05-19-2012 10:58 AM
I am struggling a little bit here about determining the required cards for the SRX3x00 firewall.
Our needs are the following:
- 10Gbps firewall
- 3Gbps IPS
As far as I understand, the SPC card supports upto 10Gbps throughput but shared between supporting firewall, IPS, VPN, and Application security. How can one determine the %s that the SPC will give to each service?
Also, the NPC card supports 10Gbps throughput, will that means that if my requirments are for example 11Gbps firewall performance that means I need at least 2xNPC cards in addition to the SPC cards, is that correct?
05-21-2012 07:09 AM
For 10Gbps of firewall and 3Gbps of IPS, I would say you would need the following:
The correct combination of IOC's for your environment (1 x 2-port 10-gig IOC?)
1-2 x NPC (depending on the number of IOC's... you can only tie a single IOC to one NPC, so two may not benefit you unless you have multiple IOC's, or unless you use the onboard interfaces)
2-3 x SPC (depending on your packet-size, and your IPS policies)
05-21-2012 02:58 PM
>>Also, the NPC card supports 10Gbps throughput, will that means that if my requirments are for example 11Gbps firewall performance
Yes, you'd need a 2nd NPC, and a 2nd IOC. Multiple IOCs can be bound to one NPC, but no more than one NPC can be bound to one IOC. That means even a 2x10G IOC will not scale beyond 10G total throughput.
3 SPCs will give you about 8Gb/s of IMIX throughput. AppSecure gives you about a 25% performance hit. The same 3 SPCs support about 4Gb/s of IDP. That's cumulative, of course. If your IDP throughput is part of your firewalled traffic, you don't need to "double-count" it. If it's 3Gb/s of IDP and then another 10Gb/s of firewall traffic on top of that, you're likely looking at a maxed-out 3600 with 7SPCs, 2 NPCs and 2 IOCs. At which point a 5800 would offer much greater headroom, at a much greater price.
05-21-2012 05:41 PM
Nice summary by tbehrens. The big takeaway to me is that you cannot just add NPC's to increase throughput as they can only be tied to a single IOC. SPC's on the other hand can be added to achieve an almost linear gain in service processing capability.