Per Granath writes:
> For the record, the Miercom report is from tests without services
> offload - so that's without 'hardware offload'.
It is great to hear that.
> In general, with that 22Gbps on the SPC processing, the processing
> power could also be eaten up by IPSec termination and 'new
> > Even 'independent tests' from Cisco's friends do not argue that SRX3k
> > can do 20G+.
> >
> http://www.cisco.com/en/US/prod/collateral/vpndevc/miercom_vs_juniper
> .
> > pdf
> >
> > I am sorry for that sort of a link in such a respectful place :)
>
> I am sure the SRX3600 can do 22Gbps+. The
Phil Mayers writes:
> It's only a factor of two up, and they've had 6/7 years to get there.
> I'm assuming the 5600/5800 can do 10Gbit/sec (of basic firewalling -
> no deep inspection etc.) unless anyone has compelling evidence
> otherwise.
Yes, I am assuming that too.
But does it do 10Gbps fir
Pavel Lunin writes:
> Even 'independent tests' from Cisco's friends do not argue that SRX3k
> can do 20G+.
> http://www.cisco.com/en/US/prod/collateral/vpndevc/miercom_vs_juniper.pdf
>
> I am sorry for that sort of a link in such a respectful place :)
I am sure the SRX3600 can do 22Gbps+. The qu
19.06.2012 03:25, Benny Amorsen wrote:
>> Em… isn't 10G+ possible on SRX HE without offloading?
> I don't know, that is part of what I am trying to find out :)
Even 'independent tests' from Cisco's friends do not argue that SRX3k
can do 20G+.
http://www.cisco.com/en/US/prod/collateral/vpndevc/mi
On 06/19/2012 12:25 AM, Benny Amorsen wrote:
Pavel Lunin writes:
Em… isn't 10G+ possible on SRX HE without offloading?
I don't know, that is part of what I am trying to find out :)
Well, you can certainly do 5Gbit/sec on the (much older) Netscreen 5400
hardware with M2 linecards - we have
Pavel Lunin writes:
> Em… isn't 10G+ possible on SRX HE without offloading?
I don't know, that is part of what I am trying to find out :)
/Benny
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/junip
2012/6/19 Benny Amorsen
>
> > To be honest, by now it looks like a feature for a particular customer.
>
> To me it seems like a feature for every customer... Without offloading,
> how would you do stateful firewalling at 10Gbps+?
>
Em… isn't 10G+ possible on SRX HE without offloading?
Well, don
Pavel Lunin writes:
> To be honest, by now it looks like a feature for a particular customer.
To me it seems like a feature for every customer... Without offloading,
how would you do stateful firewalling at 10Gbps+?
To put it another way, is there a hardware/software configuration for an
SRX340
18.06.2012 16:31, Phil Mayers wrote:
> However, the docs suggest that it might be possible to enable offload
> on a per-policy basis.
>
> This might be good for certain latency-sensitive flows, if true.
Yep, as I understood, it's only per-policy based (please correct, if I'm
not right), which is,
ichip would used for interface with fabric as xlr would not be capable of doing
that.
Regards
Abhijeet.C
From: Saku Ytti
To: juniper-nsp@puck.nether.net
Sent: Sunday, June 17, 2012 12:44 PM
Subject: Re: [j-nsp] SRX hardware acceleration caveats
On
On 18/06/12 12:22, Pavel Lunin wrote:
hops. But I really wonder how (if) it affects the new session setup rate
and concurrent session scaling. I really doubt, a single EZchip is
capable to handle states of millions of sessions, all of which can
easily pass a single 10G interface (and, consequent
18.06.2012 15:22, Pavel Lunin wrote:
> easily pass a single 10G interface (and, consequently, NPC).
NPU, to be precise.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
18.06.2012 14:47, Phil Mayers wrote:
> This is interesting. I was not aware of the EZchip offload in the
> high-end stuff.
As of the docs, it seems like the only advantage is reduced latency:
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/security/software-a
On 17/06/12 08:14, Saku Ytti wrote:
This is true for branch (multicore cavium octeon). But not for
1k/3k/5k. And there is no where to offload in branch.
This is interesting. I was not aware of the EZchip offload in the
high-end stuff.
Can anyone comment on the expected (or observed) differe
Benny Amorsen writes:
> It is pretty sad that when it comes to >1Gbps firewalling, CNG is
> cheaper and easier to buy than native IPv6...
Carrier Grade NAT, not CNG.
/Benny
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether
Thank you very much again. "No fragmentation" is a potential DoS vector
but probably ok. The other limitations are similar to other vendors.
However, "No IPv6" is really unfortunate. With Google, Youtube and
Facebook on IPv6 already, that could be a serious limitation.
It is pretty sad that when
On (2012-06-17 13:10 +0200), Benny Amorsen wrote:
> However, I am still wondering if all traffic is eligible for services
> offload. Multicast traffic with fan-out > 1 is not, but that is not a
> large concern for me. Is there any other traffic which cannot be
> offloaded?
Release notes has list
Saku Ytti writes:
> EZchip is very much not software, ES+ linecards and ASR9k routers use
> EZchip (albeit faster versions 3 and 4, SRX uses 2) for lookups also.
> This 'service-offload' does what box should have been doing all along, punt
> only first packet to RMI/Netlogic and use EZChip for s
On (2012-06-17 11:07 +0800), Chen Jiang wrote:
> SRX is the 2rd pure-software forwarding equipment from Juniper(the 1st is J
> series routers), it just use multi-core CPU does all the forwarding and
> security things in software. But in recent releases(maybe from JUNOS 10.4)
> there is a new feat
> This 'service-offload' does what box should have been doing all along, punt
> only first packet to RMI/Netlogic and use EZChip for subsequent packets.
>
>
> SPU http://www.ezchip.com/p_np2.htm
> NPC http://www.netlogicmicro.com/Products/ProductBriefs/MultiCore/XLR500.htm
Obviously these are w
Hi!
SRX is the 2rd pure-software forwarding equipment from Juniper(the 1st is J
series routers), it just use multi-core CPU does all the forwarding and
security things in software. But in recent releases(maybe from JUNOS 10.4)
there is a new feature called "service-offload" that could use NPC in
After having a few surprises from non-Juniper firewall equipment, I just
thought I would ask here...
Are there any surprises waiting when it comes to SRX enterprise
firewalls and hardware acceleration? Is hardware acceleration limited to
UDP and TCP, or does it work with e.g. ESP or SCTP? What abo
23 matches
Mail list logo
