Solved

Juniper EX2200 L3 connections limit

Posted on 2014-01-07
879 Views
Last Modified: 2014-01-07
Hello, I have a few EX2200 switches in VC mode, and I was wondering if there is a limit for new connections per second when an interface is configured in L3 mode?

For example, if I host a website in a VM hosted on an ESXi host connected to the EX2200, is the number of possible connections limited by the forwarding rate of the EX2200?

Mostly I have been using them in L2 mode, but I might be experimenting with connecting my ISP ethernet directly to them.

I couldn't find this info in the specs of the switch. In traditional L3 devices I see that they specify, for example, "4,000 new connections per second", etc.

Thank you
Question by: sk391
3 Comments
Accepted Solution by: Jordan Medlen (LVL 6, earned 500 total points)
With a multi-layer switch, you're no longer talking about a traditional L3 device, where you are CPU dependent. Multi-layer switches use ASICs and CAM/TCAM to build forwarding tables. The real metrics will be how large the FIB (forwarding information base) and RIB (routing information base) is supported in hardware for layer 3 forwarding of packets.

Looking at the specs for your system...

Data Rate
    EX2200-24P/24T: 56 Gbps
    EX2200-48P/48T: 104 Gbps
    EX2200-C-12T/12P-2G: 28 Gbps

Throughput
    EX2200-24P/24T: 42 Mpps (wire speed)
    EX2200-48P/48T: 77 Mpps (wire speed)
    EX2200-C-12T/12P-2G: 21 Mpps


The system will switch up to 42 or 77 Mpps (Million packets per second) with a backplane capacity of up to 104 Gbps, depending on the model of switch that you have.

This device will support up to 6500 IPv4 routes in hardware, so you'll want to make sure to just set a default route to your provider.

Should not be an issue aside from that.
Author Comment by: sk391 (LVL 1)
Thank you. I have the 48P version with 4x GbE ports utilized as VC ports (backplane between the VC member switches).

The switches are connected only to various ESXi hosts (8 GbE NICs each) running about 150 VMs, and a NetApp device (NFS, jumbo frames).

So since I have a DPI firewall with a much smaller capability (4,000 new IPv4 connections per second), it is preferable to insert the firewall inline in my environment, instead of putting it right on my provider's ethernet handoff where it sits now?

My use case is: one 1000 Mbit link from my ISP, which is used for two things:

1) To provide connectivity to a cloud management portal (all traffic is hitting a NetScaler VPX 3000, which then forwards to the HTTPS portal. VPX also compresses and caches the portal assets). The NetScaler is on its own VLAN, the portal is in the DMZ, and the Management network is on another VLAN. So 3 VLANs are needed here.

2) One more VLAN to provide inbound and outbound connectivity to hosted cloud tenants, each of which has a virtual datacenter. Each tenant has a virtual VMware edge appliance to protect their VMs. Each virtual VMware edge appliance can handle at a minimum 64,000 concurrent connections, 8,000 connections per second and 3GBps firewall throughput, but with a small change in the virtual hardware it can support 1,000,000 concurrent connections and 50,000 new sessions per second.

http://blogs.vmware.com/vsphere/2013/01/differences-between-compact-large-and-x-large-edge-gateway-appliances.html

Right now both of these are served by the border firewall. I believe that by changing the setup in order to have the EX2200 directly connected to the ISP, and moving the firewall "inline" in transparent mode only for specific tagged VLANs, then I can remove the current limit of connections.

If I leave it as I have it right now, in the event that a tenant has over 5,000 connections per second, let's say a popular website, the SonicWall might crash and it might make the rest of the environment inaccessible.

Does this sound like a good approach?

Thank you for the answer
Expert Comment by: Jordan Medlen (LVL 6)
I would agree with the approach to move the firewall to protect the management and other non-public-facing portions of your network, and let the switch handle the rest of the Internet traffic for your clients. I would not put it inline as you say, as in the following.

ISP --> Firewall --> Switch --> Client/Management Data

I would do the following...

ISP --> Switch --> Client public traffic
                |
                |------> Firewall --> Back to Switch (Trunk port) --> Management Environment
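The routed design in the reply above, together with the default-route advice from the accepted solution, sketched as Junos "set" commands. This is an added example, not configuration from the thread, from the asker's environment or from Juniper; every port name, VLAN ID and address is an assumption (RFC 5737 documentation ranges).

```junos
## ISP handoff as a routed (family inet) port on an assumed member port.
## Forwarding here is done by the ASIC, so there is no connections-per-second
## figure to plan around, only route-table capacity.
set interfaces ge-0/0/47 description "ISP handoff (assumed port)"
set interfaces ge-0/0/47 unit 0 family inet address 203.0.113.2/30

## 6500 IPv4 routes fit in hardware, so carry only a default route upstream.
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## Tenant public VLAN, routed on the switch; the tenants' own edge
## appliances do the stateful work for their VMs.
set vlans tenant-public vlan-id 20
set vlans tenant-public l3-interface vlan.20
set interfaces vlan unit 20 family inet address 198.51.100.1/24

## Transit VLAN towards the firewall's outside interface. The management
## network (assumed 10.10.0.0/24) is reachable only through the firewall.
set vlans fw-transit vlan-id 40
set vlans fw-transit l3-interface vlan.40
set interfaces vlan unit 40 family inet address 192.0.2.1/30
set routing-options static route 10.10.0.0/24 next-hop 192.0.2.2

## Management VLAN stays pure L2 on the switch (no l3-interface), so the
## firewall is the only router into it.
set vlans mgmt vlan-id 30

## Trunk to the firewall carrying both sides: transit (outside) and
## management (inside), as in "Back to Switch (Trunk port)" above.
set interfaces ge-0/0/46 description "Firewall trunk (assumed port)"
set interfaces ge-0/0/46 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members [ fw-transit mgmt ]

## Stateless guard on the ISP port: packets from the provider may not be
## addressed to the management subnet or the firewall transit link directly.
set firewall family inet filter FROM-ISP term no-mgmt from destination-address 10.10.0.0/24
set firewall family inet filter FROM-ISP term no-mgmt from destination-address 192.0.2.0/30
set firewall family inet filter FROM-ISP term no-mgmt then count dropped-to-mgmt
set firewall family inet filter FROM-ISP term no-mgmt then discard
set firewall family inet filter FROM-ISP term allow then accept
set interfaces ge-0/0/47 unit 0 family inet filter input FROM-ISP
```

The counter on the discard term gives a cheap check (`show firewall filter FROM-ISP`) that nothing from the provider side is being steered around the firewall.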
