Re: Netskrt - ISP-colo CDN

2024-04-07 Thread Aaron1
Yeah, to date I haven’t been in a place where peering is a reality, yet.  CDN providers sending servers to us has been our best option.

Aaron

> On Apr 7, 2024, at 12:30 PM, Mike Hammett  wrote:
> 
> I suppose that depends on the size (bits and miles) of the network and the cost of transport within it. In many areas, space + power + port is cheaper than transport.
> 
> -Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
> 
> From: "Tim Burke" 
> To: "Aaron Gould" 
> Cc: nanog@nanog.org
> Sent: Saturday, April 6, 2024 10:00:05 PM
> Subject: Re: Netskrt - ISP-colo CDN
> 
> I have been trying to get _away_ from caching appliances on our network — other than Google, we are able to pick up most of the stuff that otherwise would be cacheable via private peering; so it doesn’t make a whole lot of sense for us to have appliances in the datacenter taking up space, power, and 100G ports, and increasing potential attack surface by having devices that we cannot control directly connected to edge routers.
> 
>> On Apr 4, 2024, at 2:57 PM, Aaron Gould  wrote:
>> 
>> Anyone out there using Netskrt CDN?  I mean, installed in your network for content delivery to your customers.  I understand Netskrt provides caching for some well known online video streaming services... just wondering if there are any network operators that have worked with Netskrt and deployed their caching servers in your networks and what have you thought about it?  What Internet uplink savings are you seeing?
>> 
>> Netskrt - https://www.netskrt.io/
>> 
>> -- 
>> -Aaron

Re: Netskrt - ISP-colo CDN

2024-04-04 Thread Aaron1
Thanks… and does anyone know the benefit of Netskrt for ISPs that already have native Amazon ACEv2 servers installed?

Aaron

> On Apr 4, 2024, at 4:50 PM, Jesse DuPont  wrote:
> 
> Right now, Amazon Prime is sponsoring the deployment of the caches. They deploy in your network and requests from your IPs (v4 or v6) are redirected to your on-net caches. For on-demand content, it's loaded nightly (as best they can predict) and for live (like TNF), it's a one-to-many HLS media server for participating content.
> 
> On 4/4/24 3:36 PM, Aaron Gould wrote:
>> Thanks... they told me it was free.
>> -Aaron
>> 
>> On 4/4/2024 4:12 PM, Eric Dugas wrote:
>>> That name rang a bell so I looked up my emails.
>>> 
>>> They contacted me last year, they were claiming to be "working with some of the major streaming brands, such as Amazon Prime Video, to improve the quality of both VOD and live streaming while also reducing the load on ISP networks such as your own.".
>>> 
>>> Based on my quick research, they have a few registered ASNs (their peeringdb page) with a few netblocks but I get 0 traffic from them (we're a sizable eyeball network). Their origin network might still not be ready but digging a little bit more, it seems they act as a third-party video caching solution and not as an origin CDN so in the end, they're really just trying to sell ISPs and other types of customers their caching solutions.
>>> 
>>> Eric
>>> 
>>> On Thu, Apr 4, 2024 at 4:00 PM Aaron Gould  wrote:
>>>> Anyone out there using Netskrt CDN?  I mean, installed in your network for content delivery to your customers.  I understand Netskrt provides caching for some well known online video streaming services... just wondering if there are any network operators that have worked with Netskrt and deployed their caching servers in your networks and what have you thought about it?  What Internet uplink savings are you seeing?
>>>> 
>>>> Netskrt - https://www.netskrt.io/
>>>> 
>>>> -- 
>>>> -Aaron
>> 
>> -- 
>> -Aaron


Re: Contact from Apple Cache for ISP

2024-03-06 Thread Aaron1
peering-...@group.apple.com

I think it’s AEC (Apple Edge Caching). This might get you closer to speaking 
with someone in that group.

Aaron

> On Mar 6, 2024, at 1:46 AM, Pascal Masha  wrote:
> 
> Hello,
> 
> Looking for contacts for anyone from Apple who can assist with subject 
> request.
> 
> Regards,
> Pascal 



Re: Akamai AANP minimum traffic?

2024-02-22 Thread Aaron1
Akamai AANP was the first CDN in my network… ~2010’ish… I forget what the 
minimum requirement was back then, but wanted to let you know that around 
2018/2019 they started telling me they wanted to pull the caches from my 
network.  It wasn’t until like last year sometime that they were telling me 
they would no longer support it and we need to work with them to drain and 
remove it.  So we did.  No more AANP for me.  I think, like someone else 
mentioned, a tier 2/3 sized ISP like myself was a market they were not 
after anymore.

Aaron

> On Feb 22, 2024, at 12:30 PM, Tom Samplonius  wrote:
> 
>  Does anyone know what the minimum traffic is to qualify for an Akamai AANP 
> cache?
> 
> 
> 
> Tom



Re: ACX7100 Woes - Operator Outreach -

2023-11-27 Thread Aaron1
ACX7100-48L
…or…
ACX7100-32C
?

Aaron

> On Nov 27, 2023, at 3:59 PM, Edwin Mallette  wrote:
> 
> 
> In attempting to operationalize the ACX7100 I have run into quite a few 
> challenges with the platform once I stray outside of traditional routing and 
> switching.  The EVPN instances seem to have quite a few caveats and things 
> like CFM and RFC2544 traffic generation.  Many of the show commands don't 
> seem to work, many of the counters either don't work or update slowly (like I 
> run the command to show CFM messages and it says it sent 100 then I run it 
> again a couple seconds later and it says 1 sent then a couple seconds 
> later it says 100 sent) this with a periodicity of 1 message per second.
> 
> Oh and the latest is that our original OEM QSFPs just disappear.  As in they 
> not only stop working but the chassis no longer sees them.  I guess I'm just 
> reaching out to see if I'm all alone in my struggles...
> 
> Warm Regards and happy Monday after Thanksgiving,
> 
> Ed



Re: Akamai Network Partnership

2023-10-17 Thread Aaron1
It’s my understanding that they are scaling back their AANP (ISP-embedded) 
systems.  They decomm’d mine a few months ago.  It had been in place for over 
10 years.

Aaron

> On Oct 17, 2023, at 5:27 PM, Justin Krejci  wrote:
> 
> Hello Edy,
> 
> Log into your peeringdb.com account and go to their network, they have a 
> peering contact listed there.
> 
> https://www.peeringdb.com/net/2
> 
> From: NANOG  on behalf of 
> em...@edylie.net 
> Sent: Tuesday, October 17, 2023 5:10 PM
> To: nanog@nanog.org
> Subject: Akamai Network Partnership
> 
> Dear All,
> 
> May I know if anyone could guide me to the right contact for Akamai 
> Network Partnership?
> 
> We are a network operator in Indonesia and are keen to work with Akamai 
> to speed up access to Akamai Content.
> 
> Many Thanks.
> 
> Best Regards,
> Edy


Re: Using RFC1918 on Global table as Loopbacks

2023-10-05 Thread Aaron1
I carry public Internet routing in a vrf, and my loopback and internal IGP 
interfaces are in the master/default vrf.

Aaron

> On Oct 5, 2023, at 12:24 PM, Javier Gutierrez  
> wrote:
> 
> 
> Hi, 
> I have recently encountered some operational differences at my new 
> organization that are not what I have been exposed to before, where the 
> loopback of the core network devices is being set from RFC1918 while on the 
> global routing table. I'm sure this is not a major issue but I have mostly 
> seen that ISPs use global IPs for loopbacks on devices that would and hold 
> global routing.
> My question is, what is the most used or recommended way to do this, if I 
> continue to use RFC1918 I will save some very much desired public address 
> space, but would this come back to bite me in the future?
> 
> Kind regards,
> 
> Javier Gutierrez,


Re: Test Lab Best Practices

2023-09-28 Thread Aaron1
I love the built-in Wireshark capability in EVE-NG.  BTW, EVE-NG Community is 
free.  You just have to get images for anything you want to emulate.  Virtual 
images for various vendor products are sometimes freely available, with trial 
licenses.  For instance Juniper's vMX was freely available for a while with a 60 
day license.  …also vSRX, vQFX, and the new vJunos-switch (I think vEX). 

Aaron

> On Sep 28, 2023, at 3:16 PM, Mark Prosser  wrote:
> 
> ++ all that was said thus far. Physical equipment with console access is the 
> best way to test software/firmware issues. As for virtualization, it's great 
> for expanding your topology quickly.
> 
> Use a virtual bridge in GNS3 or EVE-NG and you can make your smaller 
> footprint physical lab into a larger topology with ease -- especially around 
> cabling. It also allows you to do packet generation & link simulation (packet 
> loss, jitter) much easier. You can even couple it with T-Rex.
> 
> - Mark
> 



Re: MX204 Virtual Chassis Setup

2023-08-25 Thread Aaron1
No VC here, unsure if it works, but yeah, we like them and deploy them in pairs 
for metro-e (ce) and cbh for vlans carried over mpls pw.

Reliable for us.


Aaron

> On Aug 25, 2023, at 4:40 PM, Mark Tinka  wrote:
> 
> 
> 
>> On 8/25/23 19:16, Tom Beecher wrote:
>> 
>> In my experience and testing with them, you have a decent bit of headroom 
>> past the published RIB/FIB limits before they'll fall over.
> 
> They are holding up pretty well for us, mainly because we do a lot more BGP 
> on MX480's than on MX204's. We use the MX204's mainly for peering and CDN 
> gateways. Where we use them for edge customers, it's a handful of BGP 
> sessions.
> 
> On MX480 16GB RE's running two full BGP feeds but hundreds of customer 
> sessions, Add-Paths really eats into RAM. We've had to upgrade some of the 
> busier routers from 16GB to 64GB RE's, especially on later versions of code 
> where ROV can also bite into memory on boxes carrying lots of BGP sessions.
> 
> Mark.



Re: Hawaiian ILEC infrastructure and fire

2023-08-16 Thread Aaron1
“Big, undersea, mpls network”.  Doesn’t get much cooler than that ;)

Aaron

> On Aug 16, 2023, at 9:51 PM, scott via NANOG  wrote:
> 
> 
> 
>> On 8/17/23 2:03 AM, John Levine wrote:
>> According to Eric Kuhnke :
>>> -=-=-=-=-=-
>>> 
>>> It's my understanding that the Hawaiian ILEC is now owned by Cincinnati
>>> Bell, which is also a unique historical artifact, as it was its own
>>> independent corporation/operating entity in the region of Cincinnati during
>>> the era of the pre-1984 Bell system.
>> Not that unique, SNET was also a Bell affiliate in most of Connecticut.
>> Hawaiian Tel has a very painful history. It was independent until
>> 1967, then bought by GTE, then merged into Verizon along with the rest
>> of GTE in 2000, then sold to a hedge fund in 2004 which knew nothing
>> about telephony and ran it into bankruptcy, then an independent public
>> company from 2010 to 2017, when it was bought by Cincinnati Bell,
>> which in turn was bought in 2021 by Australian conglomerate Macquarie.
> 
> Yep, that's it.  And the hedge fund (The Carlyle Group) thing was a complete 
> disaster.  I was here for all that.  Fugly is all I can say.
> 
> 
> 
>> Running phone systems on islands is very expensive. There's only
>> 160,000 people on Maui, about the same as Salinas CA, but separated
>> from the rest of the world by a lot of water.
> 
> We have a lot of undersea fiber and it is all connected into one big MPLS 
> network for the internet stuff.  There is still SS7 stuff out there, too.  I 
> am unfamiliar with that part.
> 
> scott



Re: BGP Books

2023-04-25 Thread Aaron1
Depending on how many years since you last looked at BGP, you may be shocked at 
how many address families BGP now carries… it’s very Multi-Protocol now.  MP-BGP.

I’ll always remember how informative the Bassam Halabi book was.  Also the Ivan 
Pepelnjak MPLS VPN book.  Both have a couple editions.  Those are oldies but 
goodies.  More recently is MPLS in the SDN era.  But it seems the SR/SPRING 
will be the most recent topics to study, I think that’s where BGP-LU comes in.  
I need to get a book and read too.

Aaron

> On Apr 25, 2023, at 5:56 PM, Lyndon Nerenberg (VE7TFX/VE6BBM) 
>  wrote:
> 
> It has been a couple of decades since I've done any BGP in anger,
> but it looks like I will be jumping into the deep end again, soon,
> and I desperately need to get up to speed again.
> 
> There seem to be a lot of good guides out there from Cisco, Juniper,
> and the like, but naturally they are very product oriented.  What
> I'm looking for is more like the Stevens networking bibles (i.e.
> "BGP Illustrated Vol I and II"). Something that covers more than
> just the raw protocols, and includes things like RPKI.  (The world
> sure has changed since the last time I was doing this!)
> 
> Any/all suggestions welcome.
> 
> Thanks!
> 
> --lyndon



Re: Is malicious asymmetrical routing still a thing?

2023-03-09 Thread Aaron1
Sounds like something uRPF would prevent 

Does anyone do uRPF ?  lol 

Aaron

> On Mar 9, 2023, at 2:03 PM, John Levine  wrote:
> 
> Back in the olden days, a spammer would set up a server with a fast
> broadband connection and a dialup connection, and send out lots of
> spam over the broadband connection using the dialup's IP address.  Since
> mail traffic is quite asymmetric, this got them most of the broadband
> speed, and when the dialup provider cancelled their service, they could
> just dial into someone else.  Or maybe work through that giant pile of
> AOL CD-ROMs we all had.  The broadband provider often wouldn't notice
> since it wasn't their IP and they didn't get the complaints.
> 
> Is this still a thing? Broadband providers fixed this by some
> combination of filtering port 25 traffic both ways, and BCP38 so you
> can only send packets with your own address. Do providers do both of
> these? More of one than the other? TIA.
> 
> R's,
> John



juniper.net down?

2022-10-18 Thread aaron1
juniper.net down?

Aaron

aar...@gvtc.com


RE: Any sign of supply chain returning to normal?

2022-04-22 Thread aaron1
I bought (3) MX204's 10/2021 and received them 2/2022 so about 5 months to
receive those. Also received a couple SRX300's in that same purchase.

I'll add that I can't say the same for the other stuff I also ordered
10/2021.

- MX480
- MX240
- MPC10E-10C

...which is due in around 5/2022. So about 8 months for that stuff, but,
actually remains to be seen because we still haven't got it yet.

-Aaron


RE: Telia is now Arelion

2022-01-20 Thread aaron1
R-Lion, sounds like a grocery store.

Thanks for the heads-up that one of my 100g inet connection providers just
changed.  You beat my account rep to it.

-Aaron

From: NANOG  On Behalf Of Justin Krejci
Sent: Wednesday, January 19, 2022 11:59 AM
To: nanog@nanog.org
Subject: Telia is now Arelion

https://www.arelion.com/

Since all other work is now complete in the world I should have plenty of
time to update documentation, billing, labels, port names, route-maps,
contact email addresses, etc.

After watching their marketing video I learned the pronunciation of Arelion
is not R-Lion but is actually A-Ray-Lee-On but I may continue thinking of it
as R-Lion because it is shorter and it just sounds cooler in my head.


RE: SRv6 Capable NOS and Devices

2022-01-12 Thread aaron1
I'm still growing in my understanding of SR-MPLS and SRv6 but I can say 
that about everything... seems like the one constant in life, and particularly 
network technology... is change.

Like ytti (saku) mentioned, with SR/SPRING the IGP is finally carrying the 
Label/Sid, so we no longer need a label distribution mechanism running 
alongside the IGP (don't need LDP or RSVP).  And for SRv6 vice SR-MPLS, the SID 
is now the IPv6 address, and not the MPLS Label.  So we don't even need MPLS, 
but can accomplish network virtualization using a pure IPv6 core.  Reminds me 
of Cell Mode MPLS vs Frame Mode MPLS... whereas the ATM Cell header VPI/VCI was 
repurposed as the MPLS label, until we went with straight MPLS shim headers.

In case you are interested, I put a video on my channel showing a quick look at 
SRv6.  Using Cisco CML, IOS-XR 7.2.2, IS-IS, only using FE80 link local 
addressing.  L3VPN to prove end to end Customer connectivity over SRv6.
https://www.youtube.com/watch?v=SrryHbjpnAc

The P node is quite interesting in its ability to handle this with little to 
no additional protocols.

-Aaron





-Original Message-
From: NANOG  On Behalf Of Saku Ytti
Sent: Wednesday, January 12, 2022 2:35 AM
To: Adam Thompson 
Cc: NANOG 
Subject: Re: SRv6 Capable NOS and Devices

On Wed, 12 Jan 2022 at 00:00, Adam Thompson  wrote:

> My question is, why do you think you need Segment Routing at all?  Is your 
> network so enormously large and/or complex that IS-IS (and/or MPLS-TE) isn't 
> capable of handling it?
> So far, SR looks like a solution in search of a problem, at least to me.

SR is terrific, SRv6 is snake-oil.

Everyone needs some type of tunnelling in most modern applications of the 
network, maybe for pseudowires, repair, l3 vpns, traffic engineering or just 
removing state and signalling from the backbone.
Signalling labels via IGP is obviously better than via LDP.

--
  ++ytti



RE: Quantifying the customer support and impact of cgnat for residential ipv4

2021-11-21 Thread aaron1
I have >50,000 subscribers behind CGNat.  I would have to find out from the 
assigners group, the rate at which static/public IP address sales increased 
during our CGNat deployment over the last few years.  I do understand that we 
had an up-tick in public IP sales, but unsure of the rate at which it occurred… 
actually I may have to get in contact with the sales group for a question like 
that.

About problems (BTW, we use Juniper MX platform with service mic/mpc) … we had 
some significant issues initially… but things like…

*   Tuning the IGP to route to the closest CGNat boundary node, consistently
*   AMS interface source-ip load balancing 
*   APP
*   EIM
*   EIF

…helped greatly in fixing issues with authentication on websites (webmail, 
banking); VPN issues and issues with gaming consoles were also largely 
resolved with those aforementioned enhancements.

-Aaron

 



RE: massive facebook outage presently

2021-10-04 Thread aaron1
Yes, embedded ISP CDN’s show a huge drop

-Aaron

From: NANOG  On Behalf Of Eric Kuhnke
Sent: Monday, October 4, 2021 11:22 AM
To: George Herbert ; nanog@nanog.org list 
Subject: Re: massive facebook outage presently

Considering the massive impact of this it would be interesting to see some 
traffic graphs from ISPs that have PNIs with Facebook, or high volume peering 
sessions across an IX, showing traffic to FB falling off a cliff. 

On Mon, Oct 4, 2021 at 12:16 PM George Herbert  wrote:

And WhatsApp and Instagram.  Twitter users nationwide agree anecdotally.

What I’m getting is DNS failure. 

-George 

Sent from my iPhone

On Oct 4, 2021, at 9:07 AM, Eric Kuhnke  wrote:

https://downdetector.com/status/facebook/

Normally not worth mentioning random $service having an outage here, but this 
will undoubtedly generate a large volume of customer service calls. 

Appears to be failure in DNS resolution.

 



RE: EVPN P2MP Implementation

2021-07-14 Thread aaron1
By “p2mp” I’m thinking you are speaking of a rooted multipoint etree type 
environment… if so….

Interesting, I’ve never done this before but here’s what I found …  I see this 
in my lab mx960…

me@lab-960# set interfaces ae40.100 etree-ac-role ?
Possible completions:
  leaf ETREE leaf interface
  root ETREE root interface

https://www.juniper.net/documentation/us/en/software/junos/evpn-vxlan/topics/concept/evpn-etree-overview.html

https://www.juniper.net/documentation/us/en/software/junos/evpn-vxlan/topics/example/example-etree-service-evpn-configuring.html

- Aaron

 



RE: New minimum speed for US broadband connections

2021-06-02 Thread aaron1
Ethernet AUI, LOL


RE: New minimum speed for US broadband connections

2021-06-01 Thread aaron1
Yes, my customers “cry” about the speedtest.net result…. All day…

From: NANOG  On Behalf Of Mike Hammett
Sent: Tuesday, June 1, 2021 12:50 PM
To: Lady Benjamin Cannon of Glencoe 
Cc: NANOG Operators' Group 
Subject: Re: New minimum speed for US broadband connections

What did they cry about?

The speedtest.net result?

Loading google.com in a fraction of a second?

or was it that you didn't have 75 ms of garbage in the way?

That you didn't go through a congested port between the PC and the destination?

That you were hard wired instead of single-chain 802.11n WiFi going through 5 
walls?

That you were using a local recursive resolver DNS server?

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

From: "Lady Benjamin Cannon of Glencoe" 
To: "Mike Hammett" 
Cc: "Christopher Morrow" , "NANOG Operators' Group" 
Sent: Tuesday, June 1, 2021 12:40:15 PM
Subject: Re: New minimum speed for US broadband connections

I’ve had people cry about how fast the internet is at my office…

I guess your mileage may vary, but yes humans do notice those kinds of delays 
and they are cumulative.  (It’s not just bandwidth, it’s latency.  The 3ms ping 
in my signature is real too.)

-LB

Ms. Lady Benjamin PD Cannon of Glencoe, ASCE
6x7 Networks & 6x7 Telecom, LLC 
CEO 
b...@6by7.net  
"The only fully end-to-end encrypted global telecommunications company in the 
world.”

ANNOUNCING: 6x7 GLOBAL MARITIME  

FCC License KJ6FJJ



RE: New minimum speed for US broadband connections

2021-06-01 Thread aaron1
If 2 people use it at the same time, do they call in with a trouble ticket that 
they didn’t get their contracted bandwidth?

From: Mike Hammett  
Sent: Tuesday, June 1, 2021 11:45 AM
To: aar...@gvtc.com
Cc: Mark Tinka ; nanog@nanog.org
Subject: Re: New minimum speed for US broadband connections

That is true, but if no one uses it, is it really gone?

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

From: aar...@gvtc.com  
To: "Mark Tinka" , nanog@nanog.org  
Sent: Tuesday, June 1, 2021 11:18:53 AM
Subject: RE: New minimum speed for US broadband connections

Yeah I thought gpon was 2.4 ghz down and 1.2 ghz up... so you could only 
honestly sell (1) 1 gbps symm service via that gpon interface correct? (without 
oversubscription)

I think ng-pon(2), xgs-pon and other variants allow for much more.

-Aaron


RE: New minimum speed for US broadband connections

2021-06-01 Thread aaron1
Yeah I thought gpon was 2.4 ghz down and 1.2 ghz up... so you could only 
honestly sell (1) 1 gbps symm service via that gpon interface correct? (without 
oversubscription)

I think ng-pon(2), xgs-pon and other variants allow for much more.

-Aaron




RE: MPLS/MEF Switches and NIDs

2021-05-28 Thread aaron1
Yeah, good point Shawn, I’ve had guys ask “where is the mac table?” in the 
accedian, ha.  Yeah it’s very point to point’ish… you tell a port what vlan to 
expect, and then what port to send that out.  Very rigid like that.

Yeah Ryan, and as I understand it, the NCS540 has the sweet XR OS too.

-aaron


RE: MPLS/MEF Switches and NIDs

2021-05-28 Thread aaron1
Wow, ciena has the means to implement SR and MPLS services?  I mean they run 
the underlying LS IGP to signal those SID’s ??  I didn’t know that.  I may look 
at them in the future then.  I thought Ciena just did some sort of static 
mpls-tp or something…

We use Accedian as NID’s with SkyLight director for PAA (SLA stuff)…and uplink 
those into our network at (yester-year, Cisco ME3600’s and ASR9000’s), but now, 
ACX5048 and MX204.

-Aaron



RE: NAT/CGNAT IP address/users ratios

2021-05-18 Thread aaron1
I currently have about ~2750 public IP's (11 /24's) for ~53,000 broadband
customers.  (ftth, cable modem and dsl)

I cap them at 3,000 ports using PBA, port block allocation.. Blocks of 100
at a time, and 30 blocks per subscriber.  (100*30=3000)

I usually see, when a private internal IP is using up the full 3,000 ports,
when we look closer at the sessions, they usually look suspect, as if the
end host is infected or has malware causing lots of connections.

I run all this through (6) MX960's with (1) MS-MPC-128G in each chassis, and
(2) MX104's with (1) MS-MIC-16G per 104.  The utilization as far as I've
seen, regarding memory and load on the service modules seems fine at the
levels we are at.

Hope that helps.

-Aaron
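The port-block arithmetic from this post and the earlier CGNat post (PBA with 100-port blocks, 30 blocks per subscriber, ~2,750 public IPs for ~53,000 subscribers), worked through in an added Python model that is not the poster's or Juniper's code. The usable port range per public IP (1024-65535) and the sample address are assumptions; flagging subscribers that hold all 30 blocks follows the post's observation that those sessions usually look suspect.

```python
# Port Block Allocation (PBA) model for a CGNAT pool, following the numbers in the
# posts: 100-port blocks, at most 30 blocks (3,000 ports) per subscriber, ~53,000
# subscribers behind ~2,750 public IPv4 addresses. Added example for this archive,
# not the poster's or Juniper's code; the usable port range per public IP is an
# assumption, not something the posts state.
from __future__ import annotations
from dataclasses import dataclass, field

BLOCK_SIZE = 100                      # ports per block (from the post)
MAX_BLOCKS = 30                       # blocks per subscriber (from the post): 30 * 100 = 3,000
PORT_LOW, PORT_HIGH = 1024, 65535     # assumed usable NAT port range per public IP
BLOCKS_PER_IP = (PORT_HIGH - PORT_LOW + 1) // BLOCK_SIZE   # 645 blocks per public IP


def max_subscribers_at_cap(num_public_ips: int) -> int:
    """Subscribers the pool can serve if every one of them holds the full 30 blocks."""
    return num_public_ips * BLOCKS_PER_IP // MAX_BLOCKS


def block_ports(block_idx: int) -> tuple[int, int]:
    """Inclusive port range of block number block_idx within one public IP."""
    low = PORT_LOW + block_idx * BLOCK_SIZE
    return low, low + BLOCK_SIZE - 1


@dataclass
class PbaPool:
    """One CGNAT pool; block numbers are global and mapped to (public IP, block index)."""
    public_ips: list
    next_block: int = field(default=0, init=False)            # never-used block number
    freed: list = field(default_factory=list, init=False)     # block numbers given back
    owned: dict = field(default_factory=dict, init=False)     # subscriber -> [block numbers]

    def total_blocks(self) -> int:
        return len(self.public_ips) * BLOCKS_PER_IP

    def free_block_count(self) -> int:
        return self.total_blocks() - self.next_block + len(self.freed)

    def allocate_block(self, subscriber: str):
        """Hand out one more 100-port block as (public_ip, (low, high)); None when the
        subscriber is at the 3,000-port cap or the pool is exhausted. One log line per
        block, rather than per flow, is what keeps CGNAT logging tractable at this scale."""
        blocks = self.owned.setdefault(subscriber, [])
        if len(blocks) >= MAX_BLOCKS:
            return None
        if self.freed:
            n = self.freed.pop()
        elif self.next_block < self.total_blocks():
            n = self.next_block
            self.next_block += 1
        else:
            return None
        blocks.append(n)
        return self.public_ips[n // BLOCKS_PER_IP], block_ports(n % BLOCKS_PER_IP)

    def release_all(self, subscriber: str) -> None:
        """Return every block a subscriber holds (session timeout / logoff)."""
        self.freed.extend(self.owned.pop(subscriber, []))

    def ports_in_use(self, subscriber: str) -> int:
        return BLOCK_SIZE * len(self.owned.get(subscriber, []))

    def saturated_subscribers(self) -> list:
        """Subscribers holding all 30 blocks. The post notes these sessions usually look
        suspect (infected host or malware opening many connections), so they are the
        ones to review first."""
        return sorted(s for s, b in self.owned.items() if len(b) >= MAX_BLOCKS)
```

With the post's 2,750 public addresses the pool could hold 59,125 subscribers even if every one sat at the 3,000-port cap, which is why the ~53,000 fit with headroom.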



RE: Juniper hardware recommendation

2021-05-10 Thread aaron1
Thanks Mark.  We have a ring of MX960’s currently and wanted to spare the parts 
with each other, between the 960’s and 240’s…. scb’s, re’s, mpc’s…

-Aaron


RE: Juniper hardware recommendation

2021-05-10 Thread aaron1
I prefer MX204 over the ACX5048.  The ACX5048 can’t add L3 interface to an mpls 
layer 2 type of service.  There are other limitations to the ACX5048 that cause 
me to want to possibly replace them with MX204’s.  But in defense of the 
ACX5048, we have gotten some good mileage (a few years now) of good resi/busi 
bb over vrf’s and also carrier ethernet for businesses and lots of cell 
backhaul… so they are good for that.  I’ve heard the ACX5448 was even better.

I’m looking at the MX240 for the SCB3E and MPC10E, hefty with 100 gig ports.

-Aaron


RE: IS-IS and IPv6 LLA next-hop - just Arista, or everyone?

2021-05-04 Thread aaron1
I did an L3VPN over SRv6 test recently using IS-IS as the IGP.  I thought it 
was quite cool that I didn't configure any IPv6 addressing at all in the 
core... simply enabled v6 on interfaces and allowed FE80 LL's to run... IS-IS 
neighbored up... then added a mp-ibgp v6 loopback (rfc 4193) to the PE's and 
let BGP neighbor up... L3VPN worked over SRv6 (of course with all that weird 
(new) locator magic).

But, point is, LL FE80's worked nice.

Yeah, less attack surface... I always say, you can't attack what you can't reach

-Aaron




RE: wow, lots of akamai

2021-04-02 Thread aaron1
Yes, I was reaching out to my NANOG folks to find out as you stated... "Hey I 
was curious what happened and I thought to ask here on NANOG?"

I appreciate the membership with you all and value your position and visibility 
in regional, continental and global operations.  Thanks for your insights, and 
I hope I contribute occasionally as well.

-Aaron




RE: wow, lots of akamai

2021-04-01 Thread aaron1
U, throw bandwidth at it.  ...which reminds me... I actually want a t-shirt 
that says   "Bandwidth solves a lot"

-aaron

-Original Message-
From: Jean St-Laurent  
Sent: Thursday, April 1, 2021 2:01 PM
To: aar...@gvtc.com; 'Jared Mauch' ; 'Töma Gavrichenkov' 

Cc: 'NANOG' 
Subject: RE: wow, lots of akamai

I remember working for a big ISP in Europe offering cable tv + internet with 
+20M subscribers.

Every time there was a huge power outage in major cities, all tv's would go off 
at the same time. I don't have stats on power grid stability in Europe Vs N/A.

The problem was when the power was coming back in big cities, all the tv 
subscribers would come back online at the exact same second or minute.
More or less the same 2 or 3 minutes.

What happened is that it would create a kind of internal DDoS and they would 
all time out and give a weird error message. Something very useful like Error 
Code 0x8098808 Please call our support line at this phone number.

The server sysadmins would go into a panic because all systems were overloaded. 
They often needed to do overtime because DB crashed, key servers there crashed, 
DB here crashed, whatever... there was always something crashing.  This was 
before the cloud when you could just push a slider and have tons of VMs or 
containers to absorb the load in real time. (in my dream)

This would every time create frustration from the clients, the help desk, the 
support teams and also the upper management. Every time the teams were really 
tired after that. It was draining juice.

Anyway, after some years of talking internally (red tape), we finally managed 
to install a random artificial penalty in the set-top boxes when they boot after 
a power outage. Nothing like 20 minutes, but just enough to spread the load 
over a longer period of time. For the end user, it was transparent 
because, if the set-top box would boot in 206 seconds instead of the super 
aggressive 34 seconds, well it booted and they could watch tv. 
Vs 

my system is totally frozen and it's been like that for 20 minutes with weird 
messages because all your systems are down and the error msg said to call the 
help desk.

This simple change to add 3 lines of code to add a random artificial boot 
penalty of a few seconds completely solved the problem. This way, when a city 
would black out, we wouldn't self-DDoS, because the systems would slowly 
ramp up. The set-top boxes would all reboot but wait randomly before asking for 
the DRM package to unlock the cable TV service and validate whether billing is 
right.

I'm no Call of Duty expert nor Akamai, but it's been many times that I observe 
the same question here:

What's happening?
Call of Duty!
Okay.

Would a kind of throttle help here? 

An artificial roll out penalty somehow? Probably not at the ISP level, but more 
at the game level. Well, ISP could also have some mechanisms to reduce the 
impact or even Akamai could force a progressive roll out. 

I'm not sure that the proposed solutions could work, but it seems to impact 
NANOG frequently and/or at least generate a call overnight/weekend. It seems to 
also happen just before long holidays when operations are sometimes on reduced 
personnel.

Are big game roll outs really impacting NANOG? Or is it more a: Hey I was 
curious what happened and I thought to ask here on NANOG?

#JustCurious

Jean

-Original Message-
From: NANOG  On Behalf Of 
aar...@gvtc.com
Sent: April 1, 2021 12:12 PM
To: 'Jared Mauch' ; 'Töma Gavrichenkov' 

Cc: 'NANOG' 
Subject: RE: wow, lots of akamai

Gaming update... I had a feeling.  Thanks for the feedback folks.

Thanks Jared, it's running well, before, during and after.  We have a lot of 
capacity there.

-Aaron
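The boot-penalty idea in Jean's quoted post, as an added Python simulation that is not the ISP's code: the box count, back-end capacity and penalty window are constructed values chosen to mirror the 34-second and 206-second boot times the post mentions, and the peak arrival rate with and without the random penalty is what the model compares.

```python
# Reboot-storm model for the set-top-box story in Jean's post: after power is
# restored every box boots at about the same time and asks the back end for its
# DRM package together; a small random start-up penalty spreads the same number
# of requests over a longer window. Added example for this archive, not the ISP's
# code; box count, back-end capacity and penalty window are constructed values
# chosen to mirror the 34 s and 206 s boot times the post mentions.
import math
import random
from collections import Counter

BASE_BOOT_S = 34       # the "super aggressive" boot time from the post
MAX_PENALTY_S = 172    # slowest box then boots at about 206 s, as in the post


def reboot_times(num_boxes: int, max_penalty_s: float, seed: int = 1) -> list:
    """Seconds after power-restore at which each box contacts the back end.
    With max_penalty_s == 0 every box arrives at exactly BASE_BOOT_S."""
    rng = random.Random(seed)   # seeded so the simulation is reproducible
    return [BASE_BOOT_S + (rng.uniform(0, max_penalty_s) if max_penalty_s > 0 else 0.0)
            for _ in range(num_boxes)]


def peak_requests_per_second(times: list) -> int:
    """Largest number of requests landing in any one-second bucket."""
    return max(Counter(int(t) for t in times).values())


def min_penalty_window(num_boxes: int, capacity_rps: int) -> int:
    """Shortest spread (seconds) that keeps an evenly spread arrival rate under
    capacity; the real window needs slack because uniform jitter is not even."""
    return math.ceil(num_boxes / capacity_rps)


def compare(num_boxes: int = 20000, max_penalty_s: float = MAX_PENALTY_S,
            capacity_rps: int = 500) -> tuple:
    """(peak rps without penalty, peak rps with penalty, jittered peak fits capacity?)"""
    no_jitter = peak_requests_per_second(reboot_times(num_boxes, 0))
    jitter = peak_requests_per_second(reboot_times(num_boxes, max_penalty_s))
    return no_jitter, jitter, jitter <= capacity_rps
```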





RE: wow, lots of akamai

2021-04-01 Thread aaron1
Gaming update... I had a feeling.  Thanks for the feedback folks.

Thanks Jared, it's running well, before, during and after.  We have a lot of 
capacity there.

-Aaron



wow, lots of akamai

2021-04-01 Thread aaron1
That was a lot of traffic coming out of akamai aanp clusters the last couple
nights!  What was it?

Aaron

aar...@gvtc.com


RE: CGNAT

2021-03-03 Thread aaron1
We thought about it for a while at the ISP where I work, and went with Juniper 
MX960's w/MS-MPC-128G.  Been working quite nice for us.

Initially, we went with smaller MX104 w/MS-MIC-16G to prove it out on our 
~4,000 lower bandwidth DSL customers... when convinced, we then went all in 
with multiple MX960's w/MS-MPC-128G... now over 50,000 customers of dsl, cable 
modem and ftth

...all that behind about a /21

I'll add that we already had the 960's for the 100gig mpls sp core we had 
built, so it was an investment only on the service module to do cgnat.


-Aaron




cogent issues in texas?

2021-02-09 Thread aaron1
Anyone else having cogent internet issues in south central Texas or the
region?

I called Cogent and they mentioned a few spans down between El Paso, Fort
Worth, San Antonio and Houston

My 100 gig link to them took a lot of loss. I had to bring down bgp for
preferring other sp

Aaron

aar...@gvtc.com


RE: AT&T - INET Data Caps

2020-11-30 Thread aaron1
You made me curious… found some interesting links…

https://www.att.com/support/data-calculator/

https://www.att.com/support/article/u-verse-high-speed-internet/KM1010099/

https://broadbandnow.com/internet-providers-with-data-caps

https://www.cabletv.com/blog/which-brands-have-data-caps

-Aaron

 

From: NANOG  On Behalf Of Thomas Yarger
Sent: Monday, November 30, 2020 9:11 AM
To: nanog@nanog.org
Subject: AT&T - INET Data Caps

Hello All,

This past week when I was helping my father perform some home networking, I 
called AT&T to get a newer Arris router and they mentioned that if I were to 
upgrade his service, he would fall under a 1 TB data cap for home internet. Is 
this just in FL or have others seen similar restrictions with AT&T? Thanks!

-- 
Thanks,
Thomas Yarger

 



RE: Strange connectivity issue Frontier EVPL

2020-11-06 Thread aaron1
My coworker is having similar issues with PS Lightwave and Alpheus/Logix
from San Antonio to Houston whereas some things work and somethings don't

-Aaron




RE: Strange connectivity issue Frontier EVPL

2020-11-06 Thread aaron1
EVPL (eline) should not be learning macs.  So mac table size should be a 
non-issue.  Unless someone somewhere has constructed a 2-part bridge domain 
(mef-speak, etree or elan of sorts) which would have mac learning, then Matt's 
question comes into play.

-Aaron

-Original Message-
From: NANOG  On Behalf Of Matt Hoppes
Sent: Friday, November 6, 2020 11:09 AM
To: Jay Hennigan ; NANOG list 
Subject: Re: Strange connectivity issue Frontier EVPL

Could you be running up against a MAC table limit on the circuit?

On 11/6/20 11:59 AM, Jay Hennigan wrote:
> We have a strange issue that defies logic. We have a NNI at our POP 
> with Frontier serving as an aggregation circuit with different 
> customers on different VLANs. It's working well to several customers.
> 
> Bringing up a new customer shows roughly half of the IP addresses 
> unreachable across the link, as if there's some kind of load-balancing 
> or hashing function that's mis-directing half of the traffic. It's 
> consistent, if an address is reachable it's always reachable. If it's 
> not reachable, it's never reachable. Everything ARPs fine.
> 
> The Frontier circuit is layer 2 so shouldn't care about IP addresses. 
> Frontier tech shows no trouble. They changed the RAD device on-premise. 
> We've triple-checked configurations, torn down and rebuilt 
> subinterface, etc. with no joy.
> 
> Any suggestions?
> 



RE: Mellanox / Cumulus

2020-11-04 Thread aaron1
One of my CDN caching providers sent a Mellanox SN2700 with their servers.  
Seems to be running well.  They manage them, I just give them rack, power, and 
a couple 10 gig links into my core

-Aaron

-Original Message-
From: NANOG  On Behalf Of Tom Hill
Sent: Wednesday, November 4, 2020 9:37 AM
To: nanog@nanog.org
Subject: Re: Mellanox / Cumulus

On 02/11/2020 17:52, Bryan Holloway wrote:
> Anybody using these in production in an SP environment? And if so, any 
> opinions, good or bad?

I haven't used them in an SP environment precisely because the Mellanox 
hardware - while miles better than equivalent Broadcom designs - does not cater 
to anyone with more than the most basic of QoS requirements.

Realistically, the ASIC designs are brilliant for data centre/storage/HPC use, 
but they do not have (last I was briefed) any hardware that would replace even 
an access switch, let alone a capable border router.

I would *love* for that to change, so please correct me if I'm outdated.

On the software side, Cumulus Linux is very capable, and a joy to work with. 
However, the business case to support even the Broadcom DNX range (e.g. Arista 
7280R) just wasn't there /before/ their acquisition. Again, if that's changed 
it would be a fine software suite to investigate.

Regards,

--
Tom



RE: cheap MPLS router recommendations

2020-10-17 Thread aaron1
I’m using a pair of MX104’s for 10 gig and a MS-MIC-16G for CGNat integrated 
with L3VPN’s (LDP for label distro), just fine.  About 5,000 DSL broadband 
customers behind them, on a /24 public ip nat pool.  Some nice IP savings there.

Can’t speak to your BFD, RSVP-TE requirement as I never needed that on mine.

-Aaron

 



RE: Hurricane Electric AS6939

2020-10-14 Thread aaron1
Thanks, Yeah MEF-speak….

Lit layer 2 untagged is EPL
Lit layer 2 tagged is EVPL

...it’s MEF (CE) terminology

-Aaron

 

 

From: NANOG  On Behalf Of Josh Luthman
Sent: Wednesday, October 14, 2020 8:44 AM
To: Forrest Christian (List Account) 
Cc: nanog list 
Subject: Re: Hurricane Electric AS6939

 

Charter/Spectrum calls it an EPL - Ethernet Private Line.

Josh Luthman
24/7 Help Desk: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373



RE: Hurricane Electric AS6939

2020-10-13 Thread aaron1
Don’t you have to be there to join?

I’m in Austin and San Antonio

-Aaron

From: Mike Hammett  
Sent: Tuesday, October 13, 2020 7:20 PM
To: Aaron Gould 
Cc: nanog@nanog.org
Subject: Re: Hurricane Electric AS6939

https://bgp.he.net/AS16527

You don't appear to be on any IXes. Definitely join some IXes before buying 
another 100G of transit.

DFW has a couple and there are some more that are starting up.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

From: "Aaron Gould" <aar...@gvtc.com>
To: nanog@nanog.org
Sent: Tuesday, October 13, 2020 6:29:55 PM
Subject: Hurricane Electric AS6939

Do y’all like HE for Internet uplink?  I’m thinking about using them for 100gig 
in Texas.  It would be for my eyeballs ISP.  We currently have Spectrum, Telia 
and Cogent.

-Aaron



RE: Hurricane Electric AS6939

2020-10-13 Thread aaron1
I have to be in Dallas for that right?

I’m in Austin (Data Foundry) and San Antonio (100 Taylor)

-Aaron

From: Ryan Hamel  
Sent: Tuesday, October 13, 2020 6:34 PM
To: Aaron Gould 
Cc: nanog@nanog.org
Subject: Re: Hurricane Electric AS6939

You would get better peering from Equinix IX, which includes free HE IPv4 
Peering + IPv6 Transit

Ryan

On Oct 13 2020, at 4:29 pm, Aaron Gould <aar...@gvtc.com> wrote:

Do y’all like HE for Internet uplink? I’m thinking about using them for 100gig 
in Texas. It would be for my eyeballs ISP. We currently have Spectrum, Telia 
and Cogent.

-Aaron



RE: Juniper configuration recommendations/BCP

2020-10-10 Thread aaron1
Thanks for setting me straight.  

I had heard that there was some new stuff with Linux hypervisors or something 
like that…. So I misspoke.

Appreciate y’all

-Aaron



RE: Juniper configuration recommendations/BCP

2020-10-08 Thread aaron1
Right, it's been freebsd forever as I understand it, but I thought there had
been some more recent involvement with linux, which is why I said that.  I'm
not an authority on it though.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/vm-host-overview.html

-Aaron




RE: Juniper configuration recommendations/BCP

2020-10-08 Thread aaron1
Typos, sorry…

Meant …fxpc process…

Meant …now 540



RE: Juniper configuration recommendations/BCP

2020-10-08 Thread aaron1
I just remembered another one I use the heck out of….

show whateverwhatever | refresh 1

Love it

Or refresh 30 (whatever time you want)

It’s so nice to be able to take hands off keyboard and know exactly when 
something changes in that show command…. Piping to “refresh” and a timer will 
redo that command over and over again

Another one is the ability to stop and restart processes, which wasn’t as 
possible in Classic IOS (perhaps more in XE and was possible in XR), but I was 
pleased with the ability to do this in JunOS

There have been a few occasions when the JTAC has had me restart a jdhcpd 
process or fxp0 process or whatever during bug-hits as a quick way of freeing 
up the pegged CPU or leaked out memory, until a JunOS upgrade perm fix could be 
accomplished.

Oh, show log interactive – really cool, it’s like having your own local aaa 
(tacacs) accounting log… right there on the box a built in log file showing 
every command that was typed by everyone!

Forgive me if I continue sending emails as I recall nice things I’ve learned 
over the last few years during my conversion from cisco to juniper

IOS is nice
IOS-XE is nicer (I guess, lol)
IOS-XR is great
JunOS is greater I think – seems that there is just more you can do in JunOS 
than XR… and JunOS capabilities are across many of Junipers products… XR is a 
bit limited to certain platforms (although growing with more NCS products, 
first 5x00, now 540)

-Aaron



RE: Juniper configuration recommendations/BCP

2020-10-08 Thread aaron1
~30 years of being a Cisco IOS shop or Cisco IOS-XR shop?  A bit different.

Welcome to the SP-world of really nice JunOS

conf
blah blah blah
commit check          <- will check your pending config for correctness
commit | compare      <- will tell you what is about to change (similar to 
IOS-XR “show commit change diff”)

…if you don’t like it….

rollback

…if you are nervous about breaking something and want to smoke test it…

commit confirmed 2    <- allows you a couple minutes to see if the sky 
falls…if it does, it’ll all be good in 2 minutes when it reverses the change.  
XR has this too

…if you like it…

commit

…if you still don’t like it…

conf
rollback 1
commit

Gosh, there’s so much more

Built in monitor/sniffer for interfaces

JunOS is so linux based, that you will find a lot of things like that in it.  
Shell under the hood and see various other things

The mx204 has some strange 1 gig option for 10 gig interfaces… which are still 
referred to as xe-?/?/? even when operating in 1 gig…

-Aaron

 

 

 

From: NANOG  On Behalf Of Forrest 
Christian (List Account)
Sent: Thursday, October 8, 2020 4:38 AM
To: nanog list 
Subject: Juniper configuration recommendations/BCP

 



After nearly 30 years of being a cisco shop, I'm working on configuring our 
first pair of Juniper MX204's to replace our current provider-edge cisco. 

I've worked through enough of the Juniper documentation/books to have a fairly 
good handle on how to configure these, but I wanted to check with the list to 
see if there are any Juniper-Specific gotchas I might run into that isn't 
documented well.  

I've done a bit of googling and am either finding stuff that is largely 
Cisco-specific or which is generic - all of which I'm rather familiar with 
based on my past history.   Is there anything I should worry about which is 
Juniper-specific?

-- 
- Forrest



telia selling carrier ops to polhem infra

2020-10-06 Thread aaron1
I wonder how this will affect those who have Telia as an upstream Internet
provider?  Will it be business as usual and just different company name?  Or
maybe other changes to come?

Telia Company today (10-06-2020) announces that it has reached an agreement
with Polhem Infra for the sale of its international carrier business, Telia
Carrier...

https://www.teliacompany.com/en/news/press-releases/2020/10/telia-company-reaches-agreement-to-sell-its-carrier-operation-to-polhem-infra-and-proposes-to-reinstate-the-original-dividend-for-2019/

Aaron
aar...@gvtc.com



RE: SRv6

2020-09-22 Thread aaron1
Lol

I was thinking that if I ever need to know about *anything*, I can now just 
google "srv6 nanog"

- Aaron




RE: SRv6

2020-09-15 Thread aaron1
Nick, does CRH-16/32 and uSID change the overhead concern?  I could be wrong, 
but I thought that's what SRm6 was for, was to shrink the overhead, perhaps 
amongst other things.  Also, with VPN's over SRv6 would this enable automatic 
vpn capability over the internet?  I mean if I can do VPN's over an IPv6 
network, seems that I could do that across the Internet as well.  

Thanks Tom, man, I have read so much the last week or so regarding sr/spring... 
so if you mean that I borrowed someone else's description of the anatomy of an 
SRv6 SID then, yes, I may have and didn't know it.  Hey, was it you? LOL

- Aaron




RE: SRv6

2020-09-15 Thread aaron1
You might be on to something, but I'm unsure... are you suggesting that it's
any less private over SRv6 than it was over MPLS ?

-Original Message-
From: Randy Bush  
Sent: Tuesday, September 15, 2020 1:12 PM
To: aar...@gvtc.com
Cc: North American Network Operators' Group 
Subject: Re: SRv6

> I'm still learning, but, It does seem interesting that the IP layer
> (v6) can now support vpn's without mpls.

as the packet payload is nekkid cleartext, where is the P in vpn?



RE: SRv6

2020-09-15 Thread aaron1
Sorry guys, I'm not aware of much of what you mention as far as agenda, vendor 
motive, and hardware support, etc 

I'm still learning, but, It does seem interesting that the IP layer (v6) can 
now support vpn's without mpls.  So one less layer of encapsulation seems cool. 
 Don't get me wrong, I love all that mpls has done for us and offers, but, 
seems that SRx6 (x=v or m) is able to do it.  Seems that the end to end label 
challenges with unified mpls, and all the csc and vpn type a,b,c might be 
better done with an IPv6 stack of headers and SIDs.

(wow, I'm not a prophet, but am I sensing another death of a labeling protocol 
?!  this would be interesting if like MPLS killed ATM SR kills MPLS !)  
(namely SRv6/SRm6)

And with this v6 SID being smartly divided into Locator:Function(Argument), I'm 
reading that this will carry with it much more functionality as well, like 
network programmability, application-to-network interaction or something like 
that.

Oh and I do agree that this SRv6 terminology and architecture does make your 
head hurt, lol, there is some very different/new stuff going on there.

-Aaron



RE: SRv6

2020-09-14 Thread aaron1
Oh snap!  Hey hey, that's good, thanks Nick.  I had to go into the locator 
service of the remote pe and find a sid that would respond to ping.  

This is apparently an OAM Endpoint with Punt (End.OP)

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-0/segment-routing/configuration/guide/b-segment-routing-cg-asr9000-70x/b-segment-routing-cg-asr9000-70x_chapter_011.html

Here I'm executing ping/trace from the SRv6 ingress pe...to the egress PE

RP/0/RP0/CPU0:r1#ping fc00:0:4:4::1 source lo0 use-srv6-op-sid fc00:0:0:4:40::
Mon Sep 14 20:27:09.727 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to fc00:0:4:4::1, timeout is 2 seconds:
S
Success rate is 100 percent (5/5), round-trip min/avg/max = 329/371/416 ms


RP/0/RP0/CPU0:r1#traceroute fc00:0:4:4::1 source lo0 use-srv6-op-sid 
fc00:0:0:4:40::
Mon Sep 14 20:27:19.068 UTC

Type escape sequence to abort.
Tracing the route to fc00:0:4:4::1

 1  :::0.0.0.0
[IP tunnel: DA=fc00:0:0:4:40:: SRH Stack 0 =(fc00:0:4:4::1   ,SL=1) 
] 29 msec
[IP tunnel: DA=fc00:0:0:4:40:: SRH Stack 0 =(fc00:0:4:4::1   ,SL=1) 
] 56 msec
[IP tunnel: DA=fc00:0:0:4:40:: SRH Stack 0 =(fc00:0:4:4::1   ,SL=1) 
] 12 msec
 2  :::0.0.0.0
[IP tunnel: DA=fc00:0:0:4:40:: SRH Stack 0 =(fc00:0:4:4::1   ,SL=1) 
] 118 msec
[IP tunnel: DA=fc00:0:0:4:40:: SRH Stack 0 =(fc00:0:4:4::1   ,SL=1) 
] 101 msec
[IP tunnel: DA=fc00:0:0:4:40:: SRH Stack 0 =(fc00:0:4:4::1   ,SL=1) 
] 99 msec
 3  fc00:0:4:4::1 224 msec 277 msec 254 msec
 4  :::0.0.0.0 237 msec 209 msec 204 msec
 5  fc00:0:4:4::1 386 msec 431 msec 403 msec


Now I see this on the wireshark capture...

Ethernet - 86dd
Ipv6 - DA fc00:0:0:4:40:: (cool, this is the active/top SID, and not the 
ping'ed DA)
- routing header for v6 (segment routing)
--- segments left: 1
--- address next segment: fc00:0:4:4::1
Icmpv6



-Aaron




RE: SRv6

2020-09-14 Thread aaron1
Thanks Nick, I only see the following layers...  I see no extension headers
behind the ipv6 header.  I sent you the wireshark sniff directly so you can
see what I'm seeing.

Ethernet - Type 0x86dd
Ipv6 - Next Header IPIP (4)
Ipv4
Icmp

-Aaron




SRv6

2020-09-14 Thread aaron1
I have what seems to be a good SRv6 test in my lab running XRv9k 7.0.2

But I'm wondering why the sniffer doesn't show the much-spoken-of SRH
(Segment Routing Header).. But rather, shows my L3VPN v4 traffic riding v6
and that's it.  Let me know if I'm seeing an SRH and just don't know it,
LOL.

Ethernet - Type 0x86dd
Ipv6 - Next Header IPIP (4)
Ipv4 - icmp echo (my tests ce to ce end to end)

Those layers are all it shows.  I've read a lot about SRv6 with SID's inside
extension headers or segment routing header, but I'm not seeing it.

Any idea what this is that I'm seeing ?

I've configured the PE's IAW
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-6/segment-routing/configuration/guide/b-segment-routing-cg-asr9000-66x/b-segment-routing-cg-asr9000-66x_chapter_011.html#id_95420

I can give you more info if you wish.  

Aaron

aar...@gvtc.com
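The two captures in this thread are both valid SRv6: with a one-SID policy the encapsulating PE may use the reduced encapsulation (H.Encaps.Red in RFC 8986, T.Encaps.Red in the CEF output), which sets the outer destination to the only SID and omits the SRH entirely, so Wireshark shows IPv6 carrying IPv4 directly; the End.OP ping has two segments, so the SRH is present with Segments Left = 1 and the final segment listed. The parser below is an added example, not code from the post or from Cisco or Wireshark. It builds both packet shapes from constructed bytes (outer addresses are the ones in the thread, the inner IPv4 hosts 1.1.1.1/1.1.1.2 and all payloads are made up), applies the RFC 8754 SRH validity checks, and returns the inner payload, which, as Randy Bush points out later in the thread, is plain cleartext for anyone on the path.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4       # IPv4 carried directly in IPv6 (the first capture in the thread)
IPPROTO_ROUTING = 43   # IPv6 Routing Header; the SRH is routing type 4 (RFC 8754)
IPPROTO_ICMPV6 = 58
SRH_TYPE = 4


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def srh(next_header, segment_list, segments_left):
    """Build an SRH. segment_list is in SRH order: entry [0] is the final segment.
    Reduced encapsulation omits the first SID, so Segments Left may equal Last Entry + 1."""
    n = len(segment_list)
    fixed = struct.pack("!BBBBBBH", next_header, 2 * n, SRH_TYPE, segments_left, n - 1, 0, 0)
    return fixed + b"".join(ipaddress.IPv6Address(s).packed for s in segment_list)


def ipv4_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def ipv4_packet(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_srv6(pkt):
    """Return outer addresses, SRH fields if present, and what the payload carries."""
    if len(pkt) < 40:
        raise ValueError("short packet")
    vtf, plen, nh, _hl, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    if len(pkt) < 40 + plen:
        raise ValueError("payload length exceeds captured bytes")
    out = {"src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)), "srh": None}
    off = 40
    if nh == IPPROTO_ROUTING:
        if len(pkt) < off + 8:
            raise ValueError("truncated routing header")
        nh, ext_len, rtype, sl, last, _flags, _tag = struct.unpack("!BBBBBBH", pkt[off:off + 8])
        if rtype != SRH_TYPE:
            raise ValueError(f"routing type {rtype} is not an SRH")
        body = pkt[off + 8:off + 8 + 8 * ext_len]
        # RFC 8754 section 4.3.1.1 checks; a receiver must drop packets that fail them
        if len(body) != 8 * ext_len or last > ext_len // 2 - 1 or sl > last + 1:
            raise ValueError("malformed SRH")
        segs = [str(ipaddress.IPv6Address(body[i * 16:(i + 1) * 16])) for i in range(last + 1)]
        out["srh"] = {"segments_left": sl, "last_entry": last, "segment_list": segs,
                      "next_segment": segs[sl - 1] if sl else None}
        off += 8 + 8 * ext_len
    out["next_header"] = nh
    if nh == IPPROTO_IPIP:
        ihl = (pkt[off] & 0x0F) * 4
        out["inner"] = {"type": "ipv4", "proto": pkt[off + 9],
                        "src": str(ipaddress.IPv4Address(pkt[off + 12:off + 16])),
                        "dst": str(ipaddress.IPv4Address(pkt[off + 16:off + 20])),
                        "payload": pkt[off + ihl:]}
    elif nh == IPPROTO_ICMPV6:
        out["inner"] = {"type": "icmpv6", "icmp_type": pkt[off], "payload": pkt[off + 4:]}
    else:
        out["inner"] = {"type": "other", "payload": pkt[off:]}
    return out


# Constructed samples modelled on the two captures (ICMP checksums left at zero):
# 1. L3VPN traffic, one-SID policy: reduced encapsulation, no SRH, IPv6 carries IPv4.
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"customer payload in cleartext"
INNER_V4 = ipv4_packet("1.1.1.1", "1.1.1.2", 1, ICMP_ECHO)
NO_SRH_PKT = ipv6_header("fc00:0:1:1::1", "fc00:0:0:4:41::", IPPROTO_IPIP, len(INNER_V4)) + INNER_V4
# 2. The End.OP ping: destination is the OAM SID, the SRH lists the final segment, SL = 1.
ICMPV6_ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1) + b"ping"
SRH_BYTES = srh(IPPROTO_ICMPV6, ["fc00:0:4:4::1"], 1)
SRH_PKT = (ipv6_header("fc00:0:1:1::1", "fc00:0:0:4:40::", IPPROTO_ROUTING,
                       len(SRH_BYTES) + len(ICMPV6_ECHO)) + SRH_BYTES + ICMPV6_ECHO)

if __name__ == "__main__":
    for p in (NO_SRH_PKT, SRH_PKT):
        print(parse_srv6(p))
```

Two practical notes follow from the checks in `parse_srv6`: a transit box that forwards on the outer destination never looks at the SRH, so the full segment list is visible and modifiable to anyone between the PEs, and the `segments_left > last_entry + 1` test is the one that distinguishes a legitimate reduced SRH from a crafted one that would index past the end of the segment list.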

 



RE: sr - spring - what's the deal with 2 names

2020-09-10 Thread aaron1
I found these threads about BGP Prefix-SID decoded needed for Wireshark.  
Anyone know what wireshark version fixes this ?  I just installed 3.2.6 and 
that doesn’t seem to do it

 

https://www.wireshark.org/lists/wireshark-bugs/201603/msg00621.html

 

https://www.wireshark.org/lists/wireshark-bugs/201603/msg00623.html

 

-Aaron

 

 



RE: sr - spring - what's the deal with 2 names

2020-09-10 Thread aaron1
Thanks Jeff, this is pretty trippy… I mean the fact that VPNV4 L3VPN works over 
SRv6 !

I’m so accustomed to seeing L3VPN being an MPLS thing, and now, no labels, no 
mpls. Wow

The wireshark sniff shows…

Ethernet
Ipv6
Ipv4

That’s it.  No double mpls tags like I’m so familiar with.

I wanted to look at the MP-iBGP update to see what was in there, but apparently 
this is so new, it seems that my wireshark decode doesn’t show everything.  I 
see “BGP Prefix-SID” and then an Unknown 37 bytes under that.  I wonder if I 
could enable the SR Wireshark decode.  I have had to do that for other 
protocols in the past.

   05 00 22 00 01 00 1e 00 fc 00 00 00 00 00 00 04
   00 00 00 00 00 00 00 00 00 ff ff 00 01 00 06 28
   18 10 00 10 40

-Aaron

 

 

 

 

From: Jeff Tantsura  
Sent: Thursday, September 10, 2020 3:41 AM
To: aar...@gvtc.com
Cc: NANOG 
Subject: Re: sr - spring - what's the deal with 2 names

 

SR could be instantiated with 2 data planes, MPLS and IPv6  - SR-MPLS and SRv6 
respectively.

MPLS data  plane could be instantiated over either IPv4 or IPv6 (similarly to 
LDP6), MPLSoUDP->SRoUDP allows  transport of SR-MPLS over IP/UDP(RFC8663) and 
could be used to build innovative, end2end architectures, e.g.  
draft-bookham-rtgwg-nfix-arch.
There is SFC related work, draft-ietf-spring-nsh-sr.

And there’s whole SRv6 thingy...

Let me know if I can help in any way.

Cheers,
Jeff





On Sep 10, 2020, at 08:10, aar...@gvtc.com   wrote:

Interesting... I've never heard of SPRINGv4

https://www.juniper.net/us/en/products-services/routing/ptx-series/datasheets/1000538.page

I found it in the bottom section

I wonder if SPRINGv4 is like SRv6, meaning, SPRING(SR) over IPv4 dataplane?
Or, am I reading way too much into that SPRINGv4 acronym?

-Aaron
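The 37 bytes that Wireshark 3.2.6 left as "Unknown" under BGP Prefix-SID are an SRv6 L3 Service TLV (type 5) in the layout of draft-ietf-bess-srv6-services, since published as RFC 9252, which is why the 2016 dissector bug reports above do not cover it. The decoder below is an added example, not code from the post, from Cisco or from Wireshark; it walks exactly the bytes posted. Reading them that way gives one SID Information sub-TLV carrying fc00:0:0:4::, endpoint behavior 0xFFFF (opaque) and a SID Structure sub-sub-TLV of 40/24/16/0 with 16 bits transposed at offset 64, meaning the Function field has been moved into the NLRI's label field and arrives as zero in the SID. The `sid_with_function` helper puts a function value back; the value 0x41 in the usage is taken from the CEF output elsewhere in this thread (SID-list {fc00:0:0:4:41::}), not from the dump itself.

```python
import ipaddress
import struct

# The 37 octets the post shows under "BGP Prefix-SID ... Unknown", copied verbatim.
POSTED_TLV = bytes.fromhex(
    "05 00 22 00 01 00 1e 00 fc 00 00 00 00 00 00 04 "
    "00 00 00 00 00 00 00 00 00 ff ff 00 01 00 06 28 "
    "18 10 00 10 40"
)

SRV6_L3_SERVICE_TLV = 5     # RFC 9252 section 2
SRV6_SID_INFORMATION = 1    # sub-TLV, RFC 9252 section 3.1
SRV6_SID_STRUCTURE = 1      # sub-sub-TLV, RFC 9252 section 3.2.1
STRUCTURE_FIELDS = ("locator_block_len", "locator_node_len", "function_len",
                    "argument_len", "transposition_len", "transposition_offset")


def _tlvs(buf):
    """Yield (type, value) from 1-octet type / 2-octet length TLVs, refusing to read past buf."""
    off = 0
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack("!BH", buf[off:off + 3])
        value = buf[off + 3:off + 3 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {t} claims {length} octets, only {len(value)} present")
        yield t, value
        off += 3 + length


def decode_sid_information(value):
    # Reserved1(1) | SID(16) | Service SID Flags(1) | Endpoint Behavior(2) | Reserved2(1) | sub-sub-TLVs
    if len(value) < 21:
        raise ValueError("SID Information sub-TLV too short")
    info = {"sid": str(ipaddress.IPv6Address(value[1:17])), "flags": value[17],
            "endpoint_behavior": struct.unpack("!H", value[18:20])[0], "structure": None}
    for t, v in _tlvs(value[21:]):
        if t == SRV6_SID_STRUCTURE and len(v) == 6:
            info["structure"] = dict(zip(STRUCTURE_FIELDS, v))
    return info


def decode_srv6_l3_service_tlv(data):
    """Decode one SRv6 L3 Service TLV as carried in the BGP Prefix-SID path attribute."""
    if len(data) < 4:
        raise ValueError("TLV header truncated")
    tlv_type, tlv_len = struct.unpack("!BH", data[:3])
    if tlv_type != SRV6_L3_SERVICE_TLV:
        raise ValueError(f"TLV type {tlv_type} is not the SRv6 L3 Service TLV")
    body = data[3:3 + tlv_len]          # one reserved octet, then the sub-TLVs
    if len(body) != tlv_len:
        raise ValueError("TLV length runs past the end of the attribute")
    sids = [decode_sid_information(v) for t, v in _tlvs(body[1:]) if t == SRV6_SID_INFORMATION]
    return {"type": tlv_type, "length": tlv_len, "sids": sids}


def sid_with_function(sid, structure, function_value):
    """Write function_value into the Function field of a SID whose Function bits were
    transposed into the label field (RFC 9252 section 4) and therefore arrive as zero."""
    flen = structure["function_len"]
    if not 0 <= function_value < (1 << flen):
        raise ValueError("function value does not fit the Function field")
    shift = 128 - structure["locator_block_len"] - structure["locator_node_len"] - flen
    mask = ((1 << flen) - 1) << shift
    raw = (int(ipaddress.IPv6Address(sid)) & ~mask) | (function_value << shift)
    return str(ipaddress.IPv6Address(raw))


if __name__ == "__main__":
    decoded = decode_srv6_l3_service_tlv(POSTED_TLV)
    print(decoded)
    s = decoded["sids"][0]
    print("with function 0x41 restored:", sid_with_function(s["sid"], s["structure"], 0x41))
```

Every length in `_tlvs` and `decode_srv6_l3_service_tlv` is checked against the bytes actually present before slicing; a BGP speaker or dissector that trusts the advertised lengths is reading attacker-controlled data from any peer that can inject an UPDATE.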





RE: Getting Fiber to My Town by Jared Mauch

2020-09-10 Thread aaron1
Yep, years ago, the telephone comms guys in the Marine Corps taught me (I was a 
data pc/network guy) the name “Snot”

-Aaron

 

From: NANOG  On Behalf Of Brandon Svec
Sent: Thursday, September 10, 2020 3:48 PM
To: NANOG 
Subject: Re: Getting Fiber to My Town by Jared Mauch

I’ve heard people call cable lube elephant snot, lol.

On Sep 10, 2020, at 1:29 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:

I believe this is the stuff we used on our project:
https://www.menards.com/main/electrical/electrical-tools-accessories/wire-conduit-installation/ideal-regyellow-77-wire-pulling-lubricant-5-gallon/31-355/p-133962344-c-6458.htm

Josh Luthman
24/7 Help Desk: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Thu, Sep 10, 2020 at 4:25 PM Jared Mauch <ja...@puck.nether.net> wrote:



> On Sep 10, 2020, at 4:10 PM, Jared Geiger   > wrote:
> 
> Another Jared with a question. What method did you use to blow the fiber 
> through the conduit? You mentioned you had trouble figuring out the process 
> relating to lubrication and building a contraption to blow the fiber.

You need the conduit lube.  The duraline summer blowing lube worked well for me.

- Jared

 



RE: sr - spring - what's the deal with 2 names

2020-09-10 Thread aaron1
Thanks for the heads up Mark... I see docs showing SRv6 not supported until XR 
6.6, I put XR7 in my lab to start testing it...

I have what seems to be a good test for vpnv4 mpls l3vpn over SRv6 IS-IS in core

This is my first go at this so still learning.  Srv6 has a strange locator 
thing with it.  Here's a PE with a CEF entry showing the remote l3vpn subnet.  
Interesting about the SRv6 T.Encaps.Red thing

RP/0/RP0/CPU0:r1#sh cef vrf one 1.1.1.0/30
Thu Sep 10 18:57:04.082 UTC
1.1.1.0/30, version 3, SRv6 Transit, internal 0x501 0x0 (ptr 0xe208f5c) 
[1], 0x0 (0xe3d45a8), 0x0 (0xf1ce1a8)
 Updated Sep 10 18:47:58.416
 Prefix Len 30, traffic index 0, precedence n/a, priority 3
   via fc00:0:0:4::/128, 3 dependencies, recursive [flags 0x6000]
path-idx 0 NHID 0x0 [0xd905574 0x0]
next hop VRF - 'default', table - 0xe080
next hop fc00:0:0:4::/128 via fc00:0:0:4::/64
SRv6 T.Encaps.Red SID-list {fc00:0:0:4:41::}


I only used link local default fe80 on the transit core interfaces...

Only added a rfc4193 fc00 address to each loopback to get bgp session to come 
up.  Works

Ce to ce can ping 

Interesting looking trace from pe lo0 to pe lo0

RP/0/RP0/CPU0:r4#traceroute fc00:0:1:1::1 source fc00:0:4:4::1
Thu Sep 10 19:02:55.211 UTC

Type escape sequence to abort.
Tracing the route to fc00:0:1:1::1

 1  :::0.0.0.0 16 msec 7 msec 8 msec
 2  :::0.0.0.0 6 msec 5 msec 6 msec
 3  fc00:0:1:1::1 92 msec 86 msec 80 msec



-Aaron





RE: sr - spring - what's the deal with 2 names

2020-09-10 Thread aaron1
Interesting... I've never heard of SPRINGv4

https://www.juniper.net/us/en/products-services/routing/ptx-series/datasheets/1000538.page

I found it in the bottom section

I wonder if SPRINGv4 is like SRv6, meaning, SPRING(SR) over IPv4 dataplane?
Or, am I reading way too much into that SPRINGv4 acronym?

-Aaron




RE: rsvp-te admission control - i don't see it

2020-09-04 Thread aaron1
Thanks dip, let me know what you think.

r20 is headend and r22 is tailend   r20>r22
r22 is headend and r20 is tailend   r22>r20

RP/0/0/CPU0:r20#sh run int tt1
Fri Sep  4 12:25:09.198 CST
interface tunnel-te1
 bandwidth 20
 ipv4 unnumbered Loopback0
 signalled-name r20--->r22
 autoroute announce
 !
 destination 10.20.0.22
 path-option 10 dynamic

RP/0/0/CPU0:r22#sh run int tt1
Fri Sep  4 11:50:01.581 CST
interface tunnel-te1
 bandwidth 20
 ipv4 unnumbered Loopback0
 signalled-name r22--->r20
 autoroute announce
 !
 destination 10.20.0.20
 path-option 10 dynamic
 

 

 

 

From: dip  
Sent: Friday, September 4, 2020 11:15 AM
To: Aaron 
Cc: Mark Tinka ; NANOG 
Subject: Re: rsvp-te admission control - i don't see it

 

What's the signalled bandwidth being reserved by the headend "R20" in your 
example? it's a hunch that you may not have that defined and it becomes Zero 
bandwidth LSPs.

 

On Fri, Sep 4, 2020 at 9:09 AM mailto:aar...@gvtc.com> > 
wrote:

Thanks Mark, I have a tunnel traversing those interfaces.  Customer routers 
(r10, r30) can ping end to end via tunnel.

Not sure if I’m missing something here.  I wonder if I’m not signaling for the 
rsvp bandwidth correctly.  I just don’t see any allocated bandwidth in the rsvp 
interfaces anywhere.

Here’s one of the transit routers… r24…. Should I see “allocated (bps)” here ?

RP/0/0/CPU0:r24#sh rsvp int
Fri Sep  4 10:54:16.451 CST

*: RDM: Default I/F B/W % : 75% [default] (max resv/bc0), 0% [default] (bc1)

Interface                MaxBW (bps)  MaxFlow (bps)  Allocated (bps)  MaxSub (bps)
-----------------------  -----------  -------------  ---------------  ------------
GigabitEthernet0/0/0/0   750M*        750M           0 (  0%)         0*
GigabitEthernet0/0/0/1   750M*        750M           0 (  0%)         0*
 

 

Details….

LSP/TE-tunnel has dynamic path option, but I disallow it to flow via r21… so 
tunnel takes the southbound path via r20-r24-r25-r23-r22

(2) unidirectional te-tunnels

r20 is headend and r22 is tailend   r20>r22
r22 is headend and r20 is tailend   r22>r20

R10           R30
 |             |
r20---r21---r22
 |             |
r24---r25---r23

 

r20’s tunnel…

RP/0/0/CPU0:r20#sh mpls traffic-eng tun br
Fri Sep  4 10:59:51.509 CST

          TUNNEL NAME   DESTINATION   STATUS   STATE
           tunnel-te1    10.20.0.22       up      up
           r22--->r20    10.20.0.20       up      up
Displayed 1 (of 1) heads, 0 (of 0) midpoints, 1 (of 1) tails
Displayed 1 up, 0 down, 0 recovering, 0 recovered heads

RP/0/0/CPU0:r20#sh mpls traffic-eng tun name tunnel-te1 | be count
Fri Sep  4 10:59:54.309 CST
  Node hop count: 4
  Hop0: 10.20.1.21
  Hop1: 10.20.1.18
  Hop2: 10.20.1.17
  Hop3: 10.20.1.14
  Hop4: 10.20.1.13
  Hop5: 10.20.1.10
  Hop6: 10.20.1.9
  Hop7: 10.20.0.22
Displayed 1 (of 1) heads, 0 (of 0) midpoints, 0 (of 1) tails
Displayed 1 up, 0 down, 0 recovering, 0 recovered heads

 

r22’s tunnel….

RP/0/0/CPU0:r22#sh mpl tr tun br
Fri Sep  4 10:25:32.668 CST

          TUNNEL NAME   DESTINATION   STATUS   STATE
           tunnel-te1    10.20.0.20       up      up
           r20--->r22    10.20.0.22       up      up
Displayed 1 (of 1) heads, 0 (of 0) midpoints, 1 (of 1) tails
Displayed 1 up, 0 down, 0 recovering, 0 recovered heads

RP/0/0/CPU0:r22#sh mpl tr tun name tunnel-te1 | be count
Fri Sep  4 10:25:35.858 CST
  Node hop count: 4
  Hop0: 10.20.1.10
  Hop1: 10.20.1.13
  Hop2: 10.20.1.14
  Hop3: 10.20.1.17
  Hop4: 10.20.1.18
  Hop5: 10.20.1.21
  Hop6: 10.20.1.22
  Hop7: 10.20.0.20
Displayed 1 (of 1) heads, 0 (of 0) midpoints, 0 (of 1) tails
Displayed 1 up, 0 down, 0 recovering, 0 recovered heads

 

X = router number
10.20.0.0/16
10.20.0.X/24    - loopbacks
10.20.1.0/24    – /30’s between routers
(numbered clockwise, lowest to highest, start at r20)
(r20 is .1 , r21 is .2 , r21 is .5 , etc)
10.20.1.0/30    – r20---r21
10.20.1.4/30    – r21---r22
10.20.1.8/30    – r22---r23
10.20.1.12/30   – r23---r25
10.20.1.16/30   – r25---r24
10.20.1.20/30   – r24---r20

r10#sh ip int br | in up

GigabitEthernet3   1.0.0.2 YES manual upup

 

RP/0/0/CPU0:r30#sh ip int br | in Up

GigabitEthernet0/0/0/2 1.1.1.2 Up  Up   default

 

r10#trace 1.1.1.2   

Type escape sequence to abort.

Tracing the route to 1.1.1.2

VRF info: (vrf in 

RE: rsvp-te admission control - i don't see it

2020-09-04 Thread aaron1
Thanks Mark, I have a tunnel traversing those interfaces.  Customer routers 
(r10, r30) can ping end to end via tunnel.

Not sure if I’m missing something here.  I wonder if I’m not signaling for the 
rsvp bandwidth correctly.  I just don’t see any allocated bandwidth in the rsvp 
interfaces anywhere.

Here’s one of the transit routers… r24…. Should I see “allocated (bps)” here ?

RP/0/0/CPU0:r24#sh rsvp int
Fri Sep  4 10:54:16.451 CST

*: RDM: Default I/F B/W % : 75% [default] (max resv/bc0), 0% [default] (bc1)

Interface                MaxBW (bps)  MaxFlow (bps)  Allocated (bps)  MaxSub (bps)
-----------------------  -----------  -------------  ---------------  ------------
GigabitEthernet0/0/0/0   750M*        750M           0 (  0%)         0*
GigabitEthernet0/0/0/1   750M*        750M           0 (  0%)         0*
 

 

Details….

LSP/TE-tunnel has dynamic path option, but I disallow it to flow via r21… so 
tunnel takes the southbound path via r20-r24-r25-r23-r22

(2) unidirectional te-tunnels

r20 is headend and r22 is tailend   r20>r22
r22 is headend and r20 is tailend   r22>r20

R10           R30
 |             |
r20---r21---r22
 |             |
r24---r25---r23

 

r20’s tunnel…

RP/0/0/CPU0:r20#sh mpls traffic-eng tun br
Fri Sep  4 10:59:51.509 CST

          TUNNEL NAME   DESTINATION   STATUS   STATE
           tunnel-te1    10.20.0.22       up      up
           r22--->r20    10.20.0.20       up      up
Displayed 1 (of 1) heads, 0 (of 0) midpoints, 1 (of 1) tails
Displayed 1 up, 0 down, 0 recovering, 0 recovered heads

RP/0/0/CPU0:r20#sh mpls traffic-eng tun name tunnel-te1 | be count
Fri Sep  4 10:59:54.309 CST
  Node hop count: 4
  Hop0: 10.20.1.21
  Hop1: 10.20.1.18
  Hop2: 10.20.1.17
  Hop3: 10.20.1.14
  Hop4: 10.20.1.13
  Hop5: 10.20.1.10
  Hop6: 10.20.1.9
  Hop7: 10.20.0.22
Displayed 1 (of 1) heads, 0 (of 0) midpoints, 0 (of 1) tails
Displayed 1 up, 0 down, 0 recovering, 0 recovered heads

 

r22’s tunnel….

RP/0/0/CPU0:r22#sh mpl tr tun br
Fri Sep  4 10:25:32.668 CST

          TUNNEL NAME   DESTINATION   STATUS   STATE
           tunnel-te1    10.20.0.20       up      up
           r20--->r22    10.20.0.22       up      up
Displayed 1 (of 1) heads, 0 (of 0) midpoints, 1 (of 1) tails
Displayed 1 up, 0 down, 0 recovering, 0 recovered heads

RP/0/0/CPU0:r22#sh mpl tr tun name tunnel-te1 | be count
Fri Sep  4 10:25:35.858 CST
  Node hop count: 4
  Hop0: 10.20.1.10
  Hop1: 10.20.1.13
  Hop2: 10.20.1.14
  Hop3: 10.20.1.17
  Hop4: 10.20.1.18
  Hop5: 10.20.1.21
  Hop6: 10.20.1.22
  Hop7: 10.20.0.20
Displayed 1 (of 1) heads, 0 (of 0) midpoints, 0 (of 1) tails
Displayed 1 up, 0 down, 0 recovering, 0 recovered heads

 

X = router number
10.20.0.0/16
10.20.0.X/24    - loopbacks
10.20.1.0/24    – /30’s between routers
(numbered clockwise, lowest to highest, start at r20)
(r20 is .1 , r21 is .2 , r21 is .5 , etc)
10.20.1.0/30    – r20---r21
10.20.1.4/30    – r21---r22
10.20.1.8/30    – r22---r23
10.20.1.12/30   – r23---r25
10.20.1.16/30   – r25---r24
10.20.1.20/30   – r24---r20

 

r10#sh ip int br | in up
GigabitEthernet3   1.0.0.2   YES manual up   up

RP/0/0/CPU0:r30#sh ip int br | in Up
GigabitEthernet0/0/0/2   1.1.1.2   Up   Up   default

r10#trace 1.1.1.2
Type escape sequence to abort.
Tracing the route to 1.1.1.2
VRF info: (vrf in name/id, vrf out name/id)
  1 1.0.0.1 23 msec 5 msec 7 msec
  2 10.20.1.21 [MPLS: Labels 24000/24010 Exp 0] 43 msec 50 msec 40 msec
  3 10.20.1.17 [MPLS: Labels 19/24010 Exp 0] 49 msec 42 msec 41 msec
  4 10.20.1.13 [MPLS: Labels 24001/24010 Exp 0] 42 msec 46 msec 46 msec
  5 10.20.1.9 42 msec 38 msec 34 msec
  6 1.1.1.2 55 msec *  44 msec

RP/0/0/CPU0:r30#traceroute 1.0.0.2
Fri Sep  4 15:25:10.129 UTC

Type escape sequence to abort.
Tracing the route to 1.0.0.2

 1  1.1.1.1 29 msec  0 msec  0 msec 
 2  10.20.1.10 [MPLS: Labels 24000/24009 Exp 0] 49 msec  49 msec  49 msec 
 3  10.20.1.14 [MPLS: Labels 20/24009 Exp 0] 39 msec  49 msec  39 msec 
 4  10.20.1.18 [MPLS: Labels 24001/24009 Exp 0] 49 msec  39 msec  49 msec 
 5  10.20.1.22 49 msec  49 msec  39 msec 
 6  1.0.0.2 69 msec  *  49 msec 
RP/0/0/CPU0:r30#

From: NANOG  On Behalf Of Mark Tinka
Sent: Thursday, September 3, 2020 10:58 PM
To: nanog@nanog.org
Subject: Re: rsvp-te admission control - i don't see it

 

 

On 3/Sep/20 22:20, aar...@gvtc.com   wrote:

Thanks, how do I see the control plane reservation?  I don’t seem to be seeing 
anything getting 

RE: rsvp-te admission control - i don't see it

2020-09-03 Thread aaron1
Thanks, how do I see the control plane reservation?  I don’t seem to be seeing 
anything getting allocated 

RP/0/0/CPU0:r20#sh rsvp interface g0/0/0/1
Thu Sep  3 15:15:55.825 CST

*: RDM: Default I/F B/W % : 75% [default] (max resv/bc0), 0% [default] (bc1)

Interface                MaxBW (bps)  MaxFlow (bps)  Allocated (bps)  MaxSub (bps)
-----------------------  -----------  -------------  ---------------  ------------
GigabitEthernet0/0/0/1   1M           1M             0 (  0%)         0

RP/0/0/CPU0:r20#sh rsvp interface summary
Thu Sep  3 15:16:57.131 CST

Interface   MaxBW (bps)  Allocated (bps)  Path In  Path Out  Resv In  Resv Out
---------   -----------  ---------------  -------  --------  -------  --------
Gi0/0/0/0   0            0 (  0%)         1        0         0        1
Gi0/0/0/1   1000K        0 (  0%)         0        1         1        0

-Aaron

 

 

From: Łukasz Bromirski  
Sent: Thursday, September 3, 2020 2:45 PM
To: aar...@gvtc.com
Cc: nanog@nanog.org
Subject: Re: rsvp-te admission control - i don't see it

 

Aaron,





On 3 Sep 2020, at 20:05, aar...@gvtc.com   wrote:

 

I have a functional mpls-te test running, seems fine…but, question about 
bandwidth reservations please.

 

At the Headend router, I set bandwidth on my mpls-te tunnel, but I can’t for 
the life of me, find where in the network is this bandwidth actually being 
admitted, or seen, or allocated or anything!

 

I mean I look on rsvp interfaces, I look in wireshark at the tspec field of the 
path message, I look in the mpls te tunnels along the way, etc, etc, I can’t 
find where the network sees that bandwidth I’m asking for at the tunnel Head 
end.

 

I’m not sure if I understand you, but RSVP only does control plane reservation.

 

Then, once you have a tunnel to establish with a specific bandwidth required, 
RSVP-TE will do CSPF based on link coloring, bandwidth available over 
interfaces and the priority of the tunnel to decide how to establish it. If the 
tunnel is set up over an interface, the bandwidth assigned to the tunnel is taken 
out of the bandwidth available on that interface. But this is purely a control 
plane reservation. Nothing will be enforced in the data plane.

 

To enforce those values, you need to apply QoS policies to the interfaces over 
which you expect to serve MPLS TE tunnels.

 

— 

./


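
Łukasz's description of control-plane admission (CSPF over link coloring and available bandwidth, then subtracting the tunnel's bandwidth from the interface) as an added Python model; this is not code from the thread or from IOS-XR. It assumes the 75% RDM default shown in the "sh rsvp interface" output is the reservable share of each link, treats link colors as single integers, and leaves tunnel priority and preemption out.

```python
"""Toy model of RSVP-TE control-plane admission control (added example).

A headend runs CSPF over links with enough available bandwidth and the right
color, then reserves the tunnel bandwidth along the path. Only counters
change; nothing here touches a data plane, which is the point of the thread.
"""
import heapq
import math

RDM_DEFAULT_PCT = 75  # 'Default I/F B/W % : 75%' from the sh rsvp interface output


class Link:
    """One unidirectional TE link. Reservations only change counters here."""

    def __init__(self, a, b, bps, metric=1, color=0):
        self.a, self.b, self.metric, self.color = a, b, metric, color
        # Assumption: reservable bandwidth is the RDM percentage of link speed.
        self.max_bw = bps * RDM_DEFAULT_PCT // 100
        self.allocated = 0

    def available(self):
        return self.max_bw - self.allocated


class Topology:
    def __init__(self):
        self.links = {}    # (a, b) -> Link
        self.tunnels = {}  # name -> (bw, path)

    def add_link(self, a, b, bps, metric=1, color=0):
        self.links[(a, b)] = Link(a, b, bps, metric, color)

    def out_links(self, node):
        return [link for (a, _), link in self.links.items() if a == node]


def cspf(topo, src, dst, bw, exclude_colors=frozenset()):
    """Constrained SPF: Dijkstra that skips links failing the constraints."""
    dist, prev = {src: 0}, {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist.get(u, math.inf):
            continue
        for link in topo.out_links(u):
            if link.available() < bw or link.color in exclude_colors:
                continue  # not enough reservable bandwidth, or excluded color
            nd = d + link.metric
            if nd < dist.get(link.b, math.inf):
                dist[link.b] = nd
                prev[link.b] = u
                heapq.heappush(heap, (nd, link.b))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def setup_tunnel(topo, name, src, dst, bw, exclude_colors=frozenset()):
    """Headend behaviour: CSPF, then reserve bw on every hop (control plane only)."""
    path = cspf(topo, src, dst, bw, exclude_colors)
    if path is None:
        return None  # admission control: no path satisfies the constraints
    for a, b in zip(path, path[1:]):
        topo.links[(a, b)].allocated += bw
    topo.tunnels[name] = (bw, path)
    return path


def show_rsvp_interface(topo, a, b):
    """Mimic the MaxBW / Allocated columns of 'sh rsvp interface'."""
    link = topo.links[(a, b)]
    pct = 100 * link.allocated // link.max_bw if link.max_bw else 0
    return {"MaxBW": link.max_bw, "Allocated": link.allocated, "pct": pct}


def build_lab():
    """Constructed topology: 1 Mbps links like the r20 output; r20->r50 has color 1."""
    topo = Topology()
    for a, b, color in [("r20", "r30", 0), ("r30", "r40", 0),
                        ("r20", "r50", 1), ("r50", "r60", 0), ("r60", "r40", 0)]:
        topo.add_link(a, b, 1_000_000, metric=1, color=color)
    return topo


if __name__ == "__main__":
    lab = build_lab()
    print(setup_tunnel(lab, "t1", "r20", "r40", 600_000))  # ['r20', 'r30', 'r40']
    print(setup_tunnel(lab, "t2", "r20", "r40", 600_000))  # detour via r50/r60
    print(setup_tunnel(lab, "t3", "r20", "r40", 600_000))  # None: rejected
    print(show_rsvp_interface(lab, "r20", "r30"))
```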

rsvp-te admission control - i don't see it

2020-09-03 Thread aaron1
I have a functional mpls-te test running, seems fine... but a question about
bandwidth reservations, please.

 

At the Headend router, I set bandwidth on my mpls-te tunnel, but I can't for
the life of me, find where in the network is this bandwidth actually being
admitted, or seen, or allocated or anything!

 

I mean I look on rsvp interfaces, I look in wireshark at the tspec field of
the path message, I look in the mpls te tunnels along the way, etc, etc, I
can't find where the network sees that bandwidth I'm asking for at the
tunnel Head end.

 

Using IOS-XR in EVE-NG for testing.  XR 6.3.1

 

I'll give you other details if you want them.

 

 

 

Aaron

aar...@gvtc.com

 



Re: CenturyLink RCA?

2018-12-31 Thread Aaron1
Yeah, could have been one of those...gone from bad to worse things like Dave 
mentioned... initial problem and course of action perhaps led to a worse 
problem.

I’ve had DWDM issues that have taken down multiple locations far apart from 
each other due to how the transport guys hauled stuff.

A few years back I had about 15 routers all reboot suddenly... they were all 
far apart from each other, turned out to be one of the dual bgp sessions to rr 
cluster flapped and all 15 routers crash rebooted.

But ~50 hours of downtime !? 

Aaron

> On Dec 31, 2018, at 11:41 AM, Dave Temkin  wrote:
> 
>> On Mon, Dec 31, 2018 at 11:33 AM Naslund, Steve  wrote:
> 
>> They shouldn’t need OOB to operate existing lambdas just to configure new 
>> ones.  One possibility is that the management interface also handles master 
>> timing which would be a really bad idea but possible (should be redundant 
>> and it should be able to free run for a reasonable amount of time).  The 
>> main issue exposed is that obviously the management interface is critical 
>> and is not redundant enough.  That is if we believe the OOB explanation in 
>> the first place (which by the way is obviously not OOB since it wiped out 
>> the in band network when it failed).
>> 
>>  
>> 
>> Steven Naslund
>> 
>> Chicago IL
>> 
>>  
>> 
>  
> A theory, and only a theory, is that they decided to, in order to 
> troubleshoot a much smaller problem (OOB/etc.), deploy an optical 
> configuration change that, when faced with inaccessibility to multiple nodes, 
> ended up causing a significant inconsistency in their optical network, 
> wreaking havoc on all sorts of other systems. With the OOB network already in 
> chaos, card reseats were required to stabilize things on that network and 
> then they could rebuild the optical network from a fully reachable state.
> 
> Again, only a theory.
> 
> -Dave
> 
>  
>>  
>> 
>> >This seems entirely plausible given that DWDM amplifiers and lasers being a 
>> >complex analog system, they need OOB to align. 
>> 
>> >--
>> 
>> >Eric
>> 
>> 
>> 


Re: Service Provider NetFlow Collectors

2018-12-30 Thread Aaron1
I’m still using nfsen/nfdump

Been looking at ManageEngine NetFlow Analyzer lately and liking it. We might be 
buying some time on Calix FlowAnalyze, which might be an improved version of 
Xangati.

Aaron

> On Dec 30, 2018, at 10:44 PM, Michael Gehrmann  
> wrote:
> 
> 
> Add Flowtraq to your list.
> 
> Cheers
> Mike
> 
> 
>> On Mon, 31 Dec 2018 at 14:30, Erik Sundberg  wrote:
>> Hi Nanog….
>> 
>>  
>> 
>> We are looking at replacing our Netflow collector. I am wonder what other 
>> service providers are using to collect netflow data off their Core and Edge 
>> Routers. Pros/Cons… What to watch out for any info would help.
>> 
>>  
>> 
>> We are mainly looking to analyze the netflow data. Bonus if it does ddos 
>> detection and mitigation.
>> 
>>  
>> 
>> We are looking at
>> 
>> ManageEngine Netflow Analyzer
>> 
>> PRTG
>> 
>> Plixer – Scrutinizer
>> 
>> PeakFlow
>> 
>> Kentik
>> 
>> Solarwinds NTA
>> 
>>  
>> 
>>  
>> 
>> Thanks in advance…
>> 
>>  
>> 
>> Erik
>> 
>>  
>> 
>> 
>> 


Re: Cellular backup connections

2018-12-28 Thread Aaron1
On the topic of static IP... as a Net Eng of an ISP, and seeing the pains that 
we have to endure with our static IP customers, I wonder if static IP 
customers actually inadvertently get less optimal treatment than more flexible, 
agile and dynamic IP customers?

I’m saying that since over the years as I have migrated from one router to 
another, from one technology Ethernet/IP, mpls/ip, it’s more difficult to move 
those static customers subnets around, and sometimes easier just to leave them 
on an old router where they’ve been for years.

Aaron

> On Dec 28, 2018, at 12:32 PM, Jared Geiger  wrote:
> 
> I found horrible routing with a static IP setup with T-Mobile. The device was 
> located in Ashburn, outbound routing would go out via Dallas and inbound 
> would come in via Seattle. So ping times and usability was rough. Tried it on 
> the west coast and the same problem. T-Mobile support said this was by design 
> and they couldn’t change it. 
> 
> I decided to switch to a regular consumer AT data sim without a static IP 
> and set up a small router to initiate a VPN tunnel out to wherever I need it. 
> It turns out to be cheaper and reliable for us. 
> 
> ~Jared Geiger
> 
>> On Fri, Dec 28, 2018 at 11:53 AM Ryan Wilkins  wrote:
>> You mention your connection is 4G.  On T-Mobile 4G is UMTS whereas LTE is, 
>> well, LTE.  Are you really on UMTS (which I would expect to have much 
>> crazier RTTs and jitter like you report) or did you mean LTE?
>> 
>> Ryan
>> 
>> > On Dec 28, 2018, at 7:06 AM, Dovid Bender  wrote:
>> > 
>> > Hi All,
>> > 
>> > I finally got around to setting up a cellular backup device in our new 
>> > POP. I am currently testing with T-Mobile where the cell signal strength 
>> > is at 80%. The connection is 4G. When SSH'ing in remotely the connection 
>> > seems rather slow. Ping times seem to be all over the place (for instance 
>> > now I am seeing: rtt min/avg/max/mdev = 174.142/336.792/555.574/99.599 ms) 
>> > . Is that just cellular or is that more related to the provider and the 
>> > location where I am? I could in theory test with VZ and ATT as well. With 
>> > Verizon they charge $500.00 just to get a public IP and I want to avoid 
>> > that if possible.
>> > 
>> > Thanks and sorry in advance if this is off topic.
>> > 
>> > 
>> 


Re: Spectrum technical contact

2018-12-23 Thread Aaron1
I’m glad you got it figured out with the right people at Spectrum.  When I was 
setting up DDoS RTBH with my 3 ISPs, I remember Spectrum (fka TWC/Charter) 
was difficult to get the right person on the phone to help me understand what I 
needed to do.  I had to go through layers of phone attendants and groups to get 
to someone who knew about DDoS RTBH.

Btw, I’ve wondered about using sp-neutral(agnostic) forms of ddos rtbh... maybe 
cymru utrs combined with fastnetmon for immediate mitigation without human 
intervention.  I’d really like to get there.

Aaron

> On Dec 23, 2018, at 1:28 AM, Josh Luthman  wrote:
> 
> Got a hold of someone, finally!  All you have to do, if it's done through 
> BGP, is set a community to 10796:666
> 
> This was setup as Time Warner Cable but is Spectrum today.  The people I 
> spoke with had been with Time Warner Cable for years before the 
> acquisition/name change.
> 
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> 
> 
>> On Sun, Dec 23, 2018 at 12:53 AM Josh Luthman  
>> wrote:
>> Attack is back on.  If there's anyone out there that works at Spectrum and 
>> can do a route change and hopefully share some info on BGP communities I 
>> would greatly appreciate hearing from you.
>> 
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>> 
>>> On Sun, Dec 23, 2018, 12:12 AM Tim Warnock wrote:
>>> > That’s where you confuse me Josh, if you do BGP with them wouldn’t it be
>>> > your advertisement to them that’s causing them to route to you.  In other
>>> > words, aren’t they only routing packets to you for prefixes that you 
>>> > advertise
>>> > via BGP to them?
>>> 
>>> Unless of course the point-to-point between spectrum and Josh is under 
>>> attack...?


Re: Spectrum technical contact

2018-12-22 Thread Aaron1
That’s where you confuse me Josh, if you do BGP with them wouldn’t it be your 
advertisement to them that’s causing them to route to you?  In other words, 
aren’t they only routing packets to you for prefixes that you advertise via BGP 
to them?

Aaron

> On Dec 22, 2018, at 7:51 PM, Josh Luthman  wrote:
> 
> The IP is their routing to me.  It's not BGP.
> 
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> 
>> On Sat, Dec 22, 2018, 7:51 PM Jason Canady wrote:
>> Your upstream provider is null routing it when you send them the command via 
>> BGP, no longer filling your pipe. 
>> 
>>> On Dec 22, 2018, at 19:24, Josh Luthman  wrote:
>>> 
>>> But if they route it to me and I null it, the traffic is already filling my 
>>> pipe (which is my issue).
>>> 
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>> 
>>>> On Sat, Dec 22, 2018, 11:32 AM Jason Canady wrote:
>>>> The /32 should override any static route they are sending you with a 
>>>> larger prefix.
>>>> 
>>>> Jason Canady
>>>> Unlimited Net, LLC
>>>> Responsive, Reliable, Secure
>>>>> On 12/22/18 11:30 AM, Josh Luthman wrote:
>>>>> I do BGP with them, but of course the issue is an IP that they route to 
>>>>> me.
>>>>> 
>>>>> My issue is with ASN 10796
>>>>> 
>>>>> Josh Luthman
>>>>> Office: 937-552-2340
>>>>> Direct: 937-552-2343
>>>>> 1100 Wayne St
>>>>> Suite 1337
>>>>> Troy, OH 45373
>>>>> 
>>>>> 
>>>>>> On Fri, Dec 21, 2018 at 4:55 PM Aaron1  wrote:
>>>>>> If you BGP neighbor with them you can send-community a /32 advertisement 
>>>>>> to them, and they will remotely black hole it.
>>>>>> 
>>>>>> Aaron
>>>>>> 
>>>>>> > On Dec 21, 2018, at 3:51 PM, Josh Luthman 
>>>>>> >  wrote:
>>>>>> > 
>>>>>> > We have had a DOS attack for over 12 hours.  I simply want them to 
>>>>>> > null route or black hole an address.  The traffic is filling one of 
>>>>>> > our circuits with them.
>>>>>> > 
>>>>>> > The farthest I got was them telling me they can't do route changes 
>>>>>> > because we're not public safety.
>>>>>> > 
>>>>>> > Josh Luthman
>>>>>> > Office: 937-552-2340
>>>>>> > Direct: 937-552-2343
>>>>>> > 1100 Wayne St
>>>>>> > Suite 1337
>>>>>> > Troy, OH 45373
>>>>>> 
>>>> 


Re: Spectrum technical contact

2018-12-21 Thread Aaron1
Well, my comment about DDoS RTBH using a /32 BGP community is with regard to my 
provider Spectrum, which was previously Time Warner Cable/Charter; AS 11427 is 
who I peer with.

Aaron

> On Dec 21, 2018, at 5:40 PM, n...@imap.cc wrote:
> 
> Is this the right Spectrum? There's one that's aka Wave and are pretty good 
> and incredibly responsive to abuse reports, and then there's Spectrum 
> Cable/Charter, which is on par with residential Comcast service.
> 
> 
>> On Fri, Dec 21, 2018, at 2:01 PM, Bryan Holloway wrote:
>> http://as11404.net/communities.html
>> 
>> 11404:666 is probably what you want.



Re: Spectrum technical contact

2018-12-21 Thread Aaron1
If you BGP neighbor with them you can send-community a /32 advertisement to them, 
and they will remotely black hole it.

Aaron

> On Dec 21, 2018, at 3:51 PM, Josh Luthman  wrote:
> 
> We have had a DOS attack for over 12 hours.  I simply want them to null route 
> or black hole an address.  The traffic is filling one of our circuits with them.
> 
> The farthest I got was them telling me they can't do route changes because 
> we're not public safety.
> 
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373



Re: Pinging a Device Every Second

2018-12-15 Thread Aaron1
I think the guys in the NOC will add a customer CPE to Solarwinds monitoring 
and just have it continually run pings, and set up an alert so that we know as 
soon as the pings stop; the alerts go to email or wherever.

Aaron

> On Dec 15, 2018, at 12:32 PM, Colton Conor  wrote:
> 
> The problem I am trying to solve is to accurately be able to tell a customer 
> if their home internet connection was up or down.  Example, customer calls in 
> and says my internet was down for 2 minutes yesterday. We need to be able to 
> verify that their internet connection was indeed down. Right now we have no 
> easy way to do this.  Getting metrics like packet loss and jitter would be 
> great too, though I realize ICMP data path does not always equal customer 
> experience as many network device prioritize ICMP traffic. However ICMP pings 
> over the internet do usually accurately tell if a customers modem is indeed 
> online or not.  
> 
> Most devices out in the field like ONT's and DSL modems do not support SNMP 
> but rather use TR-069 for management. Most of these devices only check into 
> the TR-069 ACS server once a day. 
> If the consumer device does support SNMP, they usually have weak broadcom or 
> qualcom SoC processors, outdated linux kernel embedded operating systems, 
> limited ram, and storage. Most of these can't handle SNMP walks every minute 
> let alone every 5. We are talking about sub $100 routers here not Juniper, 
> Cisco, Arista, etc. 
> 
> Most all of these consumer devices are connected to an carrier aggregation 
> device like a DSLAM, OLT, ethernet switch, or wireless access point. These 
> access devices do support SNMP, but most manufactures recommend only 5 minute 
> SNMP poling, so a 2 minute outage would not easily be detected. Plus its hard 
> to correlate that consumer X is on port Y on access switch, and get that 
> right for a tier 1 CSR. 
> 
> The only two ways I think I can accomplish this is:
> 1. ICMP pings to a device every so many seconds. Almost every device supports 
> responding to WAN ICMP pings. 
> or 
> 2. IPFIX sampling at core router, and then drilling down by customer IP. I 
> think this will tell me if any data was flowing to this customers IP on a 
> second by second basis, but won't necessarily give us an up or down 
> indicator. Requires nothing from the consumer's router. 
> 
> 
> 
> 
> 
>> On Sat, Dec 15, 2018 at 10:51 AM Stephen Satchell  wrote:
>> On 12/15/18 7:48 AM, Colton Conor wrote:
>> > How much compute and network resources does it take for a NMS to:
>> > 
>> > 1. ICMP ping a device every second
>> > 2. Record these results.
>> > 3. Report an alarm after so many seconds of missed pings.
>> > 
>> > We are looking for a system to in near real-time monitor if an end
>> > customers router is up or down. SNMP I assume would be too resource
>> > intensive, so ICMP pings seem like the only logical solution.
>> > 
>> > The question is once a second pings too polling on an NMS and a consumer
>> > grade router? Does it take much network bandwidth and CPU resources from
>> > both the NMS and CPE side?
>> > 
>> > Lets say this is for a 1,000 customer ISP.
>> 
>> What problem are you trying to solve, exactly?  That more than anything
>> will dictate what you do.
>> 
>> Short answer: about 1500 bits of bandwidth, and the CPU loading on the
>> remote device is almost invisible.  Remember the only real difference
>> between ping and SNMP monitoring (UDP) is the organization of the bits
>> in the packet and the protocol number in the IP header.  It's still one
>> packet pair exchanged, unless you get really ambitious with your SNMP
>> OID list.
>> 
>> When I was in a medium-sized hosting company, I developed an SNMP-based
>> monitoring system that would query a number of load parameters (CPU,
>> disk, network, overall) on a once a minute schedule, and would keep
>> history for hours on the monitoring server.  The boss fretted about the
>> load such monitoring would impose.  He never saw any.
>> 
>> For pure link monitoring, which is what I'm hearing you want to do, in
>> my experience I found that a six-second ping cycle gives lots of early
>> warning for link failures.  Again, it depends on the specifications and
>> detection targets.
>> 
>> Some things to consider:
>> 
>> 1.  Router restarts take a while.  Consumer-grade routers can take a
>> minute or more to complete a restart to the point where it will respond
>> to ping.  Carrier-grade routers are more variable but in general have so
>> many options built into them that it takes longer to complete a restart
>> cycle.  Since you are talking consumer-grade gear, you probably don't
>> want to be sensitive to CP power sags.
>> 
>> 2.  Depending on the technology used on the link, you may get some
>> short-term outages, on the order of seconds, so doing "rapid" pings do
>> nothing for you.  During my DSL time, ATM would drop out for short
>> intervals -- so watch out for nuisance trips.
>> 
>> 3.  Some routers implement 
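
Colton's requirement (verify a customer's "down for 2 minutes yesterday") and Stephen's warning about short dropouts causing nuisance trips, as an added Python example that is not from the thread: per-second probe results are turned into outage records, runs shorter than a threshold are ignored, and a CSR-style window query is answered from the records. The 6-sample threshold, the epoch base and the sample data are all constructed assumptions.

```python
"""Outage detection from once-per-second ICMP results (added example).

Models only the NMS side: a stream of (timestamp, replied) samples, one per
second, becomes a list of outages that can be checked against a customer's
claim. Probing itself is left to whatever sends the echo requests.
"""
from dataclasses import dataclass

BASE = 1_545_000_000  # constructed epoch base for the sample data


@dataclass
class Outage:
    start: int  # timestamp of the first missed probe
    end: int    # timestamp of the first reply after the gap (or end of data)

    @property
    def seconds(self) -> int:
        return self.end - self.start


def detect_outages(samples, miss_threshold=6):
    """Turn per-second probe results into outages.

    A run of at least miss_threshold consecutive misses is an outage; shorter
    runs are treated as the seconds-long link dropouts Stephen mentions and
    are ignored rather than alarmed on. The 6 s default is an assumption
    matching the six-second cycle he found useful.
    """
    outages, gap_start, misses = [], None, 0
    for ts, replied in samples:
        if replied:
            if misses >= miss_threshold:
                outages.append(Outage(gap_start, ts))
            misses, gap_start = 0, None
        else:
            if misses == 0:
                gap_start = ts
            misses += 1
    if misses >= miss_threshold:  # still down when the data ends
        outages.append(Outage(gap_start, gap_start + misses))
    return outages


def was_down_between(outages, t0, t1):
    """Outages overlapping the window [t0, t1): the CSR-side query."""
    return [o for o in outages if o.start < t1 and o.end > t0]


def constructed_samples():
    """400 s of constructed probe results: a 3 s blip and a 120 s outage."""
    samples = []
    for i in range(400):
        replied = not (50 <= i < 53 or 200 <= i < 320)
        samples.append((BASE + i, replied))
    return samples


if __name__ == "__main__":
    for o in detect_outages(constructed_samples()):
        print(f"down {o.seconds}s from {o.start} to {o.end}")  # one 120 s outage
```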

Re: Should ISP block child pornography?

2018-12-11 Thread Aaron1
... The only thing I can think of is an idea I’ve heard before: the way to catch 
someone is to watch them while they are accessing it; the concept of honeypots 
comes to mind.

Aaron

> On Dec 11, 2018, at 10:43 AM, Larry Allen  wrote:
> 
> I can't imagine a single rational argument against this. 
> 
>> On Tue, Dec 11, 2018, 10:56 William Anderson wrote:
>>> On Fri, 7 Dec 2018 at 06:08, Lotia, Pratik M wrote:
>> 
>>> Hello all, was curious to know the community’s opinion on whether an ISP 
>>> should block domains hosting CPE (child pornography exploitation) content? 
>>> Interpol has a ‘worst-of’ list which contains such domains and it wants 
>>> ISPs to block it.
>>> 
>> 
>> This already happens in the UK, and has done for years.
>> 
>> https://en.wikipedia.org/wiki/Child_abuse_image_content_list 
>> 
>> 
>> -n


Re: Should ISP block child pornography?

2018-12-11 Thread Aaron1
Right... When would it ever be wrong to stop terrible internet activity such as 
this?!

Aaron

> On Dec 11, 2018, at 10:43 AM, Larry Allen  wrote:
> 
> I can't imagine a single rational argument against this. 
> 
>> On Tue, Dec 11, 2018, 10:56 William Anderson wrote:
>>> On Fri, 7 Dec 2018 at 06:08, Lotia, Pratik M wrote:
>> 
>>> Hello all, was curious to know the community’s opinion on whether an ISP 
>>> should block domains hosting CPE (child pornography exploitation) content? 
>>> Interpol has a ‘worst-of’ list which contains such domains and it wants 
>>> ISPs to block it.
>>> 
>> 
>> This already happens in the UK, and has done for years.
>> 
>> https://en.wikipedia.org/wiki/Child_abuse_image_content_list 
>> 
>> 
>> -n


Re: Should ISP block child pornography?

2018-12-07 Thread Aaron1
Makes me want to cry, so sad.

Aaron

> On Dec 7, 2018, at 1:43 PM, cosmo  wrote:
> 
> I've done a bit of work in this space, won't elaborate, but here are some 
> thoughts:
> 
> * many less-engaged or new pedophiles may indeed search such content in the 
> clear, however 
> * the persistent abusers tend to form communities within TOR hidden services, 
> making them difficult to find. Most are likely just consumers of the 
> material, but many are producers (inc kidnappers)
> * some underground communities require that prospective members contribute 
> new abuse imagery/videos in order to prove they are not law enforcement. 
> Tragically this encourages abusers to abuse a family member
> * other communities have plenty of essays espousing the viewpoint that such 
> behavior is quite natural, which does convince some to excuse their behavior. 
> This content itself does have the ability to convert non-offenders to 
> offenders, IMHO.
>- The following article discusses these communities and their underlying 
> agendas. I'll warn you that you may need therapy after reading it.
>  * 
> http://www.cracked.com/personal-experiences-1760-5-things-i-learned-infiltrating-deep-web-child-molesters.html
> * Some of the content is indeed quite traumatic - it's as bad as they say it 
> is, and many people working in this space have long-term psychological 
> problems
> * While many of these communities hide in TOR, making it difficult to find 
> the perpetrators, many of the images there actually link to images hosted in 
> public-facing image-hosting servers. This means that the abusers access it 
> through 3 hops through the proxy network instead of 6, for hidden servers.
> 
> This means that indeed, the majority of people accessing that content on your 
> network may be doing so from hotlinks posted to a hidden server somewhere. 
> You may see them primarily being accessed via known TOR exit nodes.
> 
> My recommendations :
> * First, reach out to NCMEC for guidance on filtering/logging
> * Second, I've done a teensy bit of work for these guys at Thorn (Ashton 
> Kutcher's nonprofit). They have an interesting program that attempts to 
> recognize people searching for abuse imagery, and redirects them to material 
> urging them to seek psychological help for their problem: 
> https://www.wearethorn.org/deterrence-prevent-child-sexual-abuse-imagery/
> 
> 
> 
> 
>> On Fri, Dec 7, 2018 at 11:32 AM Lotia, Pratik M  
>> wrote:
>> Very well explained, Max!
>> 
>> 
>> With Gratitude,
>> Pratik Lotia
>> 
>> “Information is not knowledge.”
>> 
>> On 12/7/18, 13:16, "NANOG on behalf of na...@jack.fr.eu.org" 
>>  wrote:
>> 
>> Well said
>> 
>> 
>> On 12/07/2018 07:48 PM, Max Tulyev wrote:
>> > Hi All,
>> > 
>> > We are fighting censorship in our country, so I have something to say.
>> > 
>> > First, censorship is not just "switch off this website and that
>> > webpage". No magic button exists. It is more complex if you think of it
>> > as a whole system.
>> > 
>> > Initially, networks were built without systems (hardware and software)
>> > that can block something.
>> > 
>> > Yes, you may nullroute some IP hosting some site, but as collateral
>> > damage you will block part of Cloudflare or Amazon, for example. So you
>> > have to buy and install additional equipment and software to make it a
>> > bit less painful. That's not so cheap; it has to be planned, bought,
>> > installed and checked, and personnel have to be trained. After that, your
>> > system will be capable of blocking some website for the ~90% of your
>> > customers who will not proactively avoid blocking. And for *NONE* who
>> > will, as CP addicts, terrorists, black markets, gambling, porn and others do.
>> > 
>> > Yep. Now your network is capable of censoring something. You just made the
>> > first step to hell. What's next? Some people send you some websites
>> > to ban. This list with CP, the Spamhaus DROP list, some court orders, some
>> > semi-legal copyright protectors' orders, some "we just want to block it"
>> > requests... And some list entries become outdated from time to time,
>> > so you need to clean the list from time to time. Do not expect the people
>> > who sent you the block request to send you an unblock request, of course.
>> > Then, we have >6000 ISPs in our country - it is not possible to interact
>> > with all of them directly.
>> > 
>> > So, you end up under a lot of paperwork, random interactions with random
>> > people and an outdated and desynchronized blocking list. It will not work.
>> > 
>> > Next, the government realizes there should be one centralized blocking list
>> > and introduces it.
>> > 
>> > Ok. Now we have a censored Internet. THE SWITCH IS ON.
>> > 
>> > In a very short time the number of organizations that have permission to
>> > insert something in the list dramatically 

Re: Should ISP block child pornography?

2018-12-07 Thread Aaron1
What is “ROKSO's DROP list” ?

Aaron

> On Dec 7, 2018, at 8:57 AM, John Von Essen  wrote:
> 
> ROKSO's DROP list



Re: netflix OCA in a CG-NAT world

2018-11-25 Thread Aaron1
Thanks Dave, so my local OCA will listen to my BGP advertisements for RFC1918 
prefixes if I decided to advertise them?

Aaron

> On Nov 25, 2018, at 10:47 PM, Dave Temkin  wrote:
> 
> FWIW (reviving an old thread)-
> 
> Putting an OCA with bypass through the CGN with RFC1918 space will actually 
> work just fine. We (Netflix) don't formally support it because of the vast 
> number of non-standard CGN implementations out there, but if your clients are 
> in RFC1918 space and the next hop router from the OCA knows how to reach 
> them, it will just work. We only use BGP to inform our control plane, not for 
> local routing. Any traffic not served via the OCA will go through CGN as 
> usual and out peering/transit. Note that it does complicate troubleshooting 
> for both sides.
> 
> And yes, IPv6 is fully supported by every piece of our infrastructure; the 
> issue is TVs and STBs that do not support v6 - but we have finally seen the 
> largest device manufacturers commit to supporting it (if they don't already 
> on their late model sets) so that should change year over year.
> 
> -Dave
> 
>> On Mon, Sep 17, 2018 at 11:52 PM Jared Mauch  wrote:
>> 
>> 
>> > On Sep 17, 2018, at 6:54 AM, Tom Ammon  wrote:
>> > 
>> > I'm looking to understand the impact of CG-NAT on a set of netflix OCAs, 
>> > in an ISP environment. I see in Netflix's FAQ on the subject that traffic 
>> > sourced from RFC 1918/6598 endpoints can't be delivered to the OCA. Is 
>> > this simply a matter of deploying the OCA on the outside of the CGN layer? 
>> > What are the other consequences of CGN upon the OCA?
>> > 
>> 
>> Yes, you want to deploy it outside your CG-NAT.  
>> 
>> I also strongly suggest you look at how to get native IPv6 from your clients 
>> behind the CG-NAT rolled out.  I know many folks have had issues with 
>> various CDNs and the number of devices that reach out.  This is why folks 
>> get the Google captcha, etc.
>> 
>> Giving those end-users an alternate way out will help.  I understand this 
>> may take effort and is harder for folks using UBNT & Tik gear in a smaller 
>> environment, but there is value for your end-users.
>> 
>> - Jared
>> 


Re: Internet diameter?

2018-11-21 Thread Aaron1
Yes I agree Ross/Stephen.  I didn’t mean to overstate the CDN fact.

I wonder what the answer to Bill’s question is: “average, median and
> maximum diameter (ip hop count) of the Internet?“

Aaron

> On Nov 21, 2018, at 9:44 PM, Stephen Satchell  wrote:
> 
>> On 11/21/2018 07:32 PM, Ross Tajvar wrote:
>> I'd argue that's just content (though admittedly a lot of it). You can't
>> cache, e.g., a SIP trunk, and offices which need to connect to each other
>> can't cache one another in a CDN either.
> 
> 
> I would further argue that you can't cache active Web content, like bank
> account statements, utility billing, help desk request/responses,
> equipment status, and other things that change constantly.


Re: Internet diameter?

2018-11-21 Thread Aaron1
Considering 40% of the “internet” is sitting in my backyard in cdn caching, I’d 
say the perceived diameter for that content is 3 or 4 hops.  ;)

...but something tells me that isn’t the response you were seeking... 

... but seriously it is interesting that with local caching that much of the 
Internet is now sitting local in the subscriber’s ISP.

Aaron

> On Nov 21, 2018, at 4:55 PM, William Herrin  wrote:
> 
> Hi folks,
> 
> Does anybody have more or less recent data on the average, median and
> maximum diameter (ip hop count) of the Internet? My google fu is
> failing me: I've only found stuff from the '90s.
> 
> Thanks,
> Bill Herrin
> 
> -- 
> William Herrin  her...@dirtside.com  b...@herrin.us
> Dirtside Systems . Web: 



Re: Zayo vs Coent

2018-11-09 Thread Aaron1
My Cogent is pretty good... I had 10 gig for a few years, then dual 10’s LAG’d 
together for about a year or so, and now 100 gig for about 2 months.  So it’s 
been about five or six years that I’ve been with Cogent.

They usually are knowledgeable when I talk to them and they are able to do what 
I ask of them.  They usually don’t have to hand me off to somebody else.

Cogent has good DDOS RTBH also.  I trigger a /32 and it’s immediately black 
holed in the cloud.

Cogent does however have an issue with ipv6 peering with google.  I currently 
have my v6 ebgp session shut down with them because of this.  Moving forward 
and doing more V6 in the future, I will have to figure out how to deal with us.

I’ve also had Spectrum, ATT, Telia, all good as well.  I have no experience 
with Zayo, so I can’t speak to that.

Aaron

> On Nov 9, 2018, at 8:52 PM, Dan Stralka  wrote:
> 
> We have 10G IPv4 circuits with both Zayo and Cogent getting full routes.  One 
> major difference is the maintenance windows - when Cogent has maintenance, 
> things get weird for hours at a time. 
> 
> 
> 
>> On Fri, Nov 9, 2018 at 4:00 PM JASON BOTHE via NANOG  wrote:
>> If you love yourself and your organization just peer with Zayo and not look 
>> back. 
>> 
>>> On Nov 9, 2018, at 14:19, Ca By  wrote:
>>> 
>>> Zayo will provide you all of the internet
>>> 
>>> Cogent will provide you with something that is not all internet, it is 
>>> missing HE and Google on ipv6. 
>>> 
>>>> On Fri, Nov 9, 2018 at 10:53 AM William Herrin  wrote:
>>>> Zayo is the former above.net. Worked well for me at previous $job.
>>>> Cogent is Cogent. Refer to the list archives for experiences with
>>>> Cogent.
>>>> 
>>>> Regards,
>>>> Bill Herrin
>>>> On Fri, Nov 9, 2018 at 10:19 AM Dovid Bender  wrote:
>>>> >
>>>> > Hi,
>>>> >
>>>> > We are in a facility where my only options are Cogent or Zayo. We plan 
>>>> > on getting a 10G connection for a web crawler using v4 only. Looking for 
>>>> > feedback on either or (keeping the politics out of it).
>>>> >
>>>> > TIA.
>>>> >
>>>> > Dovid
>>>> >
>>>> 
>>>> 
>>>> -- 
>>>> William Herrin  her...@dirtside.com  b...@herrin.us
>>>> Dirtside Systems . Web: 


Re: Whats going on at Cogent

2018-10-21 Thread Aaron1
If he only uses a default route then his outbound routing won’t have anything 
to do with what destinations are closer, etc

Aaron

> On Oct 21, 2018, at 7:39 AM, Mike Hammett  wrote:
> 
> I guess first thing's first...  you aren't doing anything to force the 
> traffic that way, are you?
> 
> If you've got IPv6 deployed, chances are that no Google will be coming over 
> that Cogent.  :-)
> 
> CAIDA says Cogent is bigger.
> 
> http://as-rank.caida.org/asns/174/as-core
> http://as-rank.caida.org/asns/6939/as-core
> 
> Being an eyeball network, what's going to impact that kind of usage the most 
> is where the next up connections to Netflix, Google, Akamai, Cloudflare, etc. 
> are located. If they're closer via HE than Cogent, that's where your traffic 
> will come from.
> 
> Looking at your network specifically, Netflix isn't on either IX that you're 
> on, so that HE traffic very well could be a majority Netflix.
> 
> What do your netflows say?
> 
> 
> 
> 
> 
> -
> Mike Hammett
> Intelligent Computing Solutions
> 
> Midwest Internet Exchange
> 
> The Brothers WISP
> 
> From: "Baldur Norddahl" 
> To: nanog@nanog.org
> Sent: Sunday, October 21, 2018 3:20:12 AM
> Subject: Re: Whats going on at Cogent
> 
> Is he.net smaller than Cogent? Over the past 24 hours we had 6.7 Gbps peak 
> from our HE link and 336 Mbps peak from our Cogent link. This is inbound 
> traffic. We are eyeballs and our outbound is a small fraction of our inbound.
> 
> Regards.
> 
> Baldur
> 
> 
>> On Tue, Oct 16, 2018 at 4:17 PM Dovid Bender  wrote:
>> We have been very happy with HE. It was a no brainer over cogent. They are 
>> smaller (so are we). When there are issues they are real fast to fix them, 
>> you also get the personal touch which you don't get with others.
>> 
>> 
>>> On Tue, Oct 16, 2018 at 10:10 AM, Eric Dugas  
>>> wrote:
>>> I don't really get the Cogent/Google peering issues. I've been hearing this 
>>> for years... How about fixing it already? Telling customer to get other 
>>> transit providers to get to a given network is really bad.
>>> 
>>> On a side note, HE is still HE but they're trying really hard to be a good 
>>> netcitizen. They've finally pushed filtering for peers: 
>>> http://routing.he.net. I wouldn't get transit from them, but in some 
>>> markets, they're the only affordable IP transit providers.
>>> 
>>> On Oct 16 2018, at 10:04 am, DaKnOb  wrote:
>>> 
>>> 
>>> When I call and mention it I’m told that it’s HE’s fault (despite the 
>>> lovely cake), but when I also bring Google, then they tell me to get a 
>>> different provider just for this traffic, or meet them at an IX and send my 
>>> traffic from there.
>>> 
>>> About the staff rotation I’ve seen it too, and I’ve also seen an increase 
>>> in salespeople calling, for example when an AS is registered etc. in 
>>> addition to the normal calls..
>>> 
>>> On 16 Oct 2018, at 16:54, Dovid Bender  wrote:
>>> 
>>> They call me every few months. the last time they emailed me I said I 
>>> wasn't interested because of the HE issue. I have yet to get another 
>>> email...
>>> 
>>> 
>>> On Tue, Oct 16, 2018 at 9:29 AM, Ca By  wrote:
>>> 
>>> 
>>> On Tue, Oct 16, 2018 at 5:16 AM David Hubbard 
>>>  wrote:
>>> Have had the same sales rep for several years now; unfortunately he has no 
>>> ability to fix their IPv6 peering issue so we’re slowly removing circuits, 
>>> but otherwise for a handful of 10gig DIA circuits it’s been stable.
>>> 
>>>  
>>> 
>>> Yep, this.  Whenever Cogent calls, this is what i tell them. Black-holing 
>>> HE and Google ipv6 traffic, which is what they do if i use a default route 
>>> from them, is dead on arrival.  Shows they make bad decisions and dont put 
>>> the customer first, or even create such an illusion. 
>>> 
>>> 
>>> 
>>> 
>>> From: NANOG  on behalf of Ryan Gelobter 
>>> 
>>> Date: Tuesday, October 16, 2018 at 6:04 AM
>>> To: NANOG 
>>> Subject: Whats going on at Cogent
>>>  
>>> Anyone else seen terrible support and high turnover of sales/account people 
>>> at Cogent the last few months? Is there something going on over there 
>>> internally? I'm sure some people will say Cogent has always been crap but 
>>> in the past their account reps and support were pretty good. It seems to 
>>> have gone downhill the last 12 months really bad.
>>>  
>>> Regards,
>>> Ryan
> 


Re: Whats going on at Cogent

2018-10-19 Thread Aaron1
ecogent looking glass tools are helpful 

Aaron

> On Oct 19, 2018, at 9:54 PM, Jason Canady  wrote:
> 
> It's been slow for quite some time now. I only find it useful for billing 
> purposes.  It's a shame carriers don't have a good ticket system.
> 
> Jason Canady
> Unlimited Net, LLC
> Responsive, Reliable, Secure
>> On 10/19/18 5:47 PM, Aaron1 wrote:
>> Yes I noticed that last week, it is very slow
>> 
>> Aaron
>> 
>> On Oct 19, 2018, at 4:43 PM, Ryan Gelobter  
>> wrote:
>> 
>>> Has anyone else noticed their ecogent portal is super fucking slow? Back in 
>>> the day it used to be fast
>>> 
>>>> On Thu, Oct 18, 2018 at 2:12 PM Troy Mursch  wrote:
>>>> Cogent has done well to remediate the compromised MikroTik routers on 
>>>> their network. 3,000 IPv4 hosts were found on Aug. 25 
>>>> (https://twitter.com/bad_packets/status/1033256704941514752) and today, 
>>>> only a hundred: 
>>>> https://censys.io/ipv4?q=%28%28%28%22CoinHive.Anonymous%22%29+AND+%28MikroTik%29%29+AND+location.country_code%3A+US%29+AND+autonomous_system.description.raw%3A+%22COGENT-174+-+Cogent+Communications%22;
>>>> __
>>>> 
>>>> Troy Mursch
>>>> 
>>>> 
>>>> 
>>>>> On Thu, Oct 18, 2018 at 12:05 PM Aaron Gould 
>>>>>wrote:
>>>>> I guess those bots have to sit somewhere.  I don’t know that they would 
>>>>> be in routers as much as they would be in Microsoft Windows… so if that’s 
>>>>> what you meant, then I see what you mean Michael
>>>>> 
>>>>>  
>>>>> 
>>>>> Niels, I like my cogent and telia internet connections… I just recall 
>>>>> seeing more ddos on cogent than I did on my previous att, and current 
>>>>> spectrum… telia is showing a good bit of ddos also
>>>>> 
>>>>>  
>>>>> 
>>>>> Let’s put it this way, I can thank Cogent and Telia for helping me get 
>>>>> better in my ddos mitigation skills  ☺   … there’s a bright side to 
>>>>> everything huh
>>>>> 
>>>>>  
>>>>> 
>>>>> Aaron
>>>>> 
>>>>>  
>>>>> 
>>>>>  
>>>>> 
>>>>>  
>>>>> 
>>>>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Michael Crapse
>>>>> Sent: Tuesday, October 16, 2018 8:37 PM
>>>>> To: NANOG list
>>>>> Subject: Re: Whats going on at Cogent
>>>>> 
>>>>>  
>>>>> 
>>>>> Or he's saying that cogent has the biggest network of compromised users. 
>>>>> Usually ipv4 only eyeball networks tend to have the most bots on net.
>>>>> 
>>>>>  
>>>>> 
>>>>>  
>>>>> 
>>>>> On Tue, 16 Oct 2018 at 19:22, Niels Bakker  wrote:
>>>>> 
>>>>> * aar...@gvtc.com (Aaron1) [Wed 17 Oct 2018, 00:17 CEST]:
>>>>> >However Cogent seems to be the dirtiest in regards to DDOS...
>>>>> >however Telia might be catching up... in times past when I receive 
>>>>> >volumetric DDOS, Cogent typically ranks with the highest on my 
>>>>> >providers ... AT&T and Spectrum seem to be a bit cleaner
>>>>> 
>>>>> So you're saying, Cogent and Telia have the best backbones and 
>>>>> interconnects and thus deliver the most of your traffic to you, 
>>>>> even at times of peak utilization?
>>>>> 
>>>>> 
>>>>> -- Niels.
>>>>> 
> 
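
Troy's Censys query above matches on two signals at once: a MikroTik fingerprint and the string "CoinHive.Anonymous" in what the device serves. The block below is an added example, not code from the thread or from Censys, that applies the same two-signal test to raw HTTP responses you might have collected from your own address space and groups the hits by ASN. The responses, the addresses (192.0.2.0/24 and 198.51.100.0/24 documentation ranges), the site key and the IP-to-ASN table are all constructed; AS174 is used only because the quoted query names it as Cogent's ASN, and AS64496 is from the documentation ASN range.

```python
"""Added example, not code from the thread: triage raw HTTP responses for the
two signals in the Censys query quoted above (a MikroTik fingerprint plus a
Coinhive miner loader in the body) and group hits by ASN.  The responses, IPs,
site key and IP-to-ASN table are all constructed."""
import re

COINHIVE_RE = re.compile(r"CoinHive\.Anonymous\s*\(", re.IGNORECASE)
MIKROTIK_RE = re.compile(r"mikrotik", re.IGNORECASE)


def parse_http(raw):
    """Split a raw HTTP/1.x response into (status line, headers dict, body).
    Header names are lower-cased; a response with no blank line has an empty body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify(raw):
    """'compromised-mikrotik' needs both signals.  'miner-only' and
    'mikrotik-only' are kept apart so a web site that chose to run the miner is
    not counted as a hijacked router, and a clean router is not flagged."""
    _, headers, body = parse_http(raw)
    is_mikrotik = bool(MIKROTIK_RE.search(headers.get("server", "")) or MIKROTIK_RE.search(body))
    has_miner = bool(COINHIVE_RE.search(body))
    if is_mikrotik and has_miner:
        return "compromised-mikrotik"
    if has_miner:
        return "miner-only"
    if is_mikrotik:
        return "mikrotik-only"
    return "clean"


def triage(samples, ip_to_asn):
    """Return {asn: sorted list of IPs} for hosts classified compromised-mikrotik."""
    hits = {}
    for ip, raw in samples:
        if classify(raw) == "compromised-mikrotik":
            hits.setdefault(ip_to_asn.get(ip, "unknown"), []).append(ip)
    return {asn: sorted(ips) for asn, ips in hits.items()}


# Constructed sample responses (CRLF line endings as on the wire); the site key
# is a placeholder, not a real Coinhive key.
MINER = "<script>var m=new CoinHive.Anonymous('CONSTRUCTED-SITE-KEY');m.start();</script>"
SAMPLES = [
    ("192.0.2.10", "HTTP/1.1 200 OK\r\nServer: MikroTik\r\nContent-Type: text/html\r\n\r\n"
                   "<html><body>RouterOS error" + MINER + "</body></html>"),
    ("192.0.2.11", "HTTP/1.1 200 OK\r\nServer: MikroTik\r\nContent-Type: text/html\r\n\r\n"
                   "<html><body>RouterOS login</body></html>"),
    ("198.51.100.5", "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
                     "<html><body>Welcome" + MINER + "</body></html>"),
]
# Constructed IP-to-ASN mapping; in practice this comes from your own IPAM or a BGP table.
IP_TO_ASN = {"192.0.2.10": "AS174", "192.0.2.11": "AS174", "198.51.100.5": "AS64496"}

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(ip, classify(raw))
    print(triage(SAMPLES, IP_TO_ASN))
```

Only the host that both fingerprints as MikroTik and serves the miner loader is counted; a non-router page carrying the same script is reported separately, which is the distinction an abuse desk needs before it starts notifying customers.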


Re: Whats going on at Cogent

2018-10-19 Thread Aaron1
Yes I noticed that last week, it is very slow

Aaron

> On Oct 19, 2018, at 4:43 PM, Ryan Gelobter  
> wrote:
> 
> Has anyone else noticed their ecogent portal is super fucking slow? Back in 
> the day it used to be fast
> 
>> On Thu, Oct 18, 2018 at 2:12 PM Troy Mursch  wrote:
>> Cogent has done well to remediate the compromised MikroTik routers on their 
>> network. 3,000 IPv4 hosts were found on Aug. 25 
>> (https://twitter.com/bad_packets/status/1033256704941514752) and today, only 
>> a hundred: 
>> https://censys.io/ipv4?q=%28%28%28%22CoinHive.Anonymous%22%29+AND+%28MikroTik%29%29+AND+location.country_code%3A+US%29+AND+autonomous_system.description.raw%3A+%22COGENT-174+-+Cogent+Communications%22;
>> __
>> 
>> Troy Mursch
>> 
>> 
>> 
>>> On Thu, Oct 18, 2018 at 12:05 PM Aaron Gould  wrote:
>>> I guess those bots have to sit somewhere.  I don’t know that they would be 
>>> in routers as much as they would be in Microsoft Windows… so if that’s what 
>>> you meant, then I see what you mean Michael
>>> 
>>>  
>>> 
>>> Niels, I like my cogent and telia internet connections… I just recall 
>>> seeing more ddos on cogent than I did on my previous att, and current 
>>> spectrum… telia is showing a good bit of ddos also
>>> 
>>>  
>>> 
>>> Let’s put it this way, I can thank Cogent and Telia for helping me get 
>>> better in my ddos mitigation skills  ☺   … there’s a bright side to 
>>> everything huh
>>> 
>>>  
>>> 
>>> Aaron
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Michael Crapse
>>> Sent: Tuesday, October 16, 2018 8:37 PM
>>> To: NANOG list
>>> Subject: Re: Whats going on at Cogent
>>> 
>>>  
>>> 
>>> Or he's saying that cogent has the biggest network of compromised users. 
>>> Usually ipv4 only eyeball networks tend to have the most bots on net.
>>> 
>>>  
>>> 
>>>  
>>> 
>>> On Tue, 16 Oct 2018 at 19:22, Niels Bakker  wrote:
>>> 
>>> * aar...@gvtc.com (Aaron1) [Wed 17 Oct 2018, 00:17 CEST]:
>>> >However Cogent seems to be the dirtiest in regards to DDOS...
>>> >however Telia might be catching up... in times past when I receive 
>>> >volumetric DDOS, Cogent typically ranks with the highest on my 
>>> >providers ... AT&T and Spectrum seem to be a bit cleaner
>>> 
>>> So you're saying, Cogent and Telia have the best backbones and 
>>> interconnects and thus deliver the most of your traffic to you, 
>>> even at times of peak utilization?
>>> 
>>> 
>>> -- Niels.


Re: Whats going on at Cogent

2018-10-16 Thread Aaron1
As an eyeball network operator, Cogent has served me well for several years, I 
can say that they are probably the easiest and most relaxed and most accessible 
to work with from my experience compared to my other providers, I’m comparing 
to 3 other well-known providers

It seems like when I call Cogent the person that answers the phone is the 
person that solves my problem, other providers I have to go through multiple 
layers of people to get to someone who knows how to do what I need them to do

Cogent has typically been the cheapest also

However Cogent seems to be the dirtiest in regards to DDOS...  however Telia 
might be catching up... in times past when I receive volumetric DDOS, Cogent 
typically ranks with the highest on my providers ... AT&T and Spectrum seem to 
be a bit cleaner

I also have the long-standing v6 google issue

So yeah, pros and cons, but that’s true about most things, pros and cons 

Aaron

> On Oct 16, 2018, at 12:08 PM, Mike Hammett  wrote:
> 
> Agreed. A couple IXes, Cogent, HE, and a couple others. Add more IXes and 
> others as needed. Eyeballs should be fine with the above.
> 
> 
> 
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
> 
> Midwest-IX
> http://www.midwest-ix.com
> 
> From: "Daniel Corbe" 
> To: "DaKnOb" 
> Cc: "NANOG" 
> Sent: Tuesday, October 16, 2018 10:44:10 AM
> Subject: Re: Whats going on at Cogent
> 
> at 11:34 AM, DaKnOb  wrote:
> 
> > I guess people really don’t like Cogent judging by the fact that one  
> > unrelated email caused all this to happen again.. :-)
> 
> Cogent have more pain points on average but they’re still the best option  
> for getting to other Cogent customers.  It’s not really hard to design  
> around their shortcomings.   I’d rather have 30 small links and be  
> well-connected than two large ones and be SOL because someone refuses to  
> peer.
> 
> I can’t speak to their MPLS service, because cogent’s the last company I’d  
> ever trust with my backbone.
> 
> 
> 
>