[j-nsp] Best device to fit for a project

Morgan McLean wrx230 at gmail.com
Wed Apr 2 01:01:44 EDT 2014


As already mentioned, run an SRX220 cluster (two devices) at each branch,
and then use something like an SRX1400 for the core. Could even run two of
them at the core in a cluster and be super fancy :).

Thanks,
Morgan


On Tue, Apr 1, 2014 at 3:40 PM, Ben Dale <bdale at comlinx.com.au> wrote:

> Check out AutoVPN as well:
>
>
> http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-autovpn-spoke-authentication-understanding.html
>
> It's hub-and-spoke (as opposed to full-mesh) and a little simpler than
> GDOI, but you do take the overhead of having to manage PKI across your
> fleet.
>
> Ben
>
> On 1 Apr 2014, at 6:17 pm, Per Westerlund <p1 at westerlund.se> wrote:
>
> > Another possibility is a cluster of units to take care of the dual PSU
> > requirement.
> >
> > For the low end you can mount 2 SRX100 in a 1U tray, and make them a
> > cluster. Will not handle 100Mbps IPsec, but will do 10 Mbps easily, perhaps
> > 50 Mbps depending on how you count and configure (50 bidir is actually 100
> > in processing power etc). None of the branch SRX have a crypto chip, all
> > IPsec is done in CPU, have to watch that.
> >
> > Clustered 220/240 would take care of dual PSU for 100 Mbps IPsec, but
> > unfortunately two boxes.
> >
> > I don't have pricing available and don't run any of these myself, but
> > what about a small MX5 (or similar) with service-card (MS-MIC) for the hub
> > site? It claims throughput of 9Gbps. Would that fit the bill instead of the
> > bigger SRX boxes?
> >
> > /Per
> >
> > PS: With plain IPsec, no internet tunnel requirement, and SRX
> > everywhere, you can use GDOI (Group VPN, Cisco: GET VPN), but unfortunately
> > that does not work with clusters. Can't have both right now, sorry. Saves
> > lots of problems managing pre-shared keys etc.
> >
> > 1 apr 2014 kl. 09:36 skrev Ben Dale <bdale at comlinx.com.au>:
> >
> >> SRX550 is pretty much your only option in the branch if you require
> >> dual power supply, but is in every other way overspecced (and thus priced)
> >> for the remainder of your branch requirements.  If you can do without the
> >> RPS, then I'd go with either an SRX220 or 240, which will easily handle the
> >> remainder of your requirements.
> >>
> >> Are you sure you want 7-10GBps of IPSEC?  I'm not sure what market
> >> you're in, but I don't imagine a 10Gbps WAN port is particularly cheap from
> >> your carrier (since you list price as being important).
> >>
> >> If you absolutely need this much crypto though, then you'll be looking
> >> at somewhere between an SRX650 and an SRX1400 plus appropriate 10G XPM/IOC.
> >>
> >> As for scalability - no issues - the 650 will support up to 3,000
> >> tunnels and the 1400 was good for about 15,000 last time I looked - it's
> >> probably gotten better since then.
> >>
> >> Ben
> >>
> >> On 1 Apr 2014, at 4:37 pm, R S <dim0sal at hotmail.com> wrote:
> >>
> >>> For a project (70 branch offices and 2 Headquarters connected in a
> >>> hub&spoke topology with IPSEC over MPLS among branch and HQ) I'm looking
> >>> for the best device which covers the following items:
> >>>
> >>> Branch:
> >>> Single device
> >>> At least two Ethernet interfaces (WAN/LAN)
> >>> Ipsec supporting 10-50-100 Mbs
> >>> Routing protocols such as BGP-OSPF
> >>> NAT
> >>> Redundant power supply (some site not but in principle I need it)
> >>>
> >>> HeadQuarter:
> >>> Single device with XE intf
> >>> At least two Ethernet interfaces (WAN/LAN)
> >>> IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
> >>> Routing protocols such as BGP-OSPF
> >>> NAT
> >>> Redundant power supply
> >>>
> >>> Firewall is not needed, MPLS will be run by the carrier, the
> >>> devices and IPSEC are on-top of MPLS.
> >>> I'm looking for the best solution in terms of scalability and price
> >>> (very important).
> >>>
> >>> Also any advice with experience for the decision is appreciated.
> >>>
> >>> Regards
> >>>
> >>> _______________________________________________
> >>> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/juniper-nsp

