Re: OSS Systems
My personal opinion has been that we have seen great success in large environments with FreeRadius, using radrelay for MySQL synchronization and then an OpenLDAP backend. We used FreeBSD/CARP and/or FreeVRRPd for failover, but this can be accomplished in other ways. FreeRadius has a built-in CLUSTERIP module which allows clustering/load-balancing/failover, or you could AnyCast the systems for redundancy.

As for load balancing other Radius servers which may not have it built in, I would say a hardware solution is usually great because you get support, etc. However, if you don't need the support then there are a ton of options available. You could go as far as load balancing it with LVS (which I personally do not like but MANY do :)) or software load balancers like pen/pound/haproxy.

Best of luck!

-----Original Message-----
From: Shahab Vahabzadeh sh.vahabza...@gmail.com
Sent: Sunday, January 15, 2012 4:26pm
To: Leigh Porter leigh.por...@ukbroadband.com
Cc: nanog@nanog.org
Subject: Re: OSS Systems

Hi there again,

I think Leigh is not available this week; does anybody else have an idea about such a system? Which load balancer is good to use, LVS or a hardware one? Or radius as a proxy? How must the database be placed? How do the radius servers talk to the DB? And which radius server do you suggest? Radiator?

Thanks

On Fri, Jan 6, 2012 at 1:45 AM, Leigh Porter leigh.por...@ukbroadband.com wrote:
> On 5 Jan 2012, at 22:02, Shahab Vahabzadeh sh.vahabza...@gmail.com wrote:
>> Hi there,
>> Has anybody experience running an OSS System at enterprise level? And do you have any idea about it? For example, for an ISP who is running more than 20K or 30K users, there must be some good solutions to integrate all systems like Radius, Billing Systems and CRM. For example, after searching and asking friends I have some ideas about Radius to use: radiator. Is there anybody who has analysed such systems before in his ISP? Need sharing here :)
>> Thanks
>
> We did this a few years ago and ended up writing the whole thing ourselves. This included billing, subscriber management etc etc. We integrated to salesforce.com for the internal front end and the user-facing stuff we did ourselves. It was a big project and took a team of six about six months. But we ended up with a perfect solution that did exactly what we needed and it was pretty good. It handled within the order of users you mention, but we designed to 100k users. We used radiator (highly recommended) with an openldap back end. Multiple load balanced servers etc etc.
>
> The worst thing we did was to build our own mail system. Not that it was an issue, it never went wrong, but these days I'd just send people to gmail or something.
>
> --
> Leigh Porter

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
Re: BGP support on ASA5585-X
They could make it out of the box, but this is why Dylan made his statement. The platform simply doesn't perform well enough to support all of that functionality on the current ASA models. I know first-hand from much of our testing that the ASAs rarely meet the box specs for PPS/throughput simply serving the purpose of a static firewall. They would have to dramatically improve the system performance prior to adding any additional CPU/timing-dependent features. IMHO you would see better performance out of BSD. I won't open that can o' worms, but the ROI for the ASA line is quite out of balance.

-----Original Message-----
From: Greg Whynott greg.whyn...@oicr.on.ca
Sent: Tuesday, November 2, 2010 1:46pm
To: Dylan Ebner dylan.eb...@crlmed.com
Cc: nanog@nanog.org
Subject: Re: BGP support on ASA5585-X

I couldn't disagree with this statement more than I do. They could make a box do it all if they wanted to, but it does not make business sense.

On Nov 2, 2010, at 1:42 PM, Dylan Ebner wrote:
> IMHO, I don't think this is a marketing issue for Cisco. It's a design issue. PIX/ASA is good at some things, and bad at others. They have never been good as routers. You have to remember, EIGRP didn't even come to the security line until 8.0 code and they still do not support traffic shaping. These services use memory and CPU resources which can dramatically reduce your ability to get through very long access lists. I am not positive on the ASAs, but I seem to remember that the routing features on the PIX were all done in software. If that is still true today, I can't imagine you could effectively perform stateful inspection, access lists, maybe VPN services, and BGP for a 100Mb+ internet connection on even a 5585. They just aren't that powerful.
>
> Dylan Ebner
>
> -----Original Message-----
> From: srg [mailto:srgqwe...@gmail.com]
> Sent: Friday, October 29, 2010 12:43 PM
> To: nanog@nanog.org
> Subject: BGP support on ASA5585-X
>
> Hi:
> At this moment we know that ASA5585-X does not support BGP. Does anybody know if BGP support in the ASA5585-X is on the roadmap? More precisely... MP-BGP support in the ASA5585-X? Any official link on the Cisco website about this? (I didn't find it)
> Thanks a lot and best regards
RE: BGP support on ASA5585-X
None of the ASAs support BGP. I didn't think so, but I went ahead and did the research for you:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/glossary.html#wp1027964
"The security appliance does not support BGP."

-Kevin

-----Original Message-----
From: David DiGiacomo dav...@corp.nac.net
Sent: Friday, October 29, 2010 1:45pm
To: srg srgqwe...@gmail.com, nanog@nanog.org
Subject: RE: BGP support on ASA5585-X

I would seriously doubt it. Think of it from Cisco's point of view: if the ASA ran BGP, you wouldn't need to buy a router.

Dave Joel DiGiacomo dav...@corp.nac.net
Network Engineer / Peering Coordinator
Net Access Corp Network Operations Center
973-590-5050

-----Original Message-----
From: srg [mailto:srgqwe...@gmail.com]
Sent: Friday, October 29, 2010 1:43 PM
To: nanog@nanog.org
Subject: BGP support on ASA5585-X

Hi:
At this moment we know that ASA5585-X does not support BGP. Does anybody know if BGP support in the ASA5585-X is on the roadmap? More precisely... MP-BGP support in the ASA5585-X? Any official link on the Cisco website about this? (I didn't find it)
Thanks a lot and best regards
Re: AS11296 -- Hijacked?
Now that's some paranoia ;)

-----Original Message-----
From: Heath Jones hj1...@gmail.com
Sent: Tuesday, September 28, 2010 4:05pm
To: nanog@nanog.org
Subject: Re: AS11296 -- Hijacked?

He blocked google mail? WTF?

---------- Forwarded message ----------
From: Mail Delivery Subsystem mailer-dae...@googlemail.com
Date: 28 September 2010 20:49
Subject: Delivery Status Notification (Failure)
To: hj1...@gmail.com

Delivery to the following recipient failed permanently:
    r...@tristatelogic.com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.7.1 mail-qy0-f176.google.com[209.85.216.176]: Client host rejected: Domain google.com BLACKLISTED - Use http://www.tristatelogic.com/contact.html (state 14).

----- Original message -----
MIME-Version: 1.0
Received: by 10.224.62.217 with SMTP id y25mr308053qah.193.1285703359508; Tue, 28 Sep 2010 12:49:19 -0700 (PDT)
Received: by 10.229.226.204 with HTTP; Tue, 28 Sep 2010 12:49:12 -0700 (PDT)
In-Reply-To: 63619.1285701...@tristatelogic.com
References: 63619.1285701...@tristatelogic.com
Date: Tue, 28 Sep 2010 20:49:12 +0100
Message-ID: aanlkti=qx7cx4f3y_az803wdpmkmtc_hzzpsmdqs1...@mail.gmail.com
Subject: Re: AS11296 -- Hijacked?
From: Heath Jones hj1...@gmail.com
To: Ronald F. Guilmette r...@tristatelogic.com
Cc: nanog@nanog.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Out of curiosity, what led you to this conclusion?

> Evidence strongly suggests that AS11296 together with all of the IPv4 space it is currently announcing routes for, i.e.: have all been hijacked. I will be reporting this formally to ARIN today, via their helpful fraud reporting web form.
Re: Software-based Border Router
I do agree here. If you are not moving a lot of data then something like BSD or Vyatta may be a good alternative. You do still have possible reboots required and things you would not see as often with a hardware-appliance model. However, for cheaper than the cost of one appliance you could build in redundancy. I guess the question is how many PPS you plan to push, whether you have regularly scheduled maintenance windows that you could bring it down in for a reboot, and whether the additional maintenance involved still keeps you in the black. I am a big proponent of open source everything. Although, I am a bigger proponent of stability and less maintenance. If you could prove out a software-based solution against the cost of a hardware solution then I don't see any reason not to go that route.

-----Original Message-----
From: Fletcher Kittredge fkitt...@staff.gwi.net
Date: Sun, 26 Sep 2010 17:21:57
To: William Herrin b...@herrin.us
Cc: nanog@nanog.org
Subject: Re: Software-based Border Router

Another big problem for Linux/Unix-based routers of this size/cost is upgrade-ability. If you need to add cards, you are going to have to bring the router down for extended periods. Likewise, a software upgrade can be a bigger deal than on a purpose-designed router. If a router is mission critical, Linux/Unix-based has issues over extended periods.

regards,
Fletcher

On Sun, Sep 26, 2010 at 4:35 PM, William Herrin b...@herrin.us wrote:
> On Sun, Sep 26, 2010 at 6:15 AM, Nathanael C. Cariaga nccari...@stluke.com.ph wrote:
>> Thank you for the prompt response. Just to clarify my previous post, I was actually referring to Linux/Unix-based routers. We've been considering this solution because presently we don't have any budget for equipment acquisition this year.
>
> What's your time worth? Quagga on Linux is fine software, but messing with the idiosyncrasies is far more time consuming than buying a Cisco 2811, adding enough RAM to handle BGP, configuring it once and forgetting about it.
>
> Also bear in mind that while your ISP's engineers can help you configure your Cisco router, Quagga is a mystery to them. You can still get help... but not from someone who also knows how the ISP's network is configured. This is not a problem if you have lots of experience with BGP routing. Do you?
>
> Regards,
> Bill Herrin
>
> --
> William D. Herrin her...@dirtside.com b...@herrin.us
> 3005 Crane Dr. .. Web: http://bill.herrin.us/
> Falls Church, VA 22042-3004

--
Fletcher Kittredge
GWI
8 Pomerleau Street
Biddeford, ME 04005-9457
207-602-1134
Re: Copyright Enforcement DoS/DDoS Attacks
No matter how they spin it, it isn't legal. Likely he won't be touched in India, but in the U.S. he and the industry paying him would be facing a judge. The guy is a moron. Wanna-be elitist.

-----Original Message-----
From: Michael Painter
To: nanog@nanog.org
Subject: Re: Copyright Enforcement DoS/DDoS Attacks
Sent: Sep 9, 2010 12:13 AM

Brandon Galbraith wrote:
> http://www.smh.com.au/technology/technology-news/film-industry-hires-cyber-hitmen-to-take-down-internet-pirates-20100907-14ypv.html
>
> Has anyone dealt with this in the wild? I wasn't aware DoS/DDoS attacks were suddenly legal.

It's gotta' be tough reading that when you're in the slammer, eh?
http://www.theregister.co.uk/2010/05/25/second_scientology_ddoser_jailed/
Re: Copyright Enforcement DoS/DDoS Attacks
He mentioned doing work (for hire) in AU and such. I think he may be in for a rude awakening, since our past experience with the Australian authorities is that they are more active chasing DDoS/cyber-crimes than the U.S. Those guys pull out all the stops to prosecute. (Which I am happy to see.) Sadly, here in the U.S. you have little to no chance of getting assistance unless the client is a bank or very public company. In fact, that doesn't always work. (Even with direct FBI contacts in multiple field offices.) Kind of a shame..

We are likely already tracking his botnets so I almost welcome it as well. Out of curiosity, I did pull some stats over the last 60 days and we have seen more attacks originating from the India area than we have seen in the past 12 months. Maybe it's a coincidence. I would almost bet this guy has never carried out an attack in his life and is simply trying to gain some publicity. *shrug*

-----Original Message-----
From: Jeffrey Lyon
To: Beavis
Cc: nanog@nanog.org
Subject: Re: Copyright Enforcement DoS/DDoS Attacks
Sent: Sep 9, 2010 11:43 AM

He may get some business out of it, now that he has effectively put out a DDoS-for-hire ad.

Jeff

On Thu, Sep 9, 2010 at 8:56 PM, Beavis pfu...@gmail.com wrote:
> man.. this guy is retarded.. good luck posing your company, face and such. lol

--
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions
Re: NOC Automation / Best Practices
We run a *free* WISP and block 25, but I'm not sure why you would want to force all traffic through it. That's a touchy argument, but it would really bother me as a paying subscriber.

We use customized squid to haproxy (custom) to route traffic. Our main business is DDoS protection and we use datacenters in multiple places. However, when we wanted to offer free wireless out of our office in Oxford, MS we found getting 10Mbps+ of bandwidth was nearly impossible. So we set up a few caching load balancers in the Oxford office which connect out through two load-balanced proxy systems sitting in the datacenter on 1Gbps connections. Works well: some sites cannot be cached, but we are able to enforce gzip compression on everything, cache DNS, images, etc. We get upwards of 100 users concurrently. Works beautifully; we can see our office pushing 40Mbps+ and the downstream at 5Mbps or less (total available we have is 2x10Mbps links). Requires some serious tuning, but if you've got time, this is the way to go.

We do block bittorrent traffic, which we find more of a threat than properly monitored SMTP traffic.

-----Original Message-----
From: Martin Hotze m.ho...@hotze.com
Date: Wed, 8 Sep 2010 16:59:14
To: nanog@nanog.org
Subject: RE: NOC Automation / Best Practices

> -----Original Message-----
> Date: Wed, 08 Sep 2010 08:54:20 -0700
> From: Charles N Wyble char...@knownelement.com
> Subject: NOC Automation / Best Practices
> To: nanog@nanog.org
>
> NOGGERS,
> (...)
> The way I see it, an ounce of prevention is worth a pound of cure. Along those lines, I'm putting in some mitigation techniques, as follows (hopefully this will reduce the number of incidents and therefore calls to the abuse desk). I would appreciate any feedback folks can give me.
>
> A) Force any outbound mail through my SMTP server with AV/spam filtering.
> B) Force HTTP traffic through a SQUID proxy with SNORT/ClamAV running (several other WISPs are doing this with fairly substantial bandwidth savings. However I realize that many sites aren't cache friendly. Anyone know of a good way to check for that? Look at HTTP headers?). Do the bandwidth savings/security checking outweigh the increased support calls due to broken web sites?
> C) Force DNS to go through my server. I hope to reduce DNS hijacking attacks this way.
>
> Thanks!

For either A, B or C you won't get my business, let alone a combination of all 3. *wah!* There is too much FORCE here. :-)

#m
Re: IPv4 squatters on the move again?
Kind of funny how they intend to do enough 'WholesaleVoIP' on a 10Mbps connection/1GB RAM for a /20 :) That is a giveaway in itself.

-----Original Message-----
From: Tero Toikkanen tero.toikka...@nebula.fi
Date: Tue, 7 Sep 2010 08:24:05
To: NANOG list nanog@nanog.org
Subject: IPv4 squatters on the move again?

Anyone hear of the SundownGroup? On Thursday we received an interesting RFQ from them and suspect their intentions for requesting an IP assignment aren't exactly what they state. We have already turned them down, but thought others might be interested in their activities as well. RIPE NCC has also been notified of this.

In brief they wanted to buy colo from us:
- P4 single core @ 2 GHz, 1 GB RAM, 60 GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth.
- A single /21 or /20 net block of IP Addresses

Their reason for requesting such a large address block was:
"As we are currently launching our WholesaleVOIP operation we are in desperate need of this IP space as part of our ARIN process we will need these ranges SWIPd to us and we will in turn renumber with ARIN and return the netblocks to you as soon as ours are allocated and routed."

Interesting tidbits about the company we and the networking community have already found out:
- Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has been notified).
- The contact address is the same as National University Nevada (nu.edu):
  Sundown Capital Management LLC
  2850 Horizon Ridge Parkway
  Henderson, Nevada 89052
  United States of America
- They also have virtually no Internet presence (http://www.google.com/search?q=%22Sundown+Capital+Management%22). The first result shows them as a franchising company with a contact address in California: http://www.scribd.com/doc/14385124/QFA-Unit-Final-PDF-File-of-32709-FDD-With-Exhibits

I'd say this case is pretty obvious...

With Kind Regards,
--
Tero Toikkanen
Nebula Oy
Internet Services
Re: Looking for Fiber Plant Management software
Most of the ones I have seen (2 out of 3) were inhouse/home-grown solutions. I believe the other was provided by SA (Scientific Atlanta). I tried to do a quick search on it and it appears that product may now be provided by Cisco in partnership with SA.

Best of luck

-----Original Message-----
From: Jason Lixfeld ja...@lixfeld.ca
Date: Fri, 27 Aug 2010 12:13:35
To: Jeff Saxe js...@briworks.com
Cc: nanog@nanog.org
Subject: Re: Looking for Fiber Plant Management software

I've got a client who uses AutoCAD. They use it exclusively and have a pretty big fibre network for someone who's not an ILEC, so I guess it works fairly well.

On 2010-08-27, at 11:39 AM, Jeff Saxe wrote:
> Good morning, NANOGers. My colleague at work wonders if anyone has suggestions for software to database all our fiber plant that we're constructing. We started out with paper, then Excel spreadsheets in a folder and on paper in a book, but clearly as our plant grows and we do more splicing this is not going to scale. We have started a MySQL database with a few tables, but wonder if someone has already invented this wheel. What do the big boys use? Homegrown solutions developed in-house and jealously guarded? Something standard? Expensive or cheap? Free open-source?
>
> He'd like to see...
> - outside plant facilities: cables, fibers, splice points, poles; copper and fiber, preferably, but fiber is more important
> - circuit or DLR that knows what elements are involved in a circuit
> - GIS integration so that cables can be drawn on a map automagically
> - low cost, of course
>
> Thanks in advance, everyone.
>
> --
> Jeff Saxe, Network Engineer
> Blue Ridge InternetWorks, Charlottesville, VA
> 434-817-0707 ext. 2024 / js...@briworks.com
Re: Looking for suggestions for an internet content filteringappliance
(Excuse me if I missed part of the email chain. This may have already been mentioned.)

It could be a bit of an annoyance for configuration, but the one method you could use is to force a proxy internally. I am a bit unsure why most don't do this already, but it has its flaws:
1) Lack of static/dynamic IPs
2) More work for tracking
3) Management of additional infrastructure

However, you could force a proxy and run it inhouse, like squid or some other type. This would give you some advantages:
1) Content caching - increasing speeds for users while decreasing your overall bandwidth utilization.
2) Increased security for filtering out malware/virii.

---

Now that is more of a sledgehammer approach and I am not sure I would highly recommend it. A better solution, which will not work for the more advanced users but will likely work for the majority, is to work with a provider like OpenDNS for your DNS resolution. They have an easily configurable filtering system which you can apply to your users. This would allow you to block specific content and/or generalized content (like hardcore porn vs educational nudity). This is a better approach. Otherwise, you are likely going to cause real issues with people doing homework or WebMD searches, for example. There is not a foolproof method when trying to blanket an entire provider, but this would get you closer and it is likely going to be more accurate than keyword blocking/proxy blocking.

Best of luck.

-----Original Message-----
From: Jeroen Massar jer...@unfix.org
Date: Mon, 23 Aug 2010 21:15:38
To: frnk...@iname.com
Cc: nanog@nanog.org
Subject: Re: Looking for suggestions for an internet content filtering appliance

On 2010-08-23 20:52, Frank Bulk - iName.com wrote:
> We offer an optional internet content filtering service to our residential and business customers using M86's appliance (http://www.m86security.com/products/web_security/m86-web-filtering-reporting-suite.asp). I've been in conversation with them since Q1 regards IPv6 support, but the update I received today was that IPv6 support won't be available until middle to late next year. That's not ideal, because the local college is a significant user and they started with IPv6 this summer. College students can easily bypass content filtering by using the IPv6 version of the site (i.e. http://www.playboy.com.sixxs.org)

Emmm.. if they can use that to circumvent your filter, don't you think those same people will be able to find out about other proxy servers? It is not like the internet is not filled with them or anything.

Please note to yourself that you are fighting a lost cause, as there are more locations on the Internet that are annoying for the policy than you can list. Thus one of the very few ways to make it very hard to 'filter' is to only allow approved sites, and with 'approve' I mean fetch the URL on a controlled machine, scrub it and pass it back, as the moment somebody can have a host on the outside and can send a few bits to it and get an answer back they are outside, whether you like it or not.

That said, there are loads of free HTTP proxies, anonymizers and other such tools and most of them are not caught by your filtering toy anyway.

But indeed, it is a bad thing that they are unable to update their little box to do IPv6; there really is not that much different there.

Greets,
Jeroen

(Who could block stuff on the above URL actually, but except for silly people trying to run torrents over it, which does not work but which do hammer those boxes, nothing gets blocked [CP is the exception])
Re: Recycling old cabling?
It's pretty standard for any company to terminate upon taking something without permission. I worked with a company that threw away / recycled nearly an entire 100k sq. foot datacenter. All of the gear still in working order. It's just one of those things... Your employer tells you to throw it away... It's best to throw it away and not try to take it home :) We (employees) could request specific pieces, but the majority was thrown out. Kind of crazy to see entire Cisco lab environments trashed, but it's not uncommon, and trash or not, still stealing.

As far as the original question: More companies recycle and properly dispose of equipment than they did ten years ago. Yet, if they aren't being looked at to be green or something along those lines then many choose the cheapest route (the dumpster). Per the note by Jeff, it's not recommended to try to take it into your own hands. Your best bet would be to approach your employer with a recommendation that you feel may be more cost-effective or environmentally friendly.

-----Original Message-----
From: Jeffrey Lyon jeffrey.l...@blacklotus.net
Date: Wed, 18 Aug 2010 10:35:30
To: nanog@nanog.org
Subject: Re: Recycling old cabling?

I know of a guy that was terminated for stealing CAT5 that he was instructed to throw in the dumpster.

Jeff

On Wed, Aug 18, 2010 at 9:38 AM, Frank A. Coluccio fr...@fttx.org wrote:
> All of the larger telcos and power utilities have been 're-smelting' copper for decades. Verizon (nee NY Telephone) had a copper smelting plant on Staten Island at one time that recycled all of the used cross-connect wire and cables removed from underground and poles. Telco main distribution frame personnel were, and very likely still are, instructed to use copper-scrap bags for depositing small bits and pieces of copper wiring collected at cleanup time at the end of work shifts. Many years ago, copper, for this reason, was one of the three C's that no one would mess with. Copper and Cash were two. I'll leave the third one to the reader's imagination.
>
> This subject is interesting because it's one of the cost-justifiers in business models that seek to re-engineer large office buildings and other copper-intensive venues where the objective is to replace all copper wiring with hybrid fiber-wireless alternatives. While reclamation through salvage is only a by-product of this movement, it is nonetheless one that is cash intensive, so it cannot be overlooked. Not only is the copper data cabling removed (Cat3/5e/6, in this case), but also potentially tons of power cables and racks supporting sometimes hundreds of riser telecom/LAN closets, where there are usually anywhere from two to four closets per floor, depending on the size of the floor plate, in a forty- or sixty-story building, say. Every copper penny helps these days.
>
> --- strei...@cluebyfour.org wrote:
> From: Justin M. Streiner strei...@cluebyfour.org
> To: nanog@nanog.org
> Subject: Recycling old cabling?
> Date: Tue, 17 Aug 2010 07:29:50 -0400 (EDT)
>
> Just out of curiosity, is anyone here recycling old cabling and plant infrastructure for their raw materials, or engaging a recycler to handle those materials? Where I work, there is almost always a renovation project going on. This provides opportunities to rip out Cat3/Cat5/long-abandoned thicknet/thinnet/FDDI-grade fiber/etc, which we normally do. Most of the time that old cabling ends up in the dumpster, but I'm wondering if anyone is recycling it, either by their choice, or as the result of company policy or relevant laws in your area?
>
> Cat3/Cat5 can be broken down to raw materials with some effort, but I haven't seen many recyclers with an economically viable process for doing it. Coax is a bit tougher, but not impossible (same questions about economic viability still apply). Fiber can be tough, especially if you're dealing with something like 20+ year old gel-buffered cable where the gel has long since dried out.
>
> I'd be interested to hear other peoples' experiences along these lines.
>
> jms

--
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.
Follow us on Twitter at http://twitter.com/ddosprotection to find out about news, promotions, and (gasp!) system outages which are updated in real time.
Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 - 21 to find out how to protect your booty.
Re: IPv4 Exhaustion...
Hello,

From our past experience this can be accomplished without issue as long as you have good log records and tracking in place. Ensure you have long-term retention for the logs to cover yourself. Many ISPs are moving to this sort of environment simply due to the reasoning stated.

-Kevin

-----Original Message-----
From: Positively Optimistic
To: nanog@nanog.org
Subject: IPv4 Exhaustion...
Sent: Jul 23, 2010 12:11 PM

How do ISPs handle RIAA notices when NATting customers..? We have several customers that don't require public address space that could be moved to private.. We're reluctant to make the move due to legal liabilities..
Re: NOC Best Practices
I have to agree that this is all good information. Your question on ITIL: My personal opinion is that ITIL best practices are great to apply to all environments. It makes sense, specifically in the change control systems. However, as stated, it's also highly dependent on how many devices being managed/monitored. I come from a NOC managing 8600+ network devices across 190+ countries. Strict change management policies, windows, approvers. All depending on times relative to the operations in different countries. We were growing so rapidly that we continued purchasing companies and bringing over their infrastructure. Each time bringing in new ticket systems, etc. NNM is by far one of my favorite choices for network monitoring. The issue with it is really the views and getting them organized in an easily viewable fashion. RT is a great ticketing tool for specific needs. It allows for approvers and approval tracking of tickets. However, it isn't extremely robust. I would recommend something like HP ServiceCenter since it can integrate and automate the alert output directly to tickets. This also allows the capability to use Alarmpoint for automated paging of your on-calls based on their schedules, by device, etc. Not to say that I'm a complete HP fan boy but I will say that it works extremely well. Easy to use and simplicity is the key to less mistakes. All of our equipment was 99% Cisco so the combination worked extremely well. Turnover : I firmly believe shift changes should be verbally handed off. Build a template for the days top items or most critical issues. List out the ongoing issues and any tickets being carried over with the status. Allot 15 minutes for the team to sit down with the printout and review it. Contracts/SLA's: We placed all of our systems in a bulk 99.999% uptime critical SLA. However, this was a mistake on our part and the lack of time to plan well when adapting to an ever-changing environment. 
It would be best to setup your appliances/hardware in your ticket system and monitoring tool based on the SLA you intend to apply to it. Also ensure you include all hardware information: Supply Vendor, Support Vendor, Support coverage, ETR from Vendor, Replacement time. There are many tools that do automated discovery on your network and monitors changes on the network. This is key if you have a changing environment. The more devices you have, the more difficult it is to pinpoint what a failed router or switch ACTUALLY affects upstream or downstream. If this is your chance, take the opportunity to map your hardware/software dependencies. If a switch fails and it provides service to: example: db01 and db01 drives the service in another location. Then you should know that failure is there. It's far too common for companies to get so large they have no idea what the impact of 1 port failure in xyz does to the entire infrastructure. Next: Build your monitoring infrastructure completely separate than the rest of the network. If you don't do switch redundancy (active/passive) on all of your systems or NIC teaming (active/passive) then ensure you do it at least on your monitoring systems. Build your logging out in a PCI/SOX fashion. Ensure you have remote logging on everything, log retention based on your need. Tripwire with approved reports being sent weekly on the systems requiring PCI/SOX monitoring. Remember, if your monitoring systems go down, your NOC is blind. It's highly recommend that the NOC have gateway/jump box systems available to all parts of the network. Run the management completely on RFC1918 for security. Ensure all on-calls have access, use a VPN solution that requires a password + vpn keygen. Utilize TACACs/LDAP the most you can. Tighten everything. Log everything. I can't say that enough. Enforce pw changes every 89 days, require strong passwords/non dictionary, etc. 
Build an internal site, use a wiki-based format, allow the team the ability to add/modify with approval. Build a FAQ/Knowledgebase. Possibly create a forum so your team can post extra tips/notes, one-offs. Anything that may help new members or people who run across something in the middle of the night they may have never seen. This keeps from waking up your lead staff in the middle of the night.

On-calls: Always have a primary/secondary with a clear on-call procedure 'documented'. Example (critical):
1. Issue occurs
2. Page on-call within 10 minutes
3. Allow 10 minutes for return call.
4. Page again
5. Allow 5 minutes
6. Page secondary
Etc.

Ensure the staff documents every step they take and they copy/paste every page they send into the ticket system. Build templated paging formats. Understand that most txt messages with several carriers have hard limits. Use something like: Time InitialsofNOCPerson SystemAlerting Error CallbackNumber (i.e. 14:05 KH nycgw01 System reports down 555-555- xt103) Use a paging internal website/software or as mentioned,
Re: NOC Best Practices
eTOM is best regarded as a companion to ITIL practices. It has additional layers not covered by ITIL and vice versa. I think a combination of practices from both is the best method.

-Kevin

-Original Message-
From: Xavier Banchon xbanc...@telconet.net
Date: Sat, 17 Jul 2010 20:20:26
To: nanog-p...@rsuc.gweep.net; Kasper Adel karim.a...@gmail.com
Reply-To: xbanc...@telconet.net
Cc: NANOG list nanog@nanog.org
Subject: Re: NOC Best Practices

What about e-TOM? Is it better than ITIL V3? Regards, Xavier Telconet S.A

-Original Message-
From: Joe Provo nanog-p...@rsuc.gweep.net
Date: Sat, 17 Jul 2010 14:56:04
To: Kasper Adel karim.a...@gmail.com
Reply-To: nanog-p...@rsuc.gweep.net
Cc: NANOG list nanog@nanog.org
Subject: Re: NOC Best Practices

On Fri, Jul 16, 2010 at 09:34:53PM +0300, Kasper Adel wrote: Thanks for all the people that replied off list, asking me to send them responses I will get. [snip] Which is useful but I am looking for more stuff from the best people that run the best NOCs in the world. So I'm throwing this out again. I am looking for pointers, suggestions, URLs, documents, donations on what a professional NOC would have on the below topics:

A lot, as others have said, depending on the business, staffing, goals, SLA, contracts, etc.

1) Briefly, how they handle their own tickets with vendors or internal

Run a proper ticketing system over which you have control (RT and friends rather than locking you into something you have to pay for changes). Don't judge just by ticket closure rate, judge by successfully resolving problems. Encourage folks to use the system for tracking projects and keeping notes on work in progress rather than private datastores. Inculcate a culture of open exploration to solve problems rather than rote memorization. This gets you a large way to #2.

2) How they create a learning environment for their people (Documenting Syslog, lessons learned from problems...etc)

Mentoring, shoulder surfing.
Keep your senior people in the mix of triage response so they don't get dull and cross-pollinate skills. When someone is new, have their probationary period be shadowing the primary on-call the entire time. Your third shift [or whatever spans your maintenance windows] should be the folks who actually wind up executing well-specified maintenances (with guidance as needed) and be the breeding ground of some of your better hands-on folks.

3) Shift to Shift hand over procedures

This will depend on your systems for tickets, logbooks, etc. Solve that first and this should become evident.

4) Manual tests they start their day with and what they automate (common stuff)

This will vary on the business and what's on-site; I can't advise you to always include the genset if you don't have one.

5) Change management best practices and working with operations/engineering when a change will be implemented

Standing maintenance windows (of varying severity if that matters to your business), clear definition of what needs to be done only during those and what can be done anytime [hint: policy tuning shouldn't be restricted to them, and you shouldn't make it so urgent things like a BGP leak can't be fixed]. Linear rather than parallel workflows for approval, and not too many approval stages else your staff will be spending time trying to get things through the administrative stages instead of actual work. Very simply, have a standard for specifying what needs to be done, the minimal tests needed to verify success, and how you fall back if you fail the tests. If someone can't specify it and insists on frobbing around, they likely don't understand the problem or the needed work.

Cheers, Joe -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: Vyatta as a BRAS
My comment would be: That is simply a matter of opinion and opinions may be swayed depending on the market that signs your check? :) There have been a fair share of appliance bugs/sec vulnerabilities over the years as well. I agree software-based deployments have their flaws but I do not agree that it cannot be managed securely with comparable or exceeding uptime -vs- a drop in appliance. I firmly believe it has its place in 'today's internet'. The question is where your expertise lies and what you expect to get out of it. If your background is Cisco and you have a good relationship then I wouldn't fix what isn't broken. I have very little experience with Vyatta other than doing some mild testing. I am simply speaking more to the 'software-based' market like Vyatta/BSD.

-Original Message-
From: Truman Boyes tru...@suspicious.org
Date: Tue, 13 Jul 2010 16:56:16
To: Dobbins, Roland rdobb...@arbor.net
Cc: NANOG list nanog@nanog.org
Subject: Re: Vyatta as a BRAS

On 13/07/2010, at 4:50 PM, Dobbins, Roland wrote: On Jul 13, 2010, at 1:34 PM, Sharef Mustafa wrote: do you recommend it? My comment would be that a software-based BRAS - 7200, Vyatta, et. al. - is no longer viable in today's Internet, and hasn't been for years, due to security/availability concerns. Same for peering/transit edge, customer aggregation edge, et. al. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken

I agree. In a bind I have seen small providers experiment with FreeBSD/Linux L2TP termination (as an LNS), I would recommend against it if you have a business that depends upon these customers' happiness. There were all sorts of issues to address when the customer ran significant traffic forwarding through the unix boxes, namely adjusting kernel parameters for NMB_CLUSTERS, heap sizes, all sorts of sysctl parameters, adding additional interface counts, etc.
A low cost 7200 or ERX-310 would easily fit the bill, and you can buy them cheap these days. Cheers, Truman
Re: Vyatta as a BRAS
I haven't done real world testing with Vyatta but we consistently pass 750KPPS+ without the slightest hiccup on our FreeBSD routing systems. Correct hardware with the right configuration can make all of the difference.

-Original Message-
From: Dobbins, Roland rdobb...@arbor.net
Date: Tue, 13 Jul 2010 16:15:18
To: NANOG list nanog@nanog.org
Subject: Re: Vyatta as a BRAS

On Jul 13, 2010, at 10:58 PM, Joe Greco wrote: It's interesting. One can get equally militant and say that hardware based routers are irrelevant in many applications.

When BCPs are followed, they don't tend to fall over the moment someone hits them with a few kpps of packets - which should be a key criterion for an edge device. The same can't be said of software-based devices. If maintaining availability is important, then hardware-based (semantic hairsplitting aside) devices are a requirement. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
Re: Vyatta as a BRAS
Routing. We can route that. If it were targeting the box itself it would depend if the attack were getting through. Certainly iptables can't handle something like that but pf does well with high PPS rates. If it were all 'DROP' traffic then likely higher. If it were hitting the box directly and getting past the firewall, yes it would be substantially lower. We were talking about routing though. --Original Message-- From: Dobbins, Roland To: NANOG list Subject: Re: Vyatta as a BRAS Sent: Jul 13, 2010 12:56 PM On Jul 14, 2010, at 12:39 AM, khatfi...@socllc.net khatfi...@socllc.net wrote: I haven't done real world testing with Vyatta but we consistently pass 750KPPS+ without the slightest hiccup on our FreeBSD routing systems. 750kpps packeting the box itself? Also, note that kpps is a small amount of traffic, compared to what even very small botnets can dish out. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
Re: Vyatta as a BRAS
In that case you are entirely accurate. If you were to use Vyatta (linux-based) systems for this then you would likely need additional infrastructure to firewall or zone it to ensure it can't be hit directly. Depending on what all it has running and the configuration it could be firewalled off locally but you're right it wouldn't withstand like 'hardware-accelerated' as stated before. Sorry for the confusion :) --Original Message-- From: Dobbins, Roland To: NANOG list Subject: Re: Vyatta as a BRAS Sent: Jul 13, 2010 1:37 PM On Jul 14, 2010, at 1:29 AM, khatfi...@socllc.net wrote: We were talking about routing though. I was talking about packeting the boxes directly, apologies for being unclear - that's what I meant when I said that the era of software-based edge boxes is long past. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
Re: ASR vs 7604 for BGP border router?
What kind of budget do you have? I think it really depends on what you're going after. Both would work... Is there something specific you want to do? Honestly, your current bandwidth utilization and need could be handled by an OpenBSD system. I think I may be missing your exact question. Are you asking which would work best? Or simply asking about reliability? In my opinion, I prefer the Juniper MX series over the ASR. However, there are plenty of fanboys for ASRs. I really don't think you could go wrong either way. Unless a deciding factor is budget or something along those lines...

--Original Message--
From: David Hubbard
To: nanog@nanog.org
Subject: ASR vs 7604 for BGP border router?
Sent: Jun 30, 2010 10:48 PM

Curious if anyone can give me some real world thoughts on the Cisco ASR1004 w/RP2 ESP5 versus a 7604 w/?? as a border router for web hosting environment. I'm looking to replace a pair of aging routers of a different make. Current config is four providers, two send full BGP on gigE to both of our routers for redundancy, two providers send full BGP on gigE to only one each, so basically each device receives three full feeds and then they talk to each other. Very simple network; border passes through firewalls to core using static routes, core has default route out to the border, all one physical location, nothing obscure or complicated. Cisco rep suggested looking at the ASR due to our interest in having the firewall functionality built in so we can get rid of the standalones, but that's not mandatory. A friend suggested the 7604 but I'm not sure what config as far as management, add-on cards, etc. The cumulative outbound traffic may burst up to 1 Gbit/sec during the business day, averages less. Only three things that really matter are reliable BGP, functional IPv6 (not using it yet but want to), won't fall down if a compromised server starts sending out line rate garbage packets it has to discard or similar things that don't happen in a test lab.
Thanks, Dave
Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system
Folks,

We have a strange situation occurring lately where we are getting some reports of TCP Sweeps from one of our IPs, yet the IP is one of many specifically configured for inbound traffic and does not emit outbound traffic unless for response. Specifically, these are DDoS mitigation IPs so they are attacked fairly frequently. With this in mind, the last few days one of the IPs being reported has been under constant attack.

Here is an example report we received from AT&T:

04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)
04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=1024,min=212.1.188.1,max=212.1.185.126,Jun27-04:29:51,Jun27-04:35:53) (USI-amsxaid01)
04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=25,dp=1024,min=212.1.190.11,max=212.1.189.120,Jun27-04:12:37,Jun27-04:20:40) (USI-amsxaid01)
04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=18,dp=3072,min=212.1.189.3,max=212.1.186.118,Jun27-04:13:15,Jun27-04:20:37) (USI-amsxaid01)
04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=34,dp=1024,min=212.1.191.8,max=212.1.191.121,Jun27-03:56:28,Jun27-04:12:29) (USI-amsxaid01)
04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=28,dp=3072,min=212.1.186.6,max=213.244.176.119,Jun27-03:56:48,Jun27-04:11:45) (USI-amsxaid01)

Report from DK*CERT:

If nothing else mentioned below, timezone is believed to be UTC+0200(CEST)
Destination address(es): Addresses in the networks 130.225.16.0/22 and 130.225.2.128/25
Security logs:
#Jun 27 18:13:40 2010 .. Jun 27 18:58:13 2010
# Scan from x.x.x.x affecting at least
# 81 addresses targeting TCP:1024, TCP:3072.
#

I have removed our IP and replaced it with x.x.x.x. To be a bit more clear, this is a reverse-proxy IP address. This IP is in a NAT type configuration where it is sent back to filtering clusters. No outbound traffic is configured on these IPs except where requests / responses flow through it. I know a year or two ago there was a bug in Cisco IOS that would report a sweep when extreme packet load occurred or a burst hit. At the time of this report we saw an attack burst to around 310,000PPS on this IP (inbound). Is it simply likely the networks reporting have several IPs being used in the attack and that is what they are seeing? That's what we originally thought but the port scans throw that theory off... Our security team has gone through all PCAPs during the mentioned time frames and we are not showing any sort of outbound scan traffic. Any ideas why this would be showing as a sweep? Our IDS systems do not scan requesting IPs' originating systems. Any help is appreciated, we're simply trying to get to the bottom of the reports.

Kevin
Re: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system
Thanks Matt, That's what we believe we're seeing at this point but we're trying to convince our upstream. :) We have seen this in the past but proving it is occurring seems to be the primary issue we're running into at this point.

-Kevin

-Original Message-
From: Matt Hite li...@beatmixed.com
Sent: Sunday, June 27, 2010 5:36pm
To: khatfi...@socllc.net
Cc: nanog@nanog.org
Subject: Re: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system

Hi Kevin, Someone may want to throw RST traffic your way by spoofing their own source (as you) and machine gunning TCP ACK or SYN packets to Internet hosts such as this AT&T customer. Just a nice way of throwing traffic at you in a fairly undetectable manner. Just a guess, -M

On Sun, Jun 27, 2010 at 2:22 PM, khatfi...@socllc.net wrote: Folks, We have a strange situation occurring lately where we are getting some reports of TCP Sweeps from one of our IPs, yet the IP is one of many specifically configured for inbound traffic and does not emit outbound traffic unless for response. Specifically, these are DDoS mitigation IPs so they are attacked fairly frequently. With this in mind, the last few days one of the IPs being reported has been under constant attack.

Here is an example report we received from AT&T:

04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)
04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=1024,min=212.1.188.1,max=212.1.185.126,Jun27-04:29:51,Jun27-04:35:53) (USI-amsxaid01)
04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=25,dp=1024,min=212.1.190.11,max=212.1.189.120,Jun27-04:12:37,Jun27-04:20:40) (USI-amsxaid01)
04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=18,dp=3072,min=212.1.189.3,max=212.1.186.118,Jun27-04:13:15,Jun27-04:20:37) (USI-amsxaid01)
04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=34,dp=1024,min=212.1.191.8,max=212.1.191.121,Jun27-03:56:28,Jun27-04:12:29) (USI-amsxaid01)
04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=28,dp=3072,min=212.1.186.6,max=213.244.176.119,Jun27-03:56:48,Jun27-04:11:45) (USI-amsxaid01)

Report from DK*CERT:

If nothing else mentioned below, timezone is believed to be UTC+0200(CEST)
Destination address(es): Addresses in the networks 130.225.16.0/22 and 130.225.2.128/25
Security logs:
#Jun 27 18:13:40 2010 .. Jun 27 18:58:13 2010
# Scan from x.x.x.x affecting at least
# 81 addresses targeting TCP:1024, TCP:3072.
#

I have removed our IP and replaced it with x.x.x.x. To be a bit more clear, this is a reverse-proxy IP address. This IP is in a NAT type configuration where it is sent back to filtering clusters. No outbound traffic is configured on these IPs except where requests / responses flow through it. I know a year or two ago there was a bug in Cisco IOS that would report a sweep when extreme packet load occurred or a burst hit. At the time of this report we saw an attack burst to around 310,000PPS on this IP (inbound). Is it simply likely the networks reporting have several IPs being used in the attack and that is what they are seeing? That's what we originally thought but the port scans throw that theory off... Our security team has gone through all PCAPs during the mentioned time frames and we are not showing any sort of outbound scan traffic. Any ideas why this would be showing as a sweep? Our IDS systems do not scan requesting IPs' originating systems. Any help is appreciated, we're simply trying to get to the bottom of the reports.

Kevin
Re: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system
Excellent! Thanks John. We have seen this sort of signature before but we couldn't find the reference source in our library. I don't believe this is one we had. Thanks!

Kevin

--Original Message--
From: John Kristoff
To: Kevin Hatfield
Cc: nanog@nanog.org
Subject: Re: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system
Sent: Jun 27, 2010 9:32 PM

On Sun, 27 Jun 2010 17:22:51 -0400 (EDT) khatfi...@socllc.net wrote: Here is an example report we received from AT&T:

04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)
04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP]

This looks like the trademark signature of back scatter as a result of someone using the juno.c or derivative code to SYN flood a host. You are most likely getting this traffic from a host that is getting attacked. In the junos.c code you'll see this:

syn->sport = htons(1024 + (random() & 2048));

A random number is ANDed against 2048, the result is then added to 1024. What will be added is always either 0 or 2048, because 2048 has only one bit set. 1024 + 2048 = 3072. Therefore, syn->sport will only ever equal 1024 or 3072. Or in your case, it shows up as the dport on the way back.

John
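An added example, not from any poster in this thread, that turns John's observation into a check a defender can run over abuse reports like the AT&T and DK*CERT ones Kevin quoted above: it evaluates the juno.c source-port expression over a range of values to show it yields only 1024 and 3072, parses the TCP-SWEEP records into per-port totals, and flags a report whose destination ports are confined to that pair as consistent with SYN-flood backscatter rather than an outbound scan. The record lines are constructed to match the quoted report's format (same x.x.x.x placeholder); the function names and the classification labels are this example's own.

```python
import re

# Constructed sample in the format of the AT&T TCP-SWEEP report quoted in this
# thread (the reported source is the same x.x.x.x placeholder the poster used).
SAMPLE_REPORT = """\
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)
04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=1024,min=212.1.188.1,max=212.1.185.126,Jun27-04:29:51,Jun27-04:35:53) (USI-amsxaid01)
"""

# The only two values 1024 + (r & 2048) can take: 2048 has a single bit set,
# so the AND is either 0 or 2048.
JUNO_SOURCE_PORTS = {1024, 3072}

# One TCP-SWEEP record: the bracketed tag followed by a parenthesised
# comma-separated field list.
SWEEP_RE = re.compile(r"\[TCP-SWEEP\] \((?P<fields>[^)]*)\)")


def juno_source_ports(random_values):
    """Evaluate the juno.c expression 1024 + (r & 2048) over the given values
    and return the set of distinct results, i.e. the backscatter signature."""
    return {1024 + (r & 2048) for r in random_values}


def parse_sweep_line(line):
    """Return the dp/total/min/max fields of one TCP-SWEEP record, or None
    if the line is not such a record."""
    m = SWEEP_RE.search(line)
    if m is None:
        return None
    fields = {}
    for item in m.group("fields").split(","):
        if "=" in item:  # the trailing items are bare timestamps, skipped here
            key, value = item.split("=", 1)
            fields[key] = value
    try:
        return {"dp": int(fields["dp"]), "total": int(fields["total"]),
                "min": fields["min"], "max": fields["max"]}
    except (KeyError, ValueError):
        return None


def port_totals(report_text):
    """Sum the reported probe counts per destination port."""
    totals = {}
    for line in report_text.splitlines():
        rec = parse_sweep_line(line)
        if rec is not None:
            totals[rec["dp"]] = totals.get(rec["dp"], 0) + rec["total"]
    return totals


def classify_report(report_text):
    """Decide whether the ports in a sweep report match the juno.c pattern.
    If every reported dp is in {1024, 3072}, the report is consistent with
    replies (SYN-ACK/RST) from hosts that were SYN flooded with our address
    spoofed as the source; any other port breaks that explanation."""
    totals = port_totals(report_text)
    if not totals:
        return "no-sweep-records"
    if set(totals) <= JUNO_SOURCE_PORTS:
        return "consistent-with-syn-flood-backscatter"
    return "not-juno-backscatter-pattern"


if __name__ == "__main__":
    print(sorted(juno_source_ports(range(8192))))  # the two possible ports
    print(port_totals(SAMPLE_REPORT))
    print(classify_report(SAMPLE_REPORT))
```

The port check is a heuristic, not proof: a genuine scan of exactly those two ports would match it as well, so the result should be read alongside the evidence Kevin's team already gathered (packet captures showing no outbound SYNs from the address during the reported window, and the inbound flood on the same address at the same time) before taking it to the upstream.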
Re: Micro-allocation needed?
Are you considering doing SNTP or regular NTP? If regular NTP... I once read some excellent advice on AnyCast: It often doesn't make sense to go through the extra complexity in deploying a service with AnyCast addressing if it doesn't justify the benefit. In this sense, I really don't understand what you will gain.

-Original Message-
From: Kevin Oberman ober...@es.net
Date: Mon, 21 Jun 2010 15:13:28
To: Joe Abley jab...@hopcount.ca
Cc: nanog@nanog.org
Subject: Re: Micro-allocation needed?

From: Joe Abley jab...@hopcount.ca Date: Mon, 21 Jun 2010 17:55:40 -0400 I'm interested in the idea of anycasting one of the pool.ntp.org herd-members. Every time I've suggested such a thing I've been told (paraphrasing) that a good (server, client) NTP session exhibits reasonable RTT stability, this constitutes, in effect, a long-lived transaction, and hence anycast is not a good answer unless you have confidence that the potential for oscillations is low, or that the frequency of the oscillations is very low (i.e. in a private network this might be a good answer, but across the public Internet it's a poor answer). Has the thinking changed, or did I just misunderstand?

Joe, This would be better asked on the NTP list, but I'd say it depends on the accuracy you want to achieve. For the NTP pool, the idea is to try for good accuracy and very good long-term stability. That does not work well if the actual source of the data changes very often. Aside from losing the advantages of long-term PLL filtering of the time, you also will see substantial changes in delay (i.e. RTT) and, almost certainly, jitter. Unless you are confident that the source of the anycast at any point in the network will remain stable over a very long term, it really does not sound like a good solution to me. Then again, with a GPS time source available for 75 USD, anyone who is really trying for really good time should just buy one and run a local stratum 1 server. -- R.
Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Re: Monitoring Tool
When you say monitoring... Do you mean servers and network gear or just network? What type of gear? What kind of information are you looking to get? (How detailed?) What kind of budget do you have? Really all of those are needed to make a recommendation. I'm guessing this is a small network? How many devices?

-Kevin

--Original Message--
From: Joshua William Klubi
To: nanog@nanog.org
Subject: Monitoring Tool
Sent: Jun 14, 2010 2:12 AM

Hi I have been tasked to develop a good network for a Bank and I have also been tasked to get a good monitoring tool for the Bank's local network and Service providers network. I would like to ask the community to help recommend the best tool out there that can help me do this Joshua