Re: Cisco 2 factor authentication
We are in the process of rolling out Okta, including using a second factor for AnyConnect VPN. Works well.

-Pete

On 6/22/16, 01:27, "NANOG on behalf of Ray Ludendorff" wrote:

> Has anyone setup two factor VPN using a Cisco ASA VPN solution? What sort of soft client based dual factor authentication options were used for the Cisco VPNs (e.g. Symantec VIP, Google Authenticator, Azure Authenticator, RSA, etc.)? I am trying to find what infrastructure is needed to come up with the solution. Please contact me off list.
>
> Regards
> Ray Ludendorff
Re: syslog server
I'm a big fan of Graylog.

-Pete

On 6/6/16, 13:59, "NANOG on behalf of Maximino Velazquez" wrote:

> Hi nanog community
>
> I need help !!
>
> What is the best syslog server (opensource)?
>
> Thanks for your help
>
> Regards.
>
> --
> Max Velazquez
Google GeoIP issue
Hello folks. An address we use is not identified as being in the correct location by Google. Can someone from their NOC reach out off-list?

Thanks.
Re: Southwest Airlines captive portal
Likely. Let Southwest know, and as others have said, change your password. Hopefully it was unique to PayPal.

-Pete

On 2/27/16, 15:09, "NANOG on behalf of Paras Jha" wrote:

> You got MITM'd
>
> On Sat, Feb 27, 2016 at 1:57 PM, Damien Burke wrote:
>
>> You should change your paypal password.
>>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Frank Bulk
>> Sent: Saturday, February 27, 2016 10:27 AM
>> To: nanog@nanog.org
>> Subject: Southwest Airlines captive portal
>>
>> Anyone from Southwest Airlines on this list?
>>
>> On a recent flight I discovered I couldn't complete payment through PayPal because my web browsers properly noticed that the Southwest Airlines SSL certificate that the captive portal was giving for PayPal didn't match up. =) I had to create an exception for PayPal just to complete payment.
>>
>> Frank
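The mismatch Frank's browser caught is the hostname check every TLS client runs against the leaf certificate's subjectAltName: a portal that terminates TLS for every site can only present a certificate carrying its own names. The following is an added example, not code from any of the posters: a matcher over certificates in the layout Python's `ssl.SSLSocket.getpeercert()` returns, run against two constructed certificates (one shaped like a genuine PayPal SAN set, one of the kind a captive portal serves). All certificate contents, hostnames and the `fetch_peer_cert` helper are illustrative assumptions, not data from the thread.

```python
import socket
import ssl

# Hostname matching in the spirit of RFC 6125: exact match, or a single
# leading "*" wildcard that covers exactly one DNS label. "*.com" and
# partial-label wildcards such as "w*.example.com" are rejected.
def _name_matches(pattern: str, hostname: str) -> bool:
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard needs at least two fixed labels to its right, and it
    # stands for exactly one label, so the label counts must be equal.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """cert uses the layout returned by ssl.SSLSocket.getpeercert()."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        # When a SAN extension is present the CN is ignored, as browsers do.
        return any(_name_matches(san, hostname) for san in sans)
    # Legacy fallback for certificates with no SAN extension at all.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


def classify_peer_cert(cert: dict, hostname: str) -> str:
    """Short verdict for a certificate presented when connecting to hostname."""
    if cert_matches_host(cert, hostname):
        return "ok"
    names = [v for _, v in cert.get("subjectAltName", ())] or ["<no SAN>"]
    return "MISMATCH: connected to %s but certificate names %s" % (hostname, ", ".join(names))


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a server's leaf certificate for inspection (network access; not
    used by the offline checks below). Chain validation stays on, because
    getpeercert() returns an empty dict when verify_mode is CERT_NONE;
    hostname checking is turned off so a name mismatch is returned rather
    than raised. A portal certificate from an untrusted CA raises
    ssl.SSLCertVerificationError here, which is itself the answer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() layout. These are made up
# for illustration and are not the real PayPal or Southwest certificates.
GENUINE_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
PORTAL_CERT = {
    "subject": ((("commonName", "captive-portal.wifi.example"),),),
    "subjectAltName": (("DNS", "captive-portal.wifi.example"), ("DNS", "*.wifi.example")),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("portal", PORTAL_CERT)):
        print(label, "->", classify_peer_cert(cert, "www.paypal.com"))
```

The practical point of the exception Frank had to add: clicking through tells the browser to accept exactly the portal's certificate for that name, so anything typed into that session (credentials, payment details) went through the portal in the clear. Re-check the certificate once off the in-flight network, and treat the exception as something to remove, not keep.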
Re: mrtg alternative
We're using Observium for trend collecting, graphing, and alerting.

-Pete

On 2/27/16, 13:12, "NANOG on behalf of Rafael Ganascim" wrote:

> I like cacti:
>
> http://www.cacti.net
>
> 2016-02-26 20:18 GMT-03:00 Baldur Norddahl :
>
>> Hi
>>
>> I am currently using MRTG and RRD to make traffic graphs. I am searching for more modern alternatives that allow the user to dynamically zoom and scroll the timeline.
>>
>> Bonus points if the user can customize the graphs directly in the web browser. For example he might be able to add or remove individual peers from the graph by simply clicking a checkbox.
>>
>> What is the 2016 tool for this?
>>
>> Regards,
>>
>> Baldur
Re: Devices with only USB console port - Need a Console Server Solution
A possible alternative, although probably not one you'd want to leave in place permanently: http://www.get-console.com/airconsole/

-Pete

On 2016-02-02 06:11, Jared Mauch wrote:

> On Mon, Dec 07, 2015 at 10:15:28PM +, Erik Sundberg wrote:
>
>> We have one of these nice new and fancy Cisco ASR920-24SZ, just realized it doesn't have an RJ45 Console port only USB. When we deploy devices at our pop we wire the console port to a terminal\console server, well that doesn't work for a usb console device. So what is everyone doing for out of band management via the console when it's a usb only device? Is there something I am missing?
>
> Likely not. I've seen most equipment makers start to ignore serial console. The default these days appears to be moving to a uBoot/PXE style network setup where you push an image and such via TFTP/DHCP into the device.
>
>> Is there a console server for USB?
>
> I've not seen one show up, but there are other devices like this which the DIY industry has started to build:
>
> http://freetserv.github.io/
>
> I have a side business I'm tinkering with and these are open source hardware. If there is interest, I'd be willing to build these in volume and drive the cost down. It would not be difficult to do a giant USB hub that was similar.
>
>> Does cisco make a USB to RJ45 Jack adapter?
>
> Yes, but I'm always concerned about what boot messages are lost or things you can't quite do properly (like send break, etc) to get into the device as you're waiting for the USB to initialize, driver to present to OS, etc.. Maybe they spent more time thinking about this than I am aware, but it's something I've not had a proper solution explained to me for.
>
> - Jared
Re: Comcast Support (from NANOG Digest, Vol 84, Issue 23)
Apologies for a bit off topic, but I'm trying to get an issue resolved and am having trouble reaching anybody who seems clue positive.

From home via Comcast cable, I'm having trouble reaching some destinations. According to mtr, there is a particular node (be-11-pe02.11greatoaks.ca.ibone.comcast.net) which is suffering 30% loss. Contacting the Comcast consumer support folks is useless (what are the lights on your modem doing? Did you power cycle it?). When this is happening, I usually am told they need to send a tech to my house. insert facepalm.

Is there a way to drop a note to the NOC or other folks who would understand the info and be able to act on it?

Thanks!

-Pete

On Jan 23, 2015, at 09:14, Brzozowski, John <john_brzozow...@cable.comcast.com> wrote:

> Folks,
>
> The thread below was sent to me a few times, apologies for not catching it sooner.
>
> Janet, I sent you mail unicast with a request for some information. I am happy to help you out.
>
> For the larger NANOG audience, Comcast has recently launched IPv6 support for our BCI products, these are our DOCSIS based commercial offerings. This means that if your gateway device is in fact in RG mode you will be delegated a dynamic IPv6 prefix, by default customers are delegated a /56 prefix along with a single IPv6 address that is assigned to the WAN of the gateway device.
>
> IPv6 support applies to the following makes and models:
>
> SMC D3G CCR (http://mydeviceinfo.comcast.net/device.php?devid=216)
> Cisco BWG (http://mydeviceinfo.comcast.net/device.php?devid=347)
> Netgear CG3000D (http://mydeviceinfo.comcast.net/device.php?devid=347)
>
> For customers where you bring your own cable modem or have one of the above in bridge mode we have enabled IPv6 support for you as well. However, your router behind the modem must be running software and configured with IPv6 support. Specifically, your router needs to support stateful DHCPv6 for IPv6 address and prefix acquisition.
>
> We have received a number of reports from customers that the Juniper SRX does not appear to properly support IPv6. We are working with Juniper and also recommend that you reach out to Juniper as well.
>
> Please keep checking http://www.comcast6.net for updates, we will post some additional information here in the next week or so. In the mean time if you have questions feel free to send me mail or post them here on the NANOG list.
>
> HTH,
>
> John
>
> John Jason Brzozowski
> Comcast Cable
> p) 484-962-0060
> w) www.comcast6.net
> e) john_brzozow...@cable.comcast.com
>
> -----Original Message-----
> From: nanog-requ...@nanog.org
> Reply-To: NANOG <nanog@nanog.org>
> Date: Friday, January 23, 2015 at 07:00
> To: NANOG <nanog@nanog.org>
> Subject: NANOG Digest, Vol 84, Issue 23
>
>> Date: Thu, 22 Jan 2015 22:42:17 +
>> From: Janet Sullivan <jan...@nairial.net>
>> To: 'nanog@nanog.org' <nanog@nanog.org>
>> Subject: Comcast Support
>>
>> I hate to use NANOG for this, but support has now ended a chat with me twice without fixing anything, they just kicked me off. I'm not getting an IPv6 address on the Comcast provided cable modem/router. I'm not getting a PD. My machines thus have no IPv6. I've hard reset my router 4 times while working with Comcast, and I've been told to do things like switch to a static IPv4 address, which shows a level of clue that is scary. And before that they were convinced it was a wireless problem even though I have a wired connection, and told them that multiple times. I've wasted two hours with Comcast today, and even when I asked for escalation I got nothing. Just hung up on.
>>
>> It's honestly the worst customer support I've ever received. I don't think I ever got them to understand the difference between IPv4 and IPv6.
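Before a loss figure from mtr goes to a NOC, it is worth checking whether the loss at a single hop is carried through to the hops beyond it. A router that rate-limits or drops the ICMP time-exceeded replies it generates shows loss on its own row while packets still transit it fine; loss that begins at hop N and is real shows up on every row after N, including the destination. The following is an added example, not code from anyone in the thread: a parser for `mtr --report` output plus that downstream check, run over two constructed reports (all hostnames and figures are made up; they are not measurements of the Comcast node named above).

```python
import re
from typing import List, NamedTuple, Optional


class Hop(NamedTuple):
    index: int
    host: str
    loss_pct: float
    sent: int
    avg_ms: float


# One data row of `mtr --report`: "  3.|-- host   30.0%   100   20.1  19.8 ..."
_ROW = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%\s+(\d+)\s+[\d.]+\s+([\d.]+)")


def parse_mtr_report(text: str) -> List[Hop]:
    """Parse the rows of an `mtr --report` run; header lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            hops.append(Hop(int(m.group(1)), m.group(2), float(m.group(3)),
                            int(m.group(4)), float(m.group(5))))
    return hops


def _loss_recovers_downstream(hops: List[Hop], i: int, slack: float) -> bool:
    """True if some later hop reports markedly less loss than hop i, i.e. the
    probes did get through hop i and its figure is its own reply behaviour."""
    return any(h.loss_pct + slack < hops[i].loss_pct for h in hops[i + 1:])


def first_forwarding_loss(hops: List[Hop], threshold: float = 5.0, slack: float = 5.0) -> Optional[Hop]:
    """First hop whose loss is above threshold AND is carried through to the
    destination. Loss confined to one row (later hops fine) is that router
    rate-limiting or dropping ICMP time-exceeded replies, not packet loss."""
    for i, hop in enumerate(hops):
        if hop.loss_pct >= threshold and not _loss_recovers_downstream(hops, i, slack):
            return hop
    return None


def classify_loss(hops: List[Hop], threshold: float = 5.0, slack: float = 5.0) -> List[str]:
    """One human-readable line per hop with loss above threshold."""
    findings = []
    for i, hop in enumerate(hops):
        if hop.loss_pct < threshold:
            continue
        if i == len(hops) - 1:
            findings.append(f"hop {hop.index} {hop.host}: {hop.loss_pct:.1f}% loss at the destination")
        elif _loss_recovers_downstream(hops, i, slack):
            findings.append(f"hop {hop.index} {hop.host}: {hop.loss_pct:.1f}% loss not carried downstream; "
                            "likely ICMP rate limiting on that router, not forwarding loss")
        else:
            findings.append(f"hop {hop.index} {hop.host}: {hop.loss_pct:.1f}% loss persists to "
                            f"{hops[-1].host} ({hops[-1].loss_pct:.1f}%); forwarding loss starts here")
    return findings


# Constructed sample reports (hostnames and figures are made up).
COSMETIC_REPORT = """\
Start: Fri Jan 23 09:00:00 2015
HOST: laptop.lan                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.0.0.1                    0.0%   100    1.1   1.2   0.9   2.5   0.2
  2.|-- 96.120.0.1                  0.0%   100   10.8  11.0   9.7  15.2   0.9
  3.|-- core-router.example.net    30.0%   100   19.9  20.1  18.2  26.0   1.3
  4.|-- ???                       100.0%   100    0.0   0.0   0.0   0.0   0.0
  5.|-- www.example.org             0.0%   100   22.3  22.0  20.4  28.1   1.2
"""

REAL_LOSS_REPORT = """\
Start: Fri Jan 23 09:05:00 2015
HOST: laptop.lan                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.0.0.1                    0.0%   100    1.1   1.2   0.9   2.5   0.2
  2.|-- 96.120.0.1                  0.0%   100   10.8  11.0   9.7  15.2   0.9
  3.|-- core-router.example.net    30.0%   100   19.9  20.1  18.2  26.0   1.3
  4.|-- peer-router.example.net    29.0%   100   21.4  21.0  19.0  27.2   1.4
  5.|-- www.example.org            31.0%   100   22.3  22.0  20.4  28.1   1.2
"""

if __name__ == "__main__":
    for name, report in (("cosmetic", COSMETIC_REPORT), ("real", REAL_LOSS_REPORT)):
        print(name)
        for line in classify_loss(parse_mtr_report(report)):
            print("  " + line)
```

A report of the second shape (loss from one hop onward, ending at the destination with a similar figure) is the one a NOC can act on; the first shape will get the ticket closed as "no fault found". Run mtr for a few hundred probes and, if possible, from both directions, since the reverse path is often not the same.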
Re: OT - Small DNS appliances for remote offices.
And the new CPU is ARM7 so hardfloat is supported. Should make a nifty DNS box.

-Pete

On 2015-02-18 07:21, Maxwell Cole wrote:

> +1 for the pi, The new model has a quad core and 1GB of ram which should be more than enough for a DNS.
>
> On 2/18/15 10:03 AM, Peter Kristolaitis wrote:
>
>> Not industrial grade, but Raspberry Pis are pretty great for this kind of low-horsepower application. Throw 2 at each site for redundancy and you have a low-powered, physically small, cheap, dead silent, easily replaceable system for ~$150 per site. Same idea as the Soekris -- just ship out replacements instead of trying to repair -- but even cheaper. Between having 2 (or more) at each site, plus cross-site redundancy via anycast, it would be pretty robust (and cheap enough that you could have cold-spares at each site).
>>
>> On 02/18/2015 09:28 AM, Ray Van Dolson wrote:
>>
>>> Hopefully not too far off topic for this list. Am looking for options to deploy DNS caching resolvers at remote locations where there may only be minimal infrastructure (FW and Cisco equipment) and limited options for installing noisier, more power hungry servers or appliances from a vendor. Stuff like Infoblox is too expensive.
>>>
>>> We're BIND-based and leaning to stick that way, but open to other options if they present themselves.
>>>
>>> Am considering the Soekris net6501-50. I can dump a Linux image on there with our DNS config, industrial grade design, and OK performance. If the thing fails, clients will hopefully not notice due to anycast which will just hit another DNS server somewhere else on the network albeit with additional latency. We ship out a replacement device rather than mucking with trying to repair.
>>>
>>> There's also stuff like this[1] which probably gives me more horsepower on my CPU, but maybe not as reliable.
>>>
>>> Maybe I'm overengineering this. What do others do at smaller remote sites? Also considering putting resolvers only at hub locations in our MPLS network based on some latency-based radius.
>>>
>>> Ray
>>>
>>> [1] http://www.newegg.com/Mini-Booksize-Barebone-PCs/SubCategory/ID-309
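The anycast failover Ray and Peter describe only works if a box whose resolver has died stops attracting queries. A Pi whose named has crashed but whose kernel is still up keeps the anycast address reachable and becomes a black hole for its site, so the route needs to be tied to the resolver actually answering, not to the host being alive. The following is an added example, not code from anyone in the thread: a dependency-free DNS health probe (a hand-built query and header check over UDP) and the withdraw/announce decision with hysteresis. The service address 10.53.0.1, the `ip addr` mechanism and a routing daemon that redistributes connected routes are assumptions for illustration, not details from the thread.

```python
import os
import socket
import struct
import subprocess
from typing import Optional, Tuple


def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query: header with RD set, one question, type A by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data: bytes, txid: int) -> dict:
    """Validate the header of a DNS reply and return rcode / answer count."""
    if len(data) < 12:
        raise ValueError("short reply")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return {"rcode": flags & 0x000F, "answers": an, "truncated": bool(flags & 0x0200)}


def resolver_healthy(server: str, qname: str, port: int = 53, timeout: float = 2.0) -> bool:
    """True if the resolver at server answers qname with NOERROR and >= 1 RR.
    Does network I/O; not exercised by the offline checks."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(qname, txid), (server, port))
            data, _ = sock.recvfrom(512)
        except OSError:  # socket.timeout is an OSError subclass
            return False
    try:
        reply = parse_response(data, txid)
    except ValueError:
        return False
    return reply["rcode"] == 0 and reply["answers"] > 0


def decide_anycast(healthy: bool, failures: int, max_failures: int = 3) -> Tuple[int, Optional[str]]:
    """Track consecutive failures; return (new_count, action) where action is
    'withdraw' once max_failures is reached, 'announce' on the first success
    after a withdrawal, and None otherwise. The hysteresis keeps one lost
    probe from flapping the route."""
    if healthy:
        return 0, ("announce" if failures >= max_failures else None)
    failures += 1
    return failures, ("withdraw" if failures == max_failures else None)


def apply_anycast(action: Optional[str], address: str, dev: str = "lo") -> None:
    """Add or remove the anycast service address on a loopback; a routing
    daemon assumed to redistribute connected routes does the rest. This
    mechanism is an assumed deployment detail, not from the thread."""
    if action == "withdraw":
        subprocess.run(["ip", "addr", "del", f"{address}/32", "dev", dev], check=False)
    elif action == "announce":
        subprocess.run(["ip", "addr", "add", f"{address}/32", "dev", dev], check=False)


if __name__ == "__main__":
    # One iteration of what a small daemon would loop over every few seconds,
    # carrying the failure count between runs. Addresses are made up.
    ok = resolver_healthy("127.0.0.1", "www.example.com")
    failures, action = decide_anycast(ok, 0)
    print("healthy=%s failures=%d action=%s" % (ok, failures, action))
    apply_anycast(action, "10.53.0.1")
```

Probe a name the resolver must recurse for, not one it serves authoritatively, so a box that has lost its upstream reachability is withdrawn too. The same anycast address is reachable from every site once it is in the IGP, so the resolver should still restrict recursion to the organisation's own prefixes (`allow-recursion` in BIND) rather than rely on the remote site's firewall.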
RE: OT - Small DNS appliances for remote offices.
For any site where you would use a Pi as the DNS cache, it won't be an issue. DNS isn't that heavy at those query rates. Yeah, it would be awesome if they'd been able to get a SoC that included ethernet.

-Pete

On 2015-02-18 15:08, Robert Webb wrote:

> What I do not like about the Pi is the network port is on the USB bus and thus limited to USB speeds.
>
> -------- Original message --------
> From: Maxwell Cole <mcole.mailingli...@gmail.com>
> Date: 02/18/2015 4:30 PM (GMT-05:00)
> To: 'NANOG list' <nanog@nanog.org>
> Subject: Re: OT - Small DNS appliances for remote offices.
Re: OT - Small DNS appliances for remote offices.
Not to mention reliability issues with old machines...fans failing, leaky capacitors, etc, etc.

-Pete

On 2015-02-18 14:32, Baldur Norddahl wrote:

> That option is expensive in power fees...
>
> On 18/02/2015 23.12, Rich Kulawiec <r...@gsp.org> wrote:
>
>> Find someone unloading 50 old, physically small desktop PCs. Buy the lot. Drop OpenBSD and BIND on them, ship 3 to every site, run 1 or 2 live with the leftovers as on-site spares. If one breaks, wipe the disk and send the box to recycling. (Just checked: someone on a certain auction site is selling a lot of 64 HP Compaq 8000 (3.16GHz, 2GB) systems, current price $1K.)
>>
>> ---rsk