RE: NANOG 90 Venue Update

2023-12-28 Thread Eric C. Miller
I know it’s the middle of the holidays, but is there an update on the venue yet?

Eric

From: NANOG  On Behalf Of NANOG 
Support
Sent: Friday, December 8, 2023 3:07 PM
To: memb...@nanog.org; nanog@nanog.org
Subject: NANOG 90 Venue Update


Dear NANOG Community,


This letter is an update on the upcoming NANOG 90, February 2024 conference.


As we announced at NANOG 89, due to unforeseen circumstances, our contracted 
meeting venue canceled our contract and it became necessary for us to change 
the venue and date for the upcoming NANOG 90 meeting (12-14 February 2024). 
This has resulted in the delay in posting the hotel guest room information as 
we work to negotiate an agreement with a new property. The delay has been due 
to the hotel network infrastructure, which is not at the level NANOG requires 
to support its network needs.


We are happy to report at this time a solution has been developed, and contract 
signing is underway.  Once the contract is completed, there will be a room 
block we will publish for registered NANOG conference attendees to begin 
booking rooms. The room block will be available to all one week later.


We appreciate your patience as we worked through this process, along with your 
unflagging support of NANOG.


Sincerely,


Darrieux Harvey

NANOG Director of Meetings + Interim Operations Director


US Bancorp

2023-10-25 Thread Eric C. Miller
Is there anyone from USBancorp here that can help me troubleshoot a lossy 
connection from an employee VPN?

Eric


RE: [EXTERNAL] Re: Arelion/Telia AS1299 issues?

2023-10-24 Thread Eric C. Miller
It’s definitely been an annoying day. Cogent’s “don’t advertise to telia” BGP 
community doesn’t work, so we can’t route around this either. Then again, my 
bad for using the “Wal-mart” of the internet.

Eric


Temporary DIA in Equinix MI1

2023-08-23 Thread Eric C. Miller
Hello,

We have a circuit in MI1 that we are trying to relocate, but there's a crazy 
delay. Does anyone have the ability and desire to coordinate an Equinix cross 
connect and sell us DIA for 3-4 months? Usage is 2-3Gbps Residential, we can use 
our own IPs/ASN if necessary.

Eric


RE: Test Dual Queue L4S (if you are on Comcast)

2023-06-16 Thread Eric C. Miller
FYI, when trying to sign up, it tells me that my input isn’t required because I 
work in the telco industry.

Eric

From: NANOG  On Behalf Of 
Livingood, Jason via NANOG
Sent: Friday, June 16, 2023 2:30 PM
To: nanog 
Subject: Test Dual Queue L4S (if you are on Comcast)

FYI that today we (Comcast) have announced the start of low latency networking 
(L4S) field trials. If you are a customer and would like to volunteer, please 
visit this 
page.

For more info, there is a blog post that just went up at 
https://corporate.comcast.com/stories/comcast-kicks-off-industrys-first-low-latency-docsis-field-trials

We anticipate testing with several different cable modems and a range of 
applications that are marking. We plan to share detailed results of the trial 
at IETF-118 in November.

Any app developers interested in working with us can either email me directly 
or 
low-latency-partner-inter...@comcast.com.

Thanks!
Jason







Service in Peabody or Danvers MA

2023-02-13 Thread Eric C. Miller
Does anybody have service here?

Eric



Responses to my troubles with IP reputation

2022-01-10 Thread Eric C. Miller
Friends,

I just realized that it's been some time since all of this happened. I owe a 
huge thanks to Sean, Sean, Viktor, Joshua, Tomoc, Nathan, and others that I'm 
sure that I missed. You all make this a valuable community.

Regards,

Eric


RE: Amazon Prime Video IP reputation

2021-08-24 Thread Eric C. Miller
So far, the only provider that’s given us a positive confirmation has been 
GeoComply/GeoGuard. Still working on getting resolution. We’ve been able to 
move some CGNAT gateways to different IPs, but it only buys 3-4 days before 
they get flagged again.

Eric

From: Nathan Gerencser 
Sent: Monday, August 23, 2021 11:19 AM
To: Josh Luthman ; Eric C. Miller 

Cc: nanog@nanog.org
Subject: RE: Amazon Prime Video IP reputation

Geoguard takes care of Amazon and are usually responsive.

n...@geoguard.com

Nathan Gerencser, Network Engineer
MetaLINK Technologies


RE: Amazon Prime Video IP reputation

2021-08-18 Thread Eric C. Miller
We found that ipqualityscore.com seems to match up with the CGNATs that we are 
having the most trouble with. They indicated a 1-3 day turnaround in responding 
to mis-classifications. We might have to make a habit of calling them every 30 
minutes until they do something.

From: NANOG  On Behalf Of Joshua 
Stump
Sent: Wednesday, August 18, 2021 1:40 PM
To: nanog@nanog.org
Subject: RE: Amazon Prime Video IP reputation

I'm having the same with one of my valid IPv4 /21 right now. Amazon Prime, HBO 
Max, and Hulu confirmed. Just started within the last couple days.

Joshua Stump
Network Admin
Fourway.NET<https://fourway.net/>
800-733-0062

From: NANOG <nanog-bounces+jstump=fourway@nanog.org> On Behalf Of Eric C. Miller
Sent: Tuesday, August 17, 2021 7:31 PM
To: NANOG <nanog@nanog.org>
Subject: Amazon Prime Video IP reputation

Does anybody know which IP reputation service Amazon uses for Prime video? 
Within the last couple of hours several of our CGNAT publics are showing up as 
VPN or proxy when someone tries to watch Amazon video.

Any help would be appreciated!

Thank you!
Eric


Amazon Prime Video IP reputation

2021-08-17 Thread Eric C. Miller
Does anybody know which IP reputation service Amazon uses for Prime video? 
Within the last couple of hours several of our CGNAT publics are showing up as 
VPN or proxy when someone tries to watch Amazon video.

Any help would be appreciated!

Thank you!
Eric


Hotstar IP Notoriety

2021-07-15 Thread Eric C. Miller
Is there anyone here with a relationship with the Hotstar streaming service? We 
recently launched a new IP block and it's being blocked by them.

Eric


Learning Resource for IRR to RPKI

2020-03-04 Thread Eric C. Miller
Hello NANOG community,

In the many years that I've been doing this line of work, I've actually never 
had to deal with the public registry side of the job (I've always seemed to walk 
into an established environment). I'm struggling to get up to speed quickly, as 
I must integrate additional AS's into my own and our upstreams are no longer 
utilizing filter lists to accommodate the IP blocks being added. I'm being 
prompted to create route objects or establish an AS set with ours and our 
peers' ASNs.

I'm sure that there's an easy button out there for getting this week's work 
done, but I want to learn more about the system in general, but I'm having 
trouble putting my thumb on the right place to look for learning.

Any help you can provide, I would appreciate it!

Regards,

Eric



SunTrust Network Ops

2018-10-25 Thread Eric C. Miller
Is there anyone on-list from SunTrust Bank? I have a CGNAT address getting 
periodic TCP Resets from the online banking portal, and I suspect it's in 
response to a threat detector.

Thank you!




Eric


RE: Are there inexpensive DWDM products?

2017-11-03 Thread Eric C. Miller
These guys are pretty inexpensive. Take it for what it is :)

https://www.sfpcables.com/cisco-cwdm-oadm-series



Eric Miller, CCNP
Network Engineering Consultant



-Original Message-
From: NANOG [mailto:nanog-bounces+eric=ericheather@nanog.org] On Behalf Of 
Adnan Ahmed
Sent: Friday, November 3, 2017 9:26 AM
To: Hank Nussbacher 
Cc: nanog@nanog.org
Subject: Re: Are there inexpensive DWDM products?

Also look at these guys,
https://www.optelian.com/products/dwdm-optical-multiplexing/

On Fri, Nov 3, 2017 at 1:10 AM, Hank Nussbacher 
wrote:

> On 02/11/2017 20:01, LF OD wrote:
>
> Try: https://www.packetlight.com/
>
> -Hank
>
> > We have several buildings and a couple data centers spread around 
> > the
> city and interconnected via dark fiber. It's a very simple setup - no 
> ROADM, no real ring, no extended layer-2 or layer-3 via the optical gear.
> >
> >
> > Pretty much we just mux/demux a channel for each building so that 
> > each
> building sees the two data centers directly even though the fiber span 
> may wind through a couple buildings along the way. In some cases, the 
> distance is short enough to use colored optics in the network gear, 
> but mostly the distances are just long enough to warrant transponder cards.
> >
> >
> > All that being said, a lot of the gear is approaching end of life
> (support in some cases). I'm not an optical guru but I can muddle my 
> way through with Cisco ONS and I'm aware that Ciena and Fujitsu also 
> have similar products. We really don't have budget for a large optical 
> refresh effort. However, we've saved some money here and there in the 
> routing/switching arena by leveraging Arista and even Cumulus. I'm 
> wondering if there are smaller players in the optical arena that have 
> a good quality/price value?
> >
> >
> > Again, we don't need sophisticated features... we primarily have 
> > 2-to-4
> 1Gb and 10Gb ports required per site, then we mux those onto a 
> wavelength and extend it to the two data centers. Most buildings are 
> set up the same way, each on a different wavelength so the don't even see 
> each other...
> only the data centers.
> >
> >
> > If you guys know of any optical gear that you can vouch for (and 
> > which
> costs less than a small house), we would greatly appreciate it. Thanks
> >
> >
> > LFOD
> >
>
>


Contact at NY State Health Department

2016-11-15 Thread Eric C. Miller
Is there anyone from NY State Health Department here that can help me with 
random connection drops?


Thank you!

Eric Miller


RE: Brighthouse Orlando Port blocking ISAKMP

2016-08-02 Thread Eric C. Miller
All is well, now.

It appears that it may have been on XO's network. My crypto tunnel between AT 
and BH crossed XO, and asymmetric routing from my office network had Cogent and 
XO outgoing, and Level3 on the return. If I forced my office connection to use 
Level3 for the outbound, the tunnel established immediately.

Brighthouse's phone support was a grade F, by the way. Their phone support had 
me yanked around for an hour, before they finally consulted with Tier3. After 
relaying the response, which was simply, "BH doesn't filter customer traffic - 
It must be on your side," I asked to speak with them directly. The person I was 
speaking to proceeded to tell me that Tier-3 had just closed, and that they 
would have to call me back. It was 48 hours before I received a call back.

Grr.



Eric Miller, CCNP
Network Engineering Consultant




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mallette, Edwin J
Sent: Monday, August 1, 2016 9:54 AM
To: NANOG <nanog@nanog.org>
Subject: Re: Brighthouse Orlando Port blocking ISAKMP

Hi Erik,

We definitely do not filter UDP500 across our network.  I'm going to reach out 
to you directly to see if I can help figure out what's going on.

Cheers!

Ed

On 7/30/16, 11:38 PM, "NANOG on behalf of Eric C. Miller"
<nanog-boun...@nanog.org on behalf of e...@ericheather.com> wrote:

>Hello!
>
>Subject says it all!!! I cannot open any IPSec tunnels, because UDP 500 
>is not making it through to my Brighthouse connection. I've tried from 
>Level3, Cogent, and AT Are there any Brighthouse engineers on that 
>would help me shed some light on this?
>
>Thank you,
>
>Eric




Brighthouse Orlando Port blocking ISAKMP

2016-07-30 Thread Eric C. Miller
Hello!

Subject says it all!!! I cannot open any IPSec tunnels, because UDP 500 is not 
making it through to my Brighthouse connection. I've tried from Level3, Cogent, 
and AT Are there any Brighthouse engineers on that would help me shed some 
light on this?

Thank you,

Eric


RE: B5-Lite

2016-05-13 Thread Eric C. Miller
B5c is the only product that I've had much success with from Mimosa.

The B5Lite is a cheap plastic shell, and it performs like it too.

If you have UBNT gear now, Mimosa is a good next step, but I'd strongly 
recommend that you steer away from the lite and go with the B5c. We use them 
with rocket dishes. You just need the RP-SMA to N cables.


Eric Miller, CCNP
Network Engineering Consultant



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Jared Mauch
Sent: Friday, May 13, 2016 7:06 PM
To: North American Network Operators' Group 
Subject: B5-Lite

Anyone deployed this radio in production in the US?  I’m curious to hear from 
people who are using it, looking at replacing some UBNT hardware with it on 
some PTP links, going from the M-series class devices to something more modern.

Thanks,

- Jared


Hummingbird Networks Optics

2015-09-29 Thread Eric C. Miller
Does anybody have any experience with Hummingbird Networks optics?

Thank you!

Eric





RE: NANOG isn't for desktop OS licensing support, was: Windows 10 Release

2015-08-01 Thread Eric C. Miller
I will say that our peering traffic with Akamai has doubled since Thursday. 
It's starting to come back down, now.



Eric



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Chuck Church
Sent: Thursday, July 30, 2015 4:48 PM
To: nanog@nanog.org
Subject: NANOG isn't for desktop OS licensing support, was: Windows 10 Release

I hate to be that guy, but this is getting really outside the scope of NANOG.

Chuck

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Joe Greco
Sent: Thursday, July 30, 2015 12:58 PM
To: Scott Helms khe...@zcorum.com
Cc: NANOG nanog@nanog.org
Subject: Re: Windows 10 Release

 I was just thinking about my remaining Win 7 box _after_ I hit send 
 and I believe you're correct (I have one still to upgrade).  Which 
 means users upgrading from 7 to 10 will need to create an ID, but 
 users of 8 and 8.1 will use the one they already have.


This is incorrect.  While the Win 8{,.1} install process makes it appear as 
though you need a Microsoft ID, you can actually go into the create a new 
Microsoft ID option and there's a way to proceed without creating a Microsoft 
ID, which leaves you with all local accounts.

It does appear to be designed to make you THINK you need a Microsoft account 
however.

I have a freshly installed Windows 8.1 box here (no Microsoft ID) that I then 
upgraded to Windows 10, and it also does not have any Microsoft ID attached to 
it.  Activation shows as Windows 10 Home
and Windows is activated.  There's a beggy-screen on the user account page 
saying something like Windows is better when your settings and files 
automatically sync.  Switch to a Microsoft Account now!

So, again, totally optional, but admittedly the path of least resistance has 
users creating a Microsoft Account or linking to their existing one.  You have 
to trawl around a little to get the better (IMHO) behaviour.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We 
call it the 'one bite at the apple' rule. Give me one chance [and] then I won't 
contact you again. - Direct Marketing Ass'n position on e-mail
spam(CNN) With 24 million small businesses in the US alone, that's way too many 
apples.



ARIN+NANOG On The Road

2015-02-24 Thread Eric C. Miller
Thank you to all who put this event on! It was fun getting to meet everyone :)



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115





RE: Recommended wireless AP for 400 users office

2015-02-01 Thread Eric C. Miller
That's it. Step 1, buy the equipment at full price. Step 2, pay for the cloud 
management license, yearly. Step 3, no extended warranty option, so pay full 
price if equipment from step one fails. 

We just dumped our meraki deployment because of it:



Dear Helpdesk, 
Thank you for being a valued Meraki customer. Our records show that your 
Meraki Cloud license has expired.

If you wish to continue using your Meraki networks, you must renew your 
license immediately. If you choose not to renew, your Meraki systems will 
cease to provide network access on February 28, 2015. If you have recently 
made a Meraki purchase, please add your license key to your Dashboard account.






Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Hammett
Sent: Sunday, February 01, 2015 9:55 AM
To: NANOG
Subject: Re: Recommended wireless AP for 400 users office

I try to avoid anything that Cisco has touched. 

Also not a fan of their stop paying our recurring fee and the device becomes a 
brick policy. 




-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com 



- Original Message -

From: Dennis Bohn b...@adelphi.edu
To: Eric C. Miller e...@ericheather.com
Cc: NANOG nanog@nanog.org
Sent: Sunday, February 1, 2015 8:41:52 AM
Subject: Re: Recommended wireless AP for 400 users office 

We are substantially larger and use Aruba, but I am wondering why no one has 
mentioned Meraki (now cisco-meraki). We tried one of their give-away aps and it 
seemed fine, with the 'cloud management.' I am not advocating Meraki, just 
curious. 
best, 


Dennis Bohn
Manager of Network and Systems
Adelphi University
b...@adelphi.edu
5168773327 

On Fri, Jan 30, 2015 at 6:28 PM, Eric C. Miller e...@ericheather.com
wrote: 

 +1 Xirrus, especially for the multi radio arrays. Crowded common areas
 benefit from sector antennas attached to individual radios. Also, 
 their XMS server is really useful for managing a large cluster. 
 Ubiquiti UniFi is good for smaller installations, but I wouldn't trust 
 them for enterprise level reliability.
 
 
 
 Eric Miller, CCNP
 Network Engineering Consultant
 (407) 257-5115
 
 
 
 
 -Original Message- 
 From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Lyon 
 Sent: Thursday, January 29, 2015 12:17 AM 
 To: Manuel Marín 
 Cc: NANOG 
 Subject: Re: Recommended wireless AP for 400 users office 
 
 Check out Xirrus 
 On Jan 28, 2015 9:08 PM, Manuel Marín m...@transtelco.net wrote: 
 
  Dear nanog community 
  
  I was wondering if you can recommend or share your experience with APs 
  that you can use in locations that have 300-500 users. A friend 
  recommended me Ruckus Wireless, it would be great if you can share 
  your experience with Ruckus or with a similar vendor. My experience 
  with ubiquity for this type of requirement was not that good. 
  
  Thank you and have a great day 
  
 



RE: Recommended wireless AP for 400 users office

2015-01-30 Thread Eric C. Miller
+1 Xirrus, especially for the multi radio arrays. Crowded common areas benefit 
from sector antennas attached to individual radios. Also, their XMS server is 
really useful for managing a large cluster. Ubiquiti UniFi is good for smaller 
installations, but I wouldn't trust them for enterprise level reliability.



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Lyon
Sent: Thursday, January 29, 2015 12:17 AM
To: Manuel Marín
Cc: NANOG
Subject: Re: Recommended wireless AP for 400 users office

Check out Xirrus
On Jan 28, 2015 9:08 PM, Manuel Marín m...@transtelco.net wrote:

 Dear nanog community

 I was wondering if you can recommend or share your experience with APs 
 that you can use in locations that have 300-500 users. A friend 
 recommended me Ruckus Wireless, it would be great if you can share 
 your experience with Ruckus or with a similar vendor.  My experience 
 with ubiquity for this type of requirement was not that good.

 Thank you and have a great day



DDOS, IDS, RTBH, and Rate limiting

2014-11-08 Thread Eric C. Miller
Today, we experienced (3) separate DDoS attacks from Eastern Asia, all 
generating  2Gbps towards a single IP address in our network. All 3 attacks 
targeted different IP addresses with dst UDP 19, and the attacks lasted for 
about 5 minutes and stopped as fast as they started.

Does anyone have any suggestions for mitigating these type of attacks?

A couple of things that we've done already...

We set up BGP communities with our upstreams, and tested that RTBH can be set 
and it does work. However, by the time that we are able to trigger the black 
hole, the attack is almost always over.

For now, we've blocked UDP 19 incoming at our edge, so that if future, similar 
attacks occur, it doesn't affect our internal links.

What I think that I need is an IDS that can watch our edge traffic and 
automatically trigger a black hole advertisement for any internal IP beginning 
to receive  100Mbps of traffic. A few searches are initially coming up dry...



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115
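
The automatic trigger asked for in the post above, sketched as an added example (not part of the original message): a sliding-window detector over per-destination flow samples that emits a /32 blackhole announcement once an internal address crosses 100 Mbps. The prefixes, next hop, window, hold-down time and the ExaBGP-style command text are assumptions, and the community shown is the RFC 7999 well-known BLACKHOLE value standing in for whatever your upstreams documented.

```python
import ipaddress
from collections import defaultdict, deque

# All values below are constructed placeholders except the 100 Mbps trigger,
# which is the level named in the post.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # our address space
THRESHOLD_BPS = 100_000_000        # 100 Mbps towards one internal IP
WINDOW_S = 5                       # assumption: averaging window in seconds
HOLD_S = 300                       # assumption: keep the blackhole this long
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE; use your upstream's value
NEXT_HOP = "192.0.2.1"             # placeholder discard next hop


class RtbhTrigger:
    """Turns flow samples (ts, dst, bytes) into announce/withdraw commands."""

    def __init__(self):
        self.samples = defaultdict(deque)    # dst -> deque of (ts, bytes)
        self.window_bytes = defaultdict(int)  # dst -> bytes inside the window
        self.blackholed = {}                  # dst -> last ts seen over threshold

    @staticmethod
    def _internal(dst):
        addr = ipaddress.ip_address(dst)
        return any(addr in net for net in INTERNAL_NETS)

    def expire(self, now):
        """Withdraw blackholes that have been quiet for HOLD_S seconds.

        Once upstream drops the traffic we stop seeing it at the edge, so the
        only safe release is a timer; a continuing attack re-triggers.
        """
        cmds = []
        for dst, last in list(self.blackholed.items()):
            if now - last >= HOLD_S:
                del self.blackholed[dst]
                cmds.append(f"withdraw route {dst}/32 next-hop {NEXT_HOP}")
        return cmds

    def observe(self, ts, dst, nbytes):
        """Feed one sample; return the route commands it causes, in order."""
        cmds = self.expire(ts)
        if not self._internal(dst):
            return cmds                       # never blackhole someone else's IP
        q = self.samples[dst]
        q.append((ts, nbytes))
        self.window_bytes[dst] += nbytes
        while q and q[0][0] <= ts - WINDOW_S:  # drop samples older than window
            _, old = q.popleft()
            self.window_bytes[dst] -= old
        bps = self.window_bytes[dst] * 8 / WINDOW_S
        if bps > THRESHOLD_BPS:
            if dst not in self.blackholed:     # announce once per event
                cmds.append(
                    f"announce route {dst}/32 next-hop {NEXT_HOP} "
                    f"community [{BLACKHOLE_COMMUNITY}]"
                )
            self.blackholed[dst] = ts
        return cmds


def demo():
    """Replay constructed samples: a 2 Gbps burst at .10 between t=3 and t=7."""
    samples = []
    for t in range(10):
        samples.append((t, "203.0.113.20", 1_000_000))      # normal customer
        samples.append((t, "198.51.100.5", 500_000_000))    # not our prefix
        if 3 <= t <= 7:
            samples.append((t, "203.0.113.10", 250_000_000))  # attack target
    samples.append((400, "203.0.113.20", 1_000_000))         # later, quiet
    trig = RtbhTrigger()
    out = []
    for ts, dst, nbytes in samples:
        out.extend((ts, cmd) for cmd in trig.observe(ts, dst, nbytes))
    return out


if __name__ == "__main__":
    for ts, cmd in demo():
        print(ts, cmd)
```

In the replay the announcement is produced on the first second of the burst, which is the property that matters when the attacks described last only about five minutes.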





Netgear

2014-10-20 Thread Eric C. Miller
Is there anyone from Netgear on this list? If you could contact me off-list, it 
would be appreciated.

Thanks!



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115





RE: Akamai charges for IPv6 support?

2014-08-19 Thread Eric C. Miller
I thought that keeping up with the times is part of basic necessity of business.



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matthew Kaufman
Sent: Monday, August 18, 2014 10:48 PM
To: Alejandro Acosta
Cc: nanog@nanog.org
Subject: Re: Akamai charges for IPv6 support?

I guess you expect infrastructure to build itself for free?

Matthew Kaufman

Sent from my iPad

 On Aug 18, 2014, at 7:30 PM, Alejandro Acosta 
 alejandroacostaal...@gmail.com wrote:
 
 
 
 El 8/18/2014 12:23 PM, Aaron Hopkins escribió:
 On Mon, 18 Aug 2014, Mehmet Akcin wrote:
 
 What did they say when you asked them(Akamai)?
 
 I quoted their response in my mail; sorry if that wasn't clear.  They 
 offered to enable IPv6 service for a non-trivial monthly recurring 
 fee, which they offered to send me a revised contract to include.
 
 it's so sad to hear this in August 2014
 
 
 I would imagine ipv6 to be included in price not an additional fee.
 
 I was surprised to find that wasn't the case.
 
-- Aaron


RE: First ISP-hosted transparent test-IPv6.com mirror

2014-05-19 Thread Eric C. Miller
Jason,

Love the service that you guys have. I use it as part of training helpdesk 
agents as well as field techs. My ISP wants to set up a transparent mirror, and 
I encourage others to do so as well.

Do you support us adding a hosted by logo, or a link to our IPv6 speedtest 
server?



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Jason Fesler
Sent: Saturday, May 17, 2014 12:52 AM
To: nanog@nanog.org
Subject: First ISP-hosted transparent test-IPv6.com mirror

TL:DR? “Thanks, Comcast!” and “Who’s Next?”

The test-ipv6.com site started out 4 years ago, at a table in Seattle, after an 
IPv6 round table meeting hosted by Internet Society. John Brzozowski and myself 
were each trying to come up with a way to help end users figure out that their 
IPv6 internet was good or bad.
Ultimately I kept plugging away at it, as John was distracted with some kind of 
broadband IPv6 rollout for his employer (Comcast). And the test-ipv6.com site 
went live about a month later, with solicitation to a few operations lists for 
feedback. All in all, pretty successful.

I’ve had two concerns since deploying test-ipv6.com: one, how to scale; and 
two, how to ensure the user’s connectivity back to the service is awesome (or 
at least, not bad). John was thinking the same thing - worried about sending 
too many of his customers to my site, and crushing it in the process. Not good 
for either of us.

Both of those are relatively easy to solve. Simply deploy tons of mirrors 
around the world, problem solved - if you have the cash and/or smart business 
plan to back it. I don’t monetize the site with advertising; nor do I charge 
fees. Nor do I have a crack CFO who can help me IPO, and make me rich in the 
process. I don’t really have the time or energy to solicit for corporate 
handouts. As it turns out, it appears that I’m bad when it comes to making 
money on this project. So any solution has to be cheap.

Asking folks to run regional mirrors (such as “test-ipv6.cz” or
“test-ipv6.co.za”) is great; it offers a community local resources that are 
more immune to global connectivity issues. However, people must explicitly 
decide to visit these mirrors; to choose the location they want to test from. 
Those regional mirrors are mostly light duty as a result. They are still 
invaluable - they provide the back end that the global connectivity test uses, 
for any IPv6-validated customer visiting any of the mirrors. With this global 
test, we effectively crowd source getting IPv6 peering problems fixed.

John and I decided to take things a step further; something I’m happy to see 
finally make it across the finish line after a fair bit of upfront dev work.

Comcast is now running two mirrors and preparing a third - which directly act 
as “test-ipv6.com”. Nothing changes for the user. John has to worry less about 
transient (and transit!) connectivity back to test-ipv6.com.

This is done with a poor-man’s GSLB (Global Server Load Balancer).
We’re using an in-house built DNS server that looks at the internet routing 
table to see what ISP the DNS queries come from. Based on the source BGP ASN, 
we can decide which ISP mirror gets the traffic. (PS:
thanks to routeviews.org and everyone who feeds data to it; that stuff is 
great!)

In the end: we both get to worry less about Comcast traffic volume to 
test-ipv6.com; as well as ensure a good user experience for the customers 
visiting.

What’s next? That’s where you come in :-).

If you’re ...

 * working at a large ISP
 * doing real IPv6 deployment
 * or considering using “helpdesk.test-ipv6.com” with customers

I’d love to help you set up a transparent mirror (acting as “test-ipv6.com”). 
For you, it means controlling the user experience using this site; as well as 
removing any capacity concerns. For me, it means the same thing. Win, win. More 
info at http://github.com/falling-sky/source/wiki/TransparentMirrors
(http://tinyurl.com/m7nnhfn).

If you want to help, or have questions, don’t hesitate to ask.

-jason

(link for sharing, if you're inclined: http://test-ipv6.com/comcast.html)
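
The ASN-based steering described in the quoted announcement, as an added example (not the test-ipv6.com project's code): a longest-prefix match from the DNS query's source address to an origin ASN, then a lookup of that ASN's mirror. The routing-table extract, ASNs and mirror addresses are constructed from documentation ranges, and the class and method names are hypothetical.

```python
import ipaddress

# Constructed routing-table extract: prefix -> origin ASN (documentation values).
ROUTES = {
    "198.51.100.0/24": 64496,
    "198.51.100.128/25": 64497,    # more-specific originated by a different AS
    "2001:db8:1000::/36": 64496,
    "203.0.113.0/24": 64500,
}
# Hypothetical map of ISP ASN -> that ISP's transparent mirror (A, AAAA).
MIRRORS = {64496: ("192.0.2.10", "2001:db8:ffff::10")}
# Placeholder addresses for the main site, used when no ISP mirror applies.
DEFAULT = ("192.0.2.1", "2001:db8:ffff::1")


class AsnSteering:
    """Pick the answer for a DNS query from the origin ASN of its source IP."""

    def __init__(self, routes, mirrors, default):
        # tables[ip_version][prefix_length][network_as_int] = origin ASN
        self.tables = {4: {}, 6: {}}
        for prefix, asn in routes.items():
            net = ipaddress.ip_network(prefix)
            by_len = self.tables[net.version].setdefault(net.prefixlen, {})
            by_len[int(net.network_address)] = asn
        self.mirrors = mirrors
        self.default = default

    def origin_asn(self, source_ip):
        """Longest-prefix match; None when the address is not in the table."""
        addr = ipaddress.ip_address(source_ip)
        bits = addr.max_prefixlen
        table = self.tables[addr.version]
        for plen in sorted(table, reverse=True):   # most specific first
            mask = ((1 << plen) - 1) << (bits - plen)
            asn = table[plen].get(int(addr) & mask)
            if asn is not None:
                return asn
        return None

    def answer(self, source_ip, qtype):
        """Return the address to hand out for an A or AAAA query."""
        a, aaaa = self.mirrors.get(self.origin_asn(source_ip), self.default)
        return aaaa if qtype == "AAAA" else a


STEERING = AsnSteering(ROUTES, MIRRORS, DEFAULT)

if __name__ == "__main__":
    for src in ("198.51.100.20", "198.51.100.200", "2001:db8:1234::53", "192.0.2.99"):
        print(src, STEERING.origin_asn(src), STEERING.answer(src, "AAAA"))
```

The source address an authoritative server sees is the recursive resolver's, so customers using a resolver outside their ISP's ASN fall through to the default answer.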


RE: L2TPv3/MPLS (TP) Pseudowire to preserve

2014-01-26 Thread Eric C. Miller
Have you looked at Cisco CEF Load Sharing?



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115



-Original Message-
From: Herro91 [mailto:herr...@gmail.com] 
Sent: Wednesday, January 08, 2014 10:19 AM
To: Cisco-nsp; nanog@nanog.org; Juniper-Nsp
Subject: L2TPv3/MPLS (TP) Pseudowire to preserve

Hi,

We have a new requirement to load balance across a couple of point to point 
ethernet links.

The previous solution was handled by a few TDM circuits and MLPPP so that 
traffic was load balanced and any fragmentation/reassembly was handled by 
ML/PPP.

Load balancing per flow is not really an option because we have a single IPSec 
tunnel (ESP-mode) and there is Layer 4 information to make a better decision to 
balance the load.

I have been considering the use of L2TPv3 or an MPLS Pseudowire as a potential 
solution as they seem to have mechanisms to ensure packets are not misordered.

I would appreciate any feedback/suggestions that the community can offer.


Best,

-Doug



RE: IPv6 /48 advertisements

2013-12-18 Thread Eric C. Miller
Owen, thanks for this explanation. +1!



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115



-Original Message-
From: Owen DeLong [mailto:o...@delong.com] 
Sent: Wednesday, December 18, 2013 2:07 PM
To: Cliff Bowles
Cc: nanog@nanog.org
Subject: Re: IPv6 /48 advertisements


On Dec 18, 2013, at 08:11 , Cliff Bowles cliff.bow...@apollogrp.edu wrote:

 I accidentally sent this to nanog-request yesterday. I could use some 
 feedback from anyone that can help, please.
 
 Question: will carriers accept IPv6 advertisements smaller than /48?

Generally, no. Since a /48 should represent nothing larger than a single site, 
it's not very reasonable to want to route something longer in general.

 Our org was approved a /36 based on number of locations. The bulk of those 
 IPs will be in the data centers. As we were chopping up the address space, it 
 was determined that the remote campus locations would be fine with a /60 per 
 site. (16 networks of /64). There are usually less than 50 people at the 
 majority of these locations and only about 10 different functional VLANs 
 (Voice, Data, Local Services, Wireless, Guest Wireless, etc...).

That's still poor planning, IMHO. You can easily get more than enough /48s to 
give one to each location. There's absolutely no advantage in the IPv6 world to 
being stingy with address space and no benefit to not putting at least a /48 at 
every location.

You've got 10 VLANs, so you're wasting at most 65,526 networks. Compare that to 
the fact that using a /64 for a VLAN with less than 2,000,000 hosts on it will 
waste at least 18,446,744,073,707,551,616 addresses and you begin to realize 
that sparse addressing in IPv6 and large amounts of excess address capacity are 
intentional.

 Now, there has been talk about putting an internet link in every campus 
 rather than back hauling it all to the data centers via MPLS. However, if we 
 do this, then would we need a /48 per campus? That is massively wasteful, at 
 65,536 networks per location.  Is the /48 requirement set in stone? Will any 
 carriers consider longer prefixes?

Massively wasteful is a fact of life in IPv6. Consider it this way... There are 
two ways to waste address space. One way is, as you describe above, deploying 
it to locations that are unlikely to fully utilize it.

Another way is to leave it sitting in a free pool until long after the protocol 
is no longer useful.

With IPv6, we're not so much choosing between wasting address space or not. 
We're choosing how much address space gets wasted using method 1 vs. how much 
gets wasted using method 2. Ideally, we arrive at the protocol end of life with 
some space remaining in both categories of waste.

 I know some people are always saying that the old mentality of conserving 
 space needs to go away, but I was bitten by that IPv4 issue back in the day 
 and have done a few VLSM network overhauls. I'd rather not massively allocate 
 unless it's a requirement.

It's a requirement and not massively allocating will bite you harder in IPv6 
than space did in IPv4.

IPv4 was designed for a different kind of network. It was designed to support 
some labs and some institutional environments. It was never intended to be the 
global public internet. IPv6 has been designed with the idea of addressing 
absolutely everything from the ground up. The design allows for plenty of /48s 
to number every building that could possibly fit on every planet in the solar 
system and several other solar systems.

Frankly, a /48 per campus is underallocating for any campus that has more than 
one building.

Owen





ZyXEL Gear

2013-11-26 Thread Eric C. Miller
I'm looking at some non-Cisco price options to deliver more than 4 SFP slots 
into a structure and was wondering if anyone had any experience with ZyXEL's 
offerings in the service provider market. Specifically MGS-3712F or GS-4012F

Thank you for your comments!

Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115





RE: ZyXEL Gear

2013-11-26 Thread Eric C. Miller
Thanks, Josh!



From: Josh Baird [mailto:joshba...@gmail.com]
Sent: Tuesday, November 26, 2013 10:51 PM
To: Eric C. Miller
Cc: NANOG (nanog@nanog.org)
Subject: Re: ZyXEL Gear

I don't, but you may want to take a look at Planet:

http://www.planet.com.tw/

Thanks,

Josh

On Tue, Nov 26, 2013 at 10:47 PM, Eric C. Miller 
e...@ericheather.com wrote:
I'm looking at some non-Cisco price options to deliver more than 4 SFP slots 
into a structure and was wondering if anyone had any experience with ZyXEL's 
offerings in the service provider market. Specifically MGS-3712F or GS-4012F

Thank you for your comments!

Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115





RE: Meraki

2013-11-23 Thread Eric C. Miller
I'm using an EdgeRouter lite in a deployment for a WISP, and it's holding up 
very nice. It's only passing 40-50Mbps of basic OSPF routing, but no complaints 
thus far for the performance. I've heard that once you start adding in the 
services and rules, you really start to see the PPS drop, but I haven't RFC 
2544 or EtherSam tested it yet.

Right now, I'm waiting for the GUI to get more development before we move 
further with them. Being Vyatta under the hood, you can do just about anything, 
but the helpdesk techs don't understand CLI. Kudos on the IPv6 GUI support out 
of the box.



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115



-Original Message-
From: Ray Soucy [mailto:r...@maine.edu] 
Sent: Friday, November 22, 2013 7:35 AM
To: Seth Mos
Cc: NANOG
Subject: Re: Meraki

FWIW, I picked up a UniFi 3-pack of APs and built up a controller VM using 
Ubuntu Server LTS and the beta multi-site controller code over the past week.

I'm very impressed so far, it doesn't have all the bells and whistles of a Cisco 
setup, sure, but I'm pretty shocked at the level of functionality here and the 
ease of having APs use an off-site controller (they all phone home over TCP so 
no VPN or port forwarding is required).

I'm interested in UniFi mainly for remote Libraries that don't have any IT 
staff but need a little more than a router from Best Buy.

Also of interest is the EdgeMAX line.  I also got the EdgeRouter LITE for 
testing this past week after finding out it runs a fork of Vyatta (EdgeOS) and 
is developed by former Vyatta employees.  For a sub-$100 device ...
very impressive.

Pricing just popped up for the new EdgeRouter PRO last night and I was pretty 
blown away:

$360

For a device with 2 SFP ports, and 2M PPS.  That is music to my ears since we 
do a lot of dark fiber around the state even for smaller locations.  I'm pretty 
excited to get one of these and see how they perform.

I wish I would have bothered looking at Ubiquiti sooner, really.  I'm a little 
embarrassed to admit I initially wrote them off because the prices were so low, 
but the more I look into these guys the more I like them.

I feel like I'm at the risk for becoming a UBNT fanboy.  Does anyone have any 
qualified horror stories about EdgeMAX or UniFi?  Everything I've been able to 
find has been for nonsense configurations like complaining about trying to do 
OSPF over WiFi ... Who does that?






On Fri, Nov 22, 2013 at 1:34 AM, Seth Mos seth@dds.nl wrote:


 On 22 Nov 2013, at 06:37, Jay Ashworth wrote:

  - Original Message -
  Anecdote:
 
  My local IHOP finally managed to get Wifi internet access in the
 restaurant.
 
  For reasons unknown to me, it's a Meraki box, backhauled *over T-mobile*.
 
  That's just as unpleasant as you'd think it would be, And More!
 
  Both the wifi and 3G (yes, 3G) boxes lock up on a fairly regular 
  basis, requiring a power cycle, which, generally, they'll only do 
  because I've been eating there for 20 years, and they trust me when I ask 
  them to.
 
  I can't say whether this provides any illumination on the rest of 
  their product line, but...

 To compound matters, I'd go as far as to say that any wireless 
 solution on 2.4GHz isn't really a wireless solution. It's just not 
 feasible anymore in 2013, there is just *so much* interference from 
 everything using the unlicensed 2.4GHz band that its own success is its 
 greatest downfall.

 Reliable wireless isn't (to use the famous war quote friendly fire 
 isn't)

 For whatever reasons, whomever I talk to they all tell me that ISP 
 here sucks, and if I ask further if they are using the wireless 
 thingamabob that the ISP shipped them, they say yes. So, that's about right 
 then.

 I've been using a PCengines.ch Alix router for years now (AMD Geode, 
 x86, 256MB ram, CF) with a cable modem in bridge mode with separate 
 dual band access points in the places where I need them (living room, 
 attic office) and I can't say that my experiences with the ISP here mesh 
 with theirs.

 Anyhow, if you are going to deploy wireless, make sure to use dual 
 band, and name the 2.4Ghz SSID internet and the 5Ghz SSID faster-internet.
 You'll see people having a heck of a better time. Social engineering 
 works
 :)

 When we chose the Ubiquiti wireless kit we could deploy twice as many 
 APs for the same price of one of the other APs. This effectively means 
 we have a very dense wireless network that covers the entire building, 
 and lots of kit that can actually see and use the 5GHz band.

 Setup was super easy, I added a unifi DNS name that points to my unifi 
 controller host and I get an email that a new AP is ready to be put 
 into service. Having a local management host instead of some cloud was 
 a hard requirement. I also like that I can just apt-get update; apt-get 
 upgrade
 the software. By using DNS remote deployment was super easy too, send 
 the unit off and let them plug it in, 

RE: Cogent 100M DIA in Denver

2013-10-24 Thread Eric C. Miller
I'm in the middle of converting IPV4 to dualstack with Cogent. I was told that 
they don't have IPV6 in the edge in Tampa yet, so they are VLANing us to a core 
device to give us v6. So by dualstack, they must mean dualstack only from an 
OSI Layer 1 approach. Heartburn city.

Robert, do you have any advice from working with their ipv6 stuff, yet?



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115




-Original Message-
From: Robert Glover [mailto:robe...@garlic.com] 
Sent: Monday, October 14, 2013 4:36 PM
To: trit...@cox.net
Cc: NANOG
Subject: Re: Cogent 100M DIA in Denver

We've had them since May 2008.  Recently upgraded from 100Mb to 250Mb. 
Had minor issues here and there (no outages to speak of).

I've had some IPv6 issues since moving the link to dual-stack a few months 
back, but we are not deploying IPv6 to end-users yet, so I'll let them slide on 
that.

On 10/14/2013 12:57 PM, Tri Tran wrote:
 They're lit in the building and have a much faster installation interval. How 
 reliable are they? 
 Tri Tran







AS 2379

2012-11-20 Thread Eric C. Miller
Does anybody know of a list of BGP communities for AS2379 (EMBARK-WNPK now 
CenturyLink)?



I haven't reached out to Centurylink yet, but I'm used to just finding them 
through Google Searches.





Eric Miller, CCNP

Network Engineering Consultant

(407) 257-5115


Partial Outage with TW Telecom and CenturyLink

2012-04-24 Thread Eric C. Miller
Morning Everyone,



Yesterday between about 1900 and 2230 UTC, we had a partial drop with reaching 
various sites through TW Telecom from our circuit in Orlando, FL. The 
unavailable sites included Facebook, Newegg, and Godaddy. The outage did not 
affect our Atlanta TW Telecom. I conferred with a colleague who manages a large 
customer in Apopka who said that they appeared not to be affected. His circuit 
and ours loop to the same TW Telecom POP.



But even more Murphy than that, our Centurylink secondary circuit was having a 
routing loop issue at the same time, so while our BGP routes were being 
advertised to the world through Centurylink, the circuit was useless. Centurylink 
acknowledged the existence of a bigger transport issue and said that we weren't 
the only customer affected.



Anybody else notice these issues or have any other insight?



Thanks!



Eric Miller


Populating BGP from Connected or IGP routes

2012-01-23 Thread Eric C. Miller
Hi all,

I'm looking for a best practice sort of answer, plus maybe comments on why your 
network may or may not follow this. 

First, when running a small ISP with about the equivalent of a /18 or /19 in 
different blocks, how should you decide what should be in the IGP and what 
should be in BGP? I assume that it's somewhere between all and none, and one 
site that I found made some good sense saying something to the following: "Use 
a link-state protocol to track interconnections and loopbacks only, and place 
all of the networks including customer networks into BGP."

Secondly, when is it ok, or preferable to utilize redistribute connected for 
gathering networks for BGP over using a network statement? I know that this 
influences the origin code, but past that, why else? Would it ever be 
permissible to redistribute from the IGP into BGP?

Thanks for everyone's input!

Eric Miller


Re: Arguing against using public IP space

2011-11-16 Thread Eric C. Miller
Not sure if anyone has thought of it like this, but:

Air Gap is still only as secure as the people with access to it. NAT and 
firewalls provide a compromise between security and connectivity. But remember 
that at a power plant, the PBX system still connects to the outside world, and 
there is a phone in the control room. What stops a nefarious social hacker from 
calling up the control room and convincing the 3rd shift operator to stop 
producing power (claiming to be from the regional authority)? Caller-ID can be 
hacked. My personal belief is that all layers of the OSI/DOD model should 
assume that the adjacent lower level can and will be compromised at some point 
and measures should be put in place to encrypt or authenticate messages. 
Unfortunately for us, our critical infrastructure in this country still 
operates on outdated security-less network architectures like ArcNET. Even most 
of the PLCs in use at power plants utilize no security or have simple passwords 
like supervisor and operator. The US gov's NERC has random inspections for 
CIP compliance, but I feel that they happen so infrequently, that nothing will 
be done in time to adequately protect us from certain dangers that loom.

Eric Miller
Network Engineering Consultant


Brighthouse Outage in Tampa, FL

2011-09-07 Thread Eric C. Miller
Does anyone know what the software bug was that hit Brighthouse in Tampa?

Eric Miller



RE: Looking for an opinion on Colo Solutions/Orlando colocation

2011-08-21 Thread Eric C. Miller
I've worked with Colo Solutions twice in the past, very pleased. 

Knuckles has to be one of the nicest NOC engineers that I've run across, 
hopefully he hasn't found any greener grass.

As to the facility, top-notch power and environment protection, but they were a 
little bit soft on their 48VDC offering when compared to a traditional telco 
facility. Carrier neutral, and everyone is in there. They have a lot of 1/2 or 
1/3 rack customers, so lots of diversity in customer base.

Reply off-list if you need more info.

Eric Miller
Rapid Systems
Tampa, FL

-Original Message-
From: Graham Wooden [mailto:gra...@g-rock.net] 
Sent: Sunday, August 21, 2011 2:16 PM
To: nanog@nanog.org
Subject: Looking for an opinion on Colo Solutions/Orlando colocation

Hi there,

Our next POP deployment is going to be in Orlando (mainly supporting that CLEC 
client that I mentioned earlier last week).

Can anyone share their good/bad/ugly experiences with Colo Solutions
there?  We had a brief conf call with their sales engineer but looking for 
real-world experiences/comments from folks that have had or currently are 
colocating here there.

Thanks,

-graham