SRX Services Gateways Dynamic Services Architecture. Niklas Henriksson Systems Engineer, Sr. nhenriksson@juniper.net. Traditional approaches to software releases. Software Train. Duplicate Customized Train for Big Customer. Another Copy for Another Customer.
SRX Services Gateways
Dynamic Services Architecture
Niklas Henriksson, Systems Engineer, Sr.
nhenriksson@juniper.net
Traditional approaches to software releases
• Software Train
• Duplicate Customized Train for Big Customer
• Another Copy for Another Customer
• Customized Train Ports Acquisition
• Customized Train Accelerates New Feature
• Different Engineers Develop the Same Feature
• And so on …
One operating system
Less time and effort to plan, deploy, and operate …
• Reduce complexity
• Consistent operating environment
• One person can manage many devices
• Ease training on new features
• Streamline upgrade testing, qualification & deployment
• Leverage common management
• NSM is a single enterprise management platform for Juniper devices
• Common interfaces for systems integration
[Diagram labels: OSPF, BGP, MGMT, IPv6, NSM; Service Provider Core, Service Provider Access/Edge, Corporate HQ, Data Center, Branch Office]
One modular software architecture
• Tailored services flexibility
• Deep integration of new functionality
• Dedicated hardware in many platforms
• Create customized service chains
• Open management and development Interfaces
• NETCONF/XML
• Partner development platform
[Diagram labels: J-Web, NSM, CLI, Scripts; Toolkit; Open Management Interfaces; Management Interfaces; Routing; Module n; Control Plane; Kernel; Service App 1, Service App 2, Service App 3, ... Service App n; Services Plane; Services Interfaces; Packet Forwarding; Data Plane; Physical Interfaces]
JUNOS Solution portfolio
• SERVICES GATEWAYS: SRX5000 Series, SRX3000 Series, SRX650, SRX240, SRX210, SRX100
• SWITCHES: EX8216, EX8208, EX4200, EX3200, EX2200
• ROUTERS: MX Series, M & T Series, J Series
• Unified Management (NSM)
Branch SRX Gateways SRX 100, SRX 210, SRX 240 & SRX 650
SRX100
• Ideal for micro-branch, managed telecommuters, SOHO
• Fixed I/O—8 x 10/100 Ethernet ports
• Full UTM features
  • IDP*
  • Antivirus
  • Antispam*
  • Web filtering
• UAC Enforcement
• UTM requires High Memory model (UTM, license), no CSA
*Supported in JUNOS 10.0
SRX210
• Ideal for Small branches
• Full UTM features
  • IDP, Antivirus, Antispam, Web filtering, Content filtering
• UAC Enforcement
• UTM requires High Memory model
• Available Voice version with mini-PIM options—Q4 2009
• Factory-configured voice model (Q4 2009)
SRX240
• Ideal for small–medium branches
• Full UTM features
  • IDP, Antivirus, Antispam, Web filtering, Content filtering
• UAC Enforcement
• UTM requires High Memory model
• Available Voice version with mini-PIM options—Q4 2009
• Factory-configured voice model (Q4 2009)
SRX650
• Ideal for regional sites, large branches
• Modular:
  • LAN switching
  • Services Routing Processors with optional redundancy (future)
  • Power supplies with optional redundancy (at FRS)
  • Voice configurations (field upgradable via PIMs in 2010)
• Full UTM features
  • IDP, Antivirus, Antispam, Web filtering, Content filtering
• UAC Enforcement
• Max Gig E 52 ports (2 x 24 GE PIM + 4 integrated ports)
*Supported in JUNOS 9.6
Ethernet Switching (SRX100, SRX210, SRX240, SRX650)

Hardware (Onboard Ethernet)
• SRX100
  • 8 Fixed 10/100 (Switched or Routed)
• SRX210
  • Fixed 2 10/100/1000 + 6 10/100 (Switched or Routed)
  • 802.3af optional POE (2FE + 2GE)
• SRX240
  • Fixed 16 Ports 10/100/1000 (Switched or Routed)
  • Power over Ethernet (optional all ports)
  • 802.3af, 802.3at
• SRX650
  • Fixed 4 ports 10/100/1000 (Routed)

Software Features
• 802.1Q VLAN support
• Up to 4,096 VLAN support (platform dependent)
• Routed VLAN Interface (RVI)
• GARP VLAN Registration Protocol (GVRP)
• QOS on VLAN interface
• L3 Strict priority queuing (LLQ)
• L3 Smoothed Deficit Weighted Round Robin (SDWRR)
• L3 Weighted Random Early Discard (WRED)
• L3 Per port and per queue shaping
• 802.1x Port based Authentication
• 802.3ad (AX) link aggregation*
• STP, Spanning Tree Protocol
  • 802.1D Spanning Tree Protocol
  • 802.1S Multiple STP
  • 802.1w Rapid STP
• Jumbo Frame Support (9,216 Byte)*

Hardware Ethernet PIMs
• SRX Mini-PIM (SRX210/SRX240)
  • 1 Port SFP
• 16 port GigE XPIM for SRX650
  • Double-high
  • Full-duplex 20 Gbps backplane
  • 16 port GE and optional PoE
• 24 port GigE including 4 SFP slots XPIM for SRX650
  • Double-high - double-wide
  • Optional POE - 24 port GE with PoE incl 4 SFP slots
  • Full-duplex 20 Gbps backplane
• Optics
  • SRX GE SFP LH | SRX GE SFP LX | SRX GE SFP SX | SRX GE SFP 1000 Base-T | SRX FE FX SFP
* Not supported on SRX100
Unified Threat Management (UTM) Features
[Diagram columns: External Threats (INTERNET), Internal Threats]
• IPS: Juniper IDP detects/stops Worms, Trojans, DoS (L4 & L7), Scans
• Web Filtering: Websense to block unapproved site access
• Antivirus: Kaspersky Lab AV stops viruses, file-based trojans or spread of spyware, adware, keyloggers
• Antispam: Symantec stops Spam / Phishing
• Content Filtering: SRX Series blocks transmission of files for Data Loss Prevention
• Core Security: Firewall, VPN, Unified Access Control
Remote Access
Dynamic VPN Service – Access Manager Client
• A dynamic IPSEC Client that is automatically downloaded
• 5-user, 10-user, 25-user, 50-user (SRX240) license option with simultaneous tunnel enforcement
• Supported on the SRX100*, SRX210, and SRX240
• Not supported on SRX650
• Automatic client upgrade capabilities
• Self-provisioning from SRX210, SRX240
• IPSec with TCP-based fallback for NAT traversal
• Initial release to support Windows platforms—XP, Vista, Win 2000
[Diagram labels: Wireless, Wired, 3G Wireless, INTERNET, Dynamic VPN Services, SRX210]
*Supported in JUNOS 10.0
Juniper Networks Unified Access Control (UAC)
Comprehensive, vendor-agnostic, standards-based access control across heterogeneous environments delivering investment protection
1. Authenticate User, Profile Endpoint, Determine Location
2. Dynamically Provision Policy Enforcement
3. Control Access to Protected Resources
[Diagram labels: SRX, POLICY SERVER, IC Series, Identity Stores, APPLICATIONS, Data, App, Internet, UAC Agent, EX Series L2 Switch, Juniper Firewall Platforms, 802.1X Switches & Access Points, UAC Enforcement Points]
SRX210 with Integrated Convergence Services (Q4 2009)
• FXS ports – connect your analog phone or FAX machine here
• E1/T1 or FXOs for carrier trunk or FXS for additional analog phones / fax machines
• FXO ports – connect to your wall phone socket
SRX Voice Elements
• Survivable SIP server
• SIP Media Gateway
• SIP Security
• Base and expandable voice ports
• PoE Ports
• PoE Ports scaling with EX switch
3G Bridge (Q4 2009)
• Slots to take in USB or ExpressCard 3G Modem
• Connect to SRX over Ethernet
• Supports POE
• LED bars display signal strength
• Juniper will not supply 3G modems and data plans. These are region specific, and the customer/regional team is to work on procuring modems & data plans
• FRS Nov 15
Branch Wireless AP Solution (Q4 2009)
• Juniper 802.11n indoor Solution
• Backwards compatible to .11a/b/g
• Dual mode radio support 300Mbps (Aggregate)
• Single radio 200Mbps (160Mbps typical)
• Spatial Streams: 2x2:2, 2x3:2, 3x3:2
• UL2043 Plenum rated for over ceiling mounting
• 50 Meter range (indoor)
• Unit can be mounted on ceiling or wall
• Virtual AP technology – Support of up to 16 simultaneous SSIDs
• 802.11e WMM capable
• 1 Gigabit Ethernet POE support
• Optional External Power Supply
• Serial Console Support
• L2 Managed by SRX Branch Products
• Additional licensing cost for Branch SRX to manage multiple access points – Clusters of 4, 8, 16 APs
High End SRX Gateways SRX 3000 & SRX 5000
SRX 3600
Hardware
• Modular chassis
• 12 slots (6 front, 6 rear)
• MGT module – dual, hot swap
• 5U chassis height
Fixed Interfaces
• 12 built-in (8-10/100/1000 + 4-SFP)
• 2 Ethernet Management Ports
Modular Interfaces
• 16-10/100/1000
• 16-SFP
• 2-XFP
Performance & Capacities
• FW – 10 - 30 Gbps
• VPN – 10 Gbps
• IDP – 10 Gbps
• Concurrent sessions – 2M
• New and sustained CPS – 175k
• Concurrent IPSec VPN tunnels – 20k
[Figure: SRX 3600, Front and Rear views]
SRX 3K Packet Flow – Fully Integrated
[Diagram labels: RE 1.5; Network Processing Cards; Fabric; Services Processing Cards; Input/Output Cards; Flow Lookup; Classification; DoS/DDoS; Policing; Routing / Device MGT; Services FW/VPN/IDP; NAT/Routing; Integrated in SRX 5000 IOC; Oversubscription Control; Ingress Packet; Egress Packet; QoS/Shaping]
SRX5800: Product Overview
14 Slot Chassis
Physical size
• Height: 16RU
Dependable hardware
• Passive back-plane
• Redundant fans & power supplies
Power and cooling
• Front-to-back cooling with separate push-pull fans
• Holds up to 2 fan trays (1+1 redundancy)
• Holds up to 4 power supplies (2+2 DC, 3+1 AC)
• 5100 watt capacity
System capacity
• 14 slots - 2 for Fabric Cards
• Up to 480Gbps (full-duplex) capacity
Performance & Capacities
• FW – 120 Gbps
• IDP – 30 Gbps
• Concurrent sessions – 8M
• Connections/sec – 350k
Packet Flow: First packet of new flow
1. Packet received by NP
   NP flow lookup, no match
2. NP sends packet to CP
3. CP chooses SPU, forwards packet
   SPU does session setup
4. Packet forwarded out egress port
[Diagram labels: NP, SPU, CP, SPC #1, SPC #N, Fabric, IOC]
Packet Flow: Session setup messages
1. SPU sends insert session to CP
2. SPU sends insert session to ingress NP
3. SPU sends insert session to egress NP
[Diagram labels: NP, SPU, CP, SPC #1, SPC #N, Fabric, IOC]
Packet Flow: Fast path
1. Packet received by NP
   NP flow lookup, match
2. NP sends packet to SPU
   SPU does fast path processing
3. Packet forwarded to egress NP
4. Packet egresses card
[Diagram labels: NP, SPU, CP, SPC #1, SPC #N, Fabric, DPC]
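The three packet-flow slides above, modeled as an added example (not part of the original deck and not Juniper code). The class and function names are hypothetical, and two behaviours are assumptions of this sketch: the CP picks the least-loaded SPU, and the session inserted on the egress NP is keyed on the reverse 5-tuple so that return traffic also takes the fast path.

```python
# Toy model of the NP / CP / SPU packet flow on the slides above.
# Assumptions (not on the slides): the CP picks the least-loaded SPU, and the
# session installed on the egress NP is keyed on the reverse 5-tuple so that
# return traffic also takes the fast path.

class Gateway:
    def __init__(self, np_names, spu_names):
        self.np_sessions = {n: {} for n in np_names}   # per-NP flow table
        self.cp_sessions = {}                          # CP's session view
        self.spu_load = {s: 0 for s in spu_names}      # sessions per SPU
        self.stats = {"cp_punts": 0, "fast_path": 0}

    @staticmethod
    def reverse(flow):
        src, sport, dst, dport, proto = flow
        return (dst, dport, src, sport, proto)

    def receive(self, ingress, egress, flow):
        """Process one packet arriving on NP `ingress`; return (path, spu)."""
        spu = self.np_sessions[ingress].get(flow)      # NP flow lookup
        if spu is not None:                            # match: NP -> SPU
            self.stats["fast_path"] += 1
            return ("fast", spu)
        self.stats["cp_punts"] += 1                    # no match: NP -> CP
        spu = min(self.spu_load, key=self.spu_load.get)  # CP chooses SPU
        self.spu_load[spu] += 1                        # SPU does session setup
        # Session setup messages: insert at CP, ingress NP, egress NP.
        self.cp_sessions[flow] = spu
        self.np_sessions[ingress][flow] = spu
        self.np_sessions[egress][self.reverse(flow)] = spu
        return ("first", spu)


def demo():
    gw = Gateway(["np0", "np1"], ["spu0", "spu1"])
    flow = ("10.0.0.5", 40000, "192.0.2.10", 443, "tcp")  # constructed sample
    results = [gw.receive("np0", "np1", flow)]                  # first packet
    results.append(gw.receive("np0", "np1", flow))              # same flow again
    results.append(gw.receive("np1", "np0", gw.reverse(flow)))  # return traffic
    # 100 distinct new flows: each one costs a CP punt and a session setup.
    for port in range(50000, 50100):
        gw.receive("np0", "np1", ("10.0.0.5", port, "192.0.2.10", 443, "tcp"))
    return results, gw.stats, gw.spu_load


if __name__ == "__main__":
    print(demo())
```

In this model only packets of new flows reach the CP, so the new-flow rate loads the CP and session setup while packets of established flows do not, which is why the capacity slides quote connections per second separately from throughput.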
Copyright © 2009 Juniper Networks, Inc. | www.juniper.net
THANK YOU