Introduction to the FLOW on the SRX security platform

This post introduces the key components of the platform, such as the input/output card (IOC) and the Network Processing Card (NPC), and walks through the physical and logical path a packet takes from entering the platform to leaving it, including stateful checks, session lookup and the enforcement of the various security policies.

1. Components

IOC: Input/Output Card

NPC: Network Processing Card

SPC: Services Processing Card

SCB: Switch Control Board

RE: Routing Engine

 

2. Physical Packet Flow

1. A packet enters the security platform through the IOC.

2. The packet traverses the switch fabric from the IOC to the NPC. The NPC performs a flow lookup. If the packet belongs to an existing flow, the NPC forwards the packet to the SPC associated with the packet's session. If the flow does not currently exist, the NPC installs a new session for the flow and assigns the flow to an SPC for processing. The NPC also performs QoS, policing and shaping.

3. The packet traverses the switch fabric to its associated SPC, where security processing and forwarding or routing occurs.

4. The packet traverses the switch fabric back to an NPC, where additional packet processing such as shaping and QoS occurs.

5. The packet traverses the switch fabric to the IOC associated with the egress interface and travels to the attached physical medium.

 

3. Logical Packet Flow

1. The software applies stateless policing filters and CoS classification to the packet at the ingress.

2. If the packet is not dropped, the software performs a session lookup to determine whether the packet belongs to an existing session. Junos software matches on six elements of traffic information for this determination: source IP address, source port number, destination IP address, destination port number, protocol number, and a session token.

3. If the packet does not match an existing session, the software creates a new session for it. This process is referred to as the first-packet path. If the packet matches a session, the software performs fast-path processing.

 

Detailed logical packet flow

First-path processing

1. Based on the protocol used and its session layer (TCP or UDP), the software starts a session timer. For a TCP session, the default timeout is 30 minutes. For a UDP session, the default timeout is 1 minute. These values are the defaults, and you can change them.

2. The software applies firewall SCREEN options.

3. If destination NAT is used, the software performs address allocation.

4. Next, the software performs the route lookup. If a route exists for the destination prefix, the software takes the next step. Otherwise, it drops the packet.

5. The software determines the packet's incoming zone by the interface through which it arrives. The software also determines the packet's outgoing zone by the forwarding lookup.

6. Based on the incoming and outgoing zones, the corresponding security policy is determined and a security policy lookup takes place. The software checks the packet against the defined policies to determine how to treat the packet.

7. If source NAT is used, the software performs address allocation.

8. The software sets up the ALG service vector.

9. The software creates and installs the session. Furthermore, the software caches the decisions made for the first packet into a flow table, which subsequent packets of that flow use.

10. The packet now enters the fast-path processing.

 

Fast-path processing

1. The software applies firewall SCREEN options.

2. The software performs TCP checks.

3. The software applies NAT.

4. The software applies an ALG.

5. The software applies packet forwarding features, which include the following:

    a. Stateless packet filters

    b. Traffic shaping by packet

    c. Packet encapsulation and transmission
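The following is an added example, not code from the post or from Junos, that models the logical flow above: a session lookup keyed on the six elements, a first-packet path (route lookup, zone determination, policy lookup, session installation with the default TCP/UDP timers) and a fast path that reuses the cached decision. The routing table, the zone names, the policies and the packets are constructed sample data; the session token is fixed at 0, SCREEN, NAT and ALG handling are left out, and the only Junos behaviour modelled beyond the post's text is that a session is installed for both directions so the reply also takes the fast path.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default session timeouts stated in the post, in seconds (TCP 30 min, UDP 1 min)
TCP_TIMEOUT = 30 * 60
UDP_TIMEOUT = 60
TCP, UDP = 6, 17

# The six match elements: src ip, src port, dst ip, dst port, protocol, session token
SessionKey = Tuple[str, int, str, int, int, int]


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    in_zone: str  # zone of the ingress interface
    token: int = 0  # session token (constant 0 in this toy)


@dataclass
class Session:
    from_zone: str
    to_zone: str
    action: str
    timeout: int
    expires_at: float
    packets: int = 0


class FlowEngine:
    """Toy first-path / fast-path model (hypothetical, not Junos code)."""

    def __init__(self, routes: Dict[str, str], policies: List[Tuple[str, str, int, str]]):
        # routes: destination prefix -> egress zone; policies: ordered
        # (from_zone, to_zone, dst_port or 0 for any, action)
        self.routes = [(ipaddress.ip_network(p), z) for p, z in routes.items()]
        self.policies = policies
        self.sessions: Dict[SessionKey, Session] = {}
        self.stats = {"first_path": 0, "fast_path": 0, "drop": 0}

    @staticmethod
    def _key(p: Packet) -> SessionKey:
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto, p.token)

    @staticmethod
    def _reverse(k: SessionKey) -> SessionKey:
        src_ip, src_port, dst_ip, dst_port, proto, token = k
        return (dst_ip, dst_port, src_ip, src_port, proto, token)

    def route_lookup(self, dst_ip: str) -> Optional[str]:
        # Longest-prefix match; None means no route, so the packet is dropped
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, zone in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, zone)
        return best[1] if best else None

    def policy_lookup(self, from_zone: str, to_zone: str, dst_port: int) -> str:
        # First matching policy wins; no match means default deny
        for fz, tz, port, action in self.policies:
            if fz == from_zone and tz == to_zone and port in (0, dst_port):
                return action
        return "deny"

    def process(self, p: Packet, now: float) -> str:
        key = self._key(p)
        sess = self.sessions.get(key)
        if sess is not None:
            if sess.expires_at > now:
                # Fast path: reuse the cached decision and refresh the timer
                sess.packets += 1
                sess.expires_at = now + sess.timeout
                self.stats["fast_path"] += 1
                return sess.action
            # Timer expired: tear down both wings, then treat as a first packet
            self.sessions.pop(key, None)
            self.sessions.pop(self._reverse(key), None)
        # First-packet path: route lookup -> zones -> policy -> install session
        self.stats["first_path"] += 1
        out_zone = self.route_lookup(p.dst_ip)
        action = "drop" if out_zone is None else self.policy_lookup(p.in_zone, out_zone, p.dst_port)
        if action != "permit":
            self.stats["drop"] += 1
            return "drop"
        timeout = TCP_TIMEOUT if p.proto == TCP else UDP_TIMEOUT
        sess = Session(p.in_zone, out_zone, action, timeout, now + timeout, packets=1)
        self.sessions[key] = sess
        self.sessions[self._reverse(key)] = sess  # reply direction hits the fast path
        return action


def demo() -> dict:
    # Constructed routing table, policy set and packets
    eng = FlowEngine({"10.1.0.0/16": "trust", "0.0.0.0/0": "untrust"},
                     [("trust", "untrust", 443, "permit"), ("trust", "untrust", 53, "permit"),
                      ("untrust", "trust", 0, "deny")])
    t0 = 1000.0
    client = Packet("10.1.1.10", 40000, "203.0.113.5", 443, TCP, "trust")
    reply = Packet("203.0.113.5", 443, "10.1.1.10", 40000, TCP, "untrust")
    dns = Packet("10.1.1.10", 51000, "198.51.100.1", 53, UDP, "trust")
    unsolicited = Packet("198.51.100.9", 2222, "10.1.1.10", 22, TCP, "untrust")
    results = [eng.process(client, t0),        # first path, session installed
               eng.process(reply, t0 + 1),     # reverse wing, fast path
               eng.process(client, t0 + 2),    # fast path
               eng.process(dns, t0 + 3),       # UDP first path
               eng.process(dns, t0 + 64),      # 60 s UDP timer expired, first path again
               eng.process(unsolicited, t0 + 4)]  # untrust->trust denied, no session
    return {"results": results, "stats": dict(eng.stats), "sessions": len(eng.sessions)}
```

Running `demo()` shows four first-path events (two of them for the same UDP flow, because the 60-second timer lapsed between its packets), two fast-path hits (the reply wing and the second client packet), one drop for the unsolicited inbound SYN, and four installed wings.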
