[j-nsp] SRX1400 opinions

Pavel Lunin plunin at senetsy.ru
Sun Apr 28 15:30:44 EDT 2013


Hi James,

> So basically SRX1400 will do fine as BGP router + firewall?

Yes, it will, though using a stateful firewall as ASBR has implications:
traffic must go symmetrically, meaning forward and reverse flow of a given
session must always go through the same ASBR. In practice, it means that either
you have a single stateful ASBR (clustered for redundancy) or you'd better
build an external routing domain with dedicated routers. Rule of thumb: if
your AS has a single site with all external links terminated there — OK to
use a firewall, if you have 2+ sites with external links here and there —
you need routers.

A thing to consider about SRX1400 is its price/performance in comparison to
SRX650. If you look at the performance numbers, you'll see it differs not
as much as the price :) In terms of bps and concurrent sessions they are
of about the same capability. In terms of pps and cps SRX1400 is (IIRC) about
1.5 times more powerful. So in case of a limited budget, I would recommend
considering two SRX650 with clustering (if you wish, even active/active,
though I think it's no use for most cases) instead of a single SRX1400. In
this case you will also need additional interface cards (not that
expensive), as clustering consumes three ports on each node.

On the other hand, SRX1400 is a hardware box with dedicated hardware for
control and data plane, some screen options (way not all) are done in the
packet ASIC, etc. So for the DC environment SRX1400 can be a better choice,
especially if you are going to have more full BGP feeds in future and/or
serve cps-intensive or short-packet applications. So if two boxes fit your
budget, this might be a better way.
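
The symmetry requirement described in the message above, as an added example that is not part of the original post: a minimal Python model of stateful ASBRs, in which a reply arriving at a firewall that never saw the session's first packet is dropped. The class names, addresses and the "shared session table" stand-in for cluster session synchronisation are assumptions made for illustration.

```python
# Added illustration: why a stateful firewall used as an ASBR needs symmetric flows.
# All names (StatefulFirewall, asbr_a, ...) and addresses are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the packet that opens a session

    def key(self):
        # Direction-independent key: both directions map to one session entry.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})

@dataclass
class StatefulFirewall:
    name: str
    # Session table. Passing the same set to two nodes models a cluster that
    # synchronises session state (a simplification of real clustering).
    sessions: set = field(default_factory=set)

    def process(self, pkt, from_inside):
        if pkt.key() in self.sessions:
            return "forward"              # matches an existing session
        if from_inside and pkt.syn:
            self.sessions.add(pkt.key())  # policy: inside hosts may open sessions
            return "forward"
        return "drop"                     # no state for this flow on this box

def run(outbound_fw, return_fw):
    # Constructed flow: inside client opens a session, server replies.
    syn = Packet("192.0.2.10", 40000, "198.51.100.5", 443, syn=True)
    reply = Packet("198.51.100.5", 443, "192.0.2.10", 40000)
    return outbound_fw.process(syn, True), return_fw.process(reply, False)

def scenarios():
    # Two independent ASBRs; the reply comes back through the other one.
    asymmetric = run(StatefulFirewall("asbr_a"), StatefulFirewall("asbr_b"))
    # Single ASBR: both directions cross the same session table.
    single = StatefulFirewall("asbr")
    symmetric = run(single, single)
    # Clustered pair: two nodes, one synchronised session table.
    shared = set()
    clustered = run(StatefulFirewall("node0", shared), StatefulFirewall("node1", shared))
    return {"asymmetric": asymmetric, "symmetric": symmetric, "clustered": clustered}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: outbound={result[0]} return={result[1]}")
```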

