Thursday, 11 October 2012

Juniper SRX Hardware Overview - Data Centre

As the previous post outlined, the Juniper SRX portfolio is divided into two main categories: Branch SRX Series and Data Centre SRX Series. This post focuses on the Data Centre SRX Series.


Data Centre SRX Gateways

Models
This group consists of the SRX models with 4-digit model numbers (SRX1400, 3400, 3600, 5600, 5800).

Junos
Unlike the branch models, the data centre SRX models do not all share the same distribution of Junos. Here is the breakdown:

  • SRX1400, 3400 and 3600 share a single distribution. Here is a sample of the Junos software file: [junos-srx1k3k-11.1R6.4-domestic.tgz]. In the file name, "srx1k3k" identifies this distribution for use with the SRX1400, 3400 and 3600.
  • SRX5600 and 5800 share a single distribution. Here is a sample of the Junos software file: [junos-srx5000-11.1R6.4-domestic.tgz]. In the file name, "srx5000" identifies this distribution for use with the SRX5600 and 5800.

Architecture
The hardware architecture used for the data centre models is distributed across different hardware components. This allows the product to scale into very high performance environments. It also allows the product to be tailored to the requirements of the network. For example, additional pieces of hardware can be added to increase performance.

Hardware Components (used for traffic processing)
I/O Card (Input Output Card) is, as the name describes, a card with interfaces on it that pass traffic to and from the device.
NPU (Network Processing Card) provides traffic handling between I/O cards and SPU modules. On the SRX1400, SRX3400 and SRX3600 the NPU cards are standalone modules. On the SRX5600 and SRX5800 the NPU cards are located on the I/O cards.
SPU (Services Processing Unit) provides processing for all firewall related services, such as session set-up and firewall processing, NAT, VPN etc.
SPC (Services Processing Card) contains one or more Services Processing Units.
CP (Central Point) is a single SPU that has been designated to contain a global session table and load balance traffic accordingly across all available SPUs.

Packet Processing (how the hardware components are used in packet processing)
The following describes the steps of a new session setup as related to the hardware components. Additional details can be found in the Junos 11.1 documentation.

  1. Traffic arrives at the ingress interface and is forwarded to the NPU.
  2. The NPU checks its local session table for a traffic match. There is not a match at this point so the NPU forwards the packet to a designated SPU called the CP (Central Point).
  3. The CP selects and forwards the packet to the designated SPU where the session is setup and the packet is processed. 
  4. The SPU installs the session in both the CP and the ingress/egress NPUs and forwards the packet to the egress NPU.
  5. The egress NPU passes the packet to the egress I/O card.

Figure: First Path Processing

Once the session is established the following steps would take place.
  1. Traffic arrives at the ingress interface and is forwarded to the NPU.
  2. The NPU checks its local session table for a traffic match. There is a match in the session table, so the NPU references this table to send the packet to the correct SPU.
  3. The designated SPU processes the packet and forwards the packet to the egress NPU.
  4. The egress NPU passes the packet to the egress I/O card.

Figure: Processing After Session Setup
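
The two packet walks above can be traced with a small model. This is an added example, not Juniper code or part of the original post: the names Chassis, forward and _cp_select are hypothetical, and the CP's SPU-selection rule (a hash over the flow tuple) is an assumption, since the post does not say how the CP chooses an SPU.

```python
# Added illustration: toy model of the NPU / CP / SPU session path described above.
# The CP's SPU-selection rule below is an assumption, not Juniper's algorithm.
from dataclasses import dataclass, field

@dataclass
class NPU:
    name: str
    sessions: dict = field(default_factory=dict)   # flow key -> SPU id

@dataclass
class SPU:
    ident: int
    sessions: set = field(default_factory=set)

class Chassis:
    def __init__(self, spu_count, npu_names):
        self.spus = [SPU(i) for i in range(spu_count)]
        self.npus = {n: NPU(n) for n in npu_names}
        self.cp_sessions = {}                       # global session table held by the CP

    def _cp_select(self, flow):
        # Hypothetical load-balancing rule: deterministic hash over the flow tuple.
        return self.spus[sum(map(ord, "|".join(map(str, flow)))) % len(self.spus)]

    def forward(self, flow, ingress, egress):
        """Return the list of hops one packet of `flow` takes."""
        npu_in, npu_out = self.npus[ingress], self.npus[egress]
        path = [f"io:{ingress}", f"npu:{ingress}"]
        spu_id = npu_in.sessions.get(flow)
        if spu_id is None:                          # first path: no match in the NPU table
            path.append("cp")
            spu = self._cp_select(flow)
            spu.sessions.add(flow)                  # session is set up on the chosen SPU
            self.cp_sessions[flow] = spu.ident      # SPU installs the session in the CP
            npu_in.sessions[flow] = spu.ident       # ... and in the ingress/egress NPUs
            npu_out.sessions[flow] = spu.ident
        else:                                       # session exists: NPU sends straight to SPU
            spu = self.spus[spu_id]
        path += [f"spu:{spu.ident}", f"npu:{egress}", f"io:{egress}"]
        return path

def demo():
    # Constructed sample flow (src, dst, proto, sport, dport) using documentation addresses.
    flow = ("192.0.2.10", "198.51.100.5", "tcp", 40000, 443)
    box = Chassis(spu_count=3, npu_names=["ge-0", "ge-1"])
    return box.forward(flow, "ge-0", "ge-1"), box.forward(flow, "ge-0", "ge-1"), box

if __name__ == "__main__":
    first, later, _ = demo()
    print("first packet :", " -> ".join(first))
    print("later packets:", " -> ".join(later))
```

Only the first packet of the flow passes through the CP; later packets are matched in the ingress NPU's local table and go to the same SPU.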



I/O Options
For I/O and transceiver options, please reference the respective product data sheets.
SRX1400 data sheet
SRX3400 and SRX3600 data sheet
SRX5600 and SRX5800 data sheet


UTM (Unified Threat Management)
UTM is not supported on the data centre SRX series.
