Re: Securing Border Routers

2011-01-19 Thread Owen DeLong
Using non-world routable space on interfaces makes for difficulties in some situations with PMTU-D and with troubleshooting (useless information in traceroutes for example). Owen On Jan 19, 2011, at 6:04 PM, jim deleskie wrote: > Never put a firewall in front of a router, it will die first. The

United Airlines Technical Contact

2011-01-19 Thread Nathan Charles
Does anybody have a technical contact for United Airlines? I can't seem to get in touch with any of the phone numbers or email addresses listed in whois. Regards, Nathan Charles

Re: Update Spamhaus DROP list from Cisco CLI (TCL)

2011-01-19 Thread Suresh Ramasubramanian
Did you try this http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ#168 Links to Marco d'Itri's "cisco tools" package - http://www.linux.it/~md/software/cisco-tools-0.2.tgz Pretty neat, can update bogons as well On Thu, Jan 20, 2011 at 7:34 AM, Thomas Magill wrote: > Previous convers

Re: Update Spamhaus DROP list from Cisco CLI (TCL)

2011-01-19 Thread Jared Mauch
On Jan 19, 2011, at 9:04 PM, Thomas Magill wrote: > Previous conversations made me decide this would be fun to do so I ignored > all my real work today and made it happen. > > I built a TCL script that can be mapped to an alias ("alias exec updatedrop > tclsh updatedrop.tcl") that will connect

Update Spamhaus DROP list from Cisco CLI (TCL)

2011-01-19 Thread Thomas Magill
Previous conversations made me decide this would be fun to do so I ignored all my real work today and made it happen. I built a TCL script that can be mapped to an alias ("alias exec updatedrop tclsh updatedrop.tcl") that will connect to the Spamhaus DROP list and route all of the prefixes to n

Re: Securing Border Routers

2011-01-19 Thread jim deleskie
Never put a firewall in front of a router, it will die first. The team CYMRU stuff is great make sure you have ACL's on your VTY and allow access only from trusted internal IPs. I also like using non world routable space on any interface I can. On Wed, Jan 19, 2011 at 9:38 PM, Brandon Kim wrote

RE: Securing Border Routers

2011-01-19 Thread Brandon Kim
What an insightful link! Thank you, I am reading it now. > From: bryan.we...@arrisi.com > To: nanog@nanog.org > Date: Wed, 19 Jan 2011 16:38:43 -0800 > Subject: RE: Securing Border Routers > > I ALWAYS start with the CYMRU secure bgp templates, found here: > http://www.team-cymru.org/Re

Re: Securing Border Routers

2011-01-19 Thread Ryan Shea
A stateful firewall outside of your router may create a new bottleneck which increases your risk of DoS. Making sure that you know (and document, and test) how to effectively contact your service providers should you be attacked would be a good idea. Find out if your service providers have BGP comm

RE: Securing Border Routers

2011-01-19 Thread Welch, Bryan
I ALWAYS start with the CYMRU secure bgp templates, found here: http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html I personally would not recommend a firewall in front of your router, sufficient ACL'ing should be enough for securing the router itself. Bryan -Original

Securing Border Routers

2011-01-19 Thread Brandon Kim
Gents: What measures do you take to protect your border routers? Our routers are running BGP so I'm interested if there is any way to secure them without interfering with BGP? Is it normal to put a firewall in front of the border routers? I'm concerned about DDOS attacks mainly although we

Re: Is anyone Using Talari Networks WAN Optimizer?

2011-01-19 Thread Shahid Shafi
We are considering them but are a bit concerned as they do forwarding plane optimization instead of control plane in case of Route Science. thanks, Shahid On Wed, Jan 19, 2011 at 2:50 PM, Holmes,David A wrote: > Talari management apparently has experience at the old Routescience BGP > load-balancer st

Is anyone Using Talari Networks WAN Optimizer?

2011-01-19 Thread Holmes,David A
Talari management apparently has experience at the old Routescience BGP load-balancer startup, so this warrants a closer look. Has anyone used their products?

Re: Verizon FiOS Distribution Switch

2011-01-19 Thread Mike
On 01/19/2011 01:28 PM, GP Wooden wrote: Not that this is a requirement, but good practice none the less with this setup... Turn off cdp on the port facing the LEC... +1 also add 'nonegotiate' and turn off spanning tree on the port while you're at it. There's a list somewhere of standard st

Re: Verizon FiOS Distribution Switch

2011-01-19 Thread GP Wooden
Not that this is a requirement, but good practice none the less with this setup... Turn off cdp on the port facing the LEC... -graham - Reply message - From: "Chris Burwell" Date: Wed, Jan 19, 2011 2:56 pm Subject: Verizon FiOS Distribution Switch To: "NANOG" I have a question about a

Re: Verizon FiOS Distribution Switch

2011-01-19 Thread Edward Salonia
I have done this exact thing. We had a client with a block of public ips and they needed the actiontec router to stay connected for the cable boxes. Just put the switch between the ONT ethernet port and the actiontec WAN port and you should be fine. Just make sure the ethernet port is active on

Verizon FiOS Distribution Switch

2011-01-19 Thread Chris Burwell
I have a question about a Verizon FiOS business connection with an ethernet hand off and I am hoping that someone out there has done the same thing. We have a FiOS business connection coming into our building. This includes an Ethernet hand off into the usual Actiontec router as well as a block of

Re: NAT-PT or NAT64 in real life

2011-01-19 Thread Mikhail Strizhov
Hi, I didn't use NAT-PT, but have a lot of experience with NAT64/DNS64. We've deployed NAT64 with DNS64 in our test lab with the latest Fedora Linux workstations; so far, it works fine. -- Sincerely, Mikhail Strizhov Email: striz...@netsec.colostate.edu On 01/

Re: NAT-PT or NAT64 in real life

2011-01-19 Thread Cameron Byrne
On Wed, Jan 19, 2011 at 1:18 AM, jarod smith wrote: > Although it would seem that double-stack is still the preferred method of > linux > distribution, I want my next deployed in IPv6 only. > For linux there is NAT-PT tomicki and NAT64 Viagenie. > > I don't have Cisco equipment although I'd like

NANOG 51 Agenda posted

2011-01-19 Thread David Meyer
Folks, See http://www.nanog.org/meetings/nanog51/agenda.php See you in Miami, Dave (for the NANOG PC)

Re: Network Simulators

2011-01-19 Thread Jack Bates
On 1/19/2011 8:27 AM, Carlos Martinez-Cagnazzo wrote: Anything for Junipers ? Olive? Do you dare? On Wed, Jan 19, 2011 at 11:52 AM, Gary Gladney wrote: If you're looking for a network simulator for Cisco equipment it's been my experience that Boson (www.boson.com) has the best network simulator

RE: Dual Homed BGP for failover

2011-01-19 Thread Randy McAnally
On Wed, 19 Jan 2011 14:26:32 -, Ahmed Yousuf wrote > We're doing BGP to announce our PI space and make sure that our PI > space is reachable through both ISPs in case one link goes down. > This is the primary need to do the BGP here. Unfortunately my boss > has requested that we make use o

RE: Dual Homed BGP for failover (Ahmed Yousuf)

2011-01-19 Thread James Byaruhanga
On 2011/01/19 5:28 PM, "nanog-requ...@nanog.org" wrote: >Send NANOG mailing list submissions to >nanog@nanog.org > >To subscribe or unsubscribe via the World Wide Web, visit >https://mailman.nanog.org/mailman/listinfo/nanog >or, via email, send a message with subject or body 'help' t

RE: Dual Homed BGP for failover

2011-01-19 Thread Ahmed Yousuf
We're doing BGP to announce our PI space and make sure that our PI space is reachable through both ISPs in case one link goes down. This is the primary need to do the BGP here. Unfortunately my boss has requested that we make use of the capacity of both links, rather than pref traffic out of the

Re: Network Simulators

2011-01-19 Thread Carlos Martinez-Cagnazzo
Anything for Junipers ? On Wed, Jan 19, 2011 at 11:52 AM, Gary Gladney wrote: > If you're looking for a network simulator for Cisco equipment it's been my > experience that Boson (www.boson.com) has the best network simulator for Cisco > equipment. It behaves and processes information the way real Cisco

RE: Dual Homed BGP for failover

2011-01-19 Thread Randy McAnally
On Wed, 19 Jan 2011 10:23:47 -, Ahmed Yousuf wrote > - Accept that we are never going to get an ideal > distribution of traffic and continue monitoring and adjusting local > pref/prepends etc. as and when we need to change the distribution of > traffic. Hopefully we don't need to

RE: Network Simulators

2011-01-19 Thread Gary Gladney
If you're looking for a network simulator for Cisco equipment it's been my experience that Boson (www.boson.com) has the best network simulator for Cisco equipment. It behaves and processes information the way real Cisco equipment does. I've tried GS3, it's great for routing situations but lacks in simulat

Re: Network Simulators

2011-01-19 Thread Ryan Shea
You can do some switching by stuffing a virtual NM-16ESW into your faketastic 3660 in Dynamips. Then there are the built-in frame-relay and ethernet switches you could dump into the mix as well. -Ryan On Mon, Jan 17, 2011 at 10:23 AM, Brandon Kim wrote: > > James: > > I've been resisting GNS3 fo

Re: Software DNS high availability and load balancer solution

2011-01-19 Thread InterNetX - Jürgen Gotteswinter
On 19.01.11 01:01, david raistrick wrote: On 01/18/2011 09:42 AM, Sergey Voropaev wrote: Does any one know software solutions (free is preferable) like as cisco GSS and F5 BIG-IP? The main point is that DNS-server (or dns server plugin) must be able to monitor server availability (for examp

Re: Software DNS high availability and load balancer solution

2011-01-19 Thread Joe Abley
On 2011-01-19, at 08:17, Joe Greco wrote: > You wouldn't use Zebra; it isn't actively developed anymore and has > not been updated in many years. Use Quagga instead, which is the > community-based offshoot. I don't think this is what the original post was asking about, but for the sake of com

Re: Software DNS high availability and load balancer solution

2011-01-19 Thread Joe Greco
> On 01/18/2011 07:42 AM, Sergey Voropaev wrote: > > Does any one know software solutions (free is preferable) like as cisco GSS > > and F5 BIG-IP? The main point is that DNS-server (or dns server plugin) must > > be able to monitor server availability (for example by TCP connect) and from > > DNS

Re: NAT-PT or NAT64 in real life

2011-01-19 Thread jarod smith
Thanks for your reply. In summary it's not possible to deploy IPv6 only if I want to access the whole internet :) On Wed, Jan 19, 2011 at 10:18 AM, jarod smith wrote: > Although it would seem that double-stack is still the preferred method of > linux > distribution, I want my next deployed

RE: Dual Homed BGP for failover

2011-01-19 Thread Ahmed Yousuf
Thanks to all for the responses, certainly illuminating. I'm now more aware of what I can do and what tools are available. The following makes sense to me: - Take full routing tables and default from both ISPs and decide how I filter the routes that get installed in my routers. -

Re: NAT-PT or NAT64 in real life

2011-01-19 Thread Mikael Abrahamsson
On Wed, 19 Jan 2011, jarod smith wrote: Are some of you have installed one of these two implementations in production on recent versions of linux? Is it stable, secure, ... ? Not in production, but we've installed it for testing. We immediately ran into problems that were MTU related where via

NAT-PT or NAT64 in real life

2011-01-19 Thread jarod smith
Although it would seem that double-stack is still the preferred method of linux distribution, I want my next deployed in IPv6 only. For linux there is NAT-PT tomicki and NAT64 Viagenie. I don't have Cisco equipment although I'd like tested their NAT-PT, even if it's obsolete. Are some of you have