[j-nsp] SRX1400 opinions

James Howlett jim.howlett at outlook.com
Sun Apr 28 15:49:31 EDT 2013


Hi Paul,

Thank you very much for the clarification. I will have only one ASBR. As for redundancy, I'll go with a single 1400 unit and add a second in the future. Still, a single SRX1400 will probably be more stable than a single J6350.

On a side note - does Juniper plan to have a replacement for the J-series? Or should we switch to MX now?

Thanks again,
jim

From: plunin at senetsy.ru
Date: Sun, 28 Apr 2013 23:30:44 +0400
Subject: Re: [j-nsp] SRX1400 opinions
To: jim.howlett at outlook.com
CC: jjones at danrj.com; juniper-nsp at puck.nether.net


Hi James,


> So basically SRX1400 will do fine as BGP router + firewall?

Yes, it will, though using a stateful firewall as an ASBR has implications: traffic must go symmetrically, meaning the forward and reverse flows of a given session must always go through the same ASBR. In practice, it means that either you have a single stateful ASBR (clustered for redundancy) or you had better build an external routing domain with dedicated routers. Rule of thumb: if your AS has a single site with all external links terminated there — OK to use a firewall; if you have 2+ sites with external links here and there — you need routers.



A thing to consider about the SRX1400 is its price/performance in comparison to the SRX650. If you look at the performance numbers, you'll see they do not differ as much as the price :) In terms of bps and concurrent sessions they are of about the same capability. In terms of pps and cps the SRX1400 is (IIRC) about 1.5 times more powerful. So in case of a limited budget, I would recommend considering two SRX650s with clustering (if you wish, even active/active, though I think it's no use for most cases) instead of a single SRX1400. In this case you will also need additional interface cards (not that expensive), as clustering consumes three ports on each node.



On the other hand, the SRX1400 is a hardware box with dedicated hardware for the control and data planes, some screen options (by no means all) are done in the packet ASIC, etc. So for the DC environment the SRX1400 can be a better choice, especially if you are going to have more full BGP feeds in the future and/or serve cps-intensive or short-packet applications. So if two boxes fit your budget, this might be a better way.
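
The symmetry requirement discussed in the reply above, as an added example that is not part of the original thread: a minimal model of stateful session tracking showing why a reply arriving at a different, independent ASBR is dropped. The class, function names and addresses are constructed for illustration, and a cluster is simplified to two nodes sharing one session table.

```python
# Added illustration: minimal model of stateful session tracking on ASBRs.
# All names (Firewall, run_flow, the addresses) are constructed for this example.

class Firewall:
    """Stateful firewall: permits inbound packets only for known sessions."""

    def __init__(self, name, sessions=None):
        self.name = name
        # Assumption: a cluster is modelled by passing one shared table
        # to both nodes; a standalone box gets its own private table.
        self.sessions = sessions if sessions is not None else set()

    def outbound(self, src, sport, dst, dport):
        # An inside-to-outside packet creates the session entry.
        self.sessions.add((src, sport, dst, dport))
        return "permit"

    def inbound(self, src, sport, dst, dport):
        # An outside-to-inside packet must be the reverse of a known session.
        if (dst, dport, src, sport) in self.sessions:
            return "permit"
        return "drop"


def run_flow(egress, ingress):
    """Send a request out via `egress`, receive the reply via `ingress`."""
    client, server = ("192.0.2.10", 40000), ("198.51.100.5", 443)
    egress.outbound(*client, *server)
    return ingress.inbound(*server, *client)


def scenarios():
    single = Firewall("asbr1")
    site_a, site_b = Firewall("site-a"), Firewall("site-b")  # independent state
    shared = set()
    node0, node1 = Firewall("node0", shared), Firewall("node1", shared)
    return {
        "single_asbr": run_flow(single, single),
        "two_sites_asymmetric": run_flow(site_a, site_b),
        "cluster_asymmetric": run_flow(node0, node1),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```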


 		 	   		  

