Re: constant FEC errors juniper mpc10e 400g

2024-04-18 Thread Aaron Gould
Thanks.  What "all the ethernet control frame juju" might you be 
referring to?  I don't recall Ethernet, in and of itself, just sending 
stuff back and forth.  Does anyone know if this FEC stuff I see 
occurring is actually contained in Ethernet Frames?  If so, please send 
a link to show the ethernet frame structure as it pertains to this 400g 
fec stuff.  If so, I'd really like to know the header format, etc.


-Aaron

On 4/18/2024 1:17 PM, Tom Beecher wrote:

FEC is occurring at the PHY , below the PCS.

Even if you're not sending any traffic, all the ethernet control frame 
juju is still going back and forth, which FEC may have to correct.


I *think* (but not 100% sure) that for anything that by spec requires 
FEC, there is a default RS-FEC type that will be used, which *may* be 
able to be changed by the device. Could be fixed though, I honestly 
cannot remember.


On Thu, Apr 18, 2024 at 1:35 PM Aaron Gould  wrote:

Not to belabor this, but so interesting... I need a FEC-for-Dummies or 
FEC-for-IP/Ethernet-Engineers...

Shown below, my 400g interface with NO config at all... Interface has no 
traffic at all, no packets at all  BUT, lots of FEC hits.  Interesting this 
FEC-thing.  I'd love to have a fiber splitter and see if wireshark could read 
it and show me what FEC looks like...but something tells me i would need a 400g 
sniffer to read it, lol

It's like FEC (fec119 in this case) is this automatic thing running between 
interfaces (hardware i guess), with no protocols and nothing needed at all in 
order to function.

-Aaron

{master}
me@mx960> show configuration interfaces et-7/1/4 | display set

{master}
me@mx960>

{master}
me@mx960> clear interfaces statistics et-7/1/4

{master}
me@mx960> show interfaces et-7/1/4 | grep packet
     Input packets : 0
     Output packets: 0

{master}
me@mx960> show interfaces et-7/1/4 | grep "put rate"
   Input rate : 0 bps (0 pps)
   Output rate    : 0 bps (0 pps)

{master}
me@mx960> show interfaces et-7/1/4 | grep rror
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU 
Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
     Bit errors 0
     Errored blocks 0
   Ethernet FEC statistics  Errors
     FEC Corrected Errors    28209
     FEC Uncorrected Errors  0
     FEC Corrected Errors Rate    2347
     FEC Uncorrected Errors Rate 0

{master}
me@mx960> show interfaces et-7/1/4 | grep packet
     Input packets : 0
     Output packets: 0

{master}
me@mx960> show interfaces et-7/1/4 | grep "put rate"
   Input rate : 0 bps (0 pps)
   Output rate    : 0 bps (0 pps)

{master}
me@mx960> show interfaces et-7/1/4 | grep rror
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU 
Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
     Bit errors 0
     Errored blocks 0
   Ethernet FEC statistics  Errors
     FEC Corrected Errors    45153
     FEC Uncorrected Errors  0
     FEC Corrected Errors Rate  29
     FEC Uncorrected Errors Rate 0

{master}
me@mx960> show interfaces et-7/1/4 | grep packet
     Input packets : 0
     Output packets: 0

{master}
me@mx960> show interfaces et-7/1/4 | grep "put rate"
   Input rate : 0 bps (0 pps)
   Output rate    : 0 bps (0 pps)

{master}
me@mx960> show interfaces et-7/1/4 | grep rror
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU 
Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
     Bit errors 0
     Errored blocks 0
   Ethernet FEC statistics  Errors
     FEC Corrected Errors    57339
     FEC Uncorrected Errors  0
     FEC Corrected Errors Rate    2378
     FEC Uncorrected Errors Rate 0

{master}
me@mx960>


On 4/18/2024 7:13 AM, Mark Tinka wrote:



On 4/17/24 23:24, Aaron Gould wrote:


Well JTAC just said that it seems ok, and that 400g is going to
show 4x more than 100g "This is due to having to synchronize
much more to support higher data."



We've seen the same between Juniper and Arista boxes in the same
rack running at 100G, despite cleaning fibres, swapping optics,
moving ports, moving line cards, etc. TAC said it's a
non-issue, and to be expected, and shared the same KB's.

It's a b

Re: constant FEC errors juniper mpc10e 400g

2024-04-18 Thread Aaron Gould

Not to belabor this, but so interesting... I need a FEC-for-Dummies or 
FEC-for-IP/Ethernet-Engineers...

Shown below, my 400g interface with NO config at all... Interface has no 
traffic at all, no packets at all  BUT, lots of FEC hits.  Interesting this 
FEC-thing.  I'd love to have a fiber splitter and see if wireshark could read 
it and show me what FEC looks like...but something tells me i would need a 400g 
sniffer to read it, lol

It's like FEC (fec119 in this case) is this automatic thing running between 
interfaces (hardware i guess), with no protocols and nothing needed at all in 
order to function.

-Aaron

{master}
me@mx960> show configuration interfaces et-7/1/4 | display set

{master}
me@mx960>

{master}
me@mx960> clear interfaces statistics et-7/1/4

{master}
me@mx960> show interfaces et-7/1/4 | grep packet
    Input packets : 0
    Output packets: 0

{master}
me@mx960> show interfaces et-7/1/4 | grep "put rate"
  Input rate : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)

{master}
me@mx960> show interfaces et-7/1/4 | grep rror
  Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
    Bit errors 0
    Errored blocks 0
  Ethernet FEC statistics  Errors
    FEC Corrected Errors    28209
    FEC Uncorrected Errors  0
    FEC Corrected Errors Rate    2347
    FEC Uncorrected Errors Rate 0

{master}
me@mx960> show interfaces et-7/1/4 | grep packet
    Input packets : 0
    Output packets: 0

{master}
me@mx960> show interfaces et-7/1/4 | grep "put rate"
  Input rate : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)

{master}
me@mx960> show interfaces et-7/1/4 | grep rror
  Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
    Bit errors 0
    Errored blocks 0
  Ethernet FEC statistics  Errors
    FEC Corrected Errors    45153
    FEC Uncorrected Errors  0
    FEC Corrected Errors Rate  29
    FEC Uncorrected Errors Rate 0

{master}
me@mx960> show interfaces et-7/1/4 | grep packet
    Input packets : 0
    Output packets: 0

{master}
me@mx960> show interfaces et-7/1/4 | grep "put rate"
  Input rate : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)

{master}
me@mx960> show interfaces et-7/1/4 | grep rror
  Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
    Bit errors 0
    Errored blocks 0
  Ethernet FEC statistics  Errors
    FEC Corrected Errors    57339
    FEC Uncorrected Errors  0
    FEC Corrected Errors Rate    2378
    FEC Uncorrected Errors Rate 0

{master}
me@mx960>


On 4/18/2024 7:13 AM, Mark Tinka wrote:



On 4/17/24 23:24, Aaron Gould wrote:

Well JTAC just said that it seems ok, and that 400g is going to show 
4x more than 100g "This is due to having to synchronize much more to 
support higher data."




We've seen the same between Juniper and Arista boxes in the same rack 
running at 100G, despite cleaning fibres, swapping optics, moving 
ports, moving line cards, etc. TAC said it's a non-issue, and to be 
expected, and shared the same KB's.


It's a bit disconcerting when you plot the data on your NMS, but it's 
not material.


Mark.


--
-Aaron


Re: constant FEC errors juniper mpc10e 400g

2024-04-17 Thread Aaron Gould
Well JTAC just said that it seems ok, and that 400g is going to show 4x 
more than 100g "This is due to having to synchronize much more to 
support higher data."


-Aaron



On 4/17/2024 4:04 PM, Aaron Gould wrote:


Interesting, thanks all, the JTAC rep got back to me and also pretty 
much said it's not an issue and is expected... also, JTAC rep cited 2 
KB's, shown here, both using 100g as an example... question please, 
should I understand that this is also true about 400g, even though his 
KB's speak about 100g?


KB77305
KB35145

https://supportportal.juniper.net/s/article/What-is-the-acceptable-rate-of-FEC-corrected-errors-for-100G-interface 

https://supportportal.juniper.net/s/article/PTX-FEC-corrected-errors-increasing-on-link-between-QSFP-100GBASE-SR4-740-058734-and-QSFP-100G-SR4-T2-740-061405?language=en_US 



-Aaron


On 4/17/2024 3:58 PM, Matt Erculiani wrote:
At some point, an error rate would exceed the ability of forward 
error correction (FEC) overhead to compensate, resulting in CRC 
errors. You're not seeing those so all is technically well.


It's not so much how many packets come in with errors that causes a 
problem, but what percentage of each packet is corrupted. The former 
is usually indicative of the latter though.


Just as Tom said, we're talking about a whole new animal than the NRZ 
we're used to inside the building. Long-haul and DCI folks deal with 
this stuff pretty regularly. The secret is to keep everything clean and 
mind your bend radii. We won't get away with some of what we used to 
get away with.


-Matt

On Wed, Apr 17, 2024 at 1:49 PM Aaron Gould  wrote:

fec cliff?  is there a level of fec errors that I should be
worried about then?  not sure what you mean.

-Aaron

On 4/17/2024 2:46 PM, Matt Erculiani wrote:

I'm no TAC engineer, but the purpose of FEC is to take and
correct errors when the port is going so fast that errors are
simply inevitable. Working as Intended.

Easier (read: cheaper) to build in some error correction than
make the bits wiggle more reliably.

No idea if that rate of increment is alarming or not, but you've
not yet hit your FEC cliff so you appear to be fine.

-Matt

On Wed, Apr 17, 2024 at 1:40 PM Dominik Dobrowolski
 wrote:

Open a JTAC case,
That looks like a work for them


Kind Regards,
Dominik

On Wed., 17.04.2024 at 21:36 Aaron Gould wrote:

We recently added MPC10E-15C-MRATE cards to our MX960's to upgrade 
our core to 400g.  During initial testing of the 400g interface (400GBASE-FR4), 
I see constant FEC errors.  FEC is new to me.  Anyone know why this is 
occurring?  Shown below is an interface with no traffic, but seeing constant 
FEC errors.  This is (2) MX960's cabled directly, no dwdm or anything between 
them... just a fiber patch cable.



{master}
me@mx960> clear interfaces statistics et-7/1/4

{master}
me@mx960> show interfaces et-7/1/4 | grep rror | refresh 2
---(refreshed at 2024-04-17 14:18:53 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source 
filtering: Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors0
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate   0
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:55 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source 
filtering: Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors 4302
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate   8
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:57 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source 
filtering: Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors 8796
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate 146
 FEC Uncorre

Re: constant FEC errors juniper mpc10e 400g

2024-04-17 Thread Aaron Gould
Interesting, thanks all, the JTAC rep got back to me and also pretty 
much said it's not an issue and is expected... also, JTAC rep cited 2 
KB's, shown here, both using 100g as an example... question please, 
should I understand that this is also true about 400g, even though his 
KB's speak about 100g?


KB77305
KB35145

https://supportportal.juniper.net/s/article/What-is-the-acceptable-rate-of-FEC-corrected-errors-for-100G-interface 

https://supportportal.juniper.net/s/article/PTX-FEC-corrected-errors-increasing-on-link-between-QSFP-100GBASE-SR4-740-058734-and-QSFP-100G-SR4-T2-740-061405?language=en_US 



-Aaron


On 4/17/2024 3:58 PM, Matt Erculiani wrote:
At some point, an error rate would exceed the ability of forward error 
correction (FEC) overhead to compensate, resulting in CRC errors. 
You're not seeing those so all is technically well.


It's not so much how many packets come in with errors that causes a 
problem, but what percentage of each packet is corrupted. The former 
is usually indicative of the latter though.


Just as Tom said, we're talking about a whole new animal than the NRZ 
we're used to inside the building. Long-haul and DCI folks deal with 
this stuff pretty regularly. The secret is to keep everything clean and 
mind your bend radii. We won't get away with some of what we used to 
get away with.


-Matt

On Wed, Apr 17, 2024 at 1:49 PM Aaron Gould  wrote:

fec cliff?  is there a level of fec errors that I should be worried
about then?  not sure what you mean.

-Aaron

On 4/17/2024 2:46 PM, Matt Erculiani wrote:

I'm no TAC engineer, but the purpose of FEC is to take and
correct errors when the port is going so fast that errors are
simply inevitable. Working as Intended.

Easier (read: cheaper) to build in some error correction than
make the bits wiggle more reliably.

No idea if that rate of increment is alarming or not, but you've
not yet hit your FEC cliff so you appear to be fine.

-Matt

On Wed, Apr 17, 2024 at 1:40 PM Dominik Dobrowolski
 wrote:

Open a JTAC case,
That looks like a work for them


Kind Regards,
Dominik

On Wed., 17.04.2024 at 21:36 Aaron Gould wrote:

We recently added MPC10E-15C-MRATE cards to our MX960's to upgrade 
our core to 400g.  During initial testing of the 400g interface (400GBASE-FR4), 
I see constant FEC errors.  FEC is new to me.  Anyone know why this is 
occurring?  Shown below is an interface with no traffic, but seeing constant 
FEC errors.  This is (2) MX960's cabled directly, no dwdm or anything between 
them... just a fiber patch cable.



{master}
me@mx960> clear interfaces statistics et-7/1/4

{master}
me@mx960> show interfaces et-7/1/4 | grep rror | refresh 2
---(refreshed at 2024-04-17 14:18:53 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source 
filtering: Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors0
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate   0
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:55 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source 
filtering: Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors 4302
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate   8
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:57 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source 
filtering: Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors 8796
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate 146
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:59 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, 

Re: constant FEC errors juniper mpc10e 400g

2024-04-17 Thread Aaron Gould
Thanks Joe and Schylar, that's reassuring.  Tom, yes, I believe fec is 
required for 400g as you see fec119 listed in that output... and I 
understand you can't (or perhaps shouldn't) change it.


-Aaron

On 4/17/2024 2:43 PM, Joe Antkowiak wrote:

Corrected FEC errors are pretty normal for 400G FR4



On Wednesday, April 17th, 2024 at 3:36 PM, Aaron Gould 
 wrote:

We recently added MPC10E-15C-MRATE cards to our MX960's to upgrade our core to 
400g.  During initial testing of the 400g interface (400GBASE-FR4), I see 
constant FEC errors.  FEC is new to me.  Anyone know why this is occurring?  
Shown below is an interface with no traffic, but seeing constant FEC errors.  
This is (2) MX960's cabled directly, no dwdm or anything between them... just a 
fiber patch cable.



{master}
me@mx960> clear interfaces statistics et-7/1/4

{master}
me@mx960> show interfaces et-7/1/4 | grep rror | refresh 2
---(refreshed at 2024-04-17 14:18:53 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors0
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate   0
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:55 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors 4302
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate   8
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:57 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors 8796
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate 146
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:59 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors15582
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate 111
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:19:01 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors20342
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate 256
 FEC Uncorrected Errors Rate 0

{master}
me@mx960> show interfaces et-7/1/4 | grep "put rate"
   Input rate : 0 bps (0 pps)
   Output rate: 0 bps (0 pps)

{master}
me@mx960> show interfaces et-7/1/4
Physical interface: et-7/1/4, Enabled, Physical link is Up
   Interface index: 226, SNMP ifIndex: 800
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
   Flow control: Enabled
   Pad to minimum frame size: Disabled
   Device flags   : Present Running
   Interface flags: SNMP-Traps Internal: 0x4000
   Link flags : None
   CoS queues : 8 supported, 8 maximum usable queues
   Schedulers : 0
   Last flapped   : 2024-04-17 13:55:28 CDT (00:36:19 ago)
   Input rate : 0 bps (0 pps)
   Output rate: 0 bps (0 pps)
   Active alarms  : None
   Active defects : None
   PCS statistics  Seconds
 Bit errors 0
 Errored blocks 0
   Ethernet FEC Mode  : FEC119
   Ethernet FEC statistics  Errors
 FEC Corrected Errors   801787
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate2054
 FEC Uncorrected Errors Rate 0
   Link Degrade :
 Link Monitoring   :  Disable
   Interface transmi

Re: constant FEC errors juniper mpc10e 400g

2024-04-17 Thread Aaron Gould
fec cliff?  is there a level of fec errors that I should be worried about 
then?  not sure what you mean.


-Aaron

On 4/17/2024 2:46 PM, Matt Erculiani wrote:
I'm no TAC engineer, but the purpose of FEC is to take and correct 
errors when the port is going so fast that errors are 
simply inevitable. Working as Intended.


Easier (read: cheaper) to build in some error correction than make the 
bits wiggle more reliably.


No idea if that rate of increment is alarming or not, but you've not 
yet hit your FEC cliff so you appear to be fine.


-Matt

On Wed, Apr 17, 2024 at 1:40 PM Dominik Dobrowolski 
 wrote:


Open a JTAC case,
That looks like a work for them


Kind Regards,
Dominik

On Wed., 17.04.2024 at 21:36 Aaron Gould wrote:

We recently added MPC10E-15C-MRATE cards to our MX960's to upgrade our 
core to 400g.  During initial testing of the 400g interface (400GBASE-FR4), I 
see constant FEC errors.  FEC is new to me.  Anyone know why this is occurring? 
 Shown below is an interface with no traffic, but seeing constant FEC errors.  
This is (2) MX960's cabled directly, no dwdm or anything between them... just a 
fiber patch cable.



{master}
me@mx960> clear interfaces statistics et-7/1/4

{master}
me@mx960> show interfaces et-7/1/4 | grep rror | refresh 2
---(refreshed at 2024-04-17 14:18:53 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source 
filtering: Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors0
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate   0
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:55 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source 
filtering: Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors 4302
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate   8
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:57 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source 
filtering: Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors 8796
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate 146
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:59 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source 
filtering: Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors15582
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate 111
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:19:01 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source 
filtering: Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors20342
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate 256
 FEC Uncorrected Errors Rate 0

{master}
me@mx960> show interfaces et-7/1/4 | grep "put rate"
   Input rate : 0 bps (0 pps)
   Output rate: 0 bps (0 pps)

{master}
me@mx960> show interfaces et-7/1/4
Physical interface: et-7/1/4, Enabled, Physical link is Up
   Interface index: 226, SNMP ifIndex: 800
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, 
BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source 
filtering: Disabled,
   Flow control: Enabled
   Pad to minimu

Re: constant FEC errors juniper mpc10e 400g

2024-04-17 Thread Aaron Gould
I did.  Usually my NANOG and J-NSP email list gets me a quicker solution 
than JTAC.


-Aaron

On 4/17/2024 2:37 PM, Dominik Dobrowolski wrote:

Open a JTAC case,
That looks like a work for them


Kind Regards,
Dominik

On Wed., 17.04.2024 at 21:36 Aaron Gould wrote:

We recently added MPC10E-15C-MRATE cards to our MX960's to upgrade our core 
to 400g.  During initial testing of the 400g interface (400GBASE-FR4), I see 
constant FEC errors.  FEC is new to me.  Anyone know why this is occurring?  
Shown below is an interface with no traffic, but seeing constant FEC errors.  
This is (2) MX960's cabled directly, no dwdm or anything between them... just a 
fiber patch cable.



{master}
me@mx960> clear interfaces statistics et-7/1/4

{master}
me@mx960> show interfaces et-7/1/4 | grep rror | refresh 2
---(refreshed at 2024-04-17 14:18:53 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU 
Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors0
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate   0
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:55 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU 
Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors 4302
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate   8
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:57 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU 
Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors 8796
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate 146
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:59 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU 
Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors15582
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate 111
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:19:01 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU 
Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors20342
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate 256
 FEC Uncorrected Errors Rate 0

{master}
me@mx960> show interfaces et-7/1/4 | grep "put rate"
   Input rate : 0 bps (0 pps)
   Output rate: 0 bps (0 pps)

{master}
me@mx960> show interfaces et-7/1/4
Physical interface: et-7/1/4, Enabled, Physical link is Up
   Interface index: 226, SNMP ifIndex: 800
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU 
Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
   Flow control: Enabled
   Pad to minimum frame size: Disabled
   Device flags   : Present Running
   Interface flags: SNMP-Traps Internal: 0x4000
   Link flags : None
   CoS queues : 8 supported, 8 maximum usable queues
   Schedulers : 0
   Last flapped   : 2024-04-17 13:55:28 CDT (00:36:19 ago)
   Input rate : 0 bps (0 pps)
   Output rate: 0 bps (0 pps)
   Active alarms  : None
   Active defects : None
   PCS statistics  Seconds
 Bit errors 0
 Errored blocks 0
   Ethernet FEC Mode  : FEC119
   Ethernet FEC statistics  Errors
 FEC Corrected Errors   801787
 

constant FEC errors juniper mpc10e 400g

2024-04-17 Thread Aaron Gould

We recently added MPC10E-15C-MRATE cards to our MX960's to upgrade our core to 
400g.  During initial testing of the 400g interface (400GBASE-FR4), I see 
constant FEC errors.  FEC is new to me.  Anyone know why this is occurring?  
Shown below is an interface with no traffic, but seeing constant FEC errors.  
This is (2) MX960's cabled directly, no dwdm or anything between them... just a 
fiber patch cable.



{master}
me@mx960> clear interfaces statistics et-7/1/4

{master}
me@mx960> show interfaces et-7/1/4 | grep rror | refresh 2
---(refreshed at 2024-04-17 14:18:53 CDT)---
  Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
Bit errors 0
Errored blocks 0
  Ethernet FEC statistics  Errors
FEC Corrected Errors0
FEC Uncorrected Errors  0
FEC Corrected Errors Rate   0
FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:55 CDT)---
  Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
Bit errors 0
Errored blocks 0
  Ethernet FEC statistics  Errors
FEC Corrected Errors 4302
FEC Uncorrected Errors  0
FEC Corrected Errors Rate   8
FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:57 CDT)---
  Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
Bit errors 0
Errored blocks 0
  Ethernet FEC statistics  Errors
FEC Corrected Errors 8796
FEC Uncorrected Errors  0
FEC Corrected Errors Rate 146
FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:59 CDT)---
  Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
Bit errors 0
Errored blocks 0
  Ethernet FEC statistics  Errors
FEC Corrected Errors15582
FEC Uncorrected Errors  0
FEC Corrected Errors Rate 111
FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:19:01 CDT)---
  Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
Bit errors 0
Errored blocks 0
  Ethernet FEC statistics  Errors
FEC Corrected Errors20342
FEC Uncorrected Errors  0
FEC Corrected Errors Rate 256
FEC Uncorrected Errors Rate 0

{master}
me@mx960> show interfaces et-7/1/4 | grep "put rate"
  Input rate : 0 bps (0 pps)
  Output rate: 0 bps (0 pps)

{master}
me@mx960> show interfaces et-7/1/4
Physical interface: et-7/1/4, Enabled, Physical link is Up
  Interface index: 226, SNMP ifIndex: 800
  Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: 
None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: 
Disabled,
  Flow control: Enabled
  Pad to minimum frame size: Disabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  Link flags : None
  CoS queues : 8 supported, 8 maximum usable queues
  Schedulers : 0
  Last flapped   : 2024-04-17 13:55:28 CDT (00:36:19 ago)
  Input rate : 0 bps (0 pps)
  Output rate: 0 bps (0 pps)
  Active alarms  : None
  Active defects : None
  PCS statistics  Seconds
Bit errors 0
Errored blocks 0
  Ethernet FEC Mode  : FEC119
  Ethernet FEC statistics  Errors
FEC Corrected Errors   801787
FEC Uncorrected Errors  0
FEC Corrected Errors Rate2054
FEC Uncorrected Errors Rate 0
  Link Degrade :
Link Monitoring   :  Disable
  Interface transmit statistics: Disabled

  Logical interface et-7/1/4.0 (Index 420) (SNMP ifIndex 815)
Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2
Input packets : 1
Output packets: 1
Protocol inet, MTU: 1500
Max nh cache: 75000, New hold nh limit: 75000, Curr nh cnt: 1, Curr new 
hold cnt: 0, NH drop cnt: 0
  Flags: Sendbcast-pkt-to-re
  Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.10.10.76/30, Local: 10.10.10.77, 
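
As an added illustration, not code from the thread or from Juniper: a small Python parser for the `show interfaces et-7/1/4 | grep rror | refresh 2` output pasted above. It turns the corrected/uncorrected counters into per-interval rates, treats any movement of the uncorrected counter as the alarm condition (the point Matt describes, where FEC can no longer compensate and frames arrive corrupted), flags a corrected rate above a site-chosen threshold, and recognises a counter reset such as `clear interfaces statistics`. The sample input is constructed from the thread's counter values plus one made-up final sample, and the 10000/s threshold is a placeholder, not a vendor figure.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample input, not the thread's verbatim capture: it follows the
# shape of `show interfaces et-7/1/4 | grep rror | refresh 2` as posted in the
# thread and reuses the counter values posted there, plus one made-up final
# sample (14:19:03) in which the uncorrected counter moves.
SAMPLE_OUTPUT = """\
---(refreshed at 2024-04-17 14:18:53 CDT)---
   Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 400Gbps, BPDU Error: None,
 Bit errors 0
 Errored blocks 0
   Ethernet FEC statistics  Errors
 FEC Corrected Errors0
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate   0
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:55 CDT)---
 FEC Corrected Errors 4302
 FEC Uncorrected Errors  0
 FEC Corrected Errors Rate   8
 FEC Uncorrected Errors Rate 0
---(refreshed at 2024-04-17 14:18:57 CDT)---
 FEC Corrected Errors 8796
 FEC Uncorrected Errors  0
---(refreshed at 2024-04-17 14:18:59 CDT)---
 FEC Corrected Errors15582
 FEC Uncorrected Errors  0
---(refreshed at 2024-04-17 14:19:01 CDT)---
 FEC Corrected Errors20342
 FEC Uncorrected Errors  0
---(refreshed at 2024-04-17 14:19:03 CDT)---
 FEC Corrected Errors25100
 FEC Uncorrected Errors  3
"""

HEADER_RE = re.compile(
    r"^---\(refreshed at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+\)---$", re.M)
# The value may butt up against the label ("FEC Corrected Errors0"), so allow
# zero or more spaces; anchoring at end of line keeps the "... Errors Rate N"
# lines from matching.
CORRECTED_RE = re.compile(r"^\s*FEC Corrected Errors\s*(\d+)\s*$", re.M)
UNCORRECTED_RE = re.compile(r"^\s*FEC Uncorrected Errors\s*(\d+)\s*$", re.M)


@dataclass
class Sample:
    ts: datetime
    corrected: int
    uncorrected: int


@dataclass
class Assessment:
    at: str                 # time of the newer sample of the pair
    interval_s: float
    corrected_per_s: float
    uncorrected_delta: int
    verdict: str            # OK, WARN, ALARM or RESET


def parse_refresh_output(text: str) -> List[Sample]:
    """Split the refresh output into samples and pull the two FEC counters."""
    samples = []
    headers = list(HEADER_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[h.end():end]
        c, u = CORRECTED_RE.search(block), UNCORRECTED_RE.search(block)
        if c is None or u is None:
            continue  # truncated block (as in the thread's cut-off pastes): skip
        samples.append(Sample(datetime.strptime(h.group(1), "%Y-%m-%d %H:%M:%S"),
                              int(c.group(1)), int(u.group(1))))
    return samples


def assess(samples: List[Sample], corrected_per_s_warn: float) -> List[Assessment]:
    """Turn consecutive samples into rates and classify each interval.

    corrected_per_s_warn is a site-chosen threshold (the thread quotes no vendor
    number). Any movement of the uncorrected counter is an ALARM regardless of
    threshold: that is where FEC stopped compensating and frames go bad.
    """
    out = []
    for prev, cur in zip(samples, samples[1:]):
        interval = (cur.ts - prev.ts).total_seconds()
        if interval <= 0:
            continue
        dc, du = cur.corrected - prev.corrected, cur.uncorrected - prev.uncorrected
        if dc < 0 or du < 0:
            verdict, dc, du = "RESET", 0, 0   # counters cleared between samples
        elif du > 0:
            verdict = "ALARM"
        elif dc / interval > corrected_per_s_warn:
            verdict = "WARN"
        else:
            verdict = "OK"
        out.append(Assessment(cur.ts.strftime("%H:%M:%S"), interval,
                              dc / interval, du, verdict))
    return out


if __name__ == "__main__":
    # 10000 corrected/s is a placeholder threshold, not a Juniper figure.
    for a in assess(parse_refresh_output(SAMPLE_OUTPUT), corrected_per_s_warn=10000):
        print(f"{a.at}  {a.corrected_per_s:8.1f} corrected/s  "
              f"uncorrected +{a.uncorrected_delta}  {a.verdict}")
```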

Re: Netskrt - ISP-colo CDN

2024-04-04 Thread Aaron Gould
I've had my dual-100g-connected Amazon ACEv2 caches for over a year 
now.  With my ~55,000 subs I saw every Thursday night for NFL/TNF usage 
at 15 gbps X2 (so 30 gbps total) and one day in late November 
(thanksgiving probably) I saw 25 gbps x2 (so 50 gbps) usage!


-Aaron

On 4/4/2024 6:08 PM, Paul Bradford wrote:
I have some on my network.  I don't think they populate content from 
their own cdn network, but it comes from Amazon.   interestingly for 
the NFL super bowl, while paramount+ streamed the game, on Amazon 
Prime Video you could "Watch super bowl on paramount+ Via Prime." 
That did actually drive users to using the netskrt caches.


They seem to work OK.  TNF in 6 months will tell us more.  :)



On Thu, Apr 4, 2024 at 6:14 PM John Stitt  wrote:

The website says they are part of the Streaming Video Technology
Alliance.

I wonder if this is a prepackaged Open Cache box.

https://opencaching.svta.org/

We also don’t appear to have had any traffic from them.  Not much
on the peeringdb for the USA ASN either.

BGP.tools shows they have upstreams with each ASN, and are on Ohio
IX with AS53471, but not really any peers anywhere.  Looks like
Cogent and Zayo for upstreams and only peer I see is AS1239
(Sprint Wireline (Cogent))

John Stitt

*From:*NANOG  *On
Behalf Of *Aaron Gould
*Sent:* Thursday, April 4, 2024 4:36 PM
*To:* Eric Dugas 
*Cc:* nanog@nanog.org
*Subject:* Re: Netskrt - ISP-colo CDN







Thanks... they told me it was free.

-Aaron

On 4/4/2024 4:12 PM, Eric Dugas wrote:

That name rang a bell so I looked up my emails.

They contacted me last year, they were claiming to be "working
with some of the major streaming brands, such as Amazon Prime
Video, to improve the quality of both VOD and live streaming
while also reducing the load on ISP networks such as your own.".

Based on my quick research, they have a few registered ASNs
(their peeringdb page <https://www.peeringdb.com/org/36226>)
with a few netblocks but I get 0 traffic from them (we're a
sizable eyeball network). Their origin network might still not
be ready but digging a little bit more, it seems they act as a
third-party video caching solution and not as an origin CDN so
in the end, they're really just trying to sell ISPs and other
types of customers their caching solutions.


Eric

On Thu, Apr 4, 2024 at 4:00 PM Aaron Gould  wrote:

Anyone out there using Netskrt CDN?  I mean, installed in your network
for content delivery to your customers.  I understand Netskrt provides
caching for some well known online video streaming services... just
wondering if there are any network operators that have worked with
Netskrt and deployed their caching servers in your networks and what
have you thought about it?  What Internet uplink savings are you seeing?

Netskrt - https://www.netskrt.io/


-- 
-Aaron


-- 


-Aaron



--
-Aaron


Re: Netskrt - ISP-colo CDN

2024-04-04 Thread Aaron Gould
Thanks ... that svta caching sounds interesting.  I watched the 
presentation, but don't understand how it's used by ISP's that want to 
benefit from it.


-Aaron

On 4/4/2024 5:14 PM, John Stitt wrote:


The website says they are part of the Streaming Video Technology Alliance.

I wonder if this is a prepackaged Open Cache box.

https://opencaching.svta.org/

We also don’t appear to have had any traffic from them.  Not much on 
the peeringdb for the USA ASN either.


BGP.tools shows they have upstreams with each ASN, and are on Ohio IX 
with AS53471, but not really any peers anywhere.  Looks like Cogent 
and Zayo for upstreams and only peer I see is AS1239 (Sprint Wireline 
(Cogent))


John Stitt

*From:*NANOG  *On 
Behalf Of *Aaron Gould

*Sent:* Thursday, April 4, 2024 4:36 PM
*To:* Eric Dugas 
*Cc:* nanog@nanog.org
*Subject:* Re: Netskrt - ISP-colo CDN








Thanks... they told me it was free.

-Aaron

On 4/4/2024 4:12 PM, Eric Dugas wrote:

That name rang a bell so I looked up my emails.

They contacted me last year, they were claiming to be "working
with some of the major streaming brands, such as Amazon Prime
Video, to improve the quality of both VOD and live streaming while
also reducing the load on ISP networks such as your own.".

Based on my quick research, they have a few registered ASNs (their
peeringdb page <https://www.peeringdb.com/org/36226>) with a few
netblocks but I get 0 traffic from them (we're a sizable eyeball
network). Their origin network might still not be ready but
digging a little bit more, it seems they act as a third-party
video caching solution and not as an origin CDN so in the end,
they're really just trying to sell ISPs and other types of
customers their caching solutions.


Eric

On Thu, Apr 4, 2024 at 4:00 PM Aaron Gould  wrote:

Anyone out there using Netskrt CDN?  I mean, installed in your network
for content delivery to your customers.  I understand Netskrt provides
caching for some well known online video streaming services... just
wondering if there are any network operators that have worked with
Netskrt and deployed their caching servers in your networks and what
have you thought about it?  What Internet uplink savings are you seeing?

Netskrt - https://www.netskrt.io/


-- 
-Aaron


--
-Aaron




--
-Aaron


Re: Netskrt - ISP-colo CDN

2024-04-04 Thread Aaron Gould

Thanks... they told me it was free.

-Aaron

On 4/4/2024 4:12 PM, Eric Dugas wrote:

That name rang a bell so I looked up my emails.

They contacted me last year, they were claiming to be "working with 
some of the major streaming brands, such as Amazon Prime Video, to 
improve the quality of both VOD and live streaming while also reducing 
the load on ISP networks such as your own.".


Based on my quick research, they have a few registered ASNs (their 
peeringdb page <https://www.peeringdb.com/org/36226>) with a few 
netblocks but I get 0 traffic from them (we're a sizable eyeball 
network). Their origin network might still not be ready but digging a 
little bit more, it seems they act as a third-party video caching 
solution and not as an origin CDN so in the end, they're really just 
trying to sell ISPs and other types of customers their caching solutions.


Eric

On Thu, Apr 4, 2024 at 4:00 PM Aaron Gould  wrote:

Anyone out there using Netskrt CDN?  I mean, installed in your network
for content delivery to your customers.  I understand Netskrt provides
caching for some well known online video streaming services... just
wondering if there are any network operators that have worked with
Netskrt and deployed their caching servers in your networks and what
have you thought about it?  What Internet uplink savings are you seeing?

Netskrt - https://www.netskrt.io/


-- 
-Aaron



--
-Aaron


Netskrt - ISP-colo CDN

2024-04-04 Thread Aaron Gould
Anyone out there using Netskrt CDN?  I mean, installed in your network 
for content delivery to your customers.  I understand Netskrt provides 
caching for some well known online video streaming services... just 
wondering if there are any network operators that have worked with 
Netskrt and deployed their caching servers in your networks and what 
have you thought about it?  What Internet uplink savings are you seeing?


Netskrt - https://www.netskrt.io/


--
-Aaron



edgecast - lots of traffic at ~3:00 a.m.

2024-01-23 Thread Aaron Gould
Anyone else see a lot of traffic inbound from the Internet last night 
(early this morning) at ~3:00 a.m. central time?  I see an IP Address, 
(93.184.215.240 - EdgeCast), which I think is EdgIO (fka limelight).  
Any idea what this is related to? (something tells me it's a game update)


--
-Aaron



ipv6 address management - documentation

2023-11-16 Thread Aaron Gould
For years I've used an MS Excel spreadsheet to manage my IPv4 
addresses.  IPv6 is going to be maddening to manage in a spreadsheet.  
What does everyone use for their IPv6 address prefix management and 
documentation?  Are there open source tools/apps for this?


--
-Aaron



MCC (Microsoft Connected Cache for ISP)

2023-11-16 Thread Aaron Gould
Is MCC for ISP comparable to other well-known CDN's, like Facebook FNA, 
Netflix OCA, etc?


Anyone have any experience with MCC in an ISP environment, and do you 
see much bandwidth savings with it?


https://learn.microsoft.com/en-us/windows/deployment/do/mcc-isp


--
-Aaron



Re: Test Lab Best Practices

2023-09-28 Thread Aaron Gould

I agree with others here...

Physical lab - gotta have console server for the most control - perle 
console server is good, and also good ole fashion cisco terminal server 
(2509/2511 or 2600 with asynch module)


Virtual labs are great for testing features and functionality

- Juniper vLabs

- Cisco DevNet sandbox

- Cisco CML (i think fka VIRL)

- EVE-NG

- GNS3

I use these virtual environments a lot and do videos about them on my 
youtube channel, where I try to cover some SP-related topics.  Hope it helps


https://jlabs.juniper.net/vlabs/

https://developer.cisco.com/site/sandbox/

https://www.youtube.com/@aarontechtalk

https://www.youtube.com/playlist?list=PL2ZMKm7ZEEWI8YyRWm9fnYNtRaV-fi-7x

https://www.youtube.com/playlist?list=PL2ZMKm7ZEEWLMVxuZqeXzciRu59C02NAc


-Aaron


On 9/28/2023 9:14 AM, Kenneth Vedder wrote:

Hello NANOG,

We have been struggling with firmware bugs from a specific router 
vendor. I am looking to set up a test lab of our core network and a 
few remote site routers.  Protocols would include SR-MPLS, ISIS, EVPN 
MPLS and L3VPN with a little OSPF sprinkled in. I'd be grateful for 
any tips or resources anyone has that might cover testing strategies 
and/or best practices.


Thanks,
Ken


--
-Aaron



Re: MX204 Virtual Chassis Setup

2023-08-23 Thread Aaron Gould
Some of these port capabilities are weird to me.  Like on the 
ACX7100-48L you can do 4x100 or 8x50, but ONLY one 40g ?!


me@7100> show chassis pic pic-slot 0 fpc-slot 0 | find 400
  48 0   1x400G 1x100G 1x40G 4x100G 2x100G 8x50G 2x50G 4x25G 
4x10G 3x100G
  49 0   1x400G 1x100G 1x40G 4x100G 2x100G 8x50G 2x50G 4x25G 
4x10G 3x100G
  50 0   1x400G 1x100G 1x40G 4x100G 2x100G 8x50G 2x50G 4x25G 
4x10G 3x100G
  51 0   1x400G 1x100G 1x40G 4x100G 2x100G 8x50G 2x50G 4x25G 
4x10G 3x100G
  52 0   1x400G 1x100G 1x40G 4x100G 2x100G 8x50G 2x50G 4x25G 
4x10G 3x100G
  53 0   1x400G 1x100G 1x40G 4x100G 2x100G 8x50G 2x50G 4x25G 
4x10G 3x100G

  54 NA  1x10G




On 8/23/2023 11:29 AM, t...@pelican.org wrote:

On Wednesday, 23 August, 2023 16:33, "Mark Tinka"  said:

[faceplate oversubscription]


On the new ACX line, yes.

Not Trio, and different PLM :)


We don't mess around with any other MX products, so not sure (although
we are still yet to deploy the MPC10E's and the MX304).

MX304 (well, strictly LMIC16) has the same restriction, and a need for another entry in the 
magic port checker (https://apps.juniper.net/home/port-checker/index.html) for restrictions 
beyond "SUM(port-speeds) <= 1.6T".

They make sense once you've looked at the block diagram for the thing and followed the 
lines, but things like "4x10G breakout can only go in odd-numbered ports, and you 
have to leave the corresponding next-lowest even-numbered port empty" are not 
instantly obvious.

Thanks,
Tim.



--
-Aaron



Re: Issues with prefix / help needed

2023-03-25 Thread Aaron Gould

yeah I see what you mean by, it doesn't work, then it starts working...


I traced to it, and it wasn't responding at first, then later it worked


C:\>tracert -w 1 86.104.228.1

Tracing route to 86.104.228.1 over a maximum of 30 hops

...

  9   118 ms *  119 ms prs-bb1-link.ip.twelve99.net 
[62.115.112.243]
 10   125 ms   124 ms   126 ms  ffm-bb1-link.ip.twelve99.net 
[62.115.123.12]

 11 *    *    * Request timed out.
 12 *    *    * Request timed out.
 13   133 ms   133 ms   133 ms 
ipmax-ic340750-zch-b2.ip.twelve99-cust.net [62.115.168.201]

 14   130 ms *  130 ms  po5.er01.zrh56.ch.ip-max.net [46.20.254.13]
 15   128 ms   129 ms   129 ms three-fourteen.cust.zrh56.ch.ip-max.net 
[46.20.240.71]

 16 *    *    * Request timed out.
 17 *    *    * Request timed out.
 18 *    *    * Request timed out.
 19 *    *    * Request timed out.
 20 *    *    * Request timed out.
 21 *    *    * Request timed out.
 22 *    *    * Request timed out.
 23 *    *    * Request timed out.
 24 *    *    * Request timed out.
 25 *    *    * Request timed out.
 26 *    *    * Request timed out.
 27 *    *    * Request timed out.
 28 *    *    * Request timed out.
 29 *    *    * Request timed out.
 30 *    *    * Request timed out.

Trace complete.

C:\>tracert -w 1 86.104.228.1

Tracing route to 86.104.228.1 over a maximum of 30 hops

...

  9   119 ms   118 ms   118 ms prs-bb1-link.ip.twelve99.net 
[62.115.112.243]
 10 *  125 ms   124 ms  ffm-bb1-link.ip.twelve99.net 
[62.115.123.12]

 11 *    *    * Request timed out.
 12 *    *    * Request timed out.
 13   132 ms   132 ms   133 ms 
ipmax-ic340750-zch-b2.ip.twelve99-cust.net [62.115.168.201]

 14   129 ms *  129 ms  po5.er01.zrh56.ch.ip-max.net [46.20.254.13]
 15   129 ms   129 ms   129 ms three-fourteen.cust.zrh56.ch.ip-max.net 
[46.20.240.71]

 16   129 ms *  129 ms  86.104.228.1

Trace complete.

C:\>





On 3/25/2023 3:54 AM, ic wrote:

Hi there,

I’m contacting you because after spending 2 days troubleshooting I can’t seem 
to find a solution to the following.

We (AS45021) bought/transferred the 86.104.228.0/24 prefix a few months back 
because we couldn’t wait longer on the RIPE waiting list.

Before you ask, yes, AS45021 is currently single homed, this will change in a 
week (it requires travelling a few hundred miles and I couldn’t do it before).

Since we started announcing this prefix, things have been spotty, at best. 
While it seems visible in all the looking glasses I tried, it spends sometimes 
hours, sometimes days, being unreachable (you can try for ex. 86.104.228.1 or 
86.104.228.26).

I have full access (up to packet capture) on the AS and its upstream. When I 
ping one of the IPs from various ISPs, I see the ICMP Echo Request and Reply on 
the wire, going where it’s supposed to go, but it doesn’t reach the pinging 
host. Pinging any IP of the upstream (AS42275 / 85.208.69.0/24 in this 
location) works.

ROAs and RPKI seem fine to me.

I’m starting to suspect that maybe the previous user of the prefix is still 
announcing it somewhere and “shouting louder” than me. It seems when I clear 
sessions, it immediately works for a while, then stops.

Do you all have any idea what I should check / try next?

BR, Michel


--
-Aaron


MX204 and MPC7E-MRATE EoL - REVOKED

2023-01-26 Thread Aaron Gould
Did you hear? EoL was revoked December 2022... I'm so glad, I like and 
use the MX204 and the MPC7E-MRATE



TSB69626 - 12/5/2022 - Revoke End of Life Announcement: MX204

https://supportportal.juniper.net/s/article/Revoke-End-of-Life-Announcement-MX204 




TSB69631 - 12/2/2022 - Revoke End of Life Announcement: MPC7E-MRATE, 
MPC7E-MRATE-RTU


https://supportportal.juniper.net/s/article/Revoke-End-of-Life-Announcement-MPC7E-MRATE-MPC7E-MRATE-RTU 



-Aaron


Hurricane Electric AS6939

2020-10-13 Thread Aaron Gould
Do y’all like HE for Internet uplink?  I’m thinking about using them for 100gig 
in Texas.  It would be for my eyeballs ISP.  We currently have Spectrum, Telia 
and Cogent.

-Aaron


sr - spring - what's the deal with 2 names

2020-09-05 Thread Aaron Gould via NANOG
Please forgive if this has already been spoken to. if so, you can simply
send the link to old mail list entries and that will suffice. otherwise.

 

Does anyone know the scope on why we have 2 names for this ?  Seriously, was
it one of those things where a vendor started doing it first (pre-standard)
as sr, and then ietf started standardizing it as spring ? .or was it always
being standardized pre-vendor implementation and there was a disagreement
within ietf or elsewhere ?  or. was there a conscious decision amongst the
inventors to actually call it both sr and spring ?  or is there actually
something different about each one and I'm wrong in thinking they are 2
names for the same technology.

 

I'm taking stabs at this and presenting multiple choice just as I sit back
and wonder why the 2 names

 

I mean there must be a reason why someone thought that we should call this 2
different names.

 

I would think within this NANOG maillist, someone will have the answer or at
least some pretty good insights into why the 2 names.

 

 

Aaron

aar...@gvtc.com

 



RE: rsvp-te admission control - i don't see it

2020-09-04 Thread Aaron Gould via NANOG
That’s it!  Thanks dip

 

Using “signalled-bandwidth 5000”  on headend te-tunnel int

 

 

RP/0/0/CPU0:r20#sh run int tt1

Fri Sep  4 13:27:14.833 CST

interface tunnel-te1

bandwidth 20

ipv4 unnumbered Loopback0

signalled-name r20--->r22

signalled-bandwidth 5000

autoroute announce

!

destination 10.20.0.22

path-option 10 dynamic

!

 

On HE…

 

RP/0/0/CPU0:r20#sh mpls traffic-eng tunnels name r20--->r22 | in and

Fri Sep  4 13:28:28.918 CST

Name: tunnel-te1  Destination: 10.20.0.22  Ifhandle:0x1d0 

Bandwidth Requested: 5000 kbps  CT0

Bandwidth: 5000 kbps (CT0) Priority:  7  7 Affinity: 0x0/0x

 

RP/0/0/CPU0:r20#sh rsvp reservation detail | in ate

Fri Sep  4 13:25:51.509 CST

Rate: 0 bits/sec. Burst: 1K bytes. Peak: 0 bits/sec.

State expires in 0.000 sec.

Rate: 500 bits/sec. Burst: 1K bytes. Peak: 5M bits/sec.

State expires in 358.630 sec.

 

RP/0/0/CPU0:r20#sh rsvp int   

Fri Sep  4 13:26:03.738 CST

 

*: RDM: Default I/F B/W % : 75% [default] (max resv/bc0), 0% [default] (bc1)

 

Interface MaxBW (bps)  MaxFlow (bps) Allocated (bps)  
MaxSub (bps) 

-  -  
-

GigabitEthernet0/0/0/0   750M*  750M 0 (  0%)   
 0*

GigabitEthernet0/0/0/1   750M*  750M5M (  0%)   
 0*

 

 

On transit lsr in core…

 

RP/0/0/CPU0:r24#sh rsvp session detail | in ate

Fri Sep  4 13:18:25.258 CST

   Tspec: avg rate=0, burst=1K, peak rate=0

   Fspec: avg rate=0, burst=1K, peak rate=0

   Tspec: avg rate=5M, burst=1K, peak rate=5M

   Fspec: avg rate=5M, burst=1K, peak rate=5M

 

RP/0/0/CPU0:r24#sh rsvp int

Fri Sep  4 13:18:33.508 CST

 

*: RDM: Default I/F B/W % : 75% [default] (max resv/bc0), 0% [default] (bc1)

 

Interface MaxBW (bps)  MaxFlow (bps) Allocated (bps)  
MaxSub (bps) 

-  -  
-

GigabitEthernet0/0/0/0   750M*  750M 0 (  0%)   
 0*

GigabitEthernet0/0/0/1   750M*  750M5M (  0%)   
 0*
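As an added example (not from the thread or from Cisco), a small simulator of what the `sh rsvp int` table above expresses: each hop admits an LSP only if its signalled bandwidth fits in MaxBW minus Allocated, and a rejection on a later hop releases what earlier hops booked. The table is constructed to match the two 1G interfaces in the thread, with the 5M LSP already on Gi0/0/0/1.

```python
"""Simulate RSVP-TE admission control as the IOS XR 'sh rsvp int' output
reports it: each interface advertises MaxBW (the RDM default is 75% of link
speed, hence 750M on a 1G port) and tracks Allocated; an LSP is admitted on a
hop only when its signalled bandwidth fits in what is left.
Added example; the table below is constructed."""
import re
from dataclasses import dataclass

# Constructed to match the thread: two 1G interfaces, one already carrying 5M
RSVP_INT = """\
Interface                MaxBW (bps)  MaxFlow (bps) Allocated (bps)  MaxSub (bps)
GigabitEthernet0/0/0/0   750M*        750M          0 (  0%)         0*
GigabitEthernet0/0/0/1   750M*        750M          5M (  0%)        0*
"""

UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\(\s*\d+%\)\s+(\S+)\s*$")


def to_bps(token: str) -> int:
    # '750M*' -> 750_000_000; the trailing '*' marks the RDM default per the legend
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)\*?", token)
    if not m:
        raise ValueError(f"bad bandwidth token {token!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


@dataclass
class RsvpInterface:
    name: str
    max_bw: int
    max_flow: int
    allocated: int

    def free(self) -> int:
        return self.max_bw - self.allocated

    def percent(self) -> int:
        # integer percent, which is why 5M of 750M prints as 0%
        return self.allocated * 100 // self.max_bw


def parse_rsvp_int(text: str) -> dict:
    ifaces = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, maxbw, maxflow, alloc, _maxsub = m.groups()
            ifaces[name] = RsvpInterface(name, to_bps(maxbw), to_bps(maxflow), to_bps(alloc))
    return ifaces


def admit(iface: RsvpInterface, signalled_kbps: int):
    """Admission control for one hop: returns (admitted, reason) and books the
    bandwidth on success. A zero signalled bandwidth always passes and books
    nothing, so no reservation appears until the tunnel actually signals one."""
    req = signalled_kbps * 1000
    if req > iface.max_flow:
        return False, f"{req} bps exceeds MaxFlow {iface.max_flow} on {iface.name}"
    if req > iface.free():
        return False, f"{req} bps exceeds free {iface.free()} bps on {iface.name}"
    iface.allocated += req
    return True, f"{req} bps booked on {iface.name}, now {iface.percent()}%"


def signal_path(ifaces: dict, path: list, signalled_kbps: int):
    """Set up the LSP hop by hop; on a rejection, undo the earlier hops (what
    the PathErr and teardown achieve) and report the blocking hop."""
    booked = []
    for name in path:
        ok, reason = admit(ifaces[name], signalled_kbps)
        if not ok:
            for done in booked:
                done.allocated -= signalled_kbps * 1000
            return False, reason
        booked.append(ifaces[name])
    return True, "LSP admitted on all hops"


if __name__ == "__main__":
    ifs = parse_rsvp_int(RSVP_INT)
    print(admit(ifs["GigabitEthernet0/0/0/1"], 5000))
    print(signal_path(ifs, list(ifs), 800_000))
```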

 



RE: telia - texas - 10:30 a.m. central time - issues ?

2020-05-27 Thread Aaron Gould
I think my first hop telia router is in Austin… if so, is that Austin Telia 
router redundantly connected ?  if so, then wouldn’t I likewise be redundantly 
connected to the internet via that telia Austin router ?  unsure I understand 
you.

 

I got this from Telia about 50 minutes ago…

 

“ETA for dispatch and testing is in 45 minutes.”

 

-Aaron

 

 

From: NANOG [mailto:nanog-bounces+aaron1=gvtc@nanog.org] On Behalf Of 
Kaiser, Erich
Sent: Wednesday, May 27, 2020 2:09 PM
To: NANOG list
Subject: Re: telia - texas - 10:30 a.m. central time - issues ?

 

Telia has redundancy in Austin but if you are on an unprotected wave back to 
Dallas you will not be redundant.  We have an outage with them as well between 
Dallas and Austin same issue as yourself and others have stated.   Latest 
update " Dear Customer,

We are still pushing for an ETA to the site from our provider, but they 
currently do not yet have a further update from their dispatched technicians."




Erich Kaiser

The Fusion Network

 <mailto:er...@gotfusion.net> er...@gotfusion.net

Office: 815-570-3101

 

 

 

On Wed, May 27, 2020 at 1:35 PM Aaron Gould  wrote:

Yes, that’s exactly what I heard elsewhere also… “suspected fiber cut between 
Dallas and Waxahachie”

 

I’m pretty sure I connect to Telia in Austin… and so, I’m guessing that this 
has no redundant path ?

 

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Suan
Sent: Wednesday, May 27, 2020 12:33 PM
To: nanog@nanog.org
Subject: Re: telia - texas - 10:30 a.m. central time - issues ?

 

Not sure about Telia specifically, but there is apparently a fiber cut between 
Dallas and Waxahachie, that took out our wave service to Austin.

 

Nick

 

On Wed, May 27, 2020, at 12:41 PM, Aaron Gould wrote:

In the Texas area, particularly, south central, Austin area….. anyone know of 
any issues with Telia Internet today around 10:32 a.m. central time ?

 

I had good bgp session and good route 0/0 from them, but little to no internet 
packets were flowing.

 

-Aaron

 



RE: telia - texas - 10:30 a.m. central time - issues ?

2020-05-27 Thread Aaron Gould
Yes, that’s exactly what I heard elsewhere also… “suspected fiber cut between 
Dallas and Waxahachie”

 

I’m pretty sure I connect to Telia in Austin… and so, I’m guessing that this 
has no redundant path ?

 

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Suan
Sent: Wednesday, May 27, 2020 12:33 PM
To: nanog@nanog.org
Subject: Re: telia - texas - 10:30 a.m. central time - issues ?

 

Not sure about Telia specifically, but there is apparently a fiber cut between 
Dallas and Waxahachie, that took out our wave service to Austin.

 

Nick

 

On Wed, May 27, 2020, at 12:41 PM, Aaron Gould wrote:

In the Texas area, particularly, south central, Austin area….. anyone know of 
any issues with Telia Internet today around 10:32 a.m. central time ?

 

I had good bgp session and good route 0/0 from them, but little to no internet 
packets were flowing.

 

-Aaron

 



telia - texas - 10:30 a.m. central time - issues ?

2020-05-27 Thread Aaron Gould
In the Texas area, particularly, south central, Austin area... anyone know
of any issues with Telia Internet today around 10:32 a.m. central time ?

 

I had good bgp session and good route 0/0 from them, but little to no
internet packets were flowing.

 

-Aaron



RE: How to manage Static IPs to customers

2020-05-08 Thread Aaron Gould
We have a provisioning system (promptlink) that we use to map cable modems
to their static ip addresses.  The provisioning system has a gui front end
and it sits on linux and also acts as a dhcp server, etc.  This is the same
ip address that we use for cable-helper (like ip-helper on a cmts bundle ip
interface) to forward dhcp requests from cable modem cpe, via the cmts, and
unicasted to promptlink and then the static ip address reservation within
the promptlink is sent back to the cpe

This all continues to work, even during node splits, as long as we don't
move that cm cpe to a different cmts... which would rarely happen since it's
across town to get to our other RF environment served by a different cmts
using a different static ip subnet... since we don't do L2 via cmts's in
order to stitch back that ip into a more globally located static subnet...
again, we don't do that.  If the customers moves locations, into a different
cmts area, that would be required to give back the single static /32 ip and
get a different one.  Unless they were a multi-static customer buying like a
/29... in which case we have no problem moving that /29 subnet off that cmts
and onto another one.  That's easy.

We do however have more centrally located subnets for some of our single
static ip customers in FTTH... but not CMTS docsis.

-Aaron


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Javier Gutierrez
Guerra
Sent: Thursday, May 7, 2020 3:50 PM
To: nanog@nanog.org
Subject: How to manage Static IPs to customers

Hi there, 
Just wanted to reach out and get an idea how is people managing customers
with static Ips, more specifically on Docsis networks where the customer
could be moved between cmts's when a node is split

Thanks in advance for all responses,

Javier Gutierrez Guerra







RE: YANG module designer tool

2020-05-04 Thread Aaron Gould
I like YANG Explorer.  (use apple OS computer or linux.  I used Ubuntu, and
chrome.  Windows and firefox I recall seeing minimal functionality but
shooty, so don't)

... a couple sites for assisting with getting it installed and running...


https://www.cisco.com/c/en/us/support/docs/storage-networking/management/200933-YANG-NETCONF-Configuration-Validation.html


https://developer.cisco.com/codeexchange/github/repo/CiscoDevNet/yang-explorer


I also found the Cisco DevNet Sandbox devices useful for explorer and
learning about automation building blocks like netconf/yang.  I ran
yang-explorer across the internet directed at the devnet sandbox csr1000v


I think there is another tool called ncc (netconf client?) on github that I
haven't explored yet.


I was going to try MG-Soft's tool, but haven't gotten around to it.

-Aaron

-Original Message-
From: NANOG [mailto:nanog-bounces+aaron1=gvtc@nanog.org] On Behalf Of
adamv0...@netconsultings.com
Sent: Monday, May 4, 2020 10:36 AM
To: 'NANOG'
Subject: YANG module designer tool

Hi folks, 
Just wanted to ask what are your favourite tools for designing YANG models
and why?
Are these two all there is:
https://www.mg-soft.com/mgYangDesigner.html
https://github.com/CiscoDevNet/yang-explorer

Or maybe some plugins for notepad++ or totalcmd/midnightcmd :)

Thanks a bunch.

adam
 




RE: Huawei on Mount Everest

2020-05-01 Thread Aaron Gould
You made me curious...

https://en.wikipedia.org/wiki/List_of_people_who_died_climbing_Mount_Everest

wow, I guess it would be great to be able to use cell/gps technology to 
communicate with and track a lost/endangered climber


-Original Message-
From: NANOG [mailto:nanog-bounces+aaron1=gvtc@nanog.org] On Behalf Of John 
Levine
Sent: Friday, May 1, 2020 12:58 PM
To: nanog@nanog.org
Subject: Re: Huawei on Mount Everest

In article  
you write:
>
>https://telecoms.com/504051/huawei-and-china-mobile-stick-a-5g-base-station-on-mount-everest/
>
>Why dont we leave the Everest alone? OTOH, we can now have tiktok
>videos and latest instagram posts from the summit.

Given how dangerous the ascent is, I would think it would be a good
thing for climbers to be able to check in and say whether they are OK.

I agree it's mostly a publicity stunt, though.




RE: CGNAT Solutions

2020-04-29 Thread Aaron Gould
In testing, I observed that opening a website, for instance cnn.com, can cause >200 
ports/sessions to fire off.  Although many are short-lived sessions, they are 
port requests nonetheless.

Overall, I use about 1,500 public ip's for 50,000 private ip customers

I allow 3,000 ports per customer ... 30 blocks of 100 each

We started our port blocks at a nice round number, so that each pba dynamic 
assignment results in nice 100-199, next 200-299  good for parsing, 
grep'ing logs for doing subpoena info look-ups, etc.

I see most customers hover well below 1,000 ports/sessions active, and what 
appear to be misbehaving hosts (malware, infected, bots, etc, unsure) hit up at 
the 3,000 max and trigger a ports exceeded error message.  I see the 3k port 
limit as putting a cap on free-running suspicious hosts.  We can then 
investigate and contact customer of the concern.

-Aaron


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Robert Blayzor
Sent: Wednesday, April 29, 2020 9:14 AM
To: nanog@nanog.org
Subject: Re: CGNAT Solutions

On 4/28/20 11:01 PM, Brandon Martin wrote:
> Depending on how many IPs you need to reclaim and what your target
> IP:subscriber ratio is, you may be able to eliminate the need for a lot
> of logging by assigning a range of TCP/UDP ports to a single inside IP
> so that the TCP/UDP port number implies a specific subscriber.
> 
> You can't get rid of all the state tracking without also having the CPE
> know which ports to use (in which case you might as well use LW4o6 or
> MAP), but at least you can get it down to where you really only need to
> log (or block and dole out public IPs as needed) port-less protocols.


I'm wondering if there are any real world examples of this, namely in
the realm of subscriber to IP and range of ports required, etc.  i.e.: Is
a range of 1000 ports enough for one residential subscriber? How
about SMB where no global IP is required.

One would think 1000 ports would be enough, but if you have a dozen
devices at home all browsing and doing various things, and with IOT,
etc, maybe not?


-- 
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP:  https://pgp.inoc.net/rblayzor/
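As an added example (not from the thread, and not Junos' own log format), the two lookups the port-block scheme above is built for: mapping an abuse report's (public IP, port, time) back to the inside address from PBA logs with round-number blocks of 100, and listing the inside hosts that have hit the 30-block (3,000-port) cap. The log lines and addresses are constructed.

```python
"""Correlate CGNAT port-block-allocation (PBA) logs with an abuse report and
flag subscribers that hit the per-subscriber port cap. Added example; the log
format is constructed (real Junos MS-MPC syslog lines look different) and the
addresses come from the shared-address-space and documentation ranges."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

BLOCK_SIZE = 100   # ports per block, aligned to round numbers as in the thread
MAX_BLOCKS = 30    # 30 blocks x 100 ports = the 3,000-port cap per subscriber

# Constructed PBA log: one line per block allocation or release
LOG = """\
2020-04-29T09:00:00 ALLOC inside=100.64.10.5 outside=203.0.113.7 block=1200-1299
2020-04-29T09:00:03 ALLOC inside=100.64.10.9 outside=203.0.113.7 block=1300-1399
2020-04-29T09:05:00 ALLOC inside=100.64.10.5 outside=203.0.113.7 block=1400-1499
2020-04-29T09:10:00 RELEASE inside=100.64.10.5 outside=203.0.113.7 block=1200-1299
2020-04-29T09:11:00 ALLOC inside=100.64.10.9 outside=203.0.113.7 block=1200-1299
"""
# Constructed: one inside host grabbing a block a second until it hits the cap
BURST = "".join(
    f"2020-04-29T10:00:{i:02d} ALLOC inside=100.64.20.77 outside=203.0.113.8 "
    f"block={2000 + BLOCK_SIZE * i}-{2000 + BLOCK_SIZE * i + BLOCK_SIZE - 1}\n"
    for i in range(MAX_BLOCKS)
)


@dataclass
class Block:
    inside: str
    outside: str
    lo: int
    hi: int
    allocated: datetime
    released: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        return self.allocated <= when and (self.released is None or when < self.released)


def parse_pba(log: str) -> list:
    blocks = []
    for line in log.splitlines():
        ts, action, *kv = line.split()
        f = dict(item.split("=", 1) for item in kv)
        lo, hi = (int(x) for x in f["block"].split("-"))
        # Round-number blocks are what makes grep-based lookups reliable
        if hi - lo + 1 != BLOCK_SIZE or lo % BLOCK_SIZE != 0:
            raise ValueError(f"unexpected block boundary: {line}")
        when = datetime.fromisoformat(ts)
        if action == "ALLOC":
            blocks.append(Block(f["inside"], f["outside"], lo, hi, when))
        elif action == "RELEASE":
            for b in blocks:
                if (b.inside, b.outside, b.lo) == (f["inside"], f["outside"], lo) and b.released is None:
                    b.released = when
                    break
        else:
            raise ValueError(f"unknown action in: {line}")
    return blocks


def lookup(blocks, outside: str, port: int, when_iso: str) -> Optional[str]:
    """The subpoena question: which inside address held (outside, port) at that time?"""
    when = datetime.fromisoformat(when_iso)
    for b in blocks:
        if b.outside == outside and b.lo <= port <= b.hi and b.active_at(when):
            return b.inside
    return None


def blocks_in_use(blocks, when_iso: str) -> dict:
    when = datetime.fromisoformat(when_iso)
    count = defaultdict(int)
    for b in blocks:
        if b.active_at(when):
            count[b.inside] += 1
    return dict(count)


def at_cap(blocks, when_iso: str) -> list:
    """Inside hosts holding MAX_BLOCKS blocks: the 'ports exceeded' cases worth
    a look (malware, infected hosts, bots) before contacting the customer."""
    return sorted(h for h, n in blocks_in_use(blocks, when_iso).items() if n >= MAX_BLOCKS)


if __name__ == "__main__":
    blocks = parse_pba(LOG + BURST)
    print(lookup(blocks, "203.0.113.7", 1250, "2020-04-29T09:02:00"))
    print(at_cap(blocks, "2020-04-29T10:01:00"))
```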



RE: CGNAT Solutions

2020-04-28 Thread Aaron Gould
Hi John, I run a small/medium ISP in Texas.  A few years ago, needing to do the 
same thing you are speaking of, I lab evaluated the Cisco ASR9k VSM-500 and 
Juniper MX104 MS-MIC-16G… in the end I went with Juniper.  No regrets, been 
good and holding strong.  I’ve scaled it way beyond what I originally 
envisioned.  (but bought more as well)

 

I slow started my CGNat deployment, like with most things, baby-steps when 
doing something as extreme as taking away the public ip  address from my isp 
residential customers… so yeah, slow-start…

 

DSL was my first target.  One DSLAM at a time, waiting for issues to arise and 
dealing with them along the way, the best I could.  …until we had 6,000 dsl 
customers behind a pair of Juniper MX104’s with MS-MIC-16G cards, running fine. 
 (all done via mpls l3vpn for virtual L3 routing into and out of the nat 
boundary… so one vrf for inside, and one vrf for outside)…peak load as I recall 
was about 3 gbps on each MX104, so 6 gbps total.

 

Next, about a year or so later, we went after Cable Modem CMTS communities.  
But, added MS-MPC-128G modules to a pair of our mpls 100 gig ring MX960 nodes.  
This was another 5,000 subs or so.  (this was about 2 or 3 years ago).  Learned 
a lot during that one.  A lot about ecmp, inet.3 mp-ibgp route choices, (set 
protocols ldp track-igp-metric… is your friend), app, eim, eif, ams/mams 
interfaces and load-balancing on the source-ip…. Let that ride for a year or 
so…then…

 

…went after our FTTH communities.  Probably about 30 or 40 thousand ip’s were 
recoup’d here.  FTTH was nat’d behind (4) additional MS-MPC-128G modules in (4) 
other 100 gig mpls ring mx960 nodes.

 

There have been recent concerns about uPNP not working behind the cgnat’s.

 

All in all, we are getting lots of use out of our Juniper CGNat solution.  All 
told, it’s about 50,000 customers behind the (2) MX104’s and (6) MX960’s 
getting nat’d.

 

-Aaron

 

 

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of John Alcock
Sent: Tuesday, April 28, 2020 2:12 PM
To: nanog@nanog.org
Subject: CGNAT Solutions

 

Afternoon,

 

I run a small ISP in Tennessee.  COVID has forced a lot of people to work from 
home.  I am starting to run low on IP's and need to consider CGNAT.

 

I do have IPV6 space, but we all know that until we force everyone to move to 
IPV6, we need to keep IPV4 up and running.

 

I could buy more space, but I am really wondering if that is the best option.  
It is expensive. I know CGNAT devices are expensive as well, but it looks like 
I could stretch it out a bit.

 

My thinking is to convert about 50% of my subscribers to CGNAT.

 

I am interested in vendors or devices you have used in the past.  I already 
know about the pitfalls many of my subscribers will have with CGNAT such as 
VPN's, Gamers, etc.

 

What are your thoughts on CGNAT vendors?  

 

A10Networks

F5Networks

Others?



RE: Applications of MPLS in the metro area

2020-04-28 Thread Aaron Gould
Yeah, I use the heck out of the ACX5048, it is the mpls edge of my resi/busi 
mpls ftth network…

 

Lines/terminology can get blurry…But, I would say that I will do my best to get 
mpls into every nook and cranny of my network, where/when it makes sense. 

 

Forgive the atm analogy again, but seriously, when I managed the US Navy ATM 
Network in San Diego (2000-2004) I wanted cells into every nook and cranny in 
order to benefit from all the virtual capabilities atm had to offer… 

 

…same with MPLS…

 

…I’m increasingly hearing about devices like cisco’s ncs540, that enable mpls 
into smaller edge boxes, so that you can make use of up-and-coming 
sr/spring/evpn (mpls-based apps), automation, etc, etc

 

-Aaron

 

https://www.juniper.net/us/en/company/case-studies-customer-success/gvtc/

…juniper did a write-up on us :)

 

 

From: Etienne-Victor Depasquale [mailto:ed...@ieee.org] 
Sent: Tuesday, April 28, 2020 1:13 PM
To: Aaron Gould
Cc: adamv0...@netconsultings.com; NANOG
Subject: Re: Applications of MPLS in the metro area

 

I started poking around to learn more about these use cases and came across 
this interesting extract 
<https://www.juniper.net/us/en/products-services/routing/acx-series/datasheets/1000397.page>
 :

 

"Juniper Networks® ACX Series Universal Metro Routers are Juniper’s response to 
a shift in metro network architecture, where the access and aggregation layers 
are extending the operational intelligence from the service provider edge to 
the access network."

 

Not long ago, I used to think of anything above layer 2 as "service provider 
edge" and further still (away from access), but the responses I've garnered are 
pointing at a metro network that widely implements MPLS and access and 
aggregation segments that are seeing implementation of L3 functions.

 

 

Etienne

 

 

On Tue, Apr 28, 2020 at 7:45 PM Aaron Gould  wrote:

Yeah, I forgot earlier but I’m using EVPN/MPLS for DC interconnections now 
also, for nicely integrating L2/L3 and host/machine level route preference

 

MPLS in some ways is reminiscent of the ability to fire-off Smart-PVC’s 
(SPVC/P) over an ATM (asynchronous transfer mode) network, and thus achieve end 
to end virtual private connectivity without touching the intermediate nodes (p 
nodes)…. Since the p-nodes just do label swapping (like vpi/vci swapping in the 
atm analogy)

 

In actuality, many of my “p” nodes, are also “pe” nodes :)  it’s all about what 
it’s doing at that moment for what it is that we are talking about

 

-Aaron

 

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of 
adamv0...@netconsultings.com
Sent: Tuesday, April 28, 2020 10:46 AM
To: 'Etienne-Victor Depasquale'; 'NANOG'
Subject: RE: Applications of MPLS in the metro area

 

Hi,

So where the books talk about PEs -think of your metro nodes here (basically 
converting the metro into an MPLS network -or making it part of your existing 
MPLS core) (you might not have a classic design where PEs hang off of P-Core 
nodes and might have just rings of PEs in your metro area)  

And where the books talk about various L3VPN and L2VPN services that’s 
basically what you can offer over your metro -now that it’s been converted to a 
fully-fledged MPLS network.

Ranging from multicast L3VPNs for 3PLAY services through L2 p2p|p2mp|mp2mp 
services for Data-Center-Interconnect, to network-slicing buzzword (cause with 
VRFs and Traffic Engineering you can slice your metro area network whichever 
way you like).  

  

adam 

 

From: NANOG  On Behalf Of Etienne-Victor Depasquale
Sent: Tuesday, April 28, 2020 2:44 PM
To: NANOG 
Subject: Applications of MPLS in the metro area

 

Hello !

 

I'm looking for what a network operator would consider a realistic reference 
deployment of MPLS within the metro area network. 

 

By "realistic reference", I'm asking about what a network operator would 
consider to be a typical, perhaps most common, application of MPLS technology.

 

From a bookish perspective, I understand MPLS well but have never implemented 
it in the scope of my current field of study (metro area networks). I would 
dearly like to get this "grounded" perspective from anyone who might care to 
share it.

 

 

Cheers,

 

Etienne

 

-- 

Ing. Etienne-Victor Depasquale
Assistant Lecturer
Department of Communications & Computer Engineering
Faculty of Information & Communication Technology
University of Malta

Web. https://www.um.edu.mt/profile/etiennedepasquale




 

-- 

Ing. Etienne-Victor Depasquale
Assistant Lecturer
Department of Communications & Computer Engineering
Faculty of Information & Communication Technology
University of Malta

Web. https://www.um.edu.mt/profile/etiennedepasquale



RE: Applications of MPLS in the metro area

2020-04-28 Thread Aaron Gould
Yeah, I forgot earlier but I’m using EVPN/MPLS for DC interconnections now 
also, for nicely integrating L2/L3 and host/machine level route preference

 

MPLS in some ways is reminiscent of the ability to fire-off Smart-PVC’s 
(SPVC/P) over an ATM (asynchronous transfer mode) network, and thus achieve end 
to end virtual private connectivity without touching the intermediate nodes (p 
nodes)…. Since the p-nodes just do label swapping (like vpi/vci swapping in the 
atm analogy)

 

In actuality, many of my “p” nodes, are also “pe” nodes :)  it’s all about what 
it’s doing at that moment for what it is that we are talking about

 

-Aaron

 

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of 
adamv0...@netconsultings.com
Sent: Tuesday, April 28, 2020 10:46 AM
To: 'Etienne-Victor Depasquale'; 'NANOG'
Subject: RE: Applications of MPLS in the metro area

 

Hi,

So where the books talk about PEs -think of your metro nodes here (basically 
converting the metro into an MPLS network -or making it part of your existing 
MPLS core) (you might not have a classic design where PEs hang off of P-Core 
nodes and might have just rings of PEs in your metro area)  

And where the books talk about various L3VPN and L2VPN services that’s 
basically what you can offer over your metro -now that it’s been converted to a 
fully-fledged MPLS network.

Ranging from multicast L3VPNs for 3PLAY services through L2 p2p|p2mp|mp2mp 
services for Data-Center-Interconnect, to network-slicing buzzword (cause with 
VRFs and Traffic Engineering you can slice your metro area network whichever 
way you like).  

  

adam 

 

From: NANOG  On Behalf Of Etienne-Victor Depasquale
Sent: Tuesday, April 28, 2020 2:44 PM
To: NANOG 
Subject: Applications of MPLS in the metro area

 

Hello !

 

I'm looking for what a network operator would consider a realistic reference 
deployment of MPLS within the metro area network. 

 

By "realistic reference", I'm asking about what a network operator would 
consider to be a typical, perhaps most common, application of MPLS technology.

 

From a bookish perspective, I understand MPLS well but have never implemented 
it in the scope of my current field of study (metro area networks). I would 
dearly like to get this "grounded" perspective from anyone who might care to 
share it.

 

 

Cheers,

 

Etienne

 

-- 

Ing. Etienne-Victor Depasquale
Assistant Lecturer
Department of Communications & Computer Engineering
Faculty of Information & Communication Technology
University of Malta

Web. https://www.um.edu.mt/profile/etiennedepasquale



RE: Applications of MPLS in the metro area

2020-04-28 Thread Aaron Gould
For the ISP and Carrier Ethernet network I run, I use MPLS for various things.

 

It provides wonderful segmentation of different communities (customers and 
uses).

 

I use MPLS ELINE (p2p) extensively for Cellular Backhaul

 

I use MPLS ELAN (mp2mp) in various places for emulating LAN’s over long distance

 

I use MPLS L3VPN for various things…

-Containing customer public internet routing

-Containing customer cgnat private side

-6VPE for getting IPv6 across my ipv4-only core

 

 

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Etienne-Victor 
Depasquale
Sent: Tuesday, April 28, 2020 8:44 AM
To: NANOG
Subject: Applications of MPLS in the metro area

 

Hello !

 

I'm looking for what a network operator would consider a realistic reference 
deployment of MPLS within the metro area network. 

 

By "realistic reference", I'm asking about what a network operator would 
consider to be a typical, perhaps most common, application of MPLS technology.

 

From a bookish perspective, I understand MPLS well but have never implemented 
it in the scope of my current field of study (metro area networks). I would 
dearly like to get this "grounded" perspective from anyone who might care to 
share it.

 

 

Cheers,

 

Etienne

 

-- 

Ing. Etienne-Victor Depasquale
Assistant Lecturer
Department of Communications & Computer Engineering
Faculty of Information & Communication Technology
University of Malta

Web. https://www.um.edu.mt/profile/etiennedepasquale



RE: IS-IS IPAM platform

2020-04-13 Thread Aaron Gould
Our atm network in san diego was the full base 16 hex for the 13 byte nsap 
prefix of all the atm switches in our 4-level PNNI cloud

This may be slightly off topic of ISIS practices though

But, yeah, we didn't encode any switch mgmt. ip into the nsap addressing as I 
recall... just the pnni peer groups had hex identities

-Aaron

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Bryan Holloway
Sent: Monday, April 13, 2020 12:46 PM
To: Randy Bush; Tom Beecher
Cc: Nanog
Subject: Re: IS-IS IPAM platform

I've always wondered about folks' opinions about one thing, though:

In y'all's opinion, do you prefer/recommend using base-10 digits or hex 
in your NSAP addresses? I like the former for readability, but the 
latter can (could) be better for automation. Maybe.

I got into a heated argument about this once with ATM back in the day, 
but my brain's too frazzled to remember the takeaways.


On 4/13/20 7:37 PM, Randy Bush wrote:
>> Just encode the router loopback IPv4 address in the system identifier bytes
>> and call it a day.
> 
> i think asp wrote this up back in the early '90s.  anyone have a cite?
> 
> randy
> 
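
As an added worked example (mine, not anything posted in this thread): the convention Tom and Randy refer to, putting the router's IPv4 loopback into the 6-byte IS-IS system ID, is to zero-pad each octet to three decimal digits and regroup the twelve digits as three 4-digit fields, so 192.168.1.1 becomes 1921.6800.1001. The script below does the encoding, the reverse decoding (refusing IDs that cannot have come from an IPv4 address instead of guessing), and assembles and splits a full NET. The area 49.0001 and the loopbacks are illustrative values, not anyone's production addressing.

```python
import ipaddress
import re
from typing import Tuple

# Added example, not from the thread. Encodes an IPv4 loopback into an
# IS-IS system ID and back. Area "49.0001" below is an assumed private-AFI
# example; the loopback addresses are made up.

SYSTEM_ID_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


def loopback_to_system_id(loopback: str) -> str:
    """192.168.1.1 -> 1921.6800.1001.

    Each octet is zero-padded to three decimal digits, the twelve digits are
    concatenated and regrouped 4.4.4. Only digits 0-9 occur, so the result is
    always a valid 6-byte (12 hex nibble) system ID.
    """
    octets = str(ipaddress.IPv4Address(loopback)).split(".")
    digits = "".join(f"{int(o):03d}" for o in octets)
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def system_id_to_loopback(system_id: str) -> str:
    """Reverse of loopback_to_system_id.

    An ID containing a-f, or a 3-digit group above 255, was not produced by
    this scheme; it is rejected rather than silently mis-decoded.
    """
    if not SYSTEM_ID_RE.match(system_id):
        raise ValueError(f"malformed system ID: {system_id}")
    digits = system_id.replace(".", "")
    if not digits.isdigit():
        raise ValueError(f"{system_id} was not derived from an IPv4 address")
    octets = [int(digits[i:i + 3]) for i in range(0, 12, 3)]
    if any(o > 255 for o in octets):
        raise ValueError(f"{system_id} does not decode to a valid IPv4 address")
    return ".".join(str(o) for o in octets)


def build_net(area: str, loopback: str, nsel: str = "00") -> str:
    """Assemble <area>.<system-id>.<nsel>; a router NET always ends in 00."""
    if nsel != "00":
        raise ValueError("a router NET must end in NSEL 00")
    return f"{area}.{loopback_to_system_id(loopback)}.{nsel}"


def parse_net(net: str) -> Tuple[str, str, str]:
    """Split a NET into (area, system_id, nsel). The last four dotted fields
    are always system ID (three fields) plus NSEL (one field); whatever is
    left in front is the variable-length area."""
    fields = net.split(".")
    if len(fields) < 5:
        raise ValueError(f"NET too short: {net}")
    area = ".".join(fields[:-4])
    system_id = ".".join(fields[-4:-1])
    return area, system_id, fields[-1]


if __name__ == "__main__":
    net = build_net("49.0001", "10.255.0.1")
    print(net)                                  # 49.0001.0102.5500.0001.00
    area, sysid, nsel = parse_net(net)
    print(system_id_to_loopback(sysid))         # 10.255.0.1
```

The decoder is the useful half for automation: run it over every NET in the IGP and anything that raises is a router someone numbered by hand.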



RE: Backhoe season?

2020-03-26 Thread Aaron Gould
Yeah Darron, we lost some San Antonio connectivity to Houston via Dallas or 
somewhere twice in the past few days, affecting different things for us

-Aaron

-Original Message-
From: Darron Legnon [mailto:dar...@commzoom.com] 
Sent: Thursday, March 26, 2020 1:11 PM
To: Aaron Gould; 'William Herrin'; nanog@nanog.org
Subject: RE: Backhoe season?

I've had contractors for Zayo hitting multiple fiber routes over the past 3 
months numerous times affecting us, AT&T, CenturyLink, Windstream, Fiberlight, 
etc in south Texas. Actually had one cut yesterday around 3pm and lasted till 
1am.

-Original Message-
From: NANOG  On Behalf Of Aaron Gould
Sent: Thursday, March 26, 2020 1:03 PM
To: 'William Herrin' ; nanog@nanog.org
Subject: RE: Backhoe season?


I heard, and am seeing that construction type jobs don't seem to be affected 
much with the virus shutdown.  I mean I see guys building homes and working on 
roads all around me...  furthermore, we've heard of a couple fiber cuts that 
have brought portions of our network down a couple times in the last week or so.

-Aaron

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of William Herrin
Sent: Thursday, March 26, 2020 12:57 PM
To: nanog@nanog.org
Subject: Backhoe season?

Howdy,

With so much work shut down, I'm curious how backhoe season is shaping up this 
year? How do the circuit and fiber outage numbers look?

Regards,
Bill Herrin


--
William Herrin
b...@herrin.us
https://bill.herrin.us/





RE: Backhoe season?

2020-03-26 Thread Aaron Gould
I heard, and am seeing that construction type jobs don't seem to be affected 
much with the virus shutdown.  I mean I see guys building homes and working on 
roads all around me...  furthermore, we've heard of a couple fiber cuts that 
have brought portions of our network down a couple times in the last week or so.

-Aaron

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of William Herrin
Sent: Thursday, March 26, 2020 12:57 PM
To: nanog@nanog.org
Subject: Backhoe season?

Howdy,

With so much work shut down, I'm curious how backhoe season is shaping
up this year? How do the circuit and fiber outage numbers look?

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/



RE: Sunday traffic curiosity

2020-03-22 Thread Aaron Gould
I can see it now Business driver that moved the world towards multicast 
 2020 Coronavirus

Also, I wonder how much money would be lost by big pipe providers with 
multicast working everywhere

-Aaron

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Alexandre Petrescu
Sent: Sunday, March 22, 2020 3:41 PM
To: nanog@nanog.org
Subject: Re: Sunday traffic curiosity


Le 22/03/2020 à 21:31, Nick Hilliard a écrit :
> Grant Taylor via NANOG wrote on 22/03/2020 19:17:
>> What was wrong with Internet scale multicast?  Why did it get abandoned?
>
> there wasn't any problem with inter-domain multicast that couldn't be 
> resolved by handing over to level 3 engineering and the vendor's 
> support escalation team.
>
> But then again, there weren't many problems with inter-domain 
> multicast that could be resolved without handing over to level 3 
> engineering and the vendor's support escalation team.
>
> Nick

For my part I speculate multicast did not take off at any level (inter 
domain, intra domain) because pipes grew larger (more bandwidth) faster 
than uses ever needed.  Even now, I don't hear problems of bandwidth from 
some end users, like friends using netflix.  I do hear in media that 
there _might_ be an issue of capacity, but I did not hear that from end 
users.

On another hand, link-local multicast does seem to work ok, at least 
with IPv6.  The problem it solves there is not related to the width of 
the pipe, but more to resistance against 'storms' that were witnessed 
during ARP storms.  I could guess that Ethernet pipes are now so large 
they could accommodate many forms of ARP storms, but for one reason or 
another IPv6 ND has multicast and no broadcast.  It might even be a 
problem in the name, in that it is named 'IPv6 multicast ND' but 
underlying is often implemented with pure broadcast and local filters.

If the capacity is reached and if end users need more, then there are 
two alternative solutions: grow capacity unicast (e.g. 1Tb/s Ethernet) 
or multicast; it's useless to do both.  If we can't do 1 Tb/s Ethernet 
('apocalypse'  was called by some?) then we'll do multicast.

I think,

Alex, LF/HF 3
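
As an added example (mine, not part of Alex's or Aaron's messages), here is the arithmetic behind "IPv6 ND has multicast and no broadcast": a Neighbor Solicitation for an address is sent to that address's solicited-node group, ff02::1:ffXX:XXXX built from its low 24 bits, and the NIC maps that group to an Ethernet destination of 33:33 plus the group's low 32 bits. That 33:33 address is the "local filter" the message mentions, which is why an ND lookup only wakes the handful of hosts sharing those 24 bits instead of every host on the segment. The addresses used are documentation-range values chosen for illustration.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Added example, not from the thread. Computes the solicited-node group and
# Ethernet group MAC that IPv6 Neighbor Discovery uses in place of broadcast.
# All addresses below are illustrative.

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_group(addr: str) -> str:
    """RFC 4291: ff02::1:ffXX:XXXX where XX:XXXX is the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24))


def ipv6_multicast_mac(group: str) -> str:
    """RFC 2464: Ethernet destination is 33:33 followed by the group's low 32 bits."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low32 = int(g) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def nd_filter_for(addrs: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """For each unicast address, the (group, MAC) pair a host joins and filters
    on to receive Neighbor Solicitations for it. Two addresses that share their
    low 24 bits land on the same group, which is the only case in which an NS
    is delivered to a node that is not its target."""
    result = {}
    for a in addrs:
        group = solicited_node_group(a)
        result[a] = (group, ipv6_multicast_mac(group))
    return result


if __name__ == "__main__":
    for addr, (group, mac) in nd_filter_for(
        ["2001:db8::1", "2001:db8:ffff::1", "2001:db8::abcd:1234"]
    ).items():
        print(f"{addr:24} -> {group:20} {mac}")
```

A switch that does MLD snooping only forwards a given NS out ports that have joined its 33:33 group; a switch that does not snoop floods it, which is the "pure broadcast with local filters" behaviour the message describes.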




traffic sag last night (early this morning)

2020-03-18 Thread Aaron Gould
At 00:49 minutes past midnight today I saw a bit of a traffic sag across all
3 of my different upstream providers.  All in Texas.  Anyone else see that ?

 

-Aaron



RE: akamai yesterday - what in the world was that

2020-03-10 Thread Aaron Gould
Wow, yeah, my Akamai servers are again, hitting all time highs… one cache hit 
up to ~30 gig… been ramping up and down since this morning around 9 or 10 a.m. 
central time.  

 

Here’s a strange thing though, around 14:45 – 15:30, I got massive outbound on 
my internet connection (~20 gbps), and I never send that much out to the 
internet

 

-Aaron

 



RE: akamai yesterday - what in the world was that

2020-02-14 Thread Aaron Gould
Yeah for our 40,000 ftth customers, I think 250M is our base package... we have 
lots of folks with 500M or 1G

-Aaron





RE: akamai yesterday - what in the world was that

2020-02-13 Thread Aaron Gould
I saw this ...

100 gbps inet - usually 25 gig peak - that day it was 35 gig peak

100 gbps inet - usually 25 gig peak - that day it was 35 gig peak

20 gbps (lag) inet - usually 12 gig peak - that day it was 16 gig peak

10 gig fed - aanp cluster site 1 - usually 3 gig peak - that day it sat at 10 
gig for hours (I know I was dropping packets)
 
10 gig fed - aanp cluster site 2 - usually 3 gig peak - that day it sat at 10 
gig for hours (I know I was dropping packets)

-Aaron





RE: akamai yesterday - what in the world was that

2020-02-12 Thread Aaron Gould
Netflix oca has it figured out, as my fill window is during off-peak time, 2 
a.m. - 6 a.m. and I think it's also configurable in the oca portal.

-Aaron




Re: akamai yesterday - what in the world was that

2020-02-12 Thread Aaron Gould
Good point Bryan... With my single 10 gig pegged out for a few hours sustained, 
I guess it remains to be seen exactly how high that peak would go if I gave it 
more capacity

-Aaron 
- Original Message -
From: Bryan Holloway 
To: Nanog@nanog.org
Sent: Wed, 12 Feb 2020 07:59:20 -0500 (EST)
Subject: Re: akamai yesterday - what in the world was that

Is 10G enough? ;)

We just lit up several 100G Akamai links. Saved the day fo sho ... (this 
time.)


On 2/11/20 8:26 PM, Aaron Gould wrote:
> Huge!  Big as ever.  My aanp links are (were) pegged, seriously.  I will 
> be contacting Akamai about lighting up an additional 10 gig link to my 
> local clusters.  Started at 12 noon central… still going pretty 
> heavily.  Game/update release ?
> 
> -Aaron
> 
> *From:*Tom Deligiannis [mailto:tom.deligian...@gmail.com]
> *Sent:* Tuesday, February 11, 2020 5:41 PM
> *To:* aar...@gvtc.com
> *Cc:* Nanog@nanog.org
> *Subject:* Re: akamai yesterday - what in the world was that
> 
> There is a major update that has released today, how's everything 
> looking for everyone?
> 
> Tom
> 



RE: akamai yesterday - what in the world was that

2020-02-11 Thread Aaron Gould
Huge!  Big as ever.  My aanp links are (were) pegged, seriously.  I will be 
contacting Akamai about lighting up an additional 10 gig link to my local 
clusters.  Started at 12 noon central… still going pretty heavily.  Game/update 
release ?

 

-Aaron

 

 

From: Tom Deligiannis [mailto:tom.deligian...@gmail.com] 
Sent: Tuesday, February 11, 2020 5:41 PM
To: aar...@gvtc.com
Cc: Nanog@nanog.org
Subject: Re: akamai yesterday - what in the world was that

 

There is a major update that has released today, how's everything looking for 
everyone?

 

Tom

 



RE: Dual Homed BGP

2020-01-25 Thread Aaron Gould
I’m listening to the advice of others and taking it in…. 

 

For my ISP, I’ve had 2 or 3 internet uplinks for about 12 years now for 50,000 
subs, and have only learned a default route on them.  It’s been good up to this 
point.

 

-Aaron

 

 



RE: Reminiscing our first internet connections (WAS) Re: akamai yesterday - what in the world was that

2020-01-25 Thread Aaron Gould
I love the symmetric ~10 gig speed test to put it into perspective for how far 
we’ve come….also the 3 ms ping result.  Ain’t it great

 

-Aaron

 

From: Ben Cannon [mailto:b...@6by7.net] 
Sent: Friday, January 24, 2020 5:27 PM
To: b...@theworld.com
Cc: Aaron Gould; NANOG Operators' Group
Subject: Reminiscing our first internet connections (WAS) Re: akamai yesterday 
- what in the world was that

 

I started what became 6x7 with a 64k ISDN line.   And 9600 baud modems…   

 

in ’93 or so.  (I was a child, in Jr High…)

 

-Ben.

 

 

-Ben Cannon

CEO 6x7 Networks & 6x7 Telecom, LLC 

b...@6by7.net

 




 

On Jan 24, 2020, at 3:21 PM, b...@theworld.com wrote:

 


On January 24, 2020 at 08:55 aar...@gvtc.com (Aaron Gould) wrote:



Thanks Jared, When I reminisce with my boss he reminds me that this telco/ISP 
here initially started with a 56kbps internet uplink , lol


Point of History:

When we, The World, first began allowing the general public onto the
internet in October 1989 we actually had a (mildly shared*) T1
(1.544mbps) UUNET link. So not so bad for the time. Dial-up customers
shared a handful of 2400bps modems, we still have them.

* It was also fanned out of our office to a handful of Boston-area
customers who had 56kbps or 9600bps leased lines, not many.

-- 
   -Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*

 



RE: akamai yesterday - what in the world was that

2020-01-24 Thread Aaron Gould
A hahahaha, that's great Warren !

after all, it is Friday, might as well...

oh my gosh, I cut my teeth on a few of those mgs type routers... I recall they 
sounded a bit like a small vacuum cleaner and I think I had to set jumpers 
or flip dip switches for password recovery!
https://www.flickr.com/photos/pleia2/16858944610

back then, my onion hung on a rope around my waist 

-Aaron



RE: akamai yesterday - what in the world was that

2020-01-24 Thread Aaron Gould
Thanks Jared, When I reminisce with my boss he reminds me that this telco/ISP 
here initially started with a 56kbps internet uplink , lol

-Aaron




RE: akamai yesterday - what in the world was that

2020-01-24 Thread Aaron Gould
Thanks Hugo, very interesting.  Induced demand.  Someone said recently… they’ve 
seen that no matter how much bandwidth you give a customer, they will 
eventually figure out how to use it. (whether they realize it or not… I guess 
it just happens)

 

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Hugo Slabbert
Sent: Thursday, January 23, 2020 11:44 AM
To: Tom Beecher
Cc: NANOG list
Subject: Re: akamai yesterday - what in the world was that

 

> This just follows the same rules as networks have always seemed to; If you 
> build it, they will come, and you'll have to build more. :)

 

https://en.m.wikipedia.org/wiki/Induced_demand

 

:-)

 

 

On Thu., Jan. 23, 2020, 09:40 Tom Beecher  wrote:

I think this is a tribute to how we’ve built and upgraded networks for capacity 
and speed.

 

I think it's spot on. 

 

In years past it made more sense to distribute smaller , incremental patches. 
More work on the software side, but it was likely a better option than getting 
blasted on Twitter because "OMG I WANT TO PLAY AND MY DOWNLOAD IS TAKING 8 
HOURS". 

 

This just follows the same rules as networks have always seemed to; If you 
build it, they will come, and you'll have to build more. :) 

 

On Thu, Jan 23, 2020 at 11:57 AM Jared Mauch  wrote:



> On Jan 23, 2020, at 11:52 AM, Valdis Klētnieks  
> wrote:
> 
> On Thu, 23 Jan 2020 17:13:15 +0100, Bryan Holloway said:
> 
>> Game releases are hardly a new thing, but these last two events seem to
>> be almost an order of magnitude higher than what we're used to (at least
>> on our predominantly eyeball network.)
>> 
>> Any thoughts from the community? We're taking steps to accommodate, but
>> from a capacity-planning perspective, this seems non-linear to me.
> 
> Be prepared for an entire new world of hurt this holiday season. Sony has 
> already
> confirmed that PS5 releases will ship on 100Gbyte blu-ray disks.  Which means 
> that
> download sizes will be comparable…

There’s also the “we will stream you all the data things” I keep hearing about 
like the
Consoles without discs or some other thing I can’t remember the name of.

I think this is a tribute to how we’ve built and upgraded networks for capacity 
and speed.

- Jared



RE: akamai yesterday - what in the world was that

2020-01-24 Thread Aaron Gould
Interesting… I just found this.  Speaks of 800 gbps, 1.2 tbps, 1.6 tbps Ethernet

 

https://en.wikipedia.org/wiki/Terabit_Ethernet

 

https://ethernetalliance.org/technology/2019-roadmap/

 

https://ethernetalliance.org/wp-content/uploads/2019/08/EthernetRoadmap-2019-Side1-ToPrint.pdf

 

https://ethernetalliance.org/wp-content/uploads/2019/08/EthernetRoadmap-2019-Side2-ToPrint.pdf

 

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of jdambro...@gmail.com
Sent: Thursday, January 23, 2020 11:42 AM
To: 'Tom Beecher'; 'Jared Mauch'
Cc: 'NANOG list'
Subject: RE: akamai yesterday - what in the world was that

 

Love it Love it Love it

 

I have been telling people that the IEEE 802.3 Ethernet Working Group needs to 
start looking beyond 400 Gb/s Ethernet.  It’s only a matter of time where we 
will need it!

 

From: NANOG  On Behalf Of Tom Beecher
Sent: Thursday, January 23, 2020 6:39 PM
To: Jared Mauch 
Cc: NANOG list 
Subject: Re: akamai yesterday - what in the world was that

 

I think this is a tribute to how we’ve built and upgraded networks for capacity 
and speed.

 

I think it's spot on. 

 

In years past it made more sense to distribute smaller , incremental patches. 
More work on the software side, but it was likely a better option than getting 
blasted on Twitter because "OMG I WANT TO PLAY AND MY DOWNLOAD IS TAKING 8 
HOURS". 

 

This just follows the same rules as networks have always seemed to; If you 
build it, they will come, and you'll have to build more. :) 

 

On Thu, Jan 23, 2020 at 11:57 AM Jared Mauch  wrote:



> On Jan 23, 2020, at 11:52 AM, Valdis Klētnieks  
> wrote:
> 
> On Thu, 23 Jan 2020 17:13:15 +0100, Bryan Holloway said:
> 
>> Game releases are hardly a new thing, but these last two events seem to
>> be almost an order of magnitude higher than what we're used to (at least
>> on our predominantly eyeball network.)
>> 
>> Any thoughts from the community? We're taking steps to accommodate, but
>> from a capacity-planning perspective, this seems non-linear to me.
> 
> Be prepared for an entire new world of hurt this holiday season. Sony has 
> already
> confirmed that PS5 releases will ship on 100Gbyte blu-ray disks.  Which means 
> that
> download sizes will be comparable…

There’s also the “we will stream you all the data things” I keep hearing about 
like the
Consoles without discs or some other thing I can’t remember the name of.

I think this is a tribute to how we’ve built and upgraded networks for capacity 
and speed.

- Jared



akamai yesterday - what in the world was that

2020-01-23 Thread Aaron Gould
My gosh, what in the world was that coming out of my local Akamai aanp
servers yesterday !?  Starting at about 12:00 noon central time, lasting
several hours ?

 

-Aaron



RE: IPv6 Prefix Delegation to customers.

2020-01-16 Thread Aaron Gould
Brandon, I vaguely recall that the dhcp relay snooping function is able to
add those routes to the local route table, and then redistribution into the
routing process occurs.

 

Question similar to yours was asked here in 2017 - September.

https://mailman.nanog.org/pipermail/nanog/2017-September/092416.html


I responded with some IOS and Junos output from some of my lab gear.

https://mailman.nanog.org/pipermail/nanog/2017-September/092451.html

 

I may have to dig to find and confirm these things, or perhaps lab it up
again.  I need to anyway as I may need to get more serious about deploying
v6 too.

 

-Aaron

 

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Brandon Price
Sent: Wednesday, January 15, 2020 8:01 PM
To: nanog list
Subject: IPv6 Prefix Delegation to customers.

 

Hey Nanog,

 

I am in the process of building out a FTTH proof of concept, and I would
really like to offer each of my customers a /48 of IPv6. 

I've been able to announce my /32 to my upstreams, dual-stack all of my
internal infrastructure no-problem, build v6 recursive name servers, etc.

This was fairly straight-forward.

 

Where I am struggling is the Prefix Delegation part. How are most folks
getting the PD subnets into their IGPs? In my environment I don't run the
DHCP server process on the router that is directly connected to the clients.
I have seen documentation that cisco and juniper DHCPv6 processes are smart
enough to insert that prefix into the routing table when they hand it out,
but how is this handled in an environment with a central DHCP server? I do
not currently run any PPPOE in my environment and I don't use RADIUS for the
subscriber management. I would really just like to stick to DHCP ideally.

 

If anyone has any pointers, I would appreciate it.

 

Brandon Price

Senior Network Engineer

City of Sherwood, Sherwood Broadband

Desk: 503.625.4258

Cell: 971.979.2182

 





 



RE: FYI - Suspension of Cogent access to ARIN Whois

2020-01-08 Thread Aaron Gould
I’m pretty sure cogent has had issues providing full internet connectivity via 
ipv6 to google and perhaps he (hurricane electric), perhaps others as well, for 
quite some time now.

 

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of James Breeden
Sent: Tuesday, January 7, 2020 7:04 PM
To: Rich Kulawiec; North American Network Operators' Group
Subject: RE: FYI - Suspension of Cogent access to ARIN Whois

 

Hmm. Wonder if this can be used to cancel some cogent services... I mean, they 
technically aren't providing access to the full internet now.

 

 

 

Sent via the Samsung Galaxy Note9, an AT&T 5G Evolution capable smartphone

 

 

 

 Original message 

From: Rich Kulawiec  

Date: 1/7/20 7:02 PM (GMT-06:00) 

To: North American Network Operators' Group  

Subject: Re: FYI - Suspension of Cogent access to ARIN Whois 

 

On Tue, Jan 07, 2020 at 04:54:22PM -0600, Mike Hammett wrote:
> That said, if there's a stern warning about Cogent abusing the system,
> maybe their customers finding out is a good thing for the overall
> community. ;-)

And that is what I would suggest: reply to all queries with a notice
that explains what is happening, why it's happening, and provides
contact information for Cogent executives: preferably their *personal*
email addresses and phone numbers.

---rsk



RE: End to End testing

2019-12-13 Thread Aaron Gould
We use a lot of Accedian MetroNIDs for SLA monitoring…. For cell backhaul and 
some enterprise sites.

 

-Aaron 

 



RE: Short-circuited traceroutes on FIOS

2019-12-12 Thread Aaron Gould
Yeah, and what do you do with a traceroute that looks like this….  (ip address 
intentionally changed)

 

C:\>tracert -d -w 1 1.2.3.4

Tracing route to 1.2.3.4 over a maximum of 30 hops

  1 8 ms 5 ms 5 ms  96.8.191.129
  2 *** Request timed out.
  3 *** Request timed out.
  4 *** Request timed out.
  5 *** Request timed out.
  6 *** Request timed out.
  7 *** Request timed out.
  8 *** Request timed out.
  9 *** Request timed out.
 10 *** Request timed out.
 11 *** Request timed out.
 12 *** Request timed out.
 13 *** Request timed out.
 14 *** Request timed out.
 15 *** Request timed out.
 16 *** Request timed out.
 17   267 ms   202 ms * 1.2.3.4
 18   205 ms   175 ms * 1.2.3.4
 19   160 ms   233 ms * 1.2.3.4
 20   199 ms   201 ms * 1.2.3.4
 21   213 ms   206 ms * 1.2.3.4
 22   165 ms   158 ms * 1.2.3.4
 23   237 ms   158 ms * 1.2.3.4
 24   158 ms   290 ms * 1.2.3.4
 25   158 ms   160 ms   158 ms  1.2.3.4

Trace complete.

C:\>

 

 

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Etienne-Victor 
Depasquale
Sent: Thursday, December 12, 2019 1:18 AM
To: Valdis Klētnieks
Cc: nanog@nanog.org
Subject: Re: Short-circuited traceroutes on FIOS

 

Traceroute is becoming more and more an expert's tool because interpretation of 
its results isn't straightforward.

 

I had written a paper last year and mentioned its misuse in academia in the 
context of estimating the number of energy-consuming devices between a source 
and a destination. 

Traceroute was being used to count the number of physical router devices from 
the hop count, notwithstanding the use of MPLS in domain cores.

To an external observer, this results in significant underestimation of the 
energy consumption in the path from source to destination.

 

On Thu, Dec 12, 2019 at 12:51 AM Valdis Klētnieks  
wrote:

On Wed, 11 Dec 2019 19:26:09 +0200, Saku Ytti said:
> On Wed, 11 Dec 2019 at 19:14, Rob Foehl  wrote:
>
> > Support claims that it was a mistake, but it's also been 15+ months and
> > it's pretty deliberate behavior.  Draw your own conclusions...
>
> TTL decrement issues are fairly common across multiple vendors and hw,
> can be sw can be hw limit

Yes, but you need to screw up gloriously on the decrement if you think that
"I decremented and it's zero now" means "therefore it must have been addressed
to me, so I'll send an ECHO REPLY instead of TTL EXCEEDED".




 

-- 

Ing. Etienne-Victor Depasquale
Assistant Lecturer
Department of Communications & Computer Engineering
Faculty of Information & Communication Technology
University of Malta

Web. https://www.um.edu.mt/profile/etiennedepasquale
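The trace Aaron posted shows the signature of the behaviour Valdis describes: a well-behaved path reports the destination exactly once, at the last hop, whereas here 1.2.3.4 "answers" at hops 17 through 25 with the third probe lost each time. The parser and analyzer below are an added example (not from the thread or any tool mentioned in it) that reads Windows tracert output, including the column-collapsed form in which the post was archived, and flags that short-circuit pattern. The function names are mine; the sample trace is the one from the post, with the poster's already-substituted 1.2.3.4 placeholder.

```python
"""Parse Windows tracert output and flag a 'short-circuited' trace, where the
destination answers at several hops instead of only the last one."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Hop:
    number: int
    rtts: List[Optional[int]]   # ms per probe; None where the probe timed out ('*')
    responder: Optional[str]    # None for "Request timed out."

_HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")

def parse_tracert(text: str) -> List[Hop]:
    """Parse hop lines; banner, blank lines and 'Trace complete.' are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = _HOP_LINE.match(line)
        if not m:
            continue
        tokens = m.group(2).split()
        rtts: List[Optional[int]] = []
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if set(tok) == {"*"}:          # '*', or '***' when columns were collapsed
                rtts.extend([None] * len(tok))
                i += 1
            elif i + 1 < len(tokens) and tokens[i + 1] == "ms" and tok.lstrip("<").isdigit():
                rtts.append(int(tok.lstrip("<")))   # '<1 ms' is recorded as 1
                i += 2
            else:
                break                       # rest of the line is the responder
        target = " ".join(tokens[i:])
        responder = None if target.startswith("Request timed out") else target
        hops.append(Hop(int(m.group(1)), rtts, responder))
    return hops

def analyze(hops: List[Hop], destination: str) -> Dict[str, object]:
    """Summarise the trace; short_circuited means the destination replied at
    more than one hop, i.e. something before it is answering on its behalf."""
    if not hops:
        raise ValueError("no hop lines found")
    dest_hops = [h for h in hops if h.responder == destination]
    return {
        "final_hop": hops[-1].number,
        "reached": hops[-1].responder == destination,
        "first_dest_hop": dest_hops[0].number if dest_hops else None,
        "dest_answer_count": len(dest_hops),
        "short_circuited": len(dest_hops) > 1,
        "silent_hops": sum(1 for h in hops if h.responder is None),
        "dest_hops_with_loss": sum(1 for h in dest_hops if None in h.rtts),
    }

# The trace from the post, in the collapsed form the archive kept it in.
_TIMEOUTS = "\n".join(f"{n:3d} *** Request timed out." for n in range(2, 17))
SAMPLE_TRACE = f"""Tracing route to 1.2.3.4 over a maximum of 30 hops

  1 8 ms 5 ms 5 ms  96.8.191.129
{_TIMEOUTS}
 17   267 ms   202 ms * 1.2.3.4
 18   205 ms   175 ms * 1.2.3.4
 19   160 ms   233 ms * 1.2.3.4
 20   199 ms   201 ms * 1.2.3.4
 21   213 ms   206 ms * 1.2.3.4
 22   165 ms   158 ms * 1.2.3.4
 23   237 ms   158 ms * 1.2.3.4
 24   158 ms   290 ms * 1.2.3.4
 25   158 ms   160 ms   158 ms  1.2.3.4

Trace complete.
"""

if __name__ == "__main__":
    print(analyze(parse_tracert(SAMPLE_TRACE), "1.2.3.4"))
```

On the posted trace this reports the destination answering at nine hops starting at 17, fifteen silent hops before that, and packet loss on eight of the nine destination hops; the RTTs at hop 17 (267 ms) being higher than at hop 25 (158 ms) is a further hint that the early "destination" replies are not coming from the same box. Treat such a trace as telling you where the replying middlebox sits, not how many routers are in the path.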



RE: DDoS attack

2019-12-10 Thread Aaron Gould
Years ago, we looked at netflow data and precursors to attacks, and found that 
UDP 3074 Xbox Live was showing up just prior to the attacks... and through other 
research we concluded that gamers are a big cause of large ddos attacks; 
apparently they go after each other in retaliation.

I've crafted a series of things for dealing with the results of volumetric ddos 
attacks... I've had attacks in upwards of 50 or 60 gig as I recall across 
all of my (3) internet connections at times

- deny acl's ... for ports/protocols that I know are absolutely not needed
- policers of various well known port attack vectors (gleaned from netflow data)
- policers of well-known *good* ports/protocols (like ntp, dns, etc) to some 
realistic level
- a repeat-victims list of ip's with policing udp for this group (note1)
- rtbh (note2)

Note 1 - Also, I've learned that if a customer has been attacked once, the 
chances of them being the target of an attack again are high... so by crafting 
the repeat victims list, you can catch next-day attacks of differing vectors.
Note 2 - for sustained attacks lasting a long time (30 mins, an hour, etc), we 
trigger a bgp/community route that goes out to the inet cloud and stops attack 
further into the upstream providers network... I know I "complete" the attack, 
but, I save my network ;)
...I use an old cisco 2600 as my trigger router and wrote a job aid that I 
shared with the NOC for triggering rtbh when needed, couple commands.
...I would like to automate my rtbh using what I understand is a possible use 
case for FastNetMon, but haven't got around to it

I also wonder if team cymru's utrs project and other things like that would 
benefit my security posture.


-Aaron
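The post lists a triage flow: spot the precursor (UDP 3074 to the soon-to-be victim), find the victim from flow volume, keep a repeat-victims list that gets a UDP policer, and fall back to RTBH for sustained attacks. The block below is an added example of that logic on constructed flow records; it is not the poster's tooling and not FastNetMon. The function names and the `Flow` record are mine, the flow data is made up, and the tag value 666 on the RTBH trigger route is the usual placeholder for a blackhole tag, not something from the post; the route-map that turns the tag into a blackhole community on redistribution is assumed to exist on the trigger router.

```python
"""Volumetric-DDoS triage on flow records: precursor lookup, victim detection,
repeat-victim list and an RTBH trigger. Example code, not the poster's tooling."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

@dataclass(frozen=True)
class Flow:
    ts: int        # export timestamp, epoch seconds (constructed)
    src: str
    dst: str
    proto: str     # "udp" | "tcp" | "icmp"
    dport: int
    octets: int

XBOX_LIVE_UDP = 3074      # the port the post names as a pre-attack indicator
SUSTAINED_S = 30 * 60     # the post triggers RTBH for attacks lasting ~30 min or more

def find_victims(flows: Iterable[Flow], window_s: int, mbps_threshold: float) -> Dict[str, float]:
    """Peak inbound Mbps per destination over fixed window_s buckets; keep the
    destinations at or above the threshold."""
    octets: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        octets[(f.dst, f.ts // window_s)] += f.octets
    peak: Dict[str, float] = defaultdict(float)
    for (dst, _bucket), n in octets.items():
        peak[dst] = max(peak[dst], n * 8 / window_s / 1e6)
    return {d: round(m, 1) for d, m in peak.items() if m >= mbps_threshold}

def precursor_sources(flows: Iterable[Flow], victim: str, onset_ts: int,
                      lookback_s: int = 600, port: int = XBOX_LIVE_UDP) -> Set[str]:
    """Sources that hit the victim on UDP/port in the lookback before the attack onset."""
    return {f.src for f in flows
            if f.dst == victim and f.proto == "udp" and f.dport == port
            and onset_ts - lookback_s <= f.ts < onset_ts}

class RepeatVictims:
    """Destinations attacked before; the post polices UDP towards this group."""
    def __init__(self) -> None:
        self.hits: Dict[str, int] = defaultdict(int)
    def record(self, victim: str) -> None:
        self.hits[victim] += 1
    def members(self) -> List[str]:
        return sorted(self.hits)

def rtbh_trigger(victim: str, tag: int = 666) -> List[str]:
    """IOS-style static route for the trigger router; a route-map matching the
    tag (assumed, configured separately) sets the blackhole community."""
    return [f"ip route {victim} 255.255.255.255 Null0 tag {tag}",
            f"! redistribute static via route-map matching tag {tag} (assumed)"]

def mitigation(victim: str, duration_s: int, repeat: RepeatVictims) -> List[str]:
    """Ordered plan mirroring the post: standing policers first, the repeat-victim
    UDP policer if applicable, RTBH only once the attack is sustained."""
    steps = ["policer:attack-vector-ports", "policer:well-known-good-ports"]
    if victim in repeat.hits:
        steps.append("policer:repeat-victim-udp")
    if duration_s >= SUSTAINED_S:
        steps += rtbh_trigger(victim)
    return steps

def constructed_flows() -> List[Flow]:
    """Made-up flows: two UDP/3074 precursors, then a 100-source UDP/123 flood
    of 45 MB each inside one 60 s bucket, plus background traffic elsewhere."""
    flows = [Flow(10, "198.51.100.5", "203.0.113.10", "udp", XBOX_LIVE_UDP, 1200),
             Flow(20, "198.51.100.6", "203.0.113.10", "udp", XBOX_LIVE_UDP, 900)]
    flows += [Flow(300 + i % 60, f"192.0.2.{i + 1}", "203.0.113.10", "udp", 123, 45_000_000)
              for i in range(100)]
    flows += [Flow(300 + i, "198.51.100.77", "203.0.113.20", "tcp", 443, 1_000_000)
              for i in range(5)]
    return flows

if __name__ == "__main__":
    flows = constructed_flows()
    victims = find_victims(flows, 60, 500)          # {'203.0.113.10': 600.0}
    for v in victims:
        print(v, precursor_sources(flows, v, onset_ts=300))
```

The 60 s bucket is the export granularity you would normally have; the threshold and the 30-minute RTBH cut-off are the post's own operating points, not protocol constants. Note that RTBH completes the attack for that one address, as the post says, so `mitigation` only reaches for it after the policers and only for a sustained attack.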




RE: Elephant in the room - Akamai

2019-12-05 Thread Aaron Gould
Tarko. wow, gaming again !  It's not going away. gaming traffic is growing
in a big way it seems.

 

Clayton.. My thoughts exactly!  I too have wondered how valuable these
aanp's were, but lately I'm seeing good efficiency

 

Thanks y'all

 

-Aaron

 

 



RE: Elephant in the room - Akamai

2019-12-05 Thread Aaron Gould
I see my Akamai aanp cache utilization at all-time highs the last 2 nights as 
well.  Curious what it is.

 

Jared, you can reply to my off-list if you wish, or on-list if it would benefit 
the community.

 

Thanks,

Aaron

 



RE: Disney+ Streaming

2019-11-13 Thread Aaron Gould
Justin’s original question was “….. Is it well known where the newly released 
Disney+ streaming service content is sourced?...”

 

With Eric’s finding of “I saw various content being served from Akamai, Amazon, 
Fastly and Limelight so far. I'm in Montreal.”

 

Is this an absolute answer as to how Disney+ is handling delivery of their 
content?  If not, are there any Disney folks listening that could respond to me 
either off list or on the community thread here about how we should expect to 
see this Disney+ content sourced and whether or not Disney+ has or is planning 
on building out an ISP-located CDN type of network, much like all the others? 
(OCA, FNA, AANP, AEC, ACE, GGC)

 

-Aaron



RE: Disney+ Geolocation issues

2019-11-13 Thread Aaron Gould
That email (cl...@disneystreaming.com) bounced back as undeliverable.

 

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Michael Crapse
Sent: Tuesday, November 12, 2019 7:27 PM
Cc: NANOG list
Subject: Re: Disney+ Geolocation issues

 

There has been a continued flurry of trouble tickets from our eyeballs. I did 
find a contact  cl...@disneystreaming.com that i have reached out to in hope 
that they can hear our pleas.

 

On Tue, 12 Nov 2019 at 16:53, Cassidy B. Larson  wrote:

We're seeing the same thing.  Actually we saw it during pre-signup.  Reached 
out to Disney+ weeks ago as well, with no response.  Now it's launched, our 
support lines are flooded with people unable to give Disney all their moneys.   
 We finally got through to Disney+ support after 2.5hrs on hold to supply them 
the error code, IP address, and zip code.. we'll see if it's passed to the 
right folks. 

 

On Tue, Nov 12, 2019 at 3:30 PM Michael Crapse  wrote:

Myself and a few other ISPs are having our eyeballs complain about disney+ 
saying that they're on a VPN. Does anyone have any idea, or who to contact 
regarding this issue?

This is most likely improper geolocation databases. Anyone have an idea who 
they use?

 

Mike



RE: FCC Takes Steps to Enforce Quality Standards for Rural Broadband

2019-11-04 Thread Aaron Gould
I heard that we would be testing to Dallas or something like that from my ISP 
in San Antonio.

 

I think I heard that customer CPE routers will soon have that testing 
functionality built into them.

 

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Livingood, Jason
Sent: Monday, November 4, 2019 1:23 PM
To: Bill Woodcock; North American Network Operators' Group
Subject: Re: FCC Takes Steps to Enforce Quality Standards for Rural Broadband

 

I do not. But in the FCC’s Measuring Broadband America program (MBA) they have 
SamKnows measurement servers located in a few places so perhaps that is what 
they mean? See 
https://www.fcc.gov/reports-research/reports/measuring-broadband-america/measuring-fixed-broadband-eighth-report
 which says “The measurement servers were hosted by M-Lab and Level 3 
Communications, and were located in ten cities across the United States near a 
point of interconnection between the ISP’s network and the network on which the 
measurement server resided.” In the newest (in process) report I believe they 
also added StackPath. 

 

Jason

 

 

 

From: NANOG  on behalf of Bill Woodcock 
Date: Thursday, October 31, 2019 at 11:58 PM
To: Sean Donelan , North American Network Operators' Group 

Subject: Re: FCC Takes Steps to Enforce Quality Standards for Rural Broadband

 





On Oct 31, 2019, at 6:42 PM, Sean Donelan  wrote:
There is just so much I want to make sarcastic comments about, but I worry 
about offending future potential employers (all of them).
https://www.fcc.gov/document/fcc-takes-steps-enforce-quality-standards-rural-broadband-0

 

"The Bureaus required ETCs to perform speed and latency tests from the customer 
premises of an active subscriber to a remote test server located at or reached 
by passing through an FCC-designated Internet Exchange Point (IXP) and set a 
daily test period (requiring carriers to conduct tests between 6:00 p.m. and 
12:00 a.m. local time) for such tests.”

 

Anybody have a reference for the “FCC-designated IXPs?”  And what distinguishes 
them from the actual set of IXPs?


-Bill

 



RE: Viability of GNS3 network simulation for testing features/configurations.

2019-10-16 Thread Aaron Gould
Thanks Mike for the info on GNS3…. My info is old, I’ll have to take a look at 
the recent GNS3 sometime soon…

 

 

 

-Aaron

 

From: Mike Bolitho [mailto:mikeboli...@gmail.com] 
Sent: Wednesday, October 16, 2019 1:22 PM
To: Aaron Gould
Cc: Tom Beecher; Ryland Kremeier; nanog@nanog.org
Subject: Re: Viability of GNS3 network simulation for testing 
features/configurations.

 

EVE-NG is also really good. Just an FYI, GNS3 went through a major refresh 
about 18 months ago or so and it's so much better now. Either way, you can't go 
wrong with GNS3 or EVE-NG.


- Mike Bolitho

 

 

On Wed, Oct 16, 2019 at 11:18 AM Aaron Gould  wrote:

Oh, forgot the links…

 

http://www.eve-ng.net/

 

http://www.eve-ng.net/documentation/howto-s

 

 

 

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Aaron Gould
Sent: Wednesday, October 16, 2019 1:14 PM
To: 'Mike Bolitho'; 'Tom Beecher'; 'Ryland Kremeier'
Cc: nanog@nanog.org
Subject: RE: Viability of GNS3 network simulation for testing 
features/configurations.

 

I’ve used GNS3 some years ago for a lot of simulation and testing.  But, I’m 
blown away at how much more I like EVE-NG (emulated virtual environment 
next-gen)

 

I use the community free version… lots of vendor OS support… of which, I’ve 
actually worked with the following….

-XRv

-IOS virtual

-vMX

-vSRX

-vQFX

 

…check your in-box for a screen shot of my current environment.

 

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Bolitho
Sent: Wednesday, October 16, 2019 12:02 PM
To: Tom Beecher
Cc: 
Subject: Re: Viability of GNS3 network simulation for testing 
features/configurations.

 

Totally agree with Tom here. It's going to work really well for most things. 
But if you're testing code for bugs you NEED to do it on the same hardware you 
have in your environment in an actual lab.


- Mike Bolitho

 

 

On Wed, Oct 16, 2019 at 9:56 AM Tom Beecher  wrote:

GNS3 can do a heck of a lot, and the price is definitely right. 

 

I have used it extensively for initial fleshing out of designs or ideas, 
protocol nerding, automation interaction testing, etc. There are certainly other 
tools out there, but being able to visually draw a topology out, connect the 
dots, and have an environment to test in about 10 minutes is very nice. There 
is an API you can hook into to do some of that for you if you are so inclined, 
but that would depend on your use case and resources. For how I've used it, 
never been required. 

 

Some of the VMs from vendors can be pretty CPU and/or RAM intensive, so I've 
had the best experience running them all on a dedicated server, not locally. 
Again, use case dependent. For code testing I would always run the test set on 
hardware as well for likely obvious reasons. 

 

If you really get into the weeds with it you can do quite a lot.

 

On Wed, Oct 16, 2019 at 11:52 AM Ryland Kremeier  
wrote:

Hello,

 

I’m currently in the process of setting up a near identical network to our own 
in GNS3 for testing purposes. Has anyone here tried this before to any success? 
We need to buy the Cisco IOSv image to continue with the sim so I figured I 
would inquire here first before diving in.

 

All info is appreciated,

-- 

Ryland Kremeier



RE: Viability of GNS3 network simulation for testing features/configurations.

2019-10-16 Thread Aaron Gould
Oh, forgot the links…

 

http://www.eve-ng.net/

 

http://www.eve-ng.net/documentation/howto-s

 

 

 

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Aaron Gould
Sent: Wednesday, October 16, 2019 1:14 PM
To: 'Mike Bolitho'; 'Tom Beecher'; 'Ryland Kremeier'
Cc: nanog@nanog.org
Subject: RE: Viability of GNS3 network simulation for testing 
features/configurations.

 

I’ve used GNS3 some years ago for a lot of simulation and testing.  But, I’m 
blown away at how much more I like EVE-NG (emulated virtual environment 
next-gen)

 

I use the community free version… lots of vendor OS support… of which, I’ve 
actually worked with the following….

-XRv

-IOS virtual

-vMX

-vSRX

-vQFX

 

…check your in-box for a screen shot of my current environment.

 

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Bolitho
Sent: Wednesday, October 16, 2019 12:02 PM
To: Tom Beecher
Cc: 
Subject: Re: Viability of GNS3 network simulation for testing 
features/configurations.

 

Totally agree with Tom here. It's going to work really well for most things. 
But if you're testing code for bugs you NEED to do it on the same hardware you 
have in your environment in an actual lab.


- Mike Bolitho

 

 

On Wed, Oct 16, 2019 at 9:56 AM Tom Beecher  wrote:

GNS3 can do a heck of a lot, and the price is definitely right. 

 

I have used it extensively for initial fleshing out of designs or ideas, 
protocol nerding, automation interaction testing, etc. There are certainly other 
tools out there, but being able to visually draw a topology out, connect the 
dots, and have an environment to test in about 10 minutes is very nice. There 
is an API you can hook into to do some of that for you if you are so inclined, 
but that would depend on your use case and resources. For how I've used it, 
never been required. 

 

Some of the VMs from vendors can be pretty CPU and/or RAM intensive, so I've 
had the best experience running them all on a dedicated server, not locally. 
Again, use case dependent. For code testing I would always run the test set on 
hardware as well for likely obvious reasons. 

 

If you really get into the weeds with it you can do quite a lot.

 

On Wed, Oct 16, 2019 at 11:52 AM Ryland Kremeier  
wrote:

Hello,

 

I’m currently in the process of setting up a near identical network to our own 
in GNS3 for testing purposes. Has anyone here tried this before to any success? 
We need to buy the Cisco IOSv image to continue with the sim so I figured I 
would inquire here first before diving in.

 

All info is appreciated,

-- 

Ryland Kremeier



RE: Viability of GNS3 network simulation for testing features/configurations.

2019-10-16 Thread Aaron Gould
I’ve used GNS3 some years ago for a lot of simulation and testing.  But, I’m 
blown away at how much more I like EVE-NG (emulated virtual environment 
next-gen)

 

I use the community free version… lots of vendor OS support… of which, I’ve 
actually worked with the following….



-XRv

-IOS virtual

-vMX

-vSRX

-vQFX

 

…check your in-box for a screen shot of my current environment.

 

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Bolitho
Sent: Wednesday, October 16, 2019 12:02 PM
To: Tom Beecher
Cc: 
Subject: Re: Viability of GNS3 network simulation for testing 
features/configurations.

 

Totally agree with Tom here. It's going to work really well for most things. 
But if you're testing code for bugs you NEED to do it on the same hardware you 
have in your environment in an actual lab.


- Mike Bolitho

 

 

On Wed, Oct 16, 2019 at 9:56 AM Tom Beecher  wrote:

GNS3 can do a heck of a lot, and the price is definitely right. 

 

I have used it extensively for initial fleshing out of designs or ideas, 
protocol nerding, automation interaction testing, etc. There are certainly other 
tools out there, but being able to visually draw a topology out, connect the 
dots, and have an environment to test in about 10 minutes is very nice. There 
is an API you can hook into to do some of that for you if you are so inclined, 
but that would depend on your use case and resources. For how I've used it, 
never been required. 

 

Some of the VMs from vendors can be pretty CPU and/or RAM intensive, so I've 
had the best experience running them all on a dedicated server, not locally. 
Again, use case dependent. For code testing I would always run the test set on 
hardware as well for likely obvious reasons. 

 

If you really get into the weeds with it you can do quite a lot.

 

On Wed, Oct 16, 2019 at 11:52 AM Ryland Kremeier  
wrote:

Hello,

 

I’m currently in the process of setting up a near identical network to our own 
in GNS3 for testing purposes. Has anyone here tried this before to any success? 
We need to buy the Cisco IOSv image to continue with the sim so I figured I 
would inquire here first before diving in.

 

All info is appreciated,

-- 

Ryland Kremeier



lots of traffic starting at 3 a.m. central time

2019-10-15 Thread Aaron Gould
Anyone else see lots of traffic coming down starting at 3 a.m. central time
?  all of my internet connections showed strangely larger load for a few
early morning hours.

 

I have some info that tells me what it was but wanted to hear it from others
too.

 

-Aaron



RE: IPv6 Pain Experiment

2019-10-03 Thread Aaron Gould
Thank God for DNS  ;)

-aaron


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Alan Buxey
Sent: Thursday, October 3, 2019 2:22 PM
To: Naslund, Steve
Cc: nanog@nanog.org
Subject: Re: IPv6 Pain Experiment

hi,

> Go ahead and read your v4 address over the phone and then do the same with 
> your v6 address.  Which is easier?  I do understand all about these addresses 
> both being binary underneath (I've been doing this for over 30 years now).  
> However it is much easier to communicate using four decimal octets.

::1

so much quicker than 127.0.0.1  ;-)

> People generally do not like change and being forced to learn something new.

some people don't... but it's called progress.  I'd have to worry about
someone whose only experience is of TCP/IP networking (and only IPv4
at that).  do they also get wobbly when
their data is now on a big broadcast collision domain network after
all those years of moving it to a switched system?

>That is just human nature.  You have to give them a reason to want to do it 
>(more money, better service, less long term cost, etc.).

the ability to communicate to the rest of the growing world where IPv4
addresses just aren't there anymore?

>It is hard to make the case to eliminate v4 in use cases where it is working 
>perfectly fine (especially RFC1918 inside an enterprise).

2 things on this. just an internal network? yes, you could say 'why
bother'?   I *could* think about being in that camp... but actually,
I'd stick the security hat on and say, just like I did with wireless

'we don't have any wireless' - oh really? without being in the domain
and having kit that will detect it/trace its source etc how will you
know

in the IPv6 world... if you aren't the one controlling it on your
network (and reporting on it) then you will have clients happily
talking to each other
on it, tunnelling it around the place (hello all those TEREDO tunnels)
and being the router for traffic. all the fun with ff02::1 on your
local segment  ;-)

alan
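Alan's point is that IPv6 you have not deployed is still IPv6 you have to see: hosts tunnelling it out over Teredo, a client answering as a router on ff02::1, and global-scope v6 unicast between clients on a segment everyone believes is v4-only. The block below is an added example of a small audit over constructed packet summaries, not code from the thread or from any product; the `Pkt` record, the function names and all MAC and IP values are mine. The constants are real protocol values: Teredo encapsulates IPv6 in UDP/3544 and an ICMPv6 Router Advertisement is type 134.

```python
"""Flag IPv6 activity you are not controlling on a segment: rogue Router
Advertisements, Teredo tunnels and IPv6 unicast where none was deployed.
Example code on constructed packet summaries, not the poster's tooling."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

TEREDO_UDP_PORT = 3544             # Teredo: IPv6 inside UDP/3544 (RFC 4380)
ICMPV6_ROUTER_ADVERTISEMENT = 134  # ICMPv6 RA type; RAs go to ff02::1 (all nodes)
ALL_NODES_LINK_LOCAL = "ff02::1"

@dataclass(frozen=True)
class Pkt:
    src_mac: str
    ethertype: str      # "ipv4" or "ipv6"
    src: str
    dst: str
    proto: str          # "tcp" | "udp" | "icmpv6"
    dport: int = 0
    icmp_type: int = 0

def audit(pkts: List[Pkt], authorised_router_macs: Set[str],
          ipv6_managed: bool) -> List[Tuple[str, str, str]]:
    """Return (finding, src_mac, src_ip) tuples. ipv6_managed=False means the
    segment is not supposed to carry IPv6 at all, so any non-link-local v6
    unicast is reported, not only the rogue RAs."""
    findings: List[Tuple[str, str, str]] = []
    for p in pkts:
        if p.proto == "udp" and p.dport == TEREDO_UDP_PORT:
            findings.append(("teredo_tunnel", p.src_mac, p.src))
        if p.ethertype != "ipv6":
            continue
        is_ra = p.proto == "icmpv6" and p.icmp_type == ICMPV6_ROUTER_ADVERTISEMENT
        if is_ra and p.src_mac not in authorised_router_macs:
            findings.append(("rogue_router_advertisement", p.src_mac, p.src))
        elif not is_ra and not ipv6_managed and not p.src.lower().startswith("fe80:"):
            # link-local NDP chatter is normal on any host; global/ULA unicast is not
            findings.append(("unmanaged_ipv6_traffic", p.src_mac, p.src))
    return findings

def summarize(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count findings by kind, for a quick per-segment report."""
    return dict(Counter(kind for kind, _, _ in findings))

# Constructed capture: one real router, one client posing as a router, one
# Teredo client, one v6 web session, one ordinary v4 session, one NS.
CONSTRUCTED_PKTS = [
    Pkt("00:11:22:33:44:01", "ipv6", "fe80::1", ALL_NODES_LINK_LOCAL, "icmpv6", icmp_type=134),
    Pkt("de:ad:be:ef:00:02", "ipv6", "fe80::2", ALL_NODES_LINK_LOCAL, "icmpv6", icmp_type=134),
    Pkt("de:ad:be:ef:00:03", "ipv4", "10.0.0.8", "192.0.2.7", "udp", dport=3544),
    Pkt("de:ad:be:ef:00:04", "ipv6", "2001:db8::5", "2001:db8::9", "tcp", dport=443),
    Pkt("de:ad:be:ef:00:05", "ipv4", "10.0.0.9", "192.0.2.1", "tcp", dport=443),
    Pkt("de:ad:be:ef:00:04", "ipv6", "fe80::4", "ff02::1:ff00:9", "icmpv6", icmp_type=135),
]
AUTHORISED_ROUTERS = {"00:11:22:33:44:01"}

if __name__ == "__main__":
    for f in audit(CONSTRUCTED_PKTS, AUTHORISED_ROUTERS, ipv6_managed=False):
        print(f)
```

Each finding maps to a control you already know from the wired/wireless world: RA Guard or equivalent port filtering for the rogue router, blocking or at least logging UDP/3544 at the edge for Teredo, and, for the unmanaged v6 unicast, deciding to deploy and monitor IPv6 on purpose rather than letting clients do it for you.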



RE: few big monolithic PEs vs many small PEs

2019-06-21 Thread Aaron Gould
I was reading this and thought, planet earth is a single point of failure.

...but, I guess we build and design and connect as much redundancy (logic, hw, 
sw, power) as the customer requires and pays for and that we can truly 
accomplish.

-Aaron





RE: BGP person from Bell Canada/AS577

2019-06-20 Thread Aaron Gould
As I recall, yes that is true.

Somethings mentioned here...

https://www.akamai.com/us/en/multimedia/documents/akamai/akamai-accelerated-network-partner-aanp-faq.pdf

I recall that after I deployed my local AANP clusters, that *if* I wanted to 
bypass local aanp caching, that I would change my dns setting and thus bypass 
aanp cache, and flow out to inet.

-Aaron




RE: Traffic ratio of an ISP

2019-06-19 Thread Aaron Gould
I’m heavy inbound.  Which I think is characteristic of a stub-AS with lots of 
resi/busi bb ... no transit… just a lot of people looking at stuff.

 

Inbound is of course from the perspective of traffic coming into my AS

 

-Aaron

 



RE: Traffic ratio of an ISP

2019-06-19 Thread Aaron Gould
I run an eyeballs/isp network for about ~50,000 subscribers, and I see about 
1:10 ratio at peak time.  Last night ~4.5 gbps out, ~45 gbps in.  But, I do 
have local caching of 4 big name cdn cache providers, so that might alter the 
1:10 ratio I see on my actual inet links (which do not include the local cdn 
traffic)

 

…take Netflix for instance… I see on my local nfx cdn links, 1:100 ratio of 
in:out.  20 gbps inbound and .2 gbps outbound  (during that same timeframe as 
aforementioned actual inet links)

 

Numbers based on 21:00 CDT last night.

 

 

-Aaron

 



evpn-mpls - routes sent throughout global inet.0 routing domain

2019-06-14 Thread Aaron Gould
I see evpn mac/host routes in the evpn database.  I added an L3 irb
interface into the evpn and suddenly I see those /32 host routes put into
inet.0 (where the irb.x resides).

 

Is there a best practice for distributing/advertising those inet.0 evpn host
routes throughout my global routing domain to other neighbors?

 

I'm currently accomplishing it with an ospf export policy matching evpn. and
then I do in fact see those /32 evpn-originated host routes show up
throughout my global routing domain as OSPF Preference 150 (AS external)

 

(btw, I'm doing this in juniper routers)

 

-Aaron



RE: JunOS Fusion Provider Edge

2019-04-11 Thread Aaron Gould
Can I test fusion using vMX and vQFX ?  Will it work?

 

 

-Aaron

 

 



RE: Disney+ CDN

2019-04-11 Thread Aaron Gould
Have we found out yet if Disney+ will have a CDN?  Like Netflix oca, Akamai 
aanp, google ggc, facebook fna … a Disney isp-located cdn presence ?

 

disneyplus.com

 

-Aaron

 

 

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Aaron Graves
Sent: Saturday, December 29, 2018 7:22 PM
To: nanog@nanog.org
Subject: Disney+ CDN

 

Anyone know what Disney is planning on doing for streaming content distribution 
once they leave Netflix?  Would be nice if they'd provide an on-prem cache 
server.

 

AG



RE: modeling residential subscriber bandwidth demand

2019-04-02 Thread Aaron Gould
“…especially in the face of transport tweaks such as QUIC and TCP BBR? “

 

Do these “quic and tcp bbr” change bandwidth utilization as we’ve known it for 
years ?

 

-Aaron



RE: modeling residential subscriber bandwidth demand

2019-04-02 Thread Aaron Gould
We use trendline/95% trendline that’s built into a lot of graphing tools… 
solarwinds, I think even cdn cache portals have trendlines… forecasts, etc.   
My boss might use other growth percentages gleaned from previous years… but 
yeah, like another person mentioned, the more history you have the better it 
seems… unless there is some major shift for some strange big reason…  but have 
we ever seen that with internet usage growth ?  …yet. ?

 

I mean has the internet bandwidth usage ever gone down nationally/globally , 
similar to like a graph of the housing market in 2007/2008 ?   

 

-Aaron

 



RE: Was wrong Re: Did IPv6 between HE and Google ever get resolved?

2019-03-29 Thread Aaron Gould
Why does cogent seem like the commonality between those 2 that you mentioned  :|

- Aaron

-
"I think what you were remembering is Cogent/Google and Cogent/HE are both 
IPv6 issues where the parties can't agree on peering vs transit for the v6 
relationship."




cgnat ams0 vrf-aware flow data export help

2019-02-14 Thread Aaron Gould
Need assistance with exporting flow data for inside interface of cgnat ams0
aggregated multiservice interface

 

I have MX960 with MS-MPC-128G doing cgnat using AMS0 (aggregated
multiservice of underlying mams interfaces) using next-hop-style vrf-aware
cgnat.

 

I need the cgnat inside domain interface (ams0.551) to be configured to
export flow data (jflow, sflow, ipfix, whichever version i can use) to a
flow collector server, this is important so we can have flow data of
(pre-nat) private ip traffic.

 

Anyone know how ?

 

-Aaron



RE: Last Mile Design

2019-02-14 Thread Aaron Gould
Not sure if this is what y'all are talking about, but I use lots of Juniper 
ACX5048 (previously Cisco ME3600 or ASR9000) for mpls-capable router edging in 
native ip/ethernet from ftth gpon network into mpls l2circuits and LOTS of 
vrfs... vrf for public ip, vrf for cgnat for private ip, vrf for voice...  I'm 
glad I did it.


Residential- ONT-ftth/gpon--OLT--ACX5048-mpls/vrf x---cgnat/inet--

Residential- DSL Modem-DSLAM---ACX5048-mpls/vrf y---cgnat/inet--

Residential- Cable Modem-CMTS---ACX5048-mpls/vrf z---cgnat/inet--



-Aaron






RE: BGP topological vs centralized route reflector

2019-02-14 Thread Aaron Gould
To not get off-topic too much, since you mentioned MX204, please tell me, do 
you know if it is a nice MPLS P/PE box ?  If so, is it quite capable in its 
ability to do L3 VPN's, L2 VPN's (l2circuit mainly, but also curious of vpls, 
evpn).

Actually I'm considering it as a router for my ENNI hand-offs to 3rd party 
neighboring networks where I hand-off vlans (double tagged) for various 
enterprise customers and cbh towers, etc., then I would carry that probably 
in a l2circuit from that MX204 to the utter-most parts of my mpls cloud.  I 
would want to police at that subinterface (unit) level to limit traffic for 
obviously what they buy.

MX204 be good for that ?

Thanks Mark

-Aaron

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mark Tinka
Sent: Thursday, February 14, 2019 7:09 AM
To: nanog@nanog.org
Subject: Re: BGP topological vs centralized route reflector



On 14/Feb/19 14:04, Alain Hebert wrote:
> Hi,
>
> Unlucky as always, we had issues with the chassis of a MX104 about
> every years since we installed.

Are you using the MX104 as a route reflector? If so, make one of the
VM's your alternative for this function :-).

If you're not doing any non-Ethernet services on your MX104, and are
struggling with the control plane, I'd propose moving to the MX204.

Mark.



RE: Last Mile Design

2019-02-08 Thread Aaron Gould
We do 1 gig over pon (gpon)...Calix E7 (olt)

Yes, it's my understanding, and I agree with previous post response, that PON 
is for using 1 fiber strand to a home (bidir , different wavelengths for xmt 
and rcv) and then I believe it even gets prism'd (however the heck they do it) 
into a 1/32 split or something like that so that you don't have to run direct 
fibers from every home back to the CO

...AND, in a rural area, geez, those are lggg fiber runs so a pon 
cabinet in the field helps greatly

Yes, 2.4g down and  1.2 g up is a concern when you've sold (oversubscribed) 
more bw than that 

We are concerned and looking for ways to overcome this and keep up with 
subscriber bw demands all the time ... fun and job secure

-Aaron another Aaron :) 



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Aaron
Sent: Friday, February 8, 2019 3:02 PM
To: nanog@nanog.org
Subject: Re: Last Mile Design

My statement was meant to be tongue in cheek.  We deliver 1G to the home 
free of charge and make our money on the 10,40 and 100G connections.  We 
haven't been able to deliver those capacities over PON so we've never 
really taken it seriously.  As with everything else, your use case and 
economics may vary.

Aaron


On 2/8/2019 2:31 PM, Tony Wicks wrote:
> It also significantly reduces the requirement to distribute active equipment 
> into the field while massively reducing the feeder fibre requirement. Point 
> to point has its place to be sure, but mass market FTTH is not viable without 
> PON's economics.
>
>
> On 02/08/2019 12:48 PM, Aaron wrote:
>> I've always felt PON is a tool for people who don't know how to design a
>> proper network.
> Why is that?
>
> I always thought PON was a technology that reduced the number of active
> ports, thus altering the port cost per subscriber significantly by not
> actually needing dedicated ports.
>
>
>

-- 

Aaron Wendel
Chief Technical Officer
Wholesale Internet, Inc. (AS 32097)
(816)550-9030
http://www.wholesaleinternet.com





RE: CGNAT

2019-02-07 Thread Aaron Gould
Rich, et al, 

Circling back on some older threads... I'm doing this because I've been
growing my cgnat environments and needing to remind myself of some things,
etc...

If an attack is targeted at 1 ip address, you would think that it
would/could affect all the napt-44 (nat overloaded/pat'd) ip's that hide
behind it... but isn't that *IF* that traffic actually got through the nat
boundary and flowed to the intended target(s) ?

Unsolicited outside>inside traffic I believe results in a deny of
traffic... and I'm seeing that the nat actually builds those flows as drop
flows

I generated some traffic at a nat destination and I see all my traffic is
"Drop"... now I wonder if this is a fast path like in asic (pfe) hardware
being dropped... if so, it would seem that the nat boundary is yet a really
nice way to quickly drop unsolicited inbound traffic from perhaps bad
sources.

My source where I was generating traffic... Hollywood-ip (only works in the
movies) 256.256.191.133 (bad guy)

Nat destination where I was sending traffic to... 256.256.130.4 (victim/target)

Now of course the resources/network outside the nat is bogged down, but the
inside nat domain seems to be unaffected in this case from what I can tell.

And again, I'm wondering if that "Drop" flow is lightweight/fast processing
for the ms-mpc-128g juniper gear ?


{master}
agould@960> show services sessions destination-prefix 256.256.130.4/32 | grep 256.256.191.133 | refresh 1
---(refreshed at 2019-02-07 12:36:45 CST)---
---(refreshed at 2019-02-07 12:36:46 CST)---
---(refreshed at 2019-02-07 12:36:47 CST)---
---(refreshed at 2019-02-07 12:36:48 CST)---
---(refreshed at 2019-02-07 12:36:49 CST)---
---(refreshed at 2019-02-07 12:36:50 CST)---
---(refreshed at 2019-02-07 12:36:51 CST)---
---(refreshed at 2019-02-07 12:36:52 CST)---
TCP    256.256.191.133:54519  ->  256.256.130.4:443    Drop  O  1
ICMP   256.256.191.133        ->  256.256.130.4        Drop  O  1
---(refreshed at 2019-02-07 12:36:53 CST)---
TCP    256.256.191.133:54519  ->  256.256.130.4:443    Drop  O  1
ICMP   256.256.191.133        ->  256.256.130.4        Drop  O  1
---(refreshed at 2019-02-07 12:36:54 CST)---
TCP    256.256.191.133:54519  ->  256.256.130.4:443    Drop  O  1
ICMP   256.256.191.133        ->  256.256.130.4        Drop  O  1
---(refreshed at 2019-02-07 12:36:55 CST)---
TCP    256.256.191.133:54519  ->  256.256.130.4:443    Drop  O  1
ICMP   256.256.191.133        ->  256.256.130.4        Drop  O  1
---(refreshed at 2019-02-07 12:36:56 CST)---
---(refreshed at 2019-02-07 12:36:57 CST)---
---(refreshed at 2019-02-07 12:36:58 CST)---
UDP    256.256.191.133:12998  ->  256.256.130.4:80     Drop  O  1
UDP    256.256.191.133:2      ->  256.256.130.4:80     Drop  O  1
---(refreshed at 2019-02-07 12:36:59 CST)---
UDP    256.256.191.133:12998  ->  256.256.130.4:80     Drop  O  1
UDP    256.256.191.133:2      ->  256.256.130.4:80     Drop  O  1
---(refreshed at 2019-02-07 12:37:00 CST)---
UDP    256.256.191.133:12998  ->  256.256.130.4:80     Drop  O  1
UDP    256.256.191.133:2      ->  256.256.130.4:80     Drop  O  1
---(refreshed at 2019-02-07 12:37:01 CST)---
UDP    256.256.191.133:12998  ->  256.256.130.4:80     Drop  O  1
UDP    256.256.191.133:2      ->  256.256.130.4:80     Drop  O  1

- Aaron

-Original Message-
From: Compton, Rich A [mailto:rich.comp...@charter.com] 
Sent: Thursday, April 6, 2017 3:49 PM
To: Aaron Gould; 'Ahmed Munaf'; 'Nanog@Nanog'
Subject: Re: CGNAT

Hi Aaron, thanks for the info.  I'm curious what you or others do about
DDoS attacks to CGNAT devices.  It seems that a single attack could affect
the thousands of customers that use those devices.  Also, do you have
issues detecting attacks vs. legitimate traffic when you have so much
traffic destined to a small group of IPs?

Rich Compton  |  Principal Eng |  314.596.2828
14810 Grasslands Dr, Englewood, CO 80112
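What Aaron observes in the session table, unsolicited outside-to-inside packets showing up only as Drop flows, follows from how NAPT-44 works: an inside host's outbound packet creates the mapping, and an inbound packet is only translated when it matches a flow that was opened from the inside. The block below is an added example of that behaviour as a small session-table model; it is not Juniper's MS-MPC implementation and makes no claim about where in the PFE the real box drops these flows. It assumes address-and-port-dependent filtering (the strictest common NAT behaviour) and an endpoint-independent port mapping; the class and method names and all addresses are mine.

```python
"""NAPT-44 session table model: solicited inbound is translated, unsolicited
inbound becomes a Drop flow. Example code, not a vendor implementation."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]
OutsideKey = Tuple[str, str, int, int]   # (proto, outside_ip, outside_port, pool_port)

class Napt44:
    def __init__(self, pool_ip: str, first_port: int = 1024, last_port: int = 65535) -> None:
        self.pool_ip = pool_ip
        self._next_port = first_port
        self._last_port = last_port
        # (proto, inside_ip, inside_port) -> pool port: endpoint-independent mapping,
        # so one inside socket keeps one pool port across destinations
        self.mappings: Dict[Tuple[str, str, int], int] = {}
        # outside 4-tuples opened from the inside; only these may come back in
        self.sessions: Dict[OutsideKey, Endpoint] = {}
        # unsolicited inbound, recorded as drop flows with a packet count
        self.drop_flows: Dict[OutsideKey, int] = defaultdict(int)

    def _alloc(self, key: Tuple[str, str, int]) -> int:
        if key not in self.mappings:
            if self._next_port > self._last_port:
                raise RuntimeError("pool port range exhausted")
            self.mappings[key] = self._next_port
            self._next_port += 1
        return self.mappings[key]

    def outbound(self, proto: str, inside_ip: str, inside_port: int,
                 dst_ip: str, dst_port: int) -> Endpoint:
        """Inside -> outside packet: allocate/reuse the pool port, open the session,
        return the translated source. For ICMP use the echo id as the port."""
        pool_port = self._alloc((proto, inside_ip, inside_port))
        self.sessions[(proto, dst_ip, dst_port, pool_port)] = (inside_ip, inside_port)
        return self.pool_ip, pool_port

    def inbound(self, proto: str, src_ip: str, src_port: int, dst_port: int) -> Optional[Endpoint]:
        """Outside -> pool_ip:dst_port packet: translate only if this exact 4-tuple
        was opened from inside; otherwise count it on a Drop flow and return None."""
        key: OutsideKey = (proto, src_ip, src_port, dst_port)
        if key in self.sessions:
            return self.sessions[key]
        self.drop_flows[key] += 1
        return None

    def drops_by_source(self) -> Dict[str, int]:
        """Dropped packets per outside source: the 'unsolicited inbound' view you
        would want to alert on or feed a policer from."""
        per_src: Dict[str, int] = defaultdict(int)
        for (_proto, src_ip, _sport, _dport), n in self.drop_flows.items():
            per_src[src_ip] += n
        return dict(per_src)

    def show_sessions(self) -> List[str]:
        """One line per flow, in the spirit of the 'show services sessions' output."""
        lines = [f"{proto:5} {oip}:{oport} -> {self.pool_ip}:{pport}  Forward  ({iip}:{iport})"
                 for (proto, oip, oport, pport), (iip, iport) in self.sessions.items()]
        lines += [f"{proto:5} {oip}:{oport} -> {self.pool_ip}:{pport}  Drop  {n}"
                  for (proto, oip, oport, pport), n in self.drop_flows.items()]
        return lines

if __name__ == "__main__":
    nat = Napt44("203.0.113.4")                                   # constructed pool address
    nat.outbound("TCP", "10.10.0.5", 40000, "198.51.100.1", 443)  # inside host opens a session
    nat.inbound("TCP", "198.51.100.1", 443, 1024)                 # reply: translated
    nat.inbound("TCP", "203.0.113.133", 54519, 443)               # unsolicited: Drop flow
    print("\n".join(nat.show_sessions()))
```

The model makes the two halves of the post's question visible: nothing behind the pool address sees the unsolicited packets, so the inside domain is unaffected, while the outside link and the NAT's own session resources still absorb them, which is exactly the exposure Rich asks about. Whether the drop happens in a fast path is a property of the hardware, not of the NAT semantics shown here.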








RE: [ROUTING] Settle a pointless debate - more commonly used routing protocol in total deployments - OSPF vs IS-IS

2019-01-25 Thread Aaron Gould
Nah, statics everywhere.  That way only I can fix it.  ...sometimes... lol

-Aaron

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy Bush
Sent: Friday, January 25, 2019 12:41 PM
To: Tom Beecher
Cc: North American Network Operators' Group
Subject: Re: [ROUTING] Settle a pointless debate - more commonly used
routing protocol in total deployments - OSPF vs IS-IS

> Next thing we know someone is going to start pumping up EIGRP.
> 
>> there's an old saying, is-is is deployed in few networks, just some of
>> the world's largest ones.  there might be a reason for that.
>>
>> personally, i prefer emacs.

idrp please

randy



RE: [ROUTING] Settle a pointless debate - more commonly used routing protocol in total deployments - OSPF vs IS-IS

2019-01-25 Thread Aaron Gould
In my isp network of ~50,000 subscribers, I run about (200) mpls p/pe nodes in 
one ospf area with dual rr cluster for mp-ibgp type mpls overlay services.  
Seems fine to me.

 

-Aaron

 



RE: A survey about networking incidents

2019-01-24 Thread Aaron Gould
It seems that this is even increasingly harder in a MEF/SP-type Layer 2 
emulated network of eline, elan, etree type things…

 

Yeah seems that you have to have synthetic-type traffic generated and inserted 
into the data path to measure on…

 

Isn’t CFM/Ethernet OAM supposed to segment up the network into management 
domains-of-responsibility with mips/meps, etc. so that you can real-time-monitor 
your system and others can monitor theirs… I have not set this up, but I 
thought that was one way of being able to know, on-going, the state of the 
network, link-by-link and endpoint-to-endpoint… I think on-going CCMs flow to 
give you an idea of the extent to which links and services are good or not good.

 

Perhaps that’s the proof you could point at for anyone trying to blame the 
network

 

I’m sure there are other ways… like cisco’s ip sla… accedian’s paa, twamp (I 
just remembered about twamp, and I think that’s perhaps an ip-layer version of 
what is like Ethernet layer cfm/oam, I could be wrong…) but as I think about it, 
I recall mpls-oam, perhaps others too

 

Yes, as network engineers, I/we continually have to clear-my-name (clear the 
network) of blame

 

-Aaron

 

p.s. I’ll try to look at the survey later

 

 

 

From: NANOG [mailto:nanog-bounces+aaron1=gvtc@nanog.org] On Behalf Of Yu, 
Minlan
Sent: Wednesday, January 23, 2019 9:32 AM
To: nanog@nanog.org
Subject: A survey about networking incidents

 

Hi Nanog,

 

We all know that networks are at the heart of many of the systems we use today. 
When these systems break, the underlying networks are often the first suspects. 
Networks are hard to diagnose and they are most likely to be blamed for 
problems even if they are completely healthy. As networking engineers, we have 
all seen cases where another part of the system was causing an issue but the 
network was held the suspect until the problem was resolved.

 

We are researchers from Harvard and The University of Pennsylvania who are 
interested in understanding this problem and its impact better in order to 
build a solution. Our goal is to be able to quickly rule out the network as a 
root cause for incidents in order to be able to speed up diagnosis and also to 
improve operator efficiency. We are interested in learning the answer to a few 
questions. Specifically, we would like to know: How often do you see problems 
where the network is blamed but after investigating you find the problem to be 
caused by some other part of the system? How often have you had incidents where 
the cause of the incident was outside of the boundary of your organization? How 
much do you think fixing this problem can help you and your organization more 
quickly diagnose problems?

 

We have created a *very* short survey to be able to get an operator's 
perspective on these questions. It should take less than 15 minutes to finish. 
The findings should help us as well as the research community at large to be 
able to build a solution that can benefit all types of networks, of different 
sizes, to improve how they do the diagnosis. We will be presenting the results 
of this anonymous survey in a scientific article later this year. We will 
report back our research once it's finished.

 

Survey URL: 
https://docs.google.com/forms/d/e/1FAIpQLScx-U54eQFQi5AdBCOOucMaI6BVmLwcMFiZl2HVZ9bHi1q8bA/viewform

 

We would greatly appreciate it if you could help us with this research.  Please 
feel free to forward this survey to other operators you know. Thank you!

 

Minlan Yu

http://minlanyu.seas.harvard.edu/



RE: Network Speed Testing and Monitoring Platform

2019-01-18 Thread Aaron Gould
Yes that too, thanks for the reminder, the linux sys eng I work with here 
showed me our internal stats the other day when I was asking him about this…

 

-Aaron

 

From: Luke Guillory [mailto:lguill...@reservetele.com] 
Sent: Friday, January 18, 2019 11:22 AM
To: Aaron Gould; 'Colton Conor'
Cc: 'NANOG'
Subject: RE: Network Speed Testing and Monitoring Platform

 

The paid version gives you access to all the reporting from the test ran 
against your server.

 

 

Luke

 

 

Ns

 

 



RE: Network Speed Testing and Monitoring Platform

2019-01-18 Thread Aaron Gould
I think the motivation for the paid/onsite version of ookla was so that we 
could say how good our customers speed is, without going through the internet.  
We can’t control utilization on the Internet, but we can internally.

 

-Aaron

 

From: Colton Conor [mailto:colton.co...@gmail.com] 
Sent: Friday, January 18, 2019 8:37 AM
To: Aaron Gould
Cc: NANOG
Subject: Re: Network Speed Testing and Monitoring Platform

 

Aaron,

 

How does the https://account.speedtestcustom.com/login differ from hosting a 
speedtest.net server as an ISP, and letting anyone test through it? Seems the 
speedtest custom is a paid option, but hosting a speedtest.net server is free if 
you allow it to the public domain. Sure it uses up bandwidth (which I am sure you 
have a ton of), so I don't see the point of having a custom one? 

 

On Thu, Jan 17, 2019 at 10:27 AM Aaron Gould  wrote:

https://github.com/adolfintel/speedtest - one drawback we’ve seen is upload 
test has issues on some iphones (maybe other mobile devices) in safari, but I 
think chrome might work, unsure

 

https://account.speedtestcustom.com/login - ookla customer speedtest – we have 
this running *internally* in our network on VM and also bare-metal, this is 
where our customers test locally

 

Iperf - we engineers used it

wifiperf – we engineers used it

 

-Aaron

 



RE: Network Speed Testing and Monitoring Platform

2019-01-17 Thread Aaron Gould
https://github.com/adolfintel/speedtest - one drawback we’ve seen is upload 
test has issues on some iphones (maybe other mobile devices) in safari, but I 
think chrome might work, unsure

 

https://account.speedtestcustom.com/login - ookla customer speedtest – we have 
this running *internally* in our network on VM and also bare-metal, this is 
where our customers test locally

 

Iperf - we engineers used it

wifiperf – we engineers used it

 

-Aaron

 



RE: Changing upstream providers, opinions/thoughts on 123.net and cogent

2019-01-08 Thread Aaron Gould
I’ve never heard of 123

 

I’ve used Cogent for several years now… 

 

Price was good

10 gig link… for a few years

20 gig (2) 10 gigs lagged… for a year or so…

100 gig link for past few months…

 

The support is quick and easy to deal with.

 

DDOS RTBH is nice quick and easy (but different than other SP’s with 
communities…. Cogent ddos rtbh is a separate bgp neighbor session)… I like it

 

IPv6 has issues with Google and HE I think still….been years now.

 

Attacks come as often through cogent as any of my sp’s, but probably more on 
cogent than others…. Telia is catching up.

 

-Aaron

 



RE: Whats going on at Cogent

2018-10-18 Thread Aaron Gould
I guess those bots have to sit somewhere.  I don’t know that they would be in 
routers as much as they would be in Microsoft Windows… so if that’s what you 
meant, then I see what you mean Michael

 

Niels, I like my cogent and telia internet connections… I just recall seeing 
more ddos on cogent than I did on my previous att, and current spectrum… telia 
is showing a good bit of ddos also 

 

Let’s put it this way, I can thank Cogent and Telia for helping me get better 
in my ddos mitigation skills :)   … there’s a bright side to everything huh

 

Aaron

 

 

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Michael Crapse
Sent: Tuesday, October 16, 2018 8:37 PM
To: NANOG list
Subject: Re: Whats going on at Cogent

 

Or he's saying that cogent has the biggest network of compromised users. 
Usually ipv4 only eyeball networks tend to have the most bots on net.

 

 

On Tue, 16 Oct 2018 at 19:22, Niels Bakker  wrote:

* aar...@gvtc.com (Aaron1) [Wed 17 Oct 2018, 00:17 CEST]:
>However Cogent seems to be the dirtiest in regards to DDOS...
>however Telia might be catching up... in times past when I receive 
>volumetric DDOS, Cogent typically ranks with the highest on my 
>providers ... AT&T and spectrum seem to be a bit cleaner

So you're saying, Cogent and Telia have the best backbones and 
interconnects and thus deliver the most of your traffic to you, 
even at times of peak utilization?


-- Niels.



RE: Youtube Outage

2018-10-16 Thread Aaron Gould
Back up in south central texas

 

-Aaron

 

From: NANOG [mailto:nanog-bounces+aaron1=gvtc@nanog.org] On Behalf Of Bryce 
Wilson
Sent: Tuesday, October 16, 2018 9:42 PM
To: Ishmael Rufus
Cc: NANOG
Subject: Re: Youtube Outage

 

I concur, all of my systems have it as back up.

Thanks ~ Bryce Wilson, AS202313


On Oct 16, 2018, at 7:40 PM, Ishmael Rufus  wrote:

Should be coming back online

 

On Tue, Oct 16, 2018 at 9:35 PM Ben Cannon  wrote:

Confirmed outage in Windsor CA

-Ben


On Oct 16, 2018, at 7:15 PM, Charles Mills  wrote:

The reports I've seen showing it as a worldwide outage.  

 

On Tue, Oct 16, 2018 at 10:14 PM Nathan Brookfield 
 wrote:

Australia too….

 

From: NANOG  On Behalf Of Oliver O'Boyle
Sent: Wednesday, October 17, 2018 1:08 PM
To: marshall.euba...@gmail.com
Cc: North American Network Operators' Group 
Subject: Re: Youtube Outage

 

Same in Montreal.

 

On Tue, Oct 16, 2018 at 9:52 PM Marshall Eubanks  
wrote:

Reports (and humor) are flooding twitter.
On Tue, Oct 16, 2018 at 9:44 PM Ross Tajvar  wrote:
>
> You beat my email by seconds. Yes, it is widespread.
>
> On Tue, Oct 16, 2018 at 9:39 PM, Kenneth McRae via NANOG  
> wrote:
>>
>> Is this widespread?
>
>




 

-- 

:o@>

 



RE: Youtube Outage

2018-10-16 Thread Aaron Gould
Oh yeah, hitting me hard in South Central Texas... no youtube videos at all for 
my customers.

-Aaron

 

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ross Tajvar
Sent: Tuesday, October 16, 2018 8:43 PM
To: Kenneth McRae
Cc: NANOG
Subject: Re: Youtube Outage

 

You beat my email by seconds. Yes, it is widespread.

 

On Tue, Oct 16, 2018 at 9:39 PM, Kenneth McRae via NANOG  
wrote:

Is this widespread?

 



RE: new(ish) ipv6 transition tech status on CPE

2018-10-12 Thread Aaron Gould
In my CGNat environment (~11,000 subs (5,000 dsl & 6,000 cable modem)) I had to 
solve issues with site-to-site vpn, console gaming and some webmail and banking 
web sites that seem to hand off authentication to another site and try to carry 
over the ip address … also had to try to accomplish load sharing amongst (3) 
cgnat nodes on my vrf-to-vrf boundary where I do natting…  here’s some things 
we did…

 

APP - consistent mapping for priv to pub ip's

 

EIM – stabilizes ports outbound

 

EIF - stabilizes ports inbound and allows for some hold-over (actual pinhole 
openings) for further comms from outside---to>inside

 

AMS LB - ams load balancing to occur on src-ip for removing the chance for more 
ip change*

 

AMS Member Failure options - more of adding resilience if/when underlying npu's 
fail

 

IGP (OSPF/LDP) routing - not cgnat related at all, and i recall more for load 
sharing amongst my mx960s, but was a big win for us when we found the (set 
protocols ldp track-igp-metric) trick for causing my PE's that would then use 
the real igp metric to route to the *igp closest* cgnat node 
(mx960/ms-mpc-128g) thus causing that cgnat node to always be used for that 
pe's set of priv ip subs... you must know that i had a triple cgnat node 
boundary ((3) mx960's w/ms-mpc's) and here again had an issue with all traffic 
going to the lowest bgp loopback ip tiebreaker since apparently inet.3 has 
metric 1 for every prefix... that trick ldp command copies inet.0 metric into 
inet.3 thus giving some real igp metric consideration to the bgp best path 
calculation

 

 

* pub ip pool is divided up over the number of npu/vpic's that are aggregated 
together in an ams... so there is a chance that your priv ip's will be hashed 
over any and all npu's thus causing greater chance of pub ip differences

 

Btw, there are keepalives for eif and sessions limits for resource issues to be 
considered

 

- Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Philip Loenneker
Sent: Thursday, October 11, 2018 10:58 PM
To: NANOG
Subject: RE: new(ish) ipv6 transition tech status on CPE

 

Hi Tom,

 

CGNAT is the most supported by the technology available in pretty much every 
device. Even keeping an audit trail of IP/port mappings is relatively easy 
(look into deterministic NAT – it will save you a lot of headache). You can 
likely lab it up with gear you already have, unlike the newer transition 
technologies that we’ve been discussing.

 

However, from my experience, the customer impact of going through 2 layers of 
NAT (NAT44) causes a lot of unhappy customers. I enabled it on my home 
connection for a few weeks to see how it went, and I was surprised that a lot 
of things just worked… Youtube, Netflix, etc had no issues. But there were key 
things such as Facebook Messenger voice and video calls that broke, which 
caused my family to get rather upset with me. Console gaming is also a common 
area of problems. For these types of Internet services, the profit margin can 
get eaten up quickly by the helpdesk calls.

 

As a side note, from internal discussions here (ie speculation, no real 
evidence to back it up), home users are likely to be impacted far more than 
business users, due to the difference in usage. 

 

Regards,

Philip

 

From: NANOG  On Behalf Of Tom Ammon
Sent: Friday, 12 October 2018 2:39 PM
To: NANOG 
Subject: Re: new(ish) ipv6 transition tech status on CPE

 

 

On Wed, Oct 10, 2018 at 3:08 PM Brock Tice  wrote:

On 10/09/2018 06:24 PM, Philip Loenneker wrote:
> I have asked several vendors we deal with about the newer technologies
> such as 464XLAT, and have had some responses indicating they will
> investigate internally, however we have not made much progress yet. One
> vendor suggested their device supports NAT46 and NAT64 so may support
> 464XLAT, but since it is incidental rather than an official feature, it
> may not support the full CLAT requirements. I have been meaning to do
> some tests but haven’t had a chance yet. It is also a higher price point
> than our current CPEs.
> 
>  
> 
> I have spoken to people who have looked into options such as OpenWRT
> (which supports several of these technologies), however the R&D and
> ongoing support is a significant roadblock to overcome.
> 

We looked into this somewhat intently ~6 months ago and had not much
luck from vendors. Barely on their radar if at all.

We used our own custom OpenWRT build on a few select, tested consumer
routers to do 464XLAT. In the end we went to dual-stack with CGN on
IPv4. I wrote up some documentation on how we did it on my blog, but in
the end I can't recommend the setup we used.

I would love RouterOS and (various mfgr) CPE support for 464XLAT, then I
would be ready to give it another shot.




It sounds like I am where you were 6 months ago. We've been looking at NAT64, 
MAP-T, potentially 464XLAT, and then dual stack with CGN on the v4 side. What 
did you experience with the dual-stack/CGN 
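
The "deterministic NAT" audit trail Philip mentions above, and the consistent private-to-public mapping Aaron lists as APP, come down to an arithmetic mapping from each subscriber address to one public address and one fixed port block. The following is an added example written for this page; it is not code from the thread or from any vendor's CGNAT implementation, and the pool sizes, the port floor and the addresses are constructed. It shows the forward mapping a CGNAT would apply and the reverse lookup an operator uses to answer an abuse report from the pool parameters alone, without per-session logs.

```python
"""Deterministic CGNAT port-block mapping (added example, not code from
the thread or any vendor's CGNAT implementation).

Each subscriber's private address maps by arithmetic to one public address
and one fixed port block, so an abuse report (public IP, port, time) can be
answered from the pool parameters alone.  Pools and sizes are constructed.
"""
import ipaddress

PRIVATE_POOL = ipaddress.ip_network("100.64.0.0/22")   # 1024 subscriber addresses (constructed)
PUBLIC_POOL = ipaddress.ip_network("203.0.113.0/30")   # 4 public addresses (constructed)
PORT_FLOOR = 1024                                      # never hand out well-known ports

# Compression ratio and resulting block size follow from the two pools.
SUBS_PER_PUBLIC = PRIVATE_POOL.num_addresses // PUBLIC_POOL.num_addresses  # 256
BLOCK = (65536 - PORT_FLOOR) // SUBS_PER_PUBLIC                             # 252 ports each


def forward(private_ip):
    """(public_ip, first_port, last_port) assigned to a subscriber address."""
    ip = ipaddress.ip_address(private_ip)
    if ip not in PRIVATE_POOL:
        raise ValueError(f"{private_ip} is not in the subscriber pool")
    idx = int(ip) - int(PRIVATE_POOL.network_address)
    pub_idx, slot = divmod(idx, SUBS_PER_PUBLIC)   # which public IP, which block on it
    pub = ipaddress.ip_address(int(PUBLIC_POOL.network_address) + pub_idx)
    first = PORT_FLOOR + slot * BLOCK
    return str(pub), first, first + BLOCK - 1


def reverse(public_ip, port):
    """Subscriber address behind (public_ip, port), or None if never assigned."""
    pub = ipaddress.ip_address(public_ip)
    if pub not in PUBLIC_POOL or not PORT_FLOOR <= port <= 65535:
        return None
    slot = (port - PORT_FLOOR) // BLOCK
    if slot >= SUBS_PER_PUBLIC:
        # With pool sizes that do not divide evenly, the top few ports of
        # each public IP belong to no subscriber.
        return None
    pub_idx = int(pub) - int(PUBLIC_POOL.network_address)
    idx = pub_idx * SUBS_PER_PUBLIC + slot
    return str(ipaddress.ip_address(int(PRIVATE_POOL.network_address) + idx))


def audit_trail():
    """Everything that must be retained to answer reports: only the parameters."""
    return {
        "private_pool": str(PRIVATE_POOL),
        "public_pool": str(PUBLIC_POOL),
        "port_floor": PORT_FLOOR,
        "block": BLOCK,
        "subs_per_public": SUBS_PER_PUBLIC,
    }


if __name__ == "__main__":
    # Example report: "abuse from 203.0.113.1 port 1300" -> subscriber.
    print(forward("100.64.1.1"), reverse("203.0.113.1", 1300))
```

With these constructed sizes every subscriber gets 252 source ports; a household that needs more concurrent sessions than its block holds is exactly the case where products fall back to a logged overflow pool, so the block size is the knob that trades public address consumption against how much per-session logging you still have to keep.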

RE: Study on configuration change practices

2018-09-07 Thread Aaron Gould
Hi Aaron, interesting …making routers do what you intend…hmmm… Sounds like 
SDN :)   …how does what you are doing differ from the intent-based-controller 
driven sdn concepts that I hear so much about these days.

 

BTW, I did the survey.

 

- Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Aaron Gember-Jacobson
Sent: Friday, September 7, 2018 8:52 AM
To: nanog@nanog.org
Subject: Study on configuration change practices

 

We are a team of networking researchers at the University of Wisconsin-Madison 
and Colgate University investigating methods for automatically synthesizing 
router configurations from high-level requirements (or intents). To guide our 
research, we seek to better understand the configuration change practices used 
in production networks.

We would appreciate if you could take 3 minutes to complete our brief, 
anonymous survey: https://colgate.co1.qualtrics.com/jfe/form/SV_3ee26xayy70jP3D

To learn more about our research, visit  
 
http://aaron.gember-jacobson.com/research/repair

Thanks,
Aaron Gember-Jacobson

Assistant Professor of Computer Science

Colgate University



RE: automatic rtbh trigger using flow data

2018-08-31 Thread Aaron Gould
(I think this is all about volumetric attacks btw...it's my belief that
slow-and-low attacks are continually occurring and are going largely
unnoticed...i'll speak for myself)

Few years ago we began seeing certain ports used as attack vectors, thus we
began our internet boundary policers for these ports... as time went on, we
add to that list of ports.  Some ports as we know, like dns, and I think ntp
from time to time (dang, sorry, lol) are used in amplification, and so, we
can't police legit ports too slowly or real stuff is affected... so that's
what Roland probably meant by "judiciously"

We also have inside this set of qos tools at the internet boundary, an
ever-growing acl that we call "repeat victims"...  we have grown to
understand that, if a customer ip address is attack once, it's likely it
will be attacked again...

There are new attacked ports all the time, so sometimes, an attack gets
through... which is causing me to think about an overall UDP limit on my
internet boundary ports... since most attacks are udp-based*. Furthermore,
along with that overarching udp limit, I may mark internet-sourced-udp with
a certain marking dscp/exp so that as it travels through my internet
network, it will be the first to get dropped (? Wred ? work well for udp?)
during congestion when an attack gets through

-Aaron

* btw, what can you experts tell me about tcp-based volumetric attacks...
please help me to understand... does tcp have an inherent inability to
ramp-up to massive speeds/loads with its sliding window and
must-rcv-ack-before sending more segments ??  I ask since I heard this years
ago about tcp and I wonder if this is why 




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Roland Dobbins
Sent: Friday, August 31, 2018 12:13 PM
To: NANOG list
Subject: Re: automatic rtbh trigger using flow data


On 31 Aug 2018, at 23:53, Lotia, Pratik M wrote:

> Instead of rtbh I would suggest blocking/rate limiting common ports 
> used in DDoS attacks.

This isn't an 'instead of', it's an 'in addition to'.  And it must be 
done judiciously; many operators doing this have concentrated on common 
port-pairs observed in UDP reflection/amplification attacks.

It's important to understand that any kind of packet of any 
protocol/ports (if such concepts apply on the protocol in question) can 
be used to launch DDoS attacks.

We've many tools in the toolbox, and should use them in a 
situationally-appropriate manner.  And when we're using techniques like 
QoSing down certain ports/protocols, we must err on the side of caution, 
lest we cause larger problems than the attacks themselves.

---
Roland Dobbins 



Re: automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
I'm really surprised that you all are doing this based on source ip, simply 
because I thought the distribution of botnet members around the world were so 
extensive that I never really thought it possible to filter based on sources, 
if so I'd like to see the list too

Even so, this would not stop the attacks from hitting my front door, my side of 
my Internet uplink...when paying for a 30 gigs CIR and paying double for 
megabits per second over that, up to the ceiling of 100 gig every bit that hits 
my front door over 30 gig would cost me extra, remotely triggering based on my 
victim IP address inside my network would be my solution to saving money

But stopping the attack even on my side of my Internet uplink would at least 
stop it from proliferating throughout my internal network which is also costing 
me when it affects cell towers, etc.

Aaron

On Aug 30, 2018, at 6:43 PM, Michel Py  wrote:

>> Joe Maimon wrote :
>> I use a bunch of scripts plus a supervisory sqlite3 database process all 
>> injecting into quagga
> 
> I have the sqlite part planned, today I'm using a flat file :-( I know :-(
> 
>> Also aimed at attacker sources. I feed it with honeypots and live servers, 
>> hooked into fail2ban and using independent host scripts. Not very 
>> sophisticated, the remotes use ssh executed commands to add/delete. I also 
>> setup a promiscuous ebgp RR so I can extend my umbrella to CPE with diverse 
>> connectivity.
> 
> I would like to have your feed. How many attacker prefixes do you currently 
> have ?
> 
>> Using flow data, that sounds like an interesting direction to take this 
>> into, so thank you!
> 
> The one thing we can share here is the attacker prefixes. The victim prefixes 
> are unique to each of us but I expect our attacker prefixes to be very close.
> 
> Michel.
> 
> TSI Disclaimer:  This message and any files or text attached to it are 
> intended only for the recipients named above and contain information that may 
> be confidential or privileged. If you are not the intended recipient, you 
> must not forward, copy, use or otherwise disclose this communication or the 
> information contained herein. In the event you have received this message in 
> error, please notify the sender immediately by replying to this message, and 
> then delete all copies of it from your system. Thank you!...



RE: automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
Thanks, but what if the attacker is many... like thousands ?  ...isn't that
typically what we see, is tons and tons of sources (hence
distributed dos) ?

-Aaron

-Original Message-
From: Michel Py [mailto:michel...@tsisemi.com] 
Sent: Thursday, August 30, 2018 3:17 PM
To: Aaron Gould; Nanog@nanog.org
Subject: RE: automatic rtbh trigger using flow data 

> Aaron Gould wrote :
> Hi, does anyone know how to use flow data to trigger a rtbh (remotely
triggered blackhole) route using bgp ?  ...I'm thinking we could use
> quagga or a script of some sort to interact with a router to advertise to
bgp the /32 host route of the victim under attack.

Look at Exabgp : https://github.com/Exa-Networks/exabgp
That's what I use in here : https://arneill-py.sacramento.ca.us/cbbc/ to
inject the prefixes in BGP.
I block the attacker's addresses, not the victim but if you are willing to
write your own scripts it does the job.

Michel.

TSI Disclaimer:  This message and any files or text attached to it are
intended only for the recipients named above and contain information that
may be confidential or privileged. If you are not the intended recipient,
you must not forward, copy, use or otherwise disclose this communication or
the information contained herein. In the event you have received this
message in error, please notify the sender immediately by replying to this
message, and then delete all copies of it from your system. Thank you!...



RE: automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
Wow, 4 replies for fastnetmon, thanks Ryan, Vincente, Job and Kushal

 

I'll look into it

 

-Aaron

 

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Aaron Gould
Sent: Thursday, August 30, 2018 2:53 PM
To: Nanog@nanog.org
Subject: automatic rtbh trigger using flow data 

 

Hi, does anyone know how to use flow data to trigger a rtbh (remotely
triggered blackhole) route using bgp ?  ...I'm thinking we could use quagga or
a script of some sort to interact with a router to advertise to bgp the /32
host route of the victim under attack.

 

Btw, I already have nfsen running and we receive real-time alerts of various
types of attacks, high volume, high ports, etc. and then we telnet into a
cisco trigger router and drop a few lines of code into it and then bgp does
the rest within seconds, the upstream providers learn of this route via
communities and they rtbh it in their cloud, BUT, I would like my alerts to
do this automatically... that would be very nice.  Any guidance would be
appreciated.

 

-Aaron

 



automatic rtbh trigger using flow data

2018-08-30 Thread Aaron Gould
Hi, does anyone know how to use flow data to trigger a rtbh (remotely
triggered blackhole) route using bgp ?  ...I'm thinking we could use quagga or
a script of some sort to interact with a router to advertise to bgp the /32
host route of the victim under attack.

 

Btw, I already have nfsen running and we receive real-time alerts of various
types of attacks, high volume, high ports, etc. and then we telnet into a
cisco trigger router and drop a few lines of code into it and then bgp does
the rest within seconds, the upstream providers learn of this route via
communities and they rtbh it in their cloud, BUT, I would like my alerts to
do this automatically... that would be very nice.  Any guidance would be
appreciated.

 

-Aaron
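
The automation asked about in this post (flow alert in, /32 blackhole route out, without a human pasting lines into the trigger router) and the ExaBGP route injection Michel suggests upthread, as an added example written for this page; it is not tooling from the thread, from nfsen, from FastNetMon or from ExaBGP itself. The ExaBGP API text commands (`announce route ... next-hop ... community [...]` and the matching `withdraw route`) are ExaBGP's own syntax; everything else is an assumption: the one-line per-destination alert format, the thresholds, the discard next-hop 192.0.2.1, that the upstream honours the RFC 7999 BLACKHOLE community 65535:666, and the customer prefix list. The list check is the safety property a practitioner wants here: a garbled alert or a spoofed flow must never make the script announce somebody else's address.

```python
"""Flow-alert driven RTBH trigger for ExaBGP's text API.

Added example, not tooling from this thread, nfsen, FastNetMon or ExaBGP.
Assumptions (constructed for the example): alerts arrive as one-line
per-destination summaries, the blackhole next-hop is 192.0.2.1, the
upstream honours the RFC 7999 BLACKHOLE community 65535:666, and the
thresholds are arbitrary.
"""
import ipaddress
import re
import sys
from dataclasses import dataclass

# Constructed sample: per-destination totals as an nfdump-style aggregation
# might summarise them.  Two of the three destinations look like victims.
SAMPLE_ALERTS = """\
dst=198.51.100.10 bps=42000000000 pps=38000000
dst=198.51.100.77 bps=8500000 pps=1200
dst=203.0.113.5 bps=910000000 pps=3500000
"""

# Only addresses inside our own customer space may ever be blackholed
# (constructed prefix).  203.0.113.5 above is outside it and is ignored.
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

THRESHOLD_BPS = 5_000_000_000   # 5 Gbit/s toward a single host (assumed)
THRESHOLD_PPS = 2_000_000       # 2 Mpps toward a single host (assumed)

BLACKHOLE_NEXT_HOP = "192.0.2.1"   # discard route on the trigger router (assumed)
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE well-known community

LINE_RE = re.compile(r"dst=(?P<dst>\S+)\s+bps=(?P<bps>\d+)\s+pps=(?P<pps>\d+)")


@dataclass(frozen=True)
class DstSummary:
    dst: str
    bps: int
    pps: int


def parse_alerts(text):
    """Parse the one-line summaries; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(DstSummary(m["dst"], int(m["bps"]), int(m["pps"])))
    return records


def victims(records, bps=THRESHOLD_BPS, pps=THRESHOLD_PPS):
    """Destination addresses whose inbound volume crosses either threshold."""
    return sorted({r.dst for r in records if r.bps >= bps or r.pps >= pps})


def is_ours(addr):
    """True only for a valid address inside our own customer prefixes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CUSTOMER_PREFIXES)


def exabgp_command(addr, withdraw=False):
    """One ExaBGP API line announcing (or withdrawing) a /32 blackhole."""
    verb = "withdraw" if withdraw else "announce"
    return (f"{verb} route {addr}/32 next-hop {BLACKHOLE_NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def reconcile(active, current):
    """Turn the previous and current victim sets into ExaBGP commands.

    New victims inside our space are announced; victims that dropped below
    threshold are withdrawn so the blackhole does not outlive the attack.
    Returns (commands, new_active_set).
    """
    current = {a for a in current if is_ours(a)}
    cmds = [exabgp_command(a) for a in sorted(current - active)]
    cmds += [exabgp_command(a, withdraw=True) for a in sorted(active - current)]
    return cmds, current


if __name__ == "__main__":
    # ExaBGP runs this as a configured 'process' and reads commands from stdout.
    active = set()
    cmds, active = reconcile(active, victims(parse_alerts(SAMPLE_ALERTS)))
    for c in cmds:
        sys.stdout.write(c + "\n")
    sys.stdout.flush()
```

In a real deployment the loop would run on each alert interval and keep `active` across runs, so a /32 is withdrawn once the victim drops below threshold; the BGP session between ExaBGP and the trigger router replaces the telnet step, and the upstream's community handling does the rest exactly as the manual procedure did.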

 



Re: Feedback - SBC Vendors.

2018-08-08 Thread Aaron Gould
I work for a Telephone/ISP/CATV/Security company

We used ACME Packet SBC years ago, then migrated to our MetaSwitch IP phone 
system with Perimeta SBC

https://www.metaswitch.com/products/core-network/perimeta-sbc

If you would like to talk to the voice engineers that I work with, let me know 
and I can put you in touch with them.  They work closely with those two products

(Like I said we migrated away from Acme packet years ago, from what I understand 
it might be an Oracle product now)

Aaron

> On Aug 8, 2018, at 6:56 PM, Ryan Finnesey  wrote:
> 
> I am going to have to install a series of SBCs for a  voice offering 
> connected to Microsoft Teams.  We are going to pass the SIP traffic off to a 
> larger number of SIP providers.  I would like  to get some feedback from the 
> group on SBC vendors.  I have two options for vendors Ribbon or AudioCodes.  
> I am leaning towards a software based SBC over an appliance. 
> 
> Would be helpful to get the other members feedback on Ribbon or AudioCodes 
> deployments within their networks.
> 
> Cheers
> Ryan
> 



RE: Akamai Contact

2018-08-08 Thread Aaron Gould
Akamai Customer Care
- 877-425-2832

Akamai NOCC
- 877-625-2624 
- 877-6-akamai (same as above)
- 617-444-3007
- nocc-sh...@akamai.com
- (if you do anything that would affect our cluster, give them at least 3 hours 
notice and give them IP of cluster)
- hardware issues and 24x7 contact: nocc-...@akamai.com +1-877-6AKAMAI

Akamai Network Support
- traffic issues: netsupport-...@akamai.com +1-888-421-1003


-Aaron


