NLNOG RING from a user perspective
Bartek Gajda
gajda@man.poznan.pl

Source: Job Snijders https://ripe65.ripe.net/presentations/105-RIPE65_NLNOG_RING_Job_Snijders.pdf

NLNOG RING - Motivation
• Debug network issues and troubleshoot ‘from the outside’
• A point of view outside your network is absolutely essential
• Seeing what others see is a useful thing with a variety of network problems
Source: ring.nlnog.net

NLNOG RING - Solution
• Provide a streamlined way of cooperating
• “NLNOG RING” – simple essence:
  – You make a (virtual) machine available to the RING
  – You gain access on all servers which are part of the project, hence the name “RING”
• A great example would be to launch a traceroute from 173 servers in different networks and quickly get the results, instead of waiting until somebody has the time to run some tests for you.
Source: ring.nlnog.net

NLNOG RING – how to use it
• CLI interface: ring scripts
  – ring-all – run commands on all servers
  – ring-ping – run commands from all servers
  – ring-trace – ICMP traceroutes from all servers; can create graphs which visualise traceroutes from a number of ring sources
• Distributed Smokeping
  – Web based statistics
  – A smokeping Master/Slave setup has been created to graph latency between all nodes, thus graphing nodes in context of a torus
• BGP Looking glass
  – Web based on-line interface

CLI interface
ring-ping [-6v] host

    poznan@poznan01:~$ ring-ping -v www.terena.org
    sidn01: 3.934
    fnutt01: 25.511
    a2binternet01: 2.007
    melbourne01: 16.713
    digiweb01: 17.661
    …

    ring-ping www.terena.org
    connect: Network is unreachable
    www.terena.org - 173 servers: 44ms average
    www.terena.org - unreachable via: nlnetlabs01
    ssh connection failed: atrato01 bahnhof01 bci01 digmia01 occaid01 solnet01 teamix0

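An added example (not part of the original slides or of the ring scripts): a parser for `ring-ping -v` output that keeps "target unreachable from this node" apart from "node itself unavailable over SSH" and flags slow vantage points. The one-record-per-line layout is assumed from the slide; `examplenode01` and the 3x-median cutoff are constructed for illustration.

```python
import re
from statistics import median

# Constructed sample, laid out like the ring-ping -v output on the slide
# (one "node: milliseconds" line per node, then the failure summaries).
SAMPLE = """\
sidn01: 3.934
fnutt01: 25.511
a2binternet01: 2.007
melbourne01: 16.713
digiweb01: 17.661
examplenode01: 210.400
www.terena.org - unreachable via: nlnetlabs01
ssh connection failed: atrato01 bahnhof01 bci01
"""

# A per-node result is a bare node name, a colon and a number, nothing else.
NODE_RE = re.compile(r"^(\w+):\s+([0-9.]+)$")

def parse_ring_ping(text):
    """Split output into latencies, target-unreachable nodes and broken nodes."""
    result = {"latency": {}, "unreachable": [], "ssh_failed": []}
    for line in text.splitlines():
        line = line.strip()
        m = NODE_RE.match(line)
        if m:
            result["latency"][m.group(1)] = float(m.group(2))
        elif "unreachable via:" in line:
            result["unreachable"] += line.split("unreachable via:", 1)[1].split()
        elif line.startswith("ssh connection failed:"):
            result["ssh_failed"] += line.split(":", 1)[1].split()
    return result

def slow_nodes(latency, factor=3.0):
    """Nodes whose RTT exceeds factor x the median RTT of all answering nodes."""
    if not latency:
        return []
    cutoff = factor * median(latency.values())
    return sorted(n for n, ms in latency.items() if ms > cutoff)

if __name__ == "__main__":
    r = parse_ring_ping(SAMPLE)
    print("answered:", len(r["latency"]))
    print("target unreachable from:", r["unreachable"])  # says something about the path
    print("node itself unavailable:", r["ssh_failed"])   # says nothing about the target
    print("slow vantage points:", slow_nodes(r["latency"]))
```
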
CLI interface
usage: ring-trace [-h]
    -a, --asn            group by ASN instead of IP
    -c, --show-country   show country codes for IP addresses
    -n RANDOM,           pick a given number of hosts at random
    -b                   send output to a pastebin instead of saving it to file
    -B                   remove broken hops from output image
    -e                   exclude a specific host
    -i                   include this host
    -l {dot,neato,fdp,sfdp,twopi,circo}   layout style
    -o                   output filename
    -p                   pick top N and bottom N hosts based on hopcount
    -r                   try to resolve all addresses (WARNING: can take long!)
    -t {dot,gif,pdf,png,jpg,ps,svg}       output filetype
    -T TIMEOUT
    -u                   username for SSH logins
    -U                   use UDP instead of ICMP ECHO
    -v -vv
    -x,                  remove IXP hops from traces
    -X,                  highlight IXP hops in output
    -4 | -6
    destination

CLI interface

    poznan@poznan01:~$ ring-trace -a -4 -b -B -n 5 www.terena.org
    ring-trace v1.6.1 - written by Teun Vink <teun@teun.tv>
    picked 5 hosts at random: imagine01 heanet01 solido01 claranet04 rootlu01
    Performing ICMP traceroutes towards www.terena.org from 5 ring hosts, ssh-timeout is 10 seconds.
    Image uploaded to https://ring.nlnog.net/paste/p/1t1kmf13ocmuzj0
    Done in 12.5 seconds.

Or (Created file: trace-www.terena.org.jpg)

CLI interface
    ring-trace -c -B -n 10 www.terena.org

Distributed Smokeping
AMP (Active Measurement Project)
Developed by WAND Network Research Group
http://amp.ring.nlnog.net/
• Ping
• Historic Traceroutes
• MTU testing
• Jitter
• loss, etc

Distributed Smokeping

BGP looking glass

BGP looking glass – BGP map

NLNOG RING - Participation
Open to everybody who meets the following requirements:
• You are a network operator
• The organisation you work for has BGP routers connected to the “Default Free Zone” and maybe even IXPs
• Your organisation has its own ASN, IPv4 and IPv6 prefix(es)
• You have enable or configure rights on those routers
• You are involved in the networkers community
• You have permission from your organisation to become involved in the NLNOG RING
Source: ring.nlnog.net

NLNOG RING – Hardware
• Hardware requirements
• Mandatory:
  – Clean Ubuntu 12.04 Precise Pangolin 64-bit (amd64/x86_64) Server Edition installation (no special packages are required except openssh-server)
  – 64 bit CPU
  – 1 globally reachable and unique statically configured IPv4 address
  – 1 globally reachable and unique statically configured IPv6 address
  – You are willing to give full sudo access to the Ring-Admins
• The following suggestions are indicative:
  – 1 core or CPU
  – 20 gigabyte disk space
  – at least 512 megabyte RAM, but more is better
  – 10 Mbit NIC (more is fine)
Source: ring.nlnog.net

NLNOG RING – Management
• All regular nodes (machines provided by organisations) are managed through a centralized puppet system.
• Ring-Admins will take care of software and security updates, installation and user management.
• The goal: make it as easy as possible for organisations, so that they do not have to worry about it afterwards.
• Machine owners are allowed and encouraged to install software which they deem necessary to comply with the standards of their organisation; examples are: n2, backup programs or an SNMP daemon.
Source: ring.nlnog.net

NLNOG RING – Participants
PSNC joined in October 2012
https://ring.nlnog.net/participants/

NLNOG RING – Security considerations
• A ‘zero tolerance’ policy
• RING box – regarded as (your) enduser
• Should be placed outside internal network
• Separate VLAN etc.

NLNOG RING – additional information
Link to RIPE presentation pdf & video(!)
https://ripe65.ripe.net/programme/meeting-plan/plenary-agenda/#tues2