[j-nsp] Maximum IPsec (st0) tunnels for SRX-series

Dale Shaw dale.shaw+j-nsp at gmail.com
Sun May 5 21:11:18 EDT 2013


Hi Ben,

On Mon, May 6, 2013 at 10:33 AM, Ben Dale <bdale at comlinx.com.au> wrote:
> As long as your tunnels don't breach the IPSEC Throughput numbers, you should be right™.
>
> I have a few SRX240s out there with upwards of 500 tunnels on them, some dynamic routing (3 core sites only), and they're sitting at around 50% CPU.  They're all running DPD with intervals of 10 and 3 (which I think is as low as you can go).

That's a good point. I'll want to run OSPF over all tunnels, so it's
not just IPsec/IKE that'll be wanting control plane resources.

The biggest branch SRX I've currently got with the most tunnels is a
pair of SRX650s with 40 tunnels each (all w/OSPF p2p adjacencies,
albeit with default timers). Control plane CPU sits steady at 20% all
day. An SRX240 with only 12 tunnels sits at 40% but I recall this
being "normal" due to some strange control plane utilisation metric
due to the way flowd works on these boxes.

Cheers,
Dale


