[j-nsp] SRX100 for dual 100M uplink routing network in packet mode.

Michel de Nostredame d.nostra at gmail.com
Wed Nov 28 02:08:04 EST 2012


On Tue, Nov 27, 2012 at 2:52 PM, 叶雨飞 <sunyucong at gmail.com> wrote:
> Hi,
> I currently have 2 100mbps uplink (about 50% bandwidth  utilization,
> 10kpps each), I am hoping to get a srx100 as the router, run it in
> packet mode for most traffic except some low traffic nat/ipsec
> management tunnels.
> Is that going to be enough? or should I aim for srx210 or higher?

>From the SPEC, SRX100 can runs Firewall+Routing at 64 Byte-Packet to
70Kpps. It should able to move your 10Kpps x 2 = 20Kpps traffics
around with no problem in packet-mode.

However, if NAT/IPsec are also needed, you will have to run the box in
flow-mode or selective-packet-mode for certain packets in flow-mode
and others in packet-mode.

Not sure if SRX100 can keeps the performance when doing things in
selective-packet-mode, but consider it is implemented by using ACL
(stateless firewall filter) on the inbound interfaces. Things sound
worth a try. LAB testing or POC won't hurt, right?

If you do able to perform some POC, please share the result to list :)

PS: I just got a SRX100 and am going to do some POC with
selective-packet-mode. Basically I want to route my traffic into GRE
tunnel in packet-mode and route GRE packet over IPsec to remote SSG
site in flow-mode because IPsec needs flow module. Hopefully this can
suppress my session-table usage to only one for two records. I hate
flow-mode JUNOS for a long long long time since J-series, but the SRX
prices are simply irresistible.

--
Michel~



More information about the juniper-nsp mailing list