Re: Juniper configuration recommendations/BCP

2020-10-21 Thread Sebastian Wiesinger
* Forrest Christian (List Account)  [2020-10-08 11:39]:
> I've done a bit of googling and am either finding stuff that is largely
> Cisco-specific or which is generic - all of which I'm rather familiar with
> based on my past history.   Is there anything I should worry about which is
> Juniper-specific?

Some things that come to mind:

* Juniper has a default ARP policer that is _shared_ between all
interfaces. This will bite you if you attach the box to a large L2
segment (*cough* DE-CIX *cough*). So you should either:
 - configure a non-shared policer:
set firewall policer my-arp-policer if-exceeding 
set interface xe-0/0/0.0 family inet policer arp my-arp-policer

 - disable default ARP policer for the interface (this is not recommended
   and a hidden command)
set interface xe-0/0/0.0 family inet policer disable-arp-policer


* If you do Aggregated Ethernet (Port-Channel interfaces) you need to
  reserve resources for the ae interface by declaring:
set chassis aggregated-devices ethernet device-count X
  "device-count 3" would give you ae0 to ae2 as possible interfaces


* For all modern MX boxes you should normally set network-services
  mode to enhanced-ip (this requires a reboot of the box):
   set chassis network-services enhanced-ip

* Groups (set groups some-group ... / set apply-groups some-group)
  are your friend

  Want to see stuff that gets applied to the config through groups?
   show  | display inheritance
   (add "no-comments" for just the config without additional information)

* It is kind of hard sometimes to figure out the right encapsulation /
  vlan-tagging config for an interface. For most flexible use of a
  port (this might differ depending on your configuration) on MX you
  can use:
   set interface xe-0/0/0 encapsulation flexible-ethernet-services
   set interface xe-0/0/0 flexible-vlan-tagging

* Physical interface MTU for Juniper includes Ethernet overhead
  (standard MTU is 1514, 1518 with VLAN tag). So basically coming from
  Cisco it's Cisco-MTU+14. You can configure a separate MTU per
  protocol family (set interface ... family inet mtu 1500). Handy for
  OSPF and co.

* You need to enable every protocol family on an interface that you
  wish to accept. So for example if you want to do IPv4(OSPF) + IPv6(ISIS) + MPLS
  (with LDP) you need on the interface:

   set interface .. family inet ...
   set interface .. family inet6 ...
   set interface .. family iso
   set interface .. family mpls

  After that you need to enable the interface separately under the
  relevant protocols (set protocols mpls interface ..., set protocols
  ldp interface ...)

  Yes this is a bit much but I always try to remember that the first
  part enables the receiving of the protocol packets on the interface
  and the second part enables the processing of the received packets.

* I love that Juniper shows you all routes for a destination, so if a
  destination is reachable via BGP, OSPF and direct route a 'show
  route ' will show that information for all protocols. The
  active route is marked with a star. Routes that are hidden (for
  example BGP routes that are rejected by import filters) can be shown
  by 'show route hidden'.

* You can set standard BGP parameters for the whole box under
  'routing-options':

set routing-options router-id 1.2.3.4
set routing-options route-distinguisher-id 1.2.3.4
set routing-options autonomous-system 65500

* You need to enable ECMP by binding a filter to the forwarding-table:
   set policy-options policy-statement ecmp term 10-ecmp then load-balance per-packet
   set routing-options forwarding-table export ecmp

  (Yes, per-packet means per-flow ECMP, don't ask)

* Sometimes if you change config and don't see a change in behaviour a
  'commit full' will fix the problem (this shouldn't be necessary
  normally).

* Some global BGP settings I would use:
   set protocols bgp precision-timers (Helps with very low BGP timers to avoid timeouts)
   set protocols bgp log-updown
   set protocols bgp always-compare-med (Depends on your routing policy)

* Want to look under the hood? Go to the linecard:
   > start shell pfe network fpcX (fpc0 only for MX204)
  Danger Zone: There are many commands on the linecard that can mess
  stuff up. I even managed to crash stuff with some 'show ..' commands
  there.

* Change things and want to apply it later? Save and load the patch
  later:

# show | diff | tee patch.txt
# rollback
# exit

# configure
# load patch patch.txt
# commit


Sebastian


-- 
GPG Key: 0x58A2D94A93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
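Several of the points above (protocol family versus protocol binding, the shared default ARP policer, the 14/18-byte L2 overhead in the physical MTU, and the aggregated-devices device-count) can be checked mechanically on a configuration in "set" format. The linter below is an added example written for this page; it is not Juniper's tooling and not part of the original post. It assumes the input is the output of `show configuration | display set` or hand-typed set commands, accepts both the long form `set interfaces xe-0/0/0 unit 0 ...` and the shorthand `set interface xe-0/0/0.0 ...` used in the post, and the `ospf3 -> inet6` mapping is an assumption not taken from the post. The sample configuration is constructed and contains one violation of each kind.

```python
"""Lint a Junos configuration in 'set' format against the points in the post:
every protocol bound to an interface needs the matching family on that unit,
Ethernet units with family inet should carry a dedicated ARP policer, family MTU
plus L2 overhead must fit inside the physical MTU, and ae interfaces need a large
enough aggregated-devices device-count.  Added example, not Juniper's code."""
import re
from collections import defaultdict

# Protocol stanza -> family the unit must carry (post: OSPF needs inet, IS-IS
# needs iso, LDP/MPLS need mpls; ospf3 -> inet6 is an assumption).
NEEDS_FAMILY = {"ospf": "inet", "ospf3": "inet6", "isis": "iso", "ldp": "mpls", "mpls": "mpls"}
ETHER_OVERHEAD, VLAN_OVERHEAD = 14, 18      # L2 bytes counted in the Junos physical MTU
ETHER_PREFIXES = ("xe-", "ge-", "et-", "ae")

# Constructed sample: one violation of each kind plus one clean unit (xe-0/0/0.100).
SAMPLE_CONFIG = """\
set chassis aggregated-devices ethernet device-count 1
set interfaces xe-0/0/0 mtu 1518
set interfaces xe-0/0/0 flexible-vlan-tagging
set interfaces xe-0/0/0 unit 100 vlan-id 100
set interfaces xe-0/0/0 unit 100 family inet mtu 1500
set interfaces xe-0/0/0 unit 100 family inet policer arp my-arp-policer
set interfaces xe-0/0/0 unit 100 family inet6
set interfaces xe-0/0/0 unit 100 family iso
set interfaces xe-0/0/1 mtu 1500
set interface xe-0/0/1.0 family inet mtu 1500
set interface xe-0/0/1.0 family mpls
set interfaces ae1 unit 0 family inet address 10.0.1.1/30
set protocols ospf area 0.0.0.0 interface xe-0/0/0.100
set protocols ospf area 0.0.0.0 interface xe-0/0/1.0
set protocols isis interface xe-0/0/0.100
set protocols ldp interface xe-0/0/0.100
set protocols ldp interface xe-0/0/1.0
set protocols mpls interface all
"""


def parse_set_config(text):
    """Return (ifd, ifl, proto, device_count) built from 'set ...' lines."""
    ifd = defaultdict(dict)    # 'xe-0/0/0'   -> {'mtu': 1518, 'vlan-tagging': True}
    ifl = defaultdict(dict)    # 'xe-0/0/0.0' -> {'vlan-id': True, 'inet': {'mtu': .., 'arp_policer': ..}}
    proto = defaultdict(set)   # 'ldp' -> {'xe-0/0/0.0', ...}
    device_count = None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1] in ("interfaces", "interface"):
            name, rest = tok[2], tok[3:]
            if rest[:1] == ["unit"] and len(rest) > 1:          # long form -> 'ifd.unit'
                name, rest = f"{name}.{rest[1]}", rest[2:]
            if "." not in name:                                  # physical-interface knobs
                entry = ifd[name]                                # touch: the ifd exists
                if rest[:1] == ["mtu"] and len(rest) > 1:
                    entry["mtu"] = int(rest[1])
                elif rest and rest[0].endswith("vlan-tagging"):
                    entry["vlan-tagging"] = True
                continue
            unit = ifl[name]
            if rest[:1] == ["vlan-id"]:
                unit["vlan-id"] = True
            elif rest[:1] == ["family"] and len(rest) > 1:
                fam = unit.setdefault(rest[1], {})
                if rest[2:4] == ["policer", "arp"]:
                    fam["arp_policer"] = True
                elif rest[2:3] == ["mtu"] and len(rest) > 3:
                    fam["mtu"] = int(rest[3])
        elif tok[1] == "protocols" and tok[2] in NEEDS_FAMILY and "interface" in tok[3:-1]:
            proto[tok[2]].add(tok[tok.index("interface", 3) + 1])
        elif tok[1:5] == ["chassis", "aggregated-devices", "ethernet", "device-count"] and len(tok) > 5:
            device_count = int(tok[5])
    return ifd, ifl, proto, device_count


def lint(text):
    """Return sorted finding strings; an empty list means the config passes."""
    ifd, ifl, proto, device_count = parse_set_config(text)
    findings = []
    for p, names in proto.items():                       # 1. protocol bound, family missing
        for n in names:
            if n != "all" and NEEDS_FAMILY[p] not in ifl.get(n, {}):
                findings.append(f"{n}: protocols {p} bound but family {NEEDS_FAMILY[p]} missing")
    for n, fams in ifl.items():
        phys = n.split(".")[0]
        inet = fams.get("inet")
        if phys.startswith(ETHER_PREFIXES) and inet is not None and not inet.get("arp_policer"):
            findings.append(f"{n}: family inet without a dedicated ARP policer (shared default policer in use)")
        tagged = fams.get("vlan-id") or ifd.get(phys, {}).get("vlan-tagging")
        overhead = VLAN_OVERHEAD if tagged else ETHER_OVERHEAD
        pmtu = ifd.get(phys, {}).get("mtu")
        for fam, attrs in fams.items():                  # 3. family MTU + L2 overhead <= physical MTU
            if isinstance(attrs, dict) and pmtu and attrs.get("mtu", 0) + overhead > pmtu:
                findings.append(f"{n}: family {fam} mtu {attrs['mtu']} + {overhead} bytes L2 overhead exceeds physical mtu {pmtu}")
    ae_ids = []                                          # 4. ae index must be below device-count
    for name in set(ifd) | {n.split(".")[0] for n in ifl}:
        m = re.fullmatch(r"ae(\d+)", name)
        if m:
            ae_ids.append(int(m.group(1)))
    if ae_ids and (device_count is None or device_count <= max(ae_ids)):
        findings.append(f"ae{max(ae_ids)}: needs chassis aggregated-devices ethernet device-count >= {max(ae_ids) + 1} (configured: {device_count})")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the linter reports the missing `family mpls` under the LDP interface, the two units still on the shared default ARP policer, the Cisco-style `mtu 1500` on xe-0/0/1 that leaves no room for the 14 bytes of Ethernet overhead, and `device-count 1` being too small for ae1; xe-0/0/0.100 with `mtu 1518` and `family inet mtu 1500` under a VLAN tag passes, which is exactly the 1518-with-tag boundary from the post. Feed it the real thing with `show configuration | display set` saved to a file.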


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-22 Thread Sebastian Wiesinger
* David Hubbard  [2018-05-16 19:01]:
> I’m curious if anyone who’s used 3356 for transit has found
> shortcomings in how their peering and redundancy is configured, or

From a recent experience I can tell you that a change request to
change a peering from "full table" to "default route only" has
resulted in now 3+ weeks of conversation and an outage when they
misconfigured their session without them realising it.

Colleague of mine is now trying to send them the exact required set
commands for the Juniper gear they're using.

This is not what I would expect from a carrier like 3356.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: AS202746 Hijacks: Is Telia (a) stupid, or (b) lazy, or (c) complicit?

2017-08-08 Thread Sebastian Wiesinger
* Ronald F. Guilmette  [2017-08-02 09:37]:
> 
> The annotations in the RIPE WHOIS record for AS202746 seem pretty clear to me.
> This thing is B-O-G-U-S!

You know, people might be more willing to listen to you when you
express your points in a less emotional and aggressive tone.

Regards


Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: AS4788 Telecom Malaysia major route leak?

2015-06-12 Thread Sebastian Wiesinger
* Tore Anderson t...@fud.no [2015-06-12 11:12]:
> I see tons of bogus routes show up with AS4788 in the path, and at
> least AS3549 is accepting them.
> 
> E.g. for the RIPE NCC (193.0.0.0/21):
> 
> [BGP/170] 00:20:29, MED 1000, localpref 150
>   AS path: 3549 4788 12859  I, validation-state: valid
>  to 64.210.69.85 via xe-1/1/0.0

I confirm, something is going on:

http://www.karotte.org/pics/bgp-stability.png

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: AS4788 Telecom Malaysia major route leak?

2015-06-12 Thread Sebastian Wiesinger
* Job Snijders j...@instituut.net [2015-06-12 13:30]:
> Yes, I suspect tons of 3356 / 3549 customers shut down their BGP
> sessions waiting for the storm to blow over. I expect more churn than
> usual the next 6 ~ 12 hours, due to customers slowly turning session
> back on.

Yes. It's nice and stable now.

http://www.karotte.org/pics/bgp-stability-3.png

So after this interesting morning let's hope for a boring weekend. :)
Let's wait and see what explanation will be given for this hiccup.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: AS4788 Telecom Malaysia major route leak?

2015-06-12 Thread Sebastian Wiesinger
* Roland Dobbins rdobb...@arbor.net [2015-06-12 12:57]:
> 
> On 12 Jun 2015, at 17:46, Job Snijders wrote:
> 
> > OK, as of now (~ 10:40) UTC things look normalised.
> 
> Just got off the phone, I think things may be in hand, now.

Still seeing a lot more updates than usual:

http://www.karotte.org/pics/bgp-stability-2.png

Is this just folks turning up their sessions again? Looks a bit
much...

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


What are qatesttwai.gov/fttesttwai.gov?

2012-09-26 Thread Sebastian Wiesinger
Hello,

my resolver running on a dedicated server is warning about DNSSEC
validation failure for these two .gov domains 7 minutes after every
full hour:

Sep 26 13:07:04 alita unbound: [28931:0] info: validation failure
qatesttwai.gov. NS IN: no keys have a DS with algorithm
RSASHA1-NSEC3-SHA1 from 199.169.196.64 for key qatesttwai.gov. while
building chain of trust

Sep 26 13:07:04 alita unbound: [28931:0] info: validation failure
fttesttwai.gov. NS IN: no keys have a DS with algorithm
RSASHA1-NSEC3-SHA1 from 199.169.196.64 for key fttesttwai.gov. while
building chain of trust

Does anyone know what these are? There are placeholder https sites at
these hosts but nothing else.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
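The two log lines above are the raw material for a small monitoring check. The script below is an added example written for this page, not part of the original message: it parses unbound's `validation failure` lines, groups them by the key that failed, and flags keys that fail repeatedly at the same minute of the hour, which is the "7 minutes after every full hour" pattern described above. The log lines in the sample are constructed from the two quoted in the message (joined back onto one line each, as unbound writes them) plus the same pair one hour later and one unrelated line; the field layout of the regular expressions is taken from those lines only.

```python
"""Summarise unbound 'validation failure' log lines per failing key and
flag the ones that recur at a fixed minute of the hour.  Added example, not
part of the original message; sample log lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample: the two lines from the message, the same pair an hour
# later, and one non-failure line that must be ignored.
SAMPLE_LOG = """\
Sep 26 13:07:04 alita unbound: [28931:0] info: validation failure qatesttwai.gov. NS IN: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 199.169.196.64 for key qatesttwai.gov. while building chain of trust
Sep 26 13:07:04 alita unbound: [28931:0] info: validation failure fttesttwai.gov. NS IN: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 199.169.196.64 for key fttesttwai.gov. while building chain of trust
Sep 26 13:07:05 alita unbound: [28931:0] info: resolving example.net. A IN
Sep 26 14:07:03 alita unbound: [28931:0] info: validation failure qatesttwai.gov. NS IN: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 199.169.196.64 for key qatesttwai.gov. while building chain of trust
Sep 26 14:07:03 alita unbound: [28931:0] info: validation failure fttesttwai.gov. NS IN: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 199.169.196.64 for key fttesttwai.gov. while building chain of trust
"""

# syslog prefix, then 'validation failure <qname> <qtype> <qclass>: <detail>'
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ (?P<hour>\d\d):(?P<minute>\d\d):\d\d) \S+ unbound: \[[^\]]*\] "
    r"info: validation failure (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+): (?P<detail>.*)$"
)
# detail = '<reason> [from <server>] [for key <key>] [while <phase>]'
DETAIL_RE = re.compile(
    r"^(?P<reason>.*?)(?: from (?P<server>\S+))?(?: for key (?P<key>\S+))?(?: while (?P<phase>.*))?$"
)


def parse_failures(log_text):
    """Return one dict per validation-failure line; other unbound lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {k: m.group(k) for k in ("ts", "hour", "minute", "qname", "qtype", "qclass")}
        rec.update(DETAIL_RE.match(m.group("detail")).groupdict())
        records.append(rec)
    return records


def summarise(log_text):
    """Per failing key: count, distinct reasons and servers, minute-of-hour histogram."""
    summary = defaultdict(lambda: {"count": 0, "reasons": set(), "servers": set(), "minutes": Counter()})
    for rec in parse_failures(log_text):
        entry = summary[rec["key"] or rec["qname"]]   # fall back to qname if no 'for key'
        entry["count"] += 1
        entry["reasons"].add(rec["reason"])
        if rec["server"]:
            entry["servers"].add(rec["server"])
        entry["minutes"][rec["minute"]] += 1
    return dict(summary)


def periodic_failures(summary, min_count=2):
    """Keys whose failures all land on one minute of the hour: a scheduled
    query hitting the same broken chain of trust, not transient noise."""
    return sorted(k for k, v in summary.items()
                  if v["count"] >= min_count and len(v["minutes"]) == 1)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for key in periodic_failures(s):
        v = s[key]
        print(f"{key}: {v['count']}x at minute {next(iter(v['minutes']))}, "
              f"servers={sorted(v['servers'])}, reasons={sorted(v['reasons'])}")
```

A stable reason text for the same key hour after hour, from the same server, points at the zone's published DNSSEC data rather than at the resolver; an operator would then look at the DS records in the parent and the DNSKEY set the zone serves, which is the comparison unbound's message says it could not satisfy.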



Re: Outage between GBLX and HE?

2010-11-17 Thread Sebastian Wiesinger
* Brielle Bruns br...@2mbit.com [2010-11-17 04:34]:
> Hey All,
> 
> Sorry to bother the list, but I'm noticing that I've got no connectivity
> to Hurricane Electric through GBLX from my Qwest DSL.
> 
> In this case, I'm trying to get to tunnelbroker.net:
> 
> ...
>  3  184-99-65-41.boid.qwest.net (184.99.65.41)  38.438 ms  49.250 ms  38.459 ms
>  4  sea-brdr-02.inet.qwest.net (67.14.41.14)  60.071 ms  53.198 ms  54.223 ms
>  5  te8-3-10g.ar5.sea1.gblx.net (64.208.110.141)  294.182 ms  437.842 ms *
>  6  * * *

Hello from Old Europe,

I just opened a case with GBLX because I'm unable to reach
destinations in USA. As the technician told me they're having issues
in the Seattle area and are trying to fix them at the moment.

Kind Regards,

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant



Google Pagerank and Class-C Addresses

2009-09-21 Thread Sebastian Wiesinger
Hello Nanog,

I'm looking into a weird request which more and more customers have.
They want different Class C addresses, by which they mean IPs in
different /24 subnets.

The apparent reason for this is that Google will rank links from
different /24 higher than links from the same /24. So it's a SEO
thingy.

I googled a bit and found pages after pages of FUD and such great
things as the Class C Checker: "This free Class C Checker tool
allows you to check if some sites are hosted on the same Class C IP
Range."

My question is: Is there any proof that Google does differentiate
between /24s, or even better is there any proof that this isn't the
case? I will not give a customer space from different address blocks
just because he read it in a SEO magazine.

Perhaps someone from Google itself can answer this question?

Also how do you handle such requests? I expect I'm not the only one
who gets them.

Regards,

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant