Juniper - Switch, Router, Firewall

Characteristics of Network Devices: Switch, Router, Firewall

dr inż. Łukasz Sturgulewski, [email protected], http://luk.kis.p.lodz.pl/

Presentation outline

Characteristics of network devices:

Switch

Router

Firewall

Network devices: portfolio, using Juniper as an example

[Diagram: Juniper portfolio by category (Security, Switches, Routers, WLAN, Management). Products shown: SRX Series; SSL VPN (SA Series); Radius (SBR Series); EX Series; M Series; MX Series; J Series; T Series; Network Access Control (UAC Series); vGW Virtual Gateway (Altor); RingMaster - SmartPass; WL Series.]

Juniper switch families

[Figure: 2008-2012 timeline of Juniper EX switch families, FIXED and MODULAR, at the Access, Aggregation and Core layers. Models shown: EX8216, EX4200, EX8208, EX4500, EX2200, EX4200-PX, EX6200, EX3300, EX2200-C, EX3200, plus EX8200, EX4500, EX4200 and EX3300 Virtual Chassis. Feature labels: 1 TB/slot chassis, 40G and 100G LC, Faster Virtual Chassis Backplane, 8x10G, 1G-Copper, 1G-Fiber, 40x10G, Extra-Scale, 10G Copper, Service Modules, Industrial Grade, External RPS.]

Switch EX3300

24-48 Port Fixed Configuration Access Switch

PoE+ Model Option

4 SFP/SFP+ uplinks

Fixed power supply (AC/DC) and fans

Data center airflow

RPS support

Virtual Chassis technology

10-member Virtual Chassis

Virtual Chassis over 10GbE uplinks

Virtual Chassis between switches up to 40 km apart.

Proven Juniper technology

Junos operating system

Layer 3 (OSPF, PIM)

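| SKU | Airflow | PoE/+ ports | PSU | Total PoE Power |
| --- | --- | --- | --- | --- |
| EX3300-24T | F-to-B | 0 | AC | 0 |
| EX3300-48T | F-to-B | 0 | AC | 0 |
| EX3300-24P | F-to-B | 24 | AC | 405W |
| EX3300-48P | F-to-B | 48 | AC | 740W |
| EX3300-24T-DC | F-to-B | 0 | DC | 0 |
| EX3300-48T-BF | B-to-F | 0 | AC | 0 |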

Switch EX3300

[Figure: EX3300 front view and rear view. Labelled parts: LCD, Gb/10GbE SFP+ uplink ports, 1GbE network ports (PoE+ capable), 1GbE management port, console port, USB, system fan, fan exhaust, AC power supply, RPS connector.]

Fixed, standalone configuration

17.4W x 12.0D x 1.75H inches

1 RU height

Internal power

Fixed uplinks

Environmental Ranges

Operating Temp: 0 to 45° C*

Operating Altitude: up to 10K ft*

Low acoustics: 40-45dB

Management interfaces

LCD – easy bringup

Console (RJ45)

Out-of-band Ethernet (RJ45)

Switch EX3300 VC

Up to 10 members in a virtual chassis over 10GE uplinks

• Last two uplinks configured as VC ports by default

• All four uplinks can be configured as non-VC uplink ports

• All four uplinks can be configured as virtual chassis ports

• 80 Gbps uplink/VC bandwidth

Each uplink auto-detects GE/10 GE

10GE DAC cables recommended for VC (one per EX3300)

• No VC cable shipped with EX3300 system by default

• No mixed-mode VC with EX4200 or EX4500

Supported Optics

EX-SFP-10GE-DAC-1M

EX-SFP-10GE-DAC-7M

EX-SFP-10GE-LR

EX-SFP-10GE-LRM

EX-SFP-10GE-SR

EX-SFP-10GE-USR

EX-SFP-1GE-LX

EX-SFP-1GE-SX

Switch EX3300 RPS

Non-Stop Operation

• Protection against power supply & feed failure

• Enough power to support wireless APs and Unified communication devices (PoE+)

Provide N+N redundancy

• Supports up to 6 devices

• Can simultaneously power 3 devices

Supply up to 2790W AC

• Holds 3 independent power supplies

• Ships with one 930W power supply

Flexible Configuration

• Configurable priorities

– Decide which devices to backup first

• Supports EX2200 and EX3300

FRS Q1’12 with Junos 12.1

| SKU | Description |
| --- | --- |
| EX-RPS-PWR-930-AC | EX Series RPS with 1 AC power supply and 1 RPS connector |
| EX-RPS-CBL | 1.5m RPS connector |
| EX-RPS-PWR-BLNK | Blank for power supply slot |
| EX-PWR2-930-AC | Power supply supported on RPS |

Redundant power system (RPS)

Fixed Configuration

• 17.4W x 17.0D x 1.75H inches

• 1 U height

• RPS cable 1.5 m long

Flexible Mounting Options

• RPS connector side

• Power supply side

Power Supply

• EX-PWR2-930-AC

Environmental Ranges

• Operating temp: 0° to 45° C

• Operating altitude: up to 10K ft

• Low acoustics: 45-50dB

Management Interfaces

• Managed via switch

[Figure: RPS chassis, RPS connector side and power supply side. Labels: console port, cover panel, switch connector port, protective earthing terminal, power supplies, status LEDs, alarm LED, SYS LED.]

Switch EX3300

[Figures (four slides): EX3300 LCD panel, with the labels IDLE, STATUS and MAINT.]

Juniper EX4550

1U 32-port 1/10GbE Switch

Wire-rate performance on all ports

2 expansion slots

8x1/10GbE SFP/SFP+, 128 Gbps Virtual Chassis module

1/10G BASE-T module

2x40G QSFP+ module

~2us Latency

Front-back and back-front airflow

SFP+ version is MACSec capable

Virtual Chassis Technology

256 Gbps virtual backplane (up to 320 Gbps with 40GbE module)

Manage up to 10 as a single device

Extend over 10GbE uplinks (40GbE)

Virtual Chassis with EX4200 & EX4500

Software

Parity with 12.1

MPLS (L2VPN, L3VPN)

RE-SDK

Juniper EX4550

1U 32-port 100M/1G/10GT Switch

Wire-rate performance on all ports

2 Expansion Slots

8x100M/1/10G-BaseT, 8x1/10G SFP/SFP+ , 128 Gbps VC module

~3.8us Latency

Cat5e, Cat6 and Cat6a

Virtual Chassis Technology

320 Gbps virtual backplane

Manage up to 10 as a single device

Extend over 10GbE uplinks (SFP+ or 10GT)

Virtual Chassis with EX4200 & EX4500

Software

Parity with EX4550-32F 12.2r4 or 12.3r1

MPLS (L2VPN, L3VPN)

RE-SDK

EX4550 – Rear View

Redundant Power modules

Redundant Cooling modules

Expansion Module slot

Juniper EX4550

Ease of Migration to higher speeds

Deploy as 1G, migrate to 10G as you grow.

4550-32T can also operate at 100 Mbps

Reduce deployment cost by removing optics.

EX4550-32T is 25% cheaper with Cat 6a cables compared with EX4550-32F with DAC cables

Cat6a cables are 90% cheaper than similar DAC cables

Cat6a supports up to 100 m

Flexibility of Deployment – Mix and Match with Fiber

Up to 16 x 10G SFP+ ports with expansion slots

Cat5e: 10 Gigabit Ethernet up to 45 meters

Cat6: 10 Gigabit Ethernet up to 55 meters

Cat6a: 10 Gigabit Ethernet up to 100 meters

Juniper EX4550

[Figure: EX4550 front view and rear view. Labelled parts: Expansion Slot (PIC 1), Expansion Slot (PIC 2), 32 built-in tri-speed 100M/G/10G ports, Mgmt, Con, Mini USB Con, USB, redundant PSUs (both AC/DC options), redundant FAN modules.]

Juniper routers

M-series Routers: Head office, backbone, and data centers (M7i, M10i, M120, M320)

MX-series Routers: Core/Edge MPLS P/PE, Data Center, BRAS/BNG (MX5/10/40/80, MX240, MX480, MX960)

T-series Routers: MPLS Core, OTN, GMPLS (T640, T1600, T4000)

SRX: Remote, branch, and regional offices

Juniper routers: MX series

New MX - 2012

MX 3D Family: Same Trio Chipset, Same Services

Extending Scale, Reach & Access

[Figure: MX 3D family line-up: MX 5, MX 10, MX 40, MX 80, MX 240, MX 480, MX 960, new 10-slot MX, new 20-slot MX. Capacity labels: 20x1GE, 40xGE, 40x1GE 2x10GE, 80Gbps, 960Gb/s, 2.88 Tb/s, 5.3 Tb/s, 16-40Tbps, 32-80Tbps.]

Juniper routers: MX series

One JUNOS

One TRIO CHIPSET

One UNIVERSAL EDGE

[Figure: MX line-up: MX 5, MX 10, MX 40, MX 80, MX104, MX 240, MX 480, MX 960, MX 2010, MX 2020. Capacity labels: 20Gbps, 40Gbps, 60Gbps, 80Gbps, 80Gbps, 1.4Tbps, 1.6Tbps, 2.6Tbps, 2.8Tbps, 4.8Tbps, 5.3Tbps, 8.8Tbps, 17Tbps, 34Tbps, 40Tbps, 80Tbps.]

Firewall – Juniper SRX

[Figure: SRX line-up, from Small Office/Branch Office to Data Center.]

Firewall – Juniper SRX (DC)

SRX1400: 3U, 3 CFM, 12GE or 3XGE+9GE, 1+1 PS, 10/3/4G, 1.5M sess, 70kcps

SRX3400: 3U, 4+3 CFM, 8+4 GE, 1+1 PS, 30/8/8G, 2.5M sess, 150kcps

SRX3600: 5U, 6+6 CFM, 8+4 GE, 2+2 PS, 55/15/15G, 6M sess, 150kcps

SRX5400: 5U, 3 open slots, 2+2 PS, 60/25/40G, 28M sess, 460kcps

SRX5600: 8U, 6 slot, 1+1 SCB, 2+2 PS, 100/50/75G, 60M sess, 300kcps

SRX5800: 16U, 12 slot, 2+1 SCB, 2+2 AC, 3+1 DC, 200/110/150G, 100M sess, 450kcps

Scalable Performance

Rich Standard Services

• Firewall

• VPN

• IPS

• Routing

• QoS

• AppSecure

• more to come…

Extensible Security Services

Integrated Networking Services

Branch SRX

Firewall – SRX 1400

Entry-level Data Center SRX Services Gateway:

Dynamic Services Architecture™

Wide range of services: FW, IPS, NAT, IPSec VPN, DDoS, QoS, and Routing

Apply any service(s) per flow

Separation of control and data planes

No need for service specific hardware – shared hardware components with SRX3000

Powered by Junos Software

Multi-threaded and Modular

Scriptable

Firewall – Juniper SRX (BRANCH)

Highly configurable

• Fixed & modular form factors

• WAN, WLAN, and LAN interfaces

Extensive integration

• Routing and switching capabilities

• Unmatched core and UTM security

Exceptional performance

• Magnitude greater performance

• HW Content Security Acceleration

• Control & data plane separation, redundant processing and power

| Model | Configuration | ContentSEC H/W Acceleration | FW/IPS Performance |
| --- | --- | --- | --- |
| SRX100/SRX110 | Fixed | No | 700/60 Mbps |
| SRX210E | 1 mini PIM slot | Optional | 850/85 Mbps |
| SRX220 | 2 mini PIM slots | Standard | 950/100 Mbps |
| SRX240 | 4 mini PIM slots | Optional | 1800/230 Mbps |
| SRX550 | 2 mini PIM, 6 GPIM slots | Standard | 5500/800 Mbps |
| SRX650 | 8 GPIM slots | Standard | 7000/900 Mbps |

Highly configurable

• Fixed and modular form factors

• Choice of WAN – DSL, T1 / E1, DS3

• Wireless WAN and LAN

• On-board modular switching

Extensive integration

• Full suite of JUNOS routing and switching capabilities

• Unmatched security, including FW, VPN, UTM, AppSecure, UAC, and full IPS

Exceptional performance and availability

• Hardware-assisted Content Security Acceleration (CSA) for ExpressAV and IPS

• Control & data plane separation, redundant processing and power

Firewall – Juniper SRX (BRANCH)

| Features | SRX240 |
| --- | --- |
| On-board Ethernet | 16 x GE |
| Power over Ethernet (802.3af, 802.3at) | 16 ports GE, 150 W |
| WAN slots | 4 x mini PIM |
| USB ports (flash) | 2 |
| Content Security Accelerator: ExpressAV and Intrusion Detection and Prevention | Yes |
| JUNOS Software version support | JUNOS 11.4R5 |
| Firewall performance (Large Packets) | 1.8 Gbps |
| Firewall performance (IMIX) | 600 Mbps |
| Firewall performance (Firewall + Routing PPS 64byte) | 200 Kpps |
| VPN Performance: AES256+SHA-1 / 3DES+SHA-1 | 300 Mbps |
| IPS Performance | 230 Mbps |
| Connections Per Second (CPS) | 9K CPS |
| Maximum Concurrent Sessions (1GB RAM/2GB RAM) | 128K / 256K |
| Antivirus performance | 85 Mbps |
| AppSecure Throughput (HTTP) | 750 Mbps |
| High Availability | A/A or A/P |

SRX240H2:

2GB DRAM, 2GB Flash

| Features | SRX100 (110) | SRX210E | SRX220 | SRX240 | SRX550 | SRX650 |
| --- | --- | --- | --- | --- | --- | --- |
| On-board Ethernet | 8 x FE | 2 x GE + 6 x FE | 8 x GE | 16 x GE | 6 x GE + 4 x SFP | 4 x GE |
| Memory/Flash | 1 GB / 1 GB | 1 GB / 1 GB | 1 GB / 1 GB | 2 GB / 2 GB | 2 GB* / 2 GB | 2 GB / 2 GB |
| Power over Ethernet (802.3af, 802.3at) | None | 4 ports, 50 W total | 8 ports GE, 120 W | 16 ports GE, 150 W | 40 Port GE, 250 W or 500 W | 48 ports GE, 250 W or 500 W |
| WAN slots | None (1) | 1 x mini PIM | 2 x mini PIM | 4 x mini PIM | 2 x mini PIM + 4 x GPIM | 8 x GPIM |
| USB ports (flash) | 1 (2) | 2 | 2 | 2 | 2 | 2 per processor |
| JUNOS Software version support | JUNOS 11.1* | JUNOS 11.1* | JUNOS 11.1* | JUNOS 11.1* | JUNOS 12.1 | JUNOS 11.1* |
| Routing | YES | YES | YES | YES | YES | YES |
| Content Security Acceleration (IPS, ExpressAV) | No | YES | YES | YES | YES | YES |
| Firewall performance (Large Packets) | 700 Mbps | 850 Mbps | 950 Mbps | 1.8 Gbps | 5.5 Gbps | 7.0 Gbps |
| Firewall performance (IMIX) | 200 Mbps | 250 Mbps | 300 Mbps | 600 Mbps | 1.7 Gbps | 2.5 Gbps |
| Firewall performance (Firewall + Routing PPS 64byte) | 70 Kpps | 95 Kpps | 125 Kpps | 200 Kpps | 700 Kpps | 850 Kpps |
| IPSec VPN throughput | 65 Mbps | 85 Mbps | 100 Mbps | 300 Mbps | 1.0 Gbps | 1.5 Gbps |
| Intrusion Prevention System | 60 Mbps | 85 Mbps | 100 Mbps | 230 Mbps | 800 Mbps | 1 Gbps |
| Connections Per Second (CPS) | 2K | 2.2K | 3K | 9K | 27K | 35K |
| Maximum Concurrent Sessions (512MB/1GB RAM) | 16K / 32K | 32K / 64K | 96K | 128K / 256K | 375K | 512K |
| Antivirus | 25 Mbps | 30 Mbps | 35 Mbps | 85 Mbps | 300 Mbps | 350 Mbps |
| High Availability | A/A or A/P | A/A or A/P | A/A or A/P | A/A or A/P | A/A or A/P, Hot swap GPIMs, Dual power | A/A or A/P, Hot swap GPIMs, Dual power |

Firewall: zones and policies

[Figure: an SRX connecting the INTERNET (zone “UNTRUST”) with the zones “Trust”, “Accounting” and “Guest”; originating zones are marked. Policy labels: Default Policy - Deny All, Default Policy - Allow All.]

Firewall – Juniper SRX (BRANCH)

[Figure: SRX Series between internal threats and external threats from the INTERNET, with the services listed below.]

Enhanced Web Filtering: block access to unapproved sites; real time threat score for each URL

Antivirus: stops viruses, file-based trojans or spread of spyware, adware, keyloggers

Antispam: stops Spam/Phishing

Content Filtering: SRX Series blocks transmission of files for Data Loss Prevention

IPS: IDP detects/stops Worms, Trojans, DoS (L4 & L7), Scans

AppSecure: application level visibility and classification; application level policies tied to user roles

Core Security: Firewall, VPN, Unified Access Control

Zone

A zone is a set of one or more network segments that share identical security requirements.

A security policy controls traffic between zones.

Null zone:

the default zone,

denies/blocks/drops all traffic.

Interfaces can pass/accept traffic only when they belong to a zone other than the null zone;

the exceptions are special interfaces such as fxp0.

Junos-host zone

The junos-host zone can be configured in a security policy to control traffic arriving at (host-inbound) and leaving (host-outbound) the Juniper device.

Inbound traffic must first be permitted as host-inbound traffic in the zone configuration.

The management zone cannot be used in a security policy.
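The two zone slides above, as a Junos configuration sketch. This is an added example, not part of the original lecture; the interface names, the 192.0.2.0/24 management prefix and the policy names are assumptions, and it presumes a Junos release that supports the junos-host zone and the global address book.

```junos
# Added example; interface names, prefix and policy names are assumptions.
# ge-0/0/2.0 is deliberately not placed in any zone: it stays in the null
# zone, so all traffic on it is dropped.

# An interface passes traffic only once it belongs to a zone other than null.
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0

# Step 1: traffic addressed to the device itself must first be allowed as
# host-inbound traffic on the ingress zone. SSH is opened on trust only;
# nothing is opened on untrust.
set security zones security-zone trust host-inbound-traffic system-services ssh

# Step 2: a policy towards junos-host narrows who may use that service.
set security address-book global address mgmt-net 192.0.2.0/24
set security policies from-zone trust to-zone junos-host policy mgmt-ssh match source-address mgmt-net destination-address any application junos-ssh
set security policies from-zone trust to-zone junos-host policy mgmt-ssh then permit
set security policies from-zone trust to-zone junos-host policy other-ssh match source-address any destination-address any application junos-ssh
set security policies from-zone trust to-zone junos-host policy other-ssh then deny

# Transit traffic between zones is controlled by an ordinary zone-pair policy.
set security policies from-zone trust to-zone untrust policy web-out match source-address any destination-address any application junos-https
set security policies from-zone trust to-zone untrust policy web-out then permit
set security policies from-zone trust to-zone untrust policy web-out then log session-close

# Check the result in operational mode:
#   show security zones
#   show security policies from-zone trust to-zone junos-host
```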

[Figure: Untrust Zone (Internet), Trust Zone (Web Server) and the Junos-host Zone on the device itself.]

Packet flow analysis

[Figure: packet flow through the device. Packet-based stages: ingress packet, Per-Packet Policer, Per-Packet Filters, Per-Packet Shaper, egress packet. Session-based Flow Module: "Match Session?" decides between the First Path (No: Screen Options, D-NAT, Route, Zones, Policy, S-NAT, Services ALG, Session) and the Fast Path (Yes: SCREEN Options, TCP, NAT, Services ALG).]
