[e-nsp] Extreme newbie questions...

Bruno Lebayle lebayle at esrf.fr
Thu Aug 8 02:16:06 EDT 2013



On 08/07/2013 07:26 PM, Luis Mercado wrote:
> Oh, we are also running OSPFv3 for some clients. My issue is not with dynamic routing.
> My issue is filtering on these. It's a hack job essentially. There are no built-in functions
> that handle established/related (TCP/UDP) between VLANs, so you have to filter based on
> SYN flags and allow 1023 or greater for UDP.
>
>
> There is no concept of object-group like in Cisco or Juniper. This means what you can accomplish
> with two object groups and a single-line ACL on a Cisco or Juniper device would take 50 or 60 lines
> in an Extreme switch policy file. Their filtering is terrible. It's a throwback to the 90s.

Remember that Extreme policies are downloaded to FPGA chips, so programs 
have to remain simple. This guarantees wire-speed filtering even at 
10Gbps. Of course, you cannot build a firewall on these; we are using 
Checkpoint and SPLAT (Linux Dell) where intense filtering is needed.
In the 90s, I remember struggling with Cisco 5500s that got stuck each 
time filtering took place, because the poor CPU of the Supervisor module 
was clogged, so there is some progress after all. I guess the situation 
will finally become perfect with a powerful CPU per physical port ...
By the way, we also use CLEAR-Flow for detecting specific traffic 
patterns, and this is clearly an asset for us.

> We built policy files for a client with 20 VLANs on a six-node stack (X460s). The filtering is granular,
> host to host / layer 4. After we modify a policy we can't use the refresh feature because there is a risk
> that the recompiling takes down the switch. (In our case it took down our switch.) This is a bug that
> is affecting 15.1.2.12 and lower versions. The fix is a patch that requires taking down the entire stack,
> which means a complete outage.

We have stopped using large stacks (two switches maximum; above this 
number we use a chassis) because they are far from perfect in terms of 
availability, whatever the manufacturer. Stacks apply to office areas, 
but not to data centers in our view. All our core chassis have 2 MSMs, 
and all of them are now coupled using MLAG, which is why software 
upgrades are not a problem anymore.

Cheers,
Bruno.

> We do NFS ESX mounts through these switches, which means we have to shut down hundreds of VMs before and
> after a maintenance upgrade.
>
> Per Extreme Networks, the refresh feature is not worth it when you have a stack of more than 4 nodes.
> The best approach is to remove the policy from the interface after you modify the file and reattach it to
> the interface after bootup is completed.
>
> Extreme Networks has seen cases where it takes a 6-node stack 4 hours to come up after reboot because of the
> filtering issue. Part of the bootup process is to parse/compile all policies across all slots, etc. The fix for that is to remove all
> filters from VLAN interfaces prior to the reload. Do the reload and reattach the policies to the interfaces after the
> reload. What a mess...
>
>
> My two cents..
>
>
> -LM
>
>
> -----Original Message-----
> From: Bruno Lebayle [mailto:lebayle at esrf.fr]
> Sent: Wednesday, August 07, 2013 1:47 AM
> To: Luis Mercado
> Cc: Simon Lockhart; extreme-nsp at puck.nether.net
> Subject: Re: [e-nsp] Extreme newbie questions...
>
> Hello,
>
> On 08/06/2013 10:06 PM, Luis Mercado wrote:
>> Hi Simon,
>>
>> [1]
>> We are using Extreme switches mainly for their layer 2 functionality
>> (EAPS). Quite frankly I don't trust them as layer 3 devices. We
>> are using X650s and X460s. I don't have the OSPF problem you are having.
>> It sounds like
>
> Funny enough, we are using many X670/X650 and BD8810/8910/X8 as layer 3 devices with VRRP. We even have BGP on our site routers (pairs of X650s using MLAG).
> Just my two cents.
>
> Cheers,
> Bruno.
> _____________________________________________________________________
>           o
>        o  o  o       Bruno LEBAYLE - Systems and Communications group
>     o   o o o   o    E.S.R.F (European Synchrotron Radiation Facility)
>       o  ooo  o      6 rue Jules Horowitz BP220 38043 GRENOBLE CEDEX 9
> o o o ooooo o o o  phone (33)4-7688-2258
>       o  ooo  o      fax   (33)4-7688-2020
>     o   o o o   o    email lebayle at esrf.fr
>        o  o  o
>           o          http://www.esrf.fr
> _____________________________________________________________________
>

-- 
Bruno LEBAYLE.
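Added example (not from either poster): what the "filter on SYN flags and allow 1023 or greater for UDP" approximation of established/related from Luis's message looks like as an ExtremeXOS ACL policy file. The entry names, the VLAN name and the 10.1.1.0/24 (clients) / 10.1.2.0/24 (servers) prefixes are assumed for illustration; the tcp-flags and port-range keywords should be checked against the ACL chapter of the EXOS release in use, since accepted match conditions vary by release and platform.

```exos
# Added example, not the posters' policy. Entries are evaluated top to
# bottom, first match wins, so the order below matters. EXOS policy
# files have no implicit deny, hence the explicit deny at the end.
# Applied on ingress of the server VLAN: "source" here is the server side.

# Handshake reply: the server answering a client's SYN with SYN+ACK.
# Permitted first, so the SYN deny below does not break session setup.
entry srv_synack_reply {
    if match all {
        protocol tcp;
        source-address 10.1.2.0/24;
        destination-address 10.1.1.0/24;
        tcp-flags syn_ack;
    } then {
        permit;
        count srv_synack_reply;
    }
}

# The "established" hack: refuse any new TCP connection opened from the
# server VLAN towards the clients (bare SYN). Everything that is not a
# SYN falls through to the next entry and is let in, session or not.
entry srv_new_tcp_blocked {
    if match all {
        protocol tcp;
        source-address 10.1.2.0/24;
        destination-address 10.1.1.0/24;
        tcp-flags syn;
    } then {
        deny;
        count srv_new_tcp_blocked;
    }
}

# Remaining TCP from servers to clients (ACK, FIN, RST, data segments).
entry srv_tcp_established {
    if match all {
        protocol tcp;
        source-address 10.1.2.0/24;
        destination-address 10.1.1.0/24;
    } then {
        permit;
        count srv_tcp_established;
    }
}

# The UDP "related" hack from the thread: replies to client ephemeral
# ports. Destination port 1023 or greater, as the post describes it.
entry srv_udp_high_ports {
    if match all {
        protocol udp;
        source-address 10.1.2.0/24;
        destination-address 10.1.1.0/24;
        destination-port 1023 - 65535;
    } then {
        permit;
        count srv_udp_high_ports;
    }
}

# Explicit catch-all deny for anything else leaving the server VLAN
# towards the clients (no implicit deny in an EXOS policy).
entry srv_default_deny {
    if match all {
        source-address 10.1.2.0/24;
        destination-address 10.1.1.0/24;
    } then {
        deny;
        count srv_default_deny;
    }
}
```

Assuming the file is saved as server_vlan_in.pol and the VLAN is named ServerVLAN, it is syntax-checked with `check policy server_vlan_in` and bound with `configure access-list server_vlan_in vlan ServerVLAN ingress`; given what the thread says about `refresh policy` on larger stacks, unbinding, editing and rebinding is the safer way to change it. Two things the "hack job" remark is pointing at: the filter is stateless, so any packet from the server side with SYN clear (an ACK-only scan, data to a client port that never opened a session) passes the third entry whether or not a session exists, and any UDP datagram to a client port above 1022 passes the fourth. It blocks new TCP connection attempts and nothing more, which is why the next message in the thread says real filtering is done on Checkpoint and not on the switch.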
