mercutio: from sort(1): "*** WARNING *** The locale specified by the environment affects sort order. Set LC_ALL=C to get the traditional sort order that uses native byte values."
hmm mine doesn't show that
mercutio: got that from a debian wheezy machine
yeah i can't find a way to repeat
it does say that in the man page though
oh i thought you meant it outputted that
try "A" and ".a" with en_US.UTF-8 and de_DE.UTF-8
no it just said so in the man page
yeah i only use sort to do uniq :/
so as long as it sorts i don't worry too much
and it's usually on numbers anyway
the order wasn't case sensitive like it usually is
mkb: what is your locale normally?
LANG=en_US.UTF-8 on these machines
patrick.georgi-clan.de/2015/02/17/intel-boot-guard/
err, wrong channel
I can't reproduce, but I've heard of grep matching the wrong case too
Huh, peculiar.
locales are a UI thing and sort is used for a lot more than that
so it doesn't seem to make sense to have sort change behavior on different locales
I mean there's a lot of scripts that didn't expect sort to do anything more than by byte number
Yeah it's well-known and documented that if you want consistent and cross-platform results in your programs/scripts, you set LC_*=C before calling out to anything.
I've had LC_ALL=C LC_CTYPE=en_US.UTF-8 on my desktop for a while since that's all that OpenBSD supports anyway
I guess I'll have to make sure I put that in .profile everywhere else
fwiw i can reproduce it on my Linux desktop. Normally, the only variable set is LANG=en_CA.UTF-8 and sort does not function case-sensitive. If I unset that, or set LC_ALL=C, it's case-sensitive.
Hi, I'm looking for some common practices on datacenter ip subnetting
RFC 3531 comes to mind (it also works for IPv4, despite its title). It's how we allocate blocks to customers.
up_the_irons: I'm more interested in the technical aspect, like vlans and inter-vlan routing
like, is it common practice to VLAN customers?
djkrikke-2: no
djkrikke-2: arp does though
it's common practice to just stick everyone in a huge bridge domain
not that common practice is a good thing
mercutio: I see
mercutio: doesn't that generate a huge amount of broadcast traffic on switches?
djkrikke-2: most don't have mac address limits or ip restrictions or reverse path filtering.
djkrikke-2: yes
djkrikke-2: find a random cheap vps like vultr and do tcpdump -p -l -n -i eth0 ! port 22
the cable network here got so bad that routers started failing under the heavy arp load
mercutio: do you know a good solution?
djkrikke-2: well you can do what arp does, you can also do pppoe, and i am struggling to figure out what the best way is with virtual machines, i've been experimenting with just having ip route default dev eth0 src and having a single /32 routed to it.
mercutio: I was thinking of keeping a big subnet, but creating vlans, combined with proxy arp on the gateway
then those routes are picked up by routing domain on the host and propagated.
mercutio: what exactly does that ip route command do?
for physical machines i kind of like the idea of just having routed /29 tbh
djkrikke-2: it means you don't have a gateway, and it relies on proxy arp to get out
so you can have a netmask of 255.255.255.255 on the ip
oh, so you don't configure a gateway, but tell everything to go through eth0, and proxy arp answers on this?
yeh well you have a gateway of the ethernet interface
is this for physical machines or virtual machines?
well physical, but I'm interested in your approach :)
so you have netmask 255.255.255.255 and a gateway ip
do you really need proxy arp then? you just use the gateway for everything?
proxy arp was because i have stuff in bridge mode still
the gateway is just the ethernet interface
i don't know if i need proxy arp or not but it's enabled
if it's physical i would say that a /29 per user is better
the other thing you can do is you can have a /30 in rfc1913 space and route a /29 to /32 to them depending on how much space they want and use a normal gateway
but you have like ip route add default via 192.168.32.77 src 4.2.2.2 or whatever ip you give them
i prefer /30 to /31 as it means you can always have low ip for gateway which is the first ip of the block too
the way arp is doing it uses up a lot of ip addresses.
it's not necessarily bad - and if there were lots of ip addresses available then other hackish solutions wouldn't be so advantageous
but it's getting harder and more expensive to buy ip addresses.
like people are buying old companies to get ip address space!
actually i'm in apnic zone, and arin is apparently not so bad.
mercutio: yes that's the reason why I'm thinking about this subject, I'm looking into ways to optimize the ip usage
if you need a public ip for every subnet, well..
what kind of customers are you servicing?
as much as i hate the huge bridge domain, most people don't seem to care :/
mercutio: it's for a local computer science club
with hundreds of users?
not hundreds :) like 30?
but I'm a computer science student myself, so I'm always thinking about optimal solutions
something like that yes
with 30 it's probably fine to just have a /28 and two broadcast and gateway
or /27 if it's actually 30, rather than nearly 30
oh god make that /27 and /26 i went off by one :/
mercutio: or... we could keep a big subnet, put them in 3 vlans and proxy arp?
there are pros and cons.
one of the reasons people are doing it that way is that some people are doing two router solutions, with 3 ip addresses used for routers.
so each router has an ip on the subnet, then there's one that bounces between them
traffic can be forwarded from either to the host, and out the bouncing one
well the thing is vlans complicate things.
if you have a small setup then suddenly it means you're the only one who understands how it works.
mercutio: the reason why we want to isolate several "groups" is because it's for testing purposes
so usually i'd vote in favour of not increasing complexity too much, unless it's necessary.
ok it's necessary then
so we want the traffic to be forced through the firewall
and that works with proxy arp and vlans
yeah but I was thinking, can't large hosting providers save on ip's by using this strategy
large hosting providers usually have heaps of ip addresses they got earlier.
instead of subnetting, just use vlans per user and filter broadcast traffic
it's small and medium providers that have higher requirements for ip's and use a large block
small providers don't usually have expertise, and medium providers .. well that's where innovation can happen i suppose
i actually have been thinking about pppoe per user more and more recently
now there's in kernel etc for ppp it's not really that high overhead
mercutio: I'm not that familiar with pppoe, but it's some kind of tunnel right?
yeah kind of
8 byte overhead
well it can be 6 i think but yeah 8 is normal overhead spoken of
basically it means you have a radius server, a ppp server.
the ppp server deals with terminating the connections, the radius server deals with authentication and accounting
bringing easy tallies of data done, making it easy to disconnect users, add ip addresses etc.
and not wasting ip's
that said i'm familiar with ppp/radius so it doesn't seem such a big complexity to me
http://sourceforge.net/projects/accel-ppp/
so you can use something like that
oh which can do rate limits too
djkrikke-2: it is not common to VLAN customers, but I do it because it makes sense and customers like it
djkrikke-2: you're right in that the way most providers do things, it makes arp storms a problem
up_the_irons: just for internal isolation? So that they can have internal traffic? or with filtering in between?
mercutio: rate limiting is pretty interesting too ;)
djkrikke-2: well it simply makes sense that each customer have a private network; it segregates things nicely
djkrikke-2: i have isp background so radius/ppp is more familiar to me too
djkrikke-2: also, it allows mixing of services easily; some customers have VMs and also dedicated servers, or VMs and colo
up_the_irons: That makes sense, but you combine it with subnetting right? so that for outer-vlan traffic, the gateway is always used?
i'm not sure what exactly you're referring to when you say subnetting; that's a very general term
yes gateway is always used for outside traffic
I mean that every customer has a separate subnet, like for example a /29
yes
up_the_irons: alright
don't you think that's a waste of public ip's, when you need a gateway for every subnet?
go rfc1918 :)
oh
djkrikke-2 another way people in more commercial environments do things is sometimes direct to direct nat
like one to one mapping...
so they'll have internal subnets everywhere, and just remap from an external ip to an internal ip
mercutio: yes, I was thinking about that too. But...NAT
djkrikke-2: it's not like normal nat evilness
you can do it stateless
so 1-to-1 mapping
mercutio: true, but you can't for example configure a cpanel with an internal ip, then it will create dns records with internal ip's etc
or sip sessions
djkrikke-2: it does tend to use IPs, yes
(And steak does tend to use cows. The world is imperfect, but you do what you gotta do.)
djkrikke-2: i don't use cpanel
brycec: maybe we can solve that cow problem too :)
No I'm just wondering if there are better solutions, that's all
it's more common with people using load balancers etc. which cpanel isn't really aimed towards.
ipv6 makes everything less painful.
so i registered localdomain.nz
does that mean that people with search paths are going to hit my domain?
djkrikke-2: i'm not aware of better solutions, but i haven't investigated it in a long time; do tell if you find something promising :)
up_the_irons: well my idea is to have a router that knows about all the ips and vlans
then you can create a vlan per customer, take a big subnet, and let the router handle the arp proxying
djkrikke-2: he's terminating on cisco, which makes these more complicated setups a bit more troublesome.
linux makes it easier to shoot yourself in the foot
djkrikke-2: so you would have a large subnet, but separate VLANs. how would you prevent one node from taking another's IP?
and yeah, i only do hardware packet forwarding for main traffic
up_the_irons: if the router knows about the IP's in a specific vlan, it can take that into account? so that when the same IP is in another VLAN, nothing happens?
That's what she said!!
So, MAC pinning (or static MAC)
Which isn't very flexible for the customer
i hate mac pinning
well, the customer is always in his VLAN?
more IP pinning tbh, pppoe is the easiest solution :/
but it does add a little complexity to each user.
hmm, ok, it's 2 am over here so I'm going to get some sleep. Thanks for the discussion brycec, up_the_irons and mercutio :)
djkrikke-2: it's a complicated topic
'night
Thank you
djkrikke-2: on cisco, you can't have the same subnet be in two separate VLANs
djkrikke-2: 'nite!
sophos sent me fancy unicorn socks