Re:Internet access using VRF aware NAT

Hi Devang

We are using the vrf nat where the customer demands the firewall services. For implementing this we are advertising a default route and vrf nat is used on a per VPN basis. This is the rate services in case of wholesale.

Actual implementation: we are creating an INTERNET VRF which is having a default route. In the customer vrf the RT of the internet route is imported and the vrf is able to get the default route. For reverse traffic an ipv4 route is added at the PE towards the customer interface.

regards
shivlu jain

On Fri, Feb 27, 2009 at 10:17 AM, <nanog-request@nanog.org> wrote:
Today's Topics:
1. RE: Documentation of switch maps (Gregory Boehnlein)
2. Re: Yahoo and their mail filters.. (Marshall Eubanks)
3. Re: Documentation of switch maps (Adam Armstrong)
4. Internet access using VRF aware NAT (devang patel)
5. Re: Yahoo and their mail filters.. (J.D. Falk)
6. Re: Yahoo and their mail filters.. (Carl Ford)
7. Re: Yahoo and their mail filters.. (J.D. Falk)
8. Re: Yahoo and their mail filters.. (Suresh Ramasubramanian)
9. Re: Yahoo and their mail filters.. (Brian Keefer)
10. Re: Yahoo and their mail filters.. (Jo Rhett)
11. Road Runner DNS servers (Ricardo Oliveira)
----------------------------------------------------------------------
Message: 1
Date: Thu, 26 Feb 2009 14:20:07 -0500
From: "Gregory Boehnlein" <damin@nacs.net>
Subject: RE: Documentation of switch maps
To: "'Bielawa, Daniel W. \(NS\)'" <dwbielawa@liberty.edu>, <nanog@nanog.org>
Message-ID: <02bd01c99847$3c48e540$b4daafc0$@net>
Content-Type: text/plain; charset="us-ascii"

Man.. I'd love to have this for Netgear switches! :)

-----Original Message-----
From: Bielawa, Daniel W. (NS) [mailto:dwbielawa@liberty.edu]
Sent: Thursday, February 26, 2009 2:07 PM
To: nanog@nanog.org
Subject: RE: Documentation of switch maps

Hello,

We use switchmap here for tracking port utilization, days inactive, and devices connected. It uses SNMP to determine the information.

http://switchmap.sourceforge.net/

Thank You

Daniel Bielawa
Network Engineer
Liberty University Information Services

-----Original Message-----
From: Blake Pfankuch [mailto:bpfankuch@cpgreeley.com]
Sent: Thursday, February 26, 2009 2:01 PM
To: nanog@nanog.org
Subject: Documentation of switch maps

Howdy.

Had a customer come to me this morning who wanted to create a document for their switching infrastructure and thought I would bounce it off the rest of the world on how you usually do this. Typically I use a spreadsheet with outlines to define the "switch" and then outlines for the ports and color coding for vlan's as well as a description of the port. Curious what other people are doing, as this would be a huge undertaking for a customer who is using an entire /19 of rfc 1918 ip addresses and has well over 150 switches and 40 active vlans. They want to be able to look at this document and pull up any switch and look at the port and be able to see what vlan the port is on, as well as what device it is connected to as well as port channel membership, trunks and other fun things like that. Needless to say their documentation is lacking on the physical connectivity however their cisco infrastructure does have labels on every port that goes to a named device outside of the DHCP pools. Thoughts?

Thanks,
Blake Pfankuch
-- This message has been scanned for viruses and dangerous content by N2Net Mailshield, and is believed to be clean.
------------------------------
Message: 2
Date: Thu, 26 Feb 2009 17:06:41 -0500
From: Marshall Eubanks <tme@multicasttech.com>
Subject: Re: Yahoo and their mail filters..
To: John R. Levine <johnl@iecc.com>
Cc: nanog@nanog.org
Message-ID: <A3D823EF-4892-4D36-BDCB-B724D1EC0318@multicasttech.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

On Feb 26, 2009, at 2:00 PM, John R. Levine wrote:

>> You're that confident people know the difference between a real communication from a party they conversed with before and a phish designed to look like the same thing?

What I worry about is when software is used to scrape lists such as this and used to create phishing based on actual emails, so you get phishes apparently from people you know using their actual words. When the botnets start doing that things could get nasty fast.

Regards
Marshall

> If it's a bank, probably not. If it's a random online store, there's about a 99.9% chance it's actual junk mail and .01% that it's anything else.
>
> R's, John
------------------------------
Message: 3
Date: Thu, 26 Feb 2009 23:55:38 +0000
From: Adam Armstrong <lists@memetic.org>
Subject: Re: Documentation of switch maps
To: Blake Pfankuch <bpfankuch@cpgreeley.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Message-ID: <49A72BFA.1070706@memetic.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Blake Pfankuch wrote:

> Howdy.
>
> Had a customer come to me this morning who wanted to create a document for their switching infrastructure and thought I would bounce it off the rest of the world on how you usually do this. Typically I use a spreadsheet with outlines to define the "switch" and then outlines for the ports and color coding for vlan's as well as a description of the port. Curious what other people are doing, as this would be a huge undertaking for a customer who is using an entire /19 of rfc 1918 ip addresses and has well over 150 switches and 40 active vlans. They want to be able to look at this document and pull up any switch and look at the port and be able to see what vlan the port is on, as well as what device it is connected to as well as port channel membership, trunks and other fun things like that. Needless to say their documentation is lacking on the physical connectivity however their cisco infrastructure does have labels on every port that goes to a named device outside of the DHCP pools. Thoughts?

If they're cisco or similar switches, make sure your port descriptions are correct, and keep configuration archives. Collect the port configuration/status with snmp and populate it into a database, that way you can generate whatever information you want in whatever format and it's accurate, which it won't be if you're expecting someone to update a spreadsheet.

adam.
------------------------------
Message: 4
Date: Thu, 26 Feb 2009 17:38:18 -0700
From: devang patel <devangnp@gmail.com>
Subject: Internet access using VRF aware NAT
To: nanog@nanog.org
Message-ID: <d0fea3580902261638v857ca36ja7442ebc7c54456b@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hello,

Have one question about VRF aware NAT for internet access! If we will enable the VRF aware NAT on local PE to have an internet access via central Internet PE then we will not have connectivity to any other VPN site as all local CE prefixes will be translated to the loopback IP address of the local PE.

We can have route map which will match the ACL for specific CE source to specific VPN destination with deny key word and it will prevent the NAT when CE will try to communicate with other CE of same VPN or different VPN. That looks longer configuration in real world right! so is that the only way I have when I will have only one option to configure the local PE with VRF aware NAT to gain internet access? I need to know what is the implement in real world? How service provider networks are providing internet access with MPLS VPN option? I know about customer is getting VPN connectivity on one router and service provider will give other internet connectivity link which might be terminating on same router or other router. I just want to know which is mostly used option as far as the internet access service with MPLS VPN services!

thanks,
Devang Patel
------------------------------
Message: 5
Date: Thu, 26 Feb 2009 18:08:27 -0700
From: "J.D. Falk" <jdfalk-lists@cybernothing.org>
Subject: Re: Yahoo and their mail filters..
To: nanog@nanog.org
Message-ID: <49A73D0B.2010706@cybernothing.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Brian Keefer wrote:

> The other options is to stuff all the spam messages in a folder and expose them to the user, taking up a huge amount of storage space for something the vast majority of users are never going to look at any way.

Which is, in fact, what Yahoo! does by default. Users have the option to have that stuff deleted immediately, should they desire.

> Blocking an entire site just because one John Doe user clicked a button they don't even understand just does not make sense.

You're right -- but Yahoo! has a sufficiently large userbase that they can count multiple complaints before blocking anything. Same story with AOL, and Hotmail, and Cloudmark, and many others who've used this technique for years.

In all of those cases, they have safeguards to prevent gaming, to prevent bouncing, and pretty much everything else anyone's suggested thus far in this thread.

> Last, anywhere that I've seen extensive use of forwards has had a maze of difficult to untangle abuse problems related to forwarded spam. Any site allowing forwarding should apply very robust filtering of outbound mail.

Very true. MAAWG published a document last year which includes some additional recommendations:

http://www.maawg.org/about/publishedDocuments/MAAWG_Email_Forwarding_BP.pdf

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/
------------------------------
Message: 6
Date: Thu, 26 Feb 2009 20:35:57 -0500
From: Carl Ford <carl.ford@gmail.com>
Subject: Re: Yahoo and their mail filters..
To: Micheal Patterson <micheal@spmedicalgroup.com>
Cc: nanog@nanog.org
Message-ID: <f79c56820902261735q3d958f3ey24c36aeb4ee294e3@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

very old news.

their filter restrictions have some very absurd rules

On Tue, Feb 24, 2009 at 9:27 PM, Micheal Patterson <micheal@spmedicalgroup.com> wrote:

> This may be old news, but I've not been in the list for quite some time. At any rate, is anyone else having issues with Yahoo blocking / deferring legitimate emails?
>
> My situation is that I host our corporate mx'ers on my network, one of the companies that we recently purchased has Yahoo hosting their domains mail. Mail traffic to them is getting temporarily deferred with the "421 4.7.0 [TS01] Messages from xxx.xxx.xxx.xxx temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html"
>
> The admin of the facility has contacted Yahoo about this but their response was for "more information" when they were told that traffic from my mx to their domain was being deferred. I may end up just having them migrate to my systems just to maintain company communications if we can't clear this up in a timely manner.
>
> --
> Micheal Patterson
------------------------------
Message: 7
Date: Thu, 26 Feb 2009 18:15:08 -0700
From: "J.D. Falk" <jdfalk-lists@cybernothing.org>
Subject: Re: Yahoo and their mail filters..
To: nanog@nanog.org
Message-ID: <49A73E9C.1060604@cybernothing.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Barry Shein wrote:

> I suggested that probably 99% of the false positives I see could be avoided by just waiting until there are two or more complaints from the same source before firing it back as spam.

I've developed systems for ISPs to handle inbound complaints from AOL & such, and that's exactly what we did: multiple complaints were acted upon, single complaints only fed into the aggregate stats. On the INBOUND side. We didn't ask AOL to do that work for us.

Many recipients of complaint feedback actually /want/ to receive every complaint, because -- like John Levine -- they treat those complaints as unsubscribe requests.

Yours is not the common use case.

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/
------------------------------
Message: 8
Date: Fri, 27 Feb 2009 07:34:46 +0530
From: Suresh Ramasubramanian <ops.lists@gmail.com>
Subject: Re: Yahoo and their mail filters..
To: "J.D. Falk" <jdfalk-lists@cybernothing.org>
Cc: nanog@nanog.org
Message-ID: <bb0e440a0902261804m77b0ca56nf3c61facf708bfec@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On Fri, Feb 27, 2009 at 6:45 AM, J.D. Falk <jdfalk-lists@cybernothing.org> wrote:

> Many recipients of complaint feedback actually /want/ to receive every complaint, because -- like John Levine -- they treat those complaints as unsubscribe requests.

That's ONE use case. But we are not senders, and we do use a feedback loop because we are an ISP (like barry) but we don't have the luxury of a purely geek (so largely clean e&oe pwned systems) userbase like Barry has.

In other words - we do get spammer customers. And the feedback loops provide us near real time notification of these, allowing us to terminate.

> Yours is not the common use case.

His IS the common use case. Just that he doesn't have the sort of userbase that will generate usable FBLs (aka no significant number of genuine spam issues on his network). For which he has to count himself lucky.
------------------------------
Message: 9
Date: Thu, 26 Feb 2009 20:17:37 -0800
From: Brian Keefer <chort@smtps.net>
Subject: Re: Yahoo and their mail filters..
To: "J.D. Falk" <jdfalk-lists@cybernothing.org>
Cc: nanog@nanog.org
Message-ID: <257F71E4-40FF-4587-9EAD-F8988465B119@smtps.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

On Feb 26, 2009, at 5:08 PM, J.D. Falk wrote:

>> Blocking an entire site just because one John Doe user clicked a button they don't even understand just does not make sense.
>
> You're right -- but Yahoo! has a sufficiently large userbase that they can count multiple complaints before blocking anything. Same story with AOL, and Hotmail, and Cloudmark, and many others who've used this technique for years.

This does not appear to be the case from external observation. It may be in some cases that multiple reports are necessary, but it certainly seems there are hair-triggers in others. For instance, see the message from Eric Esslinger.

As for not black-holing anything, I haven't personally verified with Yahoo!, but others have reported that they do. It's pretty common from what I've seen to simply make very high-scored messages disappear and only send the mid-range stuff to the spam folder. Hotmail, as mentioned, does this. One of the very large hosted filtering services does as well. I'm not saying it's bad (it makes sense if you can trust your scoring algorithm), but it does happen. Just because you get _some_ stuff in your spam folder doesn't mean that's all the spam that was blocked.

--
bk
------------------------------
Message: 10
Date: Thu, 26 Feb 2009 20:26:12 -0800
From: Jo Rhett <jrhett@netconsonance.com>
Subject: Re: Yahoo and their mail filters..
To: Ray Corbin <rcorbin@traffiq.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Message-ID: <A7F2327C-EA78-480E-812C-D6FDD7008978@netconsonance.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

On Feb 25, 2009, at 8:14 AM, Ray Corbin wrote:

> It depends on your environment. I've seen where it is helpful and where it is overwhelming. If you are a smaller company and want to know why you keep getting blocked then those should help. If you are a larger company and get a several hundred a day, but you send 100k emails to AOL then it is not as big of a deal. If you are a shared hosting provider and you get a lot of them you should look into what is being sent to AOL, such as forwarded spam from customers 'auto forwards' (isolate the auto forwards to a separate IP address and simply don't sign up for the FBL for it).... If you have a good setup where only customer-originated email is being sent through the IP's you have a FBL on, then it is useful and you shouldn't get as many complaints.

Ray, you don't get it. What comes from AOL is literally every step in a mother-daughter conversion. You get to read the entire thread. Loving chat, mother and daughter back and forth. But one of them is hitting SPAM on the e-mail *AFTER* replying to it and writing a nice letter back.

This is abuse of the abuse department. This isn't spam. Reading through ~3k of these not-spams every day doesn't help us solve any actual abuse problems.

Feedback loops will not be useful until the providers of the feedback loops accept reports about use of the spam reporting tools, and are willing to go fix their user behavior.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
------------------------------
Message: 11
Date: Thu, 26 Feb 2009 20:47:35 -0800
From: Ricardo Oliveira <rveloso@cs.ucla.edu>
Subject: Road Runner DNS servers
To: nanog@nanog.org
Message-ID: <9F40AFA3-DABB-4DDC-8CE5-09393FF4E73A@cs.ucla.edu>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

Is there anyone clueful in this list from Road Runner (Time Warner Cable) that can explain what's going on with their DNS servers - just contacted their tech support and heard their DNS servers have been under attack over the last 3 days..

thanks,

--Ricardo
------------------------------
_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
End of NANOG Digest, Vol 13, Issue 145 **************************************
-- Thanks & Regards shivlu jain http://shivlu.blogspot.com/ 09312010137
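The NAT exemption that Devang Patel asks about in message 4 of the quoted digest, sketched as Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread: the VRF name, RD/RT values, interface names and every address (RFC 1918 and documentation ranges) are constructed, and it assumes all VPN sites are numbered inside 10.0.0.0/8.

```cisco
! Constructed example: customer VRF on the local PE
ip vrf CUST-A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
! Address the CE prefixes are translated to: the PE loopback (global table)
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
! CE-facing interface, inside the VRF, is the NAT inside
interface GigabitEthernet0/1
 ip vrf forwarding CUST-A
 ip address 10.1.255.1 255.255.255.252
 ip nat inside
!
! Core-facing MPLS interface is the NAT outside
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
 mpls ip
 ip nat outside
!
! VRF default route resolved in the global table, toward the Internet PE
ip route vrf CUST-A 0.0.0.0 0.0.0.0 192.0.2.1 global
!
! deny   = leave untranslated (CE to any VPN site)
! permit = translate (everything else, i.e. Internet-bound)
ip access-list extended CUST-A-INET
 deny   ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.1.0.0 0.0.255.255 any
!
route-map CUST-A-NAT permit 10
 match ip address CUST-A-INET
!
! Only traffic matched by the route-map is translated to Loopback0
ip nat inside source route-map CUST-A-NAT interface Loopback0 vrf CUST-A overload
```

With a summarizable VPN addressing plan the exemption stays at one deny line per customer VRF. `show ip nat translations vrf CUST-A` should then list entries for Internet destinations only.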