6PE on ALU

2017-03-02 Thread serge vautour
Hello,

Running into a little problem configuring 6PE on ALU7750. All prefixes in
the IPv6 table except prefixes learned via my eBGP peers are getting
exported via MP-BGP:

group "IPV6-LU"
    description "6PE config"
    family label-ipv6
    remove-private
    export "permitAll"
    peer-as 123
    neighbor 10.1.2.3
    exit
exit

policy-statement "permitAll"
    default-action accept
    exit
exit

This is on SROS 14. The "advertise-label ipv6" command no longer exists.
"family label-ipv6" seems to do the same thing. For locally connected
subnet the next hop gets set to IPv4-IPv6 mapped address. I've tried
different export policies and cannot get eBGP learned IPv6 prefixes to get
exported.

Has anyone run into this before?

Thanks,
Serge


Re: NetFlow - path from Routers to Collector

2015-09-02 Thread Serge Vautour
Hello again,

Well, this generated a bit more discussion than I was expecting. I've retained 
the following from all your comments:

-Doing flow export over an OOB network can help make sure you still "see" your 
network during a DDoS
-If we do this over an OOB network, it may not work over the OOB port on the 
RE/RSP.

I do have some specific questions for the folks who are OK with doing this 
inband:

-Are you concerned with someone intercepting the Flow streams? I assume if 
someone has the ability to do so, you've got bigger problems.
-If we make the assumption that someone can intercept the Flow stream, do you 
think the data in the stream can be used for anything? It's just L3 & L4 
headers. In other words, do you feel an OOB network is required to secure the 
flow data?

Thanks again, your comments are very helpful.

Serge


On Tue, 9/1/15, Serge Vautour <sergevaut...@yahoo.ca> wrote:

 Subject: NetFlow - path from Routers to Collector
 To: nanog@nanog.org
 Received: Tuesday, September 1, 2015, 12:33 PM
 
 Hello,
 
 For those that run Internet connected routers, how do you
 get your NetFlow data from the routers to your collectors?
 Do you let the flow export traffic use the same links as
 your customer traffic to route back to central collectors?
 Or do you send this traffic over private network management
 type path? If you send this traffic over the "Internet"
 (within your AS), are you worried about security?
 
 Thanks,
 Serge
 


NetFlow - path from Routers to Collector

2015-09-01 Thread Serge Vautour
Hello,

For those that run Internet connected routers, how do you get your NetFlow data 
from the routers to your collectors? Do you let the flow export traffic use the 
same links as your customer traffic to route back to central collectors? Or do 
you send this traffic over private network management type path? If you send 
this traffic over the "Internet" (within your AS), are you worried about 
security?

Thanks,
Serge


NAT444 or ?

2011-09-01 Thread Serge Vautour
Hello,

Things I understand: IPv6 is the long term solution to IPv4 exhaustion. For 
IPv6 to work correctly, most of the IPv4 content has to be on IPv6. That's not 
there yet. IPv6 deployment to end users is not trivial (end user support, CPE 
support, etc...). Translation techniques are generally evil. IPv6-IPv4 still 
requires 1 IPv4 IP per end user or else you're doing NAT. IPv4-IPv6 (1-1) 
doesn't solve our main problem of giving users access to the IPv4 Internet.


I expect like most companies we're faced with having to extend the life of IPv4 
since our users will continue to want access to the IPv4 content. Doing that by 
giving them an IPv6 address is not very feasible yet for many reasons. NAT444 
seems like the only solution available while we slowly transition over to IPv6 
over the next 20 years. Based on this RFC, NAT444 breaks a lot of 
applications!

http://tools.ietf.org/html/draft-donley-nat444-impacts-01

Has anyone deployed NAT444? Can folks share their experiences? Does it really 
break this many apps? What other options do we have? 


Thanks,
Serge


IPv6 BGP communities

2011-06-17 Thread Serge Vautour
Hello,

I'm looking at re-writing our IPv4 BGP policies for IPv6. Does anyone see a 
problem with re-using the same BGP community values? If we use AS:110 for LP 
110 under IPv4, can I just use AS:110 for LP 110 under IPv6? Technically it 
works - at least I haven't seen a problem in my initial tests. It sure would 
make everything easier than assigning new values. Is there a BCP for this?

Thanks,
Serge




OAM and QinQ

2010-09-07 Thread Serge Vautour
Hello,

We're working on deploying some L2 services over an MPLS network. Our model 
includes a CPE with OAM capabilities and QinQ from the PE to the CPE. For now 
we want to do simple OAM functions from CPE-CPE (no MIPs in the MPLS network). 


Our lab testing has shown some sort of incompatibilities between OAM and QinQ. 
OAM frames are encapsulated with a single VLAN tag (the SVLAN) on the CPE. When 
the PEs only perform SVLAN swapping, everything works fine. If we configure the 
PE to also perform CVLAN manipulation, it drops OAM frames. It likely does not 
know how to process them because they don't have a CVLAN tag. We're working 
with 2 CPE vendors and neither of them are able to add 2 VLAN tags to the OAM 
frames. 


Has anyone else encountered this problem? How do you get around it? One option 
we're looking at is to simply not perform CVLAN manipulation on the PE. This 
means limiting our service to customers. 


Our PEs are all Juniper MX boxes if it helps.

Thanks,
Serge






Customer Interface Reporting / Portal

2010-06-17 Thread Serge Vautour
Hello,

What are people using to provide customer interface usage reports to customers? 
There seems to be lots of RRD based tools that can gather the data and store it 
for long term viewing. We use ZenOSS for internal purposes for example. 

How do we go about providing each customer access to their data in a secure 
way? A portal type access. Is anyone aware of a tool that includes a front end 
that can partition the data on a per customer basis? Each customer would have 
their own login ID and only see their data? How do we link the data to that 
customer? Some customer ID on the interface description?

Thanks,
Serge





BFD over p2p transport links

2010-02-05 Thread Serge Vautour
Hello,

I'm being asked to look into using BFD over our P2P transport links. Is anyone 
else doing this? Our transport links are all 10G Ethernet (LAN-PHY). There's no 
alarming inside of LAN-PHY like there is in SONET. The transport side should 
propagate a fiber break by stopping to send light on both ends. This is enough 
to cause the router interfaces to drop and for protocols to converge. 

Since LAN-PHY doesn't have any built-in end-end alarming, some folks believe that 
we may encounter situations where a fiber break doesn't cause interfaces to go 
down. Convergence would then have to wait for IGP hellos to detect the problem. 

Is anybody else running BFD over 10G LAN-PHY transport links? Any comments 
around BFD for this application in general?

Thanks,
Serge






Maximum devices in OSPF area 0

2009-10-19 Thread Serge Vautour
Hello,

We are looking to deploy a greenfield MPLS network with OSPF as the IGP. I'm 
told OSPF areas don't play well with OSPF TED. For this reason, we are looking 
at using only area 0. Only Loopback interfaces and p-p core ethernet links will 
be in OSPF. What are the maximum number of Routers & Links that folks would be 
comfortable with putting in 1 area? If folks are already using this type of 
approach, could you share your current numbers?

Thanks,
Serge





Dedicated Route Reflectors

2009-09-11 Thread Serge Vautour
Hello,

We're in the process of planning for an MPLS network that will use BGP for 
signaling between PEs. This will be a BGP free Core (i.e. no BGP on the P 
routers). What are folks doing for iBGP in this case? Full Mesh? Full Mesh the 
Main POP PEs and Route Reflect to some outlying PEs? Are folks using 
dedicated/centralized Route Reflectors (redundant of course)? What about using 
some of the P routers as the Centralized Route Reflectors? The boxes aren't 
doing much from a Control Plane perspective, why not use them as Route 
Reflectors.

Any comments would be appreciated.

Thanks,
Serge






Re: Single router for P/PE functions

2009-09-04 Thread Serge Vautour
We're trying to save on Transport links. Instead of multi-homing each PE to 2 
Ps, we're considering building a ring: P-PE-PE-PE-P. This ring follows the 
transport ring. Each link would be engineered to make sure it can handle all 
of the traffic from all 3PEs in case of a failure. As the network grows, we 
could get individual transport links from PE-P.

Apart from bandwidth, I was curious if there were other problems related to 
doing this that I wasn't thinking of. Thanks for all the replies. Much 
appreciated.

Serge





From: William McCall william.mcc...@gmail.com
To: Serge Vautour se...@nbnet.nb.ca
Cc: nanog@nanog.org
Sent: Friday, September 4, 2009 1:07:40 AM
Subject: Re: Single router for P/PE functions

Kinda depends on what you're doing exactly, but like Erik said, it's certainly 
possible and depending on your particular needs, it might not be much of an 
issue at all.

Can you describe your scenario a bit more?

--WM


On Thu, Sep 3, 2009 at 10:20 AM, Serge Vautour sergevaut...@yahoo.ca wrote:

Hello,

I'm pretty confident that a router can be used to perform P & PE functions 
simultaneously. What about from a best practice perspective? Is this 
something that should be completely avoided? Why? We're considering doing 
this as a temporary workaround but we all know temporary usually lasts a long 
time. I'd like to know what kind of mess awaits if we let this one go.

Thanks,
Serge








-- 
William McCall, CCIE #25044





Single router for P/PE functions

2009-09-03 Thread Serge Vautour
Hello,

I'm pretty confident that a router can be used to perform P & PE functions 
simultaneously. What about from a best practice perspective? Is this something 
that should be completely avoided? Why? We're considering doing this as a 
temporary workaround but we all know temporary usually lasts a long time. I'd 
like to know what kind of mess awaits if we let this one go.

Thanks,
Serge






Re: atac.fr DNS problem

2009-08-17 Thread Serge Vautour
.net (4.68.17.126)  34.681 ms   30.700 ms
 6  ae-64-64.ebr4.Washington1.Level3.net (4.69.134.177)  35.436 ms   32.659 ms   25.709 ms
 7  ae-3-3.ebr1.NewYork1.Level3.net (4.69.132.94)  26.966 ms   26.866 ms   26.734 ms
 8  ae-81-81.csw3.NewYork1.Level3.net (4.69.134.74)  27.338 ms   27.391 ms
    ae-71-71.csw2.NewYork1.Level3.net (4.69.134.70)  34.384 ms
 9  ae-1-69.edge1.NewYork1.Level3.net (4.68.16.14)  27.319 ms
    ae-3-89.edge1.NewYork1.Level3.net (4.68.16.142)  27.641 ms
    ae-2-79.edge1.NewYork1.Level3.net (4.68.16.78)  27.816 ms
10  COLT-TELECO.edge1.NewYork1.Level3.net (4.78.132.22)  88.956 ms   89.076 ms   89.154 ms
11  212.74.85.1 (212.74.85.1)  104.463 ms   104.253 ms   104.851 ms
12  90.168-14-84.ripe.coltfrance.com (84.14.168.90)  106.559 ms   107.168 ms   106.853 ms
13  * * *

---No further responses


traceroute 62.160.25.65
traceroute to 62.160.25.65 (62.160.25.65), 30 hops max, 40 byte packets
 1  x.x.x.x. (x.x.x.x)  0.213 ms   0.202 ms   0.198 ms
 2  x.x.x.x (x.x.x.x)  1.601 ms   1.439 ms   0.743 ms
 3  xe-3-0-0.bx01.asbn.va.aliant.net (207.231.227.6)  21.251 ms   21.258 ms   21.173 ms
 4  xe-9-2-0.edge2.Washington4.Level3.net (4.53.114.13)  21.251 ms   21.417 ms   21.375 ms
 5  vlan89.csw3.Washington1.Level3.net (4.68.17.190)  22.518 ms
    vlan69.csw1.Washington1.Level3.net (4.68.17.62)  24.455 ms
    vlan89.csw3.Washington1.Level3.net (4.68.17.190)  22.144 ms
 6  ae-64-64.ebr4.Washington1.Level3.net (4.69.134.177)  30.684 ms
    ae-74-74.ebr4.Washington1.Level3.net (4.69.134.181)  29.177 ms   27.076 ms
 7  ae-3-3.ebr1.NewYork1.Level3.net (4.69.132.94)  26.891 ms   26.730 ms   26.770 ms
 8  ae-61-61.csw1.NewYork1.Level3.net (4.69.134.66)  35.472 ms
    ae-91-91.csw4.NewYork1.Level3.net (4.69.134.78)  38.017 ms
    ae-71-71.csw2.NewYork1.Level3.net (4.69.134.70)  38.655 ms
 9  ae-4-99.edge2.NewYork1.Level3.net (4.68.16.208)  27.428 ms   27.855 ms
    ae-1-69.edge2.NewYork1.Level3.net (4.68.16.16)  27.529 ms
10  francetelecom-level3-te.NewYork1.Level3.net (4.68.111.86)  28.286 ms
    francetelecom-level3-te.NewYork1.Level3.net (4.68.111.82)  27.442 ms   27.764 ms
11  * * *
12  * * *

---No further responses



----- Original Message -----
From: Florian Weimer fwei...@bfk.de
To: Serge Vautour se...@nbnet.nb.ca
Cc: nanog@nanog.org
Sent: Monday, August 17, 2009 11:43:46 AM
Subject: Re: atac.fr DNS problem

* Serge Vautour:

 Hello,

 Our AS855 can't seem to contact the DNS servers for atac.fr domains 
 (dns.atac.fr [62.160.25.65] & dns2.atac.fr [195.68.125.36]). From our 
 network, dig dies for both IPs:

Please post full trace output, e.g. the result of dig www.atac.fr
+trace +all +norecurse if you still can reproduce the issue.

(Perhaps this topic is more suitable for the dns-operations mailing
list, BTW.)

-- 
Florian Weimer                fwei...@bfk.de
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

