SRX210 Throughput



  • Hi all,
    Does anybody know the actual port throughput on a SRX210? Recently I was doing some testing on a FastEthernet port with the RFC 2544. It turned out that the throughput on the port was no more than 6 Mbps.

    According to Juniper´s documentation the maximum Firewall Performance of the device is 750 Mbps. So I was expecting a better performance on the FE port.

    Can anyone please advice??

    Thanks a lot



  • The same thread is also over here if anyone is interested:
    http://forums.juniper.net/t5/SRX-Services-Gateway/SRX210-port-throughput/td-p/32117



  • I see you have the speed and duplex hard set on the port, but you do not have auto-negotiation(sp) shut off.  Have you confirmed the port is actually coming up 100/full?  Other than that, it is a pretty simple config.

    Clay



  • Hi Clay,
    Our environment so far is for testing purposes only. I think it is a very straight forward configuration and I don´t know what I might be missing to get expected results on the test.
    Anyway, this is the configuration:

    Last commit: 2009-12-19 00:11:08 CST by root

    version 9.6R1.13;
    system {
        host-name SRXtest;
        time-zone America/Mexico_City;
        root-authentication {
            encrypted-password “$1$G9nFDreC$pupkKttSk9Hi9Bc2Vxvga0”;
        }
        services {
            ssh;
            web-management {
                http {
                    interface [ ge-0/0/0.0 fe-0/0/2.0 ];
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family inet {
                    address 201.148.5.17/30;
                }
            }
        }
        fe-0/0/6 {
            speed 100m;
            mtu 9192;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 192.168.10.1/30;
                }
            }
        }
        fe-0/0/7 {
            speed 100m;
            mtu 9192;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 192.168.11.1/30;
                }
            }
        }
        t1-1/0/0 {
            encapsulation cisco-hdlc;
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 201.148.5.18;
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                tcp-rst;
                host-inbound-traffic {
                    system-services {
                        http;
                        ping;
                        ssh;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                http;
                                https;
                                ssh;
                                telnet;
                                dhcp;
                                ping;
                            }
                        }
                    }
                    fe-0/0/6.0;
                    fe-0/0/7.0;
                    fe-0/0/2.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }

    Thanks for your help!
    Happy Holidays



  • Do you mind posting the config you are using on the 210?  That would let me see what all you have enabled and such.

    Thanks,
    Clay



  • Hi Clay,

    Let me explain you the exact methodology to see if you have any more comments.

    We are using a FLUKE NETWORKS Metro Scope Service Provider Assistant as traffic injector on the fe-0/0/6 and a FLUKE NETWORKS LinkRunner DUO as Reflector on the fe-0/0/7 port. The latter is configured with the 192.168.10.0/30 subnet whereas the former has the 192.168.11.1/30. We inject variable length packets to the ports: 64, 128, 256, 512, 1024 and 1512 bytes. Only at a rate of 6Mbps we didn´t have packet loss.

    We are thinking to use the SRX210 as CPE devices but we can´t afford such a low performance.

    Thanks a lot for your help.

    Regards,



  • What size of packet are you testing with?  If you are following the RFC then you should be seeing different results based on packet size.  As the documentation states.  Large packet max is 750Mb/s, IMIX traffic (which is the most realistic) is 250Mb/s and small packets (64 byte) is 80kpps.  Which calculates out to about 40Mb/s.  So the range is quite large depending on packet size.  That is just one of many things that would come into account.  I would first check the config to make sure all is programmed correctly.  Then I would check your testing methods and try again.  You should easily get more than 6Mb/s.  And are you sure it was 6 million bits and not bytes per second?  Because if it was bytes and you were using small packets, then that would pry be correct.

    Hope that helps,
    Clay


 

17
Online

38.4k
Users

12.7k
Topics

44.5k
Posts