[c-nsp] Nexus 7707 as Internet Edge Router?

Saku Ytti saku at ytti.fi
Sun Jul 30 06:01:25 EDT 2017


On 30 July 2017 at 12:06, <adamv0025 at netconsultings.com> wrote:

Hey,

> So if the backbone is subject to DDoS attacks and carries traffic of
> multiple priority levels, then stay away from Trio.
>
> ASR9k has stupidly long upgrade times but at least its NPU and Fabric
> architecture is basically alright.
> The LACP QOS is a moot point; there's no right or wrong way of doing the
> split.

I think you're cherry-picking examples to highlight architecture
differences. I have some trust in the market; if it were this black
and white, Juniper would be dead.

Just to offer one counter-point, imagine you have a 10GE egress port in
an ASR9k, subdivided either into VLANs or into satellite ports. Now send
20Gbps of traffic to 1 VLAN or 1 satellite port.
10Gbps of the traffic going to that 10Gbps port gets dropped by the
ingress NPU, without any knowledge of the egress satellite port or
egress VLAN. So all VLANs and all satellite ports are dead, because one
customer got DDoSed. You can't fix this by setting a 1Gbps policer on the
egress VLAN/satellite, as the egress NPU never gets the traffic. And the
ingress NPU has no awareness of the egress VLAN/satellite, so it can't
police it, unless you figure out the IP addresses (and they are static,
and you only have one ingress port).

I'm not saying ASR9k is definitely worse; I'm saying that, like Miercom
tests, you can make any vendor look bad/good against any other vendor
by knowing both platforms and cherry-picking pathological examples.

For me personally, MX edge has a lot fewer customer-impacting issues than
XR edge, but I fully expect the situation to be different with a
different set of requirements and features. I suspect XR IPC/state
duplication/state sharing is fundamentally fragile.

I could also argue ASR9k has no functional control-plane protection,
because every BGP neighbour on an NPU shares the same policer, so if one
of them has an L2 loop and offers too much BGP, all of them are dead. Or
ICMP6 or ARP or whatever. And you cannot manually intervene, as LPTS
packets are not subject to interface MQC; you just wait for the baddies
to stop. Cisco is aware and is working to fix this, but when and how
the fix will surface, no one knows.
Out-of-the-box LPTS is superior protection to MX, but MX can be
configured better, though I suspect there are only a single-digit number
of networks that are technically able. JNPR should ship with sensible
defaults.

I could also give similar BGP examples which would make it appear that
IOS-XR has bad BGP compared to JunOS. But I could of course choose
examples to show how IOS-XR has better BGP than JunOS.

Different network, different set of features and requirements,
different box will appear better.

-- 
  ++ytti
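The shared-policer failure mode Saku describes above (one looping BGP neighbour exhausting a policer that all neighbours share, so the healthy ones are starved), modelled as an added example that is not part of the thread and not vendor code. Peer names, rates, bursts and the 10 000 pps "loop" traffic are constructed assumptions; the point is only that per-neighbour buckets isolate the damage while a single bucket does not.

```python
"""Token-bucket model of control-plane policing: one policer shared by every
BGP neighbour versus one policer per neighbour (constructed example)."""
from collections import defaultdict

# Integer micro-tokens and microseconds keep the arithmetic exact.
TOKEN = 1_000_000


def police(events, rate_pps, burst_pkts, bucket_of):
    """Run token-bucket policers over (time_us, peer) packet events.

    bucket_of(peer) names the bucket a peer's packets are charged to; every
    bucket refills at rate_pps and holds at most burst_pkts tokens.
    Returns {peer: packets accepted}.
    """
    tokens, last_seen, accepted = {}, {}, defaultdict(int)
    for t, peer in sorted(events):
        b = bucket_of(peer)
        if b not in tokens:                      # first packet: bucket starts full
            tokens[b], last_seen[b] = burst_pkts * TOKEN, t
        # rate_pps tokens/s == rate_pps micro-tokens per microsecond
        tokens[b] = min(burst_pkts * TOKEN,
                        tokens[b] + (t - last_seen[b]) * rate_pps)
        last_seen[b] = t
        if tokens[b] >= TOKEN:                   # one whole token buys one packet
            tokens[b] -= TOKEN
            accepted[peer] += 1
    return dict(accepted)


def build_events(duration_s=10):
    """Constructed traffic: three healthy neighbours at 10 pps (slightly
    offset from each other) and one neighbour behind an L2 loop whose
    replayed BGP arrives at 10 000 pps."""
    end = duration_s * 1_000_000
    events = []
    for i, peer in enumerate(("peerA", "peerB", "peerC"), start=1):
        events += [(t + 10 * i, peer) for t in range(0, end, 100_000)]
    events += [(t, "peerX") for t in range(0, end, 100)]
    return events


def compare():
    """Same traffic through one shared 100 pps bucket and through four
    independent 25 pps buckets (the same aggregate budget)."""
    ev = build_events()
    shared = police(ev, rate_pps=100, burst_pkts=100, bucket_of=lambda p: "all")
    per_peer = police(ev, rate_pps=25, burst_pkts=25, bucket_of=lambda p: p)
    return shared, per_peer


if __name__ == "__main__":
    shared, per_peer = compare()
    print("shared policer  :", shared)    # healthy peers get one packet each
    print("per-peer policer:", per_peer)  # healthy peers get all 100
```

With the shared bucket the looping neighbour takes every token the instant it regenerates, so peerA/B/C get only their first packet through; with per-neighbour buckets the loop is capped at its own 25 pps share and the other sessions are untouched.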

