Re: CoPP on NXOS

2021-02-19 Thread Jay Ford

Setting the "conform" & "violate" actions to "drop" for a class with
appropriate ACL matching seems to work:

   policy-map type control-plane copp-policy-whatever
     ! other classes ...
     class copp-class-undesirable-junk
       set cos 0
       police cir 32 kbps bc 310 ms conform drop violate drop
     ! other classes ...

The rates are irrelevant in that case, but still required.

_____
Jay Ford, Network Engineering, University of Iowa
email: jay-f...@uiowa.edu, phone: 319-335-

On Wed, 17 Feb 2021, Drew Weaver wrote:

This might be a little too platform/vendor specific for this group so I
apologize in advance if that is the case.

Does anyone have a working example of CoPP on NXOS which limits things like
BGP, SSH, and the NXAPI HTTPS interface to a specific remote /32 and blocks
everything else that is not specifically allowed in the ACLs attached to the
classes?

I’ve had a ticket open /w TAC for a month and I’m actually getting nowhere.

Thank you so much,

-Drew
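As an added example (not part of Jay's post, and not Cisco code): a Python model of a single-rate token-bucket policer with the NX-OS "conform"/"violate" actions, run over a constructed burst, to show what "the rates are irrelevant" means in practice. With conform transmit / violate drop the cir and bc decide how much of a burst gets through; with both actions set to drop, nothing matching the class is ever transmitted. The bucket depth of cir * bc and the per-millisecond refill are this model's assumptions; the hardware policer on a given Nexus platform may differ in granularity.

```python
# Added example, not from the original post: a single-rate, two-colour token-bucket
# policer modelling NX-OS "police cir <kbps> bc <ms> conform <action> violate <action>".
# Assumption: bucket depth = cir * bc, refilled continuously at cir (integer bits,
# 1 kbps * 1 ms = 1 bit, so the arithmetic below is exact).
from dataclasses import dataclass


@dataclass
class PoliceClass:
    name: str
    cir_kbps: int
    bc_ms: int
    conform: str   # "transmit" or "drop"
    violate: str   # "transmit" or "drop"

    @property
    def bucket_bits(self) -> int:
        """Burst size in bits: CIR (kbps) * Bc (ms) == bits."""
        return self.cir_kbps * self.bc_ms


def police(cls: PoliceClass, arrivals):
    """arrivals: iterable of (time_ms, size_bytes). Returns [(time_ms, action), ...]."""
    tokens = cls.bucket_bits          # bucket starts full
    last_ms = None
    verdicts = []
    for t_ms, size_bytes in arrivals:
        if last_ms is not None:       # refill for the elapsed time, capped at the bucket depth
            tokens = min(cls.bucket_bits, tokens + cls.cir_kbps * (t_ms - last_ms))
        last_ms = t_ms
        bits = size_bytes * 8
        if bits <= tokens:            # conforming packet: consume tokens
            tokens -= bits
            action = cls.conform
        else:                         # out of profile: no tokens consumed
            action = cls.violate
        verdicts.append((t_ms, action))
    return verdicts


def transmitted(verdicts) -> int:
    return sum(1 for _, action in verdicts if action == "transmit")


# Constructed traffic: 100 packets of 100 bytes, one per millisecond (800 kbps),
# far above a 32 kbps CIR.
BURST = [(t, 100) for t in range(100)]

# Same cir/bc as the post; only the actions differ.
RATE_LIMITED = PoliceClass("copp-class-rate-limited", 32, 310, "transmit", "drop")
BLACKHOLE = PoliceClass("copp-class-undesirable-junk", 32, 310, "drop", "drop")

if __name__ == "__main__":
    for cls in (RATE_LIMITED, BLACKHOLE):
        v = police(cls, BURST)
        print(f"{cls.name}: {transmitted(v)} of {len(v)} packets transmitted")
```

With the rate-limited class the first 1240 bytes of the burst (32 kbps * 310 ms) pass and then roughly one packet every 25 ms; with the drop/drop class the same numbers still have to be configured but never affect the verdict.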


Re: QoS for Office365

2019-07-09 Thread Jay Ford

On Tue, 9 Jul 2019, Mark Tinka wrote:

On 9/Jul/19 16:18, Ross Tajvar wrote:

I think the difficulty lies in appropriately marking the traffic. Like
Joe said, the IPs are always changing.


Does anyone know if they are reasonably static in an Express Route scenario?


At least sometimes M$ says that Express Route is just for Azure, not for 
Orifice 365.  It's even possible that using Express Route for O365 could be 
worse due to undermining/bypassing some of the O365 availability mechanisms.


______
Jay Ford , Network Engineering, University of Iowa


Re: Dedicated Server and IP anycast provider recommendation

2018-08-07 Thread Jay Ford

On Tue, 7 Aug 2018, John Kristoff wrote:

For those that may have used or know of a service like this.  I know
some exist, but it doesn't seem to be that popular or widely advertised
as a standard service.

I'm interested in pointers to a hosting/network provider that leases
dedicated servers and can provide an anycast IP address assignment to
two or more US-diversely connected POPs, but with reasonably consistent
routing (e.g. peering, transit).  A customer-shared prefix is OK. I'm
interested in pointers to networks that would provide the prefix and
handle all the routing.


Depending on the details of what you're after, Packet Host and/or Vultr might 
suffice.  They do BGP, IPv4 & IPv6 even. They have various flavors of 
servers, some of which might meet your definition of "dedicated".  I do a 
little BGP-based anycast DNS with both of them, with pretty decent results.


________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-


Re: Level3 IRR contact

2018-09-17 Thread Jay Ford
I had success cleaning up old IRR stuff via email to the contact listed in 
the AS3561 whois entry.  It's a different person listed now, but perhaps they 
are also interested & responsive.


____
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-

 On Mon, 17 Sep 2018, Eric Dugas wrote:

If you find someone helpful at L3/CL for your request, I would like to have their 
contact (off-list). I've been trying to
clean up old objects too without much success.

Eric
On Sep 17 2018, at 10:15 am, Brian Rak  wrote:

I'm trying to get some old IRR objects removed from the LEVEL3 database,
and not having much luck.

Their support guys silently closed my ticket and then had our account
manager email us directly basically saying "we don't know what you want us to
do".

I used to use routing@level3 to get this done, however they don't seem
to reply anymore.

http://www.irr.net/docs/list.html directs me to r...@level3.net, which has
an autoreply that says "open a ticket"


Re: Level3's IRR db

2018-12-13 Thread Jay Ford

On Thu, 13 Dec 2018, John Von Essen wrote:
What's the best way to get in contact with Level3 to make an IRR change... if 
you're not a Level3 customer?


I tried emailing r...@level3.net but that bounces back as an unmonitored 
mailbox. There are dup IRR entries in Level3's db for my prefixes (legacy 
from a carrier I used over 10 years ago). My prefixes are in Arin's IRR and I 
would like that to be the only source.


In Mar 2018 I had success sending such clean-up requests to the technical 
contact address in the AS3561 whois record.  The address has changed since 
then, but maybe whoever gets that email is still interested in maintaining 
their IRR.


________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-


hijacking of 128.255.192.0/22

2018-03-20 Thread Jay Ford
Something apparently in Brazil is hijacking 128.255.192.0/22, part of 
128.255.0.0/16 which is held by the University of Iowa.  AS 263971 is 
announcing 128.255.192.0/22 which Hurricane Electric is accepting & 
propagating.  None of that has any authorization.


I can't find any decent contact information for the originating entity, so I 
have reported it to ab...@he.net, but it'd be fabulous if some HE folks 
listening here could whack the hijacking faster than the abuse channels will 
get to it.  Also useful would be some functional contact for AS263971.


Any help will be appreciated.

________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-


Re: IPv6 fc00::/7 — Unique local addresses

2010-10-20 Thread Jay Ford

On Wed, 20 Oct 2010, Jeroen van Aart wrote:
According to http://en.wikipedia.org/wiki/IPv6_address#Special_addresses an 
fc00::/7 address includes a 40-bit pseudo random number:


"fc00::/7 — Unique local addresses (ULA's) are intended for local 
communication. They are routable only within a set of cooperating sites 
(analogous to the private address ranges 10/8, 172.16/12, and 192.168/16 of 
IPv4).[12] The addresses include a 40-bit pseudorandom number in the routing 
prefix intended to minimize the risk of conflicts if sites merge or packets 
are misrouted into the Internet. Despite the restricted, local usage of these 
addresses, their address scope is global, i.e. they are expected to be 
globally unique."


I am trying to set up a local IPv6 network and am curious why all the 
examples I come across do not seem to use the 40-bit pseudorandom number? 
What should I do? Use something like fd00::1234, or incorporate something 
like the interface's MAC address into the address? It'd make the address 
quite unreadable though.


Use the cool tool at http://www.sixxs.net/tools/grh/ula/ to generate a ULA, 
then use it for local-scope stuff.  Slick.


____
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951



Re: using ULA for 'hidden' v6 devices?

2012-01-25 Thread Jay Ford

On Wed, 25 Jan 2012, Justin M. Streiner wrote:
Is anyone using ULA (RFC 4193) address space for v6 infrastructure that does 
not need to be exposed to the outside world?  I understand the concept of 
having fc00::/8 being doled out by the RIRs never went anywhere, and using 
space out of fd00::/8 can be a bit of a crap-shoot because of the likelihood 
of many organizations that do so not following the algorithm for picking a 
/48 that is outlined in the RFC.


There would appear to be reasonable arguments for and against using ULA. I'm 
just curious about what people are doing in practice.


Yep.  It works great for strictly local devices which don't need Internet 
access.


________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
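The two ULA threads above turn on the same point: the 40 bits after fd00::/8 are supposed to come from the RFC 4193 section 3.2.2 procedure, not be typed in as fd00::/48. As an added example (not from either post, not the sixxs.net tool's code), this is that procedure in Python: 64-bit NTP timestamp, an EUI-64 derived from a MAC, SHA-1 over the concatenation, low 40 bits as the Global ID, then fd00::/8 + Global ID as a /48. The MAC and timestamp used at the bottom are constructed sample inputs; a real run uses the current time and one of the host's own interfaces.

```python
# Added example, not from the original posts: RFC 4193 section 3.2.2 ULA /48 generation.
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
ULA_FD = ipaddress.IPv6Network("fd00::/8")   # fc00::/7 with the L bit set to 1


def ntp_timestamp(unix_time):
    """Step 1: 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def eui64_from_mac(mac):
    """Step 2: modified EUI-64 from a 48-bit MAC (insert ff:fe, flip the U/L bit)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def ula_global_id(ntp_ts, eui64):
    """Steps 3-5: SHA-1 over timestamp || EUI-64, keep the least significant 40 bits."""
    digest = hashlib.sha1(ntp_ts + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(global_id):
    """Step 6: fd00::/8 followed by the 40-bit Global ID gives the site's /48."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must be 40 bits")
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def generate_ula(mac, unix_time=None):
    ts = ntp_timestamp(time.time() if unix_time is None else unix_time)
    return ula_prefix(ula_global_id(ts, eui64_from_mac(mac)))


if __name__ == "__main__":
    # Constructed inputs for a repeatable run; use a real MAC and the current time in practice.
    net = generate_ula("00:1b:21:3c:4d:5e", unix_time=1287590400.0)
    print("site prefix:", net)
    print("first two /64s:", [str(s) for s in list(net.subnets(new_prefix=64))[:2]])
```

The timestamp is part of the hash input so that the same host generating a second prefix later gets a different Global ID; the prefix is not meant to be reproducible from the MAC alone.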



RE: Dns sometimes fails using Google DNS / automatic dnssec

2012-11-15 Thread Jay Ford

It looks like if the server has the RRSIG RR, it returns it.  For example, a
query with +dnssec will cause it to cache the RRSIG, after which it returns
it even if +dnssec not specified.


Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951


query without +dnssec before RRSIG is cached; RRSIG not returned


  : dig @8.8.8.8 m1.mailplus.nl

  ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 m1.mailplus.nl
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3665
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;m1.mailplus.nl.                IN      A

  ;; ANSWER SECTION:
  m1.mailplus.nl.         2985    IN      A       46.31.50.16

  ;; Query time: 15 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8)
  ;; WHEN: Thu Nov 15 11:22:02 2012
  ;; MSG SIZE  rcvd: 48


query with +dnssec; RRSIG is returned


  : dig +dnssec +multi @8.8.8.8 m1.mailplus.nl

  ; <<>> DiG 9.8.1-P1 <<>> +dnssec +multi @8.8.8.8 m1.mailplus.nl
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58877
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags: do; udp: 512
  ;; QUESTION SECTION:
  ;m1.mailplus.nl.                IN      A

  ;; ANSWER SECTION:
  m1.mailplus.nl. 2978 IN A 46.31.50.16
  m1.mailplus.nl. 2978 IN RRSIG A 7 3 3600 20130517082302 (
  20121115082302 3767 mailplus.nl.
  WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1p
  QRo8YIcxzlSNtHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0
  bMKYKIDuK8Gtz47AVDJaU0eX0FR8F5qqw897ClGf5ISa
  0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWFujs= )

  ;; Query time: 16 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8)
  ;; WHEN: Thu Nov 15 11:22:10 2012
  ;; MSG SIZE  rcvd: 230


query without +dnssec after RRSIG is cached; RRSIG returned


  : dig +multi @8.8.8.8 m1.mailplus.nl

  ; <<>> DiG 9.8.1-P1 <<>> +multi @8.8.8.8 m1.mailplus.nl
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13524
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;m1.mailplus.nl.                IN      A

  ;; ANSWER SECTION:
  m1.mailplus.nl. 2974 IN A 46.31.50.16
  m1.mailplus.nl. 2974 IN RRSIG A 7 3 3600 20130517082302 (
  20121115082302 3767 mailplus.nl.
  WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1p
  QRo8YIcxzlSNtHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0
  bMKYKIDuK8Gtz47AVDJaU0eX0FR8F5qqw897ClGf5ISa
  0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWFujs= )

  ;; Query time: 17 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8)
  ;; WHEN: Thu Nov 15 11:22:13 2012
  ;; MSG SIZE  rcvd: 219
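As an added example (not from the post above, and not Google's or ISC's code): a stdlib-only DNS wire-format parser that checks for exactly the behaviour the three dig runs show, an RRSIG in the answer section of a response to a query that never set the EDNS DO bit. The messages it runs on are constructed in code rather than captured from 8.8.8.8, and the RRSIG signature bytes and timestamps are dummies; the record names, type and algorithm mirror the dig output so the sizes are in the same ballpark.

```python
# Added example, not from the original post: detect RRSIG returned without DO.
import struct

TYPE_A, TYPE_RRSIG, TYPE_OPT = 1, 46, 41
DO_FLAG = 0x8000   # the DO bit is the top bit of the OPT record's 32-bit TTL field


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def rr(name, rtype, ttl, rdata, rclass=1):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def opt_rr(do, udp_size=4096):
    """OPT pseudo-RR: root name, class = UDP payload size, TTL = ext-rcode/version/flags."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_FLAG if do else 0, 0)


def build_message(qname, qtype, answers=(), additional=(), response=False, msg_id=0x1234):
    flags = 0x8180 if response else 0x0100          # qr+rd+ra for a reply, rd for a query
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return hdr + question + b"".join(answers) + b"".join(additional)


def parse_message(msg):
    """Return the DO bit and the record types seen in each section."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                    # qtype + qclass
    sections = {"answer": [], "authority": [], "additional": []}
    do = False
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            _, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                do = bool(ttl & DO_FLAG)
            sections[section].append(rtype)
    return {"id": msg_id, "do": do, "size": len(msg), **sections}


def rrsig_without_do(query, response):
    """True when the answer carries RRSIG although the query did not set DO."""
    return TYPE_RRSIG in parse_message(response)["answer"] and not parse_message(query)["do"]


# Constructed records: the A record from the post plus an RRSIG (alg 7, 3 labels,
# original TTL 3600, key tag 3767) with dummy timestamps and a dummy 64-byte signature.
A_RR = rr("m1.mailplus.nl", TYPE_A, 2974, bytes([46, 31, 50, 16]))
RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_A, 7, 3, 3600, 1368779000, 1352967000, 3767)
               + encode_name("mailplus.nl") + b"\x00" * 64)
RRSIG_RR = rr("m1.mailplus.nl", TYPE_RRSIG, 2974, RRSIG_RDATA)

PLAIN_QUERY = build_message("m1.mailplus.nl", TYPE_A)
DNSSEC_QUERY = build_message("m1.mailplus.nl", TYPE_A, additional=[opt_rr(True)])
PLAIN_REPLY = build_message("m1.mailplus.nl", TYPE_A, answers=[A_RR], response=True)
CACHED_REPLY = build_message("m1.mailplus.nl", TYPE_A, answers=[A_RR, RRSIG_RR], response=True)

if __name__ == "__main__":
    for label, q, r in (("before RRSIG cached", PLAIN_QUERY, PLAIN_REPLY),
                        ("after RRSIG cached", PLAIN_QUERY, CACHED_REPLY)):
        print(f"{label}: {parse_message(r)['size']} bytes, RRSIG without DO: {rrsig_without_do(q, r)}")
```

To run the same check against live traffic, feed the raw query and response bytes from a socket or a pcap into rrsig_without_do(); the parser handles compression pointers, which real resolver replies use for the owner names.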



Re: IPv4 Anycast Resoure Recommendations

2010-06-02 Thread Jay Ford

On Wed, 2 Jun 2010, Jimmy Changa wrote:

I was wondering if anyone had recommendations on IPv4 Anycast resources
(whitepapers, RFCs) as it relates to DNS?


I found the following useful:
   http://www.net.cmu.edu/pres/anycast
   http://ftp.isc.org/isc/pubs/tn/isc-tn-2004-1.html
   http://www.linuxsa.org.au/meetings/2006-07/anycast-dns.pdf

They're getting a bit dated, but still OK.

____
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951



Re: Stupid Cisco ACL question

2011-04-21 Thread Jay Ford

On Thu, 21 Apr 2011, u...@3.am wrote:

permit tcp any eq 443 any
permit tcp any eq 80 any
deny ip any host 2.2.3.4
permit ip any any

This is applied to an inbound interface(s).  We want anybody outside to be
able to reach ports 80 and 443 of any host on our network, no matter what,
then block ALL other access to select hosts, such as 2.2.3.4, even ICMP.
However, as soon as I apply this rule to the interface, ports 80 and 443
of that host become unreachable.  A telnet to 2.2.3.4 443 gets "Connection
refused" until I tear out the deny ACL above.  I even tried adding udp for
both ports, to no avail.


Your ACL is applying 80 & 443 as source ports, not destination ports.

You probably want:
   permit tcp any any eq 443
   permit tcp any any eq 80
   deny ip any host 2.2.3.4
   permit ip any any

________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
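As an added example (not from the post above, and not Cisco code): a small evaluator for just the subset of IOS extended-ACL syntax used in the thread (any / host A.B.C.D, an optional "eq <port>" after the source and after the destination, first match wins, implicit deny at the end). Run over a constructed inbound SYN to 2.2.3.4:443, it shows why the original list falls through to the deny line and the corrected one permits the connection. The client address and ephemeral port are made up.

```python
# Added example, not from the original post: evaluate a Cisco-style extended ACL against a
# packet, to show that "permit tcp any eq 443 any" matches a SOURCE port.
from ipaddress import ip_address

PROTOCOLS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}   # "ip" matches any protocol


def _parse_addr(tokens, i):
    """Consume 'any' or 'host X' at tokens[i]; return (matcher, next_index)."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    if tokens[i] == "host":
        want = ip_address(tokens[i + 1])
        return (lambda a, w=want: a == w), i + 2
    raise ValueError("unsupported address spec: " + " ".join(tokens[i:]))


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """One access-control entry: action proto src [eq sport] dst [eq dport]."""
    t = line.split()
    action, proto = t[0], PROTOCOLS[t[1]]
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)      # a port right after the source is a SOURCE port
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)      # a port after the destination is a DESTINATION port
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, sport, dst, dport):
    """First matching entry wins; the list ends in an implicit 'deny ip any any'."""
    src, dst = ip_address(src), ip_address(dst)
    for line in acl_lines:
        e = parse_ace(line)
        if e["proto"] is not None and e["proto"] != proto:
            continue
        if not e["src"](src) or not e["dst"](dst):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], line
    return "deny", "implicit deny ip any any"


ORIGINAL = ["permit tcp any eq 443 any",
            "permit tcp any eq 80 any",
            "deny ip any host 2.2.3.4",
            "permit ip any any"]
CORRECTED = ["permit tcp any any eq 443",
             "permit tcp any any eq 80",
             "deny ip any host 2.2.3.4",
             "permit ip any any"]

# Constructed packet: an outside client (ephemeral source port) opening HTTPS to 2.2.3.4.
INBOUND_SYN = dict(proto=6, src="198.51.100.7", sport=51234, dst="2.2.3.4", dport=443)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, "->", evaluate(acl, **INBOUND_SYN))
```

The only line in the original list that would ever match traffic with "443" in it is one where 443 is the source port, i.e. a reply from a web server, which is why inbound connections to the host hit the deny.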



Re: www.nist.gov over v6 trouble Was: Microsoft's participation in World IPv6 day

2011-06-08 Thread Jay Ford

On Wed, 8 Jun 2011, Neil Long wrote:

Top of the page it says (now, may have been added)
"Note: This top level web page has been setup to test IPv6 capabilities and 
to participate in World IPv6 Day on June 8, 2011. This IPv6 web page will be 
disabled after the end of World IPv6 Day. Links on this page do not work. 
This is a copy of the NIST website, www.nist.gov, and is only reachable using 
the IPv6 network protocol. To access the entire NIST website, you must use 
the IPv4 network protocol."


Yeah, at least they said what they did, but they seem to have a
misunderstanding of how dual-stack clients will use the www.nist.gov 
record.  The result is that they've broken access to their content.

________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951