Re: netstat -s
:On Jul 17, 2019, at 20:54, Randy Bush wrote:
:>
:> do folk use `netstat -s` to help diagnose on routers/switches?

Yes, for sufficiently Unix-y routers/switches.

:I have used netstat -s on hosts to look at error counters if a switch or router was suspect.
:But that was a while ago (anyone remember when NFS corrupted all your files if one of your routers or the NIC had a bit error outside the protection provided by the Ethernet CRC?).
:
:Today, I have the problem that netstat -s doesn't seem to work right on macOS.
:Many counter values are nonsensical, or simply zero.
:I was guessing this was due to NIC offload, but I haven't analyzed further.
:If anyone knows more about recent macOS netstat -s, I'd love to hear more details.

"sudo netstat -s" is your friend.

-Mike

--
Michael J. O'Connor m...@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Puny god." -Hulk
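The error-counter check the thread describes (pull the "bad checksum" / "discarded" / "retransmitted" lines out of `netstat -s` and flag the ones that are not zero), as an added example that is not part of the original posts. The sample output is constructed to mimic the BSD-style `netstat -s` layout (a section header ending in ":" followed by indented "count description" lines); the counter names and the list of error keywords are my assumptions, not a canonical set. `all_zero()` catches the "every counter is zero" symptom from the post, which on macOS is the cue to re-run under sudo rather than a sign of a clean link.

```python
import re
from typing import Dict

# Constructed sample in the BSD/macOS "netstat -s" layout (not real output):
# a section header ending in ":" followed by indented "<count> <description>".
SAMPLE_NETSTAT_S = """\
tcp:
\t123456 packets sent
\t\t98765 data packets (12345678 bytes)
\t\t42 data packets (3000 bytes) retransmitted
\t234567 packets received
\t\t7 discarded for bad checksums
\t\t0 discarded for bad header offset fields
udp:
\t4567 datagrams received
\t\t0 with incomplete header
\t\t3 with bad data length field
\t\t2 with bad checksum
ip:
\t345678 total packets received
\t\t0 bad header checksums
"""

SECTION_RE = re.compile(r"^(\S+):\s*$")
COUNTER_RE = re.compile(r"^\s+(\d+)\s+(.+?)\s*$")

# Assumed keywords that mark a counter as an error/corruption indicator.
ERROR_WORDS = ("bad", "discarded", "dropped", "retransmitted", "incomplete", "error")


def parse_netstat_s(text: str) -> Dict[str, Dict[str, int]]:
    """Parse netstat -s style output into {section: {description: count}}."""
    sections: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group(2)] = int(m.group(1))
    return sections


def error_counters(sections: Dict[str, Dict[str, int]], words=ERROR_WORDS) -> Dict[str, int]:
    """Return only the nonzero counters whose description looks like an error."""
    hits: Dict[str, int] = {}
    for sec, counters in sections.items():
        for desc, count in counters.items():
            if count and any(w in desc.lower() for w in words):
                hits[f"{sec}: {desc}"] = count
    return hits


def all_zero(sections: Dict[str, Dict[str, int]]) -> bool:
    """True when every parsed counter is zero. Per the thread, on macOS that
    usually means the command was run without sudo, not that the link is clean."""
    return all(c == 0 for counters in sections.values() for c in counters.values())


if __name__ == "__main__":
    parsed = parse_netstat_s(SAMPLE_NETSTAT_S)
    if all_zero(parsed):
        print("all counters are zero: re-run as 'sudo netstat -s' before trusting this")
    for name, count in sorted(error_counters(parsed).items()):
        print(f"{count:>8}  {name}")
```

On a live host, pipe the real output in (`netstat -s | python3 this.py` with `sys.stdin.read()` in place of the sample) and compare two runs a few minutes apart; a counter that keeps climbing is the one worth chasing to a specific switch or NIC.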
Re: QoS for Office365
:How do you deal with QoS for Office365, since the IPs are subject to changes ?

How often is the data in:

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service

out of date?

-Mike

--
Michael J. O'Connor m...@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Nothing unreal exists." -Kiri-Kin-Tha's First Law Of Metaphysics
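The practical answer to "the IPs are subject to change" is to treat the published endpoint list as data you diff, not as something you transcribe into an ACL by hand. Below is an added example, not code from the original posts or from Microsoft: it takes two saved snapshots of the endpoint list, reports which prefixes in a QoS category appeared or disappeared, and renders the current set as IOS-style wildcard ACL lines. The record layout (a list of objects with `id`, `serviceArea`, `category`, `ips`, `urls`, `tcpPorts`, `required`) is my assumption about the web service's JSON, and the sample prefixes are RFC 5737/3849 documentation ranges, not Microsoft's.

```python
import ipaddress
from typing import Iterable, List, Set, Tuple

# Two constructed snapshots shaped like the endpoint web service's JSON (assumed
# layout). Prefixes are documentation ranges, not Microsoft's real addresses.
SNAPSHOT_OLD = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "tcpPorts": "443", "urls": ["outlook.example.net"],
     "ips": ["192.0.2.0/25", "2001:db8:1::/48"]},
    {"id": 2, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "tcpPorts": "443", "udpPorts": "3478,3479,3480,3481",
     "ips": ["198.51.100.0/24"]},
    {"id": 3, "serviceArea": "Common", "category": "Default", "required": False,
     "tcpPorts": "80,443", "urls": ["cdn.example.net"], "ips": []},
]
SNAPSHOT_NEW = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "tcpPorts": "443", "urls": ["outlook.example.net"],
     "ips": ["192.0.2.0/24", "2001:db8:1::/48"]},          # v4 prefix widened
    {"id": 2, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "tcpPorts": "443", "udpPorts": "3478,3479,3480,3481",
     "ips": ["198.51.100.0/24", "203.0.113.0/24"]},        # new prefix added
    {"id": 3, "serviceArea": "Common", "category": "Default", "required": False,
     "tcpPorts": "80,443", "urls": ["cdn.example.net"], "ips": []},
]

Net = ipaddress._BaseNetwork


def prefixes_by_category(records: Iterable[dict], category: str = None,
                         families: Tuple[int, ...] = (4, 6)) -> Set[Net]:
    """Collect the IP prefixes of every record in the given QoS category."""
    out: Set[Net] = set()
    for rec in records:
        if category and rec.get("category") != category:
            continue
        for prefix in rec.get("ips", []):
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version in families:
                out.add(net)
    return out


def diff_prefixes(old: Iterable[dict], new: Iterable[dict],
                  category: str = "Optimize") -> Tuple[List[Net], List[Net]]:
    """(added, removed) prefixes between two snapshots for one category."""
    before = prefixes_by_category(old, category)
    after = prefixes_by_category(new, category)
    return sorted(after - before, key=str), sorted(before - after, key=str)


def qos_acl(records: Iterable[dict], category: str = "Optimize") -> List[str]:
    """Render the IPv4 prefixes of a category as IOS-style wildcard ACL lines
    (assumed syntax; adapt to the platform that classifies the traffic)."""
    nets = prefixes_by_category(records, category, families=(4,))
    return [f"permit ip any {n.network_address} {n.hostmask}"
            for n in sorted(nets, key=lambda n: (n.version, n))]


if __name__ == "__main__":
    added, removed = diff_prefixes(SNAPSHOT_OLD, SNAPSHOT_NEW)
    print("added:  ", [str(n) for n in added])
    print("removed:", [str(n) for n in removed])
    print("\n".join(qos_acl(SNAPSHOT_NEW)))
```

Run this against the snapshot you last pushed to the network and the one you just fetched; an empty diff means the classifier is still current, and a non-empty one is the list of lines to change, which answers the "how often is it out of date" question with your own numbers rather than a guess.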
Re: a quick survey about LLDP and similar
:Hello,
:having a bit of a debate in my team about turning on LLDP and/or CDP.
:I would appreciate if you could spend a minute answering this
:survey so I have some numbers to back up my reasoning, or to accept
:defeat.
:
:https://www.surveymonkey.com/r/TH3WCWP

"Is LLDP / CDP that evil?" -- geez.

Ask a leading question, get a leaden answer. It's clear what your biases are from the first few questions you ask. It _might_ be more interesting for you to present the points of view within your team.

FWIW, my most recent foray into LLDP involved advising to turn it off for some systems. There were defects specific to the implementation on particular hardware, and I had a strange desire to not make my head hurt. I didn't label it evil, but it just wasn't a situation where I wanted "guinea pig" treatment while the vendor sorted out LLDP.

-Mike

--
Michael J. O'Connor m...@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"We buy junk and sell antiques." -Anguished English
Re: Foundry FastIron
:A client of mine has some Foundry FastIron Edge X424HFs.
:
:Brocade and Extreme don't seem overly ambitious to help.

Brocade EOL'ed those old FESX-4 switches themselves on 03/31/2011, with EOS in 2016. This was before Brocadecom spun off to Extreme.

:Anyone have any documentation they can scrounge up? SFP compatibility list? The ones I see in there already look substantially like the ones I get from FiberStore, but that doesn't mean much.

Can't help you there, sorry...

:Do they still sell support on these? I'm largely just interested in newer firmware for them. I don't think they were updated since they left the factory and there are a few quirks I'm hoping they addressed at some point.

Depending on your bother, check out the FESX424-L3U "Layer 3 Upgrade Kit". That particular software piece looks like it gets support for another few months, if I am to believe Brocade's website (which only has the FESX-6 EOL notice, not the older FESX-4 one).

http://www.brocade.com/en/backend-content/pdf-page.html?/content/dam/common/documents/content-types/end-of-life-notice/brocade-fastiron-edge-x-6-end-of-life-notice.pdf

-Mike

--
Michael J. O'Connor m...@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Take me out... to the black. Tell 'em I ain't comin' back." -Firefly
Re: Google DNS intermittent ServFail for Disney subdomain
:I know it doesn't help your problem, but friends don't let friends use public DNS resolvers (Google, L3, Open DNS, etc.). ;-)

I've been experimenting with using Google's DNS resolvers for Google's assorted domains. At some point, I keep meaning to add Google's address space as in-addr.arpa domains, but just haven't gotten there yet.

Why? Just curious, that's all. Thus far, I haven't really noted any major differences, but wasn't sure what to expect. Maybe something would be notably faster/slower, maybe different results/ads/whatever, I dunno. It just seemed reasonable to punt Google DNS to Google DNS and see how things work.

YMMV, void where prohibited.

~Mike

--
Michael J. O'Connor m...@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"If you have enough plutonium, everything starts looking like a city." -Ches
Re: Favorite Speed Test Systems
:On 05-12-2016 16:34, Nick Ryce wrote:
:> For testing downloads, fast.com is pretty nice
:>
:
:The problem with fast.com is that they use HTTPS for the test. The user needs
:a fast computer to decode the SSL at full speed. Even if you have a very fast
:computer the test will max out at 100-200 Mbps because the Netflix servers
:are apparently not able to encode SSL any faster. Maybe we would get better
:speed if multiple SSL connections were used.

I've run into the opposite problem -- fast.com sporadically reporting 1+ Gbps times for circuits that are only 20-40 Mbps. There are no obvious client-side issues -- no proxying, interesting browsers, etc.

fast.com is glitchy just often enough to give some friends of mine silly glee when it misreports.

-Mike

--
Michael J. O'Connor m...@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"A superhero should always speak from his diaphragm!" -The Tick
Re: NTP versions in production use?
:Thanks, and I'm kinda stunned that folks are running such ancient
:versions of NTP.

I suggest you get accustomed to being stunned.

:https://support.ntp.org/bin/view/Dev/ReleaseTimeline
:
:4.2.0 was EOL'd in June of 2006, and we've fixed about 3,000 issues in
:the codebase since then.

4.2.0 may have been EOL'd in 2006, but it was still shipping as the default in FreeBSD until 2009.

Out of those 3000 issues, only a tiny fraction are security-related and would apply to JunOS. I expect that they backport security and other fixes as necessary, until some bigger engineering effort and|or headache calls for a forklift/mass upgrade of things.

--
Michael J. O'Connor m...@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Fire me, boy!" -The Human Bullet
Re: the little ssh that (sometimes) couldn't
:
:corruption!
:
:
:http://mina.naguib.ca/blog/2012/10/22/the-little-ssh-that-sometimes-couldnt.html

I ran into a similar issue with a customer just a few days ago!

The customer's theory was that there was something badly wrong with their dorky gateway/switch (which we sold and support). ssh was timing out, with a SSH2_MSG_KEX_DH_GEX_GROUP hang/failure during the ssh protocol exchange. Based on that, some wireshark captures, and stray Google droppings, I advised them to ratchet down the MTU to make things work. Through bisectional MTU settings and pinging, we arrived at an MTU of 850. And I initially started cursing at the switch (because that helps move packets, really :) ).

Turns out -- the ssh server in question was running RHEL 5.x Linux, and that was the key. Even though "ip route show cache" looked sane, "ip route flush cache" (which I had them run, just on a lark) made the problem go away. So it probably wasn't my switch (unless it had done something untoward in the distant past that induced some weird Linux stack bug).

I'm mostly posting this because I was wondering if anyone else had run into an MTU of 850 before. Is that a "magic number" that rings any bells (or perhaps has seen the Linux route cache behavior I did).

-Mike

--
Michael J. O'Connor m...@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"It is now the age of now." -Non Campus Mentis
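The "bisectional MTU settings and pinging" step from the post, written out as an added example (mine, not the poster's): a binary search over whole-frame MTU using don't-fragment pings, with the probe injectable so the search can be exercised offline against a constructed path whose limit is 850. The ping flags are the ones I know for iputils on Linux (`-M do`) and for macOS/BSD ping (`-D`); the 28-byte IPv4+ICMP overhead is what converts a frame MTU into the `-s` payload size. The search only finds the symptom: as the post notes, the cause on that RHEL 5 box turned out to be the route cache, and the real fix was flushing it, not lowering the MTU.

```python
import subprocess
import sys
from typing import Callable, List, Optional

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df_command(host: str, mtu: int, platform: str = sys.platform) -> List[str]:
    """One don't-fragment ping sized so the whole frame is exactly `mtu` bytes.
    Linux iputils: 'ping -M do -s <payload>'; macOS/BSD: 'ping -D -s <payload>'."""
    payload = mtu - IP_ICMP_OVERHEAD
    if platform.startswith("linux"):
        return ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
    return ["ping", "-c", "1", "-D", "-s", str(payload), host]


def real_probe(host: str) -> Callable[[int], bool]:
    """Probe that actually sends the ping; True iff the echo reply came back."""
    def probe(mtu: int) -> bool:
        rc = subprocess.run(ping_df_command(host, mtu),
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
        return rc == 0
    return probe


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Largest MTU in [lo, hi] for which probe() succeeds, by bisection.
    Assumes the path is monotonic: every size up to the true PMTU passes and
    every size above it fails. Returns None if even `lo` fails, which means
    the problem is not a plain MTU limit."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_path(pmtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for the network: DF pings pass iff mtu <= pmtu."""
    return lambda mtu: mtu <= pmtu


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("path MTU to", sys.argv[1], "=", find_path_mtu(real_probe(sys.argv[1])))
    else:
        print("simulated path with PMTU 850 ->", find_path_mtu(simulated_path(850)))
```

Run with a hostname to probe a real path (about eleven pings for the 576..1500 range); with no arguments it reproduces the thread's 850 against the simulated path. If the answer is a value as odd as 850 and the link hardware reports a normal MTU, check the host's own cached routes before blaming the switch.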
Re: Mobile Looking Glass?
:Anyone know of an iPhone application for checking public Looking Glass servers?
:
:Boss called me in a panic when I was out for lunch to check on something and would make my life much easier but searching for stuff on iTunes is awful.

If you have an AIM or Jabber client on your iPhone, there's bgpbotz:

http://software.merit.edu/bgpbotz/

I've used it successfully via AIM on my phone a couple times -- worked like a champ.

--
Michael J. O'Connor m...@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"YOU MUST OBEY ME BECAUSE I'M LOUD!" -Dogbert
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
:I think anyone in their right mind would agree that if a provider see
:criminal activity, they should take action, no?

What a provider "should" do and what makes sense under the law of the land are two different things.

:If that also holds true, then why doesn't it happen?

The laws pertaining to what's required of people when witnessing a crime vary by locality within the U.S. I dunno how they work for the rest of the NANOG audience. What is required of people versus what's required of corporate entities varies, too. "Good Samaritan" laws are hardly universal, and don't always play well with the other laws of the land.

Things can get ugly when some murky behavior gets retroactively deemed a crime (perhaps by some tech-challenged judge or jury) and a provider becomes an accessory after the fact. "You mean, the DMCA makes THAT illegal?!?"

Or, perhaps a provider tries to take some small action in the face of a crime, then is deemed to have a "special relationship" making them liable for not being quite helpful enough. "You mean, I have to rebuild my entire network because my customer support rep has reported bad behavior to the authorities?"

Ultimately, acting on crime is a rat's nest. Some providers have enough trouble dealing with attacks from Pax0rland, extracting sane prices for last-mile service, evaluating/deploying new technology, keeping up with all the off-topic emails on NANOG, etc.

Raise the bar so the least-paid front-line rep requires a "customer support within the law" class. Create a legal climate where the only way it makes sense to provide bits involves a big army of attorneys and lobbyists to define the regulatory climate. Let's make total provider consolidation a reality... then we won't need those pesky 32-bit ASNs. :)

Back to work...

--
Michael J. O'Connor m...@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Not baked goods, professor... baked BADS!" -The Tick
Re: two interfaces one subnet
:Hi,
:
:This is a pretty moronic question, but I've been searching RFC's on-
:and-off for a couple of weeks and can't find an answer. So I'm hoping
:someone here will know it offhand.
:
:I've been looking through RFC's trying to find a clear statement that
:having two interfaces in the same subnet does not work, but can't find
:it that statement anywhere.
:
:The OS in this case is Linux. I know it can be done with clever
:routing and prioritization and such, but this has to do with vanilla
:config, just setting up two interfaces in one network.
:
:I would be grateful for a pointer to such an RFC statement, assuming
:it exists.

RFC1122, Section 3.3.4.1 explicitly says this IS a legal config from an IP perspective:

   3.3.4 Local Multihoming

      3.3.4.1 Introduction

         A multihomed host has multiple IP addresses, which we may
         think of as "logical interfaces". These logical interfaces
         may be associated with one or more physical interfaces, and
         these physical interfaces may be connected to the same or
         different networks.

There are other considerations here -- OS, link-layer, etc. Obviously, you want to do such things with care. But simply from a "standards" perspective, it's ok.

There are a lot of hosts that historically didn't have enough RFC1122 compliance to make such configurations problematic (e.g. section 3.3.1.2 and multiple default route support vs. old BSD IP stacks) but that doesn't invalidate the standards.

--
Michael J. O'Connor m...@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Pain has an element of blank." -Emily Dickinson