[j-nsp] SRX performance

Brad Fleming bdflemin at gmail.com
Mon Dec 21 10:59:35 EST 2015


In our testing ~3 years ago, the SRX240H1 with RAM upgrade seemed to perform fine at 180Kpps total. After that point we started seeing jitter. At ~190Kpps we started seeing out-of-orders and even some completely dropped packets. Our test was using a single firewall policy passing traffic between two connected ports in different security zones. We connected a JDSU to each and inched traffic up. We used 64-byte packets so we could hammer the forwarding plane as hard as possible. As we increased the packet size we eventually ran out of port capacity, but the 180Kpps seemed to hold no matter the size of the packets.

As stated previously, performance will take a pretty big hit if your policy enacts any of the UTM or other advanced feature sets. We’ve never done any hard bench testing looking for absolute breakpoints on the more advanced features, but Juniper’s guidelines seem to be fairly accurate in that regard (in our experience). A/V and IPSec hit the branch boxes fairly hard while IPS and web filtering are a little more manageable.

If you go down the path of an SRX240 I’d suggest using the screen features and tuning it for your needs. It can really save the device from dealing with junk / attack traffic at higher levels. Can’t help you with a 100Gbps DDoS but can help deal with SYN floods and other junk.


> On Dec 20, 2015, at 8:16 AM, harbor235 <harbor235 at gmail.com> wrote:
> 
> Can anyone share real world SRX performance? I am looking at the SRX220
> or SRX240 for a small website ~150-200Mbps in a co-location environment.
> The performance charts state the SRX220 can do 300Mbps with a mix of
> traffic and up to 900Mbps with mostly large packet sizes.
> 
> 
> thanks in advance,
> 
> 
> Mike
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp


