Copyright © 2015 Juniper Networks, Inc. 1
Services Offload 12.3X48
Wei Ling Neo
Technical Marketing HE SRX
JUNIPER NETWORKS & PARTNER CONFIDENTIAL: SHARE UNDER NDA ONLY
AGENDA
1 Use case & Deployment Scenarios
2 Express Path Flow Architecture
3 Express Path Configuration
4 Express Path Performance
5 Q & A
Use Cases & Deployment Scenarios
Elephant Flows of 100Gbps/40Gbps Deployments
[Figure: Science DMZ deployment. Labels: Site/Campus LAN, Enterprise Border Firewall, Area Border Router, Science DMZ Switch/Router, SRX, Data Transfer Cluster, Project X Data Transfer Node, Project Y DTN, Site/Campus access to Science DMZ resources, 10G/40G/100G links]
Security posture well matched to high-performance science applications
Reduce packet path latency
Support DTN/DTC large data flows
Price/ Performance gains
100Gbps Large Packet, 3x SPCII

| Hardware | Pricelist | Qty | Subtotal |
|---|---|---|---|
| SRX5600BASE-HC-AC | $65,000.00 | 1 | $65,000.00 |
| SRX5K-SCBE | $20,000.00 | 1 | $20,000.00 |
| SRX5K-SPC-4-15-320 | $100,000.00 | 3 | $300,000.00 |
| SRX5K-MPC | $89,500.00 | 1 | $89,500.00 |
| SRX-MIC-10XG-SFPP | $45,000.00 | 1 | $45,000.00 |
| TOTAL | | | $519,500.00 |

100Gbps Large Packet, 1x SPCII

| Hardware | Pricelist | Qty | Subtotal |
|---|---|---|---|
| SRX5400E-B1-AC | $180,000.00 | 1 | $180,000.00 |
| TOTAL | | | $180,000.00 |
Financial/ Trading Deployments
[Figure: financial/trading deployment. Labels: Brokerage A, Brokerage B, Brokerage C, SRX (x3), Content Provider (x3), Financial Service Provider]
Security posture well matched to trading/financial applications
Reduce packet path latency
Support 10G line rate @64 bytes 14MPPS Requirement
SPC available for high touch services like IPS for Compliance

10Gbps @ 64byte line rate ~14MPPS, 1x SPCII

| Hardware | Pricelist | Qty | Subtotal |
|---|---|---|---|
| SRX5400E-B1-AC | $180,000.00 | 1 | $180,000.00 |
| TOTAL | | | $180,000.00 |

10Gbps @ 64byte line rate ~14MPPS, 3x SPCII

| Hardware | Pricelist | Qty | Subtotal |
|---|---|---|---|
| SRX5600BASE-HC-AC | $65,000.00 | 1 | $65,000.00 |
| SRX5K-SCBE | $20,000.00 | 1 | $20,000.00 |
| SRX5K-SPC-4-15-320 | $100,000.00 | 3 | $300,000.00 |
| SRX5K-MPC | $89,500.00 | 1 | $89,500.00 |
| SRX-MIC-10XG-SFPP | $45,000.00 | 1 | $45,000.00 |
| TOTAL | | | $519,500.00 |
Data Center Deployment
[Figure: data center deployment. Labels: Internet, MX, SRX, VR, Multi-Tenant Virtualized Host, Single Tenant Virtualized Host, vSRX, VM]
Security posture well matched to data-center applications
Reduce packet path latency
Support large data flows for East West traffic
Improved price performance, TCO per bandwidth
10Gbps IPSEC + 70G Large Packet, 3x SPCII

| Hardware | Pricelist | Qty | Subtotal |
|---|---|---|---|
| SRX5600BASE-HC-AC | $65,000.00 | 1 | $65,000.00 |
| SRX5K-SCBE | $20,000.00 | 1 | $20,000.00 |
| SRX5K-SPC-4-15-320 | $100,000.00 | 3 | $300,000.00 |
| SRX5K-MPC | $89,500.00 | 1 | $89,500.00 |
| SRX-MIC-10XG-SFPP | $45,000.00 | 1 | $45,000.00 |
| TOTAL | | | $519,500.00 |

10Gbps IPSEC + 70G Large Packet, 3x SPCII

| Hardware | Pricelist | Qty | Subtotal |
|---|---|---|---|
| SRX5600BASE-HC-AC | $65,000.00 | 1 | $65,000.00 |
| SRX5K-SCBE | $20,000.00 | 1 | $20,000.00 |
| SRX5K-SPC-4-15-320 | $100,000.00 | 2 | $200,000.00 |
| SRX5K-MPC | $89,500.00 | 1 | $89,500.00 |
| SRX-MIC-10XG-SFPP | $45,000.00 | 1 | $45,000.00 |
| TOTAL | | | $419,500.00 |
Services Offload
[Figure: Services Offload architecture. Components: NG-IOC (100/40/10G/1G MIC, LU, XM, XF), NG-SPC (CP, SPU), SCB 0, SCB 1, IXIA. Paths marked: first packet path, fast data path, SOF (hardware fast) data path. Port labels: 1x 100G or 2x 40G or 10x 10G; 10x 100G + 4x 40G + 4x 10G = 1200G = 1.2 Tbps]
Security Services Offloaded from SPU to IOC
Packet Flow: First Packet of New Session–SOF
Same as normal session setup, but:
• Only one LU used per NG-IOC
• SPU installs SOF session on ingress and egress IOCs (#6)
[Figure: first-packet flow through the IOC (LU, XM), fabric, and SPC #1 to SPC #N (CP, SPU), with steps numbered 1 to 6 for flows X.X.X.X -> Y.Y.Y.Y and Y.Y.Y.Y -> X.X.X.X]
SOF Packet Flow: SOF Fast-Path
[Figure: fast-path flow between IOCs (LU, XM) across the fabric, with SPC #1 to SPC #N (CP, SPU)]
1. Packet is received by IOC, matches SOF session
2. IOC processes and sends packet to egress IOC
3. Packet is forwarded out egress port
4. Session keep-alive to SPU
Supported LAG Configuration in SOF Mode
[Figure: Node 0 with interfaces et-0/0/0, et-0/0/1, et-0/2/0, et-0/2/1 and RETH0.0, RETH1.0]
• et-0/X/Y are on the same IOCII
• SOF has been enabled on the FPC
• LAG interfaces can be configured; the ingress and egress for the LAG need to be on the same FPC to maintain the latency requirements for SOF
• Next stage planned to support cross-IOC LAG with SOF
• 100G interfaces are excluded from LAG, as only 2x100G interfaces are supported on IOCII
Express Path Configuration Steps
SOF also needs to be enabled on a per-policy basis.
In 12.3X48, SOF is configured on the FPC; prior to 12.3X48, SOF was configured on the FPC and PIC.
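The two configuration forms and the per-policy opt-in described above, as an added example in Junos set format; it is not taken from the original slides, whose configuration screenshots did not survive extraction. The FPC-level statement is assumed to be np-cache, and the slot and PIC numbers, zones, addresses, application and policy names are constructed.

```junos
# Added example. FPC slot 3, PIC 0 and all names/addresses below are constructed.

# 12.3X48 on IOCII: Express Path is enabled once, at the FPC level.
# (np-cache is assumed here to be the FPC-level statement for this release.)
set chassis fpc 3 np-cache

# Before 12.3X48: Express Path is enabled per FPC and PIC.
set chassis fpc 3 pic 0 services-offload

# Objects used by the offloaded policy (constructed values).
set security address-book global address dtn-local 192.0.2.0/28
set security address-book global address dtn-remote 198.51.100.0/28
# A plain TCP port range is used because ALG-handled applications
# are not supported in Express Path (SOF) mode.
set applications application bulk-data protocol tcp
set applications application bulk-data destination-port 50000-51000

# Per-policy opt-in: only this narrowly matched bulk-transfer flow is offloaded.
set security policies from-zone science-dmz to-zone wan policy dtn-bulk match source-address dtn-local
set security policies from-zone science-dmz to-zone wan policy dtn-bulk match destination-address dtn-remote
set security policies from-zone science-dmz to-zone wan policy dtn-bulk match application bulk-data
set security policies from-zone science-dmz to-zone wan policy dtn-bulk then permit services-offload

# Everything else stays on the normal SPU path (no services-offload keyword),
# so services that need SPU handling can still be applied to it.
set security policies from-zone science-dmz to-zone wan policy other-traffic match source-address any
set security policies from-zone science-dmz to-zone wan policy other-traffic match destination-address any
set security policies from-zone science-dmz to-zone wan policy other-traffic match application any
set security policies from-zone science-dmz to-zone wan policy other-traffic then permit

# Verification, using commands listed later in this deck:
#   show chassis fpc pic-status
#   show security flow session services-offload
```

Keeping the offloaded policy narrow matters because sessions installed on the IOC bypass services that require SPU handling, and they consume the IOC's session cache.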
Verifying Express Path (SOF) Status
Useful Commands for SOF Flows
CLI:
show chassis fpc pic-status
show security flow session
show security flow session services-offload
VTY:
show jnh 0 exceptions
show jnh 0 security sof statistics
show jnh 0 security sof table brief
show jnh 0 security sof table
System-wide Performance with Express Path (SOF)
| | SRX5400 | SRX5600 | SRX5800 |
|---|---|---|---|
| Normal Mode FW Perf Max (G) | 64 | 137 | 320 |
| Express Path (SOF) FW Perf Max (G) | 240 | 480 | 1200 |

[Chart: Express Path vs Normal Mode Performance. Y-axis: Max Throughput (G), 100 to 1300. Data labels: 240Gbps, 480Gbps, 1.2Tbps]
Useful numbers in an RFP
System Performance Max is based on an Inter-PFE (Inter-IOC) traffic pattern; it is achievable and is a useful number to use in RFPs.
It is not always realistic, depending on customer requirements, e.g. services like ALG and L7 inspection.
Latency with Express Path (SOF) across SRX 3k/5k
[Chart: latency in microseconds, y-axis 0 to 18. Categories: NP-IOC (Intra PFE, SRX3K), IOC (Intra PFE, SRX5K), IOCII (Intra PFE, SRX5K), NP-IOC (Inter PFE, SRX3K), IOC (Inter PFE, SRX5K), FIOC (Inter PFE, SRX5K), IOCII (Inter PFE, SRX5K). Data labels as extracted: 8.6, 6.5, 7, 15.4, 15, 11.2, 15]
Latency with Express Path (SOF) for IOCII
Inter-PFE Latency (with 100G-MIC 2x IOCII), latency in microseconds

| | 64B @50% | 512B @50% | 1514B @50% |
|---|---|---|---|
| Inter-PFE Latency (Between 2x100G IOCII) | 15 | 17 | 17.8 |

Intra-PFE Latency (with 100G-MIC 1xIOCII), latency in microseconds

| | 64B @50% | 64B @90% | 512B @50% | 512B @90% | 1514B @50% | 1514B @90% |
|---|---|---|---|---|---|---|
| Intra-PFE Latency (with 1xIOCII) | 7 | 7.4 | 7 | 8.5 | 7.5 | 9.5 |
*Tested with 1 session
Scaling and Performance–Intra-PFE

Intra PFE: UDP Throughput with intra PFE/IOC (1 IOC2 with 2 * 100G)

| Feature | Num of Sessions | 64B MPPS | 64B Gbps | 512B MPPS | 512B Gbps | 1514B MPPS | 1514B Gbps |
|---|---|---|---|---|---|---|---|
| FW | 1 | 27.4 | 18.4 | 22.4 | 95.3 | 16.3 | 200.0 |
| FW | 2 | 38.6 | 25.9 | 22.6 | 96.2 | 16.3 | 200.0 |
| FW | 300 | 38.7 | 26.0 | 22.8 | 97.0 | 16.3 | 200.0 |

Intra PFE: UDP Throughput with intra PFE/IOC with (4 IOC2 + 6 SPC2*)

| Feature | Num of Sessions | 64B MPPS | 64B Gbps | 512B MPPS | 512B Gbps | 1514B MPPS | 1514B Gbps |
|---|---|---|---|---|---|---|---|
| FW | 300 | 154 | 103.5 | 91 | 387.3 | 65.18 | 800.0 |

*Note: Preliminary Performance Estimates
**Note: 6 SPC is an example; if session scale or L4-L7 inspection is needed, then SPCs need to be sized appropriately
Session Scale with Express Path (SOF)

| | IOCII (SRX5K) | IOCI/FIOC (SRX5K) | NPC & IOC (SRX1K/3K) | NP-IOC (SRX1K/3K) |
|---|---|---|---|---|
| Mode | Express Path (SOF) Mode | Express Path (SOF) Mode | Express Path (SOF) Mode | Express Path (SOF) Mode |
| Max Performance | 28MPPS | 5.5MPPS per NP | 5.5MPPS | 5.5MPPS |
| Sessions Cache Scale, w stats | TCP/UDP: 900K | 450K udp or 200K tcp | 128K udp or 64K tcp | 1.2M udp or 750K tcp |
| Sessions Cache Scale, w/o stats | | 900K udp or 300K tcp | 256K udp or 85K tcp | 1.2M udp or 1M tcp |
| Pricing | SRX5K-MPC + 10XG: $134.5K | SRX5K-FIOC + 4X10G: $65K | NPC: $12K; IOC: 12K | NPC-IOC: $24K |
SOF Caveat Summary – Data Center Focus

| Caveat/Unsupported feature | Comments regarding DC deployment |
|---|---|
| Cross-NP support | Supported for NPC/NP-IOC. Note that for CGIOC, cross-NP will need to be across I-Chip and Fabric and was not originally supported during FRS. For IOCII, there is no NP restriction: all traffic is handled by the LU/XM complex, with no restrictions across PFE (latency will take a hit for cross-PFE due to traversing the fabric). The only restriction is that Express Path (SOF) cannot be from an IOCI <-> IOCII combination. |
| LAG support | 11.4/12.1X44: Express Path (SOF) works with LAG but is not supported. 12.1X47-D10: Supported for LAG (RLI22835), tested with NP-IOC. 12.3X48-D10: LAG can be configured and is supported with SOF (if the ingress LAG interface and egress LAG interface are on the same IOC). |
| LSYS support | No support for intra-lsys traffic with Express Path (SOF) at present, as this has not been fully qualified. Inter-lsys would increase latency dramatically, defeating the purpose of Express Path (SOF). VR/Zone virtualisation can be considered as an alternative for traffic separation with Express Path (SOF). |
| Wing limitations | Standard NPC wing count is enough for most small to medium DCs. NP-IOC has a much higher wing count in SOF mode (2M+). IOCII has a lower wing count in Express Path (SOF) mode (1800K) compared to NP-IOC; this has to be planned out to prevent overloading of the session cache on IOCII. |
| IPv6 support | Express Path (SOF) can work selectively (handle v4, ignore v6). Understood and could be planned for future requirements. |
| Multicast fan-out | Current architecture uses the SPU for multicast replication (1:N). With Express Path (SOF), only 1:1 replication is supported. |
| Transparent mode support | Not supported at the present release (12.3X48 and below), but it is noted that L2 mode has been requested by some customers. |
| Fragmentation | In the current design, fragmented packets are not supported in SOF mode. All fragments will be forwarded to the Defrag-SPU based on a 3-tuple hash. The Defrag-SPU then determines if there is a session for this fragment and does the associated handling. In such scenarios, fragmented and non-fragmented traffic could arrive out of sequence. |
| ALGs/ IPSEC/ L4-L7 Services/ Egress QoS | Services (including egress QoS) that require additional SPU handling are not supported in Express Path (SOF) mode. (No change from 11.4/12.1X44 timeframe.) |
Q&A