Table of Contents
Introduction
Scope
Target Audience
Industry Trends Influencing WAN Design
WAN Design Considerations
Juniper's Advanced Routing Technology: Solution Profile Overview
Juniper's Advanced Routing Technology: Virtualization
Juniper's Advanced Routing Technology: High Availability
Best Practices and Tips: HA
Juniper's Advanced Routing Technology: QoS
Best Practices and Tips: QoS
Juniper's Advanced Routing Technology: Security
Best Practices and Tips: Security
Juniper's Advanced Routing Technology: Multicast
Best Practices and Tips: Multicast
Automate: Ease of Management
Use Cases
Use Case: Enterprise WAN: Private MPLS Across a Public Service Provider Network
Use Case: Enterprise WAN: Private MPLS Cloud
Private MPLS Cloud: Some Benefits of Simplification (Before and After)
Use Case: Data Center to Data Center Interconnectivity with L2 Stretch
VPLS over GRE
Use Case: WAN Aggregation
Use Case: Internet Edge
Case 1: Corporate Internet Access Through Enterprise WAN
Case 2: Internet Edge Backup Connectivity
Conclusion
References
About Juniper Networks

Table of Figures
Figure 1: Summary of advanced routing technologies that simplify, share, secure, and automate the WAN
Figure 2: Complementary virtualization technologies from Juniper
Figure 3: Example of financial institution with different QoS policies by path and application
Figure 4: Example of a distributed enterprise with multiple layers of security
Figure 5: Ethernet Design, Network Activate, and Route Insight: Juniper's key management automation tools
Figure 6: IPsec encrypted MPLS traffic tunneled using GRE to a provider router for transport over service provider L3VPN
Figure 7: Before Case: Real example of legacy WAN using 30 dedicated links per application to interconnect data centers, with only 1% average utilization
Figure 8: After Case: Real deployment using Juniper's simplified WAN design using network virtualization eliminates application dedicated links
Figure 9: Inter data center connectivity over MPLS core
Figure 10: WAN aggregation of remote branch offices using WAN aggregation routers
Figure 11: Internet edge access through headquarters carried through the enterprise WAN
Figure 12: Internet edge providing backup connectivity to the enterprise WAN
Introduction
Juniper Networks' approach to WAN design is based upon four fundamental design principles that help customers design a simplified architecture:
- Simplify the network by reducing the number of required network devices, links, and inherent complexity
- Share network resources through virtualization to improve asset utilization
- Secure the network comprehensively
- Automate to provision, monitor, and troubleshoot the network
Many organizations have experienced rapid growth in business requirements, applications, distributed branch offices, and data centers, and over time these growth factors have increased network complexity. The challenge is to transport the growing volume of mission-critical and delay-sensitive traffic cost effectively while improving security and privacy over the WAN. Juniper approaches this challenge using the four design principles outlined above. This paper examines:
- Technology and services trends, such as cloud computing, that impact architectural decisions
- Design considerations, which provide a basic architectural framework
- Juniper's advanced routing technology, which provides tools to address different business requirements
- Enterprise WAN use cases, which describe common deployment scenarios
Scope
This WAN reference architecture discusses WAN design concepts and presents use cases and practical examples to help WAN architects and engineers address the requirements of designing simplified WANs. The use cases outlined in this paper include:
- Enterprise WAN
  - Private MPLS across a public service provider network
  - Private MPLS cloud
- Data center to data center interconnectivity
- WAN aggregation
- Internet edge
  - Corporate Internet access through WAN backhaul
  - Internet edge backup connectivity
Target Audience
This paper describes Juniper Networks' simplified WAN architecture. This architecture is particularly suitable for organizations that are:
- Improving their WAN infrastructure to enhance their competitive advantage
- Deploying bandwidth-hungry applications, such as video conferencing
- Consolidating links, data centers, or servers for cost savings
- Deploying a private, hybrid, or public cloud to improve productivity
This document serves as a reference tool for the following network personnel:
- Network engineers
- Network architects
- Security managers
- IT and network industry analysts
- Juniper partners
- Any person with an interest in WAN design
Industry Trends Influencing WAN Design

Table 1: Industry trends and their effect on the WAN

Technology: Increase in adoption of Gigabit Ethernet, L2VPN, and L3VPN; increase in adoption of many types of connectivity in the same WAN
Services: Adds pressure for WAN bandwidth; applications, storage, and data are accessed by distributed branch offices, remote data centers, and remote workers, which results in inter-communication and a mesh topology

Technology Trends
Advancements in technology have led to an increase in WAN connectivity options and lower prices. This presents an opportunity for organizations to reevaluate their WAN designs to improve performance and save costs. For example, a drop in the price of 10GbE has created an opportunity for enterprises to leapfrog in bandwidth speeds, allowing them to migrate from DS3/OC3 to 10GbE and replace private leased lines with Ethernet services.

Services Trends
Enterprises have been adopting cloud services, such as private, hybrid, and public cloud, to increase productivity and reduce costs. Using cloud services may increase WAN bandwidth requirements, as applications and data are now pushed over the WAN. The growth of WAN traffic can also occur organically as businesses add remote locations to better serve their customers. The growth of distributed branch offices, remote data centers, and remote workers commonly adds traffic over the WAN and can also create more meshed topologies.
Figure 1: Summary of advanced routing technologies that simplify, share, secure, and automate the WAN
Figure 1 shows Juniper's advanced routing technologies layered on top of its advanced silicon and hardware, such as the latest 3D Trio chipset. Juniper's advanced hardware is supported by a single operating system, Junos OS, and a single release train that works across routing, switching, and security platforms. Junos OS drives Juniper's advanced routing portfolio. The following sections provide more detail on the major components of advanced routing.
Figure 2: Complementary virtualization technologies from Juniper (diagram; labels: VLAN, VRF, IRB, Virtual Routers, Virtual Bridging, Logical Systems, JCS 1200; L3 VPN (MPLS, GRE, IPsec); L2 VPN (VPLS, Pseudo-wires, 802.1q); Circuit to Packet (TDM, Serial, etc. to IP); MPLS)
benefits of circuits to IP, including:
- Privacy and network segmentation: Virtualization supports network segmentation and privacy. Organizations obtain the benefits of traffic segmentation without dedicated links.
- Enhanced user experience: Traffic engineering enhances the end user application experience by enabling fine-tuning of the network to deliver appropriate levels of QoS and service-level agreements (SLAs).
- Improved network resiliency: Features like MPLS fast reroute improve network resiliency, enabling sub-50-millisecond reroute.
- Scale for future growth: Boosts network scalability and performance to provide headroom for future growth.
Table 2: Sample of Four Classes or Queues, Along with Their Traffic Characteristics (only the best-effort row survived extraction)

Forwarding class | Priority | Latency/packet delay sensitivity | Jitter sensitivity | Packet loss sensitivity | Sample traffic
Best effort      | Low      | None                             | None               | None                    |

* Queues with strict-high priority are serviced before high or low priority queues, as long as there are packets in the queue.
- Network control: Traffic such as routing protocols; this class is given high priority due to its high packet loss sensitivity.
- Expedited forwarding (EF): Provides low loss, low latency, low jitter, and assured bandwidth for end-to-end service.
- Assured forwarding (AF): Provides a group of services (e.g., AF1 through AF4), each with low, medium, or high drop probability. Data in AF classes are more sensitive to packet loss than data in the EF class.
- Best effort: Gives no preference in queuing and forwarding during periods of congestion.

Best Practices and Tips: QoS
- End-to-end QoS strategy: To enforce a successful QoS strategy, organizations must associate incoming traffic with forwarding classes based on priorities set on the packets by other parts of the network. For example, in medium-to-large branch offices, the local switch performs the classification and the services gateway or secure router performs the enforcement. Branch office network devices should be able to carry QoS markings through the VPN tunnels and apply the policy across the entire deployment, thereby providing end-to-end QoS.
- Traffic bursts: Bandwidth allocation can factor in traffic bursts during specific time periods, such as a quarterly close.
- Trust domains: Determine whether an upstream switch or router will accept the priority settings from a downstream device. For instance, a downstream VoIP phone may set a high L2 priority that an upstream switch can either ignore or accept before mapping the L2 priority to an L3 priority.
- Interfacing with your service provider network:
  - Identify the type of end-to-end QoS supported by your service provider. For example, support for short-pipe tunneling allows the customer's original priority setting to be transported unaltered across the service provider network, so that remote sites can make decisions based on those priority settings.
  - When designing the forwarding classes, consider the number of queues supported in the service provider network. For example, if only three classes are supported in the service provider network versus six in the enterprise network, the enterprise must assess the impact on end-to-end QoS of combining multiple enterprise classes into a few carrier classes.
  - Shape multicast and unicast traffic to the bandwidth purchased from the carrier while ensuring that critical traffic isn't dropped.
Figure 3: Example of financial institution with different QoS policies by path and application (diagram; nodes include HQ, Investment Banking, and Data Center)
Figure 3 shows an example of multiple logical paths between a data center and the investment banking, retail banking, headquarters, and financial services units of a large financial institution. Each of these paths, denoted by solid and dotted lines, can have different QoS requirements because they carry different applications with various SLAs. To meet the different QoS requirements, customers can configure forwarding class parameters as shown in the sample configuration below.
Table 3: Sample of Financial Institution Configuration for Four Forwarding Classes or Queues (columns: Forwarding classes, Buffer size, Transmit rate, Priority; the row values are summarized in the text below)

Note that queues with strict-high priority are serviced before high or low priority queues, as long as there are packets in the queue. To prevent other queues from being starved, the strict-high queue can be policed. Network control classes carry infrequent traffic, so a buffer size and transmit rate of 6% are sufficient. Expedited forwarding classes have a very small queue size to avoid jitter and latency; the expedited forwarding queue is also serviced aggressively, at a 20% transmit rate. Assured forwarding classes contain business-critical traffic and are given a large buffer and transmit rate with a high-priority service rate. The best-effort classes have 40% of the buffer space and the remainder of the available bandwidth.
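The four-class scheme of Table 3, together with the end-to-end strategy above (trust the DSCP set by the upstream switch, enforce at the WAN router), written as a Junos OS class-of-service configuration. This is an added example, not configuration from the paper: the 6% network-control, 20% expedited-forwarding and 40% best-effort figures come from the text, while the queue numbers, the DSCP code points, the 4% and 50% buffer sizes, the 34% assured-forwarding transmit rate, the interface name ge-0/0/0 and the platform-dependent rate-limit option are assumptions.

```junos
class-of-service {
    /* Four forwarding classes mapped to hardware queues (queue numbers are an assumption) */
    forwarding-classes {
        queue 0 best-effort;
        queue 1 expedited-forwarding;
        queue 2 assured-forwarding;
        queue 3 network-control;
    }
    /* Behavior-aggregate classifier: the branch switch already marked DSCP, so the
       router trusts those markings (the "trust domain" decision) and maps them to classes.
       Code-point choices are an assumption; AFx2 is mapped to high loss priority. */
    classifiers {
        dscp wan-dscp-in {
            forwarding-class network-control {
                loss-priority low code-points [ cs6 cs7 ];
            }
            forwarding-class expedited-forwarding {
                loss-priority low code-points ef;
            }
            forwarding-class assured-forwarding {
                loss-priority low code-points [ af11 af21 af31 af41 ];
                loss-priority high code-points [ af12 af22 af32 af42 ];
            }
            forwarding-class best-effort {
                loss-priority low code-points be;
            }
        }
    }
    /* Schedulers: buffer sizes sum to 100%; transmit rates sum to 60% plus the remainder */
    schedulers {
        nc-sched {
            /* Infrequent routing-protocol traffic: 6% buffer and 6% rate are sufficient */
            transmit-rate percent 6;
            buffer-size percent 6;
            priority high;
        }
        ef-sched {
            /* Small queue to bound delay and jitter, serviced first at strict-high priority.
               rate-limit polices the strict-high queue so it cannot starve the others
               (assumed to be available on the platform in use). */
            transmit-rate percent 20 rate-limit;
            buffer-size percent 4;
            priority strict-high;
        }
        af-sched {
            /* Business-critical traffic: large buffer and rate, high priority (values assumed) */
            transmit-rate percent 34;
            buffer-size percent 50;
            priority high;
        }
        be-sched {
            /* 40% of buffer and whatever bandwidth is left over */
            transmit-rate remainder;
            buffer-size percent 40;
            priority low;
        }
    }
    scheduler-maps {
        wan-sched-map {
            forwarding-class best-effort scheduler be-sched;
            forwarding-class expedited-forwarding scheduler ef-sched;
            forwarding-class assured-forwarding scheduler af-sched;
            forwarding-class network-control scheduler nc-sched;
        }
    }
    /* Apply on the WAN-facing interface (name assumed); rewrite-rules re-mark DSCP on
       egress so the markings survive into the VPN tunnel toward the remote sites */
    interfaces {
        ge-0/0/0 {
            scheduler-map wan-sched-map;
            unit 0 {
                classifiers {
                    dscp wan-dscp-in;
                }
                rewrite-rules {
                    dscp default;
                }
            }
        }
    }
}
```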
MX Series routers provide the following QoS advantages:
- Line-rate performance with QoS and access control lists (ACLs) to guarantee application performance and security without degraded throughput
- Easy provisioning using configuration scripts for rapid rollout of QoS
- Built-in denial of service (DoS) protection for enhanced security
- Less than 20 μs high-performance queue latency, providing low latency and jitter to applications
- Over 256,000 ACLs to provide granular control of traffic
- Over 128,000 hardware queues per chassis to provide ample room for controlling bandwidth
For further details, please refer to QoS on Juniper routers.
Figure 4: Example of a distributed enterprise with multiple layers of security (diagram; elements: MX Series Midrange, MX80, MX480, MX960, M120, SRX3600, QFX3500, EX4200/EX4500, GbE and 5xGbE links, Internet)
Figure 4 depicts an enterprise network with many branch offices and data centers interconnected through the enterprise WAN. The branch offices use Juniper Networks MX Series midrange routers (MX5, MX10, MX40, and MX80 3D Universal Edge Routers) to provide WAN and Internet connectivity, and the Juniper Networks SRX3600 Services Gateway to support virtual firewall functionality. The MX Series midrange routers provide high-performance routing in a compact form factor and improve investment protection by enabling a seamless upgrade between models using software licensing. The enterprise branch has consolidated many disparate security devices into the SRX3600, using an L3VPN and virtual firewalls. Additionally, the MX Series offers Juniper Networks Multiservices DPC (MS-DPC) full-slot modules to support firewall capability integrated into the router. The branch offices are connected using dual-homed links to the enterprise WAN core. The data center consists of a pair of Juniper Networks M120 Multiservice Edge Routers designed for resiliency to provide WAN connectivity, along with Juniper Networks EX4500/EX4200 Ethernet switches that provide 10GbE access for servers and act as the access layer connecting the servers and network attached storage (NAS) in the data center. The diagram also shows Juniper Networks MX80 3D Universal Edge Routers connected to QFX3500 Ethernet switches providing 10GbE access for servers. The QFX3500 provides high-density, ultra-low-latency 10GbE access for storage area networks (SANs), Fibre Channel (FC), Fibre Channel over Ethernet (FCoE), and high-performance computing (HPC). The core of the network consists of four pairs of MX960 3D Universal Edge Routers, which (like the M120) are designed for resiliency.
Automate: Ease of Management
To simplify network provisioning, monitoring, and maintenance, several management tools are recommended to reduce network downtime, minimize human error, and accelerate service deployment:
- Juniper Networks Junos Space Ethernet Design: provides best-practice service definitions such as port security, QoS, and spanning tree to plan, simulate, model, and diagnose issues in the network.
- Juniper Networks Junos Space Network Activate: provides best-practice service definitions for ELINE, ELAN, and ETREE services to quickly, accurately, and easily provision VPNs.
- Juniper Networks Junos Space Route Insight: provides a tool to easily plan, simulate, model, and diagnose issues in the MPLS network.
Figure 5: Ethernet Design, Network Activate, and Route Insight: Juniper's key management automation tools (table with columns Ethernet Design, Network Activate, Route Insight; Benefit row: Scale Service Deployment, Rapidly provision VPNs, Automates Network Resource Management; Function row: Simplify Operations, Rapidly diagnose MPLS network problems, Simulate Network Changes)
In addition to network management tools, network architects can also benefit from Junos OS scripts that help network engineers simplify and automate tasks. The following script types are available:
- Configuration scripts: Ideal for organizations that frequently change QoS policies that must be propagated to many routers. These scripts also ensure adherence to corporate network guidelines.
- Operation scripts: Organizations that want to simplify a series of iterative commands can create a custom command using an operation script. Enterprises can also create commands customized for specific solutions. These scripts reduce the risk of misconfiguration and improve productivity.
- Event scripts: Organizations can automate configuration changes in response to specific events with event scripts. For example, security can be enhanced by controlling access to user accounts based on the employee's shift time using event scripts.
Use Cases
The following sections highlight WAN use cases:
- Enterprise WAN
  - Private MPLS across a public service provider network
  - Private MPLS cloud
  - Public network
- Data center to data center interconnectivity, with Layer 2 stretch
- WAN aggregation
- Internet edge
The MX Series uniquely addresses enterprise network needs in a single platform based on simplicity:
- Massive upgradeability from 20 Gbps to 2.6 Tbps for a variety of application needs
- Range of interface speeds (10/100/1000M, 10GbE, OC3, OC12, OC48, DS3) for different WAN interconnects
- Massive scalability in Layer 2 and Layer 3, and advanced virtualization
- Traffic engineering and MPLS-based resiliency for superior application performance
- Dynamic GRE that simplifies provisioning of GRE tunnels
- Carrier-class reliability
- Uncompromised performance for QoS and services
- Pay-as-you-grow and dynamic scale elasticity (MX5 -> MX10 -> MX40 -> MX80) to adapt the network as business needs change:
  - Capacity: 20 Gbps -> 40 Gbps -> 60 Gbps -> 80 Gbps, with optional software license
  - Ethernet: 10/100 -> 1GbE -> 10GbE
  - Non-Ethernet: OC3 -> OC12 -> OC48
Use Case: Enterprise WAN: Private MPLS Across a Public Service Provider Network

Figure 6: IPsec encrypted MPLS traffic tunneled using GRE to a provider router for transport over service provider L3VPN (diagram; labels: Service Provider MPLS Overlay/Transparent, Ent-MPLS, Site A, Site B, Site C, CPE, Carrier Router 2, Enterprise)
Figure 6 depicts an enterprise running MPLS across a service provider L3VPN network. In this scenario, the enterprise has two locations (A and B) that send traffic to each other; site B also sends traffic to site C. The MPLS traffic from site A is sent via generic routing encapsulation (GRE) tunnels to site C and tunneled across the service provider's MPLS network. Likewise, the MPLS traffic from site B to site C is encrypted using IPsec and tunneled using GRE to site C through the service provider MPLS transport. At Carrier Router 3 for site C, the traffic is handed off using GRE tunnels to the customer premises equipment (CPE), where it is decrypted and sent over the organization's MPLS network.

Enterprises choose VPN services offered by service providers for a variety of reasons; some of the most common are cost and simplicity. Additionally, enterprises can choose between managed and unmanaged services. Many enterprises choose a managed CPE to reduce the cost of managing equipment. Unmanaged CPE is popular with enterprises that have the necessary resources and the desire to retain control over the network on their premises.
Figure 7: Before Case: Real example of legacy WAN using 30 dedicated links per application to interconnect data centers, with only 1% average utilization (diagram; labels: Data Center 1, Data Center 2, Corporate Campus, WAN, L3/L2)
In contrast, deploying Juniper Networks devices, Junos OS, and network virtualization provides simplicity and improved network utilization, with the flexibility needed to expand the network easily for future growth. With Juniper's enterprise WAN solution (as shown in Figure 8), the private MPLS cloud replaces dedicated link interconnectivity between the different entities using label-switched paths (LSPs) that can be set up on demand. Business continuity is maintained using MPLS fast reroute, while per-application bandwidth is maintained using traffic engineering. Significant CapEx and OpEx savings are achieved while privacy and security improve through logical MPLS separation.
Figure 8: After Case: Real deployment using Juniper's simplified WAN design using network virtualization eliminates application dedicated links (diagram; labels: Data Center 1, Data Center 2, Corporate Campus, WAN; callouts: no dedicated links, 100% improvement in utilization; applications engineered into LSPs across the MPLS core; critical applications protected by fast reroute detour paths and secondary LSPs)
In this example, the key principles of Juniper's simplified WAN design were:
- Simplicity: eliminating application-dedicated links
- Sharing: applications share links while maintaining logical separation
- Security: separating resources and easily directing traffic to centralized and virtualized firewalls
- Manageability through automation: tools in the form of scripts that provide self-monitoring, self-diagnosing, and self-healing capabilities, along with several network management tools that help with easy provisioning, monitoring, and troubleshooting of the network
Figure 9: Inter data center connectivity over MPLS core (diagram; labels: MX Series, MPLS, VLAN, EX Series, VM1, VM2, DB1 in Data Center 1 and Data Center 2)
Figure 10: WAN aggregation of remote branch offices using WAN aggregation routers (diagram; labels: Public/Private WAN, AS1, AS2, WAN aggregation router M Series/MX Series, static routes/EBGP, SRX Series branch router, M Series/MX Series branch router)
Figure 10 depicts two branch offices connected to the public WAN (carrier provided) or the private WAN (enterprise owned). The branch routers are dual-homed, for resiliency, to two aggregation routers. The WAN aggregation devices are two MX Series or M Series routers. The two WAN aggregation devices are placed in separate autonomous systems (for example, AS1 and AS2) to keep the routing separate. The branch routers reach the aggregation routers using either static routes or EBGP. Enterprises that require enhanced resiliency use two providers for WAN aggregation, i.e., AS1 belongs to provider 1 and AS2 belongs to provider 2. This redundancy ensures that the enterprise WAN is not affected by the failure of any one provider. Note that larger branches use dual (redundant) branch routers for greater reliability, as shown in the following example.
Figure 11: Internet edge access through headquarters carried through the enterprise WAN (diagram; labels: HQ with M Series/MX Series and MX Series Midrange/M Series routers, DMZ-SRX, Internet, EBGP; Branch 1 (small branch) with SRX Series branch router; Branch 2 (medium branch) with MX80/MX Series Midrange routers, IBGP, OSPF, Virtual Chassis; WAN; static routes/EBGP)
Figure 11 depicts two branch offices (Branch 1 and Branch 2) connected to headquarters (HQ) in a hub-and-spoke topology through the enterprise WAN. Branch 1, a small branch, has an SRX Series branch router that connects it to the WAN. Branch 2, a medium-sized branch, has two dual-homed SRX Series branch routers providing WAN connectivity and EX Series access switches connecting the servers and phones to the branch routers. The branch routers run IBGP and OSPF. The EX Series switches are combined in a Virtual Chassis. All Internet traffic is carried through the enterprise WAN to headquarters, where it passes through firewalls in the DMZ that perform deep packet inspection to identify malicious content and to monitor and regulate bandwidth consumption by applications in the branch offices. The MX Series midrange routers (MX5/MX10/MX40/MX80) are ideal for the Internet edge, as they provide seamless upgradeability on a single platform using software licensing. Enterprises that do not require Internet traffic to be carried to headquarters through the WAN allow split tunneling of the traffic at the branch. Split tunneling lets Internet traffic exit directly from the branch. However, to meet security and regulatory compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS), these enterprises deploy security devices at the branch that perform deep packet inspection of Internet traffic. Juniper Networks SRX Series Services Gateways provide a range of security features that are ideal for branch security.
Figure 12: Internet edge providing backup connectivity to the enterprise WAN (diagram; labels: Branch 1, Branch 2, Carrier WAN, Public Internet, MX5/MX10/MX40/MX80, static routes/EBGP, IPsec; note: MX Series midrange consists of the MX5, MX10, MX40, and MX80)
Figure 12 depicts two branch offices (Branch 1 and Branch 2) connected to the enterprise WAN and the Internet edge. The branch routers are connected to the WAN aggregation routers, and traffic is routed between them using either static routes or EBGP. If the primary connectivity between the branch and the WAN fails, the branch router establishes an IPsec tunnel over the Internet to Branch 2. The MX Series midrange routers provide Internet connectivity and are ideal for the Internet edge, as they support an uncompromising feature set and the flexibility to upgrade on a single platform through software licensing. Enterprises that implement this form of resiliency must ensure that the bandwidth of the WAN and Internet connections is comparable. Further, these enterprises can expect application performance to degrade when using the Internet as a backup, and therefore may decide to route only some critical applications over the Internet during failover. One of the primary benefits of this use case is its low cost and ease of deployment.
Conclusion
Enterprises have been responding to new business demands and increased competitive pressure by adopting new applications that transport mission-critical data, and by adding distributed branch offices and data centers. These changes have increased the complexity of maintaining and upgrading the network infrastructure, and they have made the network increasingly inflexible in meeting growing business needs. Organizations can employ Juniper's WAN design principles to address these challenges:
- Simplify the network infrastructure by reducing the number of devices, links, and operating systems
- Share the network infrastructure through virtualization to improve performance and asset utilization
- Secure the network comprehensively
- Automate network provisioning, monitoring, and troubleshooting
These design principles can help organizations improve the end user experience, increase the velocity of application deployment, and improve security and privacy, while at the same time delivering cost savings and operational efficiencies.
Copyright 2011 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
8030009-003-EN
Apr 2011