RyanG1
Premium
join:2002-02-10
San Antonio, TX

1 edit

[OT] Peering Project

About 3 months ago a coworker and I started a VPN between ourselves just to mess around with routing over the VPN. I ran across a forum which had posts of a similar project but on a larger scale. Unfortunately, that project died but it was called PeerIX.

In my spare time I've been working on and off with a similar project in mind that was automated, as theirs seemed to fail due to the fact it relied on human intervention to assign IPs and ASNs.

We have gotten the project off the ground and finished the groundwork for the automation to create the tunnels and BGP neighbors. I'm looking to see if anyone would be willing to beta test this.

The main site is up with a few populated pages (most of the time was spent with automating the backend code) and yes we used a template for the HTML.

The site is www.freepeerx.org/ and the registration feature is working (it will email you a link to activate). If you would like to beta test please register and then shoot me an IM here with your username and I'll grant you access on the tunnel servers. Right now the system will not activate a tunnel or assign IP space until one of us assigns you to a tunnel server (Dallas, TX only at the moment).

All you need is a device capable of terminating a GRE tunnel and BGP. Our tunnel servers run Gentoo with Quagga and I have my home network already configured on the system.

Anywho, hope asking for something like this isn't frowned upon as this is a learning platform (as much as it is an experiment).

----EDIT----

Also, there is a looking glass server set up to telnet to at looking-glass.freepeerx.org on port 2601.

Thanks,
Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

HELLFIRE

join:2009-11-25
kudos:7

Will keep this in mind, definitely interested in the learning aspects of it.

One question is whether the FAQ section is working or not, or I'm just crazy. Tried clicking on the links present but didn't seem to bring up anything.

Regards



RyanG1
Premium
join:2002-02-10
San Antonio, TX

Yeah, I haven't finished writing them and I accidentally included it in the upload of the latest revision of the site.

I'll more than likely have them written up in the next day or so.

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:4

reply to RyanG1
I would suggest something more than a /29 for each user.

A /27 is slightly more useful for a small-mediumish sized LAN that you could expect to find at a geek's house.

And I only say this because blegh, NAT. This should be the type of project you use to avoid having to use NAT and provide pure IP routing from end to end.

Plus, with almost 17.9 million IPs to dish out (around 560,000 users worth at /27), you won't be running into any shortages any time soon.



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to RyanG1
Well, the only reason to use NAT is in the event there's an IP overlap with the subnets a user is announcing and they still want their network accessible. But I agree, the /29 can be changed with no ill effect.

Thanks for the input =)

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams


Cisco

join:2012-03-03

I just registered, but received no activation email so far.



RyanG1
Premium
join:2002-02-10
San Antonio, TX

1 edit

reply to RyanG1
It may have gone to spam; I checked the email server and I'm showing the message was delivered.

I went ahead and activated your account nonetheless. Sorry about that.

---

edit:

Corrected the issues with the emails; there was a bad SPF entry.

Ryan


Cisco

join:2012-03-03

It seems we are peering now and I'm the only one announcing /27.

What is 192.168.10.0/23 for? Any plans to enable IPv6?



RyanG1
Premium
join:2002-02-10
San Antonio, TX

192.168.10.0/23 is my home network (really just 192.168.10.0/24; .11.0/24 is my lab). As for IPv6, that may get added in the future but it would require a bit more updating of the back-end. Once I finish the automation entirely for IPv4 I can focus on that.

You can announce your own subnets at home; for testing I have not filtered anything inbound other than the backbone subnets and default routes. You can announce as large a block as a /24 from the tunnel server you are on.

I'm still working on the peering portion to aid in configuring direct peers between users (rather than backbone only).

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams


Cisco

join:2012-03-03

I had to filter inbound 192.168.10.0/23 because I have the same block in my network. However I saw you changed it to .10.0/24 just now.
I just added 10.0.0.0/24 to my announcement. Not sure what else I can do from there, maybe setting up a proxy server to bridge to the internet?
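
Added example (not part of the thread and not the project's code): a Python sketch of the inbound policy RyanG1 describes above (drop default routes and backbone subnets, accept nothing larger than a /24) together with the member-side overlap check Cisco mentions. The backbone range, the /27 and the function names are constructed placeholders, since the thread does not give them.

```python
import ipaddress

# Assumptions (not from the thread): the backbone range is a constructed
# placeholder, and point-to-point links are assumed to be carved from it.
BACKBONE = [ipaddress.IPv4Network("172.31.0.0/16")]
MAX_BLOCK_LEN = 24  # "as large a block as a /24": prefix length 24 or longer


def check_inbound(prefix, local_nets=()):
    """Return (accepted, reason) for one announced IPv4 prefix."""
    try:
        # strict=True rejects prefixes with host bits set, e.g. 10.0.0.1/24
        net = ipaddress.IPv4Network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen == 0:
        return False, "default route"
    if net.prefixlen < MAX_BLOCK_LEN:
        return False, "larger than /24"
    if any(net.overlaps(b) for b in BACKBONE):
        return False, "overlaps backbone"
    # Member-side check: a learned route that overlaps a subnet already in
    # use locally conflicts with local routing and has to be filtered.
    for local in local_nets:
        if net.overlaps(ipaddress.IPv4Network(local)):
            return False, "overlaps local network " + str(local)
    return True, "accepted"


def filter_announcements(prefixes, local_nets=()):
    """Map each announced prefix to its (accepted, reason) verdict."""
    return {p: check_inbound(p, local_nets) for p in prefixes}


if __name__ == "__main__":
    # Constructed sample: prefixes mentioned in the thread plus placeholders.
    announced = [
        "0.0.0.0/0",        # default route
        "192.168.10.0/23",  # home + lab block from the thread
        "192.168.10.0/24",  # the narrowed announcement
        "10.0.0.0/24",      # block added in the post above
        "10.20.30.0/27",    # constructed /27
        "172.31.255.0/30",  # constructed point-to-point prefix
    ]
    # The receiving member is assumed to use 192.168.10.0/24 locally.
    verdicts = filter_announcements(announced, ["192.168.10.0/24"])
    for prefix, (ok, why) in verdicts.items():
        print(f"{prefix:18} {'permit' if ok else 'deny':6} {why}")
```
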



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to RyanG1
While you are certainly free to do that and allow internet sharing, be aware your ISP may look down upon sharing connections. I know my carrier (Time Warner) does not approve of sharing but in all honesty they cannot actively detect it (as far as I know).

Yup, I see your announcements on my edge router, good stuff! As far as what else can be done, well, that's up to the users that join =)

Let me know if you find any bugs!
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams


Cisco

join:2012-03-03

Major ISPs here do their best to detect internet sharing. But unless there's a cap on the number of simultaneous connections, I don't see how it can be detected. One meaningful use of sharing is when someone wants to visit websites blocked by ISP on either side, or sites that limit content access to certain IP address blocks.

One suggestion: lose the password login on the looking-glass server. It doesn't make much sense to type the extra letters since the server is open to public access.


Cisco

join:2012-03-03

1 edit

reply to RyanG1
Why is the tunnel status on my side UNKNOWN?
Please filter the outbound PtP prefix, it causes FIB-failure here.



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to RyanG1
With Quagga it will not allow null/empty/no passwords and complains at start/connection.

The tunnel shows as unknown because the poller is disabled (it's tied in with the one that polls the tunnel servers) because there was an issue with the code and I need to fix it before I turn it back on.

The prefix filters for your tunnel have been adjusted and I have modified the automation to apply the filters to new tunnels going forward. Thanks for that =)

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams


ArcAngel
Premium
join:2010-12-09
Charleston, WV

I'm trying to activate the tunnel however it pops up another window with just a couple of links and no option to activate the tunnels.


Cisco

join:2012-03-03

reply to RyanG1
You are welcome. The prefix filter is working nicely.

Try route-server.he.net which logs users in automatically. I'm not familiar with Quagga and don't know how they did it.

How is the poller supposed to work? I thought it was because of my ACL blocking ICMP packets. While tweaking it, I discovered that my ISP blocks them for me...
Your poller should work if it pings my PtP address.

BTW, how's that IPSec tunnel test going?



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to RyanG1
The poller is just a PHP script but there was a bug with how I was processing the devices and it causes a memory leak. I disabled it until I fix the code; nothing is wrong on your end!

As for the route server, I'll check and see what can be changed.

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams


Cisco

join:2012-03-03

Your reply came sooner than I could add an extra sentence:
BTW, how's that IPSec tunnel test going?



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to RyanG1
The IPsec setup is on one tunnel server but it's all manual config and not tied into the automation. So far I've found a stable kernel but the problem with it is that sometimes one tunnel gets locked up and requires the server to reboot (even when other tunnels are working fine).

Other than that it's working fine so far. My setup is an ASA as my gateway and firewall that does an IPsec tunnel to the backbone and behind my ASA is an 1841 that handles my BGP sessions and tunnels.

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams


ArcAngel
Premium
join:2010-12-09
Charleston, WV

reply to RyanG1
Hey, I think we should get a forum up for this project on its website; that way everyone who is interested can also post there.

