Re: Route table prefix monitoring

2009-09-11 Thread Joel Jaeggli


Olsen, Jason wrote:
 Howdy all,

 What I'm left thinking is that it would have been great if we'd had a
 snapshot of our core routing table as it stood hours or even days prior
 to this event occurring, so that I could compare it with our current
 broken state, so the team could have seen that subnet in the core
 table and what the next hop was for the prefix.  Are there any tools
 that people are using to track when/what prefixes are added/withdrawn
 from their routing tables, or to pull the routing table as a whole at
 regular intervals for storage/comparison purposes?  It looks like
 there's a plugin for NAGIOS, but I'm looking for suggestions on any
 other tools (commercial, open source, home grown) that we might take a
 look at.  For reference, we are running Cisco as well as Juniper kit.

Periodic table dumps, or even a log of the updates from a quagga router
inside your infrastructure could provide this information. That in a
nutshell is what routeviews and other collectors do for the dfz routing
table.

  
 
 Feel free to drop me your thoughts off-list.
 
  
 
 Thank you for any insight ahead of time,
 
  
 
 -Jason Feren Olsen
 




Re: Route table prefix monitoring

2009-09-11 Thread Warren Kumari


On Sep 10, 2009, at 7:23 AM, Joel Jaeggli wrote:




 Olsen, Jason wrote:
  Howdy all,

  What I'm left thinking is that it would have been great if we'd had a
  snapshot of our core routing table as it stood hours or even days prior
  to this event occurring, so that I could compare it with our current
  broken state, so the team could have seen that subnet in the core
  table and what the next hop was for the prefix.  Are there any tools
  that people are using to track when/what prefixes are added/withdrawn
  from their routing tables, or to pull the routing table as a whole at
  regular intervals for storage/comparison purposes?  It looks like
  there's a plugin for NAGIOS, but I'm looking for suggestions on any
  other tools (commercial, open source, home grown) that we might take a
  look at.  For reference, we are running Cisco as well as Juniper kit.

 Periodic table dumps, or even a log of the updates from a quagga router
 inside your infrastructure could provide this information. That in a
 nutshell is what routeviews and other collectors do for the dfz routing
 table.


There is also an Internet draft for the BGP Monitoring Protocol
(http://tools.ietf.org/html/draft-ietf-grow-bmp-02).
This draft provides for a method whereby the BGP speakers export their
received updates to a central collector. This allows you to get route
views in (more) real time, with no more screen scraping (and probably
much lower CPU as well). Personally I think it's an awesome idea and is
something that we have needed for a long long time (over the years I
must have written 7-8 screen scrapers to get BGP RIB info, and they
always suck).




Draft Abstract:
This document proposes a simple protocol, BMP, which can be used to  
monitor BGP sessions.
BMP is intended to provide a more convenient interface for obtaining  
route views for research purpose than the screen-scraping approach in  
common use today.
The design goals are to keep BMP simple, useful, easily implemented,  
and minimally service-affecting. BMP is not suitable for use as a  
routing protocol.



W






  Feel free to drop me your thoughts off-list.

  Thank you for any insight ahead of time,

  -Jason Feren Olsen






For every complex problem, there is a solution that is simple, neat,  
and wrong.

-- H. L. Mencken






Route table prefix monitoring

2009-09-04 Thread Olsen, Jason
Howdy all,

 

I've done a bit of digging through the Google machine and the MarkMail
archive of NANOG (Which is a great resource I cannot plug enough -
http://nanog.markmail.org) and have a few vague answers, but would like
some deeper thought so I'm putting this out to the list.

 

We recently had an event where, unbeknownst to us, a circuit went down
and a /16 prefix inside our core routing table was withdrawn as a
consequence of adjacency disappearing with that downed circuit (the fact
that it went down without us knowing is being worked already).  This
caused a severe breakage for a legacy system that hasn't been touched in
years, and tribal knowledge couldn't explain why we were seeing that
legacy system going to a subnet that nobody knew anything about (again,
documentation is something that's being worked already as a consequence
of this).

 

What I'm left thinking is that it would have been great if we'd had a
snapshot of our core routing table as it stood hours or even days prior
to this event occurring, so that I could compare it with our current
broken state, so the team could have seen that subnet in the core
table and what the next hop was for the prefix.  Are there any tools
that people are using to track when/what prefixes are added/withdrawn
from their routing tables, or to pull the routing table as a whole at
regular intervals for storage/comparison purposes?  It looks like
there's a plugin for NAGIOS, but I'm looking for suggestions on any
other tools (commercial, open source, home grown) that we might take a
look at.  For reference, we are running Cisco as well as Juniper kit.

 

Feel free to drop me your thoughts off-list.

 

Thank you for any insight ahead of time,

 

-Jason Feren Olsen



Re: Route table prefix monitoring

2009-09-04 Thread Matthew Walster
2009/9/4 Olsen, Jason jol...@devry.com:
 Are there any tools
 that people are using to track when/what prefixes are added/withdrawn
 from their routing tables,

Could you use something like BGPMon?

http://bgpmon.com/

Matthew Walster



Re: Route table prefix monitoring

2009-09-04 Thread Paul Ferguson

On Fri, Sep 4, 2009 at 1:48 PM, Matthew Walster matt...@walster.org wrote:

 2009/9/4 Olsen, Jason jol...@devry.com:
 Are there any tools
 that people are using to track when/what prefixes are added/withdrawn
 from their routing tables,

 Could you use something like BGPMon?

 http://bgpmon.com/


There's also:

MyASN:
http://www.ripe.net/info/faq/projects/myasn.html

PHAS:
http://phas.netsec.colostate.edu/stat.html

- - ferg



-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Route table prefix monitoring

2009-09-04 Thread Christopher Morrow
On Fri, Sep 4, 2009 at 4:59 PM, Paul Ferguson fergdawgs...@gmail.com wrote:

 On Fri, Sep 4, 2009 at 1:48 PM, Matthew Walster matt...@walster.org wrote:

 2009/9/4 Olsen, Jason jol...@devry.com:
 Are there any tools
 that people are using to track when/what prefixes are added/withdrawn
 from their routing tables,

 Could you use something like BGPMon?

 http://bgpmon.com/


 There's also:

 MyASN:
 http://www.ripe.net/info/faq/projects/myasn.html

 PHAS:
 http://phas.netsec.colostate.edu/stat.html

I think the OP wanted something for 'internal route monitoring' ...
since he's from DeVry I suspect it's to monitor things on DeVry's
internal WAN which probably don't show in the global table.

That said, you COULD have rancid (or abuse rancid) pull rib-dumps each
'period' and index those into something that alerted on large diff's
(or alerted if some critical bits were missing).  Or have a quagga box
peer with some number of internal devices, log update messages, alert
on withdrawal of critical bits.

-chris
(I don't know of any COTS tools that do this, sorry)
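
Added example (not part of the original thread, and not any poster's code): a minimal sketch of the "diff periodic rib-dumps and alert" approach described in the message above. It assumes each dump has already been normalized to one `prefix next-hop` pair per line; that format, the sample tables, the function names and the thresholds are all constructed for illustration.

```python
import ipaddress

# Constructed sample snapshots. Assumed format (not from the thread): one
# "prefix next-hop" pair per line, normalized from each periodic RIB dump.
SNAPSHOT_BEFORE = """\
10.0.0.0/8 192.0.2.1
172.16.0.0/16 192.0.2.9
192.168.10.0/24 192.0.2.1
192.168.20.0/24 192.0.2.5
"""
SNAPSHOT_AFTER = """\
10.0.0.0/8 192.0.2.1
192.168.10.0/24 192.0.2.7
192.168.30.0/24 192.0.2.5
"""

def order(net):
    """Sort key that keeps IPv4 and IPv6 prefixes comparable."""
    return (net.version, net)

def parse_snapshot(text):
    """Return {ip_network: next_hop}, skipping blank lines and # comments."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'prefix next-hop'")
        table[ipaddress.ip_network(fields[0])] = str(ipaddress.ip_address(fields[1]))
    return table

def diff_tables(old, new):
    """Classify what changed between two snapshots."""
    changed = (p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"withdrawn": sorted(old.keys() - new.keys(), key=order),
            "added": sorted(new.keys() - old.keys(), key=order),
            "next_hop_changed": sorted(changed, key=order)}

def alerts(old, new, critical, max_changes):
    """Alert on missing critical prefixes and on an unusually large diff."""
    out = []
    for p in sorted(map(ipaddress.ip_network, critical), key=order):
        if p not in new:
            out.append(f"CRITICAL {p} missing (last next hop: {old.get(p, 'never seen')})")
    total = sum(len(v) for v in diff_tables(old, new).values())
    if total > max_changes:
        out.append(f"LARGE-DIFF {total} changes, threshold {max_changes}")
    return out
```

Keeping the previous snapshot's next hop in the alert text answers the question from the original post: what the withdrawn prefix used to point at.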



Re: Route table prefix monitoring

2009-09-04 Thread Andree Toonk
Hi Jason, 

.-- My secret spy satellite informs me that at Fri, 04 Sep 2009, Olsen, Jason wrote:

 What I'm left thinking is that it would have been great if we'd had a
 snapshot of our core routing table as it stood hours or even days prior
 to this event occurring, so that I could compare it with our current
 broken state, so the team could have seen that subnet in the core
 table and what the next hop was for the prefix.  Are there any tools
 that people are using to track when/what prefixes are added/withdrawn
 from their routing tables, or to pull the routing table as a whole at
 regular intervals for storage/comparison purposes?  

As already mentioned BGPmon.net can probably do what you're looking for.
It will send you a notification in cases of interesting path changes,
possible hijacks, new adjacencies and new prefixes.  It will also notify
you when 'many' peers see a withdrawal of your prefix. This last feature
might be useful for you.

I'm currently also testing a new feature that basically compares
yesterday's routing table with today's table. If there are any
'interesting' changes they will be emailed to you.
You can think of this as a rancid for routing table changes.
I can include you in testing if you want to.

All of this does assume that your prefixes are globally visible though.

Cheers,
 Andree



RE: Route table prefix monitoring

2009-09-04 Thread Fouant, Stefan
 -Original Message-
 From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
 Sent: Friday, September 04, 2009 5:07 PM
 To: Paul Ferguson
 Cc: nanog@nanog.org
 Subject: Re: Route table prefix monitoring
 
 On Fri, Sep 4, 2009 at 4:59 PM, Paul Ferguson fergdawgs...@gmail.com wrote:
 
  On Fri, Sep 4, 2009 at 1:48 PM, Matthew Walster matt...@walster.org wrote:
 
  2009/9/4 Olsen, Jason jol...@devry.com:
  Are there any tools
  that people are using to track when/what prefixes are added/withdrawn
  from their routing tables,
 
  Could you use something like BGPMon?
 
  http://bgpmon.com/
 
 
  There's also:
 
  MyASN:
  http://www.ripe.net/info/faq/projects/myasn.html
 
  PHAS:
  http://phas.netsec.colostate.edu/stat.html
 
 I think the OP wanted something for 'internal route monitoring' ...
 since he's from DeVry I suspect it's to monitor things on DeVry's
 internal WAN which probably don't show in the global table.
 
 That said, you COULD have rancid (or abuse rancid) pull rib-dumps each
 'period' and index those into something that alerted on large diff's
 (or alerted if some critical bits were missing).  Or have a quagga box
 peer with some number of internal devices, log update messages, alert
 on withdrawal of critical bits.
 
 -chris
 (I don't know of any COTS tools that do this, sorry)

Tools such as Arbor Peakflow SP have a lot of cool traffic and routing
analysis bits for internal monitoring of this sort, but it might be a bit
out of your price range.  Having said that, I second Chris's approach
above utilizing some quagga box/low-end router (make sure you have enough
memory!) and simply reflect routes from your production routers in
conjunction with update message logging.

If you're looking for tools that perform analysis from an exterior
point-of-view, there is also BGPlay which has some cool widgetry to see
particular prefixes within a user-specific time interval.  Again it's
using the operators' route-servers so might not be of much value to you.

http://bgplay.routeviews.org/bgplay/

Stefan Fouant 
Neustar, Inc. / Principal Engineer
46000 Center Oak Plaza Sterling, VA 20166
Office: +1.571.434.5656 ▫ Mobile: +1.202.210.2075 ▫ GPG ID: 0xB5E3803D ▫ 
stefan.fou...@neustar.biz