refrained and not said anything since it added nothing.

sorry bmanning.

-g



Gregory Whynott
Networks and Storage

Ontario Institute for Cancer Research
MaRS Centre, South Tower
101 College Street, Suite 800
Toronto, Ontario, Canada M5G 0A3

647-294-2813 | www.oicr.on.ca





FTP is 40 years old today.

2011-04-15 Thread Greg Whynott
Sorry, it's not operationally related but probably of interest to a few.

I can't believe it's been that long, time flies. RFC 114!



http://www.bit-tech.net/news/hardware/2011/04/15/ftp-is-40-years-old/






Re: Auto ACL blocker

2011-01-18 Thread Greg Whynott
send/expect?

On Jan 18, 2011, at 2:12 PM, Brian R. Watters wrote:

 We are looking for the following solution.

 Honey pot that collects attacks against SSH/FTP and so on

 Said attacks are then sent to a master ACL on a edge Cisco router to block 
 all traffic from these offenders ..

 Of course we would require a master whitelist as well as to not be blocked 
 from our own networks.

 Any current solutions or ideas ??

 --

 BRW


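What the quoted request describes, as an added example rather than anything posted in this thread: tally honeypot SSH/FTP authentication failures per source, drop anything inside our own whitelisted networks, and emit a Cisco IOS named extended ACL that can then be pushed to the edge router (the send/expect step Greg mentions is left out). The log line formats, the whitelist and the threshold are assumptions, and the sample events are constructed.

```python
"""Turn honeypot login failures into a whitelist-aware Cisco deny ACL."""
import ipaddress
import re
from collections import Counter
from typing import Iterable, List

# Constructed sample events (formats assumed to mimic sshd and vsftpd syslog lines).
SAMPLE_EVENTS = """\
sshd: Failed password for root from 203.0.113.9 port 51122 ssh2
sshd: Failed password for admin from 203.0.113.9 port 51130 ssh2
sshd: Failed password for root from 203.0.113.9 port 51141 ssh2
vsftpd: FAIL LOGIN: Client "198.51.100.77"
vsftpd: FAIL LOGIN: Client "198.51.100.77"
vsftpd: FAIL LOGIN: Client "198.51.100.77"
sshd: Failed password for ops from 192.0.2.25 port 40001 ssh2
sshd: Failed password for ops from 192.0.2.25 port 40002 ssh2
sshd: Failed password for ops from 192.0.2.25 port 40003 ssh2
sshd: Failed password for root from 203.0.113.200 port 2222 ssh2
"""

# Assumed whitelist: our own networks must never end up in the deny list,
# even if a misconfigured internal host trips the honeypot.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24",)]

SSH_RE = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")
FTP_RE = re.compile(r'FAIL LOGIN: Client "(\d+\.\d+\.\d+\.\d+)"')


def extract_sources(lines: Iterable[str]) -> Counter:
    """Count authentication failures per source address across both services."""
    hits: Counter = Counter()
    for line in lines:
        m = SSH_RE.search(line) or FTP_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def is_whitelisted(ip: str) -> bool:
    """True when the address falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def offenders(hits: Counter, threshold: int) -> List[str]:
    """Sources at or above the failure threshold, minus whitelisted ones, in stable order."""
    return sorted(
        (ip for ip, n in hits.items() if n >= threshold and not is_whitelisted(ip)),
        key=ipaddress.ip_address,
    )


def build_acl(offender_ips: List[str], whitelist, name: str = "HONEYPOT-BLOCK") -> str:
    """Render a named extended ACL: explicit permits for our networks first, then the
    denies, then permit any. Regenerate the whole list each run (and age entries out
    upstream) rather than appending forever, so the ACL cannot grow without bound."""
    lines = [f"ip access-list extended {name}"]
    for net in whitelist:
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    for ip in offender_ips:
        lines.append(f" deny ip host {ip} any")
    lines.append(" permit ip any any")
    return "\n".join(lines)


def run_constructed(threshold: int = 3) -> str:
    """Build the ACL from the constructed sample events."""
    hits = extract_sources(SAMPLE_EVENTS.splitlines())
    return build_acl(offenders(hits, threshold), WHITELIST)


if __name__ == "__main__":
    print(run_constructed())
```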



BGP route-map options

2011-01-14 Thread Greg Whynott
Following a few documents on how to use route-maps to set preference of routes 
(related to my last thread regarding asymmetrical routing), all the ones I have 
looked at today (about 6 or so) use the below method to apply the route map 
under the router section:

router bgp YOURAS#
neighbour x.x.x.x remote-as AS#
neighbour x.x.x.x route-map MAPNAME in

yet in the last line,  route-map  is not an option on my router,  which is an 
ASR1004 running the version 15 line of code.

is there a new way to do this?

don't you love Cisco's consistency?

thanks much for your time again,
greg







Re: BGP route-map options

2011-01-14 Thread Greg Whynott
thanks Thomas, I opened a ticket with Cisco and am pestering other lists so 
I'm not bothering anyone with my operational issues.

it does accept it under address-family,  and doing a show bgp indicates 
something is going on:

ASR1004#show bgp | inc \ \ 150\
* 132.248.13.0/24  205.211.94.145   150   0 549 26677 6509 18592 278 i

but the selected path is still going out via the other provider,  not 549.

if you're interested I'll let you know the outcome.

thanks for taking the time to respond,

greg






On Jan 14, 2011, at 12:51 PM, Thomas Magill wrote:

 Try doing it under the 'address-family ipv4'?

 I've never seen any version of IOS not take it.

 -Original Message-
 From: Greg Whynott [mailto:greg.whyn...@oicr.on.ca]
 Sent: Friday, January 14, 2011 9:00 AM
 To: nanog@nanog.org list
 Subject: BGP route-map options

 Following a few documents on how to use route-maps to set preference of 
 routes (related to my last thread regarding asymmetrical routing), all the 
 ones I have looked at today (about 6 or so) use the below method to apply the 
 route map under the router section:

 router bgp YOURAS#
 neighbour x.x.x.x remote-as AS#
 neighbour x.x.x.x route-map MAPNAME in

 yet in the last line,  route-map  is not an option on my router,  which is 
 an ASR1004 running the version 15 line of code.

 is there a new way to do this?

 don't you love Cisco's consistency?

 thanks much for your time again,
 greg










Re: BGP route-map options

2011-01-14 Thread Greg Whynott
haha... yeah that is not a copy and paste but rather me just typing that out.

the proper spelling in the config is being used, or the American spelling... 
English is the worst language...

thanks again,
greg

On Jan 14, 2011, at 12:52 PM, Thomas Magill wrote:

 Wait...

 Does the router even accept 'neighbour' instead of ' neighbor'?


 -Original Message-
 From: Greg Whynott [mailto:greg.whyn...@oicr.on.ca]
 Sent: Friday, January 14, 2011 9:00 AM
 To: nanog@nanog.org list
 Subject: BGP route-map options

 Following a few documents on how to use route-maps to set preference of 
 routes (related to my last thread regarding asymmetrical routing), all the 
 ones I have looked at today (about 6 or so) use the below method to apply the 
 route map under the router section:

 router bgp YOURAS#
 neighbour x.x.x.x remote-as AS#
 neighbour x.x.x.x route-map MAPNAME in

 yet in the last line,  route-map  is not an option on my router,  which is 
 an ASR1004 running the version 15 line of code.

 is there a new way to do this?

 don't you love Cisco's consistency?

 thanks much for your time again,
 greg










Re: Is Cisco equipment de facto for you?

2011-01-13 Thread Greg Whynott
at one shop where I considered using Juniper instead of a Cisco internet edge 
router, the cost of the Juniper was so close to the Cisco it was a non 
consideration. The only reason we went with Cisco that time was due to the 
fact most of the other gear was Cisco, and it seemed to make more sense to 
stay with Cisco instead of introducing a new vendor/methods into the mix 
without good reason.

The hardware alone was cheaper than the Cisco kit, but after we said we needed 
to hold a million BGP routes, the prices became very similar. Juniper wants 
to license you on the amount of routes you intend to receive, if I remember 
correctly.

-g





On Jan 13, 2011, at 2:40 PM, Chris Adams wrote:

 Once upon a time, Michael Ruiz mr...@lstfinancial.com said:
 I like Cisco personally and they are cheaper than
 buying a Juniper.  For example a M-series is always going to cost some
 bucks after you factor the FPC and the PICS that need to be loaded.

 We didn't find that to be the case, after you factor in all the Cisco
 pieces that need to be loaded as well.  Both make modular routers, so I
 don't see how saying that one requires modules is a valid argument.

 --
 Chris Adams cmad...@hiwaay.net
 Systems and Network Administrator - HiWAAY Internet Services
 I don't speak for anybody but myself - that's enough trouble.






Fw: Cisco Sanitization

2011-01-12 Thread Greg Whynott
V

- Original Message -
From: Greg Whynott
Sent: Wednesday, January 12, 2011 09:46 AM
To: 'timothy.gr...@mantech.com' timothy.gr...@mantech.com
Subject: Re: Cisco Sanitization

Replace the flash cards.  If you are really concerned about information being 
disclosed,  formatting/deleting files will not destroy the data and it probably 
can be recovered.   Or take the flash cards and scrub them from a pc.

G

- Original Message -
From: Green, Timothy [mailto:timothy.gr...@mantech.com]
Sent: Wednesday, January 12, 2011 09:41 AM
To: nanog@nanog.org nanog@nanog.org
Subject: Cisco Sanitization

Hey all!

I'm currently creating a sanitization guide for all my hardware.  When I got to 
my Cisco devices I noticed there are numerous ways to reset them back to the 
default and clear the NVRAM.  Does anyone have a guide that includes 
sanitization information for all Cisco devices(at least switches, routers, 
IDS's, and ASA 5500 Series) so I don't have to recreate the wheel?

Thanks,

Tim






Re: Cisco Sanitization

2011-01-12 Thread Greg Whynott
list, sorry for this but this is getting a little annoying. I've tried 
sending Randy email without luck.. I think I'm blacklisted by his kit, so if 
someone would kindly forward this to him...


Randy,

I'm not trying to be difficult or annoy you. Please stop sending me this 
email which is considered spam by most. 30 messages with the same 
unsolicited content is spam.

I understand you do not like a signature which 'seems' to contain legal jargon.

I understand you know everything about my environment and the policies of my 
company which I do not define.

I understand you would like me to use gmail and violate my company policy.

I don't expect _anything_ from you, but I would appreciate it if you could 
take some of your apparent talent and put some logic into your procmail recipe 
or whatever it is you use to generate this message. Avoid responding with 
this spam message every time I post to a list you happen to be on. The email 
was not directed to you directly. It should take someone with your skill 
set very little effort.

thank you.

greg




On Jan 12, 2011, at 10:50 AM, Randy Bush wrote:

 you have sent a message to me which seems to contain a legal
 warning on who can read it, or how it may be distributed, or
 whether it may be archived, etc.

 i do not accept such email.  my mail user agent detected a legal
 notice when i was opening your mail, and automatically deleted it.
 so do not expect further response.

 yes, i know your mail environment automatically added the legal
 notice.  well, my mail environment automatically detected it,
 deleted it, and sent this message to you.  so don't expect a lot
 of sympathy.

 and if you choose to work for some enterprise clueless enough to
 think that they can force this silliness on the world, use gmail,
 hotmail, ...

 randy





Re: Cisco Sanitization

2011-01-12 Thread Greg Whynott
my bad, list. I'll stay on topic in the future and ensure I keep personal 
messages out of here and your inbox.

bad bad greg... interesting how brain dead and disrespectful I am till 
sufficiently caffeinated.




On Jan 12, 2011, at 11:19 AM, Lynda wrote:

 On 1/12/2011 8:04 AM, Greg Whynott wrote:

 list,  sorry for this but this is getting a little annoying.  I've
 tried sending Randy email without luck.. think i'm black listed by
 his kit,  so if someone would kindly forward this to him…

 Well, here it is. Perhaps you might consider getting a gmail or other
 account, and posting on NANOG from there. Either that, or filter Randy
 out. Personally, I find those silly disclaimers annoying, but am far too
 lazy to set up a script such as Randy has.

 You don't want to be annoyed? Lose the disclaimer, use a different email
 address, or filter Randy out. This is NOT the first time you've
 complained about this (although we know, for sure, that Randy is going
 to send this off, automagically, to anyone that has the silly disclaimer
 thing going for them). Get over it. Please don't post on this again.
 Thanks in advance.

 --
 Amor fati. Vale. (Seneca)







Re: Is Cisco equipment de facto for you?

2011-01-10 Thread Greg Whynott
I've tried to use other vendors throughout the years for internal L2/L3. Always 
Cisco for perimeter routing/firewalling.

from my personal experience, each time we took a chance and tried to use 
another vendor for internal L2 needs, we would be reminded why it was a bad 
choice down the road, due to hardware reliability, support issues, multiple 
and ongoing software bugs, architectural design choices. Then for the next 
few years I'd regret the decision. This is not to say Cisco gear has been 
without its issues, but they are much fewer and handled better when stuff hits 
the fan.

the only other vendor at this point in my career I'd feel comfortable deploying 
for internal enterprise switching, including HPC requirements, which is not 
Cisco branded, would be Force10 or Extreme. It has always been Cisco for edge 
routing/firewalling, but I wouldn't be opposed to trying Juniper for routing; 
I know of a few shops who do and they have been pleased thus far. I've 
little or no experience with many of the other vendors, and I'm sure they 
have good offerings, but I won't be beta testing their firmwares anymore (one 
vendor insisted we upgrade our firmware on our core equipment several times in 
one year...).


Cisco isn't a good choice if you don't have the budget for the smart net 
contracts.   They come at a price.   a little 5505 with unrestricted license 
and contract costs over 2k,  a 5540 about 40k-70k depending on options,  with a 
yearly renewal of about 15k or more…

-g




On Jan 10, 2011, at 11:21 AM, Randy Carpenter wrote:


 We have traditionally been a Cisco shop, but we are starting to move toward 
 Juniper for much of our needs, and will be recommending Juniper as an 
 alternative for customers' needs. From a technical point of view, I find the 
 configurations to be simpler and easier to understand, and I like the fact 
 that most everything runs the same OS, with the same interface. From a 
 financial point of view, Juniper tends to be less expensive for more 
 performance, and their support contracts are much cheaper.

 All that said, and as others have said, Cisco is always a safe choice, 
 particularly since many people are familiar with them.

 -Randy

 --
 | Randy Carpenter
 | Vice President, IT Services
 | Red Hat Certified Engineer
 | First Network Group, Inc.
 | (419)739-9240, x1
 

 - Original Message -
 Hello gents:

 I wanted to put this out there for all of you. Our network consists of
 a mixture of Cisco and Extreme equipment.

 Would you say that it's fair to say that if you are serious at all
 about being a service provider that your core equipment is Cisco
 based?

 Am I limiting myself by thinking that Cisco is the de facto vendor
 of choice? I'm not looking for so much fanboy responses, but more of
 a real world
 experience of what you guys use that actually work and does the
 job.

 No technical questions here, just general feedback. I try to follow
 the Tolly Group who compares products, and they continually show that
 Cisco equipment
 is a poor performer in almost any equipment compared to others, I find
 that so hard to believe.

 Thanks!

 Brandon






Re: Is Cisco equipment de facto for you?

2011-01-10 Thread Greg Whynott

 Brandon


 Just as a pointer - one of the largest and most utilized IX (AMS-IX) has
 their platform built on Brocade devices.



Brocade devices pre-Foundry purchase, correct? I can't see anyone that large 
using Foundry in large deployments..

-g





Re: Is Cisco equipment de facto for you?

2011-01-10 Thread Greg Whynott
The ProCurve line is cheap and the standard support contract price can't be
beat (lifetime free). For many 'normal' deployments it would be a good
choice. In a 10Gbit HPC or highly redundant environment I'd probably be
looking at Extreme or Force 10.

There is a feature on the Cisco 6500 series which is very appealing for those
needing highly redundant / quick failover: VSS. Currently you can only get
it on 6500's or better, so the cost of admission is huge, and you have to
have the physical space to mount the units. Extreme has a similar feature
which is available throughout most of the product line, meaning you don't have
to drop 6 figures for a redundant zero-time failover solution and can fit it
into as little as 2U in the rack. I recently set up a pair of Summit 650's
using the virtual switch feature. I have multiple 10Gbit clients terminated to
the pair. Zero-time failover when a link goes down; it's nice. This is
what I find is the trend with features and Cisco: Cisco sticks with what is
known and is a bit reluctant to throw a new feature into the mix, whereas a
competing vendor sees that as an opportunity. Cisco is slow and steady,
where the other vendors tend to be lighter on their feet. Sometimes when you
are quick on your feet, you trip more often than the one walking slowly.


-g



On Jan 10, 2011, at 12:04 PM, Brandon Kim wrote:


 Wow, overall consensus is that there are quite a few that are migrating to 
 Juniper from Cisco.

 I am a bit biased because I have spent an awful amount of time invested into 
 Cisco and understanding how to configure them.
 But being a former business owner, I also am very much sensitive to costs and 
 business needs.

 For those that have been Cisco focused, do you stay fully objective, and are
 you willing to pitch another vendor knowing that you will
 have to learn a new IOS? And that it will be your time that you'll have to
 spend to understand the product and support it?

 We have been selling HP ProCurves to SMBs because of the cost factor. I
 don't really mind them all that much. I've tried to fit Cisco switches
 in the mix but their pricing is just so much more, as well as the SmartNet
 costs. They really price themselves out and that is unfortunate.

 I will be looking at refreshing our core switches and routers soon so I will 
 stay objective as much as I can.

 =)




 To: nanog@nanog.org
 Subject: Re: Is Cisco equipment de facto for you?
 Date: Mon, 10 Jan 2011 10:36:24 -0600
 CC: brandon@brandontek.com
 From: tad1...@gmail.com

 On Mon, 10 Jan 2011 09:31:32 -0600, Brandon Kim
 brandon@brandontek.com wrote:


 Hello gents:

 I wanted to put this out there for all of you. Our network consists of a
 mixture of Cisco and Extreme equipment.

 Would you say that it's fair to say that if you are serious at all about
 being a service provider that your core equipment is Cisco based?

 Am I limiting myself by thinking that Cisco is the de facto vendor of
 choice? I'm not looking for so many fanboy responses, but more for
 real world experience of what you guys use that actually works and does the job.

 No technical questions here, just general feedback. I try to follow the
 Tolly Group who compares products, and they continually show that Cisco
 equipment
 is a poor performer in almost any equipment compared to others, I find
 that so hard to believe.

 Cisco is typically not known as the fastest or most power efficient when
 compared to other vendors, but they usually have some advanced feature
 sets that are very nice. In the ISP space this may be less helpful, but in
 the SMB and Enterprise space this can be very helpful. Things such as Call
 Manager Express, Web Content Filtering, WebEx Nodes, Server Load
 Balancing, Wireless Lan Controllers, etc. that are either built into IOS
 or available with a line card or module, are nice tools to have at your
 disposal, and often can mean reducing the number of devices you need in
 your rack.

 As for the Tolly group, I find whoever pays Tolly for the survey tends to
 be the fastest.

 Example:
 Abstract:

 HP commissioned Tolly to evaluate the performance, power consumption and
 TCO of its E5400 zl and E8200 switch series and compare those systems with
 the Cisco Systems Catalyst 3750-X and Catalyst 4500.

 This is because the vendor is getting to pick what they want to benchmark
 rather than the company benchmarking them. No one is going to choose tests
 that their product will lose in. There isn't much in the way of Tom's
 Hardware-style testing of enterprise gear to my knowledge.

 Cisco gear is also known for long life, being very consistent, and high
 reliability. Walking through colos you will often see many, many Cisco
 12000's for those exact reasons.

 I feel each vendor has its strong points, price/performance may not be
 Cisco's but Cisco's ease of configuration and feature sets, along with
 reliability are definitely notable.

 

Re: Is Cisco equipment de facto for you?

2011-01-10 Thread Greg Whynott

I think it really depends on who answers your call. I've called Cisco a few
times before for inter-vendor issues and they gave us the "call the other
vendor" finger. Other times they saved the day.

I know some shops negotiate their support contract, which precludes them from
going through the regular support escalation process; you get to speak to a more
senior tech on the first 'hello'.

-g


On Jan 10, 2011, at 3:04 PM, Chris Adams wrote:

 Once upon a time, Andrey Khomyakov khomyakov.and...@gmail.com said:
 There have been awfully too many times when Cisco TAC would just say that
 since the problem you are trying to troubleshoot is between Cisco and
 VendorX, we can't help you; you should have bought Cisco for both sides.

 That kind of behavior from a vendor tells me I shouldn't have bought
 that vendor for either side.





Re: Is Cisco equipment de facto for you?

2011-01-10 Thread Greg Whynott
Just a side note: HP probably was the most helpful vendor I've dealt with in
relation to solving/providing inter-vendor interoperability solutions. They
have PDF booklets on many things we would run into during work. For example,
setting up STP between Cisco and HP gear (
http://cdn.procurve.com/training/Manuals/ProCurve-and-Cisco-STP-Interoperability.pdf
).

At the time the other vendor in this case (Cisco) flat out refused to help us.
This was a few years back though; things may have changed. I'd ask support, "you
are not telling me I'm the _only_ customer trying to do this …", to which they
would try and play the "well, most people don't mix gear" card.

HP's example should be the yardstick in the field.

-g



On Jan 10, 2011, at 3:04 PM, Brandon Kim wrote:


 To your point Andrey,

 It probably works both ways too. I'm sure HP would love to finger-point as
 well. I remember reading for my CCNP that one
 of the thought processes behind getting all Cisco is the very reason you
 pointed out: get all Cisco!

 How convenient though for Cisco to do that; I wonder if they are being
 sincere (sarcasm).

 Wouldn't it be a perfect world for Cisco to just have everyone buy their
 stuff... I think it's a cop-out though and you really should
 try to support your product as best you can if it is connected to another
 vendor.

 I'm sad to hear that TACACS took that route. I hope they at least tried their
 hardest to support you.



 From: khomyakov.and...@gmail.com
 Date: Mon, 10 Jan 2011 14:35:36 -0500
 Subject: Re: Is Cisco equipment de facto for you?
 To: nanog@nanog.org

 There have been awfully too many times when Cisco TAC would just say that
 since the problem you are trying to troubleshoot is between Cisco and
 VendorX, we can't help you; you should have bought Cisco for both sides.
 I had that happen when I was troubleshooting LLDP between 3750s and Avaya
 phones, TACACS between Cisco and the tac_plus daemon, link bundling between
 Juniper EX and Cisco, some obscure switching issues between CAT and
 ProCurves, and other examples like that; I just don't recall them anymore.

 Every time I'm reminded that if you have a lot of Cisco on the network, the
 rest should be Cisco too, unless there is a very good technical/financial
 reason for it, but you should be prepared to be your own help in those
 cases.

 Vendors love to point at the other vendors for solutions. At least in my
 experience.

 My $0.02

 Andrey

 On Mon, Jan 10, 2011 at 11:52 AM, Greg Whynott
 greg.whyn...@oicr.on.ca wrote:

 I've tried to use other vendors throughout the years for internal L2/L3.
 Always Cisco for perimeter routing/firewalling.

 From my personal experience, each time we took a chance and tried to use
 another vendor for internal L2 needs, we would be reminded why it was a bad
 choice down the road, due to hardware reliability, support issues,
 multiple and ongoing software bugs, and architectural design choices. Then
 for the next few years I'd regret the decision. This is not to say Cisco
 gear has been without its issues, but they are much fewer and handled
 better when stuff hits the fan.

 The only other vendor at this point in my career I'd feel comfortable
 deploying for internal enterprise switching, including HPC requirements,
 which is not Cisco branded, would be Force10 or Extreme. It has always
 been Cisco for edge routing/firewalling, but I wouldn't be opposed to
 trying Juniper for routing; I know of a few shops who do and they have been
 pleased thus far. I've little or no experience with many of the other
 vendors, and I'm sure they have good offerings, but I won't be beta
 testing their firmwares anymore (one vendor insisted we upgrade our firmware
 on our core equipment several times in one year…).


 Cisco isn't a good choice if you don't have the budget for the SmartNet
 contracts. They come at a price. A little 5505 with unrestricted license
 and contract costs over 2k, a 5540 about 40k-70k depending on options,
 with a yearly renewal of about 15k or more…

 -g



 --
 Andrey Khomyakov
 [khomyakov.and...@gmail.com]






Re: Is Cisco equipment de facto for you?

2011-01-10 Thread Greg Whynott
For vendors we were not getting the goods from, I've found calling your
sales rep much more efficient than anything you can say/ask/beg/threaten the
tech on the phone with. Sales guys have the inside numbers to call and the clout to
get things moving, as they generate revenue for said vendor. His pay comes
from you; you pay him, he works for 2.

-g


On Jan 10, 2011, at 4:14 PM, Thomas Donnelly wrote:


 On Mon, 10 Jan 2011 14:39:19 -0600, Brandon Kim
 brandon@brandontek.com wrote:



 to which they would try and play the well most people don't mix gear..



 Ha! Funny if you responded with, "Oh really? Thanks, I didn't know that.
 I guess I'll get all HP... who do I talk to, to return this Cisco router?"

 I've threatened that one against Juniper and minutes later I had an
 engineer on the phone. At 3:30am. Funny how once you mention buying
 another vendor they raise an eyebrow.







Re: Is Cisco equipment de facto for you?

2011-01-10 Thread Greg Whynott
Just to play devil's advocate..

PVST is Cisco proprietary.

I'd rather see vendors default to an open standard as opposed to something
which is closed. The lowest common denominator…

In my eyes the document tells you how to make a Cisco and HP switch work
together, not convert.

Numbers alone do not denote intelligence; if so, cockroaches would rule the
world. 8)


-g





On Jan 10, 2011, at 5:32 PM, Jeff Kell wrote:

 On 1/10/2011 3:20 PM, Greg Whynott wrote:
 HP probably was the most helpful vendor I've dealt with in relation to
 solving/providing inter-vendor interoperability solutions. They have PDF
 booklets on many things we would run into during work. For example,
 setting up STP between Cisco and HP gear (
 http://cdn.procurve.com/training/Manuals/ProCurve-and-Cisco-STP-Interoperability.pdf
 ).

 Well, technically, the HP reference tells you how to convert your Cisco
 default PVST over to MST to match the HP preference.

 The handful of HP switches versus the stacks and stacks of production
 Cisco requiring conversion to suit them was intimidating to say the
 least :-)

 Foundry/Brocade on the other hand do PVST (so they say, I haven't given
 it a thorough lab test).

 Jeff





asymmetric routes/security concerns/Fortinet

2011-01-07 Thread Greg Whynott


Hello,

We have multiple internet connections, one of which is a research network to which
many medical institutions and universities are also connected throughout the
country. This research network (ORION) also has internet access but is not
meant to be used as a primary path to the internet by its customers.
Connected to the ORION network are many sites we exchange email with daily who
also have multiple internet connections. One of these sites is not reachable
by us. After investigating, it was discovered this site is dropping our
connections as the path back to us would use a different interface on the
firewall (a Fortinet device) than that which it arrived upon.

The admins at this university claim this is by design and for security
reasons. My response was that the entire internet is asymmetrical and while this
may have been a legitimate concern in the 90's, I don't think it's a real concern
anymore if things are set up correctly. They suggested we add static routes to
our equipment to address this… This seems like a bad idea and I am not
comfortable adjusting my routing table to address one site's issues on the
internet due to their (not our) routing/security policies.

Am I correct here? Any comments on this would be greatly appreciated as I'll
be called into a meeting to discuss this further (they are digging their
heels in on this, and higher-ups are getting involved now). I'd like to arm
myself with a few perspectives.

thanks very much for your time again,

greg








Re: asymmetric routes/security concerns/Fortinet

2011-01-07 Thread Greg Whynott
Thanks John for your input.

You are correct, ORION is a dedicated high speed research network.

Based on the fact that we access ORION via one of our ISPs (3rd party; we
don't BGP/directly peer with ORION), I'm not sure if I can use this solution
here. I could do that for the routes learned from that ISP, but we receive
the entire internet routing table from them… I'd have to understand things
more before I went down that road. Perhaps I shouldn't be accepting the full
table from them.

The localpref is something I'll look at, thanks for that. I'm not a BGP
expert by any stretch, and our requirements here are simple; we are not a
transit. I've only attempted to make the config safe, not efficient.


I'd like to hear what you have to say about the original question: is there
good reason in this day and age to drop traffic as described in the original
post, in your opinion?

-g



On Jan 7, 2011, at 1:15 PM, John Kristoff wrote:

 On Fri, 7 Jan 2011 12:40:32 -0500
 Greg Whynott greg.whyn...@oicr.on.ca wrote:

 we have multiple internet connections of which one is a research
 network where many medical institutions and universities are also
 connected throughout the country.  This research network (ORION)
 also has internet access but is not meant to be used as a primary
 path to the internet by its customers. Connected to the ORION
 network are many sites we exchange email with daily who also have
 multiple internet connections.   One of these sites is not reachable
 by us.   After investigating,  it was discovered this site is
 dropping our connections as the path back to us would use a
 different interface on the firewall ( a Fortinet device) than that
 which it arrived upon.

 Correct me if I'm wrong, I'm not very familiar with ORION, but if it's
 like some of the research networks in the U.S. have been built in the
 past, ORION is a dedicated high speed, low latency network that
 interconnects research institutions together.  The way these are often
 used is that you localpref routes you learn from ORION participants so
 that traffic between each of you goes over the research network.  You'd
 typically want this since the performance is good and there is plenty of
 capacity available, but it is also paid for, probably through some
 research grant, helping to reduce the use and expense of your commercial
 transit.

 You should be sending your traffic to them via ORION and they
 likewise.  However, if that path is down, then it would make sense for
 it to go via another route.  Hence, asymmetry may happen.

 Are you not sending the traffic via ORION?  If so, then I'd suggest you
 both have something to fix.  :-)

 John


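John's localpref suggestion, as an added illustration (this is not code from the thread and not any vendor's configuration): a small Python model of the BGP decision process with an inbound policy that raises LOCAL_PREF on routes heard over the research-network session. The prefixes, AS numbers and peer names are constructed placeholders from the documentation ranges, and the decision process is reduced to LOCAL_PREF then AS_PATH length. It walks the three states discussed above: one side with no policy returns traffic via transit even though the other side prefers ORION (the asymmetry that the far-end firewall is dropping), both sides with the policy, and the fallback to transit when the ORION path is withdrawn.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed example values: RFC 5737 documentation prefixes and RFC 5398
# documentation AS numbers. None of them come from the thread.
OUR_PREFIX = "192.0.2.0/24"       # our site
THEIR_PREFIX = "198.51.100.0/24"  # the university's site
AS_OURS, AS_THEIRS = 64496, 64497
AS_ORION, AS_ORION_HUB = 64498, 64501   # research network and an intermediate member
AS_TRANSIT_A, AS_TRANSIT_B = 64499, 64500


@dataclass(frozen=True)
class Route:
    """One BGP path for a prefix as learned from one neighbour."""
    prefix: str
    peer: str                  # session it was learned on: "orion", "transit-a", ...
    as_path: Tuple[int, ...]   # leftmost AS is the neighbour
    local_pref: int = 100      # BGP default


def apply_import_policy(route: Route, preferred_peers: Set[str], bumped_pref: int = 200) -> Route:
    """Inbound policy: routes heard on a research-network session get a higher
    LOCAL_PREF so they win best-path selection over the same prefix via transit."""
    if route.peer in preferred_peers:
        return Route(route.prefix, route.peer, route.as_path, bumped_pref)
    return route


def best_path(candidates: Iterable[Route]) -> Route:
    """Reduced BGP decision process: highest LOCAL_PREF, then shortest AS_PATH;
    the peer name stands in for the remaining tie-breakers so the result is
    deterministic."""
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path), r.peer))


class Rib:
    """Per-router table of received paths, import policy applied on receipt."""

    def __init__(self, preferred_peers: Set[str]) -> None:
        self.preferred = set(preferred_peers)
        self.paths: Dict[str, Dict[str, Route]] = {}

    def update(self, route: Route) -> None:
        accepted = apply_import_policy(route, self.preferred)
        self.paths.setdefault(accepted.prefix, {})[accepted.peer] = accepted

    def withdraw(self, prefix: str, peer: str) -> None:
        self.paths.get(prefix, {}).pop(peer, None)

    def best(self, prefix: str) -> Optional[Route]:
        candidates = self.paths.get(prefix)
        return best_path(candidates.values()) if candidates else None

    def egress_peer(self, prefix: str) -> Optional[str]:
        chosen = self.best(prefix)
        return chosen.peer if chosen else None


def build_scenario(their_side_prefers_orion: bool) -> Tuple[Rib, Rib]:
    """Both sites hear each other's prefix via ORION and via commodity transit.
    The ORION path is one AS longer here, so with no policy the shorter
    transit path wins on AS_PATH length alone."""
    ours = Rib(preferred_peers={"orion"})
    theirs = Rib(preferred_peers={"orion"} if their_side_prefers_orion else set())
    ours.update(Route(THEIR_PREFIX, "orion", (AS_ORION, AS_ORION_HUB, AS_THEIRS)))
    ours.update(Route(THEIR_PREFIX, "transit-a", (AS_TRANSIT_A, AS_THEIRS)))
    theirs.update(Route(OUR_PREFIX, "orion", (AS_ORION, AS_ORION_HUB, AS_OURS)))
    theirs.update(Route(OUR_PREFIX, "transit-b", (AS_TRANSIT_B, AS_OURS)))
    return ours, theirs


def flow_paths(ours: Rib, theirs: Rib) -> Tuple[Optional[str], Optional[str]]:
    """(peer we send to them through, peer they send to us through)."""
    return ours.egress_peer(THEIR_PREFIX), theirs.egress_peer(OUR_PREFIX)


def is_symmetric(ours: Rib, theirs: Rib) -> bool:
    """Both directions ride the same network only when both sides chose it."""
    forward, reverse = flow_paths(ours, theirs)
    return forward is not None and forward == reverse


def run_scenarios() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Drive the three states discussed in the thread and collect the paths."""
    results = {}
    ours, theirs = build_scenario(their_side_prefers_orion=False)
    results["their_side_no_policy"] = flow_paths(ours, theirs)
    ours, theirs = build_scenario(their_side_prefers_orion=True)
    results["both_prefer_orion"] = flow_paths(ours, theirs)
    ours.withdraw(THEIR_PREFIX, "orion")      # our ORION path to them goes away
    results["our_orion_path_withdrawn"] = flow_paths(ours, theirs)
    return results


if __name__ == "__main__":
    for name, paths in run_scenarios().items():
        print(f"{name}: forward via {paths[0]}, return via {paths[1]}")
```

The model makes John's two points visible at once: the policy has to exist on both ends for the research path to be used in both directions, and once either end loses its ORION path the fallback to transit makes the flow asymmetric by design, which is the case a firewall that insists on same-interface return traffic will drop.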



Re: asymmetric routes/security concerns/Fortinet

2011-01-07 Thread Greg Whynott
Thanks Ken,

Some good stuff there, thanks.

Since my original email, I think I've come up with a partial solution not
requiring the far end's involvement. If not, at least it would get us into
a better position to utilize the ORION network when possible. We peer over an
L2 tunnel with a router down in the States through one of our ISP's 10G links;
I'm going to see if ORION will do the same with us. This would allow us to
establish a BGP session directly with the ORION router, then I could use the
localpref options, which may help.

This problem is intermittent; most of the time things are fine. Doing the
above isn't going to help if path/route conditions change, but at least we'll
have done all we could within reason and have a proper config.

I didn't consider the reasons you mentioned related to 'fail fast'; that does
make a lot of sense. This is not the reason they claim this policy is in
place; it is for security reasons.

We access ORION via GTAnet; they are within/part of/something to do with the
UoT, and we are across the street.


take care,
greg






@Anthony Pardini t...@pardini.org
On Jan 7, 2011, at 2:45 PM, Anthony Pardini wrote:

 Firewalls aren't routers and pretty much all of them
 behave in a similar manner.



Oh! Thanks. 8)









On Jan 7, 2011, at 2:37 PM, Ken Chase wrote:

 It sounds like the target site has a possible misconfiguration if this is a
 long term issue. If they're using the open internet to get back to you and not
 ORION (when your packets arrived from ORION-based connection), then something
 is misconfigured or down. The problem is a conflict in the way BGP works and
 how people assume it works :) BGP is designed to get packets to where they
 want to go, not drop them if they're going the wrong way.





Re: Alleged backdoor in OpenBSD's IPSEC implementation.

2010-12-15 Thread Greg Whynott
Update: a hoax, it appears.

http://www.itworld.com/open-source/130820/openbsdfbi-allegations-denied-named-participant







Re: Over a decade of DDOS--any progress yet?

2010-12-09 Thread Greg Whynott


I found it funny how M$ started giving away virus/security software for its OS.
It can't fix the leaky roof, so it includes a roof patch kit (and puts about
10 companies out of business at the same time).


 Many Windows infections
 I've seen occur not due to the OS, but due to lack of patching of
 applications on the OS. The system does as much as it can.


Which applications are home users using that are exploited more than RPC and
friends?

-g





Re: Lightning Debates at NANOG 51

2010-12-07 Thread Greg Whynott

 Cooling: Raised floor vs. Underfloor


Forgive me, but what is the difference between raised floor and underfloor?



 Ethernet: 40GE vs. 100GE

People are debating which is better? Really?




 Optics: XFP vs. SFP+

?

Some interesting choices of things to debate.. are these serious debate
sessions or more for fun?









Re: Lightning Debates at NANOG 51

2010-12-07 Thread Greg Whynott

 Excuse me. Raised floor vs. overhead.

Ahh, that makes much more sense, thanks Tom.


 I'm sure someone has an opinion…

I suspect you are correct; not sure who would elect for the slower standard,
considering they hit the streets fairly close to each other and I can't see
there being a huge difference in cost, but I could be wrong. (The ISP I'm
connected to is running 100G now.)


 Optics: XFP vs. SFP+
 Maybe you have no idea on what XFP or SFP+ is because you've been running a 
 Gigabit based network and haven't made the jump to 10GE yet -

I've more 10G ports than you can shake a stick at actually… My '?' was again,
people debate this? As the bit rates are verbatim, the major difference on which
one would be chosen over the other, from my understanding, was distance to
endpoint.. but again I could be wrong… Wishing now I didn't send anything. 8)


-g







non operational question related to IP

2010-11-22 Thread Greg Whynott

I was pinging a host from a Windows machine and made a typo which seemed
harmless. The end result was it interpreted my input differently than what I
had intended. Thinking this was a M$ issue I quickly took the opportunity to
poke fun at Windows as the senior M$ admin was nearby.

"Look at how brain dead this OS is, it can't even do simple math!"

He is now looking at my screen scratching his head…

"Watch, I'll open a shell on OS X and show you how it can add 0 + 10."

I open a shell on OS X, same behavior as Windows.

"OK so Apple is brain dead too. Watch, it'll work on Linux!"

Same deal…


Long story short, it does work as expected on all our hardware routing gear.
Still not sure what is happening here…


osx-gwhynott:~ gwhynott$ ping 10.010.10.1
PING 10.010.10.1 (10.8.10.1): 56 data bytes


gwhyn...@ops:~$ ping 10.010.10.1
PING 10.010.10.1 (10.8.10.1) 56(84) bytes of data.


CORE1ping 10.010.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!


Anyone happen to know how the OSes are interpreting the 010? It doesn't appear
to work out in base[2-10] (1010,101,22,20,14,13,12,11,10,A)


thanks!

greg








Re: non operational question related to IP

2010-11-22 Thread Greg Whynott
Thanks guys. I should have paid more attention in school.

Interesting that Cisco understands what we meant. 8)


-g


On Nov 22, 2010, at 2:56 PM, Matlock, Kenneth L wrote:

 'Octal' (Base-8) :)

 The leading '0' is telling the box to interpret it as octal instead of
 decimal or hex.

 Ken Matlock
 Network Analyst
 Exempla Healthcare
 (303) 467-4671
 matlo...@exempla.org


 -Original Message-
 From: Greg Whynott [mailto:greg.whyn...@oicr.on.ca]
 Sent: Monday, November 22, 2010 12:53 PM
 To: nanog list
 Subject: non operational question related to IP


 i was pinging a host from a windows machine and made a typo which seemed
 harmless.  the end result was it interpreted my input differently than
 what I had intended.   thinking this was a m$ issue I quickly took the
 opportunity to poke fun at windows as the senior m$ admin was near by.

 look at how brain dead this os is,  it can't even do simple math!

 He is now looking at my screen scratching his head.

 watch,  i'll open a shell on os x and show you how it can add 0 +10

 I open a shell on os x,  same behavior as windows.

  ok so apple is brain dead too,  watch,  it'll work on linux!

 same deal...


 long story short,  it does work as expected on all our hardware routing
 gear.still not sure what is happening here...


 osx-gwhynott:~ gwhynott$ ping 10.010.10.1
 PING 10.010.10.1 (10.8.10.1): 56 data bytes


 gwhyn...@ops:~$ ping 10.010.10.1
 PING 10.010.10.1 (10.8.10.1) 56(84) bytes of data.


 CORE1ping 10.010.10.1
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
 !


 anyone happen to know how the OS's are interpreting the 010?   doesn't
 appear to work out in base[2-10] (1010,101,22,20,14,13,12,11,10,A)


 thanks!

 greg








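The octal explanation above is the whole story, but it has a security angle worth making concrete: the hosts in the thread parsed 10.010.10.1 as 10.8.10.1 while the Cisco router parsed the same string as 10.10.10.1, so one string named two different hosts depending on which parser saw it. Any string-level allow/deny check in front of a lenient parser can be bypassed the same way. What follows is an added example, not code from the thread: a Python re-implementation of the classic BSD/glibc inet_aton() grammar (octal, hex, decimal, 1 to 4 labels) next to a strict dotted-decimal parser, plus a classifier that flags strings the two disagree on. The function names, the 127.0.0.0/8 denylist and the sample strings other than the thread's own 10.010.10.1 are assumptions made for the demo.

```python
import ipaddress
import re
import socket

# Per-label rules of C strtoul(..., base 0): "0x" prefix -> hex, leading "0" -> octal,
# otherwise decimal. This is what inet_aton() on Linux/BSD applies to each label.
_DIGITS = {8: "01234567", 10: "0123456789", 16: "0123456789abcdefABCDEF"}

def _c_number(label):
    """Parse one dotted label the way inet_aton() does; None if it is not a clean number."""
    if label[:2].lower() == "0x":
        digits, base = label[2:], 16
    elif len(label) > 1 and label[0] == "0":
        digits, base = label[1:], 8
    else:
        digits, base = label, 10
    if not digits or any(c not in _DIGITS[base] for c in digits):
        return None            # e.g. "08": strtoul stops at '8' and inet_aton rejects the string
    return int(digits, base)

def inet_aton_lenient(text):
    """Re-implementation of the inet_aton() grammar: 1 to 4 labels, each octal/hex/decimal,
    the last label filling every remaining byte (so "127.1" is 127.0.0.1 and "2130706433"
    is also 127.0.0.1). Returns the address as an int, or None where inet_aton() fails."""
    labels = text.split(".")
    if not 1 <= len(labels) <= 4:
        return None
    values = [_c_number(label) for label in labels]
    if any(v is None for v in values):
        return None
    *head, last = values
    if any(v > 255 for v in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    return (addr << (8 * (4 - len(head)))) | last

# Canonical dotted-decimal only: four labels, 0-255, no leading zeros, no hex.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_STRICT = re.compile(r"(?:%s\.){3}%s" % (_OCTET, _OCTET))

def parse_strict(text):
    """Accept only the canonical spelling; returns the address as an int, else None."""
    if not _STRICT.fullmatch(text):
        return None
    addr = 0
    for label in text.split("."):
        addr = (addr << 8) | int(label)
    return addr

def to_dotted(addr):
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def classify(text):
    """'canonical' when both parsers agree, 'ambiguous' when inet_aton() accepts a
    non-canonical spelling (different software may disagree on the host it names),
    'invalid' when inet_aton() would reject it."""
    lenient = inet_aton_lenient(text)
    if lenient is None:
        return ("invalid", None)
    return ("canonical" if parse_strict(text) == lenient else "ambiguous", lenient)

def libc_agrees(text):
    """Cross-check against the platform's own inet_aton() (used by Python's socket.inet_aton)."""
    try:
        theirs = int.from_bytes(socket.inet_aton(text), "big")
    except OSError:
        theirs = None
    return inet_aton_lenient(text) == theirs

# The bypass: a string-level denylist in front of a lenient parser (assumed demo policy).
BLOCKED_NET = ipaddress.ip_network("127.0.0.0/8")

def string_denylist_blocks(text):
    """The broken pattern: inspect the user-supplied string, then hand the same string
    to connect()/ping, which parses it with inet_aton() rules."""
    return text.startswith("127.")

def host_actually_blocked(text):
    """The right pattern: resolve the string the way the socket layer will, then check."""
    addr = inet_aton_lenient(text)
    return addr is not None and ipaddress.ip_address(addr) in BLOCKED_NET

if __name__ == "__main__":
    for s in ("10.010.10.1", "10.10.10.1", "127.1", "0177.0.0.1", "0x7f.1", "2130706433", "10.08.10.1"):
        kind, addr = classify(s)
        shown = to_dotted(addr) if addr is not None else "-"
        print(f"{s:>12}  {kind:<9}  {shown:<12}  string-denylist={string_denylist_blocks(s)!s:<5}"
              f"  really-blocked={host_actually_blocked(s)}  libc-agrees={libc_agrees(s)}")
```

The practical rule this demonstrates: normalise first, decide second. Convert the string to an address with the same parser the consumer will use, then compare the resulting address against the policy; comparing strings, or parsing with one library and connecting with another, is how the 010 surprise becomes a filter bypass. Recent versions of Python's own ipaddress module reject leading zeros outright for exactly this reason.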



Re: IPv6 Space Management. Tracking, not Allocating

2010-11-17 Thread Greg Whynott
IPPlan does this fairly well for ipv4 space,  and they have recently added ipv6.

-g



On Nov 17, 2010, at 12:22 PM, chip wrote:

 There's been lots of discussion on how we should allocate space to various
 bits of the network.  What I haven't yet seen is how people are tracking
 these allocations.  Is everyone using one of the two or three commercial
 applications or some OSS solution or a few large(ish) text files?  Anyone
 have any recommendations or feedback?

 Thanks!

 --chip

 --
 Just my $.02, your mileage may vary,  batteries not included, etc

Gregory Whynott
Network Operations

Ontario Institute for Cancer Research
MaRS Centre, South Tower
101 College Street, Suite 800
Toronto, Ontario, Canada M5G 0A3
Tel: 647-294-2813
www.oicr.on.ca










Re: IPv6 Space Management. Tracking, not Allocating

2010-11-17 Thread Greg Whynott
good for you Mike,  for contributing.  thanks.
-g




 Open Source world - leaching off the good will and effort of the Open Source
 community, yet give nothing in return.

  then you would also want to grab
 the patch I posted to the bug tracker.  Enjoy, I do.

 --
 Mike Oliver, KT2T





AS path question.

2010-11-10 Thread Greg Whynott


Recently I adjusted the maxas-limit option on our router, logs started 
reporting routes being refused because the AS path is too long.   seems to work 
as expected.

when I looked at the logs I was a bit confused at what i was looking at...   
why is it there are multiple AS's in the path that appear to be the same AS?  I 
expected an AS path comprised of mostly unique ASs.

instead of this:

476330: Nov 10 14:55:07.247 EDT: %BGP-6-ASPATH: Long AS path 549 26677 6939 
21011 43022 43022 43022 43022 43022 47359 47359 47359 47359 47359 47359 47359 
47359 received from isp router: More than configured MAXAS-LIMIT



i expected it would look more like:

476330: Nov 10 14:55:07.247 EDT: %BGP-6-ASPATH: Long AS path 549 26677 6939 
21011 43022  47359 received from … .. .




thanks for your time again,
greg









Re: AS path question.

2010-11-10 Thread Greg Whynott
thanks all,  this makes sense now. and i just showed the internet how 
ignorant I am…


i have my maxas-limit set to 10 based on an article I was reading.  perhaps I 
should up that a bit.

what sort of problems are associated with overly long AS paths?   is it more of a 
system resource control setting?

-g



On Nov 10, 2010, at 3:31 PM, Nick Olsen wrote:

They are prepending routes.
Looks like both 43022 are prepending, As well as 47359...Multiple times... They 
do this to make that route look bad so it comes in other transit they have.

Nick Olsen
Network Operations
(855) FLSPEED  x106




From: Greg Whynott greg.whyn...@oicr.on.ca
Sent: Wednesday, November 10, 2010 3:23 PM
To: nanog@nanog.org list
Subject: AS path question.



Recently I adjusted the maxas-limit option on our router, logs started 
reporting routes being refused because the AS path is too long. seems to work as 
expected.

when I looked at the logs I was a bit confused at what i was looking at... why 
is it there are multiple AS's in the path that appear to be the same AS? I 
expected an AS path comprised of mostly unique ASs.

instead of this:

476330: Nov 10 14:55:07.247 EDT: %BGP-6-ASPATH: Long AS path 549 26677 6939 
21011 43022 43022 43022 43022 43022 47359 47359 47359 47359 47359 47359 47359 
47359 received from isp router: More than configured MAXAS-LIMIT



i expected it would look more like:

476330: Nov 10 14:55:07.247 EDT: %BGP-6-ASPATH: Long AS path 549 26677 6939 
21011 43022 47359 received from … .. .




thanks for your time again,
greg






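Nick's answer (the repeated ASNs are prepending) and Greg's follow-up about maxas-limit suggest a small tool. The following is an added example, not code from the thread: a parser for %BGP-6-ASPATH log lines that collapses consecutive repeats so you can see the path the way Greg expected it, counts how many copies each AS prepended, distinguishes prepending (consecutive repeats) from a genuine loop (an AS reappearing after a different AS), and checks a path against a candidate maxas-limit by counting every hop including prepended copies, which is evidently how the router counted, since the 17-hop path in the log was refused at a limit of 10. The first log line is the one quoted in the thread; the second and third lines, the private-range ASNs in them and all function names are constructed for the demo.

```python
import re
from typing import NamedTuple

# Constructed sample in the IOS %BGP-6-ASPATH format. The first line is the one from the
# thread; the other two are made up (64500-64507 are private-use ASNs).
SAMPLE_LOG = """\
476330: Nov 10 14:55:07.247 EDT: %BGP-6-ASPATH: Long AS path 549 26677 6939 21011 43022 43022 43022 43022 43022 47359 47359 47359 47359 47359 47359 47359 47359 received from isp router: More than configured MAXAS-LIMIT
476331: Nov 10 14:55:09.101 EDT: %BGP-6-ASPATH: Long AS path 549 26677 6939 64500 64501 64500 64502 64503 64504 64505 64506 64507 received from isp router: More than configured MAXAS-LIMIT
476332: Nov 10 14:55:11.533 EDT: %SYS-5-CONFIG_I: Configured from console by vty0
"""

_ASPATH_RE = re.compile(
    r"%BGP-6-ASPATH: Long AS path ((?:\d+ )+)received from (.+?): More than configured MAXAS-LIMIT"
)

class PathSummary(NamedTuple):
    peer: str          # neighbour the path was received from
    raw: tuple         # hops exactly as logged, prepended copies included
    collapsed: tuple   # consecutive repeats removed
    prepends: dict     # AS -> number of extra consecutive copies

def collapse(raw):
    """Drop consecutive duplicates: 43022 43022 43022 becomes a single 43022."""
    out = []
    for asn in raw:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)

def count_prepends(raw):
    """Extra consecutive copies per AS, i.e. what an operator added to deprefer the path."""
    extra = {}
    for i in range(1, len(raw)):
        if raw[i] == raw[i - 1]:
            extra[raw[i]] = extra.get(raw[i], 0) + 1
    return extra

def has_loop(raw):
    """True when an AS reappears after a different AS intervened. That is not prepending
    but a loop or leak, and a BGP speaker should refuse such a path regardless of length."""
    collapsed = collapse(raw)
    return len(set(collapsed)) != len(collapsed)

def summarize(raw, peer=""):
    raw = tuple(raw)
    return PathSummary(peer, raw, collapse(raw), count_prepends(raw))

def parse_aspath_log(text):
    """Return a PathSummary for every MAXAS-LIMIT rejection in a syslog excerpt."""
    found = []
    for line in text.splitlines():
        match = _ASPATH_RE.search(line)
        if match:
            hops = (int(x) for x in match.group(1).split())
            found.append(summarize(hops, match.group(2)))
    return found

def exceeds_maxas(summary, maxas_limit):
    """maxas-limit is compared against the full logged hop count, prepends included."""
    return len(summary.raw) > maxas_limit

if __name__ == "__main__":
    for s in parse_aspath_log(SAMPLE_LOG):
        print(f"from {s.peer}: {len(s.raw)} hops, {len(s.collapsed)} distinct, "
              f"prepends={s.prepends}, loop={has_loop(s.raw)}, "
              f"over limit 10={exceeds_maxas(s, 10)}, over limit 20={exceeds_maxas(s, 20)}")
```

Running this over a day of logs answers Greg's second question empirically: if nearly every refused path is a handful of unique ASes padded out by prepending, the limit is simply set below what the real Internet produces and is dropping legitimate routes, whereas paths that trip has_loop() are the ones worth refusing on principle.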


Re: OT: VM slicing and dicing

2010-11-09 Thread Greg Whynott
if you are using KVM (or even VMware) and you can write shell scripts,  you can 
do this in house. Both have the ability to create VMs from the command line. 
  in KVM you can create a VM with a one liner.

-g



On Nov 9, 2010, at 11:17 AM, Brandon Kim wrote:


 Hey gents:

 As always I value your input. Best resource on the planet! =)
 I'm hoping this isn't too off-topic if so please respond to me offline if so.

 I figured since most of everyone here are operators working in a datacenter, 
 you may or may
 not have experience with virtualization software that allows you to configure 
 VM's on the fly.

 I'm not looking for companies that offer this service, but the actual 
 software engines that allow you
 to create VM's on the fly. So a customer goes to your website and says I want 
 Win2008 with 8gigs of RAM and 120gigs of HDD.
 Just like custom configuring a new PC.

 Does anyone here have experience or knowledge of companies that offer this 
 type of software engine?

 Thanks in advance!

 Brandon







Re: VM slicing and dicing

2010-11-09 Thread Greg Whynott
no copper cables, 10G and FC is all you need to deploy images.  8)
-g



On Nov 9, 2010, at 11:38 AM, Holmes,David A wrote:

 We've been looking at Cisco's Unified Computing System (UCS) blade
 server, which appears to have great potential. Very fast, and eliminates
 almost all top-of-rack copper cabling from servers to top-of-rack
 switch. Custom-built for VMWare optimization, but other virtualization
 OS's will run also from what I have read. Ten GiGE and FCoE are the
 entry points at the server access layer.

 -Original Message-
 From: Brandon Kim [mailto:brandon@brandontek.com]
 Sent: Tuesday, November 09, 2010 8:18 AM
 To: nanog group
 Subject: OT: VM slicing and dicing


 Hey gents:

 As always I value your input. Best resource on the planet! =)
 I'm hoping this isn't too off-topic if so please respond to me offline
 if so.

 I figured since most of everyone here are operators working in a
 datacenter, you may or may
 not have experience with virtualization software that allows you to
 configure VM's on the fly.

 I'm not looking for companies that offer this service, but the actual
 software engines that allow you
 to create VM's on the fly. So a customer goes to your website and says I
 want Win2008 with 8gigs of RAM and 120gigs of HDD.
 Just like custom configuring a new PC.

 Does anyone here have experience or knowledge of companies that offer
 this type of software engine?

 Thanks in advance!

 Brandon








Token ring? topic hijack: was Re: Mystery open source switching

2010-11-01 Thread Greg Whynott
off topic…

you recently converted from token ring to ethernet?   i had no idea there were 
still token ring networks out there,  or am i living in a bubble?

-g


On Oct 31, 2010, at 9:07 PM, Paul WALL wrote:

 I don't know what the big deal is.  I've rolled at least 20 of these
 switches into my network, and not only are they more stable than the
 Centillion switches that they replaced, they only cost half as much.
 Most of the money I dropped was on converting my stations from token
 ring to ethernet.


 On Sun, Oct 31, 2010 at 6:59 PM, bas kilo...@gmail.com wrote:
 Hi,

 On Sat, Oct 30, 2010 at 11:26 PM, Kevin Oberman ober...@es.net wrote:
 I might also mention that I received private SPAM from a name we all
 know and loath. (Hint: He's been banned from NANOG for VERY good
 reason and his name is of French derivation.) I just added a filter to
 block any mail mentioning pica8 and will see no more of this thread or
 their spam.

 Same here.
 He harvests email addresses from peeringdb. (I have slight typo's in
 my peeringdb record to recognize harvested spams.)

 Bas








RE: BGP support on ASA5585-X

2010-10-29 Thread Greg Whynott
probably going out on a limb here,  but i suspect you'll never see BGP support 
in any of Cisco's firewall products.  In routers which have FW bits included,  
yes,  but not in an ASA product.

perhaps the marketing thinking is 'if you can afford an asa 558x, you can 
afford one of our fine router products too.'

-g




From: srg [srgqwe...@gmail.com]
Sent: Friday, October 29, 2010 1:42 PM
To: nanog@nanog.org
Subject: BGP support on ASA5585-X

Hi:

At this moment we know that ASA5585-X does not support BGP.

Does anybody know if BGP support in the ASA5585-X is in roadmap?
More precisely... MP-BGP support in the ASA5585-X?
Any oficial link in the Cisco website about this? (I did't find it)

Thanks a lot and best regards






Re: How to have open more than 65k concurrent connections?

2010-10-14 Thread Greg Whynott
this has nothing to do with ports. As others have said,  think of a web 
server.  httpd listens on tcp80 (maybe 443 too) and all the facebookers on 
earth hit that port.  could be hundreds of thousands,  and only one port. 
Available memory and open files will be the limiting factor as to how many 
established connections you can maintain with one host,  providing there are 
not any external limitations such as port speed.



On Oct 14, 2010, at 12:42 PM, D'Arcy J.M. Cain wrote:

 Hint:  That gives you 65K connections *per interface*.  You can listen
 on more than one interface.





Re: Hey Leber - you think Melissa is going to issue that refund properly or do we need to escalate this into legal actions against HE

2010-10-12 Thread Greg Whynott
its sad that the list apparently has become a sounding board for these 
'operators' who think others care about their plights and opinions which have 
nothing to do with L1/2/3 issues.

*i'm taking my ball and going home!*

-g



On Oct 12, 2010, at 12:44 PM, Kevin Oberman wrote:

 Pardon me, but did I miss the announcement of Whine on NANOG day?







Re: Facebook down!! Alert!

2010-10-06 Thread Greg Whynott
Especially for Facebook alerts.. You are propagating a false perception 
that everyone cares.

-g



On Oct 6, 2010, at 2:20 PM, christian koch wrote:

 +1
 
 
 
 On Wed, Oct 6, 2010 at 12:57 AM, Zaid Ali z...@zaidali.com wrote:
 
 I think the Outages mailing list is more appropriate for this.
 
 
 On 10/5/10 9:46 PM, Mike Lyon mike.l...@gmail.com wrote:
 
 Same here in SF Bay Area
 
 On Tue, Oct 5, 2010 at 9:44 PM, James Smith ja...@smithwaysecurity.com
 wrote:
 
 At 1:20am here in Canada, NB our networks are showing that facebook is
 down.
 Please confirm in the USA.
 
 
 
 ~SmithwaySecurity
 
 Sent from my iPhone
 
 
 
 
 
 




Re: Facebook down!! Alert!

2010-10-06 Thread Greg Whynott

 just because you don't want to play facebook games doesn't make a facebook 
 outage any less operationally relevant than, say, an akamai or limelight 
 outage.



IMO which may be way off base,   when akamai goes off the air,  people lose 
potential sales/revenue.   when facebook goes off the air,   a greater number 
of companies become more efficient than those who suffer productivity loss.

  yes,  it is worth mention,  but elsewhere,  like twitter or on your wall.  

-g






Re: Rough cost for monitoring

2010-10-05 Thread Greg Whynott
get a VAR involved,  it'll be more efficient and accurate than asking here.   
things change weekly.

-g



On Oct 5, 2010, at 10:25 AM, Eric Gauthier wrote:

 Heya,
 
 I'm trying to quickly pull together some very rough
 budget numbers for purchasing a full monitoring
 system (network, server, security, facilities).  Is
 there a source for rough unit costs?  If not, does
 anyone have recent RFI pricing that they'd be willing
 to share?
 
 Eric :0
 




Re: Anyone can share the Network card experience

2010-10-05 Thread Greg Whynott
the question of which is better,  onboard vs. plug-in, would in part be 
determined by the type (make/model) of motherboard you are speaking of.   How 
they have IRQs allocated (which is something you may be able to adjust),  where 
it is attached to the bus etc…   Also,  what comes with the main board is what 
you get.   You can purchase option NICs with extra processors  (TOE for 
example) which offload your main CPU.


For 10Gbit we use Intel cards for production service machines,  and 
ConnectX/Intel in the HPC cluster.


-g



On Oct 5, 2010, at 10:01 AM, Deric Kwok wrote:

 Hi
 
 Anyone can share the Network card experience
 
 ls onborad PCI Expresscard better or Plug in slot PCI Express card good?
 
 How are their performance in Gig transfer rate?
 
 Thank you so much
 




Re: Anyone can share the Network card experience

2010-10-05 Thread Greg Whynott
Hi,

most of our traffic is heading directly into memory,  not hitting the local 
disks,  on the HPC end of things.   Our file servers are feeding the network 
with around 24 x 10Gbit   (active/active clusters),  and regularly run at over 
80 percent on all ports during runs..   this is all HPC / file movement 
traffic.   we have instruments which generate over 6TB of data per run,  every 
3 days,  7/365.  we have about 20 of these instruments.  so most of the 
data on 10Gbit is indeed static,  or to/from a file server to/from HPC 
clusters.  

 iSCSI we run on its own network hardware,  autonomous from the 'data' network. 
  its not in wide deployment here,  only the file server is connected via 
10Gbit,  the hosts using iSCSI (predominantly KVM and VMware clusters) are 
being fed over multiple 1Gbit links for their iSCSI requirements.

Our external internet servers are connected to the internet via 1Gbit links,  
not 10Gbit,  but apparently that is coming next year.  The type of traffic 
they'll see will not be very chatty/interactive.  it'll be researchers 
downloading data sets ranging in size from a few hundred megs, to a few TB..  

take care,
-g






On Oct 5, 2010, at 10:59 AM, Heath Jones wrote:

 For 10Gbit we use Intel cards for production service machines,  and 
 ConnectX/Intel in the HPC cluster.
 
 Greg - I've not been exposed to 10G on the server side..
 Does the server handle the traffic load well (even with offloading) -
 that's a LOT of web requests / app queries per second!
 
 Or are you using 10G mainly for iSCSI / file serving / static content?
 
 Cheers




do you use SPF TXT RRs? (RFC4408)

2010-10-04 Thread Greg Whynott

A partner had a security audit done on their site.  The report said they were 
at risk of a DoS due to the fact they didn't have an SPF record.   

I commented to his team that the SPF idea has yet to see anything near mass 
deployment and of the millions of emails leaving our environment yearly,  I 
doubt any of them have ever been dropped due to us not having an SPF record in 
our DNS.  When a client's email doesn't arrive somewhere,  we will hear about 
it quickly,  and its investigated/reported upon.  I'm not opposed to 
putting one in our DNS,  and probably will now - for completeness/best practice 
sake..  


how many of you are using SPF records?  Do you have an opinion on their use or 
non-use?

take care,
greg
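For readers who, like Greg, are adding a record "for completeness", here is what a receiving MTA actually does with it. This is an added example, not part of the original post: a minimal SPF (RFC 4408) evaluator that parses a v=spf1 TXT string and checks the connecting IP against its ip4, ip6 and all mechanisms, first match wins. The record string uses documentation prefixes and is constructed for the demo; the function names are assumptions; mechanisms that require DNS lookups (include, a, mx, ptr, exists) are deliberately not implemented and raise rather than being silently skipped, because skipping a mechanism silently is how an evaluator ends up passing mail it should have failed.

```python
import ipaddress

# Constructed v=spf1 record for the demo (RFC 5737/3849 documentation prefixes; no real domain).
CONSTRUCTED_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"include", "a", "mx", "ptr", "exists"}

def parse_spf(record):
    """Split a v=spf1 TXT string into (result_if_matched, mechanism, argument) terms.
    Modifiers such as redirect= and exp= are recognised and skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:                      # modifier, e.g. redirect=_spf.example.net
            continue
        qualifier = "+"                      # RFC 4408: a missing qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        parsed.append((QUALIFIERS[qualifier], name.lower(), argument))
    return parsed

def check_host(sender_ip, record):
    """Evaluate the connecting IP against the record; the first matching mechanism
    decides. No match and no redirect yields 'neutral' (RFC 4408 section 4.7)."""
    ip = ipaddress.ip_address(sender_ip)
    for result, mechanism, argument in parse_spf(record):
        if mechanism == "all":               # "all" always matches
            return result
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"           # malformed address or prefix length
            if network.version == ip.version and ip in network:
                return result
            continue
        if mechanism in NEEDS_DNS:
            raise NotImplementedError(f"{mechanism}: needs DNS lookups, not evaluated here")
        return "permerror"                   # unknown mechanism name
    return "neutral"

def smtp_action(result):
    """One common receiving policy: refuse hard fails during the SMTP transaction so
    no bounce is ever generated. A bounce sent to a forged sender address is the
    backscatter that makes a domain without SPF an attractive thing to forge."""
    return {"fail": "reject", "softfail": "accept-and-mark",
            "permerror": "accept-and-mark"}.get(result, "accept")

if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.25", "198.51.100.26", "2001:db8:1::5", "203.0.113.9"):
        result = check_host(ip, CONSTRUCTED_RECORD)
        print(f"{ip:>16}  {result:<8}  {smtp_action(result)}")
```

Two things the code makes visible that the thread only implies. First, SPF protects the receiver, not the publisher: a record only changes anything at sites that evaluate it, so its value to you is that other people's mail servers stop generating bounces in your name. Second, the result depends entirely on which mechanisms the evaluator implements; a production evaluator must also follow include and redirect, enforce the ten-lookup limit, and treat anything it cannot resolve as an error, not a pass.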








Re: do you use SPF TXT RRs? (RFC4408)

2010-10-04 Thread Greg Whynott
i think it was an observation they made,  and suggestions to make things 
better.   I don't think the message was fix this or you'll be off the air one 
day..   

  if they have a 56k port speed(stuck in the 80's),  there is potential there 
for a DoS from a large volume of spam backscatter..  8)  

  over all,  I'm inclined to accept your assumptions.   

-g


On Oct 4, 2010, at 2:38 PM, Suresh Ramasubramanian wrote:

 On Mon, Oct 4, 2010 at 12:47 PM, Greg Whynott greg.whyn...@oicr.on.ca wrote:
 
 A partner had a security audit done on their site.  The report said they 
 were at risk of a DoS due to the fact they didn't have an SPF record.
 
 This is pure unadulterated BS from someone who doesn't understand
 either DDOS mitigation, or SPF .. or more likely both.
 
 -- 
 Suresh Ramasubramanian (ops.li...@gmail.com)




Re: Facebook Issues/Outage in Southeast?

2010-09-23 Thread Greg Whynott
productivity in NA just skyrocketed!

-g


On Sep 23, 2010, at 3:39 PM, Ernie Rubi wrote:

 Anyone else having trouble? We're colo'ed at the NOTA in Miami and directly 
 peer with them - even though our session hasn't gone down we still can't 
 reach them.
 
 Ernesto M. Rubi
 Sr. Network Engineer
 AMPATH/CIARA
 Florida International Univ, Miami
 Reply-to: erne...@cs.fiu.edu
 Cell: 786-282-6783
 
 
 
 




ip block history.

2010-09-14 Thread Greg Whynott
probably an odd question …

we have been assigned a few large blocks of IPs,  and while configuring BGP i 
got to wondering what these block's history might be.  who had them in the 
past,etc..


is there a publicly accessible db or similar which tracks that type of 
information,  or is that a liability concern?

thanks!
greg






Re: ip block history.

2010-09-14 Thread Greg Whynott
that will show past whois records or just current?  I didn't see any options 
for historic records on arin, 

thanks by the way.

-g



On Sep 14, 2010, at 4:56 PM, Murphy, Jay, DOH wrote:

 www.Whois.net; whois.arin.net, etc.
 
 ~Jay Murphy 
 IP Network Specialist
 NM State Government
 We move the information that moves your world. 
 “Good engineering demands that we understand what we’re doing and why, keep 
 an open mind, and learn from experience.”
 “Engineering is about finding the sweet spot between what's solvable and what 
 isn't.
   Radia Perlman
  Please consider the environment before printing e-mail
 
 -Original Message-
 From: Greg Whynott [mailto:greg.whyn...@oicr.on.ca] 
 Sent: Tuesday, September 14, 2010 2:52 PM
 To: nanog@nanog.org list
 Subject: ip block history.
 
 probably an odd question …
 
 we have been assigned a few large blocks of IPs,  and while configuring BGP i 
 got to wondering what these block's history might be.  who had them in the 
 past,etc..
 
 
 is there a publicly accessible db or similar which tracks that type of 
 information,  or is that a liability concern?
 
 thanks!
 greg
 
 
 
 
 
 
 Confidentiality Notice: This e-mail, including all attachments is for the 
 sole use of the intended recipient(s) and may contain confidential and 
 privileged information. Any unauthorized review, use, disclosure or 
 distribution is prohibited unless specifically provided under the New Mexico 
 Inspection of Public Records Act. If you are not the intended recipient, 
 please contact the sender and destroy all copies of this message. -- This 
 email has been scanned by the Sybari - Antigen Email System. 
 
 
 



Re: ip block history.

2010-09-14 Thread Greg Whynott
Thanks for the pointers Joel!
google knows all,  scary isn't it?

-g


On Sep 14, 2010, at 5:01 PM, Joel Jaeggli wrote:

 assuming the whois data has been cleaned up the next resource to look at
 is:
 
 routeviews or ris table dumps to see where or if it was advertised in
 the past, and from where.
 
 google and rbl lists are also worth querying in that context.
 
 joel
 
 On 9/14/10 1:51 PM, Greg Whynott wrote:
 probably an odd question …
 
 we have been assigned a few large blocks of IPs,  and while configuring BGP 
 i got to wondering what these block's history might be.  who had them in the 
 past,etc..
 
 
 is there a publicly accessible db or similar which tracks that type of 
 information,  or is that a liability concern?
 
 thanks!
 greg
 
 
 
 
 
 




Re: iPhone updates and required bandwidth

2010-08-18 Thread Greg Whynott
I set up an OS X server which hosts updates for the rest of the company,  so 
the OS X client machines poll/pull updates from the internal machine as opposed 
to 100 of them pulling the same updates over the internet.  saves bucketloads 
of bandwidth and  you can pre-OK individual packages,  so the client just 
updates without prompting.   I'm not sure but I suspect they might have 
something which allows their other devices to poll this same source.  it would 
seem reasonable anyway..  

probably not a very useful answer but there it is.  8)


-g


On Aug 18, 2010, at 2:54 PM, JoeSox wrote:

 Am I the only one that gets ticked off at the Apple iPhone update
 procedure and the amount of bandwidth it needs?
 Is there any secret I am missing to cut down on the required bandwidth
 needed for it (caching the update somewhere etc)?  I don't own an
 iPhone (DroidX user here) and am unfamiliar with the update, all I
 know is it uses tons of BW.
 
 
 --
 Thanks, Joe
 




Re: iPhone updates and required bandwidth

2010-08-18 Thread Greg Whynott
sorry Joe if i wasn't clear,  what i was trying to say is I know there is a 
solution to address the bandwidth issue caused by updates for OS X machines,   
I am unsure if they have a similar solution for their handheld devices. I 
am assuming they do or soon will.   I'm on the road right now,  when I return 
to the office I'll take a look at the OS X update server and see if there is 
any provisions for the iPhones and friends.  

perhaps a squid caching server in-between the device network and internet?
back in the day this is how i mitigated other many to one client update issues.

-g




On Aug 18, 2010, at 3:07 PM, JoeSox wrote:

 Interesting.
 Do you have to configure the iPhone devices or just use its standard settings?
 
 --
 Thanks, Joe
 
 
 On Wed, Aug 18, 2010 at 12:03 PM, Greg Whynott greg.whyn...@oicr.on.ca 
 wrote:
 I set up an OS X server which hosts updates for the rest of the company,  so 
 the OS X client machines poll/pull updates from the internal machine as 
 opposed to 100 of them pulling the same updates over the internet.  saves 
 bucketloads of bandwidth and  you can pre-OK individual packages,  so the 
 client just updates without prompting.   I'm not sure but I suspect they 
 might have something which allows their other devices to poll this same 
 source.  it would seem reasonable anyway..
 
 probably not a very useful answer but there it is.  8)
 
 
 -g
 
 
 On Aug 18, 2010, at 2:54 PM, JoeSox wrote:
 
 Am I the only one that gets ticked off at the Apple iPhone update
 procedure and the amount of bandwidth it needs?
 Is there any secret I am missing to cut down on the required bandwidth
 needed for it (caching the update somewhere etc)?  I don't own an
 iPhone (DroidX user here) and am unfamiliar with the update, all I
 know is it uses tons of BW.
 
 
 --
 Thanks, Joe
 
 
 
 




Re: Lightly used IP addresses

2010-08-13 Thread Greg Whynott
how does ARIN or whomever deal with similar situations where someone is 
advertising un-allocated,  un-assigned by ARIN IP space in NA?   do they have a 
deal/agreement with the 'backbone' providers?  

-g



 
 
 6.ARIN receives a fraud/abuse complaint that A's space is being used by B.
 7.ARIN discovers that A is no longer using the space in accordance with 
 their RSA
 8.ARIN reclaims the space and A and B are left to figure out who owes 
 what to whom.
 
 




Re: Lightly used IP addresses

2010-08-13 Thread Greg Whynott
 
 
 I would consider a transit provider who subverted an ARIN revocation to be 
 disreputable, and seek other sources of transit.

easy to say,  but the reality is you may choose not to do so due to logistical,  
monetary or management/boss  reasons which trumps your constitutionally 
balanced nature.

  If someone who was downstream  from this provider in a similar situation, I'd 
say there is a stronger propensity for them to not 'do the right thing'.   
which by the way isn't a law,  so who says it's right?   it's a set of 
guidelines a group of folks put together.


-g





RE: Lightly used IP addresses

2010-08-13 Thread Greg Whynott
I agree with you. The context around my statement is if the downstream 
believed or has some validity to a claim that they are being unjustly treated 
or over sighted by ARIN (or others).   it wasn't about procuring blocks from a 
criminal,  rather when ARIN says you are no longer entitled to the blocks they 
assigned the downstream customer,  who believes they are.   

I'm not against ARIN,  I think they have good intentions.  I'd like to think so 
anyway.  

take care and have a great weekend,
greg





From: Jared Mauch [ja...@puck.nether.net]
Sent: Friday, August 13, 2010 5:00 PM
To: Greg Whynott
Cc: Nathan Eisenberg; nanog@nanog.org
Subject: Re: Lightly used IP addresses

I know of several large providers that would stop routing such rogue space.

Any provider that isn't prepared to deal with such a possible customer threat 
or problem you don't want to be associating with. They likely harbor other 
badness as well.

It may take some time to catch up to them but we have seen more of these rogue 
elements end up with people refusing to sell to them or law enforcement taking 
some action.

If your management does not realize they are buying from possible criminals, 
you get what you pay for.

I've found a number of cases where providers are actually doing MITM and 
stealing SIP credentials for fraud. Make sure you actually have good controls 
and communication for when things hit the fan.

Jared Mauch

On Aug 13, 2010, at 3:00 PM, Greg Whynott greg.whyn...@oicr.on.ca wrote:



 I would consider a transit provider who subverted an ARIN revocation to be 
 disreputable, and seek other sources of transit.

 easy to say, but the reality is you may choose not to do so due to 
 logistical, monetary or management/boss reasons, which trump your 
 constitutionally balanced nature.

 If someone who was downstream from this provider were in a similar situation, 
 I'd say there is a stronger propensity for them to not 'do the right thing', 
 which by the way isn't a law, so who says it's right? It's a set of 
 guidelines a group of folks put together.


 -g






Re: Proxy Server

2010-08-05 Thread Greg Whynott
I am fairly sure Squid has the concept of bandwidth pools which you can apply 
via ACLs within the squid conf.
That may meet your proxy requirements but would not help with traffic not being 
proxied.

Squid will also allow you to define access to the inet based on ACLs which can 
use various things to determine which policy will be applied to the connection, 
e.g. client src IP, client username, time of day, regex…

you may find it here:

http://www.squid-cache.org/



-g




On Aug 5, 2010, at 2:45 PM, Joshua William Klubi wrote:

 Hi,
 
 Is there any one with an idea of an open source packeteer or bandwidth
 management solution like Allot NetEnforcer Bandwidth Management Appliance.
 Which can do proxy services and also allocate bandwidth to certain websites
 and staff, prevent them from viewing certain websites
 We currently have Microsoft TMG 2010 with GFI Web monitor 2009 installed on
 it, we are looking for a solution possible from open source.Which can
 replace it.
 
 I actually  want it as a proxy server and use it to shape, allocate and
 restrict access to certain websites of our staff.
 Joshua
 (Ghana)




Re: Appliance Vs Software based routers

2010-08-04 Thread Greg Whynott
it works, I see folks creating networks of hosts under ESXi protected by an 
ASA instance.. not for production. I'm sure it's not legal but Cisco doesn't 
seem to have a strong stand on it, I'd think as long as you are using it for 
educational use and not commercial, they may not care a whole bunch.

What you cannot do while emulating ASA is use encryption, no VPNs or 
otherwise. This is due to the fact the ASA units use hardware encryption; when 
the OS makes calls to the controller, it isn't there..

-g




On Aug 4, 2010, at 9:53 AM, Xavier Beaudouin wrote:

 
 Le 4 août 2010 à 15:14, Mirko Maffioli a écrit :
 
 2010/7/25 Laurens Vets laur...@daemon.be:
 
 Cisco PIX: no, Cisco ASA: yes. It even runs under VMware...  It's however
 very hackish... :)
 
 Cisco ASA under VMware?? :|
 
 CiscoASA is based on x86, there is no reasons you cannot run this into VMWare 
 or Xen...
 
 Xavier




Re: Appliance Vs Software based routers

2010-08-04 Thread Greg Whynott
GNS is just a front end for dynamips/qemu. ASA will run under qemu without 
the use of extra wrappers/tools. It will run natively under VMware too. ASA 
is basically an application running above a Linux kernel. I forget what the 
internal name is, lisa or similar…

-g



On Aug 4, 2010, at 10:56 AM, Mike Walter wrote:

 I assume the ASA's don't run natively on VMware or Xen, I assume you have to 
 use something like GNS3.  I think that would be fine for testing, but in real 
 world production running an ASA on GNS3 under an another OS seems like a bad 
 idea.  I hope Cisco will come out with Virtual Appliances for some of their 
 products like they did for the Nexus 1000V.
 
 -Mike
 
 
 -Original Message-
 From: Daryl G. Jurbala [mailto:da...@introspect.net] 
 Sent: Wednesday, August 04, 2010 10:54 AM
 To: Xavier Beaudouin
 Cc: nanog
 Subject: Re: Appliance Vs Software based routers
 
 On Aug 4, 2010, at 9:53 AM, Xavier Beaudouin wrote:
 
 
 Le 4 août 2010 à 15:14, Mirko Maffioli a écrit :
 
 2010/7/25 Laurens Vets laur...@daemon.be:
 
 Cisco PIX: no, Cisco ASA: yes. It even runs under VMware...  It's however
 very hackish... :)
 
 Cisco ASA under VMware?? :|
 
 CiscoASA is based on x86, there is no reasons you cannot run this into 
 VMWare or Xen...
 
 If that were the only qualification, PIX builds for the 515s would run under 
 VMWare or XEN as well.  Maybe they do, but I've never seen it.
 




virtual switches

2010-07-16 Thread Greg Whynott
Cisco has VSS (on 6500 class) and H3C has IRF;   allowing you to virtualize 2 
or more physical switches/routers in an active/active configuration where you 
can use all links and terminate LACP aggregates between the two devices.   Is 
anyone using this or similar technology from another vendor?   any 
recommendations or comments would be appreciated.  thanks very much for your 
time!

-g





Re: Vyatta as a BRAS

2010-07-13 Thread Greg Whynott
 
 
 They are all software based, no matter who builds them.  Cisco IOS, 
 Juniper JunOS, etc.

controlling hardware ASICs and FPGAs.

-g





Re: Advice regarding Cisco/Juniper/HP

2010-06-30 Thread Greg Whynott

On Jun 30, 2010, at 12:07 PM, George Bonser wrote:
  if I want to
 know which vlans a port is in, you look at the port config and there it
 is.  Other gear you need to look through each vlan configuration and
 note which vlans the port appears in and hope you don't overlook one.

or become familiar with some basic commands, which is after all, our job... 
on HP: show port vlan e1, which will show you all the VLANs port E1 is a 
member of..

I like Cisco, but I think the HP way is more logical and less prone to error. 
A previous poster gave an excellent example, I burnt myself not adding the 
'add' to a trunk config on our Cisco switches. I went over the magical number 
(and I've no idea why you need to use another argument when you pass some 
threshold, it seems redundant and silly) of VLANs and took out about 7 
departments till I realized what I had done. Thankfully you only need to do 
this once to learn.

The trunking is more logical on HP config wise too, there is a line in the 
config which shows all the members and trunk type, on one line.

Not being able to issue commands while in config mode (without the 'do') is 
annoying as hell too.. it's like not being able to do anything on a Unix box 
while you are root without being asked 'are you sure' every time you hit 
carriage return.

The biggest thing I don't like about the HP CLI is the lack of regex or the 
ability to string a few together on one line. Some models have it, others 
don't. That would be the second issue, the lack of consistency between 
devices. Cisco owns that one.




-g







Re: Advice regarding Cisco/Juniper/HP

2010-06-30 Thread Greg Whynott

On Jun 30, 2010, at 4:50 PM, Ricky Beam wrote:

 Personally, I prefer a bit of both.  

same here. Both have some things which I don't agree with. Prime example 
again is adding more than X VLANs to an interface, why the add?

interface TenGigabitEthernet5/5
 switchport trunk allowed vlan 20,30,40,50,60,100,121,124,125,128,334-336
 switchport trunk allowed vlan add 500-505,509,510,513,515-518,530,532,540

that should all be able to go onto one line. I don't follow the logic.   

we could sit here all day nit picking I guess. It was more my manager's rage 
on that fateful day that made me hate that 'method' so much.  8)

 not being able to issue commands while in config mode (without the 'do')  
 is annoying as hell too..
 
 This is a safety measure to keep your mind on the road.  A typo in config  
 mode can make a seriously royal mess.

 I disagree with you on this. Who might they be to determine my ability to 
not mess things up, and why are they so concerned? And how does this logic 
follow onto ASA/PIX/FWSM and WLC devices? When you are enabled and in config 
mode on those you can issue non-elevated commands. There is much more 
potential for damage on an edge security device than an interdepartmental 
switch/router I'd think. But I could be wrong….

 
 ... that would be the second issue, the lack of consistency between 
 devices. Cisco owns that one.
 
 No they don't.  Which version of IOS are you running? Oh, right, that  
 switch doesn't run IOS, it runs CatOS?  Wait a min, that's a 1900... it  
 uses a menu interface.

haha. I have to agree with you there. I stand corrected. It's been a while since 
I used a set-based IOS.

 
 I have three Cisco switches right here that are radically different.  In  
 fact, the 2948G-L3 confused a CCIE for several weeks. :-) Until I told him  
 stop thinking switch and config it like a 48 port router. (and sadly, it  
 doesn't support interface ranges. :-()

In closing, I have to say I love HP's alias command, I can rev my config 
and save it to a TFTP server by typing 'saveit' while enabled. Some IOSes 
allow you to do a 'wr net' and get it there with a predefined TFTP server, but 
as we discovered, this isn't available on all devices.. 


take care and have a great weekend,
greg




RE: NAT translation from a sourced network to a destination network

2010-06-19 Thread Greg Whynott
depending on your vendor equipment you'll need an ACL or a route map to define 
the traffic you wish to NAT and apply it to the 'nat engine'. 

if you are doing this on Cisco ASA or similar it might look something like this:

- define the interesting traffic with an ACL:

access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.31
access-list 110 deny ip any any

- create a route-map:

route-map natme permit 10
 match ip address 110

- apply the map:

ip nat inside source route-map natme interface GigabitEthernet0/1 overload


hope that helps.
-g



From: Mike Ruiz [mr...@lstfinancial.com]
Sent: Friday, June 18, 2010 4:13 PM
To: nanog@nanog.org
Subject: NAT translation from a sourced network to a destination network

Ok here we go.  I know the subject is a little ambiguous, please allow to 
explain.



I have a network of 192.168.1.0/24 and I need it to reach a network 10.0.1.0/27 
only when it needs to be accessed by specific machines that reside on the 
192.168.1.0/24 network.





192.168.1.10 → NAT → 10.0.1.10 → route that packet to 10.0.1.1.



I only want specific hosts to route to that specific /27 network.



Any help would be appreciated. So far what I have gathered is only for VPN 
connections but I do not want to build a VPN.  Thank you again in advance.





Michael Ruiz

Network Engineer



If you tell people where to go, but not how to get there, you'll be amazed at 
the results. -- General George S. Patton Jr.
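Added illustration, not from the original post or any vendor code: a small Python model of how an IOS-style extended ACL with wildcard masks selects the 'interesting' traffic that the route-map hands to the NAT engine, plus a host-based ACL variant for the 'specific hosts' requirement in the question. The outside address 203.0.113.1, the host ACL and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care', a 0 bit
    must match. 0.0.0.31 therefore covers the /27 10.0.1.0 - 10.0.1.31."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _take_addr(tokens: List[str]):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list <n> permit|deny ip <src> <dst>' lines, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, src_wc, rest = _take_addr(t[4:])
        dst, dst_wc, _ = _take_addr(rest)
        entries.append(AclEntry(t[2], src, src_wc, dst, dst_wc))
    return entries


# The ACL from the post: all of 192.168.1.0/24 towards 10.0.1.0/27 is "interesting".
ACL_SUBNET = parse_acl("""
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.31
access-list 110 deny ip any any
""")

# Variant for the original question (only specific hosts): host entries instead
# of the whole /24. Constructed here, not taken from the post.
ACL_HOSTS = parse_acl("""
access-list 110 permit ip host 192.168.1.10 10.0.1.0 0.0.0.31
access-list 110 permit ip host 192.168.1.20 10.0.1.0 0.0.0.31
access-list 110 deny ip any any
""")


def acl_decision(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; an ACL with no match implicitly denies."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


def nat_source(acl: List[AclEntry], src: str, dst: str,
               outside_addr: str = "203.0.113.1") -> Optional[str]:
    """Model 'ip nat inside source route-map natme interface Gi0/1 overload':
    a flow the route-map's ACL permits leaves with the outside interface address
    as its source (PAT); anything else is forwarded untranslated.
    outside_addr is a constructed placeholder for the Gi0/1 address."""
    if acl_decision(acl, src, dst) == "permit":
        return outside_addr
    return None


if __name__ == "__main__":
    flows = (("192.168.1.10", "10.0.1.10"), ("192.168.1.77", "10.0.1.5"),
             ("192.168.1.10", "10.0.1.40"),   # 10.0.1.40 lies outside the /27
             ("192.168.2.5", "10.0.1.10"))    # wrong source subnet
    for name, acl in (("/24 ACL", ACL_SUBNET), ("host ACL", ACL_HOSTS)):
        for src, dst in flows:
            print(f"{name}: {src} -> {dst}: nat src = {nat_source(acl, src, dst)}")
```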








Re: Advice regarding Cisco/Juniper/HP

2010-06-17 Thread Greg Whynott
Haven't seen these same issues either, but have seen others..

We use HP 8212's here to connect our storage and HPC devices. Each 8212 has 
about 20 or more 10Gbit connections. Everyone is happy with them from an 
availability and performance perspective. Two things which I noticed:
1. Under heavy load (60% or more of 10Gbit interfaces at +80%) we have seen _all_ 
interfaces simultaneously drop packets and generate interface errors. This 
was on an early release of the firmware and I don't think we have seen this 
problem in a while.
2. Each module only has about 28 Gbits of bandwidth to the backplane. This 
means if you want non-blocking 10Gbit access to the backplane you can only 
load up an 8212 to 50% of its physical port capacity with active links.  

Very recently they changed licensing, the 8212's used to ship with premium 
licenses included. This gave you OSPF, PIM, VRRP and QinQ. Without a product 
number change or other clear indication, these are no longer included but must 
be purchased separately. This was a bit of a letdown as we use OSPF 
internally and it was one of the items that made the 8212's interesting when 
deciding what we would standardize on for access switches. 

We also use 6509e's for our core routers, they used to be the only routers 
till we deployed OSPF. On the Internet edge we use ASRs.

The 'H3C' switches they recently acquired look nice(r).

-g





On Jun 17, 2010, at 12:47 PM, Tom Ammon wrote:

 We've had a much different experience than what Tom is describing here. 
 We've used HP extensively in our networks, mostly because of the price 
 and warranty. For simple, flat networks, they are a great buy, in my 
 opinion. We've never seen the packet loss issues that were described, 
 and we push quite a bit of data through the 5412, 2900, and 6600 series 
 products.
 
 That said, we've never used them for much outside of basic layer 2 
 services. We have a couple of c6500s for our core network, but at the 
 edge, we have been very happy with HP. So far, warranty service has been 
 flawless, although we have only replaced maybe half a dozen switches out 
 of about 70 total that we have installed, over the course of 5 years.
 
 There isn't much as far as advanced features (for example, don't expect 
 to get MPLS or BGP), but since we don't use those features at the edge, 
 we haven't been hurt by that.
 
 Tom
 
 On 06/17/2010 10:37 AM, Tom wrote:
 On Thu, 17 Jun 2010, James Smith wrote:
 
 So my questions to the NANOG community are: Would you recommend HP over
 Cisco or Juniper?
 
 Pretty much never, unless you're talking about a rebadged Brocade product.
 Every time I've seen HP networking gear in production, its usually before
 it gets replaced with something else. The last install I dealt with was
 having so many problems it had a constant %10 packetloss on a simple flat
 network.
 
 
 How is HP's functionality and performance compared to Cisco or Juniper?
 
 Typically poor, but this varies widely with the series of HP gear.
 The software updates available also vary widely in quality, and I have
 rarely gotten a good answer from HP support on anything.
 
 
 Does anyone have any HP networking experiences they can share, good or
 bad?
 
 To end on a positive note, HP does have a good warranty, is typically
 fairly low cost and provides free software updates.
 
 -Tom
 
 
 
 
 -- 
 
 Tom Ammon
 Network Engineer
 Office: 801.587.0976
 Mobile: 801.674.9273
 
 Center for High Performance Computing
 University of Utah
 http://www.chpc.utah.edu
 
 




RE: Advice regarding Cisco/Juniper/HP

2010-06-17 Thread Greg Whynott
they may require a deposit before  you load their web site.. 
-g


-Original Message-
From: Seth Mattinen [mailto:se...@rollernet.us] 
Sent: Thursday, June 17, 2010 2:07 PM
To: nanog@nanog.org
Subject: Re: Advice regarding Cisco/Juniper/HP

On 6/17/2010 11:01, Sandone, Nick wrote:
 I would also add Brocade/Foundry to the mix as well.  We've been deploying 
 these switches with great results.  Since the IOS is very similar to Cisco's, 
 the transition has been quite easy.
 
 


Do you still have to pay them to read the manual?

~Seth




Re: 1slash8 pollution

2010-06-14 Thread Greg Whynott
 I can confirm this,  our WLC from Cisco came with a default IP setting of 
1.1.1.1 for the portal. 
-g




On Jun 14, 2010, at 2:48 PM, Jens Link wrote:

 Tom bifr...@minions.com writes:
 
 DHCPACK from 1.2.1.3
 
 Perhaps someone should mention this to the hotel? :)
 
 I've seen DHCPACK from 1.1.1.1. I was told it's the default value of a
 Cisco WLAN Controller. There are more things broken in most hotel
 WLANs. 
 
 Jens
 -- 
 -
 | Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
 | http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
 -
 




Re: Network Naming Conventions

2010-03-15 Thread Greg Whynott
We use confidence-inspiring names here for our devices: shakey, broken, 
jitter, crusty.

G
 

- Original Message -
From: Adcock, Matt [HISNA] madc...@hisna.com
To: Ravi Pina r...@cow.org; Randy Bush ra...@psg.com
Cc: nanog@nanog.org nanog@nanog.org
Sent: Mon Mar 15 09:10:40 2010
Subject: RE: Network Naming Conventions


I've used a Jimmy Buffett theme in test labs before.


 
 Matt Adcock, Manager
334-481-6629 (w) / 334-312-5393 (m) / madc...@hisna.com
700 Hyundai Blvd. / Montgomery, AL 36105

 


From: Ravi Pina [mailto:r...@cow.org]
Sent: Sat 3/13/2010 3:33 PM
To: Randy Bush
Cc: nanog@nanog.org
Subject: Re: Network Naming Conventions



On Sun, Mar 14, 2010 at 04:58:11AM +0900, Randy Bush wrote:
  On my last network I named all the routers after simpsons characters.

 scaled well?

Don't forget there were 5 Snowballs...




 


 

Re: Network Naming Conventions

2010-03-15 Thread Greg Whynott
ours is a small network, so it's ok to have fun.  8) 

we do use CNAMEs to provide useful information (and make managers happy).. and 
name servers after the service they provide, e.g. ldap1.auth.mgt

here is an example:
gwhyn...@ops:~$ host rma.mgt
rma.mgt.oicr.on.ca is an alias for RiserRoom5a.hp8212.rack2.mgt.oicr.on.ca.
RiserRoom5a.hp8212.rack2.mgt.oicr.on.ca has address 10.3.200.35
gwhyn...@ops:~$ 

-g




On Mar 15, 2010, at 10:08 AM, Nathan Ward wrote:

 On 16/03/2010, at 2:10 AM, Adcock, Matt [HISNA] wrote:
 
 I've used a Jimmy Buffett theme in test labs before.
 
 Naming themes are fine in test labs, because devices have a different 
 function/role several times per day, a name acts like an asset tag in that it 
 sticks with it through its lifetime.
 
 Same goes for those servers that sit in our networks that I can only really 
 think to call bitch boxes. They do all sorts of random one-off network 
 hackery tasks, and never get any love. They're not supposed to scale, they 
 were only supposed to be there for one job 5 years ago and they're still 
 there.
 
 If I've got guys out there rolling out gear according to cookie cutter 
 designs, I don't want them coming up with names and using ex girlfriends or 
 TV shows or whatever. They're going to run out of ideas, and I don't want to 
 have 50 boxes called rachel on the network with no idea what they do. That 
 sort of thing works fine when you're the only person putting the names in to 
 boxes - like in a lab - but no good if you've grown much.
 
 I'm a contractor/consultant type thing, and getting my customers to use 
 naming schemes like the rant that follows helps me understand their network 
 if they do things without me, and helps anyone else who comes along too.
 
 
 So, for production network and server gear, I like domain names built with 
 city and site codes:
 site.city.domain
 
 Perhaps if I had a bigger network I'd have .country.domain on the end of that 
 instead.
 
 Hosts within each site are told to search within their site, then city, then 
 domain. Here's how in resolv.conf:
 search site.city.domain, city.domain, domain
 
 This lets me refer to a host called 'access-1' as, access-1, or 
 access-1.site, or access-1.site.city depending on where I am. That's handy 
 and saves my lazy ass typing lots. It also means we can have standard configs 
 for lots of things. For example, we can syslog to syslog and it will choose 
 either the one in the local site if its size warrants it, or one in the city, 
 or a network-wide one. I'm sure you can think of other ways this can be 
 useful.
 
 It can be annoying when a box doesn't let you display a full hostname in a 
 prompt, or fudge it and set the hostname to hostname.site.city because 
 hostnames shouldn't have periods in them. YMMV, etc. The benefits outweigh 
 the negatives for me I think. Things can get a bit hairy when devices 
 identify themselves by their hostnames in some other protocols though. 
 Ignoring that and using DNS is encouraged, etc.
 
 As for hostnames themselves, I have varying ways of doing that, but I never 
 use a naming scheme that won't scale for.. a long time.
 I always use numbers, but never use leading zeros - ie. access-1, not 
 access-001. It's not hard to sort numerically, come on now.
 I generally try to use something that describes the devices function. 
 access-[1-9][0-9]* = access router. core-[1-9][0-9]* = core router. IP 
 is implied unless it's something else, ie. (eth|atm)-access-[1-9][0-9]* are 
 Ethernet or ATM switches.
 
 For places where I collapse functionality, ie. a small site with collapsed 
 core and access boxes, I call them access, because they are less to move and 
 hence need renaming when core boxes come in the future to support additional 
 access boxes.
 
 Interface addresses in DNS include the interface name and VLAN or some other 
 logical circuit details (PVC, etc.), as is common.
 
 Juniper boxes have re0-hostname.domain and re1-hostname.domain, and also 
 re-hostname.domain if I've got a moving master IP address configured.
 
 That's about all I can think of to write, I hope it's useful to someone, 
 YMMV, etc.
 
 --
 Nathan Ward
 
 




RE: 10GBase-t switch

2010-03-11 Thread Greg Whynott
I will likely never buy or recommend Foundry equipment again. In a previous 
gig, an HPC environment, they caused us many problems, support was horrible, 
and their 10Gbit kit was the pits when it was first released (no idea how it is 
now or what they offer, it's been 5 years since. Burnt once, twice shy). We 
replaced most all our Foundry L2 gear with HP 8212s which met our expectations.

Brocade is the king of license gouging, it is no surprise they want money to 
view a PDF.

Force10 and Extreme are both having sales this month on 24 port 10Gbit 
switches,  $20k off almost.

-g





From: David Hubbard [dhubb...@dino.hostasaurus.com]
Sent: Thursday, March 11, 2010 1:31 PM
To: nanog@nanog.org
Subject: RE: 10GBase-t switch

From: Malte von dem Hagen [mailto:m...@hosteurope.de]

 Hi,

 Am 11.03.10 16:29 schrieb Dylan Ebner:
  Do the Arista switches support netflow?

 nothing about it in the datasheets, and regarding documentation:

 A registered account and a valid support contract is
 required to access the
 Software Download and Documentation section of the website.

 Service fail.

+1

After Brocade started doing that with the Foundry
docs, which hung me out to dry one night when I
needed some docs I didn't have easy access to, I
decided I will try to avoid buying from companies
that require a support contract to read the manual.

David




Bell canada CIDR

2010-03-05 Thread Greg Whynott
Hello,

We received a /21 from ARIN a year or so ago which we have been using. At the 
time I noticed Bell was advertising a longer CIDR which included ours. I 
contacted Bell, they said it would be corrected, multiple times.

Who might I contact to have this resolved?

Thanks for your time,
greg


AS11628
ipcalc 206.108.120.0/21
=
Network:   206.108.120.0/21
HostMin:   206.108.120.1  
HostMax:   206.108.127.254 


AS577
ipcalc 206.108.96.0/19
=
Network:   206.108.96.0/19 
HostMin:   206.108.96.1
HostMax:   206.108.127.254  



RE: Power Analysis/Management Tools

2009-10-26 Thread Greg Whynott
I'd think SNMP will be what any product uses to query APC gear, even their own 
suite uses SNMP to collect information and receive traps.
We use Cacti to graph our loads on the APC power bars and UPS gear; it gives you 
everything you need on all phases/legs. Was there something in particular you 
were after?

-g


-Original Message-
From: Brandon Galbraith [mailto:brandon.galbra...@gmail.com] 
Sent: Monday, October 26, 2009 4:59 PM
To: nanog@nanog.org
Subject: Power Analysis/Management Tools

Not to go too off-topic, but if there is a more preferred location for me to
ask, please let me know. I'm looking for recommendations on open source
packages that people are using for monitoring power utilization of their
network/server gear.

We're using Cacti currently, pulling the data from APCs via SNMP, and I
wanted to check if someone had come across a better method before I
reinvented the wheel.


RE: Beware: a very bad precedent set

2009-08-31 Thread Greg Whynott
that is so sad; it makes me very angry reading this.

-g



From: na...@wbsconnect.com [na...@wbsconnect.com]
Sent: Monday, August 31, 2009 5:35 PM
To: nanog@nanog.org
Subject: Beware: a very bad precedent set

http://finance.yahoo.com/news/Louis-Vuitton-Awarded-324-bw-3561952192.html?x=0.v=1

NEW YORK--(BUSINESS WIRE)--Louis Vuitton Malletier, S.A. (“Louis Vuitton”) part 
of LVMH, the world’s leading luxury group, today announced that it has won the 
lawsuit it filed in 2007 against the California based Internet hosting business 
of Akanoc Solutions, Inc., Managed Solutions Group, Inc., and Steven Chen (the 
“Akanoc Defendants”) in the United States District Court, Northern District of 
California (San Jose). On August 28th, the jury found the Akanoc Defendants 
liable for contributory trademark and copyright infringement, and awarded 
statutory damages in the amount of $32,400,000.00. The court is expected 
shortly to issue a permanent injunction banning the Akanoc Defendants from 
hosting websites that sell counterfeit or infringing Louis Vuitton goods.

Any and all nefarious activity alleged in this lawsuit was conducted by a 
customer, of a customer, of a customer, yet the hosting provider was found 
liable, not the actual criminal manufacturing and selling the fakes.

We had all better watch our backs since it seems that claims of not being able 
to inspect tens of millions of packets per second is no longer a viable 
excuse.