[AusNOG] Cisco 7201 vs Juniper SRX 550 for border routers

Luke Iggleden luke+ausnog at sisgroup.com.au
Tue Apr 15 16:40:11 EST 2014


An SRX550 as a border router with a 100Mbit/s interface on it would be ok.

The limit is its ability to forward packets under worst conditions.  The 
srx550 is only capable of 700k pps. It's not 'border router' material if 
you're thinking of anything delivered on a gig-e port. (never take 
Juniper's IMIX statement as Real World performance)

As a 'border' you will be using packet mode on the SRX, which means you
won't be 'clustering' them? If you want to do NAT on them and you will 
be using state you're going to run out of Grunt to deal with new 
sessions per second, only 27k new sessions per second. (severely under 
the 700k pps the cpu is capable of forwarding)

A Linux router, with new CPUs + decent Intel NICs will run rings around 
a SRX550. If you don't have any needs for MPLS then Linux is a better 
option IMO. Can't speak for high end MikroTik but that may be worth 
exploring.

My suggestion, Linux until you can afford MX or ASR.



On 15/04/2014 3:44 pm, Rhys Hanrahan wrote:
> Hi Skeeve,
>
> Appreciate the feedback. Would you suggest that a cluster of SRX 550s on
> the edge, with 7201s as dedicated LNSs could work in our situation?
> Would it be likely that the SRX 550 can obtain the kind of throughput
> (or close to) that I'm looking for?
>
> Multiple roles on our edge is hard for us to avoid since we're coming
> from a router on a stick setup. Bringing in a collapsed core and
> distribution layer is new for us. 1:1 NAT is also hard to avoid, given
> the difficulty of obtaining IPs - just filling out our current cage will
> likely more than use up the maximum /22 allocation. So it's something
> we've always done for customer servers, to try and conserve space as
> much as possible.
>
> I've looked at ASR1Ks and MX5 bundles, and it's just too much of a jump
> in price for us right now (considering what hardware we're coming from -
> think Linux router). I could go for MikroTik, but rather something that
> can be more widely supported and with more documentation, so it's easier
> for our team to support.
>
> Moving to something like those is definitely on the road-map, but we
> need an affordable border router to get us half-way there, and build up
> the customer base before we move all the way to MX or ASR routers.
>
> Rhys Hanrahan
> Chief Information Officer
> Nexus One Pty Ltd
>
> E: support at nexusone.com.au <mailto:support at nexusone.com.au>
> P: +61 2 9191 0606
> W: http://www.nexusone.com.au/
> M: PO Box 127, Royal Exchange NSW 1225
> A: Level 10 307 Pitt St, Sydney NSW 2000
> ------------------------------------------------------------------------
> *From:* Skeeve Stevens [skeeve+ausnog at eintellegonetworks.com]
> *Sent:* Tuesday, 15 April 2014 3:13 PM
> *To:* Rhys Hanrahan
> *Cc:* ausnog at lists.ausnog.net
> *Subject:* Re: [AusNOG] Cisco 7201 vs Juniper SRX 550 for border routers
>
> Rhys,
>
> Firstly, the 7201's are great LNS's... the only issue is throughput (max
> 1Gb)
>
> The SRX500's are great - firewalls.  We generally use them as such, with
> MX5's in front of them, but they can face the world just fine by themselves.
>
> You cannot compare a 7201 and SRX550 - completely different devices for
> different purposes.
>
> The MX5's can be LNS's (up to 4000 users), but they aren't that cheap.
>
> The SRX platform is excellent, but not all models... for example, I
> avoid the 650's.  The 550's I run in cluster in multiple locations and
> they seem to work great, with little or no issues and doing a multitude
> of tasks on the same box.
>
> If you want cheap (and nasty) go the Mikrotik, but wash yourself
> afterwards :)
>
> You should also not be doing BGP edge and LNS on the same device...
> separate for a happier life.
>
> Regarding features of the 7201.  They start at 1Gb TP with doing nothing
> else... but degrade quickly if you throw ACL's, QoS and rate-limiting at
> it, and if you want to destroy it, throw PBR as well.  Then it will
> end up as an 877 :)
>
>
>
> ...Skeeve
>
> *Skeeve Stevens - *eintellego Networks Pty Ltd
> skeeve at eintellegonetworks.com <mailto:skeeve at eintellegonetworks.com> ;
> www.eintellegonetworks.com <http://www.eintellegonetworks.com/>
>
> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
>
> facebook.com/eintellegonetworks
> <http://facebook.com/eintellegonetworks> ;
> <http://twitter.com/networkceoau>linkedin.com/in/skeeve
> <http://linkedin.com/in/skeeve>
>
> twitter.com/theispguy <http://twitter.com/theispguy> ; blog:
> www.theispguy.com <http://www.theispguy.com/>
>
>
> The Experts Who The Experts Call
>
> Juniper - Cisco - Cloud- Consulting- IPv4 Brokering
>
>
> On Tue, Apr 15, 2014 at 2:20 PM, Rhys Hanrahan <rhys at nexusone.com.au
> <mailto:rhys at nexusone.com.au>> wrote:
>
>     Hi Everyone,
>
>     We are currently in the middle of upgrading some of our network
>     hardware, and was hoping that I could get some input on deciding on
>     a pair of border routers.
>
>     Initially we were looking at the Juniper MX series for this role,
>     but found it's a bit outside our price range (for now). In trying to
>     keep it all Juniper (as we'll most likely use EX-series for our core
>     and access layers), we have been looking at the Juniper SRX 550
>     routers for our border. They seem like they will do the job for our
>     needs, but are missing LNS functionality, which is something we'd
>     have to purchase 7201s for in the future, and so therefore I’m also
>     looking at just buying 7201s instead.
>
>     Logically to me, since the SRX is (apparently) newer hardware, it
>     should perform better than the 7201s. My anecdotal evidence,
>     however, suggests otherwise, and I'm looking to confirm that in
>     terms of real-world performance. Comparing the spec sheets between
>     the SRX 550 and the 7201, on paper it looks like the 7201 beats out
>     the SRX in terms of performance (mainly PPS). It also sounds like
>     the SRXs store multiple copies of BGP routes in memory and so where
>     a pair of full sets of internet routes for the SRX is not possible,
>     it's still possible on 7201s.
>
>     From all that I've read and heard from various people, it seems
>     that generally, the Juniper SRX series is not held in a high regard
>     in terms of reliability or performance, compared to something like
>     the MX series (which is to be expected really). Whereas I hear a lot
>     of good things of the 7200 series, despite the fact it's EOL, it's
>     still being used and is a reliable range. Due to these factors,
>     despite it being an older router, I am leaning towards the 7201s as
>     it seems like an all-around better choice in terms of reliability
>     and performance.
>
>     My main hesitation in going with the 7201s is that, we'll be using
>     them for quite a lot, and I'm unsure of how quickly the performance
>     will drop if I start using more features. So I was hoping that
>     someone could give some real-world input to say which would likely
>     be the better choice. Overall right now, I'm still siding with a
>     pair of 7201s.
>
>     Here is a summary of what we'll be using the border routers for:
>
>       * BGP (Initially only a default route, but potentially 2xfull
>         internet routes in future. Plus IX routes.)
>       * OSPF (Up to 50 or so routes)
>       * Static NAT (up to 100K active translations)
>       * Up to 400 Mbps IP Transit
>       * Up to around 25K ACLs (we currently firewall customer servers on
>         the border. We're looking at moving the firewalling off to a
>         dedicated box like an SRX or ASA, but probably not at our
>         current size, if possible).
>       * NAT64
>       * IPSec (around 10 Mbps of AES256/SHA traffic).
>       * NetFlow
>       * HSRP / VRRP
>       * IPv6 Support
>       * LNS (Up to 200 sessions).
>       * MPLS PE
>       * QinQ Tunnel / QinQ Termination
>
>     Appreciate any insights that can be given on which path to take.
>
>     Thanks!
>
>     Rhys Hanrahan
>     Chief Information Officer
>     Nexus One Pty Ltd
>
>     E: support at nexusone.com.au <mailto:support at nexusone.com.au>
>     P: +61 2 9191 0606
>     W: http://www.nexusone.com.au/
>     M: PO Box 127, Royal Exchange NSW 1225
>     A: Level 10, 307 Pitt Street, Sydney NSW 2000
>
>
>     _______________________________________________
>     AusNOG mailing list
>     AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>     http://lists.ausnog.net/mailman/listinfo/ausnog
>