sk391

Juniper ex2200 L3 connections limit

Hello, I have a few EX2200 switches in VC mode, and I was wondering if there is a limit for new connections per second when an interface is configured in L3 mode?

For example if I host a website in a VM hosted in a ESXi host connected to the EX2200, is the number of possible connections limited by the forwarding rate of the EX2200?

Mostly I have been using them in L2 mode, but I might be experimenting with connecting my ISP ethernet directly to them.

I couldn't find this info in the specs of the switch. In traditional L3 devices I see that they specify, for example, "4,000 new connections per second", etc.

Thank you
ASKER CERTIFIED SOLUTION
Jordan Medlen

sk391

ASKER

Thank you, I have the 48P version with 4x GbE ports utilized as VC ports (backplane between the VC member switches)

The switches are connected only to various ESXi hosts (8 GbE NICs each) running about 150 VMs, and a NetApp device (NFS, jumbo frames).

So since I have a DPI firewall with a much smaller capability (4,000 new IPv4 connections per second), it is preferable to insert the firewall inline in my environment, instead of putting it right on my provider's ethernet handoff where it sits now?

My use case is: one 1000 Mbit link from my ISP, which is used for two things:

1) To provide connectivity to a cloud management portal (all traffic is hitting a NetScaler VPX 3000 which then forwards to the HTTPS portal. VPX also compresses and caches the portal assets). The NetScaler is on its own VLAN, and the portal is in the DMZ; the management network is on another VLAN. So 3 VLANs are needed here.

2) One more VLAN to provide inbound and outbound connectivity to hosted cloud tenants, each of which has a virtual datacenter. Each tenant has a virtual VMware Edge appliance to protect their VMs. Each virtual VMware Edge appliance can handle at a minimum 64,000 concurrent connections, 8,000 connections per second and 3GBps firewall throughput, but with a small change in the virtual hardware it can support 1,000,000 concurrent connections and 50,000 new sessions per second.

http://blogs.vmware.com/vsphere/2013/01/differences-between-compact-large-and-x-large-edge-gateway-appliances.html

Right now both of these are served by the border firewall. I believe that by changing the setup in order to have the EX2200 directly connected to the ISP, and moving the firewall "inline" in transparent mode only for specific tagged VLANs, I can remove the current limit of connections.

If I leave it as I have it right now, in the event that a tenant has over 5,000 connections per second, let's say a popular website, the SonicWall might crash and it might make the rest of the environment inaccessible.

Does this sound like a good approach?

Thank you for the answer
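The concern above is whether a tenant burst would push the border firewall past its rated 4,000 new connections per second. The following script is an added example, not part of this thread or of any vendor's tooling: it counts connection-open events per VLAN per second from connection log lines and flags the seconds that exceed the firewall's rating. The log line format, the VLAN numbers and the addresses are constructed for the example.

```python
"""Estimate new-connection rate (connections per second) from connection-open
log lines and flag seconds that exceed a stateful firewall's rated limit.

The log format parsed here is an assumption made for this example; adapt
LINE_RE to the firewall's or hypervisor's real export format.
"""
from collections import Counter
import re

# Assumed (constructed) line format:
#   "<ISO timestamp, 1 s resolution> vlan=<id> open <src> -> <dst>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) vlan=(?P<vlan>\d+) open "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)

# Rated limit quoted in the thread for the border firewall.
FIREWALL_CPS_LIMIT = 4000


def new_connections_per_second(lines):
    """Return {(vlan, second): count} of connection-open events.

    Lines that are not connection-open events (closes, malformed lines)
    are skipped, so the counts reflect session setup rate only."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        counts[(int(m.group("vlan")), m.group("ts"))] += 1
    return counts


def seconds_over_limit(counts, limit=FIREWALL_CPS_LIMIT):
    """Return a sorted list of (second, vlan, count) whose open count exceeds limit."""
    return sorted((sec, vlan, n) for (vlan, sec), n in counts.items() if n > limit)


def peak_rate(counts):
    """Return the highest per-second open count seen on any VLAN (0 if none)."""
    return max(counts.values(), default=0)


def make_sample_log():
    """Constructed sample: tenant VLAN 40 bursts to 4,500 opens in one second
    (above the 4,000 cps rating), management VLAN 10 stays at a dozen."""
    lines = []
    for i in range(4500):
        lines.append(f"2024-01-01T12:00:00 vlan=40 open 203.0.113.{i % 250} -> 198.51.100.10")
    for i in range(12):
        lines.append(f"2024-01-01T12:00:00 vlan=10 open 10.0.10.{i} -> 10.0.10.1")
    for i in range(300):
        lines.append(f"2024-01-01T12:00:01 vlan=40 open 203.0.113.{i % 250} -> 198.51.100.10")
    # A close event: not a new connection, so it must not be counted.
    lines.append("2024-01-01T12:00:01 vlan=40 close 203.0.113.5 -> 198.51.100.10")
    return lines


if __name__ == "__main__":
    counts = new_connections_per_second(make_sample_log())
    print("peak new connections/s:", peak_rate(counts))
    for sec, vlan, n in seconds_over_limit(counts):
        print(f"{sec}: VLAN {vlan} opened {n} connections/s, above {FIREWALL_CPS_LIMIT}")
```

Run against a day of real connection logs, the flagged (second, VLAN) pairs show which VLANs actually need the firewall's session table and which are only consuming its setup budget; that is the split the proposed topology relies on.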
I would agree with the approach to move the firewall to protect the management and other non-public-facing portions of your network, and let the switch handle the rest of the Internet traffic for your clients. I would not put it inline as you say, as in the following.

ISP --> Firewall --> Switch --> Client/Management Data

I would do the following...

ISP --> Switch --> Client public traffic
                |
                |------> Firewall --> Back to Switch (Trunk port) --> Management Environment