12-22-2009 02:24 PM
Does anybody know the actual port throughput on an SRX210? Recently I was doing some testing on a FastEthernet port with RFC 2544. It turned out that the throughput on the port was no more than 6 Mbps.
According to Juniper's documentation the maximum Firewall Performance of the device is 750 Mbps. So I was expecting better performance on the FE port.
Can anyone please advise?
Thanks a lot
12-22-2009 03:36 PM
Can you describe your test methodology more thoroughly? This is such a high variance to our own and third-party testing that I suspect there is an issue somewhere.
12-23-2009 12:09 PM
Let me explain our testing methodology:
We are using a FLUKE NETWORKS Metro Scope Service Provider Assistant as traffic injector on the fe-0/0/6 and a FLUKE NETWORKS LinkRunner DUO as Reflector on the fe-0/0/7 port. The latter is configured with the 192.168.10.0/30 subnet whereas the former has the 192.168.11.1/30. We inject variable length packets to the ports: 64, 128, 256, 512, 1024 and 1512 bytes. Only at a rate of 6Mbps did we have no packet loss.
We are thinking of using the SRX210 as CPE devices, but we can't afford such low performance.
Thanks a lot for your help.
12-23-2009 04:55 PM
Use the first 2 gigE ports for throughput measurement. Also, what configuration do you have on the device?
How many policies? Any UTM services enabled? Logging and counting enabled? All of these can affect the performance of the device.
The performance is measured by creating bidirectional UDP flows using the ports ge-0/0/0 and ge-0/0/1 and a single firewall policy.
12-23-2009 06:24 PM
I don't know about your testing methodologies. But I am posting this from a computer behind an srx-210 running 9.6r2. We have 6 policies from trust to untrust allowing web traffic and ftp in one rule and a couple of other allowed services in others. On the untrust to trust policies we allow some services going to static nat'd devices; other than that we have a default-deny rule. All policies are logged to local files and 3 corporate syslog servers, which I personally think is excessive. The first port ge-0/0/0 is connected to our 300mb metro line to the internet. Looking at my logs and bandwidth usage, we have anywhere between 120 and 200 mbps of constant throughput inbound, and about 40mbps of constant outbound traffic. I have yet to purchase a branch internet connection that these srx-210's would not have enough power to handle. They are simply amazingly fast. We replaced asa-5510 and checkpoint branch office products with them. In many cases we didn't even realize that those products were limiting the speed of our sites. In many of our sites we were getting 6-9mbps of throughput on our asa5510's; once we added the juniper the speeds went up to anywhere between 16-22mbps depending on our contracted speeds.
12-27-2009 11:43 AM
Hi Keith, John,
Our environment so far is only for testing purposes so we have clean policies, namely we are allowing any to any communications. We don't have any UTM configured. Since I've been working circa 1 year with NetScreen devices I'm aware of how powerful they are. The point here is that we never did UDP testing before and the poor results really amazed me.
Anyway, I'm attaching the config file so that you can see what's going on. It is a very straightforward test and I might be missing something, I just don't know what.
And again, they are planning to use the FE interfaces, we are doing the test there.
Thanks a lot for your help
12-27-2009 05:41 PM
I would try an MTU of 1500 on 100mbit ports. I don't even think the SRX supports an MTU that high on 100mbit ports (only gig).
As far as I can find in the documentation 9192 is a supported MTU for FE interfaces. However, I'm wondering if the "larger than normal" jumbo MTU could be causing problems as well. I'd be curious to see throughput at the default MTU of 1518 and at 9000.
12-27-2009 06:31 PM
Yeah the only reason I say this is because the data sheet shows that the SRX100 doesn't support Jumbo frames, yet the SRX210 does (so maybe only on gig ports?).
Not sure, it would be interesting to try anyway.
12-29-2009 08:24 PM
To add to the conversation, why do you have an MTU of 9192? This is not a common configuration for Internet-connected devices, since the probability is high that there would be a device in the path that would not support such large frame sizes, and that can result in fragmentation. Fragmentation can cause lots of problems on some devices since it takes more system resources to handle fragments. You can definitely see a performance hit with fragmentation on your network. Can you test with a standard MTU of 1514 instead and report your results? I suspect that with the standard 1514 MTU you will see much different results.