Internet access using VRF aware NAT

Shivlu Jain shivlu.jain at gmail.com
Fri Feb 27 06:00:54 UTC 2009


Hi Devang

We are using VRF NAT where the customer demands firewall services.
For implementing this we are advertising a default route, and VRF NAT is used
on a per-VPN basis. This is the rate service in the case of wholesale.
Actual implementation: we are creating an INTERNET VRF which has a
default route; in the customer VRF the RT of the Internet route is imported and the VRF
is able to get the default route. For reverse traffic an IPv4 route is added
at the PE towards the customer interface.

regards
shivlu jain

On Fri, Feb 27, 2009 at 10:17 AM, <nanog-request at nanog.org> wrote:

>
> Today's Topics:
>
>   1. RE: Documentation of switch maps (Gregory Boehnlein)
>   2. Re: Yahoo and their mail filters.. (Marshall Eubanks)
>   3. Re: Documentation of switch maps (Adam Armstrong)
>   4. Internet access using VRF aware NAT (devang patel)
>   5. Re: Yahoo and their mail filters.. (J.D. Falk)
>   6. Re: Yahoo and their mail filters.. (Carl Ford)
>   7. Re: Yahoo and their mail filters.. (J.D. Falk)
>   8. Re: Yahoo and their mail filters.. (Suresh Ramasubramanian)
>   9. Re: Yahoo and their mail filters.. (Brian Keefer)
>  10. Re: Yahoo and their mail filters.. (Jo Rhett)
>  11. Road Runner DNS servers (Ricardo Oliveira)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 26 Feb 2009 14:20:07 -0500
> From: "Gregory Boehnlein" <damin at nacs.net>
> Subject: RE: Documentation of switch maps
> To: "'Bielawa, Daniel W. \(NS\)'" <dwbielawa at liberty.edu>,
>        <nanog at nanog.org>
> Message-ID: <02bd01c99847$3c48e540$b4daafc0$@net>
> Content-Type: text/plain;       charset="us-ascii"
>
> Man.. I'd love to have this for Netgear switches! :)
>
> > -----Original Message-----
> > From: Bielawa, Daniel W. (NS) [mailto:dwbielawa at liberty.edu]
> > Sent: Thursday, February 26, 2009 2:07 PM
> > To: nanog at nanog.org
> > Subject: RE: Documentation of switch maps
> >
> > Hello,
> >
> >         We use switchmap here for tracking port utilization, days
> > inactive, and devices connected. It uses SNMP to determine the
> > information.
> >
> > http://switchmap.sourceforge.net/
> >
> > Thank You
> >
> > Daniel Bielawa
> > Network Engineer
> > Liberty University Information Services
> >
> > -----Original Message-----
> > From: Blake Pfankuch [mailto:bpfankuch at cpgreeley.com]
> > Sent: Thursday, February 26, 2009 2:01 PM
> > To: nanog at nanog.org
> > Subject: Documentation of switch maps
> >
> > Howdy.
> >
> > Had a customer come to me this morning who wanted to create a document
> > for their switching infrastructure and thought I would bounce it off
> > the rest of the world on how you usually do this.  Typically I use a
> > spreadsheet with outlines to define the "switch" and then outlines for
> > the ports and color coding for vlan's as well as a description of the
> > port.  Curious what other people are doing, as this would be a huge
> > undertaking for a customer who is using an entire /19 of rfc 1918 ip
> > addresses and has well over 150 switches and 40 active vlans.  They want
> > to be able to look at this document and pull up any switch and look at
> > the port and be able to see what vlan the port is on, as well as what
> > device it is connected to as well as port channel membership, trunks
> > and other fun things like that.  Needless to say their documentation is
> > lacking on the physical connectivity however their cisco infrastructure
> > does have labels on every port that goes to a named device outside of
> > the DHCP pools.  Thoughts?
> >
> > Thanks,
> > Blake Pfankuch
> >
> >
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 26 Feb 2009 17:06:41 -0500
> From: Marshall Eubanks <tme at multicasttech.com>
> Subject: Re: Yahoo and their mail filters..
> To: John R. Levine <johnl at iecc.com>
> Cc: nanog at nanog.org
> Message-ID: <A3D823EF-4892-4D36-BDCB-B724D1EC0318 at multicasttech.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
>
> On Feb 26, 2009, at 2:00 PM, John R. Levine wrote:
>
> >> You're that confident people know the difference between a real
> >> communication from a party they conversed with before and a phish
> >> designed to look like the same thing?
> >
>
> What I worry about is when software is used to scrape lists such as
> this and used to create phishing based on actual emails, so you get
> phishes apparently from people you know using their actual words.
> When the botnets start doing that things could get nasty fast.
>
> Regards
> Marshall
>
>
> > If it's a bank, probably not.  If it's a random online store,
> > there's about a 99.9% chance it's actual junk mail and .01% that
> > it's anything else.
> >
> > R's,
> > John
> >
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 26 Feb 2009 23:55:38 +0000
> From: Adam Armstrong <lists at memetic.org>
> Subject: Re: Documentation of switch maps
> To: Blake Pfankuch <bpfankuch at cpgreeley.com>
> Cc: "nanog at nanog.org" <nanog at nanog.org>
> Message-ID: <49A72BFA.1070706 at memetic.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Blake Pfankuch wrote:
> > Howdy.
> >
> > Had a customer come to me this morning who wanted to create a document
> > for their switching infrastructure and thought I would bounce it off the
> > rest of the world on how you usually do this.  Typically I use a spreadsheet
> > with outlines to define the "switch" and then outlines for the ports and
> > color coding for vlan's as well as a description of the port.  Curious what
> > other people are doing, as this would be a huge undertaking for a customer
> > who is using an entire /19 of rfc 1918 ip addresses and has well over 150
> > switches and 40 active vlans.  They want to be able to look at this document
> > and pull up any switch and look at the port and be able to see what vlan the
> > port is on, as well as what device it is connected to as well as port
> > channel membership, trunks and other fun things like that.  Needless to say
> > their documentation is lacking on the physical connectivity however their
> > cisco infrastructure does have labels on every port that goes to a named
> > device outside of the DHCP pools.  Thoughts?
> >
> If they're cisco or similar switches, make sure your port descriptions
> are correct, and keep configuration archives. Collect the port
> configuration/status with snmp and populate it into a database, that way
> you can generate whatever information you want in whatever format and
> it's accurate, which it won't be if you're expecting someone to update a
> spreadsheet.
>
> adam.
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 26 Feb 2009 17:38:18 -0700
> From: devang patel <devangnp at gmail.com>
> Subject: Internet access using VRF aware NAT
> To: nanog at nanog.org
> Message-ID:
>        <d0fea3580902261638v857ca36ja7442ebc7c54456b at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
>
> Have one question about VRF aware NAT for internet access! If we
> enable the VRF aware NAT on the local PE to have internet access via a central
> Internet PE then we will not have connectivity to any other VPN site, as all
> local CE prefixes will be translated to the loopback IP address of the local
> PE.
>
> We can have a route map which matches an ACL for a specific CE source to a
> specific VPN destination with the deny keyword, and it will prevent the NAT
> when a CE tries to communicate with another CE of the same VPN or a different VPN. That
> looks like a longer configuration in the real world, right! So is that the only way I
> have when my only option is to configure the local PE with VRF
> aware NAT to gain internet access?
> I need to know what is implemented in the real world. How are service provider
> networks providing internet access with the MPLS VPN option? I know about
> the customer getting VPN connectivity on one router and the service provider
> giving another internet connectivity link which might be terminating on the same
> router or another router.  I just want to know which is the mostly used option as
> far as the internet access service with MPLS VPN services!
>
> thanks,
> Devang Patel
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 26 Feb 2009 18:08:27 -0700
> From: "J.D. Falk" <jdfalk-lists at cybernothing.org>
> Subject: Re: Yahoo and their mail filters..
> To: nanog at nanog.org
> Message-ID: <49A73D0B.2010706 at cybernothing.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Brian Keefer wrote:
>
> > The other options is to stuff all the spam messages in a folder and
> > expose them to the user, taking up a huge amount of storage space for
> > something the vast majority of users are never going to look at any way.
>
> Which is, in fact, what Yahoo! does by default.  Users have the option to
> have that stuff deleted immediately, should they desire.
>
> > Blocking an entire site just because one John Doe user clicked a button
> > they don't even understand just does not make sense.
>
> You're right -- but Yahoo! has a sufficiently large userbase that they can
> count multiple complaints before blocking anything.  Same story with AOL,
> and Hotmail, and Cloudmark, and many others who've used this technique for
> years.
>
> In all of those cases, they have safeguards to prevent gaming, to prevent
> bouncing, and pretty much everything else anyone's suggested thus far in
> this thread.
>
> > Last, anywhere that I've seen extensive use of forwards has had a maze
> > of difficult to untangle abuse problems related to forwarded spam. Any
> > site allowing forwarding should apply very robust filtering of outbound
> > mail.
>
> Very true.  MAAWG published a document last year which includes some
> additional recommendations:
>
> http://www.maawg.org/about/publishedDocuments/MAAWG_Email_Forwarding_BP.pdf
>
> --
> J.D. Falk
> Return Path Inc
> http://www.returnpath.net/
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 26 Feb 2009 20:35:57 -0500
> From: Carl Ford <carl.ford at gmail.com>
> Subject: Re: Yahoo and their mail filters..
> To: Micheal Patterson <micheal at spmedicalgroup.com>
> Cc: nanog at nanog.org
> Message-ID:
>        <f79c56820902261735q3d958f3ey24c36aeb4ee294e3 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> very old news.
>
> their filter restrictions have some very absurd rules
>
> On Tue, Feb 24, 2009 at 9:27 PM, Micheal Patterson <
> micheal at spmedicalgroup.com> wrote:
>
> > This may be old news, but I've not been in the list for quite some time.
> > At any rate, is anyone else having issues with Yahoo blocking / deferring
> > legitimate emails?
> >
> > My situation is that I host our corporate mx'ers on my network, one of
> > the companies that we recently purchased has Yahoo hosting their domains
> > mail. Mail traffic to them is getting temporarily deferred with the "421 4.7.0
> > [TS01] Messages from xxx.xxx.xxx.xxx temporarily deferred due to user
> > complaints - 4.16.55.1;
> > see http://postmaster.yahoo.com/421-ts01.html"
> >
> > The admin of the facility has contacted Yahoo about this but their
> > response was for "more information" when they were told that traffic from my mx to
> > their domain was to being deferred.  I may end up just having them
> > migrate to my systems just to maintain company communications if we can't clear
> > this up in a timely manner.
> >
> > --
> > Micheal Patterson
> >
> >
> >
> >
> >
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 26 Feb 2009 18:15:08 -0700
> From: "J.D. Falk" <jdfalk-lists at cybernothing.org>
> Subject: Re: Yahoo and their mail filters..
> To: nanog at nanog.org
> Message-ID: <49A73E9C.1060604 at cybernothing.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Barry Shein wrote:
>
> > I suggested that probably 99% of the false positives I see could be
> > avoided by just waiting until there are two or more complaints from
> > the same source before firing it back as spam.
>
> I've developed systems for ISPs to handle inbound complaints from AOL &
> such, and that's exactly what we did: multiple complaints were acted upon,
> single complaints only fed into the aggregate stats.  On the INBOUND side.
> We didn't ask AOL to do that work for us.
>
> Many recipients of complaint feedback actually /want/ to receive every
> complaint, because -- like John Levine -- they treat those complaints as
> unsubscribe requests.
>
> Yours is not the common use case.
>
> --
> J.D. Falk
> Return Path Inc
> http://www.returnpath.net/
>
>
>
> ------------------------------
>
> Message: 8
> Date: Fri, 27 Feb 2009 07:34:46 +0530
> From: Suresh Ramasubramanian <ops.lists at gmail.com>
> Subject: Re: Yahoo and their mail filters..
> To: "J.D. Falk" <jdfalk-lists at cybernothing.org>
> Cc: nanog at nanog.org
> Message-ID:
>        <bb0e440a0902261804m77b0ca56nf3c61facf708bfec at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Fri, Feb 27, 2009 at 6:45 AM, J.D. Falk
> <jdfalk-lists at cybernothing.org> wrote:
> > Many recipients of complaint feedback actually /want/ to receive every
> > complaint, because -- like John Levine -- they treat those complaints as
> > unsubscribe requests.
>
> That's ONE use case.  But we are not senders, and we do use a feedback
> loop because we are an ISP (like Barry) but we don't have the luxury of
> a purely geek (so largely clean e&oe pwned systems) userbase like
> Barry has.
>
> In other words - we do get spammer customers. And the feedback loops
> provide us near real time notification of these, allowing us to
> terminate.
>
> > Yours is not the common use case.
>
> His IS the common use case.  Just that he doesn't have the sort of
> userbase that will generate usable FBLs (aka no significant number of
> genuine spam issues on his network).  For which he has to count
> himself lucky.
>
>
>
> ------------------------------
>
> Message: 9
> Date: Thu, 26 Feb 2009 20:17:37 -0800
> From: Brian Keefer <chort at smtps.net>
> Subject: Re: Yahoo and their mail filters..
> To: "J.D. Falk" <jdfalk-lists at cybernothing.org>
> Cc: nanog at nanog.org
> Message-ID: <257F71E4-40FF-4587-9EAD-F8988465B119 at smtps.net>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
>
> On Feb 26, 2009, at 5:08 PM, J.D. Falk wrote:
> >> Blocking an entire site just because one John Doe user clicked a
> >> button they don't even understand just does not make sense.
> >
> > You're right -- but Yahoo! has a sufficiently large userbase that
> > they can count multiple complaints before blocking anything.  Same
> > story with AOL, and Hotmail, and Cloudmark, and many others who've
> > used this technique for years.
>
> This does not appear to be the case from external observation.  It may
> be in some cases that multiple reports are necessary, but it certainly
> seems there are hair-triggers in others.  For instance, see the
> message from Eric Esslinger.
>
> As for not black-holing anything, I haven't personally verified with
> Yahoo!, but others have reported that they do.  It's pretty common
> from what I've seen to simply make very high-scored messages disappear
> and only send the mid-range stuff to the spam folder.  Hotmail, as
> mentioned, does this.  One of the very large hosted filtering services
> does as well.  I'm not saying it's bad (it makes sense if you can
> trust your scoring algorithm), but it does happen.  Just because you
> get _some_ stuff in your spam folder doesn't mean that's all the spam
> that was blocked.
>
> --
> bk
>
>
>
>
>
>
> ------------------------------
>
> Message: 10
> Date: Thu, 26 Feb 2009 20:26:12 -0800
> From: Jo Rhett <jrhett at netconsonance.com>
> Subject: Re: Yahoo and their mail filters..
> To: Ray Corbin <rcorbin at traffiq.com>
> Cc: "nanog at nanog.org" <nanog at nanog.org>
> Message-ID: <A7F2327C-EA78-480E-812C-D6FDD7008978 at netconsonance.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> On Feb 25, 2009, at 8:14 AM, Ray Corbin wrote:
> > It depends on your environment. I've seen where it is helpful and
> > where it is overwhelming. If you are a smaller company and want to
> > know why you keep getting blocked then those should help. If you are
> > a larger company and get a several hundred a day, but you send 100k
> > emails to AOL then it is not as big of a deal. If you are a shared
> > hosting provider and you get a lot of them you should look into what
> > is being sent to AOL, such as forwarded spam from customers 'auto
> > forwards' (isolate the auto forwards to a separate IP address and
> > simply don't sign up for the FBL for it).... If you have a good
> > setup where only customer-originated email is being sent through the
> > IP's you have a FBL on, then it is useful and you shouldn't get as
> > many complaints.
>
>
> Ray, you don't get it.  What comes from AOL is literally every step
> in a mother-daughter conversation.  You get to read the entire thread.
> Loving chat, mother and daughter back and forth.  But one of them is
> hitting SPAM on the e-mail *AFTER* replying to it and writing a nice
> letter back.
>
> This is abuse of the abuse department.  This isn't spam.  Reading
> through ~3k of these not-spams every day doesn't help us solve any
> actual abuse problems.
>
> Feedback loops will not be useful until the providers of the feedback
> loops accept reports about use of the spam reporting tools, and are
> willing to go fix their user behavior.
>
> --
> Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source
> and other randomness
>
>
>
>
>
> ------------------------------
>
> Message: 11
> Date: Thu, 26 Feb 2009 20:47:35 -0800
> From: Ricardo Oliveira <rveloso at cs.ucla.edu>
> Subject: Road Runner DNS servers
> To: nanog at nanog.org
> Message-ID: <9F40AFA3-DABB-4DDC-8CE5-09393FF4E73A at cs.ucla.edu>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> Is there anyone clueful in this list from Road Runner (Time Warner
> Cable) that can explain what's going on with their DNS servers - just
> contacted their tech support and heard their DNS servers have been
> under attack over the last 3 days..
> thanks,
>
> --Ricardo
>
>
>
> ------------------------------
>
> End of NANOG Digest, Vol 13, Issue 145
> **************************************
>



-- 
Thanks & Regards
shivlu jain
http://shivlu.blogspot.com/
09312010137
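The PE-side VRF-aware NAT design discussed in this thread (the reply at the top and Devang's question in message 4: Internet access for a customer VRF with intra-VPN traffic excluded from translation) as an added Cisco IOS configuration example; this is not configuration from either poster. The VRF name CUSTA, interface names, route-target values and addresses are constructed, and it assumes a PE with a directly attached Internet uplink in the global table rather than the INTERNET-VRF import with a reverse route that Shivlu describes.

```cisco
! Added example: assumed PE with one customer VRF (CUSTA) and an Internet
! uplink in the global routing table. All names and addresses are constructed.
ip vrf CUSTA
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:200
!
! Customer-facing interface: NAT inside, inside the customer VRF
interface GigabitEthernet0/0
 description CE-A (customer VPN site, RFC 1918 addressing)
 ip vrf forwarding CUSTA
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
!
! Internet-facing interface: NAT outside, global routing table
interface GigabitEthernet0/1
 description Internet uplink (global table)
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
! Default route inside the VRF that leaks Internet-bound traffic to the
! global table (the "global" keyword); VPN prefixes are still learned via MP-BGP.
ip route vrf CUSTA 0.0.0.0 0.0.0.0 GigabitEthernet0/1 203.0.113.2 global
!
! Only Internet-bound traffic is translated. The deny lines exclude
! intra-VPN destinations (this VPN's 10.0.0.0/8 and a partner VPN's
! 172.16.0.0/12, both assumed) so CE-to-CE traffic keeps its real source
! address and stays inside the VPN; denying the whole VPN range avoids one
! line per CE/destination pair, which is the long form Devang objected to.
ip access-list extended ACL-CUSTA-NAT
 deny   ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.1.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 permit ip 10.1.0.0 0.0.255.255 any
!
route-map RM-CUSTA-NAT permit 10
 match ip address ACL-CUSTA-NAT
!
! VRF-aware PAT: matching CUSTA sources are overloaded onto the uplink
! address; the "vrf CUSTA" keyword ties return traffic back into the VRF.
ip nat inside source route-map RM-CUSTA-NAT interface GigabitEthernet0/1 vrf CUSTA overload
```

Verify with `show ip nat translations vrf CUSTA`: Internet-bound flows should appear translated to 203.0.113.1, while CE-to-CE traffic within the VPN should create no entries.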


