11.4 actually, sorry!

On Tue, Nov 27, 2012 at 11:56 PM, 叶雨飞 <sunyuc...@gmail.com> wrote:
> Thx, I am mostly disappointed in their implementation of nat/ipsec
> requiring flow processing, it's totally unnecessary! I hate session
> tables too!
>
> Although I heard horrible things about boot time on lower level srx
> devices, it claims to need 5 minutes to boot up. How is yours? I'm
> mostly interested in boot time under 10.4 (JTAC recommended version)
>
> On Tue, Nov 27, 2012 at 11:08 PM, Michel de Nostredame
> <d.nos...@gmail.com> wrote:
>> On Tue, Nov 27, 2012 at 2:52 PM, 叶雨飞 <sunyuc...@gmail.com> wrote:
>>> Hi,
>>> I currently have 2 100mbps uplinks (about 50% bandwidth utilization,
>>> 10kpps each), I am hoping to get a srx100 as the router, run it in
>>> packet mode for most traffic except some low traffic nat/ipsec
>>> management tunnels.
>>> Is that going to be enough? Or should I aim for srx210 or higher?
>>
>> From the SPEC, SRX100 can run Firewall+Routing at 64 Byte-Packet to
>> 70Kpps. It should be able to move your 10Kpps x 2 = 20Kpps traffic
>> around with no problem in packet-mode.
>>
>> However, if NAT/IPsec are also needed, you will have to run the box in
>> flow-mode or selective-packet-mode for certain packets in flow-mode
>> and others in packet-mode.
>>
>> Not sure if SRX100 can keep the performance when doing things in
>> selective-packet-mode, but considering it is implemented by using ACL
>> (stateless firewall filter) on the inbound interfaces, things sound
>> worth a try. LAB testing or POC won't hurt, right?
>>
>> If you are able to perform some POC, please share the result to list :)
>>
>> PS: I just got an SRX100 and am going to do some POC with
>> selective-packet-mode. Basically I want to route my traffic into GRE
>> tunnel in packet-mode and route GRE packet over IPsec to remote SSG
>> site in flow-mode because IPsec needs flow module. Hopefully this can
>> suppress my session-table usage to only one or two records. I hate
>> flow-mode JUNOS for a long long long time since J-series, but the SRX
>> prices are simply irresistible.
>>
>> --
>> Michel~
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp