Re: PowerSwitch S4100 (S4148-ON) chipset

2021-10-19 Thread Tim Jackson
It's a lower bandwidth Trident2+ with some different I/O options iirc. Same
featureset, but a mix of 10G and 25G serdes, targeted at like 48x10g+4x100G
boxes.

--
Tim

On Tue, Oct 19, 2021 at 8:42 AM Colton Conor  wrote:

> What is the Broadcom Maverick chipset primarily used or designed for?
> This seems like a not commonly used chip to me.
>
> On Tue, Oct 19, 2021 at 8:27 AM Steven Shalita via NANOG wrote:
> >
> > Dell S4148 is based on Broadcom Maverick.  S4048 is Trident2 (4048-T is
> > Trident2+) and S5248 is Trident3.
> >
> > From: NANOG On Behalf Of Drew Weaver
> > Sent: Tuesday, October 19, 2021 6:09 AM
> > To: 'nanog@nanog.org'
> > Subject: PowerSwitch S4100 (S4148-ON) chipset
> >
> > Hello all,
> >
> > I’ve been googling around trying to figure out which Broadcom silicon is
> > in the S4148-ON.
> >
> > I haven’t really been able to make much of a determination.
> >
> > Does anyone know which chipset this is? Trident 1? Trident 2? Trident 3?
> >
> > Thanks so much if anyone has already figured this out.
> >
> > -Drew


Re: PowerSwitch S4100 (S4148-ON) chipset

2021-10-19 Thread Tim Jackson
https://people.ucsc.edu/~warner/Bufs/S4148.html

Seems to be BCM Maverick which is pretty close to a Trident2+ iirc..

--
Tim

On Tue, Oct 19, 2021 at 8:14 AM Drew Weaver  wrote:

> Hello all,
>
> I’ve been googling around trying to figure out which Broadcom silicon is
> in the S4148-ON.
>
> I haven’t really been able to make much of a determination.
>
> Does anyone know which chipset this is? Trident 1? Trident 2? Trident 3?
>
> Thanks so much if anyone has already figured this out.
>
> -Drew


Re: Malicious SS7 activity and why SMS should never be used for 2FA

2021-04-17 Thread Tim Jackson
Every SMS 2FA should check the current carrier against the carrier when
enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a
few others do this.

--
Tim

On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke  wrote:

>
> https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80
>
>
> https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/
>
>
> Anecdotal: With the prior consent of the DID holders, I have successfully
> ported peoples' numbers using nothing more than a JPG scan of a signature
> that looks like an illegible 150 dpi black and white blob, pasted in an
> image editor on top of a generic looking 'phone bill'.
>
>
>
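
Added example, not part of the original posts: a Python version of the check described in the reply above, comparing the carrier recorded at enrollment with the carrier currently serving the number and unenrolling SMS 2FA when they differ or when a port is reported after enrollment. The lookup callable, the record fields, the operator IDs and the phone numbers are hypothetical and constructed; requiring another factor when the lookup fails is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional

ALLOW, STEP_UP, UNENROLLED = "allow", "step_up", "unenrolled"


@dataclass
class CarrierRecord:
    """Hypothetical result of a number-portability lookup."""
    operator_id: str                       # carrier serving the number now
    ported_at: Optional[datetime] = None   # last port date, if reported


@dataclass
class SmsEnrollment:
    user: str
    msisdn: str
    operator_id: str        # carrier recorded when SMS 2FA was enrolled
    enrolled_at: datetime
    active: bool = True


def _norm(operator_id: str) -> str:
    # Lookup sources differ in case and padding; compare normalized IDs.
    return operator_id.strip().lower()


def check_before_sms(enr: SmsEnrollment,
                     lookup: Callable[[str], CarrierRecord],
                     audit: List[str]) -> str:
    """Decide whether an SMS code may be sent for this enrollment."""
    if not enr.active:
        return UNENROLLED
    try:
        current = lookup(enr.msisdn)
    except Exception as exc:
        # Assumption of this example: with no carrier data, do not send the
        # code and do not unenroll; require another factor instead.
        audit.append(f"{enr.user}: lookup failed ({type(exc).__name__}), step-up")
        return STEP_UP
    carrier_changed = _norm(current.operator_id) != _norm(enr.operator_id)
    # Catches a number that was ported away and back to the original carrier.
    ported_since = (current.ported_at is not None
                    and current.ported_at > enr.enrolled_at)
    if carrier_changed or ported_since:
        enr.active = False
        reason = "carrier changed" if carrier_changed else "ported after enrollment"
        audit.append(f"{enr.user}: SMS 2FA unenrolled ({reason})")
        return UNENROLLED
    return ALLOW


def run_constructed_demo():
    """Run the check over constructed enrollments and a constructed lookup table."""
    utc = timezone.utc
    enrolled = datetime(2021, 1, 10, tzinfo=utc)
    table = {
        "+15555550101": CarrierRecord("carrier-a"),
        "+15555550102": CarrierRecord("carrier-b", datetime(2021, 4, 1, tzinfo=utc)),
        "+15555550103": CarrierRecord("Carrier-A ", datetime(2021, 3, 5, tzinfo=utc)),
    }

    def lookup(msisdn: str) -> CarrierRecord:
        return table[msisdn]  # KeyError stands in for a failed lookup

    enrollments = [
        SmsEnrollment("alice", "+15555550101", "carrier-a", enrolled),
        SmsEnrollment("bob", "+15555550102", "carrier-a", enrolled),
        SmsEnrollment("carol", "+15555550103", "carrier-a", enrolled),
        SmsEnrollment("dave", "+15555550104", "carrier-a", enrolled),
    ]
    audit: List[str] = []
    decisions = {e.user: check_before_sms(e, lookup, audit) for e in enrollments}
    return decisions, enrollments, audit


if __name__ == "__main__":
    decisions, _, audit = run_constructed_demo()
    for user, decision in decisions.items():
        print(user, decision)
    for line in audit:
        print("audit:", line)
```
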


Re: CIDR cleanup

2020-10-01 Thread Tim Jackson
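#!/usr/bin/perl
# Aggregate a list of CIDR prefixes into the smallest covering set.
use strict;
use warnings;
use NetAddr::IP qw(Compact);

my @ips = ( '105.170.72.0/24', '105.170.73.0/24', '105.170.74.0/24' );

my @agged = aggregate(\@ips);

# Print one aggregated prefix per line (NetAddr::IP stringifies to addr/len).
print "$_\n" for @agged;

# Takes an array ref of CIDR strings, returns the compacted NetAddr::IP objects.
sub aggregate {
    # new() returns undef for input it cannot parse; drop those entries.
    my @naddr = grep { defined } map { NetAddr::IP->new($_) } @{ $_[0] };
    return Compact(@naddr);
}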


On Thu, Oct 1, 2020 at 8:36 AM John Von Essen  wrote:

> Sorry if this is slightly off-topic, but I am writing some code for a
> custom GeoDNS routemap. My starting data set is a raw list of /24 subnets,
> no prefix aggregation has been done. In other words, it's the entire BGP
> routing table in /24 prefixes - tagged by Geo region. Each region is its
> own txt file with a dump of /24’s. As a result, these lists are HUGE. I
> want to aggregate the prefixes as much as possible to create a smaller
> routemap.
>
> So right now it looks like:
>
> ...
> 105.170.72.0/24 brs
> 105.170.73.0/24 brs
> 105.170.74.0/24 brs
> 105.170.75.0/24 brs
> 105.170.76.0/24 brs
> 105.170.77.0/24 brs
> 105.170.78.0/24 brs
> 105.170.79.0/24 brs
> 105.170.80.0/24 brs
> 105.170.81.0/24 brs
> 105.170.82.0/24 brs
> 105.170.83.0/24 brs
> 105.170.84.0/24 brs
> …
>
> and so on. Obviously, 105.170.72.0/24 thru 105.170.79.0/24 can be
> aggregated to 105.170.72.0/21 and so on. I normally use Perl, does anyone
> know if there is a perl module that will automatically do this prefix
> aggregation? I tried to write my code to do this, and it's not trivial, just
> looking for a shortcut. I did a brief glance at some CIDR related Perl
> cpan modules, and nothing has jumped out.
>
> Thanks
> John
>
>
>
>


Re: BGP FLowspec to Yang/Yaml ACL

2020-06-17 Thread Tim Jackson
Use ExaBGP to insert the routes? (https://github.com/Exa-Networks/exabgp)

This is some old Perl that generates the older ExaBGP 2.0 style entries,
but it uses template toolkit which means you can easily change the output
format:

https://paste.somuch.fail/?744af55b8bea1414#WlXYkcfATNRxpRcr4NGOtxw4cqzStbCpApxmIevRPDk=

There's a lot more you could do to make this even more flexible, you don't
need YANG or to modify any config, just build something that accepts what
you're after and sends it as flowspec routes from ExaBGP to the routers you
care about.

--
Tim

On Tue, Jun 16, 2020 at 1:46 PM Douglas Fischer 
wrote:

> We were looking for some way to implement BGP Flowspec Filtering (just the
> permit/deny basic) using L3 switches in an automated way.
>
> Searching a bit we found https://github.com/ios-xr/bgpfs2acl
>
> It is almost what we are looking for!
> But it is focused on Cisco devices.
>
> We even considered forking it for our specific vendor.
> But before reinventing the wheel, I decided to ask colleagues if anybody
> knows some tool that converts BGP Flowspec ACLs into YAML or even to YANG.
>
> If that exists, with Ansible/Netconf/RestConf (or some similar tool), it
> would be easy to delegate to switches doing the basic filtering that only
> more expensive routers can do by now.
>
>
> P.S.: This idea does not include (on the first moment) more
> complex features of Flowspec like Redirect or Rate-Limit.
>
> Any suggestions or ideas?
>
>
>
>
> --
> Douglas Fernando Fischer
> Control and Automation Engineer
>


Re: AT&T released DANOS code to Linux Foundation

2019-11-19 Thread Tim Jackson
Just curious what ASICs/platforms/NICs are supported? I didn't see any
information about anything on the wiki.

--
Tim

On Tue, Nov 19, 2019, 7:31 PM Robert Bays  wrote:

> For the open source version we replaced our proprietary routing protocol
> stack with FRR.
>
> Since the AT&T acquisition we have also added support for a few merchant
> silicon platforms in a hybrid software/hardware forwarding plane.  ONIE
> images are available from the same link.
>
> Cheers,
> Robert.
>
>
> On Nov 18, 2019, at 2:24 PM, Jared Geiger  wrote:
>
> DANOS is using FRR in the opensource version at least.
>
> On Mon, Nov 18, 2019 at 1:15 PM Mike Hammett  wrote:
>
>> Chances are, if there was a decision to be made, UBNT made the wrong
>> choice.
>>
>> That said, I've heard a lot of good about ZebOS.  *shrugs*
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> Midwest Internet Exchange
>> The Brothers WISP
>>
>> --
>> *From: *"Rubens Kuhl"
>> *To: *"Nanog"
>> *Sent: *Monday, November 18, 2019 3:10:39 PM
>> *Subject: *Re: AT&T released DANOS code to Linux Foundation
>>
>>
>>
>> On Mon, Nov 18, 2019 at 5:55 PM Brielle  wrote:
>>
>>> On 11/18/2019 1:31 PM, Jared Geiger wrote:
>>> > This past Friday, the code for DANOS was released as open source to the
>>> > Linux Foundation and published at https://github.com/danos
>>>
>>> This is pretty awesome news.
>>>
>>>  From what I'm reading, it looks like the commercial support options
>>> will be able to use ZebOS as the routing engine instead of quagga?
>>> EdgeOS has been using it for a while, and was a huge step up in terms of
>>> stability and functionality.
>>>
>>>
>> Curiously, at the same time EdgeOS replaced Quagga with ZebOS I started
>> reading more complaints and more people dropping UBNT altogether in the L3
>> world.
>> So I wonder if it was a good decision or not...
>>
>>
>> Rubens
>>
>>
>>
>


Re: Free Open Source Network Operating Systems

2019-03-09 Thread Tim Jackson
SONiC

https://azure.github.io/SONiC/

On Sat, Mar 9, 2019, 10:09 AM Colton Conor  wrote:

> What free, opensource, network operating systems currently exist that run
> on whitebox broadcom or other merchant silicon switches?
>
> I know Cumulus is very popular, but I don't believe they have a free
> version that runs on whitebox switches right? Only on a virtual machine
> from what I can tell.
>
> I think if one of these vendors would release a free and truly opensource
> network operating system, with the option for paid support if needed, then
> whitebox switching would really take off. This would be similar to the
> Redhat model, but for the networking world.
>
> Right now, the cost of the whitebox plus a paid network operating system
> seems to equal the same cost as a discounted Juniper, Cisco, or Arista. I
> am not seeing the savings on paper.
>
> If we could just buy the whitebox hardware, and have a free operating
> system on there, then financially whitebox switches would be half the cost
> of a similar Cisco switch after discount.
>
> Am I missing something?
>
>
>


Re: Switch with high ACL capacity

2018-11-06 Thread Tim Jackson
Juniper QFX1(including 12) supports ~64k ACL entries + FlowSpec

--
Tim

On Tue, Nov 6, 2018 at 1:49 PM Mike Hammett  wrote:

> The intent is to see if I can construct a poor man's DDOS scrubber. There
> are low cost systems out there for the detection, but they just trigger
> something else to do the work. Obviously there is black hole routing, but
> I'm looking for something with a bit more finesse.
>
> If I need to get a switch anyway, might as well try to take advantage of
> it for other uses.
>
> -Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
>
> - Original Message -
> From: Lotia, Pratik M 
> To: Mike Hammett , 'nanog list' 
> Sent: Tue, 06 Nov 2018 12:29:15 -0600 (CST)
> Subject: Re: Switch with high ACL capacity
>
> Mike,
>
> Can you shed some light on the use case? Looks like you are confusing ACLs
> and BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they
> have a different use case. ACLs cannot be configured using Flowspec
> announcements. Flowspec can be loosely explained as 'Routing based on L4
> rules' (there's a lot more to it than just L4). I doubt if there is a
> switch which can hold a large number of Flowspec entries.
>
>
> ~Pratik Lotia
> “Improvement begins with I.”
>
>
> On 11/6/18, 10:39, "NANOG on behalf of Mike Hammett" <
> nanog-boun...@nanog.org on behalf of na...@ics-il.net> wrote:
>
> I am looking for recommendations as to a 10G or 40G switch that has
> the ability to hold a large number of entries in ACLs.
>
> Preferred if I can get them there via the BGP flow spec, but some sort
> of API or even just brute force on the console would be good enough.
>
> Used or even end of life is fine.
>
> -Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
>
>
>
>


Re: looking glass software

2018-10-29 Thread Tim Jackson
I just tried out: https://github.com/respawner/looking-glass today, it
seems to be at least new-ish and was pretty easy to get going.

--
Tim

On Mon, Oct 29, 2018 at 4:04 PM Mehmet Akcin  wrote:

> hey there,
>
> I am looking for a looking glass software which is available as free &
> open source.
>
> I have done some research ( https://github.com/search?q=looking+glass
> ) and installed https://github.com/telephone/LookingGlass and
> https://github.com/17mon/LookingGlass
>
> i wanted to drop a note to NANOG asking for possible recommendations.
>
> thank you
>
> Mehmet
>


Re: NAT on a Trident/Qumran(/or other?) equipped whitebox?

2018-10-09 Thread Tim Jackson
The older Fulcrum/Intel FM6000 in the Arista 7150 can do NAT.

--
Tim

On Tue, Oct 9, 2018 at 10:54 AM Edward Dore <
edward.d...@freethought-internet.co.uk> wrote:

> Not sure if you count Arista as whitebox given their use of merchant
> silicon but running their own NOS, however they were touting the 7170
> series as being able to do NAT recently. That's a Barefoot Tofino chip
> under the hood.
>
> I've no idea how well it can do NAT or what the limitations are mind you,
> but it was a specific selling point that they were pushing ...
>
> Edward Dore
> Freethought Internet
>
> On 09/10/2018, 16:38, "NANOG on behalf of Jason Lixfeld" <
> nanog-boun...@nanog.org on behalf of jason+na...@lixfeld.ca> wrote:
>
> Has anyone played around with this?  Curious if the BCM (or whatever
> other chip) can do this, and if not, if any of the box vendors have tried
> to find a way to get these things to do a bunch of NAT - say some flavour
> of NAT, line-rate @ 10G.  If so, anyone know of a NOS that has support for
> it?  OcNOS, Cumulus Linux, PicOS and Switch Light OS seem to have none, but
> not sure if there are others out there.
>
> Thanks!
>
>


Re: Tunable QSFP Optics

2018-06-19 Thread Tim Jackson
You're gonna need to do something like:

https://www.packetlight.com/innovations/40g-connectivity

On Tue, Jun 19, 2018 at 11:27 AM, Lewis,Mitchell T. <
ml-na...@techcompute.net> wrote:

> Does anyone know if any Single Mode QSFPs exist on the market that use
> wavelengths other than 1310nm (either self tunable or factory tuned)? I am
> looking to put more than one 40gb link on a fiber pair similar to using
> DWDM OADMs for 1g & 10g but can't seem to find any qsfp optics that don't
> use 1310nm.
>
> Thanks.
>
>
> Regards,
>
> Mitchell T. Lewis
>
> [ mailto:mle...@techcompute.net | mle...@techcompute.net ]
>
>
> [ http://linkedin.com/in/mlewiscc ] |203-816-0371
>
> PGP Fingerprint: 79F2A12BAC77827581C734212AFA805732A1394E [
> https://pgp.mit.edu/pks/lookup?op=get=0x2AFA805732A1394E | Public
> PGP Key ]
>
>


Re: Juniper MX - Routed pseudowire using LDP - VPWS or VPLS

2018-03-17 Thread Tim Jackson
You can either attach the end of the l2circuit to an LT interface, or a PS
interface.


https://www.google.com/amp/s/tgregory.org/2016/07/10/pseudowire-headend-termination-pwht-for-juniper-mx/amp/

https://www.juniper.net/documentation/en_US/junos/topics/concept/pseudowire-subscriber-interfaces-overview.html

https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/services-configuring-logical-tunnel-interfaces.html



On Sat, Mar 17, 2018, 9:27 AM Ben Bartsch  wrote:

> When we had Cisco ASR 920/903 and  ASR9k, I could attach a layer 2
> pseudowire endpoint on that device to a layer 3 BDI/BVI.  I'm trying to do
> the same thing on a Juniper MX 480/960 and it does not appear to be
> supported (for LDP at least - MP-BGP might be supported).  We could do
> either VPWS or VPLS on the PE device handoff to the CE (layer 2 only).
> JTAC has somewhat confirmed this is not supported for LDP, but they only do
> break/fix, not new config.  We do not have professional services (we are
> broke).
>
> Any Juniper routerheads out there that have seen this done using LDP
> without having to hairpin on the MX?
>
> Thanks, y'all.
>
> -ben
>


Re: Opensource SNMP Trap Receivers ???

2018-02-13 Thread Tim Jackson
http://snmptt.sourceforge.net/



On Feb 13, 2018 6:46 AM, "Matthew Huff"  wrote:

> We are retiring a legacy SNMP system and are looking for a simple,
> opensource SNMP trap receiver/alerting system. We aren't looking for a full
> SNMP system, just something that will receive snmp traps and email/alert
> based on them.
>
> 1) Looking for something off the shelf, not a development project
> 2) Opensource or low cost
> 3) SNMP MIB compiler
>
> Any suggestions?
>
> 
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC   | Phone: 914-460-4039
>
>
>


RE: 40G reforming

2018-02-05 Thread Tim Jackson
I'm pretty sure that this is only available on 7150S which is FM6000, not
broadcom at all.



On Feb 5, 2018 8:00 PM, "Ryan, Spencer"  wrote:

You don’t use 40G modules at all. Just 4 x 10G SFP+.

The Broadcom trident chip is configured at the MAC layer for 40G, so it’s
identical to a real 40G port inside.

Some more reading:

https://www.arista.com/assets/data/pdf/Whitepapers/AgilePorts_over_DWDM_Final.pdf


Spencer Ryan | Senior Systems Administrator | sr...@arbor.net
Arbor Networks | The security division of NETSCOUT
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com



From: Hunter Fuller [mailto:hf0002+na...@uah.edu]
Sent: Monday, February 5, 2018 2:57 PM
To: Ryan, Spencer 
Cc: Marian Ďurkovič ; Baldur Norddahl ;
nanog@nanog.org
Subject: Re: 40G reforming

I suspect that implies that you can just take a 40Gbase-SR4 module and
break it out into individual "10G" multi-mode pairs for DWDM use. Has
anyone tried this? I'm also very interested in using that strategy.

On Mon, Feb 5, 2018 at 1:36 PM Ryan, Spencer wrote:
Indeed. Arista does (did?) make at least one platform where you can do this.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org]
On Behalf Of Marian Durkovic
Sent: Monday, February 5, 2018 2:33 PM
To: Baldur Norddahl
Cc: nanog@nanog.org
Subject: Re: 40G reforming

Many switches based on BCM Trident ASIC allow you to configure 4 consecutive
SFP+ ports as 40G link (not LACP, but using real hardware 40G framing).
In such case, you can plug 4 DWDM SFP+ modules directly into the switch,
without the need for any reformer.

   M.

On Mon, 5 Feb 2018 20:03:33 +0100, Baldur Norddahl wrote
> I may need to clarify that I do not want to break the port into 4x10G
> as such. To the switch this will be an ordinary 40G link to another
> switch far away.
>
> I want to take advantage of the fact that 40G is transported as four
> individual streams. Each of the four streams are to be converted from
> 850 nm to a 1550 DWDM channel (one channel per stream). And the
> reverse at the other end of the link.
>
> The point of doing this is that 40G DWDM modules are not generally
> available and neither are 80 km modules.
>
> I need a true 40G channel so 4x10G LACP is not an option here. For the
> same reason I am unable to accept a solution that splits the 40G port
> into 4x10G and then perhaps recombines using LACP. Instead I am
> looking at an optical solution that is invisible to the switch hardware.
>
> The only doubt I have about the proposed solution is whether the frame
> format of the 10G substreams is somehow incompatible with what goes on
> in the reformer. As I understand these reformers they are little more
> than two SFP(+) modules connected back to back. And therefore it
> should not matter that the frame format may be different.
>
> Regards
>
> Baldur
>
> On Feb 5, 2018 at 7:20 PM, "Paul Zugnoni" wrote:
>
> Whether a 40G port can be broken into 4x10G is dependent on the
> router/switch hardware and the optic you use. Good news is that most
> 40G ports are capable of being broken out into 4x10G, since a 40G port
> is usually operating as 4x10G internally anyway to the ASIC. The QSFP
> you'll need would be a 40G-SR4 for MTP/Multimode or 40G-LR4 for
> MTP/Singlemode (or a lower power, less expensive equivalent). This is
> a pretty common use of 40G ports. All 4 10G ports would then be at
> 850nm or 1310nm, which you can then plug into any 10G SR or LR ports.
>
> What router or switch platform is driving the 40G?
>
> Paul Z
>
> On Mon, Feb 5, 2018 at 7:57 AM, Baldur Norddahl wrote:
>
> > Hello
> >
> > Is it possible to reform a 40G signal as individual 10G links?
> >
> > The idea is to use a 40G QSFP multimode MTP module such as
> > https://www.fs.com/products/44058.html. Then connect it using a MTP
> > breakout cable such as https://www.fs.com/products/68049.html to get
> > four dual fiber connectors. These are then connected to four 10G SFP+
> > multimode modules such as https://www.fs.com/products/11589.html. The

Re: Hurricane Harvey - Network Status (FCC)

2017-08-27 Thread Tim Jackson
KHOU's local transmitter (Missouri City I think is where it's at) seems to
be back on the air, but with all production from WFAA out of Dallas.

--
Tim

On Sun, Aug 27, 2017 at 4:24 PM, Sean Donelan  wrote:

> Hurricane Harvey DIRS report August 27, 2017:
>
> 17 PSAPs impacted, 1 out of service, 16 with partial service or re-routed
> to another PSAP
> At least 148,565 cable and wireline subscribers out of service (11
> switching centers out of service, and 21 switching centers on backup power)
> 4.1% of cell sites out of service (Aransas, Calhoun, Refugio, and San
> Patricio in TX have more than 50% of cell sites out of service)
> 9 radio stations out of service (KJOJ-FM, KKTX, KUNO, KPRC, KKWV, KAYK,
> KZFM, KKBA and KEYS)
>
> News reports also say 1 TV station (KHOU) out of service, but not reported
> in the DIRS status.
>
> https://www.fcc.gov/file/12806/download
>


Re: VXLAN for WAN Pseudowires?

2017-07-21 Thread Tim Jackson
On Fri, Jul 21, 2017 at 12:38 PM, Sabri Berisha 
wrote:

> > From: "Simon Lockhart" 
>
> Hi,
>
> > 2) Traffic engineering - we don't have a lot of requirement for this, but
> >   do have a small number of customers who buy A and B circuits, and require
> >   them to be routed across different paths on our network. This is easy with
> >   MPLS using explicit LSPs, but we've not yet worked out how to achieve the
> >   same thing in VXLAN.
>
> You may be able to achieve this by using a second loopback for the B
> circuit VTEP IP address, and use either PBR or *cough* a static *cough*
> route *cough* towards a different path. Not pretty, but will probably work.
>
> Thanks,
>
> Sabri
>

Or just use RSVP-TE... It's just IP.. T2 can do a MPLS lookup after
encapsulating in VXLAN..

--
Tim


Re: OSPF vs ISIS - Which do you prefer & why?

2016-11-10 Thread Tim Jackson
Uh.


I quote:

> Cisco is the only "real" IS-IS vendor.

> Juniper, Brocade, Arista, Avaya, etc you're not getting it. Any of the
> whitebox hardware or real SDN capable solutions, you're going to be on OSPF.

Care to elaborate on any of those commercial vendors?

--
Tim

On Thu, Nov 10, 2016 at 7:04 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:

> So, we need to narrow the discussion now to only commercial solutions?
>
> This is fun and all (not really) but you can have your thread.
>
> Congrats, you win. I'm not sure what.
>
> On Nov 10, 2016 7:01 PM, "Tim Jackson" <jackson@gmail.com> wrote:
>
>> So what about commercial implementations?
>>
>> --
>> Tim
>>
>> On Thu, Nov 10, 2016 at 6:54 PM, Josh Reynolds <j...@kyneticwifi.com>
>> wrote:
>>
>>> Oops, forgot link. Cooking dinner :)
>>>
>>> http://www.nongnu.org/quagga/
>>>
>>> On Nov 10, 2016 6:53 PM, "Josh Reynolds" <j...@kyneticwifi.com> wrote:
>>>
>>>> Here's a start!
>>>>
>>>> "Support for OSPFv3 and IS-IS is various beta states currently; IS-IS
>>>> for IPv4 is believed to be usable while OSPFv3 and IS-IS for IPv6 have
>>>> known issues."
>>>>
>>>> On Nov 10, 2016 6:50 PM, "Tim Jackson" <jackson@gmail.com> wrote:
>>>>
>>>>> Maybe you didn't look hard enough?
>>>>>
>>>>> ISIS feature support in a bunch of different products has sucked for a
>>>>> long time vs OSPF, but that's a pretty well known and accepted fact.
>>>>> Generally these features are the same across multiple products from the
>>>>> same vendor (usually across the same OS anyway)...
>>>>>
>>>>> Just name 1 feature that was in Cisco and wasn't in other
>>>>> implementations... Just one.. Something.. Does ISIS on IOS make and
>>>>> hand out ice cream on Fridays? I want to know if I'm missing out..
>>>>> --
>>>>> Tim
>>>>>
>>>>> On Thu, Nov 10, 2016 at 6:33 PM, Josh Reynolds <j...@kyneticwifi.com>
>>>>> wrote:
>>>>>
>>>>>> My first post said the following:
>>>>>>
>>>>>> "Vendor support for IS-IS is quite limited - many options for OSPF."
>>>>>>
>>>>>> On Nov 10, 2016 6:24 PM, "Charles van Niman" <char...@phukish.com> wrote:
>>>>>>
>>>>>> > Your original point was that a list of vendors "didn't get IS-IS" but
>>>>>> > provided no details about what you are talking about. As far as all
>>>>>> > the documentation I have read, and some of the documentation you
>>>>>> > linked to, it works just fine on quite a few vendors, and a few people
>>>>>> > on this list. Your original point mentions nothing about wider OSPF
>>>>>> > adoption, which you seem to have shifted to to deflect having to
>>>>>> > provide any actual details.
>>>>>> >
>>>>>> > Are we to assume that your original point was incorrect? As far as the
>>>>>> > landscape as a whole, I have seen quite a few networks that get by
>>>>>> > with either protocol just fine, the use-case for a given network is
>>>>>> > not such a broad landscape, so I think "use the right tool for the
>>>>>> > job" seems very apt, and that you can't just say that only two
>>>>>> > protocols are suitable for all jobs.
>>>>>> >
>>>>>> > /Charles
>>>>>> >
>>>>>> > On Thu, Nov 10, 2016 at 6:00 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
>>>>>> > > As cute as your impotent white knighting of one vendor is (I very much like
>>>>>> > > Juniper BTW), you're absolutely ignoring my original premise and point
>>>>>> > > because you got your panties in a wad over a potential triviality of an
>>>>>> > > internet comment - where documentation exists, should one take
>>

Re: OSPF vs ISIS - Which do you prefer & why?

2016-11-10 Thread Tim Jackson
So what about commercial implementations?

--
Tim

On Thu, Nov 10, 2016 at 6:54 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:

> Oops, forgot link. Cooking dinner :)
>
> http://www.nongnu.org/quagga/
>
> On Nov 10, 2016 6:53 PM, "Josh Reynolds" <j...@kyneticwifi.com> wrote:
>
>> Here's a start!
>>
>> "Support for OSPFv3 and IS-IS is various beta states currently; IS-IS for
>> IPv4 is believed to be usable while OSPFv3 and IS-IS for IPv6 have known
>> issues."
>>
>> On Nov 10, 2016 6:50 PM, "Tim Jackson" <jackson@gmail.com> wrote:
>>
>>> Maybe you didn't look hard enough?
>>>
>>> ISIS feature support in a bunch of different products has sucked for a
>>> long time vs OSPF, but that's a pretty well known and accepted fact.
>>> Generally these features are the same across multiple products from the
>>> same vendor (usually across the same OS anyway)...
>>>
>>> Just name 1 feature that was in Cisco and wasn't in other
>>> implementations... Just one.. Something.. Does ISIS on IOS make and
>>> hand out ice cream on Fridays? I want to know if I'm missing out..
>>>
>>> --
>>> Tim
>>>
>>> On Thu, Nov 10, 2016 at 6:33 PM, Josh Reynolds <j...@kyneticwifi.com>
>>> wrote:
>>>
>>>> My first post said the following:
>>>>
>>>> "Vendor support for IS-IS is quite limited - many options for OSPF."
>>>>
>>>> On Nov 10, 2016 6:24 PM, "Charles van Niman" <char...@phukish.com>
>>>> wrote:
>>>>
>>>> > Your original point was that a list of vendors "didn't get IS-IS" but
>>>> > provided no details about what you are talking about. As far as all
>>>> > the documentation I have read, and some of the documentation you
>>>> > linked to, it works just fine on quite a few vendors, and a few people
>>>> > on this list. Your original point mentions nothing about wider OSPF
>>>> > adoption, which you seem to have shifted to to deflect having to
>>>> > provide any actual details.
>>>> >
>>>> > Are we to assume that your original point was incorrect? As far as the
>>>> > landscape as a whole, I have seen quite a few networks that get by
>>>> > with either protocol just fine, the use-case for a given network is
>>>> > not such a broad landscape, so I think "use the right tool for the
>>>> > job" seems very apt, and that you can't just say that only two
>>>> > protocols are suitable for all jobs.
>>>> >
>>>> > /Charles
>>>> >
>>>> > On Thu, Nov 10, 2016 at 6:00 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
>>>> > > As cute as your impotent white knighting of one vendor is (I very much like
>>>> > > Juniper BTW), you're absolutely ignoring my original premise and point
>>>> > > because you got your panties in a wad over a potential triviality of an
>>>> > > internet comment - where documentation exists, should one take the time to
>>>> > > go through it, to find discrepancies between them.
>>>> > >
>>>> > > So, if you'd like to prove your point and earn brownie points with $vendor,
>>>> > > on a feature by feature basis please take the time to consult documentation
>>>> > > of two vendors products (you can even pick the platform and subversion
>>>> > > release!) to refute my claim. This has nothing at all to do with the point
>>>> > > of my statement mind you, it's simply a sidetrack that has wasted enough
>>>> > > time already.
>>>> > >
>>>> > > That said, glance across the landscape as a whole of all of the routing
>>>> > > platforms out there. Hardware AND software. Which ones support bare bones
>>>> > > IS-IS? Which ones have a decent subset of extensions? Are they comparable
>>>> > > or compatible with others? The end result is a *very mixed bag*, with far
>>>> > > more not supporting IS-IS at all, or only supporting the bare minimum to
>>>> > > even go by that name in a datasheet.
>>>> > >
>>>> > > Thus, my point stands. If you want as much flexibility in your environment
>>>> > > as you can have, you want OSPF or BGP as your IGP.
>>>> > >
>>>> > > On Nov 10, 2016 5:33 PM, "Nick Hilliard" <n...@foobar.org> wrote:
>>>> > >
>>>> > >> Josh Reynolds wrote:
>>>> > >> > I didn't "trash talk" a vendor. If I did, it would be a multi-thousand
>>>> > >> > line hate fueled rant with examples and enough colorful language to make
>>>> > >> > submarine crews blush.
>>>> > >>
>>>> > >> I have no doubt it would be the best rant.  It would be a beautiful rant.
>>>> > >>
>>>> > >> Entertaining and all as hand-waving may be, please let us know if you
>>>> > >> manage to unearth any actual facts to support the claims that you made
>>>> > >> about junos's alleged feature deficits.
>>>> > >>
>>>> > >> Nick
>>>> > >>
>>>> > >>
>>>> >
>>>>
>>>
>>>


Re: OSPF vs ISIS - Which do you prefer & why?

2016-11-10 Thread Tim Jackson
Maybe you didn't look hard enough?

ISIS feature support in a bunch of different products has sucked for a long
time vs OSPF, but that's a pretty well known and accepted fact. Generally
these features are the same across multiple products from the same vendor
(usually across the same OS anyway)...

Just name 1 feature that was in Cisco and wasn't in other
implementations... Just one.. Something.. Does ISIS on IOS make and
hand out ice cream on Fridays? I want to know if I'm missing out..

--
Tim

On Thu, Nov 10, 2016 at 6:33 PM, Josh Reynolds  wrote:

> My first post said the following:
>
> "Vendor support for IS-IS is quite limited - many options for OSPF."
>
> On Nov 10, 2016 6:24 PM, "Charles van Niman"  wrote:
>
> > Your original point was that a list of vendors "didn't get IS-IS" but
> > provided no details about what you are talking about. As far as all
> > the documentation I have read, and some of the documentation you
> > linked to, it works just fine on quite a few vendors, and a few people
> > on this list. Your original point mentions nothing about wider OSPF
> > adoption, which you seem to have shifted to to deflect having to
> > provide any actual details.
> >
> > Are we to assume that your original point was incorrect? As far as the
> > landscape as a whole, I have seen quite a few networks that get by
> > with either protocol just fine, the use-case for a given network is
> > not such a broad landscape, so I think "use the right tool for the
> > job" seems very apt, and that you can't just say that only two
> > protocols are suitable for all jobs.
> >
> > /Charles
> >
> > On Thu, Nov 10, 2016 at 6:00 PM, Josh Reynolds 
> > wrote:
> > > As cute as your impotent white knighting of one vendor is (I very much
> > like
> > > Juniper BTW), you're absolutely ignoring my original premise and point
> > > because you got your panties in a wad over a potential triviality of an
> > > internet comment - where documentation exists, should one take the time
> > to
> > > go through it, to find discrepancies between them.
> > >
> > > So, if you'd like to prove your point and earn brownie points with
> > $vendor,
> > > on a feature by feature basis please take the time to consult
> > documentation
> > > of two vendors' products (you can even pick the platform and subversion
> > > release!) to refute my claim. This has nothing at all to do with the
> > point
> > > of my statement mind you, it's simply a sidetrack that has wasted
> enough
> > > time already.
> > >
> > > That said, glance across the landscape as a whole of all of the routing
> > > platforms out there. Hardware AND software. Which ones support bare
> bones
> > > IS-IS? Which ones have a decent subset of extensions? Are they
> comparable
> > > or compatible with others? The end result is a *very mixed bag*, with
> far
> > > more not supporting IS-IS at all, or only supporting the bare minimum
> to
> > > even go by that name in a datasheet.
> > >
> > > Thus, my point stands. If you want as much flexibility in your
> > environment
> > > as you can have, you want OSPF or BGP as your IGP.
> > >
> > > On Nov 10, 2016 5:33 PM, "Nick Hilliard"  wrote:
> > >
> > >> Josh Reynolds wrote:
> > >> > I didn't "trash talk" a vendor. If I did, it would be a
> multi-thousand
> > >> > line hate fueled rant with examples and enough colorful language to
> > make
> > >> > submarine crews blush.
> > >>
> > >> I have no doubt it would be the best rant.  It would be a beautiful
> > rant.
> > >>
> > >> Entertaining and all as hand-waving may be, please let us know if you
> > >> manage to unearth any actual facts to support the claims that you made
> > >> about junos's alleged feature deficits.
> > >>
> > >> Nick
> > >>
> > >>
> >
>


Re: Arista unqualified SFP

2016-08-20 Thread Tim Jackson
On Aug 18, 2016 7:42 AM, "Nick Hilliard"  wrote:
> It is always better to clarify this sort of thing with the account
> management team before purchasing, and preferably have it in email or
> writing.

Sometimes you inherit bad situations...

The (bad) solution is to program your own optics to match Arista ones so
their switches can't tell the difference.. It's not hard, but a lot of the
time it's out of the normal reach of a lot of customers.

Flexoptix fixed that problem, but they're still priced way too high vs the
OEMs that supply to them..

It's still terribly frustrating to deal with this issue in 2016. It's a
desperate money grab from less informed customers.

Arista should really stop this bad practice. I'd urge anybody buying any
gear to make sure it can accept any optic meeting whatever MSA standard
optics that it's able to have plugged into it.

--
Tim


Re: Arista unqualified SFP

2016-08-18 Thread Tim Jackson
>
> Your AM team will gladly unlock this for you.
>
> This is probably just a procedural issue with Arista TAC not knowing the
> secret sauce.



That's not the answer I got at all from Arista:

"I understand that Arista TAC indicated that  could provide you with a
transceiver unlock code. While it is true that the unlock code concept
exists, it is very unusual for us to unlock optics on switches. We’d be
happy to talk with you further about this in person. "

Followup was:

"As I'm sure you know, Arista is not the only manufacturer that has made
this choice. Unlike our competition, we work to make our optics pricing
competitive, but we'll never be as low as the "Taiwan specials" that you
see floating around. I have another customer that was flashing white label
optics that just made the decision to start using Arista labeled optics
again because they were tired of bad quality."

They basically said we'll sell you 10x priced optics instead of 100x and
we're awesome because we do that. No unlock for you, buy our slightly
cheaper OEM optics instead.

--
Tim


Re: Arista unqualified SFP

2016-08-17 Thread Tim Jackson
I'd suggest bitching and moaning at your account team & support until they
give you the key to unlock them..

--
Tim

On Wed, Aug 17, 2016 at 2:50 PM, Stanislaw  wrote:

> Hi all,
> Is there a way for unlocking off-brand transceivers usage on Arista
> switches?
>
> I've got an Arista 7050QX switch with 4.14 EOS version. Then it has been
> found out that Arista switches seem to not have possibility to unlock
> off-brand xceivers usage (by some service command or so).
>
> I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the
> checking function bypass the actual check and it helped: ports are not in
> errdisable state anymore. But despite the xceivers being detected correctly,
> links aren't coming up (they are in notconnect state).
>
> If anyone possibly does have the sacred knowledge of bringing
> off-branded transceivers to life on Arista switches, your help'd be very
> appreciated. Thanks.
>


Re: Recommendations for used satellite decoder resellers

2016-07-05 Thread Tim Jackson
This Yahoo group has a bunch of CATV gear for sale and is still pretty
active.. Shooting a message on here might work:

https://beta.groups.yahoo.com/neo/groups/buyandsellCATV/info

--
Tim

On Tue, Jul 5, 2016 at 8:41 AM, Jason Lixfeld 
wrote:

> Hello,
>
> I’m wondering if anyone can refer me to a company they’ve used in the past
> who may have (access to) used satellite decoder equipment.  I’m in the
> market for some used Sencore kit.
>
> Thanks in advance!


Re: NANOG67 - Tipping point of community and sponsor bashing?

2016-06-20 Thread Tim Jackson
>
> Really? The x-connect is run through active equipment operated by the
> data centre?
>
> Is this a specific service you purchased, or is this the way they
> deliver x-connects?


I remember fighting with Terremark around 2005 or so on this... Connecting
OC-12s through them, they insisted things go through their Lucent Lambda
Unite always, it'd turn into 6 hours of finger pointing about timing slips
where they would inform me that both sides (AT and myself) should time
towards them, through attrition we'd always end up with a regular XC.
Awesome times.

--
Tim


Re: mpls switches

2016-04-12 Thread Tim Jackson
>> Do the Juniper EX switches support MPLS? I know they have models with
>> multiple 10G ports on them.
>
> They do, but (deliberately) broken. I wouldn't try it.

EX4600 does MPLS just fine, nothing else really does in the EX
series.. EX4200 can do 1 label. The EX4600 featureset is pretty much
the same as QFX5100 in addition to supporting MACSEC.

>>  There is also the QFX series.
>
> Not that I know of, but the ACX is a QFX-derivative (Broadcom chipset,
> approach with caution).

QFX5100 works fine for MPLS.. ACX5k is QFX5100 hardware, but a
different train of software, and it's a bit different. QFX5100 is a
great P and lightweight PE..

--
Tim


Re: Equipment Supporting 2.5gbps and 5gbps

2016-01-29 Thread Tim Jackson
On Jan 29, 2016 6:29 AM, "Jared Mauch"  wrote:
> >  SFP+ Copper Twinax is another option for 10G to save on the transceivers
>
> Not really.
>
> You can get 10G optics for sub-$10 and patch cords for cheap too,
> so why spend >$50 on DAC cables when you can go fiber and save
> space and money?
>
> Walking into a colo and seeing orange or aqua cables always
> makes me sad as people overpaid and created themselves a future problem.

2x 850nm SFP+ @ $16
2m multimode jumper @ $3.16

Vs

2m SFP+ DAC @ $18

(From Fiberstore)

Then you have the issue of Intel NICs refusing to support any optical
modules that don't show up as Intel (and the associated work arounds, etc)

DACs are usually about 40% cheaper for server interconnect.


Re: IP DSCP across the Internet

2015-05-05 Thread Tim Jackson
In general there are very few bad actors here in regards to
trusting/accepting/using DSCP across the internet.

Apple has a tendency to mark some traffic with EF that shouldn't be EF on
PNIs, and Cogent leaks a lot of their internal markings into customers, but
it's generally unmarked traffic from certain customers/peers. Other than
that IMHO it's totally valid to accept, and nobody abuses it (other than
those 2).

We accept DSCP from the internet and do queue a few things higher towards
customers for things like OTT VoIP etc.

Remarking DSCP is bad IMHO, trusting it is another thing. You just have to
be careful, and I suggest good netflow tools to keep an eye on it.

On May 5, 2015 5:30 PM, Ramy Hashish ramy.ihash...@gmail.com wrote:

 Good day all,

 A simple question, does Internet trust IP DSCP marking? Assume two ASs
 connected through two tier 1 networks, will the tier one networks trust any
 DSCP markings done from an AS to the other?

 Thanks,

 Ramy



Re: Multi-gigabit edge devices as CPE

2015-04-08 Thread Tim Jackson
Woops, missed the full tables requirement there.. Never mind.

On Apr 8, 2015 4:18 PM, Tim Jackson jackson@gmail.com wrote:

 Cisco ASR902 or Juniper ACX..
 On Apr 8, 2015 3:48 PM, Daniel Rohan dro...@gmail.com wrote:

 I work at a state REN and we are seeking a lead for a new edge device for
 on prem deployment at customer sites.

 We currently deploy two classes of routers-- a high end and a low end.
 Both
 the high end and the low end use some of the standard edge features:
 MPLS-TE, MBGP, flowspec, vrf, PIM, etc. We deliver full tables over these
 devices to the customers that need them.

 We recently finished a new ethernet procurement and have a large number of
 sites (~200) moving from 1Gbps in bandwidth to 1-10Gb in bandwidth. Our
 currently deployed low-end router can't handle these speeds and we can't
 afford to place our high end router at 200+ sites.

 So, we're looking for a middle tier router to deploy. Something with 2+
 SFP+ ports, software that can handle the aforementioned features, and
 something with an API that we can leverage for programmatic management.

 So far we've not found anything that checks all the boxes. Layer 3
 switches
 seem like obvious choices, but lack some of the features and RIB/FIB we
 need at the edge. Other devices like the Juniper MX5/10 certainly meet the
 requirements, but are priced way beyond what we can afford.

 Any suggestions for devices we might have overlooked? Preferably in the
 less than 10K per unit price point. If such a magical device exists.

 -Dan




Re: Multi-gigabit edge devices as CPE

2015-04-08 Thread Tim Jackson
Cisco ASR902 or Juniper ACX..

On Apr 8, 2015 3:48 PM, Daniel Rohan dro...@gmail.com wrote:

 I work at a state REN and we are seeking a lead for a new edge device for
 on prem deployment at customer sites.

 We currently deploy two classes of routers-- a high end and a low end. Both
 the high end and the low end use some of the standard edge features:
 MPLS-TE, MBGP, flowspec, vrf, PIM, etc. We deliver full tables over these
 devices to the customers that need them.

 We recently finished a new ethernet procurement and have a large number of
 sites (~200) moving from 1Gbps in bandwidth to 1-10Gb in bandwidth. Our
 currently deployed low-end router can't handle these speeds and we can't
 afford to place our high end router at 200+ sites.

 So, we're looking for a middle tier router to deploy. Something with 2+
 SFP+ ports, software that can handle the aforementioned features, and
 something with an API that we can leverage for programmatic management.

 So far we've not found anything that checks all the boxes. Layer 3 switches
 seem like obvious choices, but lack some of the features and RIB/FIB we
 need at the edge. Other devices like the Juniper MX5/10 certainly meet the
 requirements, but are priced way beyond what we can afford.

 Any suggestions for devices we might have overlooked? Preferably in the
 less than 10K per unit price point. If such a magical device exists.

 -Dan



Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-21 Thread Tim Jackson
pmacct includes sfacctd which is an sflow collector.. Accessible via
the same methods as its nfacctd collector or pcap based collector..

--
Tim

On Fri, Nov 21, 2014 at 9:06 AM, Denys Fedoryshchenko de...@visp.net.lb wrote:
 On 2014-11-21 18:41, Peter Phaal wrote:

 Actually, sFlow from many vendors is pretty good (per your points about
 flow
 burstiness and delays), and is good enough for dDoS detection.  Not for
 security forensics, or billing at 99.99% accuracy, but good enough for
 traffic visibility, peering analytics, and (d)DoS detection.


 Well, if it is available, except hardware limitations, there is second
 obstacle,
 software licensing cost. On latest JunOS, for example on EX2200, you need
 to purchase license (EFL), and if am not wrong it is $3000 for 48port
 units.
 So if only sFlow feature is on stake, it worth to think, to purchase
 license,
 or to purchase server.


 Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2):


 http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf

 I am not aware of any vendor requiring an additional license to enable
 sFlow.

 sFlow (packet sampling) works extremely well for the DDoS flood
 detection / mitigation use case. The measurements are built into low
 cost commodity switch hardware and can be enabled operationally
 without adversely impacting switch performance.  A flood attack
 generates high packet rates and sampling a 10G port at 1-in-10,000
 will reliably detect flood attacks within seconds.

 For most use cases, it is much less expensive to use switches to
 perform measurement than to attach taps / mirror port probes. If your
 switches don't already support sFlow, you can buy a 10G capable white
 box switch for a few thousand dollars that will let you monitor 1.2
 Terabits/sec. If you go with an open platform such as Cumulus Linux,
 you could even run your DDoS mitigation software on the switch and
 dispense with the external server. Embedded instrumentation is simple
 to deploy and reduces operational complexity and cost when compared to
 add on probe solutions.

 Peter Phaal
 InMon Corp.

 Wow, that's great news then, I'm using mostly Cisco gear now, but seems will
 have to take a look to Juniper, thanks for information.
 If it is free, then if EX2200 available, it is much easier to run sFlow and
 write custom collector for it, than installing custom probe(in most common
 cases).

 ---
 Best regards,
 Denys


Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-20 Thread Tim Jackson
I highly recommend pmacct and its in-memory tables. Lightweight, easy to
query and super fast.

You can also easily run multiple aggregates of traffic to find what you are
interested in, tag common interface types to easily filter traffic..

Or you can use pmacct to insert this into whatever database you want, AMQP
or MongoDB..

My current favorite is using an IMT table for DoS detection and another for
aggregates for interesting traffic types and querying this every X minutes
and inserting it into ElasticSearch. Kibana makes the most powerful netflow
dashboard ever.

--
Tim

On Nov 20, 2014 6:39 PM, Roland Dobbins rdobb...@arbor.net wrote:


 On 21 Nov 2014, at 9:19, Robert Duffy wrote:

  What open-source NetFlow analysis tools would you recommend for quickly
 detecting a DDoS attack?


 I generally recommend that folks get started with something like
 nfdump/nfsen or ntop.  There are other, more sophisticated tools out there,
 but these allow one to get up and running quickly, and to gain valuable
 operational experience with which to evaluate more sophisticated tools, if
 they're needed.

 ---
 Roland Dobbins rdobb...@arbor.net
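
An added example, not part of either post and not pmacct code: the periodic DoS check Tim describes, combined with the 1-in-10,000 packet sampling Peter Phaal mentions in the 2014-11-21 message. The JSON field names, the addresses, the 10-second interval and the 5,000 pps threshold are assumptions made for illustration; the error bound is the usual packet-sampling approximation (95% relative error of about 196/sqrt(samples) percent).

```python
import json
import math
from collections import defaultdict

# Constructed sample: one 10-second snapshot of per-flow counters, one JSON
# object per line. Field names and all addresses are assumptions made for this
# example; counters are raw sampled counts, not yet scaled by the sampling rate.
SAMPLE_EXPORT = """\
{"ip_src": "198.51.100.10", "ip_dst": "192.0.2.80", "packets": 410, "bytes": 24600}
{"ip_src": "198.51.100.77", "ip_dst": "192.0.2.80", "packets": 395, "bytes": 23700}
{"ip_src": "203.0.113.5", "ip_dst": "192.0.2.80", "packets": 388, "bytes": 23280}
{"ip_src": "203.0.113.9", "ip_dst": "192.0.2.25", "packets": 6, "bytes": 9000}
{"ip_src": "203.0.113.40", "ip_dst": "192.0.2.53", "packets": 2, "bytes": 180}
{"ip_src": "203.0.113.41", "ip_dst": "192.0.2.53", "packets": "n/a"}
this line is truncated garbage {"ip_dst":
"""


def parse_records(text):
    """Yield (dst, sampled_packets, sampled_bytes); skip malformed lines."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            yield rec["ip_dst"], int(rec["packets"]), int(rec["bytes"])
        except (ValueError, KeyError, TypeError):
            continue  # truncated, non-JSON or incomplete record


def relative_error(samples):
    """95% relative error of a sampled estimate, as a fraction capped at 1.0."""
    if samples <= 0:
        return 1.0
    return min(1.0, 1.96 / math.sqrt(samples))


def estimate(text, sampling_rate, interval_s):
    """Aggregate sampled counters per destination and scale to real rates."""
    totals = defaultdict(lambda: [0, 0])
    for dst, pkts, octets in parse_records(text):
        totals[dst][0] += pkts
        totals[dst][1] += octets
    result = {}
    for dst, (samples, octets) in totals.items():
        pps = samples * sampling_rate / interval_s
        err = relative_error(samples)
        result[dst] = {
            "samples": samples,
            "pps": pps,
            "bps": octets * sampling_rate * 8 / interval_s,
            "error": err,
            # Conservative rate: what we can claim even if the estimate is
            # high by the full 95% error margin.
            "pps_low": pps * (1 - err),
        }
    return result


def detect_floods(estimates, pps_threshold):
    """Destinations whose conservative packet rate still exceeds the threshold."""
    hits = [(dst, e) for dst, e in estimates.items()
            if e["pps_low"] >= pps_threshold]
    return sorted(hits, key=lambda item: item[1]["pps"], reverse=True)


if __name__ == "__main__":
    est = estimate(SAMPLE_EXPORT, sampling_rate=10000, interval_s=10)
    for dst, e in detect_floods(est, pps_threshold=5000):
        print(f"{dst}: ~{e['pps']:.0f} pps, ~{e['bps'] / 1e6:.0f} Mbit/s, "
              f"+/-{e['error'] * 100:.1f}% from {e['samples']} samples")
```

The destination with only 6 samples estimates to 6,000 pps, above the threshold, but its error margin is about 80%, so it is not reported; the flooded destination has over a thousand samples in the same 10 seconds and is.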



Re: 48V DC Terminal server recommendations

2013-07-24 Thread Tim Jackson
Digi TS-16 Works well, but doesn't have USB/modem..

MRV's LX line meets all of that, but I've had mixed issues with
reliability with them..

On Wed, Jul 24, 2013 at 7:59 AM, Jeremy Bresley b...@brezworks.com wrote:
 Looking for recommendations on a good terminal server to put into a telco
 colocate facility.

 Requirements:
 8-16 ports for Cisco console access (RJ-45s preferred, DB9s if we have to)
 -48V DC power
 USB/internal modem for OOB access
 NEBS Level 1 (or better) compliance.

 So far I've found Perle has several models that meet 3 out of 4, but none
 that meet all the requirements.  The only OpenGear boxes we're seeing with
 DC power is a little 4 port unit and they don't mention NEBS compliance.
 Lantronix mentions DC power for their SLC line, but doesn't mention anything
 about NEBS compliance either.

 Anybody have any recommendations for one they've used that meets all 4 of
 those requirements?

 Thanks!

 Jeremy TheBrez Bresley
 b...@brezworks.com




RE: Service provider T1/PPP question

2013-06-28 Thread Tim Jackson
The problem being a CLEC is getting access to repeater housings.

Usually limits you to a few kft. At least you can get up to 15mbps/pair now.

On Jun 28, 2013 6:23 PM, Eric Wieling ewiel...@nyigc.com wrote:



 -Original Message-
 From: Mike [mailto:mike-na...@tiedyenetworks.com]
 Sent: Friday, June 28, 2013 8:26 PM
 To: nanog@nanog.org
 Subject: Re: Service provider T1/PPP question

 On 06/28/2013 12:56 PM, Naslund, Steve wrote:
 
  I think this post seems like a flashback.  I would not consider a T-1 to
 really be broadband anymore and it is pretty much limited to a business
 environment the way tariffs work.  As far as MLPPP, it seems to be pretty
 stable now where you need multiple bonded T-1s.  We have a few sites
 running MLPPP with Sprint on Juniper and Cisco gear and have not had an
 issue with it.  It is definitely not my preference for business
 connectivity anymore.  We tend to look for Ethernet service which is way
 cheaper per mb than T-1 and requires less expensive terminal equipment in
 most cases.  T-1s are the business solution where you need dedicated MPLS
 connectivity and fiber transport is not available.  DSL or Internet VPN are
 OK but somewhat less stable for business class private network solutions.
  If it is internet connectivity they want you will get beaten up by the
 cable companies that can outrun and outprice you across the board.  You
 will also have a heck of a time competing with incumbent and competitive
 telecoms in T-1s that have central offices or collocations in central
 offices.  The economics just don't work if you don't have direct access to
 the cable plant.  Maybe up until the telecom act but not now.  How do you
 intend to get those T-1s back to you or are you a CLEC?
 
 

 I am a clec with colocated facilities, and my targets are rural unserved
 areas where none of the factors above are considerations. I just want to
 connect with anyone who's done this and has a qualified technical opinion
 on optimal deployment strategies; the business considerations are already
 done.


 

 Most T-1 service these days seems to be delivered over HDSL.   You may
 also want to consider EoC. XO uses Adtran CPEs for their EoC service,
 anything from 1.5Mbps to 20Mbps service over 1 or more copper pairs with
 good distances between repeaters.







Re: recommended outdoor enclosures

2013-06-17 Thread Tim Jackson
Alpha's Radium Minibays should be a good start of what to look at and
seems to fit your requirements:

http://www.alpha.ca/web2/products/enclosures/outdoor-enclosures-medium/item/radium-minibay-series

On Mon, Jun 17, 2013 at 12:36 PM, Chuck Anderson c...@wpi.edu wrote:
 I'm in need of my first free-standing, pad-mounted outdoor enclosure,
 19 rack rails, 12-18 rack units, with about 400W of heat load inside,
 for use in the Massachusetts climate.  What do people recommend as far
 as construction, cooling/heating options, NEMA ratings, security
 options, etc. for this use?

 I was hoping to keep the inside temperature between 50 and 85 degrees
 Fahrenheit, although my worst-case components are rated for 41 to 104
 F (4 - 40 C).  If a full mechanical A/C system can be avoided, even
 better.  A thermo-electric cooler would be nice.

 Thanks.




Re: Fiber project/IPTV multicast

2013-02-09 Thread Tim Jackson
Yes.

Most live IPTV is delivered across multicast*. There are a few gotchas.

MMR uses a unicast fill for instant channel change (configurable bandwidth
amounts, etc) on top of Multicast. Some other middleware may have similar
methods to accomplish this.

Usually at the DSLAM you'll see hax to forward IGMP requests and
multicast ingress to/from a specific VLAN.

Most EFM based DSLAMs will segregate this all the way down to the CPE, and
let the CPE handle differentiating the joins on the particular VLANs.
Sometimes it's handled inside the DSLAM, but usually it's all configurable.

Handling live TV unicast is definitely possible but brings up another set
of challenges across the SP network towards the DSLAM/Agg point. Mainly
reproduction of the same content * subscriber count, so your bandwidth
towards a given DSLAM/Agg point grows with every subscriber. Low
penetration count of IPTV, this can be less bandwidth, as IPTV penetration
grows this could be several times the multicast bandwidth.

Usually most channel lineups are 1gbps-2.5gbps of multicast bandwidth,
depending on channel bitrates, amount of content, etc, etc..

MMR == Microsoft Mediaroom

--
Tim


On Sat, Feb 9, 2013 at 1:02 PM, Jay Ashworth j...@baylink.com wrote:

 Do any of the people who've worked with some of the IPTV delivery services
 mentioned here know if their live TV services can be handled via Multicast?

 Off-list replies are fine; will summarize if anyone else cares.

 Cheers,
 -- jra

 --
 Jay R. Ashworth  Baylink
 j...@baylink.com
 Designer The Things I Think   RFC
 2100
 Ashworth  Associates http://baylink.pitas.com 2000 Land
 Rover DII
 St Petersburg FL USA   #natog  +1 727 647
 1274




Re: Rollup: Small City Municipal Broadband

2013-02-02 Thread Tim Jackson
C7 is old school. E7/E20 is far far far far far far different.

On Feb 2, 2013 2:55 PM, Scott Helms khe...@zcorum.com wrote:

 Jay,

 I'm spotty on mailing lists since most of my time is spent building these
 kinds of networks.

 1)  Talk to more vendors than just Calix, especially if they're quoting
 their Ethernet density on the C7.  Also, keep in mind that port density may
 or may not be relevant to your situation since space for muni shelves isn't
 usually a problem.  Port density is much more important if you're deploying
 in existing telco enclosures but muni networks tend (not universally of
 course) to reuse existing city infrastructure building to house the nodes
 of their network.  Please note that I am not recommending against Calix,
 they're a good solution in many cases, but AE is not a strong point on the
 C7.  The E7 and the B series, which is the old Occam product, is much
 better than the C7.  For that matter I wouldn't consider doing a new build
 on the C7 since that platform's EoL can't be too far in the future.

 2)  I have no idea who  told you this, but this is completely and utterly
 incorrect in nationwide terms.  If you have a specific layer 3 provider in
 mind that tells you they want a GPON hand off then that's fine, but ISPs in
 general don't know what GPON is and have no gear to terminate that kind of
 connection.


 On Sat, Feb 2, 2013 at 3:22 PM, Jay Ashworth j...@baylink.com wrote:

  - Original Message -
   From: Scott Helms khe...@zcorum.com
 
   Why on earth would you do this with PON instead of active Ethernet?
   What GPON vendor have you found where their technical staff will tell
 you
   this is a good architecture for their PON offering?
 
  Asked and answered, Scott; have you been ignoring the threads all week?
 
  I'm pretty sure I even answered it in the posting, but just in case:
 
  1) Line cards for the OLT frames appear to be 2 orders of magnitude
 denser
  for GPON termination than AE (480 ports per 10U vs 10k ports per 10U in
  Calix, unless I've badly misunderstood my sources), and
 
  2) GPON is what potential L3 providers large enough to want an optical
  handoff are generally used to.
 
  If someone wants AE, they can certainly have it.
 
  (C'mon; miss the *next* turn, too :-)
 
  Cheers,
  -- jra
  --
  Jay R. Ashworth  Baylink
  j...@baylink.com
  Designer The Things I Think   RFC
  2100
  Ashworth  Associates http://baylink.pitas.com 2000 Land
  Rover DII
  St Petersburg FL USA   #natog  +1 727 647
  1274
 
 


 --
 Scott Helms
 Vice President of Technology
 ZCorum
 (678) 507-5000
 
 http://twitter.com/kscotthelms
 



Re: Fwd: Rollup: Small City Municipal Broadband

2013-02-02 Thread Tim Jackson
Word to dropping docsis science on NANOG.

On Feb 2, 2013 3:34 PM, Scott Helms khe...@zcorum.com wrote:

  I hope I said E7; it's what I meant to say.  Yes, I wasn't going to
  stop at Calix; I'm just juggling budgetary type numbers at the moment;
  I'll have 3 or 4 quotes before I go to press.  It's a 36 month project
  just to beginning of build, at this point, likely.
 
  Assuming I get the gig at all.
 

 The E7 is a good shelf, so that's a decent starting point.  I'd also talk
 with Zhone, Allied Telesys, Adtran, and Cisco if for no other reason but
 get the best pricing you can.  I'd also focus much more on your cost per
 port than the density since your uptake rate will be driven by economics
 long before port density and how much space your gear takes becomes an
 issue.

 
   2) I have no idea who told you this, but this is completely and utterly
   incorrect in nationwide terms. If you have a specific layer 3 provider
   in mind that tells you they want a GPON hand off then that's fine, but
   ISPs in general don't know what GPON is and have no gear to terminate
  that
   kind of connection.
 
  Other people here, said it.  If nothing else, it's certainly what the
  largest nationwide FTTH provider is provisioning, and I suspect it serves
  more passings than anything else; possibly than everything else.
 

 I'm not sure what you mean by this.  The largest PON offering in the US is
 Verizon's FIOS, but AFAIK they don't interconnect with anyone at layer 2
 and their layer 3 fiber connections are either Packet Over SONET, Gig
 E(most common), or very occasionally still ATM.  I have heard of a few
 instances where they'd buy existing GPON networks but I've never heard of
 them cross connecting like this even with operators that they do
 significant business with in other ways.


 
  But it doesn't matter either way, except in cross-connects between my MDF
  and my colo cages; except for GPON's apparent compatibility with RF CATV
  delivery (which I gather, but have not researched) is just
 block-upconvert,
  I don't care either way; there's no difference in the plant buildout.
 

 This is not correct.  DOCSIS is an MPEG stream over QAM or QPSK modulation
 and there is nothing about it that is compatible to any flavor of PON.  In
 fact if you look at the various CableLabs standards you'll see DPoE (
 http://www.cablelabs.com/dpoe/specifications/index.html) which lists how a
 DOCSIS system can inter-operate and provision a PON system. If you look at
 the two largest PON networks (FIOS and Uverse) you'll see the two different
 approaches to doing video with a PON architecture.  Verizon is simply
 modulating an MPEG stream (this is block compatible to a cable plant, in
 fact it's the same way that a HFC network functions) on a different color on
 the same fiber that they send their PON signalling.  ATT takes another
 approach where they simply run IPTV over their PON network.  I've listened
 to presentations from Verizon's VP of Engineering (at that time) for FIOS
 and he said their choice was driven by the technology available when they
 launched and they did modulated RF over their fiber instead of IPTV because
 that technology wasn't as mature when they started. Verizon's approach may
 be what someone was thinking of when they said that PON was compatible to
 cable signaling but that's not how it works.


 
  Cheers,
  -- jra
  --
  Jay R. Ashworth  Baylink
  j...@baylink.com
  Designer The Things I Think   RFC
  2100
  Ashworth  Associates http://baylink.pitas.com 2000 Land
  Rover DII
  St Petersburg FL USA   #natog  +1 727 647
  1274
 



 --
 Scott Helms
 Vice President of Technology
 ZCorum
 (678) 507-5000
 
 http://twitter.com/kscotthelms
 






Re: Fwd: Rollup: Small City Municipal Broadband

2013-02-02 Thread Tim Jackson
What do Cisco's shitty metro switches have to do with anything?

Haay we have the best shitty metro-e boxes around. We're awesome.

On Feb 2, 2013 4:49 PM, Scott Helms khe...@zcorum.com wrote:

 That's one of the reasons to look at active ethernet over gpon.  There is
 much more of a chance to do v6 on that gear, especially cisco's Metro
 ethernet switches.
 On Feb 2, 2013 5:27 PM, Brandon Ross br...@pobox.com wrote:

  On Sat, 2 Feb 2013, Scott Helms wrote:
 
   I'd also talk with Zhone, Allied Telesys, Adtran, and Cisco if for no
  other reason but get the best pricing you can.
 
 
  I can't believe I'm going to beat Owen to this point, but considering you
  are building a brand new infrastructure, I'd hope you'd support your
 service
  provider's stakeholders if they want to do IPv6.  To do so securely,
 you'll
  want your neutral layer 2 infrastructure to at least support RA-guard and
  DHCPv6 shield.  You might also want/need DHCPv6 PD snooping, MLD
 snooping.
   We have found VERY disappointing support for these features in this type
  of gear.
 
  --
  Brandon Ross  Yahoo  AIM:
   BrandonNRoss
  +1-404-635-6667ICQ:
   2269442
  Schedule a meeting:  https://doodle.com/brossSkype:
   brandonross
 



Re: Will wholesale-only muni actually bring the boys to your yard?

2013-01-30 Thread Tim Jackson
Having worked with lots of other municipalities who do the same thing, I
think you're 100% right. The L1/L2 solutions are nice to think of, but I
don't think in the end it actually works in the real world.

The only time a municipality operating in the L1 space has worked well from
my experience is when they were selling fiber to other carriers. Which
generally meant the only things that the carriers and the municipality
cared about and wanted fiber built to was large enterprises, telco spaces,
or as middle-mile pieces of another network. I don't think the residential
model could actually be financially feasible for any municipality.


On Wed, Jan 30, 2013 at 8:37 AM, Art Plato apl...@coldwater.org wrote:

 I am the administrator of a Municipally held ISP that has been providing
 services to our constituents for 15 years in a competitive environment with
 Charter. We aren't here to eliminate them, only to offer an alternative.
 When the Internet craze began back in the late 1990's they made it clear
 that they would never upgrade the plant to support Internet data in a town
 this size, until we started the discussion of Bonds. We provide a service
 that is reasonably priced with local support that is exceptional. We don't
 play big brother. Both myself and my Director honor people's privacy. No
 information without a properly executed search warrant. Having said all
 that. We are pursuing the feasibility of the model you are discussing. My
 director believes that we would better serve our community by being the
 layer 1 or 2 provider rather than the service provider. While I agree in
 principle. The reality is, from my perspective is that the entities
 providing the services will fall back to the original position that
 prompted us to build in the first place. Provide a minimal service for the
 maximum price. There is currently no other provider in position in our area
 to provide a competitive service to Charter. Loosely translated, our
 constituents would lose. IMHO.




Re: Eaton 9130 UPS feedback

2012-11-13 Thread Tim Jackson
Just go -48vdc.

None of these pesky UPS problems :)

Unfortunately there's a serious lack of PoE switches that are -48.

On Nov 13, 2012 8:51 PM, Jeff Kell jeff-k...@utc.edu wrote:

 On 11/13/2012 6:42 PM, Tom Morris wrote:
  Sorry to say, I've used them and had them eat themselves. They just
  die mysteriously and let out lots of smoke when they do. When they do,
  however, they leave behind a perfectly good set of batteries. I'd
  recommend looking elsewhere... Does Eaton/PowerWare still make the
  FerrUPS series? Those were *solid*.

 Interesting.  So far the feedback sounds overwhelmingly negative.  Heard
 some good points on Emerson (I'm assuming Liebert?).  We've had much
 better luck overall with them, although a couple of incidents where they
 don't care to come back online after they were drained.

 We largely use the UPS to survive power glitches without dropping the
 network for switch reboot times, we're not after long runs.  As such,
 the occasional extended outages drain the UPS'es and there are always
 the percentage of them that do not come back online and require manual
 intervention.

 We were formerly a big TrippLite user, but they seem to be incredibly
 fault-intolerant with regard to the scenario above (coming back online
 after draining), and to a lesser degree, going offline after a power
 glitch.

 Never used an Eaton that I'm aware of however.

 Would be interested in other recommendations for remote / IDF / MDF
 environment UPS systems to just keep the stack up over power glitches.

 Jeff





Re: Whats so difficult about ISSU

2012-11-12 Thread Tim Jackson
I would argue no.

The Class 5 softswitches that are around now are off-the-shelf cPCI or ATCA
hardware running Linux or some other *nix. The TDM - IP cards are the only
sticky point there to be upgraded, but since everything is a mid-plane, you
can do rolling N:1 upgrades across the cards with minimal (sub 400msec)
impact. There's not a ton special secret sauce there..

To the other point, they probably process way more than 2mbps/s of control
traffic during busy hour, especially in geo-redundant configurations as
lots of things have to be synchronized. I think you're talking more on the
order of 50-120mbps..

Yet all of this works pretty damn well.

--
Tim


On Mon, Nov 12, 2012 at 12:21 AM, Kasper Adel karim.a...@gmail.com wrote:

 Hi Frank,

 Is it because C5 softswitches have expensive hardware, advanced software
 and dual asics? I would have never imagined that any vendor is capable of
 upgrading fpd's/ASICs ucode without a hit unless there are multiple chips
 continuously syncing with each other.

 Regards,
 Kim

 On Monday, November 12, 2012, Frank Bulk wrote:

  We do it on our Class 5 softswitch ... and it works consistently.  There may
  be a few seconds, once, where a new call can't be made, but most people will
  re-dial.  It just works.
 
  It can be done, but the product has to be built with that in mind.
 
  Frank
 
  -Original Message-
  From: Kasper Adel [mailto:karim.a...@gmail.com]
  Sent: Thursday, November 08, 2012 5:23 PM
  To: NANOG list
  Subject: Whats so difficult about ISSU
 
  Hello,
 
  We've been hearing about ISSU for so many years and I didn't hear that any
  vendor was able to achieve it yet.
 
  What is the technical reason behind that?
 
  If I understand correctly, the way it will be done would be simply to have
  extra ASICs/HW to be able to build dual circuits accessing the same memory,
  and gracefully switch from one to another. Is that right?
 
  Thanks,
  Kim
 
 
 



RE: Current IPv6 state of US Mobile Phone Carriers

2012-05-23 Thread Tim Jackson
http://i.imgur.com/c0Bmz.jpg

From a few minutes ago...

On May 23, 2012 2:58 PM, Frank Bulk - iName.com frnk...@iname.com wrote:

 Here's a screenshot from 15 months ago:
 http://www.fix6.net/archives/2011/02/21/ipv6-live-on-verizons-lte-network/

 Frank

 -Original Message-
 From: Randy Carpenter [mailto:rcar...@network1.net]
 Sent: Tuesday, May 22, 2012 9:07 PM
 To: PC
 Cc: nanog@nanog.org
 Subject: Re: Current IPv6 state of US Mobile Phone Carriers


 Not only does Verizon *not* have IPv6 on their LTE network, they also do *not*
 have IPv4, except for double-NATed rfc1918 crap that changes your IP address
 every couple minutes. The only way to get a stable connection is to pay them
 $500 to get a static public IP address.

 thanks,
 -Randy


 - Original Message -
  IPV6 is present, to my knowledge, on all devices on the Verizon IPV6
  LTE network.  I noticed it's using it to communicate to Google for many
  of its services when I ran a netstat.  I believe they mandated
  support for it from any certified device.
 
  Unfortunately, it's still firewalled.
 
 
  On Tue, May 22, 2012 at 5:40 PM, Paul Graydon
  p...@paulgraydon.co.uk wrote:
   On 05/22/2012 01:21 PM, Cameron Byrne wrote:
  
   On May 22, 2012 4:00 PM, Paul Porter paul.por...@gree.co.jp wrote:
  
   Hi NANOG,
  
   I'm looking for some information on the four largest US mobile phone
   carriers and the current state of their IPv6 infrastructure. Specifically,
   we are trying to figure out:
  
   1.  How much of the carrier core and edge for ATT, Verizon, T-Mobile, and
   Sprint are on IPv6 now?
  
   Hi,
  
   T-Mobile USA has native ipv6 to all subscribers in all of its coverage
   area. But, less than 1% of subscribers use IPv6 because they do not have an
   IPv6 capable phone. The Nexus S and Galaxy Nexus work well.
  
   This device challenge will improve in time.  Samsung is doing a good job of
   bringing IPv6 to Android devices. More info here
  
   That's interesting.  I have a Galaxy Nexus on T-Mobile USA and it doesn't
   get an IPv6 address, only IPv4.  Works fine with IPv6 over my wireless
   network at home.  Doesn't seem to be anything obvious in the settings to
   enable or disable that.
  
   Paul
  
 
 
 








Re: Anyone have a layman's guide to writing an rwhois daemon?

2012-05-07 Thread Tim Jackson
Dunno how much help it'll be but here's mine.. It's basic and probably
non-RFC compliant, but it might help.

crapbox.idge.net/~tjackson/rwhois.tar.gz

On May 7, 2012 6:35 PM, Landon Stewart lstew...@superb.net wrote:

 Hi All,

 I just wrote a perl daemon that seems to be a working rwhois server but the
 RFC is quite difficult to read for me.  When talking about the protocol it
 mentions a bunch of requirements and describes them quite strangely
 (see rfc2167 section 3.1.9).  Is there a layman's guide around somewhere or
 can anyone lend some advice here?  Is what I wrote acting like a real
 rwhois server - at least partially?

 $ whois -h sirt.hopone.net -p rwhois 66.235.162.21
 %rwhois V-1.5:00:00 rwhois.hopone.net (HopOne Internet Corp)
 servername:sls-cf7p17
 domain:rac13a.com
 ipaddress:66.235.162.21
 ipaddress:66.235.166.15
 ipaddress:66.235.179.110
 abusename:Abuse Department
 abusephone:206-438-5909
 abusemail:ab...@hopone.net
 %ok

 (If you try running the command above it may or may not be running and may
 not succeed)

 If anyone knows where to get an rwhois daemon that has hooks for looking up
 the data in an external database (not a .cdb database or flat file) I'd
 appreciate it a great deal.  I won't want to waste too much time on this if
 I can help it but I want a functioning rwhois server.  Our rwhoisd at
 rwhois.hopone.net has been broken for a while and for the life of me I
 cannot figure out what's wrong with the data formatting it's using.  I
 attempted to join the mailing list for ISC's rwhoisd daemon but it's dead
 (no volume on the list).

 --
 Landon Stewart lstew...@superb.net
 Sr. Administrator
 Systems Engineering
 Superb Internet Corp - 888-354-6128 x 4199
 Web hosting and more Ahead of the Rest: http://www.superbhosting.net



Re: IETF - Overlapping IPv4 Address Support

2012-03-06 Thread Tim Jackson
I thought you were gonna read up on the timecube.

On Mar 6, 2012 2:57 PM, Guru NANOG nanog.g...@gmail.com wrote:

 Adding four more bits to the Left of the Source Address and setting
 those bits to  (0xF) can help to start the migration to Regions
 and more IPv4 Addresses - Using and Re-Using legacy spectrum
 http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt

 16 /8s for Future use - it looks like the Future has arrived

 240/8  Future use  1981-09  RESERVED  [15]
 241/8  Future use  1981-09  RESERVED  [15]
 242/8  Future use
 ...
 253/8  Future use  1981-09  RESERVED  [15]
 254/8  Future use  1981-09  RESERVED  [15]
 255/8  Future use  1981-09  RESERVED  [15]


 http://tools.ietf.org/html/draft-gundavelli-v6ops-community-wifi-svcs-01

 4.13. Overlapping IPv4 Address Support

 Wi-Fi Service Provider may segment the
 network into regions. Two regions may use overlap IPv4 address space. This
 is particularly important when the Internet is transitioning to IPv6. The
 Wi-Fi SP may not have enough unique public IPv4 addresses to globally
 address large number of Wi-Fi device.



Re: Spread Spectrum IP Addressing - SOURCE Address Field ROTATED|shifted? Left 2 Bits

2012-03-03 Thread Tim Jackson
http://www.timecube.com/

Goes together well..

On Mar 3, 2012 1:34 PM, Guru NANOG nanog.g...@gmail.com wrote:

 Common Misconception

 With Spread Spectrum IP Addressing the 32-bit Source Address Field is
 Shifted LEFT 2-bits by the originator of the packet.

 That Folds the IPv4 Legacy Address Space into 1/4th tsize table

 The lost 2-bits are stored in the Right-Most 2 bits of the 32-bit
 field and in other places in the IPv4 Header

 The Destination can easily recover the Source Address - if the proper
 algorithms are in use

 Responses blindly sent back to the shifted Source Address may fall
 into agile hands or not

 With the advanced Spread-Spectrum techniques, additional addressing
 bits are created from the noise intentionally stored in the Right-Most
 2 bits

 NANOG Operators buying /8s or /6s may want to look at the
 Spread-Spectrum CODE in the Linux-based CPE Routers

 The following table is deprecated and 1/4th the size:
 http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt

 With Spread-Spectrum collisions and mis-directions are OK and expected but
 other techniques ensure the packets get to the right place.

 http://NANOG.GURU




Re: Console Server Recommendation

2012-01-30 Thread Tim Jackson
On Mon, Jan 30, 2012 at 10:16 AM, Matthew Huff mh...@ox.com wrote:
 We use MRV, and are very happy with them:

 http://www.mrv.com/oobn/console-servers/

At least someone is.. We couldn't keep their -48vdc products from
dying every few months requiring a manual reboot, or hardware
replacement.

Outside of that, they did a few things nobody else seemed to do, but
they had a few drawbacks such as pppd not supporting classless on
inbound dial-in connections (hopefully that's fixed now).

--
Tim



Re: US DOJ victim letter

2012-01-19 Thread Tim Jackson
The 3rd email they sent:

This email is intended to provide clarification on a previous email
sent to you. You will be receiving a letter by U.S. Postal Service in
the coming days.  In the meantime, please visit the link below which
provides more details on the investigation and identifying you as a
possible victim:

www.fbi.gov/news/stories/2011/november/malware_110911

--
Tim



Re: DC wiring standards

2012-01-03 Thread Tim Jackson
https://ebiznet.sbc.com/sbcnebs/Documents/TP76300/index.html



On Tue, Jan 3, 2012 at 1:40 PM, Leigh Porter
leigh.por...@ukbroadband.com wrote:
 Hi all,

 Does anybody know where I can find standards for DC cabling for -48v systems?

 I'm looking for general best common practices, cable colouring etc.

 Thanks,

 --
 Leigh Porter






Re: Resilient streaming protocols

2011-05-28 Thread Tim Jackson
You mean like ProMPEG?

On May 28, 2011 4:42 PM, Aria Stewart aredri...@nbtsc.org wrote:
 Anyone have any interest in a forward-error-corrected streaming protocol
 suitable for multicast, possibly both audio and video?

 Good for when there's some packet loss.

 
 Aria Stewart





Re: Internet Edge Router replacement - IPv6 route table size considerations

2011-03-08 Thread Tim Jackson
MX80 is perfect for this.. 5g 10g bundles are cheap..

On Mar 8, 2011 8:49 PM, Jack Carrozzo j...@crepinc.com wrote:
 Get a cheap J series, load it full of memory, forget about it. If you
 haven't played with Juniper gear before, you will be quite pleased.

 -Jack Carrozzo

 On Tue, Mar 8, 2011 at 8:58 PM, George Bonser gbon...@seven.com wrote:



  -Original Message-
  From: Chris Enger [mailto:chr...@ci.hillsboro.or.us]
  Sent: Tuesday, March 08, 2011 5:18 PM
  To: 'jgood...@studio442.com.au'; 'nanog@nanog.org'
  Subject: RE: Internet Edge Router replacement - IPv6 route table
  size considerations
 
  Our Brocade reps pointed us to the CER 2000 series, and they can do up
  to 512k v4 or up to 128k v6. With other Brocade products they spell
  out the CAM profiles that are available, however I haven't found
  specifics on the CER series.
 
  Chris

 CER features are here:



http://www.brocade.com/products/all/routers/product-details/netiron-cer-2000-series/features.page





Re: Ethernet circuit testing

2011-03-07 Thread Tim Jackson
http://documents.exfo.com/specsheets/ETS-1000L-angHR.pdf

We use these for testing, much cheaper than a full test set...



On Mon, Mar 7, 2011 at 2:06 PM, Dustin Swinford dustinna...@gmail.com wrote:

 More often on Ethernet services, we experience a customer wanting to see
 more than an Ookla based server test from our network.  Our hands in the
 field are limited in the number of Ethernet smart loopback devices that they
 own.  If we do have a tester on site, we can generate traffic from an Exfo
 purpose built appliance toward the loop and determine results.  Too often,
 we have found things such as ftp downloads to be unreliable based on use of
 server, windows PC doing the download, etc.  What other methods are you guys
 using for testing these services?










Re: SLA for voice and video over IP/MPLS

2011-02-27 Thread Tim Jackson
For video, the SCTE 168 doc covers this.. (first hit on google)

It's fairly strict, but in depth.

On Feb 24, 2011 6:12 PM, Diogo Montagner diogo.montag...@gmail.com wrote:


Re: Low end, cool CPE.

2010-11-11 Thread Tim Jackson
As well as an expresscard slot for a wireless modem..

On Nov 11, 2010 8:27 PM, Adam Leff a...@leff.co wrote:
 I'd take a peek at Juniper's branch model SRX line. Something like the
 SRX210 has a mini-PIM slot that can take a DOCSIS hand-off.

 Can't speak to pricing, however, but they're great little boxes.

 Adam

 On Nov 11, 2010, at 18:43, Leo Bicknell bickn...@ufp.org wrote:


 I've run into a number of low end CPE situations lately where I
 haven't found anything that does what I want, but I have to believe
 it is out there. I'm hoping NANOG can help.

 Basically think about a sophisticated home user, or a 1-5 person
 small office. Think DSL, Cable Modem, maybe Cell Card or ISDN as
 backups. Looking for an appliance, very much fire and forget. I
 probably won't get all the features that I want, but in no particular
 order:

 - Able to load balance over 2 links (probably via NAT).
 - IPv6 support, native or tunnel to tunnelbroker.net type thing.
 - Able to deal with backup connectivity, eg. Cell Cards which you
 only want to use if the primary is down.
 - User friendly features, e.g. UPNP, NAT-PMP, etc.
 - Good manageability. ssh to a cli would be a huge bonus, at least
 the ability to backup a config.
 - Able to handle decent throughput, probably 20Mbps/sec min, 50 would
 be nice.
 - Nice firewall features.
 - IDS features are cool.

 WiFi is not strictly required, but would be cool. Things like guest
 WiFi would be an added bonus.

 Something a NANOGer might want at home would be a good baseline.
 I realize the exact product may differ depending on DSL/Cable/Cell/ISDN,
 that's ok, let's get some various good solutions going here.

 What is the state of the art, and who has it?

 --
 Leo Bicknell - bickn...@ufp.org - CCIE 3440
 PGP keys at http://www.ufp.org/~bicknell/



Re: Ethernet performance tests

2010-10-27 Thread Tim Jackson
We dispatch a technician to an end-site and perform tests either
head-head with another test set, or to a loop at a far-end..

We do ITU-T Y.156sam/EtherSAM and/or RFC2544 tests depending on the
customer requirements. (some customers require certain tests for x
minutes)

http://www.exfo.com/en/Products/Products.aspx?Id=370
^--All of our technicians are equipped with those EXFO sets and that
module. Also covers SONET/DS1/DS3 testing as well in a single easy(er)
to carry set..

--
Tim

On Wed, Oct 27, 2010 at 6:32 PM, Diogo Montagner
diogo.montag...@gmail.com wrote:
 Hello everyone,

 I am looking for performance test methodology for ethernet-based
 circuits. These ethernet circuits can be: dark-fiber, l2circuit
 (martini), l2vpn (kompella), vpls or ng-vpls. Sometimes, the ethernet
 circuit can be a mix of these technologies, like below:

 CPE - metro-e - l2circuit - l2vpn - l2circuit - metro-e - CPE

 The goal is to verify the performance end-to-end.

 I am looking for tools that can check at least the following parameters:

 - loss
 - latency
 - jitter
 - bandwidth
 - out-of-order delivery

 At this moment I have been using IPerf to achieve these results. But I
 would like to check if there are some test devices that can be used in
 situations like that to verify the ethernet-based circuit performance.

 The objective of these tests is to verify the signed SLAs of each
 circuit before the customer starts to use it.

 I checked all MEF specifications and I only find something related to
 performance for Circuit Emulation over Metro-E (which is not my case).

 Appreciate your comments.

 Thanks!
 ./diogo -montagner





Re: Ethernet performance tests

2010-10-27 Thread Tim Jackson
Each KM does not add 4.9ms..

More like ~1msec per 100km...

1/4/msec usually per OEO conversion (depends on the box)...

--
Tim

On Wed, Oct 27, 2010 at 9:31 PM, Mike Mainer mmai...@tekinside.com wrote:
 Exfo, JDSU, Fluke all offer hand held test sets that can run a rfc2544
 (http://www.ietf.org/rfc/rfc2544.txt) test.  Do you own the path between cpe
 - cpe?  Remember that for each km of fiber distance add about 4.9ms (one
 way) of latency.  Do baseline tests on your cpe gear so you know what you are
 working with from the beginning.  Different tests at different speeds/cpe hand
 off (1Gig fiber, 10Gig fiber, Copper @ 10/100/1000) so that all variations
 are captured.

 Did this at a previous company, had to test everything in everything
 deployable state.


 On Wed, Oct 27, 2010 at 6:54 PM, Tim Jackson jackson@gmail.com wrote:

 We dispatch a technician to an end-site and perform tests either
 head-head with another test set, or to a loop at a far-end..

 We do ITU-T Y.156sam/EtherSAM and/or RFC2544 tests depending on the
 customer requirements. (some customers require certain tests for x
 minutes)

 http://www.exfo.com/en/Products/Products.aspx?Id=370
 ^--All of our technicians are equipped with those EXFO sets and that
 module. Also covers SONET/DS1/DS3 testing as well in a single easy(er)
 to carry set..

 --
 Tim

 On Wed, Oct 27, 2010 at 6:32 PM, Diogo Montagner
 diogo.montag...@gmail.com wrote:
  Hello everyone,
 
  I am looking for performance test methodology for ethernet-based
  circuits. These ethernet circuits can be: dark-fiber, l2circuit
  (martini), l2vpn (kompella), vpls or ng-vpls. Sometimes, the ethernet
  circuit can be a mix of these technologies, like below:
 
  CPE - metro-e - l2circuit - l2vpn - l2circuit - metro-e - CPE
 
  The goal is to verify the performance end-to-end.
 
  I am looking for tools that can check at least the following parameters:
 
  - loss
  - latency
  - jitter
  - bandwidth
  - out-of-order delivery
 
  At this moment I have been using IPerf to achieve these results. But I
  would like to check if there are some test devices that can be used in
  situations like that to verify the ethernet-based circuit performance.
 
  The objective of these tests is to verify the signed SLAs of each
  circuit before the customer starts to use it.
 
  I checked all MEF specifications and I only find something related to
  performance for Circuit Emulation over Metro-E (which is not my case).
 
  Appreciate your comments.
 
  Thanks!
  ./diogo -montagner
 
 




 --
 -Mike Mainer




Re: DDOS attack via as702 87.118.210.122

2010-10-26 Thread Tim Jackson
Whois really isn't that hard Maybe reading: ASNumber: 701 - 705 is though..

t...@shitbox:/var/log$ whois a 702 -h whois.arin.net
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/asns;q=702?showDetails=true
#

ASNumber:   701 - 705
ASName: UUNET
ASHandle:   AS701
RegDate:1990-08-03
Updated:2008-07-24
Ref:http://whois.arin.net/rest/asn/AS701

OrgName:MCI Communications Services, Inc. d/b/a Verizon Business
OrgId:  MCICS
Address:22001 Loudoun County Pkwy
City:   Ashburn
StateProv:  VA
PostalCode: 20147
Country:US
RegDate:2006-05-30
Updated:2009-12-07
Ref:http://whois.arin.net/rest/org/MCICS

OrgTechHandle: JHU140-ARIN
OrgTechName:   Huffines, Jody
OrgTechPhone:  +1-703-886-6093
OrgTechEmail:  jody.huffi...@verizonbusiness.com
OrgTechRef:http://whois.arin.net/rest/poc/JHU140-ARIN

OrgNOCHandle: OA12-ARIN
OrgNOCName:   UUnet Technologies, Inc., Technologies
OrgNOCPhone:  +1-800-900-0241
OrgNOCEmail:  hel...@verizonbusiness.com
OrgNOCRef:http://whois.arin.net/rest/poc/OA12-ARIN

OrgTechHandle: SWIPP-ARIN
OrgTechName:   swipper
OrgTechPhone:  +1-800-900-0241
OrgTechEmail:  swip...@verizonbusiness.com
OrgTechRef:http://whois.arin.net/rest/poc/SWIPP-ARIN

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName:   abuse
OrgAbusePhone:  +1-800-900-0241
OrgAbuseEmail:  abuse-m...@verizonbusiness.com
OrgAbuseRef:http://whois.arin.net/rest/poc/ABUSE3-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#




On Tue, Oct 26, 2010 at 8:54 AM, Cutler James R
james.cut...@consultant.com wrote:
 Jack,

 I agree that whois is hard. Please explain how you knew to query AS701 when 
 Serg asked about AS702.

 computer:~ me$ whois as702
 SNIP
 No match for AS702.
 Last update of whois database: Tue, 26 Oct 2010 13:47:47 UTC 

 Regards.

        Cutler
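
The point made in this exchange, that ARIN registers AS702 inside the block "ASNumber: 701 - 705" under handle AS701, worked as an added example (not code from the thread or from any poster). It parses ARIN-style whois text, matches an AS number against the registered range, and collects the contacts an abuse report would go to; the sample text is constructed from the response quoted above, with placeholder example.net addresses.

```python
import re

# Constructed sample, trimmed from the ARIN response quoted in the thread.
# E-mail addresses are example.net placeholders, not the real contacts.
SAMPLE = """\
#
# The following results may also be obtained via:
#

ASNumber:       701 - 705
ASName:         UUNET
ASHandle:       AS701
Ref:            http://whois.arin.net/rest/asn/AS701

OrgName:        MCI Communications Services, Inc. d/b/a Verizon Business
OrgId:          MCICS

OrgNOCHandle: OA12-ARIN
OrgNOCEmail:  noc@example.net

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName:   abuse
OrgAbuseEmail:  abuse@example.net
"""


def parse_records(text):
    """Split whois text into blank-line separated records of key -> [values]."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # comment lines carry no fields
            continue
        if not line:                      # blank line ends the current record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:                           # keep repeated keys (e.g. two OrgTech blocks)
            current.setdefault(key.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def asn_range(record):
    """Return (low, high) for an ASNumber field; a single ASN gives low == high."""
    value = record["ASNumber"][0]
    match = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", value)
    if not match:
        raise ValueError("unrecognised ASNumber field: %r" % value)
    low = int(match.group(1))
    high = int(match.group(2) or low)
    return low, high


def lookup(text, asn):
    """Find the registration whose ASNumber range contains asn, with its contacts."""
    records = parse_records(text)
    for rec in records:
        if "ASNumber" not in rec:
            continue
        low, high = asn_range(rec)
        if not low <= asn <= high:
            continue
        contacts = {}
        for other in records:
            for key, values in other.items():
                role = re.fullmatch(r"Org(Abuse|NOC|Tech)Email", key)
                if role:
                    contacts.setdefault(role.group(1).lower(), []).extend(values)
        return {"handle": rec["ASHandle"][0], "block": (low, high), "contacts": contacts}
    return None                           # asn is outside every block in this response


if __name__ == "__main__":
    print(lookup(SAMPLE, 702))
```
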



Re: POS to Ethernet Converter

2010-09-09 Thread Tim Jackson
You could always use a pair of SONET ADMs on both sides with OC-3
cards and ethernet cards.

Cisco 15454 is a little big, but maybe the 15327 would have OC-3 cards...

--
Tim

On Thu, Sep 9, 2010 at 12:59 PM, Alan Bryant
a...@gtekcommunications.com wrote:
 I did a quick google search for a converter but either I'm not
 understanding, or I'm not searching for the right thing.

 We currently have a POS OC-3 that I would like to be able to convert
 it to Ethernet, if possible.

 Do such devices exist?

 --
 Alan Bryant | Systems Administrator
 Gtek Computers  Wireless, LLC.
 a...@gtekcommunications.com | www.gtek.biz
 O 361-777-1400 | F 361-777-1405





Re: IP Address Management Tool

2010-06-01 Thread Tim Jackson
http://iptrack.sf.net


On Tue, Jun 1, 2010 at 8:07 AM, D C cassel...@gmail.com wrote:

 I am looking for a better way to manage IP addresses.  I am currently using
 an excel spreadsheet, but this is becoming cumbersome as more and more
 addresses are being added.  Does anyone have any recommendations?

 Thanks,
 Danielle



Re: Upstream BGP community support

2009-10-31 Thread Tim Jackson
Being the architect/head-nerd-in-charge of a fairly new network.

Not reading ras's HOWTOs and others is suicide There's no
excuse... It really makes running your network easier.. If my customer
needs to prepend X to Y transit/peer/customer or not announce to them
at 3am, that means they don't have to call me...

My customers like it, and so do I. RTFM and we'll all be happier...






On 10/31/09, Richard A Steenbergen r...@e-gerbil.net wrote:
 On Sat, Oct 31, 2009 at 09:37:03PM +0100, Andy B. wrote:
 While most decent upstream providers support this kind of traffic
 engineering, one of them refuses to send and accept BGP communities. I
 tried to contact my upstream several times through different channels
 to get some background as to why they would not be able to provide us
 this service, but all we get is tickets that get closed without an
 answer. Management itself does not seem to bother either.

 Is this normal or is it too much to ask for BGP communities from an
 upstream who has points of presence in the US, Europe and Asia?

 Yes and no. There are a handful of old stodgy networks who are of the
 belief that this kind of information is proprietary, and therefore
 should not be sent to customers or other networks on the Internet. My
 opinion is that those networks are idiots, and therefore money should
 not be sent to them.

 Even if (for whatever reason) you don't need a particular set of
 features in BGP communities, I personally think that they are an
 excellent indicator of the networks' general technical competence and
 ability to work with them on a wide variety of other issues. In this day
 and age a robust and functional set of communities should really be a
 requirement for any network provider.

 shamelessplug
 There was also a NANOG presentation on a pretty reasonable design and
 implementation of BGP communities for a service provider:

 http://www.nanog.org/meetings/nanog40/presentations/BGPcommunities.pdf
 /shamelessplug

 --
 Richard A Steenbergen r...@e-gerbil.net   http://www.e-gerbil.net/ras
 GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)



-- 
Sent from my mobile device



Re: ISP BGP Resources

2009-07-10 Thread Tim Jackson
http://www.nanog.org/meetings/nanog40/presentations/BGPcommunities.pdf

Great presentation.


On 7/10/09, Babak Pasdar bpas...@batblue.com wrote:
 Hello,

 We are in the process of rolling out communities that our customers can use
 to manipulate their routes.  Are there any resources (books, web sites,
 mailing lists, etc..) that anyone can recommend?

 Thank you,

 Babak


-- 
Sent from my mobile device



Re: OEMs for X2 10G LAN PHY optics

2009-07-10 Thread Tim Jackson
I second Adam's recommendation. Fluxlight has always been awesome to deal with.

On 7/10/09, Adam Rothschild asr+na...@latency.net wrote:
 On 2009-07-10-14:21:49, Duane Waddle duane.wad...@gmail.com wrote:
 I am searching for opinions on OEMs of X2 form factor 10G LAN PHY
 optics.  We've found that most router/switch vendors  mark these
 particular items up significantly just to provide their own
 sticker/EEPROM ID.  As such, we'd prefer if we can to procure from the
 OEM (or their reseller).  Is this a situation where any company who's
 a signatory to the MSA produces suitable modules, or are there
 particular OEMs to prefer (or avoid)?

 If it matters, the prime platform we're looking to plug optics into is
 the WS-X6708-10G module for a 6500/7600.

 I'd suggest looking at FluxLight (www.fluxlightinc.com) for this.
 Their sales and support process is nothing short of stellar, and
 pricing is a fair medium between paying too much for vendor optics
 and fly-by-night eBay imports.

 To wit, all of their products Just Worked without ever needing Cisco's
 infamous 'service unsupported-transceiver' vendor lock override.

 -a



-- 
Sent from my mobile device



Re: Rackmount Vendors

2008-10-09 Thread Tim Jackson
http://www.racksolutions.com/



On Thu, Oct 9, 2008 at 10:31 AM, Rogelio [EMAIL PROTECTED] wrote:

 Charles Wyble wrote:


 I second that. Worked at several places that used them. Also check out
 Graybar. They have a will call office in Van Nuys.
 http://www.graybar.com/
 PDU search results for example: http://tinyurl.com/4xh4wg



 If you're looking for a one stop place, Graybar is great.

 But if you need better prices, it's often better to shop around and get the
 stuff individually at other shops.




Re: big DC -48V to AC inverters

2008-07-30 Thread Tim Jackson
Unipower out of florida.. They can provide scalable inverters for 120
and 208/240. Modular N+1 setups and very flexible..

We have a large 200amp 120vac setup from them. I'd recommend letting
your electrician build a parallel setup instead of relying on their
modules, however...




On 7/30/08, Andreas Ott [EMAIL PROTECTED] wrote:
 Hello,

 we are looking into providing power for 'legacy' equipment in a data
 center that is exclusively giving us -48V DC power. The most recent
 thread on this list was about -48V DC modems but in our case I am rather
 looking into inverting on the order of 4 kW per rack from the supplied DC
 into AC equipment. And yes, that's not the most efficient use of power,
 we know it already ;-) .

 Does anyone operate devices like this that are capable of 2...4 kW
 power conversion and do you have recommendations, good or bad experience
 to share?

 Please reply direct to me and indicate if it's OK to use your answer in
 a summary e-mail back to the list.

 Thanks, andreas
 --
 Andreas Ott  K6OTT   [EMAIL PROTECTED]



-- 
Sent from Gmail for mobile | mobile.google.com



Re: Cable Colors - A Standard

2008-06-19 Thread Tim Jackson
This one is plenty safe to stick on a live cable, plus it works a whole lot
better than the old analog ones:

http://www.flukenetworks.com/fnet/en-us/products/IntelliTone+Toner+and+Probe/Overview.htm?categorycode=CPTT

--
Tim

On Thu, Jun 19, 2008 at 7:50 PM, Nathan Ward [EMAIL PROTECTED] wrote:

 On 20/06/2008, at 4:19 AM, Glen Turner wrote:

 A useful tool is a audio cable tracer. When disconnecting
 a PC you attach the signal injector. You then use the other
 half of the tool to identify the cable (it buzzes when near).
 This allows the patch cables to be pulled with certainty
 rather than left in the rack just in case it attached to some
 other host and you fear causing an unplanned outage.



 You whack on one of these things when there's still active gear on the end?

 --
 Nathan Ward








Re: [NANOG] RackMount DC to AC Inverters

2008-05-17 Thread Tim Jackson
Check out Unipower. They make a stackable N-1 setup that does 30+ amps
(redundantly) of 110 in 2U.

Just remember to wire up their sync cable if you parallel 2 or more shelves.

--
Tim



On 5/16/08, Gregory Boehnlein [EMAIL PROTECTED] wrote:
 Hello all,
   I have some equipment going into a Telco Co which only offers
 battery backup on its DC power plant. Most of the equipment that is already
 moving into that facility is AC powered, so I am looking for advice on
 rackmount DC inverters. Looking for something that can accommodate inverting
 enough power to load a 30 AMP 110 circuit, preferably something that has N+1
 redundancy.. I'm not finding a lot of options on Google, so I figured that I
 would ask here...



 ___
 NANOG mailing list
 NANOG@nanog.org
 http://mailman.nanog.org/mailman/listinfo/nanog


-- 
Sent from Gmail for mobile | mobile.google.com
