Re: [j-nsp] Best device to fit for a project

2014-04-02 Thread Jared Mauch

On Apr 1, 2014, at 2:37 AM, R S  wrote:

> For a project (70 branch offices and 2 Headquarters connected in a hub&spoke 
> topology with IPSEC over MPLS among branch and HQ) I’m looking for the best 
> device which covers the following items:
> 
> Branch:
> Single device 
> At least two Ethernet interfaces (WAN/LAN)
> Ipsec supporting 10-50-100 Mbs
> Routing protocols such as BGP-OSPF
> NAT
> Redundant power supply (some site not but in principle I need it)
> 
> HeadQuarter:
> Single device with XE intf 
> At least two Ethernet interfaces (WAN/LAN)
> IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
> Routing protocols such as BGP-OSPF
> NAT
> Redundant power supply
> 
> Firewall is not needed, MPLS will be run by the carrier, the devices and 
> IPSEC are on top of MPLS.
> I’m looking for the best solution in terms of scalability and price (very 
> important).
> 
> Also any advice with experience for the decision is appreciated.

If you're not opposed to something "newer", you may want to look at the UBNT 
EdgeRouter devices.

They're basically a Linux box with Vyatta on it, with the ability to do OpenVPN.

Because of the CLI, etc., you can do automation/SDN against them.

They're also inexpensive and can support pluggable optics with the right "pro" 
model.  I know one person replacing their J2300 with this, and I similarly use 
one at home now.  

Supports BGP/OSPF without issue.

- Jared
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Best device to fit for a project

2014-04-01 Thread Per Granath
The smaller SRX100/SRX210 have external power supply, so you can always 
consider using a single SRX but install a spare power supply at each site.




Re: [j-nsp] Best device to fit for a project

2014-04-01 Thread Ben Dale
I've always felt that clusters in the branch aren't much of an advantage 
availability-wise when you only have a single WAN service.  You still have 
to have a way of delivering a single carrier port into two physical boxes, 
which generally involves more hardware (switches) to try and move the SPOF 
closer to the NTU for very little gain.

And if the branch is small enough that you're actually connecting devices 
directly to the SRX (say a 240), then you actually make things more complicated 
than they need to be.

Granted if you trust your branch staff to move a cable for you when node0 dies 
and it saves you a long drive, then it's probably worthwhile.

On 2 Apr 2014, at 3:01 pm, Morgan McLean <wrx...@gmail.com> wrote:

As already mentioned, run an SRX220 cluster (two devices) at each branch, and 
then use something like an SRX1400 for the core. Could even run two of them at 
the core in a cluster and be super fancy :).

Thanks,
Morgan


On Tue, Apr 1, 2014 at 3:40 PM, Ben Dale <bd...@comlinx.com.au> wrote:
Check out AutoVPN as well:

http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-autovpn-spoke-authentication-understanding.html

It's hub-and-spoke (as opposed to full-mesh) and a little simpler than GDOI, 
but you do take the overhead of having to manage PKI across your fleet.

Ben

On 1 Apr 2014, at 6:17 pm, Per Westerlund <p...@westerlund.se> wrote:

> Another possibility is a cluster of units to take care of the dual PSU 
> requirement.
>
> For the low end you can mount 2 SRX100 in a 1U tray, and make them a cluster. 
> Will not handle 100Mbps IPsec, but will do 10 Mbps easily, perhaps 50 Mbps 
> depending on how you count and configure (50 bidir is actually 100 in 
> processing power etc). None of the branch SRX have crypto chip, all IPsec is 
> done in CPU, have to watch that.
>
> Clustered 220/240 would take care of dual PSU for 100 Mbps IPsec, but 
> unfortunately two boxes.
>
> I don’t have pricing available and don’t run any of these myself, but what 
> about a small MX5 (or similar) with service-card (MS-MIC) for the hub site? 
> It claims throughput of 9Gbps. Would that fit the bill instead of the bigger 
> SRX boxes?
>
> /Per
>
> PS: With plain IPsec, no internet tunnel requirement, and SRX everywhere, you 
> can use GDOI (Group VPN, Cisco: GET VPN), but unfortunately that does not 
> work with clusters. Can’t have both right now, sorry. Saves lots of problems 
> managing pre-shared keys etc.
>
> On 1 Apr 2014, at 09:36, Ben Dale <bd...@comlinx.com.au> wrote:
>
>> SRX550 is pretty much your only option in the branch if you require dual 
>> power supply, but is in every other way overspecced (and thus priced) for 
>> the remainder of your branch requirements.  If you can do without the RPS, 
>> then I'd go with either an SRX220 or 240, which will easily handle the 
>> remainder of your requirements.
>>
>> Are you sure you want 7-10GBps of IPSEC?  I'm not sure what market you're 
>> in, but I don't imagine a 10Gbps WAN port is particularly cheap from your 
>> carrier (since you list price as being important).
>>
>> If you absolutely need this much crypto though, then you'll be looking at 
>> somewhere between an SRX650 and an SRX1400 plus appropriate 10G XPM/IOC.
>>
>> As for scalability - no issues - the 650 will support up to 3,000 tunnels 
>> and the 1400 was good for about 15,000 last time I looked - it's probably 
>> gotten better since then.
>>
>> Ben
>>
>> On 1 Apr 2014, at 4:37 pm, R S <dim0...@hotmail.com> wrote:
>>
>>> For a project (70 branch offices and 2 Headquarters connected in a 
>>> hub&spoke topology with IPSEC over MPLS among branch and HQ) I’m looking 
>>> for the best device which covers the following items:
>>>
>>> Branch:
>>> Single device
>>> At least two Ethernet interfaces (WAN/LAN)
>>> Ipsec supporting 10-50-100 Mbs
>>> Routing protocols such as BGP-OSPF
>>> NAT
>>> Redundant power supply (some site not but in principle I need it)
>>>
>>> HeadQuarter:
>>> Single device with XE intf
>>> At least two Ethernet interfaces (WAN/LAN)
>>> IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
>>> Routing protocols such as BGP-OSPF
>>> NAT
>>> Redundant power supply
>>>
>>> Firewall is not needed, MPLS will be run by the carrier, the devices and 
>>> IPSEC are on top of MPLS.
>>> I’m looking for the best solution in terms of scalability and price (very 
>>> important).
>>>
>>> Also any advice with experience for the decision is appreciated.
>>>
>>> Regards
>>>



Re: [j-nsp] Best device to fit for a project

2014-04-01 Thread Morgan McLean
As already mentioned, run an SRX220 cluster (two devices) at each branch,
and then use something like an SRX1400 for the core. Could even run two of
them at the core in a cluster and be super fancy :).

Thanks,
Morgan


On Tue, Apr 1, 2014 at 3:40 PM, Ben Dale  wrote:

> Check out AutoVPN as well:
>
>
> http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-autovpn-spoke-authentication-understanding.html
>
> It's hub-and-spoke (as opposed to full-mesh) and a little simpler than
> GDOI, but you do take the overhead of having to manage PKI across your
> fleet.
>
> Ben
>
> On 1 Apr 2014, at 6:17 pm, Per Westerlund  wrote:
>
> > Another possibility is a cluster of units to take care of the dual PSU
> requirement.
> >
> > For the low end you can mount 2 SRX100 in a 1U tray, and make them a
> cluster. Will not handle 100Mbps IPsec, but will do 10 Mbps easily, perhaps
> 50 Mbps depending on how you count and configure (50 bidir is actually 100
> in processing power etc). None of the branch SRX have crypto chip, all
> IPsec is done in CPU, have to watch that.
> >
> > Clustered 220/240 would take care of dual PSU for 100 Mbps IPsec, but
> unfortunately two boxes.
> >
> > I don't have pricing available and don't run any of these myself, but
> what about a small MX5 (or similar) with service-card (MS-MIC) for the hub
> site? It claims throughput of 9Gbps. Would that fit the bill instead of the
> bigger SRX boxes?
> >
> > /Per
> >
> > PS: With plain IPsec, no internet tunnel requirement, and SRX
> everywhere, you can use GDOI (Group VPN, Cisco: GET VPN), but unfortunately
> that does not work with clusters. Can't have both right now, sorry. Saves
> lots of problems managing pre-shared keys etc.
> >
> > On 1 Apr 2014, at 09:36, Ben Dale wrote:
> >
> >> SRX550 is pretty much your only option in the branch if you require
> dual power supply, but is in every other way overspecced (and thus priced)
> for the remainder of your branch requirements.  If you can do without the
> RPS, then I'd go with either an SRX220 or 240, which will easily handle the
> remainder of your requirements.
> >>
> >> Are you sure you want 7-10GBps of IPSEC?  I'm not sure what market
> you're in, but I don't imagine a 10Gbps WAN port is particularly cheap from
> your carrier (since you list price as being important).
> >>
> >> If you absolutely need this much crypto though, then you'll be looking
> at somewhere between an SRX650 and an SRX1400 plus appropriate 10G XPM/IOC.
> >>
> >> As for scalability - no issues - the 650 will support up to 3,000
> tunnels and the 1400 was good for about 15,000 last time I looked - it's
> probably gotten better since then.
> >>
> >> Ben
> >>
> >> On 1 Apr 2014, at 4:37 pm, R S  wrote:
> >>
> >>> For a project (70 branch offices and 2 Headquarters connected in a
> hub&spoke topology with IPSEC over MPLS among branch and HQ) I'm looking
> for the best device which covers the following items:
> >>>
> >>> Branch:
> >>> Single device
> >>> At least two Ethernet interfaces (WAN/LAN)
> >>> Ipsec supporting 10-50-100 Mbs
> >>> Routing protocols such as BGP-OSPF
> >>> NAT
> >>> Redundant power supply (some site not but in principle I need it)
> >>>
> >>> HeadQuarter:
> >>> Single device with XE intf
> >>> At least two Ethernet interfaces (WAN/LAN)
> >>> IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
> >>> Routing protocols such as BGP-OSPF
> >>> NAT
> >>> Redundant power supply
> >>>
> >>> Firewall is not needed, MPLS will be run by the carrier, the
> devices and IPSEC are on top of MPLS.
> >>> I'm looking for the best solution in terms of scalability and price
> (very important).
> >>>
> >>> Also any advice with experience for the decision is appreciated.
> >>>
> >>> Regards
> >>>


Re: [j-nsp] Best device to fit for a project

2014-04-01 Thread Ben Dale
Check out AutoVPN as well:

http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-autovpn-spoke-authentication-understanding.html

It's hub-and-spoke (as opposed to full-mesh) and a little simpler than GDOI, 
but you do take the overhead of having to manage PKI across your fleet.

Ben

On 1 Apr 2014, at 6:17 pm, Per Westerlund  wrote:

> Another possibility is a cluster of units to take care of the dual PSU 
> requirement.
> 
> For the low end you can mount 2 SRX100 in a 1U tray, and make them a cluster. 
> Will not handle 100Mbps IPsec, but will do 10 Mbps easily, perhaps 50 Mbps 
> depending on how you count and configure (50 bidir is actually 100 in 
> processing power etc). None of the branch SRX have crypto chip, all IPsec is 
> done in CPU, have to watch that.
> 
> Clustered 220/240 would take care of dual PSU for 100 Mbps IPsec, but 
> unfortunately two boxes.
> 
> I don’t have pricing available and don’t run any of these myself, but what 
> about a small MX5 (or similar) with service-card (MS-MIC) for the hub site? 
> It claims throughput of 9Gbps. Would that fit the bill instead of the bigger 
> SRX boxes?
> 
> /Per
> 
> PS: With plain IPsec, no internet tunnel requirement, and SRX everywhere, you 
> can use GDOI (Group VPN, Cisco: GET VPN), but unfortunately that does not 
> work with clusters. Can’t have both right now, sorry. Saves lots of problems 
> managing pre-shared keys etc.
> 
> On 1 Apr 2014, at 09:36, Ben Dale wrote:
> 
>> SRX550 is pretty much your only option in the branch if you require dual 
>> power supply, but is in every other way overspecced (and thus priced) for 
>> the remainder of your branch requirements.  If you can do without the RPS, 
>> then I'd go with either an SRX220 or 240, which will easily handle the 
>> remainder of your requirements.
>> 
>> Are you sure you want 7-10GBps of IPSEC?  I'm not sure what market you're 
>> in, but I don't imagine a 10Gbps WAN port is particularly cheap from your 
>> carrier (since you list price as being important).  
>> 
>> If you absolutely need this much crypto though, then you'll be looking at 
>> somewhere between an SRX650 and an SRX1400 plus appropriate 10G XPM/IOC.
>> 
>> As for scalability - no issues - the 650 will support up to 3,000 tunnels 
>> and the 1400 was good for about 15,000 last time I looked - it's probably 
>> gotten better since then.
>> 
>> Ben
>> 
>> On 1 Apr 2014, at 4:37 pm, R S  wrote:
>> 
>>> For a project (70 branch offices and 2 Headquarters connected in a 
>>> hub&spoke topology with IPSEC over MPLS among branch and HQ) I’m looking 
>>> for the best device which covers the following items:
>>> 
>>> Branch:
>>> Single device 
>>> At least two Ethernet interfaces (WAN/LAN)
>>> Ipsec supporting 10-50-100 Mbs
>>> Routing protocols such as BGP-OSPF
>>> NAT
>>> Redundant power supply (some site not but in principle I need it)
>>> 
>>> HeadQuarter:
>>> Single device with XE intf 
>>> At least two Ethernet interfaces (WAN/LAN)
>>> IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
>>> Routing protocols such as BGP-OSPF
>>> NAT
>>> Redundant power supply
>>> 
>>> Firewall is not needed, MPLS will be run by the carrier, the devices and 
>>> IPSEC are on top of MPLS.
>>> I’m looking for the best solution in terms of scalability and price (very 
>>> important).
>>> 
>>> Also any advice with experience for the decision is appreciated.
>>> 
>>> Regards
>>>   


Re: [j-nsp] Best device to fit for a project

2014-04-01 Thread R S
2 x SRX1k or 2k could be a good idea but it's not what I was asked for... I'll 
try a poll

from the price list seems cheaper SRX6k or SRX14k than MX5...

GDOI works just with a single box?

and what about SSG?

regards

> Subject: Re: [j-nsp] Best device to fit for a project
> From: p...@westerlund.se
> Date: Tue, 1 Apr 2014 10:17:00 +0200
> CC: juniper-nsp@puck.nether.net; bd...@comlinx.com.au
> To: dim0...@hotmail.com
> 
> Another possibility is a cluster of units to take care of the dual PSU 
> requirement.
> 
> For the low end you can mount 2 SRX100 in a 1U tray, and make them a cluster. 
> Will not handle 100Mbps IPsec, but will do 10 Mbps easily, perhaps 50 Mbps 
> depending on how you count and configure (50 bidir is actually 100 in 
> processing power etc). None of the branch SRX have crypto chip, all IPsec is 
> done in CPU, have to watch that.
> 
> Clustered 220/240 would take care of dual PSU for 100 Mbps IPsec, but 
> unfortunately two boxes.
> 
> I don’t have pricing available and don’t run any of these myself, but what 
> about a small MX5 (or similar) with service-card (MS-MIC) for the hub site? 
> It claims throughput of 9Gbps. Would that fit the bill instead of the bigger 
> SRX boxes?
> 
> /Per
> 
> PS: With plain IPsec, no internet tunnel requirement, and SRX everywhere, you 
> can use GDOI (Group VPN, Cisco: GET VPN), but unfortunately that does not 
> work with clusters. Can’t have both right now, sorry. Saves lots of problems 
> managing pre-shared keys etc.
> 
> On 1 Apr 2014, at 09:36, Ben Dale wrote:
> 
> > SRX550 is pretty much your only option in the branch if you require dual 
> > power supply, but is in every other way overspecced (and thus priced) for 
> > the remainder of your branch requirements.  If you can do without the RPS, 
> > then I'd go with either an SRX220 or 240, which will easily handle the 
> > remainder of your requirements.
> > 
> > Are you sure you want 7-10GBps of IPSEC?  I'm not sure what market you're 
> > in, but I don't imagine a 10Gbps WAN port is particularly cheap from your 
> > carrier (since you list price as being important).  
> > 
> > If you absolutely need this much crypto though, then you'll be looking at 
> > somewhere between an SRX650 and an SRX1400 plus appropriate 10G XPM/IOC.
> > 
> > As for scalability - no issues - the 650 will support up to 3,000 tunnels 
> > and the 1400 was good for about 15,000 last time I looked - it's probably 
> > gotten better since then.
> > 
> > Ben
> > 
> > On 1 Apr 2014, at 4:37 pm, R S  wrote:
> > 
> >> For a project (70 branch offices and 2 Headquarters connected in a 
> >> hub&spoke topology with IPSEC over MPLS among branch and HQ) I’m looking 
> >> for the best device which covers the following items:
> >> 
> >> Branch:
> >> Single device 
> >> At least two Ethernet interfaces (WAN/LAN)
> >> Ipsec supporting 10-50-100 Mbs
> >> Routing protocols such as BGP-OSPF
> >> NAT
> >> Redundant power supply (some site not but in principle I need it)
> >> 
> >> HeadQuarter:
> >> Single device with XE intf 
> >> At least two Ethernet interfaces (WAN/LAN)
> >> IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
> >> Routing protocols such as BGP-OSPF
> >> NAT
> >> Redundant power supply
> >> 
> >> Firewall is not needed, MPLS will be run by the carrier, the devices 
> >> and IPSEC are on top of MPLS.
> >> I’m looking for the best solution in terms of scalability and price (very 
> >> important).
> >> 
> >> Also any advice with experience for the decision is appreciated.
> >> 
> >> Regards
> >>  


Re: [j-nsp] Best device to fit for a project

2014-04-01 Thread R S
the hub has to support the sum of all the branches, hence definitely more than 
1 Gbs...
you've arrived at my same conclusion, I had a look at MX but it's a bit more 
expensive...

tks

> From: bd...@comlinx.com.au
> To: dim0...@hotmail.com
> CC: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Best device to fit for a project
> Date: Tue, 1 Apr 2014 07:36:37 +
> 
> SRX550 is pretty much your only option in the branch if you require dual 
> power supply, but is in every other way overspecced (and thus priced) for the 
> remainder of your branch requirements.  If you can do without the RPS, then 
> I'd go with either an SRX220 or 240, which will easily handle the remainder 
> of your requirements.
> 
> Are you sure you want 7-10GBps of IPSEC?  I'm not sure what market you're in, 
> but I don't imagine a 10Gbps WAN port is particularly cheap from your carrier 
> (since you list price as being important).  
> 
> If you absolutely need this much crypto though, then you'll be looking at 
> somewhere between an SRX650 and an SRX1400 plus appropriate 10G XPM/IOC.
> 
> As for scalability - no issues - the 650 will support up to 3,000 tunnels and 
> the 1400 was good for about 15,000 last time I looked - it's probably gotten 
> better since then.
> 
> Ben
> 
> On 1 Apr 2014, at 4:37 pm, R S  wrote:
> 
> > For a project (70 branch offices and 2 Headquarters connected in a 
> > hub&spoke topology with IPSEC over MPLS among branch and HQ) I’m looking 
> > for the best device which covers the following items:
> > 
> > Branch:
> > Single device 
> > At least two Ethernet interfaces (WAN/LAN)
> > Ipsec supporting 10-50-100 Mbs
> > Routing protocols such as BGP-OSPF
> > NAT
> > Redundant power supply (some site not but in principle I need it)
> > 
> > HeadQuarter:
> > Single device with XE intf 
> > At least two Ethernet interfaces (WAN/LAN)
> > IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
> > Routing protocols such as BGP-OSPF
> > NAT
> > Redundant power supply
> > 
> > Firewall is not needed, MPLS will be run by the carrier, the devices and 
> > IPSEC are on top of MPLS.
> > I’m looking for the best solution in terms of scalability and price (very 
> > important).
> > 
> > Also any advice with experience for the decision is appreciated.
> > 
> > Regards
> >   


Re: [j-nsp] Best device to fit for a project

2014-04-01 Thread Per Westerlund
Another possibility is a cluster of units to take care of the dual PSU 
requirement.

For the low end you can mount 2 SRX100 in a 1U tray, and make them a cluster. 
Will not handle 100Mbps IPsec, but will do 10 Mbps easily, perhaps 50 Mbps 
depending on how you count and configure (50 bidir is actually 100 in 
processing power etc). None of the branch SRX have crypto chip, all IPsec is 
done in CPU, have to watch that.

Clustered 220/240 would take care of dual PSU for 100 Mbps IPsec, but 
unfortunately two boxes.

I don’t have pricing available and don’t run any of these myself, but what 
about a small MX5 (or similar) with service-card (MS-MIC) for the hub site? It 
claims throughput of 9Gbps. Would that fit the bill instead of the bigger SRX 
boxes?

/Per

PS: With plain IPsec, no internet tunnel requirement, and SRX everywhere, you 
can use GDOI (Group VPN, Cisco: GET VPN), but unfortunately that does not work 
with clusters. Can’t have both right now, sorry. Saves lots of problems 
managing pre-shared keys etc.

On 1 Apr 2014, at 09:36, Ben Dale wrote:

> SRX550 is pretty much your only option in the branch if you require dual 
> power supply, but is in every other way overspecced (and thus priced) for the 
> remainder of your branch requirements.  If you can do without the RPS, then 
> I'd go with either an SRX220 or 240, which will easily handle the remainder 
> of your requirements.
> 
> Are you sure you want 7-10GBps of IPSEC?  I'm not sure what market you're in, 
> but I don't imagine a 10Gbps WAN port is particularly cheap from your carrier 
> (since you list price as being important).  
> 
> If you absolutely need this much crypto though, then you'll be looking at 
> somewhere between an SRX650 and an SRX1400 plus appropriate 10G XPM/IOC.
> 
> As for scalability - no issues - the 650 will support up to 3,000 tunnels and 
> the 1400 was good for about 15,000 last time I looked - it's probably gotten 
> better since then.
> 
> Ben
> 
> On 1 Apr 2014, at 4:37 pm, R S  wrote:
> 
>> For a project (70 branch offices and 2 Headquarters connected in a 
>> hub&spoke topology with IPSEC over MPLS among branch and HQ) I’m looking for 
>> the best device which covers the following items:
>> 
>> Branch:
>> Single device 
>> At least two Ethernet interfaces (WAN/LAN)
>> Ipsec supporting 10-50-100 Mbs
>> Routing protocols such as BGP-OSPF
>> NAT
>> Redundant power supply (some site not but in principle I need it)
>> 
>> HeadQuarter:
>> Single device with XE intf 
>> At least two Ethernet interfaces (WAN/LAN)
>> IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
>> Routing protocols such as BGP-OSPF
>> NAT
>> Redundant power supply
>> 
>> Firewall is not needed, MPLS will be run by the carrier, the devices and 
>> IPSEC are on top of MPLS.
>> I’m looking for the best solution in terms of scalability and price (very 
>> important).
>> 
>> Also any advice with experience for the decision is appreciated.
>> 
>> Regards
>>


Re: [j-nsp] Best device to fit for a project

2014-04-01 Thread Ben Dale
SRX550 is pretty much your only option in the branch if you require dual power 
supply, but is in every other way overspecced (and thus priced) for the 
remainder of your branch requirements.  If you can do without the RPS, then I'd 
go with either an SRX220 or 240, which will easily handle the remainder of your 
requirements.

Are you sure you want 7-10GBps of IPSEC?  I'm not sure what market you're in, 
but I don't imagine a 10Gbps WAN port is particularly cheap from your carrier 
(since you list price as being important).  

If you absolutely need this much crypto though, then you'll be looking at 
somewhere between an SRX650 and an SRX1400 plus appropriate 10G XPM/IOC.

As for scalability - no issues - the 650 will support up to 3,000 tunnels and 
the 1400 was good for about 15,000 last time I looked - it's probably gotten 
better since then.

Ben

On 1 Apr 2014, at 4:37 pm, R S  wrote:

> For a project (70 branch offices and 2 Headquarters connected in a hub&spoke 
> topology with IPSEC over MPLS among branch and HQ) I’m looking for the best 
> device which covers the following items:
> 
> Branch:
> Single device 
> At least two Ethernet interfaces (WAN/LAN)
> Ipsec supporting 10-50-100 Mbs
> Routing protocols such as BGP-OSPF
> NAT
> Redundant power supply (some site not but in principle I need it)
> 
> HeadQuarter:
> Single device with XE intf 
> At least two Ethernet interfaces (WAN/LAN)
> IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
> Routing protocols such as BGP-OSPF
> NAT
> Redundant power supply
> 
> Firewall is not needed, MPLS will be run by the carrier, the devices and 
> IPSEC are on top of MPLS.
> I’m looking for the best solution in terms of scalability and price (very 
> important).
> 
> Also any advice with experience for the decision is appreciated.
> 
> Regards
> 


[j-nsp] Best device to fit for a project

2014-03-31 Thread R S
For a project (70 branch offices and 2 Headquarters connected in a hub&spoke 
topology with IPSEC over MPLS among branch and HQ) I’m looking for the best 
device which covers the following items:

Branch:
Single device 
At least two Ethernet interfaces (WAN/LAN)
Ipsec supporting 10-50-100 Mbs
Routing protocols such as BGP-OSPF
NAT
Redundant power supply (some site not but in principle I need it)

HeadQuarter:
Single device with XE intf 
At least two Ethernet interfaces (WAN/LAN)
IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
Routing protocols such as BGP-OSPF
NAT
Redundant power supply

Firewall is not needed, MPLS will be run by the carrier, the devices and 
IPSEC are on top of MPLS.
I’m looking for the best solution in terms of scalability and price (very 
important).

Also any advice with experience for the decision is appreciated.

Regards
  