SRX Services Gateway
Contributor
khaled.kamal
Posts: 12
Registered: ‎01-13-2012

SRX3x00 card requirements

Hello all,

I am struggling a little bit here with determining the required cards for the SRX3x00 firewall.

Our needs are the following:

- 10Gbps firewall

- 3Gbps IPS

As far as I understand, the SPC card supports up to 10Gbps throughput, but shared between supporting firewall, IPS, VPN, and Application security. How can one determine the percentages that the SPC will give to each service?

Also, the NPC card supports 10Gbps throughput. Does that mean that if my requirements are, for example, 11Gbps firewall performance, I need at least 2xNPC cards in addition to the SPC cards? Is that correct?

Thanks

Khaled
Recognized Expert
ronf
Posts: 233
Registered: ‎04-04-2011

Re: SRX3x00 card requirements

For 10Gbps of firewall and 3Gbps of IPS, I would say you would need the following:

The correct combination of IOCs for your environment (1 x 2-port 10-gig IOC?)

1-2 x NPC (depending on the number of IOCs... you can only tie a single IOC to one NPC, so two may not benefit you unless you have multiple IOCs, or unless you use the onboard interfaces)

2-3 x SPC (depending on your packet size, and your IPS policies)

Ron

 

 

JNCIE-SEC #127
Super Contributor
tbehrens
Posts: 348
Registered: ‎04-30-2010

Re: SRX3x00 card requirements

>>Also, the NPC card supports 10Gbps throughput, does that mean that if my requirements are for example 11Gbps firewall performance

Yes, you'd need a 2nd NPC, and a 2nd IOC. Multiple IOCs can be bound to one NPC, but no more than one NPC can be bound to one IOC. That means even a 2x10G IOC will not scale beyond 10G total throughput.

3 SPCs will give you about 8Gb/s of IMIX throughput. AppSecure gives you about a 25% performance hit. The same 3 SPCs support about 4Gb/s of IDP. That's cumulative, of course. If your IDP throughput is part of your firewalled traffic, you don't need to "double-count" it. If it's 3Gb/s of IDP and then another 10Gb/s of firewall traffic on top of that, you're likely looking at a maxed-out 3600 with 7 SPCs, 2 NPCs and 2 IOCs. At which point a 5800 would offer much greater headroom, at a much greater price.

 

Recognized Expert
ronf
Posts: 233
Registered: ‎04-04-2011

Re: SRX3x00 card requirements

Nice summary by tbehrens. The big takeaway to me is that you cannot just add NPCs to increase throughput, as they can only be tied to a single IOC. SPCs, on the other hand, can be added to achieve an almost linear gain in service processing capability.

Ron

JNCIE-SEC #127