REFERENCE ARCHITECTURE

Enterprise WAN Reference Architecture

Copyright © 2011, Juniper Networks, Inc.

Table of Contents

Introduction
Scope
Target Audience
Industry Trends Influencing WAN Design
WAN Design Considerations
Juniper’s Advanced Routing Technology—Solution Profile Overview
Juniper’s Advanced Routing Technology—Virtualization
Juniper’s Advanced Routing Technology—High Availability
Best Practices and Tips—HA
Juniper’s Advanced Routing Technology—QoS
Best Practices and Tips—QoS
Juniper’s Advanced Routing Technology—Security
Best Practices and Tips—Security
Juniper’s Advanced Routing Technology—Multicast
Best Practices and Tips—Multicast
Automate—Ease of Management
Use Cases
Use Case: Enterprise WAN—Private MPLS Across a Public Service Provider Network
Use Case: Enterprise WAN—Private MPLS Cloud
Private MPLS Cloud: Some Benefits of Simplification (Before and After)
Use Case: Data Center to Data Center Interconnectivity with L2 Stretch
VPLS over GRE
Use Case: WAN Aggregation
Use Case: Internet Edge
Case 1: Corporate Internet Access Through Enterprise WAN
Case 2: Internet Edge Backup Connectivity
Conclusion
References
About Juniper Networks

Table of Figures

Figure 1: Summary of advanced routing technologies that simplify, share, secure, and automate the WAN
Figure 2: Complementary virtualization technologies from Juniper
Figure 3: Example of financial institution with different QoS policies by path and application
Figure 4: Example of a distributed enterprise with multiple layers of security
Figure 5: Ethernet Design, Network Activate, and Route Insight—Juniper’s key management automation tools
Figure 6: IPsec encrypted MPLS traffic tunneled using GRE to a provider router for transport over service provider L3VPN
Figure 7: Before case: real example of legacy WAN using 30 dedicated links per application to interconnect data centers, with only 1% average utilization
Figure 8: After case: real deployment using Juniper’s simplified WAN design using network virtualization eliminates application-dedicated links
Figure 9: Inter data center connectivity over MPLS core
Figure 10: WAN aggregation of remote branch offices using WAN aggregation routers
Figure 11: Internet edge access through headquarters, carried through the enterprise WAN
Figure 12: Internet edge providing backup connectivity to the enterprise WAN


Introduction

Juniper Networks’ approach to WAN design is based on four fundamental design principles that help customers design a simplified architecture:

• Simplify the network, by reducing the number of required network devices, links, and inherent complexity

• Share network resources through virtualization to improve asset utilization

• Secure the network comprehensively

• Automate to provision, monitor, and troubleshoot the network

Many organizations have experienced rapid growth in business requirements, applications, distributed branch offices, and data centers, and over time these growth factors have increased network complexity. The challenge is to transport the growing volume of mission-critical and delay-sensitive traffic cost effectively while improving security and privacy over the WAN. Juniper approaches this challenge using the four design principles outlined above. This paper examines:

• Technology and services trends, such as cloud computing, that impact architectural decisions

• Design considerations, which provide a basic architectural framework

• Juniper’s advanced routing technology, which provides tools to address different business requirements

• Enterprise WAN use cases, which describe common deployment scenarios

Scope

This WAN reference architecture discusses WAN design concepts, and it also presents use cases and practical examples to

help WAN architects and engineers address requirements for designing simplified WANs.

The use cases outlined in this paper include:

• Enterprise WAN

- Private MPLS across a public service provider network

- Private MPLS cloud

• Data center to data center interconnectivity

• WAN aggregation

• Internet edge

- Corporate Internet access through WAN backhaul

- Internet edge backup connectivity

Target Audience

This paper describes Juniper Networks’ simplified WAN architecture. This architecture is particularly suitable for organizations

that are:

• Improving their WAN infrastructure to enhance their competitive advantage

• Deploying bandwidth-hungry applications, such as video conferencing

• Consolidating links, data centers, or servers for cost savings

• Deploying a private, hybrid, or public cloud for improving productivity

This document serves as a reference tool for the following network personnel:

• Network engineers

• Network architects

• Security managers

• IT and network industry analysts

• Juniper partners

• Any person with an interest in WAN design.


Industry Trends Influencing WAN Design

WAN designs are shaped not only by business requirements but also, independently, by general industry trends. The two major trends, shown in Table 1 below, are technology trends and services trends, and both have a material impact on WAN design.

Table 1: General Industry Trends Influencing WAN Design

Technology trends
  Business impact:
  • Decline in connectivity pricing
  • Increase in availability of connectivity options
  Network impact:
  • Increase in adoption of Gigabit Ethernet, L2VPN, and L3VPN
  • Increase in adoption of many types of connectivity in the same WAN

Services trends
  Business impact:
  • More availability of cloud services for applications, storage, and data
  Network impact:
  • Adds pressure for WAN bandwidth
  • Applications, storage, and data are accessed by distributed branch offices, remote data centers, and remote workers, which results in inter-communication and a mesh topology

Technology Trends

Advancements in technology have led to an increase in WAN connectivity options and lower prices. This presents an opportunity for organizations to reevaluate their WAN designs, to improve performance, and to save costs. For example, a drop in the price of 10GbE has created an opportunity for enterprises to leapfrog in bandwidth speeds, allowing them to migrate from DS3/OC3 to 10GbE and replace private leased lines with Ethernet services.

Services Trends

Enterprises have been adopting cloud services, such as private, hybrid, and public cloud, to increase productivity and reduce

costs. Using cloud services may increase WAN bandwidth requirements, as applications and data are now pushed over the WAN.

The growth of WAN traffic can also occur organically as businesses add remote locations to better serve their customers. Distributed branch offices, remote data centers, and remote workers commonly add traffic over the WAN, and can also create more meshed topologies.


WAN Design Considerations

There are many WAN design considerations that can help organizations simplify, share, secure and automate their network.

Below are some of these design considerations:

Simplify:

• Reduce the number of physical devices, links, and complexity—Organizations commonly reduce the number of physical storage devices and physical servers with virtualization. The same holds true for the network. The high-performance and advanced routing capabilities of Juniper Networks® MX Series 3D Universal Edge Routers now make device, link, and complexity reduction possible. The reduction of physical devices and links also has a positive impact on CapEx and OpEx, power use, space consumption, and manageability.

• Reduce the number of operating systems—Change management becomes especially difficult as the number of network operating systems increases. Juniper runs one consistent operating system across its portfolio of routing, switching, and security products. A single operating system also reduces training requirements and improves operational efficiency.

• Prepare for future expansion—Future readiness and simplification are best engineered over a period of time, so that the network has sufficient headroom to accommodate future growth easily.

• Select an appropriate topology—The topology of the network (such as mesh or hub and spoke) and the traffic pattern are important design considerations, because the choice affects not only cost but also the responsiveness of the business.

Share:

• Share network resources through virtualization to dramatically improve asset utilization, privacy, and traffic segmentation—Juniper offers a number of virtualization technologies, ranging from link virtualization to device virtualization and network virtualization.

• Increase resiliency and reliability across network resources—Network resiliency and reliability are critical to maintaining

business continuity and regulatory compliance, and organizations can not only improve network device resiliency and

reliability, but also improve that of WAN connectivity.

• Add traffic engineering, where appropriate, to optimally share network resources—Today’s bandwidth-hungry applications

are consuming ever increasing amounts of network bandwidth and are impeding the performance of mission critical data.

Traffic engineering offers another valuable tool to optimize network resources.

Secure:

• Improve security and compliance—Enterprises are increasingly subject to regulatory compliance mandates that require critical

data to be separated from other data in the enterprise network. Further, enterprises must ensure that their data is protected

from an ever increasing range of attacks. Juniper offers many technologies to improve privacy, security, and compliance.

Automate:

• Improve manageability—Automated provisioning, monitoring, and troubleshooting improve manageability, enhancing

business agility and reducing OpEx.


Juniper’s Advanced Routing Technology—Solution Profile Overview

Juniper provides organizations with a wide range of advanced routing technologies to meet design considerations such as

high manageability, resiliency, application performance, security, and compliance:

• Virtualization—Network virtualization features make applications completely transparent to underlying network

architecture. This allows changes to architecture without impact to applications, enabling greater flexibility. Virtualization

also provides better utilization of resources for lowering costs and improving power utilization.

• Low latency multicast—Multicast technologies provide timely delivery of services to a large number of users, and distribute

that traffic efficiently.

• Carrier-class reliability—Juniper provides hardware resiliency; and also network and software redundancy.

• Quality of service (QoS)—Sophisticated policies expedite delay-sensitive content with predictable and measurable results.

• Security—Security is enhanced using a combination of countermeasures such as separation of traffic for privacy, as well as techniques that provide network-layer and application-layer security.

• Consistent operating environment—Juniper Networks Junos® operating system provides a common language across Juniper’s routing, switching, and security devices, and is also easily upgradable with unified in-service software upgrade (unified ISSU) for full releases.

Figure 1: Summary of advanced routing technologies that simplify, share, secure, and automate the WAN

Figure 1 shows Juniper’s advanced routing technologies layered on top of our innovative advanced silicon and hardware, such as our latest 3D Trio chipset. Juniper’s advanced hardware is supported by a single operating system—Junos OS—and a single release train that works across routing, switching, and security platforms. The powerful Junos OS drives Juniper’s advanced routing portfolio. The following sections provide more details of the major components of advanced routing.

[Figure 1 content: the Advanced Routing Portfolio sits on top of Junos OS and Advanced Silicon and Hardware, arranged under the columns Simplify, Share, Secure, and Automate. Virtualization: GRE, MPLS, VPLS, Logical Systems, Virtual Router, Virtual Chassis. Low-Latency Multicast: ASIC-based forwarding and replication, P2MP TE. Carrier-Class Reliability: fully redundant hardware, ISSU, FRR, BFD. QoS: hierarchical queuing, commit scripts, statistical reporting. Security: IPsec, NAT, stateful firewall, firewall filters, DAA.]


Juniper’s Advanced Routing Technology—Virtualization

Virtualization is one of the most important advanced routing technologies. Links, network devices, and the network itself can be virtualized to provide higher asset utilization and significant cost savings. Three major virtualization categories are complementary to one another:

• Device partitioning (1:N)—Takes one physical device and partitions it into logical devices. Examples of device partitioning include VLANs, VPN routing and forwarding (VRF), integrated routing and bridging (IRB), virtual routers and bridges, and Juniper Networks JCS1200 Control System.

• Network communication (N:M)—Provides many-to-many communication. Includes MPLS, and consists of L3VPNs (MPLS, generic routing encapsulation, IPsec) and L2VPNs (virtual private LAN service, pseudowires, 802.1Q).

• Device aggregation (N:1)—Takes many physical devices and aggregates them into logical devices. Examples include Virtual Chassis, multichassis link aggregation group (LAG), Juniper Networks TX Matrix, and the JCS1200 Control System.

Figure 2: Complementary virtualization technologies from Juniper

For a more detailed discussion of virtualization in the enterprise, please see: Extending the Virtualization Advantage with Network Virtualization.

[Figure 2 content: three virtualization categories, each with Juniper’s key virtualization technologies and other virtualization technologies. Device partitioning (1:N): Logical Systems, JCS 1200; VLAN, VRF, IRB, virtual routers, virtual bridging. Network communication (N:M), virtualization with MPLS: L3 VPN (MPLS, GRE, IPsec), L2 VPN (VPLS, pseudowires, 802.1Q), circuit to packet (TDM, serial, etc. to IP); VLAN, MPLS. Device aggregation (N:1): Virtual Chassis, multi-chassis LAG, TX Matrix, JCS 1200.]


Juniper’s Advanced Routing Technology—High Availability

Organizations that desire increased resiliency and reliability can benefit from Juniper’s high availability (HA) technology.

Organizations can select an appropriate level of link and device redundancy that supports their HA requirements, per

given location.

Link-level HA requires two links operating in an active/backup arrangement, so that if one link fails the other takes over forwarding. Link-level resiliency combines fault detection with fault mitigation techniques that together address failures. Some examples include:

• Bidirectional Forwarding Detection (BFD) provides fast, proactive detection of link faults; combined with MPLS fast reroute, which pre-computes the alternate path, traffic is switched to that path within 50 ms of detection.

• Link aggregation group (LAG), multichassis link aggregation (MC-LAG), and Ethernet ring protection provide additional link-level resiliency at Layer 2.

Device-level HA complements link-level HA and includes:

• Graceful restart, which provides nonstop forwarding through an individual routing protocol restart and convergence.

• Unified ISSU, which enables upgrading full software releases while the router is still operational, without requiring that the router be brought down during a scheduled maintenance window.

• Virtual Chassis, which combines multiple switches or routers into a virtual entity that can provide protection for

node failures and failure of links connected to the Virtual Chassis. Virtual Chassis technology allows organizations to

incrementally upgrade their switching or routing capacity by adding additional devices to the Virtual Chassis.

For a detailed technical description of Juniper’s HA features, please refer to HA Technical Documentation.

Best Practices and Tips—HA:

• Enterprises deploy collocation data centers to achieve greater resiliency. The traffic flow to and from any of these collocation centers into the WAN must be designed to be symmetric, to prevent asymmetric routing issues. Grouping routers based on BGP community strings also mitigates asymmetric routing issues. For instance, branch office routers can advertise a BGP community for each application based on the preferred data center.

• The use of monitoring applications and technologies can lead to higher network and application availability. With VoIP, for instance, a combination of BFD to detect link failures, MPLS fast reroute to mitigate faults, and a voice quality monitoring application can provide optimal results.
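The following Junos configuration is an added example written for this page, not configuration taken from the Juniper paper. It puts the HA points above on one branch router: BFD on the IGP and BGP sessions for fast fault detection, an RSVP-signaled LSP with fast reroute toward the data center, and a BGP export policy that tags each application prefix with the community of its preferred data center so the data center side can keep return traffic symmetric. The matching data center import policy is shown in the same block for reference but would be applied on the data center router. Interface names, addresses, AS numbers, community values, and prefix lists are all assumed.

```junos
/* Added example for this page, not Juniper's published configuration.
   Branch router: BFD-protected OSPF and BGP sessions, an RSVP LSP with
   fast reroute toward DC1, and community tagging for symmetric routing.
   All names, addresses, AS numbers and community values are assumed. */
interfaces {
    ge-0/0/0 {
        description "WAN uplink toward DC1 (assumed)";
        unit 0 {
            family inet { address 10.1.1.2/30; }
            family mpls;
        }
    }
    lo0 { unit 0 { family inet { address 10.255.1.10/32; } } }
}
routing-options { autonomous-system 65100; }
protocols {
    rsvp { interface ge-0/0/0.0; }
    mpls {
        interface ge-0/0/0.0;
        label-switched-path to-dc1 {
            to 10.255.1.1;              /* DC1 router loopback (assumed) */
            fast-reroute;               /* pre-signal detours: repair is local, not IGP convergence */
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 { passive; }
            interface ge-0/0/0.0 {
                bfd-liveness-detection {
                    minimum-interval 100;   /* 100 ms x multiplier 3 = 300 ms detection */
                    multiplier 3;
                }
            }
        }
    }
    bgp {
        group dc-peers {
            type external;
            peer-as 65001;
            neighbor 10.1.1.1 {
                bfd-liveness-detection { minimum-interval 300; multiplier 3; }
                export tag-preferred-dc;
            }
        }
    }
}
policy-options {
    community PREFER-DC1 members 65000:101;
    community PREFER-DC2 members 65000:102;
    prefix-list voice-subnets { 192.168.10.0/24; }   /* assumed branch subnets */
    prefix-list erp-subnets   { 192.168.20.0/24; }
    /* Branch side: each advertised application prefix carries the community
       of the data center that should be its entry point; nothing else is
       advertised, so no unintended prefix leaks into the WAN. */
    policy-statement tag-preferred-dc {
        term voice { from { prefix-list voice-subnets; } then { community add PREFER-DC1; accept; } }
        term erp   { from { prefix-list erp-subnets; }   then { community add PREFER-DC2; accept; } }
        term other { then reject; }
    }
    /* Data center side (shown for reference; applied as a BGP import policy
       on the DC1 router, not on the branch): prefer the prefixes tagged for
       this site so the outbound and return paths agree. */
    policy-statement dc1-import {
        term mine   { from { community PREFER-DC1; } then { local-preference 200; accept; } }
        term others { from { community PREFER-DC2; } then { local-preference 100; accept; } }
        term rest   { then accept; }
    }
}
```

After commit, `show bfd session` lists both sessions with their detection times, `show mpls lsp extensive` shows whether a detour was actually established for the LSP (fast reroute only helps if a physically disjoint path exists), and `show route advertising-protocol bgp 10.1.1.1 detail` confirms that only the tagged prefixes leave the branch and which community each carries.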

Network Virtualization with MPLS

Many customers have deployed private MPLS network virtualization because of the wealth of benefits that it provides. MPLS brings the benefits of circuits to IP, including:

• Privacy and network segmentation: Virtualization supports network segmentation and privacy. Organizations can obtain the benefits of traffic segmentation without dedicated links.

• Enhanced user experience: Enhances the end user application experience with traffic engineering, which enables fine-tuning of the network to deliver appropriate levels of QoS and service-level agreements (SLAs).

• Improved network resiliency: Improves network resiliency with features like MPLS fast reroute, enabling sub-50 millisecond reroute.

• Scale for future growth: Boosts network scalability and performance to provide headroom for future growth.

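As an added example, not configuration from the Juniper paper, the following Junos fragment shows what the segmentation and privacy point above looks like on a single MPLS PE router, and at the same time illustrates the VRF form of device partitioning (1:N) and the L3VPN form of network communication (N:M) from the virtualization section. Two business units share one router and one core link but live in separate VRFs, so neither can reach the other's routes unless a route target is deliberately imported. Interface names, addresses, the AS number, route distinguishers, and route targets are assumed.

```junos
/* Added example for this page, not Juniper's published configuration.
   One PE router and one MPLS core link carry two tenants (FINANCE, HR)
   in separate VRFs. Names, addresses, AS number, RDs and RTs are assumed. */
interfaces {
    ge-0/0/0 {                             /* MPLS core-facing link, shared by every VRF */
        unit 0 { family inet { address 10.0.0.1/30; } family mpls; }
    }
    ge-0/0/1 {                             /* tenant-facing link, one VLAN per tenant */
        vlan-tagging;
        unit 100 { vlan-id 100; family inet { address 192.168.100.1/30; } }
        unit 200 { vlan-id 200; family inet { address 192.168.200.1/30; } }
    }
    lo0 { unit 0 { family inet { address 10.255.0.1/32; } } }
}
routing-options { autonomous-system 65000; }
protocols {
    ospf { area 0.0.0.0 { interface ge-0/0/0.0; interface lo0.0 { passive; } } }
    ldp  { interface ge-0/0/0.0; }         /* transport labels between PEs */
    mpls { interface ge-0/0/0.0; }
    bgp {
        group pe-ibgp {
            type internal;
            local-address 10.255.0.1;
            family inet-vpn unicast;       /* VPNv4 routes plus VPN labels to the remote PE */
            neighbor 10.255.0.2;           /* remote PE loopback (assumed) */
        }
    }
}
routing-instances {
    FINANCE {
        instance-type vrf;
        interface ge-0/0/1.100;
        route-distinguisher 65000:100;
        vrf-target target:65000:100;       /* import and export only routes tagged for FINANCE */
        vrf-table-label;
        routing-options { static { route 192.168.110.0/24 next-hop 192.168.100.2; } }
    }
    HR {
        instance-type vrf;
        interface ge-0/0/1.200;
        route-distinguisher 65000:200;
        vrf-target target:65000:200;       /* different target: HR never learns FINANCE routes */
        vrf-table-label;
        routing-options { static { route 192.168.210.0/24 next-hop 192.168.200.2; } }
    }
}
```

The separation is enforced entirely by route-target import, so `show route table FINANCE.inet.0` must show only FINANCE prefixes; an HR prefix appearing there means a target was leaked (for example by a later vrf-import policy). For compliance purposes, treat changes to vrf-target and vrf-import statements with the same review rigor as firewall changes, because they are the segmentation boundary.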


Juniper’s Advanced Routing Technology—QoS

Organizations that are looking for increased application performance and bandwidth optimization can benefit from Juniper’s quality-of-service solutions.

Defining a QoS strategy requires two main elements—classification and prioritization.

• Juniper provides two classification types:

- Behavior aggregate (BA) classifiers, where the forwarding class is based on a single field already marked in the packet, such as IP precedence, DSCP, or MPLS EXP. They are called behavior aggregates because one code point stands for an aggregate of flows that should all receive the same per-hop behavior. BA classifiers are normally used in the core of the network.

- Multifield (MF) classifiers, where the forwarding class and loss priority of a packet are based on one or more field values in the packet, such as the 5-tuple: source and destination IP address, source and destination TCP or UDP port, and protocol. MF classifiers are normally used at the network edge.

• Prioritization involves prioritizing network and application traffic according to levels of sensitivity and criticality. Multiple forwarding classes (queues) can be used to prioritize application traffic based on sensitivity to latency, jitter, or packet loss. Some sample settings are illustrated below:

Table 2: Sample of Four Classes or Queues, Along with Their Traffic Characteristics

Forwarding class | Priority | Latency/packet delay sensitivity | Jitter sensitivity | Packet loss sensitivity | Sample traffic
Network control | High | None | None | High | Routing protocols
Expedited forwarding | Strict-high* | Low | Low | Medium | VoIP
Assured forwarding | High | Medium | Medium | High | Business applications, virtual desktops
Best effort | Low | None | None | None | Other data

*Queues with strict-high priority are serviced before high or low priority queues, as long as there are packets in the queue.

Network control—Referring to traffic such as routing protocols, this class is given high priority due to its high packet loss sensitivity.

Expedited forwarding (EF)—Provides low loss, latency, and jitter, and assured bandwidth for end-to-end service.

Assured forwarding (AF)—Provides a group of services (e.g., AF1 through AF4), each with low, medium, or high drop probability. Data in AF classes are more sensitive to packet loss than data in the EF class.

Best effort—Does not give any preference in queuing and forwarding during periods of congestion.

End-to-end QoS strategy—To enforce a successful QoS strategy, organizations must associate incoming traffic with forwarding classes based on priorities set on the packets by other parts of the network. For example, in medium-to-large branch offices, the local switch performs the classification and the services gateway or secure router performs the enforcement. Branch office network devices should be able to carry QoS markings through the VPN tunnels and apply the policy across the entire deployment, thereby providing end-to-end QoS.

Best Practices and Tips—QoS:

• TCP or UDP—The selection of forwarding classes and congestion control algorithms can be influenced by whether the traffic is TCP or UDP. TCP can be classified in the assured forwarding class, since TCP is more tolerant of packet loss thanks to its retransmission and dynamic window sizing, which UDP lacks. UDP applications, such as voice, can be classified in the expedited forwarding class.

• Application criticality—Review applications for criticality, even within a given forwarding class. For instance, secure file transfers do not necessarily need to receive the same treatment as SNMP, even though both are assigned to the assured forwarding class.

• Maximum allowed bandwidth—Selected traffic can be limited to a certain percentage of the bandwidth to ensure fairness among the classes. For example, email traffic can be limited to a certain amount of bandwidth once an estimated email traffic ceiling has been established.


• Traffic bursts—Bandwidth allocation can factor in traffic bursts during specific time periods, such as a quarterly close.

• Trust domains—Determine whether an upstream switch or router will accept the priority settings from a downstream device. For instance, a downstream VoIP phone may set a high L2 priority that an upstream switch can either ignore or accept before mapping the L2 priority to an L3 priority. Accepting markings from a device you do not control lets that device claim strict-high treatment for whatever it sends, so markings are normally reset or re-classified at the trust boundary.

• Interfacing with your service provider network

- Identify the type of end-to-end QoS supported by your service provider. For example, support for the short-pipe tunneling model allows the customer’s original priority settings to be transported unaltered across the service provider network, so that remote sites can make decisions based on those priority settings.

- In designing the forwarding classes, consider the number of queues supported in the service provider network. For example, if only three classes are supported in the service provider network versus six in the enterprise network, the enterprise must assess the impact on end-to-end QoS of collapsing the enterprise classes into the few available in the carrier network.

- Shape multicast and unicast traffic to the bandwidth purchased from the carrier while ensuring that critical traffic isn’t dropped.

Figure 3: Example of financial institution with different QoS policies by path and application

Figure 3 shows an example of multiple logical paths between a data center and the investment banking, retail banking, headquarters, and financial services of a large financial institution. Each of these paths, denoted by solid and dotted lines, can have different QoS requirements because they run different applications with various SLAs. To achieve the different QoS requirements, customers can configure forwarding class parameters as shown in the sample configuration below.

Table 3: Sample of Financial Institution Configuration for Four Forwarding Classes or Queues

Forwarding Classes     Buffer Size    Transmit Rate    Priority
Network Control        6%             6%               High
Expedite Forwarding    50 ms          20%              Strict-high
Assured Forwarding     40%            40%              High
Best Effort            40%            Remainder        Low

It is important to note that queues with strict-high priority are serviced before high or low priority queues, as long as there are packets in the queue. To prevent other queues from getting starved, the strict-high queue can be policed.

• Network control classes have infrequent traffic, and therefore a buffer size and transmit rate of 6% are sufficient.

• Express Forwarding classes have a very small queue size to avoid jitter and latency. The Express Forwarding queue is also serviced aggressively at a 20% transmit rate.

• Assured forwarding classes contain business critical traffic and are given a large buffer allocation and transmit rate, serviced at high priority.

• The best-effort classes have 40% of the buffer space and the rest of the available bandwidth.
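An added configuration example, not from the Juniper paper, that expresses Table 3 as a Junos class-of-service scheduler configuration; scheduler, scheduler-map and interface names are assumptions, and the `exact` keyword is what polices the strict-high queue as the text recommends.

```junos
/* Added example: Junos class-of-service configuration for the four
   forwarding classes of Table 3. Scheduler, scheduler-map and interface
   names are constructed for illustration. */
class-of-service {
    forwarding-classes {
        queue 0 best-effort;
        queue 1 expedited-forwarding;
        queue 2 assured-forwarding;
        queue 3 network-control;
    }
    schedulers {
        sched-nc {
            /* infrequent control traffic: 6% buffer and 6% transmit rate */
            transmit-rate percent 6;
            buffer-size percent 6;
            priority high;
        }
        sched-ef {
            /* small temporal buffer (50 ms, given in microseconds) keeps
               jitter and latency low; strict-high is served before the
               high/low queues whenever it holds packets, and "exact" caps
               it at 20% so it cannot starve the other queues */
            transmit-rate percent 20 exact;
            buffer-size temporal 50000;
            priority strict-high;
        }
        sched-af {
            /* business-critical traffic: 40% buffer and 40% transmit rate */
            transmit-rate percent 40;
            buffer-size percent 40;
            priority high;
        }
        sched-be {
            /* best effort gets 40% of the buffer and whatever bandwidth is left */
            transmit-rate remainder;
            buffer-size percent 40;
            priority low;
        }
    }
    scheduler-maps {
        wan-edge-map {
            forwarding-class network-control scheduler sched-nc;
            forwarding-class expedited-forwarding scheduler sched-ef;
            forwarding-class assured-forwarding scheduler sched-af;
            forwarding-class best-effort scheduler sched-be;
        }
    }
    interfaces {
        /* WAN-facing interface name is an assumption */
        ge-0/0/0 {
            scheduler-map wan-edge-map;
        }
    }
}
```

After commit, `show class-of-service scheduler-map wan-edge-map` displays the resolved per-queue rates and priorities so the result can be checked against Table 3.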



Juniper's Advanced Routing Technology—Security

Today's security requirements have grown as an organization's interconnected network must support an increasing number of remote users that include suppliers, partners, customers, and employees at remote locations. Attacks have also grown in sophistication and frequency. Juniper offers several comprehensive security solutions that protect the WAN:

• Comprehensive Security—A comprehensive set of security features that include Web filtering, deep inspection, and intrusion detection and prevention (IDP).

• Juniper Networks Adaptive Threat Management Solutions—Provides solutions that constitute high-performance security platforms adaptable to ever-changing security threats. Business benefits include proactive data protection, business continuity, and reduced TCO resulting from fewer network disruptions.

• VPNs—IPsec VPN and MPLS VPN that provide a logical separation of data and improve the privacy of data. These also offer a cost-effective alternative to expensive dedicated links to provide traffic separation.

Figure 4: Example of a distributed enterprise with multiple layers of security

MX Series routers provide the following QoS advantages:

• Line-rate performance with QoS and access control lists (ACLs) to guarantee application performance and security without degraded throughput

• Easy provisioning using configuration scripts for rapid rollout of QoS

• Built-in denial of service (DoS) protection for enhanced security

• Less than 20 µs high-performance queue latency provides low latency and jitter to applications

• Over 256,000 ACLs to provide granular control of traffic

• Over 128,000 hardware queues per chassis to provide ample room for controlling bandwidth

For further details, please refer to QoS on Juniper Routers.



Figure 4 depicts an enterprise network with many branch offices and data centers interconnected to the enterprise WAN. The branch offices are using Juniper Networks MX Series midrange routers (MX5, MX10, MX40, and MX80 3D Universal Edge Routers) to provide WAN and Internet connectivity, and the Juniper Networks SRX3600 Services Gateway to support virtual firewall functionality. The MX Series midrange routers provide high performance routing in a compact form factor and improve investment protection by enabling a seamless upgrade between models using software licensing. The enterprise branch has consolidated many disparate security devices into the SRX3600, using an L3VPN and virtual firewalls. Additionally, the MX Series offers Juniper Networks Multiservices DPC (MS-DPC) full-slot modules to support firewall capability that is integrated into the router.

The branch offices are connected using dual-homed links to the enterprise WAN core. The data center consists of a pair of Juniper Networks M120 Multiservice Edge Routers designed for resiliency to provide WAN connectivity, along with Juniper Networks EX4500/EX4200 Ethernet switches providing 10GbE access for servers, which act as the access layer connecting to the servers and network attached storage (NAS) in the data center. The diagram also shows Juniper Networks MX80 3D Universal Edge Routers connected to QFX3500 Ethernet switches providing 10GbE access for servers. The QFX3500 provides high density, ultra-low latency 10GbE access for storage area networks (SANs), Fibre Channel (FC), Fibre Channel over Ethernet (FCoE), and High Speed Computing (HPC). The core of the network consists of four pairs of the MX960 3D Universal Edge Router, which (like the M120) have been designed for resiliency.

Best Practices and Tips—Security:

• Ensure that untrusted VPNs pass through a firewall.

• Where possible, consolidate firewalls into a common path where traffic from multiple VPNs can be funneled.

• For MPLS VPN, associate VPNs to specific WAN networks to ensure that VPNs which must exist in multiple WANs can use efficient interconnections.

For further details on Juniper security, please refer to Security literature.

Juniper's Advanced Routing Technology—Multicast

Organizations are deploying many services like video on demand that add a large amount of traffic onto the WAN. Using multicast services can dramatically improve the efficiency of that traffic distribution. Juniper offers a range of multicast services that are suitable for MPLS or non-MPLS networks.

For MPLS-based WANs, organizations can use MPLS-based point-to-multipoint (P2MP) services that optimize next-generation MVPNs (NG MVPNs). NG MVPNs improve scalability by intelligently leveraging adjacencies that exist in the MPLS network, and this eliminates the need for every router to maintain separate adjacency information with every other router that participates in the MVPN. NG MVPN benefits enterprises by eliminating the need to run a multicast routing protocol over the service provider network. The benefits of NG MVPN are:

• Bandwidth reservation—guarantees sufficient bandwidth for mission critical applications

• MPLS fast reroute—allows quick detection of path failure and rapid reroute to alternate paths, in less than 50 ms

• Deterministic routing—permits the ability to precisely control the paths the data will follow, in order to create redundant paths from source to destination and thereby ensure resiliency in case of failure or performance degradation

Best Practices and Tips—Multicast:

It is recommended that enterprise network architects consider the following in running a multicast network:

• The number of multicast groups that can be supported per VPN is usually limited when using carrier networks. Thus, to reduce costs, VPNs that require a large number of multicast groups can be designed to run on a private MPLS cloud rather than on a service provider network.

• The number of Rendezvous Points (RPs) is limited per VPN and geographical location; therefore care must be taken in designing the optimal location for the RP and the multicast sources that are handled by the RP.

Juniper offers many multicast signalling protocols such as Protocol Independent Multicast-Sparse Mode (PIM-SM), Protocol Independent Multicast-Dense Mode (PIM-DM), Protocol Independent Multicast-Source Specific Mode (PIM-SSM), and Bidirectional PIM.

For further information, please refer to Multicast Best Practices.


Automate—Ease of Management

To simplify network provisioning, monitoring, and maintenance, several management tools are recommended to reduce network downtime, minimize human error, and accelerate service deployment:

• Juniper Networks Junos Space Ethernet Design—Provides best practice service definitions such as port security, QoS, spanning tree, etc., to plan, simulate, model, and diagnose issues in the network.

• Juniper Networks Junos Space Network Activate—Provides best practice service definitions for ELINE, ELAN, and ETREE services to quickly, accurately, and easily provision VPNs.

• Juniper Networks Junos Space Route Insight—Provides a tool to easily plan, simulate, model, and diagnose issues in the MPLS network.

Figure 5: Ethernet Design, Network Activate, and Route Insight—Juniper's key management automation tools

In addition to network management tools, network architects can also benefit from using powerful Junos OS scripts that help network engineers simplify and automate tasks. The following script types are available:

• Configuration scripts—Configuration scripts are ideal for organizations that frequently change QoS policies that need to be propagated to many routers. These scripts also ensure adherence to corporate network guidelines.

• Operation scripts—Organizations that want to simplify a series of iterative commands can benefit from creating a custom command using an operation script. Enterprises can also create commands customized for specific solutions. These scripts reduce the risk of misconfiguration and improve productivity.

• Event scripts—Organizations can automate configuration changes in response to specific events with event scripts. For example, security can be enhanced by controlling access to user accounts based on the employee's shift time using event scripts.

Figure 5 (table content):

Junos Space Tool    Function                                            Benefit
Ethernet Design     Rapidly provision large collections of switches;    Speed up operations
                    simplify configuration
Network Activate    Rapidly provision VPNs; automate network            Scale service deployment
                    resource management
Route Insight       Rapidly diagnose MPLS network problems;             Simplify operations
                    simulate network changes


Use Cases

The following sections highlight WAN use cases:

• Enterprise WAN

- Private MPLS across a public service provider network

- Private MPLS cloud

- Public network

• Data center to data center interconnectivity, with Layer 2 stretch

• WAN aggregation

• Internet edge


Figure 6: IPsec encrypted MPLS traffic tunneled using GRE to a provider router for transport over service provider L3VPN

Figure 6 depicts an enterprise running MPLS across a service provider L3VPN network. In this scenario, the enterprise has two locations (A and B) that are sending traffic to each other. Site B is also sending traffic to Site C. The MPLS traffic from Site A is sent via generic routing encapsulation (GRE) tunnels to Site C and tunneled using the service provider's MPLS network. Likewise, the MPLS traffic from Site B to Site C is encrypted using IPsec and tunneled using GRE to Site C through the service provider MPLS transport. The traffic at Carrier Router 3 for Site C is then handed off using GRE tunnels to the customer premises equipment (CPE), where it is decrypted and sent over the organization's MPLS network.

The MX Series uniquely addresses enterprise network needs in a single platform based on simplicity:

• Massive upgradeability from 20 Gbps to 2.6 Tbps for a variety of application needs

• Range of interface speeds 10/100/1000M, 10GbE, OC3, OC12, OC48, and DS3 for different WAN interconnects

• Massive scalability in Layer 2 and Layer 3 and advanced virtualization

• Traffic engineering and MPLS-based resiliency for superior application performance

• Dynamic GRE that simplifies provisioning of GRE tunnels

• Carrier-class reliability

• Uncompromised performance for QoS and services

Pay-as-you-grow and dynamic scale elasticity (MX5 -> MX10 -> MX40 -> MX80) to adapt the network as business needs change:

• Capacity: 20 Gbps -> 40 Gbps -> 60 Gbps -> 80 Gbps, with optional software license

• Ethernet: 10/100 -> 1GbE -> 10GbE

• Non-Ethernet: OC3 -> OC12 -> OC48

Use Case: Enterprise WAN—Private MPLS Across a Public Service Provider Network


Customer Example: A Centralized Manufacturer

The manufacturer performs most of the computations in its data center and is looking for a basic method for transporting data on the WAN.

WAN design requirements:

• Low cost transportation of noncritical MPLS data between offices

• Resiliency needed to protect VoIP traffic

• Minimal enterprise resources for management of the network

Proposed WAN solution:

The manufacturer chooses a service provider's L3VPN service (unmanaged) for its WAN connectivity. The unmanaged service has a CPE device that either runs BGP to the carrier router to advertise routes, or has static routes configured to send all traffic to the provider router. The enterprise can also encrypt all traffic leaving the CPE and tunnel these transmissions using GRE to the provider router. To connect the enterprise to the provider router, the enterprise may choose inexpensive cable or DSL connectivity instead of expensive fiber. The enterprise needs to guarantee resiliency and ensure that the VoIP traffic is protected in case of failures in WAN connectivity. It may also decide to have a backup connection to the Internet.

Use Case: Enterprise WAN—Private MPLS Cloud

Many enterprises use a private cloud of Ethernet links that run private MPLS to achieve maximum control over performance and latency. The resulting cloud is called the "super core." The "super core" gives the enterprise greater control over critical metrics such as latency and resiliency.

Benefits:

• Greater control over network latency by controlling SLA and directing low priority traffic over suboptimal paths.

• MPLS fast reroute provides improved resiliency.

• Logical separation, instead of physical separation, of data provides improved cost savings.

Enterprises choose VPN services offered by service providers for a variety of reasons. Some of the most common reasons are cost and simplicity. Additionally, enterprises can choose between managed services and unmanaged services. Many enterprises choose a managed CPE to reduce the cost of managing equipment. Unmanaged CPE is popular with enterprises that have the necessary resources and the desire to have control over the network on their premises.


Private MPLS Cloud: Some Benefits of Simplification (Before and After)

Figures 7 and 8 illustrate before (an example of a real customer impacted by rapid organic business growth) and after (the benefits of WAN simplification). This customer previously used application dedicated L2 and L3 inter data center links. Over time, this practice resulted in over 30 dedicated 10GbE links, with only 1% utilization per link.

Figure 7: Before Case: Real example of legacy WAN using 30 dedicated links per application to interconnect data centers, with only 1% average utilization

In contrast, deploying Juniper Networks devices, Junos OS, and network virtualization provides simplicity and improved network utilization with the flexibility needed to expand the network easily for future growth.

With Juniper's enterprise WAN solution (as shown in Figure 8), the private MPLS cloud replaces dedicated link interconnectivity between the different entities using label-switched paths (LSPs) that can be set up on demand. Business continuity is maintained using MPLS fast reroute, while custom application bandwidth is maintained using traffic engineering. Significant CapEx and OpEx savings are achieved, while improving privacy and security using logical MPLS separation.


Figure 8: After Case: Real deployment using Juniper's simplified WAN design using network virtualization eliminates application dedicated links


In this example, the key principles of Juniper's simplified WAN design were based on:

• Simplicity—eliminating application dedicated links

• Sharing—applications shared yet maintaining logical separation

• Security—separating resources and easily directing traffic to centralized and virtualized firewalls

• Manageability through automation—tools in the form of scripts that help with self-monitoring, self-diagnosing, and self-healing capabilities, along with several network management tools that help with easy provisioning, monitoring, and troubleshooting of the network

Customer Example: A Utility Enterprise

A large utility needs to interconnect multiple data centers, and it owns the "right of way" in many locations between the data centers.

WAN design requirements:

• Transport critical delay-sensitive data between data centers

• Provide high resiliency for business critical data

• Maintain traffic separation between critical data and noncritical data for regulatory compliance

• Prevent noncritical data from overwhelming mission critical data

Proposed WAN solution:

The utility deploys an MPLS super core that interconnects the data centers and can choose between a managed or an unmanaged service.

Use Case: Data Center to Data Center Interconnectivity with L2 Stretch

Enterprises frequently deploy colocated data centers for reasons like disaster recovery. These data centers run many applications such as virtual machines that require Layer 2 stretch.

Figure 9: Inter data center connectivity over MPLS core

Figure 9 depicts two data centers (Data Center 1 and Data Center 2) connected over an MPLS core. The data centers house virtual machines (VM1 and VM2) and a database (DB1). The data centers have Juniper Networks EX Series Ethernet switches in the access layer and MX Series routers in the core and WAN edge layers. The Layer 3 boundary is at the core layer and is indicated by the service edge boundary. This implies that VLANs from the access-layer switches are mapped into corresponding VRFs. Thus, specific VLANs can be mapped into corresponding virtual private LAN service (VPLS) paths.



Addressing Suboptimal Routing Resulting from vMotion

1. Egress routing:

When a VM moves from Data Center 1 to Data Center 2, it still refers to the Data Center 1 gateway; therefore egress traffic from the VM will traverse the inter-data center link from Data Center 2 to Data Center 1 before egressing to the WAN from Data Center 1, resulting in suboptimal egress routing.

Proposed solution:

To ensure that the traffic from the VM is optimally routed in the egress direction, configure a VRRP group, with the same VID, that spans the two data center gateways, and set up a firewall filter for the VRRP hello packets between the routers in the VRRP group. Each router in the VRRP group will behave as active because the other router will be considered inactive. The VM traffic will therefore be routed from the Data Center 2 gateway instead of being forwarded to the gateway in Data Center 1, thereby ensuring optimal egress routing.

Note that if the two gateways are in different VRRP groups (i.e., different virtual MAC addresses), the VM will time out its ARP entry and relearn the new gateway MAC address, which is undesirable.
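An added configuration example, not from the paper, of the egress-routing fix described above as it would look on one of the two data center gateways in Junos syntax; the IRB unit, addresses, group number and filter name are constructed, and the peer gateway carries the same group and virtual address.

```junos
/* Added example: one of the two data-center gateways. The peer gateway
   is configured with the same vrrp-group number and virtual-address, so
   both present the same virtual MAC (00-00-5e-00-01-64 for group 100)
   and the VM keeps its ARP entry after a vMotion move. Addresses, unit
   and names are constructed for illustration. */
interfaces {
    irb {
        unit 100 {
            family inet {
                filter {
                    /* discard the peer gateway's VRRP advertisements so this
                       router never sees a competing master and stays active */
                    input block-peer-vrrp;
                }
                address 10.100.0.2/24 {
                    vrrp-group 100 {
                        virtual-address 10.100.0.1;
                        priority 200;
                        /* let this router answer traffic addressed to the VIP */
                        accept-data;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter block-peer-vrrp {
            term vrrp-advertisements {
                from {
                    /* IP protocol 112 */
                    protocol vrrp;
                }
                then {
                    /* counter makes the intentional drop visible in operations */
                    count peer-vrrp-dropped;
                    discard;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
```

With the same configuration on the peer, `show vrrp` reports master state on both gateways, and the `peer-vrrp-dropped` counter in `show firewall filter block-peer-vrrp` confirms the peer's advertisements are being discarded rather than lost for some other reason.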

2. Ingress routing:

The traffic destined for the VM from the WAN will also arrive at Data Center 1 and traverse the inter-data center link before reaching the VM that has just moved to Data Center 2.

Proposed solution:

The /32 address of the VM can be advertised to the external world, thereby ensuring that all ingress traffic will arrive directly at the new location of the VM (i.e., Data Center 2) instead of traversing the inter-data center link. One caveat for enterprises advertising IP addresses on carrier networks is that carriers often limit the subnet mask to /24 and may not allow a /32 to be advertised.

If a stateful firewall exists in Data Center 1, then the only way to address the suboptimal routing is to terminate the client sessions (TCP sessions) and re-establish them with Data Center 2. This is because the firewall states pertaining to the VM maintained in Data Center 1 are not migrated to Data Center 2.

Customer Example: Enterprise Private Cloud

A bank has deployed a private cloud of virtual desktop machines to improve the productivity of its financial advisors. To ensure that the virtual desktops are available 24x7, the bank has created a colocated data center and requires data to be mirrored between the two data centers.

WAN requirements:

• Cost effectively migrate data between the two data centers

• Provide L2 connectivity, on demand, for some of the data migration

• Provide resiliency for data traffic between the data centers

Proposed solutions:

VPLS paths are set up between the two MX Series devices in the colocated data centers. The VPLS can be set up so that it only transports traffic on specific VLANs. Thus, only specific hypervisors need to be migrated and need to be part of the VPLS domain, and all other traffic remains unaffected. VPLS not only emulates an L2 switch in the WAN but also runs on a private MPLS core. Private MPLS lets the bank take advantage of advanced routing features such as traffic engineering. Traffic engineering allows the bank to optimally allocate bandwidth for the different departments without the need for dedicated L2 links.

Benefits:

• Improved cost savings by using an MPLS cloud to interconnect data centers

• Rapid provisioning of MPLS paths between the data centers, on demand

• Cost-effective resiliency by using MPLS paths rather than physically separated interconnections


VPLS over GRE:

Enterprises that have only an IP core, and no MPLS core, to transport VPLS traffic can carry VPLS traffic over GRE tunnels.

Fragmentation of GRE frames:

When GRE is used to transport MPLS packets over an Ethernet-based transport network, the transport network often supports a maximum transmission unit (MTU) of 1,500 bytes. Because of the overhead required to encapsulate MPLS packets in GRE, it is possible for the encapsulated packet size to exceed the minimum MTU of the network. The solution is to either fragment the packets before encapsulating them in GRE frames or to fragment after addition of the GRE headers. Since L2 data cannot be fragmented before encapsulation in the MPLS/GRE header, the packet must be fragmented after encapsulation in GRE frames.

GRE tunnels are supported on Juniper Networks M Series Multiservice Edge Routers with the ASP tunnel module. It is recommended that path MTU discovery be enabled in Juniper routers to identify the minimum MTU along the entire path. Such a setting will avoid needless fragmentation of packets.

The maximum size of an Ethernet frame beyond which fragmentation is necessary for transport on an Ethernet network is 1448 bytes.
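An added Junos configuration example, not from the paper, of a GRE tunnel interface set up to carry MPLS and to fragment after GRE encapsulation with path MTU discovery enabled, as the two paragraphs above recommend; the tunnel endpoints, interface name and addresses are constructed.

```junos
/* Added example: GRE tunnel carrying MPLS-labelled traffic over an IP
   transport whose links have a 1,500-byte MTU. Tunnel endpoints, the
   gr- interface name and addresses are constructed for illustration. */
interfaces {
    gr-1/0/0 {
        unit 0 {
            tunnel {
                source 192.0.2.1;
                destination 192.0.2.2;
                /* L2 payload cannot be fragmented before encapsulation, so
                   fragment the GRE-encapsulated packet after the outer
                   headers are added */
                allow-fragmentation;
                /* learn the smallest MTU along the transport path so packets
                   are fragmented only when they really exceed it */
                path-mtu-discovery;
            }
            family inet {
                address 10.200.0.1/30;
            }
            /* MPLS over GRE: label-switched traffic enters the tunnel */
            family mpls;
        }
    }
}
protocols {
    mpls {
        interface gr-1/0/0.0;
    }
}
```

`show interfaces gr-1/0/0.0 extensive` reports the tunnel's effective MTU, which is the figure to compare against the 1448-byte threshold the text gives.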

Use Case: WAN Aggregation

WAN aggregation consolidates multiple networks such as campus, branch, data center, etc., onto the enterprise WAN network. The WAN aggregation devices must be scalable, support a range of interfaces (such as T1, T3, and SONET that may carry ATM or Frame Relay), as well as a variety of services (such as MPLS, IP routing, etc.).

Figure 10: WAN aggregation of remote branch offices using WAN aggregation routers

Figure 10 depicts two branch offices that are connected to the public WAN (carrier provided) or the private WAN (enterprise owned). The branch offices have branch routers that are dual homed, for resiliency, to two aggregation routers. The WAN aggregation devices include two MX Series or M Series routers. The two WAN aggregation devices will be in separate autonomous systems (AS, e.g., AS1 and AS2) so as to keep the routing separate. The branch routers are mapped to the aggregation routers either using static routes or using EBGP.

Enterprises that require enhanced resiliency use two providers for the WAN aggregation, i.e., AS1 will belong to provider 1 and AS2 will belong to provider 2. The redundancy will ensure that the enterprise WAN is not affected by any one provider failure. Note that larger branches use dual (redundant) branch routers for greater reliability, as shown in the following example.



Use Case: Internet Edge

The Internet edge acts as a gateway to the Internet for the enterprise. The Internet edge provides connectivity to the Internet for branch offices and connects remote workers and partners to enterprise resources. It can also be used to provide backup connectivity to the WAN for branch offices, in case the primary connectivity to the enterprise WAN fails.

Case 1: Corporate Internet Access Through Enterprise WAN

Figure 11: Internet edge access through headquarters carried through the enterprise WAN

Figure 11 above depicts two branch offices (Branch1 and Branch2) that are connected to the headquarters (HQ) in a hub and spoke topology through the enterprise WAN network.

Branch1, a small branch, has an SRX Series branch router that connects it to the WAN. Branch2, a medium sized branch, has two dual-homed SRX Series branch routers providing WAN connectivity and EX Series access switches connecting the servers and phones to the SRX Series branch routers. The branch routers run IBGP and OSPF. The EX Series switches are combined in a Virtual Chassis.

All Internet traffic is carried through the enterprise WAN to headquarters. All Internet traffic passes through firewalls in the DMZ that perform deep packet inspection to identify malicious content and to monitor and regulate bandwidth consumption by applications in the branch offices. The MX Series midrange routers (MX5/MX10/MX40/MX80) are ideal for the Internet edge, as they provide seamless upgradeability on a single platform using software licensing.

Enterprises that do not require Internet traffic to be carried to headquarters through the WAN allow for split tunneling of the traffic at the branch. Split tunneling ensures that the Internet can be accessed directly from the branch. However, to meet security and regulatory compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS), these enterprises deploy security devices at the branch that perform deep packet inspection of Internet traffic. Juniper Networks SRX Series Services Gateways provide a range of security features that are ideal for branch security.



Case2:InternetEdgeBackupConnectivity

Figure12:InternetedgeprovidingbackupconnectivitytotheenterpriseWAN

Figure 12 depicts two branch offices (Branch 1 and Branch 2) connected to the enterprise WAN and the Internet edge. The branch routers are connected to the WAN aggregation routers. Traffic is routed between the branch routers and the WAN aggregation routers using either static routes or EBGP. If the primary connectivity between the branch and the WAN fails, the branch router establishes an IPsec tunnel over the Internet to Branch 2.

The MX Series midrange routers provide Internet connectivity and are ideal for the Internet edge, as they support an uncompromising feature set and the flexibility to upgrade on a single platform through software licensing.

Enterprises that implement this form of resiliency must ensure that the bandwidths of the connections to the WAN and to the Internet are comparable. Further, these enterprises can expect application performance to be degraded when using the Internet as a backup, and therefore may decide to route only some critical applications over the Internet during failover.

One of the primary benefits of this use case is its low cost and ease of deployment.

Conclusion

Enterprises have been responding to new business demands and increased competitive pressures by adopting new applications that transport mission-critical data, and by adding distributed branch offices and data centers. These changes have increased the complexity of maintaining and upgrading the network infrastructure, and they have made the network increasingly inflexible in meeting growing business needs. Organizations can employ Juniper’s WAN design principles to address these challenges:

• Simplify the network infrastructure by reducing the number of devices, links, and operating systems

• Share the network infrastructure through virtualization to improve performance and asset utilization

• Secure the network comprehensively

• Automate network provisioning, monitoring, and troubleshooting.

These design principles can effectively help organizations improve the end-user experience, increase the velocity of application deployment, and improve security and privacy, while at the same time delivering cost savings and operational efficiencies.

[Figure 12 diagram labels: Carrier WAN; Public Internet; Branch 1 and Branch 2, each with an SRX Series branch router; WAN aggregation router (M Series/MX Series); MX Series midrange (MX5/MX10/MX40/MX80) at the Internet edge; static routes/EBGP between the branch routers and the WAN aggregation router; IPsec over the public Internet. MX Series midrange consists of the MX5, MX10, MX40, and MX80.]


8030009-003-EN Apr 2011

Copyright 2011 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King’s Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

Printed on recycled paper

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.


About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.