Discussion:
[j-nsp] Speed/Duplex Issue
Paul Stewart
2010-03-23 12:50:01 UTC
Hi folks...

We just cut in another couple of EX4200s into production overnight. These
are the first deployments that don't have pure GigE ports - several ports
are 100/full.

When I did the configuration I set the ether-options for 100/full ... most
of the ports are facing Cisco switches. All the ports that were hard coded
would not come up at all - the minute I removed the ether-options they came
up and appear to be ok.

Is this normal? Also, I'm wondering how you verify what duplex the port is
running at? Sorry for the basic question, but for the life of me I can't find
this in the output or the docs...;)

Paul
Mark Tinka
2010-03-24 04:36:36 UTC
Post by Paul Stewart
When I did the configuration I set the ether-options for
100/full ... most of the ports are facing Cisco
switches. All the ports that were hard coded would not
come up at all - the minute I removed the ether-options
they came up and appear to be ok.
Did you hard-code the speed/duplex setting on both the Juniper
and Cisco switches, or just the Junipers?

We've been happy with auto-nego'ing all connections, including
with upstreams. Life has been much easier going that route. I can't
remember the last time anything good came out of hard-coding these
settings, or when we last did that, for that matter.
Post by Paul Stewart
Is this normal? Also, I'm wondering how you verify what
duplex the port is running at? Sorry for basic question
but for the life of me I can't find this in the output
or the docs...;)
[edit]
test@lab# run show interfaces ge-0/1/3 | match Duplex
  Link-level type: Ethernet, MTU: 9014, Speed: 1000mbps, Duplex: Full-Duplex, MAC-REWRITE Error: None, Loopback: Disabled, Source
  filtering: Disabled, Flow control: Enabled
[edit]
test@lab#

The above is taken off an EX3200.

Cheers,

Mark.
Paul Stewart
2010-03-24 09:55:32 UTC
Post by Mark Tinka
Did you hard-code the speed/duplex setting on both the Juniper and Cisco
switches, or just the Junipers?
We've been happy with auto-nego'ing all connections, including with
upstreams. Life has been much easier going that route. I can't remember the
last time anything good came out of hard-coding these settings, or when we
last did that, for that matter.

The Ciscos (customer equipment) were already hard coded as per our
instructions at the time. Coming from the Cisco world we had a lot of
issues with auto-neg towards various makes/models of switch vendors.

Anyways, we're fixed now after understanding Juniper's approach to auto-neg
... thanks...;)

Paul
Ibariouen Khalid
2010-03-24 09:55:12 UTC
Hi all

Actually we are NATing around 11500 active internet users on an ISG-2000 with 4 public IP addresses.

As I understand it, the NAT is done per session, not per user.
Can you please tell me how to check if those IP addresses are enough or not?

BR/
Pavel Lunin
2010-03-24 21:06:15 UTC
Hi Ibariouen,

Enough in this case can mean different things. Enough for what?

Usually "not enough" means that each external IP generates too many
simultaneous and new (per second) sessions. This can trigger attack
defence mechanisms on popular sites, etc.

But "too many" is also not a clear definition, and it is harder to
justify.

You can check how many sessions each IP has as a source with the "get session
info" command. You see the total sessions, and dividing them by the number of IPs
you get the number of sessions per external IP. The same with new
sessions: issue "get perf session detail".

There is one tricky thing here. The values you get by dividing the total
number of [new] sessions by the number of external IPs can be either exact
or average.

If you do not use DIP stickiness (by default it is off), the sessions are
distributed uniformly over the pool: each new session is translated to the
next IP on a round-robin basis. If you do, then there is a dispersion, because
each internal IP is always hard-mapped to one external IP while it has
active sessions. In most situations people switch the stickiness on to get
multi-session services (like IKE without ALG or even FTP) to work properly.

You can check if the stickiness is on with the "get dip" command. If you see
"Port-xlated dip stickness on" in its output, then the numbers of sessions
per IP are averages, not exact. In this case you have to keep in mind that
the actual maximum of sessions per IP can be much higher than the average,
since there are more and less active users. The numbers of sessions
generated by them can differ tenfold and more.

I believe in your particular case you will receive tens of thousands of
simultaneous and at least early thousands of new sessions per external IP.
Believe me, it's TOO many. ICQ and others should definitely block your
users.

--
Regards,
Pavel

2010/3/24 Ibariouen Khalid <ibariouen.khalid at ericsson.com>
Post by Ibariouen Khalid
Hi all
Actually we are Nating around 11500 active internet users by a ISG-2000
with 4 public Ip addresses
As my understanding the NAT is done per session not per user.
Can you please tell me how to check if those ip addresses are enough or not ?
BR/
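Pavel's point about exact versus average per-IP counts, as an added worked example that is not from the thread or from any Juniper tool: it models a 4-address DIP pool with stickiness off (each new session takes the next pool IP) and on (each internal host keeps one external IP), over constructed per-host session counts, and reports the "total / number of IPs" figure next to the load the busiest IP actually carries. The pool addresses, host names and session counts are all constructed, and the rule that hosts are pinned round-robin in the order they first appear is an assumption.

```python
from collections import Counter
from itertools import cycle

# Constructed pool of 4 external IPs (documentation range, not real addresses).
POOL = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]

# Constructed per-host session counts (simultaneous or new-per-second, the
# arithmetic is the same): most hosts are light, one host is very busy.
HOST_SESSIONS = {f"h{i}": 5 for i in range(1, 13)}
HOST_SESSIONS["h9"] = 200


def per_ip_round_robin(host_sessions, pool):
    """Stickiness off: every new session, whatever its source, takes the
    next IP in the pool, so the per-IP count is (almost) exactly total/N."""
    counts = Counter({ip: 0 for ip in pool})
    nxt = cycle(pool)
    for n in host_sessions.values():
        for _ in range(n):
            counts[next(nxt)] += 1
    return counts


def per_ip_sticky(host_sessions, pool):
    """Stickiness on: a host keeps one external IP for all its sessions.
    Assumption: hosts are pinned round-robin in the order they first appear,
    so one heavy host drags its whole load onto a single pool IP."""
    counts = Counter({ip: 0 for ip in pool})
    nxt = cycle(pool)
    for n in host_sessions.values():
        counts[next(nxt)] += n
    return counts


def average_and_max(counts):
    """The 'total divided by number of IPs' figure beside the real peak."""
    total = sum(counts.values())
    return total / len(counts), max(counts.values())


if __name__ == "__main__":
    for name, fn in (("round-robin", per_ip_round_robin), ("sticky", per_ip_sticky)):
        avg, peak = average_and_max(fn(HOST_SESSIONS, POOL))
        print(f"{name:12s} avg/IP={avg:7.2f}  busiest IP={peak}")
```

With the same 255 sessions, round-robin puts at most 64 on any IP, while sticky mapping puts 210 on the IP that host h9 is pinned to, so the average of 63.75 says nothing about whether that one address is tripping rate defences.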