[j-nsp] SRX hardware acceleration caveats
Per Granath
per.granath at gcc.com.cy
Tue Jun 19 08:09:44 EDT 2012
> > Even 'independent tests' from Cisco's friends do not argue that SRX3k
> > can do 20G+.
> >
> > http://www.cisco.com/en/US/prod/collateral/vpndevc/miercom_vs_juniper.pdf
> >
> > I am sorry for that sort of a link in such a respectful place :)
>
> I am sure the SRX3600 can do 22Gbps+. The question is not whether you can
> do 22Gbps+ using an SRX3k at all, instead the question is whether there
> exists a well-behaved unicast traffic profile which can force an
> SRX3600 which otherwise handles 20Gbps to only handle less than 10Gbps.
>
> I am asking this because a competing box I have experience with happens to
> have such limitations: IPv6 traffic and IPSEC passthrough do not get hardware
> offloaded, and CPU forwarding limits throughput to much less than we were
> hoping for from the specifications.
>
> So, can the SRX3k handle 10Gbps+ IPv6? 10Gbps+ IPSEC passthrough?
> 10Gbps+ SCTP? (ok 10Gbps+ SCTP is unlikely to happen in practice...)
For the record, the Miercom report is from tests without services offload - so that's without 'hardware offload'.
In general, with that 22Gbps on the SPC processing, the processing power could also be eaten up by IPSec termination and 'new connections per second' processing, or IPS, which would lower the amount of processing left for 'firewall' traffic.
No idea about how firewalling different types of traffic affects performance.
There are also the "screen options" which are mostly done in NPC - but some on SPC...