High End SRX - Westcon-Comstor
Agenda
1 HE SRX – Overview
2 Architecture – What makes a High End a High End?
3 Architecture – Session Setup / Packet Flow / SOF
4 New Components (RE/SCBE)
5 Q&A
Application visibility and control
• Better heuristics for evasive and tunneled apps
• More application signatures
• Open signature language
App Tracking
• Understand security risks
• Address new user behaviors
App Firewall
• Block access to risky apps
• Allow user-tailored policies
App QoS
• Prioritize important apps
• Rate limit less important apps
SSL Proxy
• SSL packet inspection
IPS
• Remediate security threats
Diagram labels: Ingress, Egress, Internet
User firewall controls
Finance
Sales
CEO: No apps blocked, anti-virus applied
P2P apps blocked, YouTube allowed, anti-virus applied
P2P, YouTube blocked, anti-virus applied
Unified Threat Management Services
• Protection from top-tier AV partner
• Reputation-enhanced capabilities
• Filter out extraneous or malicious content
• Maintain bandwidth for essential traffic
• Multilayered spam protection from security experts
• Protection against APTs
• Block malicious URLs
• Prevent lost productivity
Services: Anti-Virus, Web Filtering, Content Filtering, Anti-Spam
Spotlight Secure threat intelligence platform
• Open platform for threat detection and advanced malware prevention
• Connects multiple intelligence sources to the enforcement points
• Single point of administrative control
• Enables security efficiencies that matter to the business
Taking action at the point of enforcement
16 RU Modular chassis
– Vertical design
– 12 expansion slots
– Modules for flexible I/O and service processing
– Junos software
Massive scale
– Up to 450,000 new & sustained connections per second (CPS)
– Up to 100 million sessions
High performance
– Up to 300 Gbps firewall
– Up to 100 Gbps IPS
– Up to 200 Gbps IPSec VPN
High availability
– Redundant management modules
– Redundant switching fabrics
– Redundant fans & power supplies
– Modular Junos Software
Figure: SRX5800 front and rear views. Callouts: power supplies (FRU).
8 RU Modular chassis
– Horizontal design
– 6 expansion slots
– Modules for flexible I/O and service processing
– Junos software
Massive scale
– Up to 450,000 new & sustained connections per second (CPS)
– Up to 100 million sessions
High performance
– Up to 130 Gbps firewall
– Up to 50 Gbps IPS
– Up to 90 Gbps IPSec VPN
High availability
– Redundant management modules
– Redundant switching fabrics
– Redundant fans & power supplies
– Modular Junos Software
Figure: SRX5600 front and rear views. Callouts: power supplies (FRU).
SRX5400
– Latest high end SRX platform, launched Dec '13
– Based on successful high volume MX240 platform design
– Ideal for medium to large enterprises and Service Provider networks
– 5 RU; 3 open card slots
Software Security Services
– AppSecure and IPS
– AV and web filtering
NEXT GENERATION I/O CARD (NG-IOC) OVERVIEW
Next-generation, high-performance line cards
– NG-IOC introduced in 12.1X46-D10
– Only supported on 5k platform
– 100G PFE for SRX5800, SRX5600 and SRX5400
– Single PFE complex with 2 MIC slots
Modular Port Concentrator (MPC)
Modular Interface Card (MIC)
– SRX5K-MIC-1X100GE-CFP
– SRX5K-MIC-2X40GE-QSFPP
– SRX5K-MIC-10XGE-SFPP
– SRX5K-MIC-20GE-SFP (Supported in 12.1X47-D10)
5 RU Modular chassis
– 12 expansion slots (6 front and 6 rear)
– Compact form factor modules for I/O and service processing
– Dual, hot swappable management modules
– Junos Software
Massive scale
– Up to 150,000 new, sustained connections per second (CPS)
– Up to 2.25 million sessions
– With Extreme license, up to 6M sessions and 300k CPS
High performance
– Up to 55 Gbps firewall
– Up to 15 Gbps IPS
– Up to 15 Gbps IPSec VPN
High availability
– Redundant power and fans
– Redundant management
– Modular Junos Software
Figure: SRX3600: SPC/NPC/NP-IOC front and rear views. Callouts: Routing Engine; expansion slots (NP-IOC/IOC/SPC, SPC/NP-IOC, SPC/NPC/NP-IOC); power supplies (FRU); redundant power supplies (optional); 12 on-board GigE ports; USB; Redundant Routing Engine (future) or SCM; 16 x 10/100/1000 I/O card; 16 x GbE SFP I/O card; 2 x 10 GigE I/O card; Switch Fabric Board (SFB); fan tray; fan tray door; front and rear slot guides.
Note: Power cords (“straight” C19 plug) not included with BASE system. Right-Angled power cords interfere with cards but are usable.
3 RU Modular chassis
– 7 expansion slots (4 front and 3 rear)
– Compact form factor modules for I/O and service processing
– Dual, hot swappable management modules
– Junos Software
Massive scale
– Up to 180,000 new, sustained connections per second (CPS)
– Up to 2.25 million sessions
High performance
– Up to 30 Gbps firewall
– Up to 8 Gbps IPS
– Up to 8 Gbps IPSec VPN
High availability
– Redundant power and fans
– Redundant management
– Modular Junos Software
Figure: SRX3400: SPC/NPC/NP-IOC front and rear views. Callouts: Routing Engine; expansion slots (IOC/SPC, SPC/NPC); power supply (FRU); redundant power supply (optional); 12 on-board GbE ports; USB; Redundant Routing Engine (future) or SCM; 16 x 10/100/1000 I/O card; 16 x GbE SFP I/O card; 2 x 10 GigE I/O card; Switch Fabric Board (SFB); fan tray; fan tray door; front and rear slot guides.
Note: Power cords (“straight” C19 plug) not included with BASE system. Right-Angled power cords interfere with cards but are usable.
3 RU Modular chassis
– 3 expansion slots
– Compact form factor modules shared with SRX3000
– Junos Software
Scale
– Up to 45,000 new, sustained connections per second (CPS)
– Up to 1.5 million sessions
High performance
– Up to 10 Gbps firewall
– Up to 4 Gbps IPS
– Up to 5 Gbps IPSec VPN
High availability
– Redundant power and fans
– Chassis Clustering
– Modular Junos Software
– Shared HA-control ports
– High availability
SRX3000 technology
– Common sparing possible
Figure: SRX1400 front view. Callouts: Management Module (RE); expansion slot (IOC/NP-IOC/SPC); expansion slots (NSPC or SPC+NPC); 12 on-board ports (1400GE: 6+4+2 GE; 1400XGE: 3 XGE plus 6+1+2 GE); power supply (FRU); redundant power supply (optional); fan tray (rear); slot guide.
Note: Region-appropriate Power Cord (“straight” C13 plug) is included with BASE system but not with spare (redundant) power supplies.
Packet Flow: First packet of new flow
1. Packet received by NP; NP flow lookup, no match
2. NP sends packet to CP
3. CP chooses SPU, forwards packet; SPU does session setup
4. Packet forwarded out egress port
Diagram: IOC (NPs), fabric, SPC #1 (CP, SPU) through SPC #N (SPUs)
Packet Flow: Session setup Messages
1. SPU sends insert session to CP
2. SPU sends insert session to ingress NP
3. SPU sends insert session to egress NP
Diagram: IOC (NPs), fabric, SPC #1 (CP, SPU) through SPC #N (SPUs)
17 Copyright © 2013 Juniper Networks, Inc. www.juniper.net
SRX3x00 cards
Diagram: I/O Cards, fabric, Network Processing Cards, fabric, Services Processing Cards
PACKET FLOW : FIRST PACKET OF NEW FLOW
1. Packet received by NP; NP flow lookup, no match
2. NP sends packet to CP
3. CP chooses SPU, forwards packet; SPU does session setup
4. Packet forwarded out egress port via NPC for queuing
Diagram: SPC #1 through SPC #N (CP, SPUs, FPGAs) in the fabric SPC domain; IOC #X, IOC #Y, NPC #R, NPC #S (NPs, SWI, FPGAs) in the fabric IOC domain
PACKET FLOW : SETUP MESSAGES
1. SPU sends insert session to CP
2. SPU sends insert session to ingress NP
3. SPU sends insert session to egress NP
Diagram: SPC #1 through SPC #N (CP, SPUs, FPGAs) in the fabric SPC domain; IOC #X, IOC #Y, NPC #R, NPC #S (NPs, SWI, FPGAs) in the fabric IOC domain
PACKET FLOW : FAST PATH
1. Packet received by NP; NP flow lookup, match
2. NP sends packet to SPU; SPU does fast path processing
3. Packet forwarded to egress NP
4. Packet egresses card
Diagram: SPC #1 through SPC #N (CP, SPUs, FPGAs) in the fabric SPC domain; IOC #X, IOC #Y, NPC #R, NPC #S (NPs, SWI, FPGAs) in the fabric IOC domain
INTRODUCING THE NP-IOC
Two 10GE SFP+ revenue traffic interfaces (IOC) + Network Processing Card (NPC) = NP-IOC
Packet Flow: Fast Path
1. Packet received by NP; NP flow lookup, match
2. NP sends packet to SPU; SPU does fast path processing
3. Packet forwarded to egress NP
4. Packet egresses card
Diagram: IOC (NPs), fabric, SPC #1 (CP, SPU) through SPC #N (SPUs)
NP-IOC First Path in Standard & SOF Mode
1. Packet received by NP; NP flow lookup, no match
2. NP sends packet to CP
3. CP chooses SPU, forwards packet; SPU does session setup
4. Packet forwarded out egress port
Diagram: IOC (NP), fabric, SPC #1 (CP) through SPC #N (SPU)
NP-IOC Fast Path in Standard Mode
1. Packet received by NP; NP flow lookup, match
2. NP sends packet to SPU; SPU does fast path processing
3. Packet forwarded to egress NP
4. Packet egresses card
Diagram: IOC (NP), fabric, SPC #1 (CP) through SPC #N (SPU)
NP-IOC Intra-NP Fast Path in SOF Mode
1. Packet received by NP
2. NP flow/session lookup, match
3. NP forwards packet to egress port
Diagram: IOC (NP), fabric, SPC #1 (CP) through SPC #N (SPU)
NP-IOC Inter-NP Fast Path in SOF Mode
1. Packet received by NP
2. NP flow/session lookup, match
3. NP forwards it to egress NP through switch fabric
4. Egress NP forwards it to egress port
Diagram: IOC (ingress NP, egress NP), fabric, SPC #1 (CP) through SPC #N (SPU)
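The first-path, session-install and fast-path steps on the packet-flow slides above, modelled as a small Python state machine. This is an added example, not Juniper code: the class and function names are hypothetical, the hash-based SPU choice is an assumption (the slides only say the CP chooses an SPU), and only one direction of a flow is modelled.

```python
# Added illustration (not Juniper code): toy model of the NP / CP / SPU
# roles on the packet-flow slides. One direction of a flow only.
import zlib

class Chassis:
    def __init__(self, num_spus, sof=False):
        self.num_spus = num_spus  # SPUs across SPC #1..#N
        self.sof = sof            # True models the NP-IOC "SOF mode" slides
        self.cp_sessions = {}     # CP table: flow -> owning SPU
        self.np_sessions = {}     # per-NP tables: np_id -> {flow: spu}

    def _choose_spu(self, flow):
        # Assumption: hash-based pick; the slides only say "CP chooses SPU".
        return zlib.crc32(repr(flow).encode()) % self.num_spus

    def handle(self, flow, ingress_np, egress_np):
        """Return the hops one packet takes, updating session tables."""
        spu = self.np_sessions.get(ingress_np, {}).get(flow)
        if spu is None:
            # First path: NP lookup misses, NP -> CP, CP picks an SPU.
            spu = self._choose_spu(flow)
            # SPU does session setup, then sends "insert session" to the
            # CP, the ingress NP and the egress NP.
            self.cp_sessions[flow] = spu
            for np_id in (ingress_np, egress_np):
                self.np_sessions.setdefault(np_id, {})[flow] = spu
            return [f"NP{ingress_np}", "CP", f"SPU{spu}", "egress port"]
        if not self.sof:
            # Standard fast path: NP lookup hits, packet goes via the SPU.
            return [f"NP{ingress_np}", f"SPU{spu}", f"NP{egress_np}", "egress port"]
        if egress_np == ingress_np:
            return [f"NP{ingress_np}", "egress port"]  # SOF, intra-NP
        # SOF, inter-NP: across the switch fabric to the egress NP.
        return [f"NP{ingress_np}", "fabric", f"NP{egress_np}", "egress port"]

def trace(sof, ingress_np, egress_np, packets=3):
    """Hop lists for `packets` packets of one constructed sample flow."""
    flow = ("192.0.2.10", 40000, "198.51.100.20", 443, "tcp")  # constructed
    chassis = Chassis(num_spus=4, sof=sof)
    return [chassis.handle(flow, ingress_np, egress_np) for _ in range(packets)]

if __name__ == "__main__":
    for label, args in [("standard", (False, 0, 1)), ("SOF intra-NP", (True, 0, 0)),
                        ("SOF inter-NP", (True, 0, 1))]:
        print(label)
        for hops in trace(*args):
            print("  " + " -> ".join(hops))
```

Only the first packet of a flow touches the CP; in the SOF traces the packets after it never reach an SPU.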
SRX5000 Line – What’s New
• New high performance line cards now available for the SRX5800/5600/5400 Series:
– Routing Engine Refresh (RE-1800X4)
– New Enhanced System Control Board (SCBE)
• Corporate rebranding from Blue to Charcoal for SRX5000 chassis and most line cards (all Gen2)
SRX5K-RE-1800x4 – Routing Engine Refresh
– FXP0: 1GE
– 4G CF: stores Junos, stores configs
– Quad-core Intel Xeon
– 128G SSD: stores coredumps, stores logs
Key Enhancements with Routing Engine Refresh
Performance
– Higher performance through Xeon processor
– Better performance with single core compared to RE-1300
Reliability
– Improved Mean Time Before Failure with SSDs
– 6-nines Reliability equates to <20 seconds downtime/year**
Scale
– Increased memory in DRAM
– Hardware enablement for 64-bit Junos*
* At FRS for 12.1X47-D15, we still run 32-bit Junos
** Telcordia Reliability Analysis and Test Report, November 2014 – independent testing, not related to RE Refresh
Performance Improvements with RE Refresh
• Better performance, scalability and reliability
• Improved memory utilization
• Improved CPU utilization
Activity | RE-1300 | RE-1800X4
Time taken to push 1800 routes from RE to PFE | 8 Mins | 3 Mins
l2ald (output of top -S command) | 2.54% | 1.03%
User CPU | 4% | 3%
Kernel CPU | 58% | 20%
Interrupt CPU | 24% | 12%
IDLE CPU | 13% | 64%
Memory Utilization | 20% | 13%
Routing Engine Specs | SRX5K-RE-1300 (Existing) | SRX5K-RE-1800X4
Processor | Celeron-M @ 1300 MHz | Quad-core Intel Xeon @ 1800 MHz
Memory (RE-DRAM) | 2G DRAM | 16G DRAM**
Compact flash storage | 1G | 4G
Hard Disk storage | 40G | 120G SSD
Min JUNOS supported | All releases of Junos | 12.1X47-D15
Supported platforms/components | SRX5K with all CG/NG SPC/IOC | SRX5K with only NGSPC/NGIOC
* Note: the current capacity scaling numbers remain unchanged
** Only 4G in 32-bit kernel
SCBE: Key Highlights
• Leverages MX SCBE which uses XF chip
• Supports 120Gbps fabric data throughput per slot
• Supports In-Service-Hardware-Upgrade (ISHU) from CG-SCB to NG-SCB for smooth upgrade transition
Scaling and Performance with SCBE | Release X47-D15
Firewall max throughput | 320Gbps
Per NG-IOC slot max throughput | 120Gbps
Firewall max throughput for IMIX traffic | 140Gbps
RE-1800 & SCBE – Platforms Supported
Supported with Junos 12.1X47-D15 and above releases (*SW FRS 1st Dec, 2014; HW FRS 8th Dec, 2014)
Model | Description | Product Platform
SRX5K-SCBE | SRX5K Enhanced Switch Control Board | SRX5400, SRX5600, SRX5800
SRX5K-RE-1800X4 | SRX5K Route Engine, 1.8GHz quad-core Xeon, 16GB DRAM, 128GB SSD | SRX5400, SRX5600, SRX5800

Model | Description | Supported with SRX5K-SCBE and SRX5K-RE-1800X4?
SRX5K-SPC-4-15-320 | High performance services processing card for SRX5K | Yes
SRX5K-MPC | MPC for 100GE, 40GE, 10GE, and 1GE MIC Interfaces | Yes
SRX5K-40GE-SFP | 40x1Gig SFP Ethernet I/O Card for SRX5000 | No
SRX5K-4XGE-XFP | 4x10Gig XFP Ethernet I/O Card for SRX5000 | No
SRX5K-FPC-IOC | SRX 5000 Flex IOC. Supports 2 pluggable port modules. | No
SRX5K-RE-13-20 | SRX5K Route Engine, 1.3GHz, 2GB DRAM | No
SRX5K-SCB | SRX5K Switch Control Board | No
SRX5K-SPC-2-10-40 | SRX5K Service Processing Card | No
Approved Pricing / SKUs
Model | Description | List Price
SRX5K-SCBE | SRX5K Enhanced Switch Control Board | $20,000
SRX5K-RE-1800X4 | SRX5K Route Engine, 1.8GHz quad-core Xeon, 16GB DRAM, 128GB SSD | $35,000
SRX5400E-B1-AC | SRX5400 Enhanced Configuration 1 includes chassis, midplane, SRX5K-RE-1800X4, SRX5K-SCBE, 2xAC HC PEM, HC fan tray, SRX5K-SPC-4-15-320, SRX5K-MPC, and SRX-MIC-10XG-SFPP | $180,000
SRX5400E-B1-DC | SRX5400 Enhanced Configuration 1 includes chassis, midplane, SRX5K-RE-1800X4, SRX5K-SCBE, 2xDC HC PEM, HC fan tray, SRX5K-SPC-4-15-320, SRX5K-MPC, and SRX-MIC-10XG-SFPP | $180,000
SRX5400E-B2-AC | SRX5400 Enhanced Configuration 2 includes chassis, midplane, SRX5K-RE-1800X4, SRX5K-SCBE, 2xAC HC PEM, HC fan tray, 2xSRX5K-SPC-4-15-320, SRX5K-MPC, and SRX-MIC-10XG-SFPP | $280,000
SRX5400E-B2-DC | SRX5400 Enhanced Configuration 2 includes chassis, midplane, SRX5K-RE-1800X4, SRX5K-SCBE, 2xDC HC PEM, HC fan tray, 2xSRX5K-SPC-4-15-320, SRX5K-MPC, and SRX-MIC-10XG-SFPP | $280,000
SRX5600E-BASE-AC | SRX5600 Enhanced chassis includes chassis, midplane, SRX5K-RE-1800X4, SRX5K-SCBE, 2xAC HC PEM, HC fan | $65,000
SRX5600E-BASE-DC | SRX5600 Enhanced chassis includes chassis, midplane, SRX5K-RE-1800X4, SRX5K-SCBE, 2xDC HC PEM, HC fan | $65,000
SRX5800E-BASE-AC | SRX5800 Enhanced chassis includes chassis, midplane, SRX5K-RE-1800X4, 2xSRX5K-SCBE, 2xAC HC PEM, 2X HC fan | $89,000
SRX5800E-BASE-DC | SRX5800 Enhanced chassis includes chassis, midplane, SRX5K-RE-1800X4, 2xSRX5K-SCBE, 2xDC HC PEM, 2X HC fan | $89,000
Available on Price List
Requires 12.1X47-D15