WHITE PAPER-Juniper Enterprise Data Center Network Reference Architecture


8/22/2019 WHITE PAPER-Juniper Enterprise Data Center Network Reference Architecture
1/36

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408.745.2000
1.888 JUNIPER
www.juniper.net

Enterprise Data Center Network Reference Architecture

Using a High Performance Network Backbone to Meet the Requirements of the Modern Enterprise Data Center

Part Number: 803001-003 Nov 2008

Copyright 2008, Juniper Networks, Inc.

Table of Contents

Executive Summary 4
Introduction 4
Trends and Challenges 4
Juniper Networks Approach and Solution 6
Scope 6
Target Audience 6
Enterprise Data Center Network Design Considerations 7
Virtualization 8
High Availability Disaster Recovery 8
Visibility 8
Network Connectivity 8
Security 9
Policy and Control 9
Quality of Service (QoS) 10
High Performance 10
A Green and Environmentally Friendly Data Center 10
Juniper Networks Data Center Network Architecture 11
Open Systems Approach: Juniper Networks Enterprise Framework 11
Location-Based Approach 12
Design Principles 13
High-Level Architecture 14
Edge Services Tier 16
Edge Services Connectivity 16
Edge Services High Availability 16
Edge Services Performance 17
Edge Services Security 17
Core Network Tier 18
Core Network Connectivity 19
Core Network HA 19
Core Network Virtualization 19
Network Services Tier 20
Data Center Security Services 21
Application Front Ending Services 22
Applications and Data Services Tier 23
Fibre Channel SANs 26
iSCSI SANs 26
Data Center Backbone 27
Data Center Network Management 28
Summary 30
Glossary 3
Appendix A: Juniper Networks Data Center Network Solution Tables 33
Data Center Product Tables 33
Data Center Product Tables (by Tier) 33
Partner Products 34
Symantec 34
Kaspersky 34
SurfControl and Websense 34
Avaya IG550 35
Appendix B: Juniper Networks Core Network Power Efficiency Analysis 35
About Juniper Networks 36

Executive Summary

The data center is an extremely critical corporate asset. As such, the data center network that connects all critical servers, applications and storage services is a key component that should be carefully planned and managed to meet the growing performance demands of users and many network-centric applications. Juniper Networks offers a comprehensive data center network solution that combines best-in-class products with well-defined practices to build high-performance, robust, virtualized, cost effective and business supported data center networks.

This reference architecture proposes practices, technologies and products that help data center architects and engineers responsible for answering the requirements of designing modern data center networks.

Introduction

Trends and Challenges

According to research conducted by Nemertes (2006), 91 percent of benchmarked companies were under compliance constraints, and more than 50 percent of companies consolidated their dispersed data centers into fewer but larger data centers in the last 12 months, with even more planning to consolidate in the upcoming 12 months. While enterprises are consolidating their data centers and centralizing their servers, the opposite is happening with the employees themselves. More than 90 percent of employees work remotely and more companies are opening a larger number of branch offices to get closer to their customers. These two divergent trends cause tremendous strain on the enterprise WAN connectivity as more people attempt to access applications that are highly centralized. Further, performance of these applications is becoming a critical bottleneck in terms of employee productivity.

Another interesting trend is that servers are continuing to grow at a high annual rate of 11 percent, while storage is growing at an even higher rate of 22 percent; both of which are causing tremendous strain on the data center's power and cooling capacity. According to Gartner, OS and application instability is increasing the server sprawl with utilization rates of 20 percent. Also, Coordination Implementation and Operations (CIOs) are increasingly demanding utilization/efficiency reports on servers and storage, which is leading to an increased adoption of virtualization technologies such as VMWare and XenSource.

The major challenges identified by customers regarding their data centers include the following:

- Power capacity
- Cooling
- Increasing growth of the data centers
- Availability
- Disaster recovery
- Operational issues concerning change management and controlling operational costs

Enterprises demand zero-downtime or extreme availability as businesses become increasingly global and function 24x7.

Gartner (2007) identifies the following trends from a list of the top 10 disruptive technologies in the data center:

- Unified Communications
- The Web as a platform to deliver applications
- Virtualization that goes beyond consolidation
- Mashups and composite applications
- Green IT

Emerging applications that use Service Oriented Architecture (SOA) and Web services are increasingly computational and network intensive.

While businesses are attracted to the cost savings of consolidating data centers and therefore are reducing the number of facilities and operating locations, architects face the challenge of designing a data center that centralizes servers and applications that are accessible from a variety of locations (see Figure 1). Throughout all of these challenges, today's data center must meet the performance requirements to ensure satisfactory user experiences without compromising security and compliance.

Figure 1: Location-Based Perspective of the Enterprise Network

In addition, Gartner (2007) asserts that 50 percent of the Ethernet switch ports within the data center are used for switch interconnectivity.

Simply designing a data center that only deploys more servers, storage and devices significantly increases network complexity and cost. Organizations must change the way they view their data center network architecture to maximize efficiency gains from technologies such as virtualization. The architecture must use virtualization capabilities such as MPLS and virtual private LAN service (VPLS) to enable an extremely fast, high-performance data center backbone network, to meet the performance demands of the consolidated architecture. The data center network also must offer required components such as security, performance acceleration, high density and a resilient network infrastructure. These critical components help ensure that users sustain the performance needed to succeed in their jobs, and that the network supports their business goals. This document shares Juniper Networks' best practices in designing a highly efficient, secure, scalable and flexible data center network. This document also showcases advanced network technologies such as high-density next-generation Ethernet switches, application delivery controllers and WAN acceleration that can be employed to create a seamless user experience, irrespective of the location on the network.

[Figure 1 diagram, labels only: Remote Sales Office, Headquarters Office, Large Regional Office, Manufacturing Plant, Small Regional Office, Standalone Office, Retail Store, Data Center, Private WAN, Internet, VoIP Pilots, Avaya VoIP Gateway; product labels SSG, ISG/IDP, WX/WXC, Infranet Controller, J-series, M-series, SA-series, SRX-series, EX-series]

Juniper Networks Approach and Solution

The Juniper Networks strategy for designing the data center network uses an open systems approach that enables enterprises to design a high-performance data center network that consolidates network elements into fewer networks and employs fewer network devices. This approach simplifies network architecture, enables operational efficiencies, and offers data center networks that are agnostic to multiple media types.

The architecture virtualizes critical network infrastructure components and functionalities such as security, load balancing and applications acceleration, and this architecture deploys and manages based on a combination of business as well as technical heuristics. The architecture optimizes network performance and increases efficiencies within the network infrastructure. The architecture also automates network infrastructure management by connecting smoothly into the customer's existing management frameworks and third-party tools such as IBM Tivoli.

Scope

The purpose of this document is to provide our partners, customers and potential customers with a data center network architecture that mitigates business risk and supports the modern, consolidated data center. This document addresses the following topics:

- Network infrastructure
- Security
- Connectivity
- Performance aspects of the data center infrastructure

In addition, this document provides design guidance for the data center network, the inter-data center and associated connectivity. Discussions focus on the following network devices:

- Routers
- Switches
- Firewalls
- Intrusion prevention systems
- VPN access devices
- Application front ends
- WAN acceleration products

NOTE: Because application-specific components such as operating systems, processing machines, databases and storage arrays are out of scope of this solution, they are not addressed in this document.

Target Audience

- IT managers and security managers
- Systems engineers
- Network analysts and engineers
- Network administrators

Enterprise Data Center Network Design Considerations

The following section summarizes some of the technical considerations for designing a modern day data center network that must support consolidated and centralized server and storage infrastructure as well as enterprise applications.

NOTE: The design considerations discussed are not necessarily specific to Juniper Networks solutions and can be applied universally to any data center network design, regardless of the vendor.

The functional data center network design model (Figure 2) considers key design attributes. Each of these attributes is summarized in the following sections.

Figure 2: Center Network Functional Design Model

As data centers become consolidated, more servers become centralized. The data center can be viewed from the perspective of the different groups of people interacting to create a highly available and functional end user requirement for the enterprise. These groups typically comprise storage, server, application and network groups. Observing all of the installed devices in the data center, we obviously see large racks of servers (X86 servers, blade servers or mainframe systems), different types of storage switches that use Fibre Channel (FC) and InfiniBand, and a variety of applications (Oracle, SAP, Microsoft) that utilize these resources to deliver business requirements. These three silos are connected through a fast, secure and reliable data center network fabric which forms the fourth silo of systems and devices in the data center. The critical attributes for designing today's data center for extreme availability and superior performance are as follows:

- Virtualization: network, server and storage
- High Availability/Disaster Recovery (HA/DR)
- Visibility: not only into network traffic and security events, but also into application traffic
- Connectivity: ubiquitous connectivity to disparate sets of resources
- Security: security and compliance
- Policy and Control: centralized policy and control
- Quality of Service (QoS)
- High Performance: applications, storage, servers and the network

[Figure 2 diagram, labels only: Virtualization, HA/DR, Visibility, Connectivity, Security, Policy & Control, QoS, High Performance; Storage, Applications, Servers, Network Infrastructure]

Virtualization

As described in Wikipedia, virtualization is a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications or end users interact with those resources. This means making a single physical resource such as a server, an operating system, an application or a storage device appear to function as multiple logical resources; or making multiple physical resources such as storage devices or servers appear as a single logical resource. Virtualization also means making one physical resource appear, with somewhat different characteristics, as one logical resource.

From a network virtualization perspective, there are various technologies that provide data, control and management plane virtualization. A data plane virtualization example is a single physical interface that provides security to multiple network segments using 802.1Q VLAN tagging. From a control plane virtualization perspective, multiple routing domains and protocol instances are other examples. A management plane virtualization example supports multiple logical firewall/VPN security systems that use Virtual Systems (VSYS) for true multi-department or multi-customer environments, such as large enterprises or service providers who offer managed security services, all in a single device.
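The data-plane example above (one physical interface serving several segments through 802.1Q VLAN tagging) depends on the switch or firewall parsing the tag correctly and applying a per-port policy to what it finds. The Python below is an added illustration written for this page; it is not Juniper code and does not describe any product's implementation. It builds and parses 802.1Q-tagged Ethernet II frames, extracts the VLAN ID and the 802.1p priority bits from the Tag Control Information field, and applies a constructed trunk-port policy (a set of permitted VLAN IDs plus an optional native VLAN for untagged frames). The MAC addresses, VLAN numbers and sample frames are constructed for the example; the reserved-VID checks (0 and 4095) follow IEEE 802.1Q.

```python
"""Added example: parse 802.1Q-tagged frames and audit them against a trunk
port's permitted-VLAN list. Not Juniper code; all frames below are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID announcing a VLAN tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class ParsedFrame:
    dst: str
    src: str
    vlan_id: Optional[int]   # None when the frame is untagged
    priority: Optional[int]  # 802.1p PCP (0-7); None when untagged
    ethertype: int           # EtherType of the encapsulated payload
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        header += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame: bytes) -> ParsedFrame:
    """Parse a frame, honouring a single 802.1Q tag; rejects truncated or reserved VIDs."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = priority = None
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13          # top 3 bits: PCP
        vlan_id = tci & 0x0FFF        # low 12 bits: VID
        if vlan_id in (0, 4095):      # 0 = priority-only tag, 4095 is reserved
            raise ValueError(f"reserved VLAN ID {vlan_id}")
        offset = 18
    return ParsedFrame(_mac(dst), _mac(src), vlan_id, priority, ethertype, frame[offset:])


def permitted_on_trunk(pf: ParsedFrame, allowed: Set[int], native_vlan: Optional[int]) -> bool:
    """Constructed trunk policy: tagged frames need a permitted VID; untagged frames
    are accepted only when the port has a native VLAN configured."""
    if pf.vlan_id is None:
        return native_vlan is not None
    return pf.vlan_id in allowed


def audit(frames: List[bytes], allowed: Set[int],
          native_vlan: Optional[int]) -> List[Tuple[Optional[int], str]]:
    """Return (vlan_id, verdict) per frame; malformed frames are reported, not silently dropped."""
    results = []
    for raw in frames:
        try:
            pf = parse_frame(raw)
        except ValueError as exc:
            results.append((None, f"malformed: {exc}"))
            continue
        verdict = "accept" if permitted_on_trunk(pf, allowed, native_vlan) else "drop"
        results.append((pf.vlan_id, verdict))
    return results


# Constructed sample traffic (not captured from any real network).
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
IPV4_STUB = b"\x45" + b"\x00" * 19
SAMPLE_FRAMES = [
    build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_STUB, vlan_id=100, priority=5),  # permitted segment
    build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_STUB, vlan_id=200),              # permitted segment
    build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_STUB, vlan_id=999),              # not permitted here
    build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_STUB),                           # untagged
    build_frame(DST, SRC, ETHERTYPE_IPV4, b"", vlan_id=0),                      # priority-only tag
    DST + SRC + struct.pack("!H", ETHERTYPE_8021Q) + b"\xa0",                  # tag cut short
]
TRUNK_ALLOWED = {100, 200}

if __name__ == "__main__":
    for vid, verdict in audit(SAMPLE_FRAMES, TRUNK_ALLOWED, native_vlan=None):
        print(vid, verdict)
```

Untagged frames on a trunk with no native VLAN, and frames whose tag is cut short, are reported rather than silently discarded, which is what an auditor of segment isolation wants to see. The parser deliberately handles only one tag: a double-tagged (QinQ) frame comes back with 0x8100 as its payload EtherType, so the caller can flag it instead of trusting the outer VID alone.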

High Availability Disaster Recovery

High Availability/Disaster Recovery (HA/DR) is a key requirement from the data center network perspective and must be considered not only from what is happening within the data center, but also from across multiple data centers. Network high availability should be deployed by using a combination of link redundancy (both external and internal connectivity) and critical device redundancy to ensure network operations and business continuity. In addition, using site redundancy (multiple data centers) is critical to meeting disaster recovery and regulatory compliance objectives. Moreover, devices and systems deployed within the confines of the data center should support component-level high availability, such as redundant power supplies, fans and routing engines. Another important consideration is the software/firmware running on these devices, which should be based on a modular architecture that provides features such as in-service software upgrades (ISSUs) to prevent software failures/upgrade events from impacting the entire device. Software failures/upgrades should only impact a particular module, thereby ensuring system availability.

Visibility

It is important to have visibility into network traffic and security events to effectively maintain and manage the resources. It is critical to collect IP traffic flow statistics to give enterprises insight into data flow, resource utilization, fault isolation, capacity planning, and tuning and offline security analysis. WAN utilization and user-level visibility can help IT better support application performance by leveraging network services and other resources. Security visibility is crucial to granularly view security events to help determine how these events get handled. Further, extending this visibility to develop a deeper understanding of application-specific traffic is crucial for understanding a wide range of operational and performance information that can impact the users of these applications. For example, specific compression and acceleration technologies can be applied at the network layer to accelerate email applications such as Microsoft Exchange. Another example is preventing employees' access to services such as YouTube and social networking sites from impacting business applications. Understanding the application (YouTube, Instant Messaging) and enforcing policies based on the application ensures that business critical applications meet or exceed the performance expectations of end users.

Network Connectivity

Customers, partners and employees all require immediate access to applications and information. Modern applications such as supply chain applications, IP telephony, Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), or sales force automation applications demand significant network performance. Concurrently, the challenge of working from any location in the enterprise further increases the complexity.

As part of the data center network design, the following critical aspects of external network connectivity must be considered:

- WAN connectivity to enable branch office and campus users to access applications
- Internet connectivity to enable partner access as well as secure remote access for remote and mobile users
- Superior speed for data center backbone connectivity, data replication, business continuity, and use of technologies such as VPLS/MPLS

The internal data center comprises one or more server network(s) or data center LANs. The data center LAN hosts a large population of servers that require high-speed and highly available network connectivity. In addition, there can be multiple LAN segments and networks deployed that differ in security and capacity levels and other services offered. Typically, connections of 1 Gbps and higher (while 10 Gbps are becoming the standard) will be available in the data center network, providing at least 1 Gbps to the server and preferably 10 Gbps at network choke points.

Security

The critical resources in any enterprise location are typically the applications themselves and the servers and supporting systems such as storage and databases. Financial, human resources, and manufacturing applications with supporting data typically represent a company's most critical assets and, if compromised, can create a potential disaster for even the most stable enterprise. The core network security layers must protect these business critical resources from unauthorized user access and attacks, including application-level attacks.

The security design must employ layers of protection from the network edge through the core to the various endpoints, that is, defense in depth. A layered security solution protects critical network resources that reside on the network. If one layer fails, the next layer will stop the attack and/or limit the damage that can occur. This level of security allows IT departments to apply the appropriate level of resource protection to the various network entry points based upon their different security, performance and management requirements.

Layers of security that should be deployed at the data center include the following:

- Denial of Service (DoS) protection at the edge
- Firewalls to tightly control who and what gets in and out of the network
- VPN to protect internal communications
- Intrusion Prevention System (IPS) solutions to prevent a more generic set of application layer attacks

Further, application-layer firewalls and gateways also play a key role in protecting specific application traffic such as XML.

The above-listed solution guidelines address the requirements specified in the NIST recommended best practices, as stated in Guide to General Server Security.[1]

Policy and Control

Policy-based networking is a powerful concept that enables devices in the network to be efficiently managed, especially within virtualized configurations, and it can be used to provide granular network access control. The policy and control capabilities should allow organizations to centralize policy management while at the same time offer distributed enforcement. The network policy and control solution should provide appropriate levels of access control, policy creation and management, and network and service management, ensuring secure and reliable networks for all applications. In addition, the data center network infrastructure should integrate easily into customers' existing management frameworks and third-party tools such as Tivoli, and provide best-in-class centralized management, monitoring and reporting services for network services and the infrastructure.

[1] Guide to General Server Security, Recommendations of the National Institute of Standards and Technology, Special Publication 800-123, http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
Quality of Service (QoS)

To truly assure application experience over large networks, Quality of Service (QoS) is a key requirement. It is critical to assign and manage QoS levels to ensure satisfactory performance of the various software applications. A minimum of three levels of QoS (each of which determines a priority for applications and resources) are as follows:

- Real-time
- Business critical
- Best effort

Multiple Protocol Label Switching networks and network traffic engineering capabilities are typically deployed to configure Label Switch Paths (LSPs) with Resource Reservation Protocol (RSVP) or Loader Debugger Protocol (LDP). This is especially critical with voice and video deployments, as QoS can mitigate latency and jitter issues by sending traffic along preferred paths or by enabling fast reroute to anticipate performance problems or failures. The data center network design should allow the flexibility to assign multiple QoS levels based on end-to-end assessment and allow rapid and efficient management to ensure end-to-end QoS for the enterprise.

High Performance

To effectively address performance requirements related to virtualization, server centralization and data center consolidation, the data center network should boost the performance of all application traffic, whether local or remote. The data center should offer LAN-like user experience levels for all enterprise users irrespective of their physical location. To accomplish this, the data center network should optimize applications, servers, storage and network performance.

WAN optimization techniques that include data compression, TCP and application protocol acceleration, bandwidth allocation and traffic prioritization improve the performance of network traffic. These techniques can also be applied to data replication, backup and restoration between data centers and remote sites, including disaster recovery sites.

Within the data center, Application Front Ends (AFEs) and load balancing solutions boost the performance of both client-server and Web-based applications, as well as speeding Web page downloads. In addition, designers must consider offloading CPU-intensive functions, such as TCP connection processing and HTTP compression, from backend applications and Web servers.

Beyond application acceleration, critical infrastructure components such as routers, switches, firewalls, remote access platforms and other security devices should be built on a non-blocking modular architecture, so that they have the performance characteristics necessary to handle the higher volumes of mixed traffic types associated with centralization and consolidation. Designers also should account for remote users.

A Green and Environmentally Friendly Data Center

A green data center is a repository for the storage, management and dissemination of data in which the mechanical, lighting, electrical and computer systems provide maximum energy efficiency with minimum environmental impact. As older data center facilities are upgraded and newer data centers are built, it is important to ensure that the data center network infrastructure is highly energy and space efficient. Network designers should consider power, space and cooling requirements for all network components, and they should compare different architectures and systems so that they can ascertain the environmental and cost impacts across the entire data center. In some environments, it might be more efficient to implement high-end, highly scalable systems that can replace a large number of smaller components, thereby promoting energy and space efficiency. Green initiatives that track resource usage, carbon emissions and efficient utilization of resources, such as power and cooling, are important factors when designing a data center. Appendix B presents an analysis of the Juniper Networks MX960 Ethernet Services Router's effects on reductions in energy consumption and footprint within the data center. Designers can use this appendix as an example for comparative analysis against other core solutions.

Juniper Networks Data Center Network Architecture

The intent of Juniper Networks' approach for building the enterprise data center network is to allow enterprises to take advantage of the most advanced technologies, offer a design model that supports the current as well as future applications and data processing requirements of the enterprise, while at the same time reduce the risk and total cost of ownership.

Open Systems Approach: Juniper Networks Enterprise Framework

Juniper Networks uses a simplified version of the Open Systems Interconnection (OSI) model that includes three functional layers controlled by a policy and management domain (Figure 3). These functional layers are as follows:

- Applications
- Services
- Infrastructure

The applications layer provides support to the various software applications that are required to run the business. It provides the environment that allows applications to run and interoperate. The services layer combines the traditional presentation, session and transport layers and provides support to users and applications. It includes security services, applications interfaces, and acceleration and optimization services. The infrastructure layer combines the network, data link and physical layers and consists of routing and switching features that manage the network, connection management, data flow and QoS.

The policy and management domain integrates with the customer's centralized policy and management functions to help reduce operations costs while simultaneously enabling compliance. All three layers are interconnected with open standards-based interfaces that allow enterprises to seamlessly deploy a multivendor solution that provides flexibility to use the best technologies to meet business requirements.

Figure 3: The Juniper Networks Enterprise Framework

[Figure 3 diagram, labels only: Applications, Services, Infrastructure, Policy and Management; Alliance Products; Security; Products utilizing open Interfaces; Acceleration and Optimization; Access; Routing, Switching, Wireless; Policy, Identity, Visibility, Optimization, Provisioning]

The Juniper Networks Enterprise Framework supports the next-generation data center network by providing a best-in-class network environment that uses open, standards-based and industry-accepted interfaces. Enterprises can use this framework to logically view their network infrastructure and applications in order to make decisions that best serve the requirements of deploying enterprise applications.

Juniper Networks takes a holistic approach to next-generation networking and takes into account the user, network and applications perspectives. Our understanding of applications and how they are accessed from a variety of locations enables us to provide an architecture that meets the demands of a variety of users.

Location-Based Approach

physical locations and geographies from which data clients attempt to connect. Enterprises typically have campuses, regional offices, branch offices, a private WAN and data centers.

The key intention of the data center is to offload "always on" requirements from various enterprise locations to a central, stable location that always contains the enterprise's most recent application data. By decoupling the information store from the physical location of the user, enterprises derive greater efficiencies by creating a centralized pool of resources. This trend of centralizing applications and consolidating multiple facilities makes the WAN or other external networks extremely critical, because users now need to traverse a larger network in order to gain access to data. As such, a great deal of emphasis has been given to the design of the enterprise Private WAN and Internet edge, which in many cases hosts branch office connectivity and remote user connections.

The data center does not typically host users and most certainly does not accommodate data center application users. However, this data center network design model can support different operational requirements that are unique to certain enterprises. Options such as administrative user access can be built into any data center design.

WAN services should extend to all of the remote location connections. Among these services are stateful firewalls, intrusion prevention and WAN acceleration. Figure 4 depicts a high level perspective, illustrating the overall enterprise connectivity into the data center and connectivity between data centers.


    Figure 4: Enterprise Network Connectivity to the Data Centers

Design Principles

Key design principles originate from business and technical reasons. The business reasons are fairly clear: optimize capital expenditures and reduce operation expenses. The top-level technical requirements include the following:

Leverage shared infrastructures

Employ virtualization technologies to increase utilization and efficiencies

Ensure scalability, flexibility, security and application performance over the network

Juniper Networks key design principles are as follows:

Consolidation of Data Centers and Centralization of Services from Multiple Business Offices

This principle imposes a variety of technical requirements on the data center network. Centralizing services typically does not improve overall processing time or data availability, but it often increases overall utilization and allows for more streamlined IT operations. Additionally, centralizing services requires maintenance of the unique aspects of legacy distributed processing configurations, such that different processing instances may belong to different business entities, such as finance and HR. Uniqueness and operational freedom should remain virtually independent.

Virtualization

The virtualization of processing has introduced a new standard in resource pooling and resource utility optimization. Virtualization technologies at various levels are introduced in the data center, from virtualization of large storage arrays and servers to network virtualization and network service. The network infrastructure manifests virtualization through VPNs, labels and tags of forwarding plane traffic, while the network services manifest virtualization through the definition of service instances and application of unique processing logic to the different instances. The overall data virtualization capabilities of the data center are key requirements that effectively drive network virtualization.

[Figure 4 diagram labels: Enterprise Private WAN; Data Center Backbone; Campus A, Campus B; Regional Office A, Regional Office B; Data Center A, Data Center B, Data Center C (L2/L3); Branch 1, Branch 2 ... Branch n; PTP Network/Internet]

High Availability

Consolidating and centralizing resources, as well as virtualizing technologies, makes guaranteeing data access all the more critical. Data should be available regardless of the location from which it is being served. The four key vectors that address network HA include the following:

Component

Device

Link

Site

Streamlined Operation and Management of Data Center Services

In a consolidated and virtualized environment, one of the key elements is a single management platform based on open standards that knows how to control servers, applications, storage and network infrastructure as one. Hence, it is critical to use devices and systems that support open standards-based interfaces and protocols, so that these devices and systems can all be controlled from existing and from evolving customer management systems.

High-Level Architecture

Figure 5 illustrates the Juniper Networks data center network architecture; the following lists the major architectural tiers:

Edge Services Tier: hosts all WAN services connecting to non-data center locations

Core Network Tier: connects all data center networks within and across data centers

Network Services Tier: supports WAN acceleration, Intrusion Prevention and other network services

Applications and Data Services: provides network connectivity to the data center server and application infrastructure

Data Center Backbone: provides connectivity between data center facilities for high availability, replication and disaster recovery

In the paragraphs that follow, we explore the different network tiers in greater detail.


    Figure 5: Juniper Networks Data Center Network Architecture

The data center network scalability requirements are rather significant because they must support centralized applications and data center consolidation. Hosting a large network in one location requires some modularization that allows certain services to be re-applied to applications and areas as needed.

As the data center edge network serves as the key boundary to the data center, it is responsible for maintaining reachability with all other external networks.

It is important to support network applications with an extremely fast core network that is capable of forwarding the total aggregate traffic at line rate. Effectively, the network core can span across multiple locations and multiple devices. Logically, the network core connects all data center networks directly to itself. This attribute is critical in order to offer rack/location-agnostic server-to-network binding, which is a key element in building a virtualized data center fabric that supports automatic repurposing of compute resources. Another benefit of this approach is that it maintains a more controllable HA design, so that a single device includes its own redundancy component to augment an additional device (or set of devices) as a backup system.

Extending all networks to the data center core allows flexibility to enable or disable services to each of the networks independently, in addition to allowing scalable services initiated from demand and available capacity. A virtualized approach for enabling network services optimizes performance and efficiency. A common example is a stateful firewall that provides virtual domain security by directly connecting to the core and by securing multiple physical networks. This approach proves highly useful in segmenting the network by firewall policy.

[Figure 5 diagram labels: Internet, Private WAN; Edge Services: WAN Edge, Internet Edge, M-series, ISG, WX/WXC WAN Acceleration, VPN Termination Gateway, Server Security Gateway, Internet Access Gateway; Network Services: IDP Intrusion Detection and Prevention, SA series Secure Access (SSL); Core Network: Core Device MX-series / EX8200 Series, Core Firewall SRX-series; Applications and Data Services: EX4200 Series access switches, IP Storage Network, Internal Storage Network, External Storage Network, Infrastructure Storage Network]


Edge Services Tier

The Edge Services tier is responsible for all connectivity and network-level security aspects (up to Layer 4) to connect the data center to the outside world. Typically, routers and firewall/VPNs are located in this tier. It is likely that the data center connects to various leased lines connecting to partners, branch offices and to the Internet. For connecting all of these networks, it is important to plan for the following:

Internet routing isolation, for example separating the exterior routing protocols from the interior routing protocols

Network Address Translation (NAT) to convert your private IP addresses to public Internet routable IP addresses

IPSec VPN tunnel termination for partner, branch and employee connections

Border security to enforce stateful firewall policies and content inspection

Quality of service (QoS)

Network architects have often used L2 switches at the edge to form a hierarchical mesh, with the intention of allowing a multitude of links to provide fault protection during failure. The Juniper Networks solution employs Juniper Networks M-series multiservice edge routers and Integrated Security Gateway (ISG) firewalls or SRX firewalls. Juniper Networks leverages the routing functionality of the firewalls to provide a routed connectivity solution instead of a traditional switched mesh approach. This method places failure detection and correction into a domain that is solely routed, providing more effective and intelligent network resource use. The direct protocol interaction between the routers (without intervening switches) eliminates the typical layer of Ethernet switches that are commonly used at the edge.

Edge Services Connectivity

Figure 6 shows the Juniper Networks edge services design and illustrates how the edge services tier connects multiple external networks to the data center. Edge Services provide all connectivity and network-level (up to L4) security aspects for connecting the data center to the outside world. The edge routers and firewall VPNs reside in this tier.

The edge routers are Juniper Networks M-series routers and are the edge devices for both Internet and private WANs. The M-series routers were selected for two primary reasons: interface capacity and throughput.

Each router has a single connection to the Internet (or private WAN). Connectivity between the edge routers to each ISG firewall creates a fully meshed network. You can link the edge routers to each other using a single gigabit Ethernet link that provides a transit path around a less preferred or failed path. In addition, Juniper Networks uses redundant hardware, Dynamic Routing Protocols (DRPs) and fully meshed links to minimize the number of failure cases that could impede business continuity.

Edge Services High Availability

The Edge Services tier should provide HA at three levels where appropriate:

Link

Device

Component


Link-level high availability should be applied at all Internet connections, and in cases where additional data centers are available, it is best to keep a single leased line/private WAN connection in each data center. Device-level high availability is relevant only when we enable the link-level high availability setting, as multiple devices cannot utilize a single link themselves. Hence, Internet-facing routers and devices located within the edge services layer should support device-level high availability. Additionally, component-level high availability such as multiple power supplies, fans and route engines should be mandatory for edge-deployed devices.

Figure 6: Data Center Network Edge Services

In this solution, dynamic routing determines the flow of traffic. Each tier is deployed as a fully meshed solution. As a result, redundant paths are provided on each redundant device. During a link failure, a single device is not lost, and this increases environment uptime by avoiding bringing down a viable path unless necessary.

During a failure, the network requires a minimum of one additional redundant path to route around the failure. While this design itself offers high availability, the addition of a second data center further ensures high availability, as an entire data center could be lost without losing network operability.
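The fully meshed, dynamically routed edge design described above can be checked mechanically before it is built: model the links as a graph and enumerate which link-failure sets leave the core unable to reach the upstream network. The block below is an added example written for this page, not Juniper code; the topology (two edge routers with one upstream link each and a transit link between them, fully meshed to three edge firewalls that connect to the core) is a constructed assumption modelled on Figure 6.

```python
"""Added example: single-failure survivability of a fully meshed edge tier.

Constructed topology (an assumption modelled on Figure 6): two edge routers,
each with one upstream connection and a transit link between them, fully
meshed to three edge firewalls that in turn connect to the core. find_cuts()
enumerates link-failure sets and reports those that cut the core off from the
upstream, i.e. the failures that dynamic routing could not route around.
"""
from collections import deque
from itertools import combinations

EDGE_LINKS = [
    ("upstream", "rtr-a"), ("upstream", "rtr-b"),   # one Internet/WAN link per router
    ("rtr-a", "rtr-b"),                             # router-to-router transit link
    ("rtr-a", "fw-1"), ("rtr-a", "fw-2"), ("rtr-a", "fw-3"),
    ("rtr-b", "fw-1"), ("rtr-b", "fw-2"), ("rtr-b", "fw-3"),
    ("fw-1", "core"), ("fw-2", "core"), ("fw-3", "core"),
]


def build_graph(links):
    """Undirected adjacency sets from a list of (a, b) link tuples."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def reachable(graph, src, dst, failed=frozenset()):
    """Breadth-first search that ignores any link in `failed` (a set of frozenset pairs)."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph.get(node, ()):
            if nxt in seen or frozenset((node, nxt)) in failed:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return False


def find_cuts(links, src, dst, max_failed=1):
    """Return every set of up to `max_failed` simultaneously failed links that
    leaves `src` unable to reach `dst`. An empty result for max_failed=1 means
    no single link on that path is a point of failure."""
    graph = build_graph(links)
    cuts = []
    for size in range(1, max_failed + 1):
        for combo in combinations(links, size):
            failed = frozenset(frozenset(link) for link in combo)
            if not reachable(graph, src, dst, failed):
                cuts.append(combo)
    return cuts


if __name__ == "__main__":
    print("single-link cuts:", find_cuts(EDGE_LINKS, "core", "upstream", 1))
    print("double-link cuts:", find_cuts(EDGE_LINKS, "core", "upstream", 2))
```

With the constructed mesh, no single link failure disconnects the core; the only two-link cut is the loss of both upstream connections, which is exactly the case the paper's second data center is meant to cover. Dropping the second router from the link list makes its single upstream link a point of failure, which the same function reports.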

Edge Services Performance

As in any other major server concentration, the data center should terminate a large number of WAN acceleration tunnels. These tunnels correspond to as many remote sites as are appropriate for optimal user experience and performance. Some of the WAN acceleration technologies include redundant WAN acceleration tunnels and load-balanced WAN acceleration clusters. Both technologies integrate by using intelligent traffic rerouting techniques in the data center.

Edge Services Security

The edge services network serves three major security functions. First, it protects against Denial of Service (DoS) attacks, which are most efficiently controlled at the data center edge without using other valuable processing resources. Second, the edge tier firewalls can perform stateful inspection. Third, we implement VPN secure connectivity services. This section covers the design guidelines for these three security functions. These functions cover the protection against the threats outlined in NIST recommended best practice, as stated in the Guide to General Server Security [2].

[2] Guide to General Server Security, Recommendations of the National Institute of Standards and Technology, Special Publication 800-123, http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf

[Figure 6 diagram labels: Internet, Private WAN; Edge Services: M-series edge routers, ISG firewalls as Internet Access Gateways, Server Security Gateways and VPN Termination Gateway, WX/WXC WAN Acceleration, HA pairs; Core Network: Core Device MX-series / EX8200 Series (two units)]

For large data centers, Juniper Networks recommends using three sets of firewalls in the Edge Services tier. The first set, the Internet firewalls, must connect to the Internet and receive routing information from the edge routers to enable outbound traffic routing to the Internet. The second set, the Secure Services Gateways (SSGs), secure the server and data resources and software applications for inbound traffic that originates from the Internet. The third set, the IPSec VPN firewalls, comprise the connectivity hub for all remote sites and terminate IPSec VPNs from the Internet as well as from the private WAN. The IPSec firewalls also terminate VPN tunnels for all of the remote branches over the private WAN. To provide services to the remote branches, the IPSec VPN firewalls must connect to the network core. Although these firewalls are shown as three sets, for smaller capacities and performance requirements, it is possible to consolidate the three firewalls into one or two sets.

General DoS protection for all data center services should be performed at the Edge Services tier. This moves the security intelligence closer to the provider edge, thereby decreasing the number of devices that can potentially be compromised, especially with DoS attacks. A large flood can present challenges to any network, as it can consume all available network bandwidth and might require extra processing by stateful firewalls. Large floods result in high CPU usage and slow response times. While stateful firewalls provide much-needed visibility and fine-grained protection against a variety of floods, all stateful firewalls have an upper limit in their capacity to deal with certain types of floods, such as SYN or Internet Control Message Protocol (ICMP) floods. If a firewall is overwhelmed with a flood, the firewall experiences high CPU loads and might drop legitimate traffic. The specific rate per attack varies per firewall depending upon its configuration and software version. To protect the firewall and network against massive floods, rate limits should be implemented on routers protecting all firewall interfaces. The goal is to limit certain types of traffic, such as TCP control traffic and ICMP types, to rates which will not impact available bandwidth or overwhelm the firewall.
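The policing the paragraph above recommends can be modelled to see what actually reaches the firewall during a flood. The block below is an added example written for this page, not Juniper code and not a router configuration: it classifies packets into the two classes the text names (TCP control traffic and ICMP), holds each class to a token-bucket rate, and lets established-flow data through unpoliced. The rates, bursts and the one-second traffic mix are constructed values.

```python
"""Added example: policing state-creating traffic on a router in front of a firewall.

Models the rate limits recommended above: TCP control segments (SYN, FIN, RST)
and ICMP are each held to a token-bucket rate before they reach the stateful
firewall, while segments of established flows pass unpoliced. Illustrative
Python, not Juniper code; rates, bursts and the traffic mix are constructed.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Packet:
    t: Fraction            # arrival time in seconds (exact, so results are reproducible)
    proto: str             # "tcp" or "icmp"
    flags: str = ""        # TCP flag letters, e.g. "S", "SA", "A", "R"


class TokenBucket:
    """Token bucket policer: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, Fraction(0)

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def classify(pkt):
    """Map a packet to a policed class, or None for traffic that is not policed."""
    if pkt.proto == "icmp":
        return "icmp"
    if pkt.proto == "tcp" and set(pkt.flags) & set("SFR"):
        return "tcp-control"   # setup/teardown segments create or remove firewall state
    return None


def police(packets, limits):
    """Run packets through per-class policers.

    `limits` maps class -> (rate, burst).
    Returns ({class: (passed, dropped)}, list_of_passed_packets).
    """
    buckets = {cls: TokenBucket(*cfg) for cls, cfg in limits.items()}
    stats = {cls: [0, 0] for cls in limits}
    passed = []
    for pkt in sorted(packets, key=lambda p: p.t):
        cls = classify(pkt)
        if cls is None:
            passed.append(pkt)            # established-flow data is never policed
        elif buckets[cls].allow(pkt.t):
            passed.append(pkt)
            stats[cls][0] += 1
        else:
            stats[cls][1] += 1            # dropped at the router, never reaches the firewall
    return {cls: tuple(v) for cls, v in stats.items()}, passed


def syn_flood_demo():
    """Constructed one-second mix: a 1000 pps SYN flood, 10 pings and 50 data segments."""
    flood = [Packet(Fraction(i, 1000), "tcp", "S") for i in range(1000)]
    pings = [Packet(Fraction(i, 10), "icmp") for i in range(10)]
    data = [Packet(Fraction(i, 50), "tcp", "A") for i in range(50)]
    limits = {"tcp-control": (100, 20), "icmp": (5, 5)}   # (rate in pps, burst in packets)
    return police(flood + pings + data, limits)


if __name__ == "__main__":
    stats, passed = syn_flood_demo()
    print(stats, "forwarded to firewall:", len(passed))
```

With these constructed limits the 1000-packet SYN burst is cut to 119 segments (the 20-packet burst allowance plus the 100 pps sustained rate), the firewall's session table sees only that much, and the 50 data segments of established flows are untouched. The two knobs that matter in a real policer are the same ones here: the sustained rate should sit below the firewall's measured state-creation capacity, and the burst should be just large enough for legitimate connection spikes.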

As part of the VPN design and encryption protocol selection, there are trade-offs that must be made. Organizations should choose the strongest encryption that does not compromise the performance requirements for the network. Encryption algorithms should be based on a balancing act between security and performance. A longer key length provides more security against brute force attacks, yet might require more computational power. Therefore, this approach provides less performance for encrypting large amounts of data. Note that performance considerations should be made for all devices participating in the VPN, not only devices that terminate at the headend. Satellite devices might not be as powerful as the application-specific integrated circuit (ASIC)-accelerated, crypto-powered headend systems. When analyzing the elements, it is important to acknowledge the handshake protocol encryption requirements. These typically use asymmetric encryption algorithms for improved security and might affect the devices dramatically, especially with many VPN peers. One also must consider bulk encryption algorithms. Typically, these algorithms must be symmetrical and at a minimum not be influenced by design due to hardware assistance and the lower cost of handshakes. However, if the design presents few VPN peers and large amounts of data transfer, this element should be considered; the lowest common denominator will be the speed that determines the VPN capacity. Finally, one should consider hashing algorithms. This selection is primarily done based on security requirements, but if hardware assistance is involved, then design considerations diminish.

Core Network Tier

The Juniper Networks design employs a data center network architecture consisting of two logical forwarding tiers rather than a traditional 3-tier model. Traditional 3-tier networks add an aggregation network between access networks and core networks, and they are the primary method to extend networks because of scalability limitations with most available core network devices. Aggregation at the core allows for more flexibility and easier support for virtualization, but it requires high-speed processing and high availability levels.


One of the biggest advantages of a 2-tier design is a dramatic reduction in the number of devices. Reducing the number of devices provides the following advantages:

Produces significant power savings

Reduces the facilities footprint of the system

Offers simplified device management

Allows tighter security control

Reduces the number of system failure points

The scalability of the 2-tier model is typically limited by the scalability of the core network devices. The more traditional 3-tier design, which allows for high scalability requirements, is not discussed in this paper.

Core Network Connectivity

The core network provides the key data center fabric connectivity by connecting routers, servers, appliances and storage devices. It does not directly allow connections between the different networks that connect to the core, as each network must be contained in a separate Virtual Routing and Forwarding (VRF) routing instance. In cases where traffic should traverse between the VRFs, the core firewall performs the forwarding according to the security policy. Effectively, the core firewalls should connect between the different networks that reside in the same data center (see Network Services Tier).

Core Network HA

The core network is a key component in enabling high availability in the data center network. By connecting all networks to the core network with full redundancy at the core, high availability is achieved without added complexity and dependency on the network protocols and convergence. Traditionally, adding high availability requires redesign of the network, whereas by using standards-based redundancy protocols and a core network approach, high availability is provided at lower operational overhead. In addition to adding redundant devices, it is extremely important to ensure that the core data center devices support in-service operations such as hot-swap interfaces and software upgrades.

Core Network Virtualization

To achieve network virtualization from the server through the network core, there are a variety of options to consider. For all options, a key assumption is the deployment of network systems that deliver line-rate throughput even when all features are turned on. In general, there are two possible approaches:

Extend VLANs from the access layer or server all the way to the network core

Use VLANs between servers and access devices and divide the network by using MPLS from that point on through the core

There are advantages and disadvantages to each approach, and each approach might be more practical on a different scale and for data center operators with different skill sets. VLANs that extend all the way to the core are more appropriate for smaller networks. However, in the case of larger networks that face VLAN scaling limitations with more elaborate QoS requirements, MPLS is the preferred choice. Regardless of the approach, the Juniper Networks data center network architecture and solution components provide both approaches without sacrificing performance.

Multiple instances of a single VLAN, residing in different physical access networks, can be joined at the core network across line cards (or not) without impacting performance. Additionally, multiple distinct VLANs, all connecting to a single access switch port, can be seamlessly reclassified and associated with MPLS Label Switched Paths (LSPs) with unique QoS and connectivity characteristics.

The Juniper Networks 2-tier architecture provides for a more flexible design option, as depicted in Figure 7. The MX-series Ethernet Services Routers (ESRs) or EX 8200 series switches reside in the core network and Juniper Networks EX-series Ethernet switch platforms reside in the access layer.


    Figure 7: Data Center Core Network and Network Services

Network Services Tier

The network services tie closely to the network protocols that support data center applications. Network services are generally divided into two main categories:

Security services

Application services

Throughout this section, we describe both services in greater detail and address the key elements that comprise the data center network architecture.

The Network Services tier should extend itself to any of the server networks hosted in the data center, and apply a network-specific policy and set of configurations to behave appropriately with the traffic in that particular network section. For example, using a security service such as traffic SYN checking/sequence number checking might only be required for servers available to the outside world. Therefore, the architecture should support the application of these features only to those systems or networks. Most importantly, key characteristics are enabled by a direct logical attachment to the network core of the data center.

Leveraged throughout is the Network Services tier's ability to extend a shared pool of network services to any of the server and data networks, while allowing for granular and specific network service settings for each one of the services. The network services are virtually available for each of the backend data and service networks by sharing the network service resources across the entire data center. This approach allows the network designer to intelligently deploy network services to different applications and networks in the data center. Virtual instances are a key consideration in designing the Network Services tier.

[Figure 7 diagram labels: Private WAN, Internet; M-series edge routers; ISG firewalls as VPN Termination Gateway, Server Security Gateways and Internet Access Gateways; WX/WXC WAN Acceleration; Network Services: Secure Access (SSL) SA series, Intrusion Detection and Prevention IDP, WAN Acceleration, X Connect; Core Network: Core Device MX-series / EX8200 Series (two units), SRX Core Firewall (two units); Applications and Data Services: EX4200 Series access switches, IP Storage Network, External Servers Network, Internal Servers Network, Infrastructure Servers Network]

Figure 8 illustrates the connectivity systems (MX-series ESR/EX-8200), application systems (Network N), and the network service systems (depicted on the far right of the diagram). This diagram provides a core network perspective and shows the interaction between the core and the pooled service devices. The network services include the following systems:

Security services, such as firewalls, Intrusion Detection and Prevention

Application frontend services, such as server load balancing, SSL offload, HTTP cache, TCP multiplex, and global server load balancing (GSLB)

Figure 8: Connectivity Systems, Application Systems and Network Service Systems

Data Center Security Services

One of the most important services of the Network Services tier is the security service. The security service essentially controls segmentation of the data center into separate networks, and it enables secure connectivity between the different networks. Because security services are broadly used, multiple devices participate in the application of security services to the data center server network. These security services at the data center network services layer provide the necessary isolation and policy control for communication between servers located in the data center. These security services also address the requirements specified in the NIST recommended best practices to protect the data center network from any attacks or malicious activity from un-patched or compromised servers. Refer to the Guide to General Server Security [3].

[Figure 8 diagram labels: Edge Firewalls: Inbound Firewall (ISG Series), Outbound Firewall (ISG Series), VPN Firewall (ISG Series); Core Network: Core Switch MX960/EX 8200 with VRF 1, VRF 2, VRF 3, VRF 4 and EXT; Network Services: Core Firewall (SRX, NS Series), AFE, SSL VPN (SA Series); Apps and Data Services: Network 1, Network 2, Network 3, Network 4]

[3] Guide to General Server Security, Recommendations of the National Institute of Standards and Technology, Special Publication 800-123, http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf

Stateful firewalls are the cornerstone of the data center network's security service. Stateful firewalls enforce a security policy that aligns with business and operational requirements through the identification and classification of networks. In addition to being the primary L4 access control system, the firewalls help with many security functions in the data center, such as service DoS or quota protections, Deep Inspection for specific applications where it is required and also potential network address translation.

Generally, the first layer of defense inside the data center is the stateful firewall. However, it is important to recognize that the firewall must be capable of extending a logical subset of its functionality as you dedicate the firewall to a specific data center network. The minimum amount of resources that the firewall must dedicate is a separate control and forwarding engine (virtual router), such that all traffic streams are totally isolated and forwarding decisions will not mistakenly puncture the security protections. An additional attribute in designing a consolidated data center services instance is high availability capabilities, which must extend particularly to the services layer in order to truly design a network that depends on the services for its core functionality.

The Juniper Networks NetScreen firewall systems can split into separate virtual domains of control and forwarding instances, or Virtual Systems (VSYS), creating separate virtual domains that allow autonomy to different departments to control their security policies. To connect all of the core networks, the core firewall must participate in routing protocols within the data center network.

The Juniper Networks SRX 5800 service gateway provides 120 Gbps firewall, 30 Gbps IDP and 350,000 connections per second. Equipped with a full range of security features, the SRX 5800 is ideally suited for securing large data centers.
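The two rules stated in Core Network Connectivity and in this section (every network attached to the core lives in its own VRF, so the core never forwards between networks itself; traffic crosses VRFs only when the core firewall's policy permits it, and each virtual system owns its own policy set) can be captured in a small model that answers "would this flow be forwarded, and by whom?". The block below is an added example written for this page, not Juniper code and not a description of Junos or ScreenOS internals; the VRF names, addressing, virtual system names and policy rules are constructed assumptions.

```python
"""Added example: core VRF isolation with a core firewall between instances.

Model of the design rules in this paper: each network attached to the core is a
separate VRF whose routes are invisible to the others; a flow between two VRFs
is forwarded only if the core firewall's policy for the requesting virtual
system (VSYS) permits it. Illustrative Python, not Juniper code; all names,
prefixes and rules are constructed.
"""
import ipaddress


class Core:
    """Core switch/router holding one independent routing table per VRF."""

    def __init__(self):
        self.vrfs = {}            # vrf name -> list of (ip_network, next_hop)

    def attach(self, vrf, prefix, next_hop):
        self.vrfs.setdefault(vrf, []).append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, vrf, dst):
        """Longest-prefix match inside one VRF only; other VRFs are not consulted."""
        addr, best = ipaddress.ip_address(dst), None
        for prefix, nh in self.vrfs.get(vrf, []):
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None

    def vrf_of(self, ip):
        """Which VRF's address space an address belongs to (None if unknown)."""
        addr = ipaddress.ip_address(ip)
        for vrf, routes in self.vrfs.items():
            if any(addr in prefix for prefix, _ in routes):
                return vrf
        return None


class CoreFirewall:
    """Policies grouped per virtual system; each VSYS sees only its own rules."""

    def __init__(self):
        self.vsys = {}            # vsys name -> list of (from_vrf, to_vrf, proto, dport)

    def permit(self, vsys, from_vrf, to_vrf, proto, dport):
        self.vsys.setdefault(vsys, []).append((from_vrf, to_vrf, proto, dport))

    def allows(self, vsys, from_vrf, to_vrf, proto, dport):
        return (from_vrf, to_vrf, proto, dport) in self.vsys.get(vsys, [])


def forward(core, fw, vsys, src, dst, proto, dport):
    """Decide a flow: ('intra', next_hop), ('inter', next_hop) or ('deny', reason)."""
    src_vrf = core.vrf_of(src)
    if src_vrf is None:
        return ("deny", "unknown source network")
    nh = core.lookup(src_vrf, dst)
    if nh is not None:
        return ("intra", nh)                  # same VRF: the core forwards directly
    dst_vrf = core.vrf_of(dst)
    if dst_vrf is None:
        return ("deny", "no route")           # no VRF leaks routes into another
    if not fw.allows(vsys, src_vrf, dst_vrf, proto, dport):
        return ("deny", f"policy: {src_vrf}->{dst_vrf} {proto}/{dport} not permitted")
    return ("inter", core.lookup(dst_vrf, dst))   # hairpin through the firewall into dst VRF


def demo():
    """Constructed networks and one department's policy, evaluated for five flows."""
    core, fw = Core(), CoreFirewall()
    core.attach("external", "10.1.0.0/16", "ex4200-ext")     # constructed addressing
    core.attach("internal", "10.2.0.0/16", "ex4200-int")
    core.attach("storage", "10.3.0.0/16", "ex4200-stor")
    fw.permit("finance", "external", "internal", "tcp", 443)  # finance VSYS: web tier -> app tier
    return {
        "web_to_web": forward(core, fw, "finance", "10.1.0.5", "10.1.0.9", "tcp", 80),
        "web_to_app_https": forward(core, fw, "finance", "10.1.0.5", "10.2.0.7", "tcp", 443),
        "web_to_app_ssh": forward(core, fw, "finance", "10.1.0.5", "10.2.0.7", "tcp", 22),
        "hr_vsys_same_flow": forward(core, fw, "hr", "10.1.0.5", "10.2.0.7", "tcp", 443),
        "web_to_storage": forward(core, fw, "finance", "10.1.0.5", "10.3.0.2", "tcp", 3260),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The model makes the isolation property explicit: a compromised host in the external network cannot reach the internal or storage networks through the core at all, only through a firewall rule that names that VRF pair, protocol and port, and a rule granted in one virtual system says nothing about another. That is the property to verify when auditing a consolidated core firewall, whether by reading the policy or by testing flows across each VRF pair.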

Application Security

In addition to assuring secure connectivity at L4, the Network Services tier should employ application security services such as Intrusion Prevention to protect the data center infrastructure. Because these application services are available to all users coming from insecure locations, the risk of application misuse or application DoS increases. In addition, because multiple applications are co-located, this creates a chain effect in which each application is affected by the risk to which another is exposed.

The platforms should support the level of performance required by the data center and be able to inspect L7 information at line-rate speeds. It is necessary to understand that the protocols deconstruct the data streams and build the right context to look for application threats. Therefore, a powerful and rich application protocol decoder is necessary. Also, the integration of the application protocol decoding into firewalls is a key consideration to help reduce the number of devices and to increase overall effectiveness. Finally, virtualization for a context-based security policy application, in which the security systems are able to uniquely treat different networks and applications, is another important consideration.

    Application Front Ending Services

    It is important to nd ways to scale the data center services without a linear increase in the

    hardware ootprint and to ensure that the design does not increase the operational complexity A

    key component o the Network Services tier is a solution that enables ofoading o non-specialized

    services rom the data center servers

    One should consider deploying a system that supports acceleration or the dierent application tiers

    and also provides comprehensive capabilities around the more common and emerging application

    areas like Web 20 A data center acceleration solution should boost the perormance o both client-

    server, Web-based, and server-to server-applications, as well as speeding Web page downloads In

    addition, the acceleration solution should ofoad CPU-intensive unctions such as TCP connection

    processing and HTTP compression rom backend applications and Web servers For its part, the

    application acceleration platorm should be seamlessly expandable through stacking or clustering

    o multiple devices In addition to advanced trac management and acceleration, the application

    ront ending service should serve as a standard load balancer This means orwarding trac to its

    destination address rom a pool o available addresses


Organization/business requirements drive the need to allow different applications to be treated differently, and to allow different departments to control and define what acceleration and front ending characteristics they require from the network service. Our solution addresses these requirements.

Applications and Data Services Tier

The core network tier connects to the data center services and applications tier, which hosts all of the servers, databases and storage. Generally, there are four types of networks, and there can be multiple instances of each type. Primary reasons for the multiple instances are separation of duties within the company and differentiated business objectives and IT requirements for the different networks. Figure 9 illustrates the four networks. A description of the four networks is as follows:

External Applications Network: there can be multiple external networks serving separate network segments. These typically include applications such as the public Web site, public mail transfer agent (MTA), Domain Name System (DNS) services, remote access and potentially file services that are available through unfiltered access.

Internal Applications Network: multiple internal networks serving different levels of internal access from within the campus or branch locations. These networks typically connect internal applications such as finance and human resources systems. Partner applications also reside in the internal network, as do any specific applications that are exposed to partners, such as inventory systems and manufacturing information.

Infrastructure Services Network: only servers that are accessible to users are allowed to access infrastructure networks. These are intended to operate only on an automatic basis, and performance usually is quite predictable. Common examples of infrastructure services include Lightweight Directory Access Protocol (LDAP), databases, file sharing, content management and middleware servers.

Storage: storage networks, such as Fibre Channel, InfiniBand or Internet Small Computer System Interface (iSCSI), are part of the storage networks. Critical application servers directly connect to the storage devices through a separate Host Bus Adapter (HBA) to ensure fast access to data. Other servers connect using Ethernet to access storage facilities.

Figure 9: Data Center Application Network Types/Purposes

[Figure: Data Center Services and Applications, showing the four network types and representative protocols. Externally Facing Applications: GSLB, DNS, SMTP, SSL, FTP. Internally Facing Applications: DNS, LDAP, SMTP, MAPI, Web Apps (J2EE, ASP), SIP, RTSP, CIFS. Infrastructure Services and Applications: SQL, LDAP, CIFS, Content Management. Storage: iSCSI, FC, CIFS. Additional labels: Infrastructure, Management.]


The applications and data services tier is primarily responsible for connecting and wiring all servers. Juniper Networks solution provides flexible deployment options using its Ethernet switching platform and virtual chassis capability. Below are several flexible deployment options that Juniper Networks provides:

Redundant access switch top of the rack deployment
Server link aggregation with top of the rack deployment
End of the row access switch deployment

Redundant access switch top of the rack deployment: This deployment option requires two high-speed, independent top-of-rack switches that connect to the core network. In data center environments, servers are interconnected to access switches deployed within server racks. These access switches are often referred to as top-of-rack switches due to their location within the data center. Top-of-rack switching provides increased levels of availability because of multiple independent operating characteristics and physical power sources. Servers connect to two different physical switches, each part of a separate virtual chassis ring. Each ring in turn connects to the core network while using a loop detection and high availability L2 protocol.

Data center application connection is as follows:

Each server has two 1 Gbps access network switches; each server connects to a separate access switch for redundancy purposes.
The access switching layer connects to the core network using 10 Gbps uplinks; each access switch has separate 10 Gbps links.
The server connection links and access switch uplinks can use VLAN trunking technology to support both server virtual location and aggregation; aggregating multiple L2 networks in this way uses fewer connections.

Each internal and external applications network can be segmented into several sub-networks (see Figure 10). The servers that host these applications connect with at least a 1 Gbps (currently moving towards 10 Gbps) link to the Juniper EX-series Virtual Chassis switch. The EX-series Virtual Chassis switch connects to the network core through a 10 Gbps connection. Depending on the number of servers, multiple EX-series Virtual Chassis might be required, as shown in Figure 10. Juniper Networks recommends dual homing the access layer switches using L3 with OSPF equal-cost multipath (ECMP) instead of the Spanning Tree Protocol (STP) for deterministic behavior and minimal packet loss.

Figure 10: Application and Data Services Network View

[Figure: the Application and Data Services layer with two EX4200 Series Virtual Chassis (VC 1 and VC 2) connected to servers over 10/100/1000BASE-T/TX links and dual-homed to the Network Core devices (MX-series / EX8200 Series) over 10GBASE-SR LAG uplinks.]


In data center environments, servers are interconnected to access switches deployed within server racks. Typically, top-of-rack access switches are deployed in pairs to redundantly support servers within a single rack. Juniper Networks EX 4200 Virtual Chassis offers several advantages when deployed as a top-of-rack access switch. The EX 4200 supports a maximum of 48 10/100/1000BASE-T/TX interfaces for attached server devices at 1 Gbps wire-rate per interface. As a result, performance is not compromised. Also, each EX 4200 offers additional wire-rate uplink interfaces, with a maximum of four GbE or two 10GbE uplink modules for interconnecting from the top of rack back to the data center core.

Server link aggregation with top of the rack deployment: This deployment requires two high-speed top-of-rack switches that connect to the core network. Both switches are part of the same virtual chassis (the virtual chassis can extend to multiple racks; a maximum of 10 switches can be part of the same virtual chassis). Data center servers can connect to both switches located at the top of rack with link aggregation technology. This deployment provides flexible top-of-rack deployment with the additional advantage of desired high availability features such as switch/link/uplink/power and fabric redundancy. This approach also provides efficient network bandwidth utilization by actively using both links between server and access switch and by increasing network throughput. The virtual chassis can be dual-homed with an uplink to the core switches using an L3 connection with OSPF equal-cost multipath (ECMP), instead of using STP, for deterministic behavior and minimal packet loss.

End of the row access switch deployment: With this deployment, all connections from the data center servers are extended to the switching rack at the end of the row. This deployment model was preferred because of the high availability features of a chassis-based solution, which are typically not available with small form factor top-of-rack switches. With Juniper Networks virtual chassis technology, we can deploy top-of-rack switching with all of the high availability features of an end-of-row deployment. We can easily deploy a virtual chassis or the EX 8200 platform for traditional end-of-row deployment.

With Juniper Networks virtual chassis capability, we can leverage the ease and flexibility of top-of-rack deployment without compromising any high availability features as compared to the traditional chassis-based solution. With virtual chassis technology, the top-of-rack deployment can expand between data centers located a few kilometers apart.

The EX 4200 also supports the virtual chassis concept, whereby a maximum of 10 EX 4200 switches can be interconnected through a redundant, high-speed 128 Gbps interconnect, yet still be managed and maintained as a single logical device. With the Virtual Chassis technology, the number of managed devices can be reduced by a factor of 10, significantly simplifying operations and reducing costs associated with maintaining large numbers of legacy access switches. Additionally, uplinks can be distributed across multiple EX 4200s in a single virtual chassis, providing uplink performance flexibility and added redundancy levels not found in legacy access switches.

The deployment options considered with the application and data services tier provide optimized data transfer for the data center solution. Server-to-server traffic utilizes a high throughput virtual chassis switch fabric across access switches. This provides the necessary bandwidth for data transfer between application servers and the database as well as data replication between servers. The user-to-server traffic utilizes aggregated links between the access switches and the core router using the L3 connection of OSPF and ECMP. Separating the network path for user-to-server and server-to-server traffic efficiently utilizes network links and provides a predictable, consistent user experience.
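As an added example (not configuration from this paper), the following Junos set-style fragment sketches the server link aggregation option described above on an EX 4200 Virtual Chassis: a server LAG split across two member switches, VLAN trunking on that LAG, and dual-homed routed 10GbE uplinks running OSPF with ECMP instead of STP. The member numbers, interface names, VLAN IDs, addresses and the OSPF key are assumed placeholders.

```junos
## Added example: assumed names, VLAN IDs and addresses; not from the paper.
## Virtual Chassis member 0 and member 1 are the two top-of-rack switches;
## interfaces are named ge-<member>/<pic>/<port>.

## Server LAG: one link to each member switch, so a single member or link
## failure does not isolate the server (switch/link redundancy from the text).
set chassis aggregated-devices ethernet device-count 8
set interfaces ge-0/0/10 ether-options 802.3ad ae0
set interfaces ge-1/0/10 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [ app-web app-db ]

## Application sub-networks as VLANs with routed interfaces on the VC,
## making the access layer the L3 boundary toward the core.
set vlans app-web vlan-id 110
set vlans app-web l3-interface vlan.110
set vlans app-db vlan-id 120
set vlans app-db l3-interface vlan.120
set interfaces vlan unit 110 family inet address 10.1.10.1/24
set interfaces vlan unit 120 family inet address 10.1.20.1/24

## Dual-homed 10GbE uplinks, one from each member, to the two core devices.
## Routed point-to-point links form no L2 loop, so STP is not in the path.
set interfaces xe-0/1/0 unit 0 family inet address 10.0.0.1/31
set interfaces xe-1/1/0 unit 0 family inet address 10.0.0.3/31
set protocols ospf area 0.0.0.0 interface xe-0/1/0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface xe-1/1/0.0 interface-type p2p
## Authenticate adjacencies so only the intended core devices can peer.
set protocols ospf area 0.0.0.0 interface xe-0/1/0.0 authentication md5 1 key "OSPF-KEY-PLACEHOLDER"
set protocols ospf area 0.0.0.0 interface xe-1/1/0.0 authentication md5 1 key "OSPF-KEY-PLACEHOLDER"
## Server VLANs are advertised but never form adjacencies with hosts.
set protocols ospf area 0.0.0.0 interface vlan.110 passive
set protocols ospf area 0.0.0.0 interface vlan.120 passive

## Install both equal-cost next hops toward the core (ECMP).
set policy-options policy-statement ecmp then load-balance per-packet
set routing-options forwarding-table export ecmp
```

Each core device mirrors the point-to-point addressing (10.0.0.0/31 and 10.0.0.2/31 here) and the OSPF key; a failed uplink then simply removes one next hop from the forwarding table instead of triggering a spanning-tree reconvergence.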


Storage Area Networks (SANs)

A Storage Area Network (SAN) connects servers and storage devices across a packet-switched network. Storage Area Networks allow arbitrary block level access from servers to storage devices and among storage devices. Multiple servers can therefore share storage for clustering and high availability applications. In addition, the storage devices themselves can implement data protection services, such as synchronous data replication, asynchronous data replication or data snapshots, by directly moving data to another storage device. Storage Area Networks also provide a set of configuration, directory, discovery and notification services to attached devices.

A data center typically contains multiple SANs, each serving a different application, set of applications, work group or department. Depending upon the specific requirements, these SANs can be either FC (Fibre Channel) or iSCSI-based deployments. Both Fibre Channel Protocol (FCP) and iSCSI allow block access to storage devices using SCSI commands. The Fibre Channel Protocol uses the Fibre Channel communication structure of exchanges, sequences and frames. The iSCSI protocol uses TCP/IP with an overlay of iSCSI Protocol Data Units (PDUs) to implement SCSI commands and data framing.

Fibre Channel SANs

A Fibre Channel fabric has link-level credit-based flow control, making it essentially lossless in the absence of equipment failure. Link speeds are 1/2/4 Gbps with 8 Gbps on the horizon. Fibre Channel host bus adaptors (HBAs) are FC protocol offload engines that handle most of the exchange management and all of the frame transmission and other low level protocol work. Frame forwarding is based on an equal cost multipath link state protocol, Fabric Shortest Path First (FSPF). Switch implementations do not reorder frames unless a failure occurs. The set of FC fabric services is distributed throughout the switches in the fabric.

iSCSI SANs

An iSCSI SAN can be based upon any network supporting the IP protocols. In practice, this means iSCSI SANs are built from Ethernet switches. Because iSCSI is based upon TCP/IP, it can in principle run on any switching infrastructure. In practice, depending upon the features of the Ethernet switches, the performance characteristics of TCP/IP with regard to dropped frames can limit iSCSI deployments to low performance SANs. In addition, most iSCSI deployments presently only use 1 Gbps Ethernet with software drivers, and the resulting performance does not compare favorably to FC at 2 or 4 Gbps with an offload HBA. However, iSCSI SANs can be considerably less expensive than FC SANs. The Internet Storage Name Service (iSNS) server provides all fabric services in an iSCSI SAN.

Where iSCSI-based SANs are desirable, Juniper Networks switches and core routers are excellent platforms for creating the underlying network because they support symmetric flow control using 802.3x pause frames, RED (random early detection), QoS and logical partitioning. Discards due to RED only occur in congested environments, and most SANs are designed to avoid all but transient congestion. Quality of Service allows traffic priority to be set so that storage traffic can have improved throughput and delivery characteristics during congestion. Logical partitioning allows the networking equipment that implements the SANs to be tailored to fit the needs of the specific data center and its applications.

Storage Area Networks are often linked to remote data centers so that data can be replicated as part of a BC/DR (Business Continuity/Disaster Recovery) design. The inter-data center connections can run across direct optical repeater circuits such as dense wavelength-division multiplexing (DWDM), private IP-based WAN connections or the Internet.

Fibre Channel traffic uses DWDM for metro-to-regional distances and uses specialized Fibre Channel over IP (FCIP) tunnel gateways for regional to longer distances. Using DWDM requires FC switches with FC credits sufficient to span the distance at the desired throughput. Fibre Channel over IP gateways provide complete WAN acceleration services such as compression, large buffering, security, encapsulation and tunneling for FC traffic.


The iSCSI traffic can directly traverse the WAN connection without requiring a gateway, but iSCSI implementations do not generally provide sufficient buffering to fully utilize high-speed connections. The iSCSI implementations do not contain compression or other WAN optimization features. Therefore, iSCSI WAN traffic can often benefit from a WAN acceleration device such as the WX application acceleration platforms. The iSCSI traffic also can benefit from a data security gateway providing IPSec and VPN tunnels.

Data Center Backbone

In considering the scale of processing performed at data centers and the requirements for regulatory compliance, the data center backbone is a key component in the architecture and design, primarily for disaster recovery reasons. As such, the data center backbone supports a variety of computational services such as data mirroring to ensure that accurate data is represented at multiple data centers. All of the functions that rely on a high-performance data center backbone include the following:

Data replication that supports application clustering and compliance
Data backup and restore services
The reach to a variety of location-specific services using fast and secure connectivity across data centers to support service-oriented architecture applications
Legacy clustering technology support that requires L2 connectivity (see Figure 11)

Figure 11: Data Center Backbone Connectivity

[Figure: Data Center A and Data Center B, each with core routers (MX-series / EX8200 Series) and an Ethernet X Connect, joined by DC A and DC B backbone connectivity over Ethernet PTP connections through M-series routers and a private WAN.]

Different from any other WAN interconnect, the data center backbone must offer high-speed connectivity, especially because of the real-time and consistent representations of data that need to be available across multiple data centers at any given time. In many cases, high volumes of data are exchanged between the data centers to accommodate mirroring, replication and backup operations.

The Juniper Networks data center network architecture defines a few key technical elements as enablers for the data center backbone that network architects can leverage to satisfy the requirements of their enterprise. The first element is the connectivity links encompassing high-speed data connectivity between data centers (typically using fiber-based high-speed transport). The second element is the interconnect protocol, on top of the interconnecting link, that supports the separation of traffic types for QoS and security reasons. These services can be obtained most effectively through MPLS technologies. In addition to the interconnect elements, there are the availability protocols that extend the data presence beyond a single physical location. To achieve this, an L3-based reachability or routing protocol peering exchange with Internet routers can be used to create resilient connectivity at the IP level. Additionally, employing an L7 DNS as a global server load balancing mechanism provides resilience at the service level.

Interconnectivity between data centers can be implemented using MPLS or VPLS as routing and forwarding technologies. This allows distinct IP routing information to be shared across data centers, and forwarding can be performed based on the unique, per-domain logic exchanged across the data center facilities. Multiprotocol Label Switching technologies allow for the exchange of the forwarding and routing information base to achieve consistent forwarding across all networks that interconnect using MPLS. In addition to MPLS, L2 extensions and technologies can be used so that non-IP or broadcast domain dependent/attached protocols can be connected as part of a single network. For such applications, pseudowires, data link switching (DLSw) and VPLS technologies should be used with the MPLS implementation.

Ensuring that the service is globally available and is enabled by the network services tier is a task that extends beyond the network forwarding layer. The key premise is that applications and users connect and associate themselves to name conventions other than IP (HTT