Hi Devang,

We are using VRF NAT where the customer demands firewall services. To implement this we are advertising a default route, and VRF NAT is used on a per-VPN basis. This is the rate services in case of wholesale.

Actual implementation: we are creating an INTERNET VRF which has a default route. In the customer VRF the RT of the internet route is imported, and the VRF is able to get the default route. For reverse traffic an IPv4 route is added at the PE towards the customer interface.

regards
shivlu jain

On Fri, Feb 27, 2009 at 10:17 AM, <nanog-requ...@nanog.org> wrote:

> Send NANOG mailing list submissions to
>        nanog@nanog.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://mailman.nanog.org/mailman/listinfo/nanog
> or, via email, send a message with subject or body 'help' to
>        nanog-requ...@nanog.org
>
> You can reach the person managing the list at
>        nanog-ow...@nanog.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of NANOG digest..."
>
>
> Today's Topics:
>
>   1. RE: Documentation of switch maps (Gregory Boehnlein)
>   2. Re: Yahoo and their mail filters.. (Marshall Eubanks)
>   3. Re: Documentation of switch maps (Adam Armstrong)
>   4. Internet access using VRF aware NAT (devang patel)
>   5. Re: Yahoo and their mail filters.. (J.D. Falk)
>   6. Re: Yahoo and their mail filters.. (Carl Ford)
>   7. Re: Yahoo and their mail filters.. (J.D. Falk)
>   8. Re: Yahoo and their mail filters.. (Suresh Ramasubramanian)
>   9. Re: Yahoo and their mail filters.. (Brian Keefer)
>  10. Re: Yahoo and their mail filters.. (Jo Rhett)
>  11. Road Runner DNS servers (Ricardo Oliveira)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 26 Feb 2009 14:20:07 -0500
> From: "Gregory Boehnlein" <da...@nacs.net>
> Subject: RE: Documentation of switch maps
> To: "'Bielawa, Daniel W. \(NS\)'" <dwbiel...@liberty.edu>,
>        <nanog@nanog.org>
> Message-ID: <02bd01c99847$3c48e540$b4daaf...@net>
> Content-Type: text/plain; charset="us-ascii"
>
> Man.. I'd love to have this for Netgear switches! :)
>
> > -----Original Message-----
> > From: Bielawa, Daniel W. (NS) [mailto:dwbiel...@liberty.edu]
> > Sent: Thursday, February 26, 2009 2:07 PM
> > To: nanog@nanog.org
> > Subject: RE: Documentation of switch maps
> >
> > Hello,
> >
> > We use switchmap here for tracking port utilization, days
> > inactive, and devices connected. It uses SNMP to determine the
> > information.
> >
> > http://switchmap.sourceforge.net/
> >
> > Thank You
> >
> > Daniel Bielawa
> > Network Engineer
> > Liberty University Information Services
> >
> > -----Original Message-----
> > From: Blake Pfankuch [mailto:bpfank...@cpgreeley.com]
> > Sent: Thursday, February 26, 2009 2:01 PM
> > To: nanog@nanog.org
> > Subject: Documentation of switch maps
> >
> > Howdy.
> >
> > Had a customer come to me this morning who wanted to create a document
> > for their switching infrastructure and thought I would bounce it off
> > the rest of the world on how you usually do this. Typically I use a
> > spreadsheet with outlines to define the "switch" and then outlines for
> > the ports and color coding for vlan's as well as a description of the
> > port. Curious what other people are doing, as this would be a huge
> > undertaking for a customer who is using an entire /19 of rfc 1918 ip
> > addresses and has well over 150 switches and 40 active vlans. They want
> > to be able to look at this document and pull up any switch and look at
> > the port and be able to see what vlan the port is on, as well as what
> > device it is connected to as well as port channel membership, trunks
> > and other fun things like that. Needless to say their documentation is
> > lacking on the physical connectivity however their cisco infrastructure
> > does have labels on every port that goes to a named device outside of
> > the DHCP pools. Thoughts?
> >
> > Thanks,
> > Blake Pfankuch
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by N2Net Mailshield, and is
> > believed to be clean.
> >
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 26 Feb 2009 17:06:41 -0500
> From: Marshall Eubanks <t...@multicasttech.com>
> Subject: Re: Yahoo and their mail filters..
> To: John R. Levine <jo...@iecc.com>
> Cc: nanog@nanog.org
> Message-ID: <a3d823ef-4892-4d36-bdcb-b724d1ec0...@multicasttech.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
>
> On Feb 26, 2009, at 2:00 PM, John R. Levine wrote:
>
> >> You're that confident people know the difference between a real
> >> communication from a party they conversed with before and a phish
> >> designed to look like the same thing?
> >
>
> What I worry about is when software is used to scrape lists such as
> this and used to create phishing based on actual emails, so you get
> phishes apparently from people you know using their actual words.
> When the botnets start doing that things could get nasty fast.
>
> Regards
> Marshall
>
> > If it's a bank, probably not. If it's a random online store,
> > there's about a 99.9% chance it's actual junk mail and .01% that
> > it's anything else.
> >
> > R's,
> > John
> >
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 26 Feb 2009 23:55:38 +0000
> From: Adam Armstrong <li...@memetic.org>
> Subject: Re: Documentation of switch maps
> To: Blake Pfankuch <bpfank...@cpgreeley.com>
> Cc: "nanog@nanog.org" <nanog@nanog.org>
> Message-ID: <49a72bfa.1070...@memetic.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Blake Pfankuch wrote:
> > Howdy.
> >
> > Had a customer come to me this morning who wanted to create a document
> > for their switching infrastructure and thought I would bounce it off
> > the rest of the world on how you usually do this. Typically I use a
> > spreadsheet with outlines to define the "switch" and then outlines for
> > the ports and color coding for vlan's as well as a description of the
> > port. Curious what other people are doing, as this would be a huge
> > undertaking for a customer who is using an entire /19 of rfc 1918 ip
> > addresses and has well over 150 switches and 40 active vlans. They want
> > to be able to look at this document and pull up any switch and look at
> > the port and be able to see what vlan the port is on, as well as what
> > device it is connected to as well as port channel membership, trunks
> > and other fun things like that. Needless to say their documentation is
> > lacking on the physical connectivity however their cisco infrastructure
> > does have labels on every port that goes to a named device outside of
> > the DHCP pools. Thoughts?
> >
> If they're cisco or similar switches, make sure your port descriptions
> are correct, and keep configuration archives. Collect the port
> configuration/status with snmp and populate it into a database, that way
> you can generate whatever information you want in whatever format and
> it's accurate, which it won't be if you're expecting someone to update a
> spreadsheet.
>
> adam.
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 26 Feb 2009 17:38:18 -0700
> From: devang patel <devan...@gmail.com>
> Subject: Internet access using VRF aware NAT
> To: nanog@nanog.org
> Message-ID:
>        <d0fea3580902261638v857ca36ja7442ebc7c544...@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
>
> Have one question about VRF aware NAT for internet access! If we will
> enable the VRF aware NAT on local PE to have an internet access via
> central Internet PE then we will not have connectivity to any other VPN
> site as all local CE prefixes will be translated to the loopback IP
> address of the local PE.
>
> We can have route map which will match the ACL for specific CE source to
> specific VPN destination with deny key word and it will prevent the NAT
> when CE will try to communicate with other CE of same VPN or different
> VPN. That looks longer configuration in real world right! so is that the
> only way I have when I will have only one option to configure the local
> PE with VRF aware NAT to gain internet access?
> I need to know what is the implement in real world? How service provider
> networks are providing internet access with MPLS VPN option? I know about
> customer is getting VPN connectivity on one router and service provider
> will give other internet connectivity link which might be terminating on
> same router or other router. I just want to know which is mostly used
> option as far as the internet access service with MPLS VPN services!
>
> thanks,
> Devang Patel
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 26 Feb 2009 18:08:27 -0700
> From: "J.D. Falk" <jdfalk-li...@cybernothing.org>
> Subject: Re: Yahoo and their mail filters..
> To: nanog@nanog.org
> Message-ID: <49a73d0b.2010...@cybernothing.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Brian Keefer wrote:
>
> > The other options is to stuff all the spam messages in a folder and
> > expose them to the user, taking up a huge amount of storage space for
> > something the vast majority of users are never going to look at any way.
>
> Which is, in fact, what Yahoo! does by default. Users have the option to
> have that stuff deleted immediately, should they desire.
>
> > Blocking an entire site just because one John Doe user clicked a button
> > they don't even understand just does not make sense.
>
> You're right -- but Yahoo! has a sufficiently large userbase that they can
> count multiple complaints before blocking anything. Same story with AOL,
> and Hotmail, and Cloudmark, and many others who've used this technique for
> years.
>
> In all of those cases, they have safeguards to prevent gaming, to prevent
> bouncing, and pretty much everything else anyone's suggested thus far in
> this thread.
>
> > Last, anywhere that I've seen extensive use of forwards has had a maze
> > of difficult to untangle abuse problems related to forwarded spam. Any
> > site allowing forwarding should apply very robust filtering of outbound
> > mail.
>
> Very true. MAAWG published a document last year which includes some
> additional recommendations:
>
> http://www.maawg.org/about/publishedDocuments/MAAWG_Email_Forwarding_BP.pdf
>
> --
> J.D. Falk
> Return Path Inc
> http://www.returnpath.net/
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 26 Feb 2009 20:35:57 -0500
> From: Carl Ford <carl.f...@gmail.com>
> Subject: Re: Yahoo and their mail filters..
> To: Micheal Patterson <mich...@spmedicalgroup.com>
> Cc: nanog@nanog.org
> Message-ID:
>        <f79c56820902261735q3d958f3ey24c36aeb4ee29...@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> very old news.
>
> their filter restrictions have some very absurd rules
>
> On Tue, Feb 24, 2009 at 9:27 PM, Micheal Patterson <
> mich...@spmedicalgroup.com> wrote:
>
> > This may be old news, but I've not been in the list for quite some time.
> > At any rate, is anyone else having issues with Yahoo blocking / deferring
> > legitimate emails?
> >
> > My situation is that I host our corporate mx'ers on my network, one of
> > the companies that we recently purchased has Yahoo hosting their domains
> > mail. Mail traffic to them is getting temporarily deferred with the
> > "421 4.7.0 [TS01] Messages from xxx.xxx.xxx.xxx temporarily deferred due
> > to user complaints - 4.16.55.1;
> > see http://postmaster.yahoo.com/421-ts01.html"
> >
> > The admin of the facility has contacted Yahoo about this but their
> > response was for "more information" when they were told that traffic from
> > my mx to their domain was being deferred. I may end up just having them
> > migrate to my systems just to maintain company communications if we can't
> > clear this up in a timely manner.
> >
> > --
> > Micheal Patterson
> >
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 26 Feb 2009 18:15:08 -0700
> From: "J.D. Falk" <jdfalk-li...@cybernothing.org>
> Subject: Re: Yahoo and their mail filters..
> To: nanog@nanog.org
> Message-ID: <49a73e9c.1060...@cybernothing.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Barry Shein wrote:
>
> > I suggested that probably 99% of the false positives I see could be
> > avoided by just waiting until there are two or more complaints from
> > the same source before firing it back as spam.
>
> I've developed systems for ISPs to handle inbound complaints from AOL &
> such, and that's exactly what we did: multiple complaints were acted upon,
> single complaints only fed into the aggregate stats. On the INBOUND side.
> We didn't ask AOL to do that work for us.
>
> Many recipients of complaint feedback actually /want/ to receive every
> complaint, because -- like John Levine -- they treat those complaints as
> unsubscribe requests.
>
> Yours is not the common use case.
>
> --
> J.D. Falk
> Return Path Inc
> http://www.returnpath.net/
>
>
> ------------------------------
>
> Message: 8
> Date: Fri, 27 Feb 2009 07:34:46 +0530
> From: Suresh Ramasubramanian <ops.li...@gmail.com>
> Subject: Re: Yahoo and their mail filters..
> To: "J.D. Falk" <jdfalk-li...@cybernothing.org>
> Cc: nanog@nanog.org
> Message-ID:
>        <bb0e440a0902261804m77b0ca56nf3c61facf708b...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Fri, Feb 27, 2009 at 6:45 AM, J.D. Falk
> <jdfalk-li...@cybernothing.org> wrote:
> > Many recipients of complaint feedback actually /want/ to receive every
> > complaint, because -- like John Levine -- they treat those complaints as
> > unsubscribe requests.
>
> That's ONE use case. But we are not senders, and we do use a feedback
> loop because we are an ISP (like barry) but we don't have the luxury of
> a purely geek (so largely clean e&oe pwned systems) userbase like
> Barry has.
>
> In other words - we do get spammer customers. And the feedback loops
> provide us near real time notification of these, allowing us to
> terminate.
>
> > Yours is not the common use case.
>
> His IS the common use case. Just that he doesn't have the sort of
> userbase that will generate usable FBLs (aka no significant number of
> genuine spam issues on his network). For which he has to count
> himself lucky.
>
>
> ------------------------------
>
> Message: 9
> Date: Thu, 26 Feb 2009 20:17:37 -0800
> From: Brian Keefer <ch...@smtps.net>
> Subject: Re: Yahoo and their mail filters..
> To: "J.D. Falk" <jdfalk-li...@cybernothing.org>
> Cc: nanog@nanog.org
> Message-ID: <257f71e4-40ff-4587-9ead-f8988465b...@smtps.net>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
>
> On Feb 26, 2009, at 5:08 PM, J.D. Falk wrote:
> >> Blocking an entire site just because one John Doe user clicked a
> >> button they don't even understand just does not make sense.
> >
> > You're right -- but Yahoo! has a sufficiently large userbase that
> > they can count multiple complaints before blocking anything. Same
> > story with AOL, and Hotmail, and Cloudmark, and many others who've
> > used this technique for years.
>
> This does not appear to be the case from external observation. It may
> be in some cases that multiple reports are necessary, but it certainly
> seems there are hair-triggers in others. For instance, see the
> message from Eric Esslinger.
>
> As for not black-holing anything, I haven't personally verified with
> Yahoo!, but others have reported that they do. It's pretty common
> from what I've seen to simply make very high-scored messages disappear
> and only send the mid-range stuff to the spam folder. Hotmail, as
> mentioned, does this. One of the very large hosted filtering services
> does as well. I'm not saying it's bad (it makes sense if you can
> trust your scoring algorithm), but it does happen. Just because you
> get _some_ stuff in your spam folder doesn't mean that's all the spam
> that was blocked.
>
> --
> bk
>
>
> ------------------------------
>
> Message: 10
> Date: Thu, 26 Feb 2009 20:26:12 -0800
> From: Jo Rhett <jrh...@netconsonance.com>
> Subject: Re: Yahoo and their mail filters..
> To: Ray Corbin <rcor...@traffiq.com>
> Cc: "nanog@nanog.org" <nanog@nanog.org>
> Message-ID: <a7f2327c-ea78-480e-812c-d6fdd7008...@netconsonance.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> On Feb 25, 2009, at 8:14 AM, Ray Corbin wrote:
> > It depends on your environment. I've seen where it is helpful and
> > where it is overwhelming. If you are a smaller company and want to
> > know why you keep getting blocked then those should help. If you are
> > a larger company and get a several hundred a day, but you send 100k
> > emails to AOL then it is not as big of a deal. If you are a shared
> > hosting provider and you get a lot of them you should look into what
> > is being sent to AOL, such as forwarded spam from customers 'auto
> > forwards' (isolate the auto forwards to a separate IP address and
> > simply don't sign up for the FBL for it).... If you have a good
> > setup where only customer-originated email is being sent through the
> > IP's you have a FBL on, then it is useful and you shouldn't get as
> > many complaints.
>
>
> Ray, you don't get it. What comes from AOL is literally every step
> in a mother-daughter conversion. You get to read the entire thread.
> Loving chat, mother and daughter back and forth. But one of them is
> hitting SPAM on the e-mail *AFTER* replying to it and writing a nice
> letter back.
>
> This is abuse of the abuse department. This isn't spam. Reading
> through ~3k of these not-spams every day doesn't help us solve any
> actual abuse problems.
>
> Feedback loops will not be useful until the providers of the feedback
> loops accept reports about use of the spam reporting tools, and are
> willing to go fix their user behavior.
>
> --
> Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source
> and other randomness
>
>
> ------------------------------
>
> Message: 11
> Date: Thu, 26 Feb 2009 20:47:35 -0800
> From: Ricardo Oliveira <rvel...@cs.ucla.edu>
> Subject: Road Runner DNS servers
> To: nanog@nanog.org
> Message-ID: <9f40afa3-dabb-4ddc-8ce5-09393ff4e...@cs.ucla.edu>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> Is there anyone clueful in this list from Road Runner(Time Warner
> Cable) that can explain what's going on with their DNS servers - just
> contacted their tech support and heard their DNS servers have been
> under attack over the last 3 days..
> thanks,
>
> --Ricardo
>
>
> ------------------------------
>
> _______________________________________________
> NANOG mailing list
> NANOG@nanog.org
> http://mailman.nanog.org/mailman/listinfo/nanog
>
> End of NANOG Digest, Vol 13, Issue 145
> **************************************
>

--
Thanks & Regards
shivlu jain
http://shivlu.blogspot.com/
09312010137
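
Message 7 in the quoted digest describes complaint handling where a single feedback-loop complaint only feeds aggregate statistics and only multiple complaints are acted upon. The following sketch of that triage is an added example, not code from any poster in this thread; the record fields, the 24-hour window, the threshold of two distinct complainants and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 2                 # assumption: distinct complainants needed before acting
WINDOW = timedelta(hours=24)  # assumption: complaints must fall within one day


def triage(complaints, threshold=THRESHOLD, window=WINDOW):
    """Return (stats, actionable).

    stats counts every complaint per sending customer. actionable lists the
    customers with at least `threshold` distinct complainants inside one
    window. Repeat reports from the same mailbox count once, so one user
    pressing "report spam" repeatedly cannot trigger action alone.
    """
    stats = defaultdict(int)
    by_customer = defaultdict(list)
    for c in complaints:
        stats[c["customer"]] += 1
        by_customer[c["customer"]].append(
            (c["received"], c["complainant"].lower()))

    actionable = []
    for customer, events in by_customer.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge until the span fits inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            reporters = {who for _, who in events[start:end + 1]}
            if len(reporters) >= threshold:
                actionable.append(customer)
                break
    return dict(stats), sorted(actionable)


def _rec(customer, complainant, when):
    return {"customer": customer, "complainant": complainant,
            "received": datetime.fromisoformat(when)}


# Constructed sample complaints (hypothetical customers and mailboxes).
SAMPLE = [
    _rec("cust-a", "u1@example.net", "2009-02-26T10:00:00"),
    _rec("cust-a", "U1@example.net", "2009-02-26T10:05:00"),  # same user twice
    _rec("cust-b", "u2@example.net", "2009-02-26T11:00:00"),
    _rec("cust-b", "u3@example.net", "2009-02-26T12:30:00"),  # second reporter
    _rec("cust-c", "u4@example.net", "2009-02-24T09:00:00"),
    _rec("cust-c", "u5@example.net", "2009-02-26T09:00:01"),  # outside window
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Every complaint still lands in the per-customer statistics; only cust-b, with two different complainants inside the window, is returned for action.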