REFERENCE ARCHITECTURE


Enterprise WAN Reference Architecture

Copyright 2011, Juniper Networks, Inc.

Table of Contents

- Introduction
- Scope
- Target Audience
- Industry Trends Influencing WAN Design
- WAN Design Considerations
- Juniper's Advanced Routing Technology Solution Profile Overview
- Juniper's Advanced Routing Technology Virtualization
- Juniper's Advanced Routing Technology High Availability
- Best Practices and Tips HA:
- Juniper's Advanced Routing Technology QoS
- Best Practices and Tips QoS:
- Juniper's Advanced Routing Technology Security
- Best Practices and Tips Security:
- Juniper's Advanced Routing Technology Multicast
- Best Practices and Tips Multicast:
- Automate Ease of Management
- Use Cases
- Use Case: Enterprise WAN Private MPLS Across a Public Service Provider Network
- Use Case: Enterprise WAN Private MPLS Cloud
- Private MPLS Cloud: Some Benefits of Simplification (Before and After)
- Use Case: Data Center to Data Center Interconnectivity with L2 Stretch
- VPLS over GRE:
- Use Case: WAN Aggregation
- Use Case: Internet Edge
- Case 1: Corporate Internet Access Through Enterprise WAN
- Case 2: Internet Edge Backup Connectivity
- Conclusion
- References:
- About Juniper Networks

Table of Figures

- Figure 1: Summary of advanced routing technologies that simplify, share, secure, and automate the WAN
- Figure 2: Complementary virtualization technologies from Juniper
- Figure 3: Example of financial institution with different QoS policies by path and application
- Figure 4: Example of a distributed enterprise with multiple layers of security
- Figure 5: Ethernet Design, Network Activate, and Route Insight Juniper's key management automation tools
- Figure 6: IPsec encrypted MPLS traffic tunneled using GRE to a provider router for transport over service provider L3VPN
- Figure 7: Before Case: Real example of legacy WAN using 30 dedicated links per application to interconnect data centers, with only 1% average utilization
- Figure 8: After Case: Real deployment using Juniper's simplified WAN design using network virtualization eliminates application dedicated links
- Figure 9: Inter data center connectivity over MPLS core
- Figure 10: WAN aggregation of remote branch offices using WAN aggregation routers
- Figure 11: Internet edge access through headquarters Carried through the enterprise WAN
- Figure 12: Internet edge providing backup connectivity to the enterprise WAN

Introduction

Juniper Networks' approach to WAN design is based upon four fundamental design principles that will help customers design a simplified architecture:

- Simplify the network, by reducing the number of required network devices, links, and inherent complexity
- Share network resources through virtualization to improve asset utilization
- Secure the network comprehensively
- Automate to provision, monitor, and troubleshoot the network

Many organizations have experienced rapid growth in business requirements, applications, distributed branch offices, and data centers, and these growth factors have led to increased network complexity over time. The challenge is to transport the growing mission critical and delay sensitive traffic cost effectively while improving security and privacy over the WAN. Juniper approaches this challenge using the four design principles outlined above.

This paper examines:

- Technology and services trends such as cloud computing that impact architectural decisions
- Design considerations, which provide a basic architectural framework
- Juniper's advanced routing technology, which provides tools to address different business requirements
- Enterprise WAN use cases, which describe common deployment scenarios

Scope

This WAN reference architecture discusses WAN design concepts, and it also presents use cases and practical examples to help WAN architects and engineers address requirements for designing simplified WANs. The use cases outlined in this paper include:

- Enterprise WAN
  - Private MPLS across a public service provider network
  - Private MPLS cloud
- Data center to data center interconnectivity
- WAN aggregation
- Internet edge
  - Corporate Internet access through WAN backhaul
  - Internet edge backup connectivity

Target Audience

This paper describes Juniper Networks' simplified WAN architecture. This architecture is particularly suitable for organizations that are:

- Improving their WAN infrastructure to enhance their competitive advantage
- Deploying bandwidth-hungry applications, such as video conferencing
- Consolidating links, data centers, or servers for cost savings
- Deploying a private, hybrid, or public cloud for improving productivity

This document serves as a reference tool for the following network personnel:

- Network engineers
- Network architects
- Security managers
- IT and network industry analysts
- Juniper partners
- Any person with an interest in WAN design

Industry Trends Influencing WAN Design

WAN designs are not only impacted by business requirements, they are independently impacted by general industry trends as well. The two major trends, as shown in Table 1 below, are technology and services trends, and both have a material impact on WAN design.

Table 1: General Industry Trends Influencing WAN Design

| General Industry Trends | Business Impact | Network Impact |
|---|---|---|
| Technology | Decline in connectivity pricing; increase in availability of connectivity options | Increase in adoption of Gigabit Ethernet, L2VPN, and L3VPN; increase in adoption of many types of connectivity in the same WAN |
| Services | More availability of cloud services for applications, storage, and data | Adds pressure for WAN bandwidth; applications, storage, and data are accessed by distributed branch offices, remote data centers, and remote workers, which results in inter-communication and a mesh topology |

Technology Trends

Advancements in technology have led to an increase in WAN connectivity options and lower prices. This presents an opportunity for organizations to reevaluate their WAN designs, to improve performance, and to save costs. For example, a drop in the price of 10GbE has created an opportunity for enterprises to leapfrog in bandwidth speeds, allowing them to migrate from DS3/OC3 to 10GbE and replace private leased lines with Ethernet services.

Services Trends

Enterprises have been adopting cloud services, such as private, hybrid, and public cloud, to increase productivity and reduce costs. Using cloud services may increase WAN bandwidth requirements, as applications and data are now pushed over the WAN. The growth of WAN traffic can also occur organically as businesses add remote locations to better serve their customers. The growth of distributed branch offices, remote data centers, and remote workers commonly adds traffic over the WAN, and can also create more meshed topologies.

WAN Design Considerations

There are many WAN design considerations that can help organizations simplify, share, secure and automate their network. Below are some of these design considerations:

Simplify:

- Reduce the number of physical devices, links, and complexity: Organizations commonly reduce the number of physical storage devices and physical servers with virtualization. The same holds true for the network. The high-performance and advanced routing capabilities of Juniper Networks MX Series 3D Universal Edge Routers now make device, link, and complexity reduction possible. The reduction of physical devices and links also has a positive impact on CapEx and OpEx, power use, space consumption, and manageability.
- Reduce the number of operating systems: Change management is especially acute as the number of network operating systems increases. Juniper runs one consistent operating system across its portfolio of routing, switching, and security products. A single operating system also reduces training requirements and improves operational efficiency.
- Prepare for future expansion: Future readiness and simplification are best engineered over a period of time so that a network has sufficient overhead to accommodate future growth easily.
- Select an appropriate topology: The topology of the network (such as mesh, hub and spoke) and the traffic pattern are important design considerations, because the choice impacts not only cost but also the responsiveness of the business.

Share:

- Share network resources through virtualization to dramatically improve asset utilization, privacy, and traffic segmentation: Juniper offers a number of virtualization technologies that go all the way from link virtualization, to device virtualization, and to network virtualization.
- Increase resiliency and reliability across network resources: Network resiliency and reliability are critical to maintaining business continuity and regulatory compliance, and organizations can not only improve network device resiliency and reliability, but also improve that of WAN connectivity.
- Add traffic engineering, where appropriate, to optimally share network resources: Today's bandwidth-hungry applications are consuming ever increasing amounts of network bandwidth and are impeding the performance of mission critical data. Traffic engineering offers another valuable tool to optimize network resources.

Secure:

- Improve security and compliance: Enterprises are increasingly subject to regulatory compliance mandates that require critical data to be separated from other data in the enterprise network. Further, enterprises must ensure that their data is protected from an ever increasing range of attacks. Juniper offers many technologies to improve privacy, security, and compliance.

Automate:

- Improve manageability: Automated provisioning, monitoring, and troubleshooting improve manageability, enhancing business agility and reducing OpEx.

Juniper's Advanced Routing Technology Solution Profile Overview

Juniper provides organizations with a wide range of advanced routing technologies to meet design considerations such as high manageability, resiliency, application performance, security, and compliance:

- Virtualization: Network virtualization features make applications completely transparent to underlying network architecture. This allows changes to architecture without impact to applications, enabling greater flexibility. Virtualization also provides better utilization of resources for lowering costs and improving power utilization.
- Low latency multicast: Multicast technologies provide timely delivery of services to a large number of users, and distribute that traffic efficiently.
- Carrier-class reliability: Juniper provides hardware resiliency, and also network and software redundancy.
- Quality of service (QoS): Sophisticated policies expedite delay sensitive content with predictable and measurable results.
- Security: Security is enhanced using a combination of countermeasures such as separation of traffic for privacy, as well as techniques to provide network-layer and application-layer security.
- Consistent operating environment: Juniper Networks Junos operating system provides a common language across Juniper's routing, switching, and security devices, and is also easily upgradable with unified in-service software upgrade (unified ISSU) for full releases.

[Figure 1: Summary of advanced routing technologies that simplify, share, secure, and automate the WAN. The figure shows the advanced routing portfolio layered on Junos OS and advanced silicon and hardware: Virtualization (GRE, MPLS, VPLS, Logical Systems, Virtual Router, Virtual Chassis); Low-Latency Multicast (ASIC based forwarding and replication, P2MPTE); Carrier-Class Reliability (fully redundant hardware, ISSU, FRR, BFD); QoS (hierarchical queuing, commit scripts, statistical reporting); Security (IPsec, NAT, stateful firewall, firewall filters, DAA).]

Figure 1 shows Juniper's advanced routing technologies layered on top of our innovative advanced silicon and hardware, such as our latest 3D Trio chipset. Juniper's advanced hardware is supported by a single operating system, Junos OS, and a single release train that works across routing, switching, and security platforms. The powerful Junos OS drives Juniper's advanced routing portfolio. The following sections provide more details of the major components of advanced routing.

Juniper's Advanced Routing Technology Virtualization

Virtualization is one of the most important advanced routing technologies. Links, network devices, and the network itself can be virtualized to provide higher asset utilization and significant cost savings. Three major virtualization categories are complementary to one another:

- Device partitioning (1:N): Takes one physical device and partitions it into logical devices. Examples of device partitioning include VLANs, VPN routing and forwarding (VRF), integrated routing and bridging (IRB), virtual routers and bridges, and Juniper Networks JCS1200 Control System.
- Network communication (N:M): Provides many-to-many communication. Includes MPLS, and consists of L3VPNs (MPLS, generic routing encapsulation, IPsec), and L2VPNs (virtual private LAN service, pseudowires, 802.1Q).
- Device aggregation (N:1): Takes many physical devices and aggregates them into logical devices. Examples include Virtual Chassis, multichassis link aggregation group (LAG), Juniper Networks TX Matrix, and the JCS1200 Control System.

[Figure 2: Complementary virtualization technologies from Juniper. The figure maps the three virtualization categories (Device Partitioning 1:N, Network Communication N:M, Device Aggregation N:1) to Juniper's key virtualization technologies and other virtualization technologies.]

For a more detailed discussion of virtualization in the enterprise, please see: Extending the Virtualization Advantage with Network Virtualization.

Network Virtualization with MPLS

[Diagram: Network Virtualization (with MPLS), surrounded by its benefits: Privacy, Network Segmentation, Enhance User Experience, Improve Network Resiliency, Scale for Future Growth.]

Many customers have deployed private MPLS network virtualization because of the wealth of benefits that it provides. MPLS brings the benefits of circuits to IP, including:

- Privacy and Network Segmentation: Virtualization supports network segmentation and privacy. Organizations can obtain the benefits of segmentation of traffic without dedicated links.
- Enhanced User Experience: Enhances the end user application experience with traffic engineering, which enables fine-tuning of the network to deliver appropriate levels of QoS and service-level agreements (SLAs).
- Improved Network Resiliency: Improves network resiliency with features like MPLS fast reroute, enabling sub 50 millisecond reroute.
- Scale for Future Growth: Boosts network scalability and performance to provide head room for future growth.

Juniper's Advanced Routing Technology High Availability

Organizations that desire increased resiliency and reliability can benefit from Juniper's high availability (HA) technology. Organizations can select an appropriate level of link and device redundancy that supports their HA requirements, per given location.

Link-level HA requires two links to operate in an active/backup setting so that if one link fails, the other takes over (or likely reinstates) the forwarding of traffic. Link-level resiliencies provide both fault detection and mitigation techniques that can be effectively combined to address failures. Some examples include:

- Bidirectional Forwarding Detection (BFD) provides proactive link fault detection and mitigation by detecting faults and using MPLS fast reroute to switch to the alternate path within 50 ms.
- Link aggregation group (LAG), multichassis link aggregation (MC-LAG), and Ethernet ring protection provide additional link-level resiliencies at Layer 2.

Device-level HA complements link-level HA and includes:

- Graceful restart, which provides nonstop forwarding through individual routing protocol restart and convergence.
- Unified ISSU, which enables upgrading full software releases while the router is still operational, without requiring that the router be brought down during a scheduled maintenance window.
- Virtual Chassis, which combines multiple switches or routers into a virtual entity that can provide protection for node failures and failure of links connected to the Virtual Chassis. Virtual Chassis technology allows organizations to incrementally upgrade their switching or routing capacity by adding additional devices to the Virtual Chassis.

For a detailed technical description of Juniper's HA features, please refer to HA Technical Documentation.

Best Practices and Tips HA:

- Enterprises deploy collocation data centers to achieve greater resiliency. The traffic flow to and from any of these collocation centers into the WAN must be designed such that it is symmetric to prevent asymmetric routing issues. Grouping routers based on BGP community strings will also mitigate asymmetric routing issues. For instance, the branch office routers can advertise BGP community for each application based on the preferred data center.
- The use of monitoring applications and technologies can lead to higher network and application availability. With VoIP, for instance, a combination of using BFD to monitor link failures, MPLS fast reroute to mitigate faults, and a voice quality monitoring application can provide optimal results.

Juniper's Advanced Routing Technology QoS

Organizations that are looking for increased application performance and bandwidth optimization can benefit from Juniper's quality-of-service solutions. Defining a QoS strategy requires two main elements: classification and prioritization.

Juniper provides two classification types:

- Behavior aggregate (BA) classifiers, where the forwarding class is based upon the packet's IP precedence, MPLS EXP, etc. These are called behavior aggregates because they aggregate multiple classifications. BA classifiers are normally used in the core of the network.
- Multifield (MF) classifiers, where the forwarding class and loss priority of a packet are based on one or more field values, such as the 5-tuple, in the packet. For instance, the source and destination IP address, source and destination TCP ports, or protocol can be used for classification. MF classifiers are normally used at the network edge.

Prioritization involves prioritizing network and application traffic according to levels of sensitivity and criticality. Multiple forwarding classes (queues) can be used to prioritize application traffic based on sensitivity to latency, jitter, or packet loss. Some sample settings are illustrated below:

Table 2: Sample of Four Classes or Queues, Along with Their Traffic Characteristics

| Forwarding Classes | Priority | Latency/Packet Delay Sensitivity | Jitter Sensitivity | Packet Loss Sensitivity | Sample Traffic |
|---|---|---|---|---|---|
| Network control | High | None | None | High | Routing Protocols |
| Expedited forwarding | Strict High* | Low | Low | Medium | VoIP |
| Assured forwarding | High | Medium | Medium | High | Business application virtual desktops |
| Best effort | Low | None | None | None | Other data |

*Queues with strict-high priority are serviced before high or low priority queues, as long as there are packets in the queue.

- Network control: Referring to traffic such as a routing protocol, this class is given high priority due to its high packet loss sensitivity.
- Expedited forwarding (EF): Provides low loss, latency, jitter, and assured bandwidth for end-to-end service.
- Assured forwarding (AF): Provides a group of services (e.g., AF1 through AF4), each with low, medium, or high drop probability. Data in AF classes are more sensitive to packet loss than data in the EF class.
- Best effort: Does not give any preference to queuing and forwarding during periods of congestion.

End-to-end QoS strategy

To enforce a successful QoS strategy, organizations must associate incoming traffic to forwarding classes based on priorities set on the packets by other parts of the network. For example, in the medium-to-large branch offices, the local switch performs the classification and the services gateway or secure router performs the enforcement. Branch office network devices should be able to carry QoS markings through the VPN tunnels and apply the policy across the entire deployment, thereby providing end-to-end QoS.

Best Practices and Tips QoS:

- TCP or UDP: The selection of forwarding classes and congestion control algorithms can be influenced by whether the traffic is TCP or UDP. TCP can be classified in the assured forwarding class, since TCP is more tolerant to packet loss due to TCP's retransmission and dynamic window sizing capabilities, which UDP does not have. UDP applications, such as voice for example, can be classified in the expedited forwarding class.
- Application criticality: Review applications for criticality, even within a given forwarding class. For instance, secure file transfers do not necessarily need to receive the same treatment as SNMP, even though both are assigned to the assured forwarding class.
- Maximum allowed bandwidth: Selected traffic can be limited to a certain percentage of the bandwidth to ensure fairness among the classes. For example, traffic can be limited to a certain amount of bandwidth once an estimated traffic ceiling has been established.

- Traffic bursts: Bandwidth allocation can factor in traffic bursts during specific time periods, such as a quarterly close.
- Trust domains: Determine whether an upstream switch or router will accept the priority settings from a downstream device. For instance, a downstream VoIP phone may set a high L2 priority that can either be ignored or accepted by an upstream switch before mapping the L2 priority to L3 priority.
- Interfacing with your service provider network: Identify the type of end-to-end QoS supported by your service provider. For example, support of short pipe tunneling will allow the transport of the customer's original priority setting unaltered across the service provider network so that remote sites can make decisions based on priority settings.

In designing the forwarding classes, the number of queues supported in the service provider network should be considered. For example, if only three classes can be supported in the service provider network vs. six in the enterprise network, enterprises must assess the impact on end-to-end QoS by combining multiple classes in the enterprise network to a few in the carrier network.

Shape multicast and unicast traffic to the bandwidth purchased from the carrier while ensuring that critical traffic isn't dropped.

[Figure 3: Example of financial institution with different QoS policies by path and application. The diagram shows a data center connected to HQ, retail banking, financial services, and investment banking.]

Figure 3 shows an example of multiple logical paths between a data center and the investment banking, retail banking, headquarters, and financial services of a large financial institution. Each of these paths, denoted by solid and dotted lines, can have different QoS requirements because they run different applications with various SLAs. To achieve the different QoS requirements, customers can configure forwarding class parameters as shown in the sample configuration below.

Table 3: Sample of Financial Institution Configuration for Four Forwarding Classes or Queues

| Forwarding Classes | Buffer Size | Transmit Rate | Priority |
|---|---|---|---|
| Network Control | 6% | 6% | High |
| Expedited Forwarding | 50 ms | 20% | Strict-high |
| Assured Forwarding | 40% | 40% | High |
| Best Effort | 40% | remainder | Low |

It is important to note that queues with strict-high priority are serviced before high or low priority queues, as long as there are packets in the queue. To prevent other queues from getting starved, the strict-high queue can be policed.

Network control classes have infrequent traffic, and therefore a buffer size and transmit rate of 6% are sufficient. Expedited forwarding classes have a very small queue size to avoid jitter and latency. The expedited forwarding queue is also serviced aggressively at a 20% transmit rate. Assured forwarding classes contain business critical traffic and are given a large bandwidth and transmit rate with a high priority service rate. The best-effort classes have 40% of the buffer space and the rest of the available bandwidth.
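The scheduler settings of Table 3, together with the edge classification that the trust-domain tip calls for, written as a Junos configuration. This is an added example, not configuration from the Juniper paper; the scheduler, scheduler-map and filter names, the interfaces ge-0/0/0 and ge-0/0/1, the subnets, the UDP port range and the queue numbering are all assumptions.

```junos
/* Added example: every name, interface, subnet and port range is an assumption. */
class-of-service {
    forwarding-classes {
        queue 0 best-effort;
        queue 1 expedited-forwarding;
        queue 2 assured-forwarding;
        queue 3 network-control;
    }
    schedulers {
        /* Routing protocols: infrequent traffic, small share, high priority. */
        nc-sched {
            transmit-rate percent 6;
            buffer-size percent 6;
            priority high;
        }
        /* Voice: 50 ms buffer (temporal value is in microseconds). rate-limit caps
           the strict-high queue at 20% so it cannot starve the other queues.
           Temporal ranges and rate-limit support are platform dependent. */
        ef-sched {
            transmit-rate percent 20 rate-limit;
            buffer-size temporal 50000;
            priority strict-high;
        }
        /* Business-critical applications. */
        af-sched {
            transmit-rate percent 40;
            buffer-size percent 40;
            priority high;
        }
        /* Everything else gets the leftover bandwidth. */
        be-sched {
            transmit-rate remainder;
            buffer-size percent 40;
            priority low;
        }
    }
    scheduler-maps {
        wan-sched-map {
            forwarding-class network-control scheduler nc-sched;
            forwarding-class expedited-forwarding scheduler ef-sched;
            forwarding-class assured-forwarding scheduler af-sched;
            forwarding-class best-effort scheduler be-sched;
        }
    }
    interfaces {
        /* WAN-facing interface (assumed name). */
        ge-0/0/0 {
            scheduler-map wan-sched-map;
        }
    }
}
firewall {
    family inet {
        /* Multifield classifier for an untrusted access port: the class is chosen
           from packet fields, so markings set by the downstream device are ignored. */
        filter edge-classify {
            term voice {
                from {
                    source-address {
                        10.10.20.0/24;
                    }
                    protocol udp;
                    destination-port 16384-32767;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            term business-apps {
                from {
                    destination-address {
                        10.20.0.0/16;
                    }
                    protocol tcp;
                }
                then {
                    forwarding-class assured-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            term default {
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                    accept;
                }
            }
        }
    }
}
interfaces {
    /* Branch-facing interface (assumed name) where the classifier is applied. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input edge-classify;
                }
            }
        }
    }
}
```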

MX Series routers provide the following QoS advantages:

- Line-rate performance with QoS and access control lists (ACLs) to guarantee application performance and security without degraded throughput
- Easy provisioning using configuration scripts for rapid rollout of QoS
- Built-in denial of service (DoS) protection for enhanced security
- Less than 20 µs high-performance queue latency provides low latency and jitter to applications
- Over 256,000 ACLs to provide granular control of traffic
- Over 128,000 hardware queues per chassis to provide ample room for controlling bandwidth

For further details, please refer to QoS on Juniper routers.

Juniper's Advanced Routing Technology Security

Today's security requirements have grown as an organization's interconnected network must support an increasing number of remote users that include suppliers, partners, customers, and employees at remote locations. Attacks have also grown in sophistication and frequency. Juniper offers several comprehensive security solutions that protect the WAN:

- Comprehensive Security: A comprehensive set of security features that include Web filtering, deep inspection, and intrusion detection and prevention (IDP).
- Juniper Networks Adaptive Threat Management Solutions: Provides solutions that constitute high-performance security platforms adaptable to ever changing security threats. Business benefits include proactive data protection, business continuity, and reduced TCO resulting from fewer network disruptions.
- VPNs: IPsec VPN and MPLS VPN that provide a logical separation of data and improve the privacy of data. These also offer a cost-effective alternative to expensive dedicated links to provide traffic separation.
[Figure 4: Example of a distributed enterprise with multiple layers of security. The diagram shows branch offices with MX Series midrange routers and SRX3600 gateways, a core of MX960 routers, and data centers with M120 routers, EX4200/EX4500 and QFX3500 switches, with Internet connections. MX Series midrange consists of the MX5, MX10, MX40, and MX80.]

Figure 4 depicts an enterprise network with many branch offices and data centers interconnected to the enterprise WAN. The branch offices are using Juniper Networks MX Series midrange routers (MX5, MX10, MX40, and MX80 3D Universal Edge Routers) to provide WAN and Internet connectivity, and the Juniper Networks SRX3600 Services Gateway to support virtual firewall functionality. The MX Series midrange routers provide high performance routing in a compact form factor and improve investment protection by enabling a seamless upgrade between models using software licensing. The enterprise branch has consolidated many disparate security devices into the SRX3600, using a L3VPN and virtual firewalls. Additionally, the MX Series offers Juniper Networks Multiservices DPC (MS-DPC) full slot modules to support firewall capability that is integrated into the router. The branch offices are connected using dual homed links to the enterprise WAN core.

The data center consists of a pair of Juniper Networks M120 Multiservice Edge Router devices designed for resiliency to provide WAN connectivity, along with Juniper Networks EX4500/EX4200 Ethernet Switches providing 10GbE access for servers, which act as access-layer switches connecting to the servers and network attached storage (NAS) in the data center. The diagram also shows Juniper Networks MX80 3D Universal Routers connected to the QFX3500 Ethernet Switches providing 10GbE access for servers. The QFX3500 provides high density, ultra low latency 10GbE access for Storage Area Networks (SANs), Fibre Channel (FC), Fibre Channel over Ethernet (FCoE) and High Speed Computing (HPC). The core of the network consists of four pairs of the MX960 3D Universal Edge Router, which (like the M120) have been designed for resiliency.

Best Practices and Tips Security:

- Ensure that untrusted VPNs pass through a firewall. Where possible, consolidate firewalls into a common path where traffic from multiple VPNs can be funneled.
- For MPLS VPN, associate VPNs to specific WAN networks to ensure that VPNs which must exist in multiple WANs can use efficient interconnections.

For further details on Juniper security, please refer to Security Literature.

Juniper's Advanced Routing Technology Multicast

Organizations are deploying many services like video on demand that add a large amount of traffic onto the WAN. Using multicast services can dramatically improve the efficiency of that traffic distribution. Juniper offers a range of multicast services that are suitable for MPLS or non-MPLS networks.

For MPLS-based WANs, organizations can use MPLS-based point-to-multipoint (P2MP) services that optimize next-generation MVPNs (NG MVPNs). NG MVPNs improve scalability by intelligently leveraging adjacencies that exist in the MPLS network, and this eliminates the need for every router to maintain separate adjacency information with every other router that participates in the MVPN. NG MVPN benefits enterprises by eliminating the need to run a multicast routing protocol over the service provider network. The benefits of NG MVPN are:

- Bandwidth reservation guarantees sufficient bandwidth for mission critical applications
- MPLS fast reroute allows quick detection of path failure and rapid reroute to alternate paths, in less than 50 ms
- Deterministic routing permits the ability to precisely control paths the data will follow, in order to create redundant paths from source to destination and thereby ensure resiliency in case of failure or performance degradation

Best Practices and Tips Multicast:

It is recommended that enterprise network architects consider the following in running a multicast network:

- The number of multicast groups that can be supported per VPN is usually limited when using carrier networks. Thus, to reduce costs, VPNs that require a large number of multicast groups can be designed to run on a private MPLS cloud rather than on a service provider network.
- The number of Rendezvous Points (RP) is limited per VPN and geographical location; therefore care must be taken in designing the optimal location for the RP and the multicast sources that are handled by the RP.
- Juniper offers many multicast signalling protocols such as Protocol Independent Multicast-Sparse Mode (PIM-SM), Protocol Independent Multicast-Dense Mode (PIM-DM), Protocol Independent Multicast-Source Specific Mode (PIM-SSM), and Bidirectional PIM.

For further information, please refer to Multicast Best Practices.

Automate Ease of Management

To simplify network provisioning, monitoring, and maintenance, several management tools are recommended to reduce network downtime, minimize human error, and accelerate service deployment:

- Juniper Networks Junos Space Ethernet Design: Provides best practice service definition such as port security, QoS, spanning tree, etc., to plan, simulate, model, and diagnose issues in the network.
- Juniper Networks Junos Space Network Activate: Provides best practice service definition for ELINE, ELAN and ETREE services to quickly, accurately, and easily provision VPNs.
- Juniper Networks Junos Space Route Insight: Provides a tool to easily plan, simulate, model, and diagnose issues in the MPLS network.

Junos Space Tool: Ethernet Design. Benefit: Speed up operations. Function: Rapidly provision large collection of switches; simplify configuration.
Junos Space Tool: Network Activate. Benefit: Scale service deployment. Function: Rapidly provision VPNs; automates network resource management.
Junos Space Tool: Route Insight. Benefit: Simplify operations. Function: Rapidly diagnose MPLS network problems; simulate network changes.

Figure 5: Ethernet Design, Network Activate, and Route Insight, Juniper's key management automation tools

In addition to network management tools, network architects can also benefit from using powerful Junos OS scripts that can help network engineers simplify and automate tasks. The following script types are available:

- Configuration scripts: Configuration scripts are ideal for organizations that frequently change QoS policies that need to be propagated to many routers. These scripts also ensure adherence to corporate network guidelines.
- Operation scripts: Organizations that want to simplify a series of iterative commands can benefit from creating a custom command using an operation script. Enterprises can also create commands customized for specific solutions. These scripts reduce the risk of misconfiguration and improve productivity.
- Event scripts: Organizations can use event scripts to automate configuration changes in response to specific events. For example, security can be enhanced by using event scripts to control access to user accounts based on the employee's shift time.
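The shift-based access control mentioned for event scripts comes down to a time-window decision. The following Python example is added here; it is not a Junos event script and not Juniper's code. The schedule, user names, and login records are constructed, and it models only the decision logic: deny by default, and handle shifts that cross midnight.

```python
from datetime import datetime, time

# Constructed shift schedule (assumption): user -> (shift start, shift end), local time.
SHIFTS = {
    "alice": (time(8, 0), time(16, 0)),   # day shift
    "bob": (time(22, 0), time(6, 0)),     # night shift, crosses midnight
}

# Constructed login records (assumption): "ISO-timestamp user source-address".
LOGINS = """\
2011-03-01T09:15:00 alice 192.0.2.10
2011-03-01T23:40:00 bob 192.0.2.11
2011-03-02T02:05:00 alice 192.0.2.10
2011-03-02T05:59:00 bob 192.0.2.11
2011-03-02T06:00:00 bob 192.0.2.11
2011-03-02T12:00:00 mallory 192.0.2.99
"""


def in_shift(start, end, t):
    """True if time t falls in [start, end), including windows that wrap past midnight."""
    if start <= end:
        return start <= t < end
    # Overnight window, for example 22:00 -> 06:00.
    return t >= start or t < end


def access_allowed(user, when, shifts=SHIFTS):
    """Deny by default: a user with no schedule entry is never allowed."""
    window = shifts.get(user)
    if window is None:
        return False
    return in_shift(window[0], window[1], when.time())


def off_shift_logins(log_text, shifts=SHIFTS):
    """Return (timestamp, user, source) for every login outside the user's shift."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than guessing at fields
        stamp, user, source = parts
        when = datetime.fromisoformat(stamp)
        if not access_allowed(user, when, shifts):
            findings.append((stamp, user, source))
    return findings


if __name__ == "__main__":
    for stamp, user, source in off_shift_logins(LOGINS):
        print(f"off-shift login: {user} from {source} at {stamp}")
```

The end of a shift is treated as exclusive, so a login at exactly 06:00 for a 22:00 to 06:00 shift is flagged.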

Use Cases

The following sections highlight WAN use cases:

- Enterprise WAN
  - Private MPLS across a public service provider network
  - Private MPLS cloud
  - Public network
- Data center to data center interconnectivity, with Layer 2 stretch
- WAN aggregation
- Internet edge

The MX Series uniquely addresses enterprise network needs in a single platform based on simplicity:

- Massive upgradeability from 20 Gbps to 2.6 Tbps for a variety of application needs
- Range of interface speeds (10/100/1000M, 10GbE, OC3, OC12, OC48, DS3) for different WAN interconnects
- Massive scalability in Layer 2 and Layer 3 and advanced virtualization
- Traffic engineering and MPLS based resiliency for superior application performance
- Dynamic GRE that simplifies provisioning of GRE tunnels
- Carrier class reliability
- Uncompromised performance for QoS and services
- Pay-as-you-grow and dynamic scale elasticity (MX5 -> MX10 -> MX40 -> MX80) to adapt the network as business needs change:
  - Capacity: 20 Gbps -> 40 Gbps -> 60 Gbps -> 80 Gbps, with optional software license
  - Ethernet: 10/100 -> 1GbE -> 10GbE
  - Non-Ethernet: OC3 -> OC12 -> OC48

Use Case: Enterprise WAN Private MPLS Across a Public Service Provider Network

Figure 6: IPsec encrypted MPLS traffic tunneled using GRE to a provider router for transport over service provider L3VPN

Figure 6 depicts an enterprise running MPLS across a service provider L3VPN network. In this scenario, the enterprise has two locations (A and B) that are sending traffic to each other. Site B is also sending traffic to Site C. The MPLS traffic from Site A is sent via generic routing encapsulation (GRE) tunnels to Site C and tunneled using the service provider's MPLS network. Likewise, the MPLS traffic from Site B to Site C is encrypted using IPsec and tunneled using GRE to Site C through the service provider MPLS transport. The traffic at Carrier Router 3 for Site C is then handed off using GRE tunnels to the customer premises equipment (CPE), where it is decrypted and sent over the organization's MPLS network.

Enterprises choose VPN services offered by service providers for a variety of reasons. Some of the most common reasons are cost and simplicity. Additionally, enterprises can choose between managed services and unmanaged services. Many enterprises choose a managed CPE to reduce the cost of managing equipment. Unmanaged CPE is popular with enterprises that have the necessary resources and the desire to have control over the network on their premises.

Customer Example: A Centralized Manufacturer

The manufacturer performs most of the computations in its data center and is looking for a basic method for transporting data on the WAN.

WAN design requirements:

- Low cost transportation of noncritical MPLS data between offices
- Resiliency needed to protect VoIP traffic
- Minimal enterprise resources for management of the network

Proposed WAN solution:

The manufacturer chooses a service provider's L3VPN service (unmanaged) for its WAN connectivity. The unmanaged service has a CPE device that either runs BGP to the carrier router to advertise routes, or has static routes configured to send all traffic to the provider router. The enterprise can also encrypt all traffic leaving the CPE and tunnel these transmissions using GRE to the provider router. To connect the enterprise to the provider router, the enterprise may choose inexpensive cable or DSL connectivity instead of expensive fiber. The enterprise needs to guarantee resiliency, and ensure that the VoIP traffic is protected in case of failures in WAN connectivity. It may also decide to have a backup connection to the Internet.

Use Case: Enterprise WAN Private MPLS Cloud

Many enterprises use a private cloud of Ethernet links that run private MPLS to achieve maximum control over performance and latency. The resulting cloud is called the super core. The super core gives the enterprise greater control over critical metrics such as latency and resiliency.

Benefits:

- Greater control over network latency by controlling SLA and directing low priority traffic over suboptimal paths.
- MPLS fast reroute provides improved resiliency.
- Logical separation, instead of physical separation, of data provides improved cost savings.

Private MPLS Cloud: Some Benefits of Simplification (Before and After)

Figures 7 and 8 illustrate the before case (an example of a real customer impacted by rapid organic business growth) and the after case (the benefits of WAN simplification). This customer previously used application dedicated L2 and L3 inter data center links. Over time, this practice resulted in over 30 dedicated 10GbE links, with only 1% utilization per link.

Figure 7: Before Case: Real example of legacy WAN using 30 dedicated links per application to interconnect data centers, with only 1% average utilization

In contrast, deploying Juniper Networks devices, Junos OS, and network virtualization provides simplicity and improved network utilization with the flexibility needed to expand the network easily for future growth. With Juniper's enterprise WAN solution (as shown in Figure 8), the private MPLS cloud replaces dedicated link interconnectivity between the different entities using label-switched paths (LSPs) that can be set up on demand. Business continuity is maintained using MPLS fast reroute, while custom application bandwidth is maintained using traffic engineering. Significant CapEx and OpEx savings are achieved, while improving privacy and security using logical MPLS separation.

Figure 8: After Case: Real deployment using Juniper's simplified WAN design using network virtualization eliminates application dedicated links
(Diagram labels: No dedicated links; 100% improvement in utilization. Applications engineered into LSPs across MPLS core. Critical applications protected by fast reroute detour paths and secondary LSPs.)

In this example, the key principles of Juniper's simplified WAN design were based on:

- Simplicity: eliminating application dedicated links
- Sharing: applications shared yet maintaining logical separation
- Security: separating resources and easily directing traffic to centralized and virtualized firewalls
- Manageability: through automation tools in the form of scripts that help in self monitoring, self diagnosing, and self healing capabilities, along with several network management tools that help with easy provisioning, monitoring, and troubleshooting the network

Customer Example: A Utility Enterprise

A large utility needs to interconnect multiple data centers, and it owns the right of way in many locations between the data centers.

WAN design requirements:

- Transport critical delay sensitive data between data centers
- Provide high resiliency for business critical data
- Maintain traffic separation between critical data and noncritical data for regulatory compliance
- Prevent noncritical data from overwhelming mission critical data

Proposed WAN solution:

The utility deploys an MPLS super core that interconnects the data centers and can choose between a managed or an unmanaged service.

Use Case: Data Center to Data Center Interconnectivity with L2 Stretch

Enterprises frequently deploy collocated data centers for reasons like disaster recovery. These data centers run many applications such as virtual machines that require Layer 2 stretch.

Figure 9: Inter data center connectivity over MPLS core

Figure 9 depicts two data centers (Data Center 1 and Data Center 2) connected over an MPLS core. The data centers house virtual machines (VM1 and VM2) and a database (DB1). The data centers have Juniper Networks EX Series Ethernet Switches in the access layer and MX Series routers in the core and WAN edge layers. The Layer 3 boundary is at the core layer and is indicated by the service edge boundary. This implies that VLANs from the access-layer switches are mapped into corresponding VRFs. Thus, specific VLANs can be mapped into corresponding virtual private LAN service (VPLS) paths.

Addressing Suboptimal Routing Resulting From vMotion

1. Egress Routing: When a VM moves from Data Center 1 to Data Center 2, it refers to the Data Center 1 gateway. Egress traffic from the VM therefore traverses the inter-data center link, from Data Center 2 to Data Center 1, before egressing to the WAN from Data Center 1, resulting in suboptimal egress routing.

Proposed solution: To ensure that the traffic from the VM is optimally routed in the egress direction, configure a VRRP group, with the same VID, that spans the two data center gateways and set up a firewall filter for the VRRP hello packets between the routers in the VRRP group. Each router in the VRRP group will behave as active because the other router will be considered inactive. The VM traffic will therefore be routed from the Data Center 2 gateway instead of being forwarded to the gateway in Data Center 1, thereby ensuring optimal egress routing. Note that if the two gateways are in different VRRP groups (i.e., different virtual MAC addresses), then the VM will time out its ARP entry and relearn the new gateway MAC addresses, which is undesirable.

2. Ingress Routing: The traffic destined for the VM, from the WAN, will also arrive at Data Center 1 and traverse the inter-data center link before reaching the VM that has just moved to Data Center 2.

Proposed solution: The /32 address of the VM can be advertised to the external world, thereby ensuring that all ingress traffic will arrive directly at the new location of the VM (i.e., Data Center 2) instead of traversing the inter-data center link. One caveat for enterprises advertising the IP addresses on carrier networks is that carriers often limit the subnet mask to /24 and may not allow a /32 to be advertised. If a stateful firewall exists in Data Center 1, then the only way to address suboptimal routing is to terminate the client sessions (TCP sessions) and re-establish them with Data Center 2. This is because the firewall states pertaining to the VM that are maintained in Data Center 1 are not migrated to Data Center 2.

Customer Example: Enterprise Private Cloud

A bank has deployed a private cloud of virtual desktop machines to improve the productivity of its financial advisors. To ensure that the virtual desktops are available 24x7, the bank has created a collocated data center and requires data to be mirrored between the two data centers.

WAN requirements:

- Cost effectively migrate data between the two data centers
- Provide L2 connectivity, on demand, for some of the data migration
- Provide resiliency for data traffic between the data centers

Proposed solutions:

VPLS paths are set up between the two MX Series devices in the collocated data centers. The VPLS can be set up so that it only transports traffic on specific VLANs. Thus, only specific hypervisors need to be migrated and need to be part of the VPLS domain, and all other traffic remains unaffected. VPLS not only emulates an L2 switch in the WAN but also runs on a private MPLS core. Private MPLS lets the bank take advantage of advanced routing features such as traffic engineering. Traffic engineering allows the bank to optimally allocate bandwidth for the different departments without the need for dedicated L2 links.

Benefits:

- Improved cost savings by using an MPLS cloud to interconnect data centers
- Rapid provisioning of MPLS paths between the data centers, on demand
- Cost-effective resiliency by using MPLS paths rather than physically separated interconnections
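The ingress-routing fix described above, and its carrier caveat, can be checked with a longest-prefix-match model. This Python example is added here and is not from Juniper's document; the 198.51.100.0/24 addressing, the use of site names as route targets, and the carrier policy expressed as a maximum prefix length are assumptions for illustration.

```python
import ipaddress

# Constructed addressing (assumption): documentation prefix for the stretched VLAN.
VM_SUBNET = ipaddress.ip_network("198.51.100.0/24")
VM_HOST = ipaddress.ip_network("198.51.100.10/32")  # VM that moved to Data Center 2

# What the enterprise would like to advertise after the VM has moved.
ADVERTISEMENTS = [
    (VM_SUBNET, "Data Center 1"),  # original subnet advertisement
    (VM_HOST, "Data Center 2"),    # host route added for the moved VM
]


def carrier_accepts(prefix, max_len):
    """Model a carrier policy that rejects prefixes longer than max_len."""
    return prefix.prefixlen <= max_len


def build_table(advertisements, max_len):
    """Keep only the (prefix, site) advertisements the carrier accepts."""
    return [(p, site) for p, site in advertisements if carrier_accepts(p, max_len)]


def ingress_site(table, destination):
    """Longest-prefix match: the site that attracts WAN traffic, or None."""
    dest = ipaddress.ip_address(destination)
    matches = [(p, site) for p, site in table if dest in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def crosses_interconnect(table, destination, vm_location):
    """True when WAN traffic lands in one data center but the VM is in the other."""
    site = ingress_site(table, destination)
    return site is not None and site != vm_location


if __name__ == "__main__":
    for max_len in (32, 24):
        table = build_table(ADVERTISEMENTS, max_len)
        site = ingress_site(table, "198.51.100.10")
        detour = crosses_interconnect(table, "198.51.100.10", "Data Center 2")
        print(f"carrier max /{max_len}: ingress at {site}, "
              f"inter-data center detour: {detour}")
```

When the carrier accepts the /32, traffic for the moved VM enters at Data Center 2 while the rest of the subnet still enters at Data Center 1; when the carrier caps prefixes at /24, the host route is dropped and the detour over the inter-data center link remains.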

VPLS over GRE:

Enterprises that have only an IP core, and no MPLS core, to transport VPLS traffic can run VPLS traffic over GRE tunnels.

Fragmentation of GRE frames: When GRE is used to transport MPLS packets over an Ethernet-based transport network, the transport network often supports a maximum transmission unit (MTU) of 1,500 bytes. Because of the overhead required to encapsulate MPLS packets in GRE, it is possible for the encapsulated packet size to exceed the minimum MTU of the network. The solution is to either fragment the packets before encapsulating them in GRE frames or to fragment after addition of the GRE headers. Since L2 data cannot be fragmented before encapsulation in the MPLS/GRE header, the packet must be fragmented after encapsulation in GRE frames. GRE tunnels are supported on Juniper Networks M Series Multiservice Edge Routers with the ASP tunnel module. It is recommended that path MTU discovery be enabled in Juniper routers to identify the minimum MTU along the entire path. Such a setting will avoid needless fragmentation of packets. The maximum Ethernet frame size beyond which fragmentation is necessary for transport on an Ethernet network is 1448 bytes.

Use Case: WAN Aggregation

WAN aggregation consolidates multiple networks such as campus, branch, data center, etc., onto the enterprise WAN network. The WAN aggregation devices must be scalable, support a range of interfaces (such as T1, T3, SONET that may carry ATM, Frame Relay), as well as a variety of services (such as MPLS, IP routing, etc.).

Figure 10: WAN aggregation of remote branch offices using WAN aggregation routers

Figure 10 depicts two branch offices that are connected to the public WAN (carrier provided) or the private WAN (enterprise owned). The branch offices have branch routers that are dual homed, for resiliency, to two aggregation routers. The WAN aggregation devices include two MX Series or M Series routers. The two WAN aggregation devices will be in separate autonomous systems (for example, AS1 and AS2) so as to keep the routing separate. The branch routers are mapped to the aggregation routers either using static routes or using EBGP. Enterprises that require enhanced resiliency use two providers for the WAN aggregation, i.e., AS1 will belong to provider 1 and AS2 will belong to provider 2. The redundancy will ensure that the enterprise WAN is not affected by any one provider failure. Note that larger branches use dual (redundant) branch routers for greater reliability, as shown in the following example.


More information

ICTTEN6172A Design and configure an IP- MPLS network with virtual private network tunnelling

ICTTEN6172A Design and configure an IP- MPLS network with virtual private network tunnelling ICTTEN6172A Design and configure an IP- MPLS network with virtual private network tunnelling Release: 1 ICTTEN6172A Design and configure an IP-MPLS network with virtual private network tunnelling Modification

More information

JUNIPER NETWORKS ENTERPRISE WAN SOLUTION ARCHITECTURE

JUNIPER NETWORKS ENTERPRISE WAN SOLUTION ARCHITECTURE Reference Architecture JUNIPER NETWORKS WAN SOLUTION ARCHITECTURE An Enterprise WAN Solution Focusing on WAN Aggregation of Large Enterprise Regional s Copyright 2014, Juniper Networks, Inc. 1 Table of

More information

How To Get More Bandwidth From Your Business Network

How To Get More Bandwidth From Your Business Network Choosing Ethernet Services IS ETHERNET THE RIGHT CHOICE FOR YOUR NETWORK? Business Ethernet Including Ethernet over Copper (EoC) and Ethernet over Digital Signal Cross-connect (EoDSx) Delivers Cost- Effective,

More information

Simplifying the Data Center Network to Reduce Complexity and Improve Performance

Simplifying the Data Center Network to Reduce Complexity and Improve Performance SOLUTION BRIEF Juniper Networks 3-2-1 Data Center Network Simplifying the Data Center Network to Reduce Complexity and Improve Performance Challenge Escalating traffic levels, increasing numbers of applications,

More information

"Charting the Course... ... to Your Success!" QOS - Implementing Cisco Quality of Service 2.5 Course Summary

Charting the Course... ... to Your Success! QOS - Implementing Cisco Quality of Service 2.5 Course Summary Course Summary Description Implementing Cisco Quality of Service (QOS) v2.5 provides learners with in-depth knowledge of QoS requirements, conceptual models such as best effort, IntServ, and DiffServ,

More information

Mastering Network Design with MPLS

Mastering Network Design with MPLS Mastering Network Design with MPLS Overview In this paper, enterprise CIOs, IT&T professionals and network architects will learn how to improve productivity and security by designing multi-location Virtual

More information

Primary Data Center. Remote Data Center Plans (COOP), Business Continuity (BC), Disaster Recovery (DR), and data

Primary Data Center. Remote Data Center Plans (COOP), Business Continuity (BC), Disaster Recovery (DR), and data White Paper Storage Extension Network Solutions Between Data Centers Simplified, Low Cost, Networks for Storage Replication, Business Continuity and Disaster Recovery TODAY S OPERATING CLIMATE DEMANDS

More information

Rohde & Schwarz R&S SITLine ETH VLAN Encryption Device Functionality & Performance Tests

Rohde & Schwarz R&S SITLine ETH VLAN Encryption Device Functionality & Performance Tests Rohde & Schwarz R&S Encryption Device Functionality & Performance Tests Introduction Following to our test of the Rohde & Schwarz ETH encryption device in April 28 the European Advanced Networking Test

More information

COMPREHENSIVE MPLS VPN SOLUTIONS

COMPREHENSIVE MPLS VPN SOLUTIONS SOLUTION BRIEF COMPREHENSIVE MPLS VPN SOLUTIONS Meeting the Needs of Emerging Services with Innovative Technology Challenge Meeting the dynamic requirements of rapidly growing, worldwide VPN markets Solution

More information

The Keys for Campus Networking: Integration, Integration, and Integration

The Keys for Campus Networking: Integration, Integration, and Integration The Keys for Campus Networking: Introduction Internet Protocol (IP) is considered the working-horse that the vast majority of current and future applications use as the key technology for information exchange,

More information

Simplify the Data Center with Junos Fusion

Simplify the Data Center with Junos Fusion Simplify the Data Center with Junos Fusion Juniper Networks Fabric Technology 1 Table of Contents Executive Summary... 3 Introduction: Network Challenges in the Data Center... 3 Introducing Juniper Networks

More information

SingTel MPLS. The Great Multi Protocol Label Switching (MPLS) Migration

SingTel MPLS. The Great Multi Protocol Label Switching (MPLS) Migration SingTel MPLS The Great Multi Protocol Label Switching (MPLS) Migration SingTel MPLS The Great MPLS Migration There are now a variety of alternatives when it comes to connecting multiple sites with WAN

More information

ethernet services for multi-site connectivity security, performance, ip transparency

ethernet services for multi-site connectivity security, performance, ip transparency ethernet services for multi-site connectivity security, performance, ip transparency INTRODUCTION Interconnecting three or more sites across a metro or wide area network has traditionally been accomplished

More information

IMPLEMENTING CISCO QUALITY OF SERVICE V2.5 (QOS)

IMPLEMENTING CISCO QUALITY OF SERVICE V2.5 (QOS) IMPLEMENTING CISCO QUALITY OF SERVICE V2.5 (QOS) COURSE OVERVIEW: Implementing Cisco Quality of Service (QOS) v2.5 provides learners with in-depth knowledge of QoS requirements, conceptual models such

More information

Multi-protocol Label Switching

Multi-protocol Label Switching An INS White Paper Multi-protocol Label Switching An economic way to deliver integrated voice, video and data traffic March 2013 Run your business on one network Multi-protocol Label Switching (MPLS) is

More information

IVCi s IntelliNet SM Network

IVCi s IntelliNet SM Network IVCi s IntelliNet SM Network Technical White Paper Introduction...2 Overview...2 A True ATM Solution End to End...2 The Power of a Switched Network...2 Data Throughput:...3 Improved Security:...3 Class

More information

VXLAN: Scaling Data Center Capacity. White Paper

VXLAN: Scaling Data Center Capacity. White Paper VXLAN: Scaling Data Center Capacity White Paper Virtual Extensible LAN (VXLAN) Overview This document provides an overview of how VXLAN works. It also provides criteria to help determine when and where

More information

Ethernet Wide Area Networking, Routers or Switches and Making the Right Choice

Ethernet Wide Area Networking, Routers or Switches and Making the Right Choice Ethernet Wide Area Networking, Routers or Switches and Making the Right Choice The Road To Ethernet WAN Various industry sources show trends in globalization and distribution, of employees moving towards

More information

Solution Brief. Migrating to Next Generation WANs. Secure, Virtualized Solutions with IPSec and MPLS

Solution Brief. Migrating to Next Generation WANs. Secure, Virtualized Solutions with IPSec and MPLS Solution Brief Migrating to Next Generation WANs Secure, Virtualized Solutions with IPSec and MPLS Migrating to Next Generation WANs Page 2 Migration Drivers for Ethernet and Virtual Private Networking

More information

Technology Overview. Class of Service Overview. Published: 2014-01-10. Copyright 2014, Juniper Networks, Inc.

Technology Overview. Class of Service Overview. Published: 2014-01-10. Copyright 2014, Juniper Networks, Inc. Technology Overview Class of Service Overview Published: 2014-01-10 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks, Junos,

More information

Designing and Developing Scalable IP Networks

Designing and Developing Scalable IP Networks Designing and Developing Scalable IP Networks Guy Davies Telindus, UK John Wiley & Sons, Ltd Contents List of Figures List of Tables About the Author Acknowledgements Abbreviations Introduction xi xiii

More information

How Proactive Business Continuity Can Protect and Grow Your Business. A CenturyLink White Paper

How Proactive Business Continuity Can Protect and Grow Your Business. A CenturyLink White Paper How Proactive Business Continuity Can Protect and Grow Your Business For most companies, business continuity planning is instantly equated with disaster recovery the reactive ability of a business to continue

More information

ENTERPRISE CONNECTIVITY

ENTERPRISE CONNECTIVITY ENTERPRISE CONNECTIVITY IP Services for Business, Governmental & Non-Governmental Organizations The success of today s organizations and enterprises highly depends on reliable and secure connectivity.

More information

AT&T Switched Ethernet Service SM

AT&T Switched Ethernet Service SM AT&T Switched Ethernet Service SM Next Generation of Switched Ethernet Overview Version Contents Introduction: AT&T Carrier Ethernet and Industry Recognition What s New vs. Legacy OPT-E-MAN Service or

More information

Making the Case for Satellite: Ensuring Business Continuity and Beyond. July 2008

Making the Case for Satellite: Ensuring Business Continuity and Beyond. July 2008 Making the Case for Satellite: Ensuring Business Continuity and Beyond July 2008 Ensuring Business Continuity and Beyond Ensuring business continuity is a major concern of any company in today s technology

More information

SSVVP SIP School VVoIP Professional Certification

SSVVP SIP School VVoIP Professional Certification SSVVP SIP School VVoIP Professional Certification Exam Objectives The SSVVP exam is designed to test your skills and knowledge on the basics of Networking, Voice over IP and Video over IP. Everything that

More information

Building Tomorrow s Data Center Network Today

Building Tomorrow s Data Center Network Today WHITE PAPER www.brocade.com IP Network Building Tomorrow s Data Center Network Today offers data center network solutions that provide open choice and high efficiency at a low total cost of ownership,

More information

Introduction to MPLS-based VPNs

Introduction to MPLS-based VPNs Introduction to MPLS-based VPNs Ferit Yegenoglu, Ph.D. ISOCORE ferit@isocore.com Outline Introduction BGP/MPLS VPNs Network Architecture Overview Main Features of BGP/MPLS VPNs Required Protocol Extensions

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

IP/MPLS-Based VPNs Layer-3 vs. Layer-2

IP/MPLS-Based VPNs Layer-3 vs. Layer-2 Table of Contents 1. Objective... 3 2. Target Audience... 3 3. Pre-Requisites... 3 4. Introduction...3 5. MPLS Layer-3 VPNs... 4 6. MPLS Layer-2 VPNs... 7 6.1. Point-to-Point Connectivity... 8 6.2. Multi-Point

More information

GR2000: a Gigabit Router for a Guaranteed Network

GR2000: a Gigabit Router for a Guaranteed Network Hitachi Review Vol. 48 (1999), No. 4 203 GR2000: a Gigabit Router for a Guaranteed Network Kazuo Sugai Yoshihito Sako Takeshi Aimoto OVERVIEW: Driven by the progress of the information society, corporate

More information

Enabling Solutions in Cloud Infrastructure and for Network Functions Virtualization

Enabling Solutions in Cloud Infrastructure and for Network Functions Virtualization Enabling Solutions in Cloud Infrastructure and for Network Functions Virtualization Gateway Use Cases for Virtual Networks with MX Series Routers 1 Table of Contents Executive Summary... 3 Introduction...4

More information

EVOLVED DATA CENTER ARCHITECTURE

EVOLVED DATA CENTER ARCHITECTURE EVOLVED DATA CENTER ARCHITECTURE A SIMPLE, OPEN, AND SMART NETWORK FOR THE DATA CENTER DAVID NOGUER BAU HEAD OF SP SOLUTIONS MARKETING JUNIPER NETWORKS @dnoguer @JuniperNetworks 1 Copyright 2014 Juniper

More information

Virtual Private LAN Service (VPLS)

Virtual Private LAN Service (VPLS) White Paper Virtual Private LAN Service (VPLS) Scalable Ethernet-Based Enterprise Connectivity and Broadband Delivery Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408.745.2000

More information

Optimizing Networks for NASPI

Optimizing Networks for NASPI Optimizing Networks for NASPI Scott Pelton, CISSP National Director AT&T Enterprise Network Architecture Center 2008 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks

More information

Session Border Controllers in Enterprise

Session Border Controllers in Enterprise A Light Reading Webinar Session Border Controllers in Enterprise Thursday, October 7, 2010 Hosted by Jim Hodges Senior Analyst Heavy Reading Sponsored by: Speakers Natasha Tamaskar VP Product Marketing

More information

Data Center Networking Designing Today s Data Center

Data Center Networking Designing Today s Data Center Data Center Networking Designing Today s Data Center There is nothing more important than our customers. Data Center Networking Designing Today s Data Center Executive Summary Demand for application availability

More information

NEC s Juniper Technology Brief Issue 2

NEC s Juniper Technology Brief Issue 2 NEC s Juniper Technology Brief Issue 2 Inside This Issue: Juniper s New SPACE Solutions, Datacentre, Services and Switches Product Releases For further information email info@nec.co.nz or visit www.nec.co.nz

More information

MITEL. NetSolutions. Flat Rate MPLS VPN

MITEL. NetSolutions. Flat Rate MPLS VPN MITEL NetSolutions Flat Rate MPLS VPN A Comprehensive, Intelligent Network-based Solution Businesses today demand an ever-evolving list of requirements of their networks. From connecting branch locations

More information

How To Use The Cisco Wide Area Application Services (Waas) Network Module

How To Use The Cisco Wide Area Application Services (Waas) Network Module Cisco Wide Area Application Services (WAAS) Network Module The Cisco Wide Area Application Services (WAAS) Network Module for the Cisco Integrated Services Routers (ISR) is a powerful WAN optimization

More information

Enhancing Cisco Networks with Gigamon // White Paper

Enhancing Cisco Networks with Gigamon // White Paper Across the globe, many companies choose a Cisco switching architecture to service their physical and virtual networks for enterprise and data center operations. When implementing a large-scale Cisco network,

More information

Alcatel-Lucent 1665 Data Multiplexer (DMX) for Service Providers

Alcatel-Lucent 1665 Data Multiplexer (DMX) for Service Providers Alcatel-Lucent 1665 Data Multiplexer (DMX) for Service Providers Bridges the bandwidth gap between LANs and core backbone networks. Offers multiservice growth from traditional voice/private line services

More information

Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic.

Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic. Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic. A Network and Data Link Layer infrastructure Design to Improve QoS in Voice and video Traffic Jesús Arturo Pérez,

More information

Quidway MPLS VPN Solution for Financial Networks

Quidway MPLS VPN Solution for Financial Networks Quidway MPLS VPN Solution for Financial Networks Using a uniform computer network to provide various value-added services is a new trend of the application systems of large banks. Transplanting traditional

More information

Business Services. Is Ethernet the Right Choice for Your Network? Learn More: Call us at 877.634.2728. www.megapath.com

Business Services. Is Ethernet the Right Choice for Your Network? Learn More: Call us at 877.634.2728. www.megapath.com Business Services Is Ethernet the Right Choice for Your Network? Learn More: Call us at 877.634.2728. www.megapath.com Is Ethernet the Right Choice for Your Network? Business Ethernet including Ethernet

More information

Virtual Private LAN Service

Virtual Private LAN Service Virtual Private LAN Service Authors Kireeti Kompella, Juniper Networks, 1194 N Mathilda Avenue, Sunnyvale, CA 94089, USA E-mail : kireeti@juniper.net Jean-Marc Uzé, Juniper Networks, Espace 21, 31 Place

More information

SummitStack in the Data Center

SummitStack in the Data Center SummitStack in the Data Center Abstract: This white paper describes the challenges in the virtualized server environment and the solution Extreme Networks offers a highly virtualized, centrally manageable

More information

Master Course Computer Networks IN2097

Master Course Computer Networks IN2097 Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU München Master Course Computer Networks IN2097 Prof. Dr.-Ing. Georg Carle Christian Grothoff, Ph.D. Chair for

More information