Hi Ben,

On Mon, May 6, 2013 at 10:33 AM, Ben Dale <bd...@comlinx.com.au> wrote:
> As long as your tunnels don't breach the IPSEC Throughput numbers, you should
> be right™.
>
> I have a few SRX240s out there with upwards of 500 tunnels on them, some
> dynamic routing (3 core sites only), and they're sitting at around 50% CPU.
> They're all running DPD with intervals of 10 and 3 (which I think is as low
> as you can go).

That's a good point. I'll want to run OSPF over all tunnels, so it's not just IPsec/IKE that'll be wanting control plane resources.

The biggest branch SRX I've currently got with the most tunnels is a pair of SRX650s with 40 tunnels each (all w/OSPF p2p adjacencies, albeit with default timers). Control plane CPU sits steady at 20% all day. An SRX240 with only 12 tunnels sits at 40% but I recall this being "normal" due to some strange control plane utilisation metric due to the way flowd works on these boxes.

Cheers,
Dale