[j-nsp] SRX100 for dual 100M uplink routing network in packet mode.

Per Westerlund p1 at westerlund.se
Wed Nov 28 15:41:30 EST 2012


Our experience with performance-limited branch SRX systems lately has made us use the 1/3-rule. If you don't use more than 1/3 of the rated max of any one metric, the box will perform well and have some headroom for fluctuations.

Going above that, our boxes fill the logs with warnings that the FPC is working over 85% capacity all the time (all the way up to 99%, 100% is apparently not possible :-).

We mainly have experience with SRX240H, where 100 Mbit/s IPsec VPN is OK (rated max 300), and 500 Mbit/s firewalled/routed throughput is OK (1500 Mbit/s rated).

/Per

On 28 Nov 2012, at 08:08, Michel de Nostredame wrote:

> On Tue, Nov 27, 2012 at 2:52 PM, 叶雨飞 <sunyucong at gmail.com> wrote:
>> Hi,
>> I currently have 2 100mbps uplinks (about 50% bandwidth utilization,
>> 10kpps each), I am hoping to get a srx100 as the router, run it in
>> packet mode for most traffic except some low traffic nat/ipsec
>> management tunnels.
>> Is that going to be enough? or should I aim for srx210 or higher?
> 
> From the SPEC, SRX100 can run Firewall+Routing at 64 Byte-Packet to
> 70Kpps. It should be able to move your 10Kpps x 2 = 20Kpps traffic
> around with no problem in packet-mode.
> 
> However, if NAT/IPsec are also needed, you will have to run the box in
> flow-mode or selective-packet-mode for certain packets in flow-mode
> and others in packet-mode.
> 
> Not sure if SRX100 can keep the performance when doing things in
> selective-packet-mode, but consider it is implemented by using ACL
> (stateless firewall filter) on the inbound interfaces. Things sound
> worth a try. LAB testing or POC won't hurt, right?
> 
> If you are able to perform some POC, please share the result with the list :)
> 
> PS: I just got a SRX100 and am going to do some POC with
> selective-packet-mode. Basically I want to route my traffic into GRE
> tunnel in packet-mode and route GRE packet over IPsec to remote SSG
> site in flow-mode because IPsec needs flow module. Hopefully this can
> suppress my session-table usage to only one for two records. I hate
> flow-mode JUNOS for a long long long time since J-series, but the SRX
> prices are simply irresistible.
> 
> --
> Michel~
> 