Re: Firewalls in service provider environments
On Tue, Feb 7, 2012 at 4:35 PM, Matthew Reath m...@mattreath.com wrote:

One of my customers has a list like that. They can't understand why one in every hundred or so TCP connections on port 443 fails.

Hint: you forgot

access-list 102 permit tcp any any established

after

access-list 102 deny ip host 255.255.255.255 any

The destination port in one direction is the source port in the other, and many of those are dynamic source ports picked by Windows. Unless you restrict that filter to just packets attempting to initiate a new connection, you're shooting yourself in the foot.

Yeah, agreed. The only place this gets applied is inbound on the interface facing an upstream provider. ACLs ingress from end customers are much different. In theory this could cause issues with externally initiated traffic that uses, let's say, as its random source port.

If you apply the ACL you showed as an inbound ACL on your provider-facing interfaces, you will be breaking any connections that exit your network with source ports from your list of bad ports. For example, you connect out from x.x.x.x: to y.y.y.y:80; then the response packets coming back into your network will be from y.y.y.y:80 to x.x.x.x: and will be dropped by your ACL. This seems to be a common mistake, and is often missed because it manifests as one-in-thousands failures of TCP connections. People tend to just try a second time, and it works, and they never investigate why they had one random failure.

Good point. Adding in an established entry, although it may open you up for TCP/SYN sort of packets, is a better trade-off than affecting customer traffic.

-Matt
Re: Firewalls in service provider environments
On Wed, Feb 8, 2012 at 9:25 AM, Matthew Reath m...@mattreath.com wrote:

Good point. Adding in an established entry, although it may open you up for TCP/SYN sort of packets, is a better trade-off than affecting customer traffic.

'established' is explicitly NOT 'syn' ... maybe you meant 'ack flood'? (or rst flood? but certainly not syn flood)

If I had an 'established' entry on an inbound ACL to filter traffic coming from my upstream provider, wouldn't SYN ACK (2nd step in the handshake) packets be allowed to pass the ACL because of this? But I see your point: a connection initiation from external sources with just the SYN flag set would not be allowed. However, if a session is initiated internally, the returning SYN ACK from the external server would be allowed, as would ACK and data packets with ACK set.
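The two exchanges above (the missing `established` line breaking return traffic, and what `established` does and does not let through) can be checked mechanically. The following is an added example, not code from the thread: it models Cisco extended-ACL matching for TCP in Python (top-down, first match wins, implicit deny) and runs the same inbound list with and without the `permit tcp any any established` entry. The "bad port" list is constructed for illustration; it is not the list from the original post.

```python
"""Stateless ACL evaluation with and without 'established'.

Added example, not code from the thread. It models Cisco extended-ACL
matching for TCP: entries are checked top-down, first match wins, and an
unmatched segment hits the implicit deny. The 'established' keyword matches
a segment only when ACK or RST is set, which is the property the thread
relies on: replies to connections opened from inside pass, a bare SYN
arriving from outside does not.
"""
from dataclasses import dataclass
from typing import List, Optional

FLAG_SYN = 0x02
FLAG_RST = 0x04
FLAG_ACK = 0x10


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    flags: int


@dataclass(frozen=True)
class Entry:
    """One 'access-list ... tcp any any [eq DST] [established]' line."""
    action: str                 # "permit" or "deny"
    dst_port: Optional[int]     # None means any destination port
    established: bool = False

    def matches(self, seg: Segment) -> bool:
        if self.dst_port is not None and seg.dst_port != self.dst_port:
            return False
        if self.established and not seg.flags & (FLAG_ACK | FLAG_RST):
            return False
        return True


def evaluate(acl: List[Entry], seg: Segment) -> str:
    for entry in acl:
        if entry.matches(seg):
            return entry.action
    return "deny"           # implicit deny at the end of every IOS ACL


# Constructed "bad port" list for illustration; the thread's own list is not
# reproduced. 1433, 1434 and 3389 fall inside the 1025-5000 ephemeral range
# that older Windows hosts pick source ports from for outbound connections.
BAD_PORTS = [135, 139, 445, 1433, 1434, 3389]
_port_denies = [Entry("deny", p) for p in BAD_PORTS]

# Inbound from the upstream, as originally posted: port denies, then permit.
ACL_WITHOUT_ESTABLISHED = _port_denies + [Entry("permit", None)]

# The fix from the thread: 'permit tcp any any established' ahead of the
# port denies, so only connection attempts (no ACK/RST set) reach them.
ACL_WITH_ESTABLISHED = (
    [Entry("permit", None, established=True)] + _port_denies + [Entry("permit", None)]
)


def reply_to_outbound(acl: List[Entry], client_port: int) -> str:
    """Verdict on the server's reply (ACK set) to a connection an inside host
    opened from client_port to a web server on port 80."""
    return evaluate(acl, Segment(src_port=80, dst_port=client_port, flags=FLAG_ACK))


def syn_ack_to_outbound(acl: List[Entry], client_port: int) -> str:
    """Verdict on the SYN/ACK, the second step of a handshake started inside."""
    return evaluate(acl, Segment(80, client_port, FLAG_SYN | FLAG_ACK))


def inbound_syn(acl: List[Entry], dst_port: int) -> str:
    """Verdict on a bare SYN from outside, i.e. a new inbound connection attempt."""
    return evaluate(acl, Segment(src_port=50123, dst_port=dst_port, flags=FLAG_SYN))


def broken_client_ports(acl: List[Entry], ephemeral=range(1025, 5001)) -> List[int]:
    """Client source ports whose outbound connections the ACL silently breaks.
    Each one shows up to users as an occasional random connection failure."""
    return [p for p in ephemeral if reply_to_outbound(acl, p) == "deny"]


if __name__ == "__main__":
    for name, acl in (("without established", ACL_WITHOUT_ESTABLISHED),
                      ("with established", ACL_WITH_ESTABLISHED)):
        print(f"{name}: broken client ports {broken_client_ports(acl)}, "
              f"bare SYN to 1433 -> {inbound_syn(acl, 1433)}")
```

With the constructed list, three of the 3976 ephemeral ports are silently broken without the `established` entry (the "one-in-thousands" symptom), and none with it; the bare inbound SYN to a listed port is denied in both cases, which is the distinction between an `established` entry and a SYN-flood exposure.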
Firewalls in service provider environments
All,

Looking for some recommendations on firewall placement in service provider environments. I'm of the school of thought that in my SP network I do as little firewalling/packet filtering as possible. As in none: leave that to my end users, or offer a managed firewall solution where, if a customer signs up for the extra service, I put him in a VRF or VLAN that is behind a firewall and manage that solution for them. Otherwise I don't prefer to have a firewall inline in my service provider network for all customer traffic to go through. I can accomplish filtering of known bad ports on my edge routers, either facing my customers or upstream providers.

What is the group's thought on this?

-Matt

--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath
Re: Question about prefix list
Ann, the commas notwithstanding, the le/ge operands as applicable to prefix-lists simply mean less-than-or-equal-to or greater-than-or-equal-to wrt netmasks in CIDR speak.

In your prefix-list below, the le operand means: allow the following ranges: /22, /23, /24; deny all else. For the /21 it means allow /21 thru /24. Anything without an operand means an exact match (permit/deny).

Homework for you: what do the following do?

1) ip prefix-list foo deny 0.0.0.0/0 le 32
2) ip prefix-list foo permit 0.0.0.0/0 le 32

Understand the above and you will understand how operands work in prefix-lists.

./Randy

--- On Wed, 2/1/12, Ann Kwok annkwo...@gmail.com wrote:

From: Ann Kwok annkwo...@gmail.com
Subject: Question about prefix list
To: nanog@nanog.org
Date: Wednesday, February 1, 2012, 6:32 AM

Hi

I read this prefix list. Can I know why there is le 24 after the network block in /22 and /21? Why doesn't it have le 24 after /24? I also saw another prefix list before. They use le 32 instead of le 24. What is the difference?

ip prefix-list prefix-filter-as100 seq 10 permit 202,168.136.0/22 le 24
ip prefix-list prefix-filter-as100 seq 20 permit 202,22.92.0/22 le 24
ip prefix-list prefix-filter-as100 seq 30 permit 202,21.148.0/22 le 24
ip prefix-list prefix-filter-as100 seq 40 permit 203,178.88.0/21 le 24
ip prefix-list prefix-filter-as100 seq 50 permit 178.88.74.0/24

Thank you so much

Here is how I look at prefix lists. Let's say I have the following:

ip prefix-list EXAMPLE permit 202.21.148.0/22 le 24

What this essentially means is: match any prefixes that match the first 22 bits of 202.21.148.0 with a prefix length less than or equal to /24. The third octet (148) is 10010100 in binary; the /22 boundary would be at 100101|00. So we would match anything that has the same bits set before the divider, or the /22 mark. Matching prefixes would be:

202.21.148.0/22
202.21.148.0/23
202.21.150.0/23
202.21.148.0/24
202.21.149.0/24
202.21.150.0/24
202.21.151.0/24

Hope that makes sense.
--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath
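Randy's explanation of the operands, his homework, and Matt's enumeration of the prefixes covered by `202.21.148.0/22 le 24` can all be reproduced with a small matcher. This is an added example, not code from the thread: it implements IOS prefix-list semantics (no operand means exact length, `le N` means listed length through N, `ge N` means N through 32, both together mean ge through le, first match wins, implicit deny) using Python's `ipaddress` module. Ann's list is reproduced with the stray commas read as dots, which is an assumption.

```python
"""Cisco-style ip prefix-list matching: exact, le, ge.

Added example, not code from the thread. ge/le bound the prefix length of a
candidate route; the address bits must fall inside the listed prefix either
way. Semantics modelled are IOS's: no operand = exact length, 'le N' =
listed length..N, 'ge N' = N..32, both = ge..le.
"""
import ipaddress
from typing import List, Optional


class PrefixListEntry:
    def __init__(self, action: str, prefix: str,
                 ge: Optional[int] = None, le: Optional[int] = None):
        self.action = action
        self.prefix = ipaddress.ip_network(prefix)
        host_len = self.prefix.max_prefixlen            # 32 for IPv4, 128 for IPv6
        base = self.prefix.prefixlen
        self.min_len = ge if ge is not None else base
        self.max_len = le if le is not None else (host_len if ge is not None else base)
        if not base <= self.min_len <= self.max_len <= host_len:
            raise ValueError(f"invalid ge/le range for {prefix}")   # IOS rejects these too

    def matches(self, candidate: str) -> bool:
        net = ipaddress.ip_network(candidate)
        return net.subnet_of(self.prefix) and self.min_len <= net.prefixlen <= self.max_len


def evaluate(prefix_list: List[PrefixListEntry], candidate: str) -> str:
    """First matching entry wins; an unmatched prefix hits the implicit deny."""
    for entry in prefix_list:
        if entry.matches(candidate):
            return entry.action
    return "deny"


def covered_prefixes(entry: PrefixListEntry) -> List[str]:
    """Enumerate every prefix an entry covers (only sensible for small ranges)."""
    out: List[str] = []
    for length in range(entry.min_len, entry.max_len + 1):
        out.extend(str(n) for n in entry.prefix.subnets(new_prefix=length))
    return out


# Ann's list, commas read as dots (assumption made for this example).
ANN_LIST = [
    PrefixListEntry("permit", "202.168.136.0/22", le=24),
    PrefixListEntry("permit", "202.22.92.0/22", le=24),
    PrefixListEntry("permit", "202.21.148.0/22", le=24),
    PrefixListEntry("permit", "203.178.88.0/21", le=24),
    PrefixListEntry("permit", "178.88.74.0/24"),
]

# Randy's homework: 0.0.0.0/0 le 32 covers every possible IPv4 prefix, so the
# first list denies everything and the second permits everything.
HOMEWORK_1 = [PrefixListEntry("deny", "0.0.0.0/0", le=32)]
HOMEWORK_2 = [PrefixListEntry("permit", "0.0.0.0/0", le=32)]

# Without an operand, 0.0.0.0/0 matches only the default route itself.
DEFAULT_ONLY = [PrefixListEntry("permit", "0.0.0.0/0")]


if __name__ == "__main__":
    print(covered_prefixes(PrefixListEntry("permit", "202.21.148.0/22", le=24)))
    for p in ("202.21.148.0/24", "202.21.148.0/25", "203.178.92.0/24", "178.88.74.0/25"):
        print(p, evaluate(ANN_LIST, p))
    print("homework 1:", evaluate(HOMEWORK_1, "10.0.0.0/8"),
          "homework 2:", evaluate(HOMEWORK_2, "10.0.0.0/8"),
          "default only:", evaluate(DEFAULT_ONLY, "10.0.0.0/8"))
```

The `covered_prefixes` call returns exactly the seven prefixes Matt listed, and the `ANN_LIST` checks show why the `/24` entry has no `le`: with `le 24` after a `/24` the range would be /24 through /24, i.e. the same exact match.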
Re: Please help our simple bgp
Hello

Our router is running simple bgp: one BGP router, two upstreams (each 100M, from ISP A and ISP B). We are getting full feed tables from them. We discover the routes are going to ISP A only, even when the 100M bandwidth is full. Can we set the weight to change to ISP B, to use ISP B as the preferred route? Can the following configuration work? What do you suggest for this weight number, too?

neighbor 1.2.3.4 description ISP B
neighbor 1.2.3.4 remote-as 111
neighbor 1.2.3.4 weight 2000

If this works, what if the ISP B upstream connection is down? Can it still fail over to ISP A automatically? If it won't work, do you have any suggestion?

Thank you for your help

Ann,

I've done this for a few customers that have requested it. Some engineers complain that advertising /24 routes dilutes the Internet routing tables, which is true in some regards. However, this does work in many situations to balance things out. Check out my blog post that walks through this procedure: http://mattreath.com/2012/01/29/bgp-load-balancing/

-Matt

--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath
Problem with AOL through XO
I'm wondering if anyone else is having issues with their customers accessing AOL-related sites, including Engadget. We have two upstream providers, Charter and TW, both of which peer with XO. If traffic goes out Charter to AOL sites, it gets blackholed in XO. If it goes out TW, the sites load fine. Any thoughts?

-Matt
Re: Resilient streaming protocols
There is an RTP FEC extension...

Pete

On May 29, 2011, at 12:40 AM, Aria Stewart wrote:

Anyone have any interest in a forward-error-corrected streaming protocol suitable for multicast, possibly both audio and video? Good for when there's some packet loss.

Aria Stewart

I believe Cisco had/has a solution called VQE: http://www.cisco.com/en/US/prod/collateral/video/ps7191/ps7127/product_data_sheet0900aecd806c0bfb.html. It works by having a free software (LGPL or GPL) VQE client on the STB or PC device that queues and requests missing packets.

--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath
Re: Question about migrating to IPv6 with multiple upstreams.
I have an interesting situation at a business that I am working on. We currently have the office set up with redundant connections for their mission-critical servers and such, and also have a (cheap) cable modem for general browsing on client machines. The interesting part is that the client machines need to access some customer networks via the main redundant network, so we have a firewall set up to route those connections via the redundant connections, and everything else via the cheaper, faster cable modem. NAT is used on both outbound connections.

With IPv6, we are having some trouble coming up with a way to do this. Since there is no NAT, does anyone have any ideas as to how this could be accomplished?

In a nutshell: how do you have 2 upstream connections, and choose between them based on outbound destination?

thanks,
-Randy

Standard IP routing: the default gateway of the network can decide, based on a route entry, whether to send it to the cable modem or send it to the firewall.

--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath
RE: Question about migrating to IPv6 with multiple upstreams.
-----Original Message-----
From: Matthew Reath [mailto:m...@mattreath.com]
Sent: June-11-11 11:22 PM
To: Randy Carpenter
Cc: nanog@nanog.org
Subject: Re: Question about migrating to IPv6 with multiple upstreams.

Standard IP routing: the default gateway of the network can decide, based on a route entry, whether to send it to the cable modem or send it to the firewall.

If the source block is not routed via both connections it won't work without NAT. I had this same problem trying to use my ISP's native v6 over PPPoE and maintain a tunnel as backup, since it was still pretty flaky as they were testing it at the time ... no way a residential ISP is going to route 3rd-party blocks for all their customers, and no chance the tunnel provider was going to route the block my ISP assigned me either ... with no NAT66 in Tomato/ddWRT/etc it was 100% impossible to have multiple connections ...

I guess I'm a little confused on the setup. You have a firewall with a connection to a local LAN, another connection to customer network(s), and a third connection to the Internet via cable modem? You have NAT set up to NAT your local LAN out to the Internet and to the customer network? A customer network device would use the outside IP on the customer network connection to communicate with devices in the local LAN? I think it makes more sense to me now.

--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath
RE: Question about migrating to IPv6 with multiple upstreams.
-----Original Message-----
From: Matthew Reath [mailto:m...@mattreath.com]
Sent: June-11-11 11:22 PM
To: Randy Carpenter
Cc: nanog@nanog.org
Subject: Re: Question about migrating to IPv6 with multiple upstreams.

Standard IP routing: the default gateway of the network can decide, based on a route entry, whether to send it to the cable modem or send it to the firewall.

If the source block is not routed via both connections it won't work without NAT. I had this same problem trying to use my ISP's native v6 over PPPoE and maintain a tunnel as backup, since it was still pretty flaky as they were testing it at the time ... no way a residential ISP is going to route 3rd-party blocks for all their customers, and no chance the tunnel provider was going to route the block my ISP assigned me either ... with no NAT66 in Tomato/ddWRT/etc it was 100% impossible to have multiple connections ...

Are you able to create ip6ip tunnels from your firewall/router to each customer?

--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath
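The two halves of this thread, Matt's "standard IP routing" answer and the reply that it fails without NAT when the source block is not routed via the chosen connection, are easy to see side by side in a small model. The following is an added example, not code from the thread; the upstream blocks, the routing table and the host addresses are all constructed. It does a longest-prefix lookup to pick the egress by destination, then checks whether the packet's source address belongs to a block that upstream routes back. It also goes one step past the thread by giving a host one address from each upstream's block and letting it pick the source that matches the egress, which is the NAT-free way around the problem the reply describes.

```python
"""Destination-based egress selection with two IPv6 upstreams and no NAT.

Added example, not code from the thread; prefixes and topology are constructed.
The route lookup is ordinary longest-prefix matching. The check after it is the
constraint raised in reply: without NAT, a packet's source address must come
from a block the chosen upstream actually routes back, otherwise the return
traffic has nowhere to go (and a source-address filter at the upstream drops
the outbound packet in the first place).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv6Network

# Constructed: each upstream assigned us a block and routes only that block.
UPSTREAM_BLOCKS: Dict[str, List[Net]] = {
    "redundant": [Net("2001:db8:1::/48")],
    "cable": [Net("2001:db8:2::/48")],
}

# Constructed routing table on the default gateway: (destination, egress).
ROUTES: List[Tuple[Net, str]] = [
    (Net("2001:db8:c0::/44"), "redundant"),   # customer networks, must use the redundant links
    (Net("::/0"), "cable"),                   # everything else, the cheap fast link
]


def select_egress(dst: str) -> str:
    """Longest-prefix match over ROUTES; ::/0 guarantees some match."""
    addr = ipaddress.IPv6Address(dst)
    best: Optional[Tuple[Net, str]] = None
    for net, egress in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def source_valid_for(egress: str, src: str) -> bool:
    """True when the upstream behind `egress` routes the block `src` comes from."""
    addr = ipaddress.IPv6Address(src)
    return any(addr in block for block in UPSTREAM_BLOCKS[egress])


def choose_source(host_addresses: List[str], dst: str) -> Tuple[str, Optional[str]]:
    """Pick the egress by destination, then a host address that egress can carry.
    Returns (egress, source); source is None when the host has no usable address,
    which is the 'won't work without NAT' case from the thread."""
    egress = select_egress(dst)
    for src in host_addresses:
        if source_valid_for(egress, src):
            return egress, src
    return egress, None


if __name__ == "__main__":
    single = ["2001:db8:2::10"]                      # address only from the cable block
    dual = ["2001:db8:1::10", "2001:db8:2::10"]      # one address from each block
    for host in (single, dual):
        for dst in ("2001:db8:c1::1", "2001:db8:ffff::1"):
            print(host, "->", dst, choose_source(host, dst))
```

A host holding only a cable-block address reaches the Internet but gets `None` for the customer network, because the redundant upstream will not route the cable block back; the dual-addressed host gets a valid source on both paths.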
Re: The stupidity of trying to fix DHCPv6
This is different types of networks and network users, and also different operational, administrative, and security domains. I am also getting frustrated with the endless discussions that could be immediately shortened by tinkering with DHCP to add one or two additional options -- a minimal-cost process. Why is the argument not about business needs instead of technical purity?

I'd have to agree with this. Although from a technical standpoint RA Guard would be a plausible solution to the rogue RA problem. However, the bigger issue seems to be the mixing of what used to be managed by different groups. Now you have IP transport folks implementing parameters sent to client machines or routers. Less than ideal, probably.

What are the current options for a company to disable RA messages, implement RA Guard, and force clients/routers to use DHCPv6 or static assignment for IPv6 addresses? I believe ignoring M and O bits would break the standard though - but what if they never get sent? I know on Cisco you can suppress the RA, but not sure if you can force most clients to make DHCPv6 requests instead of listening for RAs.

--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath
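The question above turns on three things in a Router Advertisement: who sent it, whether the M flag tells hosts to use DHCPv6 for addresses, and whether any Prefix Information option still has the A flag set (SLAAC). The following is an added example, not code from the thread: it builds RA payloads in the RFC 4861 layout (checksum left zero because they are constructed, not transmitted), parses them back, and classifies each the way an RA Guard policy on an access port would. The authorized router's link-local address and the prefixes are assumptions for the example.

```python
"""Router Advertisement inspection: M/O flags, prefix options, source policy.

Added example, not code from the thread. Builds ICMPv6 RA payloads (RFC 4861
layout, checksum left zero since they are constructed test input), parses them,
and reports the things a "DHCPv6 only" policy cares about: unauthorized sender,
M flag clear, SLAAC (A flag) left on in a prefix option.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

ICMPV6_RA = 134
RA_FLAG_M = 0x80      # Managed address configuration: hosts use DHCPv6 for addresses
RA_FLAG_O = 0x40      # Other configuration: hosts use DHCPv6 for DNS and similar
OPT_PREFIX_INFO = 3
PIO_FLAG_L = 0x80     # on-link
PIO_FLAG_A = 0x40     # autonomous address configuration (SLAAC)

RA_HDR = struct.Struct("!BBHBBHII")     # type, code, cksum, hop limit, flags, lifetime, reachable, retrans
PIO_HDR = struct.Struct("!BBBBIII")     # type, len, prefix len, flags, valid, preferred, reserved

AUTHORIZED_ROUTERS = {"fe80::1"}        # assumption: link-local of the legitimate router


def build_ra(managed: bool, other: bool, router_lifetime: int,
             prefixes: List[str], slaac: bool) -> bytes:
    """Constructed RA payload for exercising the parser; no checksum computed."""
    flags = (RA_FLAG_M if managed else 0) | (RA_FLAG_O if other else 0)
    payload = RA_HDR.pack(ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        pflags = PIO_FLAG_L | (PIO_FLAG_A if slaac else 0)
        payload += PIO_HDR.pack(OPT_PREFIX_INFO, 4, net.prefixlen, pflags, 2592000, 604800, 0)
        payload += net.network_address.packed
    return payload


def parse_ra(payload: bytes) -> Dict:
    """Decode the RA header and any Prefix Information options; reject malformed input."""
    if len(payload) < RA_HDR.size or payload[0] != ICMPV6_RA:
        raise ValueError("not a router advertisement")
    _, _, _, _, flags, lifetime, _, _ = RA_HDR.unpack_from(payload)
    prefixes: List[Tuple[str, bool]] = []
    off = RA_HDR.size
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")      # RFC 4861: discard the packet
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = payload[off + 2], payload[off + 3]
            addr = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefixes.append((f"{addr}/{plen}", bool(pflags & PIO_FLAG_A)))
        off = end                                        # unknown options are skipped
    return {"managed": bool(flags & RA_FLAG_M), "other": bool(flags & RA_FLAG_O),
            "router_lifetime": lifetime, "prefixes": prefixes}


def classify_ra(src_lladdr: str, payload: bytes, authorized=AUTHORIZED_ROUTERS) -> List[str]:
    """Findings for one RA seen on an access port; an empty list means it came
    from an authorized router and steers hosts to DHCPv6 rather than SLAAC."""
    ra = parse_ra(payload)
    findings: List[str] = []
    if src_lladdr not in authorized:
        findings.append("RA from unauthorized source")
    if not ra["managed"]:
        findings.append("M flag clear: hosts would not use DHCPv6 for addresses")
    for prefix, autonomous in ra["prefixes"]:
        if autonomous:
            findings.append(f"SLAAC enabled for {prefix}")
    return findings


if __name__ == "__main__":
    good = build_ra(True, True, 1800, ["2001:db8:1::/64"], slaac=False)
    rogue = build_ra(False, False, 1800, ["2001:db8:bad::/64"], slaac=True)
    print("legitimate:", classify_ra("fe80::1", good))
    print("rogue:", classify_ra("fe80::dead", rogue))
```

The legitimate RA (M and O set, A clear) produces no findings, which is the combination that keeps clients on DHCPv6 while RAs are still sent; the rogue one is flagged three times. Suppressing RAs entirely, as the post mentions, removes the M/O signal as well, which is why inspection of the flags rather than their absence is the useful check.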