Table of Contents
Introduction
Scope
Target Audience
Industry Trends Influencing WAN Design
WAN Design Considerations
Juniper’s Advanced Routing Technology—Solution Profile Overview
Juniper’s Advanced Routing Technology—Virtualization
Juniper’s Advanced Routing Technology—High Availability
Best Practices and Tips—HA
Juniper’s Advanced Routing Technology—QoS
Best Practices and Tips—QoS
Juniper’s Advanced Routing Technology—Security
Best Practices and Tips—Security
Juniper’s Advanced Routing Technology—Multicast
Best Practices and Tips—Multicast
Automate—Ease of Management
Use Cases
Use Case: Enterprise WAN—Private MPLS Across a Public Service Provider Network
Use Case: Enterprise WAN—Private MPLS Cloud
Private MPLS Cloud: Some Benefits of Simplification (Before and After)
Use Case: Data Center to Data Center Interconnectivity with L2 Stretch
VPLS over GRE
Use Case: WAN Aggregation
Use Case: Internet Edge
Case 1: Corporate Internet Access Through Enterprise WAN
Case 2: Internet Edge Backup Connectivity
Conclusion
References
About Juniper Networks
Table of Figures
Figure 1: Summary of advanced routing technologies that simplify, share, secure, and automate the WAN
Figure 2: Complementary virtualization technologies from Juniper
Figure 3: Example of financial institution with different QoS policies by path and application
Figure 4: Example of a distributed enterprise with multiple layers of security
Figure 5: Ethernet Design, Network Activate, and Route Insight—Juniper’s key management automation tools
Figure 6: IPsec encrypted MPLS traffic tunneled using GRE to a provider router for transport over service provider L3VPN
Figure 7: Before case: Real example of legacy WAN using 30 dedicated links per application to interconnect data centers, with only 1% average utilization
Figure 8: After case: Real deployment using Juniper’s simplified WAN design using network virtualization eliminates application-dedicated links
Figure 9: Inter data center connectivity over MPLS core
Figure 10: WAN aggregation of remote branch offices using WAN aggregation routers
Figure 11: Internet edge access through headquarters carried through the enterprise WAN
Figure 12: Internet edge providing backup connectivity to the enterprise WAN
Introduction
Juniper Networks’ approach to WAN design is based on four fundamental design principles that help customers design
a simplified architecture:
• Simplify the network, by reducing the number of required network devices, links, and inherent complexity
Many organizations have experienced rapid growth in business requirements, applications, distributed branch offices, and
data centers, and over time these growth factors have increased network complexity. The challenge is to transport the
growing volume of mission-critical and delay-sensitive traffic cost-effectively while improving security and privacy over the WAN.
Juniper approaches this challenge using the four design principles outlined above. This paper examines:
• Technology and services trends such as cloud computing that impact architectural decisions
• Juniper’s advanced routing technology, which provides tools to address different business requirements
Scope
This WAN reference architecture discusses WAN design concepts and presents use cases and practical examples to
help WAN architects and engineers address the requirements of designing simplified WANs. The use cases covered are:
• Enterprise WAN
• WAN aggregation
• Internet edge
Target Audience
This paper describes Juniper Networks’ simplified WAN architecture. This architecture is particularly suitable for organizations
that are:
This document serves as a reference tool for the following network personnel:
• Network engineers
• Network architects
• Security managers
• Juniper partners
Technology Trends
Advances in technology have led to more WAN connectivity options at lower prices. This gives organizations an
opportunity to reevaluate their WAN designs to improve performance and reduce costs. For example, the drop in the
price of 10GbE has created an opportunity for enterprises to leapfrog in bandwidth, migrating from DS3/OC3 to 10GbE
and replacing private leased lines with Ethernet services.
Services Trends
Enterprises have been adopting cloud services (private, hybrid, and public cloud) to increase productivity and reduce
costs. Using cloud services may increase WAN bandwidth requirements, as applications and data are now pushed over the WAN.
WAN traffic can also grow organically as businesses add remote locations to better serve their customers. The growth of
distributed branch offices, remote data centers, and remote workers commonly adds traffic to the WAN and can also
create more meshed topologies.
Simplify:
• Reduce the number of physical devices, links, and complexity—Organizations commonly reduce the number of physical
storage devices and physical servers with virtualization. The same holds true for the network. The high-performance
and advanced routing capabilities of Juniper Networks® MX Series 3D Universal Edge Routers now make device, link, and
complexity reduction possible. Reducing physical devices and links also has a positive impact on CapEx and OpEx,
power use, space consumption, and manageability.
• Reduce the number of operating systems—Change management is especially acute as the number of network operating
systems increases. Juniper runs one consistent operating system across its portfolio of routing, switching, and security
products. A single operating system also reduces training requirements and improves operational efficiency.
• Prepare for Future Expansion—Future readiness and simplification are best engineered over a period of time so that a
network has sufficient overhead to accommodate future growth easily.
• Select an appropriate topology—The topology of the network (such as mesh, hub and spoke) and the traffic pattern are
important design considerations, because the choice impacts not only cost but also the responsiveness of the business.
Share:
• Share network resources through virtualization to dramatically improve asset utilization, privacy, and traffic
segmentation—Juniper offers a number of virtualization technologies that range from link virtualization through device
virtualization to network virtualization.
• Increase resiliency and reliability across network resources—Network resiliency and reliability are critical to maintaining
business continuity and regulatory compliance, and organizations can not only improve network device resiliency and
reliability, but also improve that of WAN connectivity.
• Add traffic engineering, where appropriate, to optimally share network resources—Today’s bandwidth-hungry applications
consume ever-increasing amounts of network bandwidth and impede the performance of mission-critical data.
Traffic engineering offers another valuable tool to optimize network resources.
Secure:
• Improve security and compliance—Enterprises are increasingly subject to regulatory compliance mandates that require critical
data to be separated from other data in the enterprise network. Further, enterprises must ensure that their data is protected
from an ever increasing range of attacks. Juniper offers many technologies to improve privacy, security, and compliance.
Automate:
• Low latency multicast—Multicast technologies provide timely delivery of services to a large number of users, and distribute
that traffic efficiently.
• Carrier-class reliability—Juniper provides hardware resiliency as well as network and software redundancy.
• Quality of service (QoS)—Sophisticated policies expedite delay sensitive content with predictable and measurable results.
• Security—Security is enhanced using a combination of countermeasures such as separation of traffic for privacy, as well as
techniques to provide network-layer and application-layer security.
• Consistent operating environment—Juniper Networks Junos® operating system provides a common language across
Juniper’s routing, switching, and security devices, and is also easily upgradable with unified in-service software upgrade
(unified ISSU) for full releases.
[Figure 1 content: Virtualization: GRE, MPLS, VPLS, Logical Systems, Virtual Router, Virtual Chassis. Low-Latency Multicast: ASIC-based forwarding and replication, P2MP TE.]
Figure 1: Summary of advanced routing technologies that simplify, share, secure, and automate the WAN
Figure 1 shows Juniper’s advanced routing technologies layered on top of our innovative advanced silicon and hardware, such
as our latest 3D Trio chipset. Juniper’s advanced hardware is supported by a single operating system—Junos OS—and a single
release train that works across routing, switching, and security platforms. The powerful Junos OS drives Juniper’s advanced
routing portfolio. The following sections provide more details of the major components of advanced routing.
• Device partitioning (1:N)—Takes one physical device and partitions it into logical devices. Examples of device partitioning
include VLANs, VPN routing and forwarding (VRF), integrated routing and bridging (IRB), virtual routers and bridges, and
Juniper Networks JCS1200 Control System.
• Network communication (N:M)—Provides many-to-many communication. Includes MPLS-based L3VPNs (MPLS, generic
routing encapsulation, IPsec) and L2VPNs (virtual private LAN service, pseudowires, 802.1Q).
• Device aggregation (N:1)—Takes many physical devices and aggregates them into logical devices. Examples include
Virtual Chassis, multichassis link aggregation group (LAG), Juniper Networks TX Matrix, and the JCS1200 Control System.
[Figure 2: Complementary virtualization technologies from Juniper. Panels: Device partitioning (1:N): VLAN, VRF, IRB, virtual routers, virtual bridging, Logical Systems, JCS1200. Network communication (N:M): L3VPN (MPLS, GRE, IPsec), L2VPN (VPLS, pseudowires, 802.1Q), circuit to packet (TDM, serial, etc. to IP), MPLS. Device aggregation (N:1): Virtual Chassis, multichassis LAG, TX Matrix, JCS1200.]
Network virtualization with MPLS improves network resiliency and scales for future growth:
• Enhanced user experience: Enhances the end user application experience with traffic engineering, which enables fine-tuning of
the network to deliver appropriate levels of QoS and service-level agreements (SLAs).
• Improved network resiliency: Improves network resiliency with features like MPLS fast reroute, enabling sub-50 millisecond reroute.
Link-level HA requires two links operating in an active/backup arrangement so that if one link fails, the other takes over
forwarding of traffic. Link-level resiliency provides both fault detection and mitigation techniques that can be
combined effectively to address failures. Some examples include:
• Bidirectional Forwarding Detection (BFD) provides proactive link fault detection and mitigation by detecting faults and
using MPLS fast reroute to switch to the alternate path within 50 ms.
• Link aggregation group (LAG), multichassis link aggregation (MC-LAG), and Ethernet ring protection provide additional
link-level resiliencies at Layer 2.
• Graceful restart, which provides nonstop forwarding through individual routing protocol restart and convergence.
• Unified ISSU, which enables upgrading full software releases while the router is still operational, without requiring that the
router be brought down during a scheduled maintenance window.
• Virtual Chassis, which combines multiple switches or routers into a virtual entity that can provide protection for
node failures and failure of links connected to the Virtual Chassis. Virtual Chassis technology allows organizations to
incrementally upgrade their switching or routing capacity by adding additional devices to the Virtual Chassis.
For a detailed technical description of Juniper’s HA features, please refer to HA Technical Documentation.
• Enterprises deploy colocation data centers to achieve greater resiliency. Traffic flowing between any of these
colocation centers and the WAN must be designed to be symmetric, to prevent asymmetric routing issues.
Grouping routers based on BGP community strings also mitigates asymmetric routing issues. For instance, branch
office routers can advertise a BGP community for each application based on its preferred data center.
• The use of monitoring applications and technologies can lead to higher network and application availability. With VoIP,
for instance, a combination of using BFD to monitor link failures, MPLS fast reroute to mitigate faults, and a voice quality
monitoring application can provide optimal results.
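The BFD, MPLS fast reroute and per-application BGP community practices above, as an added Junos configuration example that is not from the Juniper paper. It assumes a dual-homed branch router whose WAN port is ge-0/0/0; all addresses, the AS number, the community value and the policy names are constructed placeholders.

```junos
/* Added example, not from the Juniper paper: Junos configuration for an assumed dual-homed
   branch router. BFD detects link faults, RSVP fast reroute repairs the LSP locally, and an
   export policy tags each application prefix with a BGP community naming its preferred data
   center. All addresses, the AS number and the community value are constructed placeholders. */
interfaces {
    ge-0/0/0 {
        description "WAN link toward DC1 (assumed)";
        unit 0 {
            family inet { address 192.0.2.2/30; }
            family mpls;
        }
    }
}
routing-options {
    router-id 10.255.0.10;
    autonomous-system 65000;
}
protocols {
    rsvp { interface ge-0/0/0.0; }
    mpls {
        label-switched-path branch-to-dc1 {
            to 10.255.0.1;      /* DC1 PE loopback, assumed */
            fast-reroute;       /* pre-signal detours so a link failure is repaired locally */
        }
        interface ge-0/0/0.0;
    }
    ospf {
        area 0.0.0.0 {
            /* 3 x 100 ms: the link is declared down after 300 ms of missed BFD packets */
            interface ge-0/0/0.0 {
                bfd-liveness-detection {
                    minimum-interval 100;
                    multiplier 3;
                }
            }
            interface lo0.0 { passive; }
        }
    }
    bgp {
        group enterprise-core {
            type internal;
            local-address 10.255.0.10;
            export tag-voice-dc1;
            /* BFD on the BGP session: the peer is torn down on a fault instead of waiting for hold time */
            bfd-liveness-detection {
                minimum-interval 300;
                multiplier 3;
            }
            neighbor 10.255.0.1;
        }
    }
}
policy-options {
    /* one community per application/data-center pairing; the DC routers match on it */
    community voice-prefers-dc1 members 65000:101;
    policy-statement tag-voice-dc1 {
        term voice-subnet {
            from { route-filter 10.10.0.0/24 orlonger; }
            then {
                community add voice-prefers-dc1;
                accept;
            }
        }
        term rest { then accept; }
    }
}
/* Counterpart on the DC1 router (a separate device, assumed): prefer the tagged prefixes here,
   so traffic for that application enters and leaves the WAN through the same data center */
policy-options {
    community voice-prefers-dc1 members 65000:101;
    policy-statement prefer-voice-here {
        term voice {
            from community voice-prefers-dc1;
            then {
                local-preference 200;
                accept;
            }
        }
        term rest { then accept; }
    }
}
```

The DC1 stanza is applied as an import policy on that router's BGP group toward the branches; the two `policy-options` blocks belong to two different devices, not one configuration file.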
- Behavior aggregate (BA) classifiers, where the forwarding class is based on the packet’s IP precedence, MPLS EXP bits,
etc. These are called behavior aggregates because they aggregate multiple classifications. BA classifiers are normally
used in the core of the network.
- Multifield (MF) classifiers, where the forwarding class and loss priority of a packet are based on one or more field values
in the packet, such as the 5-tuple. For instance, the source and destination IP address, source and destination TCP port, or
protocol can be used for classification. MF classifiers are normally used at the network edge.
• Prioritization involves prioritizing network and application traffic according to levels of sensitivity and criticality. Multiple
forwarding classes (queues) can be used to prioritize application traffic based on sensitivity to latency, jitter, or packet loss.
Some sample settings are illustrated below:
Table 2: Sample of Four Classes or Queues, Along with Their Traffic Characteristics
FORWARDING CLASSES | PRIORITY | LATENCY/PACKET DELAY SENSITIVITY | JITTER SENSITIVITY | PACKET LOSS SENSITIVITY | SAMPLE TRAFFIC
*Queues with strict-high priority are serviced before high or low priority queues, as long as there are packets in the queue.
Network control—Referring to traffic such as a routing protocol, this class is given high priority due to its high packet loss
sensitivity.
Expedited forwarding (EF)—Provides low loss, latency, jitter, and assured bandwidth for end-to-end service.
Assured forwarding (AF)—Provides a group of services (e.g., AF1 through AF4), each with low, medium, or high drop
probability. Data in AF classes are more sensitive to packet loss than data in the EF class.
Best effort—Does not give any preference to queuing and forwarding during periods of congestion.
End-to-end QoS strategy—To enforce a successful QoS strategy, organizations must associate incoming traffic to forwarding
classes based on priorities set on the packets by other parts of the network. For example, in the medium-to-large branch
offices, the local switch performs the classification and the services gateway or secure router performs the enforcement.
Branch office network devices should be able to carry QoS markings through the VPN tunnels and apply the policy across the
entire deployment, thereby providing end-to-end QoS.
• TCP or UDP—The selection of forwarding classes and congestion control algorithms can be influenced by whether the
traffic is TCP or UDP. TCP can be classified in the assured forwarding class, since TCP is more tolerant of packet loss due to
its retransmission and dynamic window sizing capabilities, which UDP does not have. UDP applications, such as voice,
can be classified in the expedited forwarding class.
• Application criticality—Review applications for criticality, even within a given forwarding class. For instance, secure file
transfers do not necessarily need to receive the same treatment as SNMP, even though both are assigned to the assured
forwarding class.
• Maximum allowed bandwidth—Selected traffic can be limited to a certain percentage of the bandwidth to ensure fairness
among the classes. For example, email traffic can be limited to a certain amount of bandwidth once an estimated email
traffic ceiling has been established.
• Traffic bursts—Bandwidth allocation can factor in traffic bursts during specific time periods, such as a quarterly close.
• Trust domains—Determine whether an upstream switch or router will accept the priority settings from a downstream
device. For instance, a downstream VoIP phone may set a high L2 priority that can either be ignored or accepted by an
upstream switch before mapping the L2 priority to L3 priority.
- Identify the type of end-to-end QoS supported by your service provider. For example, support of short pipe tunneling
will allow the transport of the customer’s original priority setting unaltered across the service provider network so that
remote sites can make decisions based on priority settings.
- In designing the forwarding classes, the number of queues supported in the service provider network should be
considered. For example, if only three classes can be supported in the service provider network vs. six in the enterprise
network, enterprises must assess the impact on end-to-end QoS by combining multiple classes in the enterprise
network to a few in the carrier network.
- Shape multicast and unicast traffic to the bandwidth purchased from the carrier while ensuring that critical traffic
isn’t dropped.
[Figure 3 diagram: a data center connected by separate logical paths to the institution’s HQ, retail banking, financial services, and investment banking sites.]
Figure 3: Example of financial institution with different QoS policies by path and application
Figure 3 shows an example of multiple logical paths between a data center and the investment banking, retail banking,
headquarters, and financial services of a large financial institution. Each of these paths, denoted by solid and dotted lines,
can have different QoS requirements because they run different applications with various SLAs. To achieve the different QoS
requirements, customers can configure forwarding class parameters as shown in the sample configuration below.
Table 3: Sample of Financial Institution Configuration for Four Forwarding Classes or Queues
FORWARDING CLASSES | BUFFER SIZE | TRANSMIT RATE | PRIORITY
It is important to note that queues with strict-high priority are serviced before high or low priority queues, as long as there are
packets in the queue. To prevent the other queues from being starved, the strict-high queue can be policed.
• Network control classes carry infrequent traffic, so a buffer size and transmit rate of 6% are sufficient.
• Expedited forwarding classes have a very small queue size to avoid jitter and latency. The expedited forwarding queue is also
serviced aggressively, at a 20% transmit rate.
• Assured forwarding classes contain business-critical traffic and are given a large buffer and transmit rate with a high
priority service rate.
• The best-effort classes have 40% of the buffer space and the rest of the available bandwidth.
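The BA and MF classifiers described earlier and the Table 3 queue parameters above, as an added Junos class-of-service example that is not from the Juniper paper. Interface names, queue numbers, the DSCP aliases in the BA classifier, the assured forwarding percentages and the port ranges in the multifield filter are assumptions; the paper supplies only the 6%/6% network control, 20% expedited forwarding and 40% best-effort buffer figures, and the `rate-limit` keyword used to police the strict-high queue should be checked against your Junos release.

```junos
/* Added example, not from the Juniper paper: Junos class-of-service for the four queues of
   Table 3, plus a multifield classifier for the LAN edge. Interface names, queue numbers,
   DSCP aliases, the AF percentages and the port ranges are assumptions. */
class-of-service {
    forwarding-classes {
        queue 0 best-effort;
        queue 1 expedited-forwarding;
        queue 2 assured-forwarding;
        queue 3 network-control;
    }
    /* BA classifier for the core-facing link: the default DSCP table already maps EF and
       CS6/CS7; add the AF code points so that class survives end to end */
    classifiers {
        dscp wan-ba {
            import default;
            forwarding-class assured-forwarding {
                loss-priority low code-points [ af11 af21 ];
                loss-priority high code-points [ af13 af23 ];
            }
        }
    }
    schedulers {
        /* Network control: infrequent but loss-sensitive, 6% buffer and 6% rate (Table 3) */
        nc-sched {
            buffer-size percent 6;
            transmit-rate percent 6;
            priority high;
        }
        /* EF: small buffer keeps latency and jitter low; strict-high is always served first,
           so rate-limit polices it at 20% to keep it from starving the other queues */
        ef-sched {
            buffer-size percent 5;
            transmit-rate percent 20 rate-limit;
            priority strict-high;
        }
        /* AF: business-critical traffic, large buffer and rate (these percentages assumed) */
        af-sched {
            buffer-size percent 49;
            transmit-rate percent 44;
            priority high;
        }
        /* Best effort: 40% of the buffer and whatever bandwidth is left over */
        be-sched {
            buffer-size percent 40;
            transmit-rate remainder;
            priority low;
        }
    }
    scheduler-maps {
        wan-map {
            forwarding-class network-control scheduler nc-sched;
            forwarding-class expedited-forwarding scheduler ef-sched;
            forwarding-class assured-forwarding scheduler af-sched;
            forwarding-class best-effort scheduler be-sched;
        }
    }
    interfaces {
        /* ge-0/0/0 is the assumed WAN-facing port: scheduler on egress, BA classifier on ingress */
        ge-0/0/0 { scheduler-map wan-map; unit 0 { classifiers { dscp wan-ba; } } }
    }
}
/* MF classifier for the LAN edge: forwarding class and loss priority chosen from the 5-tuple */
firewall {
    family inet {
        filter mf-edge {
            term voice-rtp {
                from {
                    protocol udp;
                    destination-port 16384-32767;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            /* SFTP is AF traffic but less critical than the rest of that class, so drop it first */
            term sftp {
                from {
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    forwarding-class assured-forwarding;
                    loss-priority high;
                    accept;
                }
            }
            term everything-else { then accept; }
        }
    }
}
interfaces {
    /* ge-0/0/1 is the assumed LAN-facing port; the filter classifies on ingress */
    ge-0/0/1 { unit 0 { family inet { filter { input mf-edge; } } } }
}
```

Buffer percentages add up to 100, and the best-effort scheduler takes the remainder of the transmit rate, so the configuration commits without oversubscribing the port.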
• Line-rate performance with QoS and access control lists (ACLs) to guarantee application
performance and security without degraded throughput
• Less than 20µs high-performance queue latency provides low latency and jitter to applications
• Over 128,000 hardware queues per chassis to provide ample room for controlling bandwidth
For further details, please refer to QoS on Juniper routers.
• Comprehensive Security—A comprehensive set of security features that include Web filtering, deep inspection, and
intrusion detection and prevention (IDP).
• Juniper Networks Adaptive Threat Management Solutions—Provides solutions that constitute high-performance security
platforms adaptable to ever changing security threats. Business benefits include proactive data protection, business
continuity, and reduced TCO resulting from fewer network disruptions.
• VPNs—IPsec VPN and MPLS VPN that provide a logical separation of data and improve the privacy of data. These also
offer a cost-effective alternative to expensive dedicated links to provide traffic separation.
[Figure 4: Example of a distributed enterprise with multiple layers of security. Diagram: branch offices with MX Series midrange routers (MX80), SRX3600 services gateways and EX4200/EX4500 switches, and data centers with M120 and MX480 routers, SRX3600 gateways and QFX3500 switches, interconnected over 10GbE, GbE and 5xGbE links to the enterprise WAN and the Internet.]
Figure 4 depicts an enterprise network with many branch offices and data centers interconnected to the enterprise WAN.
The branch offices use Juniper Networks MX Series midrange routers—MX5, MX10, MX40, and MX80 3D Universal
Edge Routers—to provide WAN and Internet connectivity, and the Juniper Networks SRX3600 Services Gateway to support
virtual firewall functionality. The MX Series midrange routers provide high-performance routing in a compact form factor and
improve investment protection by enabling a seamless upgrade between models using software licensing. The enterprise
branch has consolidated many disparate security devices into the SRX3600, using an L3VPN and virtual firewalls. Additionally,
the MX Series offers Juniper Networks Multiservices DPC (MS-DPC) full-slot modules to support firewall capability that is
integrated into the router.
The branch offices are connected using dual-homed links to the enterprise WAN core. The data center consists of a pair of
Juniper Networks M120 Multiservice Edge Routers designed for resiliency to provide WAN connectivity, along with
Juniper Networks EX4500/EX4200 Ethernet Switches providing 10GbE access for servers, which act as access-layer
switches connecting to the servers and network attached storage (NAS) in the data center. The diagram also shows Juniper
Networks MX80 3D Universal Edge Routers connected to QFX3500 Ethernet Switches providing 10GbE access for servers.
The QFX3500 provides high-density, ultra-low-latency 10GbE access for storage area networks (SANs), Fibre Channel (FC),
Fibre Channel over Ethernet (FCoE) and high-performance computing (HPC). The core of the network consists of four pairs of
MX960 3D Universal Edge Routers, which (like the M120) have been designed for resiliency.
• Where possible, consolidate firewalls into a common path where traffic from multiple VPNs can be funneled.
• For MPLS VPN, associate VPNs to specific WAN networks to ensure that VPNs which must exist in multiple WANs can use
efficient interconnections.
For MPLS-based WANs, organizations can use MPLS-based point-to-multipoint (P2MP) services that optimize next-
generation MVPNs (NG MVPNs). NG MVPNs improve scalability by intelligently leveraging adjacencies that already exist in the MPLS
network, which eliminates the need for every router to maintain separate adjacency information with every other router
that participates in the MVPN. NG MVPN also benefits enterprises by eliminating the need to run a multicast routing protocol
over the service provider network. The benefits of NG MVPN are:
• MPLS fast reroute—allows quick detection of path failure and rapid reroute to alternate paths, in less than 50 ms
• Deterministic routing—permits the ability to precisely control paths the data will follow, in order to create redundant paths
from source to destination and thereby ensure resiliency in case of failure or performance degradation
It is recommended that enterprise network architects consider the following in running a multicast network:
• The number of multicast groups that can be supported per VPN is usually limited when using carrier networks. Thus, to
reduce costs, VPNs that require a large number of multicast groups can be designed to run on a private MPLS cloud rather
than on a service provider network.
• The number of rendezvous points (RPs) is limited per VPN and geographical location; therefore care must be taken in
choosing the optimal location for each RP and the multicast sources that it handles.
Juniper offers many multicast signaling protocols, such as Protocol Independent Multicast-Sparse Mode (PIM-SM), Protocol
Independent Multicast-Dense Mode (PIM-DM), Protocol Independent Multicast-Source Specific Mode (PIM-SSM), and
Bidirectional PIM.
Automate—Ease of Management
To simplify network provisioning, monitoring, and maintenance, several management tools are recommended to reduce
network downtime, minimize human error, and accelerate service deployment:
• Juniper Networks Junos Space Ethernet Design—Provides best practice service definition such as port security, QoS,
spanning tree, etc., to plan, simulate, model, and diagnose issues in the network.
• Juniper Networks Junos Space Network Activate—Provides best practice service definitions for E-LINE, E-LAN and E-TREE
services to quickly, accurately, and easily provision VPNs.
• Juniper Networks Junos Space Route Insight—Provides a tool to easily plan, simulate, model, and diagnose issues in the
MPLS network.
• Configuration scripts—Configuration scripts are ideal for organizations that frequently change QoS policies that need
to be propagated to many routers. These scripts also ensure adherence to corporate network guidelines.
• Operation scripts—Organizations that want to simplify a series of iterative commands can benefit from creating a custom
command using an operations script. Enterprises can also create commands customized for specific solutions. These
scripts reduce the risk of misconfiguration and improve productivity.
• Event scripts—Organizations can automate configuration changes to specific events with event scripts. For example,
security can be enhanced by controlling the access to user accounts based on the employee’s shift time using event scripts.
Use Cases
The following sections highlight WAN use cases:
• Enterprise WAN
- Public network
• WAN aggregation
• Internet edge
The MX Series uniquely addresses enterprise network needs in a single platform based on simplicity:
• Massive upgradeability from 20 Gbps to 2.6 Tbps for a variety of application needs
• Range of interface speeds (10/100/1000M, 10GbE, OC3, OC12, OC48, DS3) for different WAN interconnects
• Traffic engineering and MPLS-based resiliency for superior application performance
• Capacity: 20 Gbps -> 40 Gbps -> 60 Gbps -> 80 Gbps, with optional software license
Use Case: Enterprise WAN—Private MPLS Across a Public Service Provider Network
[Figure: enterprise sites connected across a service provider network; enterprise MPLS (Ent-MPLS) carried inside GRE, and GRE inside IPsec, between the CPE at each site]
Figure 6: IPsec encrypted MPLS traffic tunneled using GRE to a provider router for transport over service provider L3VPN
Figure 6 depicts an enterprise running MPLS across a service provider L3VPN network. In this scenario, the enterprise has two
locations (A and B) that send traffic to each other, and Site B also sends traffic to Site C. The MPLS traffic from Site A is
carried in generic routing encapsulation (GRE) tunnels to Site C and transported across the service provider's MPLS network.
Likewise, the MPLS traffic from Site B to Site C is encrypted with IPsec and tunneled in GRE to Site C across the service
provider MPLS transport. At Carrier Router3, the traffic for Site C is handed off over the GRE tunnel to the customer premises
equipment (CPE), where it is decrypted and forwarded into the organization's MPLS network.
Enterprises choose VPN services offered by service providers for a variety of reasons. Some of the most common reasons
are cost and simplicity. Additionally, enterprises can choose between managed services and unmanaged services. Many
enterprises choose a managed CPE to reduce the cost of managing equipment. Unmanaged CPE is popular with enterprises
that have the necessary resources and the desire to have control over the network on their premises.
With an unmanaged service, the CPE device either runs BGP to the carrier router to advertise routes or is configured
with static routes that send all traffic to the provider router. The enterprise can also encrypt all traffic leaving
the CPE and tunnel it in GRE to the provider router. To connect to the provider router, the enterprise may choose
inexpensive cable or DSL connectivity instead of expensive fiber. The enterprise must still guarantee resiliency
and ensure that VoIP traffic is protected against failures in WAN connectivity; it may also decide to have a backup
connection to the Internet.
Benefits:
• Greater control over network latency by controlling the SLA and directing low-priority traffic over suboptimal paths.
• Logical rather than physical separation of traffic, which reduces cost.
[Figure: legacy WAN with the corporate campus and data centers interconnected by dedicated Layer 2 and Layer 3 links]
Figure 7: Before Case: Real example of legacy WAN using 30 dedicated links per application to interconnect data centers, with only 1% average utilization
In contrast, deploying Juniper Networks devices, Junos OS, and network virtualization provides simplicity and improved
network utilization with the flexibility needed to expand the network easily for future growth.
With Juniper’s enterprise WAN solution (as shown in Figure 8), the private MPLS cloud replaces dedicated link
interconnectivity between the different entities using label-switched paths (LSPs) that can be set up on demand. Business
continuity is maintained using MPLS fast reroute, while custom application bandwidth is maintained using traffic engineering.
Significant CapEx and OpEx savings are achieved, while improving privacy and security using logical MPLS separation.
[Figure: corporate campus, Data Center 1 and Data Center 2 connected across a private MPLS cloud; applications engineered into LSPs across the MPLS core; critical applications protected by fast reroute detour paths and secondary LSPs]
Figure 8: After Case: Real deployment using Juniper's simplified WAN design using network virtualization eliminates application dedicated links
In this example, the key principles of Juniper's simplified WAN design were:
• Security—separating resources and easily directing traffic to centralized, virtualized firewalls
• Manageability through automation—scripts that provide self-monitoring, self-diagnosing, and self-healing capabilities,
along with network management tools that simplify provisioning, monitoring, and troubleshooting of the network
• Cost-effective resiliency by using MPLS paths rather than physically separated interconnections
[Figure (caption not recovered): Layer 2 stretch using VPLS over the MPLS core; MX Series routers at the service edge form the MPLS boundary, EX Series access switches carry the DB1 and VM1 VLANs, and each VLAN is mapped to a VPLS instance so that VM1, VM2 and DB1 share one Layer 2 domain across both sites]
When GRE is used to transport MPLS packets over an Ethernet-based transport network, the transport network often
supports a maximum transmission unit (MTU) of 1,500 bytes. Because of the overhead required to encapsulate MPLS
packets in GRE, the encapsulated packet can exceed the smallest MTU on the path. The packet must then be fragmented
either before it is encapsulated in GRE or after the GRE headers are added. Since Layer 2 frames carried in MPLS cannot
be fragmented before the MPLS/GRE headers are added, such packets must be fragmented after GRE encapsulation.
GRE tunnels are supported on Juniper Networks M Series Multiservice Edge Routers with the ASP tunnel module. Path MTU
discovery should be enabled on the Juniper routers so that they learn the smallest MTU along the entire path; this avoids
needless fragmentation.
In this design, the largest Ethernet frame that can be carried without fragmentation is 1448 bytes.
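The enterprise-MPLS-over-GRE CPE from the use case above, with the MTU handling just described, as an added example rather than configuration taken from the paper. It places both GRE endpoints on the enterprise CPEs, so the carrier's L3VPN only ever learns the tunnel endpoint address and never the enterprise prefixes; the paper's figure terminates the GRE on the provider router, which is an equally valid placement. Addresses, ASNs, interface names, the FPC slot used for tunnel services, and the 1400-byte MTU value are assumptions, and the IPsec leg is not shown.

```junos
/* Constructed example (not from the paper): Site B CPE carrying the enterprise
   label stack inside GRE to the Site C CPE across the provider L3VPN. */
chassis {
    fpc 0 {
        pic 0 {
            tunnel-services {                # MX Series: create gr- interfaces on this PFE (slot assumed)
                bandwidth 1g;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 192.0.2.11/32;       # tunnel endpoint, the only prefix the provider learns
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 203.0.113.2/30;      # link to the provider router (assumed)
            }
        }
    }
    gr-0/0/0 {
        unit 0 {
            description "enterprise MPLS over GRE to Site C CPE";
            tunnel {
                source 192.0.2.11;
                destination 192.0.2.13;      # Site C CPE loopback, reached through the provider L3VPN
                path-mtu-discovery;          # learn the smallest MTU on the transport path
            }
            /* 1500 (transport) - 20 (outer IPv4) - 4 (GRE) leaves 1476 bytes for the
               labelled packet; 1400 also leaves room for IPsec overhead on the link. */
            family inet {
                mtu 1400;
                address 10.255.0.1/30;
            }
            family mpls {
                mtu 1400;
            }
        }
    }
}
routing-options {
    autonomous-system 64512;                 # enterprise ASN (assumed)
}
protocols {
    mpls {
        interface gr-0/0/0.0;
    }
    ldp {
        interface gr-0/0/0.0;                # enterprise label distribution runs over the tunnel
    }
    bgp {
        group provider-pe {
            type external;
            peer-as 64500;                   # provider ASN (assumed)
            neighbor 203.0.113.1 {
                authentication-key "REPLACE-WITH-SHARED-SECRET";   # placeholder, agreed with the provider
            }
            export tunnel-endpoints-only;
        }
    }
}
policy-options {
    policy-statement tunnel-endpoints-only {
        /* Only the loopback is announced to the carrier; every enterprise prefix
           stays inside the enterprise MPLS and is invisible to the provider VPN. */
        term endpoint {
            from {
                protocol direct;
                route-filter 192.0.2.11/32 exact;
            }
            then accept;
        }
        term deny-rest {
            then reject;
        }
    }
}
```

Keeping the family MTUs below the transport budget is what prevents fragmentation in the common case; path MTU discovery then only has to catch a transport link that is narrower than 1,500 bytes. Fragmenting after encapsulation and reassembling at the far end, which the paper requires for Layer 2 traffic that cannot be fragmented beforehand, depends on the tunnel hardware (the ASP tunnel module on M Series) and is not shown here.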
[Figure: two SRX Series branch routers, each dual-homed over the public or private WAN to two M Series/MX Series WAN aggregation routers in AS1 and AS2, using static routes or EBGP]
Figure 10: WAN aggregation of remote branch offices using WAN aggregation routers
Figure 10 depicts two branch offices connected to the public WAN (carrier provided) or the private WAN (enterprise
owned). Each branch router is dual-homed, for resiliency, to two aggregation routers. The WAN aggregation devices are
two MX Series or M Series routers placed in separate autonomous systems (for example, AS1 and AS2) so that their routing
stays separate. The branch routers reach the aggregation routers using either static routes or EBGP.
Enterprises that require enhanced resiliency use two providers for the WAN aggregation, i.e., AS1 will belong to provider 1 and
AS2 will belong to provider 2. The redundancy will ensure that the enterprise WAN is not affected by any one provider failure.
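The dual-homed branch router from Figure 10, peering by EBGP with aggregation routers in two different autonomous systems. This is an added example, not configuration from the paper; ASNs, addresses, prefixes, and the key placeholders are assumptions. The point it adds is the export policy: the Junos default EBGP export re-advertises every active BGP route, so without an explicit policy a branch dual-homed to two providers becomes a transit path between AS1 and AS2.

```junos
/* Constructed example (not from the paper): branch router dual-homed to
   aggregation routers in AS 65001 and AS 65002. Values are assumptions. */
routing-options {
    autonomous-system 64512;                 # branch ASN (assumed private ASN)
}
policy-options {
    prefix-list branch-lans {
        10.20.0.0/16;                        # branch address space (assumed)
    }
    policy-statement export-branch-only {
        /* Advertise only the branch LANs. The final reject also drops routes
           learned from the other aggregation router, so the branch never offers
           itself as transit between AS1 and AS2. */
        term lans {
            from {
                protocol direct;
                prefix-list branch-lans;
            }
            then accept;
        }
        term deny-rest {
            then reject;
        }
    }
    policy-statement prefer-agg1 {
        /* Make AS1 the primary path; AS2 stays as backup. */
        term all {
            then {
                local-preference 200;
                accept;
            }
        }
    }
}
protocols {
    bgp {
        log-updown;                          # session flaps go to syslog
        group agg-as1 {
            type external;
            peer-as 65001;
            neighbor 192.0.2.1 {
                authentication-key "REPLACE-WITH-AS1-SECRET";   # placeholder MD5 key
            }
            import prefer-agg1;
            export export-branch-only;
        }
        group agg-as2 {
            type external;
            peer-as 65002;
            neighbor 192.0.2.5 {
                authentication-key "REPLACE-WITH-AS2-SECRET";   # placeholder MD5 key
            }
            export export-branch-only;
        }
    }
}
```

After committing, `show route advertising-protocol bgp 192.0.2.5` should list only the branch prefixes; if any route with an AS path through 65001 appears there, the export policy is not being applied. Branches that use static routes instead of EBGP get the same dual-homing with a default route toward one aggregation router and a qualified next hop of higher preference toward the other.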
Note that larger branches use dual (redundant) branch routers for greater reliability, as shown in the following example.
[Figure: Branch 1 and Branch 2 connected over the enterprise WAN to MX Series midrange/M Series routers at HQ using static routes or EBGP; the HQ routers peer with the Internet using EBGP]
Figure 11: Internet edge access through headquarters carried through the enterprise WAN
Figure 11 above depicts two branch offices (Branch1 and Branch2) that are connected to the headquarters (HQ) in a hub and
spoke topology through the enterprise WAN network.
Branch1, a small branch, has an SRX Series branch router that connects it to the WAN. Branch2, a medium sized branch,
has two dual-homed SRX Series branch routers providing WAN connectivity and EX Series access switches connecting the
servers and phones to the SRX Series branch routers. The branch routers run IBGP and OSPF. The EX Series switches are
combined in a virtual chassis.
All Internet traffic is carried through the enterprise WAN to headquarters. All Internet traffic passes through firewalls in
the DMZ that perform deep packet inspection to identify malicious content and to monitor and regulate bandwidth consumption
by applications in the branch offices. The MX Series midrange routers (MX5/MX10/MX40/MX80) are ideal for the Internet edge,
as they provide seamless upgradeability on a single platform using software licensing.
Enterprises that do not require Internet traffic to be carried to headquarters through the WAN allow for split tunneling of the
traffic at the branch. Split tunneling ensures that Internet traffic can be accessed directly from the branch. However, to meet
security and regulatory compliance requirements such as Payment Card Industry Data Security Standard (PCI DSS), these
enterprises deploy security devices at the branch that perform deep packet inspection of Internet traffic. Juniper Networks
SRX Series Services Gateways provide a range of security features that are ideal for branch security.
[Figure: SRX Series branch routers at Branch 1 and Branch 2 connected to MX Series midrange/M Series WAN aggregation routers using static routes or EBGP, with IPsec backup tunnels over the Internet to MX Series midrange (MX5, MX10, MX40, MX80) Internet edge routers]
Figure 12: Internet edge providing backup connectivity to the enterprise WAN
Figure 12 depicts two branch offices (Branch1 and Branch2) connected to the enterprise WAN and the Internet edge. The
branch routers are connected to the WAN aggregation routers, and traffic between them is routed using either static routes
or EBGP. If the primary connectivity between the branch and the WAN fails, the branch router establishes an IPsec tunnel
over the Internet to Branch2.
The MX Series midrange routers provide Internet connectivity and are ideal for the Internet edge, as they support an
uncompromising feature set and the flexibility to upgrade on a single platform through software licensing.
Enterprises that implement this form of resiliency must ensure that the bandwidth of the WAN and Internet connections is
comparable. They should also expect application performance to degrade while the Internet is used as a backup, and may
therefore decide to route only selected critical applications over the Internet during failover.
One of the primary benefits of this use case is the low cost and the ease of deployment.
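A branch SRX configured for the backup path just described, as an added example that is not configuration from the paper. It builds a route-based IPsec tunnel over the Internet and, following the paper's advice to fail over only critical traffic, steers only the voice subnet into it through a floating static route. The far-end address, interface names, subnets, and the pre-shared key placeholder are assumptions, and the LAN and Internet interfaces are assumed to be configured already.

```junos
/* Constructed example (not from the paper): branch SRX with a route-based IPsec
   tunnel over the Internet that carries only the voice subnet once the primary
   WAN route is withdrawn. Addresses, names, interfaces and the secret are assumed. */
security {
    ike {
        proposal ike-aes256-sha256 {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-backup {
            mode main;
            proposals ike-aes256-sha256;
            pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-SECRET";   # placeholder
        }
        gateway gw-internet-edge {
            ike-policy ike-backup;
            address 198.51.100.2;            # far-end Internet address (assumed)
            external-interface ge-0/0/0.0;   # branch Internet uplink (assumed)
        }
    }
    ipsec {
        proposal esp-aes256-sha256 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-backup {
            perfect-forward-secrecy { keys group14; }
            proposals esp-aes256-sha256;
        }
        vpn vpn-backup {
            bind-interface st0.0;
            ike {
                gateway gw-internet-edge;
                ipsec-policy ipsec-backup;
            }
            establish-tunnels immediately;   # keep the SA up so failover does not wait on IKE
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    /* IKE is the only service the Internet may reach on this interface. */
                    host-inbound-traffic { system-services { ike; } }
                }
            }
        }
        security-zone trust {
            address-book { address branch-voice 10.20.10.0/24; }   # branch VoIP subnet (assumed)
            interfaces { ge-0/0/1.0; }
        }
        security-zone vpn {
            address-book { address hq-voice 10.0.10.0/24; }        # HQ VoIP subnet (assumed)
            interfaces { st0.0; }
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy voice-out {
                match { source-address branch-voice; destination-address hq-voice; application any; }
                then { permit; }
            }
        }
        from-zone vpn to-zone trust {
            policy voice-in {
                match { source-address hq-voice; destination-address branch-voice; application any; }
                then { permit; }
            }
        }
    }
}
interfaces {
    st0 {
        unit 0 { family inet { address 10.255.1.1/30; } }
    }
}
routing-options {
    static {
        /* Floating static route: preference 250 loses to the primary WAN route for the
           same prefix (static, 5, or EBGP, 170) and is used only after that route is
           withdrawn. Only the voice subnet is steered over the Internet backup. */
        route 10.0.10.0/24 {
            next-hop 10.255.1.2;
            preference 250;
        }
    }
}
```

Route preference only decides between routes for the same prefix: the primary WAN path must therefore carry 10.0.10.0/24 itself (by static route or by EBGP), because if it only carried a less specific aggregate the floating /24 would be more specific and would win at all times, sending voice over the Internet even while the WAN is healthy. Keeping the tunnel established in advance costs a little keepalive traffic but removes IKE negotiation from the failover time, which is what lets VoIP survive the switch.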
Conclusion
Enterprises have been responding to new business demands and increased competitive pressures by adopting new
applications that transport mission critical data, and adding distributed branch offices and data centers. These changes
have increased the complexity of maintaining and upgrading the network infrastructure, and they have made the network
increasingly inflexible to meet growing business needs. Organizations can employ Juniper’s WAN design principles to address
these challenges:
• Simplify—the network infrastructure by reducing the number of devices, links, and operating systems
• Share—the network infrastructure through virtualization to improve performance and asset utilization
These design principles can effectively help organizations improve the end user experience, increase the velocity of application
deployment, improve security and privacy, while at the same time delivering cost savings and operational efficiencies.
Copyright 2011 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos,
NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. All other trademarks, service marks, registered marks, or registered service marks are the property of
their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.