Re: [External] Opengear alternatives that support 5g?

2024-04-29 Thread Hunter Fuller via NANOG
I certainly don't blame you for your frustrations with abusing MikroTiks as
a serial console. The additional computer (Pi or otherwise) is, imo, a
must. Unless you are just using the MikroTik as an ssh jump box into the
OOB network, which isn't so bad.

-- 
Hunter Fuller (they)
Lead Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Opengear alternatives that support 5g?

2024-04-28 Thread Hunter Fuller via NANOG
We use MikroTik for this. All manner of interfaces including LTE and 5G are
available. I hear you can connect USB serial to them directly, but we also
drop a surplus Dell OptiPlex at each location and attach the serial ports
to that device. Total cost is <200 USD per site since we already have the
older desktops laying around.

-- 
Hunter Fuller (they)
Lead Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Re: Meta outage

2024-03-05 Thread Hunter Fuller via NANOG
On Tue, Mar 5, 2024 at 10:38 AM Chris K  wrote:
> see: Status and outages of Meta business products (metastatus.com)

Things seem to be returning now, aside from the status page, which
still appears blank. Interesting.

-- 
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Fiber aggregators and such

2024-03-04 Thread Hunter Fuller via NANOG
On Mon, Mar 4, 2024 at 12:37 PM Tom Beecher  wrote:
>>  I think there is
>> a very careful attitude around making sure not just anyone can get
>> this information, especially after the Nashville bombing on Christmas
>> Day 2020.
>
> Keeping fiber location info close to the vest is nothing new. I'm not now 
> sure why/how you feel like this connects to the Nashville incident.

I wouldn't say it's new, but in this area (TN Valley), things
definitely tightened up even more, in the wake of that incident.
Probably due to proximity to Nashville. I can't speak to any other
regions of course.


Re: [External] Fiber aggregators and such

2024-03-04 Thread Hunter Fuller via NANOG
On Mon, Mar 4, 2024 at 11:23 AM Jared Mauch  wrote:
>
> With all the $ being spent expanding fiber in the last mile, I’ve got a 
> theory that a lot of new and diverse fiber routes are being built between 
> locations.
>
> There’s a few places I know that roll up some of this information, but I’m 
> wondering if there’s anyone rolling this all up either publicly or privately.


Jared,

In the North Alabama area, you are certainly correct. And as a
well-known central entity in that region, we have sort of
unintentionally become one of the arbiters of this subject. So of
course internally we are aggregating all the information.

The problem is that, at least half the time I learn of this
information, either the other entities aren't willing to disclose the
real details, or they disclose the details to me but it's expected
that I not share them outside of my own organization. I think there is
a very careful attitude around making sure not just anyone can get
this information, especially after the Nashville bombing on Christmas
Day 2020.

Maybe there could be a public aggregator of those who aggregate the
information privately...?? Not sure what the answer is here.

-- 
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Re: IPv6 uptake

2024-02-19 Thread Hunter Fuller via NANOG
On Mon, Feb 19, 2024 at 11:16 AM William Herrin  wrote:
> > There isn't really an advantage to using v4 NAT.
> I disagree with that one. Limiting discussion to the original security
> context (rather than the wider world of how useful IPv6 is without
> IPv4), IPv6 is typically delivered to "most people" without border
> security, while IPv4 is delivered with a stateful NAT firewall.

Maybe this is the disconnect. Who delivers v6 without a firewall?

I've done a lot of T-Mobile and Comcast business connections lately,
and those certainly both provide a firewall on v4 and v6. I'll admit
I'm not currently well-versed in other providers (except ones that
don't provide v6 at all...).

It is possible to order Comcast without a firewall for v6, in which
case you receive a public v4 address without protection too.

What common scenario leads to your average person being unprotected on
the v6 Internet?


Re: [External] Re: IPv6 uptake

2024-02-19 Thread Hunter Fuller via NANOG
On Mon, Feb 19, 2024 at 10:22 AM William Herrin  wrote:
> Yes and no. The client application has to be programmed to understand
> link-local addresses or it can't use them at all. You can't just say
> "connect to fe80::1." Even if there's an fe80::1 on your network, it
> doesn't work. The client app has to also carry the interface identity
> into the stack (e.g. fe80::1%eth0) in order to use it.

Sure, you and I know this, as a network engineering fact. But, all
over the US, thousands of taco trucks (Joe's or otherwise) are using
Square and similar solutions, and I happen to know from pcaps that
they are (at least some of the time) using the method I described. So
everything else we discuss is kind of academic; Joe will continue
printing receipts for taco orders over link local addresses just fine,
since it works in production today.

We can talk all day about how it's not optimal, has limitations if you
have 4000 Chromebooks, etc., but Joe won't care, because he is selling
tacos. Businesses (not enterprises) that need dual WAN will fall into
this category 99.9% of the time.

I guess the point I'm making is, the methods we are using today for v6
dual WAN, work fine for most people. There isn't really an advantage
to using v4 NAT. That was the original topic I was responding to... as
it is visible fuzzily in the rearview mirror currently.


Re: [External] Re: IPv6 uptake

2024-02-19 Thread Hunter Fuller via NANOG
On Mon, Feb 19, 2024 at 9:29 AM Mike Hammett  wrote:
> "In IPv6's default operation, if Joe has two connections then each of
> his computers has two IPv6 addresses and two default routes. If one
> connection goes down, one of the routes and sets of IP addresses goes
> away."
>
> This sounds like a disaster.

You know, I thought so too, until I deployed it and it worked fine.

I have done it twice now, once on MikroTik RouterOS and once on
Ubiquiti EdgeOS. You just have to make sure the timers are pretty
short, and that the router will stop sending RAs for the route if it's
not working. This is definitely something that a COTS SOHO dual WAN
router, that Joe would buy, could and should do by default (hopefully
they do; I just haven't checked).

-- 
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
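The failover behaviour described above (short timers, and the router ceasing to advertise a dead uplink) as an added model of the host side, not code from the thread or from either router vendor; the prefixes, link-local addresses and timer values are constructed sample values:

```python
"""Model of IPv6 dual-WAN failover driven by Router Advertisement lifetimes.

Added illustration, not code from the thread. It follows the host rules of
RFC 4861 (Router Lifetime governs the default route) and RFC 4862/6724
(Preferred Lifetime governs whether an address is still used as a source).
A router that stops advertising a failed uplink, or sends a final RA with
both lifetimes set to 0, makes the host drop that default route and stop
sourcing from that prefix. Addresses, prefixes and timers are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class RA:
    router: str              # link-local address of the advertising router
    prefix: str              # on-link prefix it hands out for SLAAC
    router_lifetime: int     # seconds the default route via this router is valid
    preferred_lifetime: int  # seconds addresses from the prefix stay preferred


@dataclass
class Host:
    routes: dict = field(default_factory=dict)     # router -> route expiry
    preferred: dict = field(default_factory=dict)  # prefix -> preferred expiry

    def receive_ra(self, ra: RA, now: int) -> None:
        """Apply one RA; a Router Lifetime of 0 withdraws the route at once
        (RFC 4861 section 6.3.4)."""
        if ra.router_lifetime == 0:
            self.routes.pop(ra.router, None)
        else:
            self.routes[ra.router] = now + ra.router_lifetime
        # Preferred Lifetime may be lowered to 0 at will (unlike Valid
        # Lifetime, which RFC 4862 floors at two hours), so deprecation is
        # immediate and source address selection moves to the other prefix.
        self.preferred[ra.prefix] = now + ra.preferred_lifetime

    def default_routers(self, now: int) -> list:
        return sorted(r for r, t in self.routes.items() if t > now)

    def source_prefixes(self, now: int) -> list:
        """Prefixes the host will still pick a source address from
        (RFC 6724 rule 3: avoid deprecated addresses)."""
        return sorted(p for p, t in self.preferred.items() if t > now)


def simulate(fail_at: int, explicit_withdraw: bool, until: int = 90) -> dict:
    """Two WAN routers advertise every 10 s with 30 s lifetimes; router A's
    uplink fails at `fail_at`. Returns {time: (default routers, preferred prefixes)}.
    """
    wan_a = RA("fe80::a", "2001:db8:a::/64", 30, 30)
    wan_b = RA("fe80::b", "2001:db8:b::/64", 30, 30)
    host = Host()
    timeline = {}
    for now in range(0, until + 1, 10):
        host.receive_ra(wan_b, now)
        if now < fail_at:
            host.receive_ra(wan_a, now)
        elif now == fail_at and explicit_withdraw:
            # Router noticed the dead uplink and sends a final RA with zero lifetimes.
            host.receive_ra(RA(wan_a.router, wan_a.prefix, 0, 0), now)
        # On a silent failure the stale RA state simply ages out on the host.
        timeline[now] = (host.default_routers(now), host.source_prefixes(now))
    return timeline


if __name__ == "__main__":
    for label, withdraw in (("silent failure", False), ("explicit withdraw", True)):
        print(label)
        for t, (routers, prefixes) in simulate(40, withdraw).items():
            print(f"  t={t:3d}s routers={routers} source prefixes={prefixes}")
```

With a silent failure the host keeps using the dead router until the 30 s Router Lifetime runs out; with an explicit zero-lifetime RA it switches at once, which is why both the timer length and the withdraw behaviour matter.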


Re: [External] Re: IPv6 uptake

2024-02-19 Thread Hunter Fuller via NANOG
On Mon, Feb 19, 2024 at 9:17 AM William Herrin  wrote:
> There's also the double-ISP loss scenario that causes Joe to lose all
> global-scope IP addresses. He can overcome that by deploying ULA
> addresses (a third set of IPv6 addresses) on the internal hosts, but
> convincing the internal network protocols to stay on the ULA addresses
> is wonky too.

In the real world today, most applications seem to use mDNS and
link-local addresses to keep this connectivity working. (I am guessing
Joe's Taco Shop uses something like Square, and just needs his
register to talk to his printer. This already works with mDNS and
link-locals today.)

-- 
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Re: The Reg does 240/4

2024-02-13 Thread Hunter Fuller via NANOG
On Tue, Feb 13, 2024 at 12:17 PM Bryan Holloway  wrote:
> https://help.mikrotik.com/docs/display/ROS/Routing+Protocol+Overview
>
> Ping across? Sure. Ok. But I wouldn't rely on it for anything critical.

Well that's certainly interesting.
You will not see me sticking up for MikroTik's documentation, ever. I
don't think the table reflects the reality of ROS 7, there's even a
note that "Routed traffic does not work to odd address" in one
version. I know that to be false, because, well, I do this in
production, and I suspect I would have noticed if the niche
functionality of "routing" suddenly stopped working.

Maybe this document refers to the literal configuration of a /31. But
I always configure them as point to points, as I mentioned before. But
there again, in the documentation, that ability is totally missing...
great.

-- 
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Re: The Reg does 240/4

2024-02-13 Thread Hunter Fuller via NANOG
On Tue, Feb 13, 2024 at 10:05 AM Bryan Holloway  wrote:
> Let me know when they support /31s.

A /31 is configured in RouterOS as a point-to-point interface. You put
your IP in the "address" field and their IP in the "network" field.

That's how I've been doing it since I started using RouterOS in 2014.
I can't speak to versions that predate that.

HTH


Re: [External] Re: Diversity in threading, Diversity of MUAs (was Re: How threading works

2024-01-15 Thread Hunter Fuller via NANOG
On Mon, Jan 15, 2024 at 12:37 AM Andy Smith  wrote:
> Over on a technical support list there are actually some prolific
> old time posters asking for subject changes in sprawling threads
> (and citing the list's FAQ…) but also gmail users asking for people
> to *not* do that as it spawns new "conversations" for them. There,
> the gmail users are at odds with ancient mailing list etiquette as
> followed by a dwindling tech priesthood, but the gmailers now form
> more than 30% of the active posting user base of the list.

I don't think the attitudes are at odds.

I use Google Workspace, so it is beneficial to me when someone changes
the subject line *to indicate that the actual subject matter has
changed* - because this causes Google Mail to break it out into a new
thread, which is great, because it keeps the new subject matter apart
from the old. (This is probably why Google threadbreaks when the
subject line changes. If the subject of the conversation changed, then
it's a new conversation.)

When the subject line is changed but we have NOT changed topics, that
is when it becomes confusing to me.

-- 
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Re: Caveat emptor: avoid Inseego 5G products unless you still believe in classful routing

2023-03-28 Thread Hunter Fuller via NANOG
v6 support is good, actually! I am using it to good effect.

The classful part is very surprising. This site doesn't use a lot of v4 so
I hadn't given that much thought.

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Mar 28, 2023 at 2:44 PM Matt Harris  wrote:

> Matt Harris​
> VP OF INFRASTRUCTURE
>
> *Follow us on LinkedIn!* <https://www.linkedin.com/company/netfirecloud/>
> *matt.har...@netfire.net* 
> *816-256-5446* <816-256-5446>
> *www.netfire.com* <https://www.netfire.com/>
> On Tue, Mar 28, 2023 at 2:25 PM Matthew Petach 
> wrote:
>
>>
>> In the category of "I can't believe I still have to worry about this in
>> 2023"
>> comes an unfortunate discovery I made recently when setting up a network
>> for a local non-profit.  The Inseego FX2000 5G router looked like a nice
>> product, it supports OpenVPN out of the box, flexible firewall rules, etc.
>>
>> What I did *NOT* expect from a device made in 2023, and didn't think to
>> ask about ahead of time, is whether it supported classless routing.
>>
>> Setting the unit up, I discovered the hard way that the developers are
>> apparently still working from 1989 textbooks.  The only netmask the
>> router will accept for a 10.x.x.x. subnet is 255.0.0.0.  Absolutely
>> refuses
>> to accept a different length netmask.
>>
>> Even the user manual reflects the inherent classful assumption:
>>
>> "
>> IPv4
>> IP Address: The IP address for your FX2000, as seen from the local
>> network. Normally, you can use the default value.
>> Subnet Mask: The subnet mask network setting for the FX2000. The default
>> value 255.255.255.0 is standard for small (class "C") networks. If you
>> change the LAN IP Address, make sure to use the correct Subnet mask for the
>> IP address range of the LAN IP address
>> "
>>
>> So, before anyone else makes the same mistake I did, I thought I'd give
>> the
>> community a heads-up to avoid the Inseego line of 5G products, as they're
>> woefully behind the times in their understanding of IPv4 subnetting as it
>> exists in 2023.  ^_^;
>>
>> Thanks!
>>
>> Matt
>>
>
> But how is their IPv6 support? ;)
>
>


Re: [External] Newbies Question: Do I really need to sacrifice Prefix-aggregation to do BGP Load-sharing? (the case of Multi-homed + Multi-routers + Multi-upstreams)

2022-10-18 Thread Hunter Fuller via NANOG
On Wed, Oct 19, 2022 at 1:29 AM Pirawat WATANAPONGSE via NANOG
 wrote:
> 1. Do I really have to “de-aggregate” the address blocks, so I can do the 
> “manual BGP load-sharing”?

Why not prepend toward the commercial ISP? Seems that should make the
path longer and less desirable.

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Re: Longest prepend( 255 times) as path found

2022-08-25 Thread Hunter Fuller via NANOG
I would imagine the "long as-path" one would handle excessive prepends
too, right?

50 prepends is silly but doesn't really hurt my feelings. But >100 is absurd.

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Thu, Aug 25, 2022 at 11:56 AM Alejandro Acosta
 wrote:
>
> Hello Alistair,
>
>   Are you sure there is one about excess prepends? I just took a look and I 
> did not find any.
>
>   I found one about filtering long as-paths but not specifically about 
> prepends.
>
>
> Thanks,
>
>
> Alejandro,
>
>
> On 25/8/22 10:31 AM, Alistair Mackenzie wrote:
>
> There are some generally accepted and useful filters found at 
> https://bgpfilterguide.nlnog.net/. There is one which covers excess prepends.
>
> On Thu, 25 Aug 2022 at 15:25, anonymous  wrote:
>>
>> Hey everyone,
>>
>> Too many hops found as below.
>> Usually what should we do? Should we filter it?
>>
>> 91.246.12.0/24
>>
>>
>>   AS path: 4788 9002 41313 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 I
>>
>>   AS path: 9930 9002 41313 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 
>> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 I
>>
>> /noname
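A route-policy check for the case above, added here as an illustration (not the thread's own code nor the bgpfilterguide's): it parses the AS path in the format of the quoted router output and applies both a total-length ceiling and a ceiling on back-to-back prepends of one ASN, so a path prepended 255 times trips either rule. Thresholds and the sample paths are constructed.

```python
"""Detect absurdly long AS paths and excessive prepends in BGP updates.

Added illustration, not from the thread. The AS path format matches the
quoted router output ("AS path: 4788 9002 41313 51196 ... I"); thresholds
are constructed sample values a network might pick for its import policy.
"""

MAX_PATH_LEN = 100   # constructed ceiling on total AS path length
MAX_PREPENDS = 50    # constructed ceiling on one ASN repeated back-to-back


def parse_as_path(text: str) -> list:
    """Turn 'AS path: 4788 9002 41313 51196 ... I' into a list of ASNs,
    dropping the origin marker (I/E/?) some vendors append."""
    body = text.split(":", 1)[1] if ":" in text else text
    return [int(tok) for tok in body.split() if tok.isdigit()]


def longest_prepend(path: list) -> tuple:
    """Return (asn, run_length) for the longest run of one ASN in a row."""
    best_asn, best_run = None, 0
    run_asn, run = None, 0
    for asn in path:
        if asn == run_asn:
            run += 1
        else:
            run_asn, run = asn, 1
        if run > best_run:
            best_asn, best_run = run_asn, run
    return best_asn, best_run


def evaluate(text: str) -> dict:
    """Apply both policy tests; 'accept' is False if either one fails."""
    path = parse_as_path(text)
    asn, run = longest_prepend(path)
    reasons = []
    if len(path) > MAX_PATH_LEN:
        reasons.append(f"as-path length {len(path)} > {MAX_PATH_LEN}")
    if run > MAX_PREPENDS:
        reasons.append(f"AS{asn} prepended {run} times > {MAX_PREPENDS}")
    return {"length": len(path), "prepend_asn": asn, "prepends": run,
            "accept": not reasons, "reasons": reasons}


# Constructed sample inputs in the format of the quoted router output: one
# path prepended 255 times (the thread's case) and one with a modest prepend.
SAMPLE_LONG = "AS path: 4788 9002 41313 " + " ".join(["51196"] * 255) + " I"
SAMPLE_SHORT = "AS path: 4788 9002 41313 51196 51196 51196 I"


if __name__ == "__main__":
    for sample in (SAMPLE_LONG, SAMPLE_SHORT):
        print(evaluate(sample))
```

A plain maximum-AS-path-length filter already rejects the 255-prepend case, as suggested above; the prepend-run rule additionally catches a path that is short overall but padded by a single ASN.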


Re: [External] Re: Google Abuse

2022-08-17 Thread Hunter Fuller via NANOG
Sure, that's why I said that in my third paragraph.

But once we know that they do, in fact, filter messages, we can
understand why it might *seem* like they filter based on political
content.
For example, if a left-leaning news outlet uses bit.ly URLs, and a
right-leaning one uses goo.gl URLs, and T-Mo filters all goo.gl URLs,
some might conclude that "T-Mobile filters links to right-leaning news
outlets."

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, Aug 17, 2022 at 11:06 AM Tom Beecher  wrote:
>
> Spam filtering is clearly not the accusation that was laid out.
>
> On Wed, Aug 17, 2022 at 11:48 AM Hunter Fuller  wrote:
>>
>> I wouldn't call it a serious claim. By their own admission T-Mobile
>> filters messages based on content.
>>
>> https://community.t-mobile.com/accounts-services-4/can-t-send-receive-texts-that-contain-goo-gl-7776
>>
>> Now, there is no indication I'm aware of, that it is political in
>> nature. But they do, factually, throw away messages based on their
>> content.
>>
>> --
>> Hunter Fuller (they)
>> Router Jockey
>> VBH M-1C
>> +1 256 824 5331
>>
>> Office of Information Technology
>> The University of Alabama in Huntsville
>> Network Engineering
>>
>> On Wed, Aug 17, 2022 at 10:46 AM Tom Beecher  wrote:
>> >
>> > It's a pretty serious claim to say that cell providers were selectively 
>> > not delivering messages based on content.
>> >
>> > Unless you have some more concrete evidence beyond "I sent a few texts" , 
>> > this list is no place for such things, nor the insinuation of political 
>> > agendas.
>> >
>> > On Wed, Aug 17, 2022 at 10:54 AM Ethan O'Toole  wrote:
>> >>
>> >> > They may tell you they are not but there is no doubt in my mind they 
>> >> > are and
>> >> > if they got caught their response would be “Oopsie, my bad”.
>> >> > -richey
>> >>
>> >> During Covid hysteria cellular carriers were definitely scrubbing text
>> >> messages that contained things against whatever the agenda was.
>> >>
>> >> There were no errors from the cellular carriers that the message didn't go
>> >> through, it just never arrived to the destination. Tested it first hand,
>> >> T-Mobile to Verizon, T-Mobile to AT&T and vice versa. Payload was links to
>> >> a few websites that weren't popular with the left, like that Doctor Robert
>> >> Malone guy. These were not using URL shorteners that are sometimes
>> >> considered spam.
>> >>
>> >>
>> >> - Ethan


Re: [External] Re: Google Abuse

2022-08-17 Thread Hunter Fuller via NANOG
I wouldn't call it a serious claim. By their own admission T-Mobile
filters messages based on content.

https://community.t-mobile.com/accounts-services-4/can-t-send-receive-texts-that-contain-goo-gl-7776

Now, there is no indication I'm aware of, that it is political in
nature. But they do, factually, throw away messages based on their
content.

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, Aug 17, 2022 at 10:46 AM Tom Beecher  wrote:
>
> It's a pretty serious claim to say that cell providers were selectively not 
> delivering messages based on content.
>
> Unless you have some more concrete evidence beyond "I sent a few texts" , 
> this list is no place for such things, nor the insinuation of political 
> agendas.
>
> On Wed, Aug 17, 2022 at 10:54 AM Ethan O'Toole  wrote:
>>
>> > They may tell you they are not but there is no doubt in my mind they are 
>> > and
>> > if they got caught their response would be “Oopsie, my bad”.
>> > -richey
>>
>> During Covid hysteria cellular carriers were definitely scrubbing text
>> messages that contained things against whatever the agenda was.
>>
>> There were no errors from the cellular carriers that the message didn't go
>> through, it just never arrived to the destination. Tested it first hand,
>> T-Mobile to Verizon, T-Mobile to AT&T and vice versa. Payload was links to
>> a few websites that weren't popular with the left, like that Doctor Robert
>> Malone guy. These were not using URL shorteners that are sometimes
>> considered spam.
>>
>>
>> - Ethan


Re: [External] More product suggestions: small/cheap IS-IS or VXLAN devices?

2022-02-22 Thread Hunter Fuller via NANOG
Two that immediately come to mind are:

 - If you don't need anything dynamic, you can run VXLAN on any Linux box.
So just a random server would work.
https://vincent.bernat.ch/en/blog/2017-vxlan-linux
 - RouterOS v7 added VXLAN, so now you can do that in a MikroTik box, or in
a Cloud-Hosted Router (their VM).
https://help.mikrotik.com/docs/display/ROS/VXLAN

Hard to beat the price point on either.

--
Hunter Fuller (they)
Router Jockey
VBH M-1A
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 22, 2022 at 5:45 PM Adam Thompson 
wrote:

> At the risk of sounding like a broken record, I’m asking for product
> suggestions yet again:
>
>
>
> We’re wondering if anything small & cheap (think CPE-grade) exists that
> supports either IS-IS or VXLAN?
>
>
>
> If IS-IS, total route count it would have to carry would be small,
> probably in the ~500 range.
>
> If VXLAN, it needs to interoperate with Arista.
>
> If both… yay!
>
>
>
> When I say CPE-grade, I mean under C$1k (~US$800, ~€700), and can be
> emplaced at a customer site without any unusual infrastructure (e.g. no
> -48VDC power, or DIN rail mounting, non-business-office-typical).
>
>
>
> Thanks in advance, everyone.
>
> -Adam
>
>
>
> *Adam Thompson*
> Consultant, Infrastructure Services
> 100 - 135 Innovation Drive
> Winnipeg, MB, R3T 6A8
> (204) 977-6824 or 1-800-430-6404 (MB only)
> athomp...@merlin.mb.ca
> www.merlin.mb.ca
>
>
>


Re: [External] Re: Anyone else getting the 'spam' bomb threat?

2021-10-19 Thread Hunter Fuller via NANOG
We have a distinct abuse address (not just abuse@) and that is where
the messages were sent.

We didn't receive the bomb threat ones. We only received the (somewhat
more amusing) messages entitled "Your network has been PWNED" and
"Fuck you".
The situation loses its humor entirely with the introduction of bomb
threats. Seems like a script kiddie taking things way too far.

--
Hunter Fuller (they)
Router Jockey
VBH M-1A
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Oct 19, 2021 at 8:57 AM Sadiq Saif  wrote:
>
> On Tue, 19 Oct 2021, at 08:40, Matt Hoppes wrote:
> > Are you contacting your LEO?  Or is this so spammy just hit delete?
> >
> > I feel like even spam chosen poorly comes with consequences.
>
> I hit delete after I saw Frantech had already reported it the FBI as per 
> their website.
>
> Whoever this is seems to be scraping ASN WHOIS data, the spam got sent to the 
> noc@ address that's in whois for my ASN and IP space.
> --
> Sadiq Saif
> https://bastetrix.com


Re: [External] Re: uPRF strict more

2021-09-30 Thread Hunter Fuller via NANOG
On Thu, Sep 30, 2021 at 12:08 AM Mark Tinka  wrote:
> If you don't plan to run a full BGP table on a device, don't enable uRPF, 
> even loose-mode.

At least in Ciscoland, loose URPF checks will pass if you have a
default route. So I do not think it could result in inadvertent
blackholing of traffic.

What it does allow is *deliberate* blackholing of traffic; if you
null-route a prefix, you now block incoming traffic from that subnet
as well. This can be useful and it is how we are using URPF.


--
Hunter Fuller (they)
Router Jockey
VBH M-1A
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
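The interaction described above (loose-mode uRPF plus a null route dropping traffic from the prefix as well as to it), as an added model that is not the thread's own code nor any vendor's implementation. It assumes a discard route does not satisfy the source check, and exposes whether the default route counts as an `allow_default` flag, since that is platform- and configuration-dependent (on Cisco IOS the `allow-default` keyword controls it); all prefixes are constructed sample values.

```python
"""Model of loose-mode uRPF interacting with a null route.

Added illustration, not code from the thread or from a router vendor.
Loose mode asks only "does the FIB have a usable route for the source
address?", and a route pointing at a discard interface (Null0 here) is not
usable. Installing a Null0 route for a prefix therefore drops traffic *to*
it and, on interfaces with loose uRPF, traffic *from* it as well. Whether
a match on the default route satisfies the check depends on platform and
configuration, modelled by the `allow_default` flag. Prefixes are constructed.
"""
import ipaddress


class Fib:
    def __init__(self):
        self.routes = []  # (network, next_hop); next_hop "Null0" means discard

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, addr: str):
        """Longest-prefix match; returns (network, next_hop) or None."""
        ip = ipaddress.ip_address(addr)
        matches = [(n, nh) for n, nh in self.routes if ip in n]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def loose_urpf_passes(fib: Fib, src: str, allow_default: bool) -> bool:
    """Loose uRPF: any non-discard route covering the source suffices;
    a match on the default route counts only when allow_default is set."""
    match = fib.lookup(src)
    if match is None:
        return False
    network, next_hop = match
    if next_hop == "Null0":
        return False
    if network.prefixlen == 0 and not allow_default:
        return False
    return True


def forward(fib: Fib, src: str, dst: str, allow_default: bool = True) -> str:
    """Forwarding decision for one packet arriving on a loose-uRPF interface."""
    if not loose_urpf_passes(fib, src, allow_default):
        return "drop: uRPF (no usable route back to source)"
    match = fib.lookup(dst)
    if match is None or match[1] == "Null0":
        return "drop: destination null-routed or unroutable"
    return f"forward via {match[1]}"


def build_sample_fib() -> Fib:
    """Constructed FIB: a default, two customer blocks, and one host
    inside a customer block that has been null-routed."""
    fib = Fib()
    fib.add("0.0.0.0/0", "upstream")
    fib.add("192.0.2.0/24", "core")
    fib.add("203.0.113.0/24", "core")
    fib.add("203.0.113.77/32", "Null0")   # the deliberate blackhole
    return fib


if __name__ == "__main__":
    fib = build_sample_fib()
    for src, dst in (("203.0.113.5", "192.0.2.10"),    # neighbour of the blackholed host
                     ("203.0.113.77", "192.0.2.10"),   # from the blackholed host
                     ("192.0.2.10", "203.0.113.77"),   # to the blackholed host
                     ("198.51.100.9", "192.0.2.10")):  # only the default route matches
        print(f"{src:>14} -> {dst:<14} {forward(fib, src, dst)}")
```

The /32 null route is the longest match for that host, so it is dropped in both directions while the rest of its /24 keeps working; the last case shows why the default-route behaviour of a given platform decides whether loose mode can blackhole anything unintentionally.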


Re: [External] Re: 1G/10G BaseT switch recommendation

2021-07-23 Thread Hunter Fuller via NANOG
On Fri, Jul 23, 2021 at 2:37 AM Jörg Kost  wrote:
>
> I understand; my thinking, let's keep the diversity up for everyone's
> benefit. While Commscope is not producing ethernet switches only, from
> sales and numbers of employees, they are a massive mothership of
> communication technology.

I agree, and I love Ruckus switches. But if they intend to maintain a
customer base in this market, they should maintain a competent and at
least minimally helpful/knowledgeable TAC for their switches.

--
Hunter Fuller (they)
Router Jockey
VBH M-1A
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Re: OOB management options @ 60 Hudson & 1 Summer

2021-04-20 Thread Hunter Fuller via NANOG
On Tue, Apr 20, 2021 at 12:03 PM Saku Ytti  wrote:

> On Tue, 20 Apr 2021 at 19:53, Lady Benjamin Cannon of Glencoe, ASCE <
> l...@6by7.net> wrote:
>
>> Maybe a list for mutual OOB trades?
>
> I would advise against this, OPEX nightmare. Who will NOC call when it is
> down? What will they say to the other end to identify the circuit? When
> will it get fixed? If not, how to escalate?
> Free OOB is too expensive for me.
>
>
I think these are definitely concerns to keep in mind.

But, keeping them in mind, if anyone is at DR ATL1 (56 Marietta) and wants
to do this sort of OOB trade, hit me up off-list, please. lol

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering



Re: [External] Re: Perhaps it's time to think about enhancements to the NANOG list...?

2021-03-22 Thread Hunter Fuller via NANOG
On Mon, Mar 22, 2021 at 9:16 AM Karl Auer  wrote:
> Without a word of exaggeration, it operates as if the developers had
> never seen a working mailing list. Quoting, signatures, sender
> addresses, reply-to addresses, HTTP vs text, archiving, threading,
> configuration - you name it, they screwed it up. Not in minor ways
> either.

Let me begin by stating that I prefer to participate via mail, and I
understand all of these things just fine.

However, I must point out that none of these things have the slightest
bit to do with network engineering, aside from the fact that people on
NANOG-L seem to expect you to understand them. It seems to me that the
goal of the board is to allow participation by people who are skilled
network engineers but do not care about HTML mail, top posting, or any
of this other stuff that only seems to ever come up on this list. And
I agree with that idea.

And as a final aside (not directed at you, Karl), lots of people on
this list seem to try to dunk on email clients that don't support
killfiles. In fact, I don't think such a thing exists. Even Gmail, one
of the most widely used email services, supports this. They just call
it "mute" and you do it by pressing 'm' on your keyboard. However,
lots of email clients exist that can't properly read HTML mail or
top-posted replies. Maybe people should stop using these incapable
clients and switch to something at least as capable as Gmail. Then
there would be no need for anyone on NANOG-L to understand these
idiosyncrasies.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Re: Parler

2021-01-13 Thread Hunter Fuller via NANOG
I see your point, but I am not sure running the authoritative name
servers for a site meets the popular definition of "hosting" them.
Epik is currently denying that they are going to host Parler in a
traditional sense, though they are the registrar for parler.com since
a couple of days ago.

Of course, Amazon could ding Epik for being Parler's registrar, but
that would truly be a reach, since they aren't Parler's Web host.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, Jan 13, 2021 at 5:42 PM Matt Corallo  wrote:
>
> In case anyone thought Amazon was being particularly *careful* around their 
> enforcement of Parler's ban...this is from
> today on parler's new host:
>
> $ dig parler.com ns
> ...
> parler.com. 300 IN  NS  ns4.epik.com.
> parler.com. 300 IN  NS  ns3.epik.com.
> ...
> ns3.epik.com.   108450  IN  A   52.55.168.70
>
> $ whois 52.55.168.70
> ...
> OrgName:Amazon Technologies Inc.
>
> and for the curious, ns4.epik.com is hosted by an Epik sub, but from a 
> cursory glance appears to be single-homed to
> CDN77, which is vaguely surprising to me.
>
> Matt
>
> On 1/10/21 3:23 AM, William Herrin wrote:
> > Anybody looking for a new customer opportunity? It seems Parler is in
> > search of a new service provider. Vendors need only provide all the
> > proprietary AWS APIs that Parler depends upon to function.
> >
> > https://www.washingtonpost.com/technology/2021/01/09/amazon-parler-suspension/
> >
> > Regards,
> > Bill Herrin
> >


Re: [External] DMVPN via Internet or Private APN

2021-01-12 Thread Hunter Fuller via NANOG
I probably would not choose the Private APN. I get the appeal, but I
would probably use router ACLs to restrict traffic only to other
endpoints in the VPN mesh. Exploits/methods that could get around this
are few and far between, and the benefits are numerous, namely, you
aren't tied to one cell provider, and you aren't even tied to the
cellular medium (which might be important).

If, for some reason, being tied to one carrier was not any concern,
AND I had an amazingly good deal with my carrier on the APN, then my
opinion might change, but that just seems unlikely to me.

I do not think it is an excessive burden to remain on top of software
releases, such that, if there was some exploit that could breach the
ACL protection, you would be able to patch it very quickly. And since
it's just OOB, you can test it on three or four boxes, then just blast
the upgrade out to all of them at once using Ansible or whatever.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Jan 12, 2021 at 10:55 AM Sean Kelly  wrote:
>
> Hello Nanog's
>
> I offer a question to help me settle an internal debate. As a network
> engineer for a large enterprise, do you choose ISP flexibility or ISP
> security when you build an OOB network? I was tasked to create an OOB
> network for my company. Realistically it would only be deployed to 25%
> of the companies sites as they are considered important enough to
> justify the cost. The design is simple enough. Hub and spoke using
> cellular routers. DMVPN will carry data from the spoke to the hub.
>
> The real debate arrives when it's time to choose a carrier to host the
> router. I choose to go with a major cell carrier using a "private"
> APN. It allows me to connect my cell routers to a private layer 2
> network and my private IP addresses will be used to provide layer 3
> connectivity. I know that there will be outliers that can't use this
> carrier or cellular at all. These outliers, in my opinion, shouldn't
> have a majority stake in the overall design. The APN overall cost is
> low and so is the data plan for the hosted routers. The private APN
> also eliminates the router as an internet attack vector. I don't
> believe routers are appropriate security appliances to defend and
> monitor against network threats.
>
> Some of my colleagues believe that the flexibility of public cellular
> access outweighs the security risks. The cellular internet will
> provide us with a solution for more of the outliers than a private
> APN. I don't agree with this philosophy even though it's not
> "technically" wrong. I am interested in a broader range of opinion and
> technical reasoning.
>
> Nanog member KELLYSP


Re: [External] Re: 10g residential CPE

2020-12-25 Thread Hunter Fuller via NANOG
On Fri, Dec 25, 2020 at 12:07 Cory Sell via NANOG  wrote:

> Just because nobody is mentioning it - you can always build a
> pfSense/VyOS/Vyatta box in whatever form factor you’d prefer. Even can run
> within a VM if you really want to.
>

For a CPE, openwrt would also work well. It runs well on a PC-type platform.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Re: 10g residential CPE

2020-12-25 Thread Hunter Fuller via NANOG
On Fri, Dec 25, 2020 at 11:46 Bryan Fields  wrote:

> On 12/25/20 4:52 AM, Mark Tinka wrote:
> > For the home, if you're looking at shipping 10Gbps-based CPE's for under
> > US$200, I can't think of anything other than the Tik:
> >
> >  https://mikrotik.com/product/rb4011igs_rm
>
> That has 1 10g port.  How can that be a 10g CPE?


It would meet some customers’ needs because multiple people could use 1G of
service at a time. I think it is interesting to distinguish “>1G CPE” from
“true 10G CPE” and I suspect many / most customers are looking for the
former.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Re: BGP Community - AS0 is de-facto "no-export-to" marker - Any ASN reserved to "export-only-to"?'

2020-10-05 Thread Hunter Fuller
On Wed, Sep 30, 2020 at 4:43 AM Mark Tinka  wrote:
> So if your peer or provider sent you a link to a web site where they
> published all of their support BGP communities, you'd find that onerous
> to deploy across them?

I'd find it to require more effort than just applying the same
route-maps we already applied to the other peers/providers, and thus,
less desirable.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Re: BGP Community - AS0 is de-facto "no-export-to" marker - Any ASN reserved to "export-only-to"?'

2020-09-11 Thread Hunter Fuller
On Wed, Sep 9, 2020 at 11:05 AM Mark Tinka via NANOG  wrote:
>> Circling back to earlier where I said there are almost 70k ASNs in use on 
>> the public Internet. Most of those operators don't have complex 
>> configurations. I'd be surprised if less than half of them had anything more 
>> than the most minimal default route configuration.
> I don't know. If they are here, they can chime in.

Hey Mark, I am here. At 10364 we have 7 network people, 3 of whom have
an understanding of BGP deeper than surface level. We have 3 peers and
2 transit providers total.

When we go to implement external-facing BGP policy, the #1 concern is
"What are most people doing?". When we turn up a session with a peer
or provider (which we will be doing much more frequently in the near
future), it would be really wonderful if they could say "We support
RFC-style communities" and we would know what that means. And if
RFC exists then we will implement it when it's needed, just like
we do no-export. I don't spend all day on BGP and so I like to defer
to people who have learned from the "school of hard knocks" where
possible.

The last thing we want to do is to have a nonstandard or
difficult-to-understand policy or configuration, because there are
only 3 total people who could possibly understand it, and all of us
have many, many other job responsibilities so we basically have to
"page it back in" every time we go to look at it. The ideal situation
is that we can google "RFC-compliant config" and get something
that helps us get in line with best practices as smoothly as possible.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Contact at Ubiquiti Networks?

2020-05-26 Thread Hunter Fuller
This thread has taken a very NANOG turn. Whether the company has or
hasn't fallen apart, I'm sure someone is still there to contact.

Some say the poster is still looking for a contact at Ubiquiti to this day...

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


Re: [External] Re: Don't email clients have a kill file?

2020-05-14 Thread Hunter Fuller
For those on Google Mail, enable keyboard shortcuts and hit 'm' to
mute a thread. Cheers.


Re: [External] Re: Hi-Rise Building Fiber Suggestions

2020-02-26 Thread Hunter Fuller
nah. We do up to 10m on knockoff 40G DACs in production. It's no problem.

On Wed, Feb 26, 2020 at 11:44 AM Randy Bush  wrote:

> since we're at this layer, should i worry about going 3m with dacs at
> low speed, i.e. 10g?  may need to do runs to neighbor rack.
>
> randy
>


Re: [External] Hi-Rise Building Fiber Suggestions

2020-02-26 Thread Hunter Fuller
If you can go fully dynamically routed, Layer 3 only, this problem
becomes much, much easier to solve given the constraints you mention.

Among others, Ruckus switches will stack over fiber, but nowhere near
30 units. I think the max is 12 and I would not recommend going over
8.

If you need L2, consider running it on an overlay, even if that
overlay is just GRE. Again, rings are child's play if you can
eliminate the L2 aspect.

On Tue, Feb 25, 2020 at 8:32 PM Norman Jester  wrote:
>
> I’m in the process of choosing hardware
> for a 30 story building. If anyone has experience with this I’d appreciate 
> any tips.
>
> There are two fiber pairs running up the building riser. I need to put a POE 
> switch on each floor using this fiber.
>
> The idea is to cut the fiber at each floor and insert a switch and daisy 
> chain the switches together using one pair, and using the other pair as the 
> failover side of the ring going back to the source so if one device fails it 
> doesn’t take the whole string down.
>
> The problem here is how many switches can be strung together and I would not 
> try more than 3 to 5. This is not something I typically do (stacking 
> switches). I have fears of STP and/or RSTP issue stacking past Ethernet 
> switch to switch limits (if they still exist??)
>
> Is there a device with a similar protocol as the old 3com (now HP IDF) 
> stacking capability via fiber?
>
> I’d like to use something inexpensive as its to power ubiquiti wifi on each 
> floor.  Ideally if you know something I don’t about ubiquiti switches that 
> can do this I’d appreciate knowing.
>
> Norman
>


Re: [External] Re: QUIC traffic throttled on AT&T residential

2020-02-21 Thread Hunter Fuller
On Fri, Feb 21, 2020 at 2:42 PM Jared Mauch  wrote:
> I can already hear the QUIC WG types blaming the network in absentia, 
> because well, why would an operator want to keep their network functioning? 
> :-)

In fairness, it's not actually functioning. For one thing, it's
passing some traffic at an abysmal rate. ;)


Re: [External] Re: QUIC traffic throttled on AT&T residential

2020-02-20 Thread Hunter Fuller
On Thu, Feb 20, 2020 at 3:45 PM Jared Mauch  wrote:
> I can think of many legitimate cases, but i think this is where you have 
> internet for everyone and internet for the tech-savvy/business split that 
> becomes interesting.
>
> I’ve generally been willing to pay more for a business class service for 
> support and improved response SLA.  The average user isn’t going to detect 
> that 10% of their UDP has gone missing, nor should they be expected to.

I really hope my constituents don't have to get business class
connections just to get decent performance out of our services, such
as UDP based tunnels. They barely care what a VPN is, much less what
UDP is. And if our VPN software detects that UDP is available, it will
use it, so I suspect it would be (or is being) affected by this.


Re: ECN

2019-11-13 Thread Hunter Fuller
It is certainly odd, but it's definitely a "thing."

https://archive.nanog.org/meetings/nanog37/presentations/matt.levine.pdf

On Wed, Nov 13, 2019 at 10:24 AM Matt Corallo  wrote:
>
> This sounds like a bug on Cloudflare’s end (cause trying to do anycast TCP 
> is... out of spec to say the least), not a bug in ECN/ECMP.
>
> > > On Nov 13, 2019, at 11:07, Toke Høiland-Jørgensen via NANOG  wrote:
> >
> > 
> >>
> >> Hello
> >>
> >> I have a customer that believes my network has a ECN problem. We do
> >> not, we just move packets. But how do I prove it?
> >>
> >> Is there a tool that checks for ECN trouble? Ideally something I could
> >> run on the NLNOG Ring network.
> >>
> >> I believe it likely that it is the destination that has the problem.
> >
> > Hi Baldur
> >
> > I believe I may be that customer :)
> >
> > First of all, thank you for looking into the issue! We've been having
> > great fun over on the ecn-sane mailing list trying to figure out what's
> > going on. I'll summarise below, but see this thread for the discussion
> > and debugging details:
> > https://lists.bufferbloat.net/pipermail/ecn-sane/2019-November/000527.html
> >
> > The short version is that the problem appears to come from a combination
> > of the ECMP routing in your network, and Cloudflare's heavy use of
> > anycast. Specifically, a router in your network appears to be doing ECMP
> > by hashing on the packet header, *including the ECN bits*. This breaks
> > TCP connections with ECN because the TCP SYN (with no ECN bits set) end
> > up taking a different path than the rest of the flow (which is marked as
> > ECT(0)). When the destination is anycasted, this means that the data
> > packets go to a different server than the SYN did. This second server
> > doesn't recognise the connection, and so replies with a TCP RST. To fix
> > this, simply exclude the ECN bits (or the whole TOS byte) from your
> > router's ECMP hash.
> >
> > For a longer exposition, see below. You should be able to verify this
> > from somewhere else in the network, but if there's anything else you
> > want me to test, do let me know. Also, would you mind sharing the router
> > make and model that does this? We're trying to collect real-world
> > examples of network problems caused by ECN and this is definitely an
> > interesting example.
> >
> > -Toke
> >
> >
> >
> > The long version:
> >
> > From my end I can see that I have two paths to Cloudflare; which is
> > taken appears to be based on a hash of the packet header, as can be seen
> > by varying the source port:
> >
> > $ traceroute -q 1 --sport=1 104.24.125.13
> > traceroute to 104.24.125.13 (104.24.125.13), 30 hops max, 60 byte packets
> > 1  _gateway (10.42.3.1)  0.357 ms
> > 2  albertslund-edge1-lo.net.gigabit.dk (185.24.171.254)  4.707 ms
> > 3  customer-185-24-168-46.ip4.gigabit.dk (185.24.168.46)  1.283 ms
> > 4  te0-1-1-5.rcr21.cph01.atlas.cogentco.com (149.6.137.49)  1.667 ms
> > 5  netnod-ix-cph-blue-9000.cloudflare.com (212.237.192.246)  1.406 ms
> > 6  104.24.125.13 (104.24.125.13)  1.322 ms
> >
> > $ traceroute -q 1 --sport=10001 104.24.125.13
> > traceroute to 104.24.125.13 (104.24.125.13), 30 hops max, 60 byte packets
> > 1  _gateway (10.42.3.1)  0.293 ms
> > 2  albertslund-edge1-lo.net.gigabit.dk (185.24.171.254)  3.430 ms
> > 3  customer-185-24-168-38.ip4.gigabit.dk (185.24.168.38)  1.194 ms
> > 4  10ge1-2.core1.cph1.he.net (216.66.83.101)  1.297 ms
> > 5  be2306.ccr42.ham01.atlas.cogentco.com (130.117.3.237)  6.805 ms
> > 6  149.6.142.130 (149.6.142.130)  6.925 ms
> > 7  104.24.125.13 (104.24.125.13)  1.501 ms
> >
> >
> > This is fine in itself. However, the problem stems from the fact that
> > the ECN bits in the IP header are also included in the ECMP hash (-t
> > sets the TOS byte; -t 1 ends up as ECT(0) on the wire and -t 2 is
> > ECT(1)):
> >
> > $ traceroute -q 1 --sport=1 104.24.125.13 -t 1
> > traceroute to 104.24.125.13 (104.24.125.13), 30 hops max, 60 byte packets
> > 1  _gateway (10.42.3.1)  0.336 ms
> > 2  albertslund-edge1-lo.net.gigabit.dk (185.24.171.254)  6.964 ms
> > 3  customer-185-24-168-46.ip4.gigabit.dk (185.24.168.46)  1.056 ms
> > 4  te0-1-1-5.rcr21.cph01.atlas.cogentco.com (149.6.137.49)  1.512 ms
> > 5  netnod-ix-cph-blue-9000.cloudflare.com (212.237.192.246)  1.313 ms
> > 6  104.24.125.13 (104.24.125.13)  1.210 ms
> >
> > $ traceroute -q 1 --sport=1 104.24.125.13 -t 2
> > traceroute to 104.24.125.13 (104.24.125.13), 30 hops max, 60 byte packets
> > 1  _gateway (10.42.3.1)  0.339 ms
> > 2  albertslund-edge1-lo.net.gigabit.dk (185.24.171.254)  2.565 ms
> > 3  customer-185-24-168-38.ip4.gigabit.dk (185.24.168.38)  1.301 ms
> > 4  10ge1-2.core1.cph1.he.net (216.66.83.101)  1.339 ms
> > 5  be2306.ccr42.ham01.atlas.cogentco.com (130.117.3.237)  6.570 ms
> > 6  149.6.142.130 (149.6.142.130)  6.888 ms
> > 7  104.24.125.13 (104.24.125.13)  1.785 ms
> >
> >
> > So why is this a problem? The TCP SYN packet first needs to negotiate
> > ECN, so it is sent without
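The ECMP-hashing failure Toke describes above, modelled as an added example (not code from the thread): the hash function (SHA-256 over selected header fields, modulo the path count), the two-path/two-server anycast layout and the 10.42.3.10 source address are assumptions; the destination address is the one from the traceroutes.

```python
"""ECMP hashing on the ECN bits versus anycast: a constructed model.

Added example, not from the thread. The hash (SHA-256 over chosen header
fields, mod the path count) and the two-server anycast layout are assumptions
standing in for the real router and the anycast destination's infrastructure;
the source address is constructed, the destination is the one from the
traceroutes in the thread.
"""
import hashlib
from dataclasses import dataclass, replace

ECT0 = 0b10   # ECN-Capable Transport (0): the marking on data segments in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int = 6   # TCP
    tos: int = 0     # IPv4 TOS byte; the low two bits are the ECN field

    @property
    def ecn(self) -> int:
        return self.tos & 0b11


def ecmp_next_hop(pkt: Packet, n_paths: int, hash_ecn: bool) -> int:
    """Choose an equal-cost path index for pkt.

    hash_ecn=True models the misbehaving router in the thread, which feeds the
    ECN bits into its hash; hash_ecn=False models the suggested fix (hash only
    the 5-tuple, leaving ECN/TOS out). The hash itself is an assumption.
    """
    fields = [pkt.src, pkt.dst, str(pkt.proto), str(pkt.sport), str(pkt.dport)]
    if hash_ecn:
        fields.append(str(pkt.ecn))
    digest = hashlib.sha256("|".join(fields).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_paths


def flow_paths(syn: Packet, n_paths: int, hash_ecn: bool) -> tuple[int, int]:
    """Return (path taken by the SYN, path taken by the ECT(0) data segments).

    The SYN goes out with the ECN field clear; once ECN is negotiated, every
    later segment of the same flow carries ECT(0) in the same TOS byte.
    """
    data = replace(syn, tos=syn.tos | ECT0)
    return ecmp_next_hop(syn, n_paths, hash_ecn), ecmp_next_hop(data, n_paths, hash_ecn)


def simulate_anycast_flow(syn: Packet, hash_ecn: bool) -> str:
    """Deliver a SYN and then a data segment over two equal-cost paths that end
    at two *different* anycast servers holding independent connection state.

    Returns "ok" when the data segment reaches the server that completed the
    handshake, or "rst" when it lands on the other server, which has no state
    for the 4-tuple and answers with a TCP RST, as described in the thread.
    """
    conn_tables = [set(), set()]            # one connection table per anycast server
    syn_path, data_path = flow_paths(syn, 2, hash_ecn)
    key = (syn.src, syn.sport, syn.dst, syn.dport)
    conn_tables[syn_path].add(key)          # handshake completes on the SYN's server
    return "ok" if key in conn_tables[data_path] else "rst"


def broken_source_ports(hash_ecn: bool, ports=range(1, 2001)) -> list[int]:
    """Source ports whose flows would be reset under the given hashing policy."""
    return [
        sport
        for sport in ports
        if simulate_anycast_flow(Packet("10.42.3.10", "104.24.125.13", sport, 443), hash_ecn) == "rst"
    ]


if __name__ == "__main__":
    bad = broken_source_ports(hash_ecn=True)
    print(f"hashing ECN bits : {len(bad)} of 2000 flows reset, e.g. source ports {bad[:5]}")
    print(f"5-tuple only     : {len(broken_source_ports(hash_ecn=False))} of 2000 flows reset")
```

With the ECN bits in the hash roughly half of the flows land their data on the wrong server; with the 5-tuple-only hash none do, which is the check to run against a suspect router's hash configuration.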

Re: OT: Tech bag

2019-08-02 Thread Hunter Fuller
I carry this. It's a preference I gained in my past life:
https://www.kleintools.com/catalog/tool-storage/tradesman-pro-backpack

I put my notebook (Surface Pro) in a sleeve and sandwich it between
the halves. It hasn't gotten crushed to death yet. I'll admit this is
not optimal.

This one has since been released, and it has a laptop compartment. My
co-worker loves it:
https://www.kleintools.com/catalog/tradesman-pro-organizers/tradesman-pro-tech-backpack

On Fri, Aug 2, 2019 at 11:14 AM Dovid Bender  wrote:
>
> Hi,
>
> Sorry for the OT email. I travel extensively to DC's and my computer bag 
> seems to keep collecting more tools which includes your usual console cables, 
> spare everything, two laptops etc. My Swissgear has been taking a beating and 
> I was wondering what others who have to lug around 30-35 pounds use.
>
> TIA.
>
>


Re: a quick survey about LLDP and similar

2019-03-05 Thread Hunter Fuller
On Fri, Mar 1, 2019 at 8:26 AM Anderson, Charles R  wrote:
>
> We require LLDP/LLDP-MED to configure our VOIP phones.
>
> For trunk links, it is extremely helpful to verify correct topology.
>
> For datacenters, it is EXTREMELY helpful to verify hypervisor connectivity.

I'd say it's extremely helpful anywhere. We enable it on every single
port unless there is a specific reason to disable it.

Our particularly clueful customers can now submit requests like: "For
the system attached to port 1/2/3, please switch to VLAN 456." This
ticket gets closed in about 10 seconds.

We also run LLDP speakers on our University-controlled workstations so
we can see details about the system in "show lldp neighbor" on the
switch.

The more LLDP the better, from my perspective.


Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms

2019-03-05 Thread Hunter Fuller
On Tue, Mar 5, 2019 at 10:09 AM Bjørn Mork  wrote:
> Stephen Satchell  writes:
> > Did you submit a bug report?
>
> I believe this was fixed 5 years ago (in Linux v3.17):
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cb1ce2ef387b01686469487edd45994872d52d73
>
> But RHEL and CentOS are using kernels from the stone age, so they
> haven't noticed yet.

For those who might need this feature, and have a Red Hat contract, a
suggestion:

If you submit a ticket, someone at Red Hat might backport the patch for you.


Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Hunter Fuller
On Tue, Feb 26, 2019 at 9:56 PM Keith Medcalf  wrote:
> I did write my own TOTP client.  However, why do you assume that I am talking 
> about a TOTP client and not the referred webpage which requires the 
> unfettered execution of third-party (likely malicious) javascript in order to 
> view?  Not to mention requiring the use of (also quite possibly malicious) 
> downloaded fonts?

Well, because:
1. the page's  tag points to the github repo which contains
the raw data in a fairly readable form; and
2. the page works fine in Lynx despite the warning.


Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Hunter Fuller
On Mon, Feb 25, 2019 at 8:02 PM  wrote:
> So what registries/registrars are supporting 2FA that's better than SMS?
> Or since 98% of domain names are Bait&Tackle type, is nobody bothering
> to support something for the 2% that could use it?

If Joe's Bait and Tackle buys from Namecheap, they can utilize TOTP
for their second factor.

https://www.namecheap.com/support/knowledgebase/article.aspx/10073/45/how-can-i-use-the-totp-method-for-twofactor-authentication


Re: skype attack

2019-02-13 Thread Hunter Fuller
On Wed, Feb 13, 2019 at 2:12 PM Randy Bush  wrote:
>
> an update to skype will pop up and ask you
>
>
> deny.  you will have to deny repeatedly.  there is no reason in the
> world skype should have access to your icloud, contacts, ...

Was there meant to be a screenshot or some explanation of what would
be denied here?

As of right now, it seems like I'm missing the details of this, or how
it would pertain to me as a network operator. Maybe I just need more
caffeine.

Cheers.


Re: Extending network over a dry pair

2018-12-13 Thread Hunter Fuller
On Thu, Dec 13, 2018 at 4:22 PM Dan Hollis  wrote:

> Repeaters are standard for T1s.
>
> I strongly suggest looking at wireless. There is almost guaranteed to be a
> spot you can put a repeater up to bridge you to your gateway.
>

Maybe this has been mentioned, and I missed it, but: A hybrid solution
could also be considered.
You could use a shorter dry pair to get around whatever obstacle is
preventing wireless, and then use wireless the rest of the way.


Re: Confirming source-routed multicast is dead on the public Internet

2018-08-01 Thread Hunter Fuller
On Wed, Aug 1, 2018 at 11:27 Sean Donelan  wrote:

> On Wed, 1 Aug 2018, Aaron Gould wrote:
> > As you all have said, to confirm, I use ssm Mcast to distribute TV from
> > satellite down links in the headend, out to a few different remote head
> > ends.  From there it's converted back to RF video and sent to
> > subscribers via cable or hfc plant
>
> I'm aware that multicast is used extensively for "closed enterprise"
> networks in the financial and media industries.  It seems to work well
> when a single organization is paying for the entire network.
>
> My executive official came from that background, so I get why someone
> from that world would think multicast is widely used. Asking enterprise
> network sales people, they keep saying Yes, of course we support
> multicast.
>
> That's why I wanted to hear from public Internet engineers if multicast
> was still viable on the *public Internet*.


I'd say no - even though we have done inter-AS multicast before, it's only
been with our direct peers.


Re: Tunable QSFP Optics

2018-06-19 Thread Hunter Fuller
On Tue, Jun 19, 2018 at 3:16 PM Luke Guillory  wrote:

> Seeing that it seems I’m misunderstanding things, so I went grab a meter
> and checked what was leaving. Both of the 100g SFPs were only outputting on
> 1310, while the 40g showed each of the 4 lanes.
>
>

Thanks much for checking - I didn't have a meter handy. I certainly
learned something about the tighter spacing of 100G colors.

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


Re: Tunable QSFP Optics

2018-06-19 Thread Hunter Fuller
On Tue, Jun 19, 2018 at 11:53 AM Luke Guillory  wrote:

> They still leave the transceiver as a single 1310, the lanes color isn't
> ever expose since the mux takes place within the transceiver. When I looked
> into this for 40g and 100g I found no way to passively do it.
>

Luke,
Can you link a document that corroborates this? I can only find ones that
show it as 4 separate lanes and 4 separate colors, visible on the actual
output.
Example:
https://www.nanog.org/meetings/nanog44/presentations/Monday/Hankins_100gbe_update_N44.pdf
slide
11

This is also what I've observed anecdotally, but there could be other
explanations, I am admittedly not an expert.

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


Re: BGP in a containers

2018-06-14 Thread Hunter Fuller
On Thu, Jun 14, 2018 at 8:46 PM Mike Hammett  wrote:

> I wonder which part of the proposal people find offensive.


I have no idea. All - You know no one is trying to make *you* run BGP
inside of a container, right?


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Hunter Fuller
On Tue, May 15, 2018 at 2:31 PM Alan Buxey  wrote:

> real ones
>

Ah, the classic "no true Scotsman." I haven't seen one of these in a while.

I think the vast majority of HTML email use is due to "email formatting and
markup" being somewhere near the end of the priority list. I know that's
where it resides on mine.

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


Re: USB Ethernet Adapters

2018-05-14 Thread Hunter Fuller
We have been recommending the AmazonBasics ones for this. The reason is
because they are cheap and reliable, and everyone has Amazon Prime. I have
not tested the VLAN functionality under Windows, but the adapter itself
works fine under Windows, and the VLAN functionality works fine under RHEL.

On Mon, May 14, 2018 at 12:57 PM TJ Trout  wrote:

>
> https://www.amazon.com/gp/product/B00BBD7NFU/ref=oh_aui_search_detailpage?ie=UTF8&psc=1
>
> and
>
>
> https://www.amazon.com/gp/product/B00X4S587K/ref=oh_aui_search_detailpage?ie=UTF8&psc=1
>
> have both been working great for me on windows ten using an xps 13
>
> TJ
>
> On Mon, May 14, 2018 at 10:45 AM, Colton Conor  wrote:
>
> > Our new laptops like most do not have an Ethernet adapter built in as
> > they are too slim. What USB to Ethernet adapter do you recommend and why?
> > Ideally it would be compatible with Windows 10, and have the ability to
> > set speed, duplex and VLAN IDs if possible.
> >
>

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


Re: Suggestion for Layer 3, all SFP+ switches

2018-04-18 Thread Hunter Fuller
Ruckus ICX switches do not do MPLS. They meet all the other requirements
listed, but unfortunately MPLS was listed as the most important one.

On Wed, Apr 18, 2018 at 3:01 PM Brandon Martin  wrote:

> On 04/18/2018 03:49 PM, Eric Litvin wrote:
> > Brocade/arris is eager for business these days. They have a nice switch
> > (10g ports with 40g stacking) that should meet your needs with very
> > aggressive pricing.
>
> Does the Brocade/Foundry-lineage stuff that went to Arris actually do
> MPLS?  I didn't think ICX did any MPLS.
>
> The SLX (and MLX) line that went to Extreme does but is perhaps overkill
> (it will also do Internet-scale FIB).  The SLX9540 is a 48 port SFP+
> pizza box that also has 6 40/100Gb QSFP+/28 ports on it.  You'd need the
> "advanced feature" license for MPLS, and I don't know how mature the
> MPLS code is.  Pricing I've seen is pretty good for what you get, but
> again it may be overkill.
>
> Juniper has some nice boxes in the EX series with at least MPLS
> L2-endpoint functionality that might also be an option for this sort of
> thing, but I don't know any models off the top of my head.
> --
> Brandon Martin
>

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


Re: Juniper Config Commit causes Cisco Etherchannels to go into err-disable state

2018-04-05 Thread Hunter Fuller
On Thu, Apr 5, 2018 at 3:58 PM Joseph Jenkins  wrote:

> Mar 14 07:11:33: %PM-4-ERR_DISABLE: channel-misconfig (STP) error detected
> on Po17, putting Po17 in err-disable state
>

We have to do this on all of our Cisco Port-channels that lead to Brocade
ICX switches:
no spanning-tree etherchannel guard misconfig

If we don't do it, after a couple of days, the Cisco will err-disable the
Port-channel just as you describe. I guess the misconfig detection is
incompatible with the Brocade OS.
We have seen no ill effects from this, as we are using "mode active" on all
our Port-channels. So if there is a misconfiguration, the LAG does not come
up for that port on either end, and we're good.

Hope that helps.



--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


Re: 40G reforming

2018-02-05 Thread Hunter Fuller
I suspect that implies that you can just take a 40Gbase-SR4 module and
break it out into individual "10G" multi-mode pairs for DWDM use. Has
anyone tried this? I'm also very interested in using that strategy.

On Mon, Feb 5, 2018 at 1:36 PM Ryan, Spencer  wrote:

> Indeed. Arista does (did?) make at least one platform where you can do
> this.
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Marian Durkovic
> Sent: Monday, February 5, 2018 2:33 PM
> To: Baldur Norddahl 
> Cc: nanog@nanog.org
> Subject: Re: 40G reforming
>
> Many switches based on BCM Trident ASIC allow you to configure 4
> consecutive
> SFP+ ports as 40G link (not LACP, but using real hardware 40G framing).
> In such case, you can plug 4 DWDM SFP+ modules directly into the switch,
> without the need for any reformer.
>
>M.
>
> On Mon, 5 Feb 2018 20:03:33 +0100, Baldur Norddahl wrote
> > I may need to clarify that I do not want to break the port into 4x10G
> > as such. To the switch this will be an ordinary 40G link to another
> > switch far away.
> >
> > I want to take advantage of the fact that 40G is transported as four
> > individual streams. Each of the four streams are to be converted from
> > 850 nm to a 1550 DWDM channel (one channel per stream). And the
> > reverse at the other end of the link.
> >
> > The point of doing this is that 40G DWDM modules are not generally
> > available and neither are 80 km modules.
> >
> > I need a true 40G channel so 4x10G LACP is not an option here. For the
> > same reason I am unable to accept a solution that splits the 40G port
> > into 4x10G and then perhaps recombines using LACP. Instead I am
> > looking at an optical solution that is invisible to the switch hardware.
> >
> > The only doubt I have about the proposed solution is whether the frame
> > format of the 10G substreams is somehow incompatible with what goes on
> > in the reformer. As I understand these reformers they are little more
> > than two SFP(+) modules connected back to back. And therefore it
> > should not matter that the frame format may be different.
> >
> > Regards
> >
> > Baldur
> >
> > Den 5. feb. 2018 7.20 PM skrev "Paul Zugnoni" :
> >
> > Whether a 40G port can be broken into 4x10G is dependent on the
> > router/switch hardware and the optic you use. Good news is that most
> > 40G ports are capable of being broken out into 4x10G, since a 40G port
> > is usually operating as 4x10G internally anyway to the ASIC. The QSFP
> > you'll need would be a 40G-SR4 for MTP/Multimode or 40G-LR4 for
> > MTP/Singlemode (or a lower power, less expensive equivalent). This is
> > a pretty common use of 40G ports. All 4 10G ports would then be at
> > 850nm or 1310nm, which you can then plug into any 10G SR or LR ports.
> >
> > What router or switch platform is driving the 40G?
> >
> > Paul Z
> >
> > > On Mon, Feb 5, 2018 at 7:57 AM, Baldur Norddahl  wrote:
> >
> > > Hello
> > >
> > > Is it possible to reform a 40G signal as individual 10G links?
> > >
> > > The idea is to use a 40G QSFP multimode MTP module such as
> > > https://www.fs.com/products/44058.html. Then connect it using a MTP
> > > breakout cable such as https://www.fs.com/products/68049.html
> > > to get four dual fiber connectors. These are then connected to four 10G
> > > SFP+ multimode modules such as https://www.fs.com/products/11589.html.
> > > The reformer could be https://www.fs.com/products/43721.html.
> > > And finally the reformed signal can be transported using anything including
> > > DWDM modules such as
> > > https://urldefens

Re: Static Routing 172.16.0.0/32

2017-12-08 Thread Hunter Fuller
I think I'd rate this one as "gross but technically not breaking any rules
I suppose." (I couldn't find any at first glance, anyway.)

On Fri, Dec 8, 2017 at 1:55 PM Ryan Hamel  wrote:

> Greetings,
>
> A colleague of mine has static routed 172.16.0.0/32 to a usable IP
> address, to have a single known IP address be static routed to a region's
> closest server. While I understand the IP address does work (pings and what
> not), I don't feel this should be the proper IP address used, but something
> more feasible like a usable IP in a dedicated range (172.31.0.0/24 for
> example).
>
> I would like to hear everyone's thoughts on this, as this is the first IP
> address in an RFC1918 range.
>
> Thanks,
>
> --
> Ryan Hamel
> ryan.ha...@quadranet.com | +1 (888) 578-2372 <(888)%20578-2372>
> QuadraNet, Inc. | Dedicated Servers, Colocation, Cloud
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


Re: Long AS Path

2017-06-26 Thread Hunter Fuller
This could just be ignorance, but based on this thread, I'm not sure what
risk we would be managing, as DFZ router operators, by filtering those
paths. They seem silly, but harmless (similar to, for instance, painting a
nyan cat on a graph by announcing prefixes at certain times).

On Sun, Jun 25, 2017 at 6:32 AM James Bensley  wrote:

> On 24 June 2017 at 13:10, Mel Beckman  wrote:
> > James,
> >
> > By "experienced by someone else" I mean someone who is not one of your
> customers.
> >
> > The better strategy, I think, is to not filter long paths unless you
> have a reason to see their creating a problem. Otherwise you're just
> operating on superstition, no?
> >
> > -mel via cell
>
> Hi Mel,
>
> I mean this as a rhetorical question as we could talk until the end of
> time about this; what is the difference between operating on
> superstition and trying to be pro-active? Both for me fall under the
> category of "risk management".
>
> Cheers,
> James.
>
-- 

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


Re: PCIe adapters supporting long distance 10GB fiber?

2017-06-20 Thread Hunter Fuller
On Tue, Jun 20, 2017 at 10:29 AM Chris Adams  wrote:

> For Linux at least, the standard driver includes a load-time option to
> disable vendor check.  Just add "options ixgbe allow_unsupported_sfp=1"
> to your module config and it works just fine.


For anyone who may be going down this road, if you have a two-port Intel
NIC, I discovered you have to pass "allow_unsupported_sfp=1,1" or it will
only apply to the first port. Hope that helps someone.
-- 

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
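As an added example (not from the thread or from Intel's driver), a POSIX shell helper that builds the per-port option line and audits an existing modprobe.d file against the number of ixgbe-bound PCI functions visible in sysfs. The `/sys/bus/pci/drivers/ixgbe` and `/etc/modprobe.d/ixgbe.conf` paths are the usual defaults, taken here as assumptions and overridable by argument.

```shell
#!/bin/sh
# ixgbe's allow_unsupported_sfp value is a comma-separated list with one
# entry per port: "1" enables it only on the first port of a two-port
# NIC, "1,1" on both. These helpers build the option line and audit an
# existing modprobe.d file against the ports actually present.

# Print the modprobe.d option line enabling unsupported SFPs on N ports.
ixgbe_sfp_option() {
    n="$1"; vals=""; i=0
    while [ "$i" -lt "$n" ]; do
        vals="${vals:+$vals,}1"
        i=$((i + 1))
    done
    printf 'options ixgbe allow_unsupported_sfp=%s\n' "$vals"
}

# Count PCI functions bound to ixgbe by listing the driver's sysfs
# directory (entries such as 0000:03:00.0). The path is a parameter so
# the function can also be run against a constructed directory.
count_ixgbe_ports() {
    dir="${1:-/sys/bus/pci/drivers/ixgbe}"
    [ -d "$dir" ] || { echo 0; return 0; }
    ls "$dir" | grep -c '^[0-9a-f]*:[0-9a-f]*:[0-9a-f]*\.[0-9]*$' || true
}

# Succeed when an "options ixgbe ..." line enables the SFP override for
# at least N ports, i.e. carries N or more "1" entries.
sfp_option_covers() {
    line="$1"; n="$2"
    vals=$(printf '%s\n' "$line" | sed -n 's/.*allow_unsupported_sfp=\([0-9,]*\).*/\1/p')
    [ -n "$vals" ] || return 1
    enabled=$(printf '%s\n' "$vals" | tr ',' '\n' | grep -c '^1$') || enabled=0
    [ "$enabled" -ge "$n" ]
}

# Audit CONF (default /etc/modprobe.d/ixgbe.conf, an assumed location)
# against the ports found under DRIVER_DIR; print the line to add if short.
audit_ixgbe_sfp() {
    conf="${1:-/etc/modprobe.d/ixgbe.conf}"
    ports=$(count_ixgbe_ports "${2:-/sys/bus/pci/drivers/ixgbe}")
    [ "$ports" -gt 0 ] || { echo "no ixgbe ports bound"; return 0; }
    current=""
    [ -r "$conf" ] && current=$(grep '^options ixgbe' "$conf" || true)
    if sfp_option_covers "$current" "$ports"; then
        echo "ok: all $ports ixgbe port(s) allow unsupported SFPs"
    else
        echo "fix: $conf should contain:"
        ixgbe_sfp_option "$ports"
        return 1
    fi
}
```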


Re: google ipv6 routes via cogent

2017-03-02 Thread Hunter Fuller
I think the implication is that, on Cogent, there isn't. :)

On Thu, Mar 2, 2017 at 14:00 Chuck Anderson  wrote:

> Define "good" vs. "bad" transport of bits.  As long as there is
> adequate bandwidth and low latency, who cares?
>
> On Thu, Mar 02, 2017 at 08:30:37PM +0100, Baldur Norddahl wrote:
> > That will have the effect of prioritizing Cogent routes as that would be
> > more specific than the default routes from the other providers. Cogent
> > are not that good that you would want to do that.
> >
> > On 2 Mar 2017 at 20:16, "Jeff Waddell" <jeff+na...@waddellsolutions.com>
> > wrote:
> >
> > Or at least ask for a full view from Cogent - then you won't get any
> > routes they don't have
> >
> > On Thu, Mar 2, 2017 at 1:58 PM, Alarig Le Lay 
> > wrote:
> >
> > > On Thu, 2 Mar 12:36:04 2017, Aaron Gould wrote:
> > > > Well, I asked my (3) upstream providers to only send me an ipv6
> > > > default route and they sent me ::/0...here's one of them...
> > >
> > > Why didn't you ask for a full view? With that, you can easily deal
> > > with that kind of problem.
>


Re: "Defensive" BGP hijacking?

2016-09-13 Thread Hunter Fuller
On Tue, Sep 13, 2016 at 10:25 AM Bryant Townsend 
wrote:

> I also wanted to let Hugo (who started the thread) know
> that we harbor no hard feelings about bringing this topic up, as it is
> relevant to the community and does warrant discussion. Hugo, you may owe me
> a beer the next time we meet. :)
>

Wait, so if I hijack someone else's prefix, someone ends up buying me a
beer?

Let me fire up my terminal...


Re: Nat

2015-12-15 Thread Hunter Fuller
You are using a Cisco what for NAT? And which products are you considering?

On Tuesday, December 15, 2015, Ahmed Munaf  wrote:

> Dear All,
>
> We are using Cisco for natting, we'd like to change it to another brand
> like A10 or Citrix.
>
> Please, any advice regarding the three brands and what are the advantages
> and disadvantages for each one?
>
>
> Regards,
>


Re: AW: Uptick in spam

2015-10-27 Thread Hunter Fuller
The trouble is that this is not the NAMSOG (North American Mail Server
Operators Group). ;)

On Tue, Oct 27, 2015 at 4:59 PM, Peter Beckman  wrote:

> Wouldn't that be interesting -- you can't join NANOG unless your email
> domain publishes an SPF record with a -all rule.
>
> That would raise the bar AND prevent the kind of thing that happened this
> weekend.
>
> On Tue, 27 Oct 2015, Geoffrey Keating wrote:
>
>> ... and thus a suitable topic for NANOG, I guess, rather than a mail
>> abuse list, because its best use is for domains that send no mail and
>> receive no mail and don't want anything to do with mail and still get
>> spam complaints.
>>
> ---
> Peter Beckman  Internet Guy
> beck...@angryox.com
> http://www.angryox.com/
> ---
>
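Peter's proposed rule can be checked mechanically. As an added example (not from the thread), a POSIX shell function that classifies a domain's SPF policy from its TXT records, treating multiple v=spf1 records as invalid per RFC 7208 and reading the qualifier on the `all` mechanism wherever it appears; the `dig`-based wrapper is an assumption about the caller's tooling.

```shell
#!/bin/sh
# Classify the SPF policy published in a set of TXT records, read one
# per line on stdin in the form `dig +short TXT domain` prints them
# (surrounding quotes and multi-string breaks are stripped). Prints:
#   none     no v=spf1 record
#   invalid  more than one v=spf1 record (a permerror under RFC 7208)
#   fail     -all, the rule proposed in the thread
#   softfail ~all
#   neutral  ?all
#   pass     +all or bare all (anyone may send as the domain)
#   redirect no all term but a redirect= modifier
#   open     no all term at all (unlisted senders get neutral)
spf_policy() {
    spf=$(sed -e 's/^"//' -e 's/"$//' -e 's/" "//g' | grep -iE '^v=spf1( |$)') || spf=""
    [ -n "$spf" ] || { echo none; return 0; }
    count=$(printf '%s\n' "$spf" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || { echo invalid; return 0; }
    # Modifiers such as exp= may follow all, so search every term.
    allterm=$(printf '%s\n' "$spf" | tr ' ' '\n' | grep -iE '^[-+~?]?all$' | head -n 1) || allterm=""
    case "$(printf '%s' "$allterm" | tr 'A-Z' 'a-z')" in
        -all)     echo fail ;;
        '~all')   echo softfail ;;
        '?all')   echo neutral ;;
        +all|all) echo pass ;;
        *)
            if printf '%s\n' "$spf" | grep -qi 'redirect='; then
                echo redirect
            else
                echo open
            fi ;;
    esac
}

# Query DNS for a domain and classify it (needs dig and network access;
# the domain name is whatever the caller passes).
spf_policy_for_domain() {
    dig +short TXT "$1" | spf_policy
}
```

Only `fail` satisfies the "-all" rule; `softfail` and `neutral` still let a forged sender through most receivers' filters.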


Re: WiFI on utility poles

2015-09-10 Thread Hunter Fuller
Oh, sorry, that was unclear. I meant that the majority of our
streaming traffic is going over I2. Netflix, YouTube, services backed
by Akamai, etc. If students were to use their cable companies'
streaming services, those would likely be commodity Internet. But
those don't even show up in our top 25 traffic usually, where Netflix
and Google are normally within the top 5.

On Thu, Sep 10, 2015 at 4:00 PM, Jim Popovitch  wrote:
> On Thu, Sep 10, 2015 at 4:53 PM, Hunter Fuller  wrote:
>> Ehh... All that content is going over Internet2 for us anyway.
>
> I'm genuinely curious, is that is optimized for HD delivery from TW
> and C, or such services as Netflix/YouTube, etc.
>
> -Jim P.


Re: WiFI on utility poles

2015-09-10 Thread Hunter Fuller
Ehh... All that content is going over Internet2 for us anyway. I'd
suspect that's a somewhat common thread (though not ubiquitous).

On Thu, Sep 10, 2015 at 3:42 PM, Jim Popovitch  wrote:
> On Thu, Sep 10, 2015 at 4:22 PM, Mike Lyon  wrote:
>> And it's not free, unless you are a Comcast or TW customer :(
>
> But it is free to the children of C&TW customers who then can watch HD
> content while away at Uni without sapping the EDU bandwidth.
>
> -Jim P.


Re: WiFI on utility poles

2015-09-10 Thread Hunter Fuller
Wow, it is like they are actively sabotaging us. Sigh...

None of that in this area yet - I'm sure it's only a matter of time though.

On Wed, Sep 9, 2015 at 8:52 PM, Michael T. Voity  wrote:
> Sorry folks,   attachment didn't work.  Here is the link -
>
> https://www.uvm.edu/~mvoity/pole.JPG
>
> -Mike
>
> Michael  Voity
> University of Vermont
>
> On 9/9/15 9:24 PM, Michael T. Voity wrote:
>>
>> Hello,
>>
>> Today another colleague and I discovered the famous 'xfinitywifi',
>> 'CableWIFi', 'CoxWiFi' and a new one 'XFINITY' on our University campus.
>> After doing some poking around on campus we found these gems (attached
>> picture) on 2 utility poles that pass by our east campus. Standing
>> underneath it I got a -46 RSSI in both 5 and 2.4GHz, maybe 75-100 yards away
>> inside our hockey fieldhouse, through lots of brick, cinder blocks and
>> metal, I was still picking up the 2.4GHz at -64.
>>
>> Looks like the unit is getting power from the coax.
>>
>>
>> My question is, I've done a little poking around and have not found
>> anything substantial to learn more information about this Comcast program.
>>
>>
>> Any insight would be nice!
>>
>>
>> Michael Voity
>> University of Vermont
>>
>