when last we saw our hero (Tuesday, Sep 02, 2003), 
 Adam Maloney was madly tapping out:
> If you can't reach the 3 nameservers then it's unlikely you'd be able to
> reach the web and e-mail servers.
> 
> No, I know it's bad karma - I have an agreement for an off-site
> nameserver, but I haven't thrown the box together yet.  It's so far down
> on my priority list, with everything else I have to do.  Rightly so, since
> the circumstances requiring it are pretty outrageous.  

uhh - you might want to bump that up the priority list a bit there...

the conditions aren't at all outrageous, in fact they're quite
realistic, and can happen anytime.

the netblock this comes out of is only a /19.  some tier 1/2 providers
will filter on prefix lengths this long and you won't have quite the
visibility to the outside world that you think you do.   

e.g.: here's how this announcement looks to a very well connected
      route reflector in europe.  from this perspective you only have
      a single provider to this network through TWT. 

BGP routing table entry for 207.195.192.0/19, version 14796556
Paths: (2 available, best #2)
  Not advertised to any peer
  4323 19550
    198.32.160.35 (metric 270) from 166.49.166.197 (166.49.166.197)
      Origin IGP, localpref 180, valid, internal
      Community: 4323:1001 4323:21220 5400:3001 5400:3003
      Originator: 166.49.205.2, Cluster list: 0.0.0.116
  4323 19550
    198.32.160.35 (metric 270) from 166.49.166.196 (166.49.166.196)
      Origin IGP, localpref 180, valid, internal, best
      Community: 4323:1001 4323:21220 5400:3001 5400:3003
      Originator: 166.49.205.2, Cluster list: 0.0.0.116

as an aside, i haven't seen any AS paths for this network that didn't
have 4323 as the first external AS, so if you are multi-homed to
different providers you might want to see what options you've got for
getting your network(s) out there. 

some instability on the link(s) or within the network, you get
dampened and you drop off the map.  mail starts to bounce, customers
bitch, etc.

the other gotcha here is the fact that this is all on a single network
segment, which means you can be hard bitten by an outage on the local
network.  mercifully, this is pretty trivial to address in a short
time period and you've got options for mitigating this (HSRP, VRRP,
etc).  but if you lose a switch or something nasty happens on this
segment you may have some issues which knock dns on its butt for a
while, in the meantime mail bounces, customers bitch, etc.


> Our net connections come from two providers over 2 different
> OC-12's, diverse entry points, SONET, etc. They connect to two
> different routers on two different cards (PA-A3-T3 and PA-2T3+ into
> two 7206-VXR/300s), and we have spares of both.  All of our gear is
> on generator-backed outlets running on our own transformer (separate
> from the rest of the building).  If the transformer goes, we have
> enough battery to last until the building engineer re-routes our
> circuits into one of the building's transformers in the same closet.
> 
> The TWT fiber enters on the East and West sides of the building and
> terminates in the 5th floor closet, and they have enough battery
> power to run for a day or two.  The Qworst fiber comes into the
> North side of the building (collapsed ring) into the 1st floor, and
> is similarly protected by battery.  Both plug into diesel outlets,
> and the generator has fuel enough to run for 3 or 4 days.  The Qwest
> fiber goes to what M.H. calls "The Ghetto" (Bloomington CO).  TWT
> takes two separate routes to their Minneapolis POP.
> 
> Of course, if all that breaks we have some PRI's coming over an OC-3
> from KMC, and our relationship with them is such that they could
> turn up an emergency DS-3 pretty quick, and I could just announce
> out that direction.  I could probably even have TDS turn up a couple
> of emergency T-1's at our Monticello POP, and run my traffic out
> there.
> 
> Worst case, we pack sh*t up and drive over to another friendly
> neighborhood ISP :)  We've done that for someone before.

i think that a couple of dns boxen spread around the map would make
you happier. ;-)


> On Tue, 2 Sep 2003, steve ulrich wrote:
> 
> > when last we saw our hero (Tuesday, Sep 02, 2003), 
> >  Adam Maloney was madly tapping out:
> > > *shrug*
> > > 
> > > Registrant:
> > > Country Inn & Suites (COUNTRYINNSUITES-DOM)
> > >    1204 S. Ramsey
> > >    Shakopee, MN 55379
> > >    US
> > > ...
> > >    Domain servers in listed order:
> > > 
> > >    NS1.SIHOPE.COM               207.195.195.185
> > >    NS2.SIHOPE.COM               207.195.195.186
> > >    NS3.SIHOPE.COM               207.195.195.187
> > > 
> > > But we have nothing to do with their room access...
> > 
> > all nameservers in 1 netblock?  doesn't that raise eyebrows?





-- 
steve ulrich                       sulrich at botwerks.org
PGP: 8D0B 0EE9 E700 A6CF ABA7  AE5F 4FD4 07C9 133B FAFC

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
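
Added example (not part of the original message or written by either poster): a small audit that applies the three shared-fate checks raised in the reply to the nameserver addresses and the BGP table entry quoted above. The /24 grouping is an assumed stand-in for "one network segment", and NS4.EXAMPLE.NET / 192.0.2.53 is a constructed off-site server used only for contrast.

```python
import ipaddress
import re

# Taken from the message above: the whois nameserver list and the BGP table entry
# (trimmed to the prefix and AS-path lines).
NAMESERVERS = {
    "NS1.SIHOPE.COM": "207.195.195.185",
    "NS2.SIHOPE.COM": "207.195.195.186",
    "NS3.SIHOPE.COM": "207.195.195.187",
}
BGP_ENTRY = """\
BGP routing table entry for 207.195.192.0/19, version 14796556
Paths: (2 available, best #2)
  4323 19550
    198.32.160.35 (metric 270) from 166.49.166.197 (166.49.166.197)
  4323 19550
    198.32.160.35 (metric 270) from 166.49.166.196 (166.49.166.196)
"""

def parse_bgp_entry(text):
    """Return (prefix, set of AS paths) from a Cisco-style BGP table entry."""
    prefix = ipaddress.ip_network(re.search(r"entry for (\S+),", text).group(1))
    # AS-path lines are indented two spaces and hold only AS numbers.
    paths = {tuple(int(n) for n in line.split())
             for line in re.findall(r"^  (\d+(?: \d+)*)$", text, re.M)}
    return prefix, paths

def audit(nameservers, prefix, paths, subnet_len=24):
    """Return shared-fate findings; subnet_len is an assumed proxy for one segment."""
    addrs = [ipaddress.ip_address(a) for a in nameservers.values()]
    findings = []
    if all(a in prefix for a in addrs):
        findings.append(f"every nameserver is inside the single prefix {prefix}")
    subnets = {ipaddress.ip_network(f"{a}/{subnet_len}", strict=False) for a in addrs}
    if len(subnets) == 1:
        findings.append(f"every nameserver is inside {subnets.pop()}")
    # The AS next to the origin is the provider the announcement leaves through.
    upstreams = {p[-2] for p in paths if len(p) >= 2}
    if len(upstreams) == 1:
        findings.append(f"every observed path leaves via AS{upstreams.pop()}")
    return findings

if __name__ == "__main__":
    prefix, paths = parse_bgp_entry(BGP_ENTRY)
    for finding in audit(NAMESERVERS, prefix, paths):
        print("WARN:", finding)
    # Constructed contrast: one off-site server (192.0.2.53 is a documentation address).
    offsite = dict(NAMESERVERS, **{"NS4.EXAMPLE.NET": "192.0.2.53"})
    for finding in audit(offsite, prefix, paths):
        print("WARN (with off-site NS):", finding)
```

With the addresses as quoted, all three findings fire; adding the off-site server clears the two nameserver-placement findings, while the single-upstream finding stays because it concerns the /19 announcement itself.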