SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX WAN Throughput

    Posted 10-28-2013 02:00

    Hi

     

    I am looking for an answer to the below basic question

    HOW MUCH WAN LINK BANDWIDTH A BRANCH SRX LIKE SRX220 OR SRX240 CAN SUPPORT..???

     

    I had been trying to get an answer to the same from many people, but had not been able to get any concrete reply.

     

    Some people I inquired from say that whatever is given in the datasheet about firewall throughput is correct. So in that sense, when I talk about SRX 220 or SRX240, will these firewalls be able to support 950Mbps of WAN Link termination and SRX240 will be able to terminate 1.8Gbps of WAN Link, or keeping it conservative, I can think of SRX220 supporting 300 Mbps of WAN Link (IMIX Throughput) and SRX240 Supporting 600Mbps of WAN termination (Again IMIX Throughput)...?????

     

    Second option can be of converting kpps throughput to mbps, which in SRX220 case should be 84.00538 mbps and in SRX240 case should be 134.4086 mbps based on rule of gbps to mpps conversion.

     

    Now, this again is complete throughput of the device.

     

    BUT WHAT IS RECOMMENDED WAN TERMINATION ON THE DEVICE..???

     

    In Cisco's documentation I found for a 2921 router they recommend 50 mbps of WAN Circuit speed and for 3945 they recommend 150 mbps of WAN circuit speed. Both the routers are higher than the Juniper compared models in respect to kpps.

     

    I do understand the difference in processing of packet in Juniper and Cisco, but there is no documented  recommendation from Juniper for SRX.

     

    So what should we consider for the WAN termination on SRX..????

     

    Thanks to everyone who will help me understand the puzzle!!!

     

    Nitin



  • 2.  RE: SRX WAN Throughput

    Posted 10-28-2013 14:59

    @nitin21 wrote:

     

    I am looking for an answer to the below basic question

    HOW MUCH WAN LINK BANDWIDTH A BRANCH SRX LIKE SRX220 OR SRX240 CAN SUPPORT..???

     

    I had been trying to get an answer to the same from many people, but had not been able to get any concrete reply.


    There is no "concrete reply" to this question.  There is no absolute answer, because there are too many variables.

     

    Whether it's WAN or LAN, the SRX datasheet lists aggregate throughput that the various devices can move.  It's nice that they give IMIX as well as MAX numbers, because IMIX is closer to real-world performance.  However, do not consider IMIX gospel, because no test can truly simulate all possible real-world scenarios.  It's a "rule of thumb" or approximation.

     


    Second option can be of converting kpps throughput to mbps, which in SRX220 case should be 84.00538 mbps and in SRX240 case should be 134.4086 mbps based on rule of gbps to mpps conversion.


    There is no "rule of gbps to mpps conversion."  Packet sizes are not constant, so how can you convert pps to bps when packet sizes are variable?

     


    In Cisco's documentation I found for a 2921 router they recommend 50 mbps of WAN Circuit speed and for 3945 they recommend 150 mbps of WAN circuit speed. Both the routers are higher than the Juniper compared models in respect to kpps.

     

    I do understand the difference in processing of packet in Juniper and Cisco, but there is no documented  recommendation from Juniper for SRX.

     

    So what should we consider for the WAN termination on SRX..????


    Cisco's recommendations for their platforms can't be compared directly to Juniper's product lines.

     

    However, a similar concept applies -- the more services you have enabled, the more processing must take place on every packet and therefore there is an effect on throughput.

     

    The ISR routers from Cisco are software/CPU devices, just like the branch SRX from Juniper.  If you start enabling NAT, IPsec, firewall, inspect, etc., the throughput is going to drop.  The "recommended" link speed from Cisco is based around services processing abilities.  The max kpps might be higher, but that's without services enabled.  The "recommended" circuit speed is with services enabled.

     

    The SRX datasheet lists the various devices' performance broken down by feature set.  Depending on which features you plan on using, you can look at the stated performance for the features and figure out the most applicable platform for your particular use case.

    A Juniper SE can help you determine the right product fit for your needs.



  • 3.  RE: SRX WAN Throughput

    Posted 10-29-2013 23:22

    Hi

     

    Understand that there are many permutations and combinations to be considered while deciding upon the WAN Link terminations on the router (SRX is going to be used as a secured Router only with, maybe, few services like NATTing), but still wish I can get an approximate WAN Bandwidth that we can terminate on the device.

     

    As per rule of mpps to gbps, I had seen many industry veterans use the rule, wherein 1gbps of throughput is considered for 1.488 mpps routing performance. Considering the same, I had calculated the throughputs.

     

    As per my previous experience, I had terminated 5 mbps of WAN Link on SRX 210 running on 10.4 with UTM enabled, but device performance got below par (Delay even during web browsing, etc was considerable). Considering the prior experience, I never advise for more than 4 mbps to be terminated on SRX210 running UTM services.

     

    Similarly I am looking for recommendations from various other experts for their experience and suggested WAN termination as per their experience.

     

    All the suggestions are welcome

     

    Thanks

    Nitin



  • 4.  RE: SRX WAN Throughput
    Best Answer

    Posted 10-31-2013 13:32

    @nitin21 wrote:

     

    As per rule of mpps to gbps, I had seen many industry veterans use the rule, wherein 1gbps of throughput is considered for 1.488 mpps routing performance. Considering the same, I had calculated the throughputs.


    This is not a rule -- this is a baseline calculation using minimum packet sizes to determine "wire speed" and does not tell nearly the entire story.

     

    Smaller packets require more processing overhead by a firewall / services router.  Thus, the larger the average packet size traversing the system, the more efficient the system will be, and the higher the throughput will be.

     

    This is why there are numerous metrics on the datasheet.  Large packets, IMIX, minimum packet size, etc.

     

    There is no steadfast absolute "rule" and thus you must apply some judgement and knowledge of your traffic patterns to get a realistic estimate.  You must also understand that the throughput of a firewall is based on significantly more factors than just packets per second and look beyond that number.

     


    @nitin21 wrote:

     

    As per my previous experience, I had terminated 5 mbps of WAN Link on SRX 210 running on 10.4 with UTM enabled, but device performance got below par (Delay even during web browsing, etc was considerable). Considering the prior experience, I never advise for more than 4 mbps to be terminated on SRX210 running UTM services.


    Did you ever open a JTAC case for this?  I would consider this abnormal and there must have been some contributing factors to the poor performance.  CPU exhausted?  Firewall low on memory?  Excessive fragmented packets?  Was everything running through AntiVirus?  AV is not fast, that's a fact of life.  JTAC could have helped diagnose the cause of the issue.

     

     


    @nitin21 wrote:

     

    Understand that there are many permutations and combinations to be considered while deciding upon the WAN Link terminations on the router (SRX is going to be used as a secured Router only with, maybe, few services like NATTing), but still wish I can get an approximate WAN Bandwidth that we can terminate on the device.


    I understand why you're focused on "WAN Performance" (because that's how Cisco gives their numbers on the small ISR platforms), but please understand that there is no distinction on the SRX on WAN throughput vs. other throughput.  Packets are packets.  Throughput is aggregate.  If the only services you're going to use are NAT and Firewall, the datasheet gives you the numbers you need to think about:

     

    Metric                                  SRX220      SRX240
    Firewall performance (large packets)    950 Mbps    1.8 Gbps
    Firewall performance (IMIX)             300 Mbps    600 Mbps
    Firewall + routing PPS (64 Byte)        125 Kpps    200 Kpps
    Firewall performance (HTTP)             350 Mbps    830 Mbps

     

    Based on that, if you're running "average" traffic through the devices (mixed packet sizes), you can estimate based on the IMIX numbers and I generally use a "fudge factor" of +/- 20%.  Again, these are estimates.  Not rules.

     

    If you're pushing nothing but minimum-sized packets through the devices, yes, performance is going to be abysmal.  Around 8Mbps for the 220 and around 12.8Mbps for the 240.  However, I'm going to guess you're not going to have that type of traffic pattern and if you are, you probably need specialized equipment.  So why fixate on this number if it's not applicable to your situation?

     

    Nobody here will be able to give you an absolute answer in the form of a strict number, and if they do, I'd be quite dubious of such an answer.  The information is there for you to make a reasonable decision based on your factors.  A Juniper SE or your friendly local VAR will be your best resource at this point to discuss your needs and assess the factors.



  • 5.  RE: SRX WAN Throughput

    Posted 10-31-2013 21:41

    Hi Keith

     

    Thanks for a very good explanation of every query I had.

     

    Just one last question: how have you arrived at the figures of 8 Mbps and 12.8 Mbps for 220 and 240 respectively?

     

    This might help me understand the whole puzzle.

     

    Thanks

      



  • 6.  RE: SRX WAN Throughput

    Posted 11-04-2013 11:42

    @nitin21 wrote:

     

    Just one last question: how have you arrived at the figures of 8 Mbps and 12.8 Mbps for 220 and 240 respectively?


     

    Sorry, I should have been more careful.. the "B" should be capitalized.  8MBps and 12.8MBps.

     

    I was simply making my point using "quick and dirty" calculations based on the Kpps throughput at minimum-sized (64 byte) packets.

     

    Just like my rough calculation, those numbers should not be taken as hard truth.  Which is the whole point I was trying to make.
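
Added example, not part of the thread and not Juniper material: a Python sketch that reconciles the pps-to-throughput figures quoted in the posts above (1.488 Mpps per Gbps, 84.005 Mbps, 8 MBps) from the datasheet's 64-byte Kpps numbers. The 20-byte per-frame wire overhead is standard Ethernet; the 1518-byte "large packet" size and all function names are assumptions made for illustration.

```python
# Added illustration; function names and the 1518-byte frame size are assumptions.
WIRE_OVERHEAD = 20  # bytes per frame on the wire: preamble+SFD (8) + inter-frame gap (12)

# "Firewall + routing PPS (64 Byte)" figures quoted in the thread.
PPS_64B = {"SRX220": 125_000, "SRX240": 200_000}

def line_rate_pps(link_bps, frame_bytes):
    """Maximum frames per second an Ethernet link can carry at one frame size."""
    return link_bps / ((frame_bytes + WIRE_OVERHEAD) * 8)

def frame_mbps(pps, frame_bytes):
    """Throughput counting frame bytes only, in Mbit/s."""
    return pps * frame_bytes * 8 / 1e6

def frame_mbytes(pps, frame_bytes):
    """Same quantity in MByte/s (the 'quick and dirty' figure in the last post)."""
    return pps * frame_bytes / 1e6

def wire_mbps(pps, frame_bytes):
    """Link capacity consumed once preamble and inter-frame gap are counted, in Mbit/s."""
    return pps * (frame_bytes + WIRE_OVERHEAD) * 8 / 1e6

def scaled_mbps(pps):
    """The '1 Gbps per 1.488 Mpps' scaling used in the question, in Mbit/s."""
    return pps / 1.488e6 * 1000

def report():
    rows = {}
    for model, pps in PPS_64B.items():
        rows[model] = {
            "scaled_mbps": round(scaled_mbps(pps), 5),     # figure from the question
            "wire_mbps_64": wire_mbps(pps, 64),            # nearly the same number
            "frame_mbps_64": frame_mbps(pps, 64),          # frame bytes only
            "frame_MBps_64": frame_mbytes(pps, 64),        # figure from the answer
            # Holding pps constant at 1518-byte frames (assumed size) overshoots the
            # datasheet's large-packet Mbps: pps is not the only limit on throughput.
            "const_pps_mbps_1518": frame_mbps(pps, 1518),
        }
    return rows

if __name__ == "__main__":
    print(f"1 Gbps at 64-byte frames: {line_rate_pps(1e9, 64):,.0f} pps")
    for model, row in report().items():
        print(model, row)
```

The 1.488 Mpps constant only holds for 64-byte frames, so the scaled figure describes minimum-size traffic and says nothing about mixed packet sizes.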