[c-nsp] Rec for full-table multi-peer bgp router?
Jiri Prochazka
jiri.prochazka at superhosting.cz
Wed Dec 7 14:28:10 EST 2016
CoPP on EOS is not the best, to say the least. But this will get better
- in a few months. Now, it's almost useless (it's processed in SW, not
in HW).
There are few caveats which need special care, but securing of those
boxes against DoSes is doable.
loong iACL on ALL edge ports together with ttl security (introduced in
EOS 4.17.1), combined with tweaked values in default copp-system-policy
makes (almost) a trick.
If you are fine with RIB limitations, you need a LOT of line-rate ports
and you do not do any super-fancy stuff, I think that 7280SR is great
box for you. You can push 400Gbit of Internet traffic, having installed
full BGP v4&v6 feed, and everything is absolutely fine.
Deep buffers, full BGP, fast CPU, 100GbE ports, 1U, low power
consumption, EOS on the top of this - for me - this box is - for the
money it costs - the best network device in the last 10 years.
Bugs..one of the funniest we discovered was 'The Rib agent may restart
if it receives a malformed BGP UPDATE message.' (Bug ID: 166815). Not
7280SR specific, it was spread across all platforms.
One malformed BGP update caused total meltdown of our network in one
POP. Routing protocol did not restart. It crashed and did not restart.
One of the best troubleshooting sessions I have ever encountered.
What was even more funny - that malformed packet was generated/created
by another bug in EOS.
Still, I do not think that number of bugs is worse than with any other
vendor. As I said, we are using Arista switches VERY extensively - which
means we see issues more often than normally :).
Jiri
On 12/5/2016 8:51 PM, Jared Mauch wrote:
>
>> On Dec 5, 2016, at 2:46 PM, Raphael Mazelier <raph at futomaki.net> wrote:
>>
>>
>> Very interesting.
>>
>> 7280SR look perfect for us. (if the price is OK; I will call my local Arista representative).
>>
>> We are another content AS and we push 150gps approx in peak.
>> We plan to upgrade from our current routers to something with a lower TCO by port (which is our currently limiting factor).
>>
>> We do need full view in RIB as we target only 5/6 ASes for 99% of our traffic, so we are not concerned by the RIB size.
>>
>> So do you recommended them ? or another model from Arista ?
>> What kind of bug did you encounter or discover ? are the platform enough stable for using them in production without any action ? (we are a really small team, and we have no to time to spend in the network side, unfortunately).
>
> Be mindful of how you do your control plane filtering and testing on such a device. Many people forget about this until you are on the wrong-side of a three digit (in gigabits) attack pointed at a link-ip address. Some devices handle it well, others poorly.
>
> - Jared
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list