CDQ: Basic BGP prefix ingress filtering

I’ve been doing a lot of BGP lately. I’ve seen some config that has made me cringe. I’ve also seen a bunch of routing loops and other tomfoolery because people weren’t cleaning their prefixes properly.

This is a very quick inbound prefix list that should be the minimum that you apply to your peers. This is a basic sanity check and is in no way exhaustive.

ip prefix-list BasicPrefixFilterIn deny le 32
ip prefix-list BasicPrefixFilterIn deny le 32
ip prefix-list BasicPrefixFilterIn deny le 32
ip prefix-list BasicPrefixFilterIn deny le 32
ip prefix-list BasicPrefixFilterIn deny le 32
ip prefix-list BasicPrefixFilterIn deny le 32
ip prefix-list BasicPrefixFilterIn deny
ip prefix-list BasicPrefixFilterIn deny le 32
ip prefix-list BasicPrefixFilterIn deny le 32
ip prefix-list BasicPrefixFilterIn deny
ip prefix-list BasicPrefixFilterIn deny
ip prefix-list BasicPrefixFilterIn deny le 32
ip prefix-list BasicPrefixFilterIn deny le 32
ip prefix-list BasicPrefixFilterIn permit ge 8 le 24
ip prefix-list BasicPrefixFilterIn deny le 32

The list starts with RFC5735 (special use) address space being denied. Then, allow things that have a prefix length between a /8 and a /24 (inclusive). Lastly, block everything else.

NOTE: this list will block the default route. Be warned.
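To see how a list of this shape behaves before it is applied to a peer, here is an added Python model of IOS prefix-list matching (my example, not the post's config). It assumes the RFC 5735 special-use blocks as the deny entries, because the prefixes in the post's list did not survive extraction, and treats every deny as `le 32`; the rest follows the post: permit `ge 8 le 24`, then deny everything, first match wins, implicit deny at the end. The announcements it evaluates are constructed samples.

```python
import ipaddress

# RFC 5735 special-use IPv4 blocks (assumed here; the post's own deny lines
# lost their prefixes, so this set is my reconstruction, not the author's).
SPECIAL_USE = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]

# One tuple per prefix-list line, in order: (action, prefix, ge, le).
# Mirrors the post: deny special-use (le 32), permit ge 8 le 24, deny the rest.
BASIC_PREFIX_FILTER_IN = (
    [("deny", p, None, 32) for p in SPECIAL_USE]
    + [("permit", "0.0.0.0/0", 8, 24), ("deny", "0.0.0.0/0", None, 32)]
)


def entry_matches(entry, route):
    """IOS prefix-list semantics for a single line: the route must sit inside
    the entry's prefix, and its length must fall in the ge/le window
    (exact length when neither is given; ge alone extends the window to /32)."""
    _action, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix)
    if not route.subnet_of(net):
        return False
    lower = ge if ge is not None else net.prefixlen
    upper = le if le is not None else (32 if ge is not None else net.prefixlen)
    return lower <= route.prefixlen <= upper


def evaluate(route_str, prefix_list=BASIC_PREFIX_FILTER_IN):
    """Return (action, sequence) of the first matching line; an IOS prefix
    list ends in an implicit deny, reported here with sequence None."""
    route = ipaddress.ip_network(route_str)
    for seq, entry in enumerate(prefix_list, start=1):
        if entry_matches(entry, route):
            return entry[0], seq
    return "deny", None


# Constructed sample of prefixes a peer might announce.
SAMPLE_ANNOUNCEMENTS = [
    "10.20.0.0/16",     # RFC 1918 space: caught by the special-use denies
    "198.51.100.0/24",  # TEST-NET-2: caught by the special-use denies
    "8.8.8.0/24",       # public /24: permitted
    "1.0.0.0/8",        # shortest length the permit line accepts
    "1.2.3.0/25",       # longer than /24: falls through to the final deny
    "0.0.0.0/0",        # the default route, denied as the post warns
]


def run_sample():
    return {r: evaluate(r)[0] for r in SAMPLE_ANNOUNCEMENTS}


if __name__ == "__main__":
    for route, verdict in run_sample().items():
        print(f"{route:18} {verdict}")
```

The model makes the post's warning concrete: `0.0.0.0/0` has length 0, so it misses the `ge 8 le 24` permit and lands on the final deny; if a peer is supposed to send you a default route, that needs its own permit line ahead of the catch-all.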

This post was inspired by the sample config file that the folks over at OpenBGPd distribute. You guys rock!

Savings account comparison

Let’s say you have a spare $5,000.  You want this money for travel… or a down payment on a car, or something else in the one to two year time frame.  What’s the best current bet for getting a little bit of growth over a year?

Mutual funds and stocks could lose value.  That’s probably not a good bet over the short term.  Bonds could work in some situations, so that may warrant investigation.  For now, I’m just going to focus on savings accounts and the tax implications.

All interest rates were captured on 3 Nov 2012.  Let’s take a look at a few options.  Let’s also have a look at tax implications for 2012.


  • One year investment period
  • Marginal tax rate is 32% (22% federal, 10% provincial)
  • There is contribution room for a TFSA
  • $5000 to invest
  • There is NO inflation adjustment necessary

Some Options:

Institution                       Rate (%)   Interest ($)   Taxes ($)   Net ($)
AMA/Bridgewater Bank              1.85%      $92.50         $29.60      $62.90
Canadian Direct Financial         1.90%      $95.00         $30.40      $64.60
Canadian Direct Financial TFSA    3.00%      $150.00        $0.00       $150.00
ING Direct Savings                1.35%      $67.50         $21.60      $45.90
RBC eSavings                      1.20%      $60.00         $19.20      $40.80


I find it odd that some institutions are offering a *higher* interest rate for TFSA savings accounts. I won’t fight it – it’s a fantastic option for those who are saving for the short term. Even as an emergency fund the TFSA offers a significant advantage over taxed savings accounts. Naturally, there are limitations placed on TFSAs and it’s important to work within those limitations to ensure that there are no service fees applied to an otherwise exceptional deal.

Why the disparity in interest rates?  I can only assume that it’s because larger banks can get away with offering lower rates and still attracting customers.  Perhaps the inconvenience of dealing with multiple institutions is worth the cost of not keeping up with the rate of inflation.

CDQ: NTP will save you time.

In my second edition of Cisco Done Quick (CDQ) I will talk about how NTP – the network time protocol – will save you time.

Debugging network problems can be challenging. It’s made even worse by time zones and daylight savings time.  Worse still by a clock that has drifted.

Some older Cisco IOSes don’t know the current rules for daylight savings. They can be configured, if necessary. Start with setting a timezone and setting the rules for Mountain Daylight Time (or your time zone as appropriate):

clock timezone MST -7 0
clock summer-time MDT recurring 2 sunday march 02:00 1 sunday november 02:00 60

Next, setup NTP, if you don’t already have it:

ntp server [vrf MANAGEMENT] aaa.bbb.ccc.ddd
[ntp source gig 0/0]
[ntp logging]

Setting the VRF and source interface are only needed if you are using a dedicated management interface. The “ntp logging” line is only useful for debugging information. Remember to TURN IT OFF once you’re satisfied that everything is working.

Doing a “show clock” will tell you whether or not NTP has been able to update your clock.

So how does this save you time?

Well, with properly annotated timezone information and a synchronized clock, you’ll spend less time debugging and converting times or correcting for a drifting system clock.

UPDATE – 26 November 2012:

If your device is already using DNS, rather than hard-coding an IP address for the NTP server, I suggest you pop on over to  For Canadian NTP servers, look here.

Using the NTP servers in a pool will make things a little more fault tolerant.  It will help with:

  • NTP server drift (yes, it does happen)
  • NTP server outages (this happens more regularly)

The config will end up looking more like this:

ntp server [vrf MANAGEMENT]
ntp server [vrf MANAGEMENT]
ntp server [vrf MANAGEMENT]
ntp server [vrf MANAGEMENT]


The reading list

There are a lot of things I would like to read.  It’s often hard to find time, but find time one must.  This is essentially a public to-do list for what I have read, and what I hope to read. I will not normally include fiction in this list.

If you know me, then you likely know just how busy I am.  I implore you not to give me books.  I have more than enough, and I have scarce little time to do any reading.

Title | Date Read
Race Tech’s Motorcycle Suspension Bible | 2012
The Moneysense guide to Investing in Real Estate (2012) | 2012
The Moneysense guide to the perfect portfolio (2011) | 2012
Total Control: High Performance Street Riding Techniques | 2012
The Millionaire Next Door | Dec 2012
The Moneysense guide to investing in stocks | Dec 2012
The Lazy Investor (DRIP) | Nov 2012
The Intelligent Investor | 2018
Stocks for the Long Run | Aug 2016
Internet Peering Playbook 2013 Edition | Aug 2013
Wireshark Network Analysis – 2nd Ed. | Jul 2013
Don’t shoot the dog | Sep 2013
Breaking the time barrier | Sep 2013
Your Financial Battle Plan | Jan 2014
Learn Ruby the Hard Way | May 2015
Pro Git | May 2015
CCIE R&S v5.0 Official Cert Guide, Vol 1, 5th Ed. | Jun 2015
The Phoenix Project | Oct 2015
CCIE R&S v5.0 Official Cert Guide, Vol 2, 5th Ed. | Nov 2015
The Goal | Jan 2016
High-Tech Heretic: Reflections of a Computer Contrarian | Apr 2016
So good they can’t ignore you | May 2016
The Age of Selfishness | May 2016
To sell is human | Jul 2016
The Now Habit | Dec 2016
Deep Work | Dec 2016
How to Become a Straight-A Student | Apr 2017
Norwegian Wood: Chopping, Stacking, and Drying Wood the Scandinavian Way | May 2017
A Mind for Numbers | Aug 2017
Your Money or Your Life | Aug 2020
The Unicorn Project | Mar 2020
TED Talks The Official TED Guide to Public Speaking | May 2019
Mindset by Carol Dweck | Nov 2018
The power of habit | Dec 2018
The 7 habits of highly effective people | Sep 2019
Traction by Wickman | Jan 2020
The end of average | Dec 2017
Thinking fast and slow | Mar 2018
Astrophysics for people in a hurry | Jun 2019
Brandwashed | Jan 2018
Bacteria to Bach and Back | Jun 2018
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are | Jan 2019
The World beyond your head | May 2019
The richest man in Babylon | July 2020
The five dysfunctions of a team | May 2020
The future X network | Feb 2019
Digital Minimalism | Mar 2019
Atomic habits | Jul 2019
Learning how to learn | Nov 2018
Peak | Dec 2018
The end of ignorance | Nov 2019
Flourish | Jan 2020
Google Site Reliability Engineering (SRE) | Feb 2020
Months are approximate

CDQ: VRF Management Interface

This is the first post in a series that I’m calling Cisco Done Quick (CDQ).

Have you ever had a Cisco router that didn’t have a wired management interface? Serial is all fine and good, but sometimes you don’t have a Serial Console Server but you do have a management network.

If the router supports VRFs, you can easily create a VRF just for management traffic. This is a great option and can be quickly accomplished with a few commands:

Basic config:

In configure mode:

ip vrf MANAGEMENT
!
interface GigabitEthernet0/0
 ip vrf forwarding MANAGEMENT
 ip address dhcp

This creates the VRF named “MANAGEMENT” and assigns a single interface to it. Rather than using DHCP, I’d usually statically assign an IP, but you get the idea.

TFTP and other standard protocols:

Let’s say you want all TFTP traffic to use the new management interface… that’s easy with the “ip xxxx source-interface” set of commands:

ip tftp source-interface gi 0/0

logging host aaa.bbb.ccc.ddd vrf MANAGEMENT

ntp server vrf MANAGEMENT aaa.bbb.ccc.ddd
ntp source gig 0/0
ntp logging


I’m a big advocate for separation of management and production traffic. It eases some of my security concerns. These steps are simple and in my experience quite useful. Enjoy.

Linux-based serial console server


Serial links certainly aren’t as common as they once were. They used to be used for long-haul networking, connecting a modem to a PC or router, accessing a management interface, and I’m sure there are many other things that I can’t think of.

These days there are still several devices that use serial ports for various applications. Just to be clear – I’m not talking about USB, or RS-422/485. I’m talking about good old fashioned TIA-232 (formerly known as RS-232). These ports topped-out at around 256kbps. The most common speed that I see in the networking realm is still good old 9600bps.

I recently wanted to set up a serial console server while spending minimal cash in the process. I found that some of the documentation that used to be readily available (late 1990’s) has since disappeared. This post summarizes the steps I took to get a serial console server operational under Ubuntu 10.4 LTS.

What is a serial console?  Rather than using a keyboard and monitor to interact with a device (in this case, a computer), it is sometimes possible to send and receive data from a device over a single serial connection.  This is a fantastic option when high-throughput, low-latency connections are not available.  In fact, it’s possible to configure Linux, Solaris, OpenBSD and many other platforms to use a serial console instead of, or in addition to, the normal keyboard & monitor.

Serial consoles are still used for managing many routers and switches (Cisco, HP).  Some hardware manufacturers equip their gear with only a serial port to act as a console – thus saving cost on video ports (Soekris).

In my case, I often find myself managing a rack or two of switches and routers that are all capable of using a serial console.  The problem is that many new servers don’t come with a serial port – let alone eight.  Cash was tight for this project, so I didn’t opt for a pre-built multiport serial console server and instead decided to build my own.  Here’s how I did it.


I’ve used equipment from Axxeon before.  I’ve been pretty happy with it.  If you’re in need of reasonably priced switching gear for harsh environments, they can help.  It also turns out that they sell multiport serial cards for a PCI-e bus:
Eight ports was all I needed for this particular application, and the price was reasonable.

This card uses the very well supported “Oxford” serial chipset.  Drivers exist for this chipset natively in Ubuntu 10.4.

Be careful not to over-tighten the thumbscrews on the breakout cable.  They are *tiny* and can’t handle much torque.  I managed to snap one on a previous install while tightening by hand.

I used a small PC for this particular setup.  The low-profile PCI-e back plate made install a breeze.

No other changes were required to get this card to work.

Linux Distribution

For a base OS, like I said, I used Ubuntu 10.4 LTS.  You may notice that the current version of LTS is 12.  I’m a little late in doing this writeup.  I would assume that not much would need to change between 10.4 and 12.  If I setup another with 12, I’ll try to remember to update this post.


Ubuntu’s kernel isn’t configured to natively handle more than four serial ports.  There are two ways to fix this:

  1. adjust and re-compile the kernel
  2. pass the kernel a parameter that enables it to use more

I opted for the second option.  It’s been a long time since I built a kernel, and I’d rather not get into that.  All that was necessary was another line in /boot/grub/grub.conf:

# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.

GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`

Hint – it was the last line in the above output.  The “8250” was a common serial chipset back in the day.  This line tells the kernel to work with up to 16 serial ports.

After running ‘update-grub’ and rebooting, dmesg had the appropriate information:

tpb@serial:~$ dmesg | grep ttyS
[    0.770319] serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[    0.770410] serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
[    0.770826] 00:06: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[    0.770948] 00:07: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
[    0.771645] ttyS4: detected caps 00000700 should be 00000100
[    0.771650] 0000:08:00.0: ttyS4 at MMIO 0xd5efd000 (irq = 17) is a 16C950/954
[    0.771716] ttyS5: detected caps 00000700 should be 00000100
[    0.771720] 0000:08:00.0: ttyS5 at MMIO 0xd5efd200 (irq = 17) is a 16C950/954
[    0.771782] ttyS6: detected caps 00000700 should be 00000100
[    0.771786] 0000:08:00.0: ttyS6 at MMIO 0xd5efd400 (irq = 17) is a 16C950/954
[    0.771847] ttyS7: detected caps 00000700 should be 00000100
[    0.771851] 0000:08:00.0: ttyS7 at MMIO 0xd5efd600 (irq = 17) is a 16C950/954
[    0.771912] ttyS8: detected caps 00000700 should be 00000100
[    0.771916] 0000:08:00.0: ttyS8 at MMIO 0xd5efd800 (irq = 17) is a 16C950/954
[    0.771977] ttyS9: detected caps 00000700 should be 00000100
[    0.771981] 0000:08:00.0: ttyS9 at MMIO 0xd5efda00 (irq = 17) is a 16C950/954
[    0.772042] ttyS10: detected caps 00000700 should be 00000100
[    0.772046] 0000:08:00.0: ttyS10 at MMIO 0xd5efdc00 (irq = 17) is a 16C950/954
[    0.772108] ttyS11: detected caps 00000700 should be 00000100
[    0.772112] 0000:08:00.0: ttyS11 at MMIO 0xd5efde00 (irq = 17) is a 16C950/954

A couple things to notice:

  1. There is a gap in numbering between the on-board serial and the first PCI-e serial port.
  2. There is no guarantee that the first PCI-e serial port will align with the first port on the break-out cable.  You will need to do some trial-and-error testing to map the logical ports to the physical ports.


There are two “conserver” packages in Ubuntu. The conserver-server package includes the client and the daemon.

tpb@serial:/etc$ apt-cache search conserver
conserver-client - connect to a console server
conserver-server - connect multiple user to a serial console with logging

Rather than using an /etc/init.d/ script to start and stop the daemon, I opted to just throw the command into /etc/rc.local:

tpb@serial:/etc$ cat rc.local

conserver -C /etc/conserver/

Conserver Configuration

The config is fairly straightforward. I used the Alias directive to match the tty number to the octopus cable port number. Because this is a serial console server in a lab, I opted to allow all local users full access to all ports.

tpb@serial:/etc/conserver$ cat
# The character '&' in logfile names are substituted with the console
# name.
config * {
        logfile /data/conserver.log;
        sslrequired off;
        daemonmode yes;
        primaryport 3109;
}

access * { trusted localhost; }

default * {
        master localhost;
        type device;
        baud 9600;
        parity none;
        logfile /data/console/&.log;
        timestamp "";
        rw *;
}

console c2950 {
        #alias on-board
        device /dev/ttyS0;
}
console c2960 {
        #alias P1
        device /dev/ttyS4;
}
console c2800-bottom {
        #alias P2
        device /dev/ttyS5;
}
console c3825 {
        #alias P3
        device /dev/ttyS6;
}

Tab Completion

To finish things off nicely, I decided to configure BASH tab completion for the “console” command:

tpb@serial:/etc/bash_completion.d$ cat console
complete -W "`cat /etc/conserver/ | grep ^console | sed -e "s/^[^ ]* //" -e "s/ .*//"`" console
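The grep/sed pipeline above pulls the console names out of the config for tab completion, but nothing checks the config itself. Here is an added Python script (my example, not part of the post) that parses console stanzas in the same format, reports two things a practitioner wants to know before trusting the box, namely two consoles bound to the same device and a console whose device dmesg never reported, and yields the same word list the bash completion uses. The config text and the dmesg excerpt are constructed samples; the config includes a deliberately duplicated device to show the check firing.

```python
import re
from collections import Counter

# Constructed sample in the shape of the post's conserver config. The last
# stanza deliberately reuses /dev/ttyS4 so the duplicate check has something to find.
SAMPLE_CONSERVER_CF = """\
config * {
        logfile /data/conserver.log;
        daemonmode yes;
}
access * { trusted localhost; }
default * {
        type device;
        baud 9600;
        rw *;
}
console c2950 {
        #alias on-board
        device /dev/ttyS0;
}
console c2960 {
        #alias P1
        device /dev/ttyS4;
}
console c2800-bottom {
        #alias P2
        device /dev/ttyS5;
}
console c3825 {
        #alias P3
        device /dev/ttyS6;
}
console dup-test {
        #alias P1-again
        device /dev/ttyS4;
}
"""

# Constructed excerpt in the format of the post's dmesg output (ttyS6 left out
# on purpose, as if that port had not been detected).
SAMPLE_DMESG = """\
[    0.770319] serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[    0.770410] serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
[    0.771650] 0000:08:00.0: ttyS4 at MMIO 0xd5efd000 (irq = 17) is a 16C950/954
[    0.771720] 0000:08:00.0: ttyS5 at MMIO 0xd5efd200 (irq = 17) is a 16C950/954
"""

# A console stanza: "console <name> {" up to a closing brace on its own line.
STANZA_RE = re.compile(r"^console\s+(\S+)\s*\{(.*?)\n\}", re.M | re.S)


def parse_consoles(text):
    """Map console name -> {"device": ..., "alias": ...} from conserver.cf text."""
    consoles = {}
    for m in STANZA_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        dev = re.search(r"^\s*device\s+(\S+);", body, re.M)
        alias = re.search(r"^\s*#alias\s+(\S+)", body, re.M)
        consoles[name] = {"device": dev.group(1) if dev else None,
                          "alias": alias.group(1) if alias else None}
    return consoles


def duplicate_devices(consoles):
    """Devices claimed by more than one console (two sessions on one UART)."""
    counts = Counter(c["device"] for c in consoles.values() if c["device"])
    return sorted(d for d, n in counts.items() if n > 1)


def detected_ttys(dmesg):
    """Set of /dev/ttySN names the kernel reported at boot."""
    return {"/dev/" + t for t in re.findall(r"\b(ttyS\d+) at ", dmesg)}


def missing_devices(consoles, ttys):
    """Consoles whose device never showed up in dmesg."""
    return sorted(n for n, c in consoles.items() if c["device"] not in ttys)


def completion_words(consoles):
    """Same list the post's bash completion builds with grep/sed."""
    return " ".join(sorted(consoles))


if __name__ == "__main__":
    cs = parse_consoles(SAMPLE_CONSERVER_CF)
    print("duplicates:", duplicate_devices(cs))
    print("missing:", missing_devices(cs, detected_ttys(SAMPLE_DMESG)))
    print("complete -W", repr(completion_words(cs)), "console")
```

Run it against the real file and `dmesg | grep ttyS` after every re-cabling; a duplicate device means two operators can end up typing into the same switch, and a missing device usually means the PCI-e card enumerated differently after a reboot.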


Setting up a serial console isn’t too rough. There are ways to improve the setup:

  • Use RADIUS authentication rather than allowing all users to have access
  • Allow remote telnet connections in so that users don’t need local accounts

Hopefully this will help either myself or some other future admin do things a little faster and a little less painfully.  If you have any suggestions for how to improve this serial console server, please let me know!

Reasonable, worst case, mortgage rate.

Imagine that I were looking to get a mortgage.  What interest rates could I experience over the course of a 20 year mortgage?  Nobody can give me a good answer, so I thought I might write some python and see what I could come up with.

For the purpose of this exercise I will only be looking at the variable rate.  Fixed versus variable mortgages is a discussion for another time.

First, let’s get some upper and lower bounds for the past 25 years.  This period is interesting as it had some of the highest interest rates in Canada’s history.  In the late 80’s people were losing their houses because of the staggering double-digit mortgage rates.  Can you imagine locking-in at those rates?  April 1990 the 5-year variable mortgage rate hit 14.75%.  A year later it had dropped significantly to 9.75% [1].

Mortgage rates:

Max: 14.75%
Min: 2.25%


Let’s assume that Canadian mortgage rates can change eight times per year [2].

Let’s also assume that on each of these occasions the interest rate can either go up by 0.25%, stay the same, or drop by 0.25%. Technically it has changed by greater amounts in the past, but we’ll ignore that for this exercise. Let’s also assume that each of these outcomes is equally likely. THIS IS NOT A SAFE ASSUMPTION.

Finally, we’ll assume that we are bound to the upper and lower limits seen in the past 25 years.

Oh look… code:

$ cat
#1 - must be recursive.
#2 - number of recurses is controlled by variable at head of program
#3 - at each branch there are three EQUALLY LIKELY options - go up, go down, stay the same
#4 - the amount of the up/down is 0.25%
#5 - It can't go below 2.25%
#6 - it can't go above 14.75%

# recursion depth - 2 years, 8 branches per year:
MAXDEPTH = 8 * 2

DELTA = 0.25

# bounds taken from the past 25 years of rates
LIMIT_LOWER = 2.25
LIMIT_UPPER = 14.75

# Let's start with an interest rate of 3%:
START = 3.0

# frequency table, one bucket per 0.25% step between the limits
# (0.25 is exact in binary floating point, so the floats are safe as keys)
RESULTS = {}
x = LIMIT_LOWER
while x <= LIMIT_UPPER:
    RESULTS[x] = 0
    x += DELTA


def Branch(value, depth):
    # check limits
    if value > LIMIT_UPPER:
        value = LIMIT_UPPER
    elif value < LIMIT_LOWER:
        value = LIMIT_LOWER

    if depth == 0:
        # leaf: record the rate this path ended at
        RESULTS[value] = RESULTS[value] + 1
    else:
        Branch(value + DELTA, depth - 1)
        Branch(value, depth - 1)
        Branch(value - DELTA, depth - 1)


Branch(START, MAXDEPTH)

x = LIMIT_LOWER
while x <= LIMIT_UPPER:
    print(repr(x) + ", " + repr(RESULTS[x]))
    x += DELTA

The output for two years looks like this:

$ head 24mo.csv
2.25, 5986176
2.5, 6008616
2.75, 5965368
3.0, 5733267
3.25, 5227722
3.5, 4453608
3.75, 3507168
4.0, 2533664
4.25, 1669076
4.5, 997016

Now, let me be really clear here… this is a piece of code that does geometric expansion through recursion.  If you run a dataset that consists of 8 changes per year, and only 1 year, you’re looking at 6,561 nodes of data being returned.  3^(8*1) = 6,561.  Two years of data is 43,046,721 results.  If you want 5 years of data, it’s 3^(8*5) = 12,157,665,459,056,928,801.  That’s a lot of data.  Luckily, we won’t be storing anywhere near that much, but it’s still going to take a while to run.

I attempted to use R [3] to make the stats a little easier to deal with, but I was unable to figure out how to do the analysis I wanted in a reasonable amount of time.  I already had the frequency distributions, and although R was able to produce those from raw numbers, I was unable to figure out a method to take the summarized data and work back to Mean/Median/Min/Max and a couple different percentile values.  Strangely, Excel helped me do this quickly.  Here are my results:
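The recursion above visits 3^n leaves, which is why two years already takes a while and five years is out of reach. As an added example (my code, not the author's), the same frequency table can be built by carrying the count of paths at each rate forward one step at a time, so the work grows with the number of steps rather than 3^n; the same clamping to the limits is applied at every step, so the counts are identical to the recursive version. It also computes min, max, mean, median and percentiles straight from the summarized counts, which is the step the text says R made difficult. For the 6-month row it reproduces the table's mean of 3.003086 and its 95th and 99th percentiles of 3.75 and 4 (hand-checked on the 81 four-step paths). The parameters are assumed to be those of the script above; the percentile uses the nearest-rank definition, which is my choice.

```python
import math

# Parameters assumed to match the post's script.
DELTA = 0.25
LIMIT_LOWER = 2.25
LIMIT_UPPER = 14.75
START = 3.0
STEPS_PER_YEAR = 8


def distribution(steps, start=START):
    """Number of equally likely paths ending at each rate after `steps`
    changes. Each step moves -1, 0 or +1 bucket and is clamped to the limits,
    exactly as Branch() does, but counts are aggregated instead of enumerated."""
    n_states = int(round((LIMIT_UPPER - LIMIT_LOWER) / DELTA)) + 1
    counts = [0] * n_states
    counts[int(round((start - LIMIT_LOWER) / DELTA))] = 1
    for _ in range(steps):
        nxt = [0] * n_states
        for i, c in enumerate(counts):
            if c == 0:
                continue
            for move in (-1, 0, 1):
                j = min(max(i + move, 0), n_states - 1)  # clamp like Branch()
                nxt[j] += c
        counts = nxt
    # rate -> count, dropping empty buckets so min/max fall out of the keys
    return {LIMIT_LOWER + i * DELTA: c for i, c in enumerate(counts) if c}


def nearest_rank(dist, p):
    """p-th percentile from a frequency table: the smallest rate whose
    cumulative count reaches ceil(p * total)."""
    total = sum(dist.values())
    rank = math.ceil(p * total)
    cum = 0
    for rate in sorted(dist):
        cum += dist[rate]
        if cum >= rank:
            return rate


def summarize(dist):
    """Min / Max / Mean / Median / 95th / 99th from summarized counts."""
    total = sum(dist.values())
    rates = sorted(dist)
    return {
        "min": rates[0],
        "max": rates[-1],
        "mean": sum(r * c for r, c in dist.items()) / total,
        "median": nearest_rank(dist, 0.50),
        "p95": nearest_rank(dist, 0.95),
        "p99": nearest_rank(dist, 0.99),
    }


def table(months_list=(6, 12, 18, 24, 30)):
    """Rebuild the post's summary table, one row per horizon."""
    return {m: summarize(distribution(m * STEPS_PER_YEAR // 12)) for m in months_list}


if __name__ == "__main__":
    print("Months Min Max Mean Median 95th 99th")
    for m, s in table().items():
        print(m, s["min"], s["max"], round(s["mean"], 6), s["median"], s["p95"], s["p99"])
```

Because the table is built from counts rather than a list of outcomes, a 20-year horizon (160 steps) runs in well under a second, and the weights in the inner loop are the obvious place to plug in an unequal up/down/flat likelihood if you want to relax the "equally likely" assumption the text flags.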


Months   Min    Max   Mean       Median   95th %ile   99th %ile
6        2.25   4     3.003086   3        3.75        4
12       2.25   5     3.032274   3        4           4.25
18       2.25   6     3.074085   3        4.25        4.5
24       2.25   7     3.119716   3        4.25        4.75
30       2.25   8     3.166085   3        4.5         5

The minimum value isn’t surprising.  Nor is the Max.  The average is creeping up simply with time and the opportunity to diverge from the starting point of 3.00.  The median isn’t too surprising.  The percentile values – now those are something I may be able to use.

The 95th percentile value essentially means that for 95% of the cases, the interest rate will be no greater than the corresponding value.  Specifically, in 95% of the cases, the Interest rate over 30 months will not exceed 4.5%.

Although this may be good for some VERY ROUGH planning, keep in mind that interest rates are governed by market forces.  I did not apply any likelihood to increasing / decreasing / unchanging interest rates.  It may be the case that interest rates are twice as likely to rise as they are to fall.  If that’s the case, this exercise is seriously flawed.

Now, as far as planning goes, if one were to take the 99th percentile value, one could expect interest rates to climb by 2% over the next 2.5 years.  This kind of growth has precedents.


This may or may not be a good way to approximate what interest rates will do over a period. I guess in this case some people *are* betting the house on interest rates. Do so with caution. Talk to a financial planner. Do not rely on the data I have provided. This was a thought exercise and I can’t be held responsible if these numbers are nowhere near accurate.

I’d love to hear how others are planning for the inevitable increase in interest rates.  How are you approximating future interest rates?


FreeRADIUS – a step toward a more secure network


FreeRADIUS is a general purpose RADIUS daemon.  RADIUS enables administrators to centralize user accounts (among many other features).  This is quite handy when you have many devices that you are administering.  Imagine updating a couple-hundred switches and routers because an administrator needs to change their password.  With RADIUS, you update a central location rather than each and every node.  When it is time to login, the device you are connecting to can check your credentials against the central RADIUS server to determine whether or not access should be granted.


tpb@$ sudo apt-get install freeradius

That’s it (for Ubuntu, anyway).  What next?  Read the docs:

My focus here isn’t a step-by-step setup guide for FreeRADIUS.  My focus is bridging the gap between FreeRADIUS and the Cisco realm.  That said, here’s what I came across:

  • In Ubuntu the daemon isn’t called “radiusd”, instead it’s “freeradius” (lives in /usr/sbin/).
  • Config files are in /etc/freeradius/
  • To restart the daemon (after, say, editing the ‘users’ file) run: “/etc/init.d/freeradius restart”

Wait, this is on a Linux server, why not just use the database on the server for authentication information?  Good idea:

root@xbmcsrv:/etc/freeradius# head users
DEFAULT   Auth-Type = System

Great – we have users setup. What next? Well, I seem to recall needing to generate keys to talk between hosts. Yep, back to the docs. Here’s the good news: it’s just one file, /etc/freeradius/clients.conf, and the syntax is pretty easy. Here’s what I added:

client router1 {
        ipaddr =
        secret = ThisIsASecret001
}

On the Cisco side, I had to do a little more work. Did I read documentation? Of course I did!

aaa new-model
aaa authentication login default group radius local
radius-server host auth-port 1812 acct-port 1813 key ThisIsASecret0

This is a VERY basic configuration.  You can get into groups, privileges, heck you can even have the enable password looked up against RADIUS.
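The shared secret in clients.conf and the `key` on the router are the whole of the trust between the two sides, and as printed above the two strings differ. Here is an added Python model of one RADIUS login (my example, not FreeRADIUS or IOS code) that shows what the secret actually does under RFC 2865: the router hides the User-Password with MD5(secret + Request Authenticator), the server unhides it with its own copy, and the server's reply carries a Response Authenticator the router can only verify with the same secret. The user table, secrets and user names are constructed; the exchange happens in memory rather than over UDP 1812.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

# Constructed stand-in for the server's user database (the post points
# FreeRADIUS at the Linux system accounts; here it is a plain dict).
USERS = {b"netadmin": b"correct horse battery"}


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret it yields garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Attribute = Type(1) Length(1, includes header) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 section 3: MD5 over reply header + Request Authenticator +
    reply attributes + shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def client_access_request(username, password, secret, ident=1):
    """Router side: Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, request_auth))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_handle(packet, secret):
    """Server side: unhide the password with its secret, check it, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    reply = ACCESS_ACCEPT if USERS.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    auth = response_authenticator(reply, ident, b"", request_auth, secret)
    return struct.pack("!BBH", reply, ident, 20) + auth


def client_verify_reply(reply, request_auth, secret):
    """Router side: honour the reply only if its authenticator checks out;
    otherwise it was not produced by a holder of the router's secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return code if reply[4:20] == expected else None


def exchange(username, password, router_secret, server_secret):
    """One login attempt end to end, classified from the router's point of view."""
    request, request_auth = client_access_request(username, password, router_secret)
    reply = server_handle(request, server_secret)
    code = client_verify_reply(reply, request_auth, router_secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", None: "unverified"}[code]


if __name__ == "__main__":
    print(exchange(b"netadmin", b"correct horse battery", b"s3cret", b"s3cret"))
    print(exchange(b"netadmin", b"wrong", b"s3cret", b"s3cret"))
    print(exchange(b"netadmin", b"correct horse battery", b"s3cret", b"s3cre7"))
```

The third call is the mismatched-secret case: the server decrypts the password to noise and rejects, and the router cannot even verify that reject, so the symptom on the IOS side is not "bad password" but a reply that never validates. That is also why `local` belongs at the end of the `aaa authentication login` method list, so a secret typo does not lock you out of the box.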

A Quantitative Analysis of Effectiveness of Two Ad Blocking Engines

MINT 709, Capstone Project Report

A Quantitative Analysis of Effectiveness of Two Ad Blocking Engines

(Edited for Web)

Prepared by: Mark Leonard

Prepared for: Dr. M. MacGregor

December 2011



In the past, the target audience of traditional advertising (such as newspapers, magazines, and billboards) has not incurred costs associated with the ads.  This is not necessarily the case when it comes to online advertising.  Presumably, online ads increase the total size of webpages that are downloaded – the extra throughput due to the embedded images and other content inherent in advertising.  Online ads also represent a potential increase in the time required to load web pages.  For companies who pay for Internet usage, increases in page size caused by advertising could have financial consequences.

With some configuration, ad blocking engines can reduce total web page size by approximately 10%.  With poor configuration, it is possible to see an increase in total page size due to filtering.


I would like to express my sincere gratitude to Dr. M. MacGregor for his guidance and encouragement in the completion of this report.  I would also like to thank my parents for their continued support and cooperation throughout my studies.  My sisters deserve thanks for their gracious hospitality and accommodations whenever I was in Edmonton for classes and research.
