upgrade path
————-

Cisco vs Juniper

1600 series vs SRX100

1600 -> 1700 -> 1800 to SSG20, SRX210

2500 -> 2600 -> 2800 to SRX140, SRX240, J2320, J2350, J4350

3600 -> 3700 -> 3800 to SRX650, J4350, J6350

7200 -> 7600 -> M7i, SRX3000 or SRX5000 (world's fastest firewall)

7500 -> 7600 -> M series or SRX3000/SRX5000

————-

srx and j-series features
————————-

best-in-class routing with BGP, RIP, OSPF, multicast, IS-IS

rich set of WAN and LAN interfaces

quality of service

supports ACLs, stateful firewall inspection, IPsec, DDoS screening, IDS/IPS, web filtering

MPLS CE/PE and IPv6 routing

firewall, NAT, IPsec, etc.

—————

power of junos
————–

one OS (branch and core), one release, one architecture

quarterly release process

stand-alone modules and separation of the control and packet forwarding planes

NextGen data plane (ALGs, for instance)

NextGen software is based on ScreenOS
(Junos SMP kernel with embedded Junos features)

firewall processing has been enhanced with the best of NetScreen and Junos, with a single lookup and also policy implementation

firewall processing also has DoS and ACL filtering with special hardware

session-aware processing avoids policy matching

SRX series: zones and policies (simplify management)

NextGen NAT: zone-based security policy which separates NAT from the security policy, so there is no need for loopback groups or dummy static routes

security policies and NAT are independent
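An added example (not from the original notes) of that separation in Junos CLI syntax: source NAT is defined under `security nat` by zone pair, while the policy under `security policies` matches the original (pre-NAT) LAN address, so NAT can change without touching the policy. The interfaces and the 192.168.1.0/24 prefix are placeholders chosen for the example.

```junos
security {
    zones {
        security-zone trust {
            address-book {
                address lan-net 192.168.1.0/24;   /* placeholder LAN prefix */
            }
            interfaces { ge-0/0/1.0; }            /* placeholder LAN interface */
        }
        security-zone untrust {
            interfaces { ge-0/0/0.0; }            /* placeholder WAN interface */
        }
    }
    /* NAT is keyed by zone pair and never references a policy */
    nat {
        source {
            rule-set lan-to-internet {
                from zone trust;
                to zone untrust;
                rule hide-lan {
                    match { source-address 192.168.1.0/24; }
                    then { source-nat { interface; } }
                }
            }
        }
    }
    /* Policy lookup uses the pre-NAT source and post-NAT destination address,
       so the policy matches lan-net, not the translated interface address */
    policies {
        from-zone trust to-zone untrust {
            policy allow-lan-out {
                match {
                    source-address lan-net;
                    destination-address any;
                    application [ junos-http junos-https junos-dns-udp ];
                }
                then { permit; }
            }
        }
        default-policy { deny-all; }
    }
}
```

Swapping `source-nat { interface; }` for a pool leaves `allow-lan-out` unchanged; on ScreenOS the equivalent change would have touched the policy or required a loopback group.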

—————————————–

UNIFIED THREAT MANAGEMENT : UTM
——————————-

antivirus – Kaspersky
web filtering – Websense / SurfControl
content filtering
antispam – Symantec

URL whitelists can be used to bypass scanning of traffic from some sites

MIME lists can be set up to bypass scanning of some traffic

webfiltering
———–

Integrated (SurfControl) and redirect (Websense)

a global whitelist/blacklist can be configured

redirect solution

Juniper Networks-Websense WF solutions
————————————–

Integrated web filtering: the categorization service is located in the cloud

redirect web filtering: the filtering server is located in the same network

ease of use is the strength of integrated web filtering

latency is the strength of redirect web filtering

which to use depends on the requirements and on latency issues

Content Filtering
—————–

control traffic based on MIME type, file extension, protocol commands

ANTISPAM
——–

IP address recognition based on the Symantec database provider (SPM RBL)

DYNAMIC VPN SERVICE — Access Manager Client
——————————————–

supported on SRX100, SRX210, SRX240; not on SRX650

layer 3 IPsec client that is automatically downloaded from a Junos device
SSL fallback for TCP traversal

will replace NS-Remote, which was on ScreenOS, and NS-Remote on SRX

SRX FOR THE BRANCH OVERVIEW
—————————

srx100
srx210
srx240
srx650

SRX series offers routing and security

all SRX will have
——————

routing and switching
firewall and VPN
UTM
IDS and IPS
UAC – Unified Access Control
voice services
Power over Ethernet 802.3at (30 W/port) versus 802.3af (15.4 W/port)

Antivirus

two AV engines

full AV – Kaspersky
express AV – packet/content security accelerator

full AV is high detection and express AV is high performance

trade-offs: performance, coverage, memory utilisation

in express AV the packet is scanned as is and there is no huge AV database
in full AV the file is reconstructed, up to 20 MB, and hence more CPU is used

when performance and memory utilization are a concern, use Express AV

when coverage rate is a concern, use Full AV

————-

SRX100 (small)
——

8x FE, 1 USB, FW 175 Mbps, VPN 75 Mbps, IDP 50 Mbps, no PoE, no voice port, A/A or A/P (active/active, active/passive), full UTM features

SRX210 (small)
——

2x GE + 6 FE, 1 mini-PIM, 3G slot, USB 2, voice ports optional 2x FXS / 2x FXO or mini-PIM, FW 250 Mbps, VPN 85 Mbps, IDP 80 Mbps, A/A, A/P
4 PoE ports (50 W total), full UTM features

low memory: 512 MB RAM / 1 GB flash
high memory: 1 GB RAM / 1 GB flash (comes with regex acceleration for AV and IDP)

SRX240 (small to medium)
——

16x GE, 4 mini-PIMs, 3G wireless, USB 2, PoE 16 ports (150 W), optional 2x FXS, FW 500 Mbps, VPN 200 Mbps, IDP 250 Mbps, A/A or A/P (SMB), full UTM

SRX650 (medium)
——

4x GE, 8 GPIM, USB 2 per processor, PoE up to 48 ports (250 W or 500 W), PSTN voice ports 8 analog, 2 T1/E1 per GPIM, FW 2.5 Gbps, VPN 1.5 Gbps, IDP 900 Mbps, A/A or A/P or dual power, full UTM

2 processing module slots (SRE services and routing engine, backup SRE, application co-processor engine ACE card)

UAC L3 enforcement points

mid-plane, modular design; 8 GPIM slots, not hot-swappable as of now

—————-

Wireless
——–

AX411 blends high-performance 802.11n with the SRX

rapid setup and centralized monitoring of remote sites

integrated

the 802.11n client adapter should be chosen carefully

AX411 is 180 Mbps peak throughput

oversubscription rates 4:1 or 8:1

provisioning model
——————

the AP requests an IP address using DHCP

DHCP should be configured on the SRX gateways

you cannot plug the AP into the first Gigabit Ethernet port, as that port is a DHCP client

zero config
———–

except for the first GE port, all other ports are in the default VLAN and in the trust zone

plug the AP into any of the other ports; it is as simple as that

L2 Management Mode
——————-

in L2 mode all ports are connected to interfaces in switching mode

all APs belong to the same L3 network

roaming is supported and transparent to the SRX series

L3 Management Mode
——————

in L3 mode all AP ports are connected to interfaces in routing mode

each AP belongs to a different L3 network

in this mode roaming is not supported

client isolation can be enforced

authentication
————–

local and RADIUS MAC authentication

802.1X

WEP, WPA, WPA2 with EAP-based protocols

at srx series gateways
———————-

firewall authentication with local redirect for local auth

UTM, IDP, UAC, WAN acceleration, IPsec

Juniper Networks 3G Networks
—————————–

bridge or integrated, with SRX210 integrated 3G

deployment options

on-demand dialing
backup interface
prefix monitoring

RPM monitoring scripts can be used for failover

Dialer interfaces
—————–

dialer interfaces are pseudo-interfaces

J-Series overview
—————–

Juniper Networks with Avaya VoIP solution, with CME configured at the remote end

WXC ISM200 application acceleration for J2320, J2350, J4350, J6350

unmatched performance when services are turned on

j2320
—–

4 GE ports, 3 PIMs, internal and external compact flash, optional encryption card, supports Avaya IP telephony module

J2350
——

5 PIM slots, 4 GE, NEBS and DC power, optional encryption, and supports Avaya telephony module

J4350
——

4 GE ports, 4 PIMs, 2 ePIMs, supports Avaya media gateway, DC version available, low-memory version 256 MB flash or high-end 1 GB, optional encryption

J6350
——

4 fixed GE LAN ports, 2 PIM slots and 4 ePIM slots, supports Avaya media gateway, DC version available, hardware encryption standard, 1 GB DRAM (max 2 GB), NEBS compliant

PIMs, enhanced PIM, universal PIM

double the speed when services are on, compared with the Cisco ISR

30% lower than Cisco ISR products

Enterprise routing portfolio
—————————–

SRX240 – SRX650 with the J-series in between

greenfield accounts – lead with the SRX series

ScreenOS installed base – go ahead with SSG

existing Junos customer – introducing SRX would make more sense

federal government – then SSG series

managed services – SRX

3G connectivity – SRX

PoE – SRX series

WLAN today – SSG

IPv6 security – SSG

anything between SRX240 and SRX650 is J-series

the deep inspection provided by SSG products is replaced with IPS on SRX

express AV – specific hardware required

SRX doesn't support WAN acceleration

Regards

Rakesh