[j-nsp] EVPN

Michael Hare michael.hare at wisc.edu
Mon Aug 10 08:40:42 EDT 2015


[resend: sent yesterday from wrong src addr, apologies to those who are seeing this as a dupe]

Amos [and others]-

We're taking EVPN to the lab as well, as we are greenfield without VPLS, so I'm interested in any cookbooks you are willing to share [sanitized config, etc].

I have been collecting DDoS aggregate stats to RRD [show ddos-protection protocols statistics terse | display xml] for quite some time so I can determine sensible Juniper DDoS policers for our network.

Are others going through the effort of tweaking per FPC policers?  I'm trying to weigh hassle vs reward of moving towards "show ddos-protection protocols statistics detail | display xml".

I'm aware of Saku's comments re: 100pps/4000pps, and curious if folks are deviating significantly from this [up or down].

-Michael

> > -----Original Message-----
> > From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Amos Rosenboim
> > Sent: Sunday, August 09, 2015 2:43 AM
> > To: juniper-nsp at puck.nether.net; Chuck Anderson <cra at WPI.EDU>
> > Subject: Re: [j-nsp] EVPN
> >
> > Hi,
> >
> > We are in the final stages of testing EVPN for DCI as well as corporate
> > customers access into a small IaaS provider cloud.
> >
> > So far the testing was really good.
> > Few points we encountered:
> >
> > 1. On single active multi homing, when the CE is an L2 switch. When failing the
> > active link the switch will learn the remote destination MAC through the
> > standby link very quickly.
> > However, when the active link recovers and becomes active once again, the
> > CE MAC table does not flush and the CE keeps sending traffic to the backup port
> > that is now blocking.
> > Obviously this is only applicable to uni-directional traffic scenarios. On
> > bi-directional scenarios MAC learning works like a charm.
> >
> > 2. We couldn't find an elegant way to associate the inner vlan in a QinQ stack
> > directly into an EVI. We had to use an ingress bridge domain and the
> > infamous loop cable to do this.
> > Still searching for a more elegant way.
> >
> > 3. Loop testing - we tested what happens when a customer creates a loop.
> > We looped several vlans, most were L2, but one was L3 running OSPF with the
> > MX.
> > With the default configuration the results were the expected disaster.
> > After applying interface specific ARP policers, and using flow detection for
> > ddos protection (thanks to Saku Ytti for the pointers on this list), things look
> > much better now.
> >
> > This deployment is planned to go into production in a few weeks once we are
> > all back from our various vacations.
> >
> > Any feedback from other deployments will be much appreciated.
> >
> > Cheers,
> >
> > Amos
> >
> > Sent from my iPhone
> >
> > On 9 Aug 2015, at 00:03, Chuck Anderson
> > <cra at WPI.EDU<mailto:cra at WPI.EDU>> wrote:
> >
> > On Wed, May 06, 2015 at 12:13:41PM +0100, Matt Bernstein via juniper-nsp
> > wrote:
> > On 05/05/2015 15:48, Chuck Anderson wrote:
> > On Fri, May 01, 2015 at 05:53:54PM -0400, Chuck Anderson wrote:
> > Is anyone doing EVPN in production yet?
> > I take it from the deafening silence that either no one is doing EVPN
> > in production, or no one is willing to admit it.
> > You could ask me again in a few months :)
> >
> > I'm looking at a 10Gb/s L2 DCI over the Internet. EVPN (I think
> > MPLSoGRE pseudowires), then over IPsec, using active/active MX240
> > routers in each location. Looks elegant on paper, although if our
> > PoC turns up any gremlins we can fall back to boring (but obviously
> > less elegant) VPLSoGREoIPsec.
> >
> > I can report back here, hopefully before August, if people find it
> > interesting. _I_ will be particularly interested in the encryption
> > latency tax, given that without dedicated circuits latency is
> > already potentially an issue.
> >
> > I will also be interested to see if anything cheap can do
> > low-bandwidth encrypted EVPN; this might help those few corner-cases
> > where people insist on a VLAN over our L3 campus fabric. The SRX100
> > can do VPLSoGREoIPsec, but again EVPN strikes me as more elegant.
> >
> > Hi Matt,
> >
> > Do you have any news to report on your EVPN deployment?  Did you have
> > to fall back to VPLS?
> >
> > Thanks,
> > Chuck
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
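As an added example (not code from the thread, from Michael, or from Juniper), the kind of check Michael describes: parse the XML from `show ddos-protection protocols statistics terse | display xml`, compare each protocol group's observed peak against the currently configured policer, and propose a policer value with headroom. The XML tag names and the sample document are constructed assumptions about the Junos schema, and the headroom, floor and rounding rules are illustrative defaults, not Juniper's.

```python
import xml.etree.ElementTree as ET

# Constructed sample; tag names are an assumption about the Junos XML schema.
SAMPLE_XML = """<ddos-protocols-information>
 <ddos-protocol-group><group-name>arp</group-name>
  <ddos-protocol><packet-type>aggregate</packet-type>
   <ddos-system-statistics><packet-dropped>0</packet-dropped>
    <packet-arrival-rate>37</packet-arrival-rate>
    <packet-arrival-rate-max>1420</packet-arrival-rate-max>
   </ddos-system-statistics></ddos-protocol></ddos-protocol-group>
 <ddos-protocol-group><group-name>ospf</group-name>
  <ddos-protocol><packet-type>aggregate</packet-type>
   <ddos-system-statistics><packet-dropped>5310</packet-dropped>
    <packet-arrival-rate>12</packet-arrival-rate>
    <packet-arrival-rate-max>6100</packet-arrival-rate-max>
   </ddos-system-statistics></ddos-protocol></ddos-protocol-group>
</ddos-protocols-information>"""

def parse_stats(xml_text):
    """One dict per protocol group: observed rates in pps and packets dropped."""
    rows = []
    for group in ET.fromstring(xml_text).iter("ddos-protocol-group"):
        for proto in group.findall("ddos-protocol"):
            s = proto.find("ddos-system-statistics")
            rows.append({"group": group.findtext("group-name"),
                         "packet_type": proto.findtext("packet-type"),
                         "dropped": int(s.findtext("packet-dropped")),
                         "rate": int(s.findtext("packet-arrival-rate")),
                         "max_rate": int(s.findtext("packet-arrival-rate-max"))})
    return rows

def suggest_policer(max_rate, headroom=2.0, floor=100, step=100):
    """Observed peak times headroom, rounded up to a multiple of step, never below floor."""
    target = max(floor, int(max_rate * headroom))
    return -(-target // step) * step

def review(rows, policers, warn=0.8):
    """Classify each group against its configured policer (pps): DROPPING if packets
    were already discarded, NEAR_LIMIT if the peak reached warn*policer, else OK."""
    report = {}
    for r in rows:
        limit = policers.get(r["group"])
        state = ("DROPPING" if r["dropped"] > 0 else
                 "NEAR_LIMIT" if limit and r["max_rate"] >= warn * limit else "OK")
        report[r["group"]] = (state, suggest_policer(r["max_rate"]))
    return report

if __name__ == "__main__":  # constructed current policer values, in pps
    for g, (state, n) in review(parse_stats(SAMPLE_XML), {"arp": 1500, "ospf": 4000}).items():
        print(f"{g:5} {state:10} suggested aggregate policer {n} pps")
```

A NEAR_LIMIT or DROPPING verdict is a prompt to look at whether the traffic is legitimate before raising the policer; a loop like the one Amos describes will also show up as a peak.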