[c-nsp] Nexus 7707 as Internet Edge Router?

[adamv0025 at netconsultings.com]

Hey,
> From: Saku Ytti [mailto:saku at ytti.fi]
> Sent: Sunday, July 30, 2017 11:01 AM
> 
> On 30 July 2017 at 12:06,  <adamv0025 at netconsultings.com> wrote:
> 
> Hey,
> 
> > So if the backbone is subject to DDoS attacks and carries traffic of
> > multiple priority levels, then stay away from Trio.
> >
> > ASR9k has stupidly long upgrade times but at least it's NPU and Fabric
> > architecture is basically alright.
> > The LACP QOS is a moot point, there's no right and wrong way of doing
> > the split.
> 
> I think you're cherry picking examples to highlight architecture differences. 
I really try to be objective and I acknowledge that ASR9k has some issues on its own.
However the issues I'm most worried about are HW/Architectural flaws, for which it is ever so harder to convince platform architects to make any changes to status quo, especially when there's no support from market. 

> I
> have some trust in market, if it would be this black and white, Juniper would
> be dead.
> 
Well, not really, let me ask a simple pooling question to the list, how many of you folks have a Spirent or IXIA tester in a loop with MX960 or ASR9k to find out how the box behaves under various stress situations?

Market doesn't care, simply because there's no need, the SLAs are not that tight in most cases, there's only handful of ISPs who can afford to have full time tester engineers to truly test the platform or new line-cards they are about to purchase. 
Oh and most of the times the cheaper option is chosen anyways.  

Personally I enjoy the competition on the oblivious market as it allows me to purchase HW I need for lower prices.     


> Just to offer one counter-point, imagine you have 10GE egress port in ASR9k,
> either VLANs or satellite subdivided. Now send 20Gbps of traffic to 1 VLAN or
> 1 satellite port.
> 10Gbps of traffic going to that 10Gbps port gets dropped by ingress NPU,
> without any knowledge of egress satellite port or egress VLAN. So all VLANs,
> all satellite ports are dead, because one customer got DDoS. 
Not exactly,  
1) Traffic waiting to be sent across the fabric has already been processed by the ingress NPU and classified correctly and therefore is sitting in fabric queues of different priority. 
2) Arbiter will always try to place packets in high-priority fabric queue onto the fabric first and only if the high-priority queues are empty it will try to service lower-priority queues. 
3) So if back-pressure is initiated by the egress NPU, then up to 10Gbps of high priority traffic makes it through to the egress satellite ports or egress VLANs hosted on a particular physical 10GE port and is therefore treated by their individual policers on egress NPU. 
4) so only low priority traffic is affected in this scenario. 
 
Oh and this is the best case scenario, as some ASICs out there won't send back-pressure per individual port but only after the overall compute capacity of the ASIC is depleted so all ports on the egress ASIC suffer from the backpressure, not just the one getting the DDOS.  
And some ASICs won't send backpressure until theoretical max forwarding capacity of the ASIC is depleted, which obviously results in massive overload of the ASIC and mayhem dropping regardless of packet priority. 
  
 
> I'm not saying ASR9k is definitely worse, I'm saying like Miercom tests, you
> can make any vendor look bad/good against any other vendor, by knowing
> both platforms and cherry-picking pathological examples.
> 
I bet that all these "independent" folks have no idea about the HW architecture of boxes they are testing and how to test them properly.  

> For me personally, MX edge has lot less customer impacting issues than XR
> edge, but I fully expect situation to be different with different set of
> requirements and features. I suspect XR IPC/state duplication/state share is
> fundamentally fragile.
> 
I'm more concerned about the basic traffic forwarding through the box, and that is more robust on ASR9k than it is on MX. 

> I could also argue ASR9k has no functional control-plane protection, because
> every BGP neighbour in NPU share same policer, so if one of them has L2
> loop and offers too much BGP, all of them are dead. Or
> ICMP6 or ARP or whatever. And you cannot manually intervene, as LPTS
> packets are not subject to interface MQC, you just wait for baddies to stop.
> Cisco is aware and are working to fix this, but when and how will fix surface,
> no one knows.
> Out-of-the-box LPTS is superior protection to MX, but MX can be configured
> better, but I suspect there single digit networks who are technically able.
> JNPR should ship with sensible defaults.
> 
Yes I agree, MX has also great FW filter versatility and combined with 2nd gen trio on MPC3 is excellent for edge filtering and DDoS protection. 

> I could also give similarly BGP examples, which would make it appear like IOS-
> XR has bad BGP compared to JunOS. 
I'd like to hear those actually.

> But I could of course choose examples
> to show how IOS-XR has better BGP than JunOS.
> 
> Different network, different set of features and requirements, different box
> will appear better.
> 
Yup agree, that's why I said MX is good for dedicated internet infrastructure (all traffic BE).

adam
 
netconsultings.com
::carrier-class solutions for the telecommunications industry::