• Product Overview

    The SRX1500 is a next-generation firewall and security services gateway offering outstanding protection, performance, scalability, availability, and security service integration. Designed for port density, a high-performance security services architecture, and seamless integration of networking and security in a single platform, the SRX1500 is best suited for client protection in enterprise campus, regional headquarters, or cloud-based security solutions with a focus on application visibility and control, intrusion prevention, and advanced threat protection. The SRX1500 is powered by Junos OS, the industry-leading operating system that keeps the world’s largest and most mission-critical enterprise networks secure.

    Product Description

    The Juniper Networks® SRX1500 is a high-performance next-generation firewall and security services gateway that protects mission-critical networks at campuses and regional headquarters. The SRX1500 provides best-in-class security and threat detection and mitigation capabilities, integrating carrier-class routing and feature-rich switching in a single platform. The SRX1500 delivers a next-generation security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services in an enterprise campus, connecting to the cloud, complying with industry standards, or achieving operational efficiency, the SRX1500 helps organizations realize their business objectives while providing scalable, easy-to-manage, secure connectivity and advanced threat detection and mitigation capabilities. The SRX1500 protects critical corporate assets as a next-generation firewall, acts as an enforcement point for cloud-based security solutions, and provides application visibility and control to improve the user and application experience. A combination of hardware and software architectures on the SRX1500 adds significant performance improvements to a small 1 U form factor. The key to the SRX1500 hardware is the security flow accelerator, a programmable high-speed Layer 4 firewall chip, and a robust x86-based security compute engine for advanced security services like application visibility, intrusion prevention, and threat mitigation capabilities. The SRX1500 software architecture leverages these programmable hardware components and virtualization to deliver high-speed firewall performance, application visibility, and intrusion prevention while lowering total cost of ownership (TCO). The SRX1500 is purpose-built to protect 10GbE network environments, consolidating multiple security services and networking functions in a highly available appliance. It supports up to 9.2 Gbps of firewall performance, 3.3 Gbps of intrusion prevention, and 4.5 Gbps of IPsec VPN in enterprise campus, regional headquarters, and data center deployments.

    SRX1500 Highlights

    The SRX1500 delivers a full complement of next-generation firewall capabilities that use advanced application identification and classification to enable greater visibility, enforcement, control, and protection over the network. It provides a detailed analysis of application volume and usage, fine-grained application control policies to allow or deny traffic based on dynamic application name or group names, and prioritization of traffic based on application information and context. The SRX1500 recognizes more than 4,275 applications and nested applications in plain-text or SSL encrypted transactions. The SRX1500 also integrates with Microsoft Active Directory and combines user information with application data to provide network-wide application and user visibility and control.
    For the perimeter, the SRX1500 Firewall offers a comprehensive suite of application security services, threat defenses, and intelligence services to protect networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks ATP Cloud offers adaptive threat protection against command and control (C&C)-related botnets and policy enforcement based on GeoIP. Integrating the Juniper Networks Advanced Threat Prevention Cloud solution, or working with the Juniper Networks ATP Appliance, the SRX1500 detects and enforces automated protection against known malware and zero-day threats with an extremely high degree of accuracy. The SRX1500 enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management. The SRX1500 delivers fully automated SD-WAN to both enterprises and service providers. A Zero-Touch Provisioning (ZTP) capability simplifies branch network connectivity for initial deployment and ongoing management. Due to its high performance and scale, the SRX1500 acts as a VPN hub and terminates VPN/secure overlay connections in the various SD-WAN topologies. The SRX1500 Firewall runs Juniper Networks Junos® operating system, a proven, carrier-hardened network OS that powers the top 100 service provider networks worldwide. These rigorously tested carrier-class routing features of IPv4/IPv6, OSPF, BGP, and multicast have been proven in over 15 years of worldwide deployments.  

    Features and Benefits

    Business Requirement | Feature/Solution | SRX1500 Advantages

    High performance | Up to 9 Gbps of firewall performance
    • Best suited for enterprise campus and data center edge deployments
    • Addresses future needs for scale and feature capacity

    High quality end-user experience | Application visibility and control
    • Detects 4,275 Layer 3-7 applications, including Web 2.0
    • Controls and prioritizes traffic based on application and user role
    • Inspects and detects applications inside the SSL encrypted traffic

    Threat protection | IPS, antivirus, anti-spam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, Threat Intelligence Feeds, and Juniper ATP Appliance
    • Provides real-time updates to IPS signatures and protects against exploits
    • Implements industry-leading antivirus and URL filtering
    • Delivers open threat intelligence platform that integrates with third-party feeds
    • Protects against zero-day attacks
    • Restores visibility lost due to encryption, without the heavy burden of full TLS/SSL decryption

    Professional-grade networking services | Routing, switching, and secure wire
    • Supports carrier-class advanced routing, quality of service (QoS), and services
    • Offers flexible deployment modes (L1/L2/L3)

    Highly secure | IPsec VPN, remote access/SSL VPN, secure boot
    • Provides high-performance IPsec VPN with dedicated crypto engine
    • Simplifies large VPN deployments with auto VPN and group VPN
    • Offers secure and flexible remote access SSL VPN with Juniper Secure Connect
    • Verifies binaries that execute on the hardware with secure boot

    High reliability | Chassis cluster, redundant power supply
    • Provides stateful configuration and session synchronization
    • Supports active/active and active/backup deployment scenarios
    • Offers highly available hardware with dual PSU, redundant fans

    Easy to manage and scale | On-box GUI, Security Director
    • Enables centralized management for auto-provisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments
    • Includes simple easy-to-use on-box GUI for local management

    Lower TCO | Junos OS
    • Integrates routing, switching, and security in a single device
    • Reduces OpEx with Junos OS automation capabilities

    SRX1500 Firewall Specifications

    Software Specifications

    Firewall Services

    • Stateful and stateless firewall
    • Zone-based firewall
    • Screens and distributed denial of service (DDoS) protection
    • Protection from protocol and traffic anomalies
    • Integration with Pulse Unified Access Control (UAC)
    • Integration with Aruba ClearPass Policy Manager
    • User role-based firewall
    • SSL Inspection
     

    Network Address Translation (NAT)

    • Source NAT with Port Address Translation (PAT)
    • Bidirectional 1:1 static NAT
    • Destination NAT with PAT
    • Persistent NAT
    • IPv6 address translation
     

    VPN Features

    • Tunnels: Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4/IPv6/Dual Stack)
    • Juniper Secure Connect: Remote access/SSL VPN
    • Configuration payload: Yes
    • IKE encryption algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    • IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
    • Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
    • IPsec (Internet Protocol Security): Authentication Header (AH)/Encapsulating Security Payload (ESP) protocol
    • IPsec authentication algorithms: hmac-md5, hmac-sha1-96
    • IPsec encryption algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    • Perfect forward secrecy, anti-replay
    • Internet Key Exchange: IKEv1, IKEv2
    • Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
    • VPNs: GRE, IP-in-IP, and MPLS
     

    High Availability Features

    • Virtual Router Redundancy Protocol (VRRP)
    • Stateful high availability
      • Dual box clustering
      • Active/passive
      • Active/active
      • Configuration synchronization
      • Firewall session synchronization
      • Device/link detection
      • In-Service Software Upgrade (ISSU)
    • IP monitoring with route and interface failover
     

    Application Security Services¹

    • Application visibility and control
    • Application-based firewall
    • Application QoS
    • Advanced/application policy-based routing (APBR)
    • Application Quality of Experience (AppQoE)
    • Application-based multipath routing
     

    Threat Defense and Intelligence Services¹

    • Intrusion prevention
    • Antivirus
    • Antispam
    • Category/reputation-based URL filtering
    • Protection from botnets (command and control)
    • Adaptive enforcement based on GeoIP
    • Juniper Advanced Threat Prevention, a cloud-based SaaS offering, to detect and block zero-day attacks
    • Juniper ATP Appliance, a distributed, on-premises advanced threat prevention solution to detect and block zero-day attacks
    • Adaptive Threat Profiling
    • Encrypted Traffic Insights
    • SecIntel to provide threat intelligence
     
    ¹ Offered as an advanced security subscription license.

    Routing Protocols

    • IPv4, IPv6
    • Static routes
    • RIP v1/v2
    • OSPF/OSPF v3
    • BGP with Route Reflector
    • IS-IS
    • Multicast: Internet Group Management Protocol (IGMP) v1/v2; Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM); Session Description Protocol (SDP); Distance Vector Multicast Routing Protocol (DVMRP); Multicast Source Discovery Protocol (MSDP); Reverse Path Forwarding (RPF)
    • Encapsulation: VLAN, Point-to-Point Protocol over Ethernet (PPPoE)
    • Virtual routers
    • Policy-based routing, source-based routing
    • Equal-cost multipath (ECMP)
     

    QoS Features

    • Support for 802.1p, DiffServ code point (DSCP), EXP
    • Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
    • Marking, policing, and shaping
    • Classification and scheduling
    • Weighted random early detection (WRED)
    • Guaranteed and maximum bandwidth
    • Ingress traffic policing
    • Virtual channels
    • Hierarchical shaping and policing
     

    Switching Features

    • ASIC-based Layer 2 forwarding
    • MAC address learning
    • VLAN addressing and integrated routing and bridging (IRB) support
    • Link aggregation and LACP
    • LLDP and LLDP-MED
    • STP, RSTP, MSTP
    • MVRP
    • 802.1X authentication
     

    Network Services

    • Dynamic Host Configuration Protocol (DHCP) client/server/relay
    • Domain Name System (DNS) proxy, dynamic DNS (DDNS)
    • Juniper real-time performance monitoring (RPM) and IP monitoring
    • Juniper flow monitoring (J-Flow)
    • Bidirectional Forwarding Detection (BFD)
    • Two-Way Active Measurement Protocol (TWAMP)
    • IEEE 802.3ah Link Fault Management (LFM)
    • IEEE 802.1ag Connectivity Fault Management (CFM)
     

    Advanced Routing Services

    • Packet mode
    • MPLS (RSVP, LDP)
    • Circuit cross-connect (CCC), translational cross-connect (TCC)
    • L2/L2 MPLS VPN, pseudo-wires
    • Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
    • MPLS traffic engineering and MPLS fast reroute
     

    Management, Automation, Logging, and Reporting

    • SSH, Telnet, SNMP
    • Smart image download
    • Juniper CLI and Web UI
    • Juniper Networks Junos Space and Security Director
    • Python
    • Junos OS event, commit and OP scripts
    • Application and bandwidth usage reporting
    • Auto installation
    • Debug and troubleshooting tools
     

    Hardware Specifications

    ² Performance numbers based on UDP packets and RFC2544 test methodology.
    ³ Performance numbers based on HTTP traffic with 44 KB transaction size.
    ⁴ Next-Generation firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions.
    ⁵ Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions.
  • Product Overview

    The SRX Series are next-generation firewalls based on a revolutionary architecture offering outstanding performance, scalability, availability, and security services integration. Custom designed for flexible processing scalability, I/O scalability, and services integration, the SRX Series Firewalls exceed the security requirements of data center consolidation and services aggregation. The award-winning SRX Series is powered by Junos OS, the same industry-leading operating system that keeps the world’s largest data center networks available, manageable, and secure.

    Product Description

    The Juniper Networks® SRX5400, SRX5600, and SRX5800 are next-generation firewalls (NGFWs) that deliver outstanding protection, market-leading performance, six nines reliability and availability, scalability, and services integration. These devices are ideally suited for service provider, large enterprise, and public sector networks, including:
    • Cloud and hosting provider data centers
    • Mobile operator environments
    • Managed service providers
    • Core service provider infrastructures
    • Large enterprise data centers
    The SRX5400, SRX5600, and SRX5800 are an integral part of the Juniper Connected Security framework, which is built to protect users, applications, and infrastructure from advanced threats. Delivering the highest level of protection against exploits, malware, and command and control (C&C) communications, these platforms feature a carrier-grade next-generation firewall and advanced security services such as application security, Content Security, intrusion prevention system (IPS), and integrated threat intelligence services. For advanced protection, the SRX Series offers integrated threat intelligence services via Juniper Networks Advanced Threat Prevention (ATP), Juniper’s open threat intelligence platform in the cloud. Juniper ATP Cloud delivers actionable security intelligence to SRX Series devices to enable advanced protection against C&C-related botnets and Web application threats, as well as allowing policy enforcement based on GeoIP data—all based on Juniper-provided feeds. Customers may also leverage their own custom and third-party feeds for protection from advanced malware and other threats unique to their business environment. This advanced, customer-relevant, and consolidated threat intelligence service is delivered to the SRX Series on-premises from the cloud. The SRX5400, SRX5600, and SRX5800 are supported by Juniper Networks Security Director, which enables distributed security policy management through an intuitive, centralized interface that enables enforcement across emerging and traditional risk vectors. Using intuitive dashboards and reporting features, administrators gain insight into threats, compromised devices, risky applications, and more.
    Based on Juniper’s Dynamic Services Architecture, the SRX5000 line provides unrivaled scalability and performance. Each firewall can support near-linear scalability with the addition of Services Processing Cards (SPCs) and I/O cards (IOCs), enabling a fully equipped SRX5800 to support up to 3.36 Tbps firewall throughput. The SPCs are designed to support a wide range of services, enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that there are no idle resources based on specific services being used—maximizing hardware utilization. The scalability and flexibility of the SRX5000 line are supported by equally robust interfaces. The SRX5000 line employs a modular approach, where each platform can be equipped with a flexible number of IOCs that offer a wide range of connectivity options, including 1GbE, 10GbE, 40GbE, and 100GbE interfaces. With the IOCs sharing the same interface slot as the SPCs, the firewall can be configured as needed to support the ideal balance of processing and I/O. Hence, each deployment of the SRX Series can be tailored to specific network requirements. The scalability of both SPCs and IOCs in the SRX5000 line is enabled by the custom-designed switch fabric. Supporting up to 960 Gbps of data transfer, the fabric enables the realization of maximum processing and I/O capability available in any particular configuration. This level of scalability and flexibility enables future expansion and growth of the network infrastructure, providing unrivaled investment protection. The tight service integration on the SRX Series is enabled by Juniper Networks Junos® operating system. The SRX Series is equipped with a robust set of services that include stateful firewall, intrusion prevention system (IPS), denial of service (DoS), application security, VPN (IPsec), Network Address Translation (NAT), Content Security, quality of service (QoS), and large-scale multitenancy. In addition to the benefit of individual services, the SRX5000 line provides a low latency solution. Junos OS also delivers carrier-class reliability with six nines system availability, the first in the industry to achieve independent verification by Telcordia. Furthermore, the SRX Series enjoys the benefit of a single source OS, and single integrated architecture traditionally available on Juniper’s carrier-class routers and switches.

    SRX5800

    The SRX5800 Firewall is the market-leading security solution supporting up to 3.36 Tbps firewall throughput and latency as low as 32 microseconds for the stateful firewall. The SRX5800 also supports 638 Gbps IPS and 338 million concurrent sessions. The SRX5800 is equipped with the full range of advanced security services and is ideally suited for securing large enterprise, hosted, or colocated data centers, service provider core and cloud provider infrastructures, and mobile operator environments. The massive performance, scalability, and flexibility of the SRX5800 make it ideal for densely consolidated processing environments, and the service density makes it ideal for cloud and managed service providers.

    SRX5600

    The SRX5600 Firewall uses the same SPCs and IOCs as the SRX5800 and can support up to 1.44 Tbps firewall throughput, 182 million concurrent sessions, and 245 Gbps IPS. The SRX5600 is ideally suited for securing enterprise data centers as well as aggregating various security solutions. The capability to support unique security policies per zone and its ability to scale with the growth of the network infrastructure make the SRX5600 an ideal deployment for consolidation of services in large enterprise, service provider, or mobile operator environments.

    SRX5400

    The SRX5400 Firewall uses the same SPCs and IOCs as the SRX5800 and can support up to 960 Gbps firewall throughput, 90 million concurrent sessions, and 172 Gbps IPS. The SRX5400 is a small footprint, high-performance firewall ideally suited for securing large enterprise campuses as well as data centers, either for edge or core security deployments. The ability to support unique security policies per zone and a compelling price/performance/footprint ratio make the SRX5400 an optimal solution for edge or data center services in large enterprise, service provider, or mobile operator environments.

    Service Processing Cards (SPCs)

    As the “brains” behind the SRX5000 line, SPCs are designed to process all available services on the platform. Without the need for dedicated hardware for specific services or capabilities, there are no instances in which a piece of hardware is taxed to the limit while other hardware is sitting idle. SPCs are designed to be pooled together, allowing the SRX5000 line to expand performance and capacities with the introduction of additional SPCs, significantly reducing management overhead and complexity. The high-performance SPC3 cards are supported on the SRX5400, SRX5600, and SRX5800 Firewalls.

    I/O Cards (IOCs)

    To provide the most flexible solution, the SRX5000 line employs the same modular architecture for SPCs and IOCs. The SRX5000 line can be equipped with one or several IOCs, supporting the ideal mix of interfaces. With the flexibility to install an IOC or an SPC on any available slot, the SRX5000 line can be equipped to support the perfect blend of interfaces and processing capabilities, meeting the needs of the most demanding environments while ensuring investment protection. The third generation of IOCs from Juniper, the IOC3, delivers high throughput along with superior connectivity options including 100GbE, 40GbE, and high-density 10GbE interfaces. The IOC3 cards are supported on the SRX5400, SRX5600, and SRX5800. The fourth generation of IOCs delivers the highest throughput of all available linecards of up to 480 Gbps and offers multiple connectivity options from 10GbE and 40GbE to 100GbE. IOC4 can deliver up to 480 Gbps of hardware-accelerated throughput per linecard.

    Routing Engine (RE3) and Enhanced System Control Board (SCB4)

    The SRX5K-RE3-128G Routing Engine (RE3) is the latest in the family of REs for the SRX5000 line with a multicore processor running at 2000 MHz. It delivers improved performance, scalability, and reliability with 128 GB DRAM and includes a TPM module. The SRX5K-SCB4 enables 480 Gbps throughput per SCB and can be configured with intra- and interchassis redundancy.

    Features and Benefits

    Networking and Security

    The Juniper Networks SRX5000 line of Firewalls has been designed from the ground up to offer robust networking and security services.
    Feature | Feature Description | Benefits
    Purpose-built platform | Built from the ground up on dedicated hardware designed for networking and security services. | Delivers unrivaled performance and flexibility to protect high-speed network environments.
    Scalable performance | Offers scalable processing based on Juniper’s Dynamic Services Architecture. | Offers a simple and cost-effective solution to leverage new services with appropriate processing.
    System and network resiliency | Provides carrier-class hardware design and proven OS. | Offers the reliability needed for any critical high-speed network deployments without service interruption. Utilizes a unique architectural design based on multiple processing cores and a separation of the data and control planes.
    High availability (HA) | Active/passive and active/active HA configurations use dedicated HA interfaces. | Achieves availability and resiliency necessary for critical networks.
    Interface flexibility | Offers flexible I/O options with modular cards based on the Dynamic Services Architecture. | Offers flexible I/O configuration and independent I/O scalability (options include 1GbE, 10GbE, 40GbE, and 100GbE) to meet the port density requirements of demanding network environments.
    Network segmentation | Security zones, virtual LANs (VLANs), and virtual routers allow administrators to deploy security policies to isolate subnetworks and use overlapping IP address ranges. | Features the capability to tailor unique security and networking policies for various internal, external, and demilitarized zone (DMZ) subgroups.
    Robust Routing Engine | Dedicated RE provides physical and logical separation to data and control planes. | Enables deployment of consolidated routing and security devices, as well as ensuring the security of routing infrastructure—all via a dedicated management environment.
    Advanced threat protection | IPS, antivirus, antispam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, Threat Intelligence Feeds, and Juniper ATP Appliance.
    • Provides real-time updates to IPS signatures and protects against exploits
    • Implements industry-leading antivirus and URL filtering
    • Delivers open threat intelligence platform that integrates with third-party feeds
    • Protects against zero-day attacks
    • Stops rogue and compromised devices from disseminating malware
    • Restores visibility that was lost due to encryption, without the heavy burden of full TLS/SSL decryption
    AppTrack | Detailed analysis on application volume/usage throughout the network based on bytes, packets, and sessions. | Provides the ability to track application usage to help identify high-risk applications and analyze traffic patterns for improved network management and control.
    AppFirewall | Fine-grained application control policies to allow or deny traffic based on dynamic application name or group names. | Enhances security policy creation and enforcement based on applications and user roles rather than traditional port and protocol analysis.
    AppQoS | Leverage Juniper’s rich QoS capabilities to prioritize applications based on customers’ business and bandwidth needs. | Provides the ability to prioritize traffic as well as limit and shape bandwidth based on application information and contexts for improved application and overall network performance.
    Application signatures | Open signature library for identifying applications and nested applications with more than 3000 application signatures. | Accurately identifies applications so that the resulting information can be used for visibility, enforcement, control, and protection.
    SSL proxy (forward and reverse) | Performs SSL encryption and decryption between the client and the server. | Combines with application identification to provide visibility and protection against threats embedded in SSL encrypted traffic.
    Stateful GTP and SCTP inspection | Support for General Packet Radio Service Tunneling Protocol (GTP) and Stream Control Transmission Protocol (SCTP) firewall in mobile operator networks. | Enables the SRX5000 line to provide stateful firewall capabilities for protecting key GPRS nodes within mobile operator networks.
    IOC3 | The third-generation I/O card offers very high levels of firewall throughput and low latency. The card includes two board choices: six 40GbE interfaces and 24 10GbE interfaces, or two 100GbE interfaces and four 10GbE interfaces. The IOC3 pairs well with existing SPC2/SPC3 for maximum firewall performance in any of the SRX5000 line of Firewalls. | Provides vastly superior, top-of-the-line connectivity efficiency and record-breaking high throughput I/O interfaces. Reduces the need for link aggregation to the firewall and enables very high firewall throughput of up to 2 Tbps with Express Path enabled.
    IOC4 | The fourth-generation I/O card is being offered in two flavors. The first delivers 40x10GbE interfaces while the second, depending on the chosen optics, delivers 48x10GbE, 12x40GbE, or 4x100GbE interfaces. | Provides the fastest throughput per slot and, in combination with Express Path, can deliver up to 480 Gbps of throughput per I/O card.
    SPC3 card | Enables performance and scale with backwards compatibility to the SPC2 service cards. These cards support in-service software and in-service hardware upgrades. | Delivers always-on security resiliency to meet your growing network performance needs.
    AutoVPN | One-time hub configuration for site-to-site VPN for all spokes, even newly added ones. Configuration options include: routing, interfaces, Internet Key Exchange (IKE), and IPsec. | Enables IT administrative time and cost savings with easy, zero-touch deployment for IPsec VPN networks.
    Remote access/SSL VPN | Secure and flexible remote access SSL VPN with Juniper Secure Connect. | Extends secure access to corporate resources from anywhere.
    Multitenancy | Offers logical, large-scale segmentation and separation of security functions and features. | Enables separate, logical instances to be deployed with dedicated security policies, zones, and other features and functions. Removes the need to deploy several physical or virtual firewalls.

    IPS Capabilities

    Juniper Networks IPS capabilities offer several unique features that assure the highest level of network security.
    Feature | Feature Description | Benefits
    Stateful signature inspection | Signatures are applied only to relevant portions of the network traffic determined by the appropriate protocol context. | This minimizes false positives and offers flexible signature development.
    Protocol decodes | This feature enables highly accurate detection and helps reduce false positives. | Accuracy of signatures is improved through precise contexts of protocols.
    Signatures | There are more than 8500 signatures for identifying anomalies, attacks, spyware, and applications. | Attacks are accurately identified and attempts to exploit a known vulnerability are detected.
    Traffic normalization | Reassembly, normalization, and protocol decoding are provided. | Overcome attempts to bypass other IPS detections by using obfuscation methods.
    Zero-day protection | Protocol anomaly detection and same-day coverage for newly found vulnerabilities are provided. | Your network is already protected against any new exploits.
    Recommended policy | A group of attack signatures is identified by the Juniper Networks Security Team as critical for the typical enterprise to protect against. | Installation and maintenance are simplified while ensuring the highest network security.
    Active/active traffic monitoring | IPS monitoring on active/active SRX5000 line chassis clusters is provided. | Includes support for active/active IPS monitoring, including advanced features such as in-service software upgrade.
    Packet capture | IPS policy supports packet capture logging per rule. | Conduct further analysis of surrounding traffic and determine further steps to protect target.

    Content Security Capabilities

    The Content Security services offered on the SRX5000 line of Firewalls include industry-leading antivirus, antispam, content filtering, and additional content security services.
    Feature | Feature Description | Benefits
    Antivirus | Antivirus includes reputation-enhanced, cloud-based antivirus capabilities that detect and block spyware, adware, viruses, keyloggers, and other malware over POP3, HTTP, SMTP, IMAP, and FTP protocols. This service is provided in cooperation with Sophos Labs, a dedicated security company. | Sophisticated protection from respected antivirus experts against malware attacks that can lead to data breaches and lost productivity.
    Antispam | Multilayered spam protection, up-to-date phishing URL detection, standards-based S/MIME, Open PGP and TLS encryption, MIME type, and extension blockers are provided in cooperation with Sophos Labs, a dedicated security company. | Protection against advanced persistent threats perpetrated through social networking attacks and the latest phishing scams with sophisticated e-mail filtering and content blockers.
    Enhanced Web filtering | Enhanced Web filtering includes extensive category granulation (95+ categories) and a real-time threat score delivered with Forcepoint, an expert Web security provider. | Protection against lost productivity and the impact of malicious URLs as well as helping to maintain network bandwidth for business essential traffic.
    Content filtering | Effective content filtering is based on MIME type, file extension, and protocol commands. | Protection against lost productivity and the impact of extraneous or malicious content on the network to help maintain bandwidth for business essential traffic.

    Advanced Threat Prevention

    Advanced threat prevention (ATP) solutions that defend against sophisticated malware, persistent threats, and ransomware are available for the SRX5000 line. Two versions are available: Juniper ATP Cloud, a SaaS-based service, and the Juniper ATP Appliance, an on-premises solution.
    Feature Feature Description Benefits
    Advanced malware detection and remediation Malware analysis and sandboxing are based on machine learning and behavioral analysis. Protects enterprise users from a spectrum of malicious attacks, including advanced malware that exploits “zero-day” vulnerabilities.
    Comprehensive threat feeds (C2, GeoIP, custom) Curated, actionable threat intelligence feeds are delivered in near real time to SRX Series devices. Proactively blocks malware communication channels and protects from botnets, phishing, and other attacks.
    Encrypted Traffic Insights SRX Series firewalls collect relevant TLS/SSL connection data, including certificates used, cipher suites negotiated, and connection behavior.  This information is processed by Juniper ATP Cloud, which uses network behavioral analysis and machine learning to determine whether the connection is benign or malicious.  Policies configured on SRX Series firewalls can be used to block encrypted traffic identified as malicious. Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption.
    HTTP, HTTPS, e-mail Web- and e-mail-based threats are analyzed, including encrypted sessions. Protects users from all major threat vectors, including e-mail. Provides flexible message handling options for e-mail. The Juniper ATP Appliance includes support for cloud-based e-mail services such as Office 365 and Google Mail, and detects threats in SMB traffic.
    Integration with Security Director and JSA Juniper Networks Secure Analytics portfolio (JSA Series) security information and event management (SIEM) can consume and correlate threat events. Juniper ATP Cloud is also fully integrated with Security Director for provisioning and monitoring. The Juniper ATP Appliance includes a built-in management console and is not integrated with Security Director. Single pane-of-glass management with Security Director and JSA Series integration delivers a simplified policy application and monitoring experience.
    More information about Juniper Advanced Threat Prevention products can be found at https://www.juniper.net/us/en/products/security/advanced-threat-prevention.html.

    Centralized Management

    Juniper Networks® Security Director is the central manager for all SRX Series Firewalls. It provides security policy management for all physical, logical, and virtual firewalls through an innovative, intuitive, and centralized web-based interface that offers enforcement across emerging and traditional threat vectors. It provides detailed visibility into application performance and reduces risk while enabling users to diagnose and resolve problems quickly. More information about Juniper Networks Security Director can be found at https://www.juniper.net/us/en/products/security/security-director-network-security-management.html.

    Specifications

    Note: Performance, capacity, and features are measured under ideal lab testing conditions. Actual results may vary based on Junos OS release and by deployment.
    SRX5400 SRX5600 SRX5800
    Maximum Performance and Capacity¹
    Junos OS version tested Junos OS 21.2 Junos OS 21.2 Junos OS 21.2
    Firewall Performance, IMIX 960 Gbps 1.44 Tbps 3.36 Tbps
    Maximum performance per chassis 960 Gbps 1440 Tbps 3.36 Tbps
    Next-Generation Datacenter Firewall Performance² 136 Gbps 194 Gbps 504 Gbps
    Secure Web Access Firewall Performance³ 75 Gbps 107 Gbps 277 Gbps
    Latency (stateful firewall) ~11µsec ~11µsec ~11µsec
    IPsec VPN AES-256-GCM (IMIX) 188 Gbps 269 Gbps 699 Gbps
    Maximum IPS performance 172 Gbps 245 Gbps 638 Gbps
    Maximum concurrent sessions 91 Million 182 Million 338 Million
    New sessions/second (sustained, TCP, 3-way, firewall NAT) 1.7/1 Million 3.4/2 Million 6.3/4 Million
    Maximum users supported Unrestricted Unrestricted Unrestricted
    Network Connectivity
    IOC4 options (SRX5K-IOC4-MRAT; SRX5K-IOC4-10G) 40x10GbE SFP+ or 12xQSFP+/QSFP28 multirate
    IOC3 options (SRX5K-MPC3-100G10G; SRX5K-MPC3-40G10G) 2x100GbE CFP2 and 4x10GbE SFP+ or 6x40GbE QSFP+ and 24x10GbE SFP+
    Firewall
    Network attack detection Yes Yes Yes
    DoS and distributed denial of service (DDoS) protection Yes Yes Yes
    TCP reassembly for fragmented packet protection Yes Yes Yes
    Brute force attack mitigation Yes Yes Yes
    SYN cookie protection Yes Yes Yes
    Zone-based IP spoofing Yes Yes Yes
    Malformed packet protection Yes Yes Yes
    IPsec VPN
    Site-to-site tunnels 15,000 15,000 15,000
    Tunnel interfaces 15,000 15,000 15,000
    Number of remote access / SSL VPN (concurrent) users 25,000 40,000 50,000
    Tunnels Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4 / IPv6 / Dual Stack)
    Internet Key Exchange IKEv1, IKEv2
    Configuration Payload Yes Yes Yes
    IKE Authentication Algorithms MD5, SHA1, SHA-256, SHA-384, SHA-512
    IKE Encryption Algorithms Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    Authentication Pre-shared key and public key infrastructure (PKI X.509)
    IPsec (Internet Protocol Security) Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
    Perfect forward secrecy Yes
    IPsec Authentication Algorithms hmac-md5, hmac-sha-196, hmac-sha-256, hmac-sha-384, hmac-sha-512
    IPsec Encryption Algorithms Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    Monitoring Standards-based dead peer detection (DPD), VPN monitoring
    Prevent replay attack Yes Yes Yes
    VPNs (GRE, IP-in-IP, MPLS) Yes Yes Yes
    Redundant VPN gateways Yes Yes Yes
    Intrusion Prevention System (IPS)
    Signature-based and customizable (via templates) Yes Yes Yes
    Active/active traffic monitoring Yes Yes Yes
    Stateful protocol signatures Yes Yes Yes
    Attack detection mechanisms Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Stateful signatures, protocol anomaly detection (zero-day coverage), application identification
    Attack response mechanisms Drop connection, close connection, session packet log, session summary, e-mail Drop connection, close connection, session packet log, session summary, e-mail Drop connection, close connection, session packet log, session summary, e-mail
    Attack notification mechanisms Structured system logging Structured system logging Structured system logging
    Worm protection Yes Yes Yes
    Simplified installation through recommended policies Yes Yes Yes
    Trojan protection Yes Yes Yes
    Spyware/adware/keylogger protection Yes Yes Yes
    Advanced malware protection Yes Yes Yes
    Protection against attack proliferation from infected systems Yes Yes Yes
    Reconnaissance protection Yes Yes Yes
    Request and response side attack protection Yes Yes Yes
    Compound attacks—combines stateful signatures and protocol anomalies Yes Yes Yes
    Custom attack signatures creation Yes Yes Yes
    Contexts accessible for customization 600+ 600+ 600+
    Attack editing (port range, other) Yes Yes Yes
    Stream signatures Yes Yes Yes
    Protocol thresholds Yes Yes Yes
    Stateful protocol signatures Yes Yes Yes
    Frequency of updates Daily and emergency Daily and emergency Daily and emergency
    Content Security
    Antivirus Yes Yes Yes
    Content filtering Yes Yes Yes
    Enhanced Web filtering Yes Yes Yes
    Redirect Web filtering Yes Yes Yes
    Antispam Yes Yes Yes
    AppSecure
    AppTrack (application visibility and tracking) Yes Yes Yes
    AppFirewall (policy enforcement by application name) Yes Yes Yes
    AppQoS (network traffic prioritization by application name) Yes Yes Yes
    User-based application policy enforcement Yes Yes Yes
    GPRS Security
    GPRS stateful firewall Yes Yes Yes
    Destination Network Address Translation
    Destination NAT with Port Address Translation (PAT) Yes Yes Yes
    Destination NAT within same subnet as ingress interface IP Yes Yes Yes
    Destination addresses and port numbers to one single address and a specific port number (M:1P) Yes Yes Yes
    Destination addresses to one single address (M:1) Yes Yes Yes
    Destination addresses to another range of addresses (M:M) Yes Yes Yes
    Source Network Address Translation
    Static Source NAT—IP-shifting Dynamic Internet Protocol (DIP) Yes Yes Yes
    Source NAT with PAT—port translated Yes Yes Yes
    Source NAT without PAT—fix port Yes Yes Yes
    Source NAT—IP address persistency Yes Yes Yes
    Source pool grouping Yes Yes Yes
    Source pool utilization alarm Yes Yes Yes
    Source IP outside of the interface subnet Yes Yes Yes
    Interface source NAT—interface DIP Yes Yes Yes
    Oversubscribed NAT pool with fallback to PAT when the address pool is exhausted Yes Yes Yes
    Symmetric NAT Yes Yes Yes
    Allocate multiple ranges in NAT pool Yes Yes Yes
    Proxy Address Resolution Protocol (ARP) for physical port Yes Yes Yes
    Source NAT with loopback grouping—DIP with loopback grouping Yes Yes Yes
    User Authentication and Access Control
    Built-in (internal) database Yes Yes Yes
    RADIUS accounting Yes Yes Yes
    Web-based authentication Yes Yes Yes
    Public Key Infrastructure (PKI) Support
    PKI certificate requests (PKCS 7, PKCS 10, and CMPv2) Yes Yes Yes
    Automated certificate enrollment (SCEP) Yes Yes Yes
    Certificate authorities supported Yes Yes Yes
    Self-signed certificates Yes Yes Yes
    Virtualization
    Maximum custom routing instances with data plane separation 2000 2000 2000
    Maximum security zones 2000 2000 2000
    Maximum virtual firewalls with data plane and administrative separation (logical/tenant systems) 500 500 500
    Additional off-platform virtual firewall option with Juniper Networks vSRX Virtual Firewall (VM based) Unlimited Unlimited Unlimited
    Maximum number of VLANs 4096 4096 4096
    Routing
    BGP instances 1000 1000 1000
    BGP peers 2000 2000 2000
    BGP routes 1 Million 1 Million 1 Million
    OSPF instances 400 400 400
    OSPF routes 1 Million 1 Million 1 Million
    RIP v1/v2 instances 50 50 50
    RIP v2 table size 30,000 30,000 30,000
    Dynamic routing Yes Yes Yes
    Static routes Yes Yes Yes
    Source-based routing Yes Yes Yes
    Policy-based routing Yes Yes Yes
    Equal cost multipath (ECMP) Yes Yes Yes
    Reverse path forwarding (RPF) Yes Yes Yes
    Multicast Yes Yes Yes
    IPv6
    Firewall/stateless filters Yes Yes Yes
    Dual-stack IPv4/IPv6 firewall Yes Yes Yes
    RIPng Yes Yes Yes
    BFD, BGP Yes Yes Yes
    ICMPv6 Yes Yes Yes
    OSPFv3 Yes Yes Yes
    Class of service (CoS) Yes Yes Yes
    Mode of Operation
    Layer 2 (transparent) mode Yes Yes Yes
    Layer 3 (route and/or NAT) mode Yes Yes Yes
    IP Address Assignment
    Static Yes Yes Yes
    Dynamic Host Configuration Protocol (DHCP) Yes Yes Yes
    Internal DHCP server Yes Yes Yes
    DHCP relay Yes Yes Yes
    Traffic Management Quality of Service (QoS)
    Maximum bandwidth Yes Yes Yes
    RFC2474 IP Diffserv in IPv4 Yes Yes Yes
    Firewall filters for CoS Yes Yes Yes
    Classification Yes Yes Yes
    Scheduling Yes Yes Yes
    Shaping Yes Yes Yes
    Intelligent Drop Mechanisms (WRED) Yes Yes Yes
    Three-level scheduling Yes Yes Yes
    Weighted round robin for each level of scheduling Yes Yes Yes
    Priority of routing protocols Yes Yes Yes
    Traffic management/policing in hardware Yes Yes Yes
    High Availability (HA)
    Active/passive, active/active Yes Yes Yes
    Unified in-service software upgrade (unified ISSU) Yes Yes Yes
    Configuration synchronization Yes Yes Yes
    Session synchronization for firewall and IPsec VPN Yes Yes Yes
    Session failover for routing change Yes Yes Yes
    Device failure detection Yes Yes Yes
    Link and upstream failure detection Yes Yes Yes
    Dual control links Yes Yes Yes
    Interface link aggregation/Link Aggregation Control Protocol (LACP) Yes Yes Yes
    Redundant fabric links Yes Yes Yes
    Management
    WebUI (HTTP and HTTPS) Yes Yes Yes
    Command line interface (console, telnet, SSH) Yes Yes Yes
    Junos Space Security Director Yes Yes Yes
    Administration
    Local administrator database support Yes Yes Yes
    External administrator database support Yes Yes Yes
    Restricted administrative networks Yes Yes Yes
    Root admin, admin, and read-only user levels Yes Yes Yes
    Software upgrades Yes Yes Yes
    Configuration rollback Yes Yes Yes
    Logging/Monitoring
    Structured syslog Yes Yes Yes
    SNMP (v2 and v3) Yes Yes Yes
    Traceroute Yes Yes Yes
    Certifications
    Safety certifications Yes Yes Yes
    Electromagnetic Compatibility (EMC) certifications Yes Yes Yes
    RoHS2 Compliant (European Directive 2011/65/EU) Yes Yes Yes
    NIST FIPS-140-2 Level 2 Yes Yes Yes
    Common Criteria NDPP+TFFW EP + VPN EP Yes Yes Yes
    USGv6 Yes Yes Yes
    Dimensions and Power
    Dimensions (W x H x D) 17.45 x 8.7 x 24.5 in (44.3 x 22.1 x 62.2 cm) 17.5 x 14 x 23.8 in (44.5 x 35.6 x 60.5 cm) 17.5 x 27.8 x 23.5 in (44.5 x 70.5 x 59.7 cm)
    Weight Fully configured: 128 lb (58.1 kg) Fully configured: 180 lb (81.7 kg) Fully configured: 334 lb (151.6 kg)
    Power supply (AC) 100 to 240 VAC 100 to 240 VAC 200 to 240 VAC
    Power supply (DC) -40 to -60 VDC -40 to -60 VDC -40 to -60 VDC
    Maximum power 4,100 watts (AC high capacity) 4,100 watts (AC high capacity) 8,200 watts (AC high capacity)
    Typical Power 1540 watts 2440 watts 5015 watts
    Environmental
    Operating temperature – long term 41° to 104° F (5° to 40° C) 41° to 104° F (5° to 40° C) 41° to 104° F (5° to 40° C)
    Humidity – long term 5% to 85% noncondensing 5% to 85% noncondensing 5% to 85% noncondensing
    Humidity – short term 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air
    1 Performance, capacity and features listed are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments.
    2 Next-Generation Datacenter firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions.
    3 Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions.
  • Product Overview

    The SRX Series are next-generation firewalls based on a revolutionary architecture offering outstanding performance, scalability, availability, and security services integration. Custom designed for flexible processing scalability, I/O scalability, and services integration, the SRX Series Firewalls exceed the security requirements of data center consolidation and services aggregation. The award-winning SRX Series is powered by Junos OS, the same industry-leading operating system that keeps the world’s largest data center networks available, manageable, and secure.

    Product Description

    The Juniper Networks® SRX5400, SRX5600, and SRX5800 are next-generation firewalls (NGFWs) that deliver outstanding protection, market-leading performance, six nines reliability and availability, scalability, and services integration. These devices are ideally suited for service provider, large enterprise, and public sector networks, including:
    • Cloud and hosting provider data centers
    • Mobile operator environments
    • Managed service providers
    • Core service provider infrastructures
    • Large enterprise data centers
    The SRX5400, SRX5600, and SRX5800 are an integral part of the Juniper Connected Security framework, which is built to protect users, applications, and infrastructure from advanced threats. Delivering the highest level of protection against exploits, malware, and command and control (C&C) communications, these platforms feature a carrier-grade next-generation firewall and advanced security services such as application security, Content Security, intrusion prevention system (IPS), and integrated threat intelligence services. For advanced protection, the SRX Series offers integrated threat intelligence services via Juniper Networks Advanced Threat Prevention (ATP), Juniper’s open threat intelligence platform in the cloud. Juniper ATP Cloud delivers actionable security intelligence to SRX Series devices to enable advanced protection against C&C-related botnets and Web application threats, as well as allowing policy enforcement based on GeoIP data—all based on Juniper-provided feeds. Customers may also leverage their own custom and third-party feeds for protection from advanced malware and other threats unique to their business environment. This advanced, customer-relevant, and consolidated threat intelligence service is delivered to the SRX Series on-premises from the cloud. The SRX5400, SRX5600, and SRX5800 are supported by Juniper Networks Security Director, which enables distributed security policy management through an intuitive, centralized interface that enables enforcement across emerging and traditional risk vectors. Using intuitive dashboards and reporting features, administrators gain insight into threats, compromised devices, risky applications, and more.
    Based on Juniper’s Dynamic Services Architecture, the SRX5000 line provides unrivaled scalability and performance. Each firewall can support near-linear scalability with the addition of Services Processing Cards (SPCs) and I/O cards (IOCs), enabling a fully equipped SRX5800 to support up to 3.36 Tbps firewall throughput. The SPCs are designed to support a wide range of services, enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that there are no idle resources based on specific services being used—maximizing hardware utilization.
    The scalability and flexibility of the SRX5000 line is supported by equally robust interfaces. The SRX5000 line employs a modular approach, where each platform can be equipped with a flexible number of IOCs that offer a wide range of connectivity options, including 1GbE, 10GbE, 40GbE, and 100GbE interfaces. With the IOCs sharing the same interface slot as the SPCs, the firewall can be configured as needed to support the ideal balance of processing and I/O. Hence, each deployment of the SRX Series can be tailored to specific network requirements.
    The scalability of both SPCs and IOCs in the SRX5000 line is enabled by the custom-designed switch fabric. Supporting up to 960 Gbps of data transfer, the fabric enables the realization of maximum processing and I/O capability available in any particular configuration. This level of scalability and flexibility enables future expansion and growth of the network infrastructure, providing unrivaled investment protection.
    The tight service integration on the SRX Series is enabled by Juniper Networks Junos® operating system. The SRX Series is equipped with a robust set of services that include stateful firewall, intrusion prevention system (IPS), denial of service (DoS), application security, VPN (IPsec), Network Address Translation (NAT), Content Security, quality of service (QoS), and large-scale multitenancy.
    In addition to the benefit of individual services, the SRX5000 line provides a low latency solution. Junos OS also delivers carrier-class reliability with six nines system availability, the first in the industry to achieve independent verification by Telcordia. Furthermore, the SRX Series enjoys the benefit of a single source OS, and single integrated architecture traditionally available on Juniper’s carrier-class routers and switches.

    SRX5800

    The SRX5800 Firewall is the market-leading security solution supporting up to 3.36 Tbps firewall throughput and latency as low as 32 microseconds for the stateful firewall. The SRX5800 also supports 638 Gbps IPS and 338 million concurrent sessions. The SRX5800 is equipped with the full range of advanced security services and is ideally suited for securing large enterprise, hosted, or colocated data centers, service provider core and cloud provider infrastructures, and mobile operator environments. The massive performance, scalability, and flexibility of the SRX5800 make it ideal for densely consolidated processing environments, and the service density makes it ideal for cloud and managed service providers.

    SRX5600

    The SRX5600 Firewall uses the same SPCs and IOCs as the SRX5800 and can support up to 1.44 Tbps firewall throughput, 182 million concurrent sessions, and 245 Gbps IPS. The SRX5600 is ideally suited for securing enterprise data centers as well as aggregating various security solutions. The capability to support unique security policies per zone and its ability to scale with the growth of the network infrastructure make the SRX5600 an ideal deployment for consolidation of services in large enterprise, service provider, or mobile operator environments.

    SRX5400

    The SRX5600 Firewall uses the same SPCs and IOCs as the SRX5800 and can support up to 960 Gbps firewall throughput, 90 million concurrent sessions, and 172 Gbps IPS. The SRX5400 is a small footprint, high-performance firewall ideally suited for securing large enterprise campuses as well as data centers, either for edge or core security deployments. The ability to support unique security policies per zone and a compelling price/performance/footprint ratio make the SRX5400 an optimal solution for edge or data center services in large enterprise, service provider, or mobile operator environments.

    Service Processing Cards (SPCs)

    As the “brains” behind the SRX5000 line, SPCs are designed to process all available services on the platform. Without the need for dedicated hardware for specific services or capabilities, there are no instances in which a piece of hardware is taxed to the limit while other hardware is sitting idle. SPCs are designed to be pooled together, allowing the SRX5000 line to expand performance and capacities with the introduction of additional SPCs, significantly reducing management overhead and complexity. The high-performance SPC3 cards are supported on the SRX5400, SRX5600, and SRX5800 Firewalls.

    I/O Cards (IOCs)

    To provide the most flexible solution, the SRX5000 line employs the same modular architecture for SPCs and IOCs. The SRX5000 line can be equipped with one or several IOCs, supporting the ideal mix of interfaces. With the flexibility to install an IOC or an SPC on any available slot, the SRX5000 line can be equipped to support the perfect blend of interfaces and processing capabilities, meeting the needs of the most demanding environments while ensuring investment protection. The third generation of IOCs from Juniper, the IOC3, delivers high throughput along with superior connectivity options including 100GbE, 40GbE, and high-density 10GbE interfaces. The IOC3 cards are supported on the SRX5400, SRX5600, and SRX5800. The fourth generation of IOCs delivers the highest throughput of all available linecards of up to 480 Gbps and offers multiple connectivity options from 10GbE and 40GbE to 100GbE. IOC4 can deliver up to 480 Gbps of hardware-accelerated throughput per linecard.

    Routing Engine (RE3) and Enhanced System Control Board (SCB4)

    The SRX5K-RE3-128G Routing Engine (RE3) is the latest in the family of REs for the SRX5000 line with a multicore processor running at 2000 MHz. It delivers improved performance, scalability, and reliability with 128 GB DRAM and includes a TPM module. The SRX5K-SCB4 enables 480 Gbps throughput per SCB and can be configured with intra- and interchassis redundancy.

    Features and Benefits

    Networking and Security

    The Juniper Networks SRX5000 line of Firewalls has been designed from the ground up to offer robust networking and security services.
    Feature Feature Description Benefits
    Purpose-built platform Built from the ground up on dedicated hardware designed for networking and security services. Delivers unrivaled performance and flexibility to protect high-speed network environments.
    Scalable performance Offers scalable processing based on Juniper’s Dynamic Services Architecture. Offers a simple and cost-effective solution to leverage new services with appropriate processing.
    System and network resiliency Provides carrier-class hardware design and proven OS. Offers the reliability needed for any critical high-speed network deployments without service interruption. Utilizes a unique architectural design based on multiple processing cores and a separation of the data and control planes.
    High availability (HA) Active/passive and active/active HA configurations use dedicated HA interfaces. Achieves availability and resiliency necessary for critical networks.
    Interface flexibility Offers flexible I/O options with modular cards based on the Dynamic Services Architecture. Offers flexible I/O configuration and independent I/O scalability (options include 1GbE, 10GbE, 40GbE, and 100GbE) to meet the port density requirements of demanding network environments.
    Network segmentation Security zones, virtual LANs (VLANs), and virtual routers allow administrators to deploy security policies to isolate subnetworks and use overlapping IP address ranges. Features the capability to tailor unique security and networking policies for various internal, external, and demilitarized zone (DMZ) subgroups.
    Robust Routing Engine Dedicated RE provides physical and logical separation to data and control planes. Enables deployment of consolidated routing and security devices, as well as ensuring the security of routing infrastructure—all via a dedicated management environment.
    Advanced threat protection IPS, antivirus, antispam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, Threat Intelligence Feeds, and Juniper ATP Appliance.
    • Provides real-time updates to IPS signatures and protects against exploits
    • Implements industry-leading antivirus and URL filtering
    • Delivers open threat intelligence platform that integrates with third-party feeds
    • Protects against zero-day attacks
    • Stops rogue and compromised devices from disseminating malware
    • Restores visibility that was lost due to encryption, without the heavy burden of full TLS/SSL decryption
    AppTrack Detailed analysis on application volume/usage throughout the network based on bytes, packets, and sessions. Provides the ability to track application usage to help identify high-risk applications and analyze traffic patterns for improved network management and control.
    AppFirewall Fine-grained application control policies to allow or deny traffic based on dynamic application name or group names. Enhances security policy creation and enforcement based on applications and user roles rather than traditional port and protocol analysis.
    AppQoS Leverage Juniper’s rich QoS capabilities to prioritize applications based on customers’ business and bandwidth needs. Provides the ability to prioritize traffic as well as limit and shape bandwidth based on application information and contexts for improved application and overall network performance.
    Application signatures Open signature library for identifying applications and nested applications with more than 3000 application signatures. Accurately identifies applications so that the resulting information can be used for visibility, enforcement, control, and protection.
    SSL proxy (forward and reverse) Performs SSL encryption and decryption between the client and the server. Combines with application identification to provide visibility and protection against threats embedded in SSL encrypted traffic.
    Stateful GTP and SCTP inspection Support for General Packet Radio Service Tunneling Protocol (GTP) and Stream Control Transmission Protocol (SCTP) firewall in mobile operator networks. Enables the SRX5000 line to provide stateful firewall capabilities for protecting key GPRS nodes within mobile operator networks.
    IOC3 The third-generation I/O card offers very high levels of firewall throughput and low latency. The card includes two board choices: six 40GbE interfaces and 24 10GbE interfaces, or two 100GbE interfaces and four 10GbE interfaces. The IOC3 pairs well with existing SPC2/SPC3 for maximum firewall performance in any of the SRX5000 line of Firewalls. Provides vastly superior, top-of-the-line connectivity efficiency and record-breaking high throughput I/O interfaces. Reduces the need for link aggregation to the firewall and enables very high firewall throughput of up to 2 Tbps with Express Path enabled.
    IOC4 The fourth-generation I/O card is being offered in two flavors. The first delivers 40x10GbE interfaces while the second, depending on the chosen optics, delivers 48x10GbE, 12x40GbE, or 4x100GbE interfaces. Provides the fastest throughput per slot and, in combination with Express Path, can deliver up to 480 Gbps of throughput per I/O card.
    SPC3 card Enables performance and scale with backwards compatibility to the SPC2 service cards. These cards support in-service software and in-service hardware upgrades. Delivers always-on security resiliency to meet your growing network performance needs.
    AutoVPN One-time hub configuration for site-to-site VPN for all spokes, even newly added ones. Configuration options include: routing, interfaces, Internet Key Exchange (IKE), and IPsec. Enables IT administrative time and cost savings with easy, zero-touch deployment for IPsec VPN networks.
    Remote access/SSL VPN Secure and flexible remote access SSL VPN with Juniper Secure Connect. Extends secure access to corporate resources from anywhere.
    Multitenancy Offers logical, large-scale segmentation and separation of security functions and features. Enables separate, logical instances to be deployed with dedicated security policies, zones, and other features and functions. Removes the need to deploy several physical or virtual firewalls.

    IPS Capabilities

    Juniper Networks IPS capabilities offer several unique features that assure the highest level of network security.
    Feature Feature Description Benefits
    Stateful signature inspection Signatures are applied only to relevant portions of the network traffic determined by the appropriate protocol context. This minimizes false positives and offers flexible signature development.
    Protocol decodes This feature enables highly accurate detection and helps reduce false positives. Accuracy of signatures is improved through precise contexts of protocols.
    Signatures There are more than 8500 signatures for identifying anomalies, attacks, spyware, and applications. Attacks are accurately identified and attempts to exploit a known vulnerability are detected.
    Traffic normalization Reassembly, normalization, and protocol decoding are provided. Overcome attempts to bypass other IPS detections by using obfuscation methods.
    Zero-day protection Protocol anomaly detection and same-day coverage for newly found vulnerabilities are provided. Your network is already protected against any new exploits.
    Recommended policy A group of attack signatures is identified by the Juniper Networks Security Team as critical for the typical enterprise to protect against. Installation and maintenance are simplified while ensuring the highest network security.
    Active/active traffic monitoring IPS monitoring on active/active SRX5000 line chassis clusters is provided. Includes support for active/active IPS monitoring, including advanced features such as in-service software upgrade.
    Packet capture IPS policy supports packet capture logging per rule. Conduct further analysis of surrounding traffic and determine further steps to protect target.

    Content Security Capabilities

    The Content Security services offered on the SRX5000 line of Firewalls include industry-leading antivirus, antispam, content filtering, and additional content security services.
    Feature Feature Description Benefits
    Antivirus Antivirus includes reputation-enhanced, cloud-based antivirus capabilities that detect and block spyware, adware, viruses, keyloggers, and other malware over POP3, HTTP, SMTP, IMAP, and FTP protocols. This service is provided in cooperation with Sophos Labs, a dedicated security company. Sophisticated protection from respected antivirus experts against malware attacks that can lead to data breaches and lost productivity.
    Antispam Multilayered spam protection, up-to-date phishing URL detection, standards-based S/MIME, Open PGP and TLS encryption, MIME type, and extension blockers are provided in cooperation with Sophos Labs, a dedicated security company. Protection against advanced persistent threats perpetrated through social networking attacks and the latest phishing scams with sophisticated e-mail filtering and content blockers.
    Enhanced Web filtering Enhanced Web filtering includes extensive category granulation (95+ categories) and a real-time threat score delivered with Forcepoint, an expert Web security provider. Protection against lost productivity and the impact of malicious URLs as well as helping to maintain network bandwidth for business essential traffic.
    Content filtering Effective content filtering is based on MIME type, file extension, and protocol commands. Protection against lost productivity and the impact of extraneous or malicious content on the network to help maintain bandwidth for business essential traffic.

    Advanced Threat Prevention

    Advanced threat prevention (ATP) solutions that defend against sophisticated malware, persistent threats, and ransomware are available for the SRX5000 line. Two versions are available: Juniper ATP Cloud, a SaaS-based service, and the Juniper ATP Appliance, an on-premises solution.
    Feature Feature Description Benefits
    Advanced malware detection and remediation Malware analysis and sandboxing are based on machine learning and behavioral analysis. Protects enterprise users from a spectrum of malicious attacks, including advanced malware that exploits “zero-day” vulnerabilities.
    Comprehensive threat feeds (C2, GeoIP, custom) Curated, actionable threat intelligence feeds are delivered in near real time to SRX Series devices. Proactively blocks malware communication channels and protects from botnets, phishing, and other attacks.
    Encrypted Traffic Insights SRX Series firewalls collect relevant TLS/SSL connection data, including certificates used, cipher suites negotiated, and connection behavior. This information is processed by Juniper ATP Cloud, which uses network behavioral analysis and machine learning to determine whether the connection is benign or malicious. Policies configured on SRX Series firewalls can be used to block encrypted traffic identified as malicious. Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption.
    HTTP, HTTPS, e-mail Web- and e-mail-based threats are analyzed, including encrypted sessions. Protects users from all major threat vectors, including e-mail. Provides flexible message handling options for e-mail. The Juniper ATP Appliance includes support for cloud-based e-mail services such as Office 365 and Google Mail, and detects threats in SMB traffic.
    Integration with Security Director and JSA Juniper Networks Secure Analytics portfolio (JSA Series) security information and event management (SIEM) can consume and correlate threat events. Juniper ATP Cloud is also fully integrated with Security Director for provisioning and monitoring. The Juniper ATP Appliance includes a built-in management console and is not integrated with Security Director. Single pane-of-glass management with Security Director and JSA Series integration delivers a simplified policy application and monitoring experience.
    More information about Juniper Advanced Threat Prevention products can be found at https://www.juniper.net/us/en/products/security/advanced-threat-prevention.html.

    Centralized Management

    Juniper Networks® Security Director is the central manager for all SRX Series Firewalls. It provides security policy management for all physical, logical, and virtual firewalls through an innovative, intuitive, and centralized web-based interface that offers enforcement across emerging and traditional threat vectors. It provides detailed visibility into application performance and reduces risk while enabling users to diagnose and resolve problems quickly. More information about Juniper Networks Security Director can be found at https://www.juniper.net/us/en/products/security/security-director-network-security-management.html.

    Specifications

    Note: Performance, capacity, and features are measured under ideal lab testing conditions. Actual results may vary based on Junos OS release and by deployment.
    SRX5400 SRX5600 SRX5800
    Maximum Performance and Capacity¹
    Junos OS version tested Junos OS 21.2 Junos OS 21.2 Junos OS 21.2
    Firewall Performance, IMIX 960 Gbps 1.44 Tbps 3.36 Tbps
    Maximum performance per chassis 960 Gbps 1440 Tbps 3.36 Tbps
    Next-Generation Datacenter Firewall Performance² 136 Gbps 194 Gbps 504 Gbps
    Secure Web Access Firewall Performance³ 75 Gbps 107 Gbps 277 Gbps
    Latency (stateful firewall) ~11µsec ~11µsec ~11µsec
    IPsec VPN AES-256-GCM (IMIX) 188 Gbps 269 Gbps 699 Gbps
    Maximum IPS performance 172 Gbps 245 Gbps 638 Gbps
    Maximum concurrent sessions 91 Million 182 Million 338 Million
    New sessions/second (sustained, TCP, 3-way, firewall NAT) 1.7/1 Million 3.4/2 Million 6.3/4 Million
    Maximum users supported Unrestricted Unrestricted Unrestricted
    Network Connectivity
    IOC4 options (SRX5K-IOC4-MRAT; SRX5K-IOC4-10G) 40x10GbE SFP+ or 12xQSFP+/QSFP28 multirate
    IOC3 options (SRX5K-MPC3-100G10G; SRX5K-MPC3-40G10G) 2x100GbE CFP2 and 4x10GbE SFP+ or 6x40GbE QSFP+ and 24x10GbE SFP+
    Firewall
    Network attack detection Yes Yes Yes
    DoS and distributed denial of service (DDoS) protection Yes Yes Yes
    TCP reassembly for fragmented packet protection Yes Yes Yes
    Brute force attack mitigation Yes Yes Yes
    SYN cookie protection Yes Yes Yes
    Zone-based IP spoofing Yes Yes Yes
    Malformed packet protection Yes Yes Yes
    IPsec VPN
    Site-to-site tunnels 15,000 15,000 15,000
    Tunnel interfaces 15,000 15,000 15,000
    Number of remote access / SSL VPN (concurrent) users 25,000 40,000 50,000
    Tunnels Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4 / IPv6 / Dual Stack)
    Internet Key Exchange IKEv1, IKEv2
    Configuration Payload Yes Yes Yes
    IKE Authentication Algorithms MD5, SHA1, SHA-256, SHA-384, SHA-512
    IKE Encryption Algorithms Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    Authentication Pre-shared key and public key infrastructure (PKI X.509)
    IPsec (Internet Protocol Security) Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
    Perfect forward secrecy Yes
    IPsec Authentication Algorithms hmac-md5, hmac-sha1-96, hmac-sha-256, hmac-sha-384, hmac-sha-512
    IPsec Encryption Algorithms Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    Monitoring Standard-based Dead peer detection (DPD), VPN monitoring
    Prevent replay attack Yes Yes Yes
    VPNs (GRE, IP-in-IP, MPLS) Yes Yes Yes
    Redundant VPN gateways Yes Yes Yes
    Intrusion Prevention System (IPS)
    Signature-based and customizable (via templates) Yes Yes Yes
    Active/active traffic monitoring Yes Yes Yes
    Stateful protocol signatures Yes Yes Yes
    Attack detection mechanisms Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Stateful signatures, protocol anomaly detection (zero-day coverage), application identification
    Attack response mechanisms Drop connection, close connection, session packet log, session summary, e-mail Drop connection, close connection, session packet log, session summary, e-mail Drop connection, close connection, session packet log, session summary, e-mail
    Attack notification mechanisms Structured system logging Structured system logging Structured system logging
    Worm protection Yes Yes Yes
    Simplified installation through recommended policies Yes Yes Yes
    Trojan protection Yes Yes Yes
    Spyware/adware/keylogger protection Yes Yes Yes
    Advanced malware protection Yes Yes Yes
    Protection against attack proliferation from infected systems Yes Yes Yes
    Reconnaissance protection Yes Yes Yes
    Request and response side attack protection Yes Yes Yes
    Compound attacks—combines stateful signatures and protocol anomalies Yes Yes Yes
    Custom attack signatures creation Yes Yes Yes
    Contexts accessible for customization 600+ 600+ 600+
    Attack editing (port range, other) Yes Yes Yes
    Stream signatures Yes Yes Yes
    Protocol thresholds Yes Yes Yes
    Stateful protocol signatures Yes Yes Yes
    Frequency of updates Daily and emergency Daily and emergency Daily and emergency
    Content Security
    Antivirus Yes Yes Yes
    Content filtering Yes Yes Yes
    Enhanced Web filtering Yes Yes Yes
    Redirect Web filtering Yes Yes Yes
    Antispam Yes Yes Yes
    AppSecure
    AppTrack (application visibility and tracking) Yes Yes Yes
    AppFirewall (policy enforcement by application name) Yes Yes Yes
    AppQoS (network traffic prioritization by application name) Yes Yes Yes
    User-based application policy enforcement Yes Yes Yes
    GPRS Security
    GPRS stateful firewall Yes Yes Yes
    Destination Network Address Translation
    Destination NAT with Port Address Translation (PAT) Yes Yes Yes
    Destination NAT within same subnet as ingress interface IP Yes Yes Yes
    Destination addresses and port numbers to one single address and a specific port number (M:1P) Yes Yes Yes
    Destination addresses to one single address (M:1) Yes Yes Yes
    Destination addresses to another range of addresses (M:M) Yes Yes Yes
    Source Network Address Translation
    Static Source NAT—IP-shifting Dynamic Internet Protocol (DIP) Yes Yes Yes
    Source NAT with PAT—port translated Yes Yes Yes
    Source NAT without PAT—fixed port Yes Yes Yes
    Source NAT—IP address persistency Yes Yes Yes
    Source pool grouping Yes Yes Yes
    Source pool utilization alarm Yes Yes Yes
    Source IP outside of the interface subnet Yes Yes Yes
    Interface source NAT—interface DIP Yes Yes Yes
    Oversubscribed NAT pool with fallback to PAT when the address pool is exhausted Yes Yes Yes
    Symmetric NAT Yes Yes Yes
    Allocate multiple ranges in NAT pool Yes Yes Yes
    Proxy Address Resolution Protocol (ARP) for physical port Yes Yes Yes
    Source NAT with loopback grouping—DIP with loopback grouping Yes Yes Yes
    User Authentication and Access Control
    Built-in (internal) database Yes Yes Yes
    RADIUS accounting Yes Yes Yes
    Web-based authentication Yes Yes Yes
    Public Key Infrastructure (PKI) Support
    PKI certificate requests (PKCS 7, PKCS 10, and CMPv2) Yes Yes Yes
    Automated certificate enrollment (SCEP) Yes Yes Yes
    Certificate authorities supported Yes Yes Yes
    Self-signed certificates Yes Yes Yes
    Virtualization
    Maximum custom routing instances with data plane separation 2000 2000 2000
    Maximum security zones 2000 2000 2000
    Maximum virtual firewalls with data plane and administrative separation (logical/tenant systems) 500 500 500
    Additional off-platform virtual firewall option with Juniper Networks vSRX Virtual Firewall (VM based) Unlimited Unlimited Unlimited
    Maximum number of VLANs 4096 4096 4096
    Routing
    BGP instances 1000 1000 1000
    BGP peers 2000 2000 2000
    BGP routes 1 Million 1 Million 1 Million
    OSPF instances 400 400 400
    OSPF routes 1 Million 1 Million 1 Million
    RIP v1/v2 instances 50 50 50
    RIP v2 table size 30,000 30,000 30,000
    Dynamic routing Yes Yes Yes
    Static routes Yes Yes Yes
    Source-based routing Yes Yes Yes
    Policy-based routing Yes Yes Yes
    Equal cost multipath (ECMP) Yes Yes Yes
    Reverse path forwarding (RPF) Yes Yes Yes
    Multicast Yes Yes Yes
    IPv6
    Firewall/stateless filters Yes Yes Yes
    Dual-stack IPv4/IPv6 firewall Yes Yes Yes
    RIPng Yes Yes Yes
    BFD, BGP Yes Yes Yes
    ICMPv6 Yes Yes Yes
    OSPFv3 Yes Yes Yes
    Class of service (CoS) Yes Yes Yes
    Mode of Operation
    Layer 2 (transparent) mode Yes Yes Yes
    Layer 3 (route and/or NAT) mode Yes Yes Yes
    IP Address Assignment
    Static Yes Yes Yes
    Dynamic Host Configuration Protocol (DHCP) Yes Yes Yes
    Internal DHCP server Yes Yes Yes
    DHCP relay Yes Yes Yes
    Traffic Management Quality of Service (QoS)
    Maximum bandwidth Yes Yes Yes
    RFC2474 IP Diffserv in IPv4 Yes Yes Yes
    Firewall filters for CoS Yes Yes Yes
    Classification Yes Yes Yes
    Scheduling Yes Yes Yes
    Shaping Yes Yes Yes
    Intelligent Drop Mechanisms (WRED) Yes Yes Yes
    Three-level scheduling Yes Yes Yes
    Weighted round robin for each level of scheduling Yes Yes Yes
    Priority of routing protocols Yes Yes Yes
    Traffic management/policing in hardware Yes Yes Yes
    High Availability (HA)
    Active/passive, active/active Yes Yes Yes
    Unified in-service software upgrade (unified ISSU) Yes Yes Yes
    Configuration synchronization Yes Yes Yes
    Session synchronization for firewall and IPsec VPN Yes Yes Yes
    Session failover for routing change Yes Yes Yes
    Device failure detection Yes Yes Yes
    Link and upstream failure detection Yes Yes Yes
    Dual control links Yes Yes Yes
    Interface link aggregation/Link Aggregation Control Protocol (LACP) Yes Yes Yes
    Redundant fabric links Yes Yes Yes
    Management
    WebUI (HTTP and HTTPS) Yes Yes Yes
    Command line interface (console, telnet, SSH) Yes Yes Yes
    Junos Space Security Director Yes Yes Yes
    Administration
    Local administrator database support Yes Yes Yes
    External administrator database support Yes Yes Yes
    Restricted administrative networks Yes Yes Yes
    Root admin, admin, and read-only user levels Yes Yes Yes
    Software upgrades Yes Yes Yes
    Configuration rollback Yes Yes Yes
    Logging/Monitoring
    Structured syslog Yes Yes Yes
    SNMP (v2 and v3) Yes Yes Yes
    Traceroute Yes Yes Yes
    Certifications
    Safety certifications Yes Yes Yes
    Electromagnetic Compatibility (EMC) certifications Yes Yes Yes
    RoHS2 Compliant (European Directive 2011/65/EU) Yes Yes Yes
    NIST FIPS-140-2 Level 2 Yes Yes Yes
    Common Criteria NDPP+TFFW EP + VPN EP Yes Yes Yes
    USGv6 Yes Yes Yes
    Dimensions and Power
    Dimensions (W x H x D) 17.45 x 8.7 x 24.5 in (44.3 x 22.1 x 62.2 cm) 17.5 x 14 x 23.8 in (44.5 x 35.6 x 60.5 cm) 17.5 x 27.8 x 23.5 in (44.5 x 70.5 x 59.7 cm)
    Weight Fully configured: 128 lb (58.1 kg) Fully configured: 180 lb (81.7 kg) Fully configured: 334 lb (151.6 kg)
    Power supply (AC) 100 to 240 VAC 100 to 240 VAC 200 to 240 VAC
    Power supply (DC) -40 to -60 VDC -40 to -60 VDC -40 to -60 VDC
    Maximum power 4,100 watts (AC high capacity) 4,100 watts (AC high capacity) 8,200 watts (AC high capacity)
    Typical Power 1540 watts 2440 watts 5015 watts
    Environmental
    Operating temperature – long term 41° to 104° F (5° to 40° C) 41° to 104° F (5° to 40° C) 41° to 104° F (5° to 40° C)
    Humidity – long term 5% to 85% noncondensing 5% to 85% noncondensing 5% to 85% noncondensing
    Humidity – short term 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air
    ¹ Performance, capacity and features listed are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments.
    ² Next-Generation Datacenter firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions.
    ³ Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions.
  • Product Overview

    The SRX Series are next-generation firewalls based on a revolutionary architecture offering outstanding performance, scalability, availability, and security services integration. Custom designed for flexible processing scalability, I/O scalability, and services integration, the SRX Series Firewalls exceed the security requirements of data center consolidation and services aggregation. The award-winning SRX Series is powered by Junos OS, the same industry-leading operating system that keeps the world’s largest data center networks available, manageable, and secure.

    Product Description

    The Juniper Networks® SRX5400, SRX5600, and SRX5800 are next-generation firewalls (NGFWs) that deliver outstanding protection, market-leading performance, six nines reliability and availability, scalability, and services integration. These devices are ideally suited for service provider, large enterprise, and public sector networks, including:
    • Cloud and hosting provider data centers
    • Mobile operator environments
    • Managed service providers
    • Core service provider infrastructures
    • Large enterprise data centers
    The SRX5400, SRX5600, and SRX5800 are an integral part of the Juniper Connected Security framework, which is built to protect users, applications, and infrastructure from advanced threats. Delivering the highest level of protection against exploits, malware, and command and control (C&C) communications, these platforms feature a carrier-grade next-generation firewall and advanced security services such as application security, Content Security, intrusion prevention system (IPS), and integrated threat intelligence services. For advanced protection, the SRX Series offers integrated threat intelligence services via Juniper Networks Advanced Threat Prevention (ATP), Juniper’s open threat intelligence platform in the cloud. Juniper ATP Cloud delivers actionable security intelligence to SRX Series devices to enable advanced protection against C&C-related botnets and Web application threats, as well as allowing policy enforcement based on GeoIP data—all based on Juniper-provided feeds. Customers may also leverage their own custom and third-party feeds for protection from advanced malware and other threats unique to their business environment. This advanced, customer-relevant, and consolidated threat intelligence service is delivered to the SRX Series on-premises from the cloud. The SRX5400, SRX5600, and SRX5800 are supported by Juniper Networks Security Director, which enables distributed security policy management through an intuitive, centralized interface that enables enforcement across emerging and traditional risk vectors. Using intuitive dashboards and reporting features, administrators gain insight into threats, compromised devices, risky applications, and more.
    Based on Juniper’s Dynamic Services Architecture, the SRX5000 line provides unrivaled scalability and performance. Each firewall can support near-linear scalability with the addition of Services Processing Cards (SPCs) and I/O cards (IOCs), enabling a fully equipped SRX5800 to support up to 3.36 Tbps firewall throughput. The SPCs are designed to support a wide range of services, enabling future support of new capabilities without the need for service-specific hardware. Using SPCs on all services ensures that there are no idle resources based on specific services being used—maximizing hardware utilization. The scalability and flexibility of the SRX5000 line is supported by equally robust interfaces. The SRX5000 line employs a modular approach, where each platform can be equipped with a flexible number of IOCs that offer a wide range of connectivity options, including 1GbE, 10GbE, 40GbE, and 100GbE interfaces. With the IOCs sharing the same interface slot as the SPCs, the firewall can be configured as needed to support the ideal balance of processing and I/O. Hence, each deployment of the SRX Series can be tailored to specific network requirements. The scalability of both SPCs and IOCs in the SRX5000 line is enabled by the custom-designed switch fabric. Supporting up to 960 Gbps of data transfer, the fabric enables the realization of maximum processing and I/O capability available in any particular configuration. This level of scalability and flexibility enables future expansion and growth of the network infrastructure, providing unrivaled investment protection. The tight service integration on the SRX Series is enabled by Juniper Networks Junos® operating system. The SRX Series is equipped with a robust set of services that include stateful firewall, intrusion prevention system (IPS), denial of service (DoS), application security, VPN (IPsec), Network Address Translation (NAT), Content Security, quality of service (QoS), and large-scale multitenancy. In addition to the benefit of individual services, the SRX5000 line provides a low latency solution. Junos OS also delivers carrier-class reliability with six nines system availability, the first in the industry to achieve independent verification by Telcordia. Furthermore, the SRX Series enjoys the benefit of a single source OS, and single integrated architecture traditionally available on Juniper’s carrier-class routers and switches.

    SRX5800

    The SRX5800 Firewall is the market-leading security solution supporting up to 3.36 Tbps firewall throughput and latency as low as 32 microseconds for the stateful firewall. The SRX5800 also supports 638 Gbps IPS and 338 million concurrent sessions. The SRX5800 is equipped with the full range of advanced security services and is ideally suited for securing large enterprise, hosted, or colocated data centers, service provider core and cloud provider infrastructures, and mobile operator environments. The massive performance, scalability, and flexibility of the SRX5800 make it ideal for densely consolidated processing environments, and the service density makes it ideal for cloud and managed service providers.

    SRX5600

    The SRX5600 Firewall uses the same SPCs and IOCs as the SRX5800 and can support up to 1.44 Tbps firewall throughput, 182 million concurrent sessions, and 245 Gbps IPS. The SRX5600 is ideally suited for securing enterprise data centers as well as aggregating various security solutions. The capability to support unique security policies per zone and its ability to scale with the growth of the network infrastructure make the SRX5600 an ideal deployment for consolidation of services in large enterprise, service provider, or mobile operator environments.

    SRX5400

    The SRX5600 Firewall uses the same SPCs and IOCs as the SRX5800 and can support up to 960 Gbps firewall throughput, 90 million concurrent sessions, and 172 Gbps IPS. The SRX5400 is a small footprint, high-performance firewall ideally suited for securing large enterprise campuses as well as data centers, either for edge or core security deployments. The ability to support unique security policies per zone and a compelling price/performance/footprint ratio make the SRX5400 an optimal solution for edge or data center services in large enterprise, service provider, or mobile operator environments.

    Service Processing Cards (SPCs)

    As the “brains” behind the SRX5000 line, SPCs are designed to process all available services on the platform. Without the need for dedicated hardware for specific services or capabilities, there are no instances in which a piece of hardware is taxed to the limit while other hardware is sitting idle. SPCs are designed to be pooled together, allowing the SRX5000 line to expand performance and capacities with the introduction of additional SPCs, significantly reducing management overhead and complexity. The high-performance SPC3 cards are supported on the SRX5400, SRX5600, and SRX5800 Firewalls.

    I/O Cards (IOCs)

    To provide the most flexible solution, the SRX5000 line employs the same modular architecture for SPCs and IOCs. The SRX5000 line can be equipped with one or several IOCs, supporting the ideal mix of interfaces. With the flexibility to install an IOC or an SPC on any available slot, the SRX5000 line can be equipped to support the perfect blend of interfaces and processing capabilities, meeting the needs of the most demanding environments while ensuring investment protection. The third generation of IOCs from Juniper, the IOC3, delivers high throughput along with superior connectivity options including 100GbE, 40GbE, and high-density 10GbE interfaces. The IOC3 cards are supported on the SRX5400, SRX5600, and SRX5800. The fourth generation of IOCs delivers the highest throughput of all available linecards of up to 480 Gbps and offers multiple connectivity options from 10GbE and 40GbE to 100GbE. IOC4 can deliver up to 480 Gbps of hardware-accelerated throughput per linecard.

    Routing Engine (RE3) and Enhanced System Control Board (SCB4)

    The SRX5K-RE3-128G Routing Engine (RE3) is the latest in the family of REs for the SRX5000 line with a multicore processor running at 2000 MHz. It delivers improved performance, scalability, and reliability with 128 GB DRAM and includes a TPM module. The SRX5K-SCB4 enables 480 Gbps throughput per SCB and can be configured with intra- and interchassis redundancy.

    Features and Benefits

    Networking and Security

    The Juniper Networks SRX5000 line of Firewalls has been designed from the ground up to offer robust networking and security services.
    Feature Feature Description Benefits
    Purpose-built platform Built from the ground up on dedicated hardware designed for networking and security services. Delivers unrivaled performance and flexibility to protect high-speed network environments.
    Scalable performance Offers scalable processing based on Juniper’s Dynamic Services Architecture. Offers a simple and cost-effective solution to leverage new services with appropriate processing.
    System and network resiliency Provides carrier-class hardware design and proven OS. Offers the reliability needed for any critical high-speed network deployments without service interruption. Utilizes a unique architectural design based on multiple processing cores and a separation of the data and control planes.
    High availability (HA) Active/passive and active/active HA configurations use dedicated HA interfaces. Achieves availability and resiliency necessary for critical networks.
    Interface flexibility Offers flexible I/O options with modular cards based on the Dynamic Services Architecture. Offers flexible I/O configuration and independent I/O scalability (options include 1GbE, 10GbE, 40GbE, and 100GbE) to meet the port density requirements of demanding network environments.
    Network segmentation Security zones, virtual LANs (VLANs), and virtual routers allow administrators to deploy security policies to isolate subnetworks and use overlapping IP address ranges. Features the capability to tailor unique security and networking policies for various internal, external, and demilitarized zone (DMZ) subgroups.
    Robust Routing Engine Dedicated RE provides physical and logical separation to data and control planes. Enables deployment of consolidated routing and security devices, as well as ensuring the security of routing infrastructure—all via a dedicated management environment.
    Advanced threat protection IPS, antivirus, antispam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, Threat Intelligence Feeds, and Juniper ATP Appliance.
    • Provides real-time updates to IPS signatures and protects against exploits
    • Implements industry-leading antivirus and URL filtering
    • Delivers open threat intelligence platform that integrates with third-party feeds
    • Protects against zero-day attacks
    • Stops rogue and compromised devices from disseminating malware
    • Restores visibility that was lost due to encryption, without the heavy burden of full TLS/SSL decryption
    AppTrack Detailed analysis on application volume/usage throughout the network based on bytes, packets, and sessions. Provides the ability to track application usage to help identify high-risk applications and analyze traffic patterns for improved network management and control.
    AppFirewall Fine-grained application control policies to allow or deny traffic based on dynamic application name or group names. Enhances security policy creation and enforcement based on applications and user roles rather than traditional port and protocol analysis.
    AppQoS Leverage Juniper’s rich QoS capabilities to prioritize applications based on customers’ business and bandwidth needs. Provides the ability to prioritize traffic as well as limit and shape bandwidth based on application information and contexts for improved application and overall network performance.
    Application signatures Open signature library for identifying applications and nested applications with more than 3000 application signatures. Accurately identifies applications so that the resulting information can be used for visibility, enforcement, control, and protection.
    SSL proxy (forward and reverse) Performs SSL encryption and decryption between the client and the server. Combines with application identification to provide visibility and protection against threats embedded in SSL encrypted traffic.
    Stateful GTP and SCTP inspection Support for General Packet Radio Service Tunneling Protocol (GTP) and Stream Control Transmission Protocol (SCTP) firewall in mobile operator networks. Enables the SRX5000 line to provide stateful firewall capabilities for protecting key GPRS nodes within mobile operator networks.
    IOC3 The third-generation I/O card offers very high levels of firewall throughput and low latency. The card includes two board choices: six 40GbE interfaces and 24 10GbE interfaces, or two 100GbE interfaces and four 10GbE interfaces. The IOC3 pairs well with existing SPC2/SPC3 for maximum firewall performance in any of the SRX5000 line of Firewalls. Provides vastly superior, top-of-the-line connectivity efficiency and record-breaking high throughput I/O interfaces. Reduces the need for link aggregation to the firewall and enables very high firewall throughput of up to 2 Tbps with Express Path enabled.
    IOC4 The fourth-generation I/O card is being offered in two flavors. The first delivers 40x10GbE interfaces while the second, depending on the chosen optics, delivers 48x10GbE, 12x40GbE, or 4x100GbE interfaces. Provides the fastest throughput per slot and, in combination with Express Path, can deliver up to 480 Gbps of throughput per I/O card.
    SPC3 card Enables performance and scale with backwards compatibility to the SPC2 service cards. These cards support in-service software and in-service hardware upgrades. Delivers always-on security resiliency to meet your growing network performance needs.
    AutoVPN One-time hub configuration for site-to-site VPN for all spokes, even newly added ones. Configuration options include: routing, interfaces, Internet Key Exchange (IKE), and IPsec. Enables IT administrative time and cost savings with easy, zero-touch deployment for IPsec VPN networks.
    Remote access/SSL VPN Secure and flexible remote access SSL VPN with Juniper Secure Connect. Extends secure access to corporate resources from anywhere.
    Multitenancy Offers logical, large-scale segmentation and separation of security functions and features. Enables separate, logical instances to be deployed with dedicated security policies, zones, and other features and functions. Removes the need to deploy several physical or virtual firewalls.

    IPS Capabilities

    Juniper Networks IPS capabilities offer several unique features that assure the highest level of network security.
    Feature Feature Description Benefits
    Stateful signature inspection Signatures are applied only to relevant portions of the network traffic determined by the appropriate protocol context. This minimizes false positives and offers flexible signature development.
    Protocol decodes This feature enables highly accurate detection and helps reduce false positives. Accuracy of signatures is improved through precise contexts of protocols.
    Signatures There are more than 8500 signatures for identifying anomalies, attacks, spyware, and applications. Attacks are accurately identified and attempts to exploit a known vulnerability are detected.
    Traffic normalization Reassembly, normalization, and protocol decoding are provided. Overcome attempts to bypass other IPS detections by using obfuscation methods.
    Zero-day protection Protocol anomaly detection and same-day coverage for newly found vulnerabilities are provided. Your network is already protected against any new exploits.
    Recommended policy A group of attack signatures is identified by the Juniper Networks Security Team as critical for the typical enterprise to protect against. Installation and maintenance are simplified while ensuring the highest network security.
    Active/active traffic monitoring IPS monitoring on active/active SRX5000 line chassis clusters is provided. Includes support for active/active IPS monitoring, including advanced features such as in-service software upgrade.
    Packet capture IPS policy supports packet capture logging per rule. Conduct further analysis of surrounding traffic and determine further steps to protect target.

    Content Security Capabilities

    The Content Security services offered on the SRX5000 line of Firewalls include industry-leading antivirus, antispam, content filtering, and additional content security services.
    Feature Feature Description Benefits
    Antivirus Antivirus includes reputation-enhanced, cloud-based antivirus capabilities that detect and block spyware, adware, viruses, keyloggers, and other malware over POP3, HTTP, SMTP, IMAP, and FTP protocols. This service is provided in cooperation with Sophos Labs, a dedicated security company. Sophisticated protection from respected antivirus experts against malware attacks that can lead to data breaches and lost productivity.
    Antispam Multilayered spam protection, up-to-date phishing URL detection, standards-based S/MIME, OpenPGP and TLS encryption, MIME type, and extension blockers are provided in cooperation with Sophos Labs, a dedicated security company. Protection against advanced persistent threats perpetrated through social networking attacks and the latest phishing scams with sophisticated e-mail filtering and content blockers.
    Enhanced Web filtering Enhanced Web filtering includes extensive category granulation (95+ categories) and a real-time threat score delivered with Forcepoint, an expert Web security provider. Protection against lost productivity and the impact of malicious URLs as well as helping to maintain network bandwidth for business essential traffic.
    Content filtering Effective content filtering is based on MIME type, file extension, and protocol commands. Protection against lost productivity and the impact of extraneous or malicious content on the network to help maintain bandwidth for business essential traffic.

    Advanced Threat Prevention

    Advanced threat prevention (ATP) solutions that defend against sophisticated malware, persistent threats, and ransomware are available for the SRX5000 line. Two versions are available: Juniper ATP Cloud, a SaaS-based service, and the Juniper ATP Appliance, an on-premises solution.
    Feature Feature Description Benefits
    Advanced malware detection and remediation Malware analysis and sandboxing are based on machine learning and behavioral analysis. Protects enterprise users from a spectrum of malicious attacks, including advanced malware that exploits “zero-day” vulnerabilities.
    Comprehensive threat feeds (C2, GeoIP, custom) Curated, actionable threat intelligence feeds are delivered in near real time to SRX Series devices. Proactively blocks malware communication channels and protects from botnets, phishing, and other attacks.
    Encrypted Traffic Insights SRX Series firewalls collect relevant TLS/SSL connection data, including certificates used, cipher suites negotiated, and connection behavior. This information is processed by Juniper ATP Cloud, which uses network behavioral analysis and machine learning to determine whether the connection is benign or malicious. Policies configured on SRX Series firewalls can be used to block encrypted traffic identified as malicious. Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption.
    HTTP, HTTPS, e-mail Web- and e-mail-based threats are analyzed, including encrypted sessions. Protects users from all major threat vectors, including e-mail. Provides flexible message handling options for e-mail. The Juniper ATP Appliance includes support for cloud-based e-mail services such as Office 365 and Google Mail, and detects threats in SMB traffic.
    Integration with Security Director and JSA Juniper Networks Secure Analytics portfolio (JSA Series) security information and event management (SIEM) can consume and correlate threat events. Juniper ATP Cloud is also fully integrated with Security Director for provisioning and monitoring. The Juniper ATP Appliance includes a built-in management console and is not integrated with Security Director. Single pane-of-glass management with Security Director and JSA Series integration delivers a simplified policy application and monitoring experience.
    More information about Juniper Advanced Threat Prevention products can be found at https://www.juniper.net/us/en/products/security/advanced-threat-prevention.html.

    Centralized Management

    Juniper Networks® Security Director is the central manager for all SRX Series Firewalls. It provides security policy management for all physical, logical, and virtual firewalls through an innovative, intuitive, and centralized web-based interface that offers enforcement across emerging and traditional threat vectors. It provides detailed visibility into application performance, reduces risk, and enables users to diagnose and resolve problems quickly. More information about Juniper Networks Security Director can be found at https://www.juniper.net/us/en/products/security/security-director-network-security-management.html.

    Specifications

    Note: Performance, capacity, and features are measured under ideal lab testing conditions. Actual results may vary based on Junos OS release and by deployment.
    SRX5400 SRX5600 SRX5800
    Maximum Performance and Capacity [1]
    Junos OS version tested Junos OS 21.2 Junos OS 21.2 Junos OS 21.2
    Firewall Performance, IMIX 960 Gbps 1.44 Tbps 3.36 Tbps
    Maximum performance per chassis 960 Gbps 1440 Tbps 3.36 Tbps
    Next-Generation Datacenter Firewall Performance [2] 136 Gbps 194 Gbps 504 Gbps
    Secure Web Access Firewall Performance [3] 75 Gbps 107 Gbps 277 Gbps
    Latency (stateful firewall) ~11µsec ~11µsec ~11µsec
    IPsec VPN AES-256-GCM (IMIX) 188 Gbps 269 Gbps 699 Gbps
    Maximum IPS performance 172 Gbps 245 Gbps 638 Gbps
    Maximum concurrent sessions 91 Million 182 Million 338 Million
    New sessions/second (sustained, TCP, 3-way, firewall/NAT) 1.7/1 Million 3.4/2 Million 6.3/4 Million
    Maximum users supported Unrestricted Unrestricted Unrestricted
    Network Connectivity
    IOC4 options (SRX5K-IOC4-MRAT; SRX5K-IOC4-10G) 40x10GbE SFP+ or 12xQSFP+/QSFP28 multirate
    IOC3 options (SRX5K-MPC3-100G10G; SRX5K-MPC3-40G10G) 2x100GbE CFP2 and 4x10GbE SFP+ or 6x40GbE QSFP+ and 24x10GbE SFP+
    Firewall
    Network attack detection Yes Yes Yes
    DoS and distributed denial of service (DDoS) protection Yes Yes Yes
    TCP reassembly for fragmented packet protection Yes Yes Yes
    Brute force attack mitigation Yes Yes Yes
    SYN cookie protection Yes Yes Yes
    Zone-based IP spoofing Yes Yes Yes
    Malformed packet protection Yes Yes Yes
    IPsec VPN
    Site-to-site tunnels 15,000 15,000 15,000
    Tunnel interfaces 15,000 15,000 15,000
    Number of remote access / SSL VPN (concurrent) users 25,000 40,000 50,000
    Tunnels Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4 / IPv6 / Dual Stack)
    Internet Key Exchange IKEv1, IKEv2
    Configuration Payload Yes Yes Yes
    IKE Authentication Algorithms MD5, SHA1, SHA-256, SHA-384, SHA-512
    IKE Encryption Algorithms Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    Authentication Pre-shared key and public key infrastructure (PKI X.509)
    IPsec (Internet Protocol Security) Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
    Perfect forward secrecy Yes
    IPsec Authentication Algorithms hmac-md5, hmac-sha-196, hmac-sha-256, hmac-sha-384, hmac-sha-512
    IPsec Encryption Algorithms Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    Monitoring Standard-based Dead peer detection (DPD), VPN monitoring
    Prevent replay attack Yes Yes Yes
    VPNs (GRE, IP-in-IP, MPLS) Yes Yes Yes
    Redundant VPN gateways Yes Yes Yes
    Intrusion Prevention System (IPS)
    Signature-based and customizable (via templates) Yes Yes Yes
    Active/active traffic monitoring Yes Yes Yes
    Stateful protocol signatures Yes Yes Yes
    Attack detection mechanisms Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Stateful signatures, protocol anomaly detection (zero-day coverage), application identification Stateful signatures, protocol anomaly detection (zero-day coverage), application identification
    Attack response mechanisms Drop connection, close connection, session packet log, session summary, e-mail Drop connection, close connection, session packet log, session summary, e-mail Drop connection, close connection, session packet log, session summary, e-mail
    Attack notification mechanisms Structured system logging Structured system logging Structured system logging
    Worm protection Yes Yes Yes
    Simplified installation through recommended policies Yes Yes Yes
    Trojan protection Yes Yes Yes
    Spyware/adware/keylogger protection Yes Yes Yes
    Advanced malware protection Yes Yes Yes
    Protection against attack proliferation from infected systems Yes Yes Yes
    Reconnaissance protection Yes Yes Yes
    Request and response side attack protection Yes Yes Yes
    Compound attacks—combines stateful signatures and protocol anomalies Yes Yes Yes
    Custom attack signatures creation Yes Yes Yes
    Contexts accessible for customization 600+ 600+ 600+
    Attack editing (port range, other) Yes Yes Yes
    Stream signatures Yes Yes Yes
    Protocol thresholds Yes Yes Yes
    Frequency of updates Daily and emergency Daily and emergency Daily and emergency
    Content Security
    Antivirus Yes Yes Yes
    Content filtering Yes Yes Yes
    Enhanced Web filtering Yes Yes Yes
    Redirect Web filtering Yes Yes Yes
    Antispam Yes Yes Yes
    AppSecure
    AppTrack (application visibility and tracking) Yes Yes Yes
    AppFirewall (policy enforcement by application name) Yes Yes Yes
    AppQoS (network traffic prioritization by application name) Yes Yes Yes
    User-based application policy enforcement Yes Yes Yes
    GPRS Security
    GPRS stateful firewall Yes Yes Yes
    Destination Network Address Translation
    Destination NAT with Port Address Translation (PAT) Yes Yes Yes
    Destination NAT within same subnet as ingress interface IP Yes Yes Yes
    Destination addresses and port numbers to one single address and a specific port number (M:1P) Yes Yes Yes
    Destination addresses to one single address (M:1) Yes Yes Yes
    Destination addresses to another range of addresses (M:M) Yes Yes Yes
    Source Network Address Translation
    Static Source NAT—IP-shifting Dynamic Internet Protocol (DIP) Yes Yes Yes
    Source NAT with PAT—port translated Yes Yes Yes
    Source NAT without PAT—fix port Yes Yes Yes
    Source NAT—IP address persistency Yes Yes Yes
    Source pool grouping Yes Yes Yes
    Source pool utilization alarm Yes Yes Yes
    Source IP outside of the interface subnet Yes Yes Yes
    Interface source NAT—interface DIP Yes Yes Yes
    Oversubscribed NAT pool with fallback to PAT when the address pool is exhausted Yes Yes Yes
    Symmetric NAT Yes Yes Yes
    Allocate multiple ranges in NAT pool Yes Yes Yes
    Proxy Address Resolution Protocol (ARP) for physical port Yes Yes Yes
    Source NAT with loopback grouping—DIP with loopback grouping Yes Yes Yes
    User Authentication and Access Control
    Built-in (internal) database Yes Yes Yes
    RADIUS accounting Yes Yes Yes
    Web-based authentication Yes Yes Yes
    Public Key Infrastructure (PKI) Support
    PKI certificate requests (PKCS 7, PKCS 10, and CMPv2) Yes Yes Yes
    Automated certificate enrollment (SCEP) Yes Yes Yes
    Certificate authorities supported Yes Yes Yes
    Self-signed certificates Yes Yes Yes
    Virtualization
    Maximum custom routing instances with data plane separation 2000 2000 2000
    Maximum security zones 2000 2000 2000
    Maximum virtual firewalls with data plane and administrative separation (logical/tenant systems) 500 500 500
    Additional off-platform virtual firewall option with Juniper Networks vSRX Virtual Firewall (VM based) Unlimited Unlimited Unlimited
    Maximum number of VLANs 4096 4096 4096
    Routing
    BGP instances 1000 1000 1000
    BGP peers 2000 2000 2000
    BGP routes 1 Million 1 Million 1 Million
    OSPF instances 400 400 400
    OSPF routes 1 Million 1 Million 1 Million
    RIP v1/v2 instances 50 50 50
    RIP v2 table size 30,000 30,000 30,000
    Dynamic routing Yes Yes Yes
    Static routes Yes Yes Yes
    Source-based routing Yes Yes Yes
    Policy-based routing Yes Yes Yes
    Equal cost multipath (ECMP) Yes Yes Yes
    Reverse path forwarding (RPF) Yes Yes Yes
    Multicast Yes Yes Yes
    IPv6
    Firewall/stateless filters Yes Yes Yes
    Dual-stack IPv4/IPv6 firewall Yes Yes Yes
    RIPng Yes Yes Yes
    BFD, BGP Yes Yes Yes
    ICMPv6 Yes Yes Yes
    OSPFv3 Yes Yes Yes
    Class of service (CoS) Yes Yes Yes
    Mode of Operation
    Layer 2 (transparent) mode Yes Yes Yes
    Layer 3 (route and/or NAT) mode Yes Yes Yes
    IP Address Assignment
    Static Yes Yes Yes
    Dynamic Host Configuration Protocol (DHCP) Yes Yes Yes
    Internal DHCP server Yes Yes Yes
    DHCP relay Yes Yes Yes
    Traffic Management Quality of Service (QoS)
    Maximum bandwidth Yes Yes Yes
    RFC2474 IP Diffserv in IPv4 Yes Yes Yes
    Firewall filters for CoS Yes Yes Yes
    Classification Yes Yes Yes
    Scheduling Yes Yes Yes
    Shaping Yes Yes Yes
    Intelligent Drop Mechanisms (WRED) Yes Yes Yes
    Three-level scheduling Yes Yes Yes
    Weighted round robin for each level of scheduling Yes Yes Yes
    Priority of routing protocols Yes Yes Yes
    Traffic management/policing in hardware Yes Yes Yes
    High Availability (HA)
    Active/passive, active/active Yes Yes Yes
    Unified in-service software upgrade (unified ISSU) Yes Yes Yes
    Configuration synchronization Yes Yes Yes
    Session synchronization for firewall and IPsec VPN Yes Yes Yes
    Session failover for routing change Yes Yes Yes
    Device failure detection Yes Yes Yes
    Link and upstream failure detection Yes Yes Yes
    Dual control links Yes Yes Yes
    Interface link aggregation/Link Aggregation Control Protocol (LACP) Yes Yes Yes
    Redundant fabric links Yes Yes Yes
    Management
    WebUI (HTTP and HTTPS) Yes Yes Yes
    Command line interface (console, telnet, SSH) Yes Yes Yes
    Junos Space Security Director Yes Yes Yes
    Administration
    Local administrator database support Yes Yes Yes
    External administrator database support Yes Yes Yes
    Restricted administrative networks Yes Yes Yes
    Root admin, admin, and read-only user levels Yes Yes Yes
    Software upgrades Yes Yes Yes
    Configuration rollback Yes Yes Yes
    Logging/Monitoring
    Structured syslog Yes Yes Yes
    SNMP (v2 and v3) Yes Yes Yes
    Traceroute Yes Yes Yes
    Certifications
    Safety certifications Yes Yes Yes
    Electromagnetic Compatibility (EMC) certifications Yes Yes Yes
    RoHS2 Compliant (European Directive 2011/65/EU) Yes Yes Yes
    NIST FIPS-140-2 Level 2 Yes Yes Yes
    Common Criteria NDPP+TFFW EP + VPN EP Yes Yes Yes
    USGv6 Yes Yes Yes
    Dimensions and Power
    Dimensions (W x H x D) 17.45 x 8.7 x 24.5 in (44.3 x 22.1 x 62.2 cm) 17.5 x 14 x 23.8 in (44.5 x 35.6 x 60.5 cm) 17.5 x 27.8 x 23.5 in (44.5 x 70.5 x 59.7 cm)
    Weight Fully configured: 128 lb (58.1 kg) Fully configured: 180 lb (81.7 kg) Fully configured: 334 lb (151.6 kg)
    Power supply (AC) 100 to 240 VAC 100 to 240 VAC 200 to 240 VAC
    Power supply (DC) -40 to -60 VDC -40 to -60 VDC -40 to -60 VDC
    Maximum power 4,100 watts (AC high capacity) 4,100 watts (AC high capacity) 8,200 watts (AC high capacity)
    Typical Power 1540 watts 2440 watts 5015 watts
    Environmental
    Operating temperature – long term 41° to 104° F (5° to 40° C) 41° to 104° F (5° to 40° C) 41° to 104° F (5° to 40° C)
    Humidity – long term 5% to 85% noncondensing 5% to 85% noncondensing 5% to 85% noncondensing
    Humidity – short term 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air
    [1] Performance, capacity and features listed are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployments.
    [2] Next-Generation Datacenter firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions.
    [3] Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions.
  • Product Overview

    The SRX300 line of firewalls combines security, SD-WAN, routing, switching, and WAN interfaces with next-generation firewall and advanced threat mitigation capabilities for cost-effective, secure connectivity across distributed enterprise locations. By consolidating fast, highly available switching, routing, security, and next-generation firewall capabilities in a single device, enterprises can remove network complexity, protect and prioritize their resources, and improve user and application experience while lowering total cost of ownership (TCO).

    Product Description

    Juniper Networks® SRX300 line of firewalls delivers a next-generation secure SD-WAN and security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services and applications across locations, connecting to the cloud, or trying to achieve operational efficiency, the SRX300 line helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. Next-generation firewall and unified threat management (UTM) capabilities also make it easier to detect and proactively mitigate threats to improve the user and application experience. The SRX300 line consists of five models:
    • SRX300: Securing small branch or retail offices, the SRX300 Firewall consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX300 supports up to 1.9 Gbps firewall and 336 Mbps IPsec VPN in a single, cost-effective networking and security platform.
    • SRX320: Securely connecting small distributed enterprise branch offices, the SRX320 Firewall consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX320 supports up to 1.9 Gbps firewall and 336 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
    • SRX340: Securely connecting midsize distributed enterprise branch offices, the SRX340 Firewall consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX340 supports up to 4.7 Gbps firewall and 733 Mbps IPsec VPN in a single, cost-effective networking and security platform.
    • SRX345: Best suited for midsize to large distributed enterprise branch offices, the SRX345 Firewall consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX345 supports up to 5 Gbps firewall and 977 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
    • SRX380: A high-performance and secure SD-WAN gateway, the SRX380 offers superior and reliable WAN connectivity while consolidating security, routing, and switching for distributed enterprise offices. The SRX380 features greater port density than other SRX300 models, with 16x1GbE PoE+ and 4x10GbE ports, and includes redundant dual power supplies, all in a 1 U form factor. The SRX380 supports up to 20 Gbps firewall and 4.4 Gbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
     

    SRX300 Highlights

    The SRX300 line of firewalls consists of secure SD-WAN routers that bring high performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of remote sites. WAN or Internet connectivity and Wi-Fi module options include:
    • Ethernet, T1/E1, ADSL2/2+, and VDSL
    • 3G/4G LTE wireless
    • 802.11ac Wave 2 Wi-Fi
     

    Mist AI

    WAN Assurance

    Mist WAN Assurance is a cloud service that brings AI-powered automation and service levels to Juniper SRX Series Firewalls, complementing the Juniper Secure SD-WAN solution. Mist WAN Assurance transforms IT operations from reactive troubleshooting to proactive remediation, turning insights into actions and delivering operational simplicity with seamless integration into existing deployments.
    • SRX Series firewalls, deployed as secure SD-WAN edge devices, deliver the rich Junos streaming telemetry that provides the insights needed for WAN health metrics and anomaly detection. This data is leveraged within the Mist Cloud and AI engine, driving simpler operations, reducing mean time to repair (MTTR) and providing greater visibility into end-user experiences.
    • Insights derived from SRX Series SD-WAN gateway telemetry data allow WAN Assurance to compute unique “User Minutes” that indicate whether users are having a good experience.
    • The Marvis assistant for WAN allows you to ask direct questions like “Why is my Zoom call bad?” and provides complete insights, correlation, and actions.
    • Marvis Actions identifies and summarizes issues such as application latency conditions, congested WAN circuits, or negotiation mismatches.
     

    Simplifying Branch Deployments (Secure Connectivity/SD-WAN)

    The SRX300 line delivers fully automated SD-WAN to both enterprises and service providers.
    • A Zero-Touch Provisioning (ZTP) feature simplifies branch network connectivity for initial deployment and ongoing management.
    • SRX300 firewalls offer best-in-class secure connectivity.
    • The SRX300 firewalls efficiently utilize multiple links and load balance traffic across the enterprise WAN, blending traditional MPLS with other connectivity options such as broadband internet, leased lines, 4G/LTE, and more.
    • Policy- and application-based forwarding capabilities enforce business rules created by the enterprise to steer application traffic towards a preferred path.
     

    Comprehensive Security Suite

    The SRX300 line offers a comprehensive suite of application security services, threat defenses, and intelligence services. The services consist of intrusion prevention system (IPS), application security, user role-based firewall controls, and cloud-based antivirus, anti-spam, and enhanced Web filtering, protecting networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks SecIntel offers adaptive threat protection against Command and Control (C&C)-related botnets and policy enforcement based on GeoIP. Customers can also leverage their own custom and third-party feeds for protection from advanced malware and other threats. Integrating the Juniper Networks Advanced Threat Protection solution, the SRX300 line detects and enforces automated protection against known malware and zero-day threats with a very high degree of accuracy.

    Industry-Certified Junos Operating System

    SRX300 Firewalls run the Junos operating system, a proven, carrier-hardened OS that powers the top 100 service provider networks in the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven over 15 years of worldwide deployments. The SRX300 line also enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management.  

    Features and Benefits

    Business Requirement Feature/Solution SRX300 Advantages
    High performance Up to 20 Gbps of routing and firewall performance
    • Best suited for small, medium and large branch office deployments
    • Addresses future needs for scale and feature capacity
    Business continuity Stateful high availability (HA), IP monitoring
    • Uses stateful HA to synchronize configuration and firewall sessions
    • Supports multiple WAN interfaces with dial-on-demand backup
    • Route/link failover based on real-time link performance
    SD-WAN Better end-user application and cloud experience and lower operational costs
    • ZTP simplifies remote device provisioning
    • Advanced Policy-Based Routing (APBR) orchestrates business intent policies across the enterprise WAN
    • Application quality of experience (AppQoE) measures application SLAs and improves end-user experience
    • Controls and prioritizes traffic based on application and user role
    End-user experience WAN assurance
    • Complements the Juniper Secure SD-WAN solution with AI-powered automation and service levels
    • Provides visibility and insights into users, applications, WAN links, control and data plane, and CPU for proactive remediation
    Highly secure IPsec VPN, Remote Access/SSL VPN, Media Access Control Security (MACsec)
    • Creates secure, reliable, and fast overlay link over public internet
    • Employs anti-counterfeit features to protect from unauthorized hardware spares
    • Includes high-performance CPU with built-in hardware to assist IPsec acceleration
    • Provides TPM-based protection of device secrets such as passwords and certificates
    • Offers secure and flexible remote access SSL VPN with Juniper Secure Connect
    Threat protection IPS, antivirus, anti-spam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, and Threat Intelligence Feeds
    • Provides real-time updates to IPS signatures and protects against exploits
    • Protects from zero-day attacks
    • Implements industry-leading antivirus and URL filtering
    • Integrates open threat intelligence platform with third-party feeds
    • Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption
    Application visibility On-box GUI, Security Director
    • Detects 4,275 Layer 3-7 applications, including Web 2.0
    • Inspects and detects applications inside the SSL encrypted traffic
    Easy to manage and scale On-box GUI, Security Director
    • Includes centralized management for auto-provisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments, or simple, easy-to-use on-box GUI for local management
    Minimize TCO Junos OS
    • Integrates routing, switching, and security in a single device
    • Reduces operation expense with Junos automation capabilities
     

    SRX300 Specifications

    Software Specifications

    Routing Protocols

    • IPv4, IPv6, ISO, Connectionless Network Service (CLNS)
    • Static routes
    • RIP v1/v2
    • OSPF/OSPF v3
    • BGP with Route Reflector
    • IS-IS
    • Multicast: Internet Group Management Protocol (IGMP) v1/v2, Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM), Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), Multicast Source Discovery Protocol (MSDP), Reverse Path Forwarding (RPF)
    • Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)
    • Virtual routers
    • Policy-based routing, source-based routing
    • Equal-cost multipath (ECMP)
     

    QoS Features

    • Support for 802.1p, DiffServ code point (DSCP), EXP
    • Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
    • Marking, policing, and shaping
    • Classification and scheduling
    • Weighted random early detection (WRED)
    • Guaranteed and maximum bandwidth
    • Ingress traffic policing
    • Virtual channels
    • Hierarchical shaping and policing
     

    Switching Features

    • ASIC-based Layer 2 Forwarding
    • MAC address learning
    • VLAN addressing and integrated routing and bridging (IRB) support
    • Link aggregation and LACP
    • LLDP and LLDP-MED
    • STP, RSTP, MSTP
    • MVRP
    • 802.1X authentication
     

    Firewall Services

    • Stateful and stateless firewall
    • Zone-based firewall
    • Screens and distributed denial of service (DDoS) protection
    • Protection from protocol and traffic anomaly
    • Integration with Pulse Unified Access Control (UAC)
    • Integration with Aruba ClearPass Policy Manager
    • User role-based firewall
    • SSL Inspection (Forward-proxy)
     

    Network Address Translation (NAT)

    • Source NAT with Port Address Translation (PAT)
    • Bidirectional 1:1 static NAT
    • Destination NAT with PAT
    • Persistent NAT
    • IPv6 address translation
     

    VPN Features

    • Tunnels: Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4/ IPv6/ Dual Stack)
    • Juniper Secure Connect: Remote access / SSL VPN
    • Configuration payload: Yes
    • IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    • IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
    • Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
    • IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
    • IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
    • IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AEC-CBC, AES-GCM, SuiteB
    • Perfect forward secrecy, anti-reply
    • Internet Key Exchange: IKEv1, IKEv2
    • Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
    • VPNs GRE, IP-in-IP, and MPLS
     

    Network Services

    • Dynamic Host Configuration Protocol (DHCP) client/server/relay
    • Domain Name System (DNS) proxy, dynamic DNS (DDNS)
    • Juniper real-time performance monitoring (RPM) and IP-monitoring
    • Juniper flow monitoring (J-Flow)¹
    • Bidirectional Forwarding Detection (BFD)
    • Two-Way Active Measurement Protocol (TWAMP)
    • IEEE 802.3ah Link Fault Management (LFM)
    • IEEE 802.1ag Connectivity Fault Management (CFM)
     

    High Availability Features

    • Virtual Router Redundancy Protocol (VRRP)
    • Stateful high availability
    • Dual box clustering
    • Active/passive
    • Active/active
    • Configuration synchronization
    • Firewall session synchronization
    • Device/link detection
    • In-Band Cluster Upgrade (ICU)
    • Dial on-demand backup interfaces
    • IP monitoring with route and interface failover
     

    Management, Automation, Logging, and Reporting

    • SSH, Telnet, SNMP
    • Smart image download
    • Juniper CLI and Web UI
    • Mist AI
      • Simplified management
      • WAN Assurance
    • Junos Space and Security Director
    • Python
    • Junos OS event, commit, and OP script
    • Application and bandwidth usage reporting
    • Auto installation
    • Debug and troubleshooting tools
    • Zero-Touch Provisioning with Contrail Service Orchestration

    Advanced Routing Services

    • Packet mode
    • MPLS (RSVP, LDP)
    • Circuit cross-connect (CCC), translational cross-connect (TCC)
    • L2/L3 MPLS VPN, pseudowires
    • Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
    • MPLS traffic engineering and MPLS fast reroute
     

    Application Security Services¹

    • Application visibility and control
    • Application-based firewall
    • Application QoS
    • Application-based advanced policy-based routing
    • Application quality of experience (AppQoE)
     

    Enhanced SD-WAN Services

    • Application-based advanced policy-based routing (APBR)
    • Application-based link monitoring and switchover with Application quality of experience (AppQoE)
     

    Threat Defense and Intelligence Services¹

    • Intrusion prevention
    • Antivirus
    • Antispam
    • Category/reputation-based URL filtering
    • Protection from botnets (command and control)
    • Adaptive enforcement based on GeoIP
    • Juniper Advanced Threat Prevention to detect and block zero-day attacks
    • Adaptive Threat Profiling
    • Encrypted Traffic Insights
    • SecIntel to provide threat intelligence
     
    ¹ Offered as advanced security services subscription licenses.

    Hardware Specifications

    ² SRX320 with PoE+ ports available as a separate SKU: SRX320-POE.
    ³ SRX345 with dual AC PSU model.
    ⁴ SRX320 non PoE model.
    ⁵ SRX320-POE with 6 ports PoE+ model.
    ⁶ SRX345 with DC power supply (operating temperature as per GR-63 Issue 4 2012 test criteria).
    ⁷ As per GR63 Issue 4 (2012) test criteria.

    Specification | SRX300 | SRX320 | SRX340 | SRX345 | SRX380
    Connectivity
    Total onboard ports | 8x1GbE | 8x1GbE | 16x1GbE | 16x1GbE | 20 (16x1GbE, 4x10GbE)
    Onboard RJ-45 ports | 6x1GbE | 6x1GbE | 8x1GbE | 8x1GbE | 16x1GbE
    Onboard small form-factor pluggable (SFP) transceiver ports | 2x1GbE | 2x1GbE | 8x1GbE | 8x1GbE | 4x10GbE SFP+
    MACsec-capable ports | 2x1GbE | 2x1GbE | 16x1GbE | 16x1GbE | 16x1GbE 4x10GbE
    Out-of-band (OOB) management ports | 0 | 0 | 1x1GbE | 1x1GbE | 1x1GbE
    Mini PIM (WAN) slots | 0 | 2 | 4 | 4 | 4
    Console (RJ-45 + miniUSB) | 1 | 1 | 1 | 1 | 1
    USB 3.0 ports (type A) | 1 | 1 | 1 | 1 | 1
    PoE+ ports | N/A | 6² | 0 | 0 | 16
    Memory and Storage
    System memory (RAM) | 4 GB | 4 GB | 4 GB | 4 GB | 4 GB
    Storage | 8 GB | 8 GB | 8 GB | 8 GB | 100 GB SSD
    SSD slots | 0 | 0 | 1 | 1 | 1
    Dimensions and Power
    Form factor | Desktop | Desktop | 1 U | 1 U | 1 U
    Size (WxHxD) | 12.63 x 1.37 x 7.52 in. (32.08 x 3.47 x 19.10 cm) | 11.81 x 1.73 x 7.52 in. (29.99 x 4.39 x 19.10 cm) | 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) | 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) / 17.36 x 1.72 x 18.7 in. (44.09 x 4.36 x 47.5 cm)³ | 17.36 x 1.72 x 18.7 in. (44.09 x 4.37 x 47.5 cm) / 17.36 x 1.72 x 20.47 in. (44.09 x 4.37 x 52 cm)
    Weight (device and PSU) | 4.38 lb (1.98 kg) | 3.28 lb (1.51 kg)⁴ / 3.4 lb (1.55 kg)⁵ | 10.80 lb (4.90 kg) | 10.80 lb (4.90 kg) / 11.02 lb (5 kg)⁶ | 15 lb (6.8 kg) with 1xPSU / 16.76 lb (7.6 kg) with 2xPSU
    Redundant PSU | No | No | No | No | Yes
    Power supply | AC (external) | AC (external) | AC (internal) | AC (internal) / DC (internal)⁶ | 1+1 hot-swappable AC PSU
    Rated DC voltage range | N/A | N/A | N/A | -48 to -60 VDC (with -15% and +20% tolerance) | N/A
    Rated DC operating voltage range | N/A | N/A | N/A | -40.8 VDC to -72 VDC⁶ | N/A
    Maximum PoE power | N/A | 180 W⁵ | N/A | N/A | 480 W
    Average power consumption | 24.9 W | 46 W⁴ / 221 W⁵ | 122 W | 122 W | 150 W (without PoE) / 510 W (with PoE)
    Average heat dissipation | 85 BTU/h | 157 BTU/h⁴ / 755 BTU/h⁵ | 420 BTU/h | 420 BTU/h | 511.5 BTU/hr (without PoE)
    Maximum current consumption | 0.346 A | 0.634 A⁴ / 2.755 A⁵ | 1.496 A | 1.496 A / 6 A @ -48 VDC⁶ | 1.79 A / 7.32 A
    Acoustic noise level | 0 dB (fanless) | 37 dBA⁴ / 40 dBA⁵ | 45.5 dBA | 45.5 dBA | < 50 dBA @ room temperature 27° C
    Airflow/cooling | Fanless | Front to back | Front to back | Front to back | Front to back
    Environmental, Compliance, and Safety Certification
    Operational temperature | -4° to 140° F (-20° to 60° C)⁷ | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) / -22° to 131° F (-30° to 55° C) for SRX345-DC | 32° to 104° F (0° to 40° C) with MPIMs / 32° to 122° F (0° to 50° C) without MPIMs
    Nonoperational temperature | -4° to 158° F (-20° to 70° C) | -4° to 158° F (-20° to 70° C) | -4° to 158° F (-20° to 70° C) | -4° to 158° F (-20° to 70° C) / -22° to 158° F (-30° to 70° C) for SRX345-DC | -4° to 158° F (-20° to 70° C)
    Operating humidity | 10% to 90% noncondensing | 10% to 90% noncondensing | 10% to 90% noncondensing | 10% to 90% noncondensing | 10% to 90% noncondensing
    Nonoperating humidity | 5% to 95% noncondensing | 5% to 95% noncondensing | 5% to 95% noncondensing | 5% to 95% noncondensing | 5% to 95% noncondensing
    Mean time between failures (MTBF) | 44.5 years | 32.5 years⁴ / 26 years⁵ | 27 years | 27.4 years | 28.1 years
    FCC classification | Class A | Class A | Class A | Class A | Class A
    RoHS compliance | RoHS 2 | RoHS 2 | RoHS 2 | RoHS 2 | RoHS 2
    FIPS 140-2 | Level 2 (Junos 15.1X49-D60) | Level 1 (Junos 15.1X49-D60) | Level 2 (Junos 15.1X49-D60) | Level 2 (Junos 15.1X49-D60) | N/A
    Common Criteria certification | NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) | NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) | NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) | NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) | N/A
     

    Performance and Scale

    ⁸ Throughput numbers based on UDP packets and RFC2544 test methodology.
    ⁹ Throughput numbers based on HTTP traffic with 44 KB transaction size.
    ¹⁰ Route scaling numbers are with enhanced route-scale features turned on.
    ¹¹ Next-Generation firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions.
    ¹² Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions.
  • Product Overview

    The SRX300 line of firewalls combines security, SD-WAN, routing, switching, and WAN interfaces with next-generation firewall and advanced threat mitigation capabilities for cost-effective, secure connectivity across distributed enterprise locations. By consolidating fast, highly available switching, routing, security, and next-generation firewall capabilities in a single device, enterprises can remove network complexity, protect and prioritize their resources, and improve user and application experience while lowering total cost of ownership (TCO).

    Product Description

    Juniper Networks® SRX300 line of firewalls delivers a next-generation secure SD-WAN and security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services and applications across locations, connecting to the cloud, or trying to achieve operational efficiency, the SRX300 line helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. Next-generation firewall and unified threat management (UTM) capabilities also make it easier to detect and proactively mitigate threats to improve the user and application experience. The SRX300 line consists of five models:
    • SRX300: Securing small branch or retail offices, the SRX300 Firewall consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX300 supports up to 1.9 Gbps firewall and 336 Mbps IPsec VPN in a single, cost-effective networking and security platform.
    • SRX320: Securely connecting small distributed enterprise branch offices, the SRX320 Firewall consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX320 supports up to 1.9 Gbps firewall and 336 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
    • SRX340: Securely connecting midsize distributed enterprise branch offices, the SRX340 Firewall consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX340 supports up to 4.7 Gbps firewall and 733 Mbps IPsec VPN in a single, cost-effective networking and security platform.
    • SRX345: Best suited for midsize to large distributed enterprise branch offices, the SRX345 Firewall consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX345 supports up to 5 Gbps firewall and 977 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
    • SRX380: A high-performance and secure SD-WAN gateway, the SRX380 offers superior and reliable WAN connectivity while consolidating security, routing, and switching for distributed enterprise offices. The SRX380 features greater port density than other SRX300 models, with 16x1GbE PoE+ and 4x10GbE ports, and includes redundant dual power supplies, all in a 1 U form factor. The SRX380 supports up to 20 Gbps firewall and 4.4 Gbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
     

    SRX300 Highlights

    The SRX300 line of firewalls consists of secure SD-WAN routers that bring high performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of remote sites. WAN or Internet connectivity and Wi-Fi module options include:
    • Ethernet, T1/E1, ADSL2/2+, and VDSL
    • 3G/4G LTE wireless
    • 802.11ac Wave 2 Wi-Fi
     

    Mist AI

    WAN Assurance

    Mist WAN Assurance is a cloud service that brings AI-powered automation and service levels to Juniper SRX Series Firewalls, complementing the Juniper Secure SD-WAN solution. Mist WAN Assurance transforms IT operations from reactive troubleshooting to proactive remediation, turning insights into actions and delivering operational simplicity with seamless integration into existing deployments.
    • SRX Series firewalls, deployed as secure SD-WAN edge devices, deliver the rich Junos streaming telemetry that provides the insights needed for WAN health metrics and anomaly detection. This data is leveraged within the Mist Cloud and AI engine, driving simpler operations, reducing mean time to repair (MTTR) and providing greater visibility into end-user experiences.
    • Insights derived from SRX Series SD-WAN gateway telemetry data allow WAN Assurance to compute unique “User Minutes” that indicate whether users are having a good experience.
    • The Marvis assistant for WAN allows you to ask direct questions like “Why is my Zoom call bad?” and provides complete insights, correlation, and actions.
    • Marvis Actions identifies and summarizes issues such as application latency conditions, congested WAN circuits, or negotiation mismatches.
     

    Simplifying Branch Deployments (Secure Connectivity/SD-WAN)

    The SRX300 line delivers fully automated SD-WAN to both enterprises and service providers.
    • A Zero-Touch Provisioning (ZTP) feature simplifies branch network connectivity for initial deployment and ongoing management.
    • SRX300 firewalls offer best-in-class secure connectivity.
    • The SRX300 firewalls efficiently utilize multiple links and load balance traffic across the enterprise WAN, blending traditional MPLS with other connectivity options such as broadband internet, leased lines, 4G/LTE, and more.
    • Policy- and application-based forwarding capabilities enforce business rules created by the enterprise to steer application traffic towards a preferred path.
     

    Comprehensive Security Suite

    The SRX300 line offers a comprehensive suite of application security services, threat defenses, and intelligence services. The services consist of intrusion prevention system (IPS), application security, user role-based firewall controls, and cloud-based antivirus, anti-spam, and enhanced Web filtering, protecting networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks SecIntel offers adaptive threat protection against Command and Control (C&C)-related botnets and policy enforcement based on GeoIP. Customers can also leverage their own custom and third-party feeds for protection from advanced malware and other threats. Integrating the Juniper Networks Advanced Threat Protection solution, the SRX300 line detects and enforces automated protection against known malware and zero-day threats with a very high degree of accuracy.

    Industry-Certified Junos Operating System

    SRX300 Firewalls run the Junos operating system, a proven, carrier-hardened OS that powers the top 100 service provider networks in the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven over 15 years of worldwide deployments. The SRX300 line also enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management.  

    Features and Benefits

    Business Requirement | Feature/Solution | SRX300 Advantages
    High performance | Up to 20 Gbps of routing and firewall performance
    • Best suited for small, medium and large branch office deployments
    • Addresses future needs for scale and feature capacity
    Business continuity | Stateful high availability (HA), IP monitoring
    • Uses stateful HA to synchronize configuration and firewall sessions
    • Supports multiple WAN interfaces with dial-on-demand backup
    • Route/link failover based on real-time link performance
    SD-WAN | Better end-user application and cloud experience and lower operational costs
    • ZTP simplifies remote device provisioning
    • Advanced Policy-Based Routing (APBR) orchestrates business intent policies across the enterprise WAN
    • Application quality of experience (AppQoE) measures application SLAs and improves end-user experience
    • Controls and prioritizes traffic based on application and user role
    End-user experience | WAN assurance
    • Complements the Juniper Secure SD-WAN solution with AI-powered automation and service levels
    • Provides visibility and insights into users, applications, WAN links, control and data plane, and CPU for proactive remediation
    Highly secure | IPsec VPN, Remote Access/SSL VPN, Media Access Control Security (MACsec)
    • Creates secure, reliable, and fast overlay link over public internet
    • Employs anti-counterfeit features to protect from unauthorized hardware spares
    • Includes high-performance CPU with built-in hardware to assist IPsec acceleration
    • Provides TPM-based protection of device secrets such as passwords and certificates
    • Offers secure and flexible remote access SSL VPN with Juniper Secure Connect
    Threat protection | IPS, antivirus, anti-spam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, and Threat Intelligence Feeds
    • Provides real-time updates to IPS signatures and protects against exploits
    • Protects from zero-day attacks
    • Implements industry-leading antivirus and URL filtering
    • Integrates open threat intelligence platform with third-party feeds
    • Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption
    Application visibility | On-box GUI, Security Director
    • Detects 4,275 Layer 3-7 applications, including Web 2.0
    • Inspects and detects applications inside the SSL encrypted traffic
    Easy to manage and scale | On-box GUI, Security Director
    • Includes centralized management for auto-provisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments, or simple, easy-to-use on-box GUI for local management
    Minimize TCO | Junos OS
    • Integrates routing, switching, and security in a single device
    • Reduces operation expense with Junos automation capabilities
     

    SRX300 Specifications

    Software Specifications

    Routing Protocols

    • IPv4, IPv6, ISO, Connectionless Network Service (CLNS)
    • Static routes
    • RIP v1/v2
    • OSPF/OSPF v3
    • BGP with Route Reflector
    • IS-IS
    • Multicast: Internet Group Management Protocol (IGMP) v1/v2, Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM), Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), Multicast Source Discovery Protocol (MSDP), Reverse Path Forwarding (RPF)
    • Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)
    • Virtual routers
    • Policy-based routing, source-based routing
    • Equal-cost multipath (ECMP)
     

    QoS Features

    • Support for 802.1p, DiffServ code point (DSCP), EXP
    • Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
    • Marking, policing, and shaping
    • Classification and scheduling
    • Weighted random early detection (WRED)
    • Guaranteed and maximum bandwidth
    • Ingress traffic policing
    • Virtual channels
    • Hierarchical shaping and policing
     

    Switching Features

    • ASIC-based Layer 2 Forwarding
    • MAC address learning
    • VLAN addressing and integrated routing and bridging (IRB) support
    • Link aggregation and LACP
    • LLDP and LLDP-MED
    • STP, RSTP, MSTP
    • MVRP
    • 802.1X authentication
     

    Firewall Services

    • Stateful and stateless firewall
    • Zone-based firewall
    • Screens and distributed denial of service (DDoS) protection
    • Protection from protocol and traffic anomaly
    • Integration with Pulse Unified Access Control (UAC)
    • Integration with Aruba ClearPass Policy Manager
    • User role-based firewall
    • SSL Inspection (Forward-proxy)
     

    Network Address Translation (NAT)

    • Source NAT with Port Address Translation (PAT)
    • Bidirectional 1:1 static NAT
    • Destination NAT with PAT
    • Persistent NAT
    • IPv6 address translation
     

    VPN Features

    • Tunnels: Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4/ IPv6/ Dual Stack)
    • Juniper Secure Connect: Remote access / SSL VPN
    • Configuration payload: Yes
    • IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    • IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
    • Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
    • IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
    • IPsec Authentication Algorithms: hmac-md5, hmac-sha1-96, hmac-sha-256
    • IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    • Perfect forward secrecy, anti-replay
    • Internet Key Exchange: IKEv1, IKEv2
    • Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
    • VPNs: GRE, IP-in-IP, and MPLS
     

    Network Services

    • Dynamic Host Configuration Protocol (DHCP) client/server/relay
    • Domain Name System (DNS) proxy, dynamic DNS (DDNS)
    • Juniper real-time performance monitoring (RPM) and IP-monitoring
    • Juniper flow monitoring (J-Flow)¹
    • Bidirectional Forwarding Detection (BFD)
    • Two-Way Active Measurement Protocol (TWAMP)
    • IEEE 802.3ah Link Fault Management (LFM)
    • IEEE 802.1ag Connectivity Fault Management (CFM)
     

    High Availability Features

    • Virtual Router Redundancy Protocol (VRRP)
    • Stateful high availability
    • Dual box clustering
    • Active/passive
    • Active/active
    • Configuration synchronization
    • Firewall session synchronization
    • Device/link detection
    • In-Band Cluster Upgrade (ICU)
    • Dial on-demand backup interfaces
    • IP monitoring with route and interface failover
     

    Management, Automation, Logging, and Reporting

    • SSH, Telnet, SNMP
    • Smart image download
    • Juniper CLI and Web UI
    • Mist AI
      • Simplified management
      • WAN Assurance
    • Junos Space and Security Director
    • Python
    • Junos OS event, commit, and OP script
    • Application and bandwidth usage reporting
    • Auto installation
    • Debug and troubleshooting tools
    • Zero-Touch Provisioning with Contrail Service Orchestration

    Advanced Routing Services

    • Packet mode
    • MPLS (RSVP, LDP)
    • Circuit cross-connect (CCC), translational cross-connect (TCC)
    • L2/L3 MPLS VPN, pseudowires
    • Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
    • MPLS traffic engineering and MPLS fast reroute
     

    Application Security Services¹

    • Application visibility and control
    • Application-based firewall
    • Application QoS
    • Application-based advanced policy-based routing
    • Application quality of experience (AppQoE)
     

    Enhanced SD-WAN Services

    • Application-based advanced policy-based routing (APBR)
    • Application-based link monitoring and switchover with Application quality of experience (AppQoE)
     

    Threat Defense and Intelligence Services¹

    • Intrusion prevention
    • Antivirus
    • Antispam
    • Category/reputation-based URL filtering
    • Protection from botnets (command and control)
    • Adaptive enforcement based on GeoIP
    • Juniper Advanced Threat Prevention to detect and block zero-day attacks
    • Adaptive Threat Profiling
    • Encrypted Traffic Insights
    • SecIntel to provide threat intelligence
     
    ¹ Offered as advanced security services subscription licenses.

    Hardware Specifications

    ² SRX320 with PoE+ ports available as a separate SKU: SRX320-POE.
    ³ SRX345 with dual AC PSU model.
    ⁴ SRX320 non PoE model.
    ⁵ SRX320-POE with 6 ports PoE+ model.
    ⁶ SRX345 with DC power supply (operating temperature as per GR-63 Issue 4 2012 test criteria).
    ⁷ As per GR63 Issue 4 (2012) test criteria.

    Specification | SRX300 | SRX320 | SRX340 | SRX345 | SRX380
    Connectivity
    Total onboard ports | 8x1GbE | 8x1GbE | 16x1GbE | 16x1GbE | 20 (16x1GbE, 4x10GbE)
    Onboard RJ-45 ports | 6x1GbE | 6x1GbE | 8x1GbE | 8x1GbE | 16x1GbE
    Onboard small form-factor pluggable (SFP) transceiver ports | 2x1GbE | 2x1GbE | 8x1GbE | 8x1GbE | 4x10GbE SFP+
    MACsec-capable ports | 2x1GbE | 2x1GbE | 16x1GbE | 16x1GbE | 16x1GbE 4x10GbE
    Out-of-band (OOB) management ports | 0 | 0 | 1x1GbE | 1x1GbE | 1x1GbE
    Mini PIM (WAN) slots | 0 | 2 | 4 | 4 | 4
    Console (RJ-45 + miniUSB) | 1 | 1 | 1 | 1 | 1
    USB 3.0 ports (type A) | 1 | 1 | 1 | 1 | 1
    PoE+ ports | N/A | 6² | 0 | 0 | 16
    Memory and Storage
    System memory (RAM) | 4 GB | 4 GB | 4 GB | 4 GB | 4 GB
    Storage | 8 GB | 8 GB | 8 GB | 8 GB | 100 GB SSD
    SSD slots | 0 | 0 | 1 | 1 | 1
    Dimensions and Power
    Form factor | Desktop | Desktop | 1 U | 1 U | 1 U
    Size (WxHxD) | 12.63 x 1.37 x 7.52 in. (32.08 x 3.47 x 19.10 cm) | 11.81 x 1.73 x 7.52 in. (29.99 x 4.39 x 19.10 cm) | 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) | 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) / 17.36 x 1.72 x 18.7 in. (44.09 x 4.36 x 47.5 cm)³ | 17.36 x 1.72 x 18.7 in. (44.09 x 4.37 x 47.5 cm) / 17.36 x 1.72 x 20.47 in. (44.09 x 4.37 x 52 cm)
    Weight (device and PSU) | 4.38 lb (1.98 kg) | 3.28 lb (1.51 kg)⁴ / 3.4 lb (1.55 kg)⁵ | 10.80 lb (4.90 kg) | 10.80 lb (4.90 kg) / 11.02 lb (5 kg)⁶ | 15 lb (6.8 kg) with 1xPSU / 16.76 lb (7.6 kg) with 2xPSU
    Redundant PSU | No | No | No | No | Yes
    Power supply | AC (external) | AC (external) | AC (internal) | AC (internal) / DC (internal)⁶ | 1+1 hot-swappable AC PSU
    Rated DC voltage range | N/A | N/A | N/A | -48 to -60 VDC (with -15% and +20% tolerance) | N/A
    Rated DC operating voltage range | N/A | N/A | N/A | -40.8 VDC to -72 VDC⁶ | N/A
    Maximum PoE power | N/A | 180 W⁵ | N/A | N/A | 480 W
    Average power consumption | 24.9 W | 46 W⁴ / 221 W⁵ | 122 W | 122 W | 150 W (without PoE) / 510 W (with PoE)
    Average heat dissipation | 85 BTU/h | 157 BTU/h⁴ / 755 BTU/h⁵ | 420 BTU/h | 420 BTU/h | 511.5 BTU/hr (without PoE)
    Maximum current consumption | 0.346 A | 0.634 A⁴ / 2.755 A⁵ | 1.496 A | 1.496 A / 6 A @ -48 VDC⁶ | 1.79 A / 7.32 A
    Acoustic noise level | 0 dB (fanless) | 37 dBA⁴ / 40 dBA⁵ | 45.5 dBA | 45.5 dBA | < 50 dBA @ room temperature 27° C
    Airflow/cooling | Fanless | Front to back | Front to back | Front to back | Front to back
    Environmental, Compliance, and Safety Certification
    Operational temperature | -4° to 140° F (-20° to 60° C)⁷ | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) / -22° to 131° F (-30° to 55° C) for SRX345-DC | 32° to 104° F (0° to 40° C) with MPIMs / 32° to 122° F (0° to 50° C) without MPIMs
    Nonoperational temperature | -4° to 158° F (-20° to 70° C) | -4° to 158° F (-20° to 70° C) | -4° to 158° F (-20° to 70° C) | -4° to 158° F (-20° to 70° C) / -22° to 158° F (-30° to 70° C) for SRX345-DC | -4° to 158° F (-20° to 70° C)
    Operating humidity | 10% to 90% noncondensing | 10% to 90% noncondensing | 10% to 90% noncondensing | 10% to 90% noncondensing | 10% to 90% noncondensing
    Nonoperating humidity | 5% to 95% noncondensing | 5% to 95% noncondensing | 5% to 95% noncondensing | 5% to 95% noncondensing | 5% to 95% noncondensing
    Mean time between failures (MTBF) | 44.5 years | 32.5 years⁴ / 26 years⁵ | 27 years | 27.4 years | 28.1 years
    FCC classification | Class A | Class A | Class A | Class A | Class A
    RoHS compliance | RoHS 2 | RoHS 2 | RoHS 2 | RoHS 2 | RoHS 2
    FIPS 140-2 | Level 2 (Junos 15.1X49-D60) | Level 1 (Junos 15.1X49-D60) | Level 2 (Junos 15.1X49-D60) | Level 2 (Junos 15.1X49-D60) | N/A
    Common Criteria certification | NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) | NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) | NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) | NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) | N/A
     

    Performance and Scale

    ⁸ Throughput numbers based on UDP packets and RFC2544 test methodology.
    ⁹ Throughput numbers based on HTTP traffic with 44 KB transaction size.
    ¹⁰ Route scaling numbers are with enhanced route-scale features turned on.
    ¹¹ Next-Generation firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions.
    ¹² Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions.
    Parameter | SRX300 | SRX320 | SRX340 | SRX345 | SRX380
    Routing with packet mode (64 B packet size) in Kpps⁸ | 300 | 300 | 550 | 750 | 1700
    Routing with packet mode (IMIX packet size) in Mbps⁸ | 800 | 800 | 1,600 | 2,300 | 5000
    Routing with packet mode (1,518 B packet size) in Mbps⁸ | 1,500 | 1,500 | 3,000 | 5,500 | 10,000
    Stateful firewall (64 B packet size) in Kpps⁸ | 200 | 200 | 350 | 550 | 1700
    Stateful firewall (IMIX packet size) in Mbps⁸ | 600 | 600 | 1,100 | 1,500 | 6,500
    Stateful firewall (1,518 B packet size) in Mbps⁸ | 1,900 | 1,900 | 4,700 | 5,000 | 20,000
    IPsec VPN (IMIX packet size) in Mbps⁸ | 116 | 116 | 239 | 325 | 1400
    IPsec VPN (1,400 B packet size) in Mbps⁸ | 336 | 336 | 733 | 977 | 4,400
    Application visibility and control in Mbps⁹ | 500 | 500 | 1,000 | 1,700 | 6,000
    Recommended IPS in Mbps⁹ | 200 | 200 | 400 | 600 | 2,000
    Next-generation firewall in Mbps¹¹ | 226 | 226 | 420 | 430 | 2,500
    Secure Web Access firewall in Mbps¹² | 171 | 171 | 280 | 295 | 1,800
    Route table size (RIB/FIB) (IPv4 or IPv6) | 256,000/256,000 | 256,000/256,000 | 1 million/600,000¹⁰ | 1 million/600,000¹⁰ | 1 million/600,000¹⁰
    Maximum concurrent sessions (IPv4 or IPv6) | 64,000 | 64,000 | 256,000 | 375,000 | 380,000
    Maximum security policies | 1,000 | 1,000 | 2,000 | 4,000 | 4,000
    Connections per second | 5,000 | 5,000 | 10,000 | 15,000 | 50,000
    NAT rules | 1,000 | 1,000 | 2,000 | 2,000 | 3,000
    MAC table size | 15,000 | 15,000 | 15,000 | 15,000 | 16,000
    IPsec VPN tunnels | 256 | 256 | 1,024 | 2,048 | 2,048
    Number of remote access/SSL VPN (concurrent) users | 25 | 50 | 150 | 250 | 500
    GRE tunnels | 256 | 256 | 512 | 1,024 | 2,048
    Maximum number of security zones | 16 | 16 | 64 | 64 | 128
    Maximum number of virtual routers | 32 | 32 | 64 | 128 | 128
    Maximum number of VLANs | 1,000 | 1,000 | 2,000 | 3,000 | 3,000
    AppID sessions | 16,000 | 16,000 | 64,000 | 64,000 | 64,000
    IPS sessions | 16,000 | 16,000 | 64,000 | 64,000 | 64,000
    URLF sessions | 16,000 | 16,000 | 64,000 | 64,000 | 64,000
     

    WAN and Wi-Fi Interface Support Matrix

    WAN and Wi-Fi Interface | SRX300 | SRX320 | SRX340 | SRX345 | SRX380
    1 port T1/E1 MPIM (SRX-MP-1T1E1-R) | No | Yes | Yes | Yes | Yes
    1 port VDSL2 Annex A/M MPIM (SRX-MP-1VDSL2-R) | No | Yes | Yes | Yes | Yes
    4G / LTE MPIM (SRX-MP-LTE-AA and SRX-MP-LTE-AE) | No | Yes | Yes | Yes | Yes
    802.11ac Wave 2 Wi-Fi MPIM | No | Yes | Yes | Yes | Yes
     

    WAN and Wi-Fi Interface Module Performance Data

    Interface Module | Description | Performance
    4G/LTE | Dual SIM 4G/LTE-A CAT 6 | Up to 300 Mbps download and 50 Mbps upload
    Wi-Fi MPIM | Dual band 802.11 a/b/g/n/ac Wave 2 (2x2 MIMO) | Up to 866 Mbps at 5GHz / 300 Mbps at 2.4GHz
     

    Juniper Networks Services and Support

    Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https://www.juniper.net/us/en/products.html.  

    Ordering Information

    To order Juniper Networks SRX Series Firewalls, and to access software licensing information, please visit the How to Buy page at https://www.juniper.net/us/en/how-to-buy/form.html
    ¹¹ Based on concurrent users; two free licenses included.
    SRXnnn-SYS-JB
    Hardware | Included
    Management (CLI, JWEB, SNMP, Telnet, SSH) | Included
    Ethernet switching (L2 Forwarding, IRB, LACP, etc.) | Included
    L2 Transparent, Secure Wire | Included
    Routing (RIP, OSPF, BGP, Virtual router) | Included
    Multicast (IGMP, PIM, SSDP, DVMRP) | Included
    Packet Mode | Included
    Overlay (GRE, IP-IP) | Included
    Network Services (J-Flow, DHCP, QOS, BFD) | Included
    Stateful Firewall, Screens, ALGs | Included
    NAT (static, SNAT, DNAT) | Included
    IPsec VPN (Site-to-Site VPN, Auto VPN, Group VPN) | Included
    Firewall policy enforcement (UAC, Aruba CPPM) | Included
    Remote Access/SSL VPN (concurrent users)¹¹ | Optional
    Chassis Cluster, VRRP, ISSU/ICU | Included
    Automation (Junos scripting, auto-installation) | Included
    MPLS, LDP, RSVP, L3 VPN, pseudo-wires, VPLS | Included
     

    Base System Model Numbers

    Product Number Description
    SRX300-SYS-JB SRX300 Firewalls includes hardware (8GbE, 4G RAM, 8G Flash, power adapter and cable) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching). RMK not included.
    SRX320-SYS-JB SRX320 Firewalls includes hardware (8GbE, 2x MPIM slots, 4G RAM, 8G Flash, power adapter and cable) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching). RMK not included.
    SRX320-SYS-JB-P SRX320 Firewalls includes hardware (8GbE, 6-port POE+, 2x MPIM slots, 4G RAM, 8G Flash, power adapter and cable) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching). RMK not included.
    SRX340-SYS-JB SRX340 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching)
    SRX345-SYS-JB SRX345 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching)
    SRX345-SYS-JB-2AC SRX345 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, dual AC power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching)
    SRX345-SYS-JB-DC SRX345 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, single DC power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching)
    SRX380-P-SYS-JB-AC SRX380 Firewalls includes hardware (16GbE PoE+, 4x10GbE, 4x MPIM slots, 4GB RAM, 100GB SSD, single AC power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching)
     

    Software Licenses

    ¹² The S-SRXnnn-P2-1/3/5 year SKUs are only available for the SRX340, SRX345, and SRX380 models.
    Product Number Description
    S-SRXnnn-A1-1 SRXnnn Advanced 1 - JSE/SD-WAN, includes SD-WAN features App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack) and IPS; 1-year subscription (example: S-SRX380-A1-1)
    S-SRXnnn-A1-3 SRXnnn Advanced 1 - JSE/SD-WAN, includes SD-WAN features App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack) and IPS; 3-year subscription (example: S-SRX380-A1-3)
    S-SRXnnn-A1-5 SRXnnn Advanced 1 - JSE/SD-WAN, includes SD-WAN features App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack) and IPS; 5-year subscription (example: S-SRX380-A1-5)
    S-SRXnnn-P1-1 SRXnnn Premium 1, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Juniper ATP; 1-year subscription (example: S-SRX380-P1-1)
    S-SRXnnn-P1-3 SRXnnn Premium 1, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Juniper ATP; 3-year subscription (example: S-SRX380-P1-3)
    S-SRXnnn-P1-5 SRXnnn Premium 1, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Juniper ATP; 5-year subscription (example: S-SRX380-P1-5)
    S-SRXnnn-A2-1 SRXnnn Advanced 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Content Security (UTM, Cloud AV, URLF and AS); 1-year subscription (example: S-SRX380-A2-1)
    S-SRXnnn-A2-3 SRXnnn Advanced 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Content Security (UTM, Cloud AV, URLF and AS); 3-year subscription (example: S-SRX380-A2-3)
    S-SRXnnn-A2-5 SRXnnn Advanced 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Content Security (UTM, Cloud AV, URLF and AS); 5-year subscription (example: S-SRX380-A2-5)
    S-SRXnnn-P2-1¹² SRXnnn Premium 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS, Content Security (UTM, Cloud AV, URLF and AS) and Juniper Sky ATP; 1-year subscription (example: S-SRX380-P2-1)
    S-SRXnnn-P2-3¹² SRXnnn Premium 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS, Content Security (UTM, Cloud AV, URLF and AS) and Juniper Sky ATP; 3-year subscription (example: S-SRX380-P2-3)
    S-SRXnnn-P2-5¹² SRXnnn Premium 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS, Content Security (UTM, Cloud AV, URLF and AS) and Juniper Sky ATP; 5-year subscription (example: S-SRX380-P2-5)
     

    Remote Access/Juniper Secure Connect VPN Licenses

    Product Number Description
    S-RA3-SRX300-S-1 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-SRX320-S-1 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-SRX340-S-1 SW, Remote Access VPN - Juniper, 150 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-SRX345-S-1 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-SRX380-S-1 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-5CCU-S-1 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-25CCU-S-1 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-50CCU-S-1 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-100CCU-S-1 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-250CCU-S-1 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-500CCU-S-1 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-SRX300-S-3 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-SRX320-S-3 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-SRX340-S-3 SW, Remote Access VPN - Juniper, 150 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-SRX345-S-3 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-SRX380-S-3 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-5CCU-S-3 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-25CCU-S-3 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-50CCU-S-3 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-100CCU-S-3 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-250CCU-S-3 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-500CCU-S-3 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year
     

    Interface Modules

    Product Number Description
    SRX-MP-1T1E1-R 1 port T1E1, MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M. RoHS compliant
    SRX-MP-1VDSL2-R 1 port VDSL2 (backward compatible with ADSL / ADSL2+), MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M. RoHS compliant
    SRX-MP-LTE-AA 4G / LTE MPIM support 1, 3, 5, 7-8, 18-19, 21, 28, 38-41 LTE bands (for Asia and Australia). Supported on SRX320, SRX340, SRX345, SRX380, and SRX550M
    SRX-MP-LTE-AE 4G / LTE MPIM support 1-5, 7-8, 12-13, 30, 25-26, 29-30, 41 LTE bands (for Americas and EMEA). Supported on SRX320, SRX340, SRX345, SRX380, and SRX550M
    SRX-MP-WLAN-US Wireless access point (Wi-Fi) MPIM for SRX320, SRX34x, SRX380, and SRX550M. Supported for U.S. regulatory bands only.
    SRX-MP-WLAN-WW Wireless access point (Wi-Fi) MPIM for SRX320, SRX34x, SRX380, and SRX550M. Supported for worldwide regulatory bands (excluding U.S. and Israel).
    SRX-MP-WLAN-IL Wireless access point (Wi-Fi) MPIM for SRX320, SRX34x, SRX380, and SRX550M. Supported for Israel regulatory bands only.
    SRX-MP-ANT-EXT Antenna extension cable for WLAN MPIM on SRX Series platforms
     

    Accessories

    Product Number Description
    SRX300-RMK0 SRX300 rack mount kit with adaptor tray
    SRX300-RMK1 SRX300 rack mount kit without adaptor tray
    SRX300-WALL-KIT0 SRX300 wall mount kit with brackets
    SRX320-P-RMK0 SRX320-POE rack mount kit with adaptor tray
    SRX320-P-RMK1 SRX300-POE rack mount kit without adaptor tray
    SRX320-RMK0 SRX320 rack mount kit with adaptor tray
    SRX320-RMK1 SRX320 rack mount kit without adaptor tray
    SRX320-WALL-KIT0 SRX320 wall mount kit with brackets
    SRX34X-RMK SRX340 and SRX345 rack mount kit
    EX-4PST-RMK SRX380 rack mount kit
    JSU-SSD-MLC-100 Juniper Storage Unit, SSD, MLC, 100GB
    JPSU-600-AC-AFO SRX380 600W AC PSU, front-to-back
  • Product Overview

    The SRX300 line of firewalls combines security, SD-WAN, routing, switching, and WAN interfaces with next-generation firewall and advanced threat mitigation capabilities for cost-effective, secure connectivity across distributed enterprise locations. By consolidating fast, highly available switching, routing, security, and next-generation firewall capabilities in a single device, enterprises can remove network complexity, protect and prioritize their resources, and improve user and application experience while lowering total cost of ownership (TCO).

    Product Description

    Juniper Networks® SRX300 line of firewalls delivers a next-generation secure SD-WAN and security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services and applications across locations, connecting to the cloud, or trying to achieve operational efficiency, the SRX300 line helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. Next-generation firewall and unified threat management (UTM) capabilities also make it easier to detect and proactively mitigate threats to improve the user and application experience. The SRX300 line consists of five models:
    • SRX300: Securing small branch or retail offices, the SRX300 Firewall consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX300 supports up to 1.9 Gbps firewall and 336 Mbps IPsec VPN in a single, cost-effective networking and security platform.
    • SRX320: Securely connecting small distributed enterprise branch offices, the SRX320 Firewall consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX320 supports up to 1.9 Gbps firewall and 336 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
    • SRX340: Securely connecting midsize distributed enterprise branch offices, the SRX340 Firewall consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX340 supports up to 4.7 Gbps firewall and 733 Mbps IPsec VPN in a single, cost-effective networking and security platform.
    • SRX345: Best suited for midsize to large distributed enterprise branch offices, the SRX345 Firewall consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX345 supports up to 5 Gbps firewall and 977 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
    • SRX380: A high-performance and secure SD-WAN gateway, the SRX380 offers superior and reliable WAN connectivity while consolidating security, routing, and switching for distributed enterprise offices. The SRX380 features greater port density than other SRX300 models, with 16x1GbE PoE+ and 4x10GbE ports, and includes redundant dual power supplies, all in a 1 U form factor. The SRX380 supports up to 20 Gbps firewall and 4.4 Gbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
     

    SRX300 Highlights

    The SRX300 line of firewalls consists of secure SD-WAN routers that bring high performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of remote sites. WAN or Internet connectivity and Wi-Fi module options include:
    • Ethernet, T1/E1, ADSL2/2+, and VDSL
    • 3G/4G LTE wireless
    • 802.11ac Wave 2 Wi-Fi
     

    Mist AI

    WAN Assurance

    Mist WAN Assurance is a cloud service that brings AI-powered automation and service levels to Juniper SRX Series Firewalls, complementing the Juniper Secure SD-WAN solution. Mist WAN Assurance transforms IT operations from reactive troubleshooting to proactive remediation, turning insights into actions and delivering operational simplicity with seamless integration into existing deployments.
    • SRX Series firewalls, deployed as secure SD-WAN edge devices, deliver the rich Junos streaming telemetry that provides the insights needed for WAN health metrics and anomaly detection. This data is leveraged within the Mist Cloud and AI engine, driving simpler operations, reducing mean time to repair (MTTR) and providing greater visibility into end-user experiences.
    • Insights derived from SRX Series SD-WAN gateway telemetry data allow WAN Assurance to compute unique “User Minutes” that indicate whether users are having a good experience.
    • The Marvis assistant for WAN allows you to ask direct questions like “Why is my Zoom call bad?” and provides complete insights, correlation, and actions.
    • Marvis Actions identifies and summarizes issues such as application latency conditions, congested WAN circuits, or negotiation mismatches.
     

    Simplifying Branch Deployments (Secure Connectivity/SD-WAN)

    The SRX300 line delivers fully automated SD-WAN to both enterprises and service providers.
    • A Zero-Touch Provisioning (ZTP) feature simplifies branch network connectivity for initial deployment and ongoing management.
    • SRX300 firewalls offer best-in-class secure connectivity.
    • The SRX300 firewalls efficiently utilize multiple links and load balance traffic across the enterprise WAN, blending traditional MPLS with other connectivity options such as broadband internet, leased lines, 4G/LTE, and more.
    • Policy- and application-based forwarding capabilities enforce business rules created by the enterprise to steer application traffic towards a preferred path.
     

    Comprehensive Security Suite

    The SRX300 line offers a comprehensive suite of application security services, threat defenses, and intelligence services. The services consist of intrusion prevention system (IPS), application security, user role-based firewall controls, and cloud-based antivirus, anti-spam, and enhanced Web filtering, protecting networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks SecIntel offers adaptive threat protection against Command and Control (C&C)-related botnets and policy enforcement based on GeoIP. Customers can also leverage their own custom and third-party feeds for protection from advanced malware and other threats. Integrating the Juniper Networks Advanced Threat Protection solution, the SRX300 line detects and enforces automated protection against known malware and zero-day threats with a very high degree of accuracy.

    Industry-Certified Junos Operating System

    SRX300 Firewalls run the Junos operating system, a proven, carrier-hardened OS that powers the top 100 service provider networks in the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven over 15 years of worldwide deployments. The SRX300 line also enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management.  

    Features and Benefits

    Business Requirement | Feature/Solution | SRX300 Advantages
    High performance | Up to 20 Gbps of routing and firewall performance
    • Best suited for small, medium and large branch office deployments
    • Addresses future needs for scale and feature capacity
    Business continuity | Stateful high availability (HA), IP monitoring
    • Uses stateful HA to synchronize configuration and firewall sessions
    • Supports multiple WAN interface with dial-on-demand backup
    • Route/link failover based on real-time link performance
    SD-WAN | Better end-user application and cloud experience and lower operational costs
    • ZTP simplifies remote device provisioning
    • Advanced Policy-Based Routing (APBR) orchestrates business intent policies across the enterprise WAN
    • Application quality of experience (AppQoE) measures application SLAs and improves end-user experience
    • Controls and prioritizes traffic based on application and user role
    End-user experience | WAN assurance
    • Complements the Juniper Secure SD-WAN solution with AI-powered automation and service levels
    • Provides visibility and insights into users, applications, WAN links, control and data plane, and CPU for proactive remediation
    Highly secure | IPsec VPN, Remote Access/SSL VPN, Media Access Control Security (MACsec)
    • Creates secure, reliable, and fast overlay link over public internet
    • Employs anti-counterfeit features to protect from unauthorized hardware spares
    • Includes high-performance CPU with built-in hardware to assist IPsec acceleration
    • Provides TPM-based protection of device secrets such as passwords and certificates
    • Offers secure and flexible remote access SSL VPN with Juniper Secure Connect
    Threat protection | IPS, antivirus, anti-spam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, and Threat Intelligence Feeds
    • Provides real-time updates to IPS signatures and protects against exploits
    • Protects from zero-day attacks
    • Implements industry-leading antivirus and URL filtering
    • Integrates open threat intelligence platform with third-party feeds
    • Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption
    Application visibility | On-box GUI, Security Director
    • Detects 4,275 Layer 3-7 applications, including Web 2.0
    • Inspects and detects applications inside the SSL encrypted traffic
    Easy to manage and scale | On-box GUI, Security Director
    • Includes centralized management for auto-provisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments, or simple, easy-to-use on-box GUI for local management
    Minimize TCO | Junos OS
    • Integrates routing, switching, and security in a single device
    • Reduces operation expense with Junos automation capabilities
     

    SRX300 Specifications

    Software Specifications

    Routing Protocols

    • IPv4, IPv6, ISO, Connectionless Network Service (CLNS)
    • Static routes
    • RIP v1/v2
    • OSPF/OSPF v3
    • BGP with Route Reflector
    • IS-IS
    • Multicast: Internet Group Management Protocol (IGMP) v1/v2, Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM), Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), Multicast Source Discovery Protocol (MSDP), Reverse Path Forwarding (RPF)
    • Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)
    • Virtual routers
    • Policy-based routing, source-based routing
    • Equal-cost multipath (ECMP)
     

    QoS Features

    • Support for 802.1p, DiffServ code point (DSCP), EXP
    • Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
    • Marking, policing, and shaping
    • Classification and scheduling
    • Weighted random early detection (WRED)
    • Guaranteed and maximum bandwidth
    • Ingress traffic policing
    • Virtual channels
    • Hierarchical shaping and policing
     

    Switching Features

    • ASIC-based Layer 2 Forwarding
    • MAC address learning
    • VLAN addressing and integrated routing and bridging (IRB) support
    • Link aggregation and LACP
    • LLDP and LLDP-MED
    • STP, RSTP, MSTP
    • MVRP
    • 802.1X authentication
     

    Firewall Services

    • Stateful and stateless firewall
    • Zone-based firewall
    • Screens and distributed denial of service (DDoS) protection
    • Protection from protocol and traffic anomaly
    • Integration with Pulse Unified Access Control (UAC)
    • Integration with Aruba ClearPass Policy Manager
    • User role-based firewall
    • SSL Inspection (Forward-proxy)
     

    Network Address Translation (NAT)

    • Source NAT with Port Address Translation (PAT)
    • Bidirectional 1:1 static NAT
    • Destination NAT with PAT
    • Persistent NAT
    • IPv6 address translation
     

    VPN Features

    • Tunnels: Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4/ IPv6/ Dual Stack)
    • Juniper Secure Connect: Remote access / SSL VPN
    • Configuration payload: Yes
    • IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    • IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
    • Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
    • IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
    • IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
    • IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    • Perfect forward secrecy, anti-replay
    • Internet Key Exchange: IKEv1, IKEv2
    • Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
    • VPNs: GRE, IP-in-IP, and MPLS
     

    Network Services

    • Dynamic Host Configuration Protocol (DHCP) client/server/relay
    • Domain Name System (DNS) proxy, dynamic DNS (DDNS)
    • Juniper real-time performance monitoring (RPM) and IP-monitoring
    • Juniper flow monitoring (J-Flow)¹
    • Bidirectional Forwarding Detection (BFD)
    • Two-Way Active Measurement Protocol (TWAMP)
    • IEEE 802.3ah Link Fault Management (LFM)
    • IEEE 802.1ag Connectivity Fault Management (CFM)
     

    High Availability Features

    • Virtual Router Redundancy Protocol (VRRP)
    • Stateful high availability
    • Dual box clustering
    • Active/passive
    • Active/active
    • Configuration synchronization
    • Firewall session synchronization
    • Device/link detection
    • In-Band Cluster Upgrade (ICU)
    • Dial on-demand backup interfaces
    • IP monitoring with route and interface failover
     

    Management, Automation, Logging, and Reporting

    • SSH, Telnet, SNMP
    • Smart image download
    • Juniper CLI and Web UI
    • Mist AI
      • Simplified management
      • WAN Assurance
    • Junos Space and Security Director
    • Python
    • Junos OS event, commit, and OP script
    • Application and bandwidth usage reporting
    • Auto installation
    • Debug and troubleshooting tools
    • Zero-Touch Provisioning with Contrail Service Orchestration

    Advanced Routing Services

    • Packet mode
    • MPLS (RSVP, LDP)
    • Circuit cross-connect (CCC), translational cross-connect (TCC)
    • L2/L3 MPLS VPN, pseudowires
    • Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
    • MPLS traffic engineering and MPLS fast reroute
     

    Application Security Services¹

    • Application visibility and control
    • Application-based firewall
    • Application QoS
    • Application-based advanced policy-based routing
    • Application quality of experience (AppQoE)
     

    Enhanced SD-WAN Services

    • Application-based advanced policy-based routing (APBR)
    • Application-based link monitoring and switchover with Application quality of experience (AppQoE)
     

    Threat Defense and Intelligence Services¹

    • Intrusion prevention
    • Antivirus
    • Antispam
    • Category/reputation-based URL filtering
    • Protection from botnets (command and control)
    • Adaptive enforcement based on GeoIP
    • Juniper Advanced Threat Prevention to detect and block zero-day attacks
    • Adaptive Threat Profiling
    • Encrypted Traffic Insights
    • SecIntel to provide threat intelligence
     
    ¹ Offered as advanced security services subscription licenses.

    Hardware Specifications

    ² SRX320 with PoE+ ports available as a separate SKU: SRX320-POE.
    ³ SRX345 with dual AC PSU model.
    ⁴ SRX320 non PoE model.
    ⁵ SRX320-POE with 6 ports PoE+ model.
    ⁶ SRX345 with DC power supply (operating temperature as per GR-63 Issue 4 2012 test criteria).
    ⁷ As per GR63 Issue 4 (2012) test criteria.
    Specification | SRX300 | SRX320 | SRX340 | SRX345 | SRX380
    Connectivity
    Total onboard ports | 8x1GbE | 8x1GbE | 16x1GbE | 16x1GbE | 20 (16x1GbE, 4x10GbE)
    Onboard RJ-45 ports | 6x1GbE | 6x1GbE | 8x1GbE | 8x1GbE | 16x1GbE
    Onboard small form-factor pluggable (SFP) transceiver ports | 2x1GbE | 2x1GbE | 8x1GbE | 8x1GbE | 4x10GbE SFP+
    MACsec-capable ports | 2x1GbE | 2x1GbE | 16x1GbE | 16x1GbE | 16x1GbE, 4x10GbE
    Out-of-band (OOB) management ports | 0 | 0 | 1x1GbE | 1x1GbE | 1x1GbE
    Mini PIM (WAN) slots | 0 | 2 | 4 | 4 | 4
    Console (RJ-45 + miniUSB) | 1 | 1 | 1 | 1 | 1
    USB 3.0 ports (type A) | 1 | 1 | 1 | 1 | 1
    PoE+ ports | N/A | 6² | 0 | 0 | 16
    Memory and Storage
    System memory (RAM) | 4 GB | 4 GB | 4 GB | 4 GB | 4 GB
    Storage | 8 GB | 8 GB | 8 GB | 8 GB | 100 GB SSD
    SSD slots | 0 | 0 | 1 | 1 | 1
    Dimensions and Power
    Form factor | Desktop | Desktop | 1 U | 1 U | 1 U
    Size (WxHxD) | 12.63 x 1.37 x 7.52 in. (32.08 x 3.47 x 19.10 cm) | 11.81 x 1.73 x 7.52 in. (29.99 x 4.39 x 19.10 cm) | 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) | 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) / 17.36 x 1.72 x 18.7 in. (44.09 x 4.36 x 47.5 cm)³ | 17.36 x 1.72 x 18.7 in. (44.09 x 4.37 x 47.5 cm) / 17.36 x 1.72 x 20.47 in. (44.09 x 4.37 x 52 cm)
    Weight (device and PSU) | 4.38 lb (1.98 kg) | 3.28 lb (1.51 kg)⁴ / 3.4 lb (1.55 kg)⁵ | 10.80 lb (4.90 kg) | 10.80 lb (4.90 kg) / 11.02 lb (5 kg)⁶ | 15 lb (6.8 kg) with 1xPSU / 16.76 lb (7.6 kg) with 2xPSU
    Redundant PSU | No | No | No | No | Yes
    Power supply | AC (external) | AC (external) | AC (internal) | AC (internal) / DC (internal)⁶ | 1+1 hot-swappable AC PSU
    Rated DC voltage range | N/A | N/A | N/A | -48 to -60 VDC (with -15% and +20% tolerance) | N/A
    Rated DC operating voltage range | N/A | N/A | N/A | -40.8 VDC to -72 VDC⁶ | N/A
    Maximum PoE power | N/A | 180 W⁵ | N/A | N/A | 480 W
    Average power consumption | 24.9 W | 46 W⁴ / 221 W⁵ | 122 W | 122 W | 150 W (without PoE) / 510 W (with PoE)
    Average heat dissipation | 85 BTU/h | 157 BTU/h⁴ / 755 BTU/h⁵ | 420 BTU/h | 420 BTU/h | 511.5 BTU/hr (without PoE)
    Maximum current consumption | 0.346 A | 0.634 A⁴ / 2.755 A⁵ | 1.496 A | 1.496 A / 6A @ -48 VDC⁶ | 1.79A/7.32A
    Acoustic noise level | 0dB (fanless) | 37 dBA⁴ / 40 dBA⁵ | 45.5 dBA | 45.5 dBA | < 50dBA @ room temperature 27C
    Airflow/cooling | Fanless | Front to back | Front to back | Front to back | Front to back
    Environmental, Compliance, and Safety Certification
    Operational temperature | -4° to 140° F (-20° to 60° C)⁷ | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C) | 32° to 104° F (0° to 40° C); -22° to 131° F (-30° to 55° C) for SRX345-DC | 32° to 104° F (0° to 40° C) with MPIMs; 32° to 122° F (0° to 50° C) without MPIMs
    Nonoperational temperature | -4° to 158° F (-20° to 70° C) | -4° to 158° F (-20° to 70° C) | -4° to 158° F (-20° to 70° C) | -4° to 158° F (-20° to 70° C); -22° to 158° F (-30° to 70° C) for SRX345-DC | -4° to 158° F (-20° to 70° C)
    Operating humidity | 10% to 90% noncondensing | 10% to 90% noncondensing | 10% to 90% noncondensing | 10% to 90% noncondensing | 10% to 90% noncondensing
    Nonoperating humidity | 5% to 95% noncondensing | 5% to 95% noncondensing | 5% to 95% noncondensing | 5% to 95% noncondensing | 5% to 95% noncondensing
    Meantime between failures (MTBF) | 44.5 years | 32.5 years⁴ / 26 years⁵ | 27 years | 27.4 years | 28.1 years
    FCC classification | Class A | Class A | Class A | Class A | Class A
    RoHS compliance | RoHS 2 | RoHS 2 | RoHS 2 | RoHS 2 | RoHS 2
    FIPS 140-2 | Level 2 (Junos 15.1X49-D60) | Level 1 (Junos 15.1X49-D60) | Level 2 (Junos 15.1X49-D60) | Level 2 (Junos 15.1X49-D60) | N/A
    Common Criteria certification | NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) | NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) | NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) | NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) | N/A
     

    Performance and Scale

    ⁸ Throughput numbers based on UDP packets and RFC2544 test methodology.
    ⁹ Throughput numbers based on HTTP traffic with 44 KB transaction size.
    ¹⁰ Route scaling numbers are with enhanced route-scale features turned on.
    ¹¹ Next-Generation firewall performance is measured with Firewall, Application Security and IPS enabled using 64KB transactions.
    ¹² Secure Web Access firewall performance is measured with Firewall, Application Security, IPS, SecIntel, and URL Filtering enabled using 64KB transactions.
    Parameter SRX300 SRX320 SRX340 SRX345 SRX380
    Routing with packet mode (64 B packet size) in Kpps⁸ 300 300 550 750 1700
    Routing with packet mode (IMIX packet size) in Mbps⁸ 800 800 1,600 2,300 5000
    Routing with packet mode (1,518 B packet size) in Mbps⁸ 1,500 1,500 3,000 5,500 10,000
    Stateful firewall (64 B packet size) in Kpps⁸ 200 200 350 550 1700
    Stateful firewall (IMIX packet size) in Mbps⁸ 600 600 1,100 1,500 6,500
    Stateful firewall (1,518 B packet size) in Mbps⁸ 1,900 1,900 4,700 5,000 20,000
    IPsec VPN (IMIX packet size) in Mbps⁸ 116 116 239 325 1400
    IPsec VPN (1,400 B packet size) in Mbps⁸ 336 336 733 977 4,400
    Application visibility and control in Mbps⁹ 500 500 1,000 1,700 6,000
    Recommended IPS in Mbps⁹ 200 200 400 600 2,000
    Next-generation firewall in Mbps¹¹ 226 226 420 430 2,500
    Secure Web Access firewall in Mbps¹² 171 171 280 295 1,800
    Route table size (RIB/FIB) (IPv4 or IPv6) 256,000/256,000 256,000/256,000 1 million/600,000¹⁰ 1 million/600,000¹⁰ 1 million/600,000¹⁰
    Maximum concurrent sessions (IPv4 or IPv6) 64,000 64,000 256,000 375,000 380,000
    Maximum security policies 1,000 1,000 2,000 4,000 4,000
    Connections per second 5,000 5,000 10,000 15,000 50,000
    NAT rules 1,000 1,000 2,000 2,000 3,000
    MAC table size 15,000 15,000 15,000 15,000 16,000
    IPsec VPN tunnels 256 256 1,024 2,048 2,048
    Number of remote access/SSL VPN (concurrent) users 25 50 150 250 500
    GRE tunnels 256 256 512 1,024 2,048
    Maximum number of security zones 16 16 64 64 128
    Maximum number of virtual routers 32 32 64 128 128
    Maximum number of VLANs 1,000 1,000 2,000 3,000 3,000
    AppID sessions 16,000 16,000 64,000 64,000 64,000
    IPS sessions 16,000 16,000 64,000 64,000 64,000
    URLF sessions 16,000 16,000 64,000 64,000 64,000
     

    WAN and Wi-Fi Interface Support Matrix

    WAN and Wi-Fi Interface SRX300 SRX320 SRX340 SRX345 SRX380
    1 port T1/E1 MPIM (SRX-MP-1T1E1-R) No Yes Yes Yes Yes
    1 port VDSL2 Annex A/M MPIM (SRX-MP-1VDSL2-R) No Yes Yes Yes Yes
    4G / LTE MPIM (SRX-MP-LTE-AA and SRX-MP-LTE-AE) No Yes Yes Yes Yes
    802.11ac Wave 2 Wi-Fi MPIM No Yes Yes Yes Yes
     

    WAN and Wi-Fi Interface Module Performance Data

    Interface Module Description Performance
    4G/LTE Dual SIM 4G/LTE-A CAT 6 Up to 300 Mbps download and 50 Mbps upload
    Wi-Fi MPIM Dual band 802.11 a/b/g/n/ac Wave 2 (2x2 MIMO) Up to 866 Mbps at 5GHz / 300 Mbps at 2.4GHz
     

    Juniper Networks Services and Support

    Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https://www.juniper.net/us/en/products.html.  

    Ordering Information

    To order Juniper Networks SRX Series Firewalls, and to access software licensing information, please visit the How to Buy page at https://www.juniper.net/us/en/how-to-buy/form.html
    11 Based on concurrent users; two free licenses included
    SRXnnn-SYS-JB
    Hardware Included
    Management (CLI, JWEB, SNMP, Telnet, SSH) Included
    Ethernet switching (L2 Forwarding, IRB, LACP etc) Included
    L2 Transparent, Secure Wire Included
    Routing (RIP, OSPF, BGP, Virtual router) Included
    Multicast (IGMP, PIM, SSDP, DVMRP) Included
    Packet Mode Included
    Overlay (GRE, IP-IP) Included
    Network Services (J-Flow, DHCP, QOS, BFD) Included
    Stateful Firewall, Screens, ALGs Included
    NAT (static, SNAT, DNAT) Included
    IPSec VPN (Site-to-Site VPN, Auto VPN, Group VPN) Included
    Firewall policy enforcement (UAC, Aruba CPPM) Included
    Remote Access/SSL VPN (concurrent users)¹¹ Optional
    Chassis Cluster, VRRP, ISSU/ICU Included
    Automation (Junos scripting, auto-installation) Included
    MPLS, LDP, RSVP, L3 VPN, pseudo-wires, VPLS Included
     

    Base System Model Numbers

    Product Number Description
    SRX300-SYS-JB SRX300 Firewalls includes hardware (8GbE, 4G RAM, 8G Flash, power adapter and cable) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching). RMK not included.
    SRX320-SYS-JB SRX320 Firewalls includes hardware (8GbE, 2x MPIM slots, 4G RAM, 8G Flash, power adapter and cable) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching). RMK not included.
    SRX320-SYS-JB-P SRX320 Firewalls includes hardware (8GbE, 6-port POE+, 2x MPIM slots, 4G RAM, 8G Flash, power adapter and cable) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching). RMK not included.
    SRX340-SYS-JB SRX340 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching)
    SRX345-SYS-JB SRX345 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching)
    SRX345-SYS-JB-2AC SRX345 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, dual AC power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching)
    SRX345-SYS-JB-DC SRX345 Firewalls includes hardware (16GbE, 4x MPIM slots, 4G RAM, 8G Flash, single DC power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching)
    SRX380-P-SYS-JB-AC SRX380 Firewalls includes hardware (16GbE PoE+, 4x10GbE, 4x MPIM slots, 4GB RAM, 100GB SSD, single AC power supply, cable and RMK) and Junos Software Base (firewall, NAT, IPSec, routing, MPLS and switching)
     

    Software Licenses

    12 The S-SRXnnn-P2-1/3/5 year SKUs are only available for the SRX340, SRX345, and SRX380 models.
    Product Number Description
    S-SRXnnn-A1-1 SRXnnn Advanced 1 - JSE/SD-WAN, includes SD-WAN features App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack) and IPS; 1-year subscription (example: S-SRX380-A1-1)
    S-SRXnnn-A1-3 SRXnnn Advanced 1 - JSE/SD-WAN, includes SD-WAN features App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack) and IPS; 3-year subscription (example: S-SRX380-A1-3)
    S-SRXnnn-A1-5 SRXnnn Advanced 1 - JSE/SD-WAN, includes SD-WAN features App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack) and IPS; 5-year subscription (example: S-SRX380-A1-5)
    S-SRXnnn-P1-1 SRXnnn Premium 1, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Juniper ATP; 1-year subscription (example: S-SRX380-P1-1)
    S-SRXnnn-P1-3 SRXnnn Premium 1, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Juniper ATP; 3-year subscription (example: S-SRX380-P1-3)
    S-SRXnnn-P1-5 SRXnnn Premium 1, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Juniper ATP; 5-year subscription (example: S-SRX380-P1-5)
    S-SRXnnn-A2-1 SRXnnn Advanced 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Content Security (UTM, Cloud AV, URLF and AS); 1-year subscription (example: S-SRX380-A2-1)
    S-SRXnnn-A2-3 SRXnnn Advanced 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Content Security (UTM, Cloud AV, URLF and AS); 3-year subscription (example: S-SRX380-A2-3)
    S-SRXnnn-A2-5 SRXnnn Advanced 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS and Content Security (UTM, Cloud AV, URLF and AS); 5-year subscription (example: S-SRX380-A2-5)
    S-SRXnnn-P2-1¹² SRXnnn Premium 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS, Content Security (UTM, Cloud AV, URLF and AS) and Juniper Sky ATP; 1-year subscription (example: S-SRX380-P2-1)
    S-SRXnnn-P2-3¹² SRXnnn Premium 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS, Content Security (UTM, Cloud AV, URLF and AS) and Juniper Sky ATP; 3-year subscription (example: S-SRX380-P2-3)
    S-SRXnnn-P2-5¹² SRXnnn Premium 2, includes App+ (AppID, AppFW, AppQoS, AppRoute, AppQoE, AppTrack), IPS, Content Security (UTM, Cloud AV, URLF and AS) and Juniper Sky ATP; 5-year subscription (example: S-SRX380-P2-5)
     

    Remote Access/Juniper Secure Connect VPN Licenses

    Product Number Description
    S-RA3-SRX300-S-1 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-SRX320-S-1 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-SRX340-S-1 SW, Remote Access VPN - Juniper, 150 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-SRX345-S-1 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-SRX380-S-1 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-5CCU-S-1 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-25CCU-S-1 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-50CCU-S-1 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-100CCU-S-1 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-250CCU-S-1 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-500CCU-S-1 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 1 Year
     S-RA3-SRX300-S-3 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-SRX320-S-3 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-SRX340-S-3 SW, Remote Access VPN - Juniper, 150 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-SRX345-S-3 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-SRX380-S-3 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-5CCU-S-3 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-25CCU-S-3 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-50CCU-S-3 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-100CCU-S-3 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-250CCU-S-3 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year
     S-RA3-500CCU-S-3 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year
     

    Interface Modules

    Product Number Description
    SRX-MP-1T1E1-R 1 port T1E1, MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M. RoHS compliant
    SRX-MP-1VDSL2-R 1 port VDSL2 (backward compatible with ADSL / ADSL2+), MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M. RoHS compliant
    SRX-MP-LTE-AA 4G / LTE MPIM support 1, 3, 5, 7-8, 18-19, 21, 28, 38-41 LTE bands (for Asia and Australia). Supported on SRX320, SRX340, SRX345, SRX380, and SRX550M
    SRX-MP-LTE-AE 4G / LTE MPIM support 1-5, 7-8, 12-13, 30, 25-26, 29-30, 41 LTE bands (for Americas and EMEA). Supported on SRX320, SRX340, SRX345, SRX380, and SRX550M
    SRX-MP-WLAN-US Wireless access point (Wi-Fi) MPIM for SRX320, SRX34x, SRX380, and SRX550M. Supported for U.S. regulatory bands only.
    SRX-MP-WLAN-WW Wireless access point (Wi-Fi) MPIM for SRX320, SRX34x, SRX380, and SRX550M. Supported for worldwide regulatory bands (excluding U.S. and Israel).
    SRX-MP-WLAN-IL Wireless access point (Wi-Fi) MPIM for SRX320, SRX34x, SRX380, and SRX550M. Supported for Israel regulatory bands only.
    SRX-MP-ANT-EXT Antenna extension cable for WLAN MPIM on SRX Series platforms
     

    Accessories

    Product Number Description
    SRX300-RMK0 SRX300 rack mount kit with adaptor tray
    SRX300-RMK1 SRX300 rack mount kit without adaptor tray
    SRX300-WALL-KIT0 SRX300 wall mount kit with brackets
    SRX320-P-RMK0 SRX320-POE rack mount kit with adaptor tray
    SRX320-P-RMK1 SRX300-POE rack mount kit without adaptor tray
    SRX320-RMK0 SRX320 rack mount kit with adaptor tray
    SRX320-RMK1 SRX320 rack mount kit without adaptor tray
    SRX320-WALL-KIT0 SRX320 wall mount kit with brackets
    SRX34X-RMK SRX340 and SRX345 rack mount kit
    EX-4PST-RMK SRX380 rack mount kit
    JSU-SSD-MLC-100 Juniper Storage Unit, SSD, MLC, 100GB
    JPSU-600-AC-AFO SRX380 600W AC PSU, front-to-back
  • SRX380 Overview:

    The SRX300 line of services gateways combines security, routing, switching, and WAN interfaces with next-generation firewall and advanced threat mitigation capabilities for cost-effective, secure connectivity across distributed enterprise locations. By consolidating fast, highly available switching, routing, security, and next-generation firewall capabilities in a single device, enterprises can remove network complexity, protect and prioritize their resources, and improve user and application experience while lowering total cost of ownership (TCO).

    Product Description

    Juniper Networks SRX300 line of services gateways delivers a next-generation networking and security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services and applications across locations, connecting to the cloud, or trying to achieve operational efficiency, the SRX300 line helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. Next-generation firewall and unified threat management (UTM) capabilities also make it easier to detect and proactively mitigate threats to improve the user and application experience. The SRX300 line consists of four models:
    • SRX300: Securing small branch or retail offices, the SRX300 Services Gateway consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX300 supports up to 1 Gbps firewall and 300 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
    • SRX320: Securely connecting small distributed enterprise branch offices, the SRX320 Services Gateway consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX320 supports up to 1 Gbps firewall and 300 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
    • SRX340: Securely connecting midsize distributed enterprise branch offices, the SRX340 Services Gateway consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX340 supports up to 3 Gbps firewall and 600 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
    • SRX345: Best suited for midsize to large distributed enterprise branch offices, the SRX345 Services Gateway consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX345 supports up to 5 Gbps firewall and 800 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.
    • SRX380: A high-performance and secure SD-WAN gateway, the SRX380 offers superior and reliable WAN connectivity while consolidating security, routing, and switching for distributed enterprise offices. The SRX380 features greater port density than other SRX300 models, with 16x1GbE PoE+ and 4x10GbE ports, and includes redundant dual power supplies, all in a 1 U form factor.

    Highlights

    The SRX300 line of services gateways consists of secure SD-WAN routers that bring high performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of remote sites. WAN or Internet connectivity and Wi-Fi module options include:
    • Ethernet, T1/E1, ADSL2/2+, and VDSL
    • 3G/4G LTE wireless
    • 802.11ac Wave 2 Wi-Fi

    Mist AI

    WAN Assurance

    Mist WAN Assurance is a cloud service that brings AI-powered automation and service levels to Juniper SRX Series Services Gateways, complementing the Juniper Secure SD-WAN solution. Mist WAN Assurance transforms IT operations from reactive troubleshooting to proactive remediation, turning insights into actions and delivering operational simplicity with seamless integration into existing deployments.
    • SRX Series firewalls, deployed as secure SD-WAN edge devices, deliver the rich Junos streaming telemetry that provides the insights needed for WAN health metrics and anomaly detection. This data is leveraged within the Mist Cloud and AI engine, driving simpler operations, reducing mean time to repair (MTTR) and providing greater visibility into end-user experiences.
    • Insights derived from SRX Series SD-WAN gateway telemetry data allow WAN Assurance to compute unique “User Minutes” that indicate whether users are having a good experience.
    • The Marvis assistant for WAN allows you to ask direct questions like “Why is my Zoom call bad?” and provides complete insights, correlation, and actions.
    • Marvis Actions identifies and summarizes issues such as application latency conditions, congested WAN circuits, or negotiation mismatches.

    Simplifying Branch Deployments (Secure Connectivity/SD-WAN)

    The SRX300 line delivers fully automated SD-WAN to both enterprises and service providers.
    • A Zero-Touch Provisioning (ZTP) feature simplifies branch network connectivity for initial deployment and ongoing management.
    • SRX300 firewalls offer best-in-class secure connectivity.
    • The SRX300 firewalls efficiently utilize multiple links and load balance traffic across the enterprise WAN, blending traditional MPLS with other connectivity options such as broadband internet, leased lines, 4G/LTE, and more.
    • Policy- and application-based forwarding capabilities enforce business rules created by the enterprise to steer application traffic towards a preferred path.

    Comprehensive Security Suite

    The SRX300 line offers a comprehensive suite of application security services, threat defenses, and intelligence services. The services consist of intrusion prevention system (IPS), application security, user role-based firewall controls, and cloud-based antivirus, anti-spam, and enhanced Web filtering, protecting networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks SecIntel offers adaptive threat protection against Command and Control (C&C)-related botnets and policy enforcement based on GeoIP. Customers can also leverage their own custom and third-party feeds for protection from advanced malware and other threats. Integrating the Juniper Networks Advanced Threat Protection solution, the SRX300 line detects and enforces automated protection against known malware and zero-day threats with a very high degree of accuracy.

    Industry-Certified Junos Operating System

    SRX300 Services Gateways run the Junos operating system, a proven, carrier-hardened OS that powers the top 100 service provider networks in the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven over 15 years of worldwide deployments. The SRX300 line also enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management.

    Features & Benefits:

    Business Requirement | Feature/Solution | SRX300 Advantages
    High performance | Up to 5 Gbps of routing and firewall performance
    • Best suited for small, medium and large branch office deployments
    • Addresses future needs for scale and feature capacity
    Business continuity | Stateful high availability (HA), IP monitoring
    • Uses stateful HA to synchronize configuration and firewall sessions
    • Supports multiple WAN interface with dial-on-demand backup
    • Route/link failover based on real-time link performance
    SD-WAN | Better end-user application and cloud experience and lower operational costs
    • ZTP simplifies remote device provisioning
    • Advanced Policy-Based Routing (APBR) orchestrates business intent policies across the enterprise WAN
    • Application quality of experience (AppQoE) measures application SLAs and improves end-user experience
    • Controls and prioritizes traffic based on application and user role
    End-user experience | WAN assurance
    • Complements the Juniper Secure SD-WAN solution with AI-powered automation and service levels
    • Provides visibility and insights into users, applications, WAN links, control and data plane, and CPU for proactive remediation
    Highly secure | IPsec VPN, Remote Access/SSL VPN, Media Access Control Security (MACsec)
    • Creates secure, reliable, and fast overlay link over public internet
    • Employs anti-counterfeit features to protect from unauthorized hardware spares
    • Includes high-performance CPU with built-in hardware to assist IPsec acceleration
    • Provides TPM-based protection of device secrets such as passwords and certificates
    • Offers secure and flexible remote access SSL VPN with Juniper Secure Connect
    Threat protection | IPS, antivirus, anti-spam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, and Threat Intelligence Feeds
    • Provides real-time updates to IPS signatures and protects against exploits
    • Protects from zero-day attacks
    • Implements industry-leading antivirus and URL filtering
    • Integrates open threat intelligence platform with third-party feeds
    • Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption
    Application visibility | On-box GUI, Security Director
    • Detects 3500+ Layer 3-7 applications, including Web 2.0
    • Inspects and detects applications inside the SSL encrypted traffic
    Easy to manage and scale | On-box GUI, Security Director
    • Includes centralized management for auto-provisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments, or simple, easy-to-use on-box GUI for local management
    Minimize TCO | Junos OS
    • Integrates routing, switching, and security in a single device
    • Reduces operation expense with Junos automation capabilities

    Technical Specifications:

    Model: SRX300 SRX320 SRX340 SRX345 SRX380
    Connectivity
    Total onboard ports 8x1GbE 8x1GbE 16x1GbE 16x1GbE 20 (16x1GbE, 4x10GbE)
    Onboard RJ-45 ports 6x1GbE 6x1GbE 8x1GbE 8x1GbE 16x1GbE
    Onboard small form-factor pluggable (SFP) transceiver ports 2x1GbE 2x1GbE 8x1GbE 8x1GbE 4x10GbE SFP+
    MACsec-capable ports 2x1GbE 2x1GbE 16x1GbE 16x1GbE 16x1GbE 4x10GbE
    Out-of-Band (OOB) management ports 0 0 1x1GbE 1x1GbE 1x1GbE
    Mini PIM (WAN) slots 0 2 4 4 4
    Console (RJ-45 + miniUSB) 1 1 1 1 1
    USB 3.0 ports (type A) 1 1 1 1 1
    Optional PoE+ ports N/A 6¹ 0 0 16
    Memory and Storage
    System memory (RAM) 4 GB 4 GB 4 GB 4 GB 4GB
    Storage (flash) 8 GB 8 GB 8 GB 8 GB 100GB SSD
    SSD slots 0 0 1 1 1
    Dimensions and Power SRX300 SRX320 SRX340 SRX345 SRX380
    Form factor Desktop Desktop 1U 1U 1U
    Size (WxHxD) 12.63 x 1.37 x 7.52 in. (32.08 x 3.47 x 19.10 cm) 11.81 x 1.73 x 7.52 in. (29.99 x 4.39 x 19.10 cm) 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) 17.36 x 1.72 x 14.57 in. (44.09 x 4.36 x 37.01 cm) / 17.36 x 1.72 x 18.7 in. (44.09 x 4.36 x 47.5 cm)² 17.36 x 1.72 x 18.7 in. (44.09 x 4.37 x 47.5 cm) / 17.36 x 1.72 x 20.47 in. (44.09 x 4.37 x 52 cm)
    Weight (device and PSU) 4.38 lb (1.98 kg) 3.28 lb (1.51 kg)³ / 3.4 lb (1.55 kg)⁴ 10.80 lb (4.90 kg) 10.80 lb (4.90 kg) / 11.02 lb (5 kg)⁵ 15 lb (6.8 kg) with 1xPSU / 16.76 lb (7.6 kg) with 2xPSU
    Redundant PSU No No No Yes Yes
    Power supply AC (external) AC (external) AC (external) AC (internal) / DC (internal)⁵ 1+1 hot-swappable AC PSU
    DC Input N/A N/A N/A -40.8 VDC to -72 VDC⁵ N/A
    Maximum PoE power N/A 180 W⁴ N/A N/A 480W
    Average power consumption 15.4 W 27 W³ / 112 W⁴ 122 W 122 W 150 W (without PoE) 510 W (with PoE)
    Average heat dissipation 85 BTU/h 157 BTU/h³ / 755 BTU/h⁴ 420 BTU/h 420 BTU/h 511.5 BTU/hr (without PoE)
    Maximum current consumption 0.346 A 0.634 A³ / 2.755 A⁴ 1.496 A 1.496 A / 6A @ -48 VDC⁵ 1.79A/7.32A
    Acoustic noise level 0dB (fanless) 37 dBA³ / 40 dBA⁴ 45.5 dBA 45.5 dBA < 50dBA @ room temperature 27C
    Airflow/cooling Fanless Front to back Front to back Front to back Front to back
    Environmental, Compliance, and Safety Certification SRX300 SRX320 SRX340 SRX345 SRX380
    Operating temperature 32° to 104° F (0° to 40° C) 32° to 104° F (0° to 40° C) -22° to 131° F (-30° to 55° C) for SRX345-DC 32° to 104° F (0° to 40° C) with MPIMs 32° to 122° F (0° to 50° C) without MPIMs
    Nonoperating temperature 4° to 158° F (-20° to 70° C) -4° to 158° F (-20° to 70° C) -22° to 158° F (-30° to 70° C) for SRX345-DC -4° to 158° F (-20° to 70° C)
    Operating humidity 10% to 90% noncondensing
    Nonoperating humidity 5% to 95% noncondensing
    Mean time between failures (MTBF) 44.5 years 32.5 years³ / 26 years⁴ 27 years 27.4 years 28.1 years
    FCC classification Class A Class A Class A Class A Class A
    RoHS compliance RoHS 2 RoHS 2 RoHS 2 RoHS 2 RoHS 2
    FIPS 140-2 Level 2 (Junos 15.1X49-D60) Level 1 (Junos 15.1X49-D60) Level 2 (Junos 15.1X49-D60) Level 2 (Junos 15.1X49-D60) N/A
    Common Criteria certification NDPP, VPNEP, FWEP, IPSEP (based on Junos 15.1X49-D60) N/A
    Performance and Scale SRX300 SRX320 SRX340 SRX345 SRX380
    Routing with packet mode (64 B packet size) in Kpps⁷ 300 300 550 750 1,700
    Routing with packet mode (IMIX packet size) in Mbps⁷ 800 800 1,600 2,300 5,000
    Routing with packet mode (1,518 B packet size) in Mbps⁷ 1,500 1,500 3,000 5,500 10,000
    Stateful firewall (64 B packet size) in Kpps⁷ 200 200 350 550 1,700
    Stateful firewall (IMIX packet size) in Mbps⁷ 500 500 1,100 1,700 4,000
    Stateful firewall (1,518 B packet size) in Mbps⁷ 1,000 1,000 3,000 5,000 10,000
    IPsec VPN (IMIX packet size) in Mbps⁷ 100 100 200 300 1,000
    IPsec VPN (1,400 B packet size) in Mbps⁷ 300 300 600 800 3,500
    Application visibility and control in Mbps⁸ 500 500 1,000 1,700 6,000
    Recommended IPS in Mbps⁸ 200 200 400 600 2,000
    Next-generation firewall in Mbps⁸ 100 100 200 300 1,000
    Route table size (RIB/FIB) (IPv4 or IPv6) 256,000/256,000 256,000/256,000 1 million/600,000⁹ 1 million/600,000⁹ 1 million/600,000⁹
    Maximum concurrent sessions (IPv4 or IPv6) 64,000 64,000 256,000 375,000 380,000
    Maximum security policies 1,000 1,000 2,000 4,000 4,000
    Connections per second 5,000 5,000 10,000 15,000 50,000
    NAT rules 1,000 1,000 2,000 2,000 3,000
    MAC table size 15,000 15,000 15,000 15,000 16,000
    IPsec VPN tunnels 256 256 1,024 2,048 2,048
    Number of remote access users 25 50 150 250 500
    GRE tunnels 256 256 512 1,024 2,048
    Maximum number of security zones 16 16 64 64 128
    Maximum number of virtual routers 32 32 64 128 128
    Maximum number of VLANs 1,000 1,000 2,000 3,000 3,000
    AppID sessions 16,000 16,000 64,000 64,000 64,000
    IPS sessions 16,000 16,000 64,000 64,000 64,000
    URLF sessions 16,000 16,000 64,000 64,000 64,000
    WAN Interface SRX300 SRX320 SRX340 SRX345 SRX380
    1 port T1/E1 MPIM (SRX-MP-1T1E1-R) No Yes Yes Yes Yes
    1 port VDSL2 Annex A/M MPIM (SRX-MP-1VDSL2-R) No Yes Yes Yes Yes
    1 port serial MPIM (SRX-MP-1SERIAL-R) No Yes Yes Yes Yes
    4G / LTE MPIM (SRX-MP-LTE-AA & SRX-MP-LTE-AE) No Yes Yes Yes Yes

    Additional Specification Features:

    Routing Protocols
    • IPv4, IPv6, ISO, Connectionless Network Service (CLNS)
    • Static routes
    • RIP v1/v2
    • OSPF/OSPF v3
    • BGP with Route Reflector
    • IS-IS
    • Multicast: Internet Group Management Protocol (IGMP) v1/v2, Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM), Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), Multicast Source Discovery Protocol (MSDP), Reverse Path Forwarding (RPF)
    • Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)
    • Virtual routers
    • Policy-based routing, source-based routing
    • Equal-cost multipath (ECMP)
    QoS Features
    • Support for 802.1p, DiffServ code point (DSCP), EXP
    • Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
    • Marking, policing, and shaping
    • Classification and scheduling
    • Weighted random early detection (WRED)
    • Guaranteed and maximum bandwidth
    • Ingress traffic policing
    • Virtual channels
    • Hierarchical shaping and policing
    Switching Features
    • ASIC-based Layer 2 Forwarding
    • MAC address learning
    • VLAN addressing and integrated routing and bridging (IRB) support
    • Link aggregation and LACP
    • LLDP and LLDP-MED
    • STP, RSTP, MSTP
    • MVRP
    • 802.1X authentication
    Firewall Services
    • Stateful and stateless firewall
    • Zone-based firewall
    • Screens and distributed denial of service (DDoS) protection
    • Protection from protocol and traffic anomaly
    • Integration with Pulse Unified Access Control (UAC)
    • Integration with Aruba ClearPass Policy Manager
    • User role-based firewall
    • SSL Inspection (Forward-proxy)
    Network Address Translation (NAT)
    • Source NAT with Port Address Translation (PAT)
    • Bidirectional 1:1 static NAT
    • Destination NAT with PAT
    • Persistent NAT
    • IPv6 address translation
    VPN Features
    • Tunnels: Generic routing encapsulation (GRE)³, IP-IP³, IPsec
    • Juniper Secure Connect: Remote access / SSL VPN
    • Configuration payload: Yes
    • IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    • IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
    • Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
    • IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
    • IPsec Authentication Algorithms: hmac-md5, hmac-sha1-96, hmac-sha-256
    • IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    • Perfect forward secrecy, anti-replay
    • Internet Key Exchange: IKEv1, IKEv2
    • Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
    • VPNs: GRE, IP-in-IP, and MPLS
    Network Services
    • Dynamic Host Configuration Protocol (DHCP) client/server/relay
    • Domain Name System (DNS) proxy, dynamic DNS (DDNS)
    • Juniper real-time performance monitoring (RPM) and IP-monitoring
    • Juniper flow monitoring (J-Flow)
    • Bidirectional Forwarding Detection (BFD)
    • Two-Way Active Measurement Protocol (TWAMP)
    • IEEE 802.3ah Link Fault Management (LFM)
    • IEEE 802.1ag Connectivity Fault Management (CFM)
    High Availability Features
    • Virtual Router Redundancy Protocol (VRRP)¹⁰
    • Stateful high availability
      • Dual box clustering
      • Active/passive
      • Active/active
      • Configuration synchronization
      • Firewall session synchronization
      • Device/link detection
      • In-Band Cluster Upgrade (ICU)
    • Dial on-demand backup interfaces
    • IP monitoring with route and interface failover
    Management, Automation, Logging, and Reporting
    • SSH, Telnet, SNMP
    • Smart image download
    • Juniper CLI and Web UI
    • Mist AI
      • Simplified management
      • WAN Assurance
    • Junos Space and Security Director
    • Python
    • Junos OS event, commit, and OP script
    • Application and bandwidth usage reporting
    • Auto installation
    • Debug and troubleshooting tools
    • Zero-Touch Provisioning with Contrail Service Orchestration
    Advanced Routing Services
    • Packet mode
    • MPLS (RSVP, LDP)
    • Circuit cross-connect (CCC), translational cross-connect (TCC)
    • L2/L3 MPLS VPN, pseudowires
    • Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
    • MPLS traffic engineering and MPLS fast reroute
    Application Security Services¹⁰
    • Application visibility and control
    • Application-based firewall
    • Application QoS
    • Application-based advanced policy-based routing
    • Application quality of experience (AppQoE)
    Enhanced SD-WAN Services
    • Application-based advanced policy-based routing (APBR)
    • Application-based link monitoring and switchover with Application quality of experience (AppQoE)
    Threat Defense and Intelligence Services¹⁰
    • Intrusion prevention
    • Antivirus
    • Antispam
    • Category/reputation-based URL filtering
    • Protection from botnets (command and control)
    • Adaptive enforcement based on GeoIP
    • Juniper Advanced Threat Prevention to detect and block zero-day attacks
    • Adaptive Threat Profiling
    • Encrypted Traffic Insights
    • SecIntel to provide threat intelligence

    1 SRX320 with PoE+ ports available as a separate SKU: SRX320-POE.
    2 SRX345 with dual AC PSU model.
    3 SRX320 non PoE model.
    4 SRX320-POE with 6 ports PoE+ model.
    5 SRX345 with DC power supply (operating temperature as per GR-63 Issue 4 2012 test criteria).
    6 As per GR63 Issue 4 (2012) test criteria.
    7 Throughput numbers based on UDP packets and RFC2544 test methodology.
    8 Throughput numbers based on HTTP traffic with 44 KB transaction size.
    9 Route scaling numbers are with enhanced route-scale features turned on.
    10 Offered as advanced security services subscription licenses.

  • Product Overview

    The SRX550M Firewall combines security, SD-WAN, routing, switching, and WAN interfaces with next-generation firewall and advanced threat mitigation capabilities for secure, cost-effective connectivity across distributed enterprise locations. By consolidating fast, highly available switching, routing, security, and next-generation firewall in a single device, enterprises can remove network complexity, protect and prioritize their resources, and improve user and application experience while lowering total cost of ownership.

    Product Description

    Juniper Networks® SRX550M Firewall delivers a next-generation secure SD-WAN and security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services and applications across locations, connecting to the cloud, or trying to achieve operational efficiency, the SRX550M helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. Next-generation firewall (NGFW) and advanced security also make it easier to detect and proactively mitigate threats to improve the user and application experience.  

    Architecture and Key Components

    The SRX550M Firewall is a secure router that brings high performance and proven deployment capabilities to enterprises building a worldwide network composed of thousands of remote sites. WAN or Internet connectivity module options include:
    • Ethernet, serial, T1/E1, ADSL2/2+, and VDSL
    • 3G/4G LTE wireless
    • 802.11ac Wave 2 Wi-Fi
    Industry-best, high-performance IPsec VPN solutions provide comprehensive encryption and authentication capabilities to secure intersite communications. Multiple form factors that offer Ethernet switching support on native Gigabit Ethernet ports allow cost-effective choices for mission-critical deployments. The SRX550M Firewall runs Junos® operating system, a proven, carrier-hardened network OS that powers the top 100 service provider networks around the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven in over 15 years of worldwide deployments. The automation and scripting capabilities of Junos OS and Junos Space® Security Director reduce operational complexity and simplify the provisioning of new sites. The SRX550M recognizes more than 4,275 Layer 3-7 applications, including Web 2.0 and evasive peer-to-peer (P2P) applications like Skype, torrents, and others. Correlating application information with user contextual information, the SRX550M can generate bandwidth usage reports, enforce access control policies, prioritize and rate-limit traffic exiting WAN interfaces, and proactively secure remote sites. This optimizes resources in the branch office and improves the application and user experience.  

    Mist AI

    WAN Assurance

    Mist WAN Assurance is a cloud service that brings AI-powered automation and service levels to Juniper SRX Series Firewalls, complementing the Juniper Secure SD-WAN solution. Mist WAN Assurance transforms IT operations from reactive troubleshooting to proactive remediation, turning insights into actions and delivering operational simplicity with seamless integration into existing deployments.
    • SRX Series firewalls, deployed as secure SD-WAN edge devices, deliver the rich Junos streaming telemetry that provides the insights needed for WAN health metrics and anomaly detection. This data is leveraged within the Mist Cloud and AI engine, driving simpler operations, reducing mean time to repair (MTTR) and providing greater visibility into end-user experiences.
    • Insights derived from SRX Series SD-WAN gateway telemetry data allow WAN Assurance to compute unique “User Minutes” that indicate whether users are having a good experience.
    • The Marvis assistant for WAN allows you to ask direct questions like “Why is my Zoom call bad?” and provides complete insights, correlation, and actions.
    • Marvis Actions identifies and summarizes issues such as application latency conditions, congested WAN circuits, or negotiation mismatches.
     

    Simplifying Branch Deployments (Secure Connectivity/SD-WAN)

    The SRX550M line delivers fully automated SD-WAN to both enterprises and service providers.
    • A Zero-Touch Provisioning (ZTP) feature simplifies branch network connectivity for initial deployment and ongoing management.
    • SRX550M firewalls offer best-in-class secure connectivity.
    • The SRX550M firewall efficiently utilizes multiple links and load balances traffic across the enterprise WAN, blending traditional MPLS with other connectivity options such as broadband internet, leased lines, 4G/LTE, and more.
    • Policy- and application-based forwarding capabilities enforce business rules created by the enterprise to steer application traffic towards a preferred path.
     

    Comprehensive Security Suite

    At the perimeter, the SRX550M offers a comprehensive suite of application security services, threat defenses, and intelligence services. The services consist of intrusion prevention system (IPS), application security, user role-based firewall controls, and cloud-based antivirus, antispam, and enhanced Web filtering, protecting networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks SecIntel offers adaptive threat protection against Command and Control (C&C)-related botnets and policy enforcement based on GeoIP. Customers can also leverage their own custom and third-party feeds for protection from advanced malware and other threats. Integrating the Juniper Advanced Threat Protection solution, the SRX550M detects and enforces automated protection against known malware and zero-day threats with a high degree of accuracy.

    Industry-Certified Junos Operating System

    SRX550M Firewalls run the Junos operating system, a proven, carrier-hardened OS that powers the top 100 service provider networks in the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven over 15 years of worldwide deployments. The SRX550M enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management.  

    Features and Benefits

    Business Requirement | Feature/Solution | SRX550M Advantages
    High performance | Up to 7 Gbps of routing and firewall performance
    • Meets the needs of small, medium, and large branch office deployments
    • Addresses future needs for scale and feature capacity
    Business continuity | Stateful high availability (HA), IP monitoring
    • Uses stateful HA to synchronize configuration and firewall sessions
    • Supports multiple WAN interfaces with dial-on-demand backup
    • Performs route/link failover based on real-time link performance
    SD-WAN | Better end-user application and cloud experience and lower operational costs
    • ZTP simplifies remote device provisioning
    • Orchestrates business intent policies across the enterprise WAN via centralized or local advanced policy-based routing (APBR)
    • Measures application service-level agreements (SLAs) and improves end-user experience through application quality of experience (AppQoE)
    • Detects 4,275 Layer 3-7 applications, including Web 2.0
    • Inspects and detects applications in SSL-encrypted traffic
    • Controls and prioritizes traffic based on application and user role
    End-user experience | WAN assurance
    • Provides AI-powered automation and service levels that complement the Juniper secure SD-WAN solution
    • Provides visibility and insights into users, applications, WAN links, controls, and data plane CPU for proactive remediation
    High security | IPsec VPN, Remote Access/SSL VPN, Media Access Control Security (MACsec)
    • Creates secure, reliable, and fast overlay link over public Internet
    • Employs anti-counterfeit features to defend against unauthorized hardware spares
    • Includes high-performance CPU with built-in hardware assist IPsec acceleration
    • Offers secure and flexible remote access SSL VPN with Juniper Secure Connect
    Threat protection | IPS, antivirus, antispam, enhanced web filtering, Juniper Advanced Threat Prevention Cloud, Encrypted Traffic Insights, and Threat Intelligence Feeds
    • Provides real-time updates to IPS signatures and protects against exploits
    • Implements industry-leading antivirus and URL filtering
    • Protects against zero-day attacks
    • Integrates open threat intelligence platform with third-party feeds
    • Restores visibility that was lost due to encryption without the heavy burden of full TLS/SSL decryption
    Easy management and scale | On-box GUI, Security Director
    • Includes centralized management for autoprovisioning, firewall policy management, Network Address Translation (NAT), and IPsec VPN deployments
    • Includes simple, easy-to-use on-box GUI for local management
    Minimal TCO | Junos OS
    • Integrates routing, switching, and security in a single device
    • Reduces operational expense with Junos OS automation capabilities
     

    SRX550M Specifications

    Software Specifications

    Routing Protocols

    • IPv4, IPv6, ISO, Connectionless Network Service (CLNS)
    • Static routes
    • RIP v1/v2
    • OSPF/OSPF v3
    • BGP with route reflector
    • IS-IS
    • Multicast: Internet Group Management Protocol (IGMP) v1/v2, Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM), Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), Multicast Source Discovery Protocol (MSDP), Reverse Path Forwarding (RPF)
    • Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)
    • Virtual routers
    • Policy-based routing, source-based routing
    • Equal-cost multipath (ECMP)
     

    QoS Features

    • Support for 802.1p, DiffServ code point (DSCP), EXP
    • Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
    • Marking, policing, and shaping
    • Classification and scheduling
    • Weighted random early detection (WRED)
    • Guaranteed and maximum bandwidth
    • Ingress traffic policing
    • Virtual channels
    • Hierarchical shaping and policing
     

    Switching Features

    • ASIC-based Layer 2 forwarding
    • MAC address learning
    • VLAN addressing and integrated routing and bridging (IRB) support
    • Link aggregation and LACP
    • Link Layer Discovery Protocol (LLDP) and Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED)
    • Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), Multiple Spanning Tree Protocol (MSTP)
    • Multiple VLAN Registration Protocol (MVRP)
    • 802.1X authentication
     

    Firewall Services

    • Stateful and stateless firewall
    • Zone-based firewall
    • Screens and distributed denial of service (DDoS) protection
    • Protection from protocol and traffic anomaly
    • Integration with Pulse Unified Access Control (UAC)
    • Integration with Aruba ClearPass Policy Manager
    • User role-based firewall
    • SSL Inspection (forward-proxy)
     

    Network Address Translation (NAT)

    • Source NAT with Port Address Translation (PAT)
    • Bidirectional 1:1 static NAT
    • Destination NAT with PAT
    • Persistent NAT
    • IPv6 address translation
     

    VPN Features

    • Tunnels: Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4/IPv6/Dual Stack)
    • Juniper Secure Connect: Remote access/SSL VPN
    • Configuration payload: Yes
    • IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    • IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
    • Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
    • IPsec (Internet Protocol Security): Authentication Header (AH)/Encapsulating Security Payload (ESP) protocol
    • IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
    • IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
    • Perfect forward secrecy, anti-replay
    • Internet Key Exchange: IKEv1, IKEv2
    • Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
    • VPNs: GRE, IP-in-IP, and MPLS
     

    Network Services

    • Dynamic Host Configuration Protocol (DHCP) client/server/relay
    • Domain Name System (DNS) proxy, dynamic DNS (DDNS)
    • Juniper real-time performance monitoring (RPM) and IP-monitoring
    • Juniper flow monitoring (J-Flow)
    • Bidirectional Forwarding Detection (BFD)
    • Two-Way Active Measurement Protocol (TWAMP)
    • IEEE 802.3ah Link Fault Management (LFM)
    • IEEE 802.1ag Connectivity Fault Management (CFM)
     

    High Availability Features

    • Virtual Router Redundancy Protocol (VRRP)
    • Stateful high availability
    • Dual box clustering
    • Active/passive
    • Active/active
    • Configuration synchronization
    • Firewall session synchronization
    • Device/link detection
    • In-Band Cluster Upgrade (ICU)
    • Dial on-demand backup interfaces
    • IP monitoring with route and interface failover
     

    Management, Automation, Logging, and Reporting

    • SSH, Telnet, SNMP
    • Smart image download
    • Juniper CLI and Web UI
    • Mist AI
      • Simplified management
      • WAN Assurance
    • Junos Space and Security Director
    • Python, PyEZ, and Ansible modules
    • Junos OS event, commit, and OP script
    • Application and bandwidth usage reporting
    • Auto installation
    • Debug and troubleshooting tools
    • ZTP with Contrail Service Orchestration
     

    Advanced Routing Services

    • Packet mode
    • MPLS (RSVP, LDP)
    • Circuit cross-connect (CCC), translational cross-connect (TCC)
    • L2/L3 MPLS VPN, pseudowires
    • Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)
    • MPLS traffic engineering and MPLS fast reroute
     

    Application Security Services¹

    • Application visibility and control
    • Application-based firewall
    • Application QoS
     

    Enhanced SD-WAN Services

    • Application-based advanced policy-based routing (APBR)
    • Application quality of experience (AppQoE)
    • Application-based link monitoring and switchover with AppQoE
     

    Threat Defense and Intelligence Services¹

    • Intrusion prevention system (IPS)
    • Antivirus
    • Antispam
    • Category/reputation-based URL filtering
    • Protection from botnets (command and control)
    • Adaptive enforcement based on GeoIP
    • Juniper Advanced Threat Prevention to detect and block zero-day attacks
    • Adaptive Threat Profiling
    • Encrypted Traffic Insights
    • Juniper SecIntel to provide threat intelligence
     
    ¹ Offered as advanced security services subscription licenses.

    Hardware Specifications

    Network Connectivity

    • Fixed I/O: 6 x 10/100/1000 BASE-T + 4 small form-factor pluggable transceivers (SFP transceivers)
    • I/O slots: 2 x SRX Series Mini-PIM, 6 x Gigabit-Backplane Physical Interface Module (GPIM) or multiple GPIM and XPIM combinations
    • Services and Routing Engine slots: No
    • WAN/LAN interface options: See ordering information
    • Maximum number of PoE ports (PoE optional on some SRX Series models): Up to 40 ports of 802.3af/at with maximum 247 W
    • USB: 2
     

    Flash and Memory

    • Memory (DRAM): 4 GB
    • Memory slots: 2 DIMM
    • Flash memory: 8 GB, CF internal
    • USB port for external storage: Yes
     

    Dimensions and Power

    • Dimensions (W x H x D): 17.5 x 3.5 x 18.2 in (44.4 x 8.8 x 46.2 cm)
    • Weight (device and power supply): 21.96 lb (9.96 kg) (no interface modules, 1 power supply)
    • Rack-mountable: Yes, 2 U
    • Power supply (AC): 100-240 VAC, single 645 W or dual 645 W
    • Maximum PoE power: 247 W redundant, or 494 W non-redundant
    • Average power consumption: 85 W
    • Input frequency: 50-60 Hz
    • Maximum current consumption: 7.5 A @ 100 VAC with single PSU with PoE, 10.5 A @ 100 VAC with dual PSU with PoE
    • Maximum inrush current: 45 A for half-cycle
    • Average heat dissipation: 238 BTU/hr
    • Maximum heat dissipation: 1449 BTU/hr
    • Redundant power supply (hot swappable): Yes (up to maximum capacity of single PSU)
    • Acoustic noise level (per ISO 7779 Standard): 51.8 dB
     

    Environmental, Compliance, and Safety Certification

    • Operational temperature: 32° to 104° F (0° to 40° C)
    • Nonoperational temperature: 4° to 158° F (-20° to 70° C)
    • Humidity (operating): 10% to 90% noncondensing
    • Humidity (nonoperating): 5% to 95% noncondensing
    • Mean time between failures (Telcordia model): 9.6 years with redundant power
    • FCC classification: Class A
    • RoHS compliance: Yes
     

    Performance and Scale

    • Firewall performance (large packets)²: 7 Gbps
    • Firewall performance (IMIX)²: 2 Gbps
    • Firewall + routing pps (64 Byte)²: 700 Kpps
    • Firewall performance (HTTP)³: 2 Gbps
    • IPsec VPN throughput (large packets): 1.0 Gbps
    • IPsec VPN tunnels: 2000
    • Application firewall⁴: 2.0 Gbps
    • Intrusion prevention system (IPS)³: 800 Mbps
    • Antivirus: 300 Mbps (Sophos antivirus)
    • Connections per second: 27,000
    • Maximum concurrent sessions: 375,000
    • Maximum security policies: 8000
    • Maximum users supported: Unrestricted
    • Route table size (RIB/FIB) (IPv4 or IPv6): 1.5 million/750,000
    • NAT rules: 6144
    • MAC table size: 15,000
    • Number of remote access/SSL VPN (concurrent) users: 500
    • GRE tunnels: 1500
    • Maximum number of security zones: 96
    • Maximum number of virtual routers: 128
    • Maximum number of VLANs: 3967
    • AppID sessions: 65,000
    • IPS sessions: 64,000
    • URL filtering (URLF) sessions: 64,000
     
    ² Throughput numbers based on UDP packets and RFC2544 test methodology
    ³ Throughput numbers based on HTTP traffic with 44 KB transaction size

    Juniper Networks Services and Support

    Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https://www.juniper.net/us/en/products.html.  

    Ordering Information

    To order Juniper Networks SRX Series Firewalls, and to access software licensing information, please visit the How to Buy page at https://www.juniper.net/us/en/how-to-buy/form.html.
    Product Number Description
    SRX550M Base System
    SRX550-645AP-M SRX550M Firewall with 4 GB DRAM and 8 GB CF, 2 U height, 6 GPIM slots, 2 Mini-PIM slots, 6 10/100/1000BASE-T ports, 4 GbE SFP ports, dual PS slots, and fans; ships with one 645 W AC power supply with 247 W PoE power (power cord and rack-mount kit included)
    SRX550-645DP-M SRX550M Firewall with 4 GB DRAM and 8 GB CF, 2 U height, 6 GPIM slots, 2 Mini-PIM slots, 6 10/100/1000BASE-T ports, 4 GbE SFP ports, dual PS slots, and fans; ships with one 645 W DC power supply with 247 W PoE power (no power cord or rack-mount kit included)
    SRX550M Power Supplies and Accessories
    SRX600-PWR-645AC-POE Spare 645 W AC PoE power supply unit for SRX550M systems; one is included in SRX550M base system (SRX550M-645AC)
    SRX600-PWR-645DC-POE 645 W DC source power supply for SRX550M provides 397 W system power @ 12 V and 248 W PoE power @ 50 VDC; works with 43-56 VDC input; no power cord
    SRX550-CHAS-M SRX550M Firewall, 2 U height, 6 GPIM slots, 2 Mini-PIM slots, 6 10/100/1000BASE-T ports, 4 GbE SFP ports, dual PS slots, and fans (power supply not included)
    SRX550M Software Licenses
    SRX550-IDP One-year subscription for intrusion detection and prevention (IDP) updates on SRX550M
    SRX550-S2-AS One-year subscription for Juniper-Sophos antispam updates on SRX550M
    SRX550-W-EWF One-year subscription for Juniper Web filtering updates on SRX550M
    SRX550-S-SMB4-CS One-year security subscription for enterprise; includes Sophos antivirus, enhanced Web filtering, Sophos antispam, AppSecure, and IDP on SRX550M
    SRX550-ATP-1 One-year subscription for Advanced Threat Prevention Cloud for SRX550M
    SRX550-S-AV-3 Three-year subscription for Juniper-Sophos antivirus updates on SRX550M
    SRX550-IDP-3 Three-year subscription for IDP updates on SRX550M
    SRX550-S2-AS-3 Three-year subscription for Juniper-Sophos antispam updates on SRX550M
    SRX550-W-EWF-3 Three-year subscription for Juniper Web filtering updates on SRX550M
    SRX550-S-SMB4-CS-3 Three-year security subscription for enterprise; includes Sophos antivirus, enhanced Web filtering, Sophos antispam, AppSecure, and IDP on SRX550M
    SRX550-ATP-3 Three-year subscription for Advanced Threat Prevention Cloud for SRX550M
    SRX550-IDP-5 Five-year license for IDP updates on SRX550M
    SRX550-W-EWF-5 Five-year subscription for Juniper Web filtering updates on SRX550M
    SRX550-S-SMB4-CS-5 Five-year security subscription for enterprise; includes Sophos antivirus, enhanced Web filtering, Sophos antispam, AppSecure, and IDP on SRX550M
    SRX550-APPSEC-A-1 One-year subscription for Application Security and IPS updates for SRX550M
    SRX550-APPSEC-A-3 Three-year subscription for Application Security and IPS updates for SRX550M
    SRX550-APPSEC-A-5 Five-year subscription for Application Security and IPS updates for SRX550M
    SRX550-ATP-5 Five-year subscription for Advanced Threat Prevention Cloud for SRX550
    Remote Access/Juniper Secure Connect VPN Licenses
    S-RA3-5CCU-S-1 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-25CCU-S-1 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-50CCU-S-1 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-100CCU-S-1 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-250CCU-S-1 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 1 Year
    S-RA3-500CCU-S-1 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year
    S-RA3-5CCU-S-3 SW, Remote Access VPN - Juniper, 5 Concurrent Users, Standard, with SW support, 3 Year
    S-RA3-25CCU-S-3 SW, Remote Access VPN - Juniper, 25 Concurrent Users, Standard, with SW support, 3 Year
    S-RA3-50CCU-S-3 SW, Remote Access VPN - Juniper, 50 Concurrent Users, Standard, with SW support, 3 Year
    S-RA3-100CCU-S-3 SW, Remote Access VPN - Juniper, 100 Concurrent Users, Standard, with SW support, 3 Year
    S-RA3-250CCU-S-3 SW, Remote Access VPN - Juniper, 250 Concurrent Users, Standard, with SW support, 3 Year
    S-RA3-500CCU-S-3 SW, Remote Access VPN - Juniper, 500 Concurrent Users, Standard, with SW support, 3 Year
    Interface Modules
    SRX-GP-16GE-POE 16-port 10/100/1000BASE-T PoE XPIM
    SRX-GP-8SFP 8-port GbE copper, fiber SFP XPIM
    SRX-GP-DUAL-T1-E1 Dual T1/E1 GPIM
    SRX-GP-QUAD-T1-E1 Quad T1/E1 GPIM
    SRX-GP-1DS3-E3 1-port clear channel DS3/E3 GPIM single GPIM slot
    SRX-MP-1T1E1-R 1 port T1E1, MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls; ROHS compliant
    SRX-MP-1VDSL2-R 1 port VDSL2 (backward compatible with ADSL/ADSL2+), MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls; ROHS compliant
    SRX-MP-1SERIAL-R 1 port Synchronous Serial, MPIM form factor supported on SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls; ROHS compliant
    SRX-MP-LTE-AA 4G/LTE MPIM support for 1, 3, 5, 7-8, 18-19, 21, 28, 38-41 LTE bands (for Asia and Australia); supported on SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls
    SRX-MP-LTE-AE 4G/LTE MPIM support for 1-5, 7-8, 12-13, 30, 25-26, 29-30, 41 LTE bands (for Americas and EMEA); supported on SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls
    SRX-MP-WLAN-US Wireless access point (Wi-Fi) MPIM for SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls; supported for U.S. regulatory bands only
    SRX-MP-WLAN-WW Wireless access point (Wi-Fi) MPIM for SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls; supported for worldwide regulatory bands (excluding U.S. and Israel)
    SRX-MP-WLAN-IL Wireless access point (Wi-Fi) MPIM for SRX320, SRX340, SRX345, SRX380, and SRX550M Firewalls; supported for Israel regulatory bands only
    SRX-MP-ANT-EXT Antenna extension cable for WLAN MPIM on SRX Series platforms
  • Product Overview

    The EX4100 line of Ethernet access switches offers secure, cloud-ready access for enterprise campus, branch, and data center networks, built for the AI era and optimized for the cloud. These platforms boost network performance and visibility, meeting the security demands of today's networks as well as those of the next decade. As part of the underlying infrastructure for Juniper Mist Wired Assurance, the EX4100 line is purpose-built for, and managed by, the cloud. The switches leverage Mist AI to simplify operations and provide better visibility into the experience of connected devices, delivering a refreshing, experience-first approach to access layer switching.

    Product Description

    The Juniper Networks® EX4100 line of Ethernet Switches offers a secure, cloud-ready portfolio of access switches ideal for enterprise branch, campus, and data center networks. The EX4100 switches combine the simplicity of the cloud, the power of Mist AI, and a robust hardware foundation with best-in-class security and performance to deliver a differentiated approach to access switching in the cloud, mobile, and IoT era. With Juniper® Mist Wired Assurance, the EX4100 line of Switches can be effortlessly onboarded, configured, and managed from the cloud. This simplifies operations, improves visibility, and ensures a much better experience for connected devices. Key features of the EX4100 include:
    • Cloud-ready, driven by Mist AI with Juniper Mist Wired Assurance and Marvis Virtual Network Assistant
    • Ethernet VPN–Virtual Extensible LAN (EVPN-VXLAN) to the access layer
    • Standards-based microsegmentation using group-based policies (GBPs)
    • Switch-to-switch encryption using Media Access Control Security (MACsec) AES256
    • IEEE 802.3bt Power over Ethernet Plus (PoE++)
    • Flow-based telemetry to monitor traffic flows for anomaly detection, with the ability to measure packet delays and report drop reasons
    • Precision Timing Protocol–Transparent Clock
    • 10-member Virtual Chassis support
    Offering a full suite of Layer 2 and Layer 3 capabilities, the EX4100 enables multiple deployments, including campus, branch, and data center top-of-rack deployments. As scale requirements increase, Juniper’s Virtual Chassis technology allows up to 10 EX4100 switches to be seamlessly interconnected and managed as a single device, delivering a scalable, pay-as-you-grow solution for expanding network environments. The EX4100 family of Ethernet switches consists of the following models:
    • The EX4100-48MP, which offers 16 x 100 MB/1GbE/2.5GbE and 32 x 10 MB/100 MB/1GbE Power over Ethernet (PoE++) access ports, delivering up to 90 W per PoE port with an overall total 1620 W of PoE power budget (using two power supplies)
    • The EX4100-24MP, which offers 8 x 100 MB/1GbE/2.5GbE/5GbE/10GbE and 16 x 10 MB/100 MB/1GbE PoE++ access ports, delivering up to 90 W per port with an overall total 1620 W of PoE power budget (using two power supplies)
    • The EX4100-24T, which offers 24 x 1GbE non-PoE access ports
    • The EX4100-24P, which offers 24 x 1GbE PoE+ access ports, delivering up to 30 W per port with an overall total 1440 W of PoE power budget (using two power supplies)
    • The EX4100-48T, which offers 48 x 1GbE non-PoE access ports
    • The EX4100-48P, which offers 48 x 1GbE PoE+ access ports, delivering up to 30 W per port with an overall total 1440 W of PoE power budget (using two power supplies)
    Each EX4100 model offers 4 x 1/10GbE small form-factor pluggable plus transceiver (SFP+) fixed uplink ports. The EX4100 switches include 4 x 10GbE/25GbE SFP28 ports to support Virtual Chassis connections, which can be reconfigured for use as Ethernet ports for uplink connectivity. EX4100 switches also include high availability (HA) features such as redundant, hot-swappable power supplies and field-replaceable fans to ensure maximum uptime. In addition, -24 port and -48 port Multi-Gigabit Ethernet EX4100 switch models offer standards-based 802.3af/at/bt (PoE/PoE+/PoE++) for delivering up to 90 watts on any access port. The EX4100 switches can be configured to deliver fast PoE capability, which enables the switches to deliver PoE power to connected PoE devices within a few seconds of power being applied to the switches.  

    Architecture and Key Components

    Cloud Management with Juniper Mist Wired Assurance Driven by Mist AI

    EX4100 switches can be quickly and easily onboarded (Day 0), provisioned (Day 1), and managed (Day 2+) from the cloud with Juniper Mist Wired Assurance, which brings AI-powered automation and insights that optimize experiences for end users and connected devices. The EX4100 provides rich Junos® operating system telemetry data for Mist AI, which helps achieve simpler operations, shorter mean time to repair (MTTR), and streamlined troubleshooting. For more information, read the Juniper Mist Wired Assurance datasheet. In addition to Juniper Mist Wired Assurance, Marvis Virtual Network Assistant, a key part of The Self-Driving Network™, makes the Mist AI engine interactive. A digital extension of the IT team, Marvis offers automatic fixes or recommended actions, allowing IT teams to streamline how they troubleshoot and manage their network operations.
    Figure 1: EX4100 Virtual Chassis configuration interconnected via dedicated front-panel 25GbE ports

    EVPN-VXLAN Technology

    Most traditional campus networks have a single-vendor, chassis-based architecture that worked well for smaller, static campuses with few endpoints. However, this approach is too rigid to support the changing needs of modern campus networks. The EX4100 supports EVPN-VXLAN, extending an end-to-end fabric from campus core to distribution to the access layer. An EVPN-VXLAN fabric is a simple, programmable, highly scalable architecture built on open standards. This technology can be applied in both data centers and campuses for architectural consistency. A campus EVPN-VXLAN architecture uses a Layer 3 IP-based underlay network and an EVPN-VXLAN overlay network. A flexible overlay network based on a VXLAN overlay with an EVPN control plane efficiently provides Layer 2 and/or Layer 3 connectivity throughout the network. EVPN-VXLAN also offers a scalable way to build and interconnect multiple campus sites, delivering:
    • Greater consistency and scalability across all network layers
    • Multivendor deployment support
    • Reduced flooding and learning
    • Location-agnostic connectivity
    • Consistent network segmentation
    • Simplified management
     

    Virtual Chassis Technology

    Juniper’s Virtual Chassis technology allows multiple interconnected switches to operate as a single, logical unit, enabling users to manage all platforms as one virtual device. Up to 10 EX4100 switches can be interconnected as a Virtual Chassis using 4 x 25GbE SFP28 dedicated front-panel ports. Although configured as Virtual Chassis ports by default, the 4 x 25GbE SFP28 uplinks can also be configured as uplink ports. The EX4100 switches can form a Virtual Chassis with any other models within the EX4100 product line.  

    Microsegmentation Using Group-Based Policy

    GBP leverages underlying VXLAN technology to provide location-agnostic endpoint access control. This allows network administrators to implement consistent security policies across the enterprise network domains. The EX4100 supports a standards-based GBP solution, allowing different levels of access control for endpoints and applications even within the same VLAN. Customers can simplify their network configuration by using GBP, avoiding the need to configure large numbers of firewall filters on all their switches. GBP can block lateral threats by ensuring consistent application of security group policies throughout the network, regardless of the location of endpoints and/or users.  

    Flow-Based Telemetry

    Flow-based telemetry enables flow-level analytics, allowing network administrators to monitor thousands of traffic flows on the EX4100 without burdening the CPU. This improves network security by monitoring, baselining, and detecting flow anomalies. For example, if predefined flow thresholds are breached due to an attack, IP Flow Information Export (IPFIX) alerts can be sent to an external server to quickly identify the attack. Network administrators can also automate specific workflows, such as further examining the traffic or quarantining a port, to triage the issue. In addition to detecting DoS attacks, flow-based telemetry on EX4100 switches can measure packet delays at ingress, chip, and egress points, as well as report drop reasons.

    Features and Benefits

    Simplified Operations with Juniper Mist Wired Assurance

    The EX4100 is fully cloud onboarded, provisioned, and managed by Juniper Mist Wired Assurance. The EX4100 is designed from the ground up to deliver the rich telemetry that enables AI for IT Operations (AIOps) with simplified operations from Day 0 to Day 2 and beyond. Juniper Mist Wired Assurance provides detailed switch insights for easier troubleshooting and improved time to resolution by offering the following features:
    • Day 0 operations—Onboard switches seamlessly by claiming a greenfield switch or adopting a brownfield switch with a single activation code for true plug-and-play simplicity.
    • Day 1 operations—Implement a template-based configuration model for bulk rollouts of traditional and campus fabric deployments, while retaining the flexibility and control required to apply custom site- or switch-specific attributes. Automate provisioning of ports via Dynamic Port Profiles.
    • Day 2 operations—Leverage the AI in Juniper Mist Wired Assurance to meet service-level expectations such as throughput, successful connects, and switch health with key pre- and post-connection metrics (see Figure 1). Add the self-driving capabilities in Marvis Actions to detect loops, add missing VLANs, fix misconfigured ports, identify bad cables, isolate flapping ports, and discover persistently failing clients (see Figure 2). And perform software upgrades easily through Juniper Mist Cloud.
     
    Figure 2: Juniper Mist Wired Assurance service-level expectations screen
    Figure 3: Marvis Actions for wired switches
    The complimentary addition of Marvis Virtual Network Assistant, driven by Mist AI, lets you start building a Self-Driving Network that simplifies network operations and streamlines troubleshooting via automatic fixes for Juniper Networks EX Series Switches or recommended actions for external systems. For more information, see Juniper Mist Wired Assurance.  

    Campus Fabric Deployments

    EVPN-VXLAN for Campus Core, Distribution, and Access

    The main advantages of EVPN-VXLAN in campus networks are:
    • Flexibility of consistent VLANs across the network: Endpoints can be placed anywhere in the network and remain connected to the same logical L2 network, enabling a virtual topology to be decoupled from the physical topology.
    • Microsegmentation: The EVPN-VXLAN-based architecture lets you deploy a common set of policies and services across campuses with support for L2 and L3VPNs.
    • Scalability: With an EVPN control plane, enterprises can scale out easily by adding more core, aggregation, and access layer devices as the business grows without having to redesign the network or perform a forklift upgrade. Using an L3 IP-based underlay coupled with an EVPN-VXLAN overlay, campus network operators can deploy much larger and more resilient networks than would otherwise be possible with traditional L2 Ethernet-based architectures.
    Juniper offers complete flexibility in choosing any of the following validated EVPN-VXLAN campus fabrics that cater to networks of different sizes, scale, and segmentation requirements:
    • EVPN multihoming (on collapsed core or distribution): A collapsed core architecture combines the core and distribution layers into a single layer, turning the traditional three-tier hierarchical network into a two-tier network. EVPN multihoming on a collapsed core eliminates the need for Spanning Tree Protocol (STP) across campus networks by providing link aggregation capabilities from the access layer to the core layer. This topology is best suited for small to medium distributed enterprise networks and allows for consistent VLANs across the network. This topology uses ESI (Ethernet Segment Identifier) LAG (Link Aggregation) and is a standards-based protocol.
    • Campus Fabric Core distribution: When EVPN-VXLAN is configured across core and distribution layers, it becomes a campus Fabric Core Distribution architecture, which can be configured in two modes: centrally or edge routed bridging overlay. This architecture provides an opportunity for an administrator to move towards campus-fabric IP Clos without a forklift upgrade of all access switches in the existing network, while bringing in the advantages of moving to a campus fabric and providing an easy way to scale out the network.
    • Campus Fabric IP Clos: When EVPN-VXLAN is configured on all layers including access, it is called the campus fabric IP Clos architecture. This model is also referred to as “end-to-end,” given that VXLAN tunnels are terminated at the access layer. Due to the availability of VXLAN at access, it provides us with the opportunity to bring policy enforcement to the access layer (closest to the source) using Group Based Policy (GBP). Standards-based GBP tags bring the unique option to segment traffic both at a micro and macro level. GBP tags are assigned dynamically to clients as part of the RADIUS transaction by Mist Cloud NAC. This topology works for small-medium and large campus architectures that need macro and micro segmentation.
    Figure 4: Campus fabrics showing Virtual Chassis and EVPN-VXLAN-based architectures
    All three topologies are standards-based and interoperable with third-party vendors. The EX4100 switches can be deployed in campus and branch access layer networks in the EVPN-VXLAN architectures shown in Figure 4.  

    Managing AI-Driven Campus Fabric with the Juniper Mist Cloud

    Juniper Mist Wired Assurance brings cloud management and Mist AI to the campus fabric. It sets a new standard that moves away from traditional network management towards AI-driven operations, while delivering better experiences to connected devices. Juniper Mist Cloud streamlines deployment and management of campus fabric architectures by allowing:
    • Automated deployment and zero-touch deployment (ZTD)
    • Anomaly detection
    • Root cause analysis
     
    Figure 5: EVPN multihoming configuration via the Juniper Mist cloud

    Chassis-Class Availability

    The EX4100 switches deliver high availability through redundant power supplies and fans, graceful Routing Engine switchover (GRES), and nonstop bridging and routing when deployed in a Virtual Chassis configuration. In a Virtual Chassis configuration, each EX4100 switch is capable of functioning as a Routing Engine (RE). When two or more EX4100 switches are interconnected, a single control plane is shared among all Virtual Chassis member switches. Junos OS automatically initiates an election process to assign a primary (active) and backup (hot-standby) RE. An integrated L2 and L3 GRES feature maintains uninterrupted access to applications, services, and IP communications in the unlikely event of a primary RE failure. When more than two switches are interconnected in a Virtual Chassis configuration, the remaining switch elements act as line cards and are available to assume the backup RE position should the designated primary RE fail. Primary, backup, and line card priority status can be assigned to dictate the order of ascension; this N+1 RE redundancy, coupled with the GRES, nonstop active routing (NSR), and nonstop bridging (NSB) capabilities of Junos OS, assures a smooth transfer of control plane functions following unexpected failures. The EX4100 implements the same slot/module/port numbering scheme as other Juniper chassis-based products when numbering Virtual Chassis ports, providing true chassis-like operations. By using a consistent operating system and a single configuration file, all switches in a Virtual Chassis configuration are treated as a single device, greatly simplifying overall system maintenance and management. Individually, the EX4100 offers a number of HA features that are typically associated with modular chassis-based switches. When combined with the field-proven Junos OS and L2/L3 failover capabilities, these features provide the EX4100 with true carrier-class reliability.
    • Redundant power supplies: The EX4100 line of switches supports redundant, load-sharing, hot-swappable, and field-replaceable power supplies to maintain uninterrupted operations. Thanks to its compact footprint, the EX4100 requires significantly less power than chassis-based switches delivering equivalent port densities.
    • Hot-swappable fans: The EX4100 includes hot-swappable fans, providing sufficient cooling (for a short duration) even if one of the fans were to fail.
    • Nonstop bridging and nonstop active routing: NSB and NSR on the EX4100 ensure that control plane protocols, states, and tables are synchronized between primary and standby REs to prevent protocol flaps or convergence issues following an RE failover.
    • Redundant trunk group (RTG): To avoid the complexities of STP without sacrificing network resiliency, the EX4100 employs redundant trunk groups to provide the necessary port redundancy and simplify switch configuration.
    • Cross-member link aggregation: Cross-member link aggregation allows redundant link aggregation connections between devices in a single Virtual Chassis configuration, providing an additional level of reliability and availability.
    • IPv4 and IPv6 routing support: IPv4 and IPv6 Layer 3 routing (OSPF and BGP) is available with a Flex license, enabling highly resilient networks.
     

    MACsec AES256

    The EX4100 switches support IEEE 802.1ae MACsec with AES-256-bit encryption to increase security of point-to-point traffic communications. MACsec provides encrypted communication at the link layer that is capable of identifying and preventing threats from denial of service (DoS) and other intrusion attacks, as well as man-in-the-middle, masquerading, passive wiretapping, and playback attacks launched from behind the firewall. When MACsec is deployed on ports, the traffic is encrypted on the wire, but the traffic inside the switch is not. This allows the switch to apply network policies such as quality of service (QoS) or deep packet inspection (DPI) to each packet without compromising the security of packets on the wire.  

    PoE/PoE+/PoE++ Power, Perpetual and Fast PoE

    The EX4100 delivers PoE for supporting connected devices such as phones, surveillance cameras, IoT devices, and 802.11AX/Wi-Fi 6 access points, offering a PoE power budget of up to 1620W and supporting up to 90W per port based on the IEEE 802.3bt PoE standard. EX4100 switches support perpetual PoE, which provides uninterrupted power to connected PoE powered devices (PDs) even when the EX4100 switch is rebooting. The EX4100 switches also support a fast PoE capability that delivers PoE power to connected endpoints during a switch power-up, even before the switch is fully operational. This is especially beneficial in situations where the endpoint only needs the power and is not necessarily dependent on network connectivity.  

    Junos Telemetry Interface

    The EX4100 supports Junos telemetry interface (JTI), a modern telemetry streaming feature designed for switch health and performance monitoring. Sensor data can be streamed to a management system at configurable periodic intervals, enabling network administrators to monitor individual link and node utilization as well as troubleshoot issues such as network congestion in real time. JTI delivers the following features:
    • Performance management by provisioning sensors to collect and stream data and analyze application and workload flow paths through the network
    • Capacity planning and optimization by proactively detecting hotspots and monitoring latency and microbursts
    • Troubleshooting and root cause analysis via high-frequency monitoring and correlation of overlay and underlay networks
     

    Junos Operating System

    The EX4100 switches run Junos OS, Juniper’s powerful and robust network operating system that powers all Juniper switches, routers, and firewalls. By utilizing a common operating system, Juniper delivers a consistent implementation and operation of control plane features across all products. To maintain that consistency, Junos OS adheres to a highly disciplined development process that uses a single source code and employs a highly available modular architecture to prevent isolated failures from bringing down an entire system. These attributes are fundamental to the core value of the software, enabling all Junos OS-powered products to be updated simultaneously with the same software release. All features are fully regression tested, making each new release a true superset of the previous version. Customers can deploy the software with complete confidence that all existing capabilities are maintained and operate in the same way.  

    Flex Licensing

    Juniper Flex licensing offers a common, simple, and flexible licensing model for EX Series access switches, enabling customers to purchase features based on their network and business needs. Flex licensing is offered in Standard, Advanced, and Premium tiers. Standard tier features are available with the Junos OS image that ships with EX Series switches. Additional features can be unlocked with the purchase of a Flex Advanced or Flex Premium license. The Flex Advanced and Flex Premium licenses for the EX Series platforms are class-based, determined by the number of access ports on the switch. Class 1 (C1) switches have 12 ports, Class 2 (C2) switches have 24 ports, and Class 3 (C3) switches have 32 or 48 ports. The EX4100 switches support both subscription and perpetual Flex licenses. Subscription licenses are offered for three- and five-year terms. In addition to Junos OS features, the Flex Advanced and Flex Premium subscription licenses include Juniper Mist Wired Assurance. Flex Advanced and Flex Premium subscription licenses also allow portability across the same tier and class of switches, ensuring investment protection for the customer. For a complete list of features supported by the Flex Standard, Advanced, and Premium tiers, or to learn about Junos OS EX Series licenses, please visit: https://www.juniper.net/documentation/us/en/software/license/licensing/topics/concept/flex-licenses-for-ex.html.

    Enhanced Limited Lifetime Warranty

    The EX4100 includes an enhanced limited lifetime hardware warranty that provides return-to-factory switch replacement for as long as the original purchaser owns the product. The warranty includes lifetime software updates, advanced shipping of spares within one business day, and 24x7 Juniper Networks Technical Assistance Center (JTAC) support for 90 days after the purchase date. Power supplies and fan trays are covered for a period of five years. For complete details, please visit https://support.juniper.net/support/pdf/warranty/990240.pdf.  

    Product Options

    Available EX4100 models are listed in Table 1.
    Table 1. EX4100 Line of Ethernet Switches
    | Model/Product SKU | Access Port Configuration | PoE/PoE+ Ports | PoE++ Ports | PoE Budget (1 PSU/2 PSU) | 10GbE Ports | 25GbE Ports | Power Supply Rating | Cooling |
    |---|---|---|---|---|---|---|---|---|
    | EX4100-24T | 24-port 10/100/1000BASE-T | 0 | 0 | N/A | 4 | 4 | 150 W AC | AFO (front-to-back airflow) |
    | EX4100-48T | 48-port 10/100/1000BASE-T | 0 | 0 | N/A | 4 | 4 | 150 W AC | AFO (front-to-back airflow) |
    | EX4100-48T-AFI | 48-port 10/100/1000BASE-T | 0 | 0 | N/A | 4 | 4 | 150 W AC | AFI (back-to-front airflow) |
    | EX4100-24T-DC | 24-port 10/100/1000BASE-T | 0 | 0 | N/A | 4 | 4 | 150 W DC | AFO (front-to-back airflow) |
    | EX4100-48T-DC | 48-port 10/100/1000BASE-T | 0 | 0 | N/A | 4 | 4 | 150 W DC | AFO (front-to-back airflow) |
    | EX4100-24P | 24-port 10/100/1000BASE-T | 24 | 0 | 740 W/1440 W | 4 | 4 | 920 W AC | AFO (front-to-back airflow) |
    | EX4100-48P | 48-port 10/100/1000BASE-T | 48 | 0 | 740 W/1440 W | 4 | 4 | 920 W AC | AFO (front-to-back airflow) |
    | EX4100-24MP | 8x 100 MB/1GbE/2.5GbE/5GbE/10GbE + 16x 10 MB/100 MB/1GbE | 0 | 24 | 740 W/1620 W | 12 | 4 | 920 W AC | AFO (front-to-back airflow) |
    | EX4100-48MP | 16x 100 MB/1GbE/2.5GbE + 32x 10 MB/100 MB/1GbE | 0 | 48 | 740 W/1620 W | 4 | 4 | 920 W AC | AFO (front-to-back airflow) |
     
    The EX4100 also offers spare chassis options without power supplies or fans, providing customers with the flexibility to stock SKUs (see Table 2). See the Ordering Information section for additional details.  
    Table 2. EX4100 Spare Chassis SKUs
    | Spare Chassis SKU | Description | JPSU-150-AC-AFO + EX4100-FAN-AFO | JPSU-150-AC-AFI + EX4100-FAN-AFI | JPSU-150-DC-AFO + EX4100-FAN-AFO | JPSU-920-AC-AFO + EX4100-FAN-AFO |
    |---|---|---|---|---|---|
    | EX4100-24T-CHAS | Spare chassis, 24-port 10/100/1000BASE-T | Y | X | Y | X |
    | EX4100-48T-CHAS | Spare chassis, 48-port 10/100/1000BASE-T | Y | Y | X | X |
    | EX4100-24P-CHAS | Spare chassis, 24-port 10/100/1000BASE-T | X | X | X | Y |
    | EX4100-48T-CHAS | Spare chassis, 48-port 10/100/1000BASE-T | X | X | Y | X |
    | EX4100-24MP-CHAS | Spare chassis, 8x100 MB/1GbE/2.5GbE/5GbE/10GbE + 16x10 MB/100 MB/1GbE ports | X | X | X | Y |
    | EX4100-48MP-CHAS | Spare chassis, 16x100 MB/1GbE/2.5GbE + 32x10 MB/100 MB/1GbE ports | X | X | X | Y |
    Y = supported; X = not supported
    Figure 6: EX4100 line of Switches

    EX4100 Line Specifications

    Physical Specifications

    Backplane

    • 200 Gbps Virtual Chassis interconnect to combine up to 10 units as a single logical device
     

    Power Options

    • Power supplies: Autosensing; 100-120 V/200-240 V; 150 W, 920 W AC AFO, and 150 W AC AFI dual load sharing hot-swappable internal redundant power supplies
    • Maximum current inrush: 30 amps
    • DC power supply: 150 W DC AFO; input voltage range 48-60 V max; dual load-sharing hot-swappable internal redundant power supplies
    • Minimum number of PSUs required for fully loaded chassis: 1 per switch
     

    Dimensions (W x H x D)

    • Base Unit: 17.36 x 1.72 x 13.78 in (44.1 x 4.37 x 35 cm)
    • With power supply installed: 17.36 x 1.72 x 15.05 in (44.1 x 4.37 x 38.24 cm)
    • Height: 1 U
     

    System Weight

    • EX4100-24T switch (with no power supply or fan module): 9.72 lb (4.41 kg)
    • EX4100-24P switch (with no power supply or fan module): 10 lb (4.54 kg)
    • EX4100-48T switch (with no power supply or fan module): 10 lb (4.54 kg)
    • EX4100-48P switch (with no power supply or fan module): 10.27 lb (4.66 kg)
    • EX4100-24MP switch (with no power supply or fan module): 10.06 lb (4.57 kg)
    • EX4100-48MP switch (with no power supply or fan module): 10.41 lb (4.72 kg)
    • 150 W AC power supply: 1.43 lb (0.65 kg)
    • 150 W DC power supply: 1.43 lb (0.65 kg)
    • 920 W AC power supply: 1.87 lb (0.85 kg)
    • Fan module: 0.16 lb (0.07 kg)
     

    Environmental Ranges

    • Operating temperature: 32° to 113° F (0° to 45° C)
    • Storage temperature: -40° to 158° F (-40° to 70° C)
    • Operating altitude: Up to 5000 ft at 40° C (1828.8 m)
    • Nonoperating altitude: Up to 16,000 ft (4877 m)
    • Relative humidity operating: 5% to 90% (noncondensing)
    • Relative humidity non-operating: 0% to 90% (noncondensing)
     

    Cooling [CFM] - Total maximum airflow with two power supplies and fans

    • Field-replaceable fans: 2
    • EX4100-24MP : 60.9
    • EX4100-48MP : 61.7
    • EX4100-24T : 65.6
    • EX4100-24T-DC : 64.8
    • EX4100-24P : 61.6
    • EX4100-48T : 65.8
    • EX4100-48T-DC : 66.2
    • EX4100-48T-AFI : 61.8
    • EX4100-48P : 64.1
     

    Hardware Specifications

    Switching Engine Mode

    • Store and forward
     

    Memory

    • DRAM: 4 GB with Error Correcting Code (ECC) on all models
    • Storage: 8 GB on all models
     

    CPU

    • 1.7 GHz ARM CPU on all models
     

    GbE Port Density per System

    • EX4100-24P/24T: 32 (24 1GbE host ports + 4 10GbE/25GbE ports + 4 1GbE/10GbE ports)
    • EX4100-48P/48T: 56 (48 1GbE host ports + 4 10GbE/25GbE ports + 4 1GbE/10GbE ports)
    • EX4100-24MP: 32 (8 10GbE host ports + 16 1GbE host ports + 4 10GbE/25GbE ports + 4 1GbE/10GbE ports)
    • EX4100-48MP: 56 (16 2.5GbE host ports + 32 1GbE host ports + 4 10GbE/25GbE ports + 4 1GbE/10GbE ports)
     

    Physical Layer

    • Time domain reflectometry (TDR) for detecting cable breaks and shorts: EX4100-24P/T and EX4100-48P/T, EX4100-24MP and EX4100-48MP
    • Auto medium-dependent interface/medium-dependent interface crossover (MDI/MDIX) support: EX4100-24P/T, EX4100-48P/T, EX4100-24MP and EX4100-48MP
    • Port speed downshift/setting maximum advertised speed on
      • 10/100/1000BASE-T ports on EX4100-24P/T and EX4100-48P/T
      • 100/1000BASE-T/2.5GBASE-T/5GBASE-T/10GBASE-T on EX4100-24MP
      • 100/1000BASE-T/2.5GBASE-T on EX4100-48MP
     

    Packet Switching Capacities (Maximum with 64 Byte Packets)

    • EX4100-24P/24T: 164 Gbps (unidirectional)/328 Gbps (bidirectional)
    • EX4100-48P/48T: 188 Gbps (unidirectional)/376 Gbps (bidirectional)
    • EX4100-24MP: 236 Gbps (unidirectional)/472 Gbps (bidirectional)
    • EX4100-48MP: 212 Gbps (unidirectional)/424 Gbps (bidirectional)
     

    Software Specifications

    Layer 2/Layer 3 Throughput (Mpps) (Maximum with 64 Byte Packets)

    • EX4100-48P/T 279 Mpps
    • EX4100-24P/T 244 Mpps
    • EX4100-48MP 315 Mpps
    • EX4100-24MP 351 Mpps
     

    Security

    • Media Access Control (MAC) limiting (per port and per VLAN)
    • Allowed MAC addresses: 64,000
    • Dynamic Address Resolution Protocol (ARP) inspection (DAI)
    • IP source guard
    • Local proxy ARP
    • Static ARP support
    • Dynamic Host Configuration Protocol (DHCP) snooping
    • Captive portal
    • Persistent MAC address configurations
    • Distributed denial of service (DDoS) protection (CPU control path flooding protection)
     

    Layer 2 Switching

    • Maximum MAC addresses per system: 64,000
    • Jumbo frames: 9216 bytes
    • Range of possible VLAN IDs: 1 to 4094
    • Virtual Spanning Tree (VST) instances: 253
    • Port-based VLAN
    • Voice VLAN
    • Physical port redundancy: Redundant trunk group (RTG)
    • Compatible with Per-VLAN Spanning Tree Plus (PVST+)
    • Routed VLAN interface (RVI)
    • Uplink failure detection (UFD)
    • ITU-T G.8032: Ethernet Ring Protection Switching
    • IEEE 802.1AB: Link Layer Discovery Protocol (LLDP)
    • LLDP-MED with VoIP integration
    • Default VLAN and multiple VLAN range support
    • MAC learning deactivate
    • Persistent MAC learning (sticky MAC)
    • MAC notification
    • Private VLANs (PVLANs)
    • Explicit congestion notification (ECN)
    • Layer 2 protocol tunneling (L2PT)
    • IEEE 802.1ak: Multiple VLAN Registration Protocol (MVRP)
    • IEEE 802.1p: Class of service (CoS) prioritization
    • IEEE 802.1Q: VLAN tagging
    • IEEE 802.1X: Port Access Control
    • IEEE 802.1ak: Multiple Registration Protocol
    • IEEE 802.3: 10BASE-T
    • IEEE 802.3u: 100BASE-T
    • IEEE 802.3ab: 1000BASE-T
    • IEEE 802.3z: 1000BASE-X
    • IEEE 802.3ae: 10-Gigabit Ethernet
    • IEEE 802.3by: 25-Gigabit Ethernet
    • IEEE 802.3af: Power over Ethernet
    • IEEE 802.3at: Power over Ethernet Plus
    • IEEE 802.3bt: 90 W Power over Ethernet
    • IEEE 802.3x: Pause Frames/Flow Control
    • IEEE 802.3ah: Ethernet in the First Mile
     

    Spanning Tree

    • IEEE 802.1D: Spanning Tree Protocol
    • IEEE 802.1s: Multiple Spanning Tree Protocol (MSTP)
    • Number of MST instances supported: 64
    • Number of VLAN Spanning Tree Protocol (VSTP) instances supported: 253
    • IEEE 802.1w: Rapid reconfiguration of Spanning Tree Protocol
     

    Link Aggregation

    • IEEE 802.3ad: Link Aggregation Control Protocol
    • 802.3ad (LACP) support:
      • Number of LAGs supported: 128
      • Maximum number of ports per LAG: 8
    • LAG load-sharing algorithm for bridged or routed (unicast or multicast) traffic:
      • IP: S/D IP
      • TCP/UDP: S/D IP, S/D Port
      • Non-IP: S/D MAC
    • Tagged ports support in LAG
     

    Layer 3 Features: IPv4

    • Maximum number of ARP entries: 32,000
    • Maximum number of IPv4 unicast routes in hardware: 32,650 prefixes; 32,150 host routes
    • Maximum number of IPv4 multicast routes in hardware: 16,100 multicast routes
    • Routing protocols: RIPv1/v2, OSPF, BGP, IS-IS
    • Static routing
    • Routing policy
    • Bidirectional Forwarding Detection (BFD)
    • L3 redundancy: Virtual Router Redundancy Protocol (VRRP)
    • VRF-Lite
     

    Layer 3 Features: IPv6

    • Maximum number of neighbor discovery (ND) entries: 16,000
    • Maximum number of IPv6 unicast routes in hardware: 16,200 prefixes; 16,050 host routes
    • Maximum number of IPv6 multicast routes in hardware: 8000 multicast routes
    • Routing protocols: RIPng, OSPFv3, IPv6, IS-IS
    • Static routing
     

    Access Control Lists (ACLs) (Junos OS Firewall Filters)

    • ACL entries (ACE) in hardware per system:
      • Port-based ACL (PACL) ingress: 4092
      • VLAN-based ACL (VACL) ingress: 4092
      • Router-based ACL (RACL) ingress: 4092
      • Port-based ACL (PACL) egress: 1022
      • VLAN-based ACL (VACL) egress: 511
      • Egress across RACL: 1022
    • ACL counter for denied packets
    • ACL counter for permitted packets
    • Ability to add/remove/change ACL entries in middle of list (ACL editing)
    • L2-L4 ACL
     

    Access Security

    • 802.1X port-based
    • 802.1X multiple supplicants
    • 802.1X with VLAN assignment
    • 802.1X with authentication bypass access (based on host MAC address)
    • 802.1X with VoIP VLAN support
    • 802.1X dynamic ACL based on RADIUS attributes
    • 802.1X supported Extensible Authentication Protocol (EAP) types: Message Digest 5 (MD5), Transport Layer Security (TLS), Tunneled TLS (TTLS), Protected Extensible Authentication Protocol (PEAP)
    • MAC authentication (RADIUS)
    • Control plane DoS protection
    • RADIUS functionality over IPv6 for authentication, authorization, and accounting (AAA)
    • DHCPv6 snooping
    • IPv6 neighbor discovery
    • IPv6 source guard
    • IPv6 router advertisement (RA) guard
    • IPv6 Neighbor Discovery Inspection
    • MACsec
     

    High Availability

    • Redundant, hot-swappable power supplies
    • Redundant, field-replaceable, hot-swappable fans
    • GRES for Layer 2 hitless forwarding and Layer 3 protocols on RE failover
    • Graceful protocol restart (OSPF, BGP)
    • Layer 2 hitless forwarding on RE failover
    • Nonstop bridging: LACP, xSTP
    • Nonstop routing: PIM, OSPF v2 and v3, RIP v2, RIPng, BGP, BGPv6, IS-IS, IGMP v1, v2, v3
     

    Quality of Service

    • L2 QoS
    • L3 QoS
    • Ingress policing: 1 rate 2 color
    • Hardware queues per port: 12 (8 unicast + 4 multicast)
    • Scheduling methods (egress): Strict priority (SP), weighted deficit round-robin (WDRR)
    • 802.1p, DiffServ code point (DSCP)/IP precedence trust and marking
    • L2-L4 classification criteria: Interface, MAC address, Ethertype, 802.1p, VLAN, IP address, DSCP/IP precedence, TCP/UDP port numbers, and more
    • Congestion avoidance capabilities: Tail drop, weighted random early detection (WRED)
     

    Multicast

    • IGMP: v1, v2, v3
    • IGMP snooping
    • Multicast Listener Discovery (MLD) snooping
    • Protocol Independent Multicast-Sparse Mode (PIM-SM), PIM Source-Specific Mode (PIM-SSM), PIM Dense Mode (PIM-DM)
     

    Management and Analytics Platforms

    • Juniper Mist Wired Assurance for campus
    • Junos Space® Network Director for campus
    • Junos Space Management Applications
     

    Device Management and Operations

    • Junos OS CLI
    • Out-of-band management: Serial; 10/100/1000BASE-T Ethernet
    • Rescue configuration
    • Configuration rollback
    • Image rollback
    • RMON (RFC2819) groups 1, 2, 3, 9
    • Remote performance monitoring
    • SNMP: v1, v2c, v3
    • Network Time Protocol (NTP)
    • DHCP server
    • DHCP client and DHCP proxy
    • DHCP relay and helper
    • DHCP local server support
    • RADIUS
    • TACACS+
    • SSHv2
    • Secure copy
    • HTTP/HTTPS
    • Domain Name System (DNS) resolver
    • System logging
    • Temperature sensor
    • Configuration backup via FTP/secure copy
     

    Supported RFCs

    • RFC 768 UDP
    • RFC 783 TFTP
    • RFC 791 IP
    • RFC 792 ICMP
    • RFC 793 TCP
    • RFC 826 ARP
    • RFC 854 Telnet client and server
    • RFC 894 IP over Ethernet
    • RFC 903 RARP
    • RFC 906 TFTP Bootstrap
    • RFC 951, 1542 BootP
    • RFC 1027 Proxy ARP
    • RFC 1058 RIP v1
    • RFC 1112 IGMP v1
    • RFC 1122 Host Requirements
    • RFC 1195 Use of OSI IS-IS for Routing in TCP/IP and Dual Environments (TCP/IP transport only)
    • RFC 1256 IPv4 ICMP Router Discovery (IRDP)
    • RFC 1492 TACACS+
    • RFC 1519 CIDR
    • RFC 1587 OSPF NSSA Option
    • RFC 1591 DNS
    • RFC 1812 Requirements for IP Version 4 Routers
    • RFC 1981 Path MTU Discovery for IPv6
    • RFC 2030 SNTP, Simple Network Time Protocol
    • RFC 2068 HTTP server
    • RFC 2080 RIPng for IPv6
    • RFC 2131 BOOTP/DHCP relay agent and DHCP server
    • RFC 2138 RADIUS Authentication
    • RFC 2139 RADIUS Accounting
    • RFC 2154 OSPF w/Digital Signatures (password, MD-5)
    • RFC 2236 IGMP v2
    • RFC 2267 Network Ingress Filtering
    • RFC 2328 OSPF v2 (edge-mode)
    • RFC 2338 VRRP
    • RFC 2362 PIM-SM (edge-mode)
    • RFC 2370 OSPF Opaque LSA Option
    • RFC 2453 RIP v2
    • RFC 2460 Internet Protocol, Version 6 (IPv6) Specification
    • RFC 2461 Neighbor Discovery for IP Version 6 (IPv6)
    • RFC 2463 Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
    • RFC 2464 Transmission of IPv6 Packets over Ethernet Networks
    • RFC 2474 DiffServ Precedence, including 12 queues/port
    • RFC 2475 DiffServ Core and Edge Router Functions
    • RFC 2526 Reserved IPv6 Subnet Anycast Addresses
    • RFC 2597 DiffServ Assured Forwarding (AF)
    • RFC 2598 DiffServ Expedited Forwarding (EF)
    • RFC 2740 OSPF for IPv6
    • RFC 2925 MIB for Remote Ping, Trace
    • RFC 3176 sFlow
    • RFC 3376 IGMP v3
    • RFC 3484 Default Address Selection for Internet Protocol Version 6 (IPv6)
    • RFC 3513 Internet Protocol Version 6 (IPv6) Addressing Architecture
    • RFC 3569 draft-ietf-ssm-arch-06.txt PIM-SSM PIM Source Specific Multicast
    • RFC 3579 RADIUS EAP support for 802.1x
    • RFC 3618 Multicast Source Discovery Protocol (MSDP)
    • RFC 3623 OSPF Graceful Restart
    • RFC 4213 Basic Transition Mechanisms for IPv6 Hosts and Routers
    • RFC 4291 IPv6 Addressing Architecture
    • RFC 4443 ICMPv6 for the IPv6 Specification
    • RFC 4541 IGMP and MLD snooping services
    • RFC 4552 OSPFv3 Authentication
    • RFC 4861 Neighbor Discovery for IPv6
    • RFC 4862 IPv6 Stateless Address Autoconfiguration
    • RFC 4915 MT-OSPF
    • RFC 5095 Deprecation of Type 0 Routing Headers
    • RFC 5176 Dynamic Authorization Extensions to RADIUS
    • RFC 5798 VRRPv3 for IPv6
    • Draft-ietf-bfd-base-05.txt Bidirectional Forwarding Detection
    • Draft-ietf-idr-restart-10.txt Graceful Restart Mechanism
    • Draft-ietf-isis-restart-02 Restart Signaling for IS-IS
    • Draft-ietf-isis-wg-multi-topology-11 Multi Topology (MT) Routing in IS-IS for BGP
    • Internet draft-ietf-isis-ipv6-06.txt, Routing IPv6 with IS-IS
    • LLDP Media Endpoint Discovery (LLDP-MED), ANSI/TIA-1057, draft 08
    • PIM-DM Draft IETF PIM Dense Mode draft-ietf-idmr-pimdm-05.txt, draft-ietf-pim-dm-new-v2-04.txt
     

    Supported MIBs

    • RFC 1155 SMI
    • RFC 1157 SNMPv1
    • RFC 1212, RFC 1213, RFC 1215 MIB-II, Ethernet-Like MIB and TRAPs
    • RFC 1493 Bridge MIB
    • RFC 1643 Ethernet MIB
    • RFC 1657 BGP-4 MIB
    • RFC 1724 RIPv2 MIB
    • RFC 1850 OSPFv2 MIB
    • RFC 1905, RFC 1907 SNMP v2c, SMIv2 and Revised MIB-II
    • RFC 2011 SNMPv2 for Internet Protocol using SMIv2
    • RFC 2012 SNMPv2 for transmission control protocol using SMIv2
    • RFC 2013 SNMPv2 for user datagram protocol using SMIv2
    • RFC 2096 IPv4 Forwarding Table MIB
    • RFC 2287 System Application Packages MIB
    • RFC 2570–2575 SNMPv3, user based security, encryption, and authentication
    • RFC 2576 Coexistence between SNMP Version 1, Version 2, and Version 3
    • RFC 2578 SNMP Structure of Management Information MIB
    • RFC 2579 SNMP Textual Conventions for SMIv2
    • RFC 2665 Ethernet-like interface MIB
    • RFC 2787 VRRP MIB
    • RFC 2819 RMON MIB
    • RFC 2863 Interface Group MIB
    • RFC 2863 Interface MIB
    • RFC 2922 LLDP MIB
    • RFC 2925 Ping/Traceroute MIB
    • RFC 2932 IPv4 Multicast MIB
    • RFC 3413 SNMP Application MIB
    • RFC 3414 User-based Security model for SNMPv3
    • RFC 3415 View-based Access Control Model for SNMP
    • RFC 3621 PoE-MIB (PoE switches only)
    • RFC 4188 STP and Extensions MIB
    • RFC 4363 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering, and VLAN extensions
    • RFC 5643 OSPF v3 MIB support
    • Draft-blumenthal-aes-usm-08
    • Draft-reeder-snmpv3-usm-3desede-00
    • Draft-ietf-bfd-mib-02.txt
    • Draft-ietf-idmr-igmp-mib-13
    • Draft-ietf-idmr-pim-mib-09
    • Draft-ietf-idr-bgp4-mibv2-02.txt – Enhanced BGP-4 MIB
    • Draft-ietf-isis-wg-mib-07
     

    Troubleshooting

    • Debugging: CLI via console, Telnet, or SSH
    • Diagnostics: Show and debug command, statistics
    • Traffic mirroring (port)
    • Traffic mirroring (VLAN)
    • IP tools: Extended ping and trace
    • Juniper Networks commit and rollback
     

    Traffic Monitoring

    • ACL-based mirroring
    • Mirroring destination ports per system: 4
      • LAG port monitoring
      • Multiple destination ports monitored to 1 mirror (N:1)
    • Maximum number of mirroring sessions: 4
    • Mirroring to remote destination (over L2): 1 destination VLAN

    Safety and Compliance

    Electromagnetic Compatibility (EMC) Requirements

    • FCC 47 CFR Part 15
    • ICES-003 / ICES-GEN
    • EN 300 386 V1.6.1
    • EN 300 386 V2.1.1
    • EN 55032
    • CISPR 32
    • EN 55024
    • CISPR 24
    • EN 55035
    • CISPR 35
    • IEC/EN 61000 Series
    • AS/NZS CISPR 32
    • VCCI-CISPR 32
    • BSMI CNS 13438
    • KN 32 and KN 35
    • KN 61000 Series
    • TEC/SD/DD/EMC-221/05/OCT-16
    • TCVN 7189
    • TCVN 7317
     

    Safety Requirements Chassis and Optics

    • CAN/CSA-C22.2 No. 62368-1 and 60950-1
    • UL 62368-1 and 60950-1
    • IEC 62368-1 and 60950-1 (All country deviations): CB Scheme report
    • IEC 62368-3 for USB and PoE: CB Scheme report
    • CFR, Title 21, Chapter 1, Subchapter J, Part 1040
    • REDR c 1370 OR CAN/CSA-E 60825-1- Part 1
    • IEC 60825-1
    • IEC 60825-2
     

    Energy Efficiency

    • AT&T TEER (ATIS-06000015.03.2013)
    • ECR 3.0.1
    • ETSI ES 203 136 V.1.1.1
    • Verizon TEEER (VZ.TPR.9205)
     

    Environmental

    • Reduction of Hazardous Substances (ROHS) 6/6
     

    Telco

    • CLEI code

    Noise Specifications

    • Noise measurements based on operational tests taken from bystander position (front) and performed at 23° C in compliance with ISO 7779.
     

    Juniper Networks Services and Support

    Juniper Networks is the leader in performance-enabling services that are designed to accelerate,
  • Product Overview

    The EX4100-F line of Ethernet access switches offers a secure, cloud-ready, economical solution for access layer deployments in branch and remote offices, as well as enterprise campus networks. These platforms boost network performance and visibility, meeting the security demands of today—as well as for networks of the next decade. As part of the underlying infrastructure for Juniper Mist Wired Assurance, the EX4100-F is purpose-built for, and managed by, the cloud. The switches leverage Mist AI to simplify operations and provide better visibility into the experience of connected devices, delivering a refreshing, experience-first approach to access layer switching.  

    Product Description

    The Juniper Networks® EX4100-F line of Switches offers a secure, cloud-ready portfolio of access switches ideal for enterprise branch, remote office, and enterprise campus networks. The EX4100-F switches combine the simplicity of the cloud, the power of Mist AI™, and a robust hardware foundation with high performance to deliver a differentiated approach to access switching in the cloud, mobile, and IoT era. With Juniper® Mist™ Wired Assurance, the EX4100-F line of Switches can be effortlessly onboarded, configured, and managed from the cloud. This simplifies operations, improves visibility, and ensures a much better experience for connected devices. Key features of the EX4100-F include:
    • Cloud-ready, driven by Mist AI with Juniper Mist Wired Assurance and Marvis Virtual Network Assistant
    • Ethernet VPN–Virtual Extensible LAN (EVPN-VXLAN) to the access layer
    • Standards-based microsegmentation using group-based policies (GBPs)
    • Flow-based telemetry to monitor traffic flows for anomaly detection, ability to measure packet delays and report drop reasons
    • 10-member Virtual Chassis support
    Offering a full suite of Layer 2 and Layer 3 capabilities, the EX4100-F enables multiple deployments. As scaling requirements increase, Juniper’s Virtual Chassis technology allows up to 10 EX4100-F switches to be seamlessly interconnected and managed as a single device, delivering a scalable, pay-as-you-grow solution for expanding network environments. The EX4100-F line consists of the following models:
    • The EX4100-F-12T, which is a compact, fanless switch offering 12 x 1GbE non-PoE access ports.
    • The EX4100-F-12P, which is a compact, fanless switch offering 12 x 1GbE Power over Ethernet Plus (PoE+) access ports and delivering up to 30 W per port with a total of 180 W of PoE power budget with an external power adapter. EX4100-F-12P can also be powered from an external 90 W power sourcing equipment (PSE) device connected via the uplink port. Additional 90 W of PoE budget is available if the second uplink port is connected to a PSE device. With external power adapter and the two uplink ports connected to 90 W external PSE, total PoE power budget supported is up to 300 W.
    • The EX4100-F-24T, which offers 24 x 1GbE non-PoE access ports.
    • The EX4100-F-24P, which offers 24 x 1GbE PoE+ access ports, delivering up to 30 W per port with an overall total 370 W of PoE power budget.
    • The EX4100-F-48T, which offers 48 x 1GbE non-PoE access ports.
    • The EX4100-F-48P, which offers 48 x 1GbE PoE+ access ports and delivers up to 30 W per port with an overall total PoE Power budget of 740 W.
    Each EX4100-F -24 port and -48 port model offers a fixed power supply and 4 x 1GbE/10GbE small form-factor pluggable plus transceiver (SFP+ transceiver) fixed uplink ports. Each EX4100-F-12 port model offers 2 x 10GbE fixed copper uplink ports. The EX4100-F switches include 4 x 1GbE/10GbE SFP+ ports to support Virtual Chassis connections, which can be reconfigured for use as Ethernet ports for uplink connectivity. EX4100-F switch models offer standards-based 802.3af/at (PoE/PoE+) for delivering up to 30 watts on any access port. The EX4100-F switches can be configured to deliver Fast PoE capability and Perpetual PoE capability.  

    Architecture and Key Components

    Cloud Management with Juniper Mist Wired Assurance Driven by Mist AI

    EX4100-F switches can be quickly and easily onboarded (Day 0), provisioned (Day 1), and managed (Day 2+) from the cloud with Juniper Mist Wired Assurance, which brings AI-powered automation and insights that optimize experiences for end users and connected devices. The EX4100-F provides rich Junos® operating system telemetry data for Mist AI, which helps achieve simpler operations, shorter mean time to repair (MTTR), and streamlined troubleshooting. For more information, read the Juniper Mist Wired Assurance datasheet. In addition to Juniper Mist Wired Assurance, Marvis Virtual Network Assistant—a key part of The Self-Driving Network™— makes the Mist AI engine interactive. A digital extension of the IT team, Marvis offers automatic fixes or recommended actions, allowing IT teams to streamline how they troubleshoot and manage their network operations.  
    Figure 1: EX4100-F Virtual Chassis configuration interconnected via dedicated front-panel 10GbE ports

    EVPN-VXLAN Technology

    Most traditional campus networks have a single-vendor, chassis-based architecture that worked well for smaller, static campuses with few endpoints. However, this approach is too rigid to support the changing needs of modern campus networks. The EX4100-F supports EVPN-VXLAN, extending an end-to-end fabric from campus core to distribution to the access layer. An EVPN-VXLAN fabric is a simple, programmable, highly scalable architecture built on open standards. This technology can be applied in both data centers and campuses for architectural consistency. A campus EVPN-VXLAN architecture uses a Layer 3 IP-based underlay network and an EVPN-VXLAN overlay network. A flexible overlay network based on a VXLAN overlay with an EVPN control plane efficiently provides Layer 2 and/or Layer 3 connectivity throughout the network. EVPN-VXLAN also offers a scalable way to build and interconnect multiple campus sites, delivering:
    • Greater consistency and scalability across all network layers
    • Multivendor deployment support
    • Reduced flooding and learning
    • Location-agnostic connectivity
    • Consistent network segmentation
    • Simplified management
     

    Virtual Chassis Technology

    Juniper’s Virtual Chassis technology allows multiple interconnected switches to operate as a single, logical unit, enabling users to manage all platforms as one virtual device. Up to 10 EX4100-F switches can be interconnected as a Virtual Chassis using 4 x 10GbE SFP+ dedicated front-panel ports. Although configured as Virtual Chassis ports by default, the 4 x 10GbE SFP+ ports can also be configured as uplink ports. The EX4100-F switches can form a Virtual Chassis with any other models within the EX4100-F product line.  

    Microsegmentation Using Group-Based Policy

    GBP leverages underlying VXLAN technology to provide location-agnostic endpoint access control. This allows network administrators to implement consistent security policies across the enterprise network domains. The EX4100-F supports a standards-based GBP solution, allowing different levels of access control for endpoints and applications even within the same VLAN. Customers can simplify their network configuration by using GBP, avoiding the need to configure large numbers of firewall filters on all their switches. GBP can block lateral threats by ensuring consistent application of security group policies throughout the network, regardless of the location of endpoints and/or users.  

    Flow-Based Telemetry

    Flow-based telemetry enables flow-level analytics, allowing network administrators to monitor thousands of traffic flows on the EX4100-F without burdening the CPU. This improves network security by monitoring, baselining, and detecting flow anomalies. For example, if predefined flow thresholds are breached due to an attack, IP Flow Information Export (IPFIX) alerts can be sent to an external server to quickly identify the attack. Network administrators can also automate specific workflows, such as further examining the traffic or quarantining a port, to triage the issue. In addition to detecting DoS attacks, flow-based telemetry on the EX4100-F can measure packet delays at ingress, chip, and egress points and report drop reasons.

    Features and Benefits

    Simplified Operations with Juniper Mist Wired Assurance

    The EX4100-F is fully cloud onboarded, provisioned, and managed by Juniper Mist Wired Assurance. The EX4100-F is designed from the ground up to deliver the rich telemetry that enables AI for IT Operations (AIOps) with simplified operations from Day 0 to Day 2 and beyond. Juniper Mist Wired Assurance provides detailed switch insights for easier troubleshooting and improved time to resolution by offering the following features:
    • Day 0 operations—Onboard switches seamlessly by claiming a greenfield switch or adopting a brownfield switch with a single activation code for true plug-and-play simplicity.
    • Day 1 operations—Implement a template-based configuration model for bulk rollouts of traditional and campus fabric deployments, while retaining the flexibility and control required to apply custom site- or switch-specific attributes. Automate provisioning of ports via Dynamic Port Profiles.
    • Day 2 operations—Leverage the AI in Juniper Mist Wired Assurance to meet service-level expectations such as throughput, successful connects, and switch health with key pre- and post-connection metrics (see Figure 1). Add the self-driving capabilities in Marvis Actions to detect loops, add missing VLANs, fix misconfigured ports, identify bad cables, isolate flapping ports, and discover persistently failing clients (see Figure 2). Perform software upgrades easily through Juniper Mist Cloud.
     
    Figure 2: Juniper Mist Wired Assurance service-level expectations screen
    Figure 3: Marvis Actions for wired switches
    The complementary addition of Marvis Virtual Network Assistant, driven by Mist AI, lets you start building a Self-Driving Network that simplifies network operations and streamlines troubleshooting via automatic fixes for Juniper Networks EX Series Switches or recommended actions for external systems. For more information, see Juniper Mist Wired Assurance.  

    Campus Fabric Deployments

    EVPN-VXLAN for Campus Core, Distribution, and Access

    The main advantages of EVPN-VXLAN in campus networks are:
    • Flexibility of consistent VLANs across the network: Endpoints can be placed anywhere in the network and remain connected to the same logical L2 network, enabling a virtual topology to be decoupled from the physical topology.
    • Microsegmentation: The EVPN-VXLAN-based architecture lets you deploy a common set of policies and services across campuses with support for L2 and L3VPNs.
    • Scalability: With an EVPN control plane, enterprises can scale out easily by adding more core, aggregation, and access layer devices as the business grows without having to redesign the network or perform a forklift upgrade. Using an L3 IP-based underlay coupled with an EVPN-VXLAN overlay, campus network operators can deploy much larger and more resilient networks than would otherwise be possible with traditional L2 Ethernet-based architectures.
    Juniper offers complete flexibility in choosing any of the following validated EVPN-VXLAN campus fabrics that cater to networks of different sizes, scale, and segmentation requirements:
    • EVPN multihoming (on collapsed core or distribution): A collapsed core architecture combines the core and distribution layers into a single layer, turning the traditional three-tier hierarchical network into a two-tier network. EVPN multihoming on a collapsed core eliminates the need for Spanning Tree Protocol (STP) across campus networks by providing link aggregation capabilities from the access layer to the core layer. This topology is best suited for small to medium distributed enterprise networks and allows for consistent VLANs across the network. This topology uses ESI (Ethernet Segment Identifier) LAG (Link Aggregation) and is a standards-based protocol.
    • Campus Fabric Core Distribution: When EVPN-VXLAN is configured across core and distribution layers, it becomes a campus fabric core distribution architecture, which can be configured in two modes: centrally or edge routed bridging overlay. This architecture provides an opportunity for an administrator to move towards campus fabric IP Clos without a forklift upgrade of all access switches in the existing network, while bringing in the advantages of moving to a campus fabric and providing an easy way to scale out the network.
    • Campus Fabric IP Clos: When EVPN-VXLAN is configured on all layers including access, it is called the campus fabric IP Clos architecture. This model is also referred to as “end-to-end,” given that VXLAN tunnels are terminated at the access layer. Due to the availability of VXLAN at access, it provides us with the opportunity to bring policy enforcement to the access layer (closest to the source) using Group Based Policy (GBP). Standards-based GBP tags bring the unique option to segment traffic both at a micro and macro level. GBP tags are assigned dynamically to clients as part of the RADIUS transaction by Mist Cloud NAC. This topology works for small-medium and large campus architectures that need macro and micro segmentation.
    Figure 4: Campus fabrics showing Virtual Chassis and EVPN-VXLAN-based architectures
    All three topologies are standards-based and interoperable with third-party vendors. The EX4100 switches can be deployed in campus and branch access layer networks in the EVPN-VXLAN architectures shown in Figure 4.  

    Managing AI-Driven Campus Fabric with the Juniper Mist Cloud

    Juniper Mist Wired Assurance brings cloud management and Mist AI to the campus fabric. It sets a new standard that moves away from traditional network management towards AI-driven operations, while delivering better experiences to connected devices. Juniper Mist Cloud streamlines deployment and management of campus fabric architectures by allowing:
    • Automated deployment and zero-touch deployment (ZTD)
    • Anomaly detection
    • Root cause analysis
     
    Figure 5: EVPN multihoming configuration via the Juniper Mist cloud

    Chassis-Class Availability

    The EX4100-F switches deliver high availability (HA) through graceful Routing Engine switchover (GRES), and nonstop bridging and routing when deployed in a Virtual Chassis configuration. In a Virtual Chassis configuration, each EX4100-F switch is capable of functioning as a Routing Engine (RE). When two or more EX4100-F switches are interconnected, a single control plane is shared among all Virtual Chassis member switches. Junos OS automatically initiates an election process to assign a primary (active) and backup (hot-standby) RE. An integrated L2 and L3 GRES feature maintains uninterrupted access to applications, services, and IP communications in the unlikely event of a primary RE failure. When more than two switches are interconnected in a Virtual Chassis configuration, the remaining switch elements act as line cards and are available to assume the backup RE position should the designated primary RE fail. Primary, backup, and line card priority status can be assigned to dictate the order of ascension; this N+1 RE redundancy, coupled with the GRES, nonstop active routing (NSR), and nonstop bridging (NSB) capabilities of Junos OS, assures a smooth transfer of control plane functions following unexpected failures. The EX4100-F implements the same slot/module/port numbering schema as other Juniper chassis-based products when numbering Virtual Chassis ports, providing true chassis-like operations. By using a consistent operating system and a single configuration file, all switches in a Virtual Chassis configuration are treated as a single device, greatly simplifying overall system maintenance and management. Individually, the EX4100-F offers a number of HA features that are typically associated with modular chassis-based switches. When combined with the field-proven Junos OS and L2/L3 failover capabilities, these features provide the EX4100-F with true carrier-class reliability.
    • Nonstop bridging and nonstop active routing: NSB and NSR on the EX4100-F ensure that control plane protocols, states, and tables are synchronized between primary and standby REs to prevent protocol flaps or convergence issues following an RE failover.
    • Redundant trunk group (RTG): To avoid the complexities of STP without sacrificing network resiliency, the EX4100-F employs redundant trunk groups to provide the necessary port redundancy and simplify switch configuration.
    • Cross-member link aggregation: Cross-member link aggregation allows redundant link aggregation connections between devices in a single Virtual Chassis configuration, providing an additional level of reliability and availability.
    • IPv4 and IPv6 routing support: IPv4 and IPv6 Layer 3 routing (OSPF and BGP) is available with a Flex license, enabling highly resilient networks.
     

    PoE/PoE+ Power, Perpetual and Fast PoE

    The EX4100-F delivers PoE for supporting connected devices such as phones, surveillance cameras, IoT devices, and 802.11AX/Wi-Fi 6 access points, offering a PoE power budget of up to 740 W and supporting up to 30 W per port based on the IEEE 802.3at PoE standard. EX4100-F switches support perpetual PoE, which provides uninterrupted power to connected PoE powered devices (PDs) even when the power sourcing equipment switch (PSE) is rebooting. The EX4100-F switches also support a Fast PoE capability that delivers PoE power to connected endpoints during a switch power-up, even before the switch is fully operational. This is especially beneficial in situations where the endpoint only needs the power and is not necessarily dependent on network connectivity.  

    Junos Telemetry Interface

    The EX4100-F supports Junos telemetry interface (JTI), a modern telemetry streaming feature designed for switch health and performance monitoring. Sensor data can be streamed to a management system at configurable periodic intervals, enabling network administrators to monitor individual link and node utilization as well as troubleshoot issues such as network congestion in real time. JTI delivers the following features:
    • Performance management by provisioning sensors to collect and stream data and analyze application and workload flow paths through the network
    • Capacity planning and optimization by proactively detecting hotspots and monitoring latency and microbursts
    • Troubleshooting and root cause analysis via high-frequency monitoring and correlation of overlay and underlay networks
     

    Junos Operating System

    The EX4100-F switches run Junos OS, Juniper’s powerful and robust network operating system that powers all Juniper switches, routers, and firewalls. By utilizing a common operating system, Juniper delivers a consistent implementation and operation of control plane features across all products. To maintain that consistency, Junos OS adheres to a highly disciplined development process that uses a single source code and employs a highly available modular architecture to prevent isolated failures from bringing down an entire system. These attributes are fundamental to the core value of the software, enabling all Junos OS-powered products to be updated simultaneously with the same software release. All features are fully regression tested, making each new release a true superset of the previous version. Customers can deploy the software with complete confidence that all existing capabilities are maintained and operate in the same way.  

    Flex Licensing

    Juniper Flex licensing offers a common, simple, and flexible licensing model for EX Series access switches, enabling customers to purchase features based on their network and business needs. Flex licensing is offered in Standard, Advanced, and Premium tiers. Standard tier features are available with the Junos OS image that ships with EX Series switches. Additional features can be unlocked with the purchase of a Flex Advanced or Flex Premium license. The Flex Advanced and Flex Premium licenses for the EX Series platforms are class-based, determined by the number of access ports on the switch. Class 1 (C1) switches have 12 ports, Class 2 (C2) switches have 24 ports, and Class 3 (C3) switches have 32 or 48 ports. The EX4100-F switches support both subscription and perpetual Flex licenses. Subscription licenses are offered for three- and five-year terms. In addition to Junos OS features, the Flex Advanced and Flex Premium subscription licenses include Juniper Mist Wired Assurance. Flex Advanced and Flex Premium subscription licenses also allow portability across the same tier and class of switches, ensuring investment protection for the customer. For a complete list of features supported by the Flex Standard, Advanced, and Premium tiers, or to learn about Junos OS EX Series licenses, please visit: https://www.juniper.net/documentation/us/en/software/license/licensing/topics/concept/flex-licenses-for-ex.html.  

    Enhanced Limited Lifetime Warranty

    The EX4100-F includes an enhanced limited lifetime hardware warranty that provides return-to-factory switch replacement for as long as the original purchaser owns the product. The warranty includes lifetime software updates, advanced shipping of spares within one business day, and 24x7 Juniper Networks Technical Assistance Center (JTAC) support for 90 days after the purchase date. Power supplies and fan trays are covered for a period of five years. For complete details, please visit https://support.juniper.net/support/pdf/warranty/990240.pdf  

    Product Options

    Available EX4100-F models are listed in Table 1.
    Table 1. EX4100-F Line of Ethernet Switches

    Model/Product SKU | Access Port Configuration | PoE/PoE+ Ports | PoE Power Budget | 10GbE Ports (Uplinks) | 10GbE Ports (Stacking/Uplinks) | Cooling
    ----------------- | ------------------------- | -------------- | ---------------- | --------------------- | ------------------------------ | -------
    EX4100-F-12T | 12-port 10/100/1000BASE-T | 0 | N/A | 2 | 4 | AFO (front-to-back airflow)
    EX4100-F-12P | 12-port 10/100/1000BASE-T | 12 | 300 W¹ | 2 | 4 | AFO (front-to-back airflow)
    EX4100-F-24T | 24-port 10/100/1000BASE-T | 0 | N/A | 4 | 4 | AFO (front-to-back airflow)
    EX4100-F-48T | 48-port 10/100/1000BASE-T | 0 | N/A | 4 | 4 | AFO (front-to-back airflow)
    EX4100-F-24P | 24-port 10/100/1000BASE-T | 24 | 370 W | 4 | 4 | AFO (front-to-back airflow)
    EX4100-F-48P | 48-port 10/100/1000BASE-T | 48 | 740 W | 4 | 4 | AFO (front-to-back airflow)

    ¹ With external AC power adapter and two uplink ports connected to external 90 W PSE. PoE power budget is 180 W with external AC power adapter.
    Figure 6: EX4100-F line of Switches
    Table 2. EX4100-F Switch Power Options

    Model Number | Max System Power Consumption (Input Power without PoE) | Total PoE Power Budget
    ------------ | ------------------------------------------------------ | ----------------------
    EX4100-F-12T | 55 W | 0
    EX4100-F-12P | 80 W | 300 W¹
    EX4100-F-24T | 55 W | 0
    EX4100-F-24P | 80 W | 370 W
    EX4100-F-48T | 70 W | 0
    EX4100-F-48P | 100 W | 740 W

    ¹ With external AC power adapter and two uplink ports connected to external 90 W PSE. PoE power budget is 180 W with external AC power adapter.

    EX4100-F Specifications

    Physical Specifications

    Backplane

    • 80 Gbps Virtual Chassis interconnect to combine up to 10 units as a single logical device
     

    Dimensions (W x H x D)

    • EX4100-F-48P, EX4100-F-24P with power supply installed: 17.36 x 1.72 x 12.26 in. (44.09 x 4.37 x 31.14 cm)
    • EX4100-F-48T, EX4100-F-24T with power supply installed: 17.36 x 1.72 x 10.1 in. (44.09 x 4.37 x 25.65 cm)
    • EX4100-F-12P/12T: 10.59 x 1.75 x 9.66 in. (26.9 x 4.45 x 23.83 cm)
    • Height: 1 U
     

    System Weight

    • EX4100-F-12T: 5.95 lb (2.7 kg)
    • EX4100-F-12P: 6.61 lb (3 kg)
    • EX4100-F-24T: 7.76 lb (3.52 kg)
    • EX4100-F-48T: 8.57 lb (3.89 kg)
    • EX4100-F-24P: 10.46 lb (4.75 kg)
    • EX4100-F-48P: 11.46 lb (5.2 kg)
    • EX4100-F-PWR-75W: 1.65 lb (0.75 kg)
    • EX4100-F-PWR-280W: 2.98 lb (1.35 kg)
     

    Environmental Ranges

    • Operating temperature:
      • -24 Port and -48 Port EX4100-F SKUs: 32° to 113° F (0° to 45°C)
    • Storage temperature: -40° to 158° F (-40° to 70° C)
    • Operating altitude: Up to 5000 ft at 40° C (1828.8 m)
    • Nonoperating altitude: Up to 16,000 ft (4,877 m)
    • Relative humidity operating: 5% to 90% (noncondensing)
    • Relative humidity non-operating: 0% to 90% (noncondensing)
     

    Cooling

    • Airflow (CFM):
      • EX4100-F-12T: 0
      • EX4100-F-12P: 0
      • EX4100-F-24T: 14.5
      • EX4100-F-48T: 15.0
      • EX4100-F-24P: 30.0
      • EX4100-F-48P: 29.0
     

    Hardware Specifications

    Switching Engine Mode

    • Store and forward
     

    Memory

    • DRAM: 4 GB with Error Correcting Code (ECC) on all models
    • Storage: 8 GB on all models
     

    CPU

    • 1.7 GHz ARM CPU on all models
     

    GbE Port Density per System

    • EX4100-F-12T/12P: 20 (12 host ports + 2 port RJ45 1GbE/2GbE/5GbE/10GbE uplinks + 4 port 10GbE SFP+ Virtual Chassis/uplinks)
    • EX4100-F-24T/24P: 24 (24 host ports + 4 port SFP/SFP+ uplinks + 4 port 10GbE SFP+ Virtual Chassis/uplinks)
    • EX4100-F-48T/48P: 48 (48 host ports + 4 port SFP/SFP+ uplinks + 4 port 10GbE SFP+ Virtual Chassis/uplinks)
     

    Physical Layer

    • Time domain reflectometry (TDR) for detecting cable breaks and shorts: EX4100-F-24P/T and EX4100-F-48P/T
    • Auto medium-dependent interface/medium-dependent interface crossover (MDI/MDIX) support: EX4100-F-24P/T and EX4100-F-48P/T
    • Port speed downshift/setting maximum advertised speed on 10/100/1000BASE-T ports: EX4100-F-24P/T and EX4100-F-48P/T only
    • Digital optical monitoring for optical ports
     

    Packet Switching Capacities (Maximum with 64 Byte Packets)

    • EX4100-F-12P/12T: 72 Gbps (unidirectional)/144 Gbps (bidirectional)
    • EX4100-F-24P/24T: 104 Gbps (unidirectional)/208 Gbps (bidirectional)
    • EX4100-F-48P/48T: 128 Gbps (unidirectional)/256 Gbps (bidirectional)
     

    Software Specifications

    Layer 2/Layer 3 Throughput (Mpps) (Maximum with 64 Byte Packets)

    • EX4100-F-12P/T: 107 Mpps
    • EX4100-F-24P/T: 154 Mpps
    • EX4100-F-48P/T: 190 Mpps
     

    Security

    • Media Access Control (MAC) limiting (per port and per VLAN)
    • Allowed MAC addresses: 64,000
    • Dynamic Address Resolution Protocol (ARP) inspection (DAI)
    • IP source guard
    • Local proxy ARP
    • Static ARP support
    • Dynamic Host Configuration Protocol (DHCP) snooping
    • Captive portal
    • Persistent MAC address configurations
    • Distributed denial of service (DDoS) protection (CPU control path flooding protection)
     

    Layer 2 Switching

    • Maximum MAC addresses per system: 64,000
    • Jumbo frames: 9216 bytes
    • Range of possible VLAN IDs: 1 to 4094
    • Virtual Spanning Tree (VST) instances: 253
    • Port-based VLAN
    • Voice VLAN
    • Physical port redundancy: Redundant trunk group (RTG)
    • Compatible with Per-VLAN Spanning Tree Plus (PVST+)
    • Routed VLAN interface (RVI)
    • Uplink failure detection (UFD)
    • ITU-T G.8032: Ethernet Ring Protection Switching
    • IEEE 802.1AB: Link Layer Discovery Protocol (LLDP)
    • LLDP-MED with VoIP integration
    • Default VLAN and multiple VLAN range support
    • MAC learning deactivate
    • Persistent MAC learning (sticky MAC)
    • MAC notification
    • Private VLANs (PVLANs)
    • Explicit congestion notification (ECN)
    • Layer 2 protocol tunneling (L2PT)
    • IEEE 802.1ak: Multiple VLAN Registration Protocol (MVRP)
    • IEEE 802.1p: Class of Service (CoS) prioritization
    • IEEE 802.1Q: VLAN tagging
    • IEEE 802.1X: Port Access Control
    • IEEE 802.1ak: Multiple Registration Protocol
    • IEEE 802.3: 10BASE-T
    • IEEE 802.3u: 100BASE-T
    • IEEE 802.3ab: 1000BASE-T
    • IEEE 802.3z: 1000BASE-X
    • IEEE 802.3ae: 10-Gigabit Ethernet
    • IEEE 802.3by: 25-Gigabit Ethernet
    • IEEE 802.3af: Power over Ethernet
    • IEEE 802.3at: Power over Ethernet Plus
    • IEEE 802.3x: Pause Frames/Flow Control
    • IEEE 802.3ah: Ethernet in the First Mile
     

    Spanning Tree

    • IEEE 802.1D: Spanning Tree Protocol
    • IEEE 802.1s: Multiple Spanning Tree Protocol (MSTP)
    • Number of MSTP instances supported: 64
    • Number of VLAN Spanning Tree Protocol (VSTP) instances supported: 253
    • IEEE 802.1w: Rapid reconfiguration of Spanning Tree Protocol
     

    Link Aggregation

    • IEEE 802.3ad: Link Aggregation Control Protocol
    • 802.3ad (LACP) support:
      • Number of LAGs supported: 128
      • Maximum number of ports per LAG: 8
    • LAG load-sharing algorithm for bridged or routed (unicast or multicast) traffic:
      • IP: S/D IP
      • TCP/UDP: S/D IP, S/D Port
      • Non-IP: S/D MAC
    • Tagged ports support in LAG
     

    Layer 3 Features: IPv4

    • Maximum number of ARP entries: 32,000
    • Maximum number of IPv4 unicast routes in hardware: 32,650 prefixes; 32,150 host routes
    • Maximum number of IPv4 multicast routes in hardware: 16,100 multicast routes
    • Routing protocols: RIPv1/v2, OSPF, BGP, IS-IS
    • Static routing
    • Routing policy
    • Bidirectional Forwarding Detection (BFD)
    • L3 redundancy: Virtual Router Redundancy Protocol (VRRP)
    • VRF-Lite
     

    Layer 3 Features: IPv6

    • Maximum number of neighbor discovery (ND) entries: 16,000
    • Maximum number of IPv6 unicast routes in hardware: 16,200 prefixes; 16,050 host routes
    • Maximum number of IPv6 multicast routes in hardware: 8000 multicast routes
    • Routing protocols: RIPng, OSPFv3, IPv6, IS-IS
    • Static routing
     

    Access Control Lists (ACLs) (Junos OS Firewall Filters)

    • ACL entries (ACE) in hardware per system:
      • Port-based ACL (PACL) ingress: 4092
      • VLAN-based ACL (VACL) ingress: 4092
      • Router-based ACL (RACL) ingress: 4092
      • Port-based ACL (PACL) egress: 1022
      • VLAN-based ACL (VACL) egress: 511
      • Egress across RACL: 1022
    • ACL counter for denied packets
    • ACL counter for permitted packets
    • Ability to add/remove/change ACL entries in middle of list (ACL editing)
    • L2-L4 ACL
     

    Access Security

    • 802.1X port-based
    • 802.1X multiple supplicants
    • 802.1X with VLAN assignment
    • 802.1X with authentication bypass access (based on host MAC address)
    • 802.1X with VoIP VLAN support
    • 802.1X dynamic ACL based on RADIUS attributes
    • 802.1X supported Extensible Authentication Protocol (EAP) types: Message Digest 5 (MD5), Transport Layer Security (TLS), Tunneled TLS (TTLS), Protected Extensible Authentication Protocol (PEAP)
    • MAC authentication (RADIUS)
    • Control plane DoS protection
    • RADIUS functionality over IPv6 for authentication, authorization, and accounting (AAA)
    • DHCPv6 snooping
    • IPv6 neighbor discovery
    • IPv6 source guard
    • IPv6 router advertisement (RA) guard
    • IPv6 Neighbor Discovery Inspection
     

    High Availability

    • GRES for Layer 2 hitless forwarding and Layer 3 protocols on RE failover
    • Graceful protocol restart (OSPF, BGP)
    • Layer 2 hitless forwarding on RE failover
    • Nonstop bridging: LACP, xSTP
    • Nonstop routing: PIM, OSPF v2 and v3, RIP v2, RIPng, BGP, BGPv6, IS-IS, IGMP v1, v2, v3
     

    Quality of Service

    • L2 QoS
    • L3 QoS
    • Ingress policing: 1 rate 2 color
    • Hardware queues per port: 12 (8 unicast + 4 multicast)
    • Scheduling methods (egress): Strict priority (SP), weighted deficit round-robin (WDRR)
    • 802.1p, DiffServ code point (DSCP)/IP precedence trust and marking
    • L2-L4 classification criteria: Interface, MAC address, Ethertype, 802.1p, VLAN, IP address, DSCP/IP precedence, TCP/UDP port numbers, and more
    • Congestion avoidance capabilities: Tail drop, weighted random early detection (WRED)
     

    Multicast

    • IGMP: v1, v2, v3
    • IGMP snooping
    • Multicast Listener Discovery (MLD) snooping
    • Protocol Independent Multicast-Sparse Mode (PIM-SM), PIM Source-Specific Mode (PIM-SSM), PIM Dense Mode (PIM-DM)
     

    Management and Analytics Platforms

    • Juniper Mist Wired Assurance for campus
    • Junos Space® Network Director for campus
    • Junos Space Management Applications
     

    Device Management and Operations

    • Junos OS CLI
    • Out-of-band management: Serial; 10/100/1000BASE-T Ethernet
    • Rescue configuration
    • Configuration rollback
    • Image rollback
    • RMON (RFC2819) groups 1, 2, 3, 9
    • Remote performance monitoring
    • SNMP: v1, v2c, v3
    • Network Time Protocol (NTP)
    • DHCP server
    • DHCP client and DHCP proxy
    • DHCP relay and helper
    • DHCP local server support
    • RADIUS
    • TACACS+
    • SSHv2
    • Secure copy
    • HTTP/HTTPS
    • Domain Name System (DNS) resolver
    • System logging
    • Temperature sensor
    • Configuration backup via FTP/secure copy

    Supported RFCs

    • RFC 768 UDP
    • RFC 783 TFTP
    • RFC 791 IP
    • RFC 792 ICMP
    • RFC 793 TCP
    • RFC 826 ARP
    • RFC 854 Telnet client and server
    • RFC 894 IP over Ethernet
    • RFC 903 RARP
    • RFC 906 TFTP Bootstrap
    • RFC 951, 1542 BootP
    • RFC 1027 Proxy ARP
    • RFC 1058 RIP v1
    • RFC 1112 IGMP v1
    • RFC 1122 Host Requirements
    • RFC 1195 Use of OSI IS-IS for Routing in TCP/IP and Dual Environments (TCP/IP transport only)
    • RFC 1256 IPv4 ICMP Router Discovery (IRDP)
    • RFC 1492 TACACS+
    • RFC 1519 CIDR
    • RFC 1587 OSPF NSSA Option
    • RFC 1591 DNS
    • RFC 1812 Requirements for IPv4 Routers
    • RFC 1981 Path MTU Discovery for IPv6
    • RFC 2030 SNTP, Simple Network Time Protocol
    • RFC 2068 HTTP server
    • RFC 2080 RIPng for IPv6
    • RFC 2131 BOOTP/DHCP relay agent and DHCP server
    • RFC 2138 RADIUS Authentication
    • RFC 2139 RADIUS Accounting
    • RFC 2154 OSPF w/Digital Signatures (password, MD-5)
    • RFC 2236 IGMP v2
    • RFC 2267 Network Ingress Filtering
    • RFC 2328 OSPF v2 (edge-mode)
    • RFC 2338 VRRP
    • RFC 2362 PIM-SM (edge-mode)
    • RFC 2370 OSPF Opaque LSA Option
    • RFC 2453 RIP v2
    • RFC 2460 Internet Protocol, Version 6 (IPv6) Specification
    • RFC 2461 Neighbor Discovery for IP Version 6 (IPv6)
    • RFC 2463 Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
    • RFC 2464 Transmission of IPv6 Packets over Ethernet Networks
    • RFC 2474 DiffServ Precedence, including 12 queues/port
    • RFC 2475 DiffServ Core and Edge Router Functions
    • RFC 2526 Reserved IPv6 Subnet Anycast Addresses
    • RFC 2597 DiffServ Assured Forwarding (AF)
    • RFC 2598 DiffServ Expedited Forwarding (EF)
    • RFC 2740 OSPF for IPv6
    • RFC 2925 MIB for Remote Ping, Trace
    • RFC 3176 sFlow
    • RFC 3376 IGMP v3
    • RFC 3484 Default Address Selection for Internet Protocol Version 6 (IPv6)
    • RFC 3513 Internet Protocol Version 6 (IPv6) Addressing Architecture
    • RFC 3569 draft-ietf-ssm-arch-06.txt PIM-SSM PIM Source Specific Multicast
    • RFC 3579 RADIUS EAP support for 802.1x
    • RFC 3618 Multicast Source Discovery Protocol (MSDP)
    • RFC 3623 OSPF Graceful Restart
    • RFC 4213 Basic Transition Mechanisms for IPv6 Hosts and Routers
    • RFC 4291 IPv6 Addressing Architecture
    • RFC 4443 ICMPv6 for the IPv6 Specification
    • RFC 4541 IGMP and MLD snooping services
    • RFC 4552 OSPFv3 Authentication
    • RFC 4861 Neighbor Discovery for IPv6
    • RFC 4862 IPv6 Stateless Address Autoconfiguration
    • RFC 4915 MT-OSPF
    • RFC 5095 Deprecation of Type 0 Routing Headers
    • RFC 5176 Dynamic Authorization Extensions to RADIUS
    • RFC 5798 VRRPv3 for IPv6
    • Draft-ietf-bfd-base-05.txt Bidirectional Forwarding Detection
    • Draft-ietf-idr-restart-10.txt Graceful Restart Mechanism
    • Draft-ietf-isis-restart-02 Restart Signaling for IS-IS
    • Draft-ietf-isis-wg-multi-topology-11 Multi Topology (MT) Routing in IS-IS for BGP
    • Internet draft-ietf-isis-ipv6-06.txt, Routing IPv6 with IS-IS
    • LLDP Media Endpoint Discovery (LLDP-MED), ANSI/TIA-1057, draft 08
    • PIM-DM Draft IETF PIM Dense Mode draft-ietf-idmr-pimdm-05.txt, draft-ietf-pim-dm-new-v2-04.txt
     

    Supported MIBs

    • RFC 1155 SMI
    • RFC 1157 SNMPv1
    • RFC 1212, RFC 1213, RFC 1215 MIB-II, Ethernet-Like MIB and TRAPs
    • RFC 1493 Bridge MIB
    • RFC 1643 Ethernet MIB
    • RFC 1657 BGP-4 MIB
    • RFC 1724 RIPv2 MIB
    • RFC 1850 OSPFv2 MIB
    • RFC 1905, RFC 1907 SNMP v2c, SMIv2 and Revised MIB-II
    • RFC 2011 SNMPv2 for Internet Protocol using SMIv2
    • RFC 2012 SNMPv2 for transmission control protocol using SMIv2
    • RFC 2013 SNMPv2 for user datagram protocol using SMIv2
    • RFC 2096 IPv4 Forwarding Table MIB
    • RFC 2287 System Application Packages MIB
    • RFC 2570–2575 SNMPv3, user based security, encryption, and authentication
    • RFC 2576 Coexistence between SNMP Version 1, Version 2, and Version 3
    • RFC 2578 SNMP Structure of Management Information MIB
    • RFC 2579 SNMP Textual Conventions for SMIv2
    • RFC 2665 Ethernet-like interface MIB
    • RFC 2787 VRRP MIB
    • RFC 2819 RMON MIB
    • RFC 2863 Interface Group MIB
    • RFC 2863 Interface MIB
    • RFC 2922 LLDP MIB
    • RFC 2925 Ping/Traceroute MIB
    • RFC 2932 IPv4 Multicast MIB
    • RFC 3413 SNMP Application MIB
    • RFC 3414 User-based Security model for SNMPv3
    • RFC 3415 View-based Access Control Model for SNMP
    • RFC 3621 PoE-MIB (PoE switches only)
    • RFC 4188 STP and Extensions MIB
    • RFC 4363 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering, and VLAN extensions
    • RFC 5643 OSPF v3 MIB support
    • Draft-blumenthal-aes-usm-08
    • Draft-reeder-snmpv3-usm-3desede-00
    • Draft-ietf-bfd-mib-02.txt
    • Draft-ietf-idmr-igmp-mib-13
    • Draft-ietf-idmr-pim-mib-09
    • Draft-ietf-idr-bgp4-mibv2-02.txt – Enhanced BGP-4 MIB
    • Draft-ietf-isis-wg-mib-07
     

    Troubleshooting

    • Debugging: CLI via console, Telnet, or SSH
    • Diagnostics: Show and debug command, statistics
    • Traffic mirroring (port)
    • Traffic mirroring (VLAN)
    • IP tools: Extended ping and trace
    • Juniper Networks commit and rollback
     

    Traffic Monitoring

    • ACL-based mirroring
    • Mirroring destination ports per system: 4
      • LAG port monitoring
      • Multiple destination ports monitored to 1 mirror (N:1)
    • Maximum number of mirroring sessions: 4
    • Mirroring to remote destination (over L2): 1 destination VLAN
     

    Safety and Compliance

    Electromagnetic Compatibility (EMC) Requirements

    • FCC 47 CFR Part 15
    • ICES-003 / ICES-GEN
    • EN 300 386 V1.6.1
    • EN 300 386 V2.1.1
    • EN 55032
    • CISPR 32
    • EN 55024
    • CISPR 24
    • EN 55035
    • CISPR 35
    • IEC/EN 61000 Series
    • AS/NZS CISPR 32
    • VCCI-CISPR 32
    • BSMI CNS 13438
    • KN 32 and KN 35
    • KN 61000 Series
    • TEC/SD/DD/EMC-221/05/OCT-16
    • TCVN 7189
    • TCVN 7317
     

    Safety Requirements Chassis and Optics

    • CAN/CSA-C22.2 No. 62368-1 and 60950-1
    • UL 62368-1 and 60950-1
    • IEC 62368-1 and 60950-1 (All country deviations): CB Scheme report
    • IEC 62368-3 for USB and PoE: CB Scheme report
    • CFR, Title 21, Chapter 1, Subchapter J, Part 1040
    • REDR c 1370 OR CAN/CSA-E 60825-1- Part 1
    • IEC 60825-1
    • IEC 60825-2
     

    Energy Efficiency

    • AT&T TEER (ATIS-06000015.03.2013)
    • ECR 3.0.1
    • ETSI ES 203 136 V.1.1.1
    • Verizon TEEER (VZ.TPR.9205)
     

    Environmental

    • Reduction of Hazardous Substances (ROHS) 6/6
     

    Telco

    • CLEI code
     

    Noise Specifications

    • Max Noise measurements based on operational tests taken from bystander position (front) and performed at 23° C in compliance with ISO 7779.
    Table 3: Acoustic noise (dBA) by model number
    • EX4100-F-12T: NA
    • EX4100-F-12P: NA
    • EX4100-F-24T: 35.4
    • EX4100-F-24P: 45.1
    • EX4100-F-48T: 37.1
    • EX4100-F-48P: 46.5
     

    Juniper Networks Services and Support

    Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https://www.juniper.net/us/en/products.html.  

    Ordering Information

    Product: Description
    • EX4100-F-12T: 12-port 10/100/1000BASE-T switch, 2x100Mb/1GbE/2.5GbE/5GbE/10GbE uplinks, 4x10GbE stacking/uplink ports, with Standard SW, optics sold separately
    • EX4100-F-12P: 12-port 10/100/1000BASE-T PoE+ switch, 2x100Mb/1GbE/2.5GbE/5GbE/10GbE uplinks, 4x10GbE stacking/uplink ports, with Standard SW, optics sold separately
    • EX4100-F-24T: 24-port 10/100/1000BASE-T switch, 4x1GbE/10GbE SFP/SFP+ uplinks, 4x10GbE stacking/uplink ports, with Standard SW, optics sold separately, TAA compliant
    • EX4100-F-24P: 24-port 10/100/1000BASE-T PoE+ switch, 4x1GbE/10GbE SFP/SFP+ uplinks, 4x10GbE stacking/uplink ports, with Standard SW, optics sold separately, TAA compliant
    • EX4100-F-48T: 48-port 10/100/1000BASE-T switch, 4x1GbE/10GbE SFP/SFP+ uplinks, 4x10GbE stacking/uplink ports, with Standard SW, optics sold separately, TAA compliant
    • EX4100-F-48P: 48-port 10/100/1000BASE-T PoE+ switch, 4x1GbE/10GbE SFP/SFP+ uplinks, 4x10GbE stacking/uplink ports, with Standard SW, optics sold separately, TAA compliant

    Perpetual Licenses
    • S-EX-A-C1-P: Software, EX Series Advanced license, Class 1 (12 ports), Perpetual license for EX4100-F 12-port switches
    • S-EX-P-C1-P: Software, EX Series Premium license, Class 1 (12 ports), Perpetual license for EX4100-F 12-port switches
    • S-EX-A-C2-P: Software, EX Series Advanced license, Class 2 (24 ports), Perpetual license for EX4100-F 24-port switches
    • S-EX-P-C2-P: Software, EX Series Premium license, Class 2 (24 ports), Perpetual license for EX4100-F 24-port switches
    • S-EX-A-C3-P: Software, EX Series Advanced license, Class 3 (32 or 48 ports), Perpetual license for EX4100-F 48-port switches
    • S-EX-P-C3-P: Software, EX Series Premium license, Class 3 (32 or 48 ports), Perpetual license for EX4100-F 48-port switches
    • S-EX4100-F-FBT-P: Software, EX Series Flow Based Telemetry license, Perpetual license for all EX4100-F switches

    Subscription Licenses
    • S-EX-A-C1-1: Software, EX Series Advanced license, Class 1 (12 ports), includes Juniper Mist Wired Assurance and VNA subscription for EX Series 12-port switches, 1 year
    • S-EX-A-C1-3: Software, EX Series Advanced license, Class 1 (12 ports), includes Juniper Mist Wired Assurance and VNA subscription for EX Series 12-port switches, 3 year
    S-EX-A-C1-5
  • Overview:

    The EX4400 line of Ethernet access switches offers secure, cloud-ready access for enterprise campus, branch, and data center networks, built for the AI era and optimized for the cloud. The platforms boost network performance and visibility, meeting the security demands of today's networks as well as those of the next decade. As part of the underlying infrastructure for Juniper Mist Wired Assurance, the EX4400 is purpose-built for, and managed by, the cloud. The switch leverages Mist AI to simplify operations and provide better visibility into the experience of connected devices, delivering a refreshing, user experience-first approach to access layer switching.

    The Juniper Networks EX4400 line of Ethernet switches offers a secure, cloud-ready portfolio of access switches ideal for enterprise branch, campus, and data center networks. The EX4400 switches combine the simplicity of the cloud, the power of Mist AI™, and a robust hardware foundation with best-in-class security and performance to deliver a differentiated approach to access switching in the cloud, mobile, and IoT era. With Juniper Mist™ Wired Assurance, the EX4400 can be effortlessly onboarded, configured, and managed from the cloud. This simplifies operations, improves visibility, and ensures a much better experience for connected devices. Key features of the EX4400 include:
    • Cloud-ready, driven by Mist AI with Juniper Mist Wired Assurance and Marvis Virtual Network Assistant
    • Ethernet VPN–Virtual Extensible LAN (EVPN-VXLAN) to the access layer
    • End-to-end encryption using Media Access Control Security (MACsec) AES256
    • IEEE 802.3bt Power over Ethernet (PoE++)
    • Standards-based microsegmentation using group-based policies (GBP)
    • Flow-based telemetry to monitor traffic flows for anomaly detection
    • 10-member Virtual Chassis support
    Offering a full suite of Layer 2 and Layer 3 capabilities, the EX4400 enables a variety of deployments, including campus, branch, and data center top-of-rack deployments. As requirements grow, Juniper’s Virtual Chassis technology allows up to 10 EX4400 switches to be seamlessly interconnected and managed as a single device, delivering a scalable, pay-as-you-grow solution for expanding network environments. The EX4400 line consists of the following SKUs:
    • The EX4400-48MP, which offers 12 x 100M/1/2.5/5/10GbE and 36 x 100M/1/2.5GbE PoE access ports, delivering up to 90 W per PoE port with an overall total 2200 W of PoE power budget (using two power supplies)
    • The EX4400-24MP, which offers 24 x 100M/1/2.5/5/10GbE PoE access ports, delivering up to 90 W per port with an overall total 1800 W of PoE power budget (using two power supplies)
    • The EX4400-48F, which offers 12 x 10GbE SFP+ and 36 x 1GbE SFP fiber access ports
    • The EX4400-24T, which offers 24 x 1GbE non-PoE access ports
    • The EX4400-24P, which offers 24 x 1GbE PoE access ports, delivering up to 90 W per port with an overall total 1440 W of PoE power budget (using two power supplies)
    • The EX4400-48T, which offers 48 x 1GbE non-PoE access ports
    • The EX4400-48P, which offers 48 x 1GbE PoE access ports, delivering up to 90 W per port with an overall total 1800 W of PoE power budget (using two power supplies)
    Each EX4400 model offers a choice of optional 4 x 1/10GbE SFP+ and a 4 x 10/25GbE SFP28 extension module. The EX4400 switches include two dedicated 100GbE ports to support virtual chassis connections, which can be reconfigured to be used as Ethernet ports for uplink connectivity. EX4400 switches also include high availability (HA) features such as redundant, hot-swappable power supplies and field-replaceable fans to ensure maximum uptime. In addition, PoE-enabled EX4400 switch models offer standards-based 802.3af/at/bt (PoE/PoE+/PoE++) for delivering up to 90 watts on any access port. The EX4400 switches can be configured to deliver fast PoE capability, which enables the switches to deliver PoE power to connected PoE devices within a few seconds of power being applied to the switches.

    Architecture and Key Components:

    Cloud Management with Juniper Mist Wired Assurance Driven by Mist AI

    EX4400 switches can be quickly and easily onboarded (Day 0), provisioned (Day 1), and managed (Day 2+) from the cloud with Juniper Mist Wired Assurance, which brings AI-powered automation and insights that optimize experiences for end users and connected devices. The EX4400 provides rich Junos® operating system telemetry data for Mist AI, which helps achieve simpler operations, shorter mean time to repair (MTTR), and streamlined troubleshooting. As a complementary service to Juniper Mist Wired Assurance, Marvis Virtual Network Assistant, a key part of The Self-Driving Network™, makes the Mist AI engine interactive. A digital extension of the IT team, Marvis offers automatic fixes or recommended actions, allowing IT teams to streamline how they troubleshoot and manage their network operations.

    EVPN-VXLAN Technology

    Most traditional campus networks have used a single-vendor, chassis-based architecture that worked well for smaller, static campuses with few endpoints. However, this approach is too rigid to support the scalability and changing needs of modern campus networks. The EX4400 supports EVPN-VXLAN, extending an end-to-end fabric from campus core to distribution to the access layer. An EVPN-VXLAN fabric is a simple, programmable, highly scalable architecture built on open standards. This technology can be applied in both data centers and campuses for architectural consistency. A campus EVPN-VXLAN architecture uses a Layer 3 IP-based underlay network and an EVPN-VXLAN overlay network. A flexible overlay network based on a VXLAN overlay with an EVPN control plane efficiently provides Layer 2 and/or Layer 3 connectivity throughout the network. EVPN-VXLAN also offers a scalable way to build and interconnect multiple campus sites, delivering:
    • Greater consistency and scalability across all network layers
    • Multivendor deployment support
    • Reduced flooding and learning
    • Location-agnostic connectivity
    • Consistent network segmentation
    • Simplified management

    Virtual Chassis Technology

    Juniper’s Virtual Chassis technology allows multiple interconnected switches to operate as a single, logical unit, enabling users to manage all platforms as one virtual device. Up to 10 EX4400 switches can be interconnected as a Virtual Chassis using two dedicated 100GbE rear-panel ports. Although configured as Virtual Chassis ports by default, the 100GbE uplinks can also be channelized as 4 x 10GbE/25GbE Ethernet uplink ports. The EX4400 switches can form a Virtual Chassis with any other models within the EX4400 product line.

    Figure 1: EX4400 Virtual Chassis configuration interconnected via dedicated rear-panel 100GbE ports

    Microsegmentation Using Group-Based Policy

    Group-based policies (GBP) leverage underlying VXLAN technology to provide location-agnostic endpoint access control. This allows network administrators to implement consistent security policies across the enterprise network domains. The EX4400 supports a standards-based GBP solution, allowing different levels of access control for endpoints and applications even within the same VLAN. Customers can simplify their network configuration by using GBP, avoiding the need to configure large numbers of firewall filters on all their switches. GBP can block lateral threats by ensuring consistent application of security group policies throughout the network, regardless of the location of endpoints and/or users.

    Flow-Based Telemetry

    Flow-based telemetry enables flow-level analytics, allowing network administrators to monitor thousands of traffic flows on the EX4400 without burdening the CPU. This improves network security by monitoring, baselining, and detecting flow anomalies. For example, if predefined flow thresholds are breached due to an attack, IP Flow Information Export (IPFIX) alerts can be sent to an external server so the attack can be quickly identified and remedial action initiated. Network administrators can automate specific workflows, such as further examining the traffic or quarantining a port, to triage the issue.  

    Features and Benefits:

    Simplified Operations with Juniper Mist Wired Assurance

    The EX4400 is fully cloud onboarded, provisioned, and managed by Juniper Mist Wired Assurance. The EX4400 is designed from the ground up to deliver the rich telemetry that enables AI for IT Operations (AIOps) with simplified operations from Day 0 to Day 2 and beyond. Juniper Mist Wired Assurance provides detailed switch insights for easier troubleshooting and improved time to resolution.

    Seamless Onboarding with Simplified Configuration and Automation (Day 0/1)

    • Claim a greenfield switch or adopt a brownfield switch with a single activation code for true plug-and-play simplicity
    • Learn the connectivity status of the switch without logging into a console via the cloud LED
    • Implement a template-based configuration model for bulk rollouts while retaining the flexibility and control required to apply custom site- or switch-specific attributes
    • Provision device and port profiles manually or automatically (dynamic port profiles)
    • Automate troubleshooting, ticketing, and more with support for open APIs for third-party integrations

    AI-Driven Operations (Day 2+)

    • Monitor and measure wired service-level expectations such as throughput, successful connects, and switch health with key pre- and post-connection metrics (see Figure 2)
    • Get insights into how switches are performing with device-level metrics such as CPU, memory utilization, and Virtual Chassis status
    • Leverage Marvis Actions for self-driving capabilities to detect Spanning Tree Protocol (STP) loops, add missing VLANs, fix misconfigured ports, or identify bad cables (see Figure 3)

    Figure 2: Juniper Mist Wired Assurance service-level expectations screen

    Figure 3: Marvis Actions for wired switches

    Campus Fabric Deployments

    EVPN-VXLAN for Campus Core, Distribution, and Access

    The EX4400 switches can be deployed in campus and branch access layer networks or as top-of-rack switches in data center environments using 10GbE/25GbE uplinks to support technologies such as EVPN multihoming. Juniper’s campus fabrics support the following validated architectures:
    • EVPN multihoming (collapsed core or distribution): A collapsed core architecture combines the core and distribution layers into a single switch, turning the traditional three-tier hierarchical network into a two-tier network. This eliminates the need for STP across the campus network by providing multihoming capabilities from the access to the core layer.
    • Core/distribution: A pair of interconnected EX Series core or distribution switches provide L2 EVPN and L3 VXLAN gateway support. The IP Clos network between the distribution and core layers offers two modes: centrally or edge routed bridging overlay.
    • IP Clos: The IP Clos architecture pushes VXLAN Layer 2 gateway functionality to the access layer. This model is also referred to as “end-to-end,” given that VXLAN tunnels are terminated at the access layer where the EX4400 is deployed.
    In all the above EVPN-VXLAN deployment modes, EX4400 switches can be used in standalone or Virtual Chassis configurations.

    Chassis-Class Availability

    The EX4400 switches deliver high availability through redundant power supplies and fans, graceful Routing Engine switchover (GRES), and nonstop bridging and routing when deployed in a Virtual Chassis configuration. In a Virtual Chassis configuration, each EX4400 switch is capable of functioning as a Routing Engine. When two or more EX4400 switches are interconnected, a single control plane is shared among all Virtual Chassis member switches. Junos OS automatically initiates an election process to assign a master (active) and backup (hot-standby) RE. An integrated L2 and L3 GRES feature maintains uninterrupted access to applications, services, and IP communications in the unlikely event of a primary RE failure.

    When more than two switches are interconnected in a Virtual Chassis configuration, the remaining switch elements act as line cards and are available to assume the backup RE position should the designated master fail. Master, backup, and line card priority status can be assigned to dictate the order of ascension; this N+1 RE redundancy, coupled with the GRES, nonstop active routing (NSR), and nonstop bridging (NSB) capabilities of Junos OS, assures a smooth transfer of control plane functions following unexpected failures.

    The EX4400 implements the same slot/module/port numbering schema as other Juniper Networks chassis-based products when numbering Virtual Chassis ports, providing true chassis-like operations. By using a consistent operating system and a single configuration file, all switches in a Virtual Chassis configuration are treated as a single device, simplifying overall system maintenance and management. Individually, the EX4400 offers a number of HA features that are typically associated with modular chassis-based switches. When combined with the field-proven Junos OS and L2/L3 failover capabilities, these features provide the EX4400 with true carrier-class reliability.
    • Redundant power supplies: The EX4400 line of Ethernet switches supports redundant, load-sharing, hot-swappable, and field-replaceable power supplies to maintain uninterrupted operations. Thanks to its compact footprint, the EX4400 requires significantly less power than chassis-based switches delivering equivalent port densities.
    • Hot-swappable fans: The EX4400 includes hot-swappable fans, providing sufficient cooling (for a short duration) even if one of the fans were to fail.
    • Nonstop bridging and nonstop active routing: NSB and NSR on the EX4400 ensure that control plane protocols, states, and tables are synchronized between primary and standby REs to prevent protocol flaps or convergence issues following a Routing Engine failover.
    • Redundant trunk group (RTG): To avoid the complexities of Spanning Tree Protocol (STP) without sacrificing network resiliency, the EX4400 employs redundant trunk groups to provide the necessary port redundancy and simplify switch configuration.
    • Cross-member link aggregation: Cross-member link aggregation allows redundant link aggregation connections between devices in a single Virtual Chassis configuration, providing an additional level of reliability and availability.
    • IPv4 and IPv6 routing support: IPv4 and IPv6 Layer 3 routing (OSPF and BGP) is available with an Enhanced license, enabling highly resilient networks.

    Figure 4: Campus fabrics showing Virtual Chassis and EVPN-VXLAN-based architectures

    MACsec AES256

    The EX4400 switches support IEEE 802.1ae MACsec with AES256-bit encryption to increase security of point-to-point traffic communications. MACsec provides encrypted communication at the link layer that is capable of identifying and preventing threats from denial of service (DoS) and other intrusion attacks, as well as man-in-the-middle, masquerading, passive wiretapping, and playback attacks launched from behind the firewall. When MACsec is deployed on all ports, the traffic is encrypted on the wire, but the traffic inside the switch is not. This allows the switch to apply network policies such as quality of service (QoS) or deep packet inspection (DPI) to each packet without compromising the security of packets on the wire. On the EX4400 switches, the MACsec AES-256 encryption capability is supported on all user-facing interfaces as well as the 10/25GbE extension modules.

    PoE/PoE+/PoE++ Power and Fast PoE

    The EX4400 delivers PoE for supporting connected devices such as phones, surveillance cameras, IoT devices, and 802.11AX/Wi-Fi 6 access points, offering a PoE power budget of up to 1800 W and supporting up to 90 W per port based on the IEEE 802.3bt PoE standard. The EX4400 switches also support a fast PoE capability that delivers PoE power to connected endpoints during a switch reboot, even before the switch is fully operational. This is especially beneficial in situations where the endpoint only needs the power and is not necessarily dependent on network connectivity.

    Junos Telemetry Interface

    The EX4400 supports Junos telemetry interface (JTI), a modern telemetry streaming feature designed for switch health and performance monitoring. Sensor data can be streamed at configurable periodic intervals to a management system, enabling network administrators to monitor individual link and node utilization as well as troubleshoot issues such as network congestion in real time. JTI delivers the following features:
    • Performance management by provisioning sensors to collect and stream data and analyze application and workload flow paths through the network
    • Capacity planning and optimization by proactively detecting hotspots and monitoring latency and microbursts
    • Troubleshooting and root cause analysis via high-frequency monitoring and correlation of overlay and underlay networks

    Junos Operating System

    The EX4400 switches run Junos OS, Juniper’s powerful and robust network operating system that powers all Juniper switches, routers, and firewalls. By utilizing a common operating system, Juniper delivers a consistent implementation and operation of control plane features across all products. To maintain that consistency, Junos OS adheres to a highly disciplined development process that uses a single source code and employs a highly available modular architecture that prevents isolated failures from bringing down an entire system. These attributes are fundamental to the core value of the software, enabling all Junos OS-powered products to be updated simultaneously with the same software release. All features are fully regression tested, making each new release a true superset of the previous version. Customers can deploy the software with complete confidence that all existing capabilities are maintained and operate in the same way.

    Flex Licensing

    Juniper Flex licensing offers a common, simple, and flexible licensing model for EX Series access switches, enabling customers to purchase features based on their network and business needs. Flex licensing is offered in Standard, Advanced, and Premium tiers. Standard tier features are available with the Junos OS image that ships with EX Series switches. Additional features can be unlocked with the purchase of a Flex Advanced or Flex Premium license. The Flex and Premium licenses for the EX Series platforms are class-based, determined by the number of access ports on the switch. Class 1 (C1) switches have 12 ports, Class 2 (C2) switches have 24 ports, and Class 3 (C3) switches have 32 or 48 ports. The EX4400 switches support both subscription and perpetual Flex licenses. Subscription licenses are offered for three- and five-year terms. In addition to Junos OS features, the Flex Advanced and Premium subscription licenses include Juniper Mist Wired Assurance. Flex Advanced and Premium subscription licenses also allow portability across the same tier and class of switches, ensuring investment protection for the customer.  

    Product Options:

     
    EX4400 Line of Ethernet Switches
    | Model | Access Port Configuration | PoE++ Ports | PoE++ Budget 1 PSU/2 PSU | 10GbE Ports (max. with module) | 25GbE Ports (max. with module) | 100GbE Ports | Power Supply Rating | Cooling |
    |---|---|---|---|---|---|---|---|---|
    | EX4400-48P | 48-port 10/100/1000BASE-T | 48 | 1290 W/1800 W | 0 (4) | 0 (4) | 2 | 1600 W AC | AFO (Front-to-back airflow) |
    | EX4400-24P | 24-port 10/100/1000BASE-T | 24 | 788 W/1440 W | 0 (4) | 0 (4) | 2 | 1050 W AC | AFO (Front-to-back airflow) |
    | EX4400-48T | 48-port 10/100/1000BASE-T | 0 | N/A | 0 (4) | 0 (4) | 2 | 550 W AC | AFO (Front-to-back airflow) |
    | EX4400-24T | 24-port 10/100/1000BASE-T | 0 | N/A | 0 (4) | 0 (4) | 2 | 550 W AC | AFO (Front-to-back airflow) |
    | EX4400-48F | 48-port 10/100/1000BASE-T | 0 | N/A | 12 (16) | 0 (4) | 2 | 550 W AC | AFO (Front-to-back airflow) |
    | EX4400-24MP | 24x-port 100M/1/2.5/5/10GbE | 24 | 780 W/1800 W | 24 (28) | 0 (4) | 2 | 1050 W AC | AFO (Front-to-back airflow) |
    | EX4400-48MP | 48-port GbE (12x100M/1/2.5/5/10GbE + 36x100M/1/2.5GbE) | 48 | 1300 W/2200 W | 12 (16) | 0 (4) | 2 | 1600 W AC | AFO (Front-to-back airflow) |
    | EX4400-48T-AFI | 48-port 10/100/1000BASE-T | 0 | N/A | 0 (4) | 0 (4) | 2 | 550 W AC | AFI (Back-to-front airflow) |
    | EX4400-24T-AFI | 24-port 10/100/1000BASE-T | 0 | N/A | 0 (4) | 0 (4) | 2 | 550 W AC | AFI (Back-to-front airflow) |
    | EX4400-48T-DC | 48-port 10/100/1000BASE-T | 0 | N/A | 0 (4) | 0 (4) | 2 | 550 W DC | AFO (Front-to-back airflow) |
    | EX4400-48T-DC-AFI | 48-port 10/100/1000BASE-T | 0 | N/A | 0 (4) | 0 (4) | 2 | 550 W DC | AFI (Back-to-front airflow) |
    | EX4400-24T-DC | 24-port 10/100/1000BASE-T | 0 | N/A | 0 (4) | 0 (4) | 2 | 550 W DC | AFO (Front-to-back airflow) |
    | EX4400-24T-DC-AFI | 24-port 10/100/1000BASE-T | 0 | N/A | 0 (4) | 0 (4) | 2 | 550 W DC | AFI (Back-to-front airflow) |
    | EX4400-48F-AFI | 12-port 1000/10000BASE-X + 36-port 100/1000BASE-X | 0 | N/A | 12 (16) | 0 (4) | 2 | 550 W AC | AFI (Back-to-front airflow) |
    | EX4400-48F-DC-AFI | 12-port 1000/10000BASE-X + 36-port 100/1000BASE-X | 0 | N/A | 12 (16) | 0 (4) | 2 | 550 W DC | AFI (Back-to-front airflow) |
    | EX4400-48F-DC | 12-port 1000/10000BASE-X + 36-port 100/1000BASE-X | 0 | N/A | 12 (16) | 0 (4) | 2 | 550 W DC | AFO (Front-to-back airflow) |

    EX4400 Spare Chassis SKUs

    The EX4400 also offers spare chassis options without power supplies or fans, providing customers with the flexibility to stock SKUs. See the Ordering Information section for additional details.
    EX4400 Spare Chassis SKUs
    | Spare Chassis SKU | Description | JPSU-550-C-AC-AFO + EX4400-FAN | JPSU-550-C-AC-AFI + EX4400-FAN-AFI | JPSU-550-C-DC-AFO + EX4400-FAN | JPSU-550-C-DC-AFI + EX4400-FAN-AFI | JPSU-1050-C-AC-AFO + EX4400-FAN | JPSU-1600-C-AC-AFO + EX4400-FAN |
    |---|---|---|---|---|---|---|---|
    | EX4400-48P-S | Spare chassis, 48-port 10/100/1000BASE-T | X | X | X | X | X | Y |
    | EX4400-24P-S | Spare chassis, 24-port 10/100/1000BASE-T | X | X | X | X | Y | X |
    | EX4400-48T-S | Spare chassis, 48-port 10/100/1000BASE-T | Y | Y | Y | Y | X | X |
    | EX4400-24T-S | Spare chassis, 24-port 10/100/1000BASE-T | Y | Y | Y | Y | X | X |
    | EX4400-48F-S | Spare chassis, 12-port 1000/10000BASE-X + 36-port 100/1000BASE-X | Y | Y | Y | Y | X | X |
    | EX4400-24MP-S | Spare chassis, 24x100M/1/2.5/5/10GbE ports | Y | X | X | X | X | X |
    | EX4400-48MP-S | Spare chassis, 12 x 100M/1/2.5/5/10GbE + 36x100M/1/2.5GbE ports | X | Y | X | X | X | X |

    Y = supported; X = not supported

    Specifications:

     
    Model: EX4400-24P
    Physical Specifications
    Backplane: 400 Gbps Virtual Chassis interconnect to combine up to 10 units as a single logical device
    Extension Module Options
    • EX4400-EM-4S, 4 port SFP+
    • EX4400-EM-4Y, 4 port SFP28
    Dimensions (W x H x D)
    • With power supply installed: 17.39 x 1.72 x 16.93 in. (44.17 x 4.37 x 43 cm)
    • With power supply, extension module, and fan module: 17.39 x 1.72 x 17.26 in. (44.17 x 4.37 x 43.84 cm)
    • Height: 1 U
    Weight
    • EX4400 switch (with no power supply or fan module): 13.01 lb (5.9 kg)
    • 550 W AC power supply: 1.76 lb (0.8 kg)
    • 550 W DC power supply: 1.65 lb (0.75 kg)
    • 1050 W AC power supply: 1.98 lb (0.9 kg)
    • 1600 W AC power supply: 2.0 lb (0.91 kg)
    • EX4400-EM-4S: 0.2 lb (0.09 kg)
    • EX4400-EM-4Y: 0.29 lb (0.13 kg)
    • Fan module: 0.26 lb (0.12 kg)
    Hardware Specifications
    Switching Engine Model: Store and forward
    Memory
    • DRAM: 4 GB with Error Correcting Code (ECC) on all models
    • Storage: 20 GB on all models
    CPU: 2.2 GHz Quad-Core Intel x86 CPU
    GbE port density per system
    • 30 (24 1GbE host ports + 2 100GbE ports + optional 4 port 1GbE/10GbE or 10/25GbE extension module)
    • 100GbE port density per system:
      • All models: 2
    Physical Layer
    • Time domain reflectometry (TDR) for detecting cable breaks and shorts
    • Auto medium-dependent interface/medium-dependent interface crossover (MDI/MDIX) support
    • Port speed downshift/setting maximum advertised speed on 10/100/1000BASE-T ports
    • Digital optical monitoring for optical ports
    Packet Switching Capacities (Maximum with 64 Byte Packets): 324 Gbps (unidirectional)/648 Gbps (bidirectional)
    Power Options
    Power Supply Rating: Autosensing; 100-120 V/200-240 V; 550 W, 1050 W, 1600 W AC AFO and 550 W AC AFI dual load-sharing hot-swappable internal redundant power supplies
    Maximum Current Inrush: 30 amps
    DC power supply: 550 W DC AFO and 550 W DC AFI; input voltage range 48-60 V max; dual load-sharing hot-swappable internal redundant power supplies
    Minimum number of PSUs required for fully loaded chassis: 1 per switch
    Environment
    Operating Temperature: 32° to 113° F (0° to 45° C)
    Storage Temperature: -40° to 158° F (-40° to 70° C)
    Relative Humidity (Operating): 5% to 90% (noncondensing)
    Relative Humidity (Non-Operating): 0% to 90% (noncondensing)
    Altitude (Operating): Up to 6000 ft at 40° C (1828.8 m)
    Altitude (Non-Operating): Up to 16,000 ft (4,877 m)
    Cooling
    Field-replaceable fans: 2
    Total maximum airflow throughput with two power supplies: 61 CFM
    Safety and Compliance
    Electromagnetic Compatibility (EMC) Requirements
    • FCC 47 CFR Part 15
    • ICES-003 / ICES-GEN
    • EN 300 386 V1.6.1
    • EN 300 386 V2.1.1
    • EN 55032
    • CISPR 32
    • EN 55024
    • CISPR 24
    • EN 55035
    • CISPR 35
    • IEC/EN 61000 Series
    • AS/NZS CISPR 32
    • VCCI-CISPR 32
    • BSMI CNS 13438
    • KN 32 and KN 35
    • KN 61000 Series
    • TEC/SD/DD/EMC-221/05/OCT-16
    • TCVN 7189
    • TCVN 7317
    Safety Requirements Chassis and Optics
    • CAN/CSA-C22.2 No. 62368-1 and 60950-1
    • UL 62368-1 and 60950-1
    • IEC 62368-1 and 60950-1 (All country deviations): CB Scheme report
    • IEC 62368-3 for USB and PoE: CB Scheme report
    • CFR, Title 21, Chapter 1, Subchapter J, Part 1040
    • REDR c 1370 OR CAN/CSA-E 60825-1- Part 1
    • IEC 60825-1
    • IEC 60825-2
    Energy Efficiency
    • AT&T TEER (ATIS-06000015.03.2013)
    • ECR 3.0.1
    • ETSI ES 203 136 V.1.1.1
    • Verizon TEEER (VZ.TPR.9205)
    Environmental: Reduction of Hazardous Substances (ROHS) 6/6
    Telco: CLEI code
    Noise Specifications: Noise measurements based on operational tests taken from bystander position (front) and performed at 23° C in compliance with ISO 7779

    Additional Feature Specifications:

    Security
    • MAC limiting (per port and per VLAN)
    • Allowed MAC addresses: 112,000
    • Dynamic Address Resolution Protocol (ARP) inspection (DAI)
    • IP source guard
    • Local proxy ARP
    • Static ARP support
    • Dynamic Host Configuration Protocol (DHCP) snooping
    • Captive portal
    • Persistent MAC address configurations
    • Distributed denial of service (DDoS) protection (CPU control path flooding protection)
    Layer 2 Switching
    • Maximum MAC addresses per system: 112,000
    • Jumbo frames: 9,216 Bytes
    • Number of VLANs: 4,093
    • Range of possible VLAN IDs: 1 to 4094
    • Virtual Spanning Tree (VST) instances: 510
    • Port-based VLAN
    • Voice VLAN
    • Physical port redundancy: Redundant trunk group (RTG)
    • Compatible with Per-VLAN Spanning Tree Plus (PVST+)
    • Routed VLAN Interface (RVI)
    • Uplink Failure Detection (UFD)
    • ITU-T G.8032 Ethernet Ring Protection Switching
    • IEEE 802.1AB: Link Layer Discovery Protocol (LLDP)
    • LLDP-MED with VoIP integration
    • Default VLAN and multiple VLAN range support
    • MAC learning deactivate
    • Persistent MAC learning (sticky MAC)
    • MAC notification
    • Private VLANs (PVLANs)
    • Explicit congestion notification (ECN)
    • Layer 2 protocol tunneling (L2PT)
    • IEEE 802.1ak: Multiple VLAN Registration Protocol (MVRP)
    • IEEE 802.1p: CoS prioritization
    • IEEE 802.1Q: VLAN tagging
    • IEEE 802.1X: Port Access Control
    • IEEE 802.1ak: Multiple Registration Protocol
    • IEEE 802.3: 10BASE-T
    • IEEE 802.3u: 100BASE-T
    • IEEE 802.3ab: 1000BASE-T
    • IEEE 802.3z: 1000BASE-X
    • IEEE 802.3ae: 10-Gigabit Ethernet
    • IEEE 802.3by: 25-Gigabit Ethernet
    • IEEE 802.3af: Power over Ethernet
    • IEEE 802.3at: Power over Ethernet Plus
    • IEEE 802.3bt: 90 W Power over Ethernet
    • IEEE 802.3x: Pause Frames/Flow Control
    • IEEE 802.3ah: Ethernet in the First Mile
    Spanning Tree
    • IEEE 802.1D: Spanning Tree Protocol
    • IEEE 802.1s: Multiple instances of Spanning Tree Protocol (MSTP)
    • Number of MST instances supported: 64
    • Number of VLAN Spanning Tree Protocol (VSTP) instances supported: 510
    • IEEE 802.1w: Rapid reconfiguration of Spanning Tree Protocol
    Link Aggregation
    • IEEE 802.3ad: Link Aggregation Control Protocol
    • 802.3ad (LACP) support:
      • Number of LAGs supported: 128
      • Maximum number of ports per LAG: 16
    • LAG load-sharing algorithm bridged or routed (unicast or multicast) traffic:
      • IP: S/D IP
      • TCP/UDP: S/D IP, S/D Port
      • Non-IP: S/D MAC
    • Tagged ports support in LAG
    Layer 3 Features: IPv4
    • Maximum number of ARP entries: 24,000
    • Maximum number of IPv4 unicast routes in hardware: 130,048 prefixes; 81,000 host routes
    • Maximum number of IPv4 multicast routes in hardware: 40,000 multicast routes
    • Routing protocols: RIPv1/v2, OSPF, BGP, IS-IS
    • Static routing
    • Routing policy
    • Bidirectional Forwarding Detection (BFD)
    • Layer 3 redundancy: Virtual Router Redundancy Protocol (VRRP)
    • VRF-Lite
    Layer 3 Features: IPv6
    • Maximum number of Neighbor Discovery (ND) entries: 12,000
    • Maximum number of IPv6 unicast routes in hardware: 87,000 prefixes; 40,000 host routes
    • Maximum number of IPv6 multicast routes in hardware: 20,000 multicast routes
    • Routing protocols: RIPng, OSPFv3, IPv6, ISIS
    • Static routing
    Access Control Lists (ACLs) (Junos OS Firewall Filters)
    • Port-based ACL (PACL): Ingress and egress
    • VLAN-based ACL (VACL): Ingress and egress
    • Router-based ACL (RACL): Ingress and egress
    • ACL entries (ACE) in hardware per system:
      • Port-based ACL (PACL) ingress: 2048
      • VLAN-based ACL (VACL) ingress: 2048
      • Router-based ACL (RACL) ingress: 2048
      • Egress shared across PACL and VACL: 512
      • Egress across RACL: 1024
    • ACL counter for denied packets
    • ACL counter for permitted packets
    • Ability to add/remove/change ACL entries in middle of list (ACL editing)
    • L2-L4 ACL
    Access Security
    • 802.1X port-based
    • 802.1X multiple supplicants
    • 802.1X with VLAN assignment
    • 802.1X with authentication bypass access (based on host MAC address)
    • 802.1X with VoIP VLAN support
    • 802.1X dynamic ACL based on RADIUS attributes
    • 802.1X supported Extensible Authentication Protocol (EAP) types: Message Digest 5 (MD5), Transport Layer Security (TLS), Tunneled TLS (TTLS), Protected Extensible Authentication Protocol (PEAP)
    • MAC authentication (RADIUS)
    • Control plane DoS protection
    • RADIUS functionality over IPv6 for authentication, authorization, and accounting (AAA)
    • DHCPv6 snooping
    • IPv6 neighbor discovery
    • IPv6 source guard
    • IPv6 RA guard
    • IPv6 Neighbor Discovery Inspection
    • Media Access Control security (MACsec)
    High Availability
    • Redundant, hot-swappable power supplies
    • Redundant, field-replaceable, hot-swappable fans
    • Graceful Routing Engine switchover (GRES) for Layer 2 hitless forwarding and Layer 3 protocols on RE failover
    • Graceful protocol restart (OSPF, BGP)
    • Layer 2 hitless forwarding on RE failover
    • Non-Stop Bridging - LACP, xSTP
    • Non-Stop Routing - PIM, OSPF v2 and v3, RIP v2, RIPng, BGP, BGPv6, ISIS, IGMP v1, v2, v3
    • Online insertion and removal (OIR) uplink module
    Quality of Service
    • Layer 2 QoS
    • Layer 3 QoS
    • Ingress policing: 1 rate 2 color
    • Hardware queues per port: 12 (8 unicast + 4 multicast)
    • Scheduling methods (egress): Strict priority (SP), weighted deficit round robin (wDRR)
    • 802.1p, DiffServ code point (DSCP)/IP Precedence trust and marking
    • L2-L4 classification criteria: Interface, MAC address, Ethertype, 802.1p, VLAN, IP address, DSCP/IP Precedence, TCP/UDP port numbers, and more
    • Congestion avoidance capabilities: Tail drop, weighted random early detection (wRED)
    Multicast
    • IGMP: v1, v2, v3
    • IGMP snooping
    • Multicast Listener Discovery (MLD) snooping
    • Protocol Independent Multicast-Sparse Mode (PIM-SM), PIM Source-Specific Mode (PIM-SSM), PIM Dense Mode (PIM-DM)
    Traffic Monitoring
    • ACL-based mirroring
    • Mirroring destination ports per system: 1
      • LAG port monitoring
      • Multiple destination ports monitored to 1 mirror (N:1)
    • Maximum number of mirroring sessions: 4
    • Mirroring to remote destination (over L2): 1 destination VLAN
    Services and Manageability
    • Juniper Mist Wired Assurance
    • Junos OS CLI
    • Junos Space Management Applications
    • Junos Space Network Director
    • Junos Space Service Now for automated fault detection, simplified trouble ticket management, and streamlined operations
    • Out-of-band management: Serial; 10/100/1000BASE-T Ethernet
    • ASCII configuration
    • Rescue configuration
    • Configuration rollback
    • Image rollback
    • RMON (RFC2819) groups 1, 2, 3, 9
    • Remote performance monitoring
    • SNMP: v1, v2c, v3
    • Network Time Protocol (NTP)
    • DHCP server
    • DHCP client and DHCP proxy
    • DHCP relay and helper
    • DHCP local server support
    • RADIUS
    • TACACS+
    • SSHv2
    • Secure copy
    • HTTP/HTTPS
    • Domain Name System (DNS) resolver
    • System logging
    • Temperature sensor
    • Configuration backup via FTP/secure copy
    Supported RFCs
    • RFC 768 UDP
    • RFC 783 TFTP
    • RFC 791 IP
    • RFC 792 ICMP
    • RFC 793 TCP
    • RFC 826 ARP
    • RFC 854 Telnet client and server
    • RFC 894 IP over Ethernet
    • RFC 903 RARP
    • RFC 906 TFTP Bootstrap
    • RFC 951, 1542 BootP
    • RFC 1027 Proxy ARP
    • RFC 1058 RIP v1
    • RFC 1112 IGMP v1
    • RFC 1122 Host Requirements
    • RFC 1195 Use of OSI IS-IS for Routing in TCP/IP and Dual Environments (TCP/IP transport only)
    • RFC 1256 IPv4 ICMP Router Discovery (IRDP)
    • RFC 1492 TACACS+
    • RFC 1519 CIDR
    • RFC 1587 OSPF NSSA Option
    • RFC 1591 DNS
    • RFC 1812 Requirements for IP Version 4 Routers
    • RFC 1981 Path MTU Discovery for IPv6
    • RFC 2030 SNTP, Simple Network Time Protocol
    • RFC 2068 HTTP server
    • RFC 2080 RIPng for IPv6
    • RFC 2131 BOOTP/DHCP relay agent and DHCP server
    • RFC 2138 RADIUS Authentication
    • RFC 2139 RADIUS Accounting
    • RFC 2154 OSPF w/Digital Signatures (Password, MD-5)
    • RFC 2236 IGMP v2
    • RFC 2267 Network Ingress Filtering
    • RFC 2328 OSPF v2 (Edge-mode)
    • RFC 2338 VRRP
    • RFC 2362 PIM-SM (Edge-mode)
    • RFC 2370 OSPF Opaque LSA Option
    • RFC 2453 RIP v2
    • RFC 2460 Internet Protocol, Version 6 (IPv6) Specification
    • RFC 2461 Neighbor Discovery for IP Version 6 (IPv6)
    • RFC 2463 Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
    • RFC 2464 Transmission of IPv6 Packets over Ethernet Networks
    • RFC 2474 DiffServ Precedence, including 12 queues/port
    • RFC 2475 DiffServ Core and Edge Router Functions
    • RFC 2526 Reserved IPv6 Subnet Anycast Addresses
    • RFC 2597 DiffServ Assured Forwarding (AF)
    • RFC 2598 DiffServ Expedited Forwarding (EF)
    • RFC 2740 OSPF for IPv6
    • RFC 2925 MIB for Remote Ping, Trace
    • RFC 3176 sFlow
    • RFC 3376 IGMP v3
    • RFC 3484 Default Address Selection for Internet Protocol Version 6 (IPv6)
    • RFC 3513 Internet Protocol Version 6 (IPv6) Addressing Architecture
    • RFC 3569 draft-ietf-ssm-arch-06.txt PIM-SSM PIM Source Specific Multicast
    • RFC 3579 RADIUS EAP support for 802.1x
    • RFC 3618 Multicast Source Discovery Protocol (MSDP)
    • RFC 3623 OSPF Graceful Restart
    • RFC 4213 Basic Transition Mechanisms for IPv6 Hosts and Routers
    • RFC 4291 IP Version 6 Addressing Architecture
    • RFC 4443 ICMPv6 for the IPv6 Specification
    • RFC 4541 IGMP and MLD snooping services
    • RFC 4861 Neighbor Discovery for IPv6
    • RFC 4862 IPv6 Stateless Address Autoconfiguration
    • RFC 4915 MT-OSPF
    • RFC 5176 Dynamic Authorization Extensions to RADIUS
    • RFC 5798 VRRPv3 for IPv6
    • Draft-ietf-bfd-base-05.txt Bidirectional Forwarding Detection
    • Draft-ietf-idr-restart-10.txt Graceful Restart Mechanism
    • Draft-ietf-isis-restart-02 Restart Signaling for IS-IS
    • Draft-ietf-isis-wg-multi-topology-11 Multi Topology (MT) Routing in IS-IS for BGP
    • Internet draft-ietf-isis-ipv6-06.txt, Routing IPv6 with IS-IS
    • LLDP Media Endpoint Discovery (LLDP-MED), ANSI/TIA-1057, draft 08
    • PIM-DM Draft IETF PIM Dense Mode draft-ietf-idmr-pim-dm-05.txt, draft-ietf-pim-dm-new-v2-04.txt
    Supported MIBs
    • RFC 1155 SMI
    • RFC 1157 SNMPv1
    • RFC 1212, RFC 1213, RFC 1215 MIB-II, Ethernet-Like MIB and TRAPs
    • RFC 1493 Bridge MIB
    • RFC 1643 Ethernet MIB
    • RFC 1657 BGP-4 MIB
    • RFC 1724 RIPv2 MIB
    • RFC 1850 OSPFv2 MIB
    • RFC 1905 RFC 1907 SNMP v2c, SMIv2 and Revised MIB-II
    • RFC 2011 SNMPv2 for Internet Protocol using SMIv2
    • RFC 2012 SNMPv2 for transmission control protocol using SMIv2
    • RFC 2013 SNMPv2 for user datagram protocol using SMIv2
    • RFC 2096 IPv4 Forwarding Table MIB
    • RFC 2287 System Application Packages MIB
    • RFC 2570 – 2575 SNMPv3, user based security, encryption, and authentication
    • RFC 2576 Coexistence between SNMP Version 1, Version 2, and Version 3
    • RFC 2578 SNMP Structure of Management Information MIB
    • RFC 2579 SNMP Textual Conventions for SMIv2
    • RFC 2665 Ethernet-like interface MIB
    • RFC 2787 VRRP MIB
    • RFC 2819 RMON MIB
    • RFC 2863 Interface Group MIB
    • RFC 2863 Interface MIB
    • RFC 2922 LLDP MIB
    • RFC 2925 Ping/Traceroute MIB
    • RFC 2932 IPv4 Multicast MIB
    • RFC 3413 SNMP Application MIB
    • RFC 3414 User-based Security model for SNMPv3
    • RFC 3415 View-based Access Control Model for SNMP
    • RFC 3621 PoE-MIB (PoE switches only)
    • RFC 4188 STP and Extensions MIB
    • RFC 4363 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering, and VLAN extensions
    • RFC 5643 OSPF v3 MIB support
    • Draft-blumenthal-aes-usm-08
    • Draft-reeder-snmpv3-usm-3desede-00
    • Draft-ietf-bfd-mib-02.txt
    • Draft-ietf-idmr-igmp-mib-13
    • Draft-ietf-idmr-pim-mib-09
    • Draft-ietf-idr-bgp4-mibv2-02.txt – Enhanced BGP-4 MIB
    • Draft-ietf-isis-wg-mib-07
    Troubleshooting
    • Debugging: CLI via console, Telnet, or SSH
    • Diagnostics: Show and debug cmd, statistics
    • Traffic mirroring (port)
    • Traffic mirroring (VLAN)
    • IP tools: Extended ping and trace
    • Juniper Networks commit and rollback

  • Product Overview

    The EX4300 line of Ethernet switches delivers the performance, flexibility, and scale required for both campus and data center Gigabit Ethernet (GbE) access switch environments. When deployed in a Virtual Chassis configuration, the EX4300 delivers the operational simplicity and higher logical scale that businesses demand. Combining compact, pay-as-you-grow economics and low power and cooling with the performance, availability, and port densities of chassis-based platforms, the EX4300 enables businesses to deploy with speed and agility to increase revenue and improve productivity. The EX4300 is onboarded, provisioned, and managed in the Juniper Mist Cloud Architecture. Mist Wired Assurance delivers better experiences for connected devices through AI-powered automation and service levels.

    Product Description

    The Juniper Networks® EX4300 line of Ethernet switches with Virtual Chassis technology combines the carrier-class reliability of modular systems with the economics and flexibility of stackable platforms, delivering a high-performance, scalable solution for data center, campus, and branch office environments. Both 1GbE access and multigigabit switch options are available. Offering a full suite of Layer 2 and Layer 3 switching capabilities, the EX4300 enables a variety of deployments, including campus, branch, and data center access. A single 24-port or 48-port EX4300 switch can be deployed initially. As requirements grow, Juniper’s Virtual Chassis technology allows any combination of up to 10 EX4300 and/or EX4600 switches to be seamlessly interconnected and managed as a single device, delivering a scalable, pay-as-you-grow solution for expanding network environments. A pair of 32-port EX4300 fiber switches can also be deployed as a consolidated aggregation or small core switch. Additionally, the EX4300 can integrate with the Juniper Networks QFX5100 line of 10GbE and 40GbE data center access switches in a single stack or Virtual Chassis configuration, enabling nondisruptive 10GbE server upgrades and simplified management of a mixed access environment. The EX4300 switches can be interconnected over multiple 40GbE quad small form-factor pluggable plus (QSFP+) transceiver ports to form a 320 gigabit per second (Gbps) backplane. A flexible uplink module that supports both 1GbE and 10GbE options is also available, enabling high-speed connectivity to aggregation- or core-layer switches which connect multiple floors or buildings. All EX4300 switches include high availability (HA) features such as redundant, hot-swappable internal power supplies and field-replaceable fans to ensure maximum uptime. 
In addition, Power over Ethernet (PoE)-enabled EX4300 switch models offer standards-based 802.3at PoE+ for delivering up to 30 watts on all ports to support high-density IP telephony and 802.11n wireless access point deployments. Additionally, a multigigabit model, the EX4300-48MP, supports IEEE 802.3bz-compliant 100 Mbps, 1 Gbps, 2.5 Gbps, 5 Gbps, and 10 Gbps speeds on access ports. This enables 802.11ac Wave 2 access points, which require higher bandwidth, to connect to the switch. The EX4300 multigigabit switch also supports up to 95 watts of power on any of the access ports, enabling PoE++ devices requiring more than 30 watts to connect to and draw power from the switch. The EX4300 multigigabit switch also enables higher levels of Media Access Control Security (MACsec) AES256 encryption on all access and uplink ports, protecting customer traffic from unauthorized access. The EX4300-48MP includes four dedicated 40GbE QSFP+ transceiver ports that can be used as Virtual Chassis ports to create a 320 Gbps backplane.

    Chassis-Like Features in an Expandable Form Factor

    The fixed-configuration EX4300 switches include a number of high availability features typically associated with chassis-based solutions, including the following:
    • Hot-swappable fans
    • Modular Juniper Networks Junos® operating system (consistent with chassis systems)
    • Dual Routing Engines (REs) with graceful Routing Engine switchover (GRES) in a Virtual Chassis configuration
    • Single management interface
    • Easy, centralized software upgrades
    • Scalability from 24 to 480 10/100/1000BASE-T ports and 24 to 240 100/1000/2500/5000/10000BASE-T ports, with up to 40 10GbE uplinks and 40 40GbE uplinks (up to 40 10GbE uplinks, 20 40GbE uplinks, or 20 100GbE uplinks on multigigabit models, in addition to four dedicated 40 Gbps Virtual Chassis ports per switch)
    Each EX4300 switch includes a single ASIC-based Packet Forwarding Engine, the EX-PFE. The integrated Routing Engine (RE) delivers all control plane functionality. The EX4300 also leverages the same modular Junos OS as other Juniper Networks switches, routers, and security devices, ensuring a consistent implementation and operation of control plane features across the Juniper Networks infrastructure.

    Architecture and Key Components

    The EX4300 switches are single rack unit (1 U) devices that deliver a compact solution for crowded wiring closets and access switch locations where space and power are at a premium. Each EX4300 supports standard 40GbE QSFP+ ports which are preconfigured to support high-speed Virtual Chassis backplane connections; on the 1GbE access switches, these ports can also serve as uplinks to upstream aggregation devices. In addition, each EX4300 supports an optional front panel uplink module offering 1GbE or 10GbE ports for high-speed backbone or link aggregation connections between wiring closets and upstream aggregation switches; the multigigabit model offers a choice between a 4-port 10GbE SFP+ uplink module or a 2-port 40GbE QSFP+/2-port 100GbE QSFP28 uplink module. Uplink modules can be installed without powering down the switch, enabling users to add high-speed connectivity at any time or migrate from one uplink type to the other, delivering the ultimate in flexible, high-performance interconnectivity.
    The 1GbE access EX4300 models also feature a front panel LCD that offers a flexible interface for performing device bring-up and configuration rollbacks, reporting switch alarm and LED status, or restoring the switch to its default settings. When deployed as a member of a Virtual Chassis configuration, the LCD also displays the switch’s chassis “slot number” and RE status for rapid identification and problem resolution. The four integrated rear panel 40GbE QSFP+ ports support EX4300 Virtual Chassis deployment over a 320 Gbps virtual backplane. When deployed in close proximity such as in wiring closets or in top-of-rack data center applications, the EX4300 switches can be securely connected using standard 40GbE QSFP+ direct attach copper (DAC) cables (available in 50 cm, 1 m, 3 m, and 5 m lengths). Switches deployed in Virtual Chassis configurations spread over larger areas can be interconnected using optical QSFP+ transceivers such as the QSFP+ SR4, which supports distances up to 150 m. A dedicated rear panel RJ-45 port is available for out-of-band management, while a rear panel USB port can be used to easily upload Junos OS and configuration files. In addition, a dedicated front panel USB console port and a rear panel RJ-45 console port offer flexible out-of-band console options.

    Cloud Management with Juniper Mist Wired Assurance

    Juniper Mist Wired Assurance, a cloud-based service driven by Mist AI to claim, configure, manage, and troubleshoot the EX4300, delivers AI-powered automation and service levels to ensure a better experience for connected devices. Wired Assurance leverages rich Junos switch telemetry data to simplify operations, reduce mean time to repair, and improve visibility. Wired Assurance offers the following features:
    • Day 0 operations—Onboard switches seamlessly by claiming a greenfield switch or adopting a brownfield switch with a single activation code for true plug-and-play simplicity.
    • Day 1 operations—Implement a template-based configuration model for bulk rollouts of traditional and campus fabric deployments, while retaining the flexibility and control required to apply custom site- or switch-specific attributes. Automate provisioning of ports via Dynamic Port Profiles.
    • Day 2 operations—Leverage the AI in Juniper Mist Wired Assurance to meet service-level expectations such as throughput, successful connects, and switch health with key pre- and post-connection metrics (see Figure 1). Add the self-driving capabilities in Marvis Actions to detect loops, add missing VLANs, fix misconfigured ports, identify bad cables, isolate flapping ports, and discover persistently failing clients (see Figure 2). And perform software upgrades easily through Juniper Mist cloud.
    Figure 1: Juniper Mist Wired Assurance service-level expectations screen
    Figure 2: Marvis Actions for wired switches
    The addition of Marvis, a complementary Virtual Network Assistant driven by Mist AI, lets you start building a self-driving network that simplifies network operations and streamlines troubleshooting via automatic fixes for EX Series switches or recommended actions for external systems. For more information see Juniper Mist Wired Assurance.

    EVPN-VXLAN Technology

    The EX4300-48MP embraces open standards and extends the industry-standard Ethernet VPN (EVPN)-Virtual Extensible LAN (VXLAN) technology already supported for campus fabric IP Clos networks. An IP Clos network between the distribution and the core layers can exist in two modes: centrally routed bridging overlay or edge routed bridging overlay.
    Figure 3: Campus Fabric: IP Clos with EX4300-MP
    With enterprise applications moving to the cloud, it has become necessary to deploy IP fabrics as enterprise fabrics with L2 extensions using VXLAN. The EX4300-48MP is capable of both L2 and L3 VXLAN gateway services, allowing you to deploy networks that provide L2 adjacencies for applications over L3 fabrics. EVPN-VXLAN offers a scalable way to build and interconnect multiple campuses, delivering:
    • Greater network efficiency
    • Compliance with industry standards
    • Scalability across all network layers
    • Faster convergence
    • Flexible and secure architecture

    Campus Fabric Deployments

    Juniper campus fabrics support these validated architectures with the EX4300 switch playing the role of access switch:
    • EVPN multihoming (collapsed core or distribution): A collapsed core architecture combines the core and distribution layers into a single switch, turning the traditional three-tier hierarchical network into a two-tier network. This eliminates the need for STP across the campus network by providing multihoming capabilities from the access to the core layer. EVPN multihoming can be deployed and managed using the Juniper Mist cloud.
    • Core/distribution: A pair of interconnected EX Series core or distribution switches provide L2 EVPN and L3 VXLAN gateway support. The IP Clos network between the distribution and core layers offers two modes: centrally or edge routed bridging overlay.
    In all these EVPN-VXLAN deployment modes, EX4300 switches can be used in Virtual Chassis configurations.
    Figure 4: Campus fabrics showing Virtual Chassis and EVPN-VXLAN-based architectures

    Virtual Chassis Technology

    Up to 10 EX4300 switches can be interconnected using Virtual Chassis technology, creating a single logical device supporting up to 480 10/100/1000BASE-T ports, plus up to 40 10GbE or 40 40GbE uplink ports. For mixed 1GbE and 10GbE access environments, the EX4300 can be interconnected with the EX4600 enterprise campus and QFX5100 high-performance data center access switches. EX4300 Virtual Chassis configurations can be created to support a variety of port and density options for data center, campus, and branch deployments. Virtual Chassis connections can be formed using any of the 40GbE ports or 10GbE ports using standard DAC cables and optics. The EX4300 does not support Virtual Chassis technology on the GbE copper or fiber ports. With the EX4300 multigigabit model, up to 10 switches can be interconnected using dedicated 40GbE ports through Virtual Chassis technology, creating a single logical device supporting up to 240 10/100/1000BASE-T ports and 240 100/1000/2500/5000/10000BASE-T ports, with up to 40 10GbE uplinks, 20 40GbE uplinks, or 20 100GbE uplinks. The multigigabit EX4300 can also participate in a 10-member mixed-mode Virtual Chassis configuration with other 1GbE EX4300 access switches.

    Virtual Chassis Deployments in Campus Wiring Closets

    In campus wiring closets, flexible topologies can be created using standard QSFP+ optics on the 40GbE ports to extend the Virtual Chassis configuration across long distances spanning multiple wiring closets, floors, or even buildings while using 10GbE or 40GbE for uplink connectivity. EX4300 fiber-based switches can also be used for campus aggregation or small core deployments.

    Virtual Chassis Deployments in the Data Center

    When deployed in a Virtual Chassis configuration in the data center, all EX4300 switches are monitored and managed as a single device, enabling enterprises to separate physical topology from logical groupings of endpoints and allowing more efficient resource utilization. Highly resilient topologies can also be created using the 40GbE DAC cables.
    Figure 5: Using Virtual Chassis technology, up to 10 EX4300 switches can be interconnected to create a single logical device spanning an entire building.

    Mesh Virtual Chassis Configurations for the Data Center

    In data center top-of-rack deployments, a full mesh five-switch Virtual Chassis configuration can be created where every switch member is just one hop away from every other member, delivering the lowest possible latency. A mesh spanning distances of up to 150 meters can be created using standard QSFP+ optics on the 40GbE ports (DAC cables up to 3 m in length are available for shorter distances), while 10GbE ports can be used as uplinks to connect to upstream aggregation or core devices.
    Figure 6: The EX4300 Ethernet Switch with Virtual Chassis technology delivers a high-performance, scalable, and highly reliable solution for the data center.
    Figure 7: EX4300 switches in a full mesh Virtual Chassis configuration for the data center.

    Virtual Chassis Fabric Switching Architecture

    Existing Virtual Chassis technology is further scaled and enhanced to support a spine-and-leaf topology that is ideal for high-performance and low-latency data center deployments. In its first instance, this topology, called Virtual Chassis Fabric, enables up to 20 switches to be deployed in a spine-and-leaf configuration, with two to four QFX5100 switches in the spine and up to 18 QFX5100 or EX4300 switches as leaf nodes. This architecture provides any-rack-to-any-rack deterministic throughput and low latency, while significantly simplifying network operations through a single point of management. A Virtual Chassis Fabric configuration supports mixed 1GbE, 10GbE, and 40GbE servers¹.
    ¹ The EX4300 multigigabit switch is not supported in the Virtual Chassis Fabric configuration.
    Figure 8: EX4300, QFX3500, QFX3600, and QFX5100 at the access layer of a Virtual Chassis Fabric configuration.

    Features and Benefits

    Managing AI-Driven Campus Fabric with the Juniper Mist Cloud

    Juniper Mist Wired Assurance brings cloud management and Mist AI to campus fabric. It sets a new standard moving away from traditional network management towards AI-driven operations, while delivering better experiences to connected devices. The Juniper Mist cloud streamlines deployment and management of campus fabric architectures by allowing:
    • Automated deployment and zero touch deployment
    • Anomaly detection
    • Root cause analysis
    Figure 9: EVPN multihoming configuration via the Juniper Mist cloud

    Chassis-Class Availability

    The EX4300 line of Ethernet switches delivers high availability through redundant power supplies and fans, GRES, and nonstop bridging and routing when deployed in a Virtual Chassis configuration. In a Virtual Chassis configuration, each EX4300 switch is capable of functioning as a Routing Engine. When two or more EX4300 switches are interconnected, a single control plane is shared among all Virtual Chassis member switches. When two EX4300 switches are interconnected, Junos OS automatically initiates an election process to assign a primary (active) and backup (hot-standby) RE. An integrated L2 and L3 GRES feature maintains uninterrupted access to applications, services, and IP communications in the unlikely event of a primary RE failure. When more than two switches are interconnected in a Virtual Chassis configuration, the remaining switch elements act as line cards and are available to assume the backup RE position should the designated primary fail. Primary, backup, and line card priority status can be assigned to dictate the order of ascension; this N+1 RE redundancy, coupled with the GRES, nonstop routing (NSR), and nonstop bridging (NSB) capabilities of Junos OS, assures a smooth transfer of control plane functions following unexpected failures. The EX4300 implements the same slot/module/port numbering schema as other Juniper Networks chassis-based products when numbering Virtual Chassis ports, providing true chassis-like operations. By using a consistent operating system and a single configuration file, all switches in a Virtual Chassis configuration are treated as a single device, simplifying overall system maintenance and management. In a mixed Virtual Chassis configuration with both EX4300 1GbE access and multigigabit switches, the EX4300 multigigabit switches must assume the role of the RE, while the 1GbE access EX4300 switches can only act as line cards. 
    Individually, the EX4300 offers a number of HA features that are typically associated with modular chassis-based switches. When combined with the field-proven Junos OS and L2/L3 failover capabilities, these features provide the EX4300 with true carrier-class reliability.
    • Redundant power supplies: The EX4300 line of Ethernet switches supports internal redundant, load-sharing, hot-swappable, and field-replaceable power supplies to maintain uninterrupted operations. Thanks to its compact footprint, the EX4300 requires significantly less power than chassis-based switches delivering equivalent port densities. The EX4300 1GbE access switches offer both AC and DC options, while the EX4300 multigigabit switch supports only AC power supplies.
    • Hot-swappable fans: The EX4300 includes hot-swappable fans, providing sufficient cooling even if one of the fans were to fail.
    • Nonstop bridging and nonstop routing: NSB and NSR on the EX4300 ensure that control plane protocols, states, and tables are synchronized between primary and standby REs to prevent protocol flaps or convergence issues following a Routing Engine failover.
    • Redundant trunk group (RTG): To avoid the complexities of Spanning Tree Protocol (STP) without sacrificing network resiliency, the EX4300 employs redundant trunk groups to provide the necessary port redundancy and simplify switch configuration.
    • Cross-member link aggregation: Cross-member link aggregation allows redundant link aggregation connections between devices in a single Virtual Chassis configuration, providing an additional level of reliability and availability.
    • Carrier-class hardware: The EX4300 leverages a purpose-built packet forwarding engine ASIC, the EX-PFE, which integrates much of the same intellectual property used in Juniper’s carrier-class routers. As a result, the EX4300 delivers the same predictable, scalable functionality found in the world’s largest networks.
    • IPv4 and IPv6 routing support: IPv4 and IPv6 Layer 3 routing (OSPF and BGP) is available with an Enhanced license, enabling highly resilient networks.

    Carrier-Class Operating System

    The EX4300 runs on Junos OS, the same operating system software used by other Juniper Networks switches, routers, and security devices. By utilizing a common operating system, Juniper delivers a consistent implementation and operation of control plane features across all products. To maintain that consistency, Junos OS adheres to a highly disciplined development process that uses a single source code, follows a single quarterly release train, and employs a highly available modular architecture that prevents isolated failures from bringing an entire system down. These attributes are fundamental to the core value of the software, enabling all products powered by Junos OS to be updated simultaneously with the same software release. All features are fully regression tested, making each new release a true superset of the previous version. Customers can deploy the software with complete confidence that all existing capabilities will be maintained and operate in the same way.

    Converged Networks

    The EX4300 line of Ethernet switches provides the highest levels of availability for the most demanding converged data, voice, and video environments, delivering the most reliable platform for unifying enterprise communications. The EX4300 supports rich quality of service (QoS) functionality for prioritizing data, voice, and video traffic. The switches support 12 QoS queues on every port, enabling them to maintain multilevel, end-to-end traffic prioritizations. The EX4300 also supports a wide range of policy options, including priority and weighted deficit round-robin (WDRR) queuing. By providing 15.4 watts of Class 3 802.3af PoE on all ports to power voice over IP (VoIP) telephones, closed-circuit security cameras, wireless access points, and other IP-enabled devices, the EX4300 delivers a future-proofed solution for converging disparate networks onto a single IP infrastructure. The EX4300 switches also support standards-based 802.3at PoE+, which delivers up to 30 watts per port for powering networked devices such as multiple radio IEEE 802.11n wireless access points and video phones that may require more power than available with IEEE 802.3af. The EX4300 multigigabit switch supports pre-standard IEEE 802.3bt PoE++, which delivers up to 95 watts per port for powering devices requiring more than the 30 watts of power provided by PoE+. Link Layer Discovery Protocol–Media Endpoint Discovery (LLDP-MED)-based granular PoE/PoE+ management allows the EX4300 to negotiate PoE/PoE+ usage down to a fraction of a watt on powered devices, enabling more efficient PoE utilization across the switch. To ease deployment, the EX4300 supports the industry-standard LLDP and LLDP-MED, which enable the switches to automatically discover Ethernet-enabled devices, determine their power requirements, and assign virtual LAN (VLAN) parameters. 
    The EX4300 supports the IEEE 802.3az standard for Energy Efficient Ethernet (EEE) functionality, reducing power consumption of copper physical layers (PHY) during periods of low link utilization.

    Security

    The EX4300 provides a full complement of port security features, including Dynamic Host Configuration Protocol (DHCP) snooping, dynamic ARP inspection (DAI), IP source guard, and media access control (MAC) limiting (per port and per VLAN) to defend against internal and external spoofing, man-in-the-middle and denial-of-service (DoS) attacks.

    MACsec

    EX4300 switches support IEEE 802.1AE MACsec, providing support for link-layer data confidentiality, data integrity, and data origin authentication. The MACsec feature enables the EX4300 to support 88 Gbps of near line-rate hardware-based traffic encryption on all GbE and 10GbE ports, including the base unit and optional uplink modules. The multigigabit EX4300 model supports the MACsec AES 256 standard for encrypting traffic on all access and uplink ports. Defined by IEEE 802.1AE, MACsec provides secure, encrypted communication at the link layer that is capable of identifying and preventing threats from denial of service (DoS) and intrusion attacks, as well as man-in-the-middle, masquerading, passive wiretapping, and playback attacks launched from behind the firewall. When MACsec is deployed on switch ports, all traffic is encrypted on the wire but traffic inside the switch is not. This allows the switch to apply all network policies such as QoS, deep packet inspection, and sFlow to each packet without compromising the security of packets on the wire. Hop-by-hop encryption enables MACsec to secure communications while maintaining network intelligence. In addition, Ethernet-based WAN networks can use MACsec to provide link security over long haul connections. MACsec is transparent to Layer 3 and higher layer protocols and is not limited to IP traffic; it works with any type of wired or wireless traffic carried over Ethernet links.

    Simplified Operations

    When employing Virtual Chassis technology, the EX4300 dramatically simplifies network management. Up to 10 interconnected EX4300 switches can be managed as a single device. Each Virtual Chassis group uses a single Junos OS image file and a single configuration file, reducing the overall number of units to monitor and manage. When Junos OS is upgraded on the primary switch in a Virtual Chassis configuration, the software is automatically upgraded on all other member switches at the same time. The EX4300 also includes port profiles that allow network administrators to automatically configure ports with security, QoS, and other parameters based on the type of device connected to the port. Six preconfigured profiles are available, including default, desktop, desktop plus IP phone, wireless access point, routed uplink, and L2 uplink. Users can select from the existing profiles or create their own and apply them through the command line interface (CLI), Junos Web interface, or management system.

    Flex Licensing

    Juniper Flex licensing offers a common, simple, and flexible licensing model for EX Series access switches, enabling customers to purchase features based on their network and business needs. Flex licensing is offered in Standard, Advanced, and Premium tiers. Standard tier features are available with the Junos OS image that ships with EX Series switches. Additional features can be unlocked with the purchase of a Flex Advanced or Flex Premium license. The Flex Advanced and Premium licenses for the EX Series platforms are class based, determined by the number of access ports on the switch. Class 1 (C1) switches have 12 ports, Class 2 (C2) switches have 24 ports, and Class 3 (C3) switches have 32 or 48 ports. The EX4300 switches support both subscription and perpetual Flex licenses. Subscription licenses are offered for three- and five-year terms. In addition to Junos features, the Flex Advanced and Premium subscription licenses include Juniper Mist Wired Assurance. Flex Advanced and Premium subscription licenses also allow portability across the same tier and class of switches, ensuring investment protection for the customer. For a complete list of features supported by the Flex Standard, Advanced, and Premium tiers, or to learn more about Junos EX Series licenses, please visit https://www.juniper.net/documentation/us/en/software/license/licensing/topics/topic-map/understanding_software_licenses.html.

    Warranty

    For warranty information, please visit https://support.juniper.net/support/warranty/.

    Product Options

    Ten EX4300 switch models are available (see Table 1 below).
    Table 1. EX4300 Line of Ethernet Switches
    *Dedicated Virtual Chassis ports cannot be used in Ethernet mode
    | Model/Product SKU | Access Port Configuration | PoE/PoE+ Ports | PoE Budget | 10GbE Ports (max. with module) | 40GbE Ports (max. with module) | 100GbE Ports (max. with module) | Power Supply Rating | Airflow |
    |---|---|---|---|---|---|---|---|---|
    | EX4300-24T | 24-port 10/100/1000BASE-T | 0 | 0 W | 0 (4) | 4 | 0 | 350 W AC | AFO (Front-to-back airflow) |
    | EX4300-24P | 24-port 10/100/1000BASE-T | 24 | 550 W | 0 (4) | 4 | 0 | 715 W AC | AFO (Front-to-back airflow) |
    | EX4300-48T | 48-port 10/100/1000BASE-T | 0 | 0 W | 0 (4) | 4 | 0 | 350 W AC | AFO (Front-to-back airflow) |
    | EX4300-48P | 48-port 10/100/1000BASE-T | 48 | 900 W | 0 (4) | 4 | 0 | 1100 W AC | AFO (Front-to-back airflow) |
    | EX4300-48T-AFI | 48-port 10/100/1000BASE-T | 0 | 0 W | 0 (4) | 4 | 0 | 350 W AC | AFI (Back-to-front airflow) |
    | EX4300-48T-DC | 48-port 10/100/1000BASE-T | 0 | 0 W | 0 (4) | 4 | 0 | 550 W DC | AFO (Front-to-back airflow) |
    | EX4300-48T-DC-AFI | 48-port 10/100/1000BASE-T | 0 | 0 W | 0 (4) | 4 | 0 | 550 W DC | AFI (Back-to-front airflow) |
    | EX4300-48MP | 24-port 10/100/1000BASE-T, 24-port 100/1000/2500/5000/10000BASE-T | 48 | 1100 | 24 (28) | 4* (2) | 0 (2) | 1400 W AC | AFO (Front-to-back airflow) |
    | EX4300-32F | 32-port 100/1000BASE-X | 0 | 0 W | 4 (12) | 2 (4) | 0 | 350 W AC | AFO (Front-to-back airflow) |
    | EX4300-32F-DC | 32-port 100/1000BASE-X | 0 | 0 W | 4 (12) | 2 (4) | 0 | 550 W DC | AFO (Front-to-back airflow) |
    The EX4300 also offers spare chassis options without power supplies or fans, providing customers with the flexibility to create custom SKUs. The supportability matrix for the EX4300 spare chassis SKUs is shown in Table 2. See Ordering Information section for registration details.
    Table 2. Supportability Matrix for EX4300 Spare Chassis SKUs
    Note: P: supported as a SKU; Y: supported combination; X: unsupported combination
    | Spare Chassis SKU | Description | PSU-350-AC-AFO + EX4300-FAN | JPSU-715-AC-AFO + EX4300-FAN | JPSU-1100-AC-AFO + EX4300-FAN | JPSU-1400-AC-AFO + EX4300-FAN | JPSU-550-DC-AFO + EX4300-FAN | JPSU-350-AC-AFI + EX4300-FAN-AFI | JPSU-550-DC-AFI + EX4300-FAN-AFI |
    |---|---|---|---|---|---|---|---|---|
    | EX4300-48T-S | Spare chassis, 48-port 10/100/1000BASE-T | P (EX4300-48T) | X | Y | X | P (EX4300-48T-DC) | P (EX4300-48T-AFI) | P (EX4300-48T-DC-AFI) |
    | EX4300-48P-S | Spare chassis, 48-port 10/100/1000BASE-T PoE+ | Y | Y | P (EX4300-48P) | X | Y | Y | Y |
    | EX4300-48MP-S | Spare chassis, 24-port 10/100/1000BASE-T, 24-port 100/1000/2500/5000/10000BASE-T 95 W PoE | X | Y | Y | Y | Y | X | X |
    | EX4300-24T-S | Spare chassis, 24-port 10/100/1000BASE-T | P (EX4300-24T) | X | Y | X | Y | Y | Y |
    | EX4300-24P-S | Spare chassis, 24-port 10/100/1000BASE-T PoE+ | Y | P (EX4300-24P) | Y | X | Y | Y | Y |
    | EX4300-32F-S | Spare chassis, 32-port 100/1000BASE-X SFP, 4x10GBASE-X SFP+, 2x40GBASE-X QSFP+ | P (EX4300-32F) | X | Y | X | P (EX4300-32F-DC) | Y | Y |

    EX4300 Specifications

    Physical Specifications

    Backplane

    • 320 Gbps Virtual Chassis interconnect to combine up to 10 units as a single logical device

    Uplink Module Options

    • EX4300-32F/EX4300-32F-DC: 8-port dual-mode 10GbE/1GbE module with pluggable SFP+/SFP optics
    • EX4300-32F/EX4300-32F-DC: 2-port dual-mode 40GbE module with pluggable QSFP+ optics
    • EX4300-48MP: 4-port dual-mode 10GbE/1GbE module with pluggable SFP+/SFP optics or 2-port QSFP+/1-port QSFP28 module
    • Others: 4-port dual-mode 10GbE/1GbE module with pluggable SFP+/SFP optics

    Power Options

    • Power supplies: Autosensing; 100-120 V/200-240 V; AC 350 W AFO, 350 W AFI, 715 W AFO, and 1100 W AFO dual load-sharing hot-swappable internal redundant power supplies
    • Maximum current inrush: 50 amps
    • EX4300-48MP: 100-120 V/200-240 V; AC 715 W AFO, 1100 W AFO, 1400 W AFO dual load-sharing hot-swappable internal redundant power supplies
    • DC power supply: 550 W DC AFO and 550 W DC AFI; input voltage range 43.5-60 V max (+/- 0.5 V); dual input feed, dual load-sharing hot-swappable internal redundant power supplies
    • Minimum number of PSUs required for fully loaded chassis: 1 per switch

    Dimensions (W x H x D)

    • EX4300-24P, -24T, -48P, -48T:
      • Base unit: 17.36 x 1.72 x 16.38 in (44.1 x 4.37 x 41.6 cm)
      • With power supply installed: 17.36 x 1.72 x 17.51 in (44.1 x 4.37 x 44.47 cm)
      • With power supply and front module installed: 17.36 x 1.72 x 18 in (44.1 x 4.37 x 45.73 cm)
    • EX4300-32F:
      • Base unit: 17.36 x 1.72 x 17.87 in (44.1 x 4.37 x 45.4 cm)
      • With power supply installed: 17.36 x 1.72 x 19 in (44.1 x 4.37 x 48.28 cm)
      • With power supply and front module installed: 17.36 x 1.72 x 19.31 in (44.1 x 4.37 x 49.1 cm)
    • EX4300-48MP:
      • Base unit: 17.36 x 1.72 x 18.39 in (44.1 x 4.37 x 46.7 cm)
      • With power supply installed: 17.36 x 1.72 x 19.63 in (44.1 x 4.37 x 49.99 cm)
      • With power supply and front module installed: 17.36 x 1.72 x 20.06 in (44.1 x 4.37 x 50.96 cm)

    System Weight

    • EX4300 switch (with no power supply or fan module): 13 lb (5.9 kg)
    • EX4300 switch (with single power supply and two fan modules): 16.1 lb (7.3 kg)
    • 350 W AC power supply: 2.4 lb (1.1 kg)
    • 715 W AC power supply: 2.4 lb (1.1 kg)
    • 1100 W AC power supply: 2.4 lb (1.1 kg)
    • 550 W DC power supply: 2.4 lb (1.1 kg)
    • SFP+ uplink module: 0.44 lb (0.2 kg)
    • Fan module: 0.33 lb (0.15 kg)

    Environmental Ranges

    • Operating temperature:
      • AFO models: 32° to 113° F (0° to 45° C)
      • AFI models: 32° to 95° F (0° to 35° C)
    • Storage temperature: -40° to 158° F (-40° to 70° C)
    • Operating altitude: up to 10,000 ft (3,049 m)
    • Non-operating altitude: up to 16,000 ft (4,877 m)
    • Relative humidity operating: 10% to 85% (noncondensing)
    • Relative humidity non-operating: 0% to 95% (noncondensing)

    Cooling

    • Field-replaceable fans: 2
    • Airflow: PSU, 7.5 cubic feet per minute (CFM); fan, 22 CFM
    • Total maximum airflow throughput with two power supplies: 59 CFM

    Hardware Specifications

    Switching Engine Mode

    • Store and forward

    Memory

    • DRAM: 8 GB with Error Correcting Code (ECC) on EX4300-48MP, 3 GB with ECC on EX4300-32F and EX4300-32F-DC; 2 GB with ECC on all other EX4300 switches
    • Storage: 50 GB on EX4300-48MP, 4 GB on EX4300-32F and EX4300-32F-DC; 2 GB on all other EX4300 switches

    CPU

    • EX4300-48MP: 2.2 GHz Dual-Core Intel Broadwell CPU
    • Other EX4300s: 1.5 GHz Dual-Core PowerPC CPU

    GbE Port Density per System

    • 24P/24T: 32 (24 host ports + four 40GbE ports + optional four-port 1/10GbE uplink module)
    • 32F: 46 (32 host ports + four 10GbE ports + two 40GbE ports + optional eight-port 1/10GbE uplink module or two-port 40GbE uplink module)
    • 48P/48T/48MP: 56 (48 host ports + four 40GbE ports + optional four-port 1/10GbE uplink module)
    • 10GbE port density per system:
      • 32F: 4 (fixed) + 8 (uplink module)
      • 48MP: 24 (fixed) + 4 (uplink module)
      • All others: 4 (uplink module)
    • 40GbE port density per system:
      • 32F: 2 (fixed) + 2 (uplink module)
      • 48MP: 4 (fixed) + 2 (uplink module)
      • All others: 4 (fixed)
    • 100GbE port density per system:
      • 48MP: 2 (uplink module)

    Supported Optics

    • GbE SFP optic/connector type: LC SFP fiber supporting SX (multimode), LX (single-mode)
    • 10GbE SFP+ optic/connector type: 10GbE SFP+ LC connector, SR (multimode), USR (multimode), LR (single-mode), ER (single-mode), LRM (multimode), and DAC (direct-attach copper)
    • 40 GbE QSFP+ optic/connector type: 40GbE QSFP+ LC connector type, SR (multimode), DAC (direct-attach copper)
    • 100 GbE QSFP28 optic type: 100GbE QSFP SR4, LR4, DAC (direct-attach copper)

    Physical Layer

    • Time domain reflectometry (TDR) for detecting cable breaks and shorts: 24P/24T and 48P/48T only
    • Auto medium-dependent interface/medium-dependent interface crossover (MDI/MDIX) support: 24P/24T and 48P/48T/48MP only (all ports)
    • Port speed downshift/setting maximum advertised speed on 10/100/1000BASE-T ports: 24P/24T and 48P/48T/48MP only, on all ports
    • Digital optical monitoring for optical ports

    Packet Switching Capacities (Maximum with 64 Byte Packets)

    • 24P/24T: 224 Gbps (unidirectional)/448 Gbps (bidirectional)
    • 48P/48T: 248 Gbps (unidirectional)/496 Gbps (bidirectional)
    • 48MP: 464 Gbps (unidirectional)/928 Gbps (bidirectional)
    • 32F: 232 Gbps (unidirectional)/464 Gbps (bidirectional)

    Software Specifications

    Security

    • MAC limiting (per port and per VLAN)
    • Allowed MAC addresses configurable per port
    • Dynamic ARP inspection (DAI)
    • IP source guard
    • Local proxy ARP
    • Static ARP support
    • DHCP snooping
    • Captive portal
    • Persistent MAC address configurations
    • Distributed denial of service (DDoS) protection (CPU control path flooding protection)

    Layer 2/Layer 3 Throughput (Mpps) (Maximum with 64 Byte Packets)

    • EX4300-24P/24T: 333 Mpps (wire speed)
    • EX4300-48P/48T: 369 Mpps (wire speed)
    • EX4300-48MP: 714 Mpps
    • EX4300-32F: 345 Mpps (wire speed)

    Layer 2 Switching

    • Maximum MAC addresses per system: 64,000
    • Jumbo frames: 9216 Bytes
    • Number of VLANs supported: 4093
    • Range of possible VLAN IDs: 1 to 4094
    • Virtual Spanning Tree (VST) instances: 510
    • Port-based VLAN
    • Voice VLAN
    • Physical port redundancy: Redundant trunk group (RTG)
    • Compatible with Per-VLAN Spanning Tree Plus (PVST+)
    • Routed VLAN Interface (RVI)
    • Uplink Failure Detection (UFD)
    • ITU-T G.8032: Ethernet Ring Protection Switching
    • IEEE 802.1AB: Link Layer Discovery Protocol (LLDP)
    • LLDP-MED with VoIP integration
    • Default VLAN and multiple VLAN range support
    • MAC learning deactivate
    • Persistent MAC learning (sticky MAC)
    • MAC notification
    • Private VLANs (PVLANs)
    • Explicit congestion notification (ECN)
    • Layer 2 protocol tunneling (L2PT)
    • IEEE 802.1ak: Multiple VLAN Registration Protocol (MVRP)
    • IEEE 802.1p: CoS prioritization
    • IEEE 802.1Q: VLAN tagging
    • IEEE 802.1X: Port Access Control
    • IEEE 802.1ak: Multiple Registration Protocol
    • IEEE 802.3: 10BASE-T
    • IEEE 802.3u: 100BASE-T
    • IEEE 802.3ab: 1000BASE-T
    • IEEE 802.3z: 1000BASE-X
    • IEEE 802.3ae: 10-Gigabit Ethernet
    • IEEE 802.3ba: 40-Gigabit Ethernet
    • IEEE 802.3af: Power over Ethernet
    • IEEE 802.3at: Power over Ethernet Plus
    • IEEE 802.3x: Pause Frames/Flow Control
    • IEEE 802.3ah: Ethernet in the First Mile

    Spanning Tree

    • IEEE 802.1D: Spanning Tree Protocol
    • IEEE 802.1s: Multiple instances of Spanning Tree Protocol (MSTP)
    • Number of MST instances supported: 64
    • Number of VLAN Spanning Tree Protocol (VSTP) instances supported: 510
    • IEEE 802.1w: Rapid reconfiguration of Spanning Tree Protocol

    Link Aggregation

    • IEEE 802.3ad: Link Aggregation Control Protocol
    • 802.3ad (LACP) support:
      • Number of LAGs supported: 128
      • Maximum number of ports per LAG: 16
    • LAG load-sharing algorithm bridged or routed (unicast or multicast) traffic:
      • IP: S/D IP
      • TCP/UDP: S/D IP, S/D Port
      • Non-IP: S/D MAC
    • Tagged ports support in LAG

    Layer 3 Features: IPv4

    • Maximum number of ARP entries: 64,000
    • Maximum number of IPv4 unicast routes in hardware: 16,000 prefixes; 32,000 host routes
    • Maximum number of IPv4 multicast routes in hardware: 8000 multicast groups; 16,000 multicast routes
    • Routing protocols: RIPv1/v2, OSPF, BGP, IS-IS
    • Static routing
    • Routing policy
    • Bidirectional Forwarding Detection (BFD)
    • L3 redundancy: Virtual Router Redundancy Protocol (VRRP)
    • VRF-Lite

    Layer 3 Features: IPv6

    • Maximum number of Neighbor Discovery (ND) entries: 32,000
    • Maximum number of IPv6 unicast routes in hardware: 4000 prefixes; 15,000 host routes
    • Maximum number of IPv6 multicast routes in hardware: 8000 multicast groups; 16,000 multicast routes
    • Routing protocols: RIPng, OSPFv3, IPv6, ISIS
    • Static routing

    Access Control Lists (ACLs) (Junos OS Firewall Filters)

    • Port-based ACL (PACL): Ingress and egress
    • VLAN-based ACL (VACL): Ingress and egress
    • Router-based ACL (RACL): Ingress and egress
    • ACL entries (ACE) in hardware per system:
      • Port-based ACL (PACL) ingress: 3072
      • VLAN-based ACL (VACL) ingress: 3500
      • Router-based ACL (RACL) ingress: 7000
      • Egress shared across PACL and VACL: 512
      • Egress across RACL: 1024
    • ACL counter for denied packets
    • ACL counter for permitted packets
    • Ability to add/remove/change ACL entries in middle of list (ACL editing)
    • L2-L4 ACL

    Access Security

    • 802.1X port-based
    • 802.1X multiple supplicants
    • 802.1X with VLAN assignment
    • 802.1X with authentication bypass access (based on host MAC address)
    • 802.1X with VoIP VLAN support
    • 802.1X dynamic ACL based on RADIUS attributes
    • 802.1X supported Extensible Authentication Protocol (EAP) types: Message Digest 5 (MD5), Transport Layer Security (TLS), Tunneled TLS (TTLS), Protected Extensible Authentication Protocol (PEAP)
    • MAC authentication (RADIUS)
    • Control plane DoS protection
    • RADIUS functionality over IPv6 for authentication, authorization, and accounting (AAA)
    • DHCPv6 snooping
    • IPv6 neighbor discovery
    • IPv6 source guard
    • IPv6 RA guard
    • IPv6 Neighbor Discovery Inspection
    • Media Access Control security (MACsec)

    High Availability

    • Redundant, hot-swappable power supplies
    • Redundant, field-replaceable, hot-swappable fans
    • Graceful Routing Engine switchover (GRES) for Layer 2 hitless forwarding and Layer 3 protocols on RE failover
    • Graceful protocol restart (OSPF, BGP)
    • Layer 2 hitless forwarding on RE failover
    • Nonstop bridging: LACP, xSTP
    • Nonstop routing: PIM, OSPF v2 and v3, RIP v2, RIPng, BGP, BGPv6, ISIS, IGMP v1, v2, v3
    • Online insertion and removal (OIR) uplink module

    Quality of Service

    • L2 QoS
    • L3 QoS
    • Ingress policing: 1 rate 2 color
    • Hardware queues per port: 12
    • Scheduling methods (egress): Strict priority (SP), WDRR
    • 802.1p, DiffServ code point (DSCP)/IP precedence trust and marking
    • L2-L4 classification criteria: Interface, MAC address, Ethertype, 802.1p, VLAN, IP address, DSCP/IP precedence, TCP/UDP port numbers, and more
    • Congestion avoidance capabilities: Tail drop, weighted random early detection (WRED)

    Multicast

    • IGMP: v1, v2, v3
    • IGMP snooping
    • Multicast Listener Discovery (MLD) snooping
    • PIM-SM, PIM-SSM, PIM-DM

    Management and Analytics Platforms

    • Juniper Mist Wired Assurance for Campus
    • Junos Space® Network Director for Campus
    • Junos Space® Management

    Services and Manageability

    • Junos OS CLI
    • Junos Web interface (J-Web)
    • Out-of-band management: Serial; 10/100/1000BASE-T Ethernet
    • ASCII configuration
    • Rescue configuration
    • Configuration rollback
    • Image rollback
    • LCD management
    • Element management tools: Juniper Networks Network and Security Manager (NSM)
    • Remote performance monitoring
    • Proactive services support via Advanced Insight Solutions (AIS)
    • SNMP: v1, v2c, v3
    • RMON (RFC 2819) Groups 1, 2, 3, 9
    • Network Time Protocol (NTP)
    • DHCP server
    • DHCP client and DHCP proxy
    • DHCP relay and helper
    • DHCP local server support
    • RADIUS
    • TACACS+
    • SSHv2
    • Secure copy
    • HTTP/HTTPS
    • Domain Name System (DNS) resolver
    • System logging
    • Temperature sensor
    • Configuration backup via FTP/secure copy
