Re: Cisco 2 factor authentication

2016-06-23 Thread Peter Loron
We are in the process of rolling out Okta, including using a second factor for 
AnyConnect VPN. Works well.

-Pete

On 6/22/16, 01:27, "NANOG on behalf of Ray Ludendorff" wrote:

Has anyone setup two factor VPN using a Cisco ASA VPN solution?
What sort of soft client based dual factor authentication options were used for 
the Cisco VPNs (e.g. Symantec VIP, Google authenticator, Azure authenticator, 
RSA, etc.)
I am trying to find what infrastructure is needed to come up with the solution.

Please contact me off list.

Regards
Ray Ludendorff

Re: syslog server

2016-06-07 Thread Peter Loron
I’m a big fan of Graylog.

-Pete

On 6/6/16, 13:59, "NANOG on behalf of Maximino Velazquez" wrote:

>Hi nanog community
>
>I need help !!
>
>What is the best syslog server  (opensource)?
>
>Thanks for your help
>
>Regards.
>
>-- 
>Max Velazquez

Google GeoIP issue

2016-06-01 Thread Peter Loron
Hello folks. An address we use is not identified as being in the correct 
location by Google. Can someone from their NOC reach out off-list?

Thanks.


Sent from my iPhone


Re: Southwest Airlines captive portal

2016-02-27 Thread Peter Loron
Likely. Let Southwest know, and as others have said, change your password. 
Hopefully it was unique to PayPal. 

-Pete

On 2/27/16, 15:09, "NANOG on behalf of Paras Jha" wrote:

>You got MITM'd
>
>On Sat, Feb 27, 2016 at 1:57 PM, Damien Burke wrote:
>
>> You should change your paypal password.
>>
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Frank Bulk
>> Sent: Saturday, February 27, 2016 10:27 AM
>> To: nanog@nanog.org
>> Subject: Southwest Airlines captive portal
>>
>> Anyone from Southwest Airlines on this list?
>>
>> On a recent flight I discovered I couldn't complete payment through PayPal
>> because my web browsers properly noticed that the Southwest Airlines SSL
>> certificate that the captive portal was giving for PayPal didn't match up.
>> =)  I had to create an exception for PayPal just to complete payment.
>>
>> Frank
>>
>>
>
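Frank's browser refused the portal's certificate because none of its names covered the PayPal host he asked for. The following is an added example, not code from the thread: the hostname check a browser performs, run on a constructed certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns (the portal domain is a placeholder).

```python
# Added example (not from the NANOG thread): the hostname check a browser
# applies to a server certificate, run against a constructed certificate
# in the dict shape that Python's ssl.SSLSocket.getpeercert() returns.
# The portal's domain name is a placeholder, not a real operator's.

def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a wildcard is only
    honoured as the entire left-most label, so '*.example.net' covers
    'www.example.net' but not 'a.b.example.net' or 'example.net'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole first label and must leave at least two
    # fixed labels after it, so '*.com' can never match anything.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate may be used for: dNSName SAN entries, falling
    back to the subject CN only when the cert carries no SAN at all."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True when the cert is valid for hostname, as a browser would decide."""
    return any(_label_match(n, hostname) for n in cert_names(cert))


# Constructed cert, as a captive portal might present for any HTTPS site
# it intercepts before the user has signed on.  Valid for the portal's own
# names only; presenting it for www.paypal.com must fail.
PORTAL_CERT = {
    "subject": ((("commonName", "wifi.portal.example"),),),
    "issuer": ((("commonName", "Portal Captive CA"),),),
    "subjectAltName": (("DNS", "wifi.portal.example"),
                       ("DNS", "*.portal.example")),
}
```

The warning Frank saw is exactly cert_matches_host(PORTAL_CERT, "www.paypal.com") returning False; clicking through it hands the session to whoever runs the portal, which is why changing the password afterwards is the right call.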

Re: mrtg alternative

2016-02-27 Thread Peter Loron
We’re using Observium for trend collecting, graphing, and alerting.

-Pete

On 2/27/16, 13:12, "NANOG on behalf of Rafael Ganascim" wrote:

>I like cacti:
>
>http://www.cacti.net
>
>
>
>2016-02-26 20:18 GMT-03:00 Baldur Norddahl:
>
>> Hi
>>
>> I am currently using MRTG and RRD to make traffic graphs. I am searching
>> for more modern alternatives that allows the user to dynamically zoom and
>> scroll the timeline.
>>
>> Bonus points if the user can customize the graphs directly in the
>> web browser. For example he might be able to add or remove individual peers
>> from the graph by simply clicking a checkbox.
>>
>> What is the 2016 tool for this?
>>
>> Regards,
>>
>> Baldur
>>
>

Re: Devices with only USB console port - Need a Console Server Solution

2016-02-02 Thread Peter Loron
A possible alternative, although probably not one you'd want to leave in 
place permanently:


http://www.get-console.com/airconsole/

-Pete

On 2016-02-02 06:11, Jared Mauch wrote:

On Mon, Dec 07, 2015 at 10:15:28PM +, Erik Sundberg wrote:
> We have one of these nice new and fancy Cisco ASR920-24SZ, just 
> realized it doesn't have an RJ45 Console port only USB. When we deploy 
> devices at our pop we wire the console port to a terminal\console 
> server, well that doesn't work for a usb console device.
> 
> So what is everyone doing for out of band management via the console 
> when it's a usb only device?
> 
> Is there something I am missing?

Likely not.  I've seen most equipment makers start to ignore serial 
console.  The default these days appears to be moving to a uBoot/PXE style 
network setup where you push an image and such via TFTP/DHCP into the device.

> Is there a console server for USB?

I've not seen one show up, but there are other devices like this
which the DIY industry has started to build:

http://freetserv.github.io/

I have a side business I'm tinkering with and these are open source
hardware.  If there is interest, I'd be willing to build these in 
volume and drive the cost down.

It would not be difficult to do a giant USB hub that was similar.

> Does cisco make an USB to RJ45 Jack adapter?

Yes, but I'm always concerned about what boot messages are lost
or things you can't quite do properly (like send break, etc) to get into
the device as you're waiting for the USB to initialize, driver to present
to OS, etc..  Maybe they spent more time thinking about this than I
am aware, but it's something I've not had a proper solution explained 
to me for.

- Jared


Re: Comcast Support (from NANOG Digest, Vol 84, Issue 23)

2015-02-22 Thread Peter Loron
Apologies for a bit off topic, but I’m trying to get an issue resolved and am 
having trouble reaching anybody who seems clue positive.

From home via Comcast cable, I’m having trouble reaching some destinations. 
According to mtr, there is a particular node 
(be-11-pe02.11greatoaks.ca.ibone.comcast.net) which is suffering 30% loss. 
Contacting the Comcast consumer support folks is useless (what are the lights 
on your modem doing? Did you power cycle it?). When this is happening, I 
usually am told they need to send a tech to my house. insert facepalm.

Is there a way to drop a note to the NOC or other folks who would understand 
the info and be able to act on it?

Thanks!

-Pete
 On Jan 23, 2015, at 09:14, Brzozowski, John john_brzozow...@cable.comcast.com wrote:
 
 Folks,
 
 The thread below was sent to me a few times, apologies for not catching it 
 sooner.
 
 Janet,
 
 I sent you mail unicast with a request for some information.  I am happy to 
 help you out.
 
 For the larger NANOG audience, Comcast has recently launched IPv6 support for 
 our BCI products, these are our DOCSIS based commercial offerings.  This 
 means that if your gateway device is in fact in RG mode you will be delegated 
 a dynamic IPv6 prefix, by default customers are delegated a /56 prefix along 
 with a single IPv6 address that is assigned to the WAN of the gateway device. 
 IPv6 support applies to the following makes and models:
 
 SMC D3G CCR (http://mydeviceinfo.comcast.net/device.php?devid=216)
 Cisco BWG (http://mydeviceinfo.comcast.net/device.php?devid=347)
 Netgear CG3000D (http://mydeviceinfo.comcast.net/device.php?devid=347)
 
 For customers where you bring your own cable modem or have one of the above 
 in bridge mode we have enabled IPv6 support for you as well.  However, your 
 router behind the modem must be running software and configured with IPv6 
 support.  Specifically, your router needs to support stateful DHCPv6 for 
 IPv6 address and prefix acquisition.  We have received a number of reports 
 from customers that the Juniper SRX does not appear to properly support IPv6. 
 We are working with Juniper and also recommend that you reach out to Juniper 
 as well.
 
 Please keep checking http://www.comcast6.net for updates, we will post some 
 additional information here in the next week or so.  In the meantime if you 
 have questions feel free to send me mail or post them here on the NANOG list.
 
 HTH,
 
 John
 =
 John Jason Brzozowski
 Comcast Cable
 p) 484-962-0060
 w) www.comcast6.net
 e) john_brzozow...@cable.comcast.com
 =
 
 
 
 -Original Message-
 From: nanog-requ...@nanog.org
 Reply-To: NANOG nanog@nanog.org
 Date: Friday, January 23, 2015 at 07:00
 To: NANOG nanog@nanog.org
 Subject: NANOG Digest, Vol 84, Issue 23
 
 Date: Thu, 22 Jan 2015 22:42:17 +
 From: Janet Sullivan jan...@nairial.net
 To: nanog@nanog.org
 Subject: Comcast Support
 Message-ID: cy1pr0701mb1164f3448b35404bbae671a8dc...@cy1pr0701mb1164.namprd07.prod.outlook.com
 Content-Type: text/plain; charset=us-ascii
 
 I hate to use NANOG for this, but support has now ended a chat with me twice 
 without fixing anything, they just kicked me off.
 
 I'm not getting an IPv6 address on the Comcast provided cable modem/router.  
 I'm not getting a PD.  My machines thus have no IPv6.  I've hard reset my 
 router 4 times while working with Comcast, and I've been told to do things 
 like switch to a static IPv4 address, which shows a level of clue that is 
 scary.  And before that they were convinced it was a wireless problem even 
 though I have a wired connection, and told them that multiple times.  I've 
 wasted two hours with Comcast today, and even when I asked for escalation I 
 got nothing.  Just hung up on.  It's honestly the worst customer support I've 
 ever received.  I don't think I ever got them to understand the difference 
 between IPv4 and IPv6.
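Pete's mtr above pins 30% loss on a single backbone hop. The check below is an added example, not from the thread: it parses a constructed `mtr --report` (placeholder hosts) and separates loss that persists through to the destination from loss reported only at one intermediate hop, which is commonly that router rate-limiting the ICMP replies it generates about itself rather than loss on traffic passing through it.

```python
# Added example (not from the NANOG thread): reading per-hop loss out of an
# mtr report.  Loss that shows at one intermediate hop but is absent from
# every hop after it is usually that router rate-limiting the ICMP replies
# it generates about itself, not forwarding loss; only loss that carries
# through to the destination affects traffic.  The report below is
# constructed to look like `mtr --report` output; hosts are placeholders.
import re

MTR_REPORT = """\
HOST: laptop.local                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.0.0.1                    0.0%    10    1.1   1.2   1.0   1.5   0.1
  2.|-- 100.64.0.1                  0.0%    10    9.8  10.2   9.1  12.0   0.9
  3.|-- core1.isp.example          30.0%    10   15.3  15.9  14.8  17.2   0.7
  4.|-- peer1.transit.example       0.0%    10   16.1  16.4  15.7  17.9   0.6
  5.|-- edge1.dest.example         20.0%    10   18.2  18.6  17.9  19.8   0.5
  6.|-- www.dest.example           20.0%    10   19.0  19.4  18.6  21.0   0.7
"""

# hop number, host, loss percentage, probes sent
HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%\s+(\d+)")


def parse_mtr(report: str) -> list:
    """Return one dict per hop with hop number, host, loss % and probes sent."""
    hops = []
    for line in report.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({"hop": int(m.group(1)), "host": m.group(2),
                         "loss": float(m.group(3)), "sent": int(m.group(4))})
    return hops


def classify_loss(hops: list) -> dict:
    """Map each lossy hop's host to 'icmp-rate-limit' when every later hop
    reports less loss than it does (the loss did not carry downstream), and
    to 'forwarding' otherwise, including loss at the final hop itself."""
    verdicts = {}
    for i, h in enumerate(hops):
        if h["loss"] == 0.0:
            continue
        later = hops[i + 1:]
        if later and all(x["loss"] < h["loss"] for x in later):
            verdicts[h["host"]] = "icmp-rate-limit"
        else:
            verdicts[h["host"]] = "forwarding"
    return verdicts
```

A hop classified as forwarding loss, with the same loss figure repeated at every hop after it and at the destination, is the pattern worth escalating with the trace attached.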



Re: OT - Small DNS appliances for remote offices.

2015-02-18 Thread Peter Loron
And the new CPU is ARM7 so hardfloat is supported. Should make a nifty 
DNS box.



-Pete

On 2015-02-18 07:21, Maxwell Cole wrote:

+1 for the pi,

The new model has a quad core and 1GB of ram which should be more than
enough for a DNS.

On 2/18/15 10:03 AM, Peter Kristolaitis wrote:
Not industrial grade, but Raspberry Pis are pretty great for this 
kind of low-horsepower application.  Throw 2 at each site for 
redundancy and you have a low-powered, physically small, cheap, dead 
silent, easily replaceable system for ~$150 per site.   Same idea as 
the Soekris -- just ship out replacements instead of trying to repair 
-- but even cheaper.


Between having 2 (or more) at each site, plus cross-site redundancy 
via anycast, it would be pretty robust (and cheap enough that you 
could have cold-spares at each site).

On 02/18/2015 09:28 AM, Ray Van Dolson wrote:

Hopefully not too far off topic for this list.

Am looking for options to deploy DNS caching resolvers at remote
locations where there may only be minimal infrastructure (FW and Cisco
equipment) and limited options for installing noisier, more power
hungry servers or appliances from a vendor.  Stuff like Infoblox is
too expensive.

We're BIND-based and leaning to stick that way, but open to other
options if they present themselves.

Am considering the Soekris net6501-50.  I can dump a Linux image on
there with our DNS config, industrial grade design, and OK
performance.  If the thing fails, clients will hopefully not notice due
to anycast which will just hit another DNS server somewhere else on the
network albeit with additional latency.  We ship out a replacement
device rather than mucking with trying to repair.

There's also stuff like this[1] which probably gives me more horsepower
on my CPU, but maybe not as reliable.

Maybe I'm overengineering this.  What do others do at smaller remote
sites?  Also considering putting resolvers only at hub locations in
our MPLS network based on some latency-based radius.

Ray

[1] http://www.newegg.com/Mini-Booksize-Barebone-PCs/SubCategory/ID-309

RE: OT - Small DNS appliances for remote offices.

2015-02-18 Thread Peter Loron
For any site where you would use a Pi as the DNS cache, it won't be an 
issue. DNS isn't that heavy at those query rates.


Yeah, it would be awesome if they'd been able to get a SoC that included 
ethernet.


-Pete

On 2015-02-18 15:08, Robert Webb wrote:

What I do not like about the Pi is the network port is on the USB bus
and thus limited to USB speeds. 

 Original message 
From: Maxwell Cole mcole.mailingli...@gmail.com
Date: 02/18/2015 4:30 PM (GMT-05:00)
To: nanog@nanog.org 'NANOG list' nanog@nanog.org
Subject: Re: OT - Small DNS appliances for remote offices.


Re: OT - Small DNS appliances for remote offices.

2015-02-18 Thread Peter Loron
Not to mention reliability issues with old machines...fans failing, 
leaky capacitors, etc, etc.


-Pete

On 2015-02-18 14:32, Baldur Norddahl wrote:

That option is expensive in power fees...
On 18/02/2015 23.12, Rich Kulawiec r...@gsp.org wrote:

Find someone unloading 50 old, physically small desktop PCs.  Buy the
lot.  Drop OpenBSD and BIND on them, ship 3 to every site, run 1 or 2
live with the leftovers as on-site spares.  If one breaks, wipe the disk
and send the box to recycling.

(Just checked: someone on a certain auction site is selling a lot of 64
HP Compaq 8000 (3.16GHz, 2GB) systems, current price $1K.)

---rsk