Re: ipmi access

2014-06-02 Thread Brian Dickson
Here's one useful method, which depends on having appropriate subnet and VLAN capabilities. Have all hosts at a given site, have their main interface do dot1q (switch config trunked port). The ipmi interfaces will be on one VLAN (put those ports in that VLAN). The first VLAN is the public routed

Re: Naive IPv6 (was ATT UVERSE Native IPv6, a HOWTO)

2013-12-04 Thread Brian Dickson
On Wed, Dec 4, 2013 at 1:32 PM, Rob Seastrom r...@seastrom.com wrote: Brian Dickson brian.peter.dick...@gmail.com writes: Rob Seastrom wrote: Ricky Beam jfbeam at gmail.com http://mailman.nanog.org/mailman/listinfo/nanog writes: * On Fri, 29 Nov 2013 08:39:59 -0500, Rob Seastrom

Re: Naive IPv6 (was ATT UVERSE Native IPv6, a HOWTO)

2013-12-04 Thread Brian Dickson
Seastrom r...@seastrom.com wrote: Brian Dickson brian.peter.dick...@gmail.com writes: Rob Seastrom wrote: Ricky Beam jfbeam at gmail.com http://mailman.nanog.org/mailman/listinfo/nanog writes: * On Fri, 29 Nov 2013 08:39:59 -0500, Rob Seastrom rs at seastrom.com http

Re: Naive IPv6 (was ATT UVERSE Native IPv6, a HOWTO)

2013-12-04 Thread Brian Dickson
On Wed, Dec 4, 2013 at 2:34 PM, Tony Hain alh-i...@tndh.net wrote: Brian Dickson wrote: And root of the problem was brought into existence by the insistence that every network (LAN) must be a /64. [snip] about how many bits to add for hosts on the lan. The fact it came out to 64

Re: Naive IPv6 (was ATT UVERSE Native IPv6, a HOWTO)

2013-12-04 Thread Brian Dickson
On Wed, Dec 4, 2013 at 3:09 PM, Owen DeLong o...@delong.com wrote: On Dec 4, 2013, at 10:21 , Brian Dickson brian.peter.dick...@gmail.com wrote: Second of all, what would make much more sense in your scenario is to aggregate at one or two of those levels. I'd expect probably the POP

Re: Naive IPv6 (was ATT UVERSE Native IPv6, a HOWTO)

2013-12-04 Thread Brian Dickson
On Wed, Dec 4, 2013 at 3:48 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Wed, Dec 4, 2013 at 3:43 PM, Brian Dickson brian.peter.dick...@gmail.com wrote: Except that we have a hard limit of 1M total, which after a few 100K from where does the 1M come from? FIB table sizes

Re: route for linx.net in Level3?

2013-04-04 Thread Brian Dickson
Leo Bicknell wrote: Even if the exchange does not advertise the exchange LAN, it's probably the case that it is in the IGP (or at least IBGP) of everyone connected to it, and by extension all of their customers with a default route pointed at them. Actually, that may not be the case, and

Re: Open Resolver Problems

2013-04-01 Thread Brian Dickson
For filtering to/from client-only networks, here's the filtering rules (in pseudo-code, convert to appropriate code for whatever devices you operate), for DNS. The objective here is: - prevent spoofed-source DNS reflection attacks from your customers, from leaving your network - prevent your

puck.nether.net outage?

2013-02-13 Thread Brian Dickson
Anyone know about puck.nether.net? I read the outages list via web archive there, but can't connect currently. (I know - irony or what.) If you know what's going on, please post on NANOG? kthanks, Brian

Re: Update from the NANOG Communications Committee regarding recent off-topic posts

2012-07-30 Thread Brian Dickson
As a quick update, we've implemented some list settings last week to help to keep spam off the list. New subscribers are moderated until we're comfortable with their posts. We rejected the idea of keyword based message filtering since not only is it a lot of work to maintain, it's trivial

Re: [Idr] draft-ietf-idr-as0-00 (bgp update destroying transit on redback routers ?)

2011-12-03 Thread Brian Dickson
Can anyone familiar with this knob and its usage, answer a question: Would anything break, in terms of use of that knob, if instead of zeroing the AGGREGATOR, the local AS (as seen from the outside world, in the case of confederations) were used? Would the functionality of the knob, in reducing

Re: Outgoing SMTP Servers

2011-10-25 Thread Brian Dickson
Owen wrote: On Oct 25, 2011, at 3:29 AM, Valdis.Kletnieks at vt.edu wrote: On Tue, 25 Oct 2011 02:35:31 PDT, Owen DeLong said: If they are using someone else's mail server for outbound, how, exactly do you control whether or not they use AUTH in the process? 1) You don't even really

Re: Cogent HE

2011-06-09 Thread Brian Dickson
RAS wrote: On Thu, Jun 09, 2011 at 12:55:44AM -0700, Owen DeLong wrote: Respectfully, RAS, I disagree. I think there's a big difference between being utterly unwilling to resolve the situation by peering and merely refusing to purchase transit to a network that appears to offer little or no

RE: 1/8 and 27/8 allocated to APNIC

2010-01-22 Thread Brian Dickson
Nick Hilliard wrote: Someone else mentioned that we are now scraping the bottom of the ipv4 barrel. As of two days ago, there were quantifiable problems associated with 13 out of the 26 remaining /8s. 12 of these are known to be used to one extent or another on internet connected networks, and

RE: 1/8 and 27/8 allocated to APNIC

2010-01-22 Thread Brian Dickson
pain would really be unusually cruel.) Brian -Original Message- From: Nick Hilliard [mailto:n...@foobar.org] Sent: January-22-10 3:09 PM To: Brian Dickson Cc: William Allen Simpson; nanog@nanog.org Subject: Re: 1/8 and 27/8 allocated to APNIC On 22/01/2010 16:32, Brian Dickson wrote

RE: DNS question, null MX records

2009-12-16 Thread Brian Dickson
I realize we're a bit off-topic, but to be tangential to the original topic, and thus barely relevant: (Presuming the sink.arpa. thing succeeds, big presumption I realize...) So, how about using sink.arpa. as a(n) MNAME? Or perhaps, one of the hosts listed in AS112? Maybe a new AS112 entry

RE: backupdns.com down?

2009-11-22 Thread Brian Dickson
Ditto (puck.nether.net +9). Thanks on behalf of everyone, Jared. For those wanting further diversity, I also recommend using any or all of: everydns.net twisted4life.com afraid.org Also easy to use and set-up, IMHO. YMMV. Brian Dickson From

RE: Upstream BGP community support

2009-11-02 Thread Brian Dickson
(Apologies for top-replying, but hey, it makes it easier to ignore stuff you've already read.) I think the main things to consider in identifying what things belong in a standardized community are: - is it something that is really global, and not local, in behaviour and scope? - is it something

RE: Keepalives are temporarily in throttle due to closed TCP window

2009-09-16 Thread Brian Dickson
RAS wrote: [ lots of good stuff elided for brevity ] c) lower the mtu on the ds3 interface to 1500. This will have another benefit, if it is done to all such interfaces on the two devices. (Where by all such interfaces, I mean everything with set-able MTU 1500.) Configuring one common MTU

RE: Keepalives are temporarily in throttle due to closed TCP window

2009-09-15 Thread Brian Dickson
And more specifically, possibly an interface MTU (or ip mtu, I forget which). If there is a mismatch between ends of a link, in one direction, MTU-sized packets get sent, and the other end sees those as giants. I've seen situations where the MTU is calculated incorrectly, when using some

Re: Redundancy Summarization

2009-08-21 Thread Brian Dickson
My institution has a single /16 spread across 2 sites: the lower /17 is used at site A, the upper /17 at site B. Sites A & B are connected internally. Currently both sites have their own ISPs and only advertise their own /17's. For redundancy we proposed that each site advertise both their

Re: Great Suggestion for the DNS problem...?

2008-08-28 Thread Brian Dickson
to confuse folks too much. But, the short answer is: If you use the IRR, the full value is best realized by adding *as-path* filters to the things you build from the IRR data, and applying them to your customers (and peers !!). Oh, and if you already do IRR stuff, it's really quite easy to do. Brian

Re: Great Suggestion for the DNS problem...?

2008-08-28 Thread Brian Dickson
Alex Pilosov wrote: On Thu, 28 Aug 2008, Brian Dickson wrote: However, if *AS-path* filtering is done based on IRR data, specifically on the as-sets of customers and customers' customers etc., then the attack *can* be prevented. The as-path prepending depends on upstreams and their peers

Re: Great Suggestion for the DNS problem...?

2008-07-28 Thread Brian Dickson
What would the ip-blocking BGP feed accomplish? Spoofed source addresses are a staple of the DNS cache poisoning attack. Worst case scenario, you've opened yourself up to a new avenue of attack where your nameservers are receiving spoofed packets intended to trigger a blackhole filter,

Re: cooling door

2008-03-30 Thread Brian Dickson
Paul Vixie wrote: if you find me 300Ksqft along the caltrain fiber corridor in the peninsula where i can get 10mW of power and have enough land around it for 10mW worth of genset, and the price per sqft is low enough that i can charge by the watt and floor space be damned and still come out

Mailing list newbies suggestion

2008-03-22 Thread Brian Dickson
Here's a suggestion - perhaps it should go to nanog-futures, not sure... Since newbies have to first subscribe before they can post... Why not have the subscription procedure include sending the newbie a link to a page with newbie-related material, much like the nanog page on tools and

Re: v6 subnet size for DSL leased line customers

2008-01-02 Thread Brian Dickson
distant. The only caveat is, that some parties may mess with it on prefixes they receive. I've used it in the past, with considerable success. Brian Dickson