Browsing Posts published in June, 2010

Well, I was studying routing policies and their implementation and their power in filtering out and filtering in updates. I knew this before, as many access lists, distribute lists and others do the same filtering, but I was studying an interesting thing called a radix tree, which showed a very basic way in which a '1' or '0' would change the IP address / subnet. I wish I could have shown the same, but instead of me telling you, I would advise you to do some searching and feel good after reading!

In the meanwhile I am working on Quality of Service and may be going with some Internetwork Expert workbooks, trying to attend a Narbik bootcamp in a nearby location. Had a chat with Narbik and am waiting for his email for other details.

I will post you updates about the CCIE and its status. I would be attempting the lab somewhere soon and don't know how that goes! I am working with Juniper's Adaptive Threat Management and Data Center Architecture, some unified solutions.

Keep Rocking

Rakesh

M and MX series overview
———————–

Juniper is #2 with 48% market share

consolidation, complexity, reliability, security & compliance is evolution

reduce TCO, increase ROI, profitability

Advanced Routing and software
—————————

two-tiered collapsed architecture

virtualisation, low latency, carrier-class reliability, QoS, security

one operating system, one single software release, one common architecture

Junos Trio chipset

MX 3D industry leader

carrier-class reliability, reduced network complexity, sustainability and operational efficiency, improved end-user experience and application performance, improved network flexibility

mcast distribution tree – SPT or source tree / shared tree

forwarding delay – advanced ASIC
transmission – use higher port speeds
propagation – reduce distance between source and receivers
end-to-end latency – implement all of them

forwarding path is fully ASIC-based, providing low latency

optimized hardware

I-chip ASIC for intensive services, PFE, redundancy

NSR – nonstop routing, ISSU – in-service software upgrade

graceful routing engine switchover
———————————-

backup routing states are maintained with a keepalive mechanism

Nonstop Active Routing
———————-

maintains all the state on the routing engines, hence no routing latency in switchover

Unified in-service software upgrade
———————————–

can be upgraded to new versions without
reloading the device, by installing them on the standby routing engine

quality of service
——————

standard 8 hardware queues with over 1000 to choose from (mcli)

ACL and policers
—————–

M/MX/T have the most flexible and sophisticated policers in the industry

memory allocation – dynamic (MAD)
———————————

provides the right amount of bandwidth to queues

rewrites / marking
——————

ingress DSCP rewrite / egress rewrite
802.1p IEEE bits

MPLS network virtualisation
—————————

supports network segmentation and privacy
improves network security
scales for future growth

enterprise routing portfolio
—————————–

MX – optimized for WAN gateway, campus, DC aggregation and core

M – applications at campus backbone, WAN edge

T – carrier-class multi-service routing system, high performance

MX80, MX240, MX480, MX960

ISE – intelligent services edge
——————————-

not a product, it's a service which enables high performance and scale, service flexibility and operational efficiency

MX 3D aggregation
——————

16x10GbE ports, 120 Gbps (MX240, MX480, MX960)

EANTC – European Advanced Networking Test Center

MX 3D 100GbE line card – line rate 100mb

16-port GE line card – regional high-speed metro network, suitable for large data centers

MX80 3D Ethernet Services Router – world's most powerful 3.5-inch router

MX80 – anywhere DC

Junos Space – simplicity, reliability, scalability

MX960 Ethernet Services Router
——————————

14-slot chassis, 172 ports, front-to-back cooling

DPC – dense port concentrators

RE is the daughter card for the SCB (switch control board)

mx480 ethernet services router
——————————

smaller form factor than MX960 and offers
half the capacity of MX960

8-slot chassis cards (6+2)

side-to-side cooling

MX240 Ethernet Services Router
——————————

half of MX480 performance

4-slot chassis (2+2 or 3+1)

MX FPC carrier cards (non-Ethernet interfaces)

MX architecture
—————-

2-3 switch control boards (SCBs)
SCBs fully redundant
packet order maintained
QoS maintained

MX FPC architecture
——————–

PICs are hot-swappable and support OIR
L3 I-chip and L2 ESE NPU as the DPCs
FPC supports L2 and L3

DPC-R (switching and routing), DPC-X (scaled-down switching/routing), DPC-Q (queuing)

MX family has fuller and richer capabilities than EX

M-series
——–

M7i, M10i, M120, M320

M7i multiservice edge router
—————————-

1 fixed GE or 2 fixed FE ports

16 Mpps lookup performance

M7i components
————–

4 PIC slots, FIC 2 fixed FE, side-to-side cooling, redundant AC or DC power supplies, 20 GB hard drive, PCMCIA, 2 serial aux, Ethernet card interface, 850 Mbps (tunnel services)

M10i multiservice edge router
—————————–

most compact M series with fully redundant common hardware

M10i components
—————

8 slots for hot-swappable PICs, exchangeable with M5/M7i/M10i PICs, redundant RE and FE, redundant power AC / DC

M120 multiservice edge router
—————————–

120 Gbps throughput, 90 Mpps lookup, 8 queues per interface

M120 architecture
———

4+2 FPC slots, one PFE per FEB, 10 Gbps full duplex per slot, 15 Mpps per FEB

M120 10-gig-capable high-end enterprise router

type 1: 4 PICs / FPC, 1 Gig/sec
type 2: 4 PICs / FPC, 2.5 Gig/sec
type 3: 1 PIC / FPC, 10 Gig/sec

two cFPCs for 10GE WAN interfaces, or option for no cFPCs

front-to-back cooled system

routing engine is a daughter card for SCB

M120 IP services PIC
——————–

provides HW acceleration
encryption services PIC – IPsec
monitoring services PIC – J-Flow
tunnel services – GRE, IP-in-IP
multi-services NAT
link services – MLPPP, MLFR

m320 multiservice edge router
—————————–

same architecture as M120 and MX, offered with a different type of form factor

8 FPC slots, 20 Gbps full duplex, 40 Mpps per FPC

4 SCBs

E3 FPC overview
—————-

type 1 (4), 2 (4), 3 (2 – 10 Gigs each),
redundant power supplies

non-Ethernet interfaces – then M-series

only Ethernet interfaces – then MX, but you have an option for non-Ethernet interfaces

M-series offers L3, whereas MX can also work as L2

partner solution development platform

customers
———

NYSE – New York Stock Exchange
DOE – Department of Energy
Laboratory of Neuro Imaging

Regards

Rakesh

upgrade path
————-

Cisco vs Juniper

1600 series vs SRX100

1600 -> 1700 -> 1800 to SSG20, SRX210

2500 -> 2600 -> 2800 to SRX140, SRX240, J2320, J2350, J4350

3600 -> 3700 -> 3800 to SRX650, J4350, J6350

7200 -> 7600 -> M7i, SRX3000 or SRX5000 (world's fastest FW)

7500 -> 7600 -> M series or SRX3000/SRX5000

————-

SRX and J-series features
————————-

best-in-class routing with BGP, RIP, OSPF, mcast, IS-IS

rich set of WAN and LAN interfaces

quality of service

supports ACL, stateful FW inspection, IPsec, DDoS screening, IDS/IPS, web filtering,

MPLS CE/PE and IPv6 routing

FW, NAT, IPsec etc.

—————

power of Junos
————–

one OS (branch and core), one release, one architecture

quarterly release process

stand-alone modules and separation of control and packet forwarding planes

NextGen data plane (ALG for instance)

NextGen software is based on ScreenOS
(Junos SMP kernel with embedded Junos features)

firewall processing has been enhanced with the best of NetScreen and Junos, with a single lookup and also policy implementation

FW processing also has DoS and ACL filters with special hardware

session-aware processing avoids policy matching

SRX series: zones and policies (simplify management)

NextGen NAT: zone-based security policy which separates NAT from security policy, and no need for loopback groups or dummy static routes

security policies and NAT are independent
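As an added example (not from this post or from Juniper's own documentation), a minimal Junos SRX configuration showing that separation: the security policy is written against the zone pair and the real, pre-NAT address of the LAN hosts, while the source NAT rule lives in its own hierarchy keyed on the same zone pair, so neither references the other and no loopback group or dummy route is needed. The interface names, zone names, address-book name and the 10.0.0.0/24 range are assumed.

```junos
security {
    zones {
        security-zone trust {
            /* assumed LAN range; the policy below matches this name, not the NATed address */
            address-book {
                address lan-hosts 10.0.0.0/24;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    nat {
        /* NAT is chosen per zone pair in its own hierarchy; no loopback group or dummy static route */
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule hide-lan {
                    match {
                        source-address 10.0.0.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-web {
                match {
                    source-address lan-hosts;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

The policy is evaluated on the original source address before translation, so changing the NAT rule does not require touching the policy, and removing NAT leaves the policy unchanged.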

—————————————–

UNIFIED THREAT MANAGEMENT: UTM
——————————-

antivirus – Kaspersky
web filtering – Websense / SurfControl
content filtering
antispam – Symantec

URL whitelists can be used to bypass scanning of traffic from some sites

MIME lists can be set up to bypass scanning of some traffic

web filtering
———–

Integrated (SurfControl) and redirect (Websense)

a global whitelist/blacklist can be configured

redirect solution

Juniper Networks-Websense WF solutions
————————————–

Integrated web filtering, and its location is in the cloud

redirect web filter is located in the same network

ease of use is good for integrated web filtering

latency is good for redirect web filtering

what to use depends on the needs of the requirement and latency issues

Content Filtering
—————–

control traffic based on MIME type, file extension, protocol commands

ANTISPAM
——–

IP address recognition based on Symantec database provider (SPM RBL)

DYNAMIC VPN SERVICE — Access Manager Client
——————————————–

supported on SRX100, SRX210, SRX240, not on SRX650

layer 3 IPsec client that is automatically downloaded from a Junos device
SSL fallback for TCP traversal

will replace NS-Remote, which was on ScreenOS, and NS-Remote on SRX

SRX FOR THE BRANCH OVERVIEW
—————————

SRX100
SRX210
SRX240
SRX650

SRX series offers routing and security

all SRX will have
——————

routing and switching
firewall and VPN
UTM
IDS and IPS
UAC – unified access control
voice services
power over Ethernet 802.3at (30 W/port) versus 802.3af (15.4 W/port)

Antivirus

two AV engines

full AV – Kaspersky
express AV – packet / content security accelerator

full AV is high detection and express AV is high performance

performance, coverage, memory utilisation

in express AV the packet is sent as is and there is no huge AV DB
in full AV the packet is reconstructed as is, up to 20 MB, and hence more CPU

When performance and memory utilization are a concern, use Express AV

when coverage rate is a concern, use Full AV

————-

SRX100 (small)
——

8xFE, 1 USB, FW 175 Mbps, VPN 75 Mbps, IDP 50 Mbps, no PoE, no voice port, A/A or A/P connection (active, passive), full UTM features

SRX210 (small)
——

2xGE + 6 FE, 1 mini-PIM, 3G slot, USB 2, voice ports optional 2xFXS 2xFXO or mini-PIM, FW perf 250 Mbps, VPN 85 Mbps, IDP 80 Mbps, A/A, A/P
4 PoE ports (50 W total), full UTM features

low mem 512 MB RAM / 1 GB flash
high mem 1 GB RAM / 1 GB flash (comes with regex acceleration for AV and IDP)

SRX240 (small to medium)
——

16xGE, mini-PIM 4, 3G wireless, USB 2, PoE 16 ports (150 W), optional 2xFXS, FW 500 Mbps, VPN 200 Mbps, IDP 250 Mbps, A/A A/P (SMB), full UTM

SRX650 (medium)
——

4xGE, GPIM 8, USB 2 per processor, PoE up to 48 ports (250 W or 500 W), PSTN voice ports 8 analog, 2 T1/E1 per GPIM, FW 2.5 Gbps, VPN 1.5 Gbps, IDP 900 Mbps, A/A or A/P or dual power, full UTM

2 processing module slots (SRE – services and routing engine, backup SRE, application co-processor engine ACE card)

UAC L3 enforcement points

Mid-plane design and modular, 8 GPIM slots, not hot-swap as of now

—————-

Wireless
——–

AX411 blends high-performance 802.11n with SRX

rapid setup and centralized monitoring of remote sites

integrated

802.11n client adapter choice should be good

AX411 is 180 Mbps peak throughput

oversubscription rates 4:1 or 8:1

provisioning model
——————

AP requests an IP address using DHCP

DHCP should be configured on SRX gateways

you cannot plug the AP into the first gig Ethernet port as it is a DHCP client

zero config
———–

except the first gig E port, all others are in the default VLAN and are in the trust zone

plug the AP into any of the other ports, it's as simple as that

L2 Management Mode
——————-

in L2 mode all ports are connected to interfaces in switching mode

all APs belong to the same L3 network

roaming is supported and transparent to the SRX series

L3 Management Mode
——————

In L3 mode all AP ports are connected to interfaces in routing mode

each AP belongs to a different L3 network

in this mode roaming is not supported

client isolation can be enforced

authentication
————–

local and RADIUS MAC

802.1X

WEP, WPA, WPA2 with EAP-based protocols

at SRX series gateways
———————-

FW auth with local redirect for local auth

UTM, IDP, UAC, WAN acceleration, IPsec

Juniper Networks 3G Networks
—————————–

Bridge or Integrated with SRX210 integrated 3G

deployment options

on-demand dialing
backup interface
prefix monitoring

RPM monitoring scripts can be used for failover

Dialer interfaces
—————–

dialer interfaces are pseudo-interfaces

J-Series overview
—————–

Juniper Networks with Avaya VoIP solution, with CME configured at the remote end

WXC ISM200 application acceleration for J2320, J2350, J4350, J6350

unmatched performance when services are turned on

J2320
—–

4 ports GE, 3 PIMs, internal and external C-flash, optional encryption card, supports Avaya IP telephony module

J2350
——

5 PIM slots, 4 GE, NEBS and DC power, optional encryption and supports Avaya telephony module

J4350
——

4 GE ports, 4 PIMs, 2 ePIMs, supports Avaya media gateway, DC version available, low mem version 256 MB flash or high end 1 GB, optional encryption

J6350
——

4 fixed GE LAN ports, 2 PIM slots and 4 ePIM slots, supports Avaya media gateway, DC version available, hardware encryption standard, 1 GB DRAM max 2 GB, NEBS compliant

PIMs, enhanced PIM, universal PIM

double the speed with services on when compared with Cisco ISR

30% lower than Cisco ISR products

Enterprise routing portfolio
—————————–

SRX240 – SRX650 with J-series in between

greenfield accounts – lead with SRX series

ScreenOS installed base – go ahead with SSG

existing Junos customers – introducing SRX would make more sense

federal government – then SSG series

managed services – SRX

3G connectivity – SRX

PoE – SRX series

WLAN today – SSG

IPv6 security – SSG

anything between SRX240 – SRX650 is J-series

SSG products providing deep inspection are replaced with IPS on SRX

Express AV – specific hardware required

SRX doesn't support WAN acceleration

Regards

Rakesh