NETSCREEN-5000 SERIES User’s Guide Version 5.0 P/N 093-1698-000 Rev.
Copyright Notice Copyright © 2006 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc.
Table of Contents
Preface vii
  Guide Organization vii
  Command Line Interface (CLI) Conventions viii
  Juniper Networks NetScreen Publications viii
Chapter 1 Overview
  NetScreen-5400 Interfaces 24
  Configurable Interfaces 24
  Performing Initial Connection and Configuration 25
    Establishing a Terminal Emulator Connection 25
    Upgrading the Firmware During the Boot Process
  EMI Certifications A-III
  Connectors A-III
Appendix B Port Descriptions and LED Status B-I
  Module Port Descriptions B-II
  Module LED Descriptions
Preface
The Juniper Networks NetScreen-5000 Series consists of purpose-built, high-performance security systems that provide IPSec VPN and firewall services for large-scale carrier, enterprise, and data-center networks. Built around NetScreen’s third-generation ASIC technology and distributed system architecture, the NetScreen-5000 Series offers excellent scalability and flexibility.
COMMAND LINE INTERFACE (CLI) CONVENTIONS
The following conventions are used when presenting the syntax of a command line interface (CLI) command:
• Anything inside square brackets [ ] is optional.
• Anything inside braces { } is required.
• If there is more than one choice, each choice is separated by a pipe ( | ). For example,
set interface { ether1/1 | ether1/2 | ether2/2 } manage
means “set the management options for the ether1/1, ether1/2, or ether2/2 interface”.
Chapter 1 Overview
This chapter provides detailed descriptions of the NetScreen-5000 Series, modules, power supplies, and fan assemblies.
NETSCREEN-5000 SERIES
This section describes the NetScreen-5000 Series, which currently includes the NetScreen-5200 and the NetScreen-5400.
NetScreen-5200
The NetScreen-5200 is a chassis-based, two-slot network security device with a 2U (rack unit) chassis. Slot 1 is for the management module and Slot 2 is for the Secure Port Module (SPM). The device has two hot-swappable power supplies for power redundancy and a removable fan module.
POWER SUPPLIES
The NetScreen-5000 Series can use two kinds of power supplies:
• Direct Current (DC) Power Supply
• Alternating Current (AC) Power Supply
The slots for these power supplies are located in the back of the NetScreen-5200 and on the front of the NetScreen-5400.
Note: You can order a NetScreen-5000 Series that runs on DC power. For DC-powered units, the power supply has a DC terminal block with three sockets.
The DC Power Supply
The DC power supply weighs about three pounds. The faceplate contains a power LED, a power switch, a cooling fan vent, and three DC power terminal blocks that connect to power cables. The figure below shows the NetScreen-5200 DC power supply.
[Figure: NetScreen-5200 DC power supply; callouts: thumbscrew, DC power terminal blocks, power LED, grounding screw, power switch]
The AC Power Supply
The AC power supply weighs about three pounds.
FAN MODULES
The NetScreen-5200 has a three-fan module and the NetScreen-5400 has a two-fan module. You can access the fan module from the left front side of each chassis.
• To remove the NetScreen-5200 fan module, turn the fan knob to the unlock position, then gently pull the fan module lever toward you to slide the module out.
• To remove the NetScreen-5400 fan module, loosen the two thumbscrews that secure the fan module, then gently slide the module out.
Management Modules
The management module provides general-purpose CPU processing and contains dedicated High Availability (HA) and management interfaces. It handles tasks such as management access, session setup and termination, and Internet Key Exchange (IKE) negotiation. There are currently two management modules: the 5000-M and the 5000-M2.
NetScreen-5000 Modules
The 5000-M2 Management Module
The 5000-M2 management module is based around powerful, dual 1GHz PowerPC CPUs, which assist other system elements, primarily with non-flow related tasks. The 5000-M2 management module provides overall management and control of the system. Although it performs system management, the primary function of the 5000-M2 is to support the other modules.
Secure Port Modules
Secure Port Modules (SPMs) perform general packet processing and device connection tasks for devices that communicate with the NetScreen-5000 Series. These modules are based around the GigaScreen-II ASIC. SPMs handle packets as they enter and exit the system, providing packet parsing, classification, and flow-level processing. SPMs also provide encryption, decryption, Network Address Translation (NAT), and session lookup features.
The 5000-2G24FE SPM
The 5000-2G24FE SPM provides two 1-Gigabit Ethernet ports and 24 Fast Ethernet (FE) ports with up to 2 Gbps of firewall and up to 1 Gbps of VPN processing capacity. This module is capable of supporting a total of six aggregate interfaces. This total consists of one aggregate interface for the two 1-Gigabit ports, and five aggregate interfaces for the 24 10/100 Ethernet ports. Only similar ports can be aggregated together.
The 5000-8G2 SPM
The 5000-8G2 SPM provides eight 1-Gigabit mini-GBIC Ethernet ports using hot-swappable transceivers. The 5000-8G2 SPM delivers up to 8 Gbps of firewall and up to 4 Gbps of VPN capacity. This module is also capable of supporting a total of four aggregate interfaces, with up to four ports for each aggregate interface. This SPM cannot be mixed with the 5000-8G or 5000-2G24FE SPMs.
The 5000-2XGE SPM
The 5000-2XGE SPM provides two 10-Gigabit mini-GBIC Ethernet ports using hot-swappable transceivers. The 5000-2XGE SPM delivers up to 10 Gbps of firewall and up to 5 Gbps of VPN capacity. This SPM cannot be mixed with the 5000-8G or 5000-2G24FE SPMs. (For details on connecting or removing a mini-GBIC transceiver and connecting and disconnecting a Gigabit Ethernet cable, see Chapter 4, Servicing the Device.)
Chapter 2 Installing the Device
This chapter describes how to install a NetScreen-5000 Series in an equipment rack or on a desktop and how to configure the device on a network.
GENERAL INSTALLATION GUIDELINES
Observing the following precautions can prevent injuries, equipment failures, and shutdowns:
• Never assume that the power supply is disconnected from a power source. Always check first.
• Room temperature might not be sufficient to keep equipment at acceptable temperatures without an additional circulation system. Ensure that the room in which you operate the NetScreen-5000 Series has adequate air circulation.
MOUNTING THE NETSCREEN-5000 SERIES
The following sections describe how to rack mount the NetScreen-5000 Series. There are two ways to rack mount the NetScreen-5200:
• Rear and front mount
• Mid-mount
Note: Juniper Networks strongly recommends the rear and front rack mount configuration for the NetScreen-5200. You can only front-mount the NetScreen-5400.
NetScreen-5200 Mid-Mount
To mid-mount the NetScreen-5200, you need four fitted screws, a Phillips-head screwdriver, and brackets. To mid-mount the NetScreen-5200:
1. Screw the left and right brackets to the middle of each side of the chassis.
2. Screw the left and right brackets to the rack, as shown below.
NetScreen-5400 Front Mount
To front mount the NetScreen-5400, you need four fitted screws, a Phillips-head screwdriver, and brackets. To front mount the device:
1.
INSTALLING AND CONNECTING THE AC POWER SUPPLY
To install and connect the AC power supply to the NetScreen-5000 Series:
1. On the NetScreen-5200, slide the power supply into one of the power compartments in the back of the system. On the NetScreen-5400, slide the power supply into one of the power compartments on the front of the system.
2. Fasten the power supply to the system by tightening the corner screws into the eyelets on the sides of the power supply.
The DC power supply’s power switch, grounding screw, and terminal blocks are located on the faceplate of the power supply unit.
[Figure: DC power supply faceplate; callouts: -48V, -48V, COM, thumbscrew, power LED, DC power terminal block, grounding screw, power switch]
Warning: You must shut off the electric current to the DC feed wires before connecting the wires to the power supplies. Also, make sure that the power switch is in the off position.
To connect the DC power supply to a grounding point at your site:
1.
ESTABLISHING AN HA CONNECTION
To assure continuous traffic flow in the event of a system failure, you can cable and configure two NetScreen devices in a redundant cluster, with one device acting as a master and the other as its backup. The master propagates all its network, configuration, and session information to the backup. Should the master fail, the backup is promoted to master and takes over the traffic processing.
Chapter 3 Configuring the Device
This chapter describes how to perform initial configuration on the NetScreen-5000 Series once you have mounted it in a rack or on a desktop, plugged in the necessary cables, and turned the power on.
OPERATIONAL MODES
The NetScreen-5000 Series supports two operational modes: Transparent and Route. The default mode is Route.
Transparent Mode
In Transparent mode, a NetScreen-5000 Series system operates as a Layer-2 bridge. Because the device cannot translate packet IP addresses, it cannot perform Network Address Translation (NAT).
THE NETSCREEN-5000 INTERFACES
Each Secure Port Module (SPM) for the NetScreen-5000 Series system provides 2, 8, or 26 physical Ethernet ports. Each of these ports can serve as a physical interface. In addition, you can configure the Ethernet ports to host multiple virtual (logical) interfaces.
NetScreen-5200 Interfaces
The NetScreen-5200 below contains one management module (in slot 1) and one 5000-8G SPM (in slot 2).
NetScreen-5400 Interfaces
A NetScreen-5400 contains one management module (in slot 1) and up to three SPMs. You can use a 5000-M or a 5000-M2 management module in slot 1. In the illustrations below, the device contains three 5000-8G SPMs.
Note: The 5000-8G2 and 5000-2XGE SPMs only work with the 5000-M2 management module.
Tunnel interfaces | tunnel.n specifies a tunnel interface. Use this interface for VPN traffic.
Function interfaces | mgt specifies a dedicated management interface bound to the MGT zone. ha1 and ha2 specify the names of the dedicated HA ports.
PERFORMING INITIAL CONNECTION AND CONFIGURATION
To establish the first console session with the NetScreen-5000 Series system, use a VT100 terminal emulator program through the provided RJ-45/DB9 serial port connector.
Upgrading the Firmware During the Boot Process
1. Connect your computer to the NetScreen-5000 Series system:
a. Using a serial cable, connect the serial port on your computer to the console port on the NetScreen-5000 Series system. This connection, in combination with a terminal application, enables you to manage the NetScreen device.
b. Using an Ethernet cable, connect the network port on your computer to the management port on the NetScreen-5000 Series system.
Changing Your Admin Name and Password
Because all NetScreen products ship with the same default admin name and password (netscreen), it is highly advisable to change your admin name and password immediately. Enter the following commands:
set admin name name_str
set admin password pswd_str
save
For information on creating different levels of administrators, see the NetScreen Concepts & Examples ScreenOS Reference Guide.
For example, to set the IP address and subnet mask of the MGT interface to 10.100.2.183 and 16, respectively:
set interface mgt ip 10.100.2.183/16
3. To confirm the new port settings, execute the following command:
get interface mgt
Setting the IP Address for the Trust Zone Interface
The NetScreen-5000 Series system usually communicates with your protected network through an interface bound to the Trust zone.
3. Set the IP address and subnet mask by executing the following command:
set interface ethernet2/3 ip ip_addr/mask
where ip_addr is the IP address and mask is the subnet mask. For example, to set the IP address and subnet mask of the ethernet2/3 interface to 172.16.20.1/16:
set interface ethernet2/3 ip 172.16.20.1/16
4.
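The credential and interface commands in this procedure can be generated and sanity-checked before they are typed into the console. The following script is an added example, not code from the guide or from Juniper: it emits the CLI lines the guide shows, refuses the factory default admin name and password (netscreen), validates the address/mask values, and adds one check the guide does not state (the MGT and Trust subnets must not overlap), which is an assumption of this example.

```python
"""Generate and sanity-check the ScreenOS initial-configuration commands.

Added example, not from the guide or Juniper. It emits the CLI lines the
guide uses for the admin credentials, the MGT interface, the Trust-zone
interface and (optionally) jumbo frames, and rejects input that would keep
the factory defaults or produce an invalid address.
"""
import ipaddress
import re

DEFAULT_ADMIN = "netscreen"        # factory default admin name and password
JUMBO_MAX_FRAME = 9830             # largest frame the 5000-8G2/5000-2XGE accept
_IFACE_RE = re.compile(r"^ethernet\d+/\d+$")  # slot/port naming, e.g. ethernet2/3


def _check_cidr(value, label):
    """Return 'addr/prefix' for an IPv4 host address, or raise ValueError."""
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError as exc:
        raise ValueError(f"{label}: invalid address {value!r}") from exc
    if iface.version != 4 or "/" not in value:
        raise ValueError(f"{label}: expected an IPv4 address with /mask")
    net = iface.network
    # The network and broadcast addresses are not usable host addresses.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{label}: {iface.ip} is not a host address in {net}")
    return f"{iface.ip}/{net.prefixlen}"


def _check_credential(value, label):
    """Refuse the factory default and anything the one-line CLI cannot carry."""
    if not value or any(ch.isspace() for ch in value):
        raise ValueError(f"{label}: must be non-empty and contain no whitespace")
    if value.lower() == DEFAULT_ADMIN:
        raise ValueError(f"{label}: factory default '{DEFAULT_ADMIN}' must be replaced")


def build_initial_config(admin_name, admin_password, mgt_cidr,
                         trust_iface, trust_cidr, jumbo_frames=False):
    """Return the CLI commands in the order the guide gives them."""
    _check_credential(admin_name, "admin name")
    _check_credential(admin_password, "admin password")
    if not _IFACE_RE.match(trust_iface):
        raise ValueError(f"trust interface: unexpected name {trust_iface!r}")
    mgt = _check_cidr(mgt_cidr, "MGT interface")
    trust = _check_cidr(trust_cidr, "Trust interface")
    # Added sanity check (assumption of this example, not stated in the guide):
    # the management and Trust networks should be distinct subnets.
    if ipaddress.ip_interface(mgt).network.overlaps(
            ipaddress.ip_interface(trust).network):
        raise ValueError("MGT and Trust subnets overlap")
    commands = [
        f"set admin name {admin_name}",
        f"set admin password {admin_password}",
        f"set interface mgt ip {mgt}",
        f"set interface {trust_iface} ip {trust}",
    ]
    if jumbo_frames:
        # Takes effect only after a reboot, per the guide.
        commands.append(f"set environment max-frame-size={JUMBO_MAX_FRAME}")
    commands.append("save")
    return commands


def verification_commands(trust_iface):
    """Commands to confirm the new settings (the guide shows 'get interface mgt')."""
    return ["get interface mgt", f"get interface {trust_iface}"]


if __name__ == "__main__":
    # Constructed sample values matching the guide's examples.
    for line in build_initial_config("secadmin", "Chang3-M3-N0w", "10.100.2.183/16",
                                     "ethernet2/3", "172.16.20.1/16"):
        print(line)
```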
For example, if the MGT interface has an address of 10.100.2.183, then enter:
telnet 10.100.2.183
3. At the Username prompt, type your user name (default is netscreen).
4. At the Password prompt, type your password (default is netscreen).
Note: Use lowercase letters only. Both username and password are case-sensitive.
5. (Optional) By default, the console times out and terminates automatically after 10 minutes of idle time.
For example, if you assigned the MGT interface an IP address of 10.100.2.183/16, then enter:
http://10.100.2.183
The NetScreen WebUI software displays the login prompt.
3. Enter netscreen in both the Admin Name and Password fields, and then click Login. (Use lowercase letters only. The Admin Name and Password fields are both case sensitive.) The NetScreen WebUI application window appears.
CONFIGURING JUMBO FRAMES
The 5000-8G2 and 5000-2XGE SPMs support jumbo frames of up to 9,830 bytes. To set jumbo frames, use the following CLI command:
set environment max-frame-size=9830
You must reboot the system before this feature can take effect.
CONFIGURING AGGREGATE INTERFACES
The NetScreen-5000 Series system allows you to combine two or more physical ports into a single virtual port. This virtual port is known as an aggregate interface.
4. (Optional) To see the updated port list and details about the new aggregate interface:
get interface
get interface aggregate1
Notice that the listing contains aggregate1, an aggregate interface consisting of ethernet2/1 and ethernet2/2. This aggregate interface runs with a throughput rate of 2 Gbps.
3. Press the y key. The following message appears:
!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen; password: netscreen.
Chapter 4 Servicing the Device
This chapter details service and maintenance of various components in your NetScreen-5000 Series system.
REMOVING AND RESEATING MODULES
Although NetScreen-5000 Series modules are pre-installed before shipping, you may find it necessary to remove or reseat modules to suit the special security needs of your network.
Warning: Always be sure the chassis power switch is off before you remove or install a Secure Port Module (SPM) or management module.
To remove a module from a NetScreen-5000 Series system:
1. Release the module from the chassis by loosening the screws.
2.
REPLACING AN AC POWER SUPPLY
To replace an AC power supply:
1. Turn off the power supply.
2. Lift the AC power cord retainer clip.
3. Unplug the cord from the power supply.
4. Turn the thumbscrew counterclockwise to release the power supply.
5. Lift and grip the lever, and then gently pull the power supply straight out.
6. Insert the new power supply into the bay.
7. Secure the power supply in place by tightening the thumbscrew clockwise.
8.
NetScreen-5200 Fan Module
[Figure: NetScreen-5200 fan module; callouts: fan module, fan front, fan lever]
To remove the fan module on a NetScreen-5200:
1. Pull the fan lever until it is fully extended.
2. Grip the sides, then gently slide the assembly straight out.
Warning: Do not remove the fan module while the fans are still spinning.
3. Insert the new fan module in the fan bay, then push it straight in.
4. Secure the fan module in place by pushing the fan lever flat against the front panel.
Replacing the Fan Module
NetScreen-5200 Fan Tray Filter
Before you replace the fan tray filter, make sure you have the following tools:
• Flashlight or other light source
• 18-inch wooden ruler
To replace the fan tray filter:
1. Remove the fan tray (see “NetScreen-5200 Fan Module” on page 38).
2. Pull the front edge of the filter from the Velcro backing.
3. Insert a wooden ruler between the filter and the chassis wall.
4.
7. Once the filter is fully inserted, push the wooden ruler against the filter’s surface several times to ensure that the filter is secure against the chassis wall.
Note: Make sure that the filter is secure against the Velcro wall; otherwise the filter will tear when you reinstall the fan.
8. Insert the fan tray into the chassis.
9. Lock the fan lever.
NetScreen-5400 Fan Module
[Figure: NetScreen-5400 fan module; callouts: fan front, fan module]
To replace the fan module on a NetScreen-5400:
1.
3. Align the new fan module in the fan bay, and then push it straight in.
4. Secure the fan module in place by tightening the thumbscrews clockwise.
NetScreen-5400 Fan Tray Filter
To replace the fan tray filter:
1. Remove the fan tray (see “NetScreen-5400 Fan Module” on page 40).
2. Lay the fan tray filter up.
3. Pull the filter from the Velcro backing.
4. Replace the filter.
5. Align the new fan module in the fan bay, and then push it straight in.
6. Secure the fan module in place by tightening the thumbscrews clockwise.
CONNECTING AND DISCONNECTING GIGABIT ETHERNET CABLES
To connect a Gigabit Ethernet cable to a mini-GBIC connector transceiver port:
1. Hold the cable clip firmly but gently between your thumb and forefinger, with your thumb on top of the clip and your finger under the clip. (Do not depress the clip ejector on top of the clip.)
2. Slide the clip into the transceiver port until it clicks into place.
Appendix A Specifications
This appendix provides general system specifications for the NetScreen-5000 Series.
NETSCREEN-5200 ATTRIBUTES
Height: 3.4 inches (8.6 cm)
Depth: 19.5 inches (49.5 cm)
Width: 17.5 inches (44.5 cm)
Weight: 32 pounds (15 kg) (without power supply)
NETSCREEN-5400 ATTRIBUTES
Height: 8.62 inches (21.89 cm)
Depth: 14 inches (35 cm)
Width: 17.5 inches (44.5 cm)
Weight: 42 pounds (19 kg) (without power supply)
ELECTRICAL SPECIFICATION
AC voltage: 100-240 VAC +/- 10%
DC voltage: -36 to -60 VDC
AC Watts: 150 Watts
DC Watts: 150 Watts
Fuse Rating: AC: 3.
NEBS CERTIFICATIONS
Level 3 NetScreen-5200 with DC power supply.
GR-63-Core: NEBS, Environmental Testing
GR-1089-Core: EMC and Electrical Safety for Network Telecommunications Equipment
Note: NEBS certification is currently not available on the 5000-M2 management module.
SAFETY CERTIFICATIONS
UL, CUL, CSA, CE, CB
EMI CERTIFICATIONS
FCC class A, CE class A, C-Tick, VCCI class A
CONNECTORS
The RJ-45 twisted-pair ports are compatible with the IEEE 802.3 Type 10/100 Base-T standard.
The following table shows the 10-Gigabit media types and distances for the different types of connectors used with the NetScreen-5000 Series systems.
Standard | Media Type | MHz/km Rating | Maximum Distance
1000 Base-SR | 62.5/125 µm Multimode Fiber | 160 | 220 m
62.
Appendix B Port Descriptions and LED Status
This appendix provides detail on port descriptions and LED status for the NetScreen-5000 Series modules.
MODULE PORT DESCRIPTIONS
The following table describes the ports on the 5000-M and 5000-M2 management modules.
Port | Description | Type | Speed/Protocol
Console | Enables a serial connection to establish terminal sessions with the system. Used for launching Command Line Interface (CLI) sessions. | RJ-45 | 9600 bps / RS-232
Modem | Enables a serial modem connection for establishing dial-up sessions.
The following table details the ports on the 5000-8G2 SPM.
Port | Description | Type | Speed/Protocol
Network Ports 1-8 | Eight 2-Gigabit ports with an aggregate throughput of 8 Gbps. | mini-GBIC | 2 Gbps / Gigabit Ethernet
The following table details the ports on the 5000-2XGE SPM.
Port | Description | Type | Speed/Protocol
Network Ports 1 and 2 | Two 10-Gigabit Ethernet mini-GBICs with a throughput of 10 Gbps.
STATUS LED STATES
This section describes Status LED states on all modules.
Interpreting Status LEDs for the Management Modules
The Status LEDs indicate whether the management module is operating properly. The following table describes the status possibilities for each.
LED | LED Color | Meaning of the LED
CPU Utilization | green | Consists of an array of five LEDs that indicate the current level of CPU utilization.
Interpreting Status LEDs for the Secure Port Module
The Status LEDs indicate whether the Secure Port Module is operating properly. The following table describes the status possibilities for each.
LED | LED Color | Meaning of the LED
POWER | green | Indicates the system is receiving power.
POWER | off | Indicates the system is not receiving power.
POWER | amber | Indicates the system has initially received power.
POWER | blinking green | Indicates the system is up and operational and that the power source is working properly.
POWER SUPPLY LEDS
The following tables describe LED behaviors on the 5000-M and 5000-M2 for different combinations of functioning power supplies.
Interpreting Power Supply LED Status for the NetScreen-5200
The following table details the LED behaviors on the 5000-M and 5000-M2 for different combinations of functioning power supplies on the NetScreen-5200.
Power Supply 1 Present | Power Supply 2 Present | Power LED | Alarm LED
Yes | No | Green | Off
Yes | Yes.
FAN LED
The following table describes the Fan LED on both the NetScreen-5200 and NetScreen-5400 chassis.
LED Color | Meaning of the LED
green | Fans are operating.
off | Power is off.