Archive

Category Archives for "Saku Ytti"

eBGP triggered blackhole for customers

Very many large scale transit providers, if not most of them support eBGP remote triggered blackhole via separate multihop eBGP session. I suspect this is, because they've used for very long time single shared route-map for transit customers, and it is not immediately obvious how you can support blackholing without customer specific route-map. Requiring customer specific route-map would probably be less than minor change in their provisioning systems. However, it is perfectly doable and same idea works just the same in JunOS and IOS, here is pseudoIOShy example how to do it:

router bgp N neighbor eBGP peer-group neighbor eBGP route-map eBGP-IN in neihgbor eBGP disable-connected-check neighbor CUSTIP peer-group eBGP neighbor CUSTIP prefix-list C-CUSTID-IN in ! route-map eBGP-IN permit 100 match community BLACKHOLE set ip next-hop BLACKHOLE set community BLACKHOLE additive route-map eBGP-IN permit 200 match ip address prefix-list eBGP-TRANSIT-FULL set community full-transit additive route-map eBGP-IN permit 300 match ip address prefix-list eBGP-TRANSIT-PARTIAL set comunity partial-transit additive route-map eBGP-IN permit 400 set ip address prefix-list eBGP-PUNCHOLE set community no-export additive ! ip prefix-list C-CUSTID-IN permit 192.0.2.0/24 le 32 ip prefix-list C-CUSTID-IN permit 10.10.42.0/28 le 32 ip prefix-list eBGP-TRANSIT-FULL permit 192.0.2.0/24 ip prefix-list eBGP-PUNCHOLE Continue reading

Consumer hardware vendors, boxes and versions

Yes, this is actually a rant.
<rant>
I have a Apple Time Capsule which I love and cherish. It's about a year old. No, it isn't the latest model anymore. It claims it is able to talk IPv6... but it doesn't. Sadly, it runs something called version 7.4.2 - that works fine but where IPv6 is broken. To have functioning IPv6 I should have 7.5 or later. That would require me to pay more money for protection to Apple as it seems like it is only available on the Very Latest Time Capsules.
Now, someone explain to me:
  1. what the fuck? over.
  2. why must I buy a new box to get something to work which is supposedly is there already
  3. immediate cessation in software updates upon release of incremental hardware update
  4. if you changed the chipset then how hard can it be to make a conditional instead of drop all future upgrades
  5. fail to communicate what's going to work and what's not
Feel free to google "time capsule 7.4.2 ipv6" for more info.
</rant>
Feels much better now. :-)

IPv6 and the enterprise of tomorrow(ish)

One of the great promises of IPv6 has been to get rid of NAT, no more will IT do RFC1918 and NAPT to single public IP. But how is IPv6 going to accomplish this, what is the magical toggle for it? Let's get disappointed.

Some devices, like Cisco IOS allow you to configure IPv6 prefix as 'macro', so you could tell that macro 'ME' is 2001:db8::/32 and everywhere where you write IPv6 address, you use macro 'ME'instead. So in theory, when your prefix changes, you simply change the macro. So the great renumbering benefit is ability to always get same size network. But of course this was true for IPv4 too, you got the network size you needed. Why isn't this utilized? Because enterprises don't have one Cisco IOS devices, they have plethora of devices from different vendors, firewalls, slb, ips, ids, servers, OSS systems and so forth, you'd still need to go in all of these to change the 'macro', not all devices even have the concept and quite frankly no enterprise of non-trivial size will even know without months of work _where_ and _what_ will need to be changed for renumbering to be successful. I know industry professionals Continue reading

IEEE OUI address (MAC address) allocation

I've recently noticed that it is becoming more and more common to see 'weird' MAC addresses, i.e. MAC addresses which do not start with numbers 00. Previously it was very easy to spot automatically mentally software defects which would cause strange MAC addresses to appear, it has helped me to diagnose several issues in the past. We've now beginning to lose that advantage, as IEEE has started to allocate MAC addresses quite randomly across the address space.

I emailed to IEEE and asked what was the motivation and perceived advantage in doing this change and reply was quite simply 'We changed our allocation methods to prevent vendors using unregistered mac addresses.'. OUI costs 1650USD one time fee, but IEEE appears to be concerned that some vendors choose not to pay it, instead allocate themselves OUI somewhere far in the address space, effectively thinking they are getting free OUI with little to no possibility of overlap. It would be curious to know if this instance who wants to save 1650USD would care about this slightly changed climate, I personally doubt the change while good-willed is completely ineffective and the slight operational benefit serial assignment had is lost. (/me starts Continue reading

Resolving SNMP OID in snmpbulkwalk and tshark

This isn't exactly esoteric science but at least for me it has been too hard and I've rather looked up OIDs manually, which makes little sense in the long run.

NET-SNMP

First of all, you probably want to set system wide version and community, so you never need to type them on snmpbulkwalk
# cat /etc/snmp/snmp.conf defVersion 2c defCommunity supersecret #
Also I prefer to have vendor MIBs for my user only, as I might want to load lot of them, which will give lot of warnings, which other users may not want.
# cat ~/.snmp/snmp.conf mibs +ALL #
Instead of +ALL you could add named MIBs which to load, ~/.snmp/mibs/ directory is searched for users MIBs. You could start by uncompressing ftp://ftp.cisco.com/pub/mibs/v2/v2.tar.gz there. Now you should be able to snmpbulkwalk router by giving just its name, no version, no community and OIDs should be resolved.

WIRESHARK/TSHARK

To me this is more useful than net-snmp, to lab what type of traps router would send and in what situation. For some weird reason wireshark/tshark doesn't honour net-snmp settings, but needs its own settings.
# cat ~/.wireshark/prefefences name_resolve: mtC name_resolve_load_smi_modules: TRUE snmp.display_oid: Continue reading

Cisco Network^WLive! 2011 Las Vegas Conference report, part 2

Part 2... where we take a stab at the food served one gets for 1700 (thereabouts) bucks at conferences.
Breakfast
When: every day 0700-0800 (one hour only)
What's available: cereal + milk, sugary doughnuts, croissants, bottles of juice or soda pop.
Grade: C-. The time could be longer and the stuff available isn't exactly from the food pyramid either. I did this once and the rest of the time paid for hotel breakfast which was excellent.
Lunch
When: 11-13 (or thereabouts)
What's available: different menu every day, lots of choices, veggie, meat, fish, salad, etc. Drinks water, icea tea, lemonade, soda pop
Grade: B+. Certainly isn't a Michelin restaurant experience but seemed nutritious enough, wasn't all greased up, there were plenty of choice each day (beef/fish, fish/chicken, chicken, etc.) and always a veggie choice.
Snacks
When: around 1000, around 1400
What's available: granola bars, sugary coated doughnuts, coffee, tea, water, some fruit, juice, ice cream, ... depending on the day
Grade: B-. Lots of choice. Sometimes the snacks went quite quickly so I didn't get some on a few days when the presentation ended later than planned. Either there were too little snacks to start with or some people stocked Continue reading
1 2