Table of Contents
Executive Summary.................................................................................................4
Introduction.............................................................................................................4
Branch LAN Categories..........................................................................................4
Services Needed in the Branch..............................................................................5
Branch LAN Design Considerations..........................................................................6
Enterprise Computing Trends................................................................................6
Considerations for Different Branch Configurations...............................................7
Branch Architecture Overview.................................................................................8
Layered Approach..................................................................................................8
Benefits...........................................................................................................9
Challenges.......................................................................................................9
A Network Revolution......................................................................................9
Access Layer............................................................................................................9
Services...............................................................................................................10
Design Considerations.........................................................................................10
VLAN and Spanning Tree Protocol (STP).............................................................. 11
Using Layer 2 Versus Layer 3 at the Access Layer.................................................12
Implementing Unified Communications ...............................................................13
Considerations....................................................................................................13
Access Layer Security with IEEE 802.1X and Unified Access Control......................16
IEEE 802.1X........................................................................................................16
UAC.....................................................................................................................16
Access Layer Hardware Configurations...................................................................17
Scalable Configuration with Virtual Chassis Technology.......................................17
Aggregation Layer..................................................................................................19
Services and Considerations................................................................................19
Branch Office Recommendations........................................................................19
WAN Edge Integration............................................................................................22
WAN Edge Considerations...................................................................................22
HA.................................................................................................................22
Voice Gateway...............................................................................................22
WAN Acceleration..........................................................................................22
Firewall/VPN..................................................................................................22
WAN Edge Recommendations.............................................................................23
J-series Services Routers ...............................................................................23
Operational Simplicity and Unified Management ..................................................24
Achieving Operational Simplicity with JUNOS Software.......................................25
The Power of JUNOS Software.......................................................................25
Modular Processes.........................................................................................25
Rollback Capability........................................................................................26
Advanced Features........................................................................................26
Benefits.........................................................................................................26
Impact...........................................................................................................26
Unified Management with Juniper Networks NetScreen-Security Manager .........27
Benefits.........................................................................................................27
List of Tables
Table 1: Branch LAN Categories...............................................................................4
Table 2: Highly Available Branch LAN Design Considerations...................................8
Table 3: JUNOS Operating Efficiencies (Lake Partners 2007)..................................26
Table 4: Recommended Branch LAN Configurations..............................................28
List of Figures
Figure 1: Highly Available Branch Office LAN Configurations...................................7
Figure 2: The Layered Approach..............................................................................8
Figure 3: Access Layer at a Highly Available Medium Branch Office LAN..................9
Figure 4: Layer 2 versus Layer 3 at Access Layer....................................................12
Figure 5: IP Phone Connectivity Options................................................................15
Figure 6: Virtual Chassis Technology......................................................................17
Figure 7: Reducing CAPEX and OPEX with Virtual Chassis Technology..................18
Figure 8: Aggregation Layer in a Highly Available Large Branch Office LAN............20
Figure 9: WAN Edge in a Highly Available Large Branch Office LAN.......................22
Figure 10: J-series Services Router in a Highly Available Large Branch Office LAN..............23
Figure 11: JUNOS – The Three Ones: One Source Code, One Train, and One Modular Architecture.....25
Executive Summary
Now more than ever, the corporate network is a strategic tool that businesses rely on to support
day-to-day operations and succeed in the marketplace. The corporate LAN design is also
changing to accommodate an increasingly decentralized workforce as an estimated 89 percent
of employees work outside of headquarters (Nemertes Research 2006) in remote branch offices.
Business productivity increasingly depends upon the critical operations carried out at distributed
branch offices, as enterprises are centralizing applications to simplify operations and reduce
costs. These changes create new infrastructure challenges as branch office users require the same
fast, secure and reliable access to applications and network resources as those at headquarters.
Existing branch office infrastructure solutions cannot meet the requirements needed to provide
secure and high-performance access for branch office users, nor do they provide the centralized
management capabilities critical for reducing costs and streamlining operations.
A new branch office LAN design that meets branch office security, connectivity and performance
challenges while enabling key IT initiatives is needed. It also must scale and flexibly
accommodate new computing trends without an entire redesign. This document introduces
the issues related to changing branch office needs and also presents design considerations and
recommendations for branch LANs of all sizes. In addition, it shows how infrastructure solutions
from Juniper Networks advance the economics of networking, allowing businesses to “change
the rules” with their IT investments, and create a truly innovative and competitive environment
that helps them increase revenue and raise productivity today and into the future.
Introduction
Remote branch facilities typically contain a relatively small amount of computing resources
compared to central facilities or data centers, yet branch office employees have the same resource
needs as their colleagues in company headquarters. As most business processes are carried
out online, any branch LAN downtime or inefficiency has a negative impact on the corporate
bottom line. Secure, high-performance, highly available LAN services are crucial to ensure that
each branch facility is always online so that business productivity and customer satisfaction are
maximized.
[Figure 1: Highly Available Branch Office LAN Configurations. Panels: Highly Available Large Branch Office (Floor 1 to Floor N of Virtual Chassis switches with PoE, access points, security cameras, local servers and J-series routers to Internet/WAN) and Highly Available Medium Branch Office (EX 4200 series Virtual Chassis, J6350 routers, Internet/WAN, data center or HQ).]
[Figure 2: The Layered Approach. Device connectivity: Access Layer 10/100/1000BASE-T; Aggregation Layer GbE fiber; WAN (multiple SPs); Data Center with Core Layer 10GbE fiber, Aggregation Layer 10GbE fiber and Access Layer 10/100/1000BASE-T.]
Providing vital LAN services, these layers exist at various locations throughout the network,
including branch offices, campus buildings and the data center. This document focuses primarily
on the layers deployed in the branch office. Areas outside of that scope are presented when
relevant to the discussion. For example, smaller branch offices may not need the layered approach.
The access layer provides network connectivity to end users in a branch office. The aggregation
layer aggregates connections and traffic flows from multiple access-layer switches to core-
layer switches. And the LAN core layer provides secure connectivity between aggregation-layer
switches and the routers connecting to the WAN and the Internet to enable business-to-business
collaboration.
Benefits
A multilayered architecture facilitates network configuration by providing a modular design that
can rapidly and economically scale. It also creates a flexible network on which new services can
be easily added without redesign. The layered approach also delivers separated traffic, balances
load across devices and simplifies troubleshooting.
Challenges
This three-layered approach traditionally requires additional hardware and is therefore costly
to configure, deploy and administer for all but large branch offices. To account for that, most
micro branch offices collapse all layers and services into the WAN edge layer, and most small and
medium branch offices collapse the aggregation- and access-layer services into the access layer.
Trying to address emerging bandwidth, throughput and port density requirements, networks
in the past have grown bloated with extra layers of ill-suited legacy hardware that not only fails
to meet these needs, but also adds considerable management complexity, reduces network
availability, and drives up capital and operational expenses.
A Network Revolution
As a recent entrant into the evolving switching market, Juniper Networks has factored lessons
learned and experiences into the development of a new portfolio of Ethernet switch products
and network solution designs that address contemporary issues and accommodate future
growth. These new products are designed to eliminate unnecessary network layers while
providing a platform for delivering higher availability, converged communications, integrated
security and higher operational efficiency. With these solutions, Juniper Networks simultaneously
advances the fundamentals and economics of networking by delivering greater value, increasing
simplicity and lowering the total cost of network ownership.
Access Layer
In a branch office, the access layer provides network connectivity to end users by connecting
devices such as PCs, printers, IP phones and CCTV cameras to the corporate LAN via wired or
Wireless LAN (WLAN) access points. Access-layer switches typically reside in wiring closets.
[Figure 3: Access Layer at a Highly Available Medium Branch Office LAN. EX 4200 series Virtual Chassis with PoE ports serving access points, security cameras and local servers; J-series router to Internet/WAN.]
Services
The access layer provides connectivity, Power over Ethernet (PoE), QoS, and security with
authentication services and network access control.
Design Considerations
1. Connectivity: Wired Ports and WLAN Access
Accounting for an adequate number of wired ports for all computers, IP phones, CCTV
cameras and other IP devices is the first step to addressing port requirements. It’s also
important to determine the breadth of WLAN access needed for partners, customers
and employees. The logical segmentation required and the number of logically separate
networks that should share the same LAN must also be determined. These considerations
help establish what type of hardware configuration is needed.
Juniper offers a series of reliable, secure, expandable and scalable hardware
configurations to address any wired port needs. Many commercial solutions are available
for offices that need to provide secure WLAN services. For branches with wireless access
requirements, WLAN solutions from Juniper partners Aruba Networks, Trapeze Networks
and Meru Networks are recommended.
2. PoE
Most highly available branch offices have IP phones, many of which require PoE to
function. Other branch facilities may have PoE security cameras and WLAN devices.
Accounting for the correct number of PoE ports is vital as the system configuration
depends on it. Some access equipment doesn’t provide PoE services, so it’s important to
make sure to use traditional wall-powered IP phones, CCTV cameras and WLAN access
points in those installations.
3. HA in the Branch Network
It’s crucial that branch office networks operate with the same reliability and uptime
as the headquarter network. Depending on the branch network’s needs and available
budget, varying levels of HA may be implemented.
a. Device-Level HA
Most device failures are due to power supply failures or mechanical cooling problems.
It is important to always support business processes with high quality, carrier-class
network devices such as the Juniper Networks J-series or EX-series platforms. Purchasing
equipment with dual power supplies and redundant fans or blowers to minimize
equipment failure is always recommended, and raises the mean time to repair (MTTR).
Additional device-level HA can be provided by doubling up on key devices to assure that
there is a backup device to pick up in the event of a failed device. Not all budgets or
configurations support a full set of backup devices. In that event, purchasing extra key
device components, such as a backup set of field-serviceable or hot-swappable power
supplies or fans, helps mitigate the impact of a device failure.
b. Link-Level HA
Link-level HA ensures that business processes maintain vital data flow through internal and
external resources. At the branch office, Link-level HA requires
that two links operate in an active/backup configuration, such that if one link fails,
the other can take over or reinstate the forwarding of traffic that had been previously
forwarded over the failed link. Based on the budget and HA requirements, a backup
public switched telephone network (PSTN), ISDN or broadband link is provided. In more
complex networks, Link-level HA may also be provided between network switches.
c. Network Software HA
JUNOS™ software is the consistent operating system that powers all of Juniper Networks
switch, router and firewall solutions. It provides carrier-class network software to highly
available branch offices of all sizes. JUNOS software supports features like nonstop
forwarding (NSF), graceful restart, in-service software upgrade (ISSU), Bidirectional
Forwarding Detection (BFD) and other features which together make IP networking as
failure-safe and reliable as telephony networks. The JUNOS software’s modularity and
uniform implementation of all features enables the smallest branch office to benefit
from the same hardened services in their devices running JUNOS software as the largest
service providers.
VLAN and Spanning Tree Protocol (STP)
Branch office LANs use VLANs to logically group any set of users, devices or data, regardless of
location, into logical networks through software configuration instead of physically relocating
devices on the LAN. VLANs help address issues such as scalability, security and network
management.
VLANs are in essence Layer 2 broadcast domains that exist only within a defined set of switches.
Using the IEEE 802.1Q standard as an encapsulation protocol, packets are marked with a unique
VLAN tag. Tagged packets are then forwarded and flooded only to stations in the same VLAN.
Tagged packets must be forwarded through a routing device to reach any station not belonging to
the same VLAN. Any switch or switch port can be dynamically or statically grouped into a VLAN.
Alternately, traffic may be grouped into a VLAN and forwarded through specific ports based on
the specific data protocol being sent over the LAN. For example, VoIP traffic from a soft phone
can be segmented from other traffic and put into a VLAN that gets a higher quality of service.
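The tagging and VLAN-scoped flooding described above, modelled as an added example (not Juniper or EX-series code): a learning switch with constructed access ports in a data VLAN (10) and a voice VLAN (20) and an 802.1Q trunk toward the WAN-edge router, where frames are tagged only on the trunk and never reach a station in another VLAN without a router. Port numbers, MAC addresses and VLAN ids are constructed.

```python
"""802.1Q tag handling and per-VLAN forwarding on a learning switch (added example)."""
import struct

TPID_8021Q = 0x8100            # EtherType that announces an 802.1Q tag
BROADCAST = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet frame; insert an 802.1Q tag after the MACs when vlan_id is given."""
    hdr = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)      # TCI = PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan (None when untagged), pcp, ethertype and payload of a frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, pcp, body = None, 0, frame[14:]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pcp, body = tci & 0x0FFF, tci >> 13, frame[18:]
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": body}


class VlanSwitch:
    """Learning switch with one MAC table and one flood domain per VLAN."""

    def __init__(self, ports):
        # ports: number -> ("access", vid) for untagged edge ports,
        #                  ("trunk", {vids}) for tagged uplinks
        self.ports = ports
        self.mac_table = {}                         # (vlan, mac) -> port

    def _carries(self, port, vlan):
        mode, cfg = self.ports[port]
        return cfg == vlan if mode == "access" else vlan in cfg

    def ingress(self, in_port, frame):
        """Switch one frame; return [(out_port, frame as sent on that port), ...]."""
        f = parse_frame(frame)
        mode, cfg = self.ports[in_port]
        if mode == "access":
            if f["vlan"] is not None:
                return []       # a tag arriving on an access port is not honoured: drop it
            vlan = cfg
        else:
            if f["vlan"] is None or f["vlan"] not in cfg:
                return []       # trunks accept only tagged frames in their allowed VLANs
            vlan = f["vlan"]
        self.mac_table[(vlan, f["src"])] = in_port
        learned = self.mac_table.get((vlan, f["dst"]))
        if learned is not None and learned != in_port:
            outs = [learned]
        else:   # unknown unicast or broadcast: flood, but only to ports carrying this VLAN
            outs = [p for p in sorted(self.ports) if p != in_port and self._carries(p, vlan)]
        sent = []
        for p in outs:
            tagged = self.ports[p][0] == "trunk"    # re-tag on trunks, strip on access ports
            sent.append((p, build_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                                        vlan_id=vlan if tagged else None,
                                        pcp=f["pcp"] if tagged else 0)))
        return sent


def demo():
    """Constructed branch scenario: data VLAN 10, voice VLAN 20, trunk (port 5) to the router."""
    sw = VlanSwitch({1: ("access", 10), 2: ("access", 10),
                     3: ("access", 20), 4: ("access", 20),
                     5: ("trunk", {10, 20})})
    pc_a = b"\x00\x10\x00\x00\x00\x0a"
    pc_b = b"\x00\x10\x00\x00\x00\x0b"
    phone = b"\x00\x20\x00\x00\x00\x01"
    flood = sw.ingress(1, build_frame(BROADCAST, pc_a, 0x0806, b"who-has"))     # -> 2, 5 (tagged)
    reply = sw.ingress(2, build_frame(pc_a, pc_b, 0x0806, b"is-at"))            # learned -> 1 only
    cross = sw.ingress(3, build_frame(pc_a, phone, 0x0800, b"v->d"))            # stays in VLAN 20
    hop = sw.ingress(1, build_frame(BROADCAST, pc_a, 0x0806, b"x", vlan_id=20))  # dropped
    return flood, reply, cross, hop
```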
1. STP
VLANs may create multiple active paths between network nodes, resulting in problematic
bridge loops. Since the same MAC addresses are seen on multiple ports, the switch
forwarding table can fail. Also, broadcast packets may end up being forwarded in an
endless loop between switches, consuming all available bandwidth and CPU resources.
STP, the IEEE 802.1D standard, ensures a loop free topology for any bridged LAN. STP is
designed to leave a single active path between any two network nodes by first creating
a tree within a mesh network of connected LAN switches and then disabling the links
which are not part of that tree. STP thus allows a network design to include redundant
links to provide automatic backup paths if an active link fails, without the danger of
bridge loops, or the need for manual enabling/disabling of these backup links. Each VLAN
can run a separate instance of Spanning Tree Protocol.
2. Issues with STP
Troubleshooting may be challenging with STP due to complicated routing, incorrect
configuration, or mis-cabling. Since every packet must go through the root bridge of the
spanning tree, routing performance with STP can also be non-optimal. STP often creates
underutilized links and lacks a load balancing mechanism as well. In addition, STP has
a slow convergence of up to 30 to 40 seconds after a topology change. To combat this,
Rapid Spanning Tree Protocol (RSTP) was created, providing sub-second convergence, but
only on point-to-point links. Multiple Spanning Tree Protocol (MSTP), the 802.1s standard,
supports multiple instances of STP, but it also increases configuration complexity.
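The root election, root-port selection and link blocking described above, carried through as an added example over a constructed four-switch mesh (an illustrative 802.1D model, not JUNOS code; bridge IDs, port numbers and path costs are constructed). Recomputing without the first link also shows how the tree reconverges after a link failure.

```python
"""Spanning-tree port roles for a constructed branch mesh (added example, 802.1D style)."""
import heapq

# Bridge ID = (priority, MAC); the lowest ID becomes the root. Constructed values.
BRIDGES = {
    "agg1": (4096, "00:19:e2:00:00:01"),    # lowered priority: intended root
    "agg2": (8192, "00:19:e2:00:00:02"),
    "acc1": (32768, "00:19:e2:00:00:11"),
    "acc2": (32768, "00:19:e2:00:00:12"),
}
# (bridge, port, bridge, port, path cost); 802.1D-1998 defaults: GbE = 4, 100 Mbps = 19
LINKS = [
    ("agg1", 1, "agg2", 1, 4),
    ("agg1", 2, "acc1", 1, 4),
    ("agg2", 2, "acc1", 2, 4),
    ("agg1", 3, "acc2", 1, 19),
    ("agg2", 3, "acc2", 2, 4),
    ("acc1", 3, "acc2", 3, 19),
]


def compute_stp(bridges, links):
    """Return (root, root path cost per bridge, role per (bridge, port)).

    Roles are "root", "designated" or "blocked"; the comparison order is the 802.1D one:
    root path cost, then sender bridge ID, then sender port, then receiving port.
    """
    root = min(bridges, key=bridges.get)
    adj = {b: [] for b in bridges}
    for a, pa, b, pb, cost in links:
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))
    settled = {}                                   # bridge -> (root path cost, root port)
    heap = [((0, bridges[root], 0, 0), root)]
    while heap:
        (cost, _sender, _sport, rport), b = heapq.heappop(heap)
        if b in settled:
            continue
        settled[b] = (cost, None if b == root else rport)
        for port, nbr, nport, lcost in adj[b]:     # "send a BPDU" out of every port
            if nbr not in settled:
                heapq.heappush(heap, ((cost + lcost, bridges[b], port, nport), nbr))
    roles = {}
    for a, pa, b, pb, _ in links:
        if settled[a][1] == pa:                     # a's best path to the root is this link
            roles[(a, pa)], roles[(b, pb)] = "root", "designated"
        elif settled[b][1] == pb:
            roles[(b, pb)], roles[(a, pa)] = "root", "designated"
        else:                                       # redundant segment: lower key forwards
            key_a = (settled[a][0], bridges[a], pa)
            key_b = (settled[b][0], bridges[b], pb)
            if key_a < key_b:
                roles[(a, pa)], roles[(b, pb)] = "designated", "blocked"
            else:
                roles[(b, pb)], roles[(a, pa)] = "designated", "blocked"
    return root, {b: c for b, (c, _) in settled.items()}, roles


def active_links(links, roles):
    """Links that forward at both ends, i.e. what is left after STP blocks the rest."""
    return [l for l in links
            if "blocked" not in (roles[(l[0], l[1])], roles[(l[2], l[3])])]


def is_spanning_tree(bridges, links):
    """True when the links connect every bridge without any loop (union-find check)."""
    parent = {b: b for b in bridges}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, _, b, _, _ in links:
        ra, rb = find(a), find(b)
        if ra == rb:
            return False                            # a cycle survived: bridge loop
        parent[ra] = rb
    return len({find(b) for b in bridges}) == 1


if __name__ == "__main__":
    root, cost, roles = compute_stp(BRIDGES, LINKS)
    print("root:", root, "root path costs:", cost)
    for (b, p), r in sorted(roles.items()):
        print(f"{b} port {p}: {r}")
    print("loop-free and connected:", is_spanning_tree(BRIDGES, active_links(LINKS, roles)))
```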
[Figure 4: Layer 2 versus Layer 3 at Access Layer. WAN edge at Layer 3; access switches shown as L2 switches or L2/L3 switches.]
1. How Operating Systems Create Network Efficiency, Lake Partners Strategy Consultants, Inc., 2007
Considerations
Unified communications have real-time requirements that are not necessary for most data
applications. VoIP packets, for example, must be efficiently transported throughout the LAN
and WAN to ensure high quality voice communications, even when the network is experiencing
high utilization or congestion. Simply adding more LAN or WAN bandwidth doesn’t make the
network voice-friendly. Latency, jitter and packet loss are common VoIP challenges that must be
accounted for with QoS queuing and scheduling to ensure high quality VoIP communications. In
addition to access-based security measures, addressing port density and PoE requirements for IP
phones are fundamental to a successful design.
1. QoS
a. Classification and Enforcement
Each type of data flow on the LAN has different QoS requirements. Traditional
applications such as Web browsing and email work fine with the best-effort delivery
standard on IP networks. However, additional requirements must be met to ensure
effective delivery of voice, video conferencing and other real-time applications. Unlike
streaming video, for example, real-time voice data can’t be cached nor have lost packets
retransmitted since both would add an unacceptable delay, ruin the quality of the
communication and result in a poor user experience. Voice packets, therefore, must be
given top priority when creating QoS policies.
IP phones and other communication devices are likely to be spread throughout the LAN
in many different physical locations. VLANs, as discussed earlier, can be used to identify
and segment voice, video conferencing and data traffic, regardless of location, into logical
VLANs so that the appropriate QoS parameters can be easily applied to maintain optimal
service for each data flow.
To facilitate QoS, data can be classified by a combination of physical port, device and
protocol. For example, a block of IP phones connected to a specific LAN segment could
be placed in a VLAN designated for voice traffic based on their port numbers. Or Link
Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) could be used to discover an IP
phone and automatically place it on a VLAN using 802.1X. Or traffic from a soft phone
can be analyzed at the protocol level, with voice data given top priority regardless of the
source port. Once the data is classified with the appropriate Differentiated Services Code
Point (DSCP), it needs to be queued and scheduled. Most importantly, the same QoS
rules need to be enforced consistently throughout the LAN and WAN.
b. Built-In Quality of Service
QoS or Class of Service (CoS) features are built into all Juniper infrastructure, security
and application acceleration solutions. JUNOS software comes standard with a full
complement of QoS services; the EX-series supports eight queues per port and offers
a range of policing options from best effort delivery to enhanced delivery to assured
delivery. Since the same JUNOS software is found across all Juniper router and switch
solutions, the same QoS policies can be used throughout the LAN and WAN design for
easy and consistent traffic management. In addition, application-specific integrated
circuits (ASICs) in all Juniper solutions support QoS by processing prioritized data and
minimizing CPU load.
Note: For more on VoIP QoS, read Juniper pub# 351113-001 August 2005 - VoIP on the WAN: It’s
a Matter of Priorities.
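The classification options and the queue-and-schedule step described above, as an added example (an illustrative model, not EX-series or JUNOS CoS configuration): packets are marked by trusted DSCP, voice VLAN or LLDP-MED-discovered phone, or protocol, mapped onto eight queues, and drained with strict priority for voice. The port policy, DSCP-to-queue map, weights, port range and the burst of packets are all constructed; the choice to honour DSCP only from the trunk and re-mark everything a PC marks itself is an assumption about a sensible trust boundary, not something the text prescribes.

```python
"""Classify LAN traffic to DSCP and drain eight per-port queues (added example)."""
from collections import deque

# Standard DSCP code points: EF (RFC 3246) for voice, AF41 (RFC 2597) for video,
# CS3 for call signalling, 0 for best effort.
DSCP_EF, DSCP_AF41, DSCP_CS3, DSCP_BE = 46, 34, 24, 0
VOICE_VLAN = 20                                  # constructed voice VLAN id
RTP_PORTS = range(16384, 32768)                  # constructed RTP range used by the phones
# Forwarding-class map onto the eight queues: 7 is strict priority, the rest are weighted.
DSCP_TO_QUEUE = {DSCP_EF: 7, DSCP_AF41: 5, DSCP_CS3: 3, DSCP_BE: 0}
QUEUE_WEIGHTS = {5: 3, 3: 2, 0: 1}               # packets per round for the weighted queues

# Constructed port policy: only the trunk from the upstream router keeps its DSCP marking.
PORTS = {
    1: {"trust_dscp": False, "lldp_med_phone": False},    # PC on the data VLAN
    2: {"trust_dscp": False, "lldp_med_phone": False},    # PC on the data VLAN
    3: {"trust_dscp": False, "lldp_med_phone": True},     # IP phone discovered via LLDP-MED
    5: {"trust_dscp": True, "lldp_med_phone": False},     # trunk to the WAN-edge router
}


def classify(pkt, ports=PORTS):
    """Pick a DSCP by trusted marking, then voice VLAN / LLDP-MED phone, then protocol."""
    cfg = ports[pkt["in_port"]]
    is_rtp = pkt["proto"] == "udp" and pkt["dport"] in RTP_PORTS
    if cfg["trust_dscp"] and pkt["dscp"] in DSCP_TO_QUEUE:
        return pkt["dscp"]                       # marking set by a trusted upstream device
    if pkt["vlan"] == VOICE_VLAN or cfg["lldp_med_phone"]:
        return DSCP_EF if is_rtp else DSCP_CS3   # phone media vs. phone signalling
    if is_rtp:
        return DSCP_EF                           # soft phone on a data port: protocol match
    return DSCP_BE                               # everything else, including a PC that marked EF


def schedule(packets, ports=PORTS):
    """Classify a burst, enqueue by DSCP and drain: strict priority on queue 7, WRR below."""
    queues = {q: deque() for q in range(8)}
    for p in packets:
        dscp = classify(p, ports)
        queues[DSCP_TO_QUEUE[dscp]].append((p["name"], dscp))
    order = []
    while any(queues.values()):
        if queues[7]:                            # voice always leaves first
            order.append(queues[7].popleft())
            continue
        for q, weight in sorted(QUEUE_WEIGHTS.items(), reverse=True):
            for _ in range(weight):              # one weighted round over the other queues
                if queues[q]:
                    order.append(queues[q].popleft())
    return order


# Constructed burst arriving in this order at a congested uplink.
PACKETS = [
    {"name": "phone-rtp", "in_port": 3, "vlan": 20, "dscp": 46, "proto": "udp", "dport": 20000},
    {"name": "phone-sip", "in_port": 3, "vlan": 20, "dscp": 24, "proto": "udp", "dport": 5060},
    {"name": "pc-marked-ef", "in_port": 1, "vlan": 10, "dscp": 46, "proto": "tcp", "dport": 445},
    {"name": "softphone-rtp", "in_port": 1, "vlan": 10, "dscp": 0, "proto": "udp", "dport": 16500},
    {"name": "pc-web", "in_port": 1, "vlan": 10, "dscp": 0, "proto": "tcp", "dport": 443},
    {"name": "video-from-hq", "in_port": 5, "vlan": 10, "dscp": 34, "proto": "udp", "dport": 40000},
    {"name": "pc-backup", "in_port": 2, "vlan": 10, "dscp": 0, "proto": "tcp", "dport": 22},
]

if __name__ == "__main__":
    for name, dscp in schedule(PACKETS):
        print(f"{name:15s} dscp={dscp:2d} queue={DSCP_TO_QUEUE[dscp]}")
```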
2. Security
Implementing unified communications on the data network increases security concerns
that can have serious service impacts. Malicious attacks from outside the network and
inadvertent attacks from within the network must be prevented. New ways of toll fraud
and new security risks like eavesdropping are being discovered at an ever-increasing
rate. Additional points of entry are created; a hacked VoIP system now provides a back
door to the corporate LAN. Security risks range from viruses, worms and DoS attacks to
unauthorized access. Deployment of VoIP solutions, similar to other network appliances,
must account for the security of the device itself, as well as how it can be used to
attack the network as a whole. Juniper Networks Intrusion Detection and Prevention
(IDP) solutions are recommended to thwart VoIP-related attacks in addition to typical
intrusions. An 802.1X solution should be used to authenticate and manage endpoints via
policy-based access. Using the protocol-specific Application Level Gateway (ALG) features
on all firewalls is recommended to dynamically open and close ports for each VoIP call.
3. Port Requirements
Implementing unified communications has a direct impact on port density and PoE
requirements.
a. Port Density
An adequate number of ports must be available to provide LAN connectivity for each
IP phone or other communication device. Juniper EX-series switches support two main
options to connect IP phones to the LAN, each presenting different port requirements.
[Figure 5: IP Phone Connectivity Options. Virtual Chassis ports carrying a Data VLAN and a Voice VLAN, shown as alternative connection options.]
The issue with this option is in not having enough physical ports available, which is
easily addressed with the scalable Juniper EX-series switches presented in the Access
Layer Hardware Configurations section. Depending on the number of phones required,
however, it may be more costly than the first option.
b. PoE
Many IP phones and CCTV devices have neither internal nor external power supplies and
instead obtain their system power from a PoE connection. All devices needing PoE must
be accounted for when compiling port requirements. It’s also important to know the class
of each IP phone and the power draw of each device.
The access layer devices traditionally used by highly available micro branch offices don’t
offer PoE services. Wall-powered IP phones and cameras need to be used when planning
for unified communications in that type of branch LAN.
For branches with IP telephony and unified communications requirements, solutions
from Juniper partners Avaya and Microsoft are recommended.
Access Layer Security with IEEE 802.1X and Unified Access Control
Increasing security threats and risks force branch office LANs to remain secure and controlled
on all fronts, yet also provide open and pervasive access to maintain and increase productivity.
802.1X and Juniper Networks Unified Access Control (UAC) are used to effectively handle
unmanaged devices and guest users attempting network access, as well as to support
unmanageable devices, post admission control, and application access control, visibility and
monitoring.
IEEE 802.1X
The 802.1X standard provides a strong framework for authentication, access control and data
privacy for port-based network access control. An 802.1X access control solution completes
the authentication of network credentials even before a network IP address is assigned, thus
preventing unauthorized access and ensuring that viruses and other threats are halted before
they can spread into an organization. After login, Dynamic Port-Based Role Configuration is used
to then restrict use of specific resources.
UAC
Juniper Networks UAC solution combines identity-based policy and endpoint intelligence to give
enterprises real-time visibility and policy control throughout the network. The UAC solution may
make use of all or some of the following components: an Infranet Controller, which serves as
a centralized policy manager; a UAC Agent, which is dynamically downloadable or agentless
endpoint software, and several different forms of enforcement points that include both firewalls
and vendor-agnostic 802.1X-compliant switches and/or WLAN access points. UAC provides a
cost-effective solution to the problem of unmanaged or ill-managed endpoint security throughout
the LAN. In essence UAC enables the creation of a powerful network perimeter defense via
robust admission controls that ensure that endpoints comply with required OS updates, security
patches, personal firewall requirements, virus signatures, and so on, before being allowed access
to the LAN.
[Figure 6: Virtual Chassis Technology. EX 4200 series switches interconnected as a single Virtual Chassis.]
2. Pay-As-You-Grow Scalability
The Juniper Networks Virtual Chassis technology enables a branch to add as many EX
4200 series switches as needed to meet its connectivity needs. Juniper’s unique pay-
as-you-grow model allows a branch to start with a single EX 4200 series switch (1 RU)
and incrementally add up to nine more switches to the virtual chassis at any time for
a total of 10 switches before starting another virtual chassis. Resiliently interconnected
via a 128 Gbps virtual backplane or 10 GbE uplink module, a fully-loaded Virtual Chassis
configuration supports up to 240 100BASE-FX/1000BASE-X ports, 480 10/100/1000BASE-T
ports, or any combination of the two, plus up to twenty 10 GbE uplink ports. Not only
does Virtual Chassis technology lower capital expenses when compared to traditional
chassis systems, but it dramatically reduces operating expenses by enabling any group of
interconnected switches to appear on the network and be remotely managed as a single
unit. Coupled with the incremental, pay-as-you-grow model, the compact form factor
of the virtual chassis enables the branch to save not only on upfront and recurring rack
space usage but also on costly power and cooling fees.
Small branch offices on a budget may consider the Juniper Networks EX 3200 series
switch, which provides most of the same robust features as the EX 4200 series with the
exception of Virtual Chassis technology.
3. Carrier-Class Reliability
The EX 4200 series switches with Virtual Chassis technology also provide the same
HA features as modular chassis-based systems. Each switch supports redundant, load-
sharing, hot-swappable AC or DC power supplies, as well as a field-replaceable hot-
swappable fan tray with redundant blowers, any of which can fail without affecting
operations.
Virtual Chassis technology provides unparalleled device and link HA utilizing the virtual
backplane protocol and JUNOS software. Each set of interconnected switches with
Virtual Chassis technology automatically takes full advantage of the multiple route
engines present to deliver Graceful Route Engine Switchover (GRES) and non-stop
forwarding to ensure uninterrupted operation in the rare event of any individual switch
failure. For added device and link HA, a virtual chassis can be configured to address any
requirements. For example, a single virtual-chassis configuration of 10 switches could
be configured instead as two five-switch virtual-chassis configurations, or in any other
desired combination.
4. Location Independence
Another key feature of Virtual Chassis technology is that the virtual backplane protocol
can also be extended across the 10 GbE uplink ports to interconnect switches that are
more than a few meters apart, creating a single virtual switch that spans multiple wiring
closets, floors or even data center server racks. Even when separated by long distances,
interconnected switches with Virtual Chassis technology can be managed, monitored,
upgraded and otherwise treated as a single resilient switch, dramatically reducing
recurring management and maintenance costs.
[Figure 7: Reducing CAPEX and OPEX with Virtual Chassis Technology. Left: West and East closets on Floor 1 to Floor N, each with its own L2/L3 switches. Right: the same floors served by Virtual Chassis switches and access points, with 50% fewer wiring closets to manage.]
Aggregation Layer
The aggregation layer, sometimes referred to as the distribution layer, aggregates connections
and traffic flows from multiple access layer switches to provide connectivity to LAN core or WAN
edge layer switches.
The EX 4200 series switches also run the JUNOS software, providing full network
software HA features and further simplifying network operations. These solutions also
connect to a J-series services router at the WAN edge, which also provides DHCP.
3. Highly Available Large Branch Office
Due to the performance requirements of a highly available large branch office, HA
features and scalability are increased with a LAN design including an aggregation layer.
[Figure: Highly Available Large Branch Office LAN, Floor 1 through Floor N. EX 4200 series switches (PoE and non-PoE) at the access layer serve access points and security cameras; EX 4200 series Virtual Chassis switches form the aggregation layer, connecting to J-series Services Routers at the WAN edge for WAN and Internet connectivity.]
In addition to the EX 4200 series switches with Virtual Chassis technology deployed at
the access layer, two more virtual chassis are added as aggregation layer devices between
the access layer switches and the two J-series Services Routers at the WAN edge.
a. HA
Virtual Chassis technology enables fail-safe operations, as each unit is capable of passing
data from one to another in the event of a failure. Redundant links to each WAN edge
device are also provided in the event of a device or link failure. In addition to the device
HA features standard in the EX 4200 series switches, all equipment runs JUNOS software,
providing software HA features such as QoS and GRES, preserving forwarding and routing
operations during device events with non-stop forwarding and automatic load balancing.
b. Scalable Performance
Each EX 4200 series switch with Virtual Chassis technology provides pay-as-you-grow
scalability, with PoE options ranging from none (fiber-only models) through partial (8 of 24
or 8 of 48 ports) to full PoE capability. Virtual Chassis technology enables seamless scaling
by allowing up to 10 EX 4200 series switches to be interconnected via a 128 Gbps backplane
or via optional 10 GbE uplink modules, and it simplifies administration because these
devices can be managed as one unit. In addition, multiple 10 GbE uplinks from any of the
switches that are members of the same virtual-chassis configuration, regardless of physical
location, can be link-aggregated for higher bandwidth connections to other aggregation
or core switches. Up to 10 EX 4200 series switches can be connected via Fiber Channel
into a Link Aggregation Group (LAG) to provide load balancing for increased upstream
performance and further Link-level HA.
If more ports or throughput is required, another virtual chassis of up to 10 EX 4200 series
switches can be created. If extra device and link redundancy is required, as many virtual
chassis as desired can be deployed.
To meet the aggregation demands of even the largest branch office, the top-of-the-line EX
8200 Terabit-chassis switch delivers a powerful, high-density, high-performance solution.
Capable of up to 3.2 Tbps throughput, the EX 8200 series Ethernet switches offer up to 64
(eight-slot chassis) or 128 (16-slot chassis) wire-speed 10 GbE ports.
c. CAPEX and OPEX Savings
Typically, more than two layers of legacy Layer 3 switches are required to achieve the
wire-speed port densities demanded by today’s high-performance large branch office. The
Juniper Networks EX 4200 series switches, however, meet these needs and also enable
the collapse of the LAN core and aggregation layers, creating a direct positive impact
on the economics of networking. Virtual Chassis technology also simplifies network
operations and lowers operating expense on all fronts, from JUNOS software upgrades
and moves, adds and changes to troubleshooting and problem resolution.
Previously, only expensive chassis-based switches could provide the combination of
high 1000BASE-X fiber port densities and the HA features required to satisfy aggregation
layer requirements. While certainly scalable and highly available, these modular chassis-
based switches are not a very cost-effective solution for such applications. First, they
require a considerable up-front investment for the chassis and common equipment,
even if not fully populated. Second, because of their size, modular chassis require more
space in already crowded racks, taking up valuable real estate. Third, modular chassis
require more power and cooling—recurring costs that increase operational expenses and
contribute to the production of greenhouse gasses that threaten the environment.
The Juniper EX 4200 series switches with Virtual Chassis technology represent the new
generation of aggregation switching. They deliver greater value while reducing capital
and operating expenses, freeing up valuable IT resources to invest in new technologies to
improve business productivity.
Note: For a full set of features, benefits and specifications, please view the Juniper Networks EX
4200 Switches with Virtual Chassis Technology data sheet.
[Figure: WAN Edge Layer in the large branch office LAN, Floor 1 through Floor N. EX 4200 series access and aggregation switches (PoE for access points and security cameras) connect to J-series Services Routers providing WAN and Internet connectivity.]
Voice Gateway
Secure and optimized voice services should be provided at the WAN edge to enable effective
communications across the LAN and WAN. Either an integrated or standalone VoIP gateway may
be implemented.
WAN Acceleration
Adding more bandwidth doesn’t automatically deliver LAN-like performance across the WAN.
Acceleration services are needed to optimize performance of centralized applications across the
WAN at all times, even when bandwidth is constrained.
Firewall/VPN
Security must be provided at the WAN edge, including VPN connections to remote locations and
users as well as integrated firewall services to protect against worms, trojans, viruses and other
malware. Such services should be centrally managed to facilitate rapid deployment and minimize
ongoing operational costs.
[Figure: J-series Services Router providing WAN and Internet connectivity, with an access point attached.]
Figure 10: J-series Services Router in a Highly Available Micro Branch Office LAN
minimizes complexity for local IT staff. In addition, this joint solution offers multiple
levels of business continuity options, designed to enable branches to continue effective
operations under a variety of emergency or network conditions.
b. Application Acceleration with the WXC Integrated Services Module
Included in the J-series, the WXC Integrated Services Module provides distributed
enterprises with an easy-to-use, scalable approach to accelerating application delivery
over the WAN. Based on the integrated WX Framework, the WXC module optimizes
bandwidth use on WAN circuits and accelerates application performance by leveraging a
mix of bandwidth management, compression, caching, path optimization and protocol
acceleration techniques. For example, the WXC module lowers bandwidth requirements
for file sharing and data replication processes by up to 98 percent, and even VoIP
bandwidth can be reduced by up to 30 percent. A broad set of centralized management
tools ensures that remote performance remains on a par with local access, even over
constrained and contentious links.
c. Firewall/VPN
The J-series solutions provide the essential security functions required for securely
connecting sites over the Internet, including integrated firewall and IPSec VPN. The
platform also supports centralized user security policy and enables a unique HA option in
the form of dynamic route-based VPNs. Virtualization technologies allow segmentation of
the network into many separate zones within a single platform for enforcing compliance
to corporate security policies.
3. HA Hardware
The J-series provides dual field-serviceable power supplies and dual field-serviceable fans
standard on some models and optional on others to maximize device-level HA.
4. Expandability
The J-series offers the performance headroom and extensible memory to meet future
demands, providing unmatched reliability, investment protection and value for the
enterprise. Each J-series unit can be enhanced with a variety of optional physical interface
modules (PIMs). Though it offers no PoE capabilities, its port capacity can be easily
expanded from four to 48 10/100/1000BASE-T ports with a series of PIMs.
Note: For a full set of features, benefits and specifications, please see the Juniper Networks
J-series Services Routers Data Sheet.
[Figure: JUNOS software release roadmap across platforms (TX Matrix, J-series, API Module), covering releases 8.5, 9.0 and 9.1 in Q407, Q108 and Q208.]
Modular Processes
The JUNOS software is a completely modular operating system, enabling a functional division
of labor for seamless development and operation of many advanced features and capabilities.
By partitioning the software system, tasks are broken into manageable subsets that interact
infrequently and provide new levels of fault-tolerance. Unlike monolithic operating systems, each
key JUNOS software function executes as an independent process and runs in its own protected
memory space. Loading or executing one doesn’t affect the others. One daemon can restart
independently without disrupting another or forcing a full system crash or restart. A benefit of
this approach is the ability to maintain full control of the switch or router at all times. Because of
the separation of control, forwarding and services, filters can be added in real time to thwart a
DDoS attack.
Rollback Capability
JUNOS software also offers error-resilient configuration that prevents operators from
inadvertently bringing down the network. IT must explicitly commit changes after entering and
reviewing all modifications. If a configuration change causes loss of connectivity to the device
and no follow-up confirmation is provided, the device automatically reverts back to the previous
configuration, restoring connectivity, saving time and ensuring Link-level HA for remotely
operated branch deployments. In addition to automatically checking for errors or incorrectly
constructed configurations that could cause potential problems, JUNOS software provides a
rollback command to quickly restore any of the 50 prior configurations.
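The two operational safeguards described above, adding a filter in real time and committing under a confirmation timer with rollback available, shown as an added JUNOS CLI session that is not taken from the white paper. The filter name, the 192.0.2.0/24 management prefix, the hostname and the lo0 interface are constructed for illustration.

```junos
# Added example, not from the white paper. A control-plane filter is added on the
# running device, but under "commit confirmed" so that a mistake cannot lock out a
# remote administrator. Names, prefix and hostname are constructed for illustration.
user@branch-ex4200> configure
Entering configuration mode

[edit]
user@branch-ex4200# edit firewall family inet filter protect-re
[edit firewall family inet filter protect-re]
# Allow SSH to the Routing Engine only from the management prefix.
user@branch-ex4200# set term mgmt-ssh from source-address 192.0.2.0/24
user@branch-ex4200# set term mgmt-ssh from protocol tcp
user@branch-ex4200# set term mgmt-ssh from destination-port ssh
user@branch-ex4200# set term mgmt-ssh then accept
# Count and drop SSH from anywhere else.
user@branch-ex4200# set term drop-other-ssh from protocol tcp
user@branch-ex4200# set term drop-other-ssh from destination-port ssh
user@branch-ex4200# set term drop-other-ssh then count ssh-rejects
user@branch-ex4200# set term drop-other-ssh then discard
# A lo0 filter ends in an implicit discard; keep routing and other control traffic.
user@branch-ex4200# set term allow-rest then accept
user@branch-ex4200# top
[edit]
user@branch-ex4200# set interfaces lo0 unit 0 family inet filter input protect-re

# Review the candidate against the running configuration before activating it.
user@branch-ex4200# show | compare

# Activate, but require a confirming commit within 5 minutes; otherwise the
# device reverts to the previous configuration on its own.
user@branch-ex4200# commit confirmed 5
commit confirmed will be automatically rolled back in 5 minutes unless confirmed
commit complete

# Still reachable over SSH from the management prefix: make the change permanent.
user@branch-ex4200# commit
commit complete

# Later, if the change must be undone: compare against and restore a prior
# configuration (rollback 0 through 49 are retained).
user@branch-ex4200# show | compare rollback 1
user@branch-ex4200# rollback 1
load complete
user@branch-ex4200# commit
commit complete
```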
Advanced Features
The JUNOS software also provides a broad spectrum of advanced routing and security features
such as stateful firewall, IPSec, MPLS and IPv6 without requiring an additional software license.
In addition, the JUNOS software provides comprehensive QoS functions to classify, prioritize
and schedule traffic for applications such as VoIP. For medium and large branches using Virtual
Chassis technology, the JUNOS software enables bidirectional forwarding detection for early
detection of node or link failures.
Benefits
By running a common operating system, these Juniper solutions dramatically reduce
maintenance and management overhead while ensuring a consistent feature set across all
products, as well as a consistent implementation and management of those features. This
equates to time savings in all categories of operations. In addition to a reduction in training time,
the inherent interoperability across all platforms greatly simplifies new feature deployment,
software upgrades and other network modifications. A single consistent code set also enables
customers to qualify and deploy just one release. For many customers, the testing time of a new
release is cut from what was months down to just a few weeks. JUNOS software also provides
features to facilitate fast restoration of previous configurations.
Impact
In an independent study conducted in 2007, Lake Partners quantified the time savings Juniper
Networks customers experienced using the JUNOS software across a number of common
network operational tasks. The results are presented in Table 3:
This time savings translates to a substantial, tangible cost savings. According to Lake Partners,
an infrastructure of any size running JUNOS software can save up to 29 percent on operational
costs. Seeing that the IT department of a typical enterprise spends 40 to 60 percent of its budget
to maintain and enhance basic IT services (McKinsey & Company 2006), this savings could be
considerable.
Benefits
NSM lowers operational costs by presenting a Graphical User Interface (GUI) to simplify complex
tasks such as device configuration, supplying device templates to minimize configuration errors,
providing investigative tools for complete visibility into the network, and more.
Benefits
Built on JUNOS software, J-Web offers highly available branch offices of all sizes a GUI for device
management that complements the exciting suite of element and service management products
from Juniper. J-Web provides IT administrators and network operators with simple-to-use tools
to quickly and seamlessly monitor, configure, troubleshoot and manage any switch, router or
firewall.
J-Web allows non-technical users in branch office/small office environments to commission
and bring a switch or router online quickly and easily. It offers seamless GUI access to all of
the features and functions of JUNOS software, reducing timelines for new service deployments.
J-Web can be quickly integrated into existing network management or OSS (Operational Support
System) applications such as Micromuse Netcool Omnibus, Dorado RedCell Manager, IBM
Tivoli and HP Openview, thereby minimizing complexity for the service provider or enterprise
customer. Fast, error-free service changes and upgrades can be made with J-Web’s quick
configuration wizards, and new services can be rapidly created and deployed with the use of
configuration and QoS wizards that allow for real-time changes to service parameters.
[Figure: Summary of the branch office LAN designs, Floor 1 through Floor N, showing EX 4200 series Virtual Chassis switches, PoE access points, security cameras and J-series Services Routers providing WAN and Internet connectivity. Callouts: externally wall-powered phones, cameras and APs; Fiber Aggregator (copper); Integrated WX WAN Optimization; Dual Power Supplies; Integrated Security/VPN Services; Wire-Speed Nonblocking; Virtual Chassis; J-Web Management; JUNOS.]
... connectivity, aggregation, and WAN edge services such ...
• The EX 3200 series or EX ...
Juniper solutions:
• Two EX 4200 series switches with Virtual Chassis technology are used ... local servers.
• J-series Services Router is used as a WAN edge device.
... HA. Two Virtual Chassis deployments are used as aggregation-layer switches for high throughput and local server connectivity.
• Two J-series Services Routers are used as WAN edge devices for added Device and Link-level HA.
Conclusion
The network plays an integral role in today’s business, making it arguably the most valuable
corporate asset. With a trend towards a decentralized workforce, branch LANs are becoming
increasingly critical to overall business success. Legacy solutions cannot meet the growing branch
office LAN needs for security, connectivity, performance and HA. A new branch office LAN
design that meets these needs while enabling key IT initiatives is needed. It must also scale and
flexibly accommodate new computing trends without an entire redesign.
Juniper solutions, including a new family of high-performance Ethernet switches, redefine
the way businesses build branch office networks. Offering high port densities, wire-speed
connectivity and HA in compact, pay-as-you-grow platforms, Juniper switches represent a
powerful yet cost-effective alternative to the aging and expensive solutions pushed by today’s
dominant switch vendors. By offering a smaller footprint in the wiring closet, combined with
lower power and cooling requirements, the Juniper switches represent the efficient and “green”
solutions users are looking for to power their networks of the future. In addition to a full suite
of secure services, Juniper products provide the end-to-end QoS required for sensitive and
bandwidth-hungry applications such as VoIP.
The JUNOS software, a single, consistent operating system, is used across all Juniper switch,
router and firewall products, making the network infrastructure exceedingly easy to deploy,
configure and upgrade, saving considerable time and operating resources that can be reallocated
to further improve business operations and maximize customer satisfaction.
Branch office infrastructure solutions from Juniper Networks advance the economics of
networking, allowing businesses to “change the rules” with their IT investments and create
a truly innovative and competitive environment that helps them increase revenue and raise
productivity today and into the future.
Copyright 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.