On Fri, 21 Oct 2022 at 16:39, Chuck Anderson <[email protected]> wrote:

> Also, it appears that when Junos was changed to support DHCP Snooping,
> Dynamic ARP Inspection, and IP Source Guard on trunk ports, even
> though trunk ports are in "trusted" mode by default, the switch is
> learning bindings on the trusted trunk ports (i.e. the uplink) and
> then *programming them into TCAM* at least for IPSG. If this is true,
> then Junos has created a situation where one cannot deploy IPSG
> effectively unless the switch can scale to the number of entries
> needed for an entire *VLAN* which may have thousands of hosts, rather
> than just the access ports on a single switch stack which would
> normally have only hundreds of hosts or less.

Thank you for the update, and it sounds plausible to me. Features that cause ingress TCAM consumption can quickly kill EX/QFX scale. It will be very challenging to run most of the EX/QFX devices in L3 role, due to the very modest TCAM. At least if there is any care at all in lo0 and edge filters.

--
  ++ytti
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp

