Download Print this page

Juniper SRX5400 Hardware Manual

Juniper SRX5400 Hardware Manual

Firewall

Hide thumbs Also See for SRX5400:

Hardware manual (438 pages)

,

Reference (109 pages)

,

Manual (102 pages)

Table Of Contents

Table of Contents

Advertisement

Quick Links

Download this manual

SRX5400 Firewall Hardware Guide

Published

2023-07-10

Table of Contents

Advertisement

Table of Contents

Troubleshooting

Need help?

Need help?

Do you have a question about the SRX5400 and is the answer not in the manual?

Questions and answers

Summary of Contents for Juniper SRX5400

Page 1 SRX5400 Firewall Hardware Guide Published 2023-07-10...
Page 2 The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https:/ /support.juniper.net/support/eula/.
Page 3: Table Of Contents
SRX5400 Firewall Midplane Description | 10 SRX5400 Firewall Craft Interface Overview | 10 SRX5400 Firewall Craft Interface Alarm LEDs and Alarm Cutoff/Lamp Test Button | 12 SRX5400 Firewall Craft Interface Host Subsystem LEDs | 13 SRX5400 Firewall Craft Interface Power Supply LEDs | 14...
Page 4 SRX5400 Firewall AC Power Supply LEDs | 27 AC Power Cord Specifications for the SRX5400 Firewall | 28 AC Power Circuit Breaker Requirements for the SRX5400 Firewall | 31 SRX5400 Firewall DC Power Supply | 31 SRX5400 Firewall DC Power Supply Specifications | 32...
Page 5 SRX5400 Line Cards and Modules | 67 SRX5400, SRX5600, and SRX5800 Firewall Card Overview | 68 Cards Supported on SRX5400, SRX5600, and SRX5800 Firewalls | 69 SRX5400 Firewall Card Cage and Slots | 74 SRX5400 Firewall Services Processing Card Overview | 74...
Page 6 SRX5400 Network Cable and Transceiver Planning | 156 Routing Engine Interface Cable and Wire Specifications for the SRX5400 Firewall | 156 Signal Loss in Multimode and Single-Mode Fiber-Optic Cable for the SRX5400 Firewall | 157 Attenuation and Dispersion in Fiber-Optic Cable for the SRX5400 Firewall | 157...
Page 7 Verifying the SRX5400 Firewall Parts Received | 169 Installing the SRX5400 Mounting Hardware | 172 Tools and Parts Required to Install the SRX5400 Firewall Mounting Hardware for a Rack or Cabinet | 172 Installing the SRX5400 Firewall Mounting Hardware for a Rack or Cabinet | 172...
Page 8 Connecting Network Cables to SRX5400 Firewall MICs | 193 Connecting the SRX5400 to Power | 194 Tools and Parts Required for SRX5400 Firewall Grounding and Power Connections | 195 Grounding the SRX5400 Firewall | 195 Connecting Power to an AC-Powered SRX5400 Firewall | 197...
Page 9 Removing an SRX5400 Firewall AC Power Supply | 229 Installing an SRX5400 Firewall AC Power Supply | 231 Replacing an SRX5400 Firewall AC Power Supply Cord | 232 Disconnecting an SRX5400 Firewall AC Power Supply Cord | 232 Connecting an SRX5400 Firewall AC Power Supply Cord | 232...
Page 10 Removing an SRX5400 Firewall MIC | 281 Installing an SRX5400 Firewall MIC | 282 Installing an MPC and MICs in an Operating SRX5400 Firewall Chassis Cluster | 284 Maintaining SPCs on the SRX5400 Firewall | 287 Replacing SRX5400 Firewall SPCs | 289...
Page 11 Troubleshooting the SRX5400 Firewall with Chassis and Interface Alarm Messages | 310 Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls | 310 Troubleshooting the SRX5400 Firewall with Alarm Relay Contacts | 323 Troubleshooting the SRX5400 Firewall with the Craft Interface LEDs | 323...
Page 12 DC Power Wiring Sequence Warning | 383 DC Power Wiring Terminations Warning | 385 Multiple Power Supplies Disconnection Warning | 386 TN Power Warning | 387 Action to Take After an Electrical Accident | 387 SRX5400 Firewall Agency Approvals | 388...
Page 13 SRX5400 Firewall Compliance Statements for EMC Requirements | 390...
Page 14: About This Guide
Junos OS documentation for information about further software configuration. RELATED DOCUMENTATION Getting Started Guide for the SRX5400 Firewall SRX5400, SRX5600 and SRX5800 Firewall Card Reference Safety Guide Air Deflector Kit Installation Guide for SRX3600 and SRX5400 Firewalls Transceivers Supported on SRX5400 Firewalls...
Page 15: Overview
C HAPTER Overview SRX5400 Firewall System Overview | 2 SRX5400 Chassis | 6 SRX5400 Cooling System | 20 SRX5400 Power System | 23 SRX5400 Host Subsystem | 39 SRX5400 Line Cards and Modules | 67...
Page 16: Srx5400 Firewall System Overview
The SRX5400 Firewall is 5 rack units (U) tall. You can stack eight firewalls in a rack that is at least 48 U (89.3 in. or 2.24 m) in height if it has a 1 in. cap between for increased port density per unit of floor space.
Page 17: Benefits Of The Srx5400 Firewall
Benefits of the SRX5400 Firewall • The SRX5400 Firewall is a small footprint but high-performance gateway which supports 285 Gbps IMIX firewall throughput, 90 million concurrent sessions, and 230 Gbps IPS. The ability to support unique security policies per zone with a compelling performance, makes the SRX5400 an optimal solution for the edge or data center services in large enterprise, service provider, or mobile operator environments.
Page 18: Srx5400 Firewall Frus
• Lost productivity and the impact of malicious URLs and extraneous or malicious content on the network to help maintain bandwidth. • Advanced Threat Prevention (ATP) - Juniper ATP Cloud, a SaaS-based service, and the Juniper ATP Appliance, an on-premises solution: •...
Page 19: Srx5400 Firewall Component Redundancy
SPCs MPCs MICs SRX5400 Firewall Component Redundancy The following major hardware components are redundant: • Power supplies—The firewall is configurable with two, three, or four AC power supplies at the rear of the chassis in slots PEM0 through PEM3 (left to right)or two DC power supplies in slots PEM0 and PEM2.
Page 20: Srx5400 Chassis
SRX5400 Firewall Midplane Description | 10 SRX5400 Firewall Craft Interface Overview | 10 SRX5400 Firewall Craft Interface Alarm LEDs and Alarm Cutoff/Lamp Test Button | 12 SRX5400 Firewall Craft Interface Host Subsystem LEDs | 13 SRX5400 Firewall Craft Interface Power Supply LEDs | 14...
Page 21 CAUTION: Before removing or installing components of a firewall, attach an ESD strap to an ESD point and place the other end of the strap around your bare wrist. Failure to use an ESD strap can result in damage to the firewall. WARNING: The firewall must be connected to earth ground during normal operation.
Page 22 Figure 2: Rear View of an AC-Powered Firewall Chassis Figure 3: Rear View of a Fully Configured DC-Powered Firewall Chassis...
Page 23: Srx5400 Firewall Physical Specifications
SRX5400 Firewall Physical Specifications Table 2 on page 9 summarizes the physical specifications for the firewall chassis. Table 2: Physical Specifications Description Value Chassis dimensions 8.7 in. (22.1 cm) high 17.45 in. (44.3 cm) wide 24.5 in. (62.2 cm) deep (from front-mounting bracket to chassis rear) Total depth (including cable management system): 27.75 in.
Page 24: Srx5400 Firewall Midplane Description
The midplane supports link speeds up to 10 Gbps and is not field replaceable. SRX5400 Firewall Craft Interface Overview The craft interface shows you status and troubleshooting information at a glance and lets you perform many system control functions.
Page 25 Figure 4: Front Panel of the Craft Interface Table 3: Front Panel of the Craft Interface Component Description Reference Routing Engine LEDs "SRX5400 Firewall Craft Interface Host Subsystem LEDs" on page 13 Fan LEDs "SRX5400 Firewall Craft Interface Fan LEDs" on page 15 PEM LEDs "SRX5400 Firewall Craft Interface...
Page 26: Srx5400 Firewall Craft Interface Alarm Leds And Alarm Cutoff/Lamp Test Button
NOTE: The SCB must be installed in the firewall for the craft interface to obtain power. SRX5400 Firewall Craft Interface Alarm LEDs and Alarm Cutoff/Lamp Test Button Two large alarm LEDs are located at the upper right of the craft interface. The circular red LED lights to indicate a major alarm condition that can result in a system shutdown.
Page 27: Srx5400 Firewall Craft Interface Host Subsystem Leds
Causes all LEDs on the craft interface to light (for testing) when pressed and held. SRX5400 Firewall Craft Interface Host Subsystem LEDs The host subsystem has three LEDs, located on the upper left of the craft interface, that indicate its status.
Page 28: Srx5400 Firewall Craft Interface Power Supply Leds
SRX5400 Firewall Craft Interface Power Supply LEDs Each power supply has two LEDs on the craft interface that indicate its status. The LEDs, labeled 0 through 3, are located near the middle of the craft interface next to the PEM label.
Page 29: Srx5400 Firewall Craft Interface Fan Leds
The Online/Offline buttons are only supported for slots containing MPC interface cards. You can install MPCs into slots: • SRX5400–Any slot except bottom slot 0 • SRX5600–Any slot except bottom slots 0 or 1 •...
Page 30 2. Issue the CLI show chassis fpc command to check the status of installed MPCs. As shown in the sample Offline in the column labeled State indicates that the MPC in slot 1 is now offline: output, the value user@host> show chassis fpc Slot State (C) Total Interrupt DRAM (MB) Heap...
Page 31 To bring an MPC back online using the Online/Offline buttons: 1. Press and hold the corresponding card’s Online/Offline button on slot 1 on the craft interface. The green OK/FAIL LED next to the button and the MPC’s LED begins to blink. Hold until both the button’s LED and the MPC’s LED are green and steady.
Page 32: Srx5400 Firewall Craft Interface Alarm Relay Contacts
1024 2 Online 1024 SRX5400 Firewall Craft Interface Alarm Relay Contacts The craft interface has two alarm relay contacts for connecting the device to external alarm devices (see Figure 5 on page 18). Whenever a system condition triggers either the major or minor alarm on the craft interface, the alarm relay contacts are also activated.
Page 33 Table 9: Alarm Relay Contact Functions Contact Label Contact Name Function Normally Closed Connects the alarm relay to an external alarm-reporting device that activates when the circuit between C and NC is closed. Current In Connects the alarm relay to the current source for the external alarm- reporting device.
Page 34: Srx5400 Cooling System
Figure 6: Example Alarm Reporting Device RELATED DOCUMENTATION General Electrical Safety Guidelines and Warnings Preventing Electrostatic Discharge Damage to the SRX5400 Firewall SRX5400 Cooling System The cooling system consists of the following components: • Fan tray • Air filter The cooling system components work together to keep all firewall components within the acceptable...
Page 35 The air intake to cool the chassis is located on the side of the chassis next to the air filter. Air is pulled through the chassis toward the fan tray, where it is exhausted out the side of the system. The air intake to cool the power supplies is located in the front of the device above the craft interface.
Page 36 Figure 8: Fan Tray Figure 9: Air Filter RELATED DOCUMENTATION Maintaining the Fan Tray on the SRX5400 Firewall | 221...
Page 37: Srx5400 Power System
SRX5400 Firewall AC Power Supply LEDs | 27 AC Power Cord Specifications for the SRX5400 Firewall | 28 AC Power Circuit Breaker Requirements for the SRX5400 Firewall | 31 SRX5400 Firewall DC Power Supply | 31 SRX5400 Firewall DC Power Supply Specifications | 32...
Page 38 NOTE: The SRX5400 Firewall and SRX5600 Firewall use the same power supply model. The firewall is configurable with two, three, or four AC power supplies by default (optionally, a fourth power supply can be added) or two DC power supplies. The AC power supplies are located horizontally at the rear of the chassis in slots PEM0 through PEM3 (left to right) and the DC power supplies are located in slots PEM0 and PEM2.
Page 39: Srx5400 Firewall Ac Power Supply
DC PSU PEM0 & PEM2 PEM2 SRX5400 Firewall AC Power Supply Each AC power supply consists of one AC appliance inlet, an AC switch, a fan, and LEDs to monitor the status of the power supply. Figure 10 on page 26 shows the power supply.
Page 40: Srx5400 Firewall Ac Power Supply Specifications
This separate protective earthing terminal must be permanently connected to earth. NOTE: The SRX5400 Firewall and SRX5600 Firewall use the same power supply model. SRX5400 Firewall AC Power Supply Specifications Table 13 on page 27 lists the AC power supply electrical specifications.
Page 41: Srx5400 Firewall Ac Power Supply Leds
Output power (maximum) per system 3501 W 4100 W SRX5400 Firewall AC Power Supply LEDs Each AC power supply faceplate contains three LEDs that indicate the status of the power supply (see Table 15 on page 28). The power supply status is also reflected in two LEDs on the craft interface. In...
Page 42: Ac Power Cord Specifications For The Srx5400 Firewall
Power supply is not functioning normally and its output voltage is out of regulation limits. Check AC OK and DC OK LEDs for more information. AC Power Cord Specifications for the SRX5400 Firewall Each AC power supply has a single AC appliance inlet located on the power supply that requires a dedicated AC power feed.
Page 43 Figure 11: C19 Appliance Coupler Table 16 on page 29 provides specifications and depicts the plug on the AC power cord provided for each country or region. Table 16: AC Power Cord Specifications Country Model Number Electrical Specification Plug Type Graphic Australia CBL-M-PWR-RA-AU...
Page 44 WARNING: To meet safety and electromagnetic interference (EMI) requirements and to ensure proper operation, you must properly ground the firewall chassis before connecting power. See "Grounding the SRX5400 Firewall " on page 195 for instructions. CAUTION: Power cords and cables must not block access to device components or drape where people could trip on them.
Page 45: Ac Power Circuit Breaker Requirements For The Srx5400 Firewall
We recommend that you provision 60 A or 70 A per feed, depending on the selected DIP switch setting. Figure 12: DC Power Supply Faceplate NOTE: The SRX5400 Firewall and SRX5600 Firewall use the same power supply model.
Page 46: Srx5400 Firewall Dc Power Supply Specifications
SRX5400 Firewall DC Power Supply Specifications Table 17 on page 32 lists the DC power supply electrical specifications. Table 18 on page 32 lists the DC power system specifications. Table 17: DC Power Supply Electrical Specifications Item Specification DIP=0 (60 A Input)
Page 47: Srx5400 Firewall Dc Power Supply Leds
Amber DC input is present, but not in valid operating range or connected in reverse polarity. DC Power Cable Specifications for the SRX5400 Firewall Table 20 on page 34 summarizes the specifications for the power cables, which you must supply.
Page 48: Dc Power Cable Lug Specifications For The Srx5400 Firewall
DC Power Cable Lug Specifications for the SRX5400 Firewall The accessory box shipped with the firewall includes the cable lugs that attach to the terminal studs of...
Page 49: Dc Power Circuit Breaker Requirements For The Srx5400 Firewall
This separate protective earth terminal must be permanently connected to earth. DC Power Circuit Breaker Requirements for the SRX5400 Firewall Each DC power supply has a single DC input (–48 VDC and return) that requires a dedicated facility circuit breaker.
Page 50: Srx5400 Firewall Chassis Grounding Point Specifications
WARNING: To meet safety and electromagnetic interference (EMI) requirements and to ensure proper operation, you must properly ground the firewall chassis before connecting power. See "Grounding the SRX5400 Firewall " on page 195 for instructions. CAUTION: Before firewall installation begins, a licensed electrician must attach cable lugs to the grounding and power cables that you supply.
Page 51: Srx5400 Firewall Grounding-Cable Specification
Figure 15: SRX5400 Firewall Grounding Point To ground the firewall, you must connect a grounding cable to earth ground and then attach it to the chassis grounding point using the two screws provided. NOTE: Additional grounding is provided to an AC-powered firewall when you plug its power supplies into grounded AC power receptacles.
Page 52: Srx5400 Firewall Grounding-Cable Lug Specification
NOTE: The same cable lug is used for the DC power cables. RELATED DOCUMENTATION Calculating Power Requirements for the SRX5400 Firewall | 150 Replacing an SRX5400 Firewall DC Power Supply | 233 Replacing an SRX5400 Firewall AC Power Supply | 229...
Page 53: Srx5400 Host Subsystem
• SRX5K-SCB–from Junos OS Release 9.2 to 12.3X48 • SRX5K-SCBE–from Junos OS Release 12.1X47-D15 and later • SRX5K-SCB3–from Junos OS Release 15.1X49-D10 and later • SRX5K-SCB4–from Junos OS Release 19.3R1 and later NOTE: SRX5K-SCB4 is not supported on SRX5400 Firewalls.
Page 54: Switch Control Board Srx5K-Scb Overview
• Routing Engine • SRX5K-RE-13-20–from Junos OS Release 9.2 to 12.3X48 • SRX5K-RE-1800X4–from Junos OS Release 12.1X47-D15 and later • SRX5K-RE3-128G–from Junos OS Release 19.3R1 and later NOTE: You can only configure the following combination of Routing Engine and SCB within a host subsystem: •...
Page 55: Switch Control Board Srx5K-Scb Specifications
• Provides interconnections to all the IOCs within the chassis through the switch fabrics integrated into the SCB SRX5400 and SRX5600 Firewalls have one SCB each installed and you can install a second SCB for redundancy. The SRX5800 Firewall has two SCBs installed and you can install a third SCB for switch...
Page 56 The host subsystem is composed of a Routing Engine installed directly into a slot on the faceplate of the SCB. When there is no Routing Engine is a SCB, its slot must be covered with a blank panel. Figure 18: Switch Control Board SRX5K-SCB Each SCB consists of the following components: •...
Page 57 Junos OS Release 9.2 and later Cables and connectors Slot for Routing Engine Controls None Supported Slots • SRX5400–Only bottom slots 0 and 1/0 • SRX5600–Only bottom slots 0 and 1 • SRX5800–Only center slots 0, 1, and 2/6 Power Requirement 150 W Weight Approximately 10 lb (4.5 kg)
Page 58: Switch Control Board Srx5K-Scbe Overview
Serial Number Location The serial number label is located as shown in Figure 19 on page Figure 19: SCB Serial Number Label Switch Control Board SRX5K-SCBE Overview The SRX5000 line enhanced Switch Control Board (SRX5K-SCBE) caters to high-end security markets requiring support for higher capacity traffic.
Page 59 Some key attributes of the SRX5K-SCBE are: • A bandwidth of 120 Gbps per slot with redundant fabric support and improved fabric performance by using the next-generation fabric (XF) chip. • A centralized clocking architecture that supports clock cleanup and distribution. The Stratum 3 clock module performs clock monitoring, filtering, and holdover in a centralized chassis location.
Page 60: Switch Control Board Srx5K-Scbe Specifications
Figure 20: SRX5K-SCBE Switch Control Board SRX5K-SCBE Specifications IN THIS SECTION SRX5K-SCBE LEDs | 48...
Page 61 Junos OS Release 12.1X47-D15 and later Cables and connectors Slot for Routing Engine Controls None Supported slots • SRX5400–Only bottom slots 0 and 1/0 • SRX5600–Only bottom slots 0 and 1 • SRX5800–Only center slots 0, 1, and 2/6 Power requirement •...
Page 62 Serial number location The serial number label is located as shown in Figure 21 on page Figure 21: SRX5K-SCBE Serial Number Label SRX5K-SCBE LEDs Table 22 on page 49 describes the SRX5K-SCBE LEDs and their states.
Page 63: Switch Control Board Srx5K-Scb3 Overview
The SRX5K-SCB3 (SCB3) caters to high-end security markets requiring support for higher capacity traffic, greater interface density (slot and capacity scale), and improved services. The SCB3 is supported on SRX5400, SRX5600, and SRX5800 Firewalls. The SCB3 supports the standard midplane and the enhanced midplane.
Page 64: Switch Control Board Srx5K-Scb3 Specifications
• Support for MPC line cards such as SRX5K-MPC (IOC2) and IOC3 (SRX5K-MPC3-40G10G or SRX5K-MPC3-100G10G) only. • Two 10-Gigabit Ethernet SFP+ ports (These ports are disabled and reserved for future use). The Routing Engine installs directly into a slot on the SCB3, as shown in Figure 22 on page Figure 22: SRX5K-SCB3 Switch Control Board SRX5K-SCB3 Specifications...
Page 65 Junos OS Release 15.1X49-D10 and later Cables and connectors Slot for Routing Engine Controls None Supported slots • SRX5400–Only bottom slots 0 and 1/0 • SRX5600–Only bottom slots 0 and 1 • SRX5800–Only center slots 0, 1, and 2/6 Power requirement 300 W Weight 9.6 lb (4.4 kg) with Routing Engine...
Page 66: Routing Engine Srx5K-Re-13-20 Overview
SRX5K-SCB3 LEDs Table 23 on page 52 describes the SCB3 LEDs and their states. Table 23: SRX5K-SCB3 LEDs Label Color State Description FABRIC ACTIVE Green On steadily Fabric is in active mode. OK/FAIL Green On steadily SCB3 is online. On steadily SCB3 has failed.
Page 67: Routing Engine Srx5K-Re-13-20 Specifications
Figure 24: SRX5K-RE-13-20 Routing Engine SRX5400, For detailed information about the Routing Engines supported by the firewall, see the SRX5600, and SRX5800 Firewall Card Reference at www.juniper.net/documentation/. Routing Engine SRX5K-RE-13-20 Specifications The SRX5K-RE-13-20 Routing Engine (Figure 25 on page 53) is an Intel-based PC platform that runs the Junos operating system (Junos OS).
Page 68 The Routing Engine boots from the storage media in this order: the USB device (if present), then the internal flash disk, then the hard disk, then the LAN. NOTE: For specific information about Routing Engine components (for example, the amount of DRAM), issue the show chassis routing-engine command. Description Routing Engine for SRX5400, SRX5600, and SRX5800 Firewalls...
Page 69 • ONLINE/OFFLINE Button—Not supported in the current release Supported Slots Front panel slot in an SCB installed in: • SRX5400: Bottom slot 0 • SRX5600: Bottom slots 0 or 1 • SRX5800: Center slots 0 or 1 NOTE: The firewall host subsystem Routing Engine must be installed in the SCB in slot 0. A Routing Engine installed in an SCB in slot 1 only enables dual control links in chassis cluster configurations.
Page 70 Blinking green–The Routing Engine hard disk is functioning normally. MASTER LED: • Blue–The Routing Engine is Primary. NOTE: The SRX5400, SRX5600, and SRX5800 Firewalls do not support a secondary or backup Routing Engine, so the MASTER LED should always be lit. OK/FAIL LED, one bicolor: •...
Page 71: Routing Engine Srx5K-Re-1800X4 Overview
Routing Engine SRX5K-RE-1800X4 Overview IN THIS SECTION SRX5K-RE-1800X4 Routing Engine Boot Sequence | 58 The enhanced Routing Engine is an Intel-based PC platform that runs Junos OS. Software processes that run on the Routing Engine maintain the routing tables, manage the routing protocols used on the device, control the device interfaces, control some chassis components, and provide the interface for system management and user access to the device.The Routing Engine must be installed directly into the SRX5K-SCBE.
Page 72: Routing Engine Srx5K-Re-1800X4 Specifications
• ETHERNET–Connects the Routing Engine through an Ethernet connection to a management LAN (or any other device that plugs into an Ethernet connection) for out-of-band management. The port uses an autosensing RJ-45 connector to support 10/100/1000 Mbps connections. Two small LEDs on the bottom of the port indicate the connection in use: the LED flashes yellow or green for a 10/100/1000 Mbps connection, and the LED is light green when traffic is passing through the port.
Page 73 • Online/Offline button—Takes the Routing Engine online or offline when pressed. • Extractor clips—Inserts and extracts the Routing Engine. • Captive screws—Secures the Routing Engine in place. Description Routing Engine for SRX5400, SRX5600, and SRX5800 Firewalls Software release Junos OS Release 12.1X47-D15 and later Cables and...
Page 74 Supported slots Front panel slot in an SCB installed in: • SRX5400: Bottom slot 0 • SRX5600: Bottom slots 0 or 1 • SRX5800: Center slots 0 or 1 NOTE: The firewall host subsystem Routing Engine must be installed in the SCB in slot 0. A Routing Engine installed in an SCB in slot 1 only enables dual control links in chassis cluster configurations.
Page 75: Routing Engine Srx5K-Re3-128G Specifications
SRX5K-RE-1800X4 LEDs Each Routing Engine has four LEDs that indicate its status. The LEDs, labeled MASTER, STORAGE, ONLINE, and OK/FAIL, are located directly on the faceplate of the Routing Engine. Table 24 on page describes the Routing Engine LEDs and their states. Table 24: SRX5K-RE-1800X4 LEDs Label Color...
Page 76 FAIL, and MASTER Description Routing Engine for SRX5400, SRX5600, and SRX5800 Firewalls, based on Intel’s Haswell-EP CPU with 6 cores, and 128GB of DDR4 memory. It provides increased control plane performance and scalability along with virtualization features in the SRX Series 5000 line of chassis.
Page 77 Supported slots Front panel slot in an SCB installed in: • SRX5400: Bottom slot 0 • SRX5600: Bottom slots 0 or 1 • SRX5800: Center slots 0 or 1 NOTE: The firewall host subsystem Routing Engine must be installed in the SCB in slot 0. A Routing Engine installed in an SCB in slot 1 only enables dual control links in chassis cluster configurations.
Page 78 Serial number The serial number label is located as shown in Figure 30 on page location Figure 30: SRX5K-RE3-128G Serial Number Label SRX5K-RE3-128G Routing Engine Components Each Routing Engine consists of the following components: • CPU—Runs Junos OS to maintain the routing tables and routing protocols. •...
Page 79 network, and two asynchronous serial ports—one for connecting to a console and one for connecting to a modem or other auxiliary device. NOTE: The control interface names differ based on the routing engine: • For RE2, the control interfaces are displayed as em0 and em1. •...
Page 80 LAN. SSD1 is the primary boot device. The boot sequence is tried twice for SSD1 and SSD2. RELATED DOCUMENTATION Replacing the SRX5400 Firewall SCB | 243 Maintaining the SRX5400 Firewall Host Subsystem | 240 Replacing the SRX5400 Firewall Routing Engine | 246 Replacing a CompactFlash Card in an SRX5K-RE-1800X4 Routing Engine...
Page 81: Srx5400 Line Cards And Modules
SRX5400 Line Cards and Modules IN THIS SECTION SRX5400, SRX5600, and SRX5800 Firewall Card Overview | 68 Cards Supported on SRX5400, SRX5600, and SRX5800 Firewalls | 69 SRX5400 Firewall Card Cage and Slots | 74 SRX5400 Firewall Services Processing Card Overview | 74...
Page 82: Srx5400, Srx5600, And Srx5800 Firewall Card Overview
SRX5400, SRX5600, and SRX5800 Firewall Card Overview The cards described in this guide let you upgrade and customize your SRX5400, SRX5600, or SRX5800 Firewall to suit the needs of your network. The following types of cards are available for the SRX5400, SRX5600, and SRX5800 Firewalls: •...
Page 83: Cards Supported On Srx5400, Srx5600, And Srx5800 Firewalls
Cards Supported on SRX5400, SRX5600, and SRX5800 Firewalls Table 26 on page 69 describes the cards and other modules supported on the SRX5400, SRX5600, and SRX5800 Firewalls. Table 26: Supported Cards for SRX5400, SRX5600, and SRX5800 Firewalls Card Name and Model...
Page 84 (Continued) Table 26: Supported Cards for SRX5400, SRX5600, and SRX5800 Firewalls Card Name and Model Earliest Supported Junos OS Release Last Supported Junos Number OS Release SRX5400 SRX5600 and SRX5800 SRX5400, SRX5600, and SRX5800 SRX5K-MPC3-40G10G 15.1X49-D10 15.1X49-D10 Specifications SRX5K-MPC3-100G10G 15.1X49-D10 15.1X49-D10...
Page 85 (Continued) Table 26: Supported Cards for SRX5400, SRX5600, and SRX5800 Firewalls Card Name and Model Earliest Supported Junos OS Release Last Supported Junos Number OS Release SRX5400 SRX5600 and SRX5800 SRX5400, SRX5600, and SRX5800 Flex I/O Card Port Module Not supported 10.2...
Page 86 (Continued) Table 26: Supported Cards for SRX5400, SRX5600, and SRX5800 Firewalls Card Name and Model Earliest Supported Junos OS Release Last Supported Junos Number OS Release SRX5400 SRX5600 and SRX5800 SRX5400, SRX5600, and SRX5800 Routing Engine SRX5K- 12.1X47-D15 12.1X47-D15 RE-1800X4 Specifications Routing Engine SRX5K- 19.3R1...
Page 87 Figure 31: Interoperability Matrix for SRX5400, SRX5600, and SRX5800 Firewalls...
Page 88: Srx5400 Firewall Card Cage And Slots
Table 27 on page 74 describes the types of cards that you can install into each slot. Table 27: SRX5400 Firewall Card Cage Slots Card Cage Slot Eligible Cards MPC & IOC SEE ALSO...
Page 89: Services Processing Card Srx5K-Spc-2-10-40 Specifications
Figure 32 on page 75 shows a typical SPC supported on the firewall. Figure 32: Typical SPC SRX5400, SRX5600, and For detailed information about SPCs supported by the firewall, see the SRX5800 Firewall Card Reference at www.juniper.net/documentation/.
Page 90 The firewall must have at least one SPC installed. You can install additional SPCs to increase services processing capacity. You can install SPCs in any of the slots that are not reserved for Switch Control Boards (SCBs). If a slot is not occupied by a card, you must install a blank panel to shield the empty slot and to allow cooling air to circulate properly through the device.
Page 91 Juniper Networks. If you face a problem running a Juniper device that uses third-party optical modules or cables, JTAC may help you diagnose host-related issues if the observed issue is not, in the opinion of JTAC, related to the use of the third-party optical modules or cables.
Page 92 Cables and CHASSIS CLUSTER CONTROL 0 and CHASSIS CLUSTER CONTROL 1–SFP ports for connectors control links in chassis cluster configurations. Supported SFP transceivers: 1000BASE-LH (model numbers SRX-SFP-1GE-LH, SRX-SFP-1GE-LH-ET) 1000BASE-LX (model numbers SRX-SFP-1GE-LX, SRX-SFP-1GE-LX-ET) 1000BASE-SX (model numbers SRX-SFP-1GE-SX, SRX-SFP-1GE-SX-ET) Controls None Supported Slots •...
Page 93 LEDs OK/FAIL LED, one bicolor: • Steady green–The SPC is operating normally. • Red–The SPC has failed and is not operating normally. • Off–The SPC is powered down. STATUS LED, one tricolor for each of the two SPUs SPU 0 and SPU 1: •...
Page 94 • The loss of chassis cluster links which causes an interface monitoring failure. • An error in an SPU or NPU. • Failure of the spu-monitoring or cold-sync-monitoring processes. • A chassis cluster IP monitoring failure. LINK/ACT LED, one for each of the two ports CHASSIS CLUSTER CONTROL 0 and CHASSIS CLUSTER CONTROL 1: •...
Page 95: Services Processing Card Srx5K-Spc-4-15-320 Specifications
Services Processing Card SRX5K-SPC-4-15-320 Specifications The SRX5K-SPC-4-15-320 Services Processing Card (SPC) contains four Services Processing Units (SPUs), which provide the processing power to run integrated services such as firewall, IPsec, and IDP (see Figure 35 on page 82). All traffic traversing the firewall is passed to an SPU to have services processing applied to it.
Page 96 Juniper Networks. If you face a problem running a Juniper device that uses third-party optical modules or cables, JTAC may help you diagnose host-related issues if the observed issue is not, in the opinion of JTAC, related to the use of the third-party optical modules or cables.
Page 97 ZR or ZR+) can potentially cause thermal damage to or reduce the lifespan of the host equipment. Any damage to the host equipment due to the use of third-party optical modules or cables is the users’ responsibility. Juniper Networks will accept no liability for any damage caused due to such use.
Page 98 Supported Slots • SRX5400–Any slot, except the bottom slot 0 which is reserved for SCB/RE. • SRX5600–Any slot, except the bottom slots 0 or 1 which are reserved for SCB/RE. • SRX5800–Any slot, except the slots 0 or 1 which are reserved for SCB/RE.
Page 99 LEDs OK/FAIL LED, one bicolor: • Steady green–The SPC is operating normally. • Red–The SPC has failed and is not operating normally. • Off–The SPC is powered down. STATUS LED, one tricolor for each of the four SPUs SPU 0 through SPU 3: •...
Page 100 • A chassis cluster IP monitoring failure. • Off–The node is not configured for clustering or it has been disabled by the dual membership and detection recovery process in reaction to a control link or fabric link failure. LINK/ACT LED, one for each of the two ports CHASSIS CLUSTER CONTROL 0 and CHASSIS CLUSTER CONTROL 1: •...
Page 101: Services Processing Card Srx5K-Spc3 Specifications
CAUTION: The Juniper Networks Technical Assistance Center (JTAC) provides complete support for Juniper-supplied optical modules and cables. However, JTAC does not provide support for third-party optical modules and cables that are not qualified or supplied by Juniper Networks. If you face a problem running a Juniper...
Page 102 ZR or ZR+) can potentially cause thermal damage to or reduce the lifespan of the host equipment. Any damage to the host equipment due to the use of third-party optical modules or cables is the users’ responsibility. Juniper Networks will accept no liability for any damage caused due to such use.
Page 103 Supported Slots • SRX5400–Any slot, except the bottom slot 0 which is reserved for SCB/RE. • SRX5600–Any slot, except the bottom slots 0 or 1 which are reserved for SCB/RE. • SRX5800–Any slot, except slot 11, and the slots 0 or 1 which are reserved for SCB/RE.
Page 104 LEDs OK/FAIL LED, one bicolor: • Steady green–The SPC is operating normally. • Red–The SPC has failed and is not operating normally. • Off–The SPC is powered down. STATUS LED, one tricolor for each SPU SPU 0 and SPU 1: •...
Page 105: Srx5400 Firewall Mpc And Mic Overview
You cannot install the MPC into the SCB slot (0). NOTE: The SRX5400 Firewall does not support the I/O cards (IOCs) or Flex IOCs supported by the SRX5600 and SRX5800 Firewalls. MPCs are the only supported interface cards for the SRX5400 Firewall.
Page 106: Modular Port Concentrator (Srx5K-Mpc) Specifications
Figure 38: SRX5K-MPC Modular Port Concentrator (SRX5K-MPC) Specifications The SRX5K-MPC (see Figure 39 on page 93) is an interface card with two slots that accept MICs. These MICs add Ethernet ports to your firewall. An MPC with MICs installed functions in the same way as a regular IOC but allows you to add different types of Ethernet ports to your firewall.
Page 107 If a slot in the SRX5400, SRX5600, or SRX5800 Firewall card cage is not occupied by a card, you must install a blank panel to shield the empty slot and to allow cooling air to circulate properly through the firewall. If a slot in an MPC is not occupied by a MIC, you must install a blank panel in the empty MIC slot to shield it and to allow cooling air to circulate properly through the MPC.
Page 108 CLI command: user@host set security forwarding-process application-services session-distribution-mode hash-based When installing an SRX5K-MPC in an SRX5400 Firewall, the session-distribution-mode will only function when hash-based mode is configured or set as the default. The normal mode is not supported.
Page 109: Srx5K-Mpc3-40G10G Specifications
SRX5K-MPCs. • On SRX5400 and SRX5600 Firewalls with AC power supplies, we recommend that you use high-line (220 V) input power to ensure that the devices have adequate power to support SRX5K-MPCs.
Page 110 Figure 40: SRX5K-MPC3-40G10G If a slot in the SRX5400, SRX5600, or SRX5800 Firewall card cage is not occupied by a card, you must install a blank panel to shield the empty slot and to allow cooling air to circulate properly through the firewall.
Page 111 Power Typical: 9.68 A @ 48 V (460 W) requirements At different temperatures: • 55° C: 607 W • 40° C: 541 W • 25° C: 511 W Weight 21 lb (9.52 kg) Hardware • Line-rate throughput of up to 240 Gbps features •...
Page 112 Software features • Optical diagnostics and related alarms • Two packet-forwarding engines, PFE0 and PFE1. PFE0 hosts PIC0 and PIC2. PFE1 hosts PIC1 and PIC3. • Configurable LAN-PHY mode options per 10-Gigabit Ethernet port • Intelligent oversubscription services NOTE: At any one time you can have only one of the following PIC combinations powered •...
Page 113: Srx5K-Mpc3-100G10G Specifications
The SRX5K-MPC3-100G10G (IOC3) is an interface card that provides 100 Gigabit Ethernet and 10 Gigabit Ethernet interfaces, with a Packet Forwarding Engine that provides a 240 Gbps line rate. This interface card is supported on SRX5400, SRX5600, and SRX5800 Firewalls. See Figure 42 on page...
Page 114 Figure 42: SRX5K-MPC3-100G10G If a slot in the SRX5400, SRX5600, or SRX5800 Firewall card cage is not occupied by a card, you must install a blank panel to shield the empty slot and to allow cooling air to circulate properly through the firewall.
Page 115 Power • Typical: 10.52 A @ 48 V (505 W) requirements At different temperatures: • 55° C: 607 W • 40° C: 541 W • 25° C: 511 W Weight 21 lb (9.52 kg) Hardware features • Line-rate throughput of up to 240 Gbps •...
Page 116 LEDs OK/FAIL LED, one bicolor: • Solid green—MPC is functioning normally. • Blinking green—MPC is transitioning online or offline. • Red—MPC has failed. 10-Gigabit Ethernet LINK LED, one bicolor per port: • Green—Link is up. • Amber—Link is disabled. • Off—Link is down or disabled.
Page 117: Mic With 20X1Ge Sfp Interfaces (Srx-Mic-20Ge-Sfp)
Serial Number The serial number label is located as shown in Figure 43 on page 103. Location Figure 43: SRX5K-MPC3-100G10G Serial Number Label MIC with 20x1GE SFP Interfaces (SRX-MIC-20GE-SFP) You use Modular Interface Cards (MICs) and Modular Port Concentrators (MPCs) to add different combinations of Ethernet interfaces to your firewall to suit the specific needs of your network.
Page 118 The SRX-MIC-20GE-SFP MIC (see Figure 44 on page 104) can be installed in the SRX-5K MPC to add twenty 1-Gigabit Ethernet small form-factor pluggable (SFP) Ethernet ports. Figure 44: SRX-MIC-20GE-SFP Description • MIC with twenty 1-Gigabit Ethernet SFP Ethernet ports •...
Page 119 LEDs OK/FAIL LED, one bicolor: • Green–MIC is operating normally. • Red–MIC has failed. • Off–MIC is powered down. LINK LED, single color, one per SFP port: • Green–Link is active. • Off–Link is inactive.
Page 120 For a complete list of media types, see Interface Naming Overview. • fpc —Slot in which the MPC is installed in an SRX5400, SRX5600, or SRX5800 Firewall. • pic —Two Logical PICs on the MIC , numbered 0 or 1 when installed in the first slot, and 2 or 3 when installed in the second slot.
Page 121 Figure 45: SRX-MIC-20GE-SFP Interface Port Mapping The SRX-MIC-20GE-SFP MIC contains two logical PICs, numbered PIC 0 PIC 1 through in the CLI. Each logical PIC contains 10 ports numbered 0 through 9. show chassis fpc pic-status The sample output of the command output displays two 20-port Gigabit Ethernet MICs with SFP —...
Page 122 user@host> show interfaces terse Interface Admin Link Proto Local Remote gr-0/0/0 ip-0/0/0 lt-0/0/0 ge-2/0/0 ge-2/0/1 down ge-2/0/2 down ge-2/0/3 down ge-2/0/4 down ge-2/0/5 ge-2/0/6 down ge-2/0/7 down ge-2/0/8 ge-2/0/9 ge-2/1/0 down ge-2/1/1 ge-2/1/2 down ge-2/1/3 down ge-2/1/4 ge-2/1/5 down ge-2/1/6 down ge-2/1/7 down...
Page 123 ge-2/3/8 down ge-2/3/9 down Serial number location The serial number label is yellow and is located as shown in Figure 46 on page 109. Figure 46: SRX-MIC-20GE-SFP Serial Number Label NOTE: The serial number for the mezzanine card is shown only for reference and is never used for any purpose.
Page 124: Mic With 10X10Ge Sfp+ Interfaces (Srx-Mic-10Xg-Sfpp)
MIC with 10x10GE SFP+ Interfaces (SRX-MIC-10XG-SFPP) You use MICs and MPCs to add different combinations of Ethernet interfaces to your firewall to suit the specific needs of your network. The SRX-MIC-10XG-SFPP (see Figure 47 on page 110) can be installed in an MPC to add ten 10-Gigabit Ethernet SFP+ ports.
Page 125 LEDs OK/FAIL LED, one bicolor: • Green–The MIC is operating normally. • Red–The MIC has failed and is not operating normally. • Off–The MIC is powered down. LINK LED, single color: • Green–The link is active. • Off–No link.
Page 126 Interface Naming Overview. • fpc —Slot in which the MPC is installed in an SRX5400, SRX5600, or SRX5800 Firewall. • pic —Logical PIC on the MIC , numbered 0 when installed in the first slot or 2 when installed in the second slot.
Page 127 show chassis fpc pic-status The sample output of the command displays two 10-port 10- Gigabit Ethernet MICs with SFP+ — inserted into the slots of an MPC in slot 10x 10GE SFP+ PIC 0 PIC 2 The logical PICs of the two MICs— —...
Page 128: Mic With 1X100Ge Cfp Interface (Srx-Mic-1X100G-Cfp)
xe-2/2/3 down xe-2/2/4 down xe-2/2/5 down xe-2/2/6 down xe-2/2/7 down xe-2/2/8 down xe-2/2/9 down Serial number The serial number label is yellow and located as shown in Figure 49 on page 114. location Figure 49: SRX-MIC-10XG-SFPP Serial Number Label MIC with 1x100GE CFP Interface (SRX-MIC-1X100G-CFP) You use MICs and MPCs to add different combinations of Ethernet interfaces to your firewall to suit the specific needs of your network.
Page 129 Figure 50: SRX-MIC-1X100G-CFP Description • MIC with one CFP 100-Gigabit Ethernet port • Fits into MPC • Supports up to 100 Gbps of full-duplex traffic • Maximum configurable MTU: 9192 bytes • Maximum throughput: 100 Gbps Software release Junos OS Release 12.1X46-D10 Cables and One socket for a 100-Gigabit CFP transceiver.
Page 130: Mic With 2X40Ge Qsfp+ Interfaces (Srx-Mic-2X40G-Qsfp)
LEDs OK/FAIL LED, one bicolor: • Green–The MIC is operating normally. • Red–The MIC has failed and is not operating normally. • Off–The MIC is powered down. LINK LED, single color: • Green–The link is active. • Off–No link. Serial number The serial number label is yellow and located as shown in Figure 51 on page 116.
Page 131 Figure 52: SRX-MIC-2X40G QSFP Description • MIC with two QSFP+ Ethernet ports • Fits into MPC • Supports up to 80 Gbps of full-duplex traffic • Maximum configurable MTU: 9192 bytes • Maximum throughput: 80 Gbps Software release Junos OS Release 12.1X46-D10 Cables and connectors Sockets for two QSFP+ 40-Gigabit Ethernet fiber-optic transceivers.
Page 132: I/O Card Srx5K-40Ge-Sfp Specifications
LEDs OK/FAIL LED, one bicolor: • Green–The MIC is operating normally. • Red–The MIC has failed and is not operating normally. • Off–The MIC is powered down. LINK LED, single color, one per QSFP+ port: • Green–The link is active. •...
Page 133 Forwarding Engine consists of one I-chip for Layer 3 processing and one Layer 2 network processor. The IOCs interface with the power supplies and Switch Control Boards (SCBs). You must install at least one IOC in the firewall. The IOC can be of any of the available IOC or Flex IOC types.
Page 134 Software release • Junos OS Release 9.2 and later Cables and 40 Gigabit Ethernet SFP ports connectors Supported SFP transceivers: 1000BASE-LH (model numbers SRX-SFP-1GE-LH, SRX-SFP-1GE-LH-ET) 1000BASE-LX (model numbers SRX-SFP-1GE-LX, SRX-SFP-1GE-LX-ET) 1000BASE-SX (model numbers SRX-SFP-1GE-SX, SRX-SFP-1GE-SX-ET) 1000BASE-T (model numbers SRX-SFP-1GE-T, SRX-SFP-1GE-T-ET) Controls None Supported Slots...
Page 135: I/O Card Srx5K-4Xge-Xfp Specifications
Serial Number The serial number label is located as shown in Figure 55 on page 121. Location Figure 55: Serial Number Label (IOC Shown, Other Cards Similar) I/O Card SRX5K-4XGE-XFP Specifications The SRX5K-4XGE-XFP I/O card (IOC) supports four 10-Gigabit Ethernet ports (see Figure 56 on page 122).
Page 136 Figure 56: IOC SRX5K-4XGE-XFP Description • I/O card with four 10-Gigabit Ethernet XFP ports • Maximum configurable MTU: 9192 bytes • Maximum throughput: 40 Gbps Software release • Junos OS Release 9.2 and later...
Page 137 Cables and connectors Four 10-Gbps XFP ports Supported XFP transceivers: 10GBASE-ER (model numbers SRX-XFP-10GE-ER and SRX-XFP-10GE-ER-ET ) 10GBASE-LR (model numbers SRX-XFP-10GE-LR and SRX-XFP-10GE-LR-ET 10GBASE-SR (model numbers SRX-XFP-10GE-SR and SRX-XFP-10GE-SR-ET ) Controls None Supported Slots • SRX5600–Any slot except bottom slots 0 or 1 •...
Page 138: Srx5K-Ioc4-10G Specifications
Figure 57: SRX5K-4XGE-XFP Serial Number Label SRX5K-IOC4-10G Specifications SRX5K-IOC4-10G is a fixed-configuration interface card with a Packet Forwarding Engine that provides 400-Gbps line rate. This interface card provides scalability in bandwidth and services to the SRX5400, SRX5600 and SRX5800 Firewalls. See Figure 58 on page 124.
Page 139 If a slot in the SRX5400, SRX5600, or SRX5800 Firewall card cage is not occupied by a card, you must install a blank panel to shield the empty slot and to allow cooling air to circulate properly through the firewall.
Page 140 Weight 17 lb (7.7 kg) Hardware features • Junos Trio chipsets for increased scaling for bandwidth, subscribers, and services • Forty 10-Gigabit Ethernet ports. The ports support SFP+ transceivers. • Requires high-capacity power supplies and high- capacity fan trays. • The ports are labeled as (seeFigure 58 on page 124):...
Page 141 Software features • Application security • Application Layer Gateway (ALG) • Attack detection and prevention • Class of service (CoS) • Equal-cost multipath (ECMP) load balancing • GPRS Tunneling Protocol (GTP) • High availability (chassis cluster) • Intrusion detection and prevention (IDP) •...
Page 142: Srx5K-Ioc4-Mrat Specifications
SRX5K-IOC4-MRAT is a fixed-configuration interface card with a Packet Forwarding Engine that provides up to 480-Gbps (240-Gbps per PIC slot) line rate. This interface card provides scalability in bandwidth and services to the SRX5400, SRX5600, and SRX5800 Firewalls. See Figure 60 on page 128.
Page 143 If a slot in the SRX5400, SRX5600, or SRX5800 Firewall card cage is not occupied by a card, you must install a blank panel to shield the empty slot and to allow cooling air to circulate properly through the firewall.
Page 144 Weight 15.7 lb (7.12 kg) Hardware features • Junos Trio chipsets for increased scaling for bandwidth, subscribers, and services • Twelve Gigabit Ethernet ports that can be configured as 40-Gigabit Ethernet port or as 4X10- Gigabit Ethernet port using a breakout cable. The ports support quad small-form factor pluggable plus (QSFP+) transceivers.
Page 145 Software features • Application security • Application Layer Gateway (ALG) • Attack detection and prevention • Class of service (CoS) • Equal-cost multipath (ECMP) load balancing • GPRS Tunneling Protocol (GTP) • High availability (chassis cluster) • Intrusion detection and prevention (IDP) •...
Page 146: Flex I/O Card (Srx5K-Fpc-Ioc) Specifications
Serial Number Location The serial number label is located as shown in Figure 61 on page 132. Figure 61: SRX5K-IOC4-MRAT Serial Number Label Flex I/O Card (SRX5K-FPC-IOC) Specifications The SRX5K-FPC-IOC Flex I/O card (Flex IOC) (Figure 62 on page 133) is an IOC with two slots that accept port modules that add Ethernet ports to your firewall.
Page 147 Figure 62: Flex IOC with Typical Port Modules Description • Flex IOC with slots for two port modules • Maximum throughput: 10 Gbps (per PFE) Software release • Junos OS Release 9.5R1 and later Cables and connectors Slots for two port modules Controls None Supported Slots...
Page 148: Flex I/O Card Port Module Srx-Ioc-16Ge-Sfp Specifications
Weight Approximately 10 lb (4.5 kg) LEDs OK/FAIL LED, one bicolor: • Steady green–The Flex IOC is operating normally. • Red–The Flex IOC has failed and is not operating normally. • Off–The Flex IOC is powered down. Serial Number Location The serial number label is located as shown in Figure 63 on page 134.
Page 149 Figure 64: Flex IOC Port Module SRX-IOC-16GE-SFP Description • Port module with 16 Gigabit Ethernet SFP ports • Maximum throughput: 10 Gbps • Oversubscription ratio: 1.6:1 • Maximum configurable MTU: 9192 bytes Software release • Junos OS Release 9.5R1 and later Cables and 16 Gigabit Ethernet SFP ports connectors...
Page 150: Flex I/O Card Port Module Srx-Ioc-16Ge-Tx Specifications
LEDs OK/FAIL LED, one bicolor: • Steady green–The port module is operating normally. • Red–The port module has failed and is not operating normally. • Off–The port module is powered down. LINK LED, single color, one per port: • Steady green–The link is active. •...
Page 151 the specific needs of your network. The SRX-IOC-16GE-TX port module (Figure 66 on page 137) installs into a Flex IOC to add sixteen 10/100/1000 Ethernet RJ-45 copper ports. Figure 66: Flex IOC Port Module SRX-IOC-16GE-TX Description • Port module with sixteen 10/100/1000 Ethernet RJ45 ports •...
Page 152 LEDs OK/FAIL LED, one bicolor: • Steady green–The port module is operating normally. • Red–The port module has failed and is not operating normally. • Off–The port module is powered down. LINK LED, single color, one per port: • Steady green–The link is active. •...
Page 153: Flex I/O Card Port Module Srx-Ioc-4Xge-Xfp Specifications
Flex I/O Card Port Module SRX-IOC-4XGE-XFP Specifications You use port modules and Flex I/O Cards (Flex IOCs) to add different combinations of small form-factor pluggable transceiver (SFP), 10-gigabit SFP transceiver (XFP), and copper ports to your firewall to suit the specific needs of your network. The SRX-IOC-4XGE-XFP port module (Figure 68 on page 139) installs into a Flex IOC to add four 10-Gigabit Ethernet XFP ports.
Page 154 • Off–No link. Serial Number The serial number label is located as shown in Figure 69 on page 140. Location Figure 69: Port Module SRX-IOC-4XGE-XFP Serial Number Label RELATED DOCUMENTATION SRX5400 Firewall Chassis | 6 SRX5400 Firewall FRUs | 4...
Page 155 SRX5400 Firewall Midplane Description | 10 Maintaining SPCs on the SRX5400 Firewall | 287 Maintaining SPCs on the SRX5400 Firewall | 287 Troubleshooting SRX5400 Firewall SPCs | 329 Replacing SRX5400 Firewall MPCs | 275 Replacing SRX5400 Firewall MICs | 280...
Page 156: Site Planning, Preparation, And Specifications
SRX5400 Site Guidelines and Requirements | 144 SRX5400 Rack and Cabinet Requirements | 148 Calculating Power Requirements for the SRX5400 Firewall | 150 SRX5400 Network Cable and Transceiver Planning | 156 SRX5400 Alarm and Management Cable Specifications and Pinouts | 161...
Page 157: Site Preparation Checklist For The Srx5400 Firewall
Site Preparation Checklist for the SRX5400 Firewall The checklist in Table 28 on page 143 summarizes the tasks you need to perform when preparing a site for firewall installation. Table 28: Site Preparation Checklist Item or Task For More Information ...
Page 158: Srx5400 Site Guidelines And Requirements
SRX5400 Firewall Environmental Specifications | 144 General Site Guidelines | 145 Site Electrical Wiring Guidelines | 146 Clearance Requirements for SRX5400 Firewall Airflow and Hardware Maintenance | 147 SRX5400 Firewall Environmental Specifications Table 29 on page 144 specifies the environmental specifications required for normal firewall operation.
Page 159: General Site Guidelines
(Continued) Table 29: Firewall Environmental Specifications Description Value Temperature Normal operation ensured in temperature range of 32°F (0°C) to 104°F (40°C) Nonoperating storage temperature in shipping container: –40°F (–40°C) to 158°F (70°C) Seismic Designed to meet Telcordia Technologies Zone 4 earthquake requirements Maximum thermal output AC power: 8065 BTU/hour (2365 W) DC power: 7325 BTU/hour (2148 W)
Page 160: Site Electrical Wiring Guidelines
Site Electrical Wiring Guidelines Table 30 on page 146 describes the factors you must consider while planning the electrical wiring at your site. WARNING: You must provide a properly grounded and shielded environment and use electrical surge-suppression devices. Avertissement Vous devez établir un environnement protégé et convenablement mis à la terre et utiliser des dispositifs de parasurtension.
Page 161: Clearance Requirements For Srx5400 Firewall Airflow And Hardware Maintenance
NEBS GR-63 recommends that you allow at least 30 in. (76.2 cm) in front of the firewall. Figure 70: Chassis Dimensions and Clearance Requirements RELATED DOCUMENTATION SRX5400 Firewall Agency Approvals | 388 SRX5400 Firewall Compliance Statements for EMC Requirements | 390...
Page 162: Srx5400 Rack And Cabinet Requirements
IN THIS SECTION SRX5400 Firewall Rack Size and Strength Requirements | 148 Spacing of Rack Mounting Bracket Holes for the SRX5400 Firewall | 149 Connection to Building Structure for the SRX5400 Firewall Rack | 149 SRX5400 Firewall Cabinet Size and Clearance Requirements | 149...
Page 163: Spacing Of Rack Mounting Bracket Holes For The Srx5400 Firewall
(100 kg). If you stack five fully configured devices in one rack, it must be capable of supporting up to 1100 lb (500 kg). Spacing of Rack Mounting Bracket Holes for the SRX5400 Firewall The firewall can be mounted in any rack that provides holes or hole patterns spaced at 1 U (1.75 in.) increments.
Page 164: Calculating Power Requirements For The Srx5400 Firewall
3. Calculate input power. 4. Calculate thermal output (BTUs) for cooling requirements. The following sample configuration shows an SRX5400 Firewall chassis with various power supplies and: • Two SRX5K-SPC-4-15-320 (SPC2) Services Processing Card (SPC) (slots 1 and 2) • One SRX5K-MPC (IOC2) with two MICs installed in it (slot 1/0)
Page 165 SRX5K-RE-13-20 (RE1) or SRX5KRE-1800X4 (RE2) installed in it (SCB slot 0) 1. Calculate the power requirements (usage) as shown in Table 31 on page 151. Table 31: Sample Power Requirements for an SRX5400 Firewall Chassis Component Part Number Power Requirement...
Page 166 NOTE: The power for the cooling system comes from a different tap on the power supply, reserved for the cooling system only. The cooling system power requirement does not need to be deducted from the output power budget of the power supply. Table 32 on page 152 lists the power supplies, their maximum output power, and unused power (or a power deficit) for an AC-powered firewall.
Page 167 SRX5400 DC 2138 * 3.41 = 7291 BTU/hr The following sample configuration shows an SRX5400 Firewall chassis with various power supplies and: • Two SRX5K-SPC-4-15-320 (SPC2) Services Processing Card (SPC) (slots 1 and 2) • One IOC3 (SRX5K-MPC3-40G10G or SRX5K-MPC3-100G10G) (slot 1/0) •...
Page 168 Table 36: Sample Power Requirements for an SRX5400 Firewall with SCB3, IOC3, and RE2 (Continued) Chassis Component Part Number Power Requirement MPC - slot 1/0 IOC3 607 W SPC - slots 1 and 2 SCP2 585 W * 2 = 1170 W...
Page 169 Here we include the power drawn by the cooling system. Table 39: Calculating System Input Power Power Supply Input Power Requirement Power Supply Efficiency SRX5400 AC 89 % 2282/0.89 = 2564 W SRX5400 DC ~98 % 2282/0.98 = 2329 W These values are at full load and nominal voltage.
Page 170: Srx5400 Network Cable And Transceiver Planning
IN THIS SECTION Routing Engine Interface Cable and Wire Specifications for the SRX5400 Firewall | 156 Signal Loss in Multimode and Single-Mode Fiber-Optic Cable for the SRX5400 Firewall | 157 Attenuation and Dispersion in Fiber-Optic Cable for the SRX5400 Firewall | 157...
Page 171: Signal Loss In Multimode And Single-Mode Fiber-Optic Cable For The Srx5400 Firewall
It is consequently more expensive. Attenuation and Dispersion in Fiber-Optic Cable for the SRX5400 Firewall Correct functioning of an optical data link depends on modulated light reaching the receiver with Attenuation is the reduction in power of the light signal as it enough power to be demodulated correctly.
Page 172: Calculating Power Budget For Fiber-Optic Cable For The Srx5400 Firewall
The optical power budget must allow for the sum of component attenuation, power penalties (including those from dispersion), and a safety margin for unexpected losses. Calculating Power Budget for Fiber-Optic Cable for the SRX5400 Firewall To ensure that fiber-optic connections have sufficient power for correct operation, you need to calculate the link's power budget, which is the maximum amount of power it can transmit.
Page 173: Calculating Power Margin For Fiber-Optic Cable For The Srx5400 Firewall
PB = 13 dB Calculating Power Margin for Fiber-Optic Cable for the SRX5400 Firewall PM ), which represents the After calculating a link's power budget, you can calculate the power margin ( amount of power available after subtracting attenuation or link loss ( LL ) from the power budget ( PB ).
Page 174 RELATED DOCUMENTATION Connecting the SRX5400 Firewall to a Network for Out-of-Band Management | 191 Connecting the SRX5400 Firewall to a Management Console or an Auxiliary Device | 190...
Page 175: Srx5400 Alarm And Management Cable Specifications And Pinouts
Console Port Cable and Wire Specifications for the SRX5400 Firewall | 161 RJ-45 Connector Pinouts for the SRX5400 Firewall Routing Engine Ethernet Port | 162 RJ-45 Connector Pinouts for the SRX5400 Firewall Routing Engine Auxiliary and Console Ports | 163 Alarm Relay Contact Wire Specifications for the SRX5400 Firewall Table 43 on page 161 lists the specifications for the wires that connect to the alarm relay contacts.
Page 176: Connector Pinouts For The Srx5400 Firewall Routing Engine Ethernet Port
RJ-45/DB-9 auxiliary interface connectors RJ-45 Connector Pinouts for the SRX5400 Firewall Routing Engine Ethernet Port The port on the Routing Engine labeled ETHERNET is an autosensing 10/100-Mbps Ethernet RJ-45 receptacle that accepts an Ethernet cable for connecting the Routing Engine to a management LAN (or other device that supports out-of-band management).
Page 177: Connector Pinouts For The Srx5400 Firewall Routing Engine Auxiliary And Console Ports
Table 45: RJ-45 Connector Pinout for the Routing Engine ETHERNET Port Signal Termination network RJ-45 Connector Pinouts for the SRX5400 Firewall Routing Engine Auxiliary and Console Ports The ports on the Routing Engine labeled AUX and CONSOLE are asynchronous serial interfaces that accept an RJ-45 connector.
Page 178 RELATED DOCUMENTATION Connecting the SRX5400 to External Devices | 189...
Page 179: Initial Installation And Configuration
Installing the SRX5400 Using a Mechanical Lift | 176 Installing the SRX5400 Without a Mechanical Lift | 178 Connecting the SRX5400 to External Devices | 189 Connecting the SRX5400 to Power | 194 Performing the Initial Software Configuration for the SRX5400 | 205...
Page 180: Srx5400 Installation Overview
"Installing the SRX5400 Firewall Chassis in the Rack Manually" on page 184 Connect cables to the network and external devices. • "Connecting the SRX5400 Firewall to a Management Console or an Auxiliary Device" on page • "Connecting the SRX5400 Firewall to a Network for Out-of-Band Management" on page 191 •...
Page 181: Unpacking The Srx5400
206. Unpacking the SRX5400 IN THIS SECTION Tools and Parts Required to Unpack the SRX5400 Firewall | 167 Unpacking the SRX5400 Firewall | 167 Verifying the SRX5400 Firewall Parts Received | 169 Tools and Parts Required to Unpack the SRX5400 Firewall To unpack the firewall and prepare for installation, you need the following tools: •...
Page 182 SRX5400 Firewall Getting Started Guide . Remove the accessory box and the Verify the parts received as described in "Verifying the SRX5400 Firewall Parts Received" on page 169. Remove the vapor corrosion inhibitor (VCI) packs attached to the pallet, being careful not to break the VCI packs open.
Page 183: Verifying The Srx5400 Firewall Parts Received
Figure 71: Contents of the Shipping Crate Verifying the SRX5400 Firewall Parts Received A packing list is included in each shipment. Check the parts in the shipment against the items on the packing list. The packing list specifies the part numbers and descriptions of each part in your order.
Page 184 (Continued) Table 47: Parts List for a Fully Configured Firewall Component Quantity Routing Engine Power supplies Up to 4 Fan tray Air filter Air filter tray Getting Started Guide Small mounting shelf Blank panels for slots without components installed One blank panel for each slot not occupied by a component Table 48: Accessory Box Parts List Part...
Page 185 RJ-45-to-DB-9 cable to connect the device through the serial port Cable manager brackets Terminal block plug, 3–pole, 5.08 mm spacing, 12A, to connect the device alarms Transceiver Label, accessories contents, SRX5400 USB flash drive with Junos OS Read me first document Affidavit for T1 connection...
Page 186: Installing The Srx5400 Mounting Hardware
Installing the SRX5400 Mounting Hardware IN THIS SECTION Tools and Parts Required to Install the SRX5400 Firewall Mounting Hardware for a Rack or Cabinet | 172 Installing the SRX5400 Firewall Mounting Hardware for a Rack or Cabinet | 172 Moving the Mounting Brackets for Center-Mounting the SRX5400 Firewall | 175...
Page 187 Table 49 on page 173 specifies the holes in which you insert cage nuts and screws to install the mounting hardware required. The hole distances are relative to one of the standard U divisions on the rack. The bottom of all mounting shelves is at 0.02 in. above a U division. Table 49: Four-Post Rack or Cabinet Mounting Hole Locations Hole Distance Above U Division...
Page 188 Figure 72: Installing the Front Mounting Hardware for a Four-Post Rack or Cabinet...
Page 189: Moving The Mounting Brackets For Center-Mounting The Srx5400 Firewall
Figure 73: Installing the Mounting Hardware for an Open-Frame Rack Moving the Mounting Brackets for Center-Mounting the SRX5400 Firewall Two removable mounting brackets are attached to the mounting holes closest to the front of the chassis. You can move the pair of brackets to another position on the side of the chassis for center-mounting the firewall.
Page 190: Installing The Srx5400 Using A Mechanical Lift
Installing the SRX5400 Using a Mechanical Lift IN THIS SECTION Tools Required to Install the SRX5400 Firewall with a Mechanical Lift | 176 Installing the SRX5400 Firewall Using a Mechanical Lift | 176 Tools Required to Install the SRX5400 Firewall with a Mechanical Lift To install the firewall, you need the following tools: •...
Page 191 CAUTION: Before front mounting the firewall in a rack, have a qualified technician verify that the rack is strong enough to support the firewall's weight and is adequately supported at the installation site. To install the firewall using a lift (see Figure 74 on page 178): 1.
Page 192: Installing The Srx5400 Without A Mechanical Lift
Overview of Installing the SRX5400 Firewall Without a Mechanical Lift | 179 Tools Required to Install the SRX5400 Firewall Without a Mechanical Lift | 179 Removing Components from the SRX5400 Chassis Before Installing It Without a Lift | 179 Installing the SRX5400 Firewall Chassis in the Rack Manually | 184...
Page 193: Overview Of Installing The Srx5400 Firewall Without A Mechanical Lift
Reinstalling Components in the SRX5400 Firewall Chassis After Installing It Without a Lift | 186 Overview of Installing the SRX5400 Firewall Without a Mechanical Lift If you cannot use a mechanical lift to install the firewall (the preferred method), you can install it manually.
Page 194: Removing The Power Supplies Before Installing The Srx5400 Firewall Without A Lift
Removing Cards Before Installing an SRX5400 Firewall Without a Lift | 182 If you cannot use a mechanical lift to install the firewall (the preferred method), you can install it manually. Before installing the firewall manually, you must first remove components from the chassis, and reinstall the components the chassis is installed in the rack.
Page 195: Removing The Fan Tray Before Installing An Srx5400 Firewall Without A Lift
Figure 75: Removing a Power Supply Before Installing the Device Removing the Fan Tray Before Installing an SRX5400 Firewall Without a Lift To remove the fan tray (see Figure 2 1. Attach an ESD grounding strap to your bare wrist, and connect the other end of the strap to an ESD grounding point.
Page 196: Removing Cards Before Installing An Srx5400 Firewall Without A Lift
Figure 76: Removing the Fan Tray Removing Cards Before Installing an SRX5400 Firewall Without a Lift The firewall holds up to four cards (MPCs, SCB, and SPCs), which are installed horizontally in the front of the device. Each card weighs up to 18.3 lb (8.3 kg), be prepared to accept its full weight.
Page 197 CAUTION: Do not leave a fiber-optic transceiver uncovered, except when inserting or removing a cable. The safety cap keeps the port clean and protects your eyes from accidental exposure to laser light. CAUTION: Avoid bending a fiber-optic cable beyond its minimum bend radius. An arc smaller than a few inches in diameter can damage the cable and cause problems that are difficult to diagnose.
Page 198: Installing The Srx5400 Firewall Chassis In The Rack Manually
Figure 77: Removing a Card (MPC Shown, Other Card Types Similar) Installing the SRX5400 Firewall Chassis in the Rack Manually To install the device in the rack (see Figure 78 on page 185): CAUTION: If you are installing more than one firewall in a rack, install the lowest one first.
Page 199 WARNING: To prevent injury, keep your back straight and lift with your legs, not your back. Avoid twisting your body as you lift. Balance the load evenly and be sure that your footing is solid. 4. Slide the firewall onto the mounting shelf until the mounting brackets contact the rack rails. The shelf ensures that the holes in the mounting brackets of the chassis align with the holes in the rack rails.
Page 200: Reinstalling Components In The Srx5400 Firewall Chassis After Installing It Without A Lift
IN THIS SECTION Reinstalling Power Supplies After Installing the SRX5400 Firewall Without a Lift | 186 Reinstalling the Fan Tray After Installing the SRX5400 Firewall Without a Lift | 187 Reinstalling Cards After Installing the SRX5400 Firewall Without a Lift | 188 After the firewall is installed in the rack, reinstall the removed components before booting and configuring the firewall.
Page 201: Reinstalling The Fan Tray After Installing The Srx5400 Firewall Without A Lift
Figure 79: Reinstalling a Power Supply Reinstalling the Fan Tray After Installing the SRX5400 Firewall Without a Lift To reinstall the fan tray (see Figure 1. Attach an ESD grounding strap to your bare wrist, and connect the other end of the strap to an ESD grounding point.
Page 202: Reinstalling Cards After Installing The Srx5400 Firewall Without A Lift
Figure 80: Reinstalling the Fan Tray Reinstalling Cards After Installing the SRX5400 Firewall Without a Lift To reinstall MPCs, SPCs, and the SCB, follow this procedure for each card (see Figure 1. Attach an ESD grounding strap to your bare wrist, and connect the other end of the strap to an ESD grounding point.
Page 203: Connecting The Srx5400 To External Devices
IN THIS SECTION Tools and Parts Required for SRX5400 Firewall Connections | 190 Connecting the SRX5400 Firewall to a Management Console or an Auxiliary Device | 190 Connecting the SRX5400 Firewall to a Network for Out-of-Band Management | 191 Connecting an SRX5400 Firewall to an External Alarm-Reporting Device | 192...
Page 204: Tools And Parts Required For Srx5400 Firewall Connections
• Wire cutters • Pliers • Electrostatic discharge (ESD) grounding wrist strap Connecting the SRX5400 Firewall to a Management Console or an Auxiliary Device To use a system console to configure and manage the Routing Engine, connect it to the appropriate CONSOLE port on the Routing Engine.
Page 205: Connecting The Srx5400 Firewall To A Network For Out-Of-Band Management
• Data bits—8 • Stop bits—1 • Flow control—none Connecting the SRX5400 Firewall to a Network for Out-of-Band Management To connect the firewall Routing Engine to a network for out-of-band management, connect an Ethernet cable with RJ-45 connectors to the ETHERNET port on the Routing Engine. One Ethernet cable is provided with the firewall.
Page 206: Connecting An Srx5400 Firewall To An External Alarm-Reporting Device
Figure 85: Ethernet Port Connecting an SRX5400 Firewall to an External Alarm-Reporting Device To connect the firewall to external alarm-reporting devices, attach wires to the MAJOR ALARM and MINOR ALARM relay contacts on the craft interface. (See Figure 86 on page 192.) A system condition...
Page 207: Connecting Network Cables To Srx5400 Firewall Mics
4. Attach the other end of the wires to the external device. To attach a reporting device for the other kind of alarm, repeat the procedure. Connecting Network Cables to SRX5400 Firewall MICs To connect the MICs to the network: 1.
Page 208: Connecting The Srx5400 To Power
Connecting the SRX5400 to Power IN THIS SECTION Tools and Parts Required for SRX5400 Firewall Grounding and Power Connections | 195 Grounding the SRX5400 Firewall | 195 Connecting Power to an AC-Powered SRX5400 Firewall | 197...
Page 209: Tools And Parts Required For Srx5400 Firewall Grounding And Power Connections
You must install the SRX5400 in a restricted-access location and ensure that the chassis is always properly grounded. The SRX5400 has a two-hole protective grounding terminal provided on the chassis. See Figure 88 on page 196.
Page 210 You ground the device by connecting a grounding cable to earth ground and then attaching it to the chassis grounding points using UNC 1/4-20 two screws. You must provide the grounding cable (the cable lug is supplied with the device). 1.
Page 211: Connecting Power To An Ac-Powered Srx5400 Firewall
CAUTION: Do not mix AC and DC power supplies within the same firewall. Damage to the device might occur. NOTE: The SRX5400 Firewall and SRX5600 Firewall use the same power supply model. You connect AC power to the device by attaching power cords from the AC power sources to the AC appliance inlets located on the power supplies.
Page 212: Powering On An Ac-Powered Srx5400 Firewall
Figure 89: Connecting AC Power to the Firewall Powering On an AC-Powered SRX5400 Firewall To power on an AC-powered firewall: 1. Attach an ESD grounding strap to your bare wrist, and connect the other end of the strap to an ESD grounding point.
Page 213: Connecting Power To A Dc-Powered Srx5400 Firewall
CAUTION: Do not mix AC and DC power supplies within the same firewall. Damage to the firewall might occur. NOTE: The SRX5400 Firewall and SRX5600 Firewall use the same power supply model. You connect DC power to the firewall by attaching power cables from the external DC power sources to the terminal studs on the power supply faceplates.
Page 214 To connect the DC source power cables to the firewall: Switch off the dedicated customer site circuit breakers. Ensure that the voltage across the DC power source cable leads is 0 V and that there is no chance that the cable leads might become active during installation.
Page 215 Install heat-shrink tubing insulation around the power cables. To install heat-shrink tubing: a. Slide the tubing over the portion of the cable where it is attached to the lug barrel. Ensure that tubing covers the end of the wire and the barrel of the lug attached to it. b.
Page 216: Powering On A Dc-Powered Srx5400 Firewall
13. Repeat Steps through for the remaining power supplies. Figure 92: Connecting DC Power to the Device Powering On a DC-Powered SRX5400 Firewall To power on a DC-powered firewall:...
Page 217 Verify that an external management device is connected to one of the Routing Engine ports (AUX, CONSOLE, or ETHERNET). Turn on the power to the external management device. Verify that the power supplies are fully inserted in the chassis. Verify that the source power cables are connected to the appropriate terminal: the positive (+) source cable to the return terminal (labeled RETURN) and the negative (–) source cable to the input terminal (labeled –48V).
Page 218: Powering Off The Srx5400 Firewall
4. On an AC-powered firewall, switch the AC switch on each power supply to the off position (O). On a DC-powered firewall, switch the circuit breaker on each power supply to the off position (OFF). RELATED DOCUMENTATION Preventing Electrostatic Discharge Damage to the SRX5400 Firewall...
Page 219: Performing The Initial Software Configuration For The Srx5400
Performing the Initial Software Configuration for the SRX5400 IN THIS SECTION SRX5400 Firewall Software Configuration Overview | 205 Initially Configuring the SRX5400 Firewall | 206 Performing Initial Software Configuration Using J-Web | 211 SRX5400 Firewall Software Configuration Overview The firewall is shipped with the Junos operating system (Junos OS) preinstalled and ready to be configured when the device is powered on.
Page 220: Initially Configuring The Srx5400 Firewall
Initially Configuring the SRX5400 Firewall This procedure connects the device to the network but does not enable it to forward traffic. For complete information about enabling the device to forward traffic, including examples, see the appropriate Junos OS configuration guides.
Page 221 Commit the configuration to activate it on the device. [edit] root@# commit Log in as the administrative user you configured in step 6. Configure the name of the device. If the name includes spaces, enclose the name in quotation marks (“ ”). configure [edit] host-name...
Page 222 14. Configure basic security policies. [edit] policy-name match admin@# set security policies from-zone trust to-zone untrust policy source-address any destination-address any application any policy-name then permit root@# set security policies from-zone trust to-zone untrust policy 15. Check the configuration for validity. [edit] admin@# commit check configuration check succeeds...
Page 223 * { any emergency; file messages { any any; authorization info; file interactive-commands { interactive-commands any; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; interfaces { xe-0/0/0 { unit 0; xe-2/0/0 { unit 0 { family inet { address 5.1.1.1/24; xe-2/2/5 {...
Page 224 fxp0 { unit 0 { family inet { address 192.168.10.2/24; routing-options { static { route 0.0.0.0/0 next-hop 5.1.1.2; security { zones { security-zone trust { interfaces { xe-2/2/5.0; security-zone untrust { interfaces { xe-2/0/0.0; policies { from-zone trust to-zone untrust { policy bob { match { source-address any;...
Page 225: Performing Initial Software Configuration Using J-Web
18. Commit the configuration to activate it on the device. [edit] admin@# commit 19. Optionally, configure additional properties by adding the necessary configuration statements. Then commit the changes to activate them on the device. [edit] admin@# commit 20. When you have finished configuring the device, exit configuration mode. [edit] admin@# exit admin@host>...
Page 226 2. Start the CLI and enter configuration mode. root@% cli root@>configure root@# 3. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA). [edit] root@# set system root-authentication plain-text-password password New password: password...
Page 227: Configuring Interfaces, Zones, And Policies With J-Web
Configuring Zones and Assigning Interfaces | 214 Configuring Security Policies | 215 You can configure hostnames, interfaces, zones, and security policies using J-Web. NOTE: You cannot use J-Web to configure SRX5400, SRX5600, and SRX5800 Firewalls in Junos OS Release 15.1X49-D10. Before you begin: •...
Page 228 You have successfully configured the hostname for the system. Configuring Interfaces To configure two physical interfaces: 1. From the J-Web Dashboard page, select Configure>Interfaces and select a physical interface you want to configure. 2. Select Add>Logical Interface. The Add interface dialog box appears. 3.
Page 229 Configuring Security Policies To configure security policies: 1. From the J-Web Dashboard page, select Configure>Security>Security Policy and click Add. The Add Policy dialog box appears. 2. In the Policy tab, enter the policy name and set the policy action to permit. Then select Zone and set the From Zone to trust and the To Zone to untrust.
Page 230: Maintaining Components
Maintaining the SRX5400 Chassis | 217 Maintaining the SRX5400 Cooling System | 221 Maintaining the SRX5400 Power System | 227 Maintaining the SRX5400 Host Subsystem | 239 Maintaining the SRX5400 Line Cards and Modules | 271 Maintaining the SRX5400 Cables and Connectors | 299...
Page 231: Maintaining The Srx5400 Chassis
Maintaining the SRX5400 Chassis IN THIS SECTION Routine Maintenance Procedures for the SRX5400 Firewall | 217 Replacing the SRX5400 Firewall Craft Interface | 218 Routine Maintenance Procedures for the SRX5400 Firewall IN THIS SECTION Purpose | 217 Action | 217 Purpose For optimum firewall performance, perform preventive maintenance procedures regularly.
Page 232: Replacing The Srx5400 Firewall Craft Interface
Replacing the SRX5400 Firewall Craft Interface IN THIS SECTION Disconnecting the Alarm Relay Wires from the SRX5400 Firewall Craft Interface | 218 Removing the SRX5400 Firewall Craft Interface | 218 Installing the SRX5400 Firewall Craft Interface | 219 Connecting the Alarm Relay Wires to the SRX5400 Firewall Craft Interface | 220...
Page 233: Installing The Srx5400 Firewall Craft Interface
5. Disconnect the ribbon cable from the back of the faceplate by gently pressing on both sides of the latch with your thumb and forefinger. Remove the craft interface from the chassis. Figure 94: Removing the Craft Interface Installing the SRX5400 Firewall Craft Interface To install the craft interface (see Figure 1.
Page 234: Connecting The Alarm Relay Wires To The Srx5400 Firewall Craft Interface
Figure 95: Installing a Craft Interface Connecting the Alarm Relay Wires to the SRX5400 Firewall Craft Interface To connect the alarm relay wires between a firewall and an alarm-reporting device (see Figure 1. Prepare the required length of replacement wire with gauge between 28-AWG and 14-AWG (0.08 and 2.08 mm...
Page 235: Maintaining The Srx5400 Cooling System
Figure 96: Alarm Relay Contacts Maintaining the SRX5400 Cooling System IN THIS SECTION Maintaining the Fan Tray on the SRX5400 Firewall | 221 Replacing the SRX5400 Firewall Fan Tray | 222 Maintaining the Air Filter on the SRX5400 Firewall | 224...
Page 236: Replacing The Srx5400 Firewall Fan Tray
NOTE: The fan numbers are stamped into the fan tray sheet metal next to each fan. Replacing the SRX5400 Firewall Fan Tray IN THIS SECTION Removing the SRX5400 Firewall Fan Tray | 222 Installing the SRX5400 Firewall Fan Tray | 223 To replace a fan tray, perform the following procedures in sequence:...
Page 237: Installing The Srx5400 Firewall Fan Tray
5. Place one hand under the fan tray to support it and pull the fan tray completely out of the chassis. Figure 97: Removing the Fan Tray Installing the SRX5400 Firewall Fan Tray To install the fan tray (see Figure 1.
Page 238: Maintaining The Air Filter On The Srx5400 Firewall
Figure 98: Installing the Fan Tray Maintaining the Air Filter on the SRX5400 Firewall IN THIS SECTION Purpose | 224 Action | 224 Purpose For optimum cooling, verify the condition of the air filters. Action • Regularly inspect the air filter. A dirty air filter restricts airflow in the unit, impeding the ventilation of the chassis.
Page 239: Replacing The Srx5400 Firewall Air Filter
NOTE: Air filters will not be replaced by Juniper Networks under the Juniper Networks Hardware Replacement Support Plan, you need to purchase them for replacement. CAUTION: Always keep the air filter in place while the firewall is operating. Because the fans are very powerful, they could pull small bits of wire or other materials into the firewall through the unfiltered air intake.
Page 240: Installing The Srx5400 Firewall Air Filter
3. Remove the air filter cover. 4. Slide the air filter out of the chassis. Figure 99: Removing the Air Filter Installing the SRX5400 Firewall Air Filter To install the air filter (see Figure 1. Attach an ESD grounding strap to your bare wrist, and connect the other end of the strap to an ESD grounding point.
Page 241: Maintaining The Srx5400 Power System
Maintaining SRX5400 Firewall Power Supplies | 228 Replacing an SRX5400 Firewall AC Power Supply | 229 Replacing an SRX5400 Firewall AC Power Supply Cord | 232 Replacing an SRX5400 Firewall DC Power Supply | 233 Replacing an SRX5400 Firewall DC Power Supply Cable | 237...
Page 242: Maintaining Srx5400 Firewall Power Supplies
Maintaining SRX5400 Firewall Power Supplies IN THIS SECTION Purpose | 228 Action | 228 Purpose For optimum firewall performance, verify the condition of the power supplies. Action On a regular basis: • To check the status of the power supplies, issue the show chassis environment pem command. The sample output below is of a chassis with DC power supplies: user@host>...
Page 243: Replacing An Srx5400 Firewall Ac Power Supply
Installing an SRX5400 Firewall AC Power Supply | 231 To replace an AC power supply, perform the following procedures: NOTE: The SRX5400 Firewall and SRX5600 Firewall use the same power supply model. Removing an SRX5400 Firewall AC Power Supply The power supplies are located at the rear of the chassis. Each AC power supply weighs approximately...
Page 244 CAUTION: Do not leave a power supply slot empty for more than 30 minutes while the firewall is operational. For proper airflow, the power supply must remain in the chassis, or a blank panel must be used in an empty slot. NOTE: After powering off a power supply, wait at least 60 seconds before turning it back on.
Page 245: Installing An Srx5400 Firewall Ac Power Supply
Installing an SRX5400 Firewall AC Power Supply To install an AC power supply (see Figure 1. Attach an ESD grounding strap to your bare wrist, and connect the other end of the strap to an ESD grounding point. 2. Move the AC switch next to the appliance inlet on the power supply to the off position (O).
Page 246: Replacing An Srx5400 Firewall Ac Power Supply Cord
Disconnecting an SRX5400 Firewall AC Power Supply Cord | 232 Connecting an SRX5400 Firewall AC Power Supply Cord | 232 To replace an SRX5400 Firewall AC power supply cord, perform the following procedures: Disconnecting an SRX5400 Firewall AC Power Supply Cord WARNING: Before working on an AC-powered device or near power supplies, unplug the power cord.
Page 247: Replacing An Srx5400 Firewall Dc Power Supply
AC OK and DC OK LEDs light steadily, and the PS FAIL LED is not lit. Replacing an SRX5400 Firewall DC Power Supply IN THIS SECTION Removing an SRX5400 Firewall DC Power Supply | 233 Installing an SRX5400 Firewall DC Power Supply | 234 Removing an SRX5400 Firewall DC Power Supply The power supplies are located at the rear of the chassis.
Page 248: Installing An Srx5400 Firewall Dc Power Supply
Figure 103: Removing a DC Power Supply Installing an SRX5400 Firewall DC Power Supply NOTE: The SRX5400 Firewall and SRX5600 Firewall use the same power supply model. To install a DC power supply: Ensure that the voltage across the DC power source cable leads is 0 V and that there is no chance that the cable leads might become active during installation.
Page 249 Figure 104: DC Power Supply Input Mode Switch Using both hands, slide the power supply straight into the chassis until the power supply is fully seated in the chassis slot. The power supply faceplate should be flush with any adjacent power supply faceplate (see Figure Figure 105: Installing a DC Power Supply...
Page 250 b. Attach the negative (–) DC source power cable lug to the –48V (input) terminal. Figure 106: Connecting DC Power CAUTION: You must ensure that power connections maintain the proper polarity. The power source cables might be labeled (+) and (–) to indicate their polarity. There is no standard color coding for DC power cables.
Page 251: Replacing An Srx5400 Firewall Dc Power Supply Cable
Disconnecting an SRX5400 Firewall DC Power Supply Cable | 237 Connecting an SRX5400 Firewall DC Power Supply Cable | 238 To replace an SRX5400 Firewall DC power supply cable, perform the following procedures: Disconnecting an SRX5400 Firewall DC Power Supply Cable...
Page 252: Connecting An Srx5400 Firewall Dc Power Supply Cable
Loosen the captive screws on the power supply faceplate. 10. Carefully move the power cable out of the way. Connecting an SRX5400 Firewall DC Power Supply Cable To install a replacement power cable for a DC power supply (see Figure Locate a replacement power cable that meets the specifications defined in "DC Power Cable...
Page 253: Maintaining The Srx5400 Host Subsystem
Maintaining the SRX5400 Firewall Host Subsystem | 240 Taking the SRX5400 Firewall Host Subsystem Offline | 242 Operating and Positioning the SRX5400 Firewall SCB Ejectors | 242 Replacing the SRX5400 Firewall SCB | 243 Replacing the SRX5400 Firewall Routing Engine | 246...
Page 254: Maintaining The Srx5400 Firewall Host Subsystem
Maintaining the SRX5400 Firewall Host Subsystem IN THIS SECTION Purpose | 240 Action | 240 Purpose For optimum firewall performance, verify the condition of the host subsystem. The host subsystem is composed of an SCB and a Routing Engine installed into the slot in the SCB.
Page 255 Interrupt 0 percent Idle 94 percent Model RE-S-1300 Serial ID 1000697084 Start time 2008-07-11 08:31:44 PDT Uptime 3 hours, 27 minutes, 27 seconds Load averages: 1 minute 5 minute 15 minute 0.44 0.16 0.06 • To check the status of the SCB, issue the show chassis environment cb command. The output is similar to the following: user@host>...
Page 256: Taking The Srx5400 Firewall Host Subsystem Offline
NOTE: The SCB might continue forwarding traffic for approximately 5 minutes after the request system halt command has been issued. Operating and Positioning the SRX5400 Firewall SCB Ejectors • When removing or inserting the SCB, ensure that the cards or blank panels in adjacent slots are fully inserted to avoid hitting them with the ejector handles.
Page 257: Replacing The Srx5400 Firewall Scb
Replacing the SRX5400 Firewall SCB IN THIS SECTION Removing the SRX5400 Firewall SCB | 243 Installing an SRX5400 Firewall SCB | 244 Before replacing the SCB, read the guidelines in "Operating and Positioning the SRX5400 Firewall SCB Ejectors" on page 242.
Page 258: Installing An Srx5400 Firewall Scb
Place the SCB on the antistatic mat. 10. If you are not replacing the SCB now, install a blank panel over the empty slot. Figure 108: Removing the SCB Installing an SRX5400 Firewall SCB To install the SCB (see Figure...
Page 259 Attach an ESD grounding strap to your bare wrist, and connect the other end of the strap to an ESD grounding point. Power off the firewall using the command request system power-off. user@host# request system power-off NOTE: Wait until a message appears on the console confirming that the services stopped. Physically turn off the power and remove the power cables from the chassis.
Page 260: Replacing The Srx5400 Firewall Routing Engine
Replacing the SRX5400 Firewall Routing Engine IN THIS SECTION Removing the SRX5400 Firewall Routing Engine | 247 Installing the SRX5400 Firewall Routing Engine | 247 To replace the Routing Engine, perform the following procedures: NOTE: The procedure to replace a Routing Engine applies to both SRX5K-RE-13-20, SRX5K-...
Page 261: Removing The Srx5400 Firewall Routing Engine
Removing the SRX5400 Firewall Routing Engine CAUTION: Before you replace the Routing Engine, you must take the host subsystem offline. To remove the Routing Engine (see Figure 1. Take the host subsystem offline as described in "Taking the SRX5400 Firewall Host Subsystem Offline"...
Page 262 If you have not already done so, take the host subsystem offline. See "Taking the SRX5400 Firewall Host Subsystem Offline" on page 242. Attach an ESD grounding strap to your bare wrist, and connect the other end of the strap to an ESD grounding point.
Page 263 To check the status of the Routing Engine, use the CLI command: user@host> show chassis routing-engine Routing Engine status: Slot 0: Current state Master ... For more information about using the CLI, see the Explorer. 10. If the Routing Engine was replaced on one of the nodes in a chassis cluster, then you need to copy certificates and key pairs from the other node in the cluster: a.
Page 264: Low Impact Hardware Upgrade For Scb3 And Ioc3
Ensure that the secondary node does not have an impact on network traffic by isolating it from the network when LICU is in progress. For this, disable the physical interfaces (RETH child interfaces) on the secondary node. For SRX5400 Services Gateways admin@cluster#set interfaces xe-5/0/0 disable admin@cluster#set interfaces xe-5/1/0 disable...
Page 265 Commit the configuration. root@#commit Disconnect control and fabric links between the devices in the chassis cluster so that nodes running different Junos OS releases are disconnected. For this, change the control port and fabric port to erroneous values. Fabric ports must be set to any FPC number and control ports to any non-IOC port.
Page 266 See: • "Powering On an AC-Powered SRX5400 Firewall" on page 198 • "Powering On a DC-Powered SRX5400 Firewall" on page 202 • Powering On an AC-Powered SRX5600 Firewall Powering On a DC-Powered SRX5600 Firewall • Powering On an AC-Powered SRX5800 Firewall •...
Page 267 a. Configure the control port, fabric port, and RETH child ports on the secondary node. [edit] root@clustert# show | display set | grep delete delete groups global interfaces fab1 delete groups global interfaces fab0 delete interfaces reth0 delete interfaces reth1 delete interfaces xe-3/0/5 gigether-options redundant-parent reth0 delete interfaces xe-9/0/5 gigether-options redundant-parent...
Page 268 xe-9/0/2 set groups global interfaces fab0 fabric-options member-interfaces xe-3/0/2 [edit] root@clustert# show | display set | grep reth0 set chassis cluster redundancy-group 1 ip-monitoring family inet 44.44.44.2 interface reth0.0 secondary-ip-address 44.44.44.3 set interfaces xe-3/0/0 gigether-options redundant-parent reth0 set interfaces xe-9/0/0 gigether-options redundant-parent reth0 set interfaces reth0 vlan-tagging set interfaces reth0 redundant-ether-options redundancy-group...
Page 269 Junos: 15.1X49-D10 JUNOS Software Release [15.1X49-D10] root@cluster> show chassis cluster status Monitor Failure codes: CS Cold Sync monitoring FL Fabric Connection monitoring GR GRES monitoring HW Hardware monitoring IF Interface monitoring IP IP monitoring LB Loopback monitoring MB Mbuf monitoring NH Nexthop monitoring NP NPC monitoring SP SPU monitoring...
Page 270 PIC 2 Online 2x 40GE QSFP+ 10. Verify configuration changes by disabling interfaces on the primary node and enabling interfaces on the secondary. For SRX5400 Services Gateways admin@cluster#set interfaces xe-2/0/0 disable admin@cluster#set interfaces xe-2/1/0 disable admin@cluster#delete interfaces xe-5/0/0 disable admin@cluster#delete interfaces xe-5/1/0 disable...
Page 271 Ignore error messages pertaining to the disconnected cluster. 15. Power on the primary node. admin@cluster#request system reboot See: • "Powering On an AC-Powered SRX5400 Firewall" on page 198 • "Powering On a DC-Powered SRX5400 Firewall" on page 202 Powering On an AC-Powered SRX5600 Firewall •...
Page 272 a. Configure the control port, fabric port, and RETH child ports on the primary node. [edit] root@clustert# show | display set | grep delete delete groups global interfaces fab1 delete groups global interfaces fab0 delete interfaces reth0 delete interfaces reth1 delete interfaces xe-3/0/5 gigether-options redundant-parent reth0 delete interfaces xe-9/0/5 gigether-options redundant-parent...
Page 273 [edit] root@clustert# show | display set | grep reth1 set interfaces xe-3/0/4 gigether-options redundant-parent reth1 set interfaces xe-9/0/4 gigether-options redundant-parent reth1 set interfaces reth1 vlan-tagging set interfaces reth1 redundant-ether-options redundancy-group set interfaces reth1 unit 0 vlan-id 30 set interfaces reth1 unit 0 family inet address 55.55.55.1/8 17.
Page 274 node0 0 lost node1 100 primary None Redundancy group: 1 , Failover count: 3 node0 0 lost node1 150 primary None root@cluster>show chassis fpc pic-status node1 Slot 1 Online SRX5k IOC II PIC 0 Online 1x 100GE CFP PIC 2 Online 2x 40GE QSFP+ Slot 2 Online...
Page 275 20. Verify configuration changes by disabling interfaces on the secondary node and enabling interfaces on the primary. For SRX5400 Services Gateways admin@cluster#set interfaces xe-5/0/0 disable admin@cluster#set interfaces xe-5/1/0 disable admin@cluster#delete interfaces xe-2/0/0 disable admin@cluster#delete interfaces xe-2/1/0 disable For SRX5600 Services Gateways...
Page 276 • "Powering On an AC-Powered SRX5400 Firewall" on page 198 • "Powering On a DC-Powered SRX5400 Firewall" on page 202 Powering On an AC-Powered SRX5600 Firewall • Powering On a DC-Powered SRX5600 Firewall • Powering On an AC-Powered SRX5800 Firewall •...
Page 277 28. Verify the Redundancy Group (RG) states and their priority. root@cluster>show version node0: -------------------------------------------------------------------------- Hostname: <displays the hostname> Model: <displays the model number> Junos: 15.1X49-D10 JUNOS Software Release [15.1X49-D10] node1: -------------------------------------------------------------------------- Hostname: <displays the hostname> Model: <displays the model> Junos: 15.1X49-D10 JUNOS Software Release [15.1X49-D10] After the secondary node is powered on, issue the following command: root@cluster>show chassis fpc pic-status...
Page 278 PIC 0 Online 10x 10GE SFP+ PIC 2 Online 10x 10GE SFP+ node1: -------------------------------------------------------------------------- Slot 1 Online SRX5k IOC II PIC 0 Online 1x 100GE CFP PIC 2 Online 2x 40GE QSFP+ Slot 2 Online SRX5k SPC II PIC 0 Online SPU Cp PIC 1 Online SPU Flow...
Page 279 node0 250 primary None node1 100 secondary None Redundancy group: 1 , Failover count: 0 node0 254 primary None node1 150 secondary None root@cluster>show security monitoring node0: -------------------------------------------------------------------------- Flow session Flow session CP session CP session FPC PIC CPU Mem current maximum current...
Page 280: In-Service Hardware Upgrade For Srx5K-Re-1800X4 And Srx5K-Scbe Or Srx5K-Re-1800X4 And Srx5K-Scb3 In A Chassis Cluster
Enable the traffic interfaces on the secondary node. root@cluster> show interfaces terse | grep reth0 xe-3/0/0.0 aenet --> reth0.0 xe-3/0/0.32767 aenet --> reth0.32767 xe-9/0/0.0 aenet --> reth0.0 xe-9/0/0.32767 aenet --> reth0.32767 reth0 reth0.0 inet 44.44.44.1/8 reth0.32767 multiservice root@cluster> show interfaces terse | grep reth1 xe-3/0/4.0 aenet -->...
Page 281 D15 or later for SRX5K-SCBE with SRX5K-RE-1800X4 and 15.1X49-D10 or later for SRX5K-SCB3 Cards with SRX5K-RE-1800X4. For more information on cards supported on the firewalls see Supported on SRX5400, SRX5600, and SRX5800 Firewalls unified ISSU ), see For more information about unified in-service software upgrade (...
Page 282 RE-13-20s with SRX5K-RE-1800X4s based on the chassis specifications. Power on the secondary node. See: • "Powering On an AC-Powered SRX5400 Firewall" on page 198 • "Powering On a DC-Powered SRX5400 Firewall" on page 202 Powering On an AC-Powered SRX5600 Firewall •...
Page 283 KB12022 from the Knowledge Base Power off the secondary node. Powering Off the SRX5600 Firewall "Powering Off the SRX5400 Firewall" on page 204, , or Powering Off the SRX5800 Firewall 10. Re-insert all the interface cards into the chassis backplane.
Page 284 For RG0, issue the following command: admin@cluster> request chassis cluster failover redundancy-group 0 node 1 For RG1, issue the following command: admin@cluster> request chassis cluster failover redundancy-group 1 node 1 Verify that all RGs are failed over by issuing the following command: admin@cluster>...
Page 285: Maintaining The Srx5400 Line Cards And Modules
Replacing SRX5400 Firewall MPCs | 275 Replacing SRX5400 Firewall MICs | 280 Installing an MPC and MICs in an Operating SRX5400 Firewall Chassis Cluster | 284 Maintaining SPCs on the SRX5400 Firewall | 287 Replacing SRX5400 Firewall SPCs | 289...
Page 286 1. Orient the card so that the faceplate faces you. To verify orientation, confirm that the text on the card is right-side up and the EMI strip is on the right-hand side. 2. Place one hand around the card faceplate about a quarter of the way down from the top edge. To avoid deforming the EMI shielding strip, do not press hard on it.
Page 287 Figure 112: Do Not Grasp the Connector Edge Never carry the card by the faceplate with only one hand. Do not rest any edge of a card directly against a hard surface (see Figure 113 on page 274). Do not stack cards.
Page 288: Storing An Srx5400 Firewall Card
If you must rest the card temporarily on an edge while changing its orientation between vertical and horizontal, use your hand as a cushion between the edge and the surface. Storing an SRX5400 Firewall Card You must store a card as follows: •...
Page 289: Replacing Srx5400 Firewall Mpcs
Never stack a card under or on top of any other component. Replacing SRX5400 Firewall MPCs IN THIS SECTION Removing an SRX5400 Firewall MPC | 275 Installing an SRX5400 Firewall MPC | 277 To replace an MPC, perform the following procedures: Removing an SRX5400 Firewall MPC An MPC installs horizontally in the front of the firewall.
Page 290 • Issue the following CLI command: user@host>request chassis fpc slot slot-number offline If you have not already done so, power off the firewall. Disconnect the cables from the MICs installed in the MPC. LASER WARNING: Do not look directly into a fiber-optic transceiver or into the ends of fiber-optic cables.
Page 291: Installing An Srx5400 Firewall Mpc
14. If you are not reinstalling an MPC into the emptied line card slots within a short time, install a blank DPC panel over each slot to maintain proper airflow in the card cage. Installing an SRX5400 Firewall MPC An MPC installs horizontally in the front of the firewall. A fully configured MPC can weigh up to 18.35 lb (8.3 kg).
Page 292 CAUTION: When the MPC is out of the chassis, do not hold it by the ejector handles, bus bars, or edge connectors. They cannot support its weight. Figure 115: Installing an MPC in the SRX5400 Firewall 10. Slide the MPC all the way into the card cage until you feel resistance.
Page 293 13. Insert the appropriate cable into the cable connector ports on each MIC on the MPC. Secure the cables so that they are not supporting their own weight. Place excess cable out of the way in a neatly coiled loop, using the cable management system. Placing fasteners on a loop helps to maintain its shape.
Page 294: Replacing Srx5400 Firewall Mics
SPU Flow PIC 2 Online SPU Flow PIC 3 Online SPU Flow Replacing SRX5400 Firewall MICs IN THIS SECTION Removing an SRX5400 Firewall MIC | 281 Installing an SRX5400 Firewall MIC | 282 To replace an MIC, perform the following procedures:...
Page 295: Removing An Srx5400 Firewall Mic
Removing an SRX5400 Firewall MIC The MICs are located in the MPCs installed in the front of the firewall. A MIC weighs less than 2 lb (0.9 kg). To remove a MIC: 1. Place an electrostatic bag or antistatic mat on a flat, stable surface to receive the MIC. If the MIC connects to fiber-optic cable, have ready a rubber safety cap for each transceiver and cable.
Page 296: Installing An Srx5400 Firewall Mic
9. If you are not reinstalling a MIC into the emptied MIC slot within a short time, install a blank MIC panel over the slot to maintain proper airflow in the MPC card cage. Installing an SRX5400 Firewall MIC To install a MIC: Attach an ESD grounding strap to your bare wrist, and connect the other end of the strap to an ESD grounding point.
Page 297 CAUTION: Slide the MIC straight into the slot to avoid damaging the components on the MIC. After the MIC is seated in its slot, verify that the ejector knob is engaged by pushing it all the way in toward the MPC faceplate. If the MIC uses fiber-optic cable, remove the rubber safety cap from each transceiver and the end of each cable.
Page 298: Installing An Mpc And Mics In An Operating Srx5400 Firewall Chassis Cluster
If that remaining device fails for any reason, you incur network downtime until you restart at least one of the devices. To install MPCs in an operating SRX5400 Firewall cluster without incurring downtime: Use the console port on the Routing Engine to establish a CLI session with one of the devices in the cluster.
Page 299 Wait for the secondary firewall to completely shut down. Install the new MPCs in the powered-off firewall using the procedure in "Installing an SRX5400 Firewall MPC" on page 275. Install MICs in the MPCs in the powered-off firewall using the procedure in "Installing an SRX5400...
Page 300 PIC 3 Online SPU Flow Slot 2 Online SRX5k IOC II PIC 0 Online 2x 40GE QSFP+ PIC 2 Online 10x 10GE SFP+ 11. Issue the show chassis cluster status command to make sure that the priority for all redundancy groups is greater than zero.
Page 301: Maintaining Spcs On The Srx5400 Firewall
19. Issue the show chassis cluster status command to make sure that the priority for all redundancy groups is greater than zero. Maintaining SPCs on the SRX5400 Firewall IN THIS SECTION Purpose | 287 Action | 287 Purpose For optimum firewall performance, verify the condition of the Services Processing Cards (SPCs). The firewall can have up to three FPCs (two SPCs) mounted horizontally in the card cage at the front of the chassis.
Page 302 For more detailed output, add the detail option. The following example does not specify a slot number, which is optional: user@host> show chassis fpc detail Slot 0 information: State Online Temperature Total CPU DRAM 1024 MB Total RLDRAM 259 MB Total DDR DRAM 4864 MB Start time:...
Page 303: Replacing Srx5400 Firewall Spcs
For further description of the output from the command, see Command Reference at www.juniper.net/documentation/. Replacing SRX5400 Firewall SPCs IN THIS SECTION Removing an SRX5400 Firewall SPC | 289 Installing an SRX5400 Firewall SPC | 291 To replace an SPC, perform the following procedures: Removing an SRX5400 Firewall SPC An SPC weighs up to 18.3 lb (8.3 kg).
Page 304 NOTE: Wait until a message appears on the console confirming that the services stopped. Physically turn off the power and remove the power cables from the chassis. Label the cables connected to each port on the SPC so that you can later reconnect the cables to the correct ports.
Page 305: Installing An Srx5400 Firewall Spc
10. If you are not reinstalling an SPC into the empty slot within a short time, install a blank panel over the slot to maintain proper airflow in the card cage. Figure 118: Removing an SPC Installing an SRX5400 Firewall SPC To install an SPC (see Figure Attach an ESD grounding strap to your bare wrist, and connect the other end of the strap to an ESD grounding point.
Page 306 NOTE: Wait until a message appears on the console confirming that the services stopped. Physically turn off the power and remove the power cables from the chassis. Place the SPC on an antistatic mat or remove it from its electrostatic bag. Identify the slot on the firewall where the SPC will be installed.
Page 307: Replacing Spcs In An Operating Srx5400, Srx5600, Or Srx5800 Firewalls Chassis Cluster
Figure 119: Installing an SPC Figure 120: Attaching a Cable to an SPC Replacing SPCs in an Operating SRX5400, SRX5600, or SRX5800 Firewalls Chassis Cluster If your Firewall is part of an operating chassis cluster, you can replace the first-generation SRX5K-...
Page 308 SPCs with the next generation SRX5K-SPC3s by incurring a minimum downtime on your network. NOTE: SRX5K-SPC-2-10-40 SPC is not supported on SRX5400 Firewall. To replace SPCs in a firewall that is part of a chassis cluster, it must meet the following conditions: •...
Page 309 Install the new SPC or SPCs in the powered-off Firewall using the procedure in "Installing an Installing an SRX5600 Firewall SPC Installing an SRX5400 Firewall SPC" on page 287, or , or SRX5800 Firewall SPC Insert the power cables to the chassis and power on the secondary firewall and wait for it to finish starting.
Page 310: In-Service Hardware Upgrade For Srx5K-Spc3 In A Chassis Cluster
11. Use the show chassis fpc pic-status command to make sure that all of the cards in the secondary node chassis are back online. 12. Use the show chassis cluster status command to make sure that the priority for all redundancy groups is greater than zero.
Page 311 • Starting in Junos OS Release 19.4R1, ISHU for SRX5K-SPC3 is supported on all SRX5000 line of devices chassis cluster: • If the chassis has only one SPC3, you can only install one more SPC3 by using the ISHU procedure. •...
Page 312 Install the new SPC3 or SPC3s in the powered-off firewall using the procedure in "Installing an Installing an SRX5600 Firewall SPC Installing an SRX5400 Firewall SPC" on page 287, or , or SRX5800 Firewall SPC Insert the power cables to the chassis and power on the secondary firewall and wait for it to finish starting.
Page 313: Maintaining The Srx5400 Cables And Connectors
Maintaining the SRX5400 Cables and Connectors IN THIS SECTION Maintaining SRX5400 Firewall Network Cables | 299 Replacing the Management Ethernet Cable on the SRX5400 Firewall | 300 Replacing the SRX5400 Firewall Console or Auxiliary Cable | 301 Replacing an SRX5400 Firewall Network Cable | 302...
Page 314: Replacing The Management Ethernet Cable On The Srx5400 Firewall
Use only an approved alcohol-free fiber-optic cable cleaning kit, such as the Opptex Cletop-S Fiber Cleaner. Follow the directions for the cleaning kit you use. Replacing the Management Ethernet Cable on the SRX5400 Firewall One Ethernet cable with RJ-45 connectors is provided with the firewall.
Page 315: Replacing The Srx5400 Firewall Console Or Auxiliary Cable
5. Plug the other end of the cable into the network device. Figure 121: Cable Connector Figure 122: Ethernet Port Replacing the SRX5400 Firewall Console or Auxiliary Cable Before you begin to replace the console or auxiliary Cable: Prevention of •...
Page 316: Replacing An Srx5400 Firewall Network Cable
Figure 123: Auxiliary and Console Ports Replacing an SRX5400 Firewall Network Cable IN THIS SECTION Removing an SRX5400 Firewall Network Cable | 302 Installing an SRX5400 Firewall Network Cable | 303 Removing an SRX5400 Firewall Network Cable Removing and installing network cables does not affect firewall function, except that the component does not receive or transmit data while its cable is disconnected.
Page 317: Installing An Srx5400 Firewall Network Cable
The safety cap keeps the port clean and protects your eyes from accidental exposure to laser light. Installing an SRX5400 Firewall Network Cable To install a cable in a MIC: 1. Have ready a length of the type of cable used by the MIC.
Page 318: Replacing Srx5400 Firewall Transceivers
Replacing SRX5400 Firewall Transceivers IN THIS SECTION Removing an SRX5400 Firewall Transceiver | 304 Installing an SRX5400 Firewall Transceiver | 306 Removing an SRX5400 Firewall Transceiver...
Page 319 • Replacement transceiver or transceiver slot plug • Antistatic mat • Rubber safety cap for the transceiver • Needle-nose pliers Transceivers are installed in a MIC or SPC. Transceivers are hot-insertable and hot-removable. Removing a transceiver does not interrupt the functioning of the card, but the removed transceiver no longer receives or transmits data.
Page 320: Installing An Srx5400 Firewall Transceiver
Juniper Networks. If you face a problem running a Juniper device that uses third-party optical modules or cables, JTAC may help you diagnose host-related issues if the observed issue is not, in the opinion of JTAC, related to the use of the third-party optical modules or cables.
Page 321 ZR or ZR+) can potentially cause thermal damage to or reduce the lifespan of the host equipment. Any damage to the host equipment due to the use of third-party optical modules or cables is the users’ responsibility. Juniper Networks will accept no liability for any damage caused due to such use.
Page 322: Troubleshooting Hardware
C HAPTER Troubleshooting Hardware Troubleshooting the SRX5400 | 309...
Page 323: Troubleshooting The Srx5400
Troubleshooting SRX5400 Firewall SPCs | 329 Troubleshooting the SRX5400 Firewall Power System | 331 Behavior of the SRX5400, SRX5600, and SRX5800 Firewalls When the SRX5K-SCBE and SRX5K-RE-1800X4 in a Chassis Cluster Fail | 333 Troubleshooting the SRX5400 Firewall with the Junos OS CLI The Junos OS command-line interface (CLI) is the primary tool for controlling and troubleshooting firewall hardware, Junos OS, routing protocols, and network connectivity.
Page 324: Troubleshooting The Srx5400 Firewall With Chassis And Interface Alarm Messages
IN THIS SECTION Backup Routing Engine Alarms | 321 Table 51 on page 310 lists the alarms that the chassis components can generate on SRX5400, SRX5600, and SRX5800 Firewalls. Table 51: Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls...
Page 325 Table 51: Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls (Continued) Chassis Component Alarm Condition Remedy Alarm Severity Alternative media The Firewall boots from an Open a support case using the Yellow alternate boot device, the hard Case Manager link at https:/ / disk.
Page 326 Table 51: Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls (Continued) Chassis Component Alarm Condition Remedy Alarm Severity FPC airflow temperature sensors Check the status of all fan trays. in SRX5K-SPC3 reach high or over or crosses fire temperature threshold.
Page 327 Table 51: Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls (Continued) Chassis Component Alarm Condition Remedy Alarm Severity SRX5K-SPC3 LTC Firm Ware To manually upgrade the LTC Version Mismatch. LEDs on the Firmware Version: front panel of the chassis indicate 1.
Page 328 Table 51: Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls (Continued) Chassis Component Alarm Condition Remedy Alarm Severity Real Time Clock battery failure. Open a support case using the Case Manager link at https:/ / www.juniper.net/support/ call 1-888-314-5822 (toll free, US &...
Page 329 Table 51: Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls (Continued) Chassis Component Alarm Condition Remedy Alarm Severity Fan tray not working or failed. Replace fan tray. One fan in the chassis is not Replace fan tray. spinning or is spinning below required speed.
Page 330 Table 51: Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls (Continued) Chassis Component Alarm Condition Remedy Alarm Severity Power supplies A power supply has been Insert power supply into empty Yellow removed from the chassis. slot. A power supply has a high Replace failed power supply or temperature.
Page 331 Table 51: Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls (Continued) Chassis Component Alarm Condition Remedy Alarm Severity Routing Engine Excessive framing errors on Replace the serial cable Yellow console port. connected to the device. An excessive framing error alarm...
Page 332 Table 51: Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls (Continued) Chassis Component Alarm Condition Remedy Alarm Severity Routing Engine failed to boot. Replace failed Routing Engine. The Ethernet management • Check the interface cable interface (fxp0 or em0) on the connection.
Page 333 Table 51: Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls (Continued) Chassis Component Alarm Condition Remedy Alarm Severity An SCB throughput decreased. Yellow • Check fabric plane summary if all 4 fabric planes are online. • This alarm could be raised before all fabric planes are brought up.
Page 334 Table 51: Chassis Component Alarm Conditions on SRX5400, SRX5600, and SRX5800 Firewalls (Continued) Chassis Component Alarm Condition Remedy Alarm Severity The chassis temperature has • Check room temperature. exceeded 65 degrees C (149 degrees F), and a fan has •...
Page 335 Yellow from an alternate boot device, the Case Manager link at https:/ / hard disk. The CompactFlash card www.juniper.net/support/ is typically the primary boot call 1-888-314-5822 (toll free, device. The Routing Engine boots US & Canada) or from the hard disk when the 1-408-745-9500 (from outside primary boot device fails.
Page 336 Reboot the system. • If the alarm recurs, open a support case using the Case Manager link at https:/ / www.juniper.net/support/ call 1-888-314-5822 (toll free, US & Canada) or 1-408-745-9500 (from outside the United States). FRU Offline The backup Routing Engine has...
Page 337: Troubleshooting The Srx5400 Firewall With Alarm Relay Contacts
The alarm relay contacts are located on the upper right of the craft interface. Troubleshooting the SRX5400 Firewall with the Craft Interface LEDs The craft interface is the panel on the front of the firewall located above the card cage that contains LEDs and buttons that allow you to troubleshoot the device.
Page 338: Troubleshooting The Srx5400 Firewall With The Component Leds
Troubleshooting the SRX5400 Firewall with the Component LEDs The following LEDs are located on various firewall components and display the status of those components: • Card LED—One LED labeled OK/FAIL on each card in the card cage indicates the card’s status.
Page 339: Troubleshooting Srx5400 Firewall Mpcs
• The firewall temperature exceeds the “temperature warm” threshold (minor alarm). • The temperature of the firewall exceeds the maximum (“temperature hot”) threshold (major alarm and automatic shutdown of the power supplies). Troubleshooting SRX5400 Firewall MPCs IN THIS SECTION Problem | 325...
Page 340 The Routing Engine downloads the MPC software to it under two conditions: the MPC is present when the Routing Engine boots Junos OS, and the MPC is installed and requested online through the CLI or push button on the front panel. The MPC then runs diagnostics, during which the OK LED blinks.
Page 341 After pushing MPC online button: user@host> show chassis fpc Temp CPU Utilization (%) Memory Utilization (%) Slot State (C) Total Interrupt DRAM (MB) Heap Buffer 0 Online 1024 1 Online 1024 2 Offline ---Offlined by button press--- For more detailed output, add the detail option. The following example does not specify a slot number, which is optional: user@host>...
Page 342: Troubleshooting Srx5400 Firewall Mics
Max Power Consumption 570 Watts Junos OS System Basics and Services For further description of the output from the command, see Command Reference at www.juniper.net/documentation/. Troubleshooting SRX5400 Firewall MICs IN THIS SECTION Problem | 328 Solution | 328 Problem Description The MICs are not functioning normally.
Page 343: Troubleshooting Srx5400 Firewall Spcs
PIC 2 Online 10x 10GE SFP+ Junos OS System Basics and Services For further description of the output from the command, see Command Reference at www.juniper.net/documentation/. Troubleshooting SRX5400 Firewall SPCs IN THIS SECTION Problem | 329 Solution | 329 Problem Description A Services Processing Card (SPC) is not functioning normally.
Page 344 6656 MB Start time: 2013-12-10 02:58:07 PST Uptime: 1 day, 11 hours, 59 minutes, 24 seconds Max Power Consumption 570 Watts For further description of the output from the command, see Junos OS System Basics and Services Command Reference at www.juniper.net/documentation/.
Page 345: Troubleshooting The Srx5400 Firewall Power System
Troubleshooting the SRX5400 Firewall Power System IN THIS SECTION Problem | 331 Solution | 331 Problem Description The power system is not functioning normally. Solution • Check the LEDs on each power supply faceplate. • If an AC power supply is correctly installed and functioning normally, the AC OK and DC OK LEDs light steadily, and the PS FAIL LED is not lit.
Page 346 State Empty PEM 2 status: State Online Temperature DC Input: DC Output Voltage(V) Current(A) Power(W) Load(%) Voltage: 48.0 V input 53000 mV PEM 3 status: State Empty If a power supply is not functioning normally, perform the following steps to diagnose and correct the problem: •...
Page 347: Behavior Of The Srx5400, Srx5600, And Srx5800 Firewalls When The Srx5K-Scbe And Srx5K-Re-1800X4 In A Chassis Cluster Fail
Behavior of the SRX5400, SRX5600, and SRX5800 Firewalls When the SRX5K-SCBE and SRX5K-RE-1800X4 in a Chassis Cluster Fail It is important to understand the behavior of the SRX5400, SRX5600, and SRX5800 Firewalls when the Switch Control Board (SRX5K-SCBE) and Routing Engine (SRX5K-RE-1800X4) in the chassis cluster fail.
Page 348 Expected Behavior After the SCB and SRX5K-SCBs Planes Planes Routing Engine are Removed SRX5400 4 (virtual) 0 (virtual) If the SCB in the primary node fails, the device will fail over to the secondary node as the primary node powers off.
Page 349 NOTE: In SRX5600 and SRX5800 Firewalls, failover does not happen when the secondary Routing Engine in slot 1 fails, while the SCB in slot 1 is inactive. Chassis Cluster User Guide for SRX Series For detailed information about chassis cluster, see the Devices at www.juniper.net/documentation/.
Page 350: Contacting Customer Support And Returning The Chassis Or Components
C HAPTER Contacting Customer Support and Returning the Chassis or Components Returning the SRX5400 Chassis or Components | 337...
Page 351: Returning The Srx5400 Chassis Or Components
Contacting Customer Support Once you have located the serial numbers of the firewall or component, you can return the firewall or component for repair or replacement. For this, you need to contact Juniper Networks Technical Assistance Center (JTAC). You can contact JTAC 24 hours a day, 7 days a week, using any of the following methods: •...
Page 352: Return Procedure For The Srx5400 Firewall
This number is used to track the returned material at the factory and to return repaired or new components to the customer as needed. NOTE: Do not return any component to Juniper Networks, Inc. unless you have first obtained an RMA number. Juniper Networks, Inc. reserves the right to refuse shipments that do not have an RMA.
Page 353: Listing The Srx5400 Firewall Component Serial Numbers With The Cli
Listing the SRX5400 Firewall Component Serial Numbers with the CLI Before contacting Juniper Networks, Inc. to request a Return Materials Authorization (RMA), you must find the serial number on the firewall or component. To display all of the firewall components and their serial numbers, enter the following command-line interface (CLI) command: user@host>...
Page 354: Locating The Srx5400 Firewall Craft Interface Serial Number Label
Figure 126: AC Power Supply Serial Number Label Figure 127: DC Power Supply Serial Number Label Locating the SRX5400 Firewall Craft Interface Serial Number Label The serial number is located on the back of the craft interface panel (see Figure 128 on page...
Page 355: Information You Might Need To Supply To Jtac
• Configuration data displayed by one or more show commands • Your name, organization name, telephone number, fax number, and shipping address Required Tools and Parts for Packing the SRX5400 Firewall To remove components from the firewall or the firewall from a rack, you need the following tools and parts: •...
Page 356: Packing The Srx5400 Firewall For Shipment
To pack the firewall for shipment: Retrieve the shipping crate and packing materials in which the firewall was originally shipped. If you do not have these materials, contact your Juniper Networks representative about approved packaging materials. On the console or other management device connected to the primary Routing Engine, enter CLI operational mode and issue the following command to shut down the firewall software.
Page 357: Packing Srx5400 Firewall Components For Shipment
12. Securely tape the box closed or place the crate cover over the firewall. 13. Write the RMA number on the exterior of the box to ensure proper tracking. Packing SRX5400 Firewall Components for Shipment Follow these guidelines for packing and shipping individual components of the firewall: •...
Page 358: Safety And Compliance Information
C HAPTER Safety and Compliance Information General Safety Guidelines and Warnings | 346 Definitions of Safety Warning Levels | 347 Restricted Access Area Warning | 349 Fire Safety Requirements | 350 Qualified Personnel Warning | 352 Warning Statement for Norway and Sweden | 352 Installation Instructions Warning | 353 Chassis and Component Lifting Guidelines | 353 Ramp Warning | 354...
Page 359 DC Power Wiring Terminations Warning | 385 Multiple Power Supplies Disconnection Warning | 386 TN Power Warning | 387 Action to Take After an Electrical Accident | 387 SRX5400 Firewall Agency Approvals | 388 SRX5400 Firewall Compliance Statements for EMC Requirements | 390...
Page 360: General Safety Guidelines And Warnings
General Safety Guidelines and Warnings The following guidelines help ensure your safety and protect the device from damage. The list of guidelines might not address all potentially hazardous situations in your working environment, so be alert and exercise good judgment at all times. •...
Page 361: Definitions Of Safety Warning Levels
• Some parts of the chassis, including AC and DC power supply surfaces, power supply unit handles, SFB card handles, and fan tray handles might become hot. The following label provides the warning for hot surfaces on the chassis: • Always ensure that all modules, power supplies, and cover panels are fully inserted and that the installation screws are fully tightened.
Page 362 Waarschuwing Dit waarschuwingssymbool betekent gevaar. U verkeert in een situatie die lichamelijk letsel kan veroorzaken. Voordat u aan enige apparatuur gaat werken, dient u zich bewust te zijn van de bij elektrische schakelingen betrokken risico's en dient u op de hoogte te zijn van standaard maatregelen om ongelukken te voorkomen. Varoitus Tämä...
Page 363: Restricted Access Area Warning
Restricted Access Area Warning WARNING: The Firewall is intended for installation in restricted access areas. A restricted access area is an area to which access can be gained only by service personnel through the use of a special tool, lock and key, or other means of security, and which is controlled by the authority responsible for the location.
Page 364: Fire Safety Requirements
In addition, you should establish procedures to protect your equipment in the event of a fire emergency. Juniper Networks products should be installed in an environment suitable for electronic equipment. We...
Page 365 NOTE: To keep warranties effective, do not use a dry chemical fire extinguisher to control a fire at or near a Juniper Networks device. If a dry chemical fire extinguisher is used, the unit is no longer eligible for coverage under a service agreement.
Page 366: Qualified Personnel Warning
Qualified Personnel Warning WARNING: Only trained and qualified personnel should install or replace the device. Waarschuwing Installatie en reparaties mogen uitsluitend door getraind en bevoegd personeel uitgevoerd worden. Varoitus Ainoastaan koulutettu ja pätevä henkilökunta saa asentaa tai vaihtaa tämän laitteen. Avertissement Tout installation ou remplacement de l'appareil doit être réalisé...
Page 367: Installation Instructions Warning
Installation Instructions Warning WARNING: Read the installation instructions before you connect the device to a power source. Waarschuwing Raadpleeg de installatie-aanwijzingen voordat u het systeem met de voeding verbindt. Varoitus Lue asennusohjeet ennen järjestelmän yhdistämistä virtalähteeseen. Avertissement Avant de brancher le système sur la source d'alimentation, consulter les directives d'installation.
Page 368: Ramp Warning
• Up to 39.7 lb (18 kg): One person. • From 39.7 lb (18 kg) to 70.5 lb (32 kg): Two or more people. • From 70.5 lb (32 kg) to 121.2 lb (55 kg): Three or more people. • Above 121.2 lb (55 kg): Use material handling systems (such as levers, slings, lifts, and so on). When this is not practical, engage specially trained persons or systems (such as riggers or movers).
Page 369 De onderstaande richtlijnen worden verstrekt om uw veiligheid te verzekeren: • De Juniper Networks switch moet in een stellage worden geïnstalleerd die aan een bouwsel is verankerd. • Dit toestel dient onderaan in het rek gemonteerd te worden als het toestel het enige in het rek is.
Page 370 Les directives ci-dessous sont destinées à assurer la protection du personnel: • Le rack sur lequel est monté le Juniper Networks switch doit être fixé à la structure du bâtiment. • Si cette unité constitue la seule unité montée en casier, elle doit être placée dans le bas.
Page 371 • Il Juniper Networks switch deve essere installato in un telaio, il quale deve essere fissato alla struttura dell'edificio. • Questa unità deve venire montata sul fondo del supporto, se si tratta dell'unica unità da montare nel supporto. • Quando questa unità viene montata in un supporto parzialmente pieno, caricare il supporto dal basso all'alto, con il componente più...
Page 372 Para garantizar su seguridad, proceda según las siguientes instrucciones: • El Juniper Networks switch debe instalarse en un bastidor fijado a la estructura del edificio. • Colocar el equipo en la parte inferior del bastidor, cuando sea la única unidad en el mismo.
Page 373: Grounded Equipment Warning
Grounded Equipment Warning WARNING: This device must be properly grounded at all times. Follow the instructions in this guide to properly ground the device to earth. Waarschuwing Dit apparaat moet altijd goed geaard zijn. Volg de instructies in deze gids om het apparaat goed te aarden. Varoitus Laitteen on oltava pysyvästi maadoitettu.
Page 374 Class 1 LED Product Warning | 361 Laser Beam Warning | 362 Juniper Networks devices are equipped with laser transmitters, which are considered a Class 1 Laser Product by the U.S. Food and Drug Administration and are evaluated as a Class 1 Laser Product per IEC/EN 60825-1 requirements.
Page 375 Class 1 Laser Product Warning LASER WARNING: Class 1 laser product. Waarschuwing Klasse-1 laser produkt. Varoitus Luokan 1 lasertuote. Avertissement Produit laser de classe I. Warnung Laserprodukt der Klasse 1. Avvertenza Prodotto laser di Classe 1. Advarsel Laserprodukt av klasse 1. Aviso Produto laser de classe 1.
Page 376: Radiation From Open Port Apertures Warning
Laser Beam Warning LASER WARNING: Do not stare into the laser beam or view it directly with optical instruments. Waarschuwing Niet in de straal staren of hem rechtstreeks bekijken met optische instrumenten. Varoitus Älä katso säteeseen äläkä tarkastele sitä suoraan optisen laitteen avulla. Avertissement Ne pas fixer le faisceau des yeux, ni l'observer directement à...
Page 377: Maintenance And Operational Safety Guidelines And Warnings
Varoitus Koska portin aukosta voi emittoitua näkymätöntä säteilyä, kun kuitukaapelia ei ole kytkettynä, vältä säteilylle altistumista äläkä katso avoimiin aukkoihin. Avertissement Des radiations invisibles à l'il nu pouvant traverser l'ouverture du port lorsqu'aucun câble en fibre optique n'y est connecté, il est recommandé de ne pas regarder fixement l'intérieur de ces ouvertures.
Page 378 Lightning Activity Warning | 366 Operating Temperature Warning | 367 Product Disposal Warning | 368 While performing the maintenance activities for devices, observe the following guidelines and warnings: Battery Handling Warning WARNING: Replacing a battery incorrectly might result in an explosion. Replace a battery only with the same or equivalent type recommended by the manufacturer.
Page 379 Aviso Existe perigo de explosão se a bateria for substituída incorrectamente. Substitua a bateria por uma bateria igual ou de um tipo equivalente recomendado pelo fabricante. Destrua as baterias usadas conforme as instruções do fabricante. ¡Atención! Existe peligro de explosión si la batería se reemplaza de manera incorrecta. Reemplazar la baterían EXclusivamente con el mismo tipo o el equivalente recomendado por el fabricante.
Page 380 Avvertenza Prima di intervenire su apparecchiature collegate alle linee di alimentazione, togliersi qualsiasi monile (inclusi anelli, collane, braccialetti ed orologi). Gli oggetti metallici si riscaldano quando sono collegati tra punti di alimentazione e massa: possono causare ustioni gravi oppure il metallo può saldarsi ai terminali. Advarsel Fjern alle smykker (inkludert ringer, halskjeder og klokker) før du skal arbeide på...
Page 381 6 in. (15.2 cm) of clearance around the ventilation openings. Waarschuwing Om te voorkomen dat welke switch van de Juniper Networks router dan ook oververhit raakt, dient u deze niet te bedienen op een plaats waar de maximale aanbevolen omgevingstemperatuur van 40°...
Page 382 40° C. Para evitar a restrição à circulação de ar, deixe pelo menos um espaço de 15,2 cm à volta das aberturas de ventilação. ¡Atención! Para impedir que un encaminador de la serie Juniper Networks switch se recaliente, no lo haga funcionar en un área en la que se supere la temperatura ambiente máxima recomendada de 40°...
Page 383: General Electrical Safety Guidelines And Warnings
Avertissement La mise au rebut définitive de ce produit doit être effectuée conformément à toutes les lois et réglementations en vigueur. Warnung Dieses Produkt muß den geltenden Gesetzen und Vorschriften entsprechend entsorgt werden. Avvertenza L'eliminazione finale di questo prodotto deve essere eseguita osservando le normative italiane vigenti in materia Advarsel Endelig disponering av dette produktet må...
Page 384 ports pour intérieur de l’appareil sont réservés au raccordement de câbles pour intérieur ou non exposés uniquement. L’ajout de protections ne constitue pas une précaution suffisante pour raccorder physiquement ces interfaces au câblage de l’installation extérieure. CAUTION: Before removing or installing components of a device, connect an electrostatic discharge (ESD) grounding strap to an ESD point and wrap and fasten the other end of the strap around your bare wrist.
Page 385: Prevention Of Electrostatic Discharge Damage
• Operate the device within marked electrical ratings and product usage instructions. • To ensure that the device and peripheral equipment function safely and correctly, use the cables and connectors specified for the attached peripheral equipment, and make certain they are in good condition.
Page 386: Ac Power Electrical Safety Guidelines
• When removing or installing a component that is subject to ESD damage, always place it component- side up on an antistatic surface, in an antistatic card rack, or in an antistatic bag (see Figure 129 on page 372). If you are returning a component, place it in an antistatic bag before packing it. Figure 129: Placing a Component into an Antistatic Bag CAUTION: ANSI/TIA/EIA-568 cables such as Category 5e and Category 6 can get electrostatically charged.
Page 387: Ac Power Disconnection Warning
“ATTENTION: CET APPAREIL COMPORTE PLUS D'UN CORDON D'ALIMENTATION. AFIN DE PRÉVENIR LES CHOCS ÉLECTRIQUES, DÉBRANCHER TOUT CORDON D'ALIMENTATION AVANT DE FAIRE LE DÉPANNAGE.” • AC-powered devices are shipped with a three-wire electrical cord with a grounding-type plug that fits only a grounding-type power outlet. Do not circumvent this safety feature. Equipment grounding must comply with local and national electrical codes.
Page 388: Dc Power Electrical Safety Guidelines
Avertissement Avant de travailler sur un châssis ou à proximité d'une alimentation électrique, débrancher le cordon d'alimentation des unités en courant alternatif. Warnung Bevor Sie an einem Chassis oder in der Nähe von Netzgeräten arbeiten, ziehen Sie bei Wechselstromeinheiten das Netzkabel ab bzw. Avvertenza Prima di lavorare su un telaio o intorno ad alimentatori, scollegare il cavo di alimentazione sulle unità...
Page 389 DC Power Electrical Safety Guidelines The following electrical safety guidelines apply to a DC-powered firewall: • A DC-powered firewall is equipped with a DC terminal block that is rated for the power requirements of a maximally configured firewall. To supply sufficient power, terminate the DC input wiring on a facility DC source capable of supplying at least 15 A @ -48 VDC for the system.
Page 390 DC Power Disconnection Warning WARNING: Before performing any of the following procedures, ensure that power is removed from the DC circuit. To ensure that all power is off, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position.
Page 391 Aviso Antes de executar um dos seguintes procedimentos, certifique-se que desligou a fonte de alimentação de energia do circuito de corrente contínua. Para se assegurar que toda a corrente foi DESLIGADA, localize o disjuntor no painel que serve o circuito de corrente contínua e coloque-o na posição OFF (Desligado), segurando nessa posição a manivela do interruptor do disjuntor com fita isoladora.
Page 392 Avvertenza In fase di installazione dell'unità, eseguire sempre per primo il collegamento a massa e disconnetterlo per ultimo. Advarsel Når enheten installeres, må jordledningen alltid tilkobles først og frakobles sist. Aviso Ao instalar a unidade, a ligação à terra deverá ser sempre a primeira a ser ligada, e a última a ser desligada.
Page 393 Stromversorgung ist -48V zu -48V, +RTN zu +RTN und dann Erdanschluss zu Erdanschluss. Es ist zu beachten dass der Erdanschluss immer zuerst angeschlossen und als letztes abgetrennt wird. Avvertenza Mostra la morsettiera dell alimentatore CC. Cablare l'alimentatore CC usando i connettori adatti all'estremità del cablaggio, come illustrato. La corretta sequenza di cablaggio è...
Page 394 grijperschop type waarbij de aansluitpunten omhoog wijzen. Deze aansluitpunten dienen de juiste maat voor de draden te hebben en dienen zowel de isolatie als de geleider vast te klemmen. Varoitus Jos säikeellinen johdin on tarpeen, käytä hyväksyttyä johdinliitäntää, esimerkiksi suljettua silmukkaa tai kourumaista liitäntää, jossa on ylöspäin käännetyt kiinnityskorvat.
Page 395: Dc Power Disconnection Warning
RELATED DOCUMENTATION Action to Take After an Electrical Accident General Electrical Safety Guidelines and Warnings AC Power Electrical Safety Guidelines DC Power Disconnection Warning WARNING: Before performing any of the DC power procedures, ensure that power is removed from the DC circuit. To ensure that all power is off, locate the circuit breaker on the panel board that services the DC circuit, switch the circuit breaker to the OFF position, and tape the device handle of the circuit breaker in the OFF position.
Page 396: Dc Power Grounding Requirements And Warning
(OFF), individuare l'interruttore automatico sul quadro strumenti che alimenta il circuito CC, mettere l'interruttore in posizione OFF e fissarlo con nastro adesivo in tale posizione. Advarsel Før noen av disse prosedyrene utføres, kontroller at strømmen er frakoblet likestrømkretsen. Sørg for at all strøm er slått AV. Dette gjøres ved å lokalisere strømbryteren på...
Page 397: Dc Power Wiring Sequence Warning
Varoitus Laitetta asennettaessa on maahan yhdistäminen aina tehtävä ensiksi ja maadoituksen irti kytkeminen viimeiseksi. Avertissement Lors de l'installation de l'appareil, la mise à la terre doit toujours être connectée en premier et déconnectée en dernier. Warnung Der Erdanschluß muß bei der Installation der Einheit immer zuerst hergestellt und zuletzt abgetrennt werden.
Page 398 est rectifié pour rectifier, +RTN à +RTN, puis –48 V à –48 V. En débranchant la puissance, l'ordre approprié de câblage est –48 V à –48 V, +RTN à +RTN, a alors rectifié pour rectifier. Notez que le fil de masse devrait toujours être relié d'abord et débranché pour la dernière fois.
Page 399: Dc Power Wiring Terminations Warning
DC Power Wiring Terminations Warning WARNING: When stranded wiring is required, use approved wiring terminations, such as closed-loop or spade-type with upturned lugs. These terminations must be the appropriate size for the wires and must clamp both the insulation and conductor. Waarschuwing Wanneer geslagen bedrading vereist is, dient u bedrading te gebruiken die voorzien is van goedgekeurde aansluitingspunten, zoals het gesloten-lus type of het grijperschop type waarbij de aansluitpunten omhoog wijzen.
Page 400: Multiple Power Supplies Disconnection Warning
¡Atención! Cuando se necesite hilo trenzado, utilizar terminales para cables homologados, tales como las de tipo "bucle cerrado" o "espada", con las lengüetas de conexión vueltas hacia arriba. Estos terminales deberán ser del tamaño apropiado para los cables que se utilicen, y tendrán que sujetar tanto el aislante como el conductor. Varning! När flertrådiga ledningar krävs måste godkända ledningskontakter användas, t.ex.
Page 401: Tn Power Warning
¡Atención! Esta unidad tiene más de una conexión de suministros de alimentación; para eliminar la alimentación por completo, deben desconectarse completamente todas las conexiones. Varning! Denna enhet har mer än en strömförsörjningsanslutning; alla anslutningar måste vara helt avlägsnade innan strömtillförseln till enheten är fullständigt bruten. TN Power Warning WARNING: The device is designed to work with a TN power system.
Page 402: Srx5400 Firewall Agency Approvals
3. If possible, send another person to get medical aid. Otherwise, assess the condition of the victim, and then call for help. SRX5400 Firewall Agency Approvals IN THIS SECTION Compliance Statement for Argentina | 389 The firewall complies with the following standards: •...
Page 403 • GR-1089-CORE: EMC and Electrical Safety for Network Telecommunications Equipment • SR-3580: NEBS Criteria Levels (Level 3 Compliance) Compliance Statement for Argentina EQUIPO DE USO IDÓNEO. RELATED DOCUMENTATION SRX5400 Firewall Environmental Specifications | 144 SRX5400 Firewall Physical Specifications | 9 SRX5400 Firewall Compliance Statements for EMC Requirements | 390...
Page 404: Srx5400 Firewall Compliance Statements For Emc Requirements
SRX5400 Firewall Compliance Statements for EMC Requirements IN THIS SECTION Canada | 390 European Community | 390 Israel | 391 Japan | 391 United States | 391 Canada This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.
Page 405 Israel The preceding translates as follows: This product is Class A. In residential environments, the product may cause radio interference, and in such a situation, the user may be required to take adequate measures. Japan The preceding translates as follows: This is a Class A product.
Page 406 RELATED DOCUMENTATION SRX5400 Firewall Environmental Specifications | 144 SRX5400 Firewall Physical Specifications | 9 SRX5400 Firewall Agency Approvals | 388...

This manual is also suitable for:

Srx5600 Srx5800