[c-nsp] Rec for full-table multi-peer bgp router?

Jiri Prochazka jiri.prochazka at superhosting.cz
Wed Dec 7 14:28:10 EST 2016


CoPP on EOS is not the best, to say the least. But this will get better 
- in a few months. Now, it's almost useless (it's processed in SW, not 
in HW).

There are a few caveats which need special care, but securing those 
boxes against DoSes is doable.

A long iACL on ALL edge ports together with TTL security (introduced in 
EOS 4.17.1), combined with tweaked values in the default copp-system-policy, 
(almost) does the trick.

If you are fine with RIB limitations, you need a LOT of line-rate ports 
and you do not do any super-fancy stuff, I think that the 7280SR is a great 
box for you. You can push 400Gbit of Internet traffic, with a full BGP 
v4 & v6 feed installed, and everything is absolutely fine.

Deep buffers, full BGP, fast CPU, 100GbE ports, 1U, low power 
consumption, EOS on top of this - for me, this box is - for the 
money it costs - the best network device of the last 10 years.

Bugs... one of the funniest we discovered was 'The Rib agent may restart 
if it receives a malformed BGP UPDATE message.' (Bug ID: 166815). Not 
7280SR specific, it was spread across all platforms.

One malformed BGP update caused a total meltdown of our network in one 
POP. The routing protocol did not restart. It crashed and did not restart. 
One of the best troubleshooting sessions I have ever encountered.

What was even funnier - that malformed packet was generated/created 
by another bug in EOS.

Still, I do not think that the number of bugs is worse than with any other 
vendor. As I said, we are using Arista switches VERY extensively - which 
means we see issues more often than normal :).



Jiri



On 12/5/2016 8:51 PM, Jared Mauch wrote:
>
>> On Dec 5, 2016, at 2:46 PM, Raphael Mazelier <raph at futomaki.net> wrote:
>>
>>
>> Very interesting.
>>
>> 7280SR looks perfect for us. (if the price is OK; I will call my local Arista representative).
>>
>> We are another content AS and we push 150gbps approx in peak.
>> We plan to upgrade from our current routers to something with a lower TCO per port (which is currently our limiting factor).
>>
>> We do need full view in RIB as we target only 5/6 ASes for 99% of our traffic, so we are not concerned by the RIB size.
>>
>> So do you recommend them? Or another model from Arista?
>> What kind of bugs did you encounter or discover? Is the platform stable enough for using them in production without any action? (we are a really small team, and we have no time to spend on the network side, unfortunately).
>
> Be mindful of how you do your control plane filtering and testing on such a device.  Many people forget about this until you are on the wrong-side of a three digit (in gigabits) attack pointed at a link-ip address.  Some devices handle it well, others poorly.
>
> - Jared
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>