Juniper ex2200 L3 connections limit

Posted on 2014-01-07
Last Modified: 2014-01-07
Hello, I have a few EX2200 switches in VC mode, and I was wondering if there is a limit for new connections per second when an interface is configured in L3 mode?

For example if I host a website in a VM hosted in a ESXi host connected to the EX2200, is the number of possible connections limited by the forwarding rate of the EX2200?

Mostly I have been using them in L2 mode, but I might be experimenting with connecting my ISP ethernet directly to them.

I couldn't find this info in the specs of the switch. In traditional L3 devices I see that they specify, for example, "4,000 new connections per second", etc.

Thank you
Question by:sk391

Accepted Solution

Jordan Medlen earned 500 total points
ID: 39761921
With a multi-layer switch, you're no longer talking about a traditional L3 device, where you are CPU dependent. Multi-layer switches use ASICs and CAM/TCAM to build forwarding tables. The real metrics will be how large the FIB (forwarding information base) and RIB (routing information base) is supported in hardware for layer 3 forwarding of packets.

Looking at the specs for your system...

Data Rate

    EX2200-24P/24T: 56 Gbps
    EX2200-48P/48T: 104 Gbps
    EX2200-C-12T/12P-2G: 28 Gbps

Throughput

    EX2200-24P/24T: 42 Mpps (wire speed)
    EX2200-48P/48T: 77 Mpps (wire speed)
    EX2200-C-12T/12P-2G: 21 Mpps

The system will switch up to 42 or 77 Mpps (Million packets per second) with a backplane capacity of up to 104 Gbps, depending on the model of switch that you have.

This device will support up to 6500 IPv4 routes in hardware, so you'll want to make sure to just set a default route to your provider.

Should not be an issue aside from that.

Author Comment

ID: 39762026
Thank you. I have the 48P version, with 4x GbE ports utilized as VC ports (the backplane between the VC member switches).

The switches are connected only to various ESXi hosts (8 GbE NICs each) running about 150 VMs, and a NetApp device (NFS, jumbo frames).

So since I have a DPI firewall with a much smaller capability (4,000 new IPv4 connections per second), it is preferable to insert the firewall inline in my environment, instead of putting it right on my provider's ethernet handoff where it sits now?

My use case is: one 1000 Mbit link from my ISP, which is used for two things:

1) to provide connectivity to a cloud management portal (all traffic is hitting a NetScaler VPX 3000, which then forwards to the HTTPS portal. The VPX also compresses and caches the portal assets). The NetScaler is on its own VLAN, and the portal is in the DMZ; the management network is on another VLAN. So 3 VLANs are needed here.

2) one more VLAN to provide inbound and outbound connectivity to hosted cloud tenants, each of which has a virtual datacenter. Each tenant has a virtual VMware Edge appliance to protect their VMs. Each virtual VMware Edge appliance can handle at a minimum 64,000 concurrent connections, 8,000 connections per second and 3GBps firewall throughput, but with a small change in the virtual hardware it can support 1,000,000 concurrent connections and 50,000 new sessions per second.

Right now both of these are served by the border firewall. I believe that by changing the setup in order to have the EX2200 directly connected to the ISP, and moving the firewall "inline" in transparent mode only for specific tagged VLANs, I can remove the current limit of connections.

If I leave it as I have it right now, in the event that a tenant has over 5,000 connections per second, let's say a popular website, the SonicWall might crash and it might make the rest of the environment inaccessible.

Does this sound like a good approach?

Thank you for the answer

Expert Comment

by:Jordan Medlen
ID: 39762231
I would agree with the approach to move the firewall to protect the management and other non-public-facing portions of your network, and let the switch handle the rest of the Internet traffic for your clients. I would not put it inline as you say, as in the following.

ISP --> Firewall --> Switch --> Client/Management Data

I would do the following...

ISP --> Switch --> Client public traffic
                |------> Firewall --> Back to Switch (Trunk port) --> Management Environment
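The design sketched in the accepted solution and in the comment above (a single default route to the provider, routed VLAN interfaces on the EX2200 for the public-facing VLANs, and the firewall hanging off a trunk port in front of the management VLAN only), written out as an added Junos configuration. This is an editor's example for this page, not configuration posted by anyone in the thread. The VLAN names, VLAN IDs, port numbers and every address are assumed (203.0.113.0/30 is the RFC 5737 documentation range standing in for the ISP handoff; 10.10.x.0/24 for the internal subnets). The syntax is the non-ELS EX-series style (family ethernet-switching with port-mode trunk, RVIs as vlan.N) that the EX2200 ran at the time of the thread; ge-0/0/x means member 0 of the Virtual Chassis. The "##" lines are commentary for the reader; enter the set commands in configuration mode and commit.

```junos
## Uplink to the ISP handoff as a routed (family inet) port.
## Addresses are assumed; 203.0.113.0/30 is a documentation prefix, not a real ISP.
set interfaces ge-0/0/0 description "ISP handoff"
set interfaces ge-0/0/0 unit 0 family inet filter input FROM-ISP
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30

## One default route to the provider. The table then holds this route plus the
## directly connected and static internal subnets, far below the hardware
## route limit the accepted solution quotes; do not take a full table here.
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## VLANs. NetScaler, DMZ and tenant VLANs are routed on the switch (RVI).
## The management VLAN deliberately has no RVI: the firewall is its gateway,
## so nothing reaches it without crossing the firewall.
set vlans netscaler  vlan-id 10 l3-interface vlan.10
set vlans dmz        vlan-id 20 l3-interface vlan.20
set vlans mgmt       vlan-id 30
set vlans tenants    vlan-id 40 l3-interface vlan.40
set vlans fw-outside vlan-id 50 l3-interface vlan.50

set interfaces vlan unit 10 family inet address 10.10.10.1/24
set interfaces vlan unit 20 family inet address 10.10.20.1/24
set interfaces vlan unit 40 family inet address 10.10.40.1/24
## Point-to-point VLAN between the switch and the firewall's outside interface.
set interfaces vlan unit 50 family inet address 10.10.50.1/30

## The management subnet (10.10.30.0/24, assumed) is reachable only through
## the firewall, whose outside address is assumed to be 10.10.50.2.
set routing-options static route 10.10.30.0/24 next-hop 10.10.50.2

## Trunk to an ESXi host: all workload VLANs, including management for the
## hosts' own management network.
set interfaces ge-0/0/10 description "ESXi host 1"
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members [ netscaler dmz mgmt tenants ]

## Trunk to the firewall: its outside leg (fw-outside) and its inside leg (mgmt).
## This is the "Firewall --> Back to Switch (Trunk port)" hop in the diagram above.
set interfaces ge-0/0/11 description "Firewall"
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members [ fw-outside mgmt ]

## Stateless ingress filter on the ISP port. Drops packets arriving from the
## Internet that claim an RFC 1918 source and counts them; everything else is
## accepted and forwarded in hardware. This is the only filtering tenant
## traffic gets on the switch; it is not a stateful firewall.
set firewall family inet filter FROM-ISP term drop-spoofed-private from source-address 10.0.0.0/8
set firewall family inet filter FROM-ISP term drop-spoofed-private from source-address 172.16.0.0/12
set firewall family inet filter FROM-ISP term drop-spoofed-private from source-address 192.168.0.0/16
set firewall family inet filter FROM-ISP term drop-spoofed-private then count spoofed-from-isp
set firewall family inet filter FROM-ISP term drop-spoofed-private then discard
set firewall family inet filter FROM-ISP term allow-rest then accept
```

Once committed, "show route 0.0.0.0/0" should show the static route via 203.0.113.1, "show vlans" should list the l3-interface for each routed VLAN, "show interfaces vlan terse" should show vlan.10/20/40/50 up, "show route summary" gives the route count to compare against the hardware limit, and "show firewall filter FROM-ISP" shows the spoofed-from-isp counter. The security trade-off the thread is making is explicit in this layout: tenant and portal traffic is routed in hardware with no session table, so the firewall's new-connections-per-second ceiling no longer applies to it, but the switch also performs no stateful inspection on that path. The FROM-ISP filter only removes obviously spoofed sources; each tenant's own VMware Edge appliance becomes the sole stateful boundary for that tenant, and the NetScaler and DMZ VLANs should get their own stateless filters on their RVIs if nothing else sits in front of them.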
