[j-nsp] EX 8200 deployment

Julien Goodwin jgoodwin at studio442.com.au
Sun Mar 21 03:08:33 EDT 2010


On 21/03/10 02:03, Richard A Steenbergen wrote:
> We just deployed our first EX8208 a few days ago, running 10.1R1. 
> Gotchas so far:
> 
> * Obviously this is a very different architecture from Juniper's normal 
> boxes, so be prepared for vlan space being shared across the entire box, 
> not on a per-interface basis.

So far, apart from the MX, I'm not aware of any Juniper gear that does
switching with multiple VLAN spaces.

> * In a move straight out of Foundry's playbook of how to fail at making
> a usable product, EX has no packet counters (cli or snmp) available for
> L3 vlan interfaces. It DOES have working counters if you do traditional 
> Juniper subinterface style vlans (interface blah, vlan-tagging, unit 123 
> vlan-id 123), but it does NOT work if you have to do RVI style (vlan 
> blah l3-interface vlan.123 and then put vlan blah in an ethernet 
> switching interface). Subinterface style is my preference anyways, so as 
> long as you only ever use vlans on point-to-point links this isn't a 
> problem, but the instant you need to put a VLAN on more than one port 
> you no longer get packet counters.

Thank you for doing the testing on this; I was assuming this was a bug,
as I'd thought they couldn't be *that* stupid.

To make things worse, counters for vlan.XXX are also only for the
traffic destined *to* the interface, not counting traffic routed *through* it.

> * Related to the issue above, you can't mix "subinterface style" and 
> "RVI style" vlans on the same trunk port. The instant you need to do 
> anything more than classic subinterface style vlans, you have to convert 
> everything on the trunk to vlan/rvi style. For example, where I might 
> otherwise be able to get away with doing interface xe-1/0/0 unit 123 
> vlan-id 123 family inet blah, if I want to trunk a layer 2 vlan on that 
> same interface I now have to convert unit 123 to RVI style. One possible 
> workaround I have yet to test is doing a CCC instead of a vlan, to keep 
> the subinterface style. This would only work with 2-port member vlans 
> though, and I have yet to test the implications for mixing tagged and 
> untagged ports on EX, so this may not actually work for anyone at all. 

Either way please post.

> * Firewall filters are still a bit of a mess. You can't count or log
> anything, you can't use policers on either control plane or egress
> filters (heck you can't even commit a firewall filter with a policer in
> it if applied as an output filter), you can't match frags, etc, etc.

Lack of outbound policers also makes it fairly useless in many roles
where enforcing max bandwidth on a WAN link is required (at least here
in Australia carriers complain if you actually dump 100Mbit of traffic
on a 100Mbit point-to-point link).

> * I don't know who thought 2GB of storage on an RE was sufficient, but 
> it isn't. The best idea I've come up with so far is to grab some small 
> USB flash devices like http://www.geckoandfly.com/tag/small-usb/ and 
> deploy them on every RE so you have a little bit of working space.

I've only just upgraded a bunch of stuff *to* 2GB, and don't have any
real space issues. I would very much appreciate it if Juniper would just
give us two externally accessible CF slots for storage and have that be it.

> Other than that we haven't found any fundamental flaws in the box yet
> (though that may change by the time MPLS features get implemented :P). 
> Plenty of bugs to be sure, DOM isn't working right on any of our
> interfaces, pfe statistics don't work right, monitor interface on vlans
> isn't displaying correctly, prior to 10.1 the FPCs crashed if you tried
> to speak BGP flowspec to the box, etc, but we have cases open on all of
> the above. IMHO it definitely has the potential to be a very good box in
> the long term, but whoever didn't think to put vlan counters into the
> hardware really screwed the pooch something fierce. :)

So the EX (4200) bits from my personal list:
* EX4200 - bootp relay doesn't work when configured inside a
routing-instance, but works when configured at the top level to use an instance
* The commands in
http://kb.juniper.net/index?page=content&id=KB13206&cat=JUNOS_EX&actp=LIST
don't exist in 9.5

I'm mostly on 10.0R2.10, but all our EXs are still 9.5.

-- 
Julien Goodwin
Studio442
"Blue Sky Solutioneering"
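For readers comparing the two VLAN styles discussed above, here is an added configuration example (not from either poster) showing the "subinterface style" that the thread says keeps counters beside the "RVI style" that does not, on the pre-ELS EX syntax of that era. The interface name xe-1/0/0, vlan name blah and vlan-id 123 come from the thread; the addresses are constructed placeholders.

```junos
/* Subinterface style: vlan-tagging on the port, one unit per vlan.
   Counters are reported per unit, but the vlan can only live on this port. */
interfaces {
    xe-1/0/0 {
        vlan-tagging;
        unit 123 {
            vlan-id 123;
            family inet {
                address 192.0.2.1/30;   /* constructed example address */
            }
        }
    }
}

/* RVI style: port is an ethernet-switching trunk, vlan "blah" is a
   box-wide L2 domain, and routing happens on the vlan.123 RVI.
   Per the thread, vlan.123 shows no usable packet counters on 10.1R1. */
interfaces {
    xe-1/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ blah ];
                }
            }
        }
    }
    vlan {
        unit 123 {
            family inet {
                address 198.51.100.1/24;   /* constructed example address */
            }
        }
    }
}
vlans {
    blah {
        vlan-id 123;
        l3-interface vlan.123;
    }
}

/* Operational check on each style after commit:
     show interfaces xe-1/0/0.123 statistics   (subinterface style)
     show interfaces vlan.123 statistics        (RVI style)
   Compare the input/output packet counts against a known traffic source
   before relying on either for billing or capacity graphs. */
```

Because the two styles cannot share a trunk, whichever one a port ends up on decides whether that port's routed VLAN traffic is visible to SNMP-based monitoring at all.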
