Channel: All Ethernet Switching posts

Re: SRX Switching vs. Cisco


Obviously the step up for the layer 3 traffic from the srx240 to the srx650 is big.  So there would be no issues there.

 

The difference will be with intra-VLAN traffic between hosts in the same subnet that is currently passing on your switch. Most switches these days are line rate or pretty close to it, so lots of host-to-host traffic is no problem. But a firewall runs a packet inspection process on everything, so the capacity is a lot lower than line rate. You will need to see if the specs on the srx650 will work for your intra-VLAN traffic.

 

https://www.juniper.net/us/en/local/pdf/datasheets/1000281-en.pdf

 


Re: SRX Switching vs. Cisco


Thanks for the prompt response.

 

Forgot to mention the switch in question is an older Cisco switch:

Switch Ports Model              SW Version    SW Image
------ ----- ------------------ ------------- --------------------
*    1 28    WS-C2970G-24TS-E   12.2(44)SE6   C2970-LANBASEK9-M

 

QUESTIONS:

1. What page should I be looking at in the PDF?

2. What exactly do you mean by intra-VLAN traffic?

3. Overall, what is your feeling regarding the SRX650 being the only solution?

Re: EX4550 lots of mac learning and delete within 2 sec


Hi

I've noticed the same on my VC EX4550 running Junos 15.1R5.5.

 

Mon Jan 29 02:02:42 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:02:52 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
Mon Jan 29 02:02:52 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:03:01 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
Mon Jan 29 02:03:01 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:03:03 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
Mon Jan 29 02:03:03 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:03:12 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
Mon Jan 29 02:03:12 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:03:22 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
Mon Jan 29 02:03:22 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:03:32 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
Mon Jan 29 02:03:32 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:03:42 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0

Re: EX4550 lots of mac learning and delete within 2 sec


Hi,

 

Did you solve this problem? I have the same on my EX4550 in VC.

Re: Where did these packets go?


Can you get the output of "show chassis hardware" command? Are there any chassis alarms currently active in "show chassis alarms"? Do you see errors in syslog messages?

 

Also, can you confirm whether this is the topology:

 

Ixia-1 <----> et-5/1/2 ---- et-5/1/5 <----> Ixia-2

 

How did you learn of the packet loss (apart from the show interfaces extensive command output)? Can you configure a traffic flow on Ixia-1 to send 1000 packets to Ixia-2 and see how many you receive?

 

If there are drops on ingress-side on et-5/1/2, we might be able to trace them, depending upon the hardware config.

 

 

Re: Where did these packets go?


The service-provider style configuration you are using for the interface bridge configuration may not work if you are not receiving tagged frames. If you configure an interface for tagging in the following manner, but receive untagged frames, those will be dropped and recorded in the "Input Packet Reject".

 

et-5/1/2 {
    vlan-tagging;
    encapsulation extended-vlan-bridge;
    unit 1600 {
        vlan-id 1600;
    }
}

 

"If non-tagged packets are entering an interface, which is configured with a VLAN, they will be dropped. To verify, examine the output of show interface <interface-name> extensive. All packets will be rejected and reflect in the filter statistics. However, the Input DA rejects and Input SA rejects counters will not increment. The L2 channel errors counter will also not increment. If L2 channel errors are incrementing, it indicates that the packets are tagged with a vlan-id, which is not configured on the interface."

 

From this KB article - 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB12923

 

For what you are trying to accomplish, consider using the following interface configuration:

 

interfaces {
    et-5/1/2 {
        flexible-vlan-tagging;
        native-vlan-id 1600;
        encapsulation flexible-ethernet-services;
        unit 1600 {
            encapsulation vlan-bridge;
        }
    }
    et-5/1/5 {
        flexible-vlan-tagging;
        native-vlan-id 1600;
        encapsulation flexible-ethernet-services;
        unit 1600 {
            encapsulation vlan-bridge;
            vlan-id 1600;
        }
    }
}

 

Let me know if this works and if you see "input packet reject".

 

Details on Input Packet Rejects -

 

Receive and Transmit statistics reported by the PIC's MAC address filter subsystem. The filtering is done by the content-addressable memory (CAM) on the PIC. The filter examines a packet's source and destination MAC addresses to determine whether the packet may enter the system or be rejected.

  • Input packet count—Number of packets received from the MAC hardware that the filter processed.
  • Input packet rejects—Number of packets that the filter rejected because of either the source MAC address or the destination MAC address.

 

When the show interfaces extensive command is executed on a router with an MPC or a T4000 Type 5 FPC, the Input packet rejects counter of the Filter statistics field also includes the following packet errors:

  • Invalid VLAN range
  • Tagged packet received on an untagged interface
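The reply above, together with the quoted KB text, gives a decision rule for reading the "Input packet rejects" counter: rejects rising while "Input DA rejects", "Input SA rejects" and "L2 channel errors" stay flat points to untagged frames on a VLAN-tagged interface, while rising "L2 channel errors" points to tagged frames carrying a vlan-id the interface does not have. The following Python script is an added example, not code from the thread or from Juniper; it applies that rule to two snapshots of "show interfaces extensive" taken before and after a known test burst (the 1000-packet Ixia flow suggested earlier in the thread). The snapshot text is constructed to resemble the Filter statistics and Input errors sections of that command and is not real device output.

```python
"""Added example (not from the thread or Juniper): classify a jump in
'Input packet rejects' with the KB12923 reasoning quoted above, using two
snapshots of 'show interfaces <name> extensive' around a known test burst.

Assumptions: the snapshot text is constructed to resemble the Filter
statistics and Input errors sections of that command; the counter labels
are the ones the KB text and the reply use."""
import re

# Counter name -> pattern in the 'extensive' output.
COUNTERS = {
    "input_packet_rejects": r"Input packet rejects\s+(\d+)",
    "input_da_rejects": r"Input DA rejects\s+(\d+)",
    "input_sa_rejects": r"Input SA rejects\s+(\d+)",
    "l2_channel_errors": r"L2 channel errors:\s*(\d+)",
}

# Constructed snapshots (not real device output): 1000 untagged test frames
# were sent between them.
BEFORE = """\
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Filter statistics:
    Input packet count                  4200
    Input packet rejects                   0
    Input DA rejects                       0
    Input SA rejects                       0
"""
AFTER = """\
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Filter statistics:
    Input packet count                  5200
    Input packet rejects                1000
    Input DA rejects                       0
    Input SA rejects                       0
"""


def parse_counters(text):
    """Extract the four counters; a counter missing from the text reads as 0."""
    out = {}
    for name, pat in COUNTERS.items():
        m = re.search(pat, text)
        out[name] = int(m.group(1)) if m else 0
    return out


def delta(before, after):
    """Per-counter increase between two snapshots."""
    return {k: after[k] - before[k] for k in COUNTERS}


def classify(d):
    """Apply the KB's decision rules to the counter deltas."""
    if d["l2_channel_errors"] > 0:
        # Tagged frames arrived carrying a vlan-id the interface does not have.
        return "tagged frames with a vlan-id not configured on the interface"
    if d["input_da_rejects"] > 0 or d["input_sa_rejects"] > 0:
        # The MAC address filter, not VLAN handling, refused the frames.
        return "frames rejected by source/destination MAC filtering"
    if d["input_packet_rejects"] > 0:
        # Rejects rose while DA/SA rejects and L2 channel errors stayed flat:
        # the KB's signature for untagged frames on a VLAN-tagged interface.
        return "untagged frames on a vlan-tagged interface"
    return "no filter-level drops between snapshots"


def triage(before_text, after_text, frames_sent):
    """Return (verdict, share of the test burst that was rejected)."""
    d = delta(parse_counters(before_text), parse_counters(after_text))
    share = d["input_packet_rejects"] / frames_sent if frames_sent else 0.0
    return classify(d), share


if __name__ == "__main__":
    verdict, share = triage(BEFORE, AFTER, 1000)
    print("%.0f%% of the test burst rejected: %s" % (share * 100, verdict))
```

Taking the two snapshots around a burst of known size is what turns the raw counter into evidence: the share of the burst that shows up as rejects tells you whether the loss seen on the Ixia is explained by the filter at all, and the delta of the other counters says which of the KB's causes applies.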

Re: SRX Switching vs. Cisco


As long as you keep all access ports in the SRX650 XPIM module, you should have line-rate switching performance within the same VLAN. Routing between different VLANs will obviously hit the CPU and therefore limit performance according to the datasheet.

 

There can be specific switching features like bpdu-guard and dhcp snooping which aren't supported on the XPIM module, so I suggest you read the release notes for the Junos version you intend to run to avoid any missing features.

 

Switching from the XPIM module to another module or to the onboard ports is not supported. These can only be routed.


Re: EX4550 lots of mac learning and delete within 2 sec


Thanks for the update.

In our situation, I believe it was related to some STP issue somewhere else in the network.

Just before the mac-addresses were dropped, we could see that "show spanning-tree bridge detail" updated the "time since last topology change" to 0 and increased "number of topology changes" by 1.

I guess an STP change could lead to the switch wanting to re-learn the mac-addresses...

But if the problem turns up again we will remember to look at this setting as well.
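The two EX4550 posts above (the learn/delete log excerpt and this reply blaming a spanning-tree topology change) describe a pattern that is easier to confirm from logs than by eye. The following Python script is an added example, not code from the thread or from Juniper: it parses log lines in exactly the format quoted earlier in the thread, reports addresses that are deleted and re-learned repeatedly inside a short window, and counts how many of those deletes fall within a few seconds of a topology change. The learn/delete lines are the ones quoted above; the topology-change timestamps are constructed sample data standing in for what "show spanning-tree bridge detail" reported, and are not from the thread.

```python
"""Added example (not from the forum thread): detect MAC learn/delete churn
in EX-series log lines of the quoted form and correlate the deletes with
spanning-tree topology changes, as the reply above suspected.

Assumptions: the log line format is exactly the quoted one; SAMPLE_TCN holds
constructed topology-change timestamps, not values from the thread."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"vlan_name (?P<vlan>\S+) mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"was (?P<event>learned|deleted) on (?P<ifl>\S+)$"
)

# The learn/delete lines quoted in the thread.
SAMPLE_LOG = """\
Mon Jan 29 02:02:42 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:02:52 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
Mon Jan 29 02:02:52 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:03:01 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
Mon Jan 29 02:03:01 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:03:03 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
Mon Jan 29 02:03:03 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:03:12 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
Mon Jan 29 02:03:12 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:03:22 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
Mon Jan 29 02:03:22 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:03:32 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
Mon Jan 29 02:03:32 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was deleted on ae11.0
Mon Jan 29 02:03:42 2018 vlan_name dedyki2 mac d2:0b:4f:d5:16:0e was learned on ae11.0
""".splitlines()

# Constructed: two topology-change timestamps, not taken from the thread.
SAMPLE_TCN = [datetime(2018, 1, 29, 2, 2, 41), datetime(2018, 1, 29, 2, 3, 0)]


def parse_line(line):
    """Return (timestamp, vlan, mac, event, ifl), or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["vlan"], m["mac"], m["event"], m["ifl"]


def churn_report(lines, window=timedelta(seconds=60), min_deletes=3):
    """Map (vlan, mac, ifl) -> largest number of deletes seen inside `window`.

    Only entries reaching `min_deletes` are reported; every delete of an
    entry that is immediately re-learned is one learn/delete cycle."""
    deletes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == "deleted":
            ts, vlan, mac, _, ifl = rec
            deletes[(vlan, mac, ifl)].append(ts)
    report = {}
    for key, stamps in deletes.items():
        stamps.sort()
        best = 0
        for i, start in enumerate(stamps):
            best = max(best, sum(1 for t in stamps[i:] if t - start <= window))
        if best >= min_deletes:
            report[key] = best
    return report


def correlate_with_tcn(lines, tcn_times, max_lag=timedelta(seconds=5)):
    """Return (deletes within `max_lag` after a topology change, total deletes)."""
    total = matched = 0
    for line in lines:
        rec = parse_line(line)
        if not rec or rec[3] != "deleted":
            continue
        total += 1
        if any(timedelta(0) <= rec[0] - tcn <= max_lag for tcn in tcn_times):
            matched += 1
    return matched, total


if __name__ == "__main__":
    for key, n in churn_report(SAMPLE_LOG).items():
        print("churning entry %s: %d deletes within 60 s" % (key, n))
    print("deletes within 5 s of a topology change: %d of %d"
          % correlate_with_tcn(SAMPLE_LOG, SAMPLE_TCN))
```

A high churn count on one address and one interface, with only some deletes lining up with topology changes, is the kind of result this sample gives: it supports looking at STP, as the reply suggests, without ruling out a second cause for the deletes that no topology change explains.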

Re: SRX Switching vs. Cisco


Hi

All branch firewalls can do a dual mode, which means they can be a transparent switch for some interfaces and a stateful L3 firewall for other interfaces; the connection between them is VLAN interfaces (the same as irb).

(Only on most versions you need to reboot after the first commit to switch mode.)

The layer 2 part consists of interfaces with family ethernet-switching and either trunk or access with different VLANs.

Each VLAN which should be reachable via other VLANs needs to have a vlan.## interface with a family inet... L3 configuration, and those interfaces need to be put into security zones and need a security policy in order to forward traffic.

So the layer 2 part is stateless and unfiltered, the intra-VLAN traffic is locally switched, and the L3 area is a normal firewall.

 

Without having exact performance data, the switch part in my experience is a normal Ethernet switch, with adequate wirespeed throughput, and does not at all affect the L3 firewall performance.

We used such a config in a smaller datacenter with 2 srx240 in a cluster (by the way, to have better redundancy, why not use 2 smaller SRX instead of one srx650?).

regards

 

alexander

Re: SRX Switching vs. Cisco


Sorry for not being clear. The solution moves traffic from the external switch to the SRX, so you need to be sure there is capacity for the volume of that traffic.

 

1. What page should I be looking at in the PDF?

The spec table at the end shows the maximum traffic that can be moved through the SRX. IMIX would be the number to check versus all the traffic on the current SRX plus the traffic locally switched on the switch.

 

2. What exactly do you mean by intra-VLAN traffic?

I mean traffic between two hosts that are in the same VLAN. This traffic today does not hit the SRX. In this new setup it will pass through the SRX, so it needs to be included in your capacity numbers.

 

3. Overall, what is your feeling regarding the SRX650 being the only solution?

There are pluses and minuses. I would consider it for a small office.

Plus: there is only one device to manage and power.

Minus: there will be lower capacity and fewer switching features, as others have mentioned. If you don't need these then it is not an issue at all.

Minus: one device failure takes down everything. As also mentioned above, cost-wise you might get two lower SRX and add redundancy instead of simplicity. Again, your preference on which is more important.

Minus: the SRX650 is end of sale, so it will lose support in a couple of years.

 

Re: QFX5100 and DHCP snooping


I tested the following config:


am> show configuration vlans                  
DATA {
    vlan-id 500;
    l3-interface irb.500;
    forwarding-options {
        dhcp-security {
            group TRUST {
                overrides {
                    trusted;
                }
                interface ge-0/0/20.0;
            }
            group UNTRUST {
                overrides {
                    ##
                    ## Warning: statement ignored: unsupported platform (qfx5100-48s-6q)
                    ##
                    untrusted;
                }
                interface ge-0/0/21.0;
            }
        }
    }
}

But this doesn't work either.

So I have an answer from JTAC: "The warning is self explanatory. It is not supported on QFX5100. This is a product limitation."

Re: Where did these packets go?


Hi,

The Input packet rejects counter of the Filter statistics field displays statistics related to the following packet errors:

  • Invalid VLAN range.
  • Tagged packet received on an untagged interface.

 

//BR

AD

Re: Where did these packets go?


If you send line-rate traffic (via flood) into, say, 2 x 10GE interfaces that both need to go out (egress) a single 10GE interface, you have 20GE into 10GE, which should produce 50% packet loss, no?

 

I see other responses are looking at probability of either untagged packets or invalid vlan traffic as part of your traffic flow.

Re: Where did these packets go?


pranavs, you are a godsend! This did the trick, thank you VERY much!

 

I noticed you missed a vlan tag id in the et-5/1/2 unit 1600 definition, but I figure that was a typo, let me know if not.


Re: Where did these packets go?


et-5/1/2 {
    flexible-vlan-tagging;
    native-vlan-id 1600;
    encapsulation flexible-ethernet-services;
    unit 1600 {
        vlan-id 1600;
        encapsulation vlan-bridge;
    }
}

 

Hi Zbrock,

 

That's correct, you may use vlan-id 1600 in the configuration statement.

 

Glad to know it worked, and thanks for the confirmation. 

 

Please consider marking the solution as accepted and giving a kudos if you think it helped.

Re: ex2200 default gateway


Simplified scheme in the attachment.
We are talking about switch2. Should I configure DHCP relay on switch2?

 

Juniper.png

Re: ex2200 default gateway


Switch1 is already doing DHCP relay, yes?

Why cascade relay on switch2? How about a trunk link between switch2 and switch1?

 

For instance:

PC DHCP/BOOTP => SW1 <Trunk> SW2 => DHCP SERVER

Re: ex2200 default gateway


"Switch1 is already doing DHCP relay, yes?"

Yes.

 

"Why cascade relay on switch2? How about a trunk link between switch2 and switch1?

For instance:

PC DHCP/BOOTP => SW1 <Trunk> SW2 => DHCP SERVER"

That is the network design: the DHCP server is at an outside location. The new switch is needed to connect new users. Of course there is a trunk link between switch1 and switch2.

Re: ex2200 default gateway


Okay, so relay on SW2 for the new users grabs the DHCP request and points it to the DHCP server IP.

SW1, which is L3, knows how to route towards the DHCP server IP and just does IP forwarding then.
