Understanding the CFEB
Purpose
Monitor the CFEB so that it can provide route lookup, filtering, and switching on incoming data packets and direct outbound packets to the appropriate interface for transmission to the network.
What Is an CFEB
The CFEB processes 16 Mpps. The CFEB performs the following functions:
- Route lookups—Performs route lookups using the forwarding table stored in synchronous SRAM (SSRAM).
- Management of shared memory —Uniformly allocates incoming data packets throughout the router's shared memory.
- Transfer of outgoing data packets—Passes data packets to the destination FIC or Physical Interface Card (PIC) when the data is ready to be transmitted.
- Transfer of exception and control packets—Passes exception packets to the microprocessor on the CFEB, which processes almost all of them. The remainder are sent to the Routing Engine for further processing. Any errors originating in the Packet Forwarding Engine and detected by the CFEB are sent to the Routing Engine using system log messages.
- (M7i router only) Built-in tunnel interface—Encapsulates arbitrary packets inside a transport protocol, providing a private, secure path through an otherwise public network.
The built-in tunnel interface on the CFEB is configured the same way as a PIC. For information about configuring the built-in tunnel interface, see the JUNOS Services Interfaces Configuration Guide.
- (M7i router only) Optional Adaptive Services PIC-Integrated (ASP-I)—Provides one or more services on one PIC. See "Adaptive Services PIC-Integrated (ASP-I)" on page 11 for more information.
Figure 168 shows the M7i router CFEB component.
Figure 169 shows the M7i router CFEB with ASP-I.
The ASP-I is an optional component of the CFEB. The ASP-I is similar to the standalone Adaptive Services PIC, but operates at a reduced bandwidth. The ASP-I enables you to perform one or more services on the same PIC by configuring a set of services and applications.
The ASP-I provides the following services:
- Stateful firewall—A type of firewall filter that considers state information derived from previous communications and other applications when evaluating traffic.
- Network Address Translation (NAT)—A security procedure for concealing host addresses on a private network behind a pool of public addresses.
- Intrusion detection services (IDS)—A set of tools for detecting, redirecting, and preventing certain kinds of network attack and intrusion.
The configuration for these three services comprises a series of rules that you can arrange in order of precedence as a rule set. Each rule follows the structure of a firewall filter, with a from statement containing input or match conditions and a then statement containing actions to be taken if the match conditions are met. For information about configuring interfaces on the ASP-I, see the JUNOS Services Interfaces Configuration Guide.
Figure 170 shows the M10i router CFEB component.
You can install one CFEB in the M7i router from the rear of the router above the power supplies. You can install one or two CFEBs from the rear of the M10i router chassis above the fan tray (see Figure 171).
