Juniper ex2200 L3 connections limit

Posted on 2014-01-07
Last Modified: 2014-01-07
Hello, I have a few EX2200 switches in VC mode, and I was wondering if there is a limit for new connections per second when an interface is configured in L3 mode?

For example if I host a website in a VM hosted in a ESXi host connected to the EX2200, is the number of possible connections limited by the forwarding rate of the EX2200?

Mostly I have been using them in L2 mode, but I might be experimenting with connecting my ISP ethernet directly to them.

I couldn't find this info in the specs of the switch. In traditional L3 devices I see that they specify, for example, "4,000 new connections per second", etc.

Thank you
Question by: sk391

Accepted Solution

Jordan Medlen earned 500 total points
ID: 39761921
With a multi-layer switch, you're no longer talking about a traditional L3 device, where you are CPU-dependent. Multi-layer switches use ASICs and CAM/TCAM to build forwarding tables. The real metrics will be how large a FIB (forwarding information base) and RIB (routing information base) are supported in hardware for layer 3 forwarding of packets.

Looking at the specs for your system...

Data Rate

    EX2200-24P/24T: 56 Gbps
    EX2200-48P/48T: 104 Gbps
    28 Gbps

Packet forwarding rate

    EX2200-24P/24T: 42 Mpps (wire speed)
    EX2200-48P/48T: 77 Mpps (wire speed)
    EX2200-C-12T/12P-2G: 21 Mpps
The system will switch up to 42 or 77 Mpps (Million packets per second) with a backplane capacity of up to 104 Gbps, depending on the model of switch that you have.

This device will support up to 6500 IPv4 routes in hardware, so you'll want to make sure to just set a default route to your provider.

Should not be an issue aside from that.

Author Comment

ID: 39762026
Thank you. I have the 48P version with 4x GbE ports utilized as VC ports (backplane between the VC member switches).

The switches are connected only to various ESXi hosts (8 GbE NICs each) running about 150 VMs, and a NetApp device (NFS, jumbo frames).

So since I have a DPI firewall with a much smaller capability (4,000 new IPv4 connections per second), is it preferable to insert the firewall inline in my environment, instead of putting it right on my provider's ethernet handoff where it sits now?

My use case is: one 1000 Mbit link from my ISP, which is used for two things:

1) To provide connectivity to a cloud management portal (all traffic is hitting a NetScaler VPX 3000, which then forwards to the HTTPS portal; the VPX also compresses and caches the portal assets). The NetScaler is on its own VLAN, the portal is in the DMZ, and the management network is on another VLAN, so 3 VLANs are needed here.

2) One more VLAN to provide inbound and outbound connectivity to hosted cloud tenants, each of which has a virtual datacenter. Each tenant has a virtual VMware edge appliance to protect their VMs. Each virtual VMware edge appliance can handle a minimum of 64,000 concurrent connections, 8,000 connections per second and 3GBps firewall throughput, but with a small change in the virtual hardware it can support 1,000,000 concurrent connections and 50,000 new sessions per second.

Right now both of these are served by the border firewall. I believe that by changing the setup in order to have the EX2200 directly connected to the ISP, and moving the firewall "inline" in transparent mode only for specific tagged VLANs, I can remove the current limit of connections.

If I leave it as I have it right now, in the event that a tenant has over 5,000 connections per second, let's say a popular website, the SonicWall might crash and it might make the rest of the environment inaccessible.

Does this sound like a good approach?

Thank you for the answer

Expert Comment

by: Jordan Medlen
ID: 39762231
I would agree with the approach to move the firewall to protect the management and other non-public-facing portions of your network, and let the switch handle the rest of the Internet traffic for your clients. I would not put it inline as you say, as in the following.

ISP --> Firewall --> Switch --> Client/Management Data

I would do the following...

ISP --> Switch --> Client public traffic
                |------> Firewall --> Back to Switch (Trunk port) --> Management Environment
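The two recommendations above (a single default route to the provider so the hardware FIB stays small, and the firewall hanging off the switch for the management and DMZ VLANs only, with tenant public traffic routed by the switch ASIC) as one Junos configuration sketch. This is an added example, not configuration from either expert or from Juniper; every VLAN id, interface name, subnet and address below is an assumption chosen for illustration.

```junos
# Added example: EX2200 (non-ELS CLI) carrying the ISP handoff directly, with the
# firewall one-armed for the protected VLANs. All values are constructed;
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation prefixes.

# ISP handoff: access port in an uplink VLAN, terminated on a routed VLAN interface
set vlans ISP-UPLINK vlan-id 10 l3-interface vlan.10
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access vlan members ISP-UPLINK
set interfaces vlan unit 10 family inet address 203.0.113.2/30

# Tenant public VLAN: gateway is the switch itself (ASIC forwarding, no
# per-connection state); each tenant's virtual edge appliance is its own firewall
set vlans TENANT-PUBLIC vlan-id 20 l3-interface vlan.20
set interfaces vlan unit 20 family inet address 198.51.100.1/24

# Firewall outside leg: dedicated VLAN and RVI so the switch can route to it
set vlans FW-OUTSIDE vlan-id 30 l3-interface vlan.30
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access vlan members FW-OUTSIDE
set interfaces vlan unit 30 family inet address 192.0.2.1/30

# Management and DMZ VLANs stay L2-only on the switch (no l3-interface), so the
# firewall's inside trunk is the only gateway out of them
set vlans MGMT vlan-id 40
set vlans DMZ vlan-id 50
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members [ MGMT DMZ ]

# ESXi host trunk: tenant public plus the firewalled VLANs
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members [ TENANT-PUBLIC MGMT DMZ ]

# Routing: one default toward the ISP, and only the protected subnets (assumed
# 10.40.0.0/16 and 10.50.0.0/16 behind the firewall) pointed at its outside
# address, so the 6500-route hardware table is barely used
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-options static route 10.40.0.0/16 next-hop 192.0.2.2
set routing-options static route 10.50.0.0/16 next-hop 192.0.2.2

# Verify from operational mode that the active inet.0 route count stays far
# below the hardware limit:
#   show route summary
```

Traffic for the tenant VLAN never touches the firewall's session table, so its 4,000 connections-per-second ceiling applies only to the management and DMZ paths that are deliberately routed through it.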
