[j-nsp] SRX100 for dual 100M uplink routing network in packet mode.

叶雨飞 sunyucong at gmail.com
Wed Nov 28 03:09:16 EST 2012


11.4 actually, sorry!

On Tue, Nov 27, 2012 at 11:56 PM, 叶雨飞 <sunyucong at gmail.com> wrote:
> Thx, I am mostly disappointed that their implementation of NAT/IPsec
> requires flow processing; it's totally unnecessary! I hate session
> tables too!
>
> Although I heard horrible things about boot time on lower-level SRX
> devices, it claims to need 5 minutes to boot up. How is yours? I'm
> mostly interested in boot time under 10.4 (JTAC-recommended version)
>
>
>
> On Tue, Nov 27, 2012 at 11:08 PM, Michel de Nostredame
> <d.nostra at gmail.com> wrote:
>> On Tue, Nov 27, 2012 at 2:52 PM, 叶雨飞 <sunyucong at gmail.com> wrote:
>>> Hi,
>>> I currently have 2 100 Mbps uplinks (about 50% bandwidth utilization,
>>> 10 kpps each). I am hoping to get an SRX100 as the router and run it in
>>> packet mode for most traffic, except some low-traffic NAT/IPsec
>>> management tunnels.
>>> Is that going to be enough? Or should I aim for an SRX210 or higher?
>>
>> From the spec, the SRX100 can run Firewall+Routing at 64-byte packets up
>> to 70 Kpps. It should be able to move your 10 Kpps x 2 = 20 Kpps of
>> traffic around with no problem in packet-mode.
>>
>> However, if NAT/IPsec are also needed, you will have to run the box in
>> flow-mode or selective-packet-mode for certain packets in flow-mode
>> and others in packet-mode.
>>
>> Not sure if the SRX100 can keep the performance when doing things in
>> selective-packet-mode, but consider that it is implemented by using an ACL
>> (stateless firewall filter) on the inbound interfaces. It sounds
>> worth a try. Lab testing or a POC won't hurt, right?
>>
>> If you are able to perform a POC, please share the result with the list :)
>>
>> PS: I just got a SRX100 and am going to do some POC with
>> selective-packet-mode. Basically I want to route my traffic into GRE
>> tunnel in packet-mode and route GRE packet over IPsec to remote SSG
>> site in flow-mode because IPsec needs flow module. Hopefully this can
>> suppress my session-table usage to only one or two records. I hate
>> flow-mode JUNOS for a long long long time since J-series, but the SRX
>> prices are simply irresistible.
>>
>> --
>> Michel~
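
An added sketch (not from either poster) of the selective packet-mode setup described above: stateless input filters mark everything as packet-mode except the IPsec management tunnel, which stays in flow mode. Interface names, filter names and addresses (192.0.2.1 as the local tunnel endpoint, 198.51.100.0/24 as the remote management prefix) are assumptions.

```junos
/* Constructed example: fe-0/0/0 = uplink, fe-0/0/1 = inside port. */
firewall {
    family inet {
        filter uplink-selective {
            /* IKE / NAT-T to the local endpoint: no packet-mode, stays in flow */
            term ike {
                from {
                    destination-address {
                        192.0.2.1/32;
                    }
                    protocol udp;
                    destination-port [ 500 4500 ];
                }
                then accept;
            }
            /* ESP to the local endpoint: stays in flow for decryption */
            term esp {
                from {
                    destination-address {
                        192.0.2.1/32;
                    }
                    protocol esp;
                }
                then accept;
            }
            /* Everything else bypasses the session table (implicit accept) */
            term everything-else {
                then packet-mode;
            }
        }
        filter inside-selective {
            /* Traffic headed into the tunnel must reach the flow module */
            term to-tunnel {
                from {
                    destination-address {
                        198.51.100.0/24;
                    }
                }
                then accept;
            }
            term everything-else {
                then packet-mode;
            }
        }
    }
}
interfaces {
    fe-0/0/0 { unit 0 { family inet { filter { input uplink-selective; } } } }
    fe-0/0/1 { unit 0 { family inet { filter { input inside-selective; } } } }
}
```

Traffic marked packet-mode skips zones, security policies and screens, so any filtering it needs has to be written as additional stateless terms ahead of `everything-else`. Prefixes that need NAT would also need their own `accept` terms so they stay in flow mode.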


