[j-nsp] Managing large route-filter-lists
Brian Rak
brak at gameservers.com
Fri Jun 1 16:42:25 EDT 2018
On 5/22/2018 11:46 AM, Brian Rak wrote:
>
> On 5/22/2018 10:03 AM, Brian Rak wrote:
>>
>>
>> On 5/22/2018 12:58 AM, Phil Shafer wrote:
>>> Brian Rak writes:
>>>> The downside seems to be that these can blow up the router somehow...
>>> Not blow up, but obfuscate. Imagine a user (or support person) who
>>> is unaware that ephemeral databases are in use and resorts to pulling
>>> out hair, muttering profanity, and sticking pins in their "Mr. Phil
>>> Voodoo Doll" (tm) [batteries sold separately] when their "show
>>> configuration" output doesn't correlate to their true operational
>>> state. The warning is more about "yes, I'm aware" than about
>>> voiding warranties, explosions, or sharks with lasers.
>>>
>>> Thanks,
>>> Phil
>> Ah, I can imagine a number of situations where using an ephemeral
>> configuration can cause all sorts of confusion. At least for us, the
>> efficiency advantages definitely outweigh the additional complexity
>> here.
>>
>> Thanks!
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> Well, actually they can blow up the router too. I just managed to
> crash the routing process by committing an invalid bgp community to an
> ephemeral config:
>
> This takes out routing until you delete it:
> <config>
>   <configuration>
>     <policy-options>
>       <community>
>         <name>cl-FROM-AS13030</name>
>         <members>
>           large:20473:300:13030
>         </members>
>       </community>
>     </policy-options>
>   </configuration>
> </config>
>
> This works fine:
> <config>
>   <configuration>
>     <policy-options>
>       <community operation="replace">
>         <name>cl-FROM-AS13030</name>
>         <members>large:20473:300:13030</members>
>       </community>
>     </policy-options>
>   </configuration>
> </config>
>
> Under normal configuration mode, the former isn't actually accepted.
> Junos seems to be parsing the former as:
>
> policy-options {
>     community cl-FROM-AS13030 members "
>         large:20473:300:13030\n    ";
> }
Trip report:
Don't use these for massive IRR configs.
There's seemingly no garbage collection done on IRR configs, so you'll
have to wipe the database via shell and start over around once a
week (we've got a config that's about 100k lines, and we only change the
BGP peers that actually have changes in IRR).
They have a size limit of 400 MB, and that's pretty easy to hit. Once you
hit that size limit, you'll start getting weird errors back when
changing the normal configuration (it *seems* like it ends up committing
a fraction of the ephemeral configs, so for us it complains about
missing communities and policy statements).
I'm considering changing over to prefix-lists (instead of
route-filter-lists), and moving to the dynamic DB instead. I'm not even
sure if this will help :/
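The two payloads quoted above differ only in whether the `<members>` value is wrapped in newlines and indentation, and the ephemeral database commits that whitespace verbatim instead of rejecting it the way a normal commit would. A client-side lint of the NETCONF payload before it is sent is the check a practitioner would want. The following is an added example, not code from the thread or from Juniper; the XML payloads are constructed to mirror the two posted above, and the whitespace check and the community-format patterns are this example's own assumptions, not a Junos API.

```python
"""Lint a NETCONF <config> payload before it goes to a Junos ephemeral DB.

Added example (not from the thread).  It catches two things the ephemeral
DB does not: leaf text that still carries surrounding whitespace, and
community members that do not look like a large or standard community.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed payloads, same shape as the two posted in the thread.  The
# first wraps the member value in newline + indentation; the second does not.
BAD_PAYLOAD = """<config>
  <configuration>
    <policy-options>
      <community>
        <name>cl-FROM-AS13030</name>
        <members>
          large:20473:300:13030
        </members>
      </community>
    </policy-options>
  </configuration>
</config>"""

GOOD_PAYLOAD = """<config>
  <configuration>
    <policy-options>
      <community operation="replace">
        <name>cl-FROM-AS13030</name>
        <members>large:20473:300:13030</members>
      </community>
    </policy-options>
  </configuration>
</config>"""

U32 = 2 ** 32 - 1
# Assumed formats: large:<32-bit>:<32-bit>:<32-bit> and <16-bit>:<16-bit>.
LARGE_RE = re.compile(r"^large:(\d+):(\d+):(\d+)$")
STD_RE = re.compile(r"^(\d+):(\d+)$")


def member_is_well_formed(text: str) -> bool:
    """Accept only the two forms this example recognises.  Anything else
    (regex members, well-known names) is reported so a human looks at it
    before it reaches the ephemeral DB, where it will not be validated."""
    m = LARGE_RE.match(text)
    if m:
        return all(int(g) <= U32 for g in m.groups())
    m = STD_RE.match(text)
    if m:
        return all(int(g) <= 0xFFFF for g in m.groups())
    return False


def lint_config(xml_text: str) -> List[str]:
    """Return the problems found; an empty list means the payload looks safe."""
    problems = []
    root = ET.fromstring(xml_text)
    for comm in root.iter("community"):
        name = comm.findtext("name", default="?")
        for mem in comm.findall("members"):
            raw = mem.text or ""
            if raw != raw.strip():
                problems.append(
                    f"community {name}: <members> text {raw!r} carries "
                    "surrounding whitespace (would be committed verbatim)")
            if not member_is_well_formed(raw.strip()):
                problems.append(
                    f"community {name}: member {raw.strip()!r} is not a "
                    "recognised community format")
    return problems


def normalise_members(xml_text: str) -> str:
    """Strip whitespace around every <members> value and return the XML,
    attributes such as operation="replace" preserved."""
    root = ET.fromstring(xml_text)
    for mem in root.iter("members"):
        if mem.text:
            mem.text = mem.text.strip()
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, payload in (("bad", BAD_PAYLOAD), ("good", GOOD_PAYLOAD)):
        print(label, lint_config(payload) or "ok")
    print("normalised bad:", lint_config(normalise_members(BAD_PAYLOAD)) or "ok")
```

Run the lint on every payload before `<edit-config>`, and refuse to send anything that returns problems rather than relying on the router to reject it; the normaliser is only a fallback for payloads produced by a pretty-printing template.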