QFX5k question

Sat Mar 23 22:32:56 UTC 2019

On 2019-03-23 12:41 -0700, Mehmet Akcin wrote:

> I am trying to get my hands on some QFX5000s and I have a rather quick
> question.

First, there is no model named QFX5000.  There is QFX5100, QFX5110,
QFX5120, QFX5200 and QFX5210 (and some of them have several submodels,
e.g. QFX5100-48T, QFX5100-48S and QFX5100-24Q).

> in QFX, I am trying to see if I need EX or not? more importantly (besides
> from what juniper papers say) are there any known issues people run into
> for a small scale deployment. (100mbps-1gbps range 1 rack, 20 servers)
> 
> my plan is to have QFX to it all, but i am worried, if this is too much for
> QFX, if you have relative experience on this , feel free to let me know

Presumably you are then interrested in the QFX5100-48S or QFX5100-48T,
as the other QFX5k models have even more performance available, and
thus cost a bit more.  (Cheaper than most MX:es, though.)  You might
also consider the EX4600: only 24 SFP+ (10G) ports and 4 QSFP (40G)
ports, but otherwise identical hardware to the QFX5100-48S.  I think
there are some features that Juniper has disabled in Junos for the
EX4600, though (VXLAN isn't mentioned in the EX4600 datasheet, for
example).

We have both QFX5100-48S and EX4600, and are quite happy with them.
They can easily handle the traffic volumes you are speaking about,
for both L2 and L3.  The Broadcom Trident II chip inside of them is
what has been powering L3 switches at the big cloud providers for
years, and they push much more traffic through them than that.

They do have limited feature set, though.  E.g, they only look at
the first 64 octets of each packet (and that includes L2 and L2.5
headers) when deciding what to do with a packet, and can't chase
the IPv6 header chain; thus, if there is an extension header before
the TCP/UDP header, they won't know what TCP/UDP ports are used,
or even if it is TCP, UDP or something else.  Dealing with packets
exiting tunnels (MPLS, VXLAN, et.c) is also limited.

However:

On 2019-03-23 12:52 -0700, Mehmet Akcin wrote:

> thanks for quick reply. I forgot to mention, 2 x 10G providers with full
> routing table on each.

As others have told you, and a quick glance at the datasheets from
Juniper will show, no way.  128k routes for IPv4, 64k routes for
IPv6.  And several caveats hiding, e.g. you can't reach both limits
at the same time.  And even reaching those will require careful
configuration.

First question: do you *need* full Internet DFZ tables?  Or can you
get away with just getting, e.g, 10k important prefixes from each
uplink, and punt everything else through a default route?  If those
prefixes are chosen well, they might catch 95-99% of all the traffic,
and the remaining 1-5% will just have to suffer sub-optimal routing.

I have heard of people who get a full BGP feed from their providers,
but only program a small portion of the prefixes into FIB, using some
filter list.  Then they monitor their outgoing traffic to notice when
significant amounts of traffic go out the wrong way, and then change
their filter lists.  I don't know any details about how they do it,
though.

If you *do* need full Internet tables, have you considered using a
Linux or BSD server with a couple of 10G interfaces and running Bird,
Quagga, or any of the other BGP implementations for Unix/Linux?  Or
perhaps Junipers virtual MX, which you run on a Linux server?  That
is probably quite a bit cheaper than an MX router, and should easily
be able to handle two 10G uplinks.

And by the way, remember that you need to buy an extra license to
use BGP on the QFX5k and EX4600 switches.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190323/9f1c5f95/attachment.sig>