As long as your tunnels don't breach the IPSEC Throughput numbers, you should be right™.

I have a few SRX240s out there with upwards of 500 tunnels on them, some dynamic routing (3 core sites only), and they're sitting at around 50% CPU. They're all running DPD with intervals of 10 and 3 (which I think is as low as you can go). The scaling numbers I've seen for SRX1400s (for route-based VPNs) are the same as SRX3600s, and about double what the data sheet numbers currently show.

Ben

On 06/05/2013, at 10:02 AM, Dale Shaw <dale.shaw+j-...@gmail.com> wrote:

> Hi all,
>
> Just looking for some real-world experience with the maximum practical
> number of IPsec tunnel (st0) interfaces supported on SRX-series --
> everything from low end/branch up to high end.
>
> The data sheets say:
>
> SRX100: 128
> SRX110: 128
> SRX210: 256
> SRX220: 512
> SRX240: 1,000
> SRX550: 2,000
> SRX650: 3,000
> SRX1400: ?
> SRX3x00: 7,500
> SRX5x00: 15,000
>
> Those are some pretty hefty numbers as you move up the product family
> but as we all know, sometimes data sheets are pure fantasy, dreamt up
> by sales/marketing types after lavish and expensive liquid lunches.
>
> I just wanted to know if anyone's seen control planes turn into molten
> goop trying to wrangle, say, 100-150 tunnels.
>
> (I'm not worried about forwarding performance as all I'm looking at
> doing is fully-meshing an existing enterprise WAN where the SRX boxen
> are doing a great job shuffling packets (er, I mean flows) around.)
>
> cheers,
> Dale
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp