Re: BGP Monitoring

2024-02-27 Thread Elmar K. Bins
Hi Alex,

l...@qrator.net (Alexander Lyamin) wrote:

> Ray mentioned precisely that he wants to monitor BGP announcements and
> route changes.
>
> Leak detection is kind of on a different level. You need a bit more data
> to effectively detect them. (I kind of know that).

Our use case is extremely simple, so the RIS feed gives us everything we need.
We don't need to qualify the leak, *any* leak from a local node is undesirable,
they tag everything NO_EXPORT. Anybody exporting must thus be dealt with.

But you gave me an idea regarding our datacenter prefixes...

Cheers,
Elmar.
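
The check described in this message, sketched as an added example that is not part of the original post and not the poster's own tooling: any announcement of a local-node prefix that shows up in the RIS Live feed at all means a neighbour ignored or stripped NO_EXPORT. The ASN, the prefixes and the sample feed lines are constructed placeholders; the JSON field names follow the RIS Live `ris_message` format.

```python
import ipaddress
import json

# Assumptions (placeholders, not from the thread): our ASN and the prefixes
# that local anycast nodes announce, always tagged NO_EXPORT.
OUR_ASN = 64500
LOCAL_NODE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:53::/48"),
]
NO_EXPORT = (65535, 65281)  # well-known community, RFC 1997


def is_local_node_prefix(prefix):
    """True if prefix equals, or is more specific than, a local-node prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(
        net.version == own.version and net.subnet_of(own)
        for own in LOCAL_NODE_PREFIXES
    )


def exporting_as(path):
    """Return (origin, neighbour). The neighbour is the AS next to the origin
    in the path: it received the route from the origin and passed it on."""
    hops = [asn for asn in path if isinstance(asn, int)]  # ignore AS_SETs
    if not hops:
        return None, None
    origin = hops[-1]
    while hops and hops[-1] == origin:  # drop the origin and its prepends
        hops.pop()
    return origin, (hops[-1] if hops else None)


def find_leaks(raw_lines):
    """Scan RIS Live JSON lines; report every sighting of a local-node prefix."""
    findings = []
    for line in raw_lines:
        msg = json.loads(line)
        if msg.get("type") != "ris_message":
            continue  # control messages carry no routing data
        data = msg.get("data", {})
        if data.get("type") != "UPDATE":
            continue
        origin, neighbour = exporting_as(data.get("path", []))
        communities = {tuple(c) for c in data.get("community", [])}
        for ann in data.get("announcements", []):  # withdrawals are ignored
            for prefix in ann.get("prefixes", []):
                if is_local_node_prefix(prefix):
                    findings.append({
                        "prefix": prefix,
                        "origin_as": origin,
                        "exported_by": neighbour,
                        "seen_by": data.get("peer_asn"),
                        "collector": data.get("host"),
                        # True: neighbour ignored the tag; False: tag stripped
                        "no_export_still_attached": NO_EXPORT in communities,
                    })
    return findings


# Constructed sample feed (documentation ASNs and prefixes only).
SAMPLE_FEED = [json.dumps(m) for m in (
    {"type": "ris_message", "data": {
        "type": "UPDATE", "host": "rrc00", "peer_asn": "64510",
        "path": [64510, 64505, OUR_ASN], "community": [[65535, 65281]],
        "announcements": [{"next_hop": "198.51.100.1",
                           "prefixes": ["192.0.2.0/24"]}]}},
    {"type": "ris_message", "data": {
        "type": "UPDATE", "host": "rrc00", "peer_asn": "64510",
        "path": [64510, 64501], "community": [],
        "announcements": [{"next_hop": "198.51.100.1",
                           "prefixes": ["203.0.113.0/24"]}]}},
    {"type": "ris_message", "data": {
        "type": "UPDATE", "host": "rrc01", "peer_asn": "64511",
        "path": [], "withdrawals": ["192.0.2.0/24"]}},
    {"type": "ris_message", "data": {
        "type": "UPDATE", "host": "rrc01", "peer_asn": "64511",
        "path": [64511, 64506, OUR_ASN, OUR_ASN], "community": [],
        "announcements": [{"next_hop": "2001:db8:ffff::1",
                           "prefixes": ["2001:db8:53:1::/64"]}]}},
    {"type": "pong", "data": None},
)]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_FEED):
        print(leak)
```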



Re: BGP Monitoring

2024-02-26 Thread Elmar K. Bins


nanog@nanog.org (Alexander Lyamin via NANOG) wrote:

> RIPE RIS
> https://www.ripe.net/analyse/internet-measurements/routing-information-service-ris/
> is also good, but as Job Snijders pointed out to me, it doesn't send emails out
> of the box.

It does provide a filterable live feed that we use for leak detection.

Apart from that we're using bgp.tools when we want to dig into stuff.
Oh, and most of the T1s have either routeservers or at least mostly usable
looking glasses.

HTH,
Elmar.


Re: Arelion/Telia AS1299 issues?

2023-10-24 Thread Elmar K. Bins
We also observed this today, UTC morning, esp. across the pond, and our
alternative paths from Europe to the US were suffering from the still unfixed
fibre cut, so I was a bit unhappy with 200 extra ms, and 60% loss.

1299 seems to've found an alternative path in the meantime, looks good to us.

Elmar.


nanog@nanog.org (Andrian Visnevschi via NANOG) wrote:

> We had the same issue with Arelion this morning, a huge increase in the
> latency and jitter was happening across the US and of course for any
> traffic sourced from the EU flowing to the US.
> Within the US we noticed a latency spike from 20-50ms to ~200ms. From the
> EU to our US facilities, we noticed a spike from  ~130ms to ~400ms.
>
>
> We ended up shifting traffic from Arelion to a different carrier, and will
> stay there until we are confident that they fixed any issue that they had
> in their network. To be honest, we've been experiencing quite similar
> issues with unstable latency on Arelion over the past couple of months, and
> it's becoming quite frustrating
>
>
>
>
> *Andrian Visnevschi*
>
> VP of Network & Security
>
> +373 68374133
>
> andr...@acreto.io | https://acreto.io
>
>
>
>
> On Tue, Oct 24, 2023 at 6:03 PM David Hubbard 
> wrote:
>
> > Hey all, anyone aware of issues with Arelion this morning?  We have a
> > bunch of end users on at least Cox and Cogeco who are having serious issues
> > with service access, and the problem appears to be on the return path where
> > it traverses Arelion.  Source net is Lumen/L3 3356 but loss/latency doesn’t
> > appear to creep up until already within Arelion’s network.
> >
> >
> >
> > Imperva mentioned outage/degradation due to a national ISP issue too, so I
> > suspect it’s affecting more than just certain peerings.
> >
> >
> >
> > Thanks,
> >
> >
> >
> > David
> >


Re: maximum ipv4 bgp prefix length of /24 ?

2023-10-04 Thread Elmar K. Bins
Re Mark,

mark@tinka.africa (Mark Tinka) wrote:

> From our customers, the most we are accepting today is a /24 and a /48. This
> is for transit customers with their own AS and address space.

Oh sure - I was looking at those customers who might need multihoming to their
ISP, but not multihoming in the DFZ, unlike the ones you're looking at here.

> Of course, if it's a DIA customer, we can assign longer prefixes, but that
> is internal address space that belongs to us.

Exactly what I was referring to. This is what I believe to be the standard case.

Elmar.



Re: maximum ipv4 bgp prefix length of /24 ?

2023-10-04 Thread Elmar K. Bins
li...@mtin.net (Justin Wilson (Lists)) wrote:
> I think it is going to have to happen.  We have several folks on the IX and 
> various consulting clients who only need 3-6 Ips but have to burn a full /24 
> to participate in BGP. I wrote a blog post awhile back on this topic 
> https://blog.j2sw.com/data-center/unpopular-opinion-bgp-should-accept-smaller-than-a-24/

Justin,

I'm not sure you're not confusing scope here.

Everybody and their sister accept smaller blocks from their customers; we're
all talking about the DFZ here, not customer routes that you aggregate.

I would estimate most of the "consulting clients" have no need for multihoming.
If they do, they can always use IP, and abandon legacy IP.

Elmar.

PS: I'm convinced we'll never agree to put longer prefixes into the DFZ. The
gear everybody's using doesn't handle it well, and as people have stated
before, there's just no incentive. I, personally, don't even take /24s in
many places (sometimes cutting off at /20), but then I take defaults from
my transits who have less ancient gear.



Re: maximum ipv4 bgp prefix length of /24 ?

2023-09-29 Thread Elmar K. Bins
Volkan,

you are confusing routing and forwarding.

Elmar.

volkan.salih...@gmail.com (VOLKAN SALİH) wrote:

> how would you route 800 Gigabit-ethernet that will soon be released as IEEE
> standart?
>
> we were paying 1 usd per megabit several years ago. now it is as low as 4
> usd cent.
>
> As i said before, the future is coming just now. There must be ways to
> increase CPU caches and memories of routers.
>
> It is also about wholesale. When you buy cheaper routers, powerful routers
> stay expensive.
>
> But when everybody upgrades, memory and processor unit prices decrease..
> Vendors gain from demand.
>
>
> 29.09.2023 07:31 tarihinde William Herrin yazdı:
> > Others use an expensive kind of memory
> > called a TCAM that's very fast but both expensive and power hungry, so
> > generally not sized for huge numbers of tiny routes.


Re: LINX is down?

2023-02-08 Thread Elmar K. Bins
dmi...@interhost.net (Dmitry Sherman) wrote:

> Hello any problems with Linx?

I've seen an "At Risk" notice this morning, about some emergency fibre testing.
Our equipment is not affected, but other locations might be.

If you're a member, https://portal.linx.net/member/maintenance/1670

HTH,
Elmar.


Re: AS3491 Contact

2023-01-11 Thread Elmar K. Bins
Aaron,

> Would someone from AS3491 please contact me off-list?

if you find one, please share...

Thx,
Elmar.




Contact for AS 19338

2022-11-11 Thread Elmar K. Bins
Hello 'body,

I'm looking for a NOC contact for AS 19338, the old Telmex Chile AS.

Anybody have anything?

Thanks,
Elmar.


Equinix: Still looking for routeserver community info

2022-11-02 Thread Elmar K. Bins
Hi folks,

my inquiry kind of dead-ended here; I still have trouble in Warsaw (could be
the name of a movie).

Whether I send my prefix with NO_EXPORT, or with the secretly documented
24115:65281 (or 2 or 3)
(from https://ix.equinix.com/portal/resources/mlpe-information), the
routeserver just eats my prefix and doesn't forward...

Does anybody have experience with getting the MLPE system to do what would be
required (i.e., take the prefix, attach a NO_EXPORT, and forward)?

Thanks!
Elmar.

PS: Anybody from Equinix wanting to shed some light on this, please...




Re: Equinix routeservers (MLPE) behavior c/f no_export

2022-10-28 Thread Elmar K. Bins
Re Frank, thanks for the quickie,

ge...@geier.ne.tz (Frank Habicht) wrote:

> it seems to be a not completely agreed/standardised question.

> https://www.rfc-editor.org/rfc/rfc7947#section-2.2.4
[...]
> https://docs.ixpmanager.org/features/route-servers/#rfc1997-passthru
[...]

Yeah, I know... I just don't know what Equinix actually does.
As said before, I assumed transparency (==passthru).

Any hard experience info would be helpful here :-)

Thanks again,
Elmar.



Equinix routeservers (MLPE) behavior c/f no_export

2022-10-28 Thread Elmar K. Bins
Hi guys (and others),

I couldn't find an official description/explanation of this (EQX docs only
mention that this should behave the same as their "set the no_export" TE
community).

We are using Equinix' IXP platform's routeserver service (MLPE) in a few
locations on the planet, and due to the nature of our anycast structure, we are
sending our prefixes with the well-known NO_EXPORT community attached.

It seems to me that, at least in some places (i.e. Warsaw, ex-PLIX), the
routeservers will not forward the routes further, being intransparent to the
NO_EXPORT setting.

My assumption was transparency, so the prefixes would be forwarded unchanged,
including the NO_EXPORT community attached.

It would be nice to hear directly from Equinix, of course, but if anybody on
this list has hard knowledge of this, please share, so that I can take the
appropriate measures...

Thanks in advance,
Elmar.


Re: jon postel

2022-10-17 Thread Elmar K. Bins
joey@gmail.com (Joseph) wrote:

> A good book on the topic of the early internet is "Where Wizards Stay Up
> Late" by Katie Hafner and Matthew Lyon.

+1

The only thing I have to criticize is that the book has way too few pages.


Re: any dangers of filtering every /24 on full internet table to preserve FIB space ?

2022-10-10 Thread Elmar K. Bins
na...@ics-il.net (Mike Hammett) wrote:

> Feasibility of adding some middleware that culls unneeded routes (existing 
> more specific and aggregate routes pointing to the same next hop), when that 
> table starts to fill?

Well... if that covering prefix goes away, let's hope you still have a default.

I've (been forced to) cull long prefixes on some memory-starved routers, and
given that all of them have defaults, For our (former employers and certainly
the current one) I've seen moderate to no traffic shifting, and this approach
gave the museum gear another lease on life - they were fine with bandwidth.
I've even gone down to strip anything longer than a /20 in v4, and a /40 in v6.

If you run a backbone that needs to know the best exit for a prefix in order to
throw traffic out locally and not pay good money for sightseeing capacity, you
might fare better with beefier routing engines.

El Mare.



Re: Equinix IX support contact me please

2022-08-05 Thread Elmar K. Bins
Hi Chris,

ch...@noskillz.com (Chris) wrote:

> I'd personally recommend logging into the portal and opening a case,

I've done that in parallel, of course. (Also, as expected, they don't use their
own documentation, you have to point your finger to it when they want to "find
a physical asset"...Equinix...)

> If you really want to email
> servicedesk...@eu.equinix.com should be right assuming you're using the
> fabric in Germany like your email address suggests. Otherwise, check

This was about PAIX, but yeah, there might be some email contacts.

I guess my main point is: Keep those da** peeringdb entries usable.

Thanks for the help!
Elmar.



Equinix IX support contact me please

2022-08-04 Thread Elmar K. Bins
Hi folks at Equinix,

your peeringdb entry contact address (servicesupp...@equinix.com) bounces.
Please contact me right away to fix a MAC filter.

Elmar.



Re: "Permanent" DST

2022-03-15 Thread Elmar K. Bins
dedel...@iname.com (Dave) wrote:

> Folks for most systems, this is a change to a single file. Not a really hard 
> thing to accomplish

Well...

1 - I'm surprised anybody is running local timezones on their systems at all

2 - I like how american politics is capable of creating new problems; where
did this bill come from in the first place? And who's lobbying?

Elmar.



701 contact that actually responds...

2021-08-31 Thread Elmar K. Bins
Hi guys,

we (1280) have a prefix missing from 701's routing tables that harms us quite a
bit. I've tried contacting the obvious email addresses with details, but got
zero response (I've checked the spamtrap) inside 24 hours.

Is there a better way to contact the actual NOC than carynmc...@verizon.com ?

Thanks for any help,
Elmar.


Contact for Telmex Chile

2021-08-23 Thread Elmar K. Bins
Hi folks,

peeringdb is very quiet about them - does anybody have a NOC email contact for
Telmex Chile (I have them as AS19338)?

Trying to resurrect something...

TIA,
Elmar.



Re: MGMIX (Montgomery, AL) - contact me please

2021-06-24 Thread Elmar K. Bins
Hi Walt, folks,

> Holt, Marcus 
> Has been and is a good contact

Thank you - unfortunately, my emails seem to land in his spam folder (sent half
a dozen over the last year, never heard a peep). Marcus - you reading this?

Elmar.


MGMIX (Montgomery, AL) - contact me please

2021-06-24 Thread Elmar K. Bins
Hi everyone,

someone from MGMIX in Montgomery, AL, contact me please.
Your official address (supp...@mgmix.net) bounces as undeliverable.

Elmar.



Re: 2021.02.10 community meeting unofficial notes

2021-02-10 Thread Elmar K. Bins
Matt, thank you for the notes, very helpful!

(Also, sorry for dropping out of the BoF, my ISP decided it was time for some
downtime, I hope they'll get it sorted)

Elmar.


Re: Any2 Los Angeles down again

2021-01-26 Thread Elmar K. Bins
avel...@misaka.io (Siyuan Miao) wrote:

> Does anybody know if there's an alternative to Any2 Los Angeles
> with predictable uptime and enough members in LA?

Sure, there's NYIIX LA. Tried searching peeringdb?

Elmar.



Re: Contact for OCIX (Philipsburg, SX)

2020-06-30 Thread Elmar K. Bins
e...@4ever.de (Elmar K. Bins) wrote:

> I'm looking for a working email address to contact the OCIX exchange in Sint
> Maarten. Unfortunately, ocix.net points to a single MX without A/ 
> records...

They moved their MXs yesterday after I got them through telemgroup.sx, so ocix
should be reachable again.

- Elmar.


Contact for OCIX (Philipsburg, SX)

2020-06-29 Thread Elmar K. Bins
Hi people,

I'm looking for a working email address to contact the OCIX exchange in Sint
Maarten. Unfortunately, ocix.net points to a single MX without A/ records...

Thanks in advance,
Elmar.


Re: Anyone have contacts at Bharti Airtel?

2019-12-07 Thread Elmar K. Bins
bottige...@gmail.com (Bottiger) wrote:

> Does anyone have any contacts at Bharti Airtel? I either get no response or
> full inbox for emails in their WHOIS at AS9498 and AS24560.

Hi, if you get a response, please share...I'm also at a loss there...

Elmar.


AS112 contact

2019-03-26 Thread Elmar K. Bins
Hi guys,

I hope this is only slightly off-topic...

I'm looking for the correct address for AS112, 1...@root-servers.org
keeps bouncing whatever I try.

If anybody can drop me a line...much appreciated.

Cheers,
Elmar.



Sourcing Dell servers in Buenos Aires (AR)

2018-06-20 Thread Elmar K. Bins
Hi helpful people around the world,

we are currently at a loss of sourcing Dell servers (R630 etc.) for our Buenos
Aires datacenter... can anybody here jump in and provide us with hardware there
short-term, or recommend a local dealer?

We need to upgrade quickly, and estimates for import run in weeks to months :-(

Yours,
Elmar.



Re: Bezeq Internet (IL) around?

2018-06-06 Thread Elmar K. Bins
Re Hank,

thank you for the comprehensive info, this kind of help is why I
still consider NANOG a very good community and this mailing list
one of the major tools of the network business.

Not to even mention the really nice people that hang out here.

Thanks again,
Elmar.


h...@efes.iucc.ac.il (Hank Nussbacher) wrote:

> On 27/05/2018 17:32, Theo Voss wrote:
> 
> There are basically two colo sites available in the Tel Aviv area:
> 
> Med-1 - https://www.medone.co.il/en/
> Bezeqint -
> https://www.bezeqint.net/english/carrier-wholesale-services/data-center-and-dr/jaffa-data-center
> 
> The first is run by a company that doesn't provide any sort of transit -
> just data center. 
> The second is run by a company that can also sell you transit.
> 
> There are only 4 companies in Israel that can provide carrier services:
> Bezeqint
> HOT - http://www.hot.net.il/heb/English/
> Partner - No English site
> Cellcom - No English site
> 
> At Med-1 you can buy transit from any of the 4 listed above. 
> At the Bezeqint site they only allow Bezeqint circuits so you are
> limited to only one carrier.
> 
> If you need contacts at any of the companies, drop me an email and I'll
> send you email contacts at each of the companies.
> 
> -Hank


Bezeq Internet (IL) around?

2018-05-24 Thread Elmar K. Bins
Hi Bezeq people,

I hope you're subscribed here, I could use your immediate help, probably
leading to a contract...

Yours,
Elmar.




Re: aggregate6 - a fast versatile prefix list compressor

2017-12-01 Thread Elmar K. Bins
na...@studio442.com.au (Julien Goodwin) wrote:

> > The first optimisation is to remove any supplied prefixes which are
> > superfluous because they are already included in another supplied
> > prefix. For example, 2001:67c:208c:10::/64 would be removed if
> > 2001:67c:208c::/48 was also supplied.
> > 
> > The second optimisation identifies adjacent prefixes that can be
> > combined under a single, shorter-length prefix. For example,
> > 2001:67c:208c::/48 and 2001:67c:208d::/48 can be combined into the
> > single prefix 2001:67c:208c::/47. As an IPv4 example: 10.0.0.0/24 and
> > 10.0.1.0/24 can be joined into 10.0.0.0/23.
> 
> Will it catch cases like:
> 10.0.0.0/24 10.0.1.0/24 10.0.2.0/23 -> 10.0.0.0/22

I guess the developers will have implemented a loop that runs until no
more optimizations have been found. Which would of course catch it as

Iteration 1
10.0.0.0/24 + 10.0.1.0/24
-> 10.0.0.0/23

Iteration 2
10.0.0.0/23 + 10.0.2.0/23
-> 10.0.0.0/22
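
The loop guessed at in this reply, written out as an added example; it is not aggregate6's code and not part of the original post. It applies the two optimisations quoted above (drop covered prefixes, merge adjacent siblings) repeatedly until a pass changes nothing, and records the state after each productive pass.

```python
import ipaddress


def drop_covered(nets):
    """First optimisation: remove prefixes already inside another prefix."""
    kept = []
    # Shorter prefixes first, so a covering prefix is seen before its subnets.
    ordered = sorted(set(nets),
                     key=lambda n: (n.version, n.prefixlen,
                                    int(n.network_address)))
    for net in ordered:
        if not any(net.version == k.version and net.subnet_of(k) for k in kept):
            kept.append(net)
    return kept


def merge_once(nets):
    """Second optimisation, one pass: join two prefixes only if they are the
    two halves of the same one-bit-shorter prefix."""
    remaining = set(nets)
    result = []
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address),
                                          n.prefixlen))
    for net in ordered:
        if net not in remaining:
            continue  # already consumed as somebody's sibling
        remaining.discard(net)
        if net.prefixlen > 0:
            parent = net.supernet()
            sibling = next(s for s in parent.subnets() if s != net)
            if sibling in remaining:
                remaining.discard(sibling)
                result.append(parent)
                continue
        result.append(net)
    return result


def aggregate(prefixes):
    """Run both optimisations until nothing changes.
    Returns (final prefixes, state after each pass that changed something)."""
    nets = list({ipaddress.ip_network(p) for p in prefixes})
    history = []
    while True:
        new = merge_once(drop_covered(nets))
        if set(new) == set(nets):
            break
        nets = new
        history.append(sorted(str(n) for n in nets))
    return sorted(str(n) for n in nets), history


if __name__ == "__main__":
    final, passes = aggregate(["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/23"])
    for i, state in enumerate(passes, 1):
        print("Iteration", i, state)
    print("Result", final)
```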



Re: Request for comment -- BCP38

2016-09-26 Thread Elmar K. Bins
Re Stephen,

> So, to beat that horse to a fare-thee-well, to be BCP38 compliant I need, on
> every interface sending packets out to the internet, to block any source
> address matching a subnet in the BOGON list OR not matching any of my
> routeable network subnets?  Plus add null-route entries for all the BOGONs
> in my routing table so I don't send a bad destination packet to my upstream?

The correct way to implement this is
  - outgoing permit my allocated address blocks as source addresses
  - outgoing deny EVERYTHING (else)

Elmar.
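
The two-rule egress policy from this reply, as an added example that is not part of the original post: it is modelled as a first-match ACL and compared with a bogon deny-list on its own. The allocated blocks, the bogon subset and the sample source addresses are constructed placeholders taken from documentation ranges.

```python
import ipaddress

ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]

# Placeholder "allocated" blocks (documentation ranges stand in for real ones).
ALLOCATED = ["192.0.2.0/24", "2001:db8:100::/40"]

# Constructed subset of a bogon list, for comparison only.
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
          "169.254.0.0/16", "100.64.0.0/10", "fc00::/7", "fe80::/10"]


def bcp38_acl(allocated):
    """Outgoing: permit my allocated blocks as source, deny everything else."""
    rules = [("permit", ipaddress.ip_network(p)) for p in allocated]
    rules += [("deny", net) for net in ANY]
    return rules


def bogon_only_acl(bogons):
    """Deny-list variant: deny known-bad sources, permit the rest."""
    rules = [("deny", ipaddress.ip_network(p)) for p in bogons]
    rules += [("permit", net) for net in ANY]
    return rules


def verdict(rules, src):
    """First matching rule wins, as in a router ACL."""
    addr = ipaddress.ip_address(src)
    for action, net in rules:
        if addr.version == net.version and addr in net:
            return action
    return "deny"


# Constructed source addresses of outgoing packets.
SAMPLE_SOURCES = {
    "192.0.2.10": "host in our IPv4 block",
    "2001:db8:100:1::5": "host in our IPv6 block",
    "10.1.2.3": "RFC 1918 address leaking out",
    "198.51.100.7": "somebody else's address (spoofed)",
    "2001:db8:f00::1": "somebody else's IPv6 address (spoofed)",
}


def compare():
    """Map each sample source to (BCP38 verdict, bogon-only verdict)."""
    strict = bcp38_acl(ALLOCATED)
    loose = bogon_only_acl(BOGONS)
    return {src: (verdict(strict, src), verdict(loose, src))
            for src in SAMPLE_SOURCES}


if __name__ == "__main__":
    for src, (strict, loose) in compare().items():
        print(f"{src:20} bcp38={strict:6} bogon-only={loose:6} "
              f"# {SAMPLE_SOURCES[src]}")
```

The allow-list already denies every bogon source, so no bogon entries are needed on egress; the deny-list alone lets the spoofed foreign sources through.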




Re: eBay is looking for network heavies...

2015-06-06 Thread Elmar K. Bins
eyeronic.des...@gmail.com (Mike Hale) wrote:

> We need a pool on what percentage of readers just googled traceroute.

None of course!



Re: From Europe to Australia via right way

2015-04-02 Thread Elmar K. Bins
piotr.1...@interia.pl (Piotr) wrote:

> What's the reason, there are some telecoms, isp that have paths eastbound,
> southbound but in routing table they prefer longer path via US ?

Come on - you do know that it's called policy routing for a reason?
Costs, reserved bw/s for high-rollers, capacity...

(Sometimes sheer stupidity, too)

Elmar.


Re: Linux: concerns over systemd [OT]

2014-10-22 Thread Elmar K. Bins
na...@jack.fr.eu.org (na...@jack.fr.eu.org) wrote:

> I'm not gonna throw Debian away due to such a mess, without fighting
> hard, and I think you should do the same: talk, patch if needed, show
> you're here

...and sit it out with wheezy-LTS...

Elmar.


Re: The Department of Work and Pensions, UK has an entire /8

2012-09-19 Thread Elmar K. Bins
eyeronic.des...@gmail.com (Mike Hale) wrote:

> You know what sucks worse than NAT?
> Memorizing an IPv6 address.   ;)

I agree. But we'll have to live with it until something better comes along.


> The assumption behind my original question is that the IP space simply
> isn't used anywhere near as efficiently as it could be.  While
> reclaiming even a fraction of those /8s won't put off the eventual
> depletion, it'll make it slightly more painless over the next year or
> two.

I don't see how this would help. We all - and the world - have known for
at least three years when the allocatable IPv4 pool would/will run out.
Have we done something (at large)? No. Instead, people are whimpering
about others having v4 addresses they are obviously not using and
couldn't we pull those and redistribute so everyone's happier.

Honestly - you'd only push the current situation two months back.

Now everybody start using v6 and quit whining.
(Or like Randy said - get back to pushing packets)

Elmar.



Re: LinkedIn password database compromised

2012-06-20 Thread Elmar K. Bins
(Fight of the Leos...)

bickn...@ufp.org (Leo Bicknell) wrote:

> Users would find it much more convenient and wonder why we ever used
> passwords, I think...

Yeah cool. Shame I have three accounts on peerindb.com alone...




Re: .GW registrar?

2012-06-06 Thread Elmar K. Bins
Re Ben,

b...@bencarleton.com (Ben Carleton) wrote:

> Does anyone have a contact at either DENIC or Fundação IT  MEDIA
> Universidade de Bissao that can advise if registrations are currently being
> accepted for .GW domain names? The IANA admin contact,
> ad...@register.gw, is at a domain with no valid MX records (or A records, for
> that matter). The technical contact is listed as DENIC.

I'll pick this up and forward your contact info to someone inside DENIC
who might know.

Yours,
Elmar.




Re: Questions about anycasting setup

2012-03-12 Thread Elmar K. Bins
Morn' Steve,

s...@gibbard.org (Steve Gibbard) wrote:

> I have no idea what Cisco equipment Elmar is using, but I wouldn't jump to
> the conclusion that it can't withdraw routes when needed.

We use scripts external to both the routing platform and the
service delivery platform to check the service and reconfigure
L3 equipment (which is all kinds of L3 capable hardware).

Elmar.



Re: Questions about anycasting setup

2012-03-09 Thread Elmar K. Bins
Bill,

wo...@pch.net (Bill Woodcock) wrote:

> > 2. We plan to use this anycasting based setup for DNS during initial few
> > months. Assuming low traffic for DNS say ~10Mbps on average (on 100Mbps
> > port) and transit from just single network (datacenter itself) - is this
> > setup OK for simple software based BGP like Quagga or Bird?
>
> Yes, and in fact, that's how nearly all large production anycast networks are
> built... Each anycast instance contains its own BGP speaker, which announces
> its service prefix to adjacent BGP-speaking routers, whether those be your
> own, or your transit-provider's.  Doing exactly as you describe is, in fact,
> best-practice.

Well, let's say, using Quagga/BIRD might not really be best practice for
everybody... (e.g., *we* are using Cisco equipment for this)

Using anycasting for DNS is, to my knowledge, best practice nowadays.


> > 3. IPv6! - Is /32 is standard? We have only one /32
> > allocation from ARIN and thus if using /32 seems like hard deal - we have
> > to likely get another /32 just for anycasting? or we can use /48 without
> > issues? Also, is /48 a good number for breaking /32 so that we can do /48
> > announcements from different datacenters in simple uni casting setup?
>
> A /48 is quite reasonable.  Announcing a whole /32 just for your anycast
> service would be wasteful.

Why? It's simply another prefix, no matter how big. It might look
wasteful, but if *that* is the allocation you *have*, it's the
one you ought to use.

One should be careful - people do filter on allocation lengths, so
breaking out a /48 out of a /32 allocation and advertising it on its
own can lead to it being filtered.

Elmar.



Re: Questions about anycasting setup

2012-03-09 Thread Elmar K. Bins
Re Bill,

p...@altadena.net (Pete Carah) wrote:

> > Well, let's say, using Quagga/BIRD might not really be best practice for
> > everybody... (e.g., *we* are using Cisco equipment for this)
> Actually there is a *very* good reason why many (most?) anycast
> instances use quagga/BIRD/gated/etc
> to speak bgp (or even ospf for internal anycast) which using a Cisco (or
> any separate router) usually won't accomplish.

Please enlighten me...

Elmar.



Re: Questions about anycasting setup

2012-03-09 Thread Elmar K. Bins
Re Bill,

wo...@pch.net (Bill Woodcock) wrote:

> > Well, let's say, using Quagga/BIRD might not really be best practice for
> > everybody... (e.g., *we* are using Cisco equipment for this)
> How does your Cisco know whether an adjacent nameserver is heavily loaded,
> and adjust its BGP announcements accordingly?

It doesn't have to.

I don't know how you guys do it, but we take great care to
keep min. 70% overhead capacity during standard operation.

Elmar.



Re: Can somebody stop nanog@nanog.org from forwarding spam, kthx!

2011-07-12 Thread Elmar K. Bins
jer...@unfix.org (Jeroen Massar) wrote:

> I am fairly sure that the fake Western Union message and various other
> spams that are dripping through are from real subscribers...

Err...
what I find most interesting is that I have received no spam via this list
today. I've checked my spamfilters' garbage heap...

Did someone unsubscribe me from the spam part of the list? Thank you :)

Elmar.



Re: experience with equinix exchange

2010-11-30 Thread Elmar K. Bins
Re,

meh...@akcin.net (Mehmet Akcin) wrote:

> > But all the traffic on every Equinix and PAIX switch combined, is still
> > lower than the traffic on any one of the three large exchanges in Europe.
> > It really is all about the PNIs.
> I wonder how is NOTA like, do they ever make the traffic info public?

Not really, but that's probably typical.

http://www.ripe.net/ripe/meetings/ripe-58/content/presentations/Snowhorn-NOTA_Update.pdf

mentions 170+Gbps for NOTA, but that was 1.5 years ago.

Yours,
Elmar.

-- 

First make yourself unpopular. Then you will also be taken seriously.
 (Konrad Adenauer)

--[ ELMI-RIPE ]---




Re: Reverse DNS for IPv6 client networks

2010-09-15 Thread Elmar K. Bins
Re Harry, Owen and all the others,

first, thank you for your feedback. Seems there is no real
consensus, but people are leaning more towards if it's dynamic,
forget rDNS.

The PowerDNS solution looks nice to me (alas, another chunk of
software the system droids would have to maintain). I am also
always fond of homegrown Scripts that get the job done.

And yes, Harry...

harry.na...@harry.lu (Harry Strongburg) wrote:

> However, I bet I totally misunderstood your question!

You lose that bet :-)

Thanks for the pointer to the paper.

Cheers,
Elmar.

-- 

First make yourself unpopular. Then you will also be taken seriously.
 (Konrad Adenauer)

--[ ELMI-RIPE ]---




Re: Web expert on his 'catastrophe' key for the internet

2010-07-28 Thread Elmar K. Bins
andrew.wall...@rocketmail.com (andrew.wallace) wrote:

> A British computer expert has been entrusted with part of a digital key, to help
> restart the internet in the event of a major catastrophe.
>
> Paul Kane talked to Eddie Mair on Radio 4's PM programme about what he might be
> called upon to do in the event of an international online emergency.
>
> http://www.bbc.co.uk/news/uk-10781240

One, I do not see the operational relevance of this news.
Second, people cult is just not the hype anymore.
Third, my opinion towards Mr. Kane will stay with myself.




Re: v6 bgp peer costs?

2010-07-22 Thread Elmar K. Bins
mle...@he.net (Mike Leber) wrote:

 
> You can get a free IPv6 BGP tunnel from Hurricane Electric at
> http://tunnelbroker.net
>
> We have tunnel servers spread through out the world, so typically the
> nearest server has reasonably low latency from your location.
>
> Of course our main business is selling wholesale native IPv6 and IPv4
> transit, however you don't have to be a paying customer to use our free
> service.
>
> On 7/21/10 12:08 PM, Zaid Ali wrote:
> > I currently have a v4 BGP session with AS 701 and recently requested a v6
> > BGP session to which I was told a tunnel session will be provided (Same
> > circuit would be better but whatever!). Towards the final stage in
> > discussions I was told that it will cost $1500. I find this quite

Mike, Mike,

I still wonder how you are able to sell the stuff that you are *also*
giving away for free (minus the physical port) and that admittedly works
like a charm...

Elmar.

PS: Keep up the good tunne^Wwork!
PPS: Any plans on having something inside mainland China?



Re: Cisco ASR

2010-05-26 Thread Elmar K. Bins
Re guys,

just to enforce the statement that the ASR is not really in the Kindergarten
anymore:

rt uptime is 22 weeks, 1 day, 17 hours, 33 minutes
Uptime for this control processor is 22 weeks, 1 day, 17 hours, 34 minutes
System returned to ROM by reload at 11:00:33 CET Mon Dec 21 2009
System restarted at 16:16:32 CET Mon Dec 21 2009
System image file is bootflash:asr1000rp1-advipservicesk9.02.04.02.122-33.XND2.bin

[...]

cisco ASR1002 (2RU) processor with 1759125K/6147K bytes of memory.
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7798783K bytes of eUSB flash at bootflash:.

Configuration register is 0x2102

--

Unfortunately, it is also correct that the box crashes with soft-reconfig
enabled (it's my bug, actually). Cisco told me they could not reproduce
it in the lab, so there's no fix yet. With soft-reconfig disabled, the
system works and is stable and fast. CPU is almost zero (2%), with 150 v4
and 40 v6 BGP sessions active.

Just to mention it - I'd have preferred an NPE-G2 with some hardware
forwarding board. That system simply rocks. But well, I guess this is
evolution...

Elmar.




Juniper SRX-210 -- CCC certificate required

2010-05-18 Thread Elmar K. Bins
Hello altogether,

I'm in kind of a pinch currently - I have to get a Juniper
SRX-210 into China. That got the box stuck at import there,
and they demand the CCC certificate from us.

Unfortunately, Juniper has as yet not been willing or able
to respond to this request (ongoing for weeks), and I wonder
if anyone on this list might just have the certificate on file...

If so, please help me out - I'm pretty desperate and would
even consider buying you a beer at NANOG49. ;-)
(Well, don't have to be desperate for that...)

Yours,
Elmar.





Re: Juniper SRX-210 -- CCC certificate required

2010-05-18 Thread Elmar K . Bins
Re Gordon,

gordsla...@ieee.org (gordon b slater) wrote:

> ...something in the back of my head says they retracted from their
> initial stance recently (few month ago?) and said the CCC for IT
> security kit was only needed for Gov't Procurement kit - I could be very
> wrong, it was a snippet of casual conversation in passing.

Thank you for this side note already - I'll forward your thoughts,
maybe it helps. Still, if anyone can dig something up...


> Maybe you're just up against extra red tape, officials not up to speed
> etc; or maybe it is for a Govt Contract after all.

It's not for a government contract (it's for the renewal of the
.de ccTLD DNS setup in Beijing), and they could have put the
red tape around other stuff that's in there. I guess it's just
the usual formalism.

Unfortunately, Google doesn't come up with anything about SRX's
and CCC certification, though there seems to be a version with
Chinese plugsets...

Yours,
Elmar.

-- 

First make yourself unpopular. Then you will also be taken seriously.
 (Konrad Adenauer)

--[ ELMI-RIPE ]---




Re: Juniper SRX-210 -- CCC certificate required

2010-05-18 Thread Elmar K. Bins
ssh...@gmail.com (Lala Lander) wrote:

> You should buy locally in China and Juniper's partner in china will provide
> you CCC.

Thank you for the insight, Shahid. Can you please send me your time machine? ;-)

Elmar.



Re: Peering Exchange Configurations

2010-04-08 Thread Elmar K. Bins
Re Joe,

jab...@hopcount.ca (Joe Abley) wrote:

> > 1) Is a private AS typically used for the exchange side of the session?
> No. Also many exchange points do not run route servers at all, and expect
> participants to build bilateral BGP sessions directly between each other.

...which is a shame. Routeservers in place gives you a nice benefit
upon hooking up to the exchange and before you have even found out
who is on the grid (anyone have a list for NOTA?).

Basically, the bigger exchange points (as in European mostly) all
have routeservers ready, but not everybody chooses to use them.

> > 2) Are RFC1918 IPs typically used for the p2p links into the exchange?
>
> No. Participants in an exchange typically number their exchange-facing
> interfaces out of a larger (non-p2p) subnet, e.g. an IPv4 /24 or /23, or an
> IPv6 /48 (or both).

Using RFC1918 for oft-traversed addresses is also not a good idea ;)

 
> > 3) Do peering exchanges typically remove their AS from the path advertised
> > to exchange participants?
>
> Some do, I hear. See above regarding route servers.

None of the routeservers I am peering with does insert their ASN.
On direct peering sessions, there is of course nobody in between.


> > 4) Do exchanges typically support the following address families?
> >  IPv4 Multicast
> >  IPv6 Unicast
> >  IPv6 Multicast
>
> I'm quite ignorant of multicast. IPv6 unicast peering is common.

Multicast is still seen as something special, sometimes even on
dedicated hardware, or on different VLANs. It's certainly possible,
but usually there are not so many participants...


> > 5) I see that Bird, OpenBGPd, and Quagga are all options for route server
> > software. Does one of those packages stand out as the clear current choice
> > for production peering exchanges?
>
> BIRD seems to be the choice du jour based on idle hallway chatter, but I have
> not compared them.

I was thinking plat du jour...and well, it's du jour, so it can change
in an instant.


Cheers,
Elmar.





Re: NAP of Americas

2009-09-11 Thread Elmar K. Bins
xbanc...@telconet.net (Xavier Banchon) wrote:

> Does anyone have issues with Internet connection through NAP of Americas?

Yes - there's obviously been some failure on the DC power, which
took the peering grid down (and a few ISPs, too). Sessions have
come up again around an hour ago.

Btw - anyone there and not peering with 31529 (.de ccTLD service),
please drop me an email. It's pretty hard to get a list of
participants...

Cheers,
Elmar.





Conclusion: Smart hands in NYC area and new: Tokyo

2009-08-06 Thread Elmar K. Bins
Hello altogether,

I got a couple of freelancers and a few tips which companies
to use. I thought I'd at least share the company recommendations,
of which I'll have the bosses pick.

One other thing - I'll be needing the same thing in Tokyo by the
end of the year. If anyone has recommendations, please don't hesitate.
I'm not shy of travelling, but I'd rather save time and money there...

Yours,
Elmar.


Recommended companies:

Team Silverback (www.teamsilverback.com)
OnForce (www.onforce.com)
Endeavor
Xeta
Blackbox
Ledcor  (www.ltscompany.com)





Smart hands in NYC area

2009-08-04 Thread Elmar K. Bins
Hello friendly NANOGers,

we'll have to move out of a colo in the NYC area (Verizon DC Elmsford)
soon and I need two guys to disassemble half a rack full of equipment,
pack the stuff securely and send it away in two batches (one within the
US, one to Germany).

Packing material needs to be brought, I suppose. The setup has been
there for a while - unlikely Verizon kept the material.

Can anyone refer me to a company that can help me there, or offer their
own services?

Thanks for your help,
Elmar.



Re: Fiber cut - response in seconds?

2009-06-02 Thread Elmar K. Bins
jcdill.li...@gmail.com (JC Dill) wrote:

> Why do they watch and monitor rather than proactively go
> out and say watch out, there's an unmarked cable here and keep them
> from cutting the cable in the first place?

*snicker*

You ever been to a construction site?





Re: Fiber cut - response in seconds?

2009-06-02 Thread Elmar K. Bins
sro...@fattoc.com (Shane Ronan) wrote:

> In my experience they are required not only to mark the line, but to
> identify it with the initials of the owner.

Hell yeah - but that's not the point I wanted to make.

For any given construction project, the main goal is to
build something without destroying something else (unless
it's planned to be destroyed).

Unfortunately, this goal has to be broken into easy tasks
for the people executing the work. And what leaks to them
is dig a hole.

They definitely don't care whether they _will_ hit something.
They do care after they hit something...

(sometimes they'll try to cover up like someone did here;
after cutting a whole bunch of fibre trunks, they decided
to fill the just-dug hole with a ton of concrete...)





Re: Managing your network devices via console

2009-05-15 Thread Elmar K. Bins
jvar...@crypticstudios.com (Jake Vargas) wrote:

> > I stumbled across these, which look like decent alternatives to getting
> > a 2511 from eBay: http://www.perle.com/products/Terminal-Server.shtml
> >
> > The 48-port 1U terminal server with redundant power looks particularly
> > nice.
> >
> > I've no experience with Perle, though.  Anyone else?
>
> I use them in my datacenter. SCS 32 with the IOLAN Modem card. I have some
> basic advice for using it as a dialup source. It also does IPSec via our DSL
> line which also happens to be our POTS line. All kinds of nice stuff but a
> bit of a pain to initially configure if you do not know what you are doing
> (slight learning curve). I'm happy with it.

We are still using the ancient Cyclades/Avocent ACS'es with a matching
modem card (getting rare, them). They work fine, a bit slow on sshV2,
but no problems in all the remote locations. I had one (pretty old)
fail in the lab, but this might have been due to it being quite warm
there...

I am concerned about remote power control, though. If you know your
datacenter, you can get all kinds of remote-controlled power strips.

With us, we don't always know beforehand what kind of power the DCs
will have, and I'd like the exact same equipment everywhere (except
the cables, of course).

In order to achieve this, I used Cyclades (now Avocent) ATP3120-001
(2...@100-240v input on IEC C320-20, 10A outputs on IEC C320-13).

They have three shortcomings:
  - sometimes they forget their configuration (not critical)
  - they can only be accessed by serial console (no SNMP etc.)
  - consequently there's no power meter remote readout

Is anyone here aware of such universally usable devices that can
be accessed over IP and give power readouts remotely?

Electrical specs are as above - 20 Amps input (for 120V countries),
usable anywhere from 100-240 Volts and IEC input and output plugs...

Any hints?
(No, APC fails in the 100-240V part)
(No, Perle fails in the 100-240V and the IEC part)
(No, even Avocent's other strips fail there...)

Yours,
Elmi.

-- 

Limping is not a flaw of a comparison; rather, it should be regarded as an
 essential property of comparisons.   (Marius Fränzel in desd)

--[ ELMI-RIPE ]---




Re: NPE-G2 vs. Sup720-3BXL

2009-05-15 Thread Elmar K. Bins
dstora...@teljet.com (David Storandt) wrote:

> Our engineering team has settled on three $20k/node options:
> - Sup720-3BXLs with PS and fan upgrades

Still quite slow CPU wise. RSP's are supposed to be a lot faster
and actually usable.

> - Sup2s as switches + ISIS + statics and no BGP, push BGP edge routing
> off to NPE-G2s across a 2-3Gbps port-channel

The NPE-G2 - even an NPE-G1 - will do all that BGP stuff easily;
the CPU is fast enough. But...you might be in for a bad surprise
concerning the Portchannel.

Remember - it's done in software. So, depending on your packet
sizes, you might experience a throughput _drop_ once you bundle.
My experiments were done with very small packets though (DNS
queries and responses, avg. packet size around 140 Byte).

The devices I tested were the 1RU models (7301 for NPE-G1 and
7201 for NPE-G2). In unbundled mode they pushed around 940 kpps
(G1) and 1320 kpps (G2) with CPU loads between 85% and 100%.

Channel bundling took a lot out of the boxes. 7301 keeled over
at 470, 7201 at 660 kpps.

If you're only pushing big packets, though...

Yours,
Elmar.



Re: shipping pre-built cabinets vs. build-on-site

2009-04-06 Thread Elmar K. Bins
mar...@theicelandguy.com (Martin Hannigan) wrote:

> 1. as-builts designated by the RU
> 2. physical layer wiring diagram
> 3. cable run list (optical, fiber, connector type, pots)
> 4. Bill of materials down to the rack mount kit screws
> 5. cut view, detailing cabinet details _from the datacenter_.

;-)

We have quite some experience in having third party people, including
professional hosting companies and friends on-site, receiving our
boxes and assembling the entire thing for us. The only ones that failed
were a big German telco back in 2004. Which was essentially why we
assembled an entire cabinet ready-for-production, in the 2006
rebuild for their new datacenter site. Yes, we got it shipped within
Germany (Frankfurt to Ulm). Getting a shipping company to do that was
difficult at best: The big ones all turned us down. We found a small
company that did it (who usually worked for one of the big ones that
turned us down). They claimed to have experience, and they delivered
everything in working condition. The telco was eventually able to
plug the five cables into the right sockets and everything was ready
to jumpstart.

Usually we send parts, and what has proven a very good idea for us is
to ship really everything, including every cable, connector and adaptor,
except for the mains connectors which are different in every single
place. It is crucial to label every port (and I mean server ports
and strange boxes' ports; everything but switchports, really) with
a number and do the same with every single cable and adaptor.

A detailed cabling plan which lists and sometimes depicts what goes
where (A- and B-side systems, cable numbers, lengths and colors, and
the according port numbers) makes cabling the thing - as I've been
told - pretty easy.

Well, soon enough I'll be doing the first ever on-site installation
myself which comes with a nice couple of days vacation, so I opted
for doing it. Of course, it's actually just the verification of our
assembly instructions being _really_ idiot-proof.

Anyway, Joe, if you can make it happen, have people on-site assemble
the stuff for you. They will usually be kind enough to make power
cables for you, too. I have had people from professional hosters
really go out of their way (using private credit cards to obtain
parts etc) to make the thing work.

Sending that one full rack has proven successful for us, but that
was specialists with some experience, and it was road only. Every
time I see suitcases being thrown around in airports...well...

Elmar.



Re: FW: Ctrl+Shift+6 then X

2009-02-23 Thread Elmar K. Bins
Re Bruce,

br...@yoafrica.com (Bruce Grobler) wrote:

> Using Putty or any other ssh/telnet terminal I find that Ctrl+Shift+6 then X
> (on a cisco) works only sometimes after beating your keyboard multiple times
> with a hammer, has anyone else come across or had a solution to this problem?

I have found that using Ctrl-6 (through putty) gives me breaks on Ciscos.
You usually have to wait for the device to poll for a break (especially in
pings/traceroutes), but it does actually work.

Elmar.

PS: Please don't fedex beer to Germany...



Re: World famous cabling disasters?

2009-02-11 Thread Elmar K. Bins
patr...@ianai.net (Patrick W. Gilmore) wrote:

> > I'm looking for a couple of pictures of the worst cabling
> > infrastructure ever seen. One Wilshire meet me room comes to mind.
> > Anyone got any links to their photo albums, etc?
>
> I've always considered this the worst:
>
> http://englishrussia.com/images/home_networks/4.jpg

Still looks like a pasta factory...





Re: Network equipments process utilization

2009-02-10 Thread Elmar K. Bins
Good morning (from here),

lion...@samsung.com (???×?) wrote:

> I wonder which percentage is good level of CPU and Memory util of network
> equipment?
> In my case, I try to keep under 30% cpu util and 70% memory util. My most
> equipment are Cisco product.
> I have no technical reference about that, it is just a rule of mine or my
> predecessor.
> Could you tell me how other operators are doing? what is your operation
> baseline? or is there any guideline about process utilization?

I'm trying to keep all Cisco equipment idle, if at all possible,
since there may come worse times...

Typical exceptions are

  - software forwarding routers, where CPU load is directly
    depending on current traffic levels; should the load stay
    above 15-20% all the time, it's time for an upgrade

  - slow-CPU boxes like everything Cisco with SUPs, since the
    CPU load _always_ jumps to 100% for short periods of
    time - BGP needs something calculated ;-) I get interested
    whenever CPU load _stays_ high

  - switches; Cisco switches need like 5% CPU to blink the LEDs ;)


It gets more interesting with packet filters and load balancers,
where CPU loads depend on traffic levels and patterns. I try to
keep the baseline between 5 and 10%.

HTH,
Elmar.



Re: Network equipments process utilization

2009-02-10 Thread Elmar K. Bins
h...@efes.iucc.ac.il (Hank Nussbacher) wrote:

> >   - slow-CPU boxes like everything Cisco with SUPs, since the
> >     CPU load _always_ jumps to 100% for short periods of
> >     time - BGP needs something calculated ;-) I get interested
> >     whenever CPU load _stays_ high
>
> Yeah - Cisco would like to know why as well:
> http://www.cisco.com/web/about/ac50/ac207/crc_new/university/RFP/rfp07026.html

I know ;-)

But: This is not a churn problem, it's a problem of slow CPUs in
allegedly big-and-fast boxes. I'd like a NPE-G2 blade for my
76's, as RP. Still, this is getting off-topic.

Elmar.



Re: Network equipments process utilization

2009-02-10 Thread Elmar K. Bins
li...@memetic.org (Adam Armstrong) wrote:

> > > > CPU load _always_ jumps to 100% for short periods of
> > > > time - BGP needs something calculated ;-) I get interested
> > > > whenever CPU load _stays_ high
> > >
> > > Yeah - Cisco would like to know why as well:
> > > http://www.cisco.com/web/about/ac50/ac207/crc_new/university/RFP/rfp07026.html
> >
> > I know ;-)
> >
> > But: This is not a churn problem, it's a problem of slow CPUs in
> > allegedly big-and-fast boxes. I'd like a NPE-G2 blade for my
> > 76's, as RP. Still, this is getting off-topic.
>
> The MSFC4 in the RSP720 has a 1.2GHz 8548 PPC whereas the NPE-G2 has a
> 1.67GHz 7448 PPC.
>
> I'd guess the performance isn't all that far apart, especially as the
> MSFC4's processor isn't doing any forwarding.

That's why I wrote with SUPs (and not RSPs). RSP is fairly new, and
they got it right this time.





Re: One /22 Two ISP no BGP

2009-02-07 Thread Elmar K. Bins
Re Charles,

this is all about control, so you don't lose connectivity in case something
outside your control fails.

The best idea so far is the ebgp-multihop idea with your ISP's transit
provider. This means speaking BGP to them yourself and taking care that
the traffic takes the intended path, too (will usually work).

If you can spare the money, I'd set up my own hubs on the mainland,
tunnel to them through each of my ISPs and use that hub for the
routing of all incoming traffic. This does of course mean additional
hardware, housing, local loops and probably additional transit
providers. It would nonetheless give you full control.

The second best idea so far is that the NANOG people could talk to
your ISP(s)...this has worked in more than one case.

So - where is your island, how's the weather, and are you hiring? ;-)

Yours,
Elmar.



Re: Creating demand for IPv6

2007-10-03 Thread Elmar K. Bins

[EMAIL PROTECTED] (Joe Abley) wrote:

> 6to4 (for content- or access-focussed networks) is surely a solution
> to the problem of I have no good way to acquire IPv6 transit;

It solves another problem as well, like I cannot go v6 to
my servers because my load balancing and packet filtering
black boxes don't do it yet.

Elmar.