Outstanding Performance, No Compromise: SRX Product Introduction
Objectives
• After completing this tutorial, you should be able to answer:
  • Which products make up the SRX line, and what are the features of each?
  • What are the main differences between the SRX and the SSG and J Series?
  • What are the SRX's competitive advantages?
Diagram: SRX product family overview. NSM, built on the Dynamic Services Architecture (DSA), accelerates the rollout of new services; all models are centrally managed by NSM. Firewall throughput by model: data center models SRX5800 120G, SRX5600 60G, SRX3600 30G, SRX3400 20G; distributed enterprise models SRX650 7G, SRX240 1.5G, SRX210 750M, SRX100 600M.
SRX100
• 8 x FE (desktop)
• Fixed configuration
• Full UTM features (1 GB high-memory model)
  • IDP / Antivirus / Anti-spam / Web filtering
• Performance
  • Firewall throughput (large packets): 600 Mbps
  • Concurrent sessions: 16K / 32K
• SOHO users (1-25 users)
*Shipping from Q3 2009
Q3 2009 SRX100
• Ideal for micro-branch, managed telecommuters, SOHO
• Fixed I/O: 8 x 10/100 Ethernet ports
• Full UTM features
  • IDP
  • Antivirus
  • Anti-spam
  • Web filtering
• UAC Enforcement
• UTM requires High Memory model (UTM, license), no CSA
SRX210
• 2 x GE + 6 x FE (desktop)
• 1 x expansion slot (not hot-swappable)
  • Serial / T1E1 / ADSL2+ / SFP
• Full UTM features (1 GB high-memory model)
  • IDP / Antivirus / Anti-spam / Web filtering
  • Content security accelerator
• 4 ports with PoE (802.3af / at)
• 3G access support
• Performance
  • Firewall throughput (large packets): 750 Mbps
  • Concurrent sessions: 32K / 64K
• Small branch users (20-200 users)
*Voice supported from Q3 2009
Q2 2009 SRX210
• Ideal for small branches
• Full UTM features
  • IDP, Antivirus, Anti-spam, Web filtering, Content filtering
• UAC Enforcement
• UTM requires High Memory model
• Available Voice version with mini-PIM options
• Factory-configured voice model
SRX240
• 16 x GE (1U rack-mount)
• 4 x expansion slots (not hot-swappable)
  • Serial / T1E1 / ADSL2+ / SFP
• Full UTM features (1 GB high-memory model)
  • IDP / Antivirus / Anti-spam / Web filtering
  • Content security accelerator
• 16 ports with PoE (802.3af / at)
• Performance
  • Firewall throughput (large packets): 1.5 Gbps
  • Concurrent sessions: 64K / 128K
• Medium branch users (100-500 users)
*Voice and 3G supported from Q4 2009
Q2 2009 SRX240
• Ideal for small to medium branches
• Full UTM features
  • IDP, Antivirus, Anti-spam, Web filtering, Content filtering
• UAC Enforcement
• UTM requires High Memory model
• Available Voice version with mini-PIM options*
• Factory-configured voice model
* Supported in JUNOS 9.6
SRX650
• 4 x GE (2U rack-mount)
• 8 x expansion slots (not hot-swappable)
  • 2T1E1 / 4T1E1 / 16GE / 24GE
• Multi-core architecture
• Separate hardware control and forwarding planes
• Redundant power supplies (hot-swappable)
• PoE support (802.3af / at)
• Full UTM features
  • IDP / Antivirus / Anti-spam / Web filtering
  • Content security accelerator
• Performance
  • Firewall throughput (large packets): 7 Gbps
  • Concurrent sessions: 512K
• Large branch users (200-1000 users)
*Junos 9.6: SRE redundancy; 2010: voice, ACE
Q2 2009 SRX650
• Ideal for regional sites, large branches
• Modular:
  • LAN switching
  • Services Routing Processors with optional redundancy (future)*
  • Power supplies with optional redundancy (at FRS)
  • Voice configurations (field upgradable via PIMs in 2010)
• Full UTM features
  • IDP, Antivirus, Anti-spam, Web filtering, Content filtering
• UAC Enforcement
• Max Gig E 52 ports (2 x 24 GE PIM + 4 integrated ports)
* Supported in JUNOS 9.6
Q3 2009 SRX210 with Integrated Convergence Services
Diagram labels: FXS ports (connect your analog phone or FAX machine here); E1/T1 or FXO for carrier trunk, or FXS for additional analog phones / fax machines; FXO ports (connect to your wall phone socket).
SRX Voice Elements
• Survivable SIP server
• SIP Media Gateway
• SIP Security
• Base and expandable voice ports
• PoE ports
• PoE ports scaling with EX switch
Diagram: Juniper Integrated Convergence Services, Stage 1: Survivable Media Gateway (2H 2009). Elements shown: a corporate office with a SIP server, PBX / key system, analog FAX, digital and SIP VoIP handsets, soft phones, and an SRX210 / SRX240; WAN (MPLS) and Internet links; a service-provider VoIP SIP soft switch with SIP trunking ("toll bypass", "extension", "VoIP to PSTN"); local PSTN via channelized T1 / E1 / FXO; failover to PSTN.
• SIP server and SIP soft switch: enterprise choice and flexibility
• SIP standards
• Choice of SIP phones, call servers and applications
3G Wireless WAN Deployments
• Primary connection where wired broadband is not available
• Backup connectivity with a wired primary
• Out-of-band management, remote deployment
• Available on SRX210 (2H 2009); supports Verizon CDMA/EVDO 3G
Diagram: datacenter / HQ connected over the Internet to SRX210 branch, retail and regional sites using 3G wireless and Dynamic VPN Services.
Branch Wireless AP Solution
• Juniper 802.11n indoor solution
• Backwards compatible with 802.11a/b/g
• Dual-mode radio supports 300 Mbps (aggregate)
• Single radio 200 Mbps (160 Mbps typical)
• Spatial streams: 2x2:2, 2x3:2, 3x3:2
• UL2043 plenum rated for above-ceiling mounting
• 50 metre range (indoor)
• Unit can be mounted on ceiling or wall
• Virtual AP technology: support for up to 16 simultaneous SSIDs
• 802.11e WMM capable
• 1 Gigabit Ethernet PoE support
• Optional external power supply
• Serial console support
• L2 managed by SRX branch products
• Additional licensing cost for branch SRX to manage multiple access points: clusters of 4, 8, 16 APs
• The SRX can manage up to 2 APs without an additional AP software licence
• Wireless APs are currently supported only on the SRX210 (4 APs), SRX240 (8 APs) and SRX650 (16 APs)
Ethernet Switching (SRX100, SRX210, SRX240, SRX650)
Hardware (Onboard Ethernet)
• SRX100: 8 fixed 10/100 (switched or routed)
• SRX210: fixed 2 x 10/100/1000 + 6 x 10/100 (switched or routed); 802.3af optional PoE (2 FE + 2 GE)
• SRX240: fixed 16 ports 10/100/1000 (switched or routed); Power over Ethernet (optional, all ports), 802.3af, 802.3at
• SRX650: fixed 4 ports 10/100/1000 (routed)
Software Features
• 802.1Q VLAN support
• Up to 4,096 VLANs (platform dependent)
• Routed VLAN Interface (RVI)
• GARP VLAN Registration Protocol (GVRP)
• QoS on VLAN interface
• L3 strict priority queuing (LLQ)
• L3 Smoothed Deficit Weighted Round Robin (SDWRR)
• L3 Weighted Random Early Discard (WRED)
• L3 per-port and per-queue shaping
• 802.1X port-based authentication
• 802.3ad (AX) link aggregation*
• STP, Spanning Tree Protocol
  • 802.1D Spanning Tree Protocol
  • 802.1s Multiple STP
  • 802.1w Rapid STP
• Jumbo frame support (9,216 bytes)*
Hardware Ethernet PIMs
• SRX Mini-PIM (SRX210/SRX240): 1 port SFP
• 16 port GigE XPIM for SRX650: double-high; full-duplex 20 Gbps backplane; 16 port GE with optional PoE
• 24 port GigE XPIM for SRX650 including 4 SFP slots: double-high, double-wide; optional PoE (24 port GE with PoE incl. 4 SFP slots); full-duplex 20 Gbps backplane
• Optics: SRX GE SFP LH | SRX GE SFP LX | SRX GE SFP SX | SRX GE SFP 1000Base-T | SRX FE FX SFP
* Not supported on SRX100
SRX Series: Firewall, Zones, and Policies
Diagram labels: zone "untrust" (Internet), zone "trust", originating zone, SRX, "Default Policy: Deny All", "Default Policy: Allow All".
Unified Threat Management (UTM) Features
Diagram: external threats (Internet) and internal threats, with the following UTM layers on the SRX Series:
• IPS: Juniper IDP detects/stops worms, Trojans, DoS (L4 & L7), scans
• Web Filtering: Websense blocks access to unapproved sites
• Antivirus: Kaspersky Lab AV stops viruses, file-based Trojans, spyware, adware, keyloggers
• Anti-spam: Symantec stops spam / phishing
• Content Filtering: SRX Series blocks transmission of files for Data Loss Prevention
• Core Security: Firewall, VPN, Unified Access Control
Juniper Networks Unified Access Control (UAC)
Comprehensive, vendor-agnostic, standards-based access control across heterogeneous environments, delivering investment protection.
Diagram: IC Series policy server with identity stores; endpoints running the UAC Agent; UAC enforcement points (EX Series L2 switches, Juniper firewall platforms ISG / SSG / NS / SRX, 802.1X switches and access points); protected applications (data, app, Internet).
1. Authenticate user, profile endpoint, determine location
2. Dynamically provision policy enforcement
3. Control access to protected resources
Remote Access Dynamic VPN Service: Access Manager Client
• A dynamic IPsec client that is automatically downloaded
• 5-user, 10-user, 25-user, 50-user (SRX240) license options with simultaneous tunnel enforcement
• Supported on the SRX100, SRX210, and SRX240; not supported on the SRX650
• Automatic client upgrade capabilities
• Self-provisioning from SRX210, SRX240
• IPsec with TCP-based fallback for NAT traversal
• Initial release to support Windows platforms: XP, Vista, Win 2000 (Q2 2009)
Diagram: wireless, wired and 3G wireless clients connecting over the Internet to an SRX210 through Dynamic VPN Services.
SRX Features
• IPsec VPN: encrypted communication
• Firewall: fine-grained access control
• UTM: IDP, antivirus, anti-spam, web filtering
• Switching: VLAN, STP, LAG...
• Routing: RIP, OSPF, BGP, PBR...
• Voice: VoIP
Diagram: UTM, stateful firewall, IPsec VPN, switch, voice and routing layers.
Comparison with ScreenOS-based SSG and J Series Products
SRX (SRX 100, SRX 210, SRX 240, SRX 650)
• Unified Threat Management
  • Full IDP (Juniper)
  • Antivirus (Kaspersky)
  • Web filtering (Websense)
  • Anti-spam (Symantec)
• VoIP
  • Juniper OpenCommunications
• Power over Ethernet
• FW, VPN, NAT, UAC
J Series (J2320, J2350, J4350, J6350)
• FW, VPN, NAT, UAC
• Routing, Switching, QoS, MPLS
• WX: ISM 200 Application Acceleration
• VoIP: Avaya Integrated Gateway
• Unified Threat Management
  • Full IDP (Juniper)
  • Antivirus (Kaspersky)
  • Web filtering (Websense)
  • Anti-spam (Symantec)
SSG Family (SSG5 Wireless, SSG20 Wireless, SSG140, SSG320M, SSG350M, SSG520, SSG520M, SSG550, SSG550M)
• FW, VPN, NAT, UAC
• IPv6 Security
• Wireless (WLAN)
• Unified Threat Management
  • Intrusion Prevention: DI
  • Antivirus (Kaspersky)
  • Web filtering (Websense)
  • Anti-spam (Symantec)
Typical Deployment
Diagram: NOC with NSM Express and STRM; data center; private WAN, PSTN and Internet; branch with SRX, EX4200 Virtual Chassis, PoE access points and IP phones, local printer and WX Client.
Connectivity
• The SRX240 provides up to 16 Gigabit Ethernet ports and supports up to 16 PoE devices (IP phones, wireless APs)
• Supports 8 wireless APs
• WAN connection over 4 bundled E1 links
• Redundant power supplies for higher availability
• EX4200 Virtual Chassis clustering supports adding devices
Security
• Built-in IDP and firewall
• Antivirus, anti-spam, web filtering and more enabled by license for full UTM
• Full integration with Juniper UAC
Management
• NSM, STRM, J-Web and CLI management
• JUNOS Software
• Unified Open Management
Overall Competitive Advantages
• Integrated services
  • Switching, routing, firewall, VPN, UTM, VoIP, PoE, WLAN...
• High performance
  • The industry's highest-performance firewall (SRX5800)
  • Much higher firewall, antivirus, VPN and IDP performance
  • Higher new-connection rate
• More advanced architecture
  • Junos (a proven modular operating system)
  • Separation of the control plane from the forwarding plane
• Lower TCO
  • Better price/performance
  • Easier deployment and management
  • More flexible configuration
  • Easier scaling, protecting the customer's investment
Scenario: Reducing Branch Office TCO
A small branch with 60 PCs connects to headquarters over two E1 lines that back each other up. There is a local server, and business applications at headquarters are accessed over the web.
Requirements:
• High-speed communication between devices
• Security measures such as a firewall
• Firewall throughput of 200 Mbps or more
Projections:
• The number of PCs doubles within 1-2 years
• Mobile working needs PoE ports for 5-6 802.11n APs
• Security expands to full UTM
Juniper vs. Cisco: Initial Stage
Cisco:
• 1 x Cisco 2821
• 1 x VWIC2-2MFT-T1/E1
• 1 x IOS advanced security
• 1 x WS-C2960G-48TC-L
• 1 x WS-C2960G-24TC-L
Juniper:
• 1 x SRX240H
• 2 x SRX-MP-1T1E1
• 1 x EX3200-48T
Note: the SRX chassis also provides IDP, and the EX3200 has 8 PoE ports.
Juniper vs. Cisco: Adding UTM and PoE, Expanding the Network
Cisco:
• Added switches: 1 x WS-C2960G-48TC-L, 1 x WS-C3560G-24PS-S
• UTM: 1 x ASA5520-CSC10-K9, 1 x ASA-CSC10-PLUS, 1 x NME-IPS module
Juniper:
• Added switches: 2 x EX3200-48T
• UTM: 1 x SRX240-SMB-CS
Note: in the future, a non-PoE EX2200 switch plus an SRX240H-POE will be a more economical solution.
SRX High-End Series
• SRX 3400 / 3600 / 5600 / 5800
SRX3400
• Chassis design (3U)
• 7 slots (4 front, 3 rear)
• Maximum 4 IOCs, 4 SPCs, 2 NPCs
• Fixed interfaces (SCB): 8 x 10/100/1000 + 4 x SFP
• Modular interfaces (IOC): 16 x 10/100/1000; 16 x SFP; 2 x XFP
• Multi-core architecture
• 2 power supplies, redundant (N+1)
• Performance
  • Firewall throughput (large packets): 10 / 20 Gbps
  • Concurrent sessions: 2.25M
*Requires at least 1 SPC and 1 NPC
SRX3600
• Chassis design (5U)
• 12 slots (6 front, 6 rear)
• Maximum 7 IOCs, 7 SPCs, 3 NPCs
• Fixed interfaces (SCB): 8 x 10/100/1000 + 4 x SFP
• Modular interfaces: 16 x 10/100/1000; 16 x SFP; 2 x XFP
• Multi-core architecture
• 4 power supplies, redundant (N+1)
• Performance
  • Firewall throughput (large packets): 10 / 20 / 30 Gbps
  • Concurrent sessions: 2.25M
*Requires at least 1 SPC and 1 NPC
Component Review
Front: dual-height SFB option cover (SRX 3600 only); Switch Fabric Board (SFB); air intake; IOC 16 x SFP; IOC 2 x 10GE; Services Processing Card (SPC); IOC 16 x copper; front slot guide; fan tray door.
Rear: Services Processing Cards (SPC); Network Processing Cards (NPC) [or SPCs]; Routing Engine (RE); rear slot guide.
SRX 3x00 SFB: Switch Fabric Board
Labels: control panel; virtual IOC; HA-control port 1; HA-control port 0; BITS clock^.
A single Stoli chip provides 16 10 Gbps full-duplex, non-blocking endpoints (320 Gbps).
Note ^: BITS clock support will require a daughter card.
SRX 3x00 SFB: Control Panel
Labels: SFB status LED; RE0 console; Master RE^; AUX/USB; aggregated CFM status LEDs; yellow alarm LED; red alarm LED; power button; RE0 Ethernet; RE1^ Ethernet; RE1^ console; HA status LED.
Note ^: Only the RE in slot 0 is supported at FRS. For future use.
SRX 3x00 SFB: Virtual IOC
Labels: port 0/0/0, port 0/0/1, port 0/0/6, port 0/0/7, port 0/0/8, port 0/0/11.
Note: these "built-in" ports will not work unless an NPC and an SPC are installed in the system.
Total System Capacity
• SRX 3400 maximum capacities at FRS
  • AC (1000W, C19 straight): 4 SPCs, 2 NPCs, 1 IOC
    • 20 Gbps stateful firewall
    • 1M total sessions
    • 120K sessions / second
    • 6 Gbps IDP
    • 8 Gbps IPsec VPN
  • DC (850W): 3 SPCs, 2 NPCs, 1 IOC (optimized for FW performance)
    • 20 Gbps stateful firewall
    • 1M total sessions
    • 120K sessions / second
    • 4 Gbps IDP
    • 6 Gbps IPsec VPN
• SRX3600 maximum capacities at FRS: 7 SPCs, 3 NPCs, 2 IOCs
  • 30 Gbps stateful firewall
  • 2M total sessions
  • 120K sessions / second
  • 11 Gbps IDP
  • 14 Gbps IPsec VPN
The SRX 3400-DC is limited by power supply capacity. No HA limitations.
Combo-CP
• Unlike the SRX 5Ks, the first SPC installed in an SRX 3K splits its resources between CP (central point) and flow duty.
• The first SPC contributes only the following to flow:
  • 50% of its memory: 500K sessions instead of 1M
  • ~85% of its CPU if there is only one SPC in the system
  • ~67% of its CPU if there are two or more SPCs in the system
• Initially, weighted round-robin distribution of 2:1 relative to the other SPUs.
• Because of this session/CPU imbalance, test tools underrate system performance by approximately half of one SPU.
SRX5600
• Horizontal chassis (8U)
• 8 slots
• Up to 6 SPC / IOC
• Up to 2 SCBs (redundant)
• Modular interfaces: 40 x SFP; 4 x 10 Gig
• Multi-core architecture
• 4 power supplies, redundant (N+n / N+1)
• Performance
  • Firewall throughput (large packets): 60 Gbps
  • Concurrent sessions: 9M
*Requires at least 1 SPC
SRX5800
• Vertical chassis (16U)
• 14 slots
• Up to 11 SPC / IOC
• Up to 3 SCBs (redundant)
• Modular interfaces: 40 x SFP; 4 x 10 Gig
• Multi-core architecture
• 4 power supplies, redundant (N+n / N+1)
• Performance
  • Firewall throughput (large packets): 120 Gbps
  • Concurrent sessions: 10M
*Requires at least 1 SPC
Component Review
Labels: control panel; upper fan tray; Switch Control Boards (SCB); IOC 40 x 1GE; IOC 4 x 10GE; Service Processing Cards (SPC); Route Engine (RE); lower fan tray; air intake.