On 21/03/10 02:03, Richard A Steenbergen wrote:
> We just deployed our first EX8208 a few days ago, running 10.1R1.
> Gotchas so far:
>
> * Obviously this is a very different architecture from Juniper's normal
> boxes, so be prepared for vlan space being shared across the entire box,
> not a per-interface basis.

So far, apart from the MX I'm not aware of any Juniper gear that does switching with multiple VLAN spaces.

> * In a move straight out of Foundry's playbook of how to fail at making
> a useable product, EX has no packet counters (cli or snmp) available for
> L3 vlan interfaces. It DOES have working counters if you do traditional
> Juniper subinterface style vlans (interface blah, vlan-tagging, unit 123
> vlan-id 123), but it does NOT work if you have to do RVI style (vlan
> blah l3-interface vlan.123 and then put vlan blah in an ethernet
> switching interface). Subinterface style is my preference anyways, so as
> long as you only ever use vlans on point-to-point links this isn't a
> problem, but the instant you need to put a VLAN on more than one port
> you no longer get packet counters.

Thank you for doing the testing on this, I was assuming this was a bug as I'd thought they couldn't be *that* stupid. To make things worse counters for vlan.XXX traffic are also only the traffic destined *to* the interface, not counting traffic routed *through*.

> * Related to the issue above, you can't mix "subinterface style" and
> "RVI style" vlans on the same trunk port. The instant you need to do
> anything more than classic subinterface style vlans, you have to convert
> everything on the trunk to vlan/rvi style. For example, where I might
> otherwise be able to get away with doing interface xe-1/0/0 unit 123
> vlan-id 123 family inet blah, if I want to trunk a layer 2 vlan on that
> same interface I now have to convert unit 123 to RVI style. One possible
> workaround I have yet to test is doing a CCC instead of a vlan, to keep
> the subinterface style. This would only work with 2-port member vlans
> though, and I have yet to test the implications for mixing tagged and
> untagged ports on EX, so this may not actually work for anyone at all.

Either way please post.

> * Firewall filters are still a bit of a mess. You can't count or log
> anything, you can't use policers on either control plane or egress
> filters (heck you can't even commit a firewall filter with a policer in
> it if applied as an output filter), you can't match frags, etc, etc.

Lack of outbound policers also makes it fairly useless in many roles where enforcing max bandwidth on a WAN link is required (At least here in Australia carriers complain if you actually dump 100Mbit of traffic on a 100Mbit point-to-point link).

> * I don't know who thought 2GB of storage on an RE was sufficient, but
> it isn't. The best idea I've come up with so far is to grab some small
> USB flash devices like http://www.geckoandfly.com/tag/small-usb/ and
> deploy them on every RE so you have a little bit of working space.

I've only just upgraded a bunch of stuff *to* 2GB, and don't have any real space issues. I would very much appreciate if Juniper would just give us two, externally accessible CF slots for storage and have that be it.

> Other than that we haven't found any fundamental flaws in the box yet
> (though that may change by the time MPLS features get implemented :P).
> Plenty of bugs to be sure, DOM isn't working right on any of our
> interfaces, pfe statistics don't work right, monitor interface on vlans
> isn't displaying correctly, prior to 10.1 the FPCs crashed if you tried
> to speak BGP flowspec to the box, etc, but we have cases open on all of
> the above. IMHO it definitely has the potential to be a very good box in
> the long term, but whoever didn't think to put vlan counters into the
> hardware really screwed the pooch something fierce. :)

So the EX (4200) bits from my personal list:

* EX4200 - bootp relay doesn't work when configured inside a routing-instance, works when configured at top to use an instance
* The commands in http://kb.juniper.net/index?page=content&id=KB13206&cat=JUNOS_EX&actp=LIST don't exist in 9.5

I'm mostly on 10.0R2.10, but all our EX's are still 9.5.

--
Julien Goodwin
Studio442
"Blue Sky Solutioneering"
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp

