[j-nsp] SRX performance

harbor235 harbor235 at gmail.com
Tue Dec 22 21:16:24 EST 2015


Great information, thanks for all the input.



Mike



On Tue, Dec 22, 2015 at 12:10 PM, Payam Chychi <pchychi at gmail.com> wrote:

> Hi Mike,
>
> Here is what I got so far, from the testing I had done in the past using
> the SRX240H, no issues with 800Mbps and 90K pps... also, no issues with 300
> Mbps and 150K pps.
> I am not running it in Packet mode since I have no need to do so.
>
> I am not doing any IDS/Anti-Virus/IPSEC.
>
> As of last year, the 240H was updated with better hardware and more RAM,
> really notice the difference.
>
> Hope this helps.
> -Payam
>
>
>
>
> On 2015-12-22, 8:14 AM, Stepan Kucherenko wrote:
>
>>> Can anyone share real world SRX performance? I am looking at the SRX220
>>> or SRX240 for a small website ~150-200Mbps in a co-location environment.
>>> The performance charts state the SRX220 can do 300Mbps with a mix of
>>> traffic and up to 900Mbps with mostly large packet sizes.
>>>
>>
>> SRX240 can give required bandwidth but it has no redundant power. Anyway,
>> I don't think it's a good idea, see below.
>>
>>> If you go down the path of an SRX240 I'd suggest using the
>>> screen features and tuning it for your needs. It can really
>>> save the device from dealing with junk / attack traffic at
>>> higher levels. Can't help you with a 100Gbps DDoS but can
>>> help deal with SYN floods and other junk.
>>
>> Um. No. It'll die under SYN flood even faster than a server would. I've
>> tested its screen options against SYN floods and it's pathetic, especially
>> compared to what a Linux box with synproxy can do. Not surprising, SRX CPU
>> is very slow compared to Xeons and it can't offload everything.
>>
>> That "other junk" will probably kill it as well.
>>
>> Even 550/650 or "datacenter" models are not robust enough because state
>> exhaustion attacks are easy and cheap. Magic "screen" is far from a
>> panacea. Any stateful firewall in datacenter is just a fragile SPOF that
>> will eventually keel over, taking your whole setup with it.
>>
>> With that said, SRX is a very nice box when it's used correctly. I have
>> lots of them in branch offices and some in datacenter, but I wouldn't put
>> it before servers expecting them to hold their ground under attack. And
>> I'm not bashing SRXes specifically, I'm talking about any stateful firewall
>> from any vendor, they all suck.
>>
>>
>> Don't use stateful firewalls before servers. Ever. Grab an L3 switch and
>> do stateless filtering at ingress and filter everything else on servers.
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
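Stepan's argument above is that a stateful firewall allocates a session entry for every SYN it sees, so its table fills under a flood of half-open connections, while a SYN proxy (Linux synproxy / SYN cookies) allocates nothing until a client returns a valid ACK. The simulation below is an added illustration and not part of this thread or of any vendor's code: it models both behaviours in Python with plain tuples standing in for packets (no sockets are opened, nothing is sent). The class names, the table capacity, the half-open timeout, the fixed demo secret and the TEST-NET addresses are all assumptions chosen for the demo; a real SYN-cookie implementation also encodes MSS and other TCP options in the cookie, which this toy omits.

```python
"""Toy model of state exhaustion: stateful session table vs. SYN-cookie proxy.
Constructed simulation only: "packets" are tuples, no network I/O happens."""
import hashlib
import hmac

# Fixed secret so the demo is reproducible; a real proxy uses a random,
# periodically rotated secret. (Constructed value.)
SECRET = b"constructed-demo-secret"
HALF_OPEN_TIMEOUT = 30.0   # seconds a SYN_RECV entry lives without an ACK (assumed)
COOKIE_SLOT = 60           # seconds per cookie time slot (assumed)


def syn_cookie(src, dst, slot):
    """32-bit cookie bound to the 4-tuple and a coarse time slot."""
    msg = f"{src[0]}:{src[1]}-{dst[0]}:{dst[1]}-{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class StatefulTable:
    """Naive stateful firewall: every SYN consumes a session slot immediately."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.sessions = {}  # flow -> (established, last_seen)

    def _expire(self, now):
        dead = [f for f, (est, seen) in self.sessions.items()
                if not est and now - seen > HALF_OPEN_TIMEOUT]
        for f in dead:
            del self.sessions[f]

    def on_syn(self, flow, now):
        self._expire(now)
        if flow in self.sessions:
            return "ALLOW"
        if len(self.sessions) >= self.capacity:
            return "DROP"   # table exhausted: legitimate clients are refused too
        self.sessions[flow] = (False, now)
        return "ALLOW"


class SynProxy:
    """SYN-cookie proxy: no state until the client proves it can complete the handshake."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.sessions = {}

    def on_syn(self, flow, now):
        src, dst = flow
        # Reply with a cookie as the ISN and keep nothing in the table.
        return "SYNACK", syn_cookie(src, dst, int(now // COOKIE_SLOT))

    def on_ack(self, flow, ack, now):
        src, dst = flow
        slot = int(now // COOKIE_SLOT)
        valid = {syn_cookie(src, dst, s) for s in (slot, slot - 1)}  # tolerate slot edge
        if (ack - 1) & 0xFFFFFFFF not in valid:
            return "DROP"   # forged or stale ACK; still no state consumed
        if len(self.sessions) >= self.capacity:
            return "DROP"
        self.sessions[flow] = (True, now)
        return "ALLOW"


def simulate(flood_syns, capacity):
    """Run the same half-open flood against both models and report what happens."""
    dst = ("203.0.113.10", 443)                     # TEST-NET-3, constructed
    legit = (("198.51.100.7", 51000), dst)          # TEST-NET-2, constructed
    now = 1000.0
    spoofed = [((f"10.0.{(i >> 8) & 255}.{i & 255}", 40000), dst)
               for i in range(flood_syns)]          # distinct sources, never ACK
    r = {}

    fw = StatefulTable(capacity)
    for flow in spoofed:
        fw.on_syn(flow, now)
    r["stateful_entries"] = len(fw.sessions)
    r["stateful_legit"] = fw.on_syn(legit, now)
    # Only once the flood stops do half-open entries age out and service returns.
    r["stateful_legit_after_timeout"] = fw.on_syn(legit, now + HALF_OPEN_TIMEOUT + 1)

    px = SynProxy(capacity)
    for flow in spoofed:
        px.on_syn(flow, now)
    r["proxy_entries_during_flood"] = len(px.sessions)
    _, isn = px.on_syn(legit, now)
    r["proxy_legit"] = px.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now + 0.05)
    r["proxy_entries_after"] = len(px.sessions)
    # A cookie issued to one source is useless to another: bound to the 4-tuple.
    other = (("192.0.2.9", 40000), dst)             # TEST-NET-1, constructed
    r["proxy_forged_ack"] = px.on_ack(other, (isn + 1) & 0xFFFFFFFF, now + 0.05)
    return r


if __name__ == "__main__":
    for k, v in simulate(5000, 1000).items():
        print(f"{k:32} {v}")
```

With 5000 spoofed SYNs against a 1000-entry table, the stateful model refuses the legitimate client until the flood stops and the half-open entries age out, whereas the proxy holds zero entries during the flood and admits exactly the one client that completes the handshake. This is the asymmetry behind the "stateless filtering at ingress, state only where it is cheap" advice above.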

