SDN 111- Brocade Vyatta vRouter Software Installation
Juniper Networks NetScreen-ISG 2000 (1)

Maximum Performance and Capacity (2)
- Firewall performance: 2 Gbps
- 3DES performance: 1 Gbps
- Deep Inspection performance: 300 Mbps
- Concurrent sessions: 512,000
- New sessions/second: 30,000
- Policies: 30,000
- Interfaces: Up to 8 Mini GBIC (SX or LX), up to 28 10/100

Mode of Operation
- Layer 2 mode (transparent mode) (5): Yes
- Layer 3 mode (route and/or NAT mode): Yes
- NAT (Network Address Translation): Yes
- PAT (Port Address Translation): Yes
- Policy-based NAT: Yes
- Virtual IP: 8 (4)
- Mapped IP: 8,192 (3)
- Users supported: Unrestricted

Firewall
- Number of network attacks detected: 31
- Network attack detection: Yes
- DoS and DDoS protections: Yes
- TCP reassembly for fragmented packet protection: Yes
- Malformed packet protections: Yes
- Deep Inspection firewall: Yes
- Stateful protocol signatures: Yes
- Protocols supported: HTTP, FTP, SMTP, POP3, IMAP, DNS
- Content Inspection: Yes
- Malicious Web filtering: up to 128 URLs
- External Web filtering (Websense): Yes
- Integrated Web filtering: No

VPN
- Concurrent VPN tunnels: up to 10,000 (3)
- Tunnel interfaces: up to 1,024 (3)
- DES (56-bit), 3DES (168-bit) and AES encryption: Yes
- MD-5 and SHA-1 authentication: Yes
- Manual Key, IKE, PKI (X.509): Yes
- Perfect forward secrecy (DH Groups): 1, 2, 5
- Prevent replay attack: Yes
- Remote access VPN: Yes
- L2TP within IPSec: Yes
- IPSec NAT traversal: Yes
- Redundant VPN gateways: Yes

Firewall and VPN User Authentication
- Built-in (internal) database - user limit: 1,500 (3)
- 3rd Party user authentication: RADIUS, RSA SecurID, and LDAP
- XAUTH VPN authentication: Yes
- Web-based authentication: Yes

System Management
- WebUI (HTTP and HTTPS): Yes
- Command Line Interface (console): Yes
- Command Line Interface (telnet): Yes
- Command Line Interface (SSH): Yes, v1.5 and v2.0 compatible
- NetScreen-Security Manager: Yes
- All management via VPN tunnel on any interface: Yes
- SNMP full custom MIB: Yes
- Rapid deployment: No

Logging/Monitoring
- Syslog (multiple servers): External, up to 4 servers
- E-mail (2 addresses): Yes
- NetIQ WebTrends: External
- SNMP (v2): Yes
- Traceroute: Yes
- VPN tunnel monitor: Yes

Virtualization
- Maximum number of Virtual Systems: 0 default, upgradeable to 50 (6)
- Maximum number of security zones: 26 default, upgradeable to 126 (6)
- Maximum number of virtual routers: 3 default, upgradeable to 53 (6)
- Number of VLANs supported: 500 max

Routing
- OSPF/BGP dynamic routing: up to 8 instances each (3)
- RIPv2 dynamic routing: up to 50 instances supported (3)
- Static routes: 20,000
- Source-based routing: Yes

High Availability (HA)
- Active/Active: Yes
- Active/Passive: Yes
- Redundant interfaces: Yes
- Configuration synchronization: Yes
- Session synchronization for firewall and VPN: Yes
- Session failover for routing change: Yes
- Device failure detection: Yes
- Link failure detection: Yes
- Authentication for new HA members: Yes
- Encryption of HA traffic: Yes

IP Address Assignment
- Static: Yes
- DHCP, PPPoE client: No
- Internal DHCP server: No
- DHCP relay: Yes

PKI Support
- PKI Certificate requests (PKCS 7 and PKCS 10): Yes
- Automated certificate enrollment (SCEP): Yes
- Online Certificate Status Protocol (OCSP): Yes

Certificate Authorities Supported
- Verisign: Yes
- Entrust: Yes
- Microsoft: Yes
- RSA Keon: Yes
- iPlanet (Netscape): Yes
- Baltimore: Yes
- DOD PKI: Yes

Juniper Networks’ Integrated Security Gateway, the NetScreen-ISG 2000, is a purpose-built, high-performance system designed to deliver scalable network and application security for large enterprise, carrier and data center networks. Integrating best-of-breed Deep Inspection firewall, VPN and DoS solutions, the Juniper Networks NetScreen-ISG 2000 enables secure, reliable connectivity along with network and application-level protection for key, high-traffic network segments.
The NetScreen-ISG 2000 is built on Juniper Networks’ next-generation architecture, which includes a fourth generation security ASIC, the GigaScreen 3, high speed microprocessors and add-on security modules to provide the predictable, multi-Gigabit performance needed for the most demanding network segments.

Administration
- Local administrators database: 20
- External administrator database: RADIUS/LDAP/SecurID
- Restricted administrative networks: 6
- Root Admin, Admin, and Read Only user levels: Yes
- Software upgrades: TFTP/WebUI/NSM
- Configuration Roll-back: Yes

Traffic Management
- Guaranteed bandwidth: No
- Maximum bandwidth: Yes, per physical interface
- Priority-bandwidth utilization: No
- DiffServ stamp: Yes, per policy

External Flash
- CompactFlash™: Supports 128 or 512 MB Industrial-Grade SanDisk
- Event logs and alarms: Yes
- System config script: Yes
- NetScreen ScreenOS Software: Yes

Dimensions and Power
- Dimensions (H/W/L): 5.25/17.5/23 inches
- Weight: 52 lbs.
- Rack mountable: 19” standard, 23” optional
- Power Supply (AC): 90 to 264 VAC, 250 watts
- Power Supply (DC): -36 to -72 VDC, 250 watts

Licensing Options: The NetScreen-ISG 2000 is available with two licensing options to provide two different levels of functionality and capacity.

Advanced Models: The Advanced software license provides all of the features and capacities listed within this spec sheet.

Baseline Models: The Baseline software license provides an entry-level solution for customer environments where features such as Deep Inspection™, OSPF and BGP dynamic routing, advanced High Availability, and full capacity are not critical requirements.
The following table shows the features and capacities that are different than the Advanced models:

NetScreen-ISG 2000 (Baseline / Advanced)
- Sessions: 256,000 / 512,000
- Concurrent VPN tunnels: 1,000 / 10,000
- Deep Inspection Firewall: No / Yes
- VLANs: 100 / 500
- OSPF/BGP: No / Yes
- High Availability (HA): Active/Passive / Active/Active

Certifications
- Safety Certifications: UL, CUL, CSA, CB
- EMC Certifications: FCC class A, CE class A, C-Tick, VCCI class A

Environment
- Operational temperature: 32° to 122°F, 0° to 50°C
- Non-operational temperature: -4° to 158°F, -20° to 70°C
- Humidity: 10 to 90% non-condensing
- MTBF (Bellcore model): 7.6 years
- Security: Pending

Ordering Information (Product: Part Number)

NetScreen-ISG 2000 Bundles Advanced*
- NetScreen-ISG 2000 system 1 4 port 10/100 I/O Module: NS-ISG-2000-P00A-S00
- NetScreen-ISG 2000 system 1 8 port 10/100 I/O Module: NS-ISG-2000-P01A-S00
- NetScreen-ISG 2000 system 1 Dual-Port mini-GBIC I/O Module: NS-ISG-2000-P02A-S00
- NetScreen-ISG 2000 system 1 dual port 10/100/1000 Copper I/O Module: NS-ISG-2000-P03A-S00

NetScreen-ISG 2000 Bundles Baseline*
- NetScreen-ISG 2000 system 1 4 port 10/100 I/O Module: NS-ISG-2000B-P00A-S00
- NetScreen-ISG 2000 system 1 8 port 10/100 I/O Module: NS-ISG-2000B-P01A-S00
- NetScreen-ISG 2000 system 1 Dual port mini-GBIC I/O Module: NS-ISG-2000B-P02A-S00
- NetScreen-ISG 2000 system 1 dual port 10/100/1000 Copper I/O Module: NS-ISG-2000B-P03A-S00

*All systems include 2 AC power supplies and 0 virtual systems

NetScreen-ISG 2000 Virtual System Upgrades
- VSYS Upgrade 0 to 5: NS-ISG-2000-VSYS-5
- VSYS Upgrade 5 to 25: NS-ISG-2000-VSYS-25
- VSYS Upgrade 25 to 50: NS-ISG-2000-VSYS-50
- VSYS Upgrade 0 to 25: NS-ISG-2000-VSYS-025
- VSYS Upgrade 0 to 50: NS-ISG-2000-VSYS-050

Every Virtual System includes 1 virtual router and 2 security zones, usable in the virtual or root system

NetScreen-ISG 2000 Components
- I/O Module - Dual Port Mini GBIC-SX: NS-ISG-2000-SX2
- I/O Module - Dual Port Mini GBIC-LX: NS-ISG-2000-LX2
- I/O Module - 4 Port 10/100 Fast Ethernet: NS-ISG-2000-FE4
- I/O Module - 8 Port 10/100 Fast Ethernet: NS-ISG-2000-FE8
- I/O Module - Dual Port 10/100/1000 Gig Ethernet: NS-ISG-2000-TX2
- SX transceiver (mini-GBIC): NS-SYS-GBIC-MSX
- LX transceiver (mini-GBIC): NS-SYS-GBIC-MLX
- AC power supply: NS-ISG-2000-PWR-AC
- DC power supply: NS-ISG-2000-PWR-DC
- Japan power cord option: NS-ISG-2000-JAPAN
- Fan module: NS-ISG-2000-FAN
- Rack Mount Kit (19 in., all mounting hardware): NS-ISG-2000-RCK-01
- Rack Mount Kit (23 in., all mounting hardware): NS-ISG-2000-RCK-02
- Blank Interface Panel: NS-ISG-2000-IPAN
- Blank Power Supply Cover: NS-ISG-2000-PPAN

(1) Performance, capacity and features listed are based upon systems ScreenOS 5.0.0 and may vary with other ScreenOS releases. Actual throughput may vary based upon packet size and enabled features.
(2) Performance and capacity provided are the measured maximums under ideal testing conditions. May vary by deployment.
(3) Shared among all Virtual Systems
(4) Not available with Virtual Systems
(5) NAT, PAT, policy based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA, and IP address assignment are not available in layer 2 transparent mode
(6) Requires purchase of virtual system key. Every virtual system includes one virtual router and two security zones, usable in the virtual or root system.

1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA
Phone: 888-JUNIPER (888-586-4737) or 408-745-2000
Fax: 408-745-2100

Copyright © 2004 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Part Number: 110011-003 Sept 2004
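IPsec VPN Survey Summary

I. IPsec principles

An IPsec VPN is a VPN technology that uses the IPSec protocol to provide remote access. IPSec stands for Internet Protocol Security, a security standards framework defined by the Internet Engineering Task Force (IETF) that provides end-to-end encryption and authentication services for public and private networks.

IPsec is a protocol suite that includes the AH protocol, the ESP protocol, the key management protocol (IKE), and a number of algorithms used for network authentication and encryption.

1. The two encapsulation modes supported by IPSec

Transport mode: only the transport-layer data is used to compute the AH or ESP header; the AH or ESP header and the ESP-encrypted user data are placed after the original IP header.

Tunnel mode: the user's entire IP packet is used to compute the AH or ESP header; the AH or ESP header and the ESP-encrypted user data are encapsulated in a new IP packet.

2. Packet structure

◆ Transport mode: does not change the original IP header; typically used between hosts.
◆ Tunnel mode: adds a new IP header; typically used for communication between private networks across a public network.

3. Application scenario diagram

4. Gateway-to-gateway interaction diagram

5. IPsec architecture:

6. Security algorithms in IPsec

● Source authentication: used to confirm the identity of the peer. Methods include PSK (pre-shared key), PKI (public key infrastructure) digital certificates, RSA, and so on; the latter two are asymmetric encryption algorithms.
● Data encryption: encrypts the transmitted data to ensure its confidentiality. The symmetric encryption algorithms include DES (Data Encryption Standard), which has two key lengths, 40 bits and 56 bits; 3DES, whose key length is three times 56 bits; and AES (Advanced Encryption Standard), which comes in three forms: AES 128 (128-bit encryption), AES 192 (192-bit encryption) and AES 256 (256-bit encryption).
● Integrity check: checks the received data to ensure that it has not been tampered with, mainly using hash algorithms (HMAC, hashed message authentication code), including MD5 (message digest, 128-bit output) and SHA-1 (Secure Hash Algorithm 1, 160-bit output).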
Brocade SAN Switch Common Commands

Brocade SAN switch general commands
1. View the IP address
2. View the firmware version
3. View the switch status
4. View the switch license ID
5. Configure zones
6. View the zone configuration file
7. View zones
8. Check system log messages
9. Shutdown
10. Set the IP address of the Brocade switch
11. View operating system version information on the Brocade switch
12. Add license information to the Brocade switch
13. View license information on the Brocade switch
14. Brocade SilkWorm 300 switch license
15. Brocade switch password change command
16. Brocade switch password reset
17. After logging in, use the passwddefault command to restore the factory password
18. Switch upgrade
19. Help information
RVN4126 3.59100-386-9100-386/T DEVICERVN41772-CD2-3.5MCS/MTSRVN41821-CD2-3.5XTS3000/SABER PORTABLE YES RKN4046KHVN9085 3.51-20 R NO HLN9359 PROG. STAND RVN4057 3.532 X 8 CODEPLUG NO3080385B23 & 5880385B30 MDVN4965 3.59100-WS/T CONFIG KITRVN4053 3.5ASTRO DIGITAL INTERFACE NO3080385B23RVN41842-CD RKN4046A (Portable) 2-3.5ASTRO PORTABLE /MOBILE YES3080369B73 or0180300B10 (Mobile) RVN41831-CD3080369B732-3.5ASTRO SPECTRA MOBILE YES(Low / Mid Power)0180300B10 (High Power) RVN4185CD ASTRO SPECTRA PLUS MOBILE NO MANY OPTIONS; SEESERVICE BRIEF#SB-MO-0101RVN4186CD ASTRO SPECTRA PLUS MANY OPTIONS;MOBILE/PORTABLE COMB SEE SERVICE BRIEF#SB-MO-0101RVN4154 3.5ASTROTAC 3000 COMPAR.3080385B23RVN5003 3.5ASTROTAC COMPARATORS NO3080399E31 Adpt.5880385B34RVN4083 3.5BSC II NO FKN5836ARVN4171 3.5C200RVN4029 3.5CENTRACOM SERIES II NO VARIOUS-SEE MANUAL6881121E49RVN4112 3.5COMMAND PLUS NORVN4149 3.5COMTEGRA YES3082056X02HVN6053CD CT250, 450, 450LS YES AAPMKN4004RVN4079 3.5DESKTRAC CONVENTIONAL YES3080070N01RVN4093 3.5DESKTRAC TRUNKED YES3080070N01RVN4091 3.5DGT 9000 DESKSET YES0180358A22RVN4114 3.5GLOBAL POSITIONING SYS.NO RKN4021AHVN8177 3.5GM/GR300/GR500/GR400M10/M120/130YES3080070N01RVN4159 3.5GP60 SERIES YES PMLN4074AHVN9128 3.5GP300 & GP350RVN4152 3.5GP350 AVSRVN4150 3.5GTX YES HKN9857 (Portable)3080070N01(Mobile) HVN9025CD HT CDM/MTX/EX SERIES YES AARKN4083/AARKN4081RiblessAARKN4075RIBLESS NON-USA RKN4074RVN4098H 3.5HT1000/JT1000-VISAR YES3080371E46(VISAR CONV)RVN4151 3.5HT1000 AVSRVN4098 3.5HT1000/ VISAR CONV’L.YES RKN4035B (HT1000) HVN9084 3.5i750YES HLN-9102ARVN4156 3.5LCS/LTS 2000YES HKN9857(Portable)3080070N01(Mobile) RVN4087 3.5LORAN C LOC. 
RECV’R.NO RKN4021ARVN4135 3.5M100/M200,M110,M400,R100 includesHVN9173,9177,9646,9774YES3080070N01RVN4023 3.5MARATRAC YES3080070N01RVN4019 3.5MAXTRAC CONVENTIONAL YES3080070N01RVN4139 3.5MAXTRAC LS YES3080070N01RVN4043 3.5MAXTRAC TRK DUPLEX YES3080070N01RVN4178CD MC SERIES, MC2000/2500DDN6124AW/DB25 CONNECTORDDN6367AW/DB9 CONNECTOR RVN41751-CD Rib to MIC connector 1-3.5MCS2000 RKN4062BRVN41131-3.5MCS2000RVN4011 3.5MCX1000YES3000056M01RVN4063 3.5MCX1000 MARINE YES3000056M01RVN4117 3.5MDC/RDLAP DEVICESRVN4105 3.5MOBILE PROG. TOOLRVN4119 3.5MOBITEX DEVICESRVN4128 3.5MPT1327-1200 SERIES YES SEE MANUALRVN4025 3.5MSF5000/PURC/ANALOG YES0180355A30RVN4077 3.5MSF5000/10000FLD YES0180355A30RVN4017K 3.5MT 1000YES RTK4205CRVN4148 3.5MTR 2000YES3082056X02RVN4140 3.5MTRI 2000NORVN41761-CD MTS2000, MT2000*, MTX8000, MTX90001-3.5*programmed by DOS which is included in the RVN4176RVN4131 3.5MTVA CODE PLUG FIXRVN4142 3.5MTVA DOCTOR YES3080070N01RVN4131 3.5MTVA3.EXERVN4013 3.5MTX800 & MTX800S YES RTK4205CRVN4097 1-CD MTX8000/MTX9000,MTS2000,MT2000*,* programmed by DOS which is included in the RVN4176HVN9067CD MTX850/MTX8250MTX950,MTX925RVN4138 3.5MTX-LS YES RKN4035DRVN4035 3.5MX 1000YES RTK4203CRVN4073 3.5MX 800YES RKN4006BHVN9395 P100, P200 LB, P50+, P210, P500, PR3000RVN4134 3.5P100 (HVN9175)P200 LB (HVN9794)P50+ (HVN9395)P210 (HVN9763)P500 (HVN9941)PR3000 (HVN9586)YES RTK4205HVN9852 3.5P110YES HKN9755A/REX1143 HVN9262 3.5P200 UHF/VHF YES RTK4205RVN4129 3.5PDT220YVN4051 3.5PORTABLE REPEATER Portable rptr.P1820/P1821AXRVN4061C 3.5PP 1000/500NO3080385B23 & 5880385B30 RVN5002 3.5QUANTAR/QUANTRO NO3O80369E31RVN4135 3.5R100 (HVN9177)M100/M200/M110/M400YES0180358A52RVN4146 3.5RPM500/660RVN4002 3.5SABER YES RTK4203CRVN4131 3.5SETTLET.EXEHVN9007 3.5SM50 & SM120YESRVN4039 3.5SMART STATUS YES FKN5825AHVN9054 3.5SOFTWARE R03.2 P1225YES3080070N01HVN9001 3.5SOFTWARE R05.00.00 1225LS YES HLN9359AHVN9012 3.5SP50RVN4001N 3.5SPECTRA YES3080369B73 (STANDARD)0180300B10 (HIGH POWER) RVN4099 3.5SPECTRA 
RAILROAD YES3080369B73RVN4110 3.5STATION ACCESS MODULE NO3080369E31RVN4089A 3.5STX TRANSIT YES0180357A54RVN4051 3.5SYSTEMS SABER YES RTK4203BRVN4075 3.5T5600/T5620 SERIES NO3080385B23HVN9060CD TC3000, TS3000, TR3000RVN4123 3.5VISAR PRIVACY PLUS YES3080371E46FVN4333 3.5VRM 100 TOOLBOX FKN4486A CABLE &ADAPTORRVN4133 3.5VRM 500/600/650/850NORVN4181CD XTS 2500/5000 PORTABLES RKN4105A/RKN4106A RVN41002- 3.5XTS3000 ASTRO PORTABLE/MOBILERVN4170 3.5XTS3500YES RKN4035DRIB SET UPRLN4008E RADIO INTERFACE BOX (RIB)0180357A57RIB AC POWER PACK 120V0180358A56RIB AC POWER PACK 220V3080369B71IBM TO RIB CABLE (25 PIN) (USE WITH XT & PS2)3080369B72IBM TO RIB CABLE (9 PIN)RLN443825 PIN (F) TO 9 PIN (M) ADAPTOR (USE W/3080369B72 FOR AT APPLICATION) 5880385B308 PIN MODULAR TO 25 PIN ”D” ADAPTOR (FOR T5600 ONLY)0180359A29DUPLEX ADAPTOR (MOSTAR/TRAXAR TRNK’D ONLY)Item Disk Radio RIB Cable Number Size Product Required Number Item Disk Radio RIB Cable Number Size Product Required NumberUtilizing your personal computer, Radio Service Software (RSS)/Customer Programming Software (CPS)/CustomerConfiguration Software (CCS) enables you to add or reprogram features/parameters as your requirements change. RSS/CPS/CCS is compatible with IBM XT, AT, PS/2 models 30, 50, 60 and 80.Requires 640K RAM. DOS 3.1 or later. Consult the RSS users guide for the computer configuration and DOS requirements. (ForHT1000, MT/MTS2000, MTX838/8000/9000, Visar and some newer products —IBM model 386, 4 MEG RAM and DOS 5.0 or higher are recommended.) A Radio Interface Box (RIB) may be required as well as the appropriate cables. The RIB and cables must be ordered separately.Licensing:A license is required before a software (RVN) order is placed. The software license is site specific (customer number and ultimate destination tag). 
All sites/locations must purchase their own software. Be sure to place subsequent orders using the original customer number and ship-to-tag or other licensed sites; ordering software without a licensed customer number and ultimate tag may result in unnecessary delays. To obtain a no charge license agreement kit, order RPX4719. To place an order in the U.S. call 1-800-422-4210. Outside the U.S., FAX 847-576-3023.

Subscription Program:
The purchase of Radio Service Software/Customer Programming/Customer Configuration Software (RVN & HVN kits) entitles the buyer/subscriber to three years of free upgrades. At the end of these three years, the subscriber must purchase the same Radio Service Software kit to receive an additional three years of free upgrades. If the subscriber does not elect to purchase the same Radio Service Software kit, no upgrades will be sent. Annually a subscription status report is mailed to inform subscribers of the RSS/CPS/CCS items on our database and their expiration dates.

Notes:
1) A subscription service is offered on “RVN” Radio Service Software/Customer Programming/Customer Configuration Software kits only.
2) “RVN” software must only be procured through Radio Products and Services Division (RPSD). Software not procured through the RPSD will not be recorded on the subscription database; upgrades will not be mailed.
3) Upgrades are mailed to the original buyer (customer number & ultimate tag).
4) SP software is available through the radio product groups.

The Motorola General Radio Service Software Agreement is now available on Motorola Online.
If you need assistance please feel free to submit a “Contact Us” or call 800-422-4210.SMART RIB SET UPRLN1015D SMART RIB0180302E27 AC POWER PACK 120V 2580373E86 AC POWER PACK 220V3080390B49SMARTRIB CABLE (9 PIN (F) TO 9 PIN (M) (USE WITH AT)3080390B48SMARTRIB CABLE (25 PIN (F) TO 9 PIN (M) (USE WITH XT)RLN4488ASMART RIB BATTERY PACKWIRELESS DATA GROUP PRODUTS SOFTWARERVN4126 3.59100-386/9100T DEVICES MDVN4965 3.59100-WS/T CONFIG’TN RVN41173.5MDC/RDLAP DEVICESPAGING PRODUCTS MANUALS6881011B54 3.5ADVISOR6881029B90 3.5ADVISOR ELITE 6881023B20 3.5ADVISOR GOLD 6881020B35 3.5ADVISOR PRO FLX 6881032B30 3.5BR8506881032B30 3.5LS3506881032B30 3.5LS5506881032B30 3.5LS7506881033B10 3.5LS9506881035B20 3.5MINITOR III8262947A15 3.5PAGEWRITER 20008262947A15 3.5PAGEWRITER 2000X 6881028B10 3.5TALKABOUT T3406881029B35 3.5TIMEPORT P7308262947A15 3.5TIMEPORT P930NLN3548BUNIVERSAL INTERFACE KITItem Disk Radio NumberSize Product。
Supporting Brocade 5600 vRouter, VNF Platform, and Distributed Services Platforms
FEATURE GUIDE
53-1004752-01

© 2016, Brocade Communications Systems, Inc. All Rights Reserved.

Brocade, the B-wing symbol, and MyBrocade are registered trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands, product names, or service names mentioned of Brocade Communications Systems, Inc. are listed at /en/legal/brocade-Legal-intellectual-property/brocade-legal-trademarks.html. Other marks may belong to third parties.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.

The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it.

The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit /support/oscd.

Contents
• Brocade Vyatta Network OS
  – Overview
• Brocade Vyatta Network OS Use Cases
  – Brocade 5600 vRouter
  – Brocade Vyatta Network OS as a VNF platform
  – Brocade Vyatta Network OS as a Distributed Services platform
• Contacting Brocade

Brocade Vyatta Network OS

Overview

The Brocade Vyatta Network OS lays the foundation for a flexible, easy-to-use, and high-performance network services architecture capable of meeting current and future network demands. The Brocade Vyatta Network OS can be deployed across a wide variety of use cases. For example, it can be deployed as a Brocade 5600 vRouter, VNF platform, or distributed services platform to integrate into cloud, virtual, physical, or on-premises environments. It also can be deployed as a co-resident on the hardware that houses the data planes, or centralized to manage a number of distributed data planes, depending on the requirements of an organization.

With the Brocade Vyatta Network OS, organizations can bridge the gap between traditional and new architectures, leverage existing investments, and maximize operational efficiencies when enabling new services. The Brocade vPlane technology comprises these main components:

• Control plane—Carries signaling traffic and manages configuration and protocol operations; it also serves the data plane. The control plane consists of the following components:
  – Vyatta CLI, API, and GUI—Provide the user interfaces to the router
  – System daemons—Provide control plane services, such as BGP, DHCP, OSPF, RIP, and SNMP
  – Controller daemon—Provides the data plane interface to the Linux kernel and CLI and manages the data plane
• Data plane—Forwards traffic between ports and passes local traffic to the controller. The data plane consists of the following components:
  – Data plane daemon—Provides packet forwarding, QoS, and firewall services
  – User space I/O drivers—Provide the network interface
• Linux kernel—Hosts the data plane and other processes for the user space.

Figure 2 on page 7 illustrates the Brocade Vyatta Network OS Architecture diagram

FIGURE 1 Brocade Vyatta Network OS Architecture

Brocade Vyatta Network OS Use Cases

Brocade 5600 vRouter

The Brocade 5600 vRouter employs the innovative Brocade vPlane technology, which enables hardware-like routing performance in a software-based network appliance. The Brocade vPlane technology comprises these main components:

• Control plane—Carries signaling traffic and manages configuration and protocol operations; it also serves the data plane.
• Data plane—Forwards traffic between ports and passes local traffic to the controller.
• Linux kernel—Hosts the data plane and other processes for the user space.

Figure 2 illustrates the Brocade 5600 vRouter in a single node instantiation.

FIGURE 2 Architecture of Brocade Vyatta Network OS as a 5600 vRouter deployment

Customarily, packet processing in Linux runs in the kernel space. However, with the vPlane architecture, packet processing runs in the Linux user space. By using the vPlane architecture and leveraging the Intel Data Plane Development Kit (Intel DPDK), the Brocade vRouter delivers breakthrough levels of performance. Depending on the configuration, one or two cores are dedicated to each interface. The core or cores are able to run at 100-percent efficiency when processing packets and support performance scaling.

Brocade Vyatta Network OS as a VNF platform

The Brocade Vyatta Network OS as a VNF platform supports foundation networking services and can eliminate the need for at least one virtual network function (VNF) in a multiservice design. This platform also eliminates manual provisioning by supporting zero-touch deployment for the on-premise VNF platform, which automates configuration and software updates and allows service providers to scale services as needed. NETCONF supports the VNF life cycle, service chains, and further configuration.

The Brocade Vyatta Network OS as a VNF platform is based on the Brocade Vyatta Network OS of the Brocade 5600 vRouter.

The VNF platform allows the virtualization of the hardware that is required to run your business and provides a set of value-added services, including network connectivity.

You can use the VNF platform to run various VNF devices.

The following figure illustrates the VNF platform architecture. The VNF platform is a use case of the Vyatta Network OS. You install the hypervisor image and then create guests for various VNF roles.

FIGURE 3 Architecture of Brocade Vyatta Network OS as a VNF platform deployment

Brocade Vyatta Network OS as a Distributed Services platform

The Brocade Vyatta Network OS as a Distributed Services platform is a large-scale distributed router consisting of a single Distributed Services platform controller and multiple virtual data planes (vPlanes) that operate together as a large distributed system across many hypervisors. The Distributed Services Platform provides the following:

• Horizontal scaling of VNFs, with numerous tenant-facing interfaces that are distributed across multiple vPlanes for Internet service providers.
• A Layer 2 virtual overlay network for cloud service providers.

The following figure provides a high-level view of the Distributed Services platform architecture, which is based on the following elements:

• Controller—Virtual machine (VM) that provides control and management functions for the Distributed Services platform infrastructure.
• vPlane—VM that forwards data as an instance of the data-forwarding plane. A single Distributed Services platform can include up to 32 vPlanes. Internal vPlanes connect to tenant servers, and gateway vPlanes connect to the external network.
• Control network—Network that provides control plane and status communications between the Distributed Services Platform controller and vPlanes.
• Fabric network—Full mesh of VXLAN-GPE tunnels between all the vPlanes that is used to forward packets between vPlanes.

FIGURE 4 Architecture of Brocade Vyatta Network OS as a Distributed Services platform deployment

Contacting Brocade

To provide document feedback use the online feedback form in the HTML documents posted on or contact *************************.

For product support information and the latest information on contacting the Technical Assistance Center, go to /services-support/index.html.

If you have purchased Brocade product support directly from Brocade, use one of the following methods to contact the Brocade Technical Assistance Center 24x7. Brocade OEM customers contact their OEM/Solutions provider.

Brocade Vyatta Network OS Product Guide, 5.2R1
53-1004752-01
1. Strongswan Installation

Get installation package from and install (tested with Strongswan version 2.8.4 and direct PPPOE DSL connection with fixed public IP on the linux (Debian 4.0) machine)

2. Digi Connect WAN 3G / VPN configuration with firmware 2.14 and earlier

IP: 192.168.241.1, Netmask 255.255.255.0

VPN Settings - Phase 1:
Main Mode, Grp. 5, PFS activated
PSK / 3DES / SHA1 / 3600s key lifetime

VPN Settings - Phase 2:
Endpoint: fixed public DSL IP
Identity: 00:40:9D:2E:54:***********
Local network: 192.168.241.0/24, Netmask 255.255.255.0
Remote network: 192.168.240.0/20, Netmask 255.255.240.0
ID: fixed public DSL IP
PSK: nBnP524
3DES / MD5 / 5400s key lifetime

3. Connect WAN VPN configuration with firmware 2.7 and later

4. Strongswan 2.8.4 Software Configuration

eth0 static IP 192.168.255.1
firestarter installed (apt-get install firestarter)
firestarter started and set to “firewall off” (Pause icon)

/etc/ipsec.conf:

    # /etc/ipsec.conf - strongSwan IPsec configuration file
    # RCSID $Id: ipsec.conf.in,v 1.7 2006/01/31 13:09:10 as Exp $
    # Manual: ipsec.conf.5
    # Help: /docs/readme.htm

    version 2.0     # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        #crlcheckinterval=600
        #strictcrlpolicy=yes
        #cachecrls=yes
        # Use auto= parameters in conn descriptions to control startup actions.
        #plutoload=%search
        #plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        nat_traversal=no

    # defaults for subsequent connection descriptions
    # (mostly to fix internal defaults which, in retrospect, were badly chosen)
    conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=217.91.93.51
        #leftnexthop=217.91.93.51
        leftid="C=DE, ST=Dortmund, O=Customer Inc., OU=Test, CN=head"
        leftsubnet=192.168.240.0/20
        leftcert=/etc/ipsec.d/certs/head-cert-2007.pem
        leftsourceip=192.168.255.1
        right=%any
        keyingtries=0
        #disablearrivalcheck=yes
        auto=add
        compress=no
        ike=aes128-sha-modp1536,aes256-sha-modp1536,3des-sha-modp1536,3des-md5-modp1536,3des-md5-modp1024,3des-sha-modp1024
        esp=aes128-sha1,aes256-sha1,3des-sha1,3des-md5
        dpdaction=hold
        dpddelay=120
        dpdtimeout=1200
        keylife=3h
        ikelifetime=2h

    ### test connections for Customer and Digi
    conn "head-user1"
        #rightid="00:40:9D:2E:A2:***********"
        #leftsubnet=192.168.255.0/24
        rightid="C=DE, ST=Dortmund, O=Customer Inc., OU=Test, CN=digi1"
        rightsubnet=192.168.240.0/24

    conn "head-user2"
        authby=secret
        rightid="00:40:9D:2E:54:***********"
        rightsubnet=192.168.241.0/24

/etc/ipsec.secrets:

    # RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
    # This file holds shared secrets or RSA private keys for inter-Pluto
    # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
    # RSA private key for this host, authenticating it to any other host
    # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
    # or configuration of other implementations, can be extracted conveniently
    # with "ipsec showhostkey".
    : PSK "nBnP524"

3. VPN Operation / Debugging

Make sure the firewall is turned off (firestarter or iptables)

- If verbose debug output is needed, go to console 1 and do a
    tcpdump -i eth0 not port ssh and not port domain and not arp
- To monitor VPN exchange messages, go to console 2 and do a
    tail -f /var/log/auth.log
- To start IPsec on the linux side, go to console 3 and do a
    ipsec start
  and
    ipsec status
  (other commands are ipsec stop and ipsec restart)
- Make sure the Digi device has established mobile connection. From the Digi’s local network, do a ping 192.168.255.1

Console 1 & 2 on the linux machine should generate positive output – SA established.
ASVMP

• Storage Area Networks (SATA, SAS, Fiber Channel)
• Passive Optical Networks (EPON, 10G-EPON, GPON, 10G-PON)
• Ethernet (1G, 10GBASE-T/KR/LR/SR, FCoE)
• PCI Express
• Display port

• Low Power Consumption for high speed communication
• Exceptional Stability Over Temp. at -40 to +85°C, ±15ppm
• Extended Automotive Grade Temp. stability at -55 to +125°C, ±25ppm
• Available in 50kG Shock Resistance Configuration upon request
• MIL-STD-883 shock and vibration compliant
• Durable QFN Plastic Compact Packaging
• Standby or Disable Tri-state function
• Low jitter (Period jitter RMS and Phase jitter RMS)
• High power supply noise reduction, -50dBc

Low Jitter High Performance
Moisture Sensitivity Level – MSL 1
Pb RoHS/RoHS II compliant
7.0 x 5.0 x 0.85mm
-20 ~ +70°C, -40 ~ +85°C, -40 ~ +105°C, -55 ~ +125°C

Common Key Electrical Specifications – CMOS, LVPECL, LVDS, and HCSL

Frequency Range:
    CMOS 2.3000* 170.0000 MHz
    CMOS 3.3000* 170.0000
    LVPECL 2.3000* 460.0000 (Commercial, Industrial temp. range)
    LVDS 2.3000* 460.0000 (Commercial, Industrial temp. range)
    HCSL 2.3000* 460.0000 (Commercial, Industrial temp. range)
Operating Temperature: -20 +70 °C (See options)
Storage Temperature: -55 +150 °C
Overall Frequency Stability: -50 +50 ppm (See options)
Supply Voltage (Vdd): +2.25 +3.6 V
Start up Time: 5 ms
Enable Time: 20 ns, STD (Tri-state); 5 ms, PD option (Power Down)
Disable Time: 5 ns
Disable Current: 20 22 mA, STD (Tri-state); 0.095, PD option (Power Down)
Tri-state Function (Standby/Disable): "1" (VIH 0.75*Vdd) or Open: Oscillation; "0" (VIL<0.25*Vdd): Hi Z; V; 40k pull-up resistor embedded
Aging: -5.0 +5.0 ppm (First year)

* For 2.3000MHz < F0 < 9.9999MHz, 6-8 weeks lead-time applies

Key Electrical Specifications – CMOS

Supply Current (Idd): 31 35 mA (CL=15pF, 125MHz)
Output Logic Level: VOH 0.9*Vdd V (I=±6mA); VOL 0.1*Vdd V
Rise Time Tr: 1.1 2.0 ns (CL=15pF, 20% to 80%)
Fall Time Tf: 1.3 2.0 ns
Duty Cycle: 45 55 %
Integrated Phase Jitter (JPH), ps:
    0.30 2 (200kHz ~ 20MHz @125MHz)
    0.38 2 (100kHz ~ 20MHz @125MHz)
    1.70 2 (12kHz ~ 20MHz @125MHz)
Period Jitter RMS (JPER): 3.0 ps

Key Electrical Specifications – LVPECL

Supply Current (Idd): 56.5 58 mA (RL=50)
Output Logic Level: VOH Vdd-1.08 V (RL=50); VOL Vdd-1.55 V
Peak to Peak Output Swing (Vpp): 800 mV (Single ended)
Rise Time Tr: 250 ps (RL=50, CL=0pF, 20% to 80%)
Fall Time Tf: 250 ps
Duty Cycle: 48 52 % (Differential)
Integrated Phase Jitter (JPH), ps:
    0.25 2 (200kHz ~ 20MHz @156.25MHz)
    0.38 2 (100kHz ~ 20MHz @156.25MHz)
    1.70 2 (12kHz ~ 20MHz @156.25MHz)
Period Jitter RMS (JPER): 2.5 ps

Key Electrical Specifications – LVDS

Supply Current (Idd): 29 32 mA (RL=100)
Output Offset Voltage (VOS): 1.125 1.4 V (RL=100 differential)
Delta Offset Voltage (VOS): 50 mV
Peak to Peak Output Swing (Vpp): 350 mV (Single ended)
Rise Time Tr: 200 ps (RL=50, CL=2pF, 20% to 80%)
Fall Time Tf: 200 ps
Duty Cycle: 48 52 % (Differential)
Integrated Phase Jitter (JPH), ps:
    0.28 2 (200kHz ~ 20MHz @156.25MHz)
    0.40 2 (100kHz ~ 20MHz @156.25MHz)
    1.70 2 (12kHz ~ 20MHz @156.25MHz)
Period Jitter RMS (JPER): 2.5 ps

Key Electrical Specifications – HCSL

Supply Current (Idd): 40 42 mA (RL=50)
Output Logic Level: VOH 0.725 V (RL=50); VOL 0.1 V
Peak to Peak Output Swing (Vpp): 750 mV (Single ended)
Rise Time Tr: 200 400 ps (RL=50, CL=2pF, 20% to 80%)
Fall Time Tf: 200 400 ps
Duty Cycle: 48 52 % (Differential)
Integrated Phase Jitter (JPH), ps:
    0.25 2 (200kHz ~ 20MHz @156.25MHz)
    0.37 2 (100kHz ~ 20MHz @156.25MHz)
    1.70 2 (12kHz ~ 20MHz @156.25MHz)
Period Jitter RMS (JPER): 2.5 ps

Absolute Maximum Ratings

Supply Voltage: -0.3 +4.0 V
Input Voltage: -0.3 Vdd+0.3 V
Junction Temp.: +150 °C
Storage Temp.: -55 +150 °C
Soldering Temp.: +260 °C (40sec max)
ESD: HBM 4,000 V; MM 400 V; CDM 1,500 V

[Figures: Test Circuit for CMOS output, LVPECL output, LVDS output and HCSL output] (Unless specified otherwise: T=25°C, VDD=3.3 V)

Function: Tri-state, NC, GND, Output, NC (CMOS) / Output (LVPECL, LVDS, HCSL), Vdd
Note: Recommend using an approximately 0.01uF bypass capacitor between PIN 6 and 3.
Center pad: NC / GND

[Figures: Recommended Land Pattern for CMOS; Recommended Land Pattern for LVPECL, LVDS, HCSL]

Tube: 50pcs/tube
[Figure: Unit orientation in tube]
Dimensions: mm