Screen OS

When I connect my perimeter SSG-520 to my ISP's Cisco gateway box I get 100Mbit up/down, but when I throw a switch between the two I get around 5Mbit up/down. I've tried two different switches, a ProCurve 24 port GigE and a Netgear test 8 port GigE and they both seem to do the same thing, could my SSG-520 be getting shaky or is there some other explanation? Here's the diagram:

The ProCurve has a VLAN set up, the Netgear is just a ProSafe 8 port unmanaged.

It's possible that you have a negociation issue with the switch.  Check to make sure that it is showing 100/full on both sides.

Okay, thanks, I'll take a look at that

I'm sort of new to Juniper ScreenOS CLI (though Linux CLI native). I *think* what I need to do is force the SSG eth0/0 to 1000 full non-auto? When I check it now, it says:

get int e0/0
     ...
     bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
     ...

But I don't really know if that's auto or not, so I tell myself I should set it, but not sure how to do non-auto. How should I set/check that, and how should I complete this command?

SSG520-> set int ethernet0/0 phy full ?
1000mb               1000Mbps
100mb                100Mbps
10mb                 10Mbps

Default is auto.  If you check the ouput of "get interface eth0/0, you should see something like

Interface ethernet0/0:
  description ethernet0/0
  number 0, if_info 0, if_index 0, mode route
  link up, phy-link up/full-duplex, admin status up

You can change it to manual by using the command "set interface <interface> phy <duplex> <speed>"

If you change it on one side, you need to change it on the other.

Okay, well I got:

SSG520-> get int e0/0
Interface ethernet0/0:
  description ethernet0/0
  number 0, if_info 0, if_index 0, mode route
  link up, phy-link up/full-duplex, admin status up

 The other side is my upstream ISP's Cisco 3400 fiber > electical box, which doesn't have an LED showing whether its 100, 1000 or 10, so if I set my to 1000M non-auto and there's is anything else, will it puke (I can't imagine their speed being set to non-auto <1000M)? I could call them and confirm I guess. I'm passing live traffic in production, so I want to be sure. Also, I'm wondering if Cisco and Juniper play nice together in this respect.

I plan to set mine as:

SSG520-> set int e0/0 phy full 1000mb

 and then re-insert my switch between the two boxes if that still works okay.

so I ran

set int e0/0 phy full 1000mb

 and it brought down the link, so I quick set it back to:

set int e0/0 phy auto

 and it came back up.

Along the way, I figured out that the reason my speed was dropping with the intermediate switch was because the SSG was dropping to 100M half-duplex for some reason. I also noticed that my provider's box seems to be running at 100M, not 1000M, which makes sense why the link dropped when I set the SSG to 1000M. I'm going to call the provider and ask them to set their port to 1000M, but I still don't know why the SSG went to half-duplex all of a sudden.

Edit: the provider confirmed their port was set to 100M and changed it to 1000M while I was logged into the SSG and changed my e0/0 to 1000M full and it worked!

Sounds like there might be a faulty interface.  The speeds are negociated between the two devices, so if you are seeing it change, that means the negociations are failing.

Yeah, weird. I just inserted my ProCurve GigE switch inline with the connection, and now both connections seem to be stable at 1000M and my speed seems to be sane. I'll continue to monitor, but thanks a lot @rseibert, I appreciate heading me in the right direction 🙂