JUNOS software for SRX-series devices provides Domain Name System
(DNS) support. The DNS ALG monitors DNS query and reply packets and
closes the session if the DNS flag indicates the packet is a reply
message.
To configure the DNS ALG, use the edit security alg dns statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide.
FTP ALG
Now supported on SRX 240 and SRX650 devices. Existing support
on SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
For information on functionality, see the “JUNOS for SRX-Series
Services Gateways Product Overview” section.
To configure these ALGs, use the edit security alg ftp and edit security alg ftp statements at the [edit security
alg] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
H.323 ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides H.323 standard
and H.323 Avaya support. The H.323 standard is a legacy VoIP protocol
defined by the International Telecommunication Union Telecommunication
Standardization (ITU-T). H.323 consists of a suite of protocols (such
as H.225.0 and H.245) that are used for call signaling and call control
for VoIP.
To configure the H.323 ALG, use the edit security alg h323 statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide
MGCP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Media Gateway
Control Protocol (MGCP) support. MGCP is a text-based Application
Layer protocol used for call setup and call control between the media
gateway and the media gateway controller (MGC).
To configure the MGCP ALG, use the edit security alg mgcp statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide
PPTP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Point-to-Point
Tunneling Protocol (PPTP) support. PPTP is a Layer 2 protocol that
tunnels PPP data across TCP/IP networks. The PPTP client is freely
available on Windows systems and is widely deployed for building virtual
private networks (VPNs).
To configure the PPTP ALG, use the edit security alg pptp statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide
RPC ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides basic Remote
Procedure Call (RPC) support. RPC is a protocol that allows an application
running in one address space to access the resources of applications
running in another address space as if the resources were local to
the first address space. The RPC ALG is responsible for RPC packet
processing.
To configure the RPC ALG, use the edit security alg rpc statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide
RSH ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Remote Shell
(RSH) support. The RSH ALG handles TCP packets destined for port 514
and processes the RSH port command. The RSH ALG performs
NAT on the port in the port command and opens gates as necessary.
To configure the RSH ALG, use the edit security alg rsh statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide
RTSP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Real-Time Streaming
Protocol support.
To configure the RTSP ALG, use the edit security alg rtsp statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide
SCCP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Skinny Client
Control Protocol (SCCP) support. SCCP is a Cisco proprietary protocol
for call signaling. Skinny is based on a call-agent-based call-control
architecture. The control protocol uses binary-coded frames encoded
on TCP frames sent to well-known TCP port number destinations to set
up and tear down RTP media sessions. The SCCP protocol, just as other
call control protocols, negotiates media endpoint parameters, specifically
the RTP port number and the IP address of media termination by embedding
information in the control packets. The SCCP ALG parses these control
packets and facilitates media and control packets to flow through
the SRX-series devices.
To configure the SCCP ALG, use the edit security alg sccp statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide
SIP ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Session Initiation
Protocol (SIP) support. SIP is an Internet Engineering Task Force
(IETF)-standard protocol for initiating, modifying, and terminating
multimedia sessions over the Internet. Such sessions might include
conferencing, telephony, or multimedia, with features such as instant
messaging and application-level mobility in network environments.
To configure the SIP ALG, use the edit security alg sip statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide
SQLNET ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides Structured Query
Language (SQL) support. The SQLNET ALG processes SQL TNS response
frames from the server side. It parses the packet and looks for (HOST
= ipaddress) , (PORT = port) patterns and performs NAT and gate opening on the client side for
the TCP data channel.
To configure the SQLNET ALG, use the edit security alg sqlnet statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide
TALK ALG
Now supported on SRX 210 devices.
JUNOS software for SRX-series devices provides TALK protocol
support. The TALK protocol uses UDP port 517 and port 518 for control
channel connections. The <ui>talk</ui> program consists of a
server and a client. The server handles client notifications and helps
to establish talk sessions. There are two types of talk servers: ntalk and talkd. The TALK ALG processes packets of
both ntalk and talkd formats. It also performs NAT
and gate opening as necessary.
To configure the TALK ALG, use the edit security alg talk statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide
TFTP ALG
Now supported on SRX 240 and SRX650 devices. Existing support
on SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices.
For information on functionality, see the “JUNOS for SRX-Series
Services Gateways Product Overview.”
To configure the TFTP ALG, use the edit security alg tftp statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide
Chassis Clustering
Active/active chassis clustering
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and
SRX 5800 devices.
The data plane now supports active/active chassis clustering
for these SRX-series devices. The chassis clustering on these SRX-series
devices is no longer restricted to the creation of only one redundancy
group beyond redundancy group 0. You can now configure one or more
redundancy groups numbered 1 through 128. Multiple redundancy groups
make it possible for traffic to arrive on an interface of one redundancy
group and egress on an interface that belongs to another redundancy
group. In this situation, the ingress and egress interfaces might
not be active on the same node. When this happens, the traffic is
forwarded over the fabric link to the appropriate node. SRX-series
chassis clusters operate with an active/backup control plane.
Control link recovery
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and
SRX 5800 devices.
Prior to this release, when a node was disabled due to control
link failure, after fixing the issue, you had to manually reboot the
disabled node to make the disabled node rejoin the cluster. With this
release, you can specify that control link recovery be done automatically
by the system by using the set chassis cluster control-link-recovery command (this feature is disabled by default). Once the system determines
that the control link is healthy, it issues an automatic reboot on
the disabled node. When the disabled node reboots, the node rejoins
the cluster. There is no need for any manual intervention.
Cold synchronization monitoring
This feature is now supported on SRX 210, SRX 240, and SRX650
devices. Existing support on SRX 3400, SRX 3600, SRX 5600, and SRX
5800 devices.
The process of synchronizing data plane RTOs (runtime objects)
on the startup of the Services Processing Units (SPUs) or flowd is
called cold sync. Chassis clustering supports
the process of monitoring the cold-sync state of all SPUs or flowd
on a node. Also, if you enable preempt, cold-sync monitoring prevents
the node from taking over mastership until the cold-sync process
is completed for all the SPUs or flowd on the node.
Flowd monitoring
This feature is supported on SRX 210 devices.
Chassis clustering supports the process of monitoring the health
of the flowd process. A failed flowd process causes failover of redundancy
group x to the secondary node.
SNMP failover traps
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and
SRX 5800 devices.
Chassis clustering supports SNMP traps, which are triggered
whenever there is a redundancy group failover. You can specify that
a trace log be generated by using the set chassis cluster traceoptions
flag snmp command.
SPU monitoring
This feature is supported on SRX 3400, SRX 3600, SRX 5600,
and SRX 5800 devices.
Chassis clustering supports the process of monitoring the health
of the SPUs and of the central point (CP). A single, failed SPU
causes failover of redundancy group x to the
secondary node. A central point failure triggers failover to the
secondary node.
Intrusion Detection and Prevention (IDP)
Configuring IDP test conditions in custom
anomaly attacks
This feature is supported on SRX 210, SRX 240, SRX650, SRX 3400,
SRX 3600, SRX 5600, and SRX 5800 devices.
The user can now see the supported test conditions for a protocol
in the CLI.
When configuring IDP custom attacks, you can now list supported
test conditions for a specific protocol. For example, to configure
test conditions for ICMP:
List supported test conditions for ICMP and choose
the one you want to configure:
Possible completions:
<test> Protocol anomaly condition to be checked
ADDRESSMASK_REQUEST
DIFF_CHECKSUM_IN_RESEND
DIFF_CHECKSUM_IN_RESPONSE
DIFF_LENGTH_IN_RESEND
Configure the service for which you want to configure
the test condition.
This feature is now supported on SRX 210, SRX 240, and SRX650
devices. Existing support on SRX 3400, SRX 3600, SRX 5600, and SRX
5800 devices.
CoS allows you to divide traffic into classes and specify various
levels of throughput and packet loss when congestion occurs. This
allows packet loss to happen occur according to the rules you configure.
For more information about the JUNOS implementation of CoS and about
configuring CoS, see the JUNOS Software Interfaces and Routing
Configuration Guide.
Configuring simple filters and policers
This feature is supported on SRX 3400 and SRX 3600 devices.
To handle oversubscribed traffic in the SRX 3400 and SRX 3600
series devices, you can configure simple filters and policing. The
simple filter functionality comprises of the following:
Classifying packets according to configured policies
Taking appropriate actions based on the results of classification
Intermediate System-to-Intermediate System
(IS-IS)
This feature is supported on SRX 210, SRX 240, SRX650, SRX 3400,
SRX 3600, SRX 5600, and SRX 5800 devices.
IS-IS protocol, a classless interior routing protocol developed
by the International Organization for Standardization (ISO) as part
of the development of the Open Systems Interconnection (OSI) protocol
suite. Like OSPF routing, IS-IS uses hello packets that allow
network convergence to occur quickly when network changes are detected.
For more information about the IS-IS protocol and about configuring
IS-IS, see the JUNOS Software Interfaces and Routing Configuration
Guide.
Jumbo frame support
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and
SRX 5800 devices.
Jumbo frames, or 9192 byte MTUs, on Gigabit Ethernet interfaces
and 10-Gigabit Ethernet interfaces. To configure jumbo frame support,
see the JUNOS Software Interfaces and Routing Configuration
Guide.
Layer 2 bridging and transparent mode
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and
SRX 5800 devices.
This release provides Layer 2 bridging with transparent mode.
Transparent mode provides full security services on top of Layer 2
bridging functions. An SRX services gateway operates in Layer 2 transparent
mode when all physical interfaces on the device are configured as
Layer 2 logical interfaces. There is no command to enable transparent
mode on the device.
Note:
You cannot define both Layer 2 and Layer 3 logical interfaces
on a physical interface.
To configure a Layer 2 logical interface, use the unit statement at the [edit interfaces] hierarchy, and configure
the logical interface with the bridge family type. You can
configure the logical interface as an access or a trunk interface.
A bridge domain is a set of logical interfaces that share the
same flooding or broadcast characteristics. You can configure a set
of bridge domains that are associated with a trunk interface. The
set of bridge domains then functions as a switch: a packet received
on a trunk interface is forwarded based on the VLAN ID (a packet is
forwarded within the bridge domain that has the same VLAN ID as the
packet) and destination MAC. VLAN-based MAC learning, forwarding,
and aging are supported. To configure a bridge domain, use the [edit bridge-domains] hierarchy to specify the VLAN ID(s) for
packets that will be forwarded on the bridge domain.
Note:
In this release, Layer 2 bridging does not support STP. It is
the user’s responsibility to ensure that no flooding loops exist
in the network topology.
You can optionally configure an integrated routing and bridging
(IRB) interface for management traffic on the device. For this release,
the IRB interface does not support traffic forwarding or routing.
To configure an IRB interface, create an irb logical interface
in the [edit interfaces] hierarchy, and then reference the
IRB interface in the [edit bridge-domains] hierarchy.
When packets are forwarded through a bridge domain, security
policies can be applied between Layer 2 security zones. To create
Layer 2 security zones, use the security-zone statement at
the [edit security zones] hierarchy, and specify the interfaces
that belong to the zone. (The IRB interface cannot be assigned to
any security zone.) You can configure screen options, address books,
or TCP-RST for Layer 2 security zones.
Note:
You can configure the same screen options for a Layer 2 security
zone as for a Layer 3 security zone, with the exception of IP spoofing.
You configure a transparent mode security policy in the same
way as for policies configured for Layer 3 zones, with the following
exceptions:
NAT is not supported
Layer 2 IPsec VPN is not supported
ALGs are not supported
IDP policies are not supported for Layer 2 traffic
To configure a transparent mode security policy, use
the [edit security policies] hierarchy.
Note:
Chassis clustering of SRX devices in transparent mode is not
supported in this release.
For more information, see the JUNOS Software Interfaces
and Routing Configuration Guide.
3G wireless network connections
This feature is supported on SRX 210 devices.
This release allows SRX 210 devices to use 3G networks as primary
or backup WAN links. Juniper supports the following 3G wireless modem
cards installed in the ExpressCard slot of the SRX 210 services gateway:
Sierra Wireless AirCard Global System for Mobile communications
(GSM) High-Speed Downlink Packet Access (HSDPA) ExpressCard
Sierra Wireless AirCard Code-Division Multiple Access
(CDMA) 1xEvolution-Data Optimized (EV-DO) rev. A ExpressCard
The physical interface cl-0/0/8 is created automatically
when the 3G modem is installed in the SRX 210 services gateway. To
configure the interface, use the set interfaces cl-0/0/8 statement
at the [set interfaces] hierarchy level. To configure the
logical dialer interface, use the set interfaces dln statement
at the [set interfaces] hierarchy level. For more information,
see the JUNOS Software Interfaces and Routing Configuration
Guide.
Multicast Interfaces
This feature is supported on SRX 3400, SRX 3600, SRX 5600, and
SRX 5800 devices.
Multicast traffic streams between a single source and multiple
destinations. In Protocol Independent Multicast (PIM) sparse mode,
the first-hop routing platform encapsulates packets destined for the
rendezvous point device. The packets are encapsulated with a unicast
header and are forwarded through a unicast tunnel to the rendezvous
point. The rendezvous point then de-encapsulates the packets and transmits
them through its multicast tree.
Within a device, packets are routed to the PIM interfaces pe-0/0/0 for encapsulation and pd-0/0/0 for de-encapsulation.
These interfaces are not associated with physical network interfaces
and are created internally when you issue the set protocol pim command. You must configure PIM with the [edit protocols pim] hierarchy to perform PIM encapsulation or de-encapsulation.
For more information about multicast protocols and configuring
multicast protocols on Juniper Networks devices, see the JUNOS Multicast Protocols Configuration Guide
IPsec
IPsec multiple flow thread architecture
This feature is now supported on SRX 210, SRX 240 and SRX650
devices. Existing support on SRX 3400, SRX 3600, SRX 5600, and SRX
5800 devices.
These devices provide a multiple flow thread architecture that
results in increased IPsec performance. For more information, see
the JUNOS Software Security Configuration Guide.
Dynamic VPN
This feature is supported on SRX 210 and SRX 240 devices.
The dynamic VPN feature uses Internet Protocol Security (IPsec)
technology to create secure VPN tunnels. This feature simplifies remote
access by enabling users to establish VPN tunnels without having to
manually configure VPN settings on their PCs or laptops. Instead,
the client is dynamically delivered to users from the SRX 210 or SRX
240 devices upon successful authentication. This Layer 3 remote access
client uses client-side configuration settings that it receives from
the server to create and manage a secure VPN tunnel to the server.
For more information, see the JUNOS Software Security Configuration Guide.
Management and Administration
Support for the TFTPBOOT installation method
This feature is supported on SRX 210 devices.
You install the JUNOS software by using the Trivial File Transfer
Protocol BOOT (TFTPBOOT) method. During installation of the JUNOS
software, the secondary boot loader in the services gateway retrieves
the JUNOS software package from a TFTP server. The software image
is then installed on the internal flash. Using TFTP installation to
install a new image will wipe out any user-generated configurations
on the router. The router will come up with the factory default configuration.
Note:
The TFTPBOOT method can be used only on LANs.
To install the software image on the internal flash, issue the
following command at the loader prompt.
Loader > installURL
where URL is tftp://<tftp
server ip> <package name>
You can use the TFTPBOOT method in the following scenarios:
To bring up the SRX 210 services gateway if the standard
boot process fails
To install the JUNOS software on the SRX 210 services
gateway for the first time
To start JUNOS without using the NAND flash
For more information about the other installation methods,
see the JUNOS Software Administration Guide.
Security
Unified Access Control (UAC) integration
This feature is now supported on SRX 240, and SRX650 devices.
Existing support on SRX 210, SRX 3400, SRX 3600, SRX 5600, and SRX
5800 devices.
You can configure an SRX-series services gateway to act as a
JUNOS Enforcer in a Unified Access Control (UAC) deployment. When
deployed as a JUNOS Enforcer, the SRX-series device enforces the policies
that are defined on the UAC’s Infranet Controller. To configure
the SRX-series device as a JUNOS Enforcer, enable the application-services statement at the [edit security policies from-zone zone-name to-zone zone-name policy
match then permit] hierarchy level. Then use the unified-access-control statement at the [edit services] hierarchy level to configure
UAC features. For more information, see the JUNOS Software Security Configuration Guide.
Unified Threat Management (UTM)
features
These features are supported on SRX 210, SRX 240, and SRX650
devices.
Antispam—E-mail spam consists
of unwanted e-mail messages, usually sent by commercial, malicious,
or fraudulent entities. The antispam feature examines transmitted
e-mail messages to identify e-mail spam. When the device detects
an e-mail message deemed to be spam, it either drops the message or
tags the message header or subject field with a preprogrammed string.
The antispam feature uses a constantly updated spam block list
(SBL). Sophos updates and maintains the IP-based SBL. The antispam
feature is a separately licensed subscription service.
To configure antispam, use the antispam statement at
the [set security utm feature-profile] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide.
Content filtering—Content filtering
blocks or allows certain types of traffic based on the MIME type,
file extension, protocol command, and embedded object type. Content
filtering does not require a separate license.
To configure redirect content filtering, use the content-filtering statement at the [set security utm feature-profile] hierarchy
level. For more information, see the JUNOS Software Security Configuration Guide.
Express antivirus—Express antivirus
scanning is offered as a less CPU intensive alternative to the full
file-based antivirus feature. The express antivirus feature, like
the full antivirus feature, scans specific Application Layer traffic
for viruses against a virus signature database. However, unlike full
antivirus, express antivirus does not reconstruct the original application
content. Rather, it just sends (streams) the received data packets,
as is, to the scan engine. With express antivirus, the virus scanning
is executed by a hardware pattern matching engine. This improves
performance while scanning is occurring, but the level of security
provided is lessened. Juniper Networks provides the scan engine.
The express antivirus scanning feature is a separately licensed subscription
service.
To configure express antivirus, use the antivirus juniper-express-engine statement at the [set security utm feature-profile] hierarchy
level. For more information, see the JUNOS Software Security Configuration Guide.
Full file-based antivirus—A virus is executable
code that infects or attaches itself to other executable code to
reproduce itself. Some malicious viruses erase files or lock up systems.
Other viruses merely infect files and overwhelm the target host or
network with bogus data. The full file-based antivirus feature provides
file-based scanning on specific Application Layer traffic checking
for viruses against a virus signature database. It collects the received
data packets until it has reconstructed the original application
content, such as an e-mail file attachment, and then scans this content.
Kaspersky Lab provides the internal scan engine. The full file-based
antivirus scanning feature is a separately licensed subscription service.
To configure full file-based antivirus, use the antivirus
kaspersky-lab-engine statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
Integrated Web filtering—Web filtering lets you manage Internet usage by preventing
access to inappropriate Web content. With the integrated Web filtering
solution, the decision-making for blocking or permitting Web access
is done on the device after it identifies the category for a URL
either from user-defined categories or from a category server (Websense
provides the CPA Server). The integrated Web filtering feature is
a separately licensed subscription service.
To configure integrated Web filtering, use the web-filtering
surf-control-integrated statement at the [set security utm
feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
Redirect Web filtering—Web filtering lets you manage Internet usage by preventing
access to inappropriate Web content. The redirect Web filtering solution
intercepts HTTP requests and forwards the server URL to an external
URL filtering server provided by Websense to determine whether to
block or permit the requested Web access. Redirect Web filtering
does not require a separate license.
To configure redirect Web filtering, use the web-filtering
websense-redirect statement at the [set security utm feature-profile] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
UTM Licensing—The majority of UTM features function as a subscription service
requiring a license. You can redeem this license once you have purchased
your subscription license SKUs.
To apply your UTM license, use the system license update statement at the [request] hierarchy level. For more information,
see the JUNOS Software Security Configuration Guide.
Antivirus SNMP Support—SNMP support is provided for the following antivirus functionality:
scan engine monitoring, signature database update status, and scan
statistics.
For more information, see the JUNOS Network Management
Guide.
Hardware Features—SRX 210 Services Gateways
Hardware
JUNOS software for the SRX 210 services gateway integrates the
world-class network security and routing capabilities of Juniper Networks.
JUNOS software for the SRX 210 includes a wide range of security services,
including policies, screens, Network Address Translation (NAT), and
other flow-based services, that are also supported on the other SRX-series
services gateways.
The SRX 210 services gateway offers features that provide complete
functionality and flexibility for delivering secure Internet and intranet
access. This services gateway offers stable, reliable, and efficient
IP routing along with WAN and LAN connectivity. The gateway provides
Internet Protocol Security (IPsec), virtual private network (VPN),
and firewall services for small and medium companies and enterprise
branch and remote offices.
The SRX 210 services gateway can be connected directly to traditional
private networks, such as leased line, Frame Relay, and MPLS networks,
or the public Internet.
There are three variants of the SRX 210 services gateway:
Low Memory
High Memory
Power over Ethernet (PoE)
The SRX 210 services gateway has redundant and resilient hardware.
The following table provides the SRX 210 services gateway chassis
specifications.
The following table provides information about the SRX 210 services
gateway hardware features.
Table 4: SRX 210 Services Gateway Hardware Features
Feature
Description
Gigabit Ethernet
Two ports on the front panel provide LAN and WAN connectivity
to hubs, switches, local servers, and workstations with link speeds
of 10/100/1000 Mbps.
In the PoE version, the PoE is supported on both ports.
Fast Ethernet
Six ports on the front panel provide LAN and WAN connectivity
to hubs, switches, local servers, and workstations with link speeds
of 10/100 Mbps.
In the PoE version, the PoE is supported on the first two Fast
Ethernet ports.
Universal serial bus
Two ports on the front panel support a USB storage device that
can function as a secondary boot device in the event of internal flash
failure. USB ports also provide interfaces for communicating with
peripherals such as USB storage devices and USB storage device adapters.
Console
One port on the front panel functions as a management port for
directly logging into a device to configure it by using the CLI.
ExpressCards
One slot on the rear panel can hold a 3G wireless ExpressCard.
Mini-PIM
One slot on the front panel supports the following Mini-Physical
Interface Modules (Mini-PIMs) to provide LAN and WAN functionality,
along with access to the T1, E1, Gigabit Ethernet, ADSL, and Serial
interfaces:
T1/E1 Mini-PIM
1-port SFP Mini-PIM
ADSL2+ Mini-PIM
Serial Mini-PIM
External power supply
The total power consumption by the three SRX 210 services gateway
variants is as follows:
Low Memory—35.5 W @12 V
High Memory—36.5 W @ 12 V
PoE—36.5 W @ 12 V
50 W @ 48 V
Memory
Fixed Random Access:
Low Memory—512 MB
High Memory—1GB
PoE—1GB
Boot flash—4 MB
Internal flash—1 GB
For more information, see the SRX 210 Services Gateway
Hardware Guide.
Support for the 3G ExpressCard
Wireless WAN access is becoming widely available and comparable
in cost to ISDN and DSL. The SRX 210 services gateway provides support
for a wireless interface that serves both as a backup and as the primary
WAN connection.
Juniper Networks supports 3G wireless modem cards that you can
install into the ExpressCard slot in SRX 210 services gateways.
The 3G ExpressCard provides the following key features:
Operating Mode Selection—You
can select the operating mode you want to use for the 3G ExpressCard.
The supported operating modes are EVDO, HSPDA, and Automatic.
Activation of New Cards Through the CLI—You can activate CDMA ExpressCards through the JUNOS CLI.
Unlocking ExpressCards—You
can unlock both CDMA and Global System for Mobile (GSM) ExpressCards
through the JUNOS CLI.
Call Logging Support—Call
logging provides details about the calling number, dialed number,
direction and duration of the call, and traffic.
For more information, see the SRX 210 Services Gateway
Hardware Guide.
Support for PoE
Power over Ethernet (PoE) is the implementation of the IEEE
802.3 AF standard, allowing both data and electric power to pass over
a copper Ethernet LAN cable.
The SRX 210 services gateway supports PoE on Gigabit Ethernet
ports. The PoE ports transfer electrical power, along with data, to
remote devices over standard twisted-pair cable in an Ethernet network.
PoE ports allow you to plug in devices that require both network connectivity
and electric power, such as VOIP phones, wireless LAN access points,
and IP telephones.
You can configure the gateway to act as power sourcing equipment
to supply the power to powered devices connected on the designated
ports.
The following table lists the SRX 210 services gateway PoE specifications.
PoE is supported on the two Gigabit Ethernet ports and two Fast
Ethernet ports.
Total PoE power sourcing capacity
50 W
Per port power limit
15.4 W
Power management modes
Static: power allocated for each interface can be configured
Class: power allocation for interfaces is decided based
on the class of powered device connected
ADSL Interface Support on SRX 210
The SRX 210 services gateway provides a single-port ADSL2+ Mini-Physical
Interface Module (Mini-PIM). The ADSL2+ Mini-PIM provides a single
physical interface for ADSL network media types.
The ADSL2+ Mini-PIM supports the following operational modes:
ADSL mode for ANNEX-A
ADSL mode for ANNEX-B
ADSL mode for ANNEX-M
The ADSL interface provides the following key features:
Automatic configuration of the ADSL line after negotiation
with the DSLAM, minimizing configuration
Supports ADSL, ADSL2, and ADSL2+ protocols on the same
interface card
Gasp support
MLPPP over two ADSL cards
Asynchronous Transfer Mode (ATM) Adaptation Layer 5 (AAL5)
encapsulation
For more information, see the JUNOS Software Interfaces and Routing Configuration Guide.
Support for the T1 and E1 Interfaces
The T1/E1 Mini-Physical Interface Module (Mini-PIM) provides
the physical connection to T1 or E1 network media types and also performs
T1 or E1 framing and line-speed signaling.
The T1 and E1 interfaces provide the following key features:
Integrated channel service unit (CSU) or data service
unit (DSU) to eliminate the need for a separate external device.
56-Kbps and 64-Kbps operating modes
Independent internal and external clocking option
Alarm reporting with a 24-hour history
Loopback, bit error rate test (BERT), facilities data
link [FDL (T1 only)], and Long Buildout (T1 only) diagnostics
Multilink Frame Relay and Multilink PPP support
Complete configuration and management by CLI and J-Web
For more information, see the JUNOS Software Interfaces and Routing Configuration Guide.
Support for Connectivity to a Gigabit Ethernet Device or Network
The 1-Port Small Form factor Pluggable (SFP) Mini-Physical Interface
Module (Mini-PIM) provides connectivity to a single Gigabit Ethernet
device or network.
The 1-Port SFP Mini-PIM provides the following key features:
Enables you to install and remove transceivers without
powering down the device
Provides real-time visual status of connectivity and traffic
flows
Provides Link Up/Down alarm
Supports different transceiver types
For more information, see the SRX 210 Services Gateway
Hardware Guide.
Serial Mini-Physical Interface Module
Serial WAN links provide bidirectional links that require very
few control signals. In a basic serial setup, the data circuit-terminating
equipment (DCE) is responsible for establishing, maintaining, and
terminating a connection. A modem is a typical DCE device. A serial
cable connects the DCE to a telephony network where, ultimately, a
link is established with data terminal equipment (DTE). DTE is typically
where a link terminates.
Key Features
Autoselection of operation modes based on DTE or DCE cables
Local and remote loopback diagnostics
Configurable clock rate for the transmit (TX) clock and
receive (RX) clock
Complete configuration and management by CLI and J-Web
configuration editor
Hardware Features—SRX 240 Services Gateways
Hardware
JUNOS software for the SRX 240 services gateway integrates the
world-class network security and routing capabilities of Juniper Networks
products. JUNOS software for the SRX 240 services gateway includes
a wide range of security services, including policies, screens, NAT,
and other flow-based services that are also supported on the other
SRX-series services gateways.
The SRX 240 device offers features that provide complete functionality
and flexibility for delivering secure Internet and intranet access.
The SRX 240 device offers stable, reliable, and efficient IP routing
and WAN and LAN connectivity. The device provides IP Security (IPsec),
virtual private network (VPN), and firewall services for small and
medium companies and enterprise branch and remote offices.
The SRX 240 services gateway can be connected directly to a
traditional private network such as leased line, Frame Relay, or Multi
Protocol Label Switching (MPLS) networks as well as the public Internet.
There are three types of SRX 240 services gateways:
Low Memory
High Memory
PoE
Table 6 lists
the hardware features supported on the SRX 240 services gateway.
Table 6: Hardware
Features of the SRX 240 Services Gateway
Features
SRX 240 Services Gateway
Low Memory
SRX 240 Services Gateway
High Memory
SRX 240 Services Gateway
PoE
DDR Memory
512 MB
1 GB
1 GB
PoE Support
No
No
Yes
Input Power
119 W
128 W
317 W
AC input voltage
100 to 240 VAC
100 to 240 VAC
100 to 240 VAC
The SRX 240 services gateway has redundant and resilient hardware.
Table 7 describes the SRX
240 services gateway hardware specifications.
Table 7: Hardware Specifications
of the SRX 240 Services Gateway
Description
Value
Chassis height
1 Rack Unit (U)
Chassis width
17.5 in (444 mm)
Chassis depth
16 in (408.23)
Maximum thermal output
SRX 240 Low Memory:
AC Power: 396 BTU/hour (116W)
DC Power: 338 BTU/hour (99W)
SRX 240 High Memory:
AC Power: 427 BTU/hour (125W)
DC Power: 365 BTU/hour (107W)
SRX 240 PoE:
AC Power: 560 BTU/hour (164W)
DC Power: 478 BTU/hour (140W)
Temperature
Normal operation ensured in temperature range of 32°F (0°C)
to 104°F (–40°C)
Nonoperating storage temperature in shipping container: –40°F
(–40°C) to 158°F (70°C)
Table 8 describes the SRX
240 services gateway hardware features.
Table 8: SRX 240 Services
Gateway Hardware Features
Features
Description
Gigabit Ethernet
Sixteen ports on the front panel provide LAN and WAN connectivity
to hubs, switches, local servers, and workstations with link speeds
of 10/100/1000 Mbps.
Note:
On the PoE version of the SRX 240 services gateway, all 16 Gigabit
Ethernet ports support PoE.
Universal Serial Bus (USB)
Two ports on the front panel support a USB storage device that
can function as a secondary boot device in the event of internal flash
failure. USB ports also provide interfaces for communicating with
peripherals such as USB storage devices and USB storage device adapters.
Console
One port on the front panel functions as a management port for
directly logging into a device to configure it using the CLI.
Mini-PIM
Four slots on the front panel support the following Mini-Physical
Interface Modules (Mini-PIMs) to provide LAN and WAN functionality,
along with access to the T1, E1, Gigabit Ethernet, and ADSL interfaces:
T1/E1 Mini-PIM
1-port SFP Mini-PIM
ADSL2+ Mini-PIM
Serial Mini-PIM
Power supply
100 to 240 VAC (Integrated single AC power supply)
Memory
Fixed Random Access — 512 MB Memory (RAM)
Boot flash — 4 MB
Internal flash — 1 GB
For more information, see the SRX 240 Services Gateway
Hardware Guide.
Serial Mini-Physical Interface Module
Serial WAN links provide bidirectional links that require very
few control signals. In a basic serial setup, the data circuit-terminating
equipment (DCE) is responsible for establishing, maintaining, and
terminating a connection. A modem is a typical DCE device. A serial
cable connects the DCE to a telephony network where, ultimately, a
link is established with data terminal equipment (DTE). DTE is typically
where a link terminates.
Key Features
Autoselection of operational modes based on DTE or DCE
cables
Local and remote loopback diagnostics.
Configurable clock rate for transmit (TX) and receive
(RX) clocks.
Complete configuration and management by CLI and J-Web
configuration editor.
For more information, see the SRX 240 Services Gateway
Hardware Guide.
Power Over Ethernet
Introduction
Power over Ethernet (PoE) is the implementation of the IEEE
802.3 AF standard, allowing both data and electric power to pass over
a copper Ethernet LAN cable.
The SRX 240 services gateway supports PoE on Gigabit Ethernet
ports. The PoE ports transfer electrical power, along with data, to
remote devices over standard twisted-pair cable in an Ethernet network.
PoE ports allow you to plug in devices that require both network connectivity
and electric power, such as VOIP phones, wireless LAN access points,
and IP telephones.
You can configure the gateway to act as power sourcing equipment
to supply the power to powered devices connected on the designated
ports.
SRX 240 Services Gateway PoE Specifications
Table 9 lists the SRX 240 Services
Gateway PoE specifications:
Static: power allocated for each interface can
be configured
Class: power allocation for interfaces is decided
based on the class of powered device connected
Hardware Features—SRX650 Services Gateways
Hardware
The SRX650 is a mid-range dynamic services gateway that consolidates
network infrastructure and security applications for regional offices,
large branch offices, and small to medium enterprises. The services
gateway provides cost-effective, scalable integration of routing,
security, and other mid-range applications for these sites.
The SRX650 services gateway has a modular 2U chassis that fits
a 19-inch rack with a depth of approximately 18.1 inches. It contains
a rear-pluggable Services and Routing Engine (SRE) module that improves
processing performance for mid-range applications, particularly routing
and firewall services.
The SRX650 services gateway provides the following features:
Symmetric Multiprocessing (SMP)-based data forwarding.
A Services and Routing Engine with 1 GB memory configuration,
which contains the management ports (console and USB) for the services
gateway.
Support for dual AC power supplies with a redundant configuration
in the chassis (approximately 645 W power supply is supported). The
AC power supplies are hot-swappable.
Support for 2 GB CompactFlash (CF) storage devices. The
SRE contains a hot-pluggable CF storage device used to upload and
download files, and the chassis contains a CF storage device used
to store the operating system.
JUNOS support for advanced security and routing services
on the SRE.
Services and Routing Engine Module—The Services and Routing Engine (SRE) module provides processing
power for security services, routing protocol processes, and other
software processes that control the services gateway interfaces, some
of the chassis components, system management, and user access to the
device.
The services gateway must have at least one SRE installed. You
can install additional SREs to increase processing power or to create
SRE redundancy. SREs install horizontally in the back of the chassis
in slots SRE0 and SRE1/SRE1.1. An SRE weighs 3 lbs 13.6 oz (1.75 kg).
Caution:
SREs are not Online Insertion and Removal (OIR) capable. You
must power off the services gateway before removing or inserting an
SRE.
Note:
Slot SRE0 is a full-length slot capable of holding a full-slot
module such as an SRE. The SRE1 and SRE1.1 slots are capable of holding
either two half-slot modules or one full-slot module.
If a slot is not occupied by a card, a blank panel must be installed
to shield the empty slot and to maintain proper cooling of the services
gateway.
Note:
For this release, the SRE must be installed into the lower slot
(SRE0).
Gigabit-Backplane Pluggable Interface Modules—The SRX650 services gateway supports the following Gigabit-backplane
Pluggable Interface Modules (GPIMs):
16-Port Gigabit Ethernet XGPIM
16-Port Gigabit Ethernet with PoE XGPIM
24-Port Gigabit Ethernet XPIM
24-Port Gigabit Ethernet with PoE XPIM
Dual T1/E1 GPIM-contains 2 fixed T1/E1 ports labeled
0 to 1 which supports framed clear channel
Quad T1/E1 GPIM-contains 4 fixed T1/E1 ports labeled 0
to 3 which supports framed clear channel
A GPIM is a network interface card that installs in the front
slots of the services gateway to provide physical connections to a
LAN or a WAN. The GPIM receives incoming packets from a network and
transmits outgoing packets to a network.
PIM Terminology:
GPIM — Gigabit-backplane PIM (GPIM) includes standard
GPIMs that are installed in a single high, single wide GPIM slot and
has gigabit connectivity to the system backplane.
XGPIM — The XGPIM can only be installed in the 20-gigabit
GPIM slots (slots 2 and 6 on the front panel).
XPIM — The XGPIM can only be installed in the 20-gigabit
GPIM slots (slots 2 and 6 on the front panel).
Caution:
GPIMs are not Online Insertion and Removal (OIR) capable. You
must power off the services gateway before removing or inserting a
GPIM. Ensure that the GPIM is installed in the appropriate GPIM slot
before powering on the services gateway.
The services gateway GPIMs communicate with the backplane at
various performance levels and might require specific GPIM slot placement.
GPIM slots are located in the front of the chassis and can hold up
to 8 standard GPIMs. The Dual T1/E1 GPIM and Quad T1/E1 GPIM can be
plugged into any GPIM slot on the services gateway and provide the
physical connection to T1 or E1 network media types. The SRX650 services
gateway chassis can also hold GPIMs that use more than one standard
slot:
Double-high single-wide, which uses two standard slots
vertically
Double-high double-wide, which uses two vertical and two
horizontal slots for a total of four standard slots
Note:
When installing the 24-Port Gigabit Ethernet XPIM, which uses
four slots, you must install it in the 20-gigabit GPIM slots 2 and
6, which refer to the bottom four slots 1 to 4, or the top four slots
5 to 8.
The Dual T1/E1 GPIM and Quad T1/E1 GPIM provide the following
common key features for both T1 and E1 modes:
HDLC operating mode supports 56-Kbps and 64-Kbps
Independent internal and external clocking option
Alarm reporting with 24-hour history
MTU supports 9K bytes
The Dual T1/E1 GPIM and Quad T1/E1 GPIM provide the following
key features specific to either T1 or E1 modes as listed in Table 10.
Table 10: Dual T1/E1 GPIM and
Quad T1/E1 Specific T1 or E1 Features
Description
T1 Mode
E1 Mode
Operation modes
Framed clear channel
Fractional operation mode supports flexible configuration
for time slots (numbered 1-24)
Framed clear channel (64-Kbps)
Unframed clear channel
Fractional operation mode supports flexible configuration
for time slots (numbered 0-31)
Framing
Superframe (D4/SF)
Extended Superframe (ESF)
G704
G704 with no CRC4
G703 Unframed
Line encoding
B8ZS
AMI
HDB3
USB Support
The following USB devices have been tested with SRX650 devices:
Sandisk micro (1 and 2 GB)
Lexar (1 and 2 GB)
Note:
Contact a customer service representative for more information
on supported USB devices.
Power over Ethernet
Both 16-Port XGPIM and 24-Port XPIM support Power over Ethernet
(PoE) if a PoE-capable power supply and PIM module are installed in
the chassis. PoE is the implementation of the IEEE 802.3 AF standard,
which allows both data and electric power to pass over a copper Ethernet
LAN cable. The active Services and Routing Engine (SRE) manages the
overall system PoE power.
The SRX650 services gateway provides PoE ports, which supply
electric power over the same ports that are used to connect network
devices. PoE ports allow you to plug in devices that require both
network connectivity and electric power, such as VOIP, IP phones,
and wireless access points. You can configure the services gateway
to act as power sourcing equipment to supply the power to the GPIMs
connected on the designated PoE ports.
Table 11 lists the SRX650 Services
Gateway PoE Specifications.
PoE is supported on the following front panel slots:
2
4
6
8
Total PoE power sourcing capacity
250 W with one power supply
500 W with two power supplies
Per-port power limit
31.2 W
Power management modes
Static: power allocated for each interface can
be configured
Class: power allocation for interfaces is decided
based on the class of powered device connected
For more information, see the SRX650 Services Gateway
Hardware Guide.
Hardware Features—SRX 5600 and SRX 5800 Services Gateways
Flex I/O Card
This release of JUNOS supports the new SRX5K-FPC-IOC modular
Flex I/O Card (IOC) for the SRX 5600 and SRX 5800 services gateways.
Flex IOCs are IOCs that have two slots and accept port modules
that add Ethernet ports to your services gateway. A flex IOC with
port modules installed in it functions in the same way as a regular
IOC, but allows greater flexibility in adding different types of Ethernet
ports to your services gateway.
Table 12 lists
the Port Modules for SRX 5600 and SRX 5800 services gateway Flex IOC.
Table 12: Port
Modules for SRX 5600 and SRX 5800 Services Gateway Flex IOC
Module
Port type
Ports
SRX-IOC-16GE-TX
10/100/1000 RJ-45
16
SRX-IOC-4XGE-XFP
10 Gigabit XFP
4
Note:
A third port module type, the SRX-IOC-16GE-SFP, is described
in the SRX 5600 Services Gateway Hardware Guide and SRX 5800 Services Gateway Hardware Guide, but this is not available in the 9.5 release.
