OSPF vs IS-IS vs PrivateAS eBGP

2009-08-19 Thread Clue Store
Hi All,

I know this has been discussed probably many times on this list, but I was
looking for some specifics about what others are doing in the following
situations.

I would like to run an IGP (currently OSPF) to our customers that are
multi-homed in a non-MPLS environment. They are multi-homed with small
prefixes that are SWIPed from my ARIN allocations. OSPF has been flaky at
best under certain conditions and I am thinking of making the move to IS-IS.
I have also seen others going to private AS and running eBGP. This seems a
bit much, but if it works, I'd make the move to it as I like BGP the most
(all of the BGP knobs give me the warm and fuzzies :).

I'd also like to see what folks are using in an MPLS network? OSPFv3 or
IS-IS or right to MP-BGP and redist static from the CE to PE?

On and off list are welcome. I'll make a summary after I gather the info.

Thanks,
Clue


Re: OSPF vs IS-IS vs PrivateAS eBGP

2009-08-19 Thread Clue Store
Sorry, not OSPFv3. IPv6 thoughts dancing in my head. OSPF-VRF as most of you
probably interpret.

On Wed, Aug 19, 2009 at 10:12 AM, Clue Store wrote:

> Hi All,
>
> I know this has been discussed probably many times on this list, but I was
> looking for some specifics about what others are doing in the following
> situations.
>
> I would like to run an IGP (currently OSPF) to our customers that are
> multi-homed in a non-MPLS environment. They are multi-homed with small
> prefixes that are SWIPed from my ARIN allocations. OSPF has been flaky at
> best under certain conditions and I am thinking of making the move to IS-IS.
> I have also seen others going to private AS and running eBGP. This seems a
> bit much, but if it works, I'd make the move to it as I like BGP the most
> (all of the BGP knobs give me the warm and fuzzies :).
>
> I'd also like to see what folks are using in an MPLS network? OSPFv3 or
> IS-IS or right to MP-BGP and redist static from the CE to PE?
>
> On and off list are welcome. I'll make a summary after I gather the info.
>
> Thanks,
> Clue
>


Re: OSPF vs IS-IS vs PrivateAS eBGP

2009-08-19 Thread Nick Hilliard

On 19/08/2009 16:12, Clue Store wrote:

> I would like to run an IGP (currently OSPF) to our customers that are
> multi-homed in a non-mpls environment.


Unless you want your customers to have very substantial control over your
internal network, don't use an SPF IGP like OSPF or IS-IS. You really
want to use BGP for this and private ASNs are fine - that's what they are
there for.


Nick
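Nick's point is that a customer speaking OSPF or IS-IS to you can inject any prefix into your link-state database, whereas on an eBGP session you accept only what you assigned them, and the place that control lives is an inbound prefix list on the customer session. As an added illustration that is not part of the thread, here is a small Python model of IOS prefix-list semantics (first match wins, ge/le length windows, implicit deny at the end) applied to constructed announcements. The prefixes 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for a SWIPed customer block, and the function names are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PrefixListEntry:
    """One line of an IOS-style prefix list: permit|deny <prefix> [ge N] [le N]."""
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The announced route must lie inside this entry's prefix ...
        if not route.subnet_of(self.prefix):
            return False
        # ... and its length must fall in the ge/le window. With neither keyword
        # only the exact length matches; "ge N" on its own opens the window to /32.
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = self.prefix.max_prefixlen
        else:
            high = self.prefix.prefixlen
        return low <= route.prefixlen <= high


def parse_prefix_list(lines: List[str]) -> List[PrefixListEntry]:
    """Parse lines such as 'permit 203.0.113.0/24 le 26', keeping their order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
            raise ValueError(f"unrecognised prefix-list line: {line!r}")
        entry = PrefixListEntry(tokens[0], ipaddress.IPv4Network(tokens[1], strict=True))
        options = tokens[2:]
        if len(options) % 2:
            raise ValueError(f"dangling keyword in {line!r}")
        for keyword, value in zip(options[::2], options[1::2]):
            if keyword == "ge":
                entry.ge = int(value)
            elif keyword == "le":
                entry.le = int(value)
            else:
                raise ValueError(f"unknown keyword {keyword!r} in {line!r}")
        entries.append(entry)
    return entries


def evaluate(entries: List[PrefixListEntry], announcement: str) -> str:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    route = ipaddress.IPv4Network(announcement, strict=True)
    for entry in entries:
        if entry.matches(route):
            return entry.action
    return "deny"


def filter_announcements(entries: List[PrefixListEntry], announcements: List[str]) -> Dict[str, str]:
    return {a: evaluate(entries, a) for a in announcements}


# Constructed policy: this customer was assigned 203.0.113.0/24 (a documentation
# prefix standing in for a SWIPed block) and may announce it whole or as
# subnets down to /26. Nothing else from this neighbour is accepted.
CUSTOMER_PREFIX_LIST = [
    "deny 0.0.0.0/0",               # never take a default route from a customer
    "permit 203.0.113.0/24 le 26",  # their block, /24 through /26
]

# Constructed sample of what the customer's router might send.
SAMPLE_ANNOUNCEMENTS = [
    "203.0.113.0/24",    # their block: permit
    "203.0.113.128/25",  # half of it, within le 26: permit
    "203.0.113.0/27",    # more specific than allowed: implicit deny
    "198.51.100.0/24",   # not their space: implicit deny
    "0.0.0.0/0",         # default route: explicit deny
]

if __name__ == "__main__":
    entries = parse_prefix_list(CUSTOMER_PREFIX_LIST)
    for route, verdict in filter_announcements(entries, SAMPLE_ANNOUNCEMENTS).items():
        print(f"{route:18} {verdict}")
```

One detail the model makes visible: `deny 0.0.0.0/0` on its own matches only the default route, while `deny 0.0.0.0/0 le 32` matches every IPv4 route, so the order and the length keywords carry as much weight as the prefix itself.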



Re: OSPF vs IS-IS vs PrivateAS eBGP

2009-08-19 Thread Jack Bates

Clue Store wrote:

> I have also seen others going to private AS and running eBGP. This seems a
> bit much, but if it works, i'd make the move to it as I like bgp the most
> (all of the BGP knobs give me the warm and fuzzies :).



Upon previous advice I've received from large ISPs, I shifted to ISIS to 
 strictly handle internal links and loopbacks which are stable in a 
single area and use iBGP/eBGP for everything else. While not currently 
using MPLS (size, topology, and customer demand don't warrant it), it's 
nice to have the foundations already in place. Shifting IGPs is 
annoying, especially given we previously had everything in the IGP.


The only perk I saw with OSPF was future development of supporting MPLS 
across multiple areas. ISIS just seemed to suit my needs better.


Jack



F5/Cisco catalyst configuration question

2009-08-19 Thread Scott Spencer
Trying to link an F5 Local Traffic Manager with a Cisco Catalyst 6500; have
matched ports (speed, duplex, etc.) but no link light at all on the F5. It does
link with a Cisco 2950 switch in between, but I need a direct connection with
the 6500.
 
Any suggestions what to try?
 
Best regards,
 
Scott Spencer
Data Center Asset Recovery/Remarketing Manager
Duane Whitlow & Co. Inc.
Nationwide Toll Free: 800.977.7473.  Direct: 972.865.1395  Fax: 972.931.3340
  sc...@dwc-computer.com
 www.dwc-it.com 
Cisco/Juniper/F5/Foundry/Brocade/Sun/IBM/Dell/Liebert and more ~   
 


RE: F5/Cisco catalyst configuration question

2009-08-19 Thread Christopher Greves
Scott,

We've had issues in the past with IOS 6500's auto-negotiating uplink ports with 
an LTM into ISL Trunk mode. This only occurred when we had the port on the LTM 
configured as a tagged interface. It was easily solved by forcing the port on 
the 6500 into dot1q encapsulation. I'm not sure this necessarily explains why 
you aren't seeing a link light on the LTM though. I can't remember what the 
interface status was on both sides. This does correlate to why it's working on 
the 2950's as they don't support ISL and would likely negotiate into dot1q.

Chris


Christopher Greves  |  Senior Systems Engineer
One North Lexington Ave, 9th Floor - White Plains, NY 10601
T 914-826-2067  |  C 914.420.8340  |  E christopher.gre...@mindspark.com
 
Mindspark Interactive Network, Inc. is an IAC company.



-Original Message-
From: Scott Spencer [mailto:sc...@dwc-computer.com] 
Sent: Wednesday, August 19, 2009 1:13 PM
To: nanog@nanog.org
Subject: F5/Cisco catalyst configuration question

Trying to link an F5 Local Traffic Manager with a Cisco Catalyst 6500; have
matched ports (speed, duplex, etc.) but no link light at all on the F5. It does
link with a Cisco 2950 switch in between, but I need a direct connection with
the 6500.
 
Any suggestions what to try?
 
Best regards,
 
Scott Spencer
Data Center Asset Recovery/Remarketing Manager
Duane Whitlow & Co. Inc.
Nationwide Toll Free: 800.977.7473.  Direct: 972.865.1395  Fax: 972.931.3340
  sc...@dwc-computer.com
 www.dwc-it.com 
Cisco/Juniper/F5/Foundry/Brocade/Sun/IBM/Dell/Liebert and more ~   
 



Re: OSPF vs IS-IS vs PrivateAS eBGP

2009-08-19 Thread Clue Store
Thanks for all the replies so far. Just to clarify, I am in the small
ISP/hosted services business. I was fortunate to inherit the current setup
of OSPF to the multi-homed customers. As I stated earlier, I would like to
run an IGP; what I really meant was I would like to run a routing protocol
that gives me the most control, as well as the customer, and that scales. I am not
dead set on running an IGP, as IGP in my mind refers to MY internal
gateways and not my customers' gateways. eBGP with private AS is what I
would like to go with, but I have had some in the industry say this is not
as good as running an IGP with the customer. However, I disagree, but from
the looks, this really might just come down to whatever protocol I'm
comfortable with and making sure that it is configured in the correct manner
for my situation. As far as my internal connections, I think I will be
migrating to IS-IS, but this is not the point of my message to the list, as
I am more concerned about customer connections.

Keep the opinions coming guys.

Clue

On Wed, Aug 19, 2009 at 12:01 PM, Nick Hilliard wrote:

> On 19/08/2009 16:12, Clue Store wrote:
>
>> I would like to run an IGP (currently OSPF) to our customers that are
>> multi-homed in a non-mpls environment.
>>
>
> Unless you want your customers to have very substantial control over your
> internal network, don't use an SPF IGP like OSPF or IS-IS. You really want
> to use BGP for this and private ASNs are fine - that's what they are there
> for.
>
> Nick
>
>


Re: OSPF vs IS-IS vs PrivateAS eBGP

2009-08-19 Thread Marko Milivojevic
> Keep the opinions coming guys.

There are certainly many opinions on this subject. However, the most
important factor is - how flexible do you wish to be? As you correctly
point out, this is not an issue of what protocol you are going to be
running inside your network. So, "IGP" is not an issue.

The issue at hand is what routing protocol you are going to be running
with your customers. The question you should ask yourself is - in what
situations are you going to be running a routing protocol with
customers? In those situations, how are you going to implement things
like loop prevention, path selection, load sharing and, most
importantly - how are you going to be carrying those routes in your
network? Now, if you are clear how to do those things and you are
comfortable with them in any given scenario - why would you limit
yourself to one thing? You could decide to be very flexible and do
"whatever the customer prefers", or you could limit yourself to one
routing protocol. There are pros and cons in both cases.

Personally, I prefer being able to be flexible with customers, but I
perfectly understand larger operators wanting to have "standard
package" that can be copy/pasted without much risk...

--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/



ALTER.NET Issues in Seattle

2009-08-19 Thread Gary T. Giesen
Seeing issues with Alter.net in Seattle to a Qwest DSL customer in
Portland (and looks like a possible routing loop as well) from
Calgary:

traceroute 63.227.218.201

Type escape sequence to abort.
Tracing the route to 63.227.218.201

  1 gw-V4051.bb101-2420-1.cgy.akn.ca (209.90.250.33) 0 msec 0 msec 0 msec
  2 maxtnt01-sdf-463.fast.net (204.92.61.209) 0 msec 0 msec 0 msec
  3 125.at-6-0-0.XT2.CAL1.ALTER.NET (152.63.138.122) 0 msec 0 msec 0 msec
  4 POS5-0.BR1.SEA1.ALTER.NET (152.63.105.85) 224 msec 212 msec 200 msec
  5 POS5-0.BR1.SEA1.ALTER.NET (152.63.105.85) 188 msec 184 msec 192 msec
  6 204.255.169.30 (204.255.169.30) 192 msec 192 msec 196 msec
  7 sea-core-02.inet.qwest.net (205.171.26.85) 200 msec 204 msec 204 msec
  8 por-core-01.inet.qwest.net (67.14.1.237) 208 msec 212 msec 224 msec
  9 ptld-agw1.inet.qwest.net (205.171.130.26) 240 msec 232 msec 236 msec
 10 ptld-dsl-gw34-10.ptld.qwest.net (207.225.86.10) 236 msec 244 msec 236 msec
 11 x.x.x.x (x.x.x.x) 296 msec *  252 msec

Seeing pings jump from 0 ms to 200+ ms at hop 4 (which also appears as
hop 5), and is definitely *not* explained by geographical distance.



Traceroutes from my Toronto POP are fine:

traceroute 63.227.218.201
traceroute to 63.227.218.201 (63.227.218.201), 30 hops max, 60 byte packets
 1  ge0-1.cyan.akn.ca (66.135.102.132)  1.506 ms  1.498 ms  1.482 ms
 2  ge-0-0-3.V4022.smalt.akn.ca (66.135.108.85)  2.198 ms  2.193 ms  2.180 ms
 3  te3-5.1244.ccr02.yyz02.atlas.cogentco.com (38.112.93.49)  1.640 ms  1.634 ms  1.624 ms
 4  te3-2.ccr01.ord01.atlas.cogentco.com (66.28.4.213)  16.861 ms  16.884 ms te9-8.ccr01.ord01.atlas.cogentco.com (154.54.27.241)  16.890 ms
 5  154.54.29.18 (154.54.29.18)  17.594 ms  17.594 ms  17.582 ms
 6  qwest.ord03.atlas.cogentco.com (154.54.10.186)  17.001 ms  16.384 ms qwest.ord03.atlas.cogentco.com (154.54.12.106)  16.435 ms
 7  cer-core-01.inet.qwest.net (205.171.139.113)  16.480 ms  16.795 ms  16.802 ms
 8  por-core-01.inet.qwest.net (67.14.1.237)  72.435 ms  72.472 ms  72.448 ms
 9  ptld-agw1.inet.qwest.net (205.171.130.26)  72.502 ms  72.473 ms  72.473 ms
10  ptld-dsl-gw34-10.ptld.qwest.net (207.225.86.10)  72.985 ms  72.958 ms  72.626 ms
11  x.x.x.x (x.x.x.x)  134.030 ms * *


Anyone else seeing the same thing?

GG
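The two things Gary points at in the Calgary trace (one address answering for both hop 4 and hop 5, and the minimum RTT stepping from 0 to about 200 msec at that hop) can be pulled out of traceroute output mechanically, which is handy when you are comparing many paths during an incident. As an added example that is not from the poster, here is a Python parser for IOS-style traceroute lines ("N name (addr) X msec Y msec Z msec") run over the trace quoted above; the hop-line regex, the 100 msec step threshold and the function names are my choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One IOS-style hop line, e.g.
#   "  4 POS5-0.BR1.SEA1.ALTER.NET (152.63.105.85) 224 msec 212 msec 200 msec"
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\w.]+)\)\s*(.*)$")
RTT_RE = re.compile(r"(\d+)\s*msec")


@dataclass
class Hop:
    ttl: int
    name: str
    addr: str
    rtts: List[int]  # answered probes, in msec
    lost: int        # probes printed as "*"

    @property
    def min_rtt(self) -> Optional[int]:
        # The minimum is the steadiest per-hop figure; None if nothing answered.
        return min(self.rtts) if self.rtts else None


def parse_ios_traceroute(text: str) -> List[Hop]:
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner lines such as "Type escape sequence to abort."
        ttl, name, addr, tail = m.groups()
        hops.append(Hop(int(ttl), name, addr,
                        [int(x) for x in RTT_RE.findall(tail)], tail.count("*")))
    return hops


def analyse(hops: List[Hop], jump_ms: int = 100) -> List[str]:
    """Flag the two patterns in the post: one address answering for consecutive
    TTLs, and a step of jump_ms or more in minimum RTT between adjacent hops."""
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        if cur.addr == prev.addr:
            findings.append(f"hops {prev.ttl} and {cur.ttl} both answered from {cur.addr}")
        if (prev.min_rtt is not None and cur.min_rtt is not None
                and cur.min_rtt - prev.min_rtt >= jump_ms):
            findings.append(f"min RTT steps from {prev.min_rtt} to {cur.min_rtt} msec "
                            f"between hops {prev.ttl} and {cur.ttl}")
    return findings


# The Calgary traceroute from the post above; the last hop was masked as
# x.x.x.x by the poster.
CALGARY_TRACE = """\
Type escape sequence to abort.
Tracing the route to 63.227.218.201

  1 gw-V4051.bb101-2420-1.cgy.akn.ca (209.90.250.33) 0 msec 0 msec 0 msec
  2 maxtnt01-sdf-463.fast.net (204.92.61.209) 0 msec 0 msec 0 msec
  3 125.at-6-0-0.XT2.CAL1.ALTER.NET (152.63.138.122) 0 msec 0 msec 0 msec
  4 POS5-0.BR1.SEA1.ALTER.NET (152.63.105.85) 224 msec 212 msec 200 msec
  5 POS5-0.BR1.SEA1.ALTER.NET (152.63.105.85) 188 msec 184 msec 192 msec
  6 204.255.169.30 (204.255.169.30) 192 msec 192 msec 196 msec
  7 sea-core-02.inet.qwest.net (205.171.26.85) 200 msec 204 msec 204 msec
  8 por-core-01.inet.qwest.net (67.14.1.237) 208 msec 212 msec 224 msec
  9 ptld-agw1.inet.qwest.net (205.171.130.26) 240 msec 232 msec 236 msec
 10 ptld-dsl-gw34-10.ptld.qwest.net (207.225.86.10) 236 msec 244 msec 236 msec
 11 x.x.x.x (x.x.x.x) 296 msec *  252 msec
"""

if __name__ == "__main__":
    for finding in analyse(parse_ios_traceroute(CALGARY_TRACE)):
        print(finding)
```

Both flags are hints rather than proof: a router can answer for two consecutive TTLs without a forwarding loop, and a latency step at a single hop can be that hop's own ICMP generation being slow. What makes the Calgary case convincing is that every later hop keeps the extra 200 msec, so the delay is on the forwarding path, not in one router's control plane.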



Re: ALTER.NET Issues in Seattle

2009-08-19 Thread Gary T. Giesen
Another note:

Seeing >50% packet loss with 605-byte packets or larger. Anything
604 or under and there's zero packet loss, with or without the DF bit set.

GG

On Wed, Aug 19, 2009 at 2:40 PM, Gary T. Giesen wrote:
> Seeing issues with Alter.net in Seattle to a Qwest DSL customer in
> Portland (and looks like a possible routing loop as well) from
> Calgary:
>
> traceroute 63.227.218.201
>
> Type escape sequence to abort.
> Tracing the route to 63.227.218.201
>
>  1 gw-V4051.bb101-2420-1.cgy.akn.ca (209.90.250.33) 0 msec 0 msec 0 msec
>  2 maxtnt01-sdf-463.fast.net (204.92.61.209) 0 msec 0 msec 0 msec
>  3 125.at-6-0-0.XT2.CAL1.ALTER.NET (152.63.138.122) 0 msec 0 msec 0 msec
>  4 POS5-0.BR1.SEA1.ALTER.NET (152.63.105.85) 224 msec 212 msec 200 msec
>  5 POS5-0.BR1.SEA1.ALTER.NET (152.63.105.85) 188 msec 184 msec 192 msec
>  6 204.255.169.30 (204.255.169.30) 192 msec 192 msec 196 msec
>  7 sea-core-02.inet.qwest.net (205.171.26.85) 200 msec 204 msec 204 msec
>  8 por-core-01.inet.qwest.net (67.14.1.237) 208 msec 212 msec 224 msec
>  9 ptld-agw1.inet.qwest.net (205.171.130.26) 240 msec 232 msec 236 msec
>  10 ptld-dsl-gw34-10.ptld.qwest.net (207.225.86.10) 236 msec 244 msec 236 msec
>  11 x.x.x.x (x.x.x.x) 296 msec *  252 msec
>
> Seeing pings jump from 0 ms to 200+ ms at hop 4 (which also appears as
> hop 5), and is definitely *not* explained by geographical distance.
>
>
>
> Traceroutes from my Toronto POP are fine:
>
> traceroute 63.227.218.201
> traceroute to 63.227.218.201 (63.227.218.201), 30 hops max, 60 byte packets
>  1  ge0-1.cyan.akn.ca (66.135.102.132)  1.506 ms  1.498 ms  1.482 ms
>  2  ge-0-0-3.V4022.smalt.akn.ca (66.135.108.85)  2.198 ms  2.193 ms  2.180 ms
>  3  te3-5.1244.ccr02.yyz02.atlas.cogentco.com (38.112.93.49)  1.640 ms  1.634 ms  1.624 ms
>  4  te3-2.ccr01.ord01.atlas.cogentco.com (66.28.4.213)  16.861 ms  16.884 ms te9-8.ccr01.ord01.atlas.cogentco.com (154.54.27.241)  16.890 ms
>  5  154.54.29.18 (154.54.29.18)  17.594 ms  17.594 ms  17.582 ms
>  6  qwest.ord03.atlas.cogentco.com (154.54.10.186)  17.001 ms  16.384 ms qwest.ord03.atlas.cogentco.com (154.54.12.106)  16.435 ms
>  7  cer-core-01.inet.qwest.net (205.171.139.113)  16.480 ms  16.795 ms  16.802 ms
>  8  por-core-01.inet.qwest.net (67.14.1.237)  72.435 ms  72.472 ms  72.448 ms
>  9  ptld-agw1.inet.qwest.net (205.171.130.26)  72.502 ms  72.473 ms  72.473 ms
> 10  ptld-dsl-gw34-10.ptld.qwest.net (207.225.86.10)  72.985 ms  72.958 ms  72.626 ms
> 11  x.x.x.x (x.x.x.x)  134.030 ms * *
>
>
> Anyone else seeing the same thing?
>
> GG
>



Fwd: [Full-disclosure] Cisco Security Advisory: Firewall Services Module Crafted ICMP Message Vulnerability

2009-08-19 Thread John Kinsella

FYI...I thought PSIRT sent security notices to nanog?

Begin forwarded message:

From: Cisco Systems Product Security Incident Response Team

Date: August 19, 2009 10:12:26 AM PDT
To: full-disclos...@lists.grok.org.uk
Cc: ps...@cisco.com
Subject: [Full-disclosure] Cisco Security Advisory: Firewall Services Module Crafted ICMP Message Vulnerability


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Firewall Services Module Crafted ICMP Message
Vulnerability

Advisory ID: cisco-sa-20090819-fwsm

http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml

Revision 1.0

For Public Release 2009 August 19 1600 UTC (GMT)

Summary
=======

A vulnerability exists in the Cisco Firewall Services Module (FWSM) for
the Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The
vulnerability may cause the FWSM to stop forwarding traffic and may be
triggered while processing multiple, crafted ICMP messages.

There are no known instances of intentional exploitation of this
vulnerability. However, Cisco has observed data streams that appear to
trigger this vulnerability unintentionally.

Cisco has released free software updates that address this
vulnerability.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml.

Affected Products
=================

Vulnerable Products
- -------------------

All non-fixed 2.x, 3.x and 4.x versions of the FWSM software are
affected by this vulnerability.

To determine the version of the FWSM software that is running, issue
the "show module" command-line interface (CLI) command from Cisco IOS
Software or Cisco Catalyst Operating System Software to identify what
modules and sub-modules are installed in the system.

The following example shows a system with an FWSM (WS-SVC-FWM-1)
installed in slot 4.

switch#show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAx
  4     6 Firewall Module                        WS-SVC-FWM-1       SAx
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAx
  6     2 Supervisor Engine 720 (Hot)            WS-SUP720-BASE     SAx


After locating the correct slot, issue the "show module "
command to identify the software version that is running.

switch#show module 4
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  4     6 Firewall Module                        WS-SVC-FWM-1       SAx

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ----------------------------------- ----- ------------ ------------ -------
  4 0003.e4xx. to 0003.e4xx.            3.0   7.2(1)       3.2(3)       Ok


The preceding example shows that the FWSM is running software version
3.2(3) as indicated by the column under "Sw".

Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the "show module" command;
therefore, executing the "show module " command is not
necessary.

If a Virtual Switching System (VSS) is used to allow two physical Cisco
Catalyst 6500 Series Switches to operate as a single logical virtual
switch, the "show module switch all" command can display the software
version of all FWSMs that belong to switch 1 and switch 2. The output
from this command will be similar to the output from the "show module
" but will include module information for the modules in
each switch in the VSS.

Alternatively, version information can be obtained directly from the
FWSM through the "show version" command, as shown in the following
example.

   FWSM#show version
   FWSM Firewall Version 3.2(3)

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to
manage their devices can find the version of the software displayed in
the table in the login window or in the upper left corner of the ASDM
window. The version notation is similar to the following example.

   FWSM Version: 3.2(3)

Products Confirmed Not Vulnerable
- ---------------------------------

Other Cisco products that offer firewall services, including Cisco IOS
Software, Cisco ASA 5500 Series Adaptive Security Appliances, and Cisco
PIX Security Appliances, are not affected by this vulnerability.

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

The Cisco FWSM is a high-speed, integrated firewall module for Catalyst
6500 Series Switches and Cisco 7600 Series Routers. The FWSM offers
firewall services with stateful packet filtering and deep packet
inspection.

A vulnerability exists in the Cisco FWSM Software that may cause
the FWSM to stop forwar
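The version check the advisory walks through (find the FWSM slot in "show module", then read the Sw column for that slot) is easy to get wrong by splitting on whitespace, because card types such as "Supervisor Engine 720 (Active)" contain spaces. As an added example that is neither part of the advisory nor a Cisco tool, here is a Python parser that uses the dashed separator line to find the fixed-width column boundaries, run over a constructed sample laid out like the advisory's own (serial numbers and MAC addresses are placeholders, as they are in the advisory). The 2.x/3.x/4.x trains come from the advisory text above; the fixed releases are not in the excerpt, so the result is a triage flag to compare against the advisory's fixed-software table, not a verdict. Function names are mine.

```python
import re
from typing import Dict, List, Optional

FWSM_MODEL = "WS-SVC-FWM-1"
AFFECTED_TRAINS = {2, 3, 4}  # the non-fixed trains the advisory names


def parse_fixed_width_tables(text: str) -> List[List[Dict[str, str]]]:
    """Split IOS 'show module' output into tables of {column: value} rows.

    Each table is a header line followed by a line of dash groups. The dash
    groups give the column boundaries; the last column runs to end of line and
    a blank line ends the table.
    """
    lines = text.splitlines()
    tables, i = [], 0
    while i < len(lines) - 1:
        sep = lines[i + 1]
        if "---" not in sep or not set(sep.strip()) <= {"-", " "}:
            i += 1
            continue
        spans = [(m.start(), m.end()) for m in re.finditer(r"-+", sep)]
        spans[-1] = (spans[-1][0], None)  # open-ended last column
        names = [lines[i][a:b].strip() for a, b in spans]
        rows, j = [], i + 2
        while j < len(lines) and lines[j].strip():
            rows.append({n: lines[j][a:b].strip() for n, (a, b) in zip(names, spans)})
            j += 1
        tables.append(rows)
        i = j
    return tables


def find_fwsm_modules(show_module: str) -> List[Dict[str, str]]:
    """Rows of the Mod/Ports/Card Type table that describe an FWSM."""
    return [row for table in parse_fixed_width_tables(show_module) for row in table
            if row.get("Model") == FWSM_MODEL or "Firewall Module" in row.get("Card Type", "")]


def software_versions(text: str) -> Dict[int, str]:
    """Slot -> 'Sw' column from any MAC/Hw/Fw/Sw table present (the per-slot
    'show module' output, or plain 'show module' on recent IOS)."""
    return {int(row["Mod"]): row["Sw"]
            for table in parse_fixed_width_tables(text) for row in table
            if "Sw" in row and row.get("Mod", "").isdigit()}


def major_train(sw: str) -> Optional[int]:
    m = re.match(r"(\d+)\.", sw)
    return int(m.group(1)) if m else None


def in_affected_train(sw: str) -> bool:
    """True for the 2.x/3.x/4.x trains the advisory lists; fixed releases within
    those trains are not in the excerpt, so treat True as 'check further'."""
    return major_train(sw) in AFFECTED_TRAINS


def triage(show_module: str, per_slot: str = "") -> List[Dict[str, object]]:
    versions = software_versions(show_module + "\n\n" + per_slot)
    report = []
    for row in find_fwsm_modules(show_module):
        slot = int(row["Mod"])
        sw = versions.get(slot)
        report.append({"slot": slot, "model": row["Model"], "sw": sw,
                       "affected_train": in_affected_train(sw) if sw else None})
    return report


# Constructed samples laid out like the advisory's example; "SAxxxxxxxxx" and
# "0003.e4xx.xxxx" are placeholders for the redacted serials and MACs.
SHOW_MODULE = """\
switch#show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAxxxxxxxxx
  4     6 Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAxxxxxxxxx
  6     2 Supervisor Engine 720 (Hot)            WS-SUP720-BASE     SAxxxxxxxxx
"""

SHOW_MODULE_4 = """\
switch#show module 4
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  4     6 Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ----------------------------------- ----- ------------ ------------ -------
  4 0003.e4xx.xxxx to 0003.e4xx.xxxx    3.0   7.2(1)       3.2(3)       Ok
"""

if __name__ == "__main__":
    for entry in triage(SHOW_MODULE, SHOW_MODULE_4):
        print(entry)
```

Feeding the output of "show module switch all" from a VSS pair through the same functions works unchanged, since the parser keys on the header/separator pairs rather than on line positions.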

Re: IPv6 Addressing Help

2009-08-19 Thread Nathan Ward


On 16/08/2009, at 1:29 AM, William Herrin wrote:


> Start with: /32
> Sparsely allocate 200 /56's
>
> Total remaining space: in excess of /33. In fact, you haven't consumed
> a single /48.
> Expandability by altering the netmask: to /40
> Largest allocation still possible: only /40



My suggestion was to sparsely allocate /48s to push addresses to POPs  
(or something topologically relevant to your network, maybe even  
NASes) as required.


So, 200 /56s, sparsely allocated, would still be one /48 (or however  
many /48s you want to have around your network, as above).


Sparse allocation within each of those /48s is also potentially a good  
idea - case by case. Doesn't make sense on an ADSL pool where everyone  
has the same length. Makes sense where you're assigning address space  
to customers who are likely to have different prefix lengths.


Sparse allocation of /48s within a /32 has the advantage of letting  
you grow each area of your address space in each area independently.  
You can put one /48 in one POP or NAS or something, and 10 in another,  
without having to break any of your addressing architecture rules.


/48s seem flexible enough to me, but perhaps you want to use this  
technique with /44s or /40s, or something.


--
Nathan Ward
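The arithmetic in William Herrin's quoted list (200 sparse allocations inside a /32 leave every one of them able to grow to a /40) and Nathan's sparse /48s per POP rest on the same rule: hand out child prefixes in bit-reversed counter order, so each new block lands as far from the existing ones as possible and can later be widened by shortening its mask instead of renumbering. As an added example that is not from either poster, here is that rule in Python, together with a check of how far each block can still grow; 2001:db8::/32 is the documentation prefix and the function names are mine. The growth ceiling turns out to depend on the number of allocations, not on whether they are /48s or /56s.

```python
import ipaddress
from typing import Dict


def sparse_allocate(parent, plen: int, index: int) -> ipaddress.IPv6Network:
    """Return the index-th child of length plen from parent, numbered by bit
    reversal: allocation 0 is the start of the parent, 1 is halfway through it,
    2 and 3 sit at the quarter points, and so on. Each new block therefore lands
    as far from the existing ones as possible."""
    parent = ipaddress.IPv6Network(parent)
    bits = plen - parent.prefixlen
    if bits <= 0 or plen > 128 or index >= 2 ** bits:
        raise ValueError("index does not fit between the parent and child lengths")
    reversed_index = int(format(index, f"0{bits}b")[::-1], 2)
    base = int(parent.network_address) + (reversed_index << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def growth_limit(block, allocated, parent) -> int:
    """Shortest prefix length to which block can be widened without overlapping
    another allocation or leaving the parent (a smaller number means more room)."""
    parent = ipaddress.IPv6Network(parent)
    others = [a for a in allocated if a != block]
    plen = block.prefixlen
    while plen > parent.prefixlen:
        wider = block.supernet(new_prefix=plen - 1)
        if any(wider.overlaps(other) for other in others):
            break
        plen -= 1
    return plen


def plan(parent, plen: int, count: int) -> Dict[str, int]:
    """Allocate count blocks of length plen sparsely and report, per block, the
    shortest prefix it could still grow to."""
    blocks = [sparse_allocate(parent, plen, i) for i in range(count)]
    return {str(b): growth_limit(b, blocks, parent) for b in blocks}


if __name__ == "__main__":
    parent = "2001:db8::/32"  # documentation prefix standing in for an allocation
    for block, limit in plan(parent, 48, 4).items():
        print(f"{block:24} can grow to /{limit}")
    for child_len in (48, 56):
        worst = max(plan(parent, child_len, 200).values())
        print(f"200 sparse /{child_len}s: every block can still grow to at least /{worst}")
```

The first four /48s come out as 2001:db8::/48, 2001:db8:8000::/48, 2001:db8:4000::/48 and 2001:db8:c000::/48, each able to widen to a /34. With 200 allocations the worst-placed block can still reach /40, matching the quoted figure, and blocks whose neighbours happen to be unallocated can go further. RFC 3531 describes the same bisection idea for IPv6 address blocks.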




Re: F5/Cisco catalyst configuration question

2009-08-19 Thread Darren Bolding
What model BIG-IP?
On some models I have had to set the BIG-IP's or the 6500 (can't remember
which) to specified speed/duplex and the other side to auto.

I believe it was auto on the BIG-IP and fixed on the 6500.

Setting both sides the same did not work.

On Wed, Aug 19, 2009 at 10:41 AM, Christopher Greves <christopher.gre...@mindspark.com> wrote:

> Scott,
>
> We've had issues in the past with IOS 6500's auto-negotiating uplink ports
> with an LTM into ISL Trunk mode. This only occurred when we had the port on
> the LTM configured as a tagged interface. It was easily solved by forcing
> the port on the 6500 into dot1q encapsulation. I'm not sure this necessarily
> explains why you aren't seeing a link light on the LTM though. I can't
> remember what the interface status was on both sides. This does correlate to
> why it's working on the 2950's as they don't support ISL and would likely
> negotiate into dot1q.
>
> Chris
>
>
> Christopher Greves  |  Senior Systems Engineer
> One North Lexington Ave, 9th Floor - White Plains, NY 10601
> T 914-826-2067  |  C 914.420.8340  |  E christopher.gre...@mindspark.com
>
> Mindspark Interactive Network, Inc. is an IAC company.
>
>
>
> -Original Message-
> From: Scott Spencer [mailto:sc...@dwc-computer.com]
> Sent: Wednesday, August 19, 2009 1:13 PM
> To: nanog@nanog.org
> Subject: F5/Cisco catalyst configuration question
>
> Trying to link an F5 Local Traffic Manager with a Cisco Catalyst 6500; have
> matched ports (speed, duplex, etc.) but no link light at all on the F5. It does
> link with a Cisco 2950 switch in between, but I need a direct connection with
> the 6500.
>
> Any suggestions what to try?
>
> Best regards,
>
> Scott Spencer
> Data Center Asset Recovery/Remarketing Manager
> Duane Whitlow & Co. Inc.
> Nationwide Toll Free: 800.977.7473.  Direct: 972.865.1395  Fax:
> 972.931.3340
>   sc...@dwc-computer.com
>  www.dwc-it.com
> Cisco/Juniper/F5/Foundry/Brocade/Sun/IBM/Dell/Liebert and more ~
>
>
>


-- 
--  Darren Bolding  --
--  dar...@bolding.org   --


Re: IPv6 Addressing Help

2009-08-19 Thread Jack Bates

Nathan Ward wrote:
> /48s seem flexible enough to me, but perhaps you want to use this
> technique with /44s or /40s, or something.


Given my unusual network consisting of a dozen different telcos, I
actually assign each a /40 at a time, then /44-48 in each of their POPs
depending on expected growth. I probably could have possibly gone with
/36, but then I limit my own allocations to them and I'd like to hope I
get more telcos in the future. I do sparse allocation on the /40s to
allow smaller routing tables if desired, though. Even for things that
don't need nibble boundaries for technical reasons, I usually maintain
them for ease of management and scripting.


Jack