Juniper ex2200 L3 connections limit

Hello, I have a few EX2200 switches in VC mode, and I was wondering if there is a limit for new connections per second when an interface is configured in L3 mode?

For example, if I host a website in a VM hosted on an ESXi host connected to the EX2200, is the number of possible connections limited by the forwarding rate of the EX2200?

Mostly I have been using them in L2 mode, but I might be experimenting with connecting my ISP ethernet directly to them.

I couldn't find this info in the specs of the switch. In traditional L3 devices I see that they specify, for example, "4,000 new connections per second", etc.

Thank you
Jordan Medlen commented:
With a multi-layer switch, you're no longer talking about a traditional L3 device, where you are CPU dependent. Multi-layer switches use ASICs and CAM/TCAM to build forwarding tables. The real metrics will be how large a FIB (forwarding information base) and RIB (routing information base) are supported in hardware for layer 3 forwarding of packets.

Looking at the specs for your system...

Data Rate

    EX2200-24P/24T: 56 Gbps
    EX2200-48P/48T: 104 Gbps
    EX2200-C-12T/12P-2G: 28 Gbps

Forwarding Rate

    EX2200-24P/24T: 42 Mpps (wire speed)
    EX2200-48P/48T: 77 Mpps (wire speed)
    EX2200-C-12T/12P-2G: 21 Mpps

The system will switch up to 42 or 77 Mpps (Million packets per second) with a backplane capacity of up to 104 Gbps, depending on the model of switch that you have.

This device will support up to 6500 IPv4 routes in hardware, so you'll want to make sure to just set a default route to your provider.

Should not be an issue aside from that.
sk391 (Author) commented:
Thank you, I have the 48P version with 4x GbE ports utilized as VC ports (the backplane between the VC member switches).

The switches are connected only to various ESXi hosts (8 GbE NICs each) running about 150 VMs, and a NetApp device (NFS, jumbo frames).

So since I have a DPI firewall with a much smaller capability (4,000 new IPv4 connections per second), is it preferable to insert the firewall inline in my environment, instead of putting it right on my provider's Ethernet handoff where it sits now?

My use case is: one 1000 Mbit link from my ISP, which is used for two things:

1) To provide connectivity to a cloud management portal (all traffic is hitting a NetScaler VPX 3000, which then forwards to the HTTPS portal. The VPX also compresses and caches the portal assets). The NetScaler is on its own VLAN, the portal is in the DMZ, and the management network is on another VLAN, so 3 VLANs are needed here.

2) One more VLAN to provide inbound and outbound connectivity to hosted cloud tenants, each of which has a virtual datacenter. Each tenant has a virtual VMware edge appliance to protect their VMs. Each virtual VMware edge appliance can handle a minimum of 64,000 concurrent connections, 8,000 connections per second and 3 Gbps firewall throughput, but with a small change in the virtual hardware it can support 1,000,000 concurrent connections and 50,000 new sessions per second.

Right now both of these are served by the border firewall. I believe that by changing the setup in order to have the EX2200 directly connected to the ISP, and moving the firewall "inline" in transparent mode only for specific tagged VLANs, I can remove the current limit on connections.

If I leave it as I have it right now, in the event that a tenant has over 5,000 connections per second, let's say a popular website, the SonicWall might crash and it might make the rest of the environment inaccessible.

Does this sound like a good approach?

Thank you for the answer
Jordan Medlen commented:
I would agree with the approach to move the firewall to protect the management and other non-public-facing portions of your network, and let the switch handle the rest of the Internet traffic for your clients. I would not put it inline as you say, as in the following.

ISP --> Firewall --> Switch --> Client/Management Data

I would do the following...

ISP --> Switch --> Client public traffic
                |------> Firewall --> Back to Switch (Trunk port) --> Management Environment
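The topology in the accepted answer, as an added Junos configuration example. This is not configuration from the original thread or from either participant; the interface names, VLAN IDs and addresses (RFC 5737 documentation ranges) are assumptions for illustration, and the firewall's own bridge configuration is not shown. The tenant-facing VLAN gets a routed VLAN interface (RVI) so its traffic is forwarded in the switch ASIC with no stateful device in the path, while the management VLAN is split into an "inside" and an "outside" VLAN that the transparent-mode firewall bridges, with the switch holding the gateway only on the outside VLAN. The one caveat a practitioner should keep in mind: an EX2200 firewall filter is stateless, so the filter below only drops spoofed sources on the uplink and is not a substitute for the stateful inspection the tenants' edge appliances provide.

```junos
## Added illustrative configuration (legacy, non-ELS EX syntax); not from the original thread.
## Interface names, VLAN IDs and addresses are assumptions; substitute your own.

## ISP handoff moves from the firewall to a routed port on the switch
set interfaces ge-0/0/0 description "ISP handoff"
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.2/30

## Single default route toward the ISP; keeps the ~6,500-route hardware FIB small
set routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

## Tenant public VLAN: gateway is an RVI, forwarded in hardware, no stateful device in path
set vlans tenant-public vlan-id 100
set vlans tenant-public l3-interface vlan.100
set interfaces vlan unit 100 family inet address 203.0.113.1/24

## Management: hosts live in mgmt-inside (200); the switch only routes mgmt-outside (201).
## The transparent-mode firewall bridges 200 <-> 201, so every management packet crosses it
## while tenant traffic never does.
set vlans mgmt-inside vlan-id 200
set vlans mgmt-outside vlan-id 201
set vlans mgmt-outside l3-interface vlan.201
set interfaces vlan unit 201 family inet address 192.0.2.1/24

## Firewall ports: one access port per side of the bridge
set interfaces ge-0/0/1 description "firewall outside (bridge)"
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members mgmt-outside
set interfaces ge-0/0/2 description "firewall inside (bridge)"
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members mgmt-inside

## ESXi-facing trunk carries the tenant VLAN and the inside management VLAN only
set interfaces ge-0/0/10 description "ESXi host trunk"
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members [ tenant-public mgmt-inside ]

## Stateless ingress filter on the uplink: drop packets claiming our own prefixes as source.
## This is all the switch can do; it is not stateful inspection.
set firewall family inet filter EDGE-IN term no-spoof from source-address 203.0.113.0/24
set firewall family inet filter EDGE-IN term no-spoof from source-address 192.0.2.0/24
set firewall family inet filter EDGE-IN term no-spoof then discard
set firewall family inet filter EDGE-IN term allow then accept
set interfaces ge-0/0/0 unit 0 family inet filter input EDGE-IN
```

With this layout the firewall's 4,000 connections-per-second ceiling applies only to the management VLAN, and a tenant burst on VLAN 100 is handled at the switch's forwarding rate and by that tenant's own edge appliance.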