DATASHEET
MULTISERVICES PIC (MS-PIC)

Product Overview
Juniper Networks Multiservices PIC significantly expands the services flexibility of Juniper Networks M Series Multiservice Edge Routers and T Series Core Routers by enabling a broad range of services and applications in a single PIC form factor. Advanced services like stateful firewall, Dynamic Application Awareness (DAA), Session Border Control (SBC), and L2TP Network Server (LNS) can be layered simultaneously on each MS-PIC, creating a rich, scalable services plane that enables enterprises and service providers to deliver new revenue-generating services. As a PIC platform, the MS-PIC’s flexible architecture and silicon innovation provide high-performance service processing, which is extensible to a variety of applications.

Product Description
Juniper Networks® Multiservices PICs (MS-PICs) are modules that supply hardware acceleration for an array of packet processing-intensive services in the Juniper Networks M Series Multiservice Edge Routers and T Series Core Routers. Today these services include stateful firewall, NAT, IPsec, Dynamic Application Awareness (DAA), Session Border Control (SBC), L2TP Network Server (LNS), J-Flow monitoring and collection (cflowd version 5, version 8 and version 9), Lawful Intercept, link services like Multilink Frame Relay (MLFR), Multilink Point-to-Point Protocol (MLPPP), Link Fragmentation and Interleaving (LFI) and Compressed Real-Time Transport Protocol (CRTP), and tunnel services. This wide array of services can be layered simultaneously, creating a rich, scalable services plane and enabling enterprises and service providers to secure their network infrastructure; collect rich statistics for billing, capacity planning, and security purposes; and deliver new revenue-generating services, all with a single module.

The MS-PIC implements all services on the router itself, eliminating discrete devices and layers of network and management complexity, which results in lower cost of ownership. The modules can provide hardware acceleration for any PIC present in the router chassis, allowing providers to deliver consistent services across all interfaces. Multiple MS-PICs can be deployed in one router, increasing performance incrementally and cost-effectively in order to meet growing demand. Packing all these services onto a single PIC enables providers to conserve Flexible PIC Concentrator (FPC) slots in their routers, which reduces capital expenses and dramatically simplifies sparing. The MS-PIC family consists of three types: MS-PIC Type 1, MS-PIC Type 2, and MS-PIC Type 3. Each MS-PIC type matches up with a corresponding FPC Type (FPC Type 1, FPC Type 2, and FPC Type 3).
Architecture and Key Components
The following services can be run on Juniper Networks MS-PICs. Each service requires a software license.
• Stateful firewall provides a per-flow state table and performs packet inspection, which drops packets not complying with the protocol state. A stateful firewall includes attack detection, which provides anomaly-based attack detection and protection.
• NAT supports the static or dynamic translation of private IP addresses to public IP addresses, as well as Port Address Translation (PAT).
• IPsec provides high-performance Data Encryption Standard (DES) encryption, triple Data Encryption Standard (3DES) encryption, and Advanced Encryption Standard (AES) encryption for protecting the router.
• SBC functions, which include both Signaling Gateway functions as well as Media Gateway functions, support a wide variety of IP multimedia subsystem (IMS) and non-IMS applications by permitting the M Series and T Series to dynamically control and manage real-time multimedia traffic flows at the network edge (between the IP edge and the access network). The SBC application also permits critical functions such as bandwidth policing and granular quality-of-service (QoS), as well as access control and accounting features.
• Dynamic Application Awareness provides intrusion prevention system (IPS) technology and Deep Packet Inspection (DPI) functions that together enable the stateful detection, identification, and analysis of application layer traffic (L4-L7) on a per subscriber, per session, and per application basis.
• Compressed Real-Time Transport Protocol (CRTP) compresses the 40-byte IP/UDP/RTP header down to two bytes to reduce the overhead for small packets such as voice.
• LNS is available on Juniper Networks M7i, M10i, and M120 Multiservice Edge Routers only, providing tunnel termination services for L2TP clients.
• J-Flow monitoring offers a high-performance, flow-based monitoring solution by statefully tracking flows and exporting standards-based v5, v8 and v9 flow records to an external collector. Alternatively, these records can also be gathered locally on an MS-PIC, via the flow collector function, and exported to an FTP server periodically.
• Lawful Intercept capabilities enable the capture of packet flows on the basis of dynamic filtering criteria, using Dynamic Tasking Control Protocol (DTCP) requests.
• Link Services provides simultaneous support for two separate capabilities: enhanced multilink bundling and queuing, and link fragmentation and interleaving (LFI).
• Tunnel services provide a broad set of capabilities that allow providers to use different encapsulation mechanisms such as IP over IP, PIM sparse mode (PIM SM), and generic routing encapsulation (GRE), including enhanced GRE functions such as prefragmentation, key stamping, and verification of GRE packets.
• High Availability is supported for Layer 2 and Layer 3 services through a “warm standby” mechanism. This functionality allows Juniper Networks routers to have multiple primary PICs spared by one secondary PIC. If the primary PICs fail, all services on the primary PIC will be migrated to the secondary PIC. MLPPP and IPsec benefit from a “hot standby” mechanism which further reduces the failover time by synchronizing the service states between the primary and secondary PICs.

Features and Benefits

Protecting the Stateful Firewall
The Juniper Networks MS-PIC can be used to provide stateful firewall services integrated with the router to provide protection for the enterprise or service provider network, as well as a revenue-generating managed service that protects customer infrastructure. Traffic from any ingress PIC can be classified and routed to the stateful firewall, then either dropped or forwarded from the proper egress PIC. This integration allows customers to eliminate external firewalls that consume router ports and additional management resources. Alternatively, the integrated firewall function can be used as a first line of defense in a layered security architecture and can offload bulk stateful filtering from the standalone firewall.

The MS-PIC’s stateful firewall evaluates packets in the context of the specific flows they belong to and performs IP packet integrity checks, enabling the PIC to identify and isolate malicious payloads that are slipped into active data streams. It also performs statistical modeling to identify unusual traffic patterns, such as denial of service (DoS), distributed denial of service (DDoS), network scanning, or probing. This powerful solution identifies and isolates a wide range of attacks including:
• DoS attacks like SYN flood
• Network-level attacks such as IP fragmentation or the Internet Control Message Protocol (ICMP) “ping of death”
• Transport layer attacks such as port scans or teardrop attacks

Today, Juniper Networks supports more than 27 different application-level gateways (ALGs) and protocols. The stateful firewall function also supports ALGs for special handling of unique protocols such as H.323, FTP, Session Initiation Protocol (SIP), and ICMP.

Intrusion Prevention System, Deep Packet Inspection via Dynamic Application Awareness
Dynamic Application Awareness uses stateful monitoring to provide comprehensive details of application layer traffic patterns and statistics that service providers can use to support revenue-generating residential and business broadband services. From a services perspective, Juniper Networks Junos® operating system’s Dynamic Application Awareness can identify and enforce premium class services, ensure adherence to service-level agreements, ensure subscriber fairness, and align network resources to application requirements. Network planners can also use this information to design new revenue-generating differentiated service offerings. Enterprises can use Dynamic Application Awareness to monitor traffic by application, and use QoS to adjust application performance to satisfy organizational goals and policies.

The application layer information gathered by Junos operating system’s Dynamic Application Awareness is also useful to service providers and enterprises that are seeking to streamline and improve their operations environment. Dynamic Application Awareness integrated IPS capability can detect and mitigate attacks against the network infrastructure, which increases network security and promotes service uptime. Statistics concerning these events can be exported to reporting tools for use with security planning, bandwidth provisioning, traffic engineering, capacity planning, and forecasting activities.

Enabling Multimedia Applications with Session Border Control
Session Border Control Border Gateway Function (BGF) for Junos OS provides many important VoIP functions such as Network Address Translation (NAT) and Network Address Port Translation (NAPT) for topology hiding, Differentiated Services Code Point (DSCP) marking and rate limiting to ensure proper QoS handling, as well as support for Real-time Transport Control Protocol (RTCP) and Real-time Transport Protocol (RTP) monitoring, and security-related services such as media inactivity detection. It also provides advanced operational features such as IPv4/IPv6 interworking, lawful intercept, high-availability support, and firewall integration.

SBC Border Signaling Gateway (BSG) for Junos OS handles the signaling portion of the VoIP calls and behaves as a Back-to-Back User Agent (B2BUA). The BSG terminates and re-establishes sessions on both sides of the network boundary and controls BGF(s) using the H.248-based Ia-compatible protocol.

Integrated Multiservice Gateway (IMSG) combines both signaling and media functions, and optionally adds to them IPsec termination, as well as IDP and firewall protection. With this multiservice architecture the IMSG replaces several products, which results in a reduction of Capex and Opex. The IMSG allows for router-integrated features which are not otherwise possible.

These capabilities ensure the appropriate handling of voice traffic at the access and peer edges of converged IP service networks. With this comprehensive solution, Juniper delivers true service convergence that increases service velocity, accelerates network monetization and improves operational efficiencies for enterprises, wireline and wireless service providers alike. SBC functions are supported on the MS-PIC Type 2 and Type 3.

Increasing Internet Access Security via NAT
In addition to supporting both IP version 4 (IPv4) and IP version 6 (IPv6), the Juniper Networks MS-PIC family provides static and dynamic NAT, as well as PAT. NAT shields private (internal) IP addresses behind a public (global) IP address, thus preventing hackers from hijacking network resources or using network resources to launch distributed DoS attacks. It also keeps companies from engaging in fruitless searches for blocks of public IP addresses, instead allowing them to maintain internal addresses without sacrificing Internet access. A rich set of ALGs provides appropriate treatment for applications requiring multiple flows, such as H.323, FTP, and ICMP. Providers can offer a network-based NAT service, offloading the task of IP address management from the customer.

Also, CoS services for the Juniper Networks MS-PIC add a new rule-based service that provides DSCP marking and forwarding-class assignment for traffic transiting the MS-PIC. This service enables you to specify matching by application, application set, source, destination address, and match direction, using a similar structure to other rule-based services such as stateful firewall. The service actions allow you to associate the DSCP alias or value, forwarding-class name, system log activity, or a preconfigured application profile with the matched packet flows.

Network-Based Security Service via VPN-Aware NAT/Firewall
The Juniper Networks MS-PIC can invoke a stateful firewall/NAT instance on a per-VPN basis, intelligently classifying packets and translating IP addresses for traffic bound for the Internet, while leaving them unchanged for packets traveling over a Layer 3 VPN. This allows providers to offer a single access circuit to businesses for both Internet access and L3 (RFC 2547) VPN services. This function also enables fully secure extranet solutions by providing firewall/NAT functions between two separate Layer 3 VPNs.
Protecting User Data via IPsec Encryption
The MS-PIC implements IPsec encryption using AES, DES, and Triple DES. Providers can offer IPsec encryption of access links from the customer device to the provider edge router, charging a premium for secure access to the network. The packets can then be securely forwarded or mapped into Layer 3 VPNs for transport across the provider network. This application is particularly useful when offering a service to a customer whose access links are provisioned by a third-party provider. Providers can also offer IPsec encryption of unicast or multicast traffic over Layer 3 VPNs, for an added layer of security for the most concerned customers. IPsec may also be used to encrypt backhaul traffic by setting up encrypted tunnels across third-party wholesale networks that may not be trusted.

Lawful Intercept Capabilities
Dynamic Flow Capture (DFC) and Flow-tap provide the ability to intercept IP packets and send a copy of the packets that match filter criteria to one or more content destinations. DFC requires a dedicated MS-PIC for increased performance, while Flow-tap allows the concurrent use of other services. Some applications include flexible trend analysis for the detection of new security threats and Lawful Intercept. Filter criteria are specified using Dynamic Tasking Control Protocol (DTCP) over SSH. Filters are not persistent, and when filters are installed by one user, they are not visible to others. Both DFC and Flow-tap provide a strong administrative model, which includes access control through user classes.

Traffic Profiling via J-Flow Accounting
J-Flow builds a state table of flows, collects statistics on each flow, and exports standard v5, v8 and v9 records. The flow export is compatible with industry-standard flow collectors and applications designed to receive flow export. J-Flow can monitor traffic at the department or application level for customer billing or interdepartmental charge-back purposes. It can also provide usage statistics between IP addresses, enabling providers to plan for capacity and traffic engineering implementations, or provide an outsourced traffic planning service to enterprise customers. J-Flow can also assist in tracking security violations by including counts for certain packets that might be executing a DoS attack or other form of malicious activity.

High-Quality VoIP over Low-Speed Links with Multilink and CRTP
The link services package on the MS-PIC and Layer 2 Service PIC provides simultaneous support for three separate capabilities:
• Enhanced multilink capabilities offered by the link services intelligent queuing interface (LSQ) functionality on the MS-PIC and Layer 2 Service PIC include support for FRF.12, FRF.16, and FRF.15, which facilitates the efficient and cost-effective aggregation and bundling of Frame Relay links. MLPPP is also supported, providing PPP over multiple discrete links such as N x T1/E1. Multiclass MLPPP (MCMLPPP) is also supported to allow distinct quality of service (QoS) treatment of the MLPPP links in a bundle.
• Link fragmentation and interleaving (LFI) is designed to optimize converged environments by improving QoS on lower-speed links to ensure a high-quality user experience. LFI is an essential feature for providers offering latency-sensitive services over low-speed links, since it minimizes the delay and jitter that are characteristic of high-payload packets. By breaking up large datagrams resulting from file transfers and interleaving low-latency traffic with the resulting smaller packets, serialization delay is minimized to significantly improve overall service levels.
• CRTP compresses the 40-byte IP/UDP/RTP header down to two bytes, allowing providers to extend quality VoIP over low-speed links and use high-speed links more efficiently. By reducing packet headers to one-tenth or one-twentieth their original size, CRTP reduces latency on slow connections due to serialization delay.

Tunnel Services
Tunnel services can be used for a number of revenue-generating services. Supporting GRE and IP over IP encapsulation, tunnel services can be used to provide transport for Layer 3 VPNs in non-MPLS networks. Using PIM-SM, tunnel services can support efficient communications between members of sparsely distributed multicast groups. Virtual tunnel interfaces can support virtual private LAN service (VPLS). Juniper Networks also offers standalone integrated firewall/VPN platforms.

Product images: Multiservice 100, Multiservice 400, Multiservice 500
Specifications

MS-PIC

Stateful Firewall
• Stateful packet filtering
• Checks for the packets in IP stack
• Assists in the detection of DoS attacks
• Firewall for inter-VPN traffic
• TCP Intercept, flow and session limits

NAT
• NAT, Network Address Port Translation (NAPT) and Proxy Address Resolution Protocol (ARP)

Stateful Firewall/NAT ALGs
• BOOTP, DCE RPC and DCE RPC portmap, Exec, FTP, H.323, ICMP, IIOP, Login, NetBIOS, NetShow, RealAudio, RPC and RPC portmap, RTSP, Shell, SNMP, SQLNet, TFTP, Traceroute, WinFrame and SIP

Attack Detection
• Anomaly-based attack detection
• Active and expired flow recording
• System logging
• SYN-cookie activation

IPS
• Intrusion Prevention System

Application Signature Support
• Application signatures supported include: 100Bao, Aimstar, Applejuice, Ares, BitTorrent, DirectConnect, eDonkey2000, FastTrack, Freenet, GoBoogy, GnucleusLAN, Gnutella, Gnutella2, HotLine, ICQ, IRC, Jabber/XMPP, Joltid PeerEnabler, Kademlia, KuGoo, Kuro, MMS, MSNPv10, MSNPv11, MSNPv12, MSNPv13, Mute, Napster, Oscar (AOL), OpenFT (giFT), Poco, QQ, RTSP, SCTP, Skype, Soribada, Telsa, TOC (AOL), WinNY, WPNP, Yahoo IM, Peercast, IceShare, Freecast, Soulseek, Xunlei

Session Border Control
Protocols
• SIP, H.248
Functions
• BGF: NAT, NAPT, DSCP marking and rate limiting, RTCP and RTP monitoring, media inactivity detection, IPv4/IPv6 interworking
• IMSG: B2BUA SBC signaling function, topology hiding, chained IDP, IPsec termination, SIP headers validation, DSCP control, Call Admission Control (CAC), SIP header manipulation

IPsec Encryption
Encryption algorithms (RFC 2405, RFC 2410)
• AES (128, 192, and 256 bits)
• 3DES
• DES
• Null
Authentication hash algorithms (RFC 2403, RFC 2404)
• Message Digest 5 (MD5)
• SHA-1

Internet Key Exchange (IKE) Modes
• Main/aggressive mode supported for IKE security association (SA) setup
• Quick mode supported for IPsec SA setup
• Digital Certificates (X.509): VeriSign, Entrust

IPsec Features
• Dynamic endpoints
• Fully qualified domain name (FQDN)
• IPv6 for IPsec (RFC 2460)

Monitoring and J-Flow Accounting
• cflowd v5, v8 and v9 format

CRTP
• CRTP (RFC 2508; supports UDP only)

Link Services
ML protocols support:
• MLPPP (RFC 1990)
• MCMLPPP (RFC 2686)
• MLFR (FRF.15)
• MLFR (FRF.16)
LFI protocols support:
• LFI over PPP (RFC 1990)
• LFI over MLPPP bundles
• FRF.12

L2TP Network Server (LNS)
• Available on M7i, M10i, and M120 Multiservice Edge Routers
• Interface to AAA system (RADIUS)
• PPP and L2TP termination
• PAP and CHAP for authentication
• Terminates L2TP into VRFs

Tunneling Services
• GRE
• IP-IP
• PIM-SM
• PIM-SIM-DM
• Virtual tunnel interfaces (VT)
• Multicast tunnel interfaces (MT)

Hardware Memory
• MS-100-1: 1 GB memory
• MS-400-2: 2 GB memory
• MS-500-3: 3.5 GB memory
LEDs (All MS-PICs)
One tricolor Status LED
• Green: PIC is online and operating normally
• Amber: PIC is initializing
• Red: PIC has an error or failure
• Off: PIC is not enabled
One bicolor Application LED
• Green: Service is running under acceptable load
• Amber: Service is overloaded
• Off: Flow is not enabled

Performance
PERFORMANCE | MULTISERVICES PIC TYPE 1 | MULTISERVICES PIC TYPE 2 | MULTISERVICES PIC TYPE 3
Layer 3 Services | 1000 Kpps, 920 Mbps | 1200 Kpps, 2.6 Gbps | 1300 Kpps, 2.8 Gbps
Layer 2 Services | 550 Kpps, 450 Mbps | 600 Kpps, 900 Mbps | 700 Kpps, 1000 Mbps
PPS measured at 64-byte packets; BPS measured at 256-byte packets.

Software Licenses
SOFTWARE LICENSE | PLATFORM | MODEL NUMBER
CRTP | All M Series and T Series | S-CRTP
NAT/Firewall Multi Instance | All M Series and T Series | S-NAT-FW-MULTI
NAT/Firewall Single Instance | All M Series and T Series | S-NAT-FW-SINGLE
J-Flow Accounting | All M Series and T Series | S-ACCT
IPsec | All M Series and T Series | S-ES
J-Flow Collection | M120, M320, T Series | S-COLLECTOR
J-Flow Collection 100 Kpps | M120, M320, T Series | S-COLLECTOR-100K
Dynamic Flow Capture | M120, M320, T Series | S-DFC
Dynamic Flow Capture 100 Kpps* | M120, M320, T Series | S-DFC-100K
Tunnel | All M Series and T Series | S-TUNNEL
LNS | All M Series and T Series | S-LNS
Multilink* | All M Series and T Series | S-LSSL-4, S-LSSL-64, S-LSSL-255
Stateful Failover | All | S-Service-SFO
VoIP BGF license for 500 sessions* | M120, M320, T640 | S-BGF-500
VoIP BGF license for 1,000 sessions* | M120, M320, T640 | S-BGF-1K
VoIP BGF license for 2,000 sessions* | M120, M320, T640 | S-BGF-2K
VoIP BGF license for 4,000 sessions* | M120, M320, T640 | S-BGF-4K
VoIP BGF license for 8,000 sessions* | M120, M320, T640 | S-BGF-8K
VoIP BGF license for 16,000 sessions* | M120, M320, T640 | S-BGF-16K
VoIP BGF license for 20,000 sessions* | M120, M320, T640 | S-BGF-20K
* Chassis-based licenses

Safety and Compliance
Safety
• CAN/CSA-C22.2 No. 60950-00/UL 60950 – Third Edition, Safety of Information Technology Equipment
• EN 60950, Safety of Information Technology Equipment
Certification
• FIPS 140-2 Level 1 certification
• Stateful Firewall - ICSA certified
EMC
• AS / NZS 3548 Class A (Australia/New Zealand)
• BSMI Class A (Taiwan)
• EN 55022 Class A Emissions (Europe)
• FCC Part 15 Class A (USA)
• VCCI Class A (Japan)
Immunity
• EN-61000-3-2 Power Line Harmonics
• EN-61000-4-2 ESD
• EN-61000-4-3 Radiated Immunity
• EN-61000-4-4 EFT
• EN-61000-4-5 Surge
• EN-61000-4-6 Low Frequency Common Immunity
• EN-61000-4-11 Voltage Dips and Sags
NEBS – Designed to meet these standards
• GR-63-CORE; NEBS, Physical Protection
• GR-1089-CORE; EMC and Electrical Safety for Network Telecommunications Equipment
• SR-3580 NEBS Criteria Levels (Level 3 Compliance)
ETSI
• ETS-300386-2 Telecommunications Network Equipment Electromagnetic Compatibility Requirements
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services and support, which are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to bring revenue-generating capabilities online faster so you can realize bigger productivity gains and faster rollouts of new business models and ventures. At the same time, Juniper Networks ensures operational excellence by optimizing your network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services.

About Juniper Networks
Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.

Ordering Information
MODEL NUMBER | DESCRIPTION | PLATFORMS SUPPORTED
PE-MS-100-1 | Multiservices PIC Type 1 | M7i, M10i
PB-MS-100-1 | Multiservices PIC Type 1 | M40e, M120, M320, T320, T640, T1600, TX Matrix
PB-MS-400-2 | Multiservices PIC Type 2 | M40e, M120, M320, T320, T640, T1600, TX Matrix
PC-MS-500-3 | Multiservices PIC Type 3 | M120, M320, T320, T640, T1600, TX Matrix
Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King’s Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.

Copyright 2011 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

1000199-004-EN, May 2011