SRX 5800 HA pair with no lag

So, in an earlier post, we spoke of a high end Juniper SRX 5800 in a battle for its life. It was oversubscribed and there was not a whole lot we could do for it other than police traffic and possibly make more customers unhappy. Now that we have a semi-healthy firewall, it's time to improve the situation. We have a few options.

  • Option 1 – How about no link aggregation? We can effectively double our throughput by simply adding another card. Instead of combining the redundant ethernet interfaces onto one card, we can split them up. Let's put reth0 on one card and reth1 on the other. Since each card tops out at 10Gb, this means we now have a solid 10 gigabit of capable throughput on each reth instead of two reths sharing it.

Figure: SRX 5800 HA LAG

Figure: SRX 5800 HA LAG with RETH on each card

  • Option 2 – We can add another card just like before, but this time we double our bandwidth because we now have a 20Gb LAG on each card, and we split the redundant ethernet interfaces across the cards... But wait a sec. We have not changed the fact that a single SRX-IOC-4XGE-XFP can only do 10Gb. Does this really help us any? Well, maybe if you are doing some bridging on your layer three devices and you are trying to create some resiliency... yeah, I could see that... but wait... That's why we bought the second firewall, right? Nah... Let's not go down this road. This will end up causing confusion and delay for the next poor sap supporting this solution.
  • Option 3 – I won't diagram option 3 because it is basically option 2, but instead of each card being dedicated to a redundant ethernet interface, we split the cards. And like before, I can kinda see the desire to do this for resiliency... that is, if you only had a single firewall. But we have two, so let's not go there.
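Here is what Option 1 looks like in Junos set commands. This is an added example for illustration, not configuration from the original post or from Juniper. It assumes a two-node SRX 5800 chassis cluster where node0's two SRX-IOC-4XGE-XFP cards sit in FPC slots 1 and 2 and node1's matching cards sit in slots 13 and 14 (on the SRX5800, node1's slots are numbered 12 through 23); the IP addresses and redundancy-group priorities are placeholders, and the lines beginning with `#` are annotations, not commands to paste.

```junos
# --- Cluster-wide settings (assumed values) ---
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# --- reth0: one physical port per node, both on the FIRST IOC card ---
# node0 card in FPC slot 1, node1 card in FPC slot 13 (assumed slots)
set interfaces xe-1/0/0 gigether-options redundant-parent reth0
set interfaces xe-13/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.0.2.1/24

# --- reth1: one physical port per node, both on the SECOND IOC card ---
# node0 card in FPC slot 2, node1 card in FPC slot 14 (assumed slots)
set interfaces xe-2/0/0 gigether-options redundant-parent reth1
set interfaces xe-14/0/0 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 198.51.100.1/24

# Note: no "redundant-ether-options lacp" stanza and only one member
# per node on each reth, i.e. no LAG. Each reth now owns an entire card
# on the active node, so neither reth shares that card's 10Gb ceiling.
```

To confirm the split after commit, `show chassis cluster interfaces` lists each reth with its member ports and which node is active, and `show interfaces terse reth0` / `show interfaces terse reth1` show the reth units up. If both reths list members from the same FPC slot on a node, the two reths are still sharing one card and the Option 1 throughput gain is not there.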

I'll break now and leave you with some food for thought. How can we crank some serious bandwidth through these guys? I'll post a follow up with my thoughts.