Juniper Networks J2320 Services Routers

J2320 Overview:

The Juniper Networks J2320 is a modular router for enterprises running desktops, servers, VoIP, CRM/ERP/SCM applications. It offers three PIM slots for additional LAN/WAN connectivity, Avaya VoIP Gateway, and WAN acceleration.

Juniper Networks J Series Services Routers extend enterprise applications and deliver reliable connectivity to remote offices with a powerful blend of high-performance network protection and advanced services. J Series Services Routers leverage the modular JUNOS Software and Juniper’s rich product and partner portfolio to consolidate market leading security, application optimization, and voice capabilities onto a single, easy to manage platform. Our innovative security approach inseparably integrates routing and firewalls for exceptional performance. Available options, including integrated Juniper Networks WX application acceleration and integrated voice gateway technology from Avaya, make the J Series the ideal choice for closing the distance between central resources and remote locations.

Enterprises are faced with a number of challenges and opportunities by converging voice, video and data to one network. This consolidation of network elements reduces cost by easing deployment of SIP enabled VoIP, real-time high-definition Telepresence and standardizing on a consistent infrastructure network operating system like Juniper Networks® JUNOS® Software. These new technologies improve; customer relations, interactions with suppliers, and employee productivity. This mission-critical multi-media network must be always on and always available. To accomplish this, fully integrated stateful security is a key requirement, not merely forwarding packets without regard to the intended application or individual user session. JUNOS Software with enhanced services provides the high-performance networking infrastructure that helps enterprises implement key initiatives that:

• Secure critical information and protect the network from vulnerabilities and attacks. Enterprises need to protect confidential information from external and internal attacks as they connect with their customers and suppliers. The inseparable routing and firewall offered by JUNOS Software with enhanced services secures every location in the network and allows departmental segmentation out to remote locations of the network. Implementing IPsec VPNs with firewalls at remote sites allows for flexible network connectivity with security for split tunneling configurations.
   
• Minimize the cost of installing and operating the network. With the modular, protected mode design of JUNOS Software and the rigorous JUNOS Software development and testing process, there are fewer system process failures.
   
• Superior configuration management reduces human errors that could lead to network downtime. The single code source of JUNOS Software makes the qualification of new releases across the network much simpler.
   
• Simplify the operation of the branch network. JUNOS Software with enhanced services integrates best-in-class routing with best-in-class stateful inspection firewall. In addition, an active-active network topology provides stateful High Availability and systems level resiliency for mission critical networks. The Juniper Networks J Series Services Routers deliver “branch in a box” simplicity. This integrated package is easier to install, configure, and operate compared with discrete devices in the network.

 

Features & Benefits:

Key features of the J2320 router include the following:

• Support for T1, E1, Synchronous Serial, ISDN Basic Rate Interface, ADSL2/ADSL2+, G.SHDSL, and Gigabit Ethernet interfaces
• Support for integrated IP telephony using the Avaya IG550 Integrated Gateway
• Support for application acceleration using the Juniper Networks ISM200 Integrated Services Module
• 4 fixed Gigabit Ethernet LAN ports, and 3 PIM slots
• 512 MB DRAM default, expandable to 1 GB DRAM
• 512 MB compact flash default, upgradeable to 1 GB
• Hardware encryption acceleration (optional)

Key benefits of the J Series routers include the following:

• Security - Juniper Networks delivers the most advanced set of mechanisms for fully protecting enterprise routers from outside threats. The J-series routers give network staff complete control even while under attack, with the console port always available to add new filters and policies with just a few fast and simple steps.
   
• High uptime - The modular and fault-protected software design of the JUNOS operating system delivers high levels of resiliency and stability in the J-series routers. Unlike traditional enterprise routers, which any small bug can quickly spread into a larger problem, each software module in the JUNOS operating system runs independently and cannot impact other areas. Other resiliency features include next-generation CLI for accurate configuration, and a rescue button for fast system recovery.
   
• Predictable performance - The J-series routers maintain high levels of QoS control and throughput when needed for the most demanding periods of network congestion. Modular software architectures are essential for the sorting and scheduling of traffic to ensure that the most important applications have first priority with networking resources.
   
• Unmatched value - No licensing fees are required for advanced services such as IPv6, MPLS, IPSec and stateful firewall. No port licenses are required to operate onboard or modular interfaces.

Architecture and Key Components of JUNOS Software:

 

With the release of 9.1, we have enhanced the JUNOS Software with a secure firewall and VPN module that combines the functionality of two boxes into one. This fundamental advancement in the architecture is based on the requirement that forwarding packets at wire-speed, while great in a lab with test equipment, may not be best practice in a real network where security threats can be propagated just as quickly. Simplifying the branch deployment by reducing multiple appliances or boxes performing specialized tasks like; stateful firewalling, security zones and Application Level Gateways, which reduces costs and manageability efforts. Juniper has taken the approach of integrating a flow based stateful firewall into the core of JUNOS Software in the J Series Services Routers for the branch to reduce the number of boxes, consolidate configurations onto one device and leverage the key intellectual property of ScreenOS® as an integral component of JUNOS Software.

Packet-Based Forwarding

A router’s main purpose is to connect clients and servers at wire speed with implied trust. This routing is performed on a packet by packet basis without regard to flow or state information. This architectural choice relies on firewalls to inspect traffic on a flow and state basis to determine potential attacks on the network of clients and servers. A router will keep track of TCP traffic session information with a simple hash algorithm to make sure that traffic that takes multiple links arrives at the destination in the correct order. This JUNOS Software architecture is based on deployments as the core operating systems on some of the Internet’s largest Tier 1 networks’ core routers. This architecture has the benefit of massive scaling since it has a fundamentally easier task of forwarding packets without regard to keeping track of individual flows or state. Service Providers have a different view of network topology compared to branch enterprises since they have many links between routers and locations. By forwarding traffic on a packet by packet basis, link utilization or link load balancing through various protocols (OSPF ECMP, OSPF TE, RSVP TE, IS-IS, BGP and MLPP) can be achieved to keep throughput within Service Level Agreement terms. The typical enterprise deployment of Virtual Router Redundancy Protocol (VRRP) runs two routers in an active-standby format, and if a link or router should fail, then the back-up link or router can be activated. This is a common deployment scenario for enterprise networks.

Session-Based Forwarding: Key Advancement

A firewall’s main purpose is to inspect traffic flows and state to ensure that returning information in the same session is expected and permitted. This architectural choice receives packets from a wide variety of clients and servers and keeps track of every session, of every application of every user. These flows can vary considerably based on the client/server loads as opposed to link load balancing of routers and the overall decentralized or centralized nature of the branch to headquarters/data center topology.

To secure all network connections, Juniper Networks J Series Services Routers with JUNOS Software with enhanced services devices use a dynamic packet filtering method known as stateful inspection. Using this method, the J Series Service Routers with JUNOS Software with enhanced services collect information on various components in a packet header—source and destination IP addresses, source and destination port numbers, and protocol. The J Series Services Routers then maintain the state of each TCP session or UDP pseudo-session traversing the firewall, performing TCP reassembly when necessary to ensure proper interpretation of the communication session. When a responding packet arrives, the firewall will compare the information reported in its header with the state of its associated session stored in the inspection table. If they match, the responding packet is allowed to pass the firewall. If the two do not match, the packet is dropped. The Juniper Networks firewall can secure a network by inspecting, and then allowing or denying, all connection attempts that require crossing an interface from and to that network.

By default, the Juniper Networks J Series Services Router with JUNOS Software with enhanced services denies all traffic in all directions, and this is in comparison to a router that forwards all traffic without regard to flow and state. Using centralized, policy-based management, enterprises can create a series of security policies that will control the traffic flow from clients to servers by defining the kinds of traffic permitted to pass from specified sources to specified destinations at scheduled times. At the broadest level, all types of traffic can be allowed from any source in security zones to any destination in all other zones without any scheduling restrictions. At the narrowest level, policies can be created that allow only one kind of traffic between a specified host in one zone and another specified host in another zone during a scheduled period of time.

High Availability

Figure 1: System redundancy in an active-passive configuration maintains all session information on a standby J Series Services Router in the event of a box failure. Network capacity is always one half of the maximum.

Figure 2: System redundancy in an active-active configuration maintains all session information load balanced across two active J Series Services Routers. Since Network capacity is load balanced, using all availablt resources when active-active and half the capacity in the event of a failure.

Stateful inspection is more secure than other firewall or Access Control List router technology such as packet filtering because it opens smaller “holes” through which traffic can pass. For example, instead of permitting any host or program to send any kind of TCP traffic on port 80, a stateful inspection firewall ensures that packets belong to an existing legitimate session. Furthermore, it can authenticate the user when the session is established, determine whether the packets really carry HTTP, and enforce granular constraints at the application layer (e.g., filtering URLs to deny access to black-listed sites).

By combining the JUNOS Services Redundancy Protocol (JSRP) and firewalling features, a pair of J Series Services Routers can be easily integrated into a High Availability network architecture, with redundant physical connections between the Services Routers and the adjacent networks. With link redundancy, Juniper Networks can address many common causes of system failures, such as a physical port going bad or a cable getting disconnected, to ensure the connection is available, without having to fail over the entire system. This is consistent with a typical active-standby nature of routing resiliency protocols.

When J Series Services Routers are configured as an active-active pair using JUNOS Software with enhanced services, traffic and configuration will be automatically mirrored to provide active firewall and VPN session maintenance. The J Series Services Routers can now synchronize both static information, such as the configuration, and dynamic run-time information. As a result, during failover, synchronization of the following information is shared: connection/session state and flow information, IPsec security associations, Network Address Translation (NAT traffic), address book information, configuration changes, and more. In contrast to the typical router active-standby resiliency protocols, VRRP for instance, in the event of a router failover all dynamic flow and session information is lost and must be reestablished. Some or all applications sessions will have to restart depending on the convergence time of the links or routers. J Series Services Routers with JUNOS Software with enhanced services, maintain state, and not only is the session preserved, but security is intact.

Session-Based Forwarding without the Performance Hit

In order to optimize the throughput and latency of the combined router and firewall, JUNOS Software with enhanced services implements session-based forwarding, an innovation that combines the session state information of a traditional firewall and the next-hop forwarding of a classic router into a single operation. With JUNOS Software, a session that is permitted by the forwarding policy is added to the forwarding table along with a pointer to the next-hop route. Established sessions have a single table lookup to verify that the session has been permitted and to find the next hop. This efficient algorithm improves throughput and lowers latency for session traffic when compared with a classic router that performs multiple table lookups to verify session information and then to find a next-hop route.

JUNOS Software with enhanced services brings high-performance routing together with best-in-class integrated security to branch locations in the distributed enterprise. JUNOS tightly integrates security services by bringing the power of sessions to deliver a true security device. This inseparable joining of routing and security improves performance and latency compared with classic routers. JUNOS Software with enhanced services is available on the Juniper Networks J Series Services Routers.

Figure 3 shows the session-based forwarding algorithm. When a new session is established, the session-based architecture within JUNOS Software verifies that the session is allowed by the forwarding policies. If the session is allowed, JUNOS will look up the next-hop route in the routing table. It inserts the session and the next-hop route into the session and forwarding table and forwards the packet. Subsequent packets for the established session require a single table lookup in the session and forwarding table, and are forwarded to the egress interface.

Figure 3: Session-Based Forwarding Algorithm

Important Notes

Juniper realizes that every customer may not be ready to make the change to JUNOS Software with enhanced services. We will continue to support packet based JUNOS Software according to our standard lifecycle policy and customers with support contracts can implement either version of JUNOS 9.1 at no additional cost. This, in the simplest terms, turns your router into a router plus a firewall for no additional costs. It is also important to realize that a configuration from packet-based JUNOS Software will need additional configuration to enable traffic to flow by implementing the appropriate security zone policies. This additional configuration is easily offset by the peace of mind of securing your traffic from network attack by using a best-in-class firewall, reduction in network elements (firewall), and active-active session synchronization in a pair topology (instead of active-standby).

Network Deployments

The J Series Services Routers are deployed at branch and remote locations in the network to provide all-in-one secure WAN connectivity, IP telephony, and connection to local PCs and servers via integrated Ethernet switching.

Operating System

All J Series Services Routers ship with the worldwide version of JUNOS Software, which has standard encryption, as opposed to the US and Canada version, which has strong encryption. You can download the strong encryption version at no charge so long as you can certify eligibility. The download is available from Juniper’s Customer Support Center Web site: https://www.juniper.net/customers/csc/software/.

Feature Licenses

Licenses are required to operate the J-Flow Accounting and Advanced BGP features on Juniper Networks J Series Services Routers. To acquire licenses, order JX-JFlow-ADV-LTU (for J-Flow Accounting) or JX-BGP-ADV-LTU (for Advanced BGP). Each license is good for one chassis.

 

Product Options:

Juniper Networks J2320, J2350, J4350, and J6350 Services Routers offer a number of options in terms of LAN and WAN ports, hardware encryption acceleration, power supplies, DRAM, compact flash, and feature licenses.

LAN Ports

All J2320, J2350, J4350, and J6350 Services Routers ship with four fixed 10/100/1000 Ethernet ports. You can add more modular LAN interfaces by ordering the appropriate PIMs, Enhanced PIMs (EPIMs), or Universal PIMs (UPIMs).

WAN Ports

All J2320, J2350, J4350, and J6350 Services Routers ship without fixed WAN ports. The customer can add modular WAN interfaces by ordering the appropriate PIMs.

Hardware Encryption Acceleration

The J2320, J2350, and J4350 are available with optional hardware encryption acceleration. All J6350 models include hardware encryption acceleration by default. If you purchase a J2320, J2350, or J4350 without hardware encryption, you can add it later by ordering the appropriate encryption card.

Power Supply

All J2350, J4350, and J6350 Services Routers ship with either a DC power supply or an AC power supply and include a region-specific power cord. (The J2320 is available with AC power only.) The J6350 supports a second redundant AC or DC power supply, which can be added by ordering SSG-PS-DC or SSG-PS-AC. The region-specific AC power cable for SSG-PS-AC must be ordered separately.

DRAM

The J2320 and J2350 are upgradeable to a maximum of 1 GB DRAM. The J2320 and J2350 models without hardware encryption acceleration (J2320-JB-SC and J2350-JB-SC) come with 512 MB DRAM. All other models come with 1 GB of DRAM.

All J4350 models are upgradeable to a maximum of 2 GB DRAM. The J4350 model that ships without hardware encryption acceleration (J-4350-JB-SC) ships with 512 MB of DRAM. All other J4350 models ship with 1 GB of DRAM.

All J6350 Services Routers ship with 1 GB of DRAM and are upgradeable to 2 GB of DRAM. Order and install two additional JXX50-MEM-512M-S DIMMs.

Note that when upgrading DRAM, DIMMs should always be installed in pairs; for example, to upgrade to 1 GB DRAM, order two JXX50-MEM-512M-S DIMMs. To upgrade to 2 GB DRAM, order four JXX50-MEM-512M-S DIMMs.

With JUNOS Release 9.1 and later, all J Series Services Routers (J2320, J2350, J4350, J6350) must run at least 512 MB of DRAM.

Compact Flash

All J2320, J2350, J4350, and J6350 Services Routers ship with 512 MB of primary compact flash. You can replace that with a larger compact flash by ordering one either JX-CF-512M-S (for 512 MB) or JX-CF-1G-S (for 1 GB).

 

Diagram:

A typical network scenario is depicted for a distributed or branch enterprise. By using IPsec VPNs over the Internet, remote sites, branch offices, small datacenters and the headquarters are all connected as if they were in the same location. variety of WAN connections are depicted.

 

Technical Specifications:

 

*Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases

J Series Comparison Matrix:

 

 

Documentation:

Download the Juniper Networks J Series Services Routers Datasheet (PDF).