Juniper - Switch, Router, Firewall 1
Characteristics of network devices: Switch, Router, Firewall
dr inż. Łukasz Sturgulewski, [email protected], http://luk.kis.p.lodz.pl/
Presentation outline
Characteristics of network devices:
• Switch
• Router
• Firewall
Network devices: the portfolio, using Juniper as an example
Security, Switches, Routers
SRX Series
SSL VPN (SA Series), Radius (SBR Series)
EX Series
M Series, MX Series
J Series, T Series
Network Access Control (UAC Series)
Management
vGW Virtual Gateway (Altor)
RingMaster - SmartPass
WL Series
WLAN
Juniper switch families
[Figure: EX Series timeline, 2008 to 2012, with FIXED and MODULAR platform rows, each split into Core, Aggregation and Access tiers.]
Models shown: EX2200, EX2200-C, EX3200, EX3300, EX4200, EX4200-PX, EX4500, EX6200, EX8208, EX8216
Feature labels shown: 1 TB/slot chassis; 40G and 100G LC; EX8200 Virtual Chassis; EX4500 Virtual Chassis; EX4200 Virtual Chassis; EX3300 Virtual Chassis; Faster Virtual Chassis Backplane; 8x10G; 40x10G; 1G-Copper; 1G-Fiber; 10G Copper; Extra-Scale; Service Modules; Industrial Grade; External RPS
Switch EX3300
24-48 Port Fixed Configuration Access Switch
• PoE+ model option
• 4 SFP/SFP+ uplinks
• Fixed power supply (AC/DC) and fans
• Data center airflow
• RPS support
Virtual Chassis technology
• 10-member Virtual Chassis
• Virtual Chassis over 10GbE uplinks
• Virtual Chassis between switches up to 40 km apart
Proven Juniper technology
• Junos operating system
• Layer 3 (OSPF, PIM)
SKU | Airflow | PoE/+ ports | PSU | Total PoE Power
EX3300-24T | F-to-B | 0 | AC | 0
EX3300-48T | F-to-B | 0 | AC | 0
EX3300-24P | F-to-B | 24 | AC | 405W
EX3300-48P | F-to-B | 48 | AC | 740W
EX3300-24T-DC | F-to-B | 0 | DC | 0
EX3300-48T-BF | B-to-F | 0 | AC | 0
Switch EX3300
[Figure: front and rear views. Labelled parts: LCD, Gb/10GbE SFP+ uplink ports, 1GbE management port, console port, system fan, AC power supply, USB, fan exhaust, 1GbE network ports (PoE+ capable), RPS connector.]
Fixed, standalone configuration
• 17.4W x 12.0D x 1.75H inches
• 1 RU height
• Internal power
• Fixed uplinks
Environmental Ranges
• Operating Temp: 0 to 45° C*
• Operating Altitude: up to 10K ft*
• Low acoustics: 40-45dB
Management interfaces
• LCD – easy bringup
• Console (RJ45)
• Out-of-band Ethernet (RJ45)
Switch EX3300 VC
Up to 10 members in a virtual chassis over 10GE uplinks
• Last two uplinks configured as VC ports by default
• All four uplinks can be configured as non-VC uplink port
• All four uplinks can be configured as virtual chassis ports
• 80 Gbps uplink/VC bandwidth
Each uplink auto-detect for GE/10 GE
10GE DAC cables recommended for VC (one per EX3300)
• No VC cable shipped with EX3300 system by default
• No mixed-mode VC with EX4200 or EX4500
Supported Optics
EX-SFP-10GE-DAC-1M
EX-SFP-10GE-DAC-7M
EX-SFP-10GE-LR
EX-SFP-10GE-LRM
EX-SFP-10GE-SR
EX-SFP-10GE-USR
EX-SFP-1GE-LX
EX-SFP-1GE-SX
Switch EX3300 RPS
Non-Stop Operation
• Protection against power supply & feed failure
• Enough power to support wireless APs and Unified communication devices (POE+)
Provide N+N redundancy
• Supports up to 6 devices
• Can simultaneously power 3 devices
Supply up to 2790W AC
• Holds 3 independent power supplies
• Ships with one 930W power supply
Flexible Configuration
• Configurable priorities
  – Decide which devices to backup first
• Supports EX2200 and EX3300
FRS Q1’12 with Junos 12.1
SKU | Description
EX-RPS-PWR-930-AC | EX Series RPS with 1 AC power supply and 1 RPS connector
EX-RPS-CBL | 1.5m RPS connector
EX-RPS-PWR-BLNK | Blank for power supply slot
EX-PWR2-930-AC | Power supply supported on RPS
Redundant power system (RPS)
[Figure: RPS connector side and power supply side. Labelled parts: cover panel, switch connector port, protective earthing terminal, power supplies, status LEDs, alarm LED, SYS LED.]
Fixed Configuration
• 17.4W x 17.0D x 1.75H inches
• 1 U height
• RPS cable 1.5 m long
Flexible Mounting Options
• RPS connector side
• Power supply side
Power Supply
• EX-PWR2-930-AC
Environmental Ranges
• Operating temp: 0° to 45° C
• Operating altitude: up to 10K ft
• Low acoustics: 45-50dB
Management Interfaces
• Managed via switch
• Console port
Juniper EX4550
1U 32-port 1/10GbE Switch
• Wire-rate performance on all ports
• 2 expansion slots
  – 8x1/10GbE SFP/SFP+, 128 Gbps Virtual Chassis module
  – 1/10G BASE-T module
  – 2x40G QSFP+ module
• ~2us Latency
• Front-back and back-front airflow
• SFP+ version is MACSec capable
Virtual Chassis Technology
• 256 Gbps virtual backplane (up to 320 Gbps with 40GbE module)
• Manage up to 10 as a single device
• Extend over 10GbE uplinks (40GbE)
• Virtual Chassis with EX4200 & EX4500
Software Parity with 12.1
• MPLS (L2VPN, L3VPN)
• RE-SDK
Juniper EX4550
1U 32-port 100M/1G/10GT Switch
• Wire-rate performance on all ports
• 2 Expansion Slots
  – 8x100M/1/10G-BaseT, 8x1/10G SFP/SFP+, 128 Gbps VC module
• ~3.8us Latency
• Cat5e, Cat6 and Cat6a
Virtual Chassis Technology
• 320 Gbps virtual backplane
• Manage up to 10 as a single device
• Extend over 10GbE uplinks (SFP+ or 10GT)
• Virtual Chassis with EX4200 & EX4500
Software Parity with EX4550-32F
• 12.2r4 or 12.3r1
• MPLS (L2VPN, L3VPN)
• RE-SDK
[Figure: EX4550 rear view. Labels: redundant power modules, redundant cooling modules, expansion module slot.]
Juniper EX4550
Ease of Migration to higher speeds
• Deploy as 1G, migrate to 10G as you grow.
• 4550-32T can also operate at 100 Mbps
Reduce deployment cost by removing Optics.
• EX4550-32T is 25 % cheaper with Cat 6a cables compared with EX4550-32F with DAC cables
• Cat6a cables 90% cheaper than similar DAC cables
• Cat6a supports up to 100m
Flexibility of Deployment – Mix and Match with Fiber
• Up to 16 x 10G SFP+ ports with expansion slots
Cable | Supported speed and reach
Cat5e | 10 Gigabit Ethernet up to 45 meters
Cat6 | 10 Gigabit Ethernet up to 55 meters
Cat6a | 10 Gigabit Ethernet up to 100 meters
Juniper EX4550
[Figure: EX4550 front and rear views. Labels: 32 built-in tri-speed 100M/G/10G ports, Mgmt, Con, Mini USB Con, USB, expansion slot (PIC 1), expansion slot (PIC 2), redundant PSUs (both AC/DC options), redundant fan modules.]
Juniper routers
M-series Routers: Head office, backbone, and data centers
• M7i, M10i, M120, M320
MX-series Routers: Core/Edge MPLS P/PE, Data Center, BRAS/BNG
• MX5/10/40/80, MX240, MX480, MX960
T-series Routers: MPLS Core, OTN, GMPLS
• T640, T1600, T4000
SRX: Remote, branch, and regional offices
Juniper routers: MX series
MX 3D Family: Same Trio Chipset, Same Services
Extending Scale, Reach & Access
[Figure: MX family scale chart. Models: MX 5, MX 10, MX 40, MX 80, MX 240, MX 480, MX 960, plus the 10-slot and 20-slot "New MX" (New MX - 2012). Values shown: 20x1GE, 40xGE, 2x10GE, 40x1GE, 80Gbps, 960Gb/s, 2.88 Tb/s, 5.3 Tb/s, 16-40Tbps, 32-80Tbps.]
Juniper routers: MX series
One JUNOS
One TRIO CHIPSET
One UNIVERSAL EDGE
[Figure: MX family capacity chart. Models: MX 5, MX 10, MX 40, MX 80, MX104, MX 240, MX 480, MX 960, MX 2010, MX 2020. Values shown: 20Gbps, 40Gbps, 60Gbps, 80Gbps, 80Gbps, 1.4Tbps, 1.6Tbps, 2.6Tbps, 2.8Tbps, 4.8Tbps, 5.3Tbps, 8.8Tbps, 17Tbps, 34Tbps, 40Tbps, 80Tbps.]
Firewall – Juniper SRX (DC)
Model | Specifications
SRX1400 | 3U, 3 CFM, 12GE or 3XGE+9GE, 1+1 PS, 10/3/4G, 1.5M sess, 70kcps
SRX3400 | 3U, 4+3 CFM, 8+4 GE, 1+1 PS, 30/8/8G, 2.5M sess, 150kcps
SRX3600 | 5U, 6+6 CFM, 8+4 GE, 2+2 PS, 55/15/15G, 6M sess, 150kcps
SRX5400 | 5U, 3 open slots, 2+2 PS, 60/25/40G, 28M sess, 460kcps
SRX5600 | 8U, 6 slot, 1+1 SCB, 2+2 PS, 100/50/75G, 60M sess, 300kcps
SRX5800 | 16U, 12 slot, 2+1 SCB, 2+2 AC, 3+1 DC, 200/110/150G, 100M sess, 450kcps
Scalable Performance
Rich Standard Services
• Firewall
• VPN
• IPS
• Routing
• QoS
• AppSecure
• more to come…
• Extensible Security Services
Integrated Networking Services
Branch SRX
Firewall – SRX 1400
Entry-level Data Center SRX Services Gateway:
Dynamic Services Architecture™
Wide range of services: FW, IPS, NAT, IPSec VPN, DDoS, QoS, and Routing
Apply any service(s) per flow
Separation of control and data planes
No need for service specific hardware – shared hardware components with SRX3000
Powered by Junos Software
Multi-threaded and Modular
Scriptable
Firewall – Juniper SRX (BRANCH)
Highly configurable
• Fixed & modular form factors
• WAN, WLAN, and LAN interfaces
Extensive integration
• Routing and switching capabilities
• Unmatched core and UTM security
Exceptional performance
• Magnitude greater performance
• HW Content Security Acceleration
• Control & data plane separation, redundant processing and power
Model | Configuration | ContentSEC H/W Acceleration | FW/IPS Performance
SRX100/SRX110 | Fixed | No | 700/60 Mbps
SRX210E | 1 mini PIM slot | Optional | 850/85 Mbps
SRX220 | 2 mini PIM slots | Standard | 950/100 Mbps
SRX240 | 4 mini PIM slots | Optional | 1800/230 Mbps
SRX550 | 2 mini PIM, 6 GPIM slots | Standard | 5500/800 Mbps
SRX650 | 8 GPIM slots | Standard | 7000/900 Mbps
Highly configurable
• Fixed and modular form factors
• Choice of WAN – DSL, T1 / E1, DS3
• Wireless WAN and LAN
• On-board modular switching
Extensive integration
• Full suite of JUNOS routing and switching capabilities
• Unmatched security, including FW, VPN, UTM, AppSecure, UAC, and full IPS
Exceptional performance and availability
• Hardware-assisted Content Security Acceleration (CSA) for ExpressAV and IPS
• Control & data plane separation, redundant processing and power
Firewall – Juniper SRX (BRANCH)
Features | SRX240
On-board Ethernet | 16 x GE
Power over Ethernet (802.3af, 802.3at) | 16 ports GE, 150 W
WAN slots | 4 x mini PIM
USB ports (flash) | 2
Content Security Accelerator: ExpressAV and Intrusion Detection and Prevention | Yes
JUNOS Software version support | JUNOS 11.4R5
Firewall performance (Large Packets) | 1.8 Gbps
Firewall performance (IMIX) | 600 Mbps
Firewall performance (Firewall + Routing PPS 64byte) | 200 Kpps
VPN Performance (AES256+SHA-1 / 3DES+SHA-1) | 300 Mbps
IPS Performance | 230 Mbps
Connections Per Second (CPS) | 9K CPS
Maximum Concurrent Sessions (1GB RAM/2GB RAM) | 128K / 256K
Antivirus performance | 85 Mbps
AppSecure Throughput (HTTP) | 750 Mbps
High Availability | A/A or A/P
SRX240H2: 2GB DRAM, 2GB Flash
FEATURES | SRX100 (110) | SRX210E | SRX220 | SRX240 | SRX550 | SRX650
On-board Ethernet | 8 x FE | 2 x GE + 6 x FE | 8 x GE | 16 x GE | 6 x GE + 4 x SFP | 4 x GE
Memory/Flash | 1 GB / 1 GB | 1 GB / 1 GB | 1 GB / 1 GB | 2 GB / 2 GB | 2 GB* / 2 GB | 2 GB / 2 GB
Power over Ethernet (802.3af, 802.3at) | None | 4 ports, 50 W total | 8 ports GE, 120 W | 16 ports GE, 150 W | 40 Port GE, 250 W or 500 W | 48 ports GE, 250 W or 500 W
WAN slots | None (1) | 1 x mini PIM | 2 x mini PIM | 4 x mini PIM | 2 x mini PIM + 4 x GPIM | 8 x GPIM
USB ports (flash) | 1 (2) | 2 | 2 | 2 | 2 | 2 per processor
JUNOS Software version support | JUNOS 11.1* | JUNOS 11.1* | JUNOS 11.1* | JUNOS 11.1* | JUNOS 12.1 | JUNOS 11.1*
Routing | YES | YES | YES | YES | YES | YES
Content Security Acceleration (IPS, ExpressAV) | No | YES | YES | YES | YES | YES
Firewall performance (Large Packets) | 700 Mbps | 850 Mbps | 950 Mbps | 1.8 Gbps | 5.5 Gbps | 7.0 Gbps
Firewall performance (IMIX) | 200 Mbps | 250 Mbps | 300 Mbps | 600 Mbps | 1.7 Gbps | 2.5 Gbps
Firewall performance (Firewall + Routing PPS 64byte) | 70 Kpps | 95 Kpps | 125 Kpps | 200 Kpps | 700 Kpps | 850 Kpps
IPSec VPN throughput | 65 Mbps | 85 Mbps | 100 Mbps | 300 Mbps | 1.0 Gbps | 1.5 Gbps
Intrusion Prevention System | 60 Mbps | 85 Mbps | 100 Mbps | 230 Mbps | 800 Mbps | 1 Gbps
Connections Per Second (CPS) | 2K | 2.2K | 3K | 9K | 27K | 35K
Maximum Concurrent Sessions (512MB/1GB RAM) | 16K / 32K | 32K / 64K | 96K | 128K / 256K | 375K | 512K
Antivirus | 25 Mbps | 30 Mbps | 35 Mbps | 85 Mbps | 300 Mbps | 350 Mbps
High Availability | A/A or A/P | A/A or A/P | A/A or A/P | A/A or A/P | A/A or A/P, Hot swap GPIMs, Dual power | A/A or A/P, Hot swap GPIMs, Dual power
Firewall: zones and policies
[Figure: an SRX with the Internet and the zones "UNTRUST", "Accounting", "Trust" and "Guest". Labels: Originating Zone; Default Policy: Deny All; Default Policy: Allow All.]
Firewall – Juniper SRX (BRANCH)
Enhanced Web Filtering
• Block access to unapproved sites
• Real time threat score for each URL
Antivirus
• Stops viruses, file-based trojans or spread of spyware, adware, keyloggers
Antispam
• Stops Spam/Phishing
IPS
• IDP detects/stops Worms, Trojans, DoS (L4 & L7), Scans
Content Filtering
• SRX Series blocks transmission of files for Data Loss Prevention
AppSecure
• Application level visibility and classification
• Application level policies tied to user roles
Core Security
• Firewall, VPN, Unified Access Control
[Figure labels: Internal Threats, External Threats, INTERNET.]
Zone
A zone is a set of one or more network segments that share identical security requirements.
A security policy controls traffic between zones.
Null zone:
• the default zone,
• denies/blocks/drops all traffic.
Interfaces can pass/accept traffic only when they belong to a zone other than the Null zone;
special interfaces such as fxp0 are the exception.
Junos-host zone
The junos-host zone can be configured in a security policy to control traffic arriving at (host-inbound) and leaving (host-outbound) the Juniper device.
Inbound traffic must first be permitted as host-inbound traffic in the zone configuration.
The management zone cannot be used in a security policy.
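The zone rules from the two slides above, as an added example (not part of the original presentation and not Juniper code): a small Python model of the decision order for transit traffic and for traffic addressed to the device itself. Interface names, zones and rules are constructed sample data; the fxp0 exception is not modelled, and the model assumes the junos-host policy is consulted only when one exists for the source zone.

```python
from dataclasses import dataclass, field

NULL_ZONE = "null"          # default zone of every unassigned interface
JUNOS_HOST = "junos-host"   # zone standing for the device itself

@dataclass
class ZoneFirewall:
    iface_zone: dict = field(default_factory=dict)    # interface -> zone
    host_inbound: dict = field(default_factory=dict)  # zone -> services allowed to the device
    policies: list = field(default_factory=list)      # (from_zone, to_zone, service, action)
    default_action: str = "deny"                      # used when no policy matches

    def zone_of(self, iface):
        return self.iface_zone.get(iface, NULL_ZONE)

    def _policy(self, src, dst, service):
        for from_zone, to_zone, svc, action in self.policies:  # first match wins
            if (from_zone, to_zone) == (src, dst) and svc in (service, "any"):
                return action
        return self.default_action

    def transit(self, in_iface, out_iface, service):
        """Decision for traffic crossing the device between two interfaces."""
        src, dst = self.zone_of(in_iface), self.zone_of(out_iface)
        if NULL_ZONE in (src, dst):
            return "drop: null zone"
        return self._policy(src, dst, service)

    def to_device(self, in_iface, service):
        """Decision for traffic addressed to the device itself."""
        src = self.zone_of(in_iface)
        if src == NULL_ZONE:
            return "drop: null zone"
        if service not in self.host_inbound.get(src, set()):
            return "drop: not in host-inbound-traffic"
        # Model assumption: the junos-host policy applies only if one exists for this zone.
        if any(p[:2] == (src, JUNOS_HOST) for p in self.policies):
            return self._policy(src, JUNOS_HOST, service)
        return "permit"

# Constructed sample configuration (interface names and rules are illustrative).
fw = ZoneFirewall(
    iface_zone={"ge-0/0/0": "untrust", "ge-0/0/1": "trust", "ge-0/0/2": "guest"},
    host_inbound={"trust": {"ssh", "ping"}, "guest": {"ping"}, "untrust": set()},
    policies=[
        ("trust", "untrust", "any", "permit"),
        ("guest", "untrust", "http", "permit"),
        ("trust", JUNOS_HOST, "ssh", "permit"),
    ],
)
```

With this sample data, ping from the trust zone to the device passes the host-inbound check but is then denied by the junos-host policy, which only permits ssh.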
[Figure: Untrust Zone, Trust Zone and Junos-host Zone, with a Web Server and the Internet.]
Packet flow analysis
[Figure: flow module with session-based processing between packet-based stages. Ingress packet: Per-Packet Filters, Per-Packet Policer, then the "Match Session?" decision. No (First Path): Screen Options, D-NAT, Route, Zones, Policy, S-NAT, Services ALG, Session. Yes (Fast Path): Screen Options, TCP, NAT, Services ALG. Egress packet: Per-Packet Filters, Per-Packet Shaper.]