mercutio: hmm mine doesn't show that
ant: mercutio: got that from a debian wheezy machine
mercutio: yeah i can't find a way to repeat
it does say that in the man page though
oh i thought you meant it outputted that
ant: try "A" and ".a" with en_US.UTF-8 and de_DE.UTF-8
no it just said so in the man page
mercutio: yeah
i only use sort to do uniq :/
so as long as it sorts i don't worry too much
and it's usually on numbers anyway
mkb: the order wasn't case sensitive like it usually is
brycec: mkb: what is your locale normally?
mkb: LANG=en_US.UTF-8 on these machines
m0unds: patrick.georgi-clan.de/2015/02/17/intel-boot-guard/
err, wrong channel
mkb: I can't reproduce, but I've heard of grep matching the wrong case too
brycec: Huh, peculiar.
mkb: locales are a UI thing and sort is used for a lot more than that so it doesn't seem to make sense to have sort change behavior on different locales
I mean there's a lot of scripts that didn't expect sort to do anything more than by byte number
brycec: Yeah it's well-known and documented that if you want consistent and cross-platform results in your programs/scripts, you set LC_*=C before calling out to anything.
mkb: I've had LC_ALL=C LC_CTYPE=en_US.UTF-8 on my desktop for a while since that's all that OpenBSD supports anyway
I guess I'll have to make sure I put that in .profile everywhere else
brycec: fwiw i can reproduce it on my Linux desktop. Normally, only variable set is LANG=en_CA.UTF-8 and sort does not function case-sensitive. If I unset that, or set LC_ALL=C, it's case-sensitive.
***: dwarren has quit IRC (Remote host closed the connection)
dj_goku has quit IRC (Ping timeout: 244 seconds)
dj_goku has joined #arpnetworks
dj_goku has quit IRC (Changing host)
dj_goku has joined #arpnetworks
_Zodiac has joined #arpnetworks
_Zodiac has left
djkrikke-2 has joined #arpnetworks
djkrikke-2: Hi, I'm looking for some common practices on datacenter ip subnetting
up_the_irons: RFC 3531 comes to mind (it also works for IPv4, despite its title). It's how we allocate blocks to customers.
djkrikke-2: up_the_irons: I'm more interested in the technical aspect, like vlans and inter-vlan routing
like, is it common practice to VLAN customers?
mercutio: djkrikke-2: no
djkrikke-2: arp does though
it's common practice to just stick everyone in a huge bridge domain
not that common practice is a good thing
djkrikke-2: mercutio: I see
mercutio: doesn't that generate a huge amount of broadcast traffic on switches?
mercutio: djkrikke-2: most don't have mac address limits or ip restrictions or reverse path filtering.
djkrikke-2: yes
djkrikke-2: find a random cheap vps like vultr and do tcpdump -p -l -n -i eth0 ! port 22
the cable network here got so bad that routers started failing under the heavy arp load
djkrikke-2: mercutio: do you know a good solution?
mercutio: djkrikke-2: well you can do what arp does, you can also do pppoe, and i am struggling to figure out what the best way is
with virtual machines, i've been experimenting with just having ip route default dev eth0 src <src ip>
and having a single /32 routed to it.
djkrikke-2: mercutio: I was thinking of keeping a big subnet, but creating vlans, combined with proxy arp on the gateway
mercutio: then those routes are picked up by routing domain on the host and propagated.
***: _Zodiac has joined #arpnetworks
_Zodiac has left
djkrikke-2: mercutio: what exactly does that ip route command do?
mercutio: for physical machines i kind of like the idea of just having routed /29 tbh
djkrikke-2: it means you don't have a gateway, and it relies on proxy arp to get out
so you can have a netmask of 255.255.255.255 on the ip
djkrikke-2: oh, so you don't configure a gateway, but tell everything to go through eth0, and proxy arp answers on this?
mercutio: yeh
well you have a gateway of the ethernet interface
is this for physical machines or virtual machines?
djkrikke-2: well physical, but I'm interested in your approach :)
so you have netmask 255.255.255.255 and a gateway ip
do you really need proxy arp then?
you just use the gateway for everything?
mercutio: proxy arp was because i have stuff in bridge mode still
the gateway is just the ethernet interface
i don't know if need proxy arp or not
but it's enabled
if it's physical i would say that a /29 per user is better
the other thing you can do is you can have a /30 in rfc1913 space and route a /29 to /32 to them
depending on how much space they want
and use a normal gateway but you have like ip route add default via 192.168.32.77 src 4.2.2.2
or whatever ip you give them
i prefer /30 to /31 as it means you can always have low ip for gateway
which is the first ip of the block too
the way arp is doing it uses up a lot of ip addresses.
it's not necessarily bad - and if there were lots of ip addresses available then other hackish solutions wouldn't be so advantageous
but it's getting harder and more expensive to buy ip addresses.
like people are buying old companies to get ip address space!
actually i'm in apnic zone, and arin is apparently not so bad.
djkrikke-2: mercutio: yes that's the reason why I'm thinking about this subject, I'm looking into ways to optimize the ip usage
if you need a public ip for every subnet, well..
mercutio: what kind of customers are you servicing?
as much as i hate the huge bridge domain, most people don't seem to care :/
djkrikke-2: mercutio: it's for a local computer science club
mercutio: with hundreds of users?
djkrikke-2: not hundreds :)
mercutio: like 30?
djkrikke-2: but I'm a computer science student myself, so I'm always thinking about optimal solutions
something like that yes
mercutio: with 30 it's probably fine to just have a /28 and two broadcast and gateway
or /27 if it's actually 30, rather than nearly 30
oh god
make that /27 and /26
i went off by one :/
djkrikke-2: mercutio: or... we could keep a big subnet, put them in 3 vlans and proxy arp?
mercutio: there are pros and cons. one of the reasons people are doing it that way is that some people are doing two router solutions, with 3 ip addresses used for routers.
so each router has an ip on the subnet, then there's one that bounces between them
traffic can be forwarded from either to the host, and out the bouncing one
well the thing is vlans complicate things.
if you have a small setup then suddenly it means you're the only one who understands how it works.
djkrikke-2: mercutio: the reason why we want to isolate several "groups" is because it's for testing purposes
mercutio: so usually i'd vote in favour of not increasing complexity too much, unless it's necessary.
ok
it's necessary then
djkrikke-2: so we want the traffic to be forced through the firewall
and that works with proxy arp and vlans
mercutio: yeah
djkrikke-2: but I was thinking, can't large hosting providers save on ip's by using this strategy
mercutio: large hosting providers usually have heaps of ip addresses they got earlier.
djkrikke-2: instead of subnetting, just use vlans per user and filter broadcast traffic
mercutio: it's small and medium providers that have higher requirements for ip's
djkrikke-2: and use a large block
mercutio: small providers don't usually have expertise, and medium providers ..
well that's where innovation can happen i suppose
i actually have been thinking about pppoe per user more and more recently
now there's in kernel etc for ppp
it's not really that high overhead djkrikke-2: mercutio: I'm not that familiar with pppoe, but it's some kind of tunnel right? mercutio: yeah kind of
8 byte overhead
well it can be 6 i think
but yeah 8 is normal overhead spoken of
basically it means you have a radius server, a ppp server.
the ppp server deals with terminating the connections, the radius server deals with authentication and accounting
bringing easy tallies of data done, making it easy to disconnect users, add ip addresses etc.
and not wasting ip's
that said i'm familiar with ppp/radius so it doesn't seem such a big complexity to me
http://sourceforge.net/projects/accel-ppp/
so you can use something like that
oh which can do rate limits too
up_the_irons: djkrikke-2: it is not common to VLAN customers, but I do it because it makes sense and customers like it
djkrikke-2: you're right in that the way most providers do things, it makes arp storms a problem
djkrikke-2: up_the_irons: just for internal isolation? So that they can have internal traffic?
or with filtering in between?
mercutio: rate limiting is pretty interesting too ;)
up_the_irons: djkrikke-2: well it simply makes sense that each customer have a private network; it segregates things nicely
mercutio: djkrikke-2: i have isp background so radius/ppp is more familiar to me too
up_the_irons: djkrikke-2: also, it allows mixing of services easily; some customers have VMs and also dedicated servers, or VMs and colo
djkrikke-2: up_the_irons: That makes sense, but you combine it with subnetting right?
so that for outer-vlan traffic, the gateway is always used?
up_the_irons: i'm not sure what exactly you're referring to when you say subnetting; that's a very general term
yes gateway is always used for outside traffic
djkrikke-2: I mean that every customer has a separate subnet, like for example a /29
up_the_irons: yes
djkrikke-2: up_the_irons: all right
don't you think that's a waste of public ip's, when you need a gateway for every subnet?
mercutio: go rfc1918 :)
oh djkrikke-2 another way people in more commercial environments do things is sometimes direct to direct nat
like one to one mapping... so they'll have internal subnets everywhere, and just remap from an external ip to an internal ip
djkrikke-2: mercutio: yes, I was thinking about that too. But...NAT
mercutio: djkrikke-2: it's not like normal nat evilness
you can do it stateless
so 1-to-1 mapping
djkrikke-2: mercutio: true, but you can't for example configure a cpanel with an internal ip, then it will create dns records with internal ip's etc
or sip sessions
up_the_irons: djkrikke-2: it does tend to use IPs, yes
brycec: (And steak does tend to use cows. The world is imperfect, but you do what you gotta do.)
mercutio: djkrikke-2: i don't use cpanel
djkrikke-2: brycec: maybe we can solve that cow problem too :)
No I'm just wondering if there are better solutions, that's all
mercutio: it's more common with people using load balancers etc.
which cpanel isn't really aimed towards.
ipv6 makes everything less painful.
so i registered localdomain.nz does that mean that people with search paths are going to hit my domain?
up_the_irons: djkrikke-2: i'm not aware of better solutions, but i haven't investigated it in a long time; do tell if you find something promising :)
djkrikke-2: up_the_irons: well my idea is to have a router that knows about all the ips and vlans
then you can create a vlan per customer, take a big subnet, and let the router handle the arp proxying
mercutio: djkrikke-2: he's terminating on cisco, which makes these more complicated setups a bit more troublesome.
linux makes it easier to shoot yourself in the foot
up_the_irons: djkrikke-2: so you would have a large subnet, but separate VLANs. how would you prevent one node from taking another's IP?
and yeah, i only do hardware packet forwarding for main traffic
djkrikke-2: up_the_irons: if the router knows about the IP's in a specific vlan, it can take that into account?
so that when the same IP is in another VLAN, nothing happens?
BryceBot: That's what she said!!
brycec: So, MAC pinning
(or static MAC)
Which isn't very flexible for the customer
mercutio: i hate mac pinning
djkrikke-2: well, the customer is always in his VLAN?
more IP pinning
mercutio: tbh, pppoe is the easiest solution :/
but it does add a little of complexity to each user.
djkrikke-2: hmm, ok, it's 2 am over here so I'm going to get some sleep. Thanks for the discussion brycec, up_the_irons and mercutio :)
mercutio: djkrikke-2: it's a complicated topic
'night
djkrikke-2: Thank you
up_the_irons: djkrikke-2: on cisco, you can't have the same subnet be in two separate VLANs
djkrikke-2: 'nite!
m0unds: sophos sent me fancy unicorn socks
***: _Zodiac has joined #arpnetworks
_Zodiac has left
jlgaddis has quit IRC (Ping timeout: 250 seconds)
jlgaddis has joined #arpnetworks
DaCa has quit IRC (Remote host closed the connection)