[j-nsp] Maximum IPsec (st0) tunnels for SRX-series
Ben Dale
bdale at comlinx.com.au
Sun May 5 20:33:08 EDT 2013
As long as your tunnels don't breach the IPSEC Throughput numbers, you should be right™.
I have a few SRX240s out there with upwards of 500 tunnels on them, some dynamic routing (3 core sites only), and they're sitting at around 50% CPU. They're all running DPD with intervals of 10 and 3 (which I think is as low as you can go).
The scaling numbers I've seen for SRX1400s (for route-based VPNs) are the same as SRX3600s, and about double what the data sheet numbers currently show.
Ben
On 06/05/2013, at 10:02 AM, Dale Shaw <dale.shaw+j-nsp at gmail.com> wrote:
> Hi all,
>
> Just looking for some real-world experience with the maximum practical
> number of IPsec tunnel (st0) interfaces supported on SRX-series --
> everything from low end/branch up to high end.
>
> The data sheets say:
>
> SRX100: 128
> SRX110: 128
> SRX210: 256
> SRX220: 512
> SRX240: 1,000
> SRX550: 2,000
> SRX650: 3,000
> SRX1400: ?
> SRX3x00: 7,500
> SRX5x00: 15,000
>
> Those are some pretty hefty numbers as you move up the product family
> but as we all know, sometimes data sheets are pure fantasy, dreamt up
> by sales/marketing types after lavish and expensive liquid lunches.
>
> I just wanted to know if anyone's seen control planes turn into molten
> goop trying to wrangle, say, 100-150 tunnels.
>
> (I'm not worried about forwarding performance as all I'm looking at
> doing is fully-meshing an existing enterprise WAN where the SRX boxen
> are doing a great job shuffling packets (er, I mean flows) around.)
>
> cheers,
> Dale