[AusNOG] Cisco 7201 vs Juniper SRX 550 for border routers

Shane Short shane at short.id.au
Tue Apr 15 15:11:01 EST 2014


It honestly sounds like you're probably expecting too much from a single 
unit-- having all that on a single device is just asking for a software 
bug to bite you in the ass and take everything offline.

I personally wouldn't be putting LNS on your upstream edge, I'd be 
pushing it down to your actual customer edge. For the 200 or so LNS 
customers you're looking for you'll probably be fine with a 7201.
As mentioned before you probably don't want to use anything software 
driven for this role, because you'll likely pummel it. Have you looked 
at the MX5,10 etc bundles? They'll probably fit the bill for your border 
scenario.

I probably also wouldn't be doing all your NAT related connection 
tracking at your upstream edge either, this again sounds like something 
you should push down to the customer edge.

If budget's a concern, you might find that you can get away with using 
several smaller boxes to achieve the tasks: 7201 for LNS, one of the 
smaller SRX for your NAT and something low-end but hardware for your border.

That's my 2c, anyway.

-Shane

Rhys Hanrahan wrote:
>
> Hi Everyone,
>
> We are currently in the middle of upgrading some of our network hardware, 
> and I was hoping that I could get some input on deciding on a pair of 
> border routers.
>
> Initially we were looking at the Juniper MX series for this role, but 
> found it's a bit outside our price range (for now). In trying to keep 
> it all Juniper (as we'll most likely use EX-series for our core and 
> access layers), we have been looking at the Juniper SRX 550 routers 
> for our border. They seem like they will do the job for our needs, but 
> are missing LNS functionality, which is something we'd have to 
> purchase 7201s for in the future, and so therefore I'm also looking at 
> just buying 7201s instead.
>
> Logically to me, since the SRX is (apparently) newer hardware, it 
> should perform better than the 7201s. My anecdotal evidence, however, 
> suggests otherwise, and I'm looking to confirm that in terms of 
> real-world performance. Comparing the spec sheets between the SRX 550 
> and the 7201, on paper it looks like the 7201 beats out the SRX in 
> terms of performance (mainly PPS). It also sounds like the SRXs store 
> multiple copies of BGP routes in memory and so where a pair of full 
> sets of internet routes for the SRX is not possible, it's still 
> possible on 7201s.
>
> From all that I've read and heard from various people, it seems that 
> generally, the Juniper SRX series is not held in a high regard in 
> terms of reliability or performance, compared to something like the MX 
> series (which is to be expected really). Whereas I hear a lot of good 
> things of the 7200 series, despite the fact it's EOL, it's still being 
> used and is a reliable range. Due to these factors, despite it being 
> an older router, I am leaning towards the 7201s as it seems like an 
> all-around better choice in terms of reliability and performance.
>
> My main hesitation in going with the 7201s is that we'll be using 
> them for quite a lot, and I'm unsure of how quickly the performance 
> will drop if I start using more features. So I was hoping that someone 
> could give some real-world input to say which would likely be the 
> better choice. Overall right now, I'm still siding with a pair of 7201s.
>
> Here is a summary of what we'll be using the border routers for:
>
>   * BGP (Initially only a default route, but potentially 2xfull
>     internet routes in future. Plus IX routes.)
>   * OSPF (Up to 50 or so routes)
>   * Static NAT (up to 100K active translations)
>   * Up to 400 Mbps IP Transit
>   * Up to around 25K ACLs (we currently firewall customer servers on
>     the border. We're looking at moving the firewalling off to a
>     dedicated box like an SRX or ASA, but probably not at our current
>     size, if possible).
>   * NAT64
>   * IPSec (around 10 Mbps of AES256/SHA traffic).
>   * NetFlow
>   * HSRP / VRRP
>   * IPv6 Support
>   * LNS (Up to 200 sessions).
>   * MPLS PE
>   * QinQ Tunnel / QinQ Termination
>
> Appreciate any insights that can be given on which path to take.
>
> Thanks!
>
> Rhys Hanrahan
>
> Chief Information Officer
>
> Nexus One Pty Ltd
>
> E: support at nexusone.com.au <mailto:support at nexusone.com.au>
>
> P: +61 2 9191 0606
>
> W: http://www.nexusone.com.au/
>
> M: PO Box 127, Royal Exchange NSW 1225
>
> A: Level 10, 307 Pitt Street, Sydney NSW 2000
>