03-23-2011 08:46 AM
Hello. We have an offer from an Internet Provider for a 1Gbps SA-SH fiber and I want to make sure that a pair of SRX 240 1GB Gateways is up to it. Currently I am setting them up for high availability.
Would I need to implement load balancing? Currently we have an 80mbps fiber that averages around 60mbps and CPU load seems very low. I wonder how that will scale.
Thanks in advance.
03-23-2011 10:45 AM
The SRX240 is rated at 1.5 Gbps max throughput. Max throughput numbers are always advertised using full-sized packets to get maximum efficiency in testing (and so the marketing people have something to try and brag about).
In reality, your network is full of mixed packet sizes. If you look at the SRX Datasheet you can see the SRX240 is rated at 500 Mbps for mixed packet sizes (IMIX), this is a much more realistic throughput number.
Also keep in mind that firewalls are stateful devices, and throughput isn't the only number that matters. Be sure to look for max concurrent connections and the new connections per second (ramp-up rate) to see if the device can keep up with the types of traffic your network supports.
03-27-2011 03:24 AM
Indeed, the IMIX number is more realistic and personally I would even estimate it a little lower than that, just to be safe. It really depends on your expectations, do you want guaranteed performance or just bursts to higher throughput? The SRX240 will definitely become the bottleneck if the line is upgraded.
Also, if there are more networks connected to the SRX (like some DMZs), you also need to take the internal traffic into account when estimating the firewall throughput.
And don't forget, if you have a 1gbit fiber, that typically means you could get 1gbit/s download and 1gbit/s upload at the same time. No way the 240 can handle that much, even with large packets.
As to load-balancing across the nodes, I wouldn't do that. It really complicates the setup and what happens if 1 node fails? The other node won't be able to handle the combined throughput and everything will become extremely slow.
03-27-2011 12:13 PM
Thanks for everyone's reply. Currently our bandwidth use is around 60mbps download/30mbps upload. There's a lot of P2P involved that inflates this number and I'm struggling to take measures against it. We are serving around 200 offices and about 150 MPLS VPN points that mostly consume local traffic. The upgrade to the 1gbps will allow us to switch from SIP PRI to SIP trunking and we have some plans for occasional video streaming. Still, at no point can I imagine a line utilization over 200-300mbps either way.
Local routing is done by the routing engine of our core switch, an Extreme Networks Black Diamond 8080. The fiber from the ISP and the MPLS VPN end at the switch and the SRX only handles outbound traffic.
I am familiar with load balancing and the setup is not that scary. What are the reasons against it other than complication?
Many thanks and best regards.