[j-nsp] SRX performance

Payam Chychi pchychi at gmail.com
Tue Dec 22 12:10:05 EST 2015


Hi Mike,

Here is what I got so far, from the testing I had done in the past using 
the SRX240H: no issues with 800Mbps and 90K pps... also, no issues with 
300 Mbps and 150K pps.
I am not running it in Packet mode since I have no need to do so.

I am not doing any IDS/Anti-Virus/IPSEC.

As of last year, the 240H was updated with better hardware and more RAM, 
and you really notice the difference.

Hope this helps.
-Payam



On 2015-12-22, 8:14 AM, Stepan Kucherenko wrote:
>> Can anyone share real world SRX performance? I am looking at the SRX220
>> or SRX240 for a small website ~150-200Mbps in a co-location environment.
>> The performance charts state the SRX220 can do 300Mbps with a mix of
>> traffic and up to 900Mbps with mostly large packet sizes.
>
> SRX240 can give required bandwidth but it has no redundant power. 
> Anyway, I don't think it's a good idea, see below.
>
>> If you go down the path of an SRX240 I'd suggest using the
>> screen features and tuning it for your needs. It can really
>> save the device from dealing with junk / attack traffic at
>> higher levels. Can't help you with a 100Gbps DDoS but can
>> help deal with SYN floods and other junk.
>
> Um. No. It'll die under SYN flood even faster than a server would. 
> I've tested its screen options against SYN floods and it's pathetic, 
> especially compared to what a Linux box with synproxy can do. Not 
> surprising, SRX CPU is very slow compared to Xeons and it can't 
> offload everything.
>
> That "other junk" will probably kill it as well.
>
> Even 550/650 or "datacenter" models are not robust enough because 
> state exhaustion attacks are easy and cheap. Magic "screen" is far 
> from a panacea. Any stateful firewall in a datacenter is just a fragile 
> SPOF that will eventually keel over, taking your whole setup with it.
>
> With that said, SRX is a very nice box when it's used correctly. I 
> have lots of them in branch offices and some in datacenter, but I 
> wouldn't put it before servers expecting them to hold their ground 
> under attack. And I'm not bashing SRXes specifically, I'm talking 
> about any stateful firewall from any vendor, they all suck.
>
>
> Don't use stateful firewalls before servers. Ever. Grab an L3 switch 
> and do stateless filtering at ingress and filter everything else on 
> servers.
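The stateless ingress filtering recommended in the quoted reply, written out as an added Junos firewall-filter example for an L3 switch in front of the web servers; it is not from the thread or from Juniper. Assumed: the web prefix 192.0.2.0/24 (documentation range), the upstream-facing interface ge-0/0/0, and host firewalls on the servers handling everything the switch does not.

```junos
firewall {
    family inet {
        filter INGRESS-WEB {
            /* Count TCP SYNs (no ACK) for visibility, then keep evaluating.
               A stateless filter cannot proxy or validate handshakes, so
               this is detection telemetry, not SYN-flood protection. */
            term count-syn {
                from {
                    protocol tcp;
                    tcp-initial;
                }
                then {
                    count syn-in;
                    next term;
                }
            }
            /* Only the services the site actually offers reach the prefix. */
            term allow-web {
                from {
                    destination-address {
                        192.0.2.0/24;    /* assumed web server prefix */
                    }
                    protocol tcp;
                    destination-port [ http https ];
                }
                then accept;
            }
            /* Rate-limited echo-request so monitoring keeps working. */
            term allow-icmp-limited {
                from {
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    policer ICMP-1M;
                    accept;
                }
            }
            /* Everything else is dropped at line rate and counted. */
            term drop-rest {
                then {
                    count ingress-dropped;
                    discard;
                }
            }
        }
    }
    policer ICMP-1M {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input INGRESS-WEB;    /* applied at ingress from upstream */
                }
            }
        }
    }
}
```

Check the counters with `show firewall filter INGRESS-WEB`; a sharp rise in `syn-in` against flat `allow-web` traffic is the early sign of a SYN flood that the servers' own synproxy or host firewall then has to absorb.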


