Data Communications Services - Amazon S3 · Data Communications Services Solicitation No. JP14001 August 30, 2013 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089-1206

Data Communications Services Solicitation No. JP14001

August 30, 2013

Juniper Networks, Inc. 1194 North Mathilda Avenue

Sunnyvale, CA 94089-1206 Phone: 888-JUNIPER (888-586-4737)

WSCA-NASPO Data Communications Services Page i

Juniper Networks Confidential

Cover Letter

August 30, 2013

Juniper Networks (US), Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089-1206

Jennifer A. Porter State of Utah Division of Purchasing and General Services State Office Building, Capitol Hill Room 3150 Salt Lake City, UT 84114-1061

Dear Ms. Porter,

Juniper Networks is pleased to respond to the WSCA-NASPO Data Communications Products and Services RFP, No. JP14001.

We are proud to participate in your evaluation of vendorsa critical first step in selecting technology suitable for your network deployments. With an understanding of your RFP goals, we propose the following Juniper Networks products and services to meet the following requirements:

Networking Software

Optical Networking

Routers

Security

Switches

Wireless

Services

Thank you for the opportunity to respond; we look forward to meeting with you to discuss this further.

Cover Letter (cont.)

<Customer Name> <Proposal Title> Page ii Juniper Networks Confidential

The new network is here. And it runs on Junos.The new network is here. And it runs on Junos.

Sincerely,

Roxanne Bieniek Business Development Manager Juniper Networks 10 Technology Park Drive Westford, MA 01886 Office phone: +1 978.589.0636 Email: [email protected]

mailto:[email protected]

WSCA-NASPO Data Communications Services Page iii


Table of Contents

Cover Letter ........................................................................................................ i

3. Data Communications Provider Mandatory Minimum Requirements ...... 1

3.1 General Information ........................................................................................... 1

3.1.1 Equipment Offering ............................................................................................... 1

3.1.2 Service Offering ..................................................................................................... 1

3.1.3 Insurance Requirement ......................................................................................... 3

3.1.4 Delivery ................................................................................................................... 4

3.1.5 Service Offering Documentation .......................................................................... 4

3.1.6 Data Communications Provider Contract Administrator and Usage Report Administrator ..................................................................................................................... 4

3.1.7 eMarket Center Cooperation .................................................................................... 5

4. Data Communications Provider Qualifications .......................................... 6

4.1 General Information ........................................................................................... 6

4.2 Warranty .............................................................................................................. 6

4.3 Website .................................................................................................................. 9

4.4 Customer Service ..................................................................................................... 9

4.5 Firm .......................................................................................................................... 13

4.6 Authorized Sub Contractor Relationships .............................................................. 16

5. Service Offering Qualifications ................................................................. 18

5.1 General Information ......................................................................................... 18

5.1.1 General Business Requirements ........................................................................ 18

5.1.2 Terms and Conditions ......................................................................................... 18

5.1.3 Experience............................................................................................................ 18

5.1.4 Financial Stability ................................................................................................ 19

5.1.5 Other General Responsibilities .......................................................................... 19

Table of Contents (cont.)

WSCA-NASPO Data Communications Services Page iv Juniper Networks Confidential


5.2 Data Communications Services – Requirements ......................................... 20

5.2.1 Data Center Application Services ...................................................................... 20

5.2.2 Networking Software ........................................................................................... 22

5.2.3 Network Optimization and Acceleration ............................................................ 27

5.2.4 Optical Networking .............................................................................................. 28

5.2.5 Routers ................................................................................................................. 30

5.2.6 Security ................................................................................................................ 37

5.2.7 Storage Networking ............................................................................................. 53

5.2.8 Switches ............................................................................................................... 54

Juniper Networks EX Series ........................................................................................... 54

Forrester Consulting Report: Simplifying Data Center Networks with Juniper Networks EX Series Reduces Network OpEx ............................................................................................... 56

EX Series Models ..................................................................................................................... 56

5.2.9 Wireless ................................................................................................................ 93

5.3.0 Unified Communications (UC) ................................................................... 102

5.3.1 Services .............................................................................................................. 107

5.3.2 Adding Products ................................................................................................ 108

6. Evaluation .................................................................................................. 110

6.1 General Information ....................................................................................... 110

6.2 Administrative Requirements Compliance .................................................. 110

6.3 Minimum Scope Requirements Compliance ............................................... 111

6.4 Evaluation Criteria.......................................................................................... 111

7. Master Agreement Terms and Conditions/Exceptions ........................... 116

7.1 WSCA-NASPO Master Agreement Terms and Conditions ......................... 116

7.2 Offeror Exceptions to Terms and Conditions ............................................. 117

7.3 WSCA-NASPO eMarket Center ..................................................................... 120

Appendix A. Product Overviews .................................................................. 123


WSCA-NASPO Data Communications Services Page v Juniper Networks Confidential


MX Series ................................................................................................................ 123

PTX Series ............................................................................................................... 128

ACX Series .............................................................................................................. 129

SRX Series for the Branch ..................................................................................... 131

SRX Series for the Data Center ............................................................................. 134

vGW Series .............................................................................................................. 135

STRM Series ............................................................................................................ 136

Junos Pulse ............................................................................................................ 137

EX Series ................................................................................................................. 139

QFabric .................................................................................................................... 142

JunosV ..................................................................................................................... 144

Wireless LAN Solution ........................................................................................... 146

WLA Solution ................................................................................................................. 146

WLC Series ..................................................................................................................... 147

WLM Series ............................................................................................................. 149

Appendix B. Junos Operating System ......................................................... 151

Different by Design ................................................................................................. 151

One Operating System .................................................................................................. 152

One Software Release ................................................................................................... 153

One Modular Software Architecture............................................................................. 153

High-Performance Network Foundation ............................................................... 153

Key Competitive Advantages ................................................................................ 154

Continuous Systems ..................................................................................................... 154

Automated Operations .................................................................................................. 155

Configuration ................................................................................................................. 155

Open Innovation ..................................................................................................... 155

Junos Platform ....................................................................................................... 156


WSCA-NASPO Data Communications Services Page vi Juniper Networks Confidential


Appendix C. Customer Services and Support ............................................ 158

Service Programs ................................................................................................... 158

Juniper Networks Technical Assistance Center (JTAC) .................................... 160

Customer Support Center ...................................................................................... 160

Management Escalation Path ................................................................................ 160

Resident Engineers ................................................................................................ 162

Education Services ................................................................................................ 163

Courses .......................................................................................................................... 164

Fast Track Program ....................................................................................................... 164

Training Credits ............................................................................................................. 164

Technical Certification Program................................................................................... 164

Authorized Education Centers ..................................................................................... 165

Awards and Industry Recognition ........................................................................ 166

Appendix D. Juniper Networks Corporate Overview .................................. 167

Our Mission: Connect Everything. Empower Everyone. .................................... 167

Build the Best ......................................................................................................... 167

Research and Development .................................................................................. 168

Customer Base and Deployments ........................................................................ 168

Financial Stability ................................................................................................... 169

Corporate Awards .................................................................................................. 170

WSCA-NASPO Data Communications Services Page 1


3. Data Communications Provider Mandatory Minimum Requirements

3.1 General Information

This section contains requirements that must be addressed in order for your proposal to be considered for the evaluation phase of this RFP. All of the items described in this section are non-negotiable. Respondents are required to complete:

Mandatory Requirements (M)

All Respondents must meet the (M) requirements listed in this section, and explain how the requirement is met. A ‘no’ response on the acceptance document or omission of the required explanation will disqualify the service from further evaluation.

JUNIPER NETWORKS RESPONSE:

Read and understood.

3.1.1 Equipment Offering

(M) Identify Equipment Offering in sections 5.2.1-5.3.0.


Juniper is offering equipment that includes:

Networking Software

Optical Networking

Routers

Security

Switches

Wireless

Please see section 5.2.1-5.3.0 for additional information.

3.1.2 Service Offering

(M) Identify Service Offerings for all products offered in Sections 5.2.1-5.3.0.


Juniper is offering services that include:

Maintenance

3. Data Communications Provider Mandatory Minimum Requirements (cont.)

WSCA-NASPO Data Communications Services Page 2 Juniper Networks Confidential


Professional

Partner

Training

Please see section 5.2.1-5.3.0 for additional information.




3.1.3 Insurance Requirement

(M) This pertains to the State of Utah insurance requirements. Other Participating States may identify different insurance requirements during the participating addendum process.

Data Communications Provider’s and their authorized contractors shall procure and maintain insurance which shall protect the authorized contractor and The State and/or purchasing entity (as an additional insured) from any claims from bodily injury, property damage, or personal injury covered by the indemnification obligations set forth herein. The Data Communications Provider’s authorized contractor shall procure and maintain the insurance policies described below at their own expense and shall furnish to the procurement manager, upon award, an insurance certificate listing the participating State(s) as certificate holder and as an additional insured.

The insurance certificate must document that the Commercial General Liability insurance coverage purchased by the authorized contractor to include contractual liability coverage applicable to this Master Agreement. In addition, the insurance certificate must provide the following information: the name and address of the insured; name, address, telephone number and signature of the authorized agent; name of the insurance company (authorized to operate in all States); a description of coverage in detailed standard terminology (including policy period, policy number, limits of liability, exclusions and endorsements) and an acknowledgment of notice of cancellation to the participating States.

Authorized contractor is required to maintain the following insurance coverage’s during the term of the WSCA-NASPO Master Agreement:

1) Workers’ Compensation Insurance – The Data Communications Provider’s authorized contractor must comply with Participating State’s requirements and provide a certificate of insurance.

2) Commercial General Liability Policy per occurrence - $1,000,000. Coverage to include bodily injury and property damage combined single limit.

3) Business Automobile Policy to include but not limited to liability coverage on any owned, non- owned, or hired vehicle used by Data Communications Provider’s authorized contractor personnel in the performance of this Master Agreement. The business automobile policy shall have the following limits of liability: Per Occurrence - $1,000,000, Annual Aggregate - $3,000,000, Annual Aggregate applying to products and services - $3,000,000. Coverage must include premises and operations, bodily injury and property damage, personal and advertising injury; blanket contractual, products and services, owner named as an additional insured. The State of Utah must be listed as an additional insured.

Within 10 days of contract award, the Contracted Supplier and/or Authorized Contractor must submit proof of certificate of insurance that meets the above requirements or the Participating States requirements.


Read and Understood




3.1.4 Delivery

(M) The prices offered shall be the delivered price to any WSCA-NASPO purchasing entity. All deliveries shall be F.O.B. destination with all transportation and handling charges paid by the contractor. Responsibility and liability for loss or damage shall remain the Contractor until final inspection and acceptance (within 30 days after delivery for external damage and 30 days for any concealed damage) when responsibility shall pass to the Buyer except as to latent defects, fraud and Contractor’s warranty obligations. The minimum shipment amount will be found in the special terms and conditions. Any order for less than the specified amount is to be shipped with the freight prepaid and added as a separate item on the invoice. Any portion of an order to be shipped without transportation charges that is back ordered shall be shipped without charge.


Read and Understood.

3.1.5 Service Offering Documentation

(M) Upon request, user and/or technical documentation should be supplied for all procured products and services. Manuals may be available via the Contracted Supplier’s website. The manual shall contain user and technical instructions appropriate to the service.


Juniper Networks will comply.

3.1.6 Data Communications Provider Contract Administrator and Usage Report Administrator

(M) The Contracted Supplier shall provide a Contract Administrator to manage compliance with the scope and terms and conditions for this contract. The following Information, at a minimum, regarding the Contract Administrator shall be provided:

a. Administrator’s number of years experience in the Data Communications Services business.


More than 10 years of industry experience

b. Confirmation that the Data Communications Provider Contract Administrator has authority to enforce the scope of work and terms and conditions of the resulting contract.


Juniper Networks will comply with this request.




The Contracted Supplier shall also provide a Usage Report Administrator responsible for the quarterly sales reporting described in Section 1.15 Usage Reporting Requirement.



3.1.7 eMarket Center Cooperation

(M) To be eligible for contract award, the Contractor must agree to cooperate with WSCA-NASPO and SciQuest (and any authorized agent or successor entity to SciQuest) with uploading a hosted catalog or integrating a punchout site. The contract requirements are in section 7.





4. Data Communications Provider Qualifications


Provide any pertinent general information about the depth and breadth of the Offeror’s product and service offerings and their overall use and acceptance in the Data Communications marketplace.


Connect everything. Empower everyone.

Juniper Networks believes the network is the single greatest vehicle for knowledge, understanding, and human advancement the world has ever known. Our simple―yet incredibly powerful―solution elegantly links software, silicon, and systems architecture to connect everything and empower everyone.

4.2 Warranty

Specify the Offeror’s standard warranty offerings for the products and services proposed in the response to this RFP.


To ensure you receive your full Product Warranty benefits, please register your Juniper Networks products.

Warranty Start Date

"Start Date" as used in this policy means (i) the date this product is shipped from the manufacturing facilities of Juniper Networks, Inc. ("Juniper Networks"), or (ii) in the case of resale by an authorized Juniper Networks reseller, the date not more than ninety (90) days after original shipment of this product by Juniper Networks.

Hardware

Juniper Networks warrants that for a period of one (1) year from the Start Date, the Juniper Networks hardware purchased by customer ("Hardware") shall be free of defects in material and workmanship under normal authorized use consistent with the product instructions. This product warranty extends only to the original purchaser. In the event that Juniper Networks receives notice during the warranty period that any Hardware does not conform to its warranty, Customer's sole and exclusive remedy, and Juniper Networks sole and exclusive liability, shall be for Juniper Networks, at its sole option, to either repair or replace the non-conforming Hardware in accordance with this limited warranty. Hardware replaced under the terms of any such warranty may be refurbished or new equipment substituted at the option of Juniper Networks. Juniper Networks will use commercially reasonable efforts to ship the replacement Hardware within twenty (20) business days after receipt of the product at a Juniper Networks Repair Center. Actual delivery times may vary depending on the customer location.

4. Data Communications Provider Qualifications (cont.)



Software

Juniper Networks warrants that for a period of ninety (90) days from the Start Date, the media, on which the software embedded in the Hardware ("Software") is recorded, shall be free from defects in material and workmanship under normal authorized use consistent with the product instructions. The sole and exclusive remedy of the customer and the entire liability of Juniper Networks under this limited warranty shall be the replacement of the media containing the Software. In addition, with respect to Software embedded in Juniper Networks security products, application acceleration products or certain other Hardware products, as more specifically set forth on http://www.juniper.net/support, for a period of fifteen (15) days from the date a customer receives such Hardware product, Juniper Networks will provide the customer that purchased such Hardware product access to one (1) download of the most recent commercially-available version of Software that is embedded in such product. Customer may download the Software by going to http://www.juniper.net/support This right to download extends only to the original purchaser.

Restrictions

No warranty will apply if the Hardware or Software (i) has been altered, except by Juniper Networks; (ii) has not been installed, operated, repaired, or maintained in accordance with instructions supplied by Juniper Networks in the enclosed documentation; or (iii) has been subjected to unreasonable physical, thermal or electrical stress, misuse, negligence, or accident. In addition, Hardware or Software is not designed or intended for use in (i) the design, construction, operation or maintenance of any nuclear facility, (ii) navigating or operating aircraft; or (iii) operating life-support or life-critical medical equipment, and Juniper Networks disclaims any express or implied warranty of fitness for such uses. Customer is solely responsible for backing up its programs and data to protect against loss or corruption. Juniper Networks warranty obligations do not include installation support.

EX Series Limited Lifetime Hardware Warranty

Juniper Networks offers a limited lifetime hardware warranty for EX2200, EX3200 and EX4200 Switches. Hardware covered are the Juniper Networks EX2200, EX3200 and EX4200 system purchased after September 30, 2009.

Warranty Start Date – “Start Date” as used in this policy means (i) the date this product is shipped from the manufacturing facilities of Juniper Networks, Inc. (“Juniper Networks”), or (ii) in the case of resale by an authorized Juniper Networks reseller, the date not more than ninety (90) days after original shipment of this product by Juniper Networks.

Limited Lifetime Hardware Warranty – Juniper Networks warrants that Covered Hardware will be free from defects in material and workmanship commencing on the Start Date and for as long as the original purchaser (“Customer”) continues to own or use the Covered Hardware; provided that the fan and power supply warranty is limited to 5 years from the Start Date. In the event of discontinuance of manufacture of the Covered Hardware, the Juniper warranty support is limited to 5 years from the announcement of the discontinuance. This product warranty extends only to the original purchaser (“Customer”). In the event that Juniper Networks receives notice during the warranty period that any Covered Hardware does not conform to its warranty, Customer’s sole and exclusive remedy, and Juniper Networks sole and exclusive liability, shall be for Juniper Networks, at its sole option, to either repair or replace the non-conforming Covered Hardware in accordance with this limited warranty. Covered Hardware replaced under the terms of any such warranty may be refurbished or new equipment substituted at the option of Juniper Networks. Juniper Networks will use commercially reasonable efforts to ship the replacement hardware within twenty (20) business days after receipt of the product at a Juniper Networks Repair Center. Actual delivery times may vary depending on the customer location.

For more information on the EX Series Limited Lifetime Warranty, please visit our website at: http://www.juniper.net/support/warranty/990235.pdf

http://www.juniper.net/support/warranty/990235.pdf




Dead On Arrival ("DOA")

For up to thirty (30) days from the Start Date, Juniper Networks will provide expedited replacement of affected field replaceable units of Hardware that fail to operate within twenty-four (24) hours of initial installation. For purposes of this DOA policy, "fail to operate" shall mean a material failure to substantially perform in accordance with the Hardware's technical specifications and shall not include cosmetic or other deficiencies that do not materially affect Hardware performance. A new field replaceable unit will be shipped from Juniper Networks' manufacturing facilities within two (2) business days of Juniper Networks' receipt and validation of customer's notification of an inoperative unit. Notification must be sent by customer via online procedures set forth below. Defective Hardware must be returned within thirty (30) days of failure, or customer pays purchase price of replacement Hardware. Non-U.S. customers should allow for additional transit time due to international customs clearance.

Hardware Return Procedures

Any defective item can only be returned if it references a return material authorization ("RMA") number issued by authorized Juniper Networks service personnel. To request an RMA number, customer must contact Juniper Networks Technical Assistance Center ("JTAC") via the online resource available at the URL: http://www.juniper.net/support. JTAC will only assist customers with online RMA processing pursuant to the terms of this warranty and will not provide any troubleshooting, configuration or installation assistance. Telephone calls to JTAC will not be accepted unless the customer has purchased a valid Juniper Networks service contract that is in effect as of the time of the call. The RMA number must be included on the outside carton label of the returned item. Transportation costs, if any, incurred in connection with the return of a defective item to Juniper Networks shall be borne by customer to the in-country location, if available. Juniper Networks shall pay any transportation costs incurred with the redelivery of a repaired or replaced item. If, however, Juniper Networks reasonably determines that the item is functional, the customer shall pay any transportation cost. If Juniper Networks determines, at its sole discretion, that the allegedly defective item is not covered by the terms of the warranty provided hereunder or that a warranty claim is made after the warranty period, the cost of repair by Juniper Networks, including all shipping expenses, shall be paid by customer.

Disclaimer

EXCEPT AS EXPRESSLY SET FORTH ABOVE, JUNIPER NETWORKS MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NONINFRINGEMENT, OR WARRANTIES OR OBLIGATIONS ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. FURTHER, JUNIPER NETWORKS DOES NOT WARRANT THAT THE SOFTWARE IS ERROR FREE OR THAT BUYER WILL BE ABLE TO OPERATE THE SOFTWARE WITHOUT PROBLEMS OR INTERRUPTION.

Limitation of Liability

IN NO EVENT WILL JUNIPER NETWORKS OR ITS AFFILIATES OR SUPPLIERS BE LIABLE FOR ANY LOSS OF USE, INTERRUPTION OF BUSINESS, LOST PROFITS, OR LOST DATA, OR INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, EVEN IF JUNIPER NETWORKS OR ITS AFFILIATE OR SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, AND WHETHER OR NOT ANY REMEDY PROVIDED SHOULD FAIL OF ITS ESSENTIAL PURPOSE. THE TOTAL CUMULATIVE LIABILITY TO CUSTOMER, FROM ALL CAUSES OF ACTION AND ALL THEORIES OF LIABILITY, WILL BE LIMITED TO AND WILL NOT EXCEED THE PURCHASE PRICE OF THE PRODUCT PAID BY CUSTOMER. IN ADDITION, JUNIPER NETWORKS SHALL NOT BE LIABLE FOR




CUSTOMER'S OR ANY THIRD PARTY'S SOFTWARE, FIRMWARE, INFORMATION, OR MEMORY DATA CONTAINED IN, SORTED ON, OR INTEGRATED WITH ANY PRODUCT RETURNED TO JUNIPER NETWORKS, WHETHER UNDER WARRANTY OR NOT.

4.3 Website

Award contractors are required to establish and maintain a website applicable to the WSCA/NASPO contract which will allow Participating States to see applicable contract price list, discounts on said price list, approved resellers or partners for their state and any additional information that may be required to assist the participating states in obtaining information concerning the contract award. The State of Utah representing WSCA/NASPO reserves the right to require the award contractor to add additional items to assist in this process. Specify Websites used by the Offeror to facilitate customer ordering under awarded contracts.

This is a mandatory requirement.


Juniper Networks will comply with this requirement.

4.4 Customer Service

Specify the Offeror’s standard customer service policies and detail the escalation process used to handle customer-generated issues.


Juniper Care improves staff productivity and decreases operational costs through Juniper Networks award winning 24x7 support and automation. Juniper Care Services provide rapid response from Juniper Networks technical service engineers and hardware replacement options that let you choose the right timing and resources for your network needs. Juniper Care increases operational effectiveness and lowers operational costs by utilizing Junos Space Service Now to reduce the time for problem identification and diagnostics.

Juniper Care Services includes:

Technical Support – Gain access to Juniper Networks technical support engineers, software updates, online access to our knowledge base, online tools, and hardware replacement.

Automated Incident Management – Leveraging the capabilities of Service Now technology to automatically detect, analyze, troubleshoot, and report incidents on specific device events.

Inventory Management Assistance – Automatically collect and record the most up-to-date device inventory information including device name, software version, platform, serial number, and chassis inventory details for all devices managed by Service Now.

Knowledge Transfer – Access a series of E-Learning courses on product troubleshooting features.




Juniper Care entitlements allows you to select a primary level of support to determine your hardware replacement options and gain access to Juniper Networks Customer Support Center (CSC) which allows you access to software updates and online post-sales tools. Table 1 shows the Juniper Care entitlements.

Table 1. Juniper Care Support Option Entitlements

PRIMARY LEVEL OF SUPPORT:

Core Core Plus Next-Day Ship

Next-Day

Delivery

Next-Day

Onsite

Same-Day

Delivery

Same-Day

Onsite

Unlimited JTAC 24X7 X X X X X X X

Software releases X X X X X X X

CSC online E-Support

X X X X X X X

Junos Space Service Now/ Service Insight

X X X X X X X

E-Learning X X X X X X X

Return-to-factory X

Next-business-day advanced replacement parts shipment

X

Next-business-day advanced replacement parts delivery

X X

Same-day advanced replacement parts delivery

X X

Onsite technician X X

Core

Core Support protects networking investments by providing basic remote support resources, including all software feature releases, plus access to the Juniper Networks Technical Assistance Center (JTAC) and the online Customer Support Center (CSC).

Core Plus

Core Plus offers the same features of Core Support plus targets 10-business day repair turnaround from the date of receipt at the Juniper Networks repair facility.

Next-Day

Next-Day includes all Core Support features, plus the delivery of covered replacement hardware on the next business day.

Next business day is defined as 12 hours a day, five days a week delivery of advance hardware replacements. “Next day delivery” means that Juniper Networks will deliver advance replacements for defective hardware on the




next business day for replacement requests placed by 3:00 p.m. (local JTAC time), Monday through Friday, except Juniper Networks holidays. For countries where Juniper Networks does not have an in-country depot and next business day delivery is unavailable, Juniper Networks will ship the replacement part within 24 hours of the RMA origination. Actual delivery will be subject to local customs and importation restrictions and transportation delays.

Next-Day Onsite

For customers who may not have the onsite staff to perform replacement tasks, Next-Day Onsite allows them to stay focused on their core business. Next-Day Onsite provides the same features as Next-Day and includes the dispatch of a trained technician to a customer location within the next business day.

The technician will perform tasks as directed by JTAC, and as outlined in the existing Global Service Operations (GSO) policy “Customer Onsite Service Support”. The technician will be release from the site upon approval of the JTAC engineer with concurrence from the customer.

Same-Day

Same-Day is an essential service for providers with mission-critical networks who cannot wait until the next business day for replacement parts. In addition to all Core Support features, Same-Day provides delivery of covered replacement hardware within four hours of request if your physical site is located within the designated distance from any authorized regional Juniper Networks parts depot, shown in Table 1.

Table 1. Juniper Care: Same-Day Entitlements

Region Distance from Juniper Networks Parts Depot

USA/Canada 150 miles (241 km)

EMEA 120 miles (193 km)

Mexico/Latin America 62 miles (100 km)

Asia Pacific 43 miles (69 km) (all countries except India)

India 31 miles (50km)

Same-Day Onsite

Same-Day Onsite provides a skilled technician for rapid remedial hardware problem resolution, including the installation of replacement parts. This service includes all Same-Day features, plus access to an onsite technician within four hours of request, as shown in Table 1 above. An onsite technician can be requested 24 hours a day, 7 days a week, including holidays.

As shown in Table 2, Juniper Networks offers systematic escalation management to customers with current service agreements. This ensures that the appropriate resources within Juniper Networks are utilized to resolve outstanding technical problems as efficiently as possible.

Our systematic escalation process is intended to notify and brief various levels of management throughout the life cycle of the technical issue. Escalation timeframes are measured on a 24x7x365 basis.




Table 2. Juniper Networks Escalation Management Response Times

Owner Priority 1, Critical Priority 2, High Priority 3, Medium Priority 4, Low

Manager, Technical Support

1 hour 12 hours 15 days 30 days

Director, Customer Service

2 hour 24 hours

Vice President, Customer Service

4 hours 96 hours

Vice President, Engineering and Sales

4 hours

Note: These escalation timeframes are to be used as guidelines and are not a substitute for sound business practices.

Case Definitions for Priority

Juniper Networks offers priority setting of problems to customers with current service agreements. This ensures that the appropriate resources within Juniper Networks are utilized to resolve outstanding technical problems as efficiently as possible.

Priority Management

The Juniper Networks Technical Assistance Center (JTAC) works with customers to assign mutually agreeable priority levels to problems that will be reflected in the support case opened on their behalf.

Priority 1: Critical

Total loss of continuous instability of mission-critical functionality, examples of Priority 1 issues include:

Network or system is down causing customers to experience a total loss of service

Inability to use a feature or functionality that is currently relied upon for mission critical functionality

Priority 2: High

Issues that are impairing, but not causing a total loss of mission-critical functionality, examples of Priority 2 issues include:

Intermittent issues affecting mission critical functionality

Inability to deploy a key feature or function that is not currently relied upon for mission-critical functionality

Loss of redundancy of critical hardware component

Priority 3: Medium

Issues in the network or on the system that are not causing impact to mission-critical functionality, examples of Priority 3 issues include:

Non-repeated issues having impacted mission-critical functionality but have since recovered




Issues seen in a test or pre-production environment that would normally cause adverse impact to a production network

Time sensitive information requests

Workaround in place for Priority 1 and Priority 2 issues

Priority 4: Low

Low priorities include information requests, examples of Priority 4 issues include:

Standard questions on configuration or functionality of equipment

Non-urgent RMA requests

Cosmetic defects

4.5 Firm

a. Provide a brief history of your firm including the following:

1. Number of years providing Data Communications Services being offered in response to this RFP.


17 years.

2. Number of separate services provided in each of the area categories described in this RFP.


Juniper is providing services that include:

Maintenance

Professional

Partner

Training

Please see section 5.3.1 for additional information.

b. Describe specifically what makes your firm a stable long term partner for WSCA-NASPO.


Juniper Networks global customer base is large and diverse, ensuring our continued presence within this market. Our customers include government agencies, service providers, mobile and cable providers, global PTTs, R&E entities, and enterprises.




From a financial standpoint, Juniper Networks continues to execute on our objective of delivering high-quality financial metrics including profitability, positive cash flow from operations, strong gross margins, and a strong balance sheet.

Table 3 highlights several of Juniper Networks financial accomplishments as of June 30, 2013.

Table 3. Juniper Networks Financial Highlights as of June 30, 2013

Highlight Details

Revenue Growth

$1.151 B in Q2 2013 (up 9% from Q1 2013; up 7% from Q2 2012)

$ 2.209 B for six months ending June 30, 2013

Net Income (Q2 2013) GAAP: $98M ($0.19 per share)

Non-GAAP: $148M ($0.29 per share)

Strong Cash Position $3.8 B

Positive Cash Flow from Operations $284 M in Q2 2013

$212 M Q2 2012

Geographical Diversification Americas: $675 M in Q2 2013

EMEA: $300 M in Q2 2013

APAC: $174 M in Q2 2013

Product Revenue PSD: $916 M in Q2 2013

SSD: $235 M in Q2 2013

Market Diversification Enterprise: 36%

Service Provider: 64%

Growing Employees 9,400 employees

Research and Development Spending $1,101 M in FY 2012 (24% of total revenue)

$1,026 M in FY 2011 (23% of total revenue)

No single customer accounted for more than 10% of Juniper Networks total net revenues for 2012.

Further details on Juniper Networks financials, including annual reports and documents filed with the SEC, can be found at the following website: http://www.juniper.net/company/investor/

c. Describe specifically what information the Data Communications Provider contract administrator would provide at annual meetings with an entity that has executed a participating addendum.


The Contract Administrator would provide the total number of agencies participating; what each agency has purchased; level of service performed at an agency; level of service requested by an agency; any technical issues reported; any escalations requested; future goals of the agency.

http://www.juniper.net/company/investor/




d. Describe how you plan to implement the contract including having a single point of contact to perform and manage all aspects of this contract.


Juniper Networks will provide a Contract Administrator that will manage all aspects of this contract.

e. Describe in detail your firm’s escalation management plan including contact information.





Owner Priority 1, Critical Priority 2, High Priority 3, Medium Priority 4, Low

Manager, Technical Support

1 hour 12 hours 15 days 30 days

Director, Customer Service

2 hour 24 hours

Vice President, Customer Service

4 hours 96 hours

Vice President, Engineering and Sales

4 hours





4.6 Authorized Sub Contractor Relationships

Respondents may propose the use of Servicing Subcontractors or partners however; the Contractor shall remain solely responsible for the performance under the terms and conditions of the Contract if Servicing Subcontractors are utilized. This includes sales report information. The Contractor will be responsible to collect, and report this information from all partners or resellers representing your contract.

a. Briefly describe what your firm requires from potential contractors to become an “Authorized Data Communications Reseller”. Provide an Authorized Contractor List.


Juniper Networks leverages a wide range of partner’s to satisfy customer requirements. These partners are authorized and certified via our Juniper Partner Advantage Program (JPA).

A potential partner must complete a ‘Reseller’ application online. Once a registration agreement is complete, our inside-sales organization conducts a vetting process to verify their viability. Once approved, they are moved into our reseller program.

To reach elevated status within the JPA program (Select or Elite) a Juniper Partner Account Manager is assigned to their account to vet their strengths, potential and accomplishments. The partner must complete product authorizations, specialization and / or domain requirement, i.e., specific sets of certification requirements to progress in the program.

Although we cannot provide a full list of our JPA partners, our Select and Elite level partners are listed in our partner locator tool on the Juniper website by theatre, region, country, partner level, service level, product or solution certifications. http://www.juniper.net/us/en/partners/locator/

b. Describe in detail how your firm currently measures an authorized contractors’ performance.


Juniper Networks uses four main metrics to measure the performance of our partners; certification attainment, opportunity registrations, revenue growth and customer satisfaction. Juniper Partner Account Manager’s conduct business planning with our partners every year to set performance expectations, then Quarterly Business Reviews are conducted on a quarterly basis to measure partner performance and to ensure a given partner is tracking towards plan.

http://www.juniper.net/us/en/partners/locator/




c. Describe in detail the process for revoking a designation as a sub contractor from an authorized contractor for issues related to customer service, or other authorized contractor performance related issues.


Partners must consistently meet and maintain requirements for their partner level, meaning they must adhere to our partner code of conduct/T&C and annual certification refresh for technical and sales requirements. Infractions to the JPA Program, i.e. not achieving annual requirement or violations to our partner code of conduct, could include demotion and/or could cause termination of a partner from our program.

d. Describe in detail how your firm will support and assist an authorized contractor in improving their performance and the corrective action process.


Partner performance is reviewed every quarter via Quarterly Business Reviews with the partner’s leadership team and the Juniper Partner Account Manager (PAM). If a partner is under achieving, the PAM will assist in the development of a custom “get well plan.” Such plan may include enablement resources provided by Juniper to support the partner in reaching certification compliance. It may also include marketing programs and sales support to assist in driving revenue growth. The partner is then given a quarter to ramp before their performance is assessed again.

e. Describe in detail the process that your firm uses to track and respond to issues and concerns from both your authorized contractors and from participating entities.


Partner Account Managers (PAM’s) are the point of contact for the partner, as they own the overall partner relationship. If need be, PAMs and partners can escalate issues internally. Juniper remains dedicated and focused on resolving issues and providing the best partner/customer experience possible. Surveys are conducted annually to gauge our success with both partners and customers.

f. Describe in detail how your firm will track, report and verify sales from your designated Data Communication partners and authorized contractors.


On a quarterly basis the designated contract administrator at Juniper Networks will contact the contract administrator at our designated partners and authorized contractor organization and prompt them to fill out the required template for their authorized sales under the awarded contract. The Juniper Networks contract administrator will then compile the multiple reports from the partners and authorized contractors into a single master report and prepare that report for submission to the contract administrator at WSCA-NASPO.

Juniper Networks MX Series Universal Edge Routing Solution Page 18


5. Service Offering Qualifications


This section contains mandatory minimum requirements that must be met in order for your proposal to be considered for the evaluation phase of this RFP. All of the items described in this section are nonnegotiable.

Respondents are required to complete:

Mandatory Requirements (M)

All Respondents must meet the (M) requirements listed in this section, and explain how the requirement is met. A ‘no’ response on the acceptance document or omission of the required explanation will disqualify the service from further evaluation.

5.1.1 General Business Requirements

Each provider must meet the following mandatory general business requirements:

5.1.2 Terms and Conditions

(M) Respondents must indicate their acceptance of the State of Utah Standard Terms and Conditions in addition to the WSCA-NASPO Terms and Conditions attached to this RFP as Attachment A and Attachment B. Any exceptions to these terms and conditions must be clearly identified in bid response and during the question and answer period on BidSync. Significant exceptions may constitute grounds for rejecting Respondent proposals.


Redlined Terms and conditions are provided by Juniper Networks.

5.1.3 Experience

(M) Respondents must be able to provide reference service contracts from a minimum of five government or commercial customers for their Data Communications Product and Services offerings. Government references are preferred. References must include environments and complexity that is similar in scope to those described within this RFP. Any proposals from Respondents that cannot meet these requirements will not be considered. The Respondent must provide specific contact information describing their reference service contracts, which may be verified.



5. Service Offering Qualifications (cont.)



5.1.4 Financial Stability

(M) The Data Communications Product and Services vendor must provide audited financial statements to the State and should meet a minimum Dun and Bradstreet (D&B) credit rating of 4A2 or better, or a recognized equivalent rating. Please provide the Respondent’s D&B Number and the composite credit rating. The State reserves the right to verify this information. If a branch or wholly owned subsidiary is bidding on this RFP, please provide the D&B Number and score for the parent company that will be financially responsible for performance of the agreement. Prime contractors working on behalf of Respondents must submit financial statements that demonstrate financial stability, and adequate working capital, but do not need to meet 4A2 credit rating requirements.


Juniper Networks will comply with this request. The Juniper D&B number is 94-679-2355. Juniper Networks credit rating is 5A1.

5.1.5 Other General Responsibilities

(M) The Respondent must provide the personnel, equipment, tools, and expertise to meet the requirements in this RFP.



(M) Computer applications and Web sites must be accessible to people with disabilities, and must comply with Participating entity accessibility policies and the Americans with Disability Act.



(M) Applications and content delivered through Web browsers must be accessible using current released versions of multiple browser platforms (such as Internet Explorer, Firefox, Chrome, and Safari) at minimum.






5.2 Data Communications Services – Requirements

Offerors may respond to any of the sections where they have substantive product offerings that address the scope detailed in each Section from 5.2.1-5.3.0. All Offerors must include a response to section 5.31 services that addresses products proposed in 5.2.1-5.3.0.

Products may be used by the states in branch offices, main government offices and data centers, and by overall government data communications providers offering carrier class services.

Responses should consider this breadth of use and users.

The scope and context of this solicitation does not include endpoints such as cell/smart phones, other mobile devices or devices designed exclusively for use by individual users. It is focused on the equipment and software infrastructure required to support provisioning of a variety of network services within a modern digital network.

The user context will vary from branch offices through enterprise and statewide data communication network installations. Respondents should offer a range of solutions that are appropriate for installations of varying size and complexity.



5.2.1 Data Center Application Services

Application networking solutions and technologies that enable the successful and secure delivery of applications within data centers to local, remote, and branch-office users using technology to accelerate, secure, and increase availability of both application traffic and computing resources.

5.2.1.1 Virtualized Load Balancers

Virtual devices that act like a reverse proxy to distribute network and/or application traffic across multiple servers to improve the concurrent user capacity and overall reliability of applications. Capabilities should include:

SSL (Secure Sockets Layer) Off-loading


N/A

Caching capabilities


N/A

Layer 4 Load Balancing





N/A



N/A

Detailed Reporting


N/A

Supports multiple load balancers in the same system for multiple groups


N/A

Supports TLS1.2


N/A

5.2.1.2 WAN Optimization

An appliance utilizing a collection of techniques for increasing data-transfer efficiencies across wide-area networks (WAN). Capabilities should include:

CIFS (Common Internet File System) acceleration


N/A

Data Compression


N/A

SSL encryption/decryption for acceleration (Optional)


N/A

Layer 4-7 visibility


N/A




Application Specific optimization


N/A

5.2.2 Networking Software

Software that runs on a server and enables the server to manage data, users, groups, security, applications, and other networking functions.

The network operating system is designed to allow shared file and printer access among multiple computers in a network, typically a local area network (LAN), a private network or to other networks. Networking software capabilities should include:

Junos OS is Juniper Networks highly reliable, high-performance network operating system that provides a common language across our routing, switching, and security devices. The power of one Junos OS reduces complexity in high-performance networks to increase availability and deploy services faster—decreasing network operation costs by up to 40%

Complex networks that require extensive rework to scale and change can slow down marketplace response and new business initiatives. Evolving your network to cost-effectively scale with traffic growth, adapt along with changing business needs, and deliver new services—all while maintaining the operational stability of your infrastructure—begins with greater confidence in your underlying network foundation.

While old hardware and outdated or poorly integrated technologies present challenges, it is the software running in IP networks that consumes the most operational time, causes the majority of operational headaches, and creates obstacles to change. If you can trust the software supporting your infrastructure—particularly in its most strategic and distributed components—your team can focus more of its time and efforts keeping up with traffic demand, as well as new application and business requirements.

What sets Juniper Networks Junos OS apart from other network operating systems is the way it is built—one operating system delivered in one software release track and with one modular architecture.

The consistent user experience and automated toolsets of Junos OS make:

Planning and training easier;

Day-to-day operations more efficient;

Changes in the network faster.

Further, one operating system integrating new functionality in software protects customer investment—not only in hardware, but also in internal systems, practices, and knowledge. That means lower TCO, along with greater flexibility in meeting the new needs and opportunities of your business.

Restartable Process


Yes, the Junos operating system has restartable processes. The modularity of the Junos OS architecture is integral to the high reliability, performance, and scalability delivered by its software design.




The software architecture of Junos OS is a modular design conceived for flexible, yet stable, innovation across many types of networking functions and sizes of platforms. Modularity and well-defined interfaces throughout the architecture streamline new development and enable complete, holistic integration of services. Through the delivery of one operating system that meets an expanding set of integrated requirements, customers can utilize hardware that can be incrementally expanded to support new growth and services for years to come.

This approach extends customer investment not only in devices, but also in their internal systems, practices, and knowledge. The advantages of modularity reach beyond the stable, evolutionary design of the software. For example, the process modules of the architecture run independently in their own protected memory space, so one module cannot disrupt another by scribbling on its memory. And, the architecture provides separation between control and forwarding functions to support predictable high-performance with powerful scalability from small to very large platforms.

High availability options


In support of high-availability router functioning, Junos OS includes the following features:

Graceful restart – Enables a routing protocol, before it restarts, to inform its adjacent neighbors and peers of its condition. Most Junos OS routing protocols support graceful restart.

Graceful Routing Engine switchover – On routers with dual Routing Engines, enables switching of mastership between Routing Engines without interruption to packet forwarding. For routers in which Adaptive Services, Multiservices, or Tunnel Services PICs or DPCs are installed, features that rely on their services are interrupted momentarily during a Routing Engine switchover. Features that do not use the services continue uninterrupted. After switchover, all features are restored and packet forwarding continues.

Targeted operating systems, i.e. DC, campus, core, wan, etc.


The Junos operating system is the industry’s only carrier-class, purpose-built “pure IP” OS and complements our other core competencies in architecture and silicon design.

Operating System Efficiencies


Inherent interoperability simplifies new feature deployment, software upgrades, and other modifications, allowing operations teams to function more efficiently with less training time and lower costs.

The truly unique nature of Junos OS begins with its most fundamental virtue: a single source code base. This means that Juniper Networks engineers can develop new features one time and then share the code, as applicable, across the many platforms running Junos OS.

A single, cohesive operating system providing a consistent user experience makes planning easier, day-to-day operations more intuitive, and changes faster. Administrators can configure and manage functionality from the basic chassis to complex routing using the same tools across devices to monitor, manage, and update the entire




network. In addition, Juniper Networks Junos Space provides one system to manage security, switching, and routing platforms.

5.2.2.1 Network Management and Automation

Software products and solutions for data center automation, cloud computing, and IT systems management.


Designed for both service providers and enterprises, Junos Space simplifies and automates management of Juniper Networks switching, routing, and security devices. Providing a centralized management plane for a single point-of-contact into the network, and a common management platform for managing and creating applications that meet specific needs, Junos Space is a critical component of Juniper Networks Software Defined Network (SDN) strategy.

Junos Space consists of the following components:

A network management platform for deep element management;

Plug-n-play, domain-specific management applications that help you quickly provision new services and optimize workflow tasks;

A programmable Software Development Kit (SDK) ―the industry’s most complete developer toolkit specifically designed for easy creation of customized network-aware applications.

Each of these components works together to deliver a unified network management and orchestration solution to help you more efficiently manage your network and reduce costs. While Junos Space offers broad fault, configuration, and device provisioning capabilities with a task-specific user interface, its multiple plug-n-play management applications extend the breadth of the platform to optimize workflow tasks for specific domains and use cases (e.g., core, edge, data center, campus and branch, security, mobility, and more). These applications enable you to automate the end-to-end provisioning of new services across thousands of devices with a simple point-n-click GUI interface.

5.2.2.2 Data Center Management and Automation

Software products and solutions that capture and automate manual tasks across servers, network, applications, and virtualized infrastructure.


Using the Junos Space SDK, you can leverage the connections and intelligence embedded in your network to create and deploy complete, customized solutions that meet your specific business needs, simplifying and automating the network, improving network agility at both the platform and application levels, and delivering new services quickly―all from a single console.

In addition to traditional network management and automation, the Junos operating system also offers automation solutions that allow for integration into existing IT practices and workflow systems. This automated solutions come in the form of on-box scripting, as well as off-box




automation solution that give customers an endless amount of possibilities for workflow automation.

Junos automation scripts automate network and router management and troubleshooting. Automation scripts can perform any function available through the remote procedure calls (RPCs) supported by either of the two application programming interfaces (APIs): the Junos Extensible Markup Language (XML) API and the Junoscript API.

On Box scripting comes in three categories:

Configuration Automation (commit script)

Simplify and enforce business rules to avert human errors and optimize network availability.

Event Automation (event script)

Automate reactive and proactive actions in response to network events to achieve self-monitoring and self-diagnostic.

Operations Automation (op script)

Customize and streamline manual tasks to increase operational efficiency and maximize staff expertise leverage.

Off Box Automation

Off Box automation allow for an endless possibility of applications by the end user, Juniper professional services or third parties. One example of this, relative to Datacenter, is our integration with the Puppet Labs Server configuration tool. Puppet Labs’ integration with Juniper enables IT organizations to coordinate change management between their compute and networking resources. This integration solution includes Puppet Enterprise for Junos OS, which provides a native Puppet agent for Junos OS-based devices, as well as the netdev Puppet Forge module. With the Puppet Enterprise and Juniper integration solution, IT organizations can perform common network device configuration changes directly rather than through traditional methods such as change-request tickets, which are tedious, slow and error-prone. By automating network resource management, Puppet Enterprise reduces risk, increases agility, lowers operational costs, and improves overall service levels for IT infrastructure users.

5.2.2.3 Cloud Portal and Automation

Software products and solutions for cloud management with policy-based controls for provisioning virtual and physical resources.


Junos Space Standard Edition includes the Junos Space Platform and a set of collaborative, out-of-the-box applications for automating the operations of Juniper Networks security and switching networks. Additionally, these applications provide plug-and-play solutions for security, mobility, the data center, and more when combined with additional Juniper Networks technologies. The Standard Edition enables quick responses and cost-effective management of highly distributed environments that change frequently. The Standard Edition also




offers multi-layered security and support for new applications and services. If you are just starting out with Junos Space, Juniper Networks recommends you purchase this package.

Applications included in the Junos Space Standard Edition follow:

Network Director – Drastically simplifies enterprise deployment; provides rapid operationalization of campus and data center networks.

Security Design – Simple-to-use application makes it easier to design, validate, and deploy security policies across multi-domain networks.

Service Now – Simplifies and automates diagnostics to speed problem resolution and create additional operational efficiency.

Service Insight – Enables proactive network maintenance with targeted actionable network intelligence, and minimizes the cost of operations.

For integration with your virtual resources Juniper offers the Junos Space application Virtual Control.

Juniper Networks Junos Space Virtual Control allows users to manage, monitor, and control the virtual networks that run within virtualized servers deployed in the data center. Built on Junos Space—an open, extensible platform for developing and hosting applications designed to reduce cost and complexity while opening networks to new business opportunities—Junos Space Virtual Control contributes to a comprehensive solution that extends across the routing, switching, and security infrastructure.

Rather than rebuild the virtual switch that comes as part of the hypervisor software, Virtual Control integrates with the hypervisor vendor’s existing management tools, delivering a combined solution that benefits from both vendors’ innovation and Juniper Networks orchestration solutions.

5.2.2.4 Branch Office Management and Automation

Software products and solutions for management of branch offices. Capabilities include remote troubleshooting, device management, WAN performance monitoring.


In addition to the aforementioned network management features and applications for Junos Space, Junos Space Network Director is specifically designed for Campus and Branch Office management and automation. Junos Space Network Director provides a single pane of glass view into both the wired and wireless networks, and creates a holistic, full lifecycle management solution for the network. Junos Space Network Director delivers:

Critical elements of advanced management applications by providing operational efficiency, expedited error free service roll-out, enhanced visibility and fast troubleshooting.

Operational efficiency by employing a correlated view of various networks elements. It offers a holistic view of every aspect of network operation to remove the need for disjointed applications throughout the lifecycle of the network.

Faster roll-out and activation of services while protecting against configuration errors with profile-based configuration and configuration pre-validation.

Single pane of glass management that provides a unified view of the network infrastructure including a correlated view of overlay services and user experience on top of network infrastructure. Junos Space Network Director also tracks aggregated utilization, network hotspots, failures, correlated RF data and usage to a user level providing deep visibility and easy troubleshooting of connectivity, equipment and general failures.




Additional Automation tools for network deployments can be built utilizing the Junos Automation toolset.

5.2.3 Network Optimization and Acceleration

Devices and tools for increasing data-transfer efficiencies across wide-area networks.


N/A

5.2.3.1 Dynamic Load Balancing

An appliance that performs a series of checks and calculations to determine which server can best service each client request in order to select the server that can successfully fulfill the client request and do so in the shortest amount of time without overloading either the server or the server farm as a whole.


N/A

5.2.3.2 WAN Acceleration

Appliance that optimizes bandwidth to improve the end user's experience on a wide area network (WAN). Capabilities should include:

CIFS acceleration


N/A

Data Compression


N/A



N/A



N/A






N/A

5.2.3.3 High Availability and Redundancy

Limits any disruption to network uptime should an appliance face unforeseen performance issues. Transparently redistributes workloads to surviving cluster appliances without impacting communication throughout the cluster.


N/A

5.2.4 Optical Networking

High capacity networks based on optical technology and components that provide routing, grooming, and restoration at the wavelength level as well as wavelength based services.

Juniper Networks provides a strong Routing Products Portfolio consisting of ACX, MX, T and PTX series routers, which provide Routing, Grooming and Restoration at the Packet Layer (L3) that are optimized for the Access, Edge, Edge/Core, and Core networks respectively. The PTX Packet Optical Converged Transport Router has integrated DWDM interfaces that enable packet optical integration, as demonstrated at the Optical Fiber Conference in Anaheim, CA in March 2013; PTX can interoperate with third party DWDM systems and Management System for Wavelength Provisioning and Restoration.

5.2.4.1 Core DWDM (Dense Wavelength Division Multiplexing) Switches

Switches used in systems designed for long haul and ultra long-haul optical networking applications.


The PTX Packet Optical Converged Transport Router has integrated DWDM interfaces that are capable of long-haul transport without the need for transponder cards in the third party LH DWDM systems and without the need for in-line Dispersion Compensation Modules (DCM)’s, significantly improving CapEx efficiency and Transport Latency Performance. The MX and T Series routers interface with the third party LH DWDM systems via short reach optics.




5.2.4.2 Edge Optical Switches

Provide entry points into the enterprise or service provider core networks.


The MX and ACX Series of routers are optimized for Provider Edge Services that interface into the enterprise Core and Service provider core, which might be made up of T Series and/or PTX Packet Optical Converged Transport Router. Both MX and ACX product families support a rich set of interfaces and services.

5.2.4.3 Optical Network Management

Provides capabilities to manage the optical network and allows operators to execute end-to-end circuit creation.


Juniper Networks entire Router portfolio of products are built upon Junos Operating system that allow for simplified operations of all Juniper routers. The Junos Space Network Management platform supports all Junos-based platforms providing end-end service creation, management, OAM and SLA enforcement.

5.2.4.4 IP over DWDM (IPoDWDM)

A device utilized to integrate IP Routers and Switches in the OTN (Optical Transport Network).


All routers in Juniper Networks Routing portfolio support optical modules that can support an Optical Transport Network. Grey-client optical interfaces can be deployed over point-to-point fibers to connect with grey-client optics on DWDM systems , which then multiplex onto optical fiber. In addition, Juniper supports pluggable optical interfaces that are on the ITU C-BAND optical grid, which can be used with passive multiplexers for DWDM connectivity.




5.2.5 Routers

A device that forwards data packets along networks. A router is connected to at least two networks, commonly two LANs or WANs or a LAN and its ISP's network. Routers are located at gateways, the places where two or more networks connect, and are the critical device that keeps data flowing between networks and keep the networks connected to the Internet.

5.2.5.1 Branch Routers

A multiservice router typically used in branch offices or locations with limited numbers of users and supports flexible configurations/feature. For example: security, VoIP, wan acceleration, etc.


Juniper Networks SRX Series for the branch delivers the proven performance and deployment capabilities needed for an enterprise to build a worldwide network of thousands of sites. A wide variety of options allow configuration of performance, functionality, and price scaled to support a range of users, from a handful to thousands. The SRX Services Gateway for the branch offers the following:

Application level security – AppSecure is a suite of application-aware security services that classify traffic flows, bringing greater visibility, enforcement, control, and protection to network security. AppSecure uses advanced classification techniques to decode and identify applications including Web 2.0 encrypted and nested applications that run within trusted protocols such as HTTP.

Network security segmentation – Security zone, virtual LANs (VLANs), IPsec VPNs and virtual routers allow administrators to tailor security and networking policies for various internal, external, and demilitarized zone (DMZ) subgroups.

Fully integrated Unified Threat Management (UTM) – Allows enterprises to utilize the appropriate level of security needed at a particular site instead of deploying a multi-device solution. Includes two antivirus options (on-premise or cloud-based), intrusion prevention system (IPS), anti-spam, enhanced Web filtering, data loss prevention, and AppSecure.

5.2.5.2 Network Edge Routers

A specialized router residing at the edge or boundary of a network. This router ensures the connectivity of its network with external networks, a wide area network or the Internet. An edge router uses an External Border Gateway Protocol, which is used extensively over the Internet to provide connectivity with remote networks.


Juniper Networks MX Series 3D Universal Edge Routers are the only routers designed to provide the 3D scaling necessary to address today’s advanced Ethernet requirements. MX Series routers are purpose-built with full routing and switching capabilities to deliver the lowest cost per port without sacrificing performance, reliability, scalability, or functionality. Powered by Juniper Networks Junos operating system and high-performance silicon, such as the I-Chip and




Junos Trio chipset, the MX Series enables service providers and enterprises to adapt to—and profit from—Ethernet services in a changing market.

The MX Series provides the 3D scale, maximum performance, availability, and service agility that enterprises and service providers need to gain a competitive advantage in today’s Ethernet environment. These high-performance Ethernet routers function as a Universal Edge platform capable of supporting all types of business, mobile, and residential services. With powerful switching and security features, the MX Series delivers unmatched flexibility and reliability to support advanced services and applications. MX Series routers also separate control and forwarding functions to provide maximum scale and intelligent service delivery capabilities.

MX Series routers are optimized for Ethernet and address a wide range of deployments, architectures, port densities, and interfaces for both service provider and enterprise environments. In both markets, the MX Series provide the scalable, high port-density routing and switching required for applications, such as data centers. For service providers, MX Series routers surpass the requirements of carrier-grade Ethernet switches as defined by the Metro Ethernet Forum—making Juniper Networks routers the platforms of choice for service providers seeking 3D scaling in the Universal Edge.

Powered by Junos OS, the MX Series provides a consistent operating environment that streamlines network operations and improves the availability, performance, and security of all types of services supported at the Universal Edge. It offers the most complete, advanced routing features in the industry without compromising performance, which maximizes investment protection. These features include traffic segmentation and virtualization with MPLS, ultra-low-latency multicast, as well as comprehensive security and QoS implementations to accelerate delivery of time-sensitive applications and services.

The carrier-class reliability and high availability features available on the MX Series include:

Graceful restart

Nonstop routing

Fast reroute (FRR)

Unified In-Service Software Upgrade (ISSU)

A comprehensive OAM toolkit

VPLS multihoming

Small to Mid-Range MX Models include:

• MX5 – Juniper Networks MX5 midrange router is a versatile platform for small-scale environments with space and power constraints and is suitable for both enterprise and service provider networks needing full MX Series features and capabilities in a compact form factor. Only 2 RU high, this cost-effective router supports one MIC slot and is software upgradable to MX10, MX40, or MX80.

• MX10 – Juniper Networks MX10 midrange router is a cost-effective, versatile platform in a compact form factor. The MX10 is suitable for enterprise and service provider networks with space and power constraints that require the full MX Series features and capabilities in a compact form factor. This router measures 2 RU high, supports two MIC slots, and is software upgradable to the MX40 or MX80.

• MX40 – Juniper Networks MX40 midrange router is suitable for small-scale environments with space and power constraints, as well as enterprise and service provider networks needing the versatility of complete MX Series features and capabilities. This router supports two MIC slots and is software upgradable to MX80. Only 2 RU high, this router is designed to help customers drive down their TCO and increase operational efficiencies in both enterprise and service provider deployments without service compromise.




• MX80 – Juniper Networks MX80 is the most compact member of the MX Series product family. Only 2 RU high and equipped with front-end accessible redundant power supplies and fans, this platform is perfectly suited for environments requiring full Ethernet capabilities, but facing space or power constraints. In the enterprise, the MX80 and MX80-48T can be deployed in campus, small sites, and small data center WAN connectivity; and service providers can utilize the MX80 for mobile backhaul hub site aggregation, metro ring access nodes, cable and Multitenant Unit (MTU) aggregation, distributed PE and high-end CPE.

Juniper Networks Multiservice Interface MICs deliver the most widely used multiservice interfaces including DS3, OC3, OC12, and OC48. The Multiservice Interface MICs deliver these interfaces on all the MX Series routers. This allows the MX Series to address various multiservice scenarios, permitting service delivery with a single versatile platform. The Multiservice Interface MICs extend the latest advancements in traffic management technology, allowing service providers and enterprises to meet their most demanding WAN needs. Interface options include:

20 ports of 10/100/1000 Ethernet with small form-factor pluggable transceiver (SFP) interfaces

2 10gbE modular interface ports with 10-gigabit small form-factor pluggable transceiver (XFP) interfaces

40 ports of 10/100/1000 Ethernet with Tx interfaces

low density 4 port clear channel OC3, or 4 port OC12, or 1 port OC48

High density 8 port clear channel OC3, or 8 port OC12, or 4 port OC48

5.2.5.3 Core Routers

High performance, high speed, low latency routers that enable Enterprises to deliver a suite of data, voice, and video services to enable nextgeneration applications such as IPTV and Video on Demand (VoD), and Software as a Service (SaaS).


With advanced services and applications such as IPTV, VoIP, and VPLS driving a more comprehensive set of sophisticated requirements, Juniper Networks has purpose-built our MX Series portfolio to provide true carrier-grade Ethernet functionality with the scalability and performance needed to satisfy the most demanding network requirements. No other vendor comes close to matching the number of supported 1GE and 10GE ports and MAC addresses of Juniper Networks MX Series. Because the MX Series supports more than twice as many interfaces per chassis as competing products, customers can increase the energy efficiency of their networks and reduce power, space, and cooling costs by as much as 60 percent.

In addition to the models referenced in the previous sections additional models are available to provide scale in the core of the network. These models include:

MX104 – Juniper Networks MX104 is a modular, full-featured MX Series platform for space- and power-constrained service provider and enterprise facilities. Optimized for the aggregation of mobile, enterprise WAN, business, and residential access services, the MX104 can also deliver edge services for metro providers. The MX104 comes in a space-efficient 3.5 RU, ETSI compliant chassis and supports 80 Gbps of throughput—setting a new benchmark for port density in its product category.

MX240 – Juniper Networks MX240 delivers increased port density over traditional carrier




Ethernet platforms as well as performance, scalability, and reliability in a space-efficient package. The MX240 offers fully redundant hardware that includes a redundant Switch Control Board (SCB) and Routing Engines (REs) to increase system availability.

MX480 – Juniper Networks MX480 provides a dense, highly redundant platform primarily targeted for medium to large enterprise campus and data centers, as well as dense dedicated access aggregation and provider edge services in medium and large POPs. The MX480 offers common hardware redundancy including the SCBs, REs, fan trays, and power supplies.

5.2.5.4 Service Aggregation Routers

Provides multiservice adaptation, aggregation and routing for Ethernet and IP/MPLS networks to enable service providers and enterprise edge networks simultaneously host resource-intensive integrated data, voice and video business and consumer services.


The MX Series Routers is the top choice for carries looking for Service Aggregation Solutions. The MX Series routers separate control and forwarding functions to provide maximum scale and intelligent service delivery capabilities. They are optimized for Ethernet services and address a wide range of deployments, architectures, port densities, and interfaces, for both service provider and enterprise environments. Some of the key capabilities that allow MX to be a market leader as service aggregator are:

Rich Virtualization Virtual Switches (L3-L2 stitching) Bridge Domains – VLAN Scaling. Virtual Routers Routing-instances

High Multi-dimensional Scale (these are typical customer scale requirements, not necessarily the MX maximum scale )

4000+ Routing-Instances of type VRF 4000 VRRP instances Up to 8000 eBGP sessions 4000 IPSec Tunnels each running an eBGP session 4000 GRE interfaces 8000 IRB interfaces 8000 Bridge Domains MPLS templates for 4000 IFL’s (both IPv4 and MPLS traffic)

100Gbe Capability for Data Center Interconnect Ability to provide multi-tenancy to customers offering MPLS, GRE& IPSec connectivity options

simultaneously.

Ability to terminate secure tunnels into VRF and tying VRF to Layer 2 domains

Ethernet-based services present a significant new revenue opportunity for service providers across all market segments. These business, mobile, and residential services include VPNs, point-to-point connectivity, high-speed Internet access, and video-based offerings. With continuous technology advances and ongoing standards development, Ethernet is increasingly the technology of choice at the service provider edge—and the MX Series 3D Universal Edge Routers are capable of supporting all these services.




As an example of Juniper Networks commitment to delivering a Universal Edge solution to meet the needs of next-generation networks and services, the MX Series offers unmatched scalability, performance, reliability, and QoS for all types of business, mobile, and residential services. MX Series routers are the only high-density Layer 2 and Layer 3 Ethernet platforms designed with 3D Scaling for deployment in a number of service provider Ethernet edge scenarios.

Examples of the wide range of applications enabled by the MX Series in the Universal Edge include the following:

VPLS for multipoint connectivity – Supports high scale BGP and LDP support Virtual leased line for point-to-point services – Provides native support for point-to-point services RFC 2547.bis IP/MPLS VPN (L3VPN) – Provides full support for MPLS VPNs throughout the Ethernet

network Video distribution for IPTV services – Provides advanced capabilities such as multicast MPLS VPNs Ethernet aggregation at the multiservice edge – Supports up to 480 1GE ports or 192 10GE ports in a

single platform for maximum Ethernet density WAN interfaces for the multiservice edge – Provides support for most widely used multiservice interfaces,

including OC3, OC12, and OC48, facilitating service delivery with a single versatile platform Residential multiplay services – With subscriber management capabilities as well as high-density

Ethernet aggregation, fulfills multiple roles in the delivery of residential services Cloud computing – Provides the perfect platform for connectivity to and between clouds Data center consolidation – With advanced multicasting and unicast capabilities, provides data center

connectivity and server live-mirroring and migration VPLS and MPLS – Enable multiple services, improving network utilization Mobile backhaul and aggregation – Provides cost-effective transport and backhaul of mobile data traffic Application monitoring – With integrated performance monitoring systems such as StreamScope eRM

and Telchemy Embedded Performance Monitor (TePM), provides advanced application layer diagnostics to help service providers deliver a superior user experience for voice, video, and other multimedia services

In addition to the previously mentioned models, the following are options to provide even greater scale:

MX960 – Juniper Networks MX960 (shown in Figure xxx) is a high-density Layer 2 and Layer 3 Ethernet platform designed for deployment in a number of enterprise and service provider Ethernet scenarios. For service providers, the wide range of Ethernet services provided by the MX960 include VPLS services for multi-point connectivity, Virtual Leased Line for point-to-point services, full support for MPLS VPNs throughout the Ethernet network, Ethernet aggregation at the campus/enterprise edge, and Ethernet aggregation at the multiservice edge. In the enterprise, the MX960 can be used for campus and data center core and aggregation, and as a WAN gateway.

The MX960 is ideal for large applications requiring predictable performance for feature-rich infrastructures, and also supports provider edge services. In addition, this platform is ideal where SCB and RE redundancy are required. All major components are field replaceable, increasing system serviceability and reliability, and decreasing mean time to repair.




MX2010 – Expanding the breadth of Juniper Networks Universal Edge portfolio, the MX2010 provides service providers a common system and service delivery platform with variants that cover every market and geography, and offers the highest capacity and density for aggregation of massive numbers of businesses and consumers, in a highly reliable, resilient architecture. The MX2010 is built upon a highly scalable, redundant switch fabric, and a powerful, fully redundant control plane, providing a flexible, scalable, pay-as-you-grow power system supporting DC or AC power sources designed to be highly efficient now and for many years to come.

The MX2010 delivers all of the benefits of the MX2020 and shares a common set of components and cards in a smaller, 10-slot form factor. Eight SFBs are installed to deliver 8.6 Tbps of switching capacity at inception. The MX2010 supports the same line cards as the MX2020 and offers the same powerful feature set as the MX Series family of products.

MX2020 – Expanding the breadth of Juniper Networks Universal Edge portfolio—from the 20 Gbps MX5 router to the 80 Tbps MX2020—the MX2020 gives service providers a common system and service delivery platform with variants that cover every market and geography, and offers the highest capacity and density for aggregation of massive numbers of businesses and consumers, in a highly reliable, resilient architecture. The MX2020 is built upon a highly scalable, redundant switch fabric, and a powerful, fully redundant control plane, providing a flexible, scalable, pay-as-you-grow power system supporting DC or AC power sources designed to be highly efficient now and for many years to come.

The MX2020 is a full rack, 20-slot Universal Edge routing platform that has been designed to scale to 80 Tbps (half-duplex) over the long haul. Eight Switch Fabric Boards (SFBs) are installed to deliver 17.2 Tbps of switching capacity at inception. Designed to fit into a standard 19-inch, 45 RU, 4-post equipment rack, the MX2020 is a fully redundant design for all common components, including fan trays, power supplies, and power cabling. Both -48 V DC or AC power modules are offered. AC power is available in Delta or Wye 3-phase configurations.

5.2.5.5 Carrier Ethernet Routers

High performance routers that enable service providers to deliver a suite of data, voice, and video services to enable next generation applications such as IPTV, Video on Demand (VoD), and Software as a Service (SaaS).


Juniper Networks MX Series 3D Universal Edge Routers are the only routers designed to provide the 3D Scaling necessary to address today’s advanced Ethernet requirements. Powered by Juniper Networks Junos operating system and high-performance silicon—such as the I-Chip and Junos Trio chipset—the MX Series enables service providers and enterprises to adapt to, and profit from, Ethernet services in a changing market.

With continuous technology advances and ongoing standards development, Ethernet is rapidly becoming the technology of choice for both enterprises and service providers looking to provide connectivity and intelligent services. While in some respects the requirements may be different, today’s advanced services are dictating that




both enterprises and service providers build networks that meet increasingly stringent requirements regarding QoS, network performance, and availability.

Ethernet bandwidth requirements continue to rise as a result of companies needing high-speed connectivity between their geographically dispersed sites. In addition, there is an increased reliance on collaborative applications across a globally distributed user base which requires sharing data across the WAN. These are often multimedia applications—including video conferencing and video streaming—and thus require extremely high bandwidth and low latency.

In addition to these basic requirements, service providers seeking to provide a differentiated user experience are finding they must scale their networks to support increasingly higher amounts of bandwidth, services, and subscribers. Scaling the network in these three dimensions will be critical to securing competitive differentiation for the next generation of services. Scalability is further enhanced by the ability to interconnect and manage multiple chassis as a single, logical device—improving operational efficiency while lowering TCO.

To address these requirements, Juniper Networks MX Series 3D Universal Edge Routers deliver a high-performance network infrastructure that provides fast, secure, and reliable delivery of the applications that drive business processes—while containing cost and increasing operational efficiency.



5.2.6 Security

5.2.6.1 Data Center and Virtualization Security Products and Appliances

Products designed to protect high-value data and data center resources with threat defense and policy control.


SRX Series: Overview and Models

Juniper Networks SRX Series Services Gateways are the next-generation solution for securing the ever-increasing network infrastructure and applications requirements for both enterprise and service providers. Designed from the ground up to provide flexible processing scalability, I/O scalability, and services integration, the SRX Series can meet the network and security requirements of data center hyper-consolidation, rapid managed services deployments, and aggregation of security solutions.

Based on Juniper Networks revolutionary Dynamic Services Architecture, the SRX Series provides market-leading scalability, flexibility, service integration, and price/performance. Each services gateway can support almost-linear scalability with each additional services processing card (SPC) enabling a fully equipped SRX Series gateway to support between 20 Gbps and 120 Gbps firewall throughput.

SPCs are designed to support a wide range of services and enable future capabilities without the need for service-specific hardware. Using SPCs on all services ensures that there are no idle resources based on specific services being used—maximizing the utilization of equipped hardware.

Built on Junos software¬—which combines the routing heritage of Juniper Networks with the security heritage of ScreenOS—the SRX Series offers the high feature/service integration necessary to secure modern network infrastructures and applications. The SRX Series is equipped with a robust list of features that includes firewall, intrusion detection and prevention (IDP), DoS, NAT, and QoS.

In addition to the benefit of individual features, incorporating the various features under a single OS greatly optimizes the flow of traffic through the services gateway. With Junos, the SRX Series enjoys the benefit of a single source OS, single release train, and one architecture—traditionally available on Juniper Networks service provider class routers and switches. Network traffic no longer needs to be routed across multiple paths/cards or even disparate operating systems within a single gateway.

Juniper Networks Datacenter SRX Portfolio supports the following IPS functionality:

• Modes of operation – In-line and in-line tap

• Active/active traffic monitoring

• Stateful protocol signatures

• Attack detection mechanisms – Stateful signatures, protocol anomaly detection (zero-day coverage), and application identification

• Attack response mechanisms – Drop connection, close connection, session packet log, session summary, and email

• Attack notification mechanisms – Structured syslog

• Worm protection

• Simplified installation through recommended policies

• Trojan protection

• Spyware, adware, and keylogger protection




• Other malware protection

• Application DoS protection

• Protection against attack proliferation from infected systems

• Reconnaissance protection

• Request and response side attack protection

• Compound attacks – Combines stateful signatures and protocol anomalies

• Create custom attack signatures

• Access contexts for customization – 500+

• Attack editing (port range or other)

• Stream signatures

• Protocol thresholds


• Approximate number of attacks covered – 8,000+

• Detailed threat descriptions and remediation/patch info

• Create and enforce appropriate application-usage policies

• Attacker and target audit trail and reporting

• Frequency of updates – Daily and emergency

Models

Juniper Networks SRX Series Services Gateways are high-performance, scalable, carrier-class security devices with multi-processor architectures. The SRX Series models include the following:

SRX1400 – Supports up to 10 Gbps and is ideally suited for small to mid-size data centers, enterprise, and service provider network deployments in need of consolidated functionality, compact environmental footprint, and affordability. Juniper Networks SRX1400 delivers extensive service integration to 10GE environments without the massive scalability provided by the SRX3000 and SRX5000 lines.

SRX3400 – Supports up to 20 Gbps firewall, 6 Gbps firewall and IPS or 6 Gbps IPSec VPN, and up to 180,000 new connections per second. Juniper Networks SRX3400 is ideally suited for securing enterprise data centers and server farms, as well as aggregation of various security solutions.

SRX3600 – Supports up to 30 Gbps firewall, 10 Gbps firewall and IPS or 14 Gbps IPSec VPN, and up to 180,000 connections per second. Juniper Networks SRX3600 is ideally suited for securing enterprise data centers and server farms, as well as aggregation of various security solutions in enterprise and service provider environments.

SRX5600 – Supports up to 70 Gbps firewall, 12 Gbps IPS, and 380,000 new connections per second. Juniper Networks SRX5600 is ideally suited for securing enterprise data centers, as well as aggregation of various security solutions.

SRX5800 – Supports up to 150 Gbps firewall, 26 Gbps ISP, and 380,000 new connections per second. Juniper Networks SRX5800 is ideally suited for securing large enterprise centers and co-located data centers. It can also be deployed to secure service provider infrastructures, as well as services.




Juniper Networks vGW Virtual Gateway is a comprehensive virtualization security solution that includes a high-performance hypervisor-based stateful firewall, integrate intrusion detection system (IDS), virtualization-specific antivirus protection, and unrivaled scalability for managing multi-tenant cloud security. The vGW brings forward powerful new features that offer layers of defense and automated security and compliance enforcement within virtual networks and clouds. By leveraging virtual machine introspection (VM Introspection) data and intelligence, and coupling it with Juniper Networks wide-ranging knowledge of the virtual network environment, vGW creates an extensive database of parameters by which security policies and compliance rules can be defined and enforced.

The vGW Virtual Gateway makes this rich data available in intuitive UIs that let administrators build the entire range of policies from corporate rules on global protocol handling (e.g., block Kazaa) to discrete regulatory compliance policies for how virtual machines should be configured (e.g., must have antivirus installed). Compliance assessment and security enforcement happen automatically and in lockstep with changes in the virtual environment. New VMs, for example, will be scanned and quarantined if out of compliance with policies in effect. The same applies to VMs whose “state” changes such that the security posture is weakened (e.g., antivirus is turned off). The vGW VMware VMsafe-certified security operates from deep within the virtualization fabric as part of the hypervisor. Consequently, the software delivers unprecedented levels of security, far beyond what is possible with traditional physical network security products.

Security and compliance concerns are top of mind in virtualization and cloud deployments. Juniper Networks experience and innovative research in virtualization security has resulted in a powerful software suite capable of monitoring and protecting virtualized environments without negatively impacting performance. A hypervisor-based, VMsafe-certified virtualization security approach, in combination with “X-ray” level knowledge of each virtual machine through VM Introspection, gives the vGW a unique vantage point in the virtualized fabric. Here, virtualization security can be applied efficiently and with context about the virtual environment and its state at any given moment.

vGW delivers total virtual data center protection and cloud security through visibility, protection, and compliance:

• Visibility – Provides full view to all applications flowing between VMs, as well as complete VM and VM group inventory, including virtual network settings. Deep knowledge of VM state, including installed applications, operating systems, and patch level, is also available through VM Introspection.

• Protection – A VMsafe-certified stateful firewall provides access control over all traffic via policies that define which ports, protocols, destination VMs, etc. should be blocked. An integrated intrusion detection engine inspects packets for the presence of malware or malicious traffic and sends alerts as needed. Finally, virtualization-specific antivirus protections deliver highly-efficient on-demand and on-access scanning of VM disks and files with the ability to quarantine infected entities.

• Compliance – Allows for enforcement of corporate and regulatory policies for the presence of required or banned applications via VM Introspection. Some practical applications of compliance enforcement, such as assurance of segregation of duties, ensure that VMs are assigned to the right trust zones inside the virtual environment. In addition, pre-built compliance assessment is based on common industry best practices and leading regulatory standards. vGW can also enforce compliance to a VM “gold” image with quarantine and alerting for non-compliance, thereby ensuring that deviations from the desired VM configuration for not create a security risk.

Juniper Networks Junos DDoS Secure is a unique and advanced heuristic DDoS mitigation technology that dynamically responds to the loading of the protected resources, automatically providing the full spectrum of DDoS defense. Junos DDoS Secure mitigation technology has been ensuring availability of critical business resources for some of the world’s busiest e-commerce and public sector websites for over a decade.

During this time, DDoS has evolved from being a blunt weapon, using high-volume attacks to bring down web servers, to becoming a highly sophisticated tool designed to zero-in on strategic business resources. DDoS




volumetric flood attacks are still a problem for online businesses, but with the right defense in place, these attacks can be nullified.

However, today’s new breed of “low and slow” application layer attacks are not as easy to detect, and therefore, are much more difficult to mitigate. Through an ongoing commitment to R&D—with 100% focus on DDoS mitigation—Juniper Networks world-class technology has kept pace with the changing threat landscape. By offering an equally sophisticated, fine-grained DDoS mitigation tool, Junos DDoS Secure software protects network resources, regardless of which attack vectors are being deployed.

Juniper Networks Junos WebApp Secure is the first Web Intrusion Deception system that detects, tracks, profiles, and prevents hackers in real time.

Traditional web application firewalls are seriously flawed as a result of their reliance on a library of signatures to detect attacks, making them susceptible to unknown (zero-day) web attacks. Junos WebApp Secure software technology uses Intrusion Deception to address this problem. Unlike signature-based approaches, Junos WebApp Secure inserts random, variable detection points, or tar traps, into the code of outbound Web application traffic to proactively identify attackers before they can do damage—without false positives.

Junos WebApp Secure puts in place the following three key elements to ensure protection from attacks:

No False Positives

Junos WebApp Secure inserts detection points into the code and creates a random and variable minefield all over the Web application. These detection points allow for detection of attackers during the reconnaissance phase of the attack, before they have successfully established an attack vector. Attackers are detected when they manipulate the tar traps inserted into the code. And because attackers are manipulating code that has nothing to do with your website or Web application, you can be absolutely certain that it is a malicious action—with no chance of a false positive.

Block Attackers, Not IPs

Junos WebApp Secure captures the IP address as one data point for tracking the attacker, but it also realizes that making decisions on attackers identified only by an IP address is fundamentally flawed because many legitimate users could be accessing your site from the same IP address. For this reason, Junos WebApp Secure tracks the attackers in significantly more granular ways.

For attackers who are using a browser to hack your website, Junos WebApp Secure tracks them by injecting a persistent token into their client. The token persists even if the attacker clears cache and cookies, and it has the capacity to persist in all browsers including those with various privacy control features. As a result of this persistent token, Junos WebApp Secure can prevent a single attacker from attacking your site, while allowing all legitimate users normal access. For attackers who are using software and scripts to hack your website, Junos WebApp Secure tracks them using a fingerprinting technique to identify the machine delivering the script.

Prevent and Deceive

Detection with no false positives and client-level tracking are both vital for launching a countermeasure to prevent an attacker. Only with certainty-based detection can you safely prevent an attacker and ensure that you are not blocking legitimate users. The Smart Profiling technology profiles the attacker to determine the best response to prevent the attack. Responses can be as simple as a warning or as deceptive as simulating that the site is broken from the attacker’s perspective only. Every detected attacker gets a profile and every profile gets a name. The Smart Profile ultimately creates a threat level for each attacker in order to prevent attackers in real time, at the client level, with no false positives.

Smart Profiling provides IT security professionals with more valuable knowledge about attackers and the threat they pose than has ever before been available. With automated countermeasures, Junos WebApp Secure works around the clock detecting and preventing attackers. It doesn’t create log files for review; it simply reports how




many attackers it has detected and what countermeasure response was applied. This security device works as part of your security team—even when you sleep.

The Junos WebApp Secure process follows:

Detect

Detect using deception – Junos WebApp Secure inserts detection points into web application code including URLs, forms, and server files to create a variable minefield. These traps detect hackers when they manipulate the detection points during the reconnaissance phase of the attack—before they can establish an attack vector. And because hackers are manipulating code that has nothing to do with the website or web application, the malicious action is certain.

Track

Track attackers beyond the IP address – Junos WebApp Secure captures an attacker’s IP address as one data point for tracking. But many legitimate users could also be accessing the site from the same IP address—for this reason, Junos WebApp Secure goes beyond the IP address and tracks attackers more granularly. Attackers using a browser are tracked by injecting a persistent token into their client. Attackers using scripts and tools are tracked using a fingerprinting technique to identify the machine delivering the script.

Profile

Understand attackers and record their attack – The tracking techniques allow us to profile the attacker and record the attack. Every attacker is assigned a name, and each incident is recorded along with a threat level based on their intent and skill.

Respond

Respond to attackers – Once an attack has been detected, an appropriate response—from a warning, to requiring a CAPTCHA, to blocking a user or forcing them to logout, can be deployed manually or automatically in real-time.

5.2.6.2 Intrusion Detection/Protection and Firewall Appliances

Provide comprehensive inline network firewall security from worms, Trojans, spyware, key loggers, and other malware. This includes Next-Generation Firewalls (NGFW), which offer a wire-speed integrated network platform that performs and Firewall Appliances should provide:

Non-disruptive in-line bump-in-the-wire configuration


In addition to supporting In-line and in-line tap on the Juniper SRX Datacenter firewalls, the SRX supports a wide range of Highly Available deployments. The primary goal is to ensure that the SRX can survive losing either the data or control plane in the event of a failure. Juniper Networks SRX brings a new idea to high availability design by enabling it to failover the control plane and/or the data plane between chassis.

This new hybrid design allows two individual boxes to act as one large chassis. In doing so, it allows two different systems to be spread across two units. In this scenario, it is not like a traditional active/backup cluster where one device does all of the work and the other device sits idle.

The control plane portion of the cluster is the Routing Engine. The Routing Engine can failover between the two chassis, with the first node passing traffic while the second node maintains the active Routing Engine. In the event of a failure, the system that is running on the failed chassis fails over to the second chassis. This is done in a stateful manor for all of the traffic passing through the device. The only traffic that is lost is what is in the box or




the wires that fail. In the data center, this provides the ease of deployment of active/backup with the flexibility that the second chassis can provide some backup services.

Juniper Networks SRX5800 supports the following functionality for high availability:

• Active/passive, active/active

• Configuration synchronization

• Session synchronization for firewall and IPsec VPN

• Session failover for routing change

• Device failure detection

• Link and upstream failure detection

• Dual control links

• Interface link aggregation/LACP

• Redundant data and control links*

• In-Service Software Upgrade (ISSU)**

Standard first-generation firewall capabilities, e.g., network-address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN), etc.


Juniper Networks Datacenter SRX Portfolio supports the following firewall functionality:

Stateful Inspection

Network attack detection

DoS and DDoS protection

TCP reassembly for fragmented packet protection

Brute force attack mitigation

SYN cookie protection

Zone-based IP spoofing

Malformed packet protection

Traffic Inspection Methods include:

Application identification - Identifies applications and tunneled applications independent of protocol and port numbers. This provides granular control over application traffic through smart FW policies.

Protocol anomaly detection – Verifies protocol usage against published RFCs to detect violations or abuse. This proactively protects network from undiscovered vulnerabilities.

Traffic anomaly detection - Utilizes heuristic rules to detect unexpected traffic patterns that may suggest reconnaissance or attacks. This proactively prevents reconnaissance activities or blocks DDoS attacks.




IP spoofing detection - Checks the validity of allowed addresses inside and outside the network. This permits only authentic traffic while blocking disguised sources.

DoS Detection - Supports SYN cookie-based protection from SYN flood attacks. This protects key network assets from being overwhelmed with SYN floods.

The SRX Datacenter Portfolio has a wide range of NAT support. NAT support methods are as follows:

Destination NAT

Juniper Networks SRX5800 supports the following functionality for destination NAT:

Destination NAT with PAT

Destination NAT within same subnet as ingress interface IP

Destination addresses and port numbers to one single address and a specific port number (M:1P)

Destination addresses to one single address (M:1)

Destination addresses to another range of addresses (M:M)

Source NAT

Juniper Networks SRX5800 supports the following functionality for source NAT:

Static Source NAT – IP-shifting DIP

Source NAT with PAT – Port-translated

Source NAT without PAT – Fix-port

Source NAT – IP address persistency

Source pool grouping

Source pool utilization alarm

Source IP outside of the interface subnet

Interface source NAT – Interface DIP

Oversubscribed NAT pool with fallback to PAT when the address pool is exhausted

Symmetric NAT

Allocate multiple ranges in NAT pool

Proxy ARP for physical port

Source NAT with loopback grouping – DIP with loopback grouping

IPsec VPN Functionality

Juniper Networks SRX5800 supports the following IPsec VPN functionality:

Site-to-site tunnels up to 15,000




Tunnel interfaces up to 15,000

DES (56-bit), 3DES (168-bit), and AES encryption

MD5 and SHA-1 authentication

Manual key, IKE, PKI (X.509)

Perfect forward secrecy (DH groups) – 1, 2, 5

Replay attack prevention

Remote access VPN

Redundant VPN gateways

Application awareness, full stack visibility and granular control


Juniper Networks AppSecure is a suite of next-generation security capabilities that utilizes advanced application identification and classification to deliver greater visibility, enforcement, control, and protection over the network.

Features are as follows:

AppTrack - Detailed analysis on application volume/usage throughout the network based on bytes, packets, and sessions. This provides the ability to track application usage to help identify high-risk applications and analyze traffic patterns for improved network management and control.

AppFW - Fine grained application control policies to allow or deny traffic based on dynamic application name or group names. This enhances security policy creation and enforcement based on applications and user roles rather than traditional port and protocol analysis.

AppQoS - Set prioritization of traffic based on application information and contexts. This provides the ability to prioritize traffic as well as limit and shape bandwidth based on application information and contexts for improved application and overall network performance.

AppDoS - Multi-stage detection methods used to identify and mitigate targeted attacks from disrupting critical applications and services. This identifies attacking botnet traffic against legitimate client traffic to prevent DDoS attacks targeting applications.

Application Signatures - More than 900 signatures for identifying applications and nested applications. This ensures that applications are accurately identified and the resulting information can be used for visibility, enforcement, control, and protection.

SSL Inspection - Inspection of HTTP traffic encrypted in SSL on any TCP/UDP port. This combined with application identification, provides visibility and protection against threats embedded in SSL encrypted traffic.

Capability to incorporate information from outside the firewall, e.g., directory based policy, blacklists, white lists, etc.


Yes, the Juniper SRX Datacenter Firewall product portfolio has the ability to incorporate information from outside sources in several ways. This integration can be from Juniper products like policy changes integrated with the vGW product or UAC. Third-party solutions




such as ThreatStop are also available. Also future products like the Juniper Spotlight Secure solution have the ability to integrate as well.

vGW Integration:

The SRX Series with vGW Virtual gateway integration delivers the security necessary for today’s data center with its mix of physical and virtualized workloads. Integrated with the SRX Series, the vGW Virtual gateway queries the SRX Series gateway for its zone, interface, network, and routing configuration. vGW then uses that information with the vGW management system (Security design for vGW) to create VM Smart groups so that users of vGW can see VM-to-zone attachments, create additional inter-VM zone policies, and incorporate zone knowledge into compliance checks (for example, is a client x VM connected to a client y zone).

In combination, the SRX Series and vGW deliver best-in-class security to the data center, enabling security administrators to guarantee that consistent security is enforced from the perimeter to the server VM. The SRX Series delivers zone-based segregation at the data center perimeter. vGW integrates the knowledge collected in SRX Series zones to ensure that zone integrity is enforced on the hypervisor using automated security concepts like Smart groups and virtual machine introspection. Together, these solutions deliver stateful firewall and optional malware detection for inter-zone and inter-VM traffic; compliance monitoring and enforcement of SRX Series zones within the virtualized environment; and automated quarantine of VMs that violate access, regulatory, or zone policies.

In terms of the benefits of zone synchronization between the SRX Series and vGW, implementers have:

Guaranteed integrity of zones on the hypervisor (virtualization operating system)

Automation and verification that VM connectivity does not violate zone policy

Enhancement of the SRX Series network with knowledge of VMs and their zone location Datacenter SRX and UAC Integration:

Juniper Networks firewall products act as Layer 3 through Layer 7 overlay enforcement points for UAC. Furthermore, with Juniper Networks standalone IDP Series appliances serving as role-based application-level policy enforcement points, UAC is able to deliver access control to the application within your network.

Threat Stop Integration:

ThreatSTOP is a cloud service that delivers IP addresses for known criminal sites to Juniper Networks® SRX Series Services Gateways so that they can block all traffic to and from those sites. This blocklist is updated continually, and it is distributed to the SRX Series via a Domain Name System (DNS) lookup. The service can be enabled on an SRX Series device within an hour via a two-command install. No software, network reconfiguration, or user training is needed.

Botnets, spear-phishing, and related criminal malware are among the greatest network security risks today. Designed to steal valuable data and control your machines, these threats can cause great financial, competitive,




productivity, and reputational damage. Industry surveys show botnet infection rates are near 100% for organizations of all sizes and types. No one is immune from this exponentially growing and pervasive problem.

Most of today’s security products rely on signature detection to spot threats. Used exclusively, this approach leads to low catch rates, slow detection, and high false positives. Equally important, these solutions do not stop malware from “calling home” to command and control hosts to pilfer your valuable financial, corporate, and customer data.

Juniper Spotlight Secure:

Juniper Networks Junos Spotlight Secure is a cloud-based threat intelligence solution that identifies individual attackers at the device level (versus the IP address), tracks them in a global database, and shares them globally with security devices. The hacker device ID intelligence solution creates a persistent fingerprint of attacker devices based on more than 200 unique attributes to deliver precision identification and blocking of attackers—without false positives that could impact valid users. While current available reputation feeds rely only on IP addresses, Junos Spotlight Secure offers customers more reliable security against attackers and eliminates false positives.

Leveraged by Junos WebApp Secure and Juniper Networks SRX Series Services Gateways, Junos Spotlight Secure acts as the consolidation point for attacker and threat information, feeding intelligence in real time to Juniper Networks security solutions. In addition, it puts non IP- based attacker profiling at the center of a framework that will gather and distribute attacker fingerprints to a worldwide network of inline security solutions. With a broad security and networking product installed base and a new system for distributing definitive hacker IDs, Juniper Networks has changed the speed and accuracy with which customers prevent security breaches. The Junos Spotlight Secure global attacker intelligence service sets a new efficacy bar for all security and networking vendors.

Upgrade path to include future information feeds and security threats


Yes, the Juniper SRX product portfolio is future proofed and can receive outside feeds in several fashions as demonstrated in the previous section. Also more flexible solutions are available and can be customer build through the use of the Junos XML API and NETCONF.

SSL decryption to enable identifying undesirable encrypted applications (Optional)


Yes the Juniper SRX datacenter product portfolio through the use of its AppSecure feature set can inspect HTTP traffic encrypted in SSL on any TCP/UDP port. This combined with application identification, provides visibility and protection against threats embedded in SSL encrypted traffic.

5.2.6.3 Logging Appliances and Analysis Tools

Solutions utilized to collect, classify, analyze, and securely store log messages.


Juniper Networks STRM Series Security Threat Response Managers provide situational awareness and compliance support to organizations that need to tighten security and improve policy monitoring with a modest investment in time and resources. STRM provides an all-in-one security solution that combines, analyzes, and




manages an incomparable set of surveillance data―network behavior, security events, vulnerability profiles, and threat information―all from a single, secure console.

Along with simple deployment, fast implementation, and improved security at a low TCO, STRM goes beyond traditional SIEM products and network behavior analysis (NBA) products to create a command-and-control center that delivers:

Threat management – STRM detects threats that would otherwise be missed by product or operational silos.

Log management – STRM responds to the right threats at the right time through effective analysis of log files.

Compliance – STRM implements a compliance and reporting safety net with comprehensive event storage and reporting.

STRM provides network remediation for threat responses across all security products. Through effective analysis of networks, events, and audit log files, STRM has the ability to identify environmental anomalies in the network, attack paths, and the sources of threats.

STRM uses two drivers for security analysis of external and internal threats:

Security Information Management (SIM) – Provides reporting and analysis of data from host systems, applications, and security devices to support security policy compliance management, internal threat management, and regulatory compliance initiatives.

Security Event Management (SEM) – Improves security incident response capabilities by processing data from security devices and network devices; helps network administrators to provide effective responses to external and internal threats.

STRM plugs right into a network, making it fast and easy to deploy. With pre-installed software, a hardened operating system, and a Web-based setup, STRM lets you get your network security up and running quickly and easily. With its intuitive Web-based user interface, configuration is so simple that STRM can be up and monitoring the network in minutes.

In addition, STRM is optimized hardware that does not require expensive external storage, third-party databases, or ongoing database administration.

STRM500

Juniper Networks STRM500 is ideal for deployments in small, medium, and large enterprises or departments that do not foresee the need to upgrade to higher events-per-second or flows-per-minute capacities. STRM500 can also be deployed as a dedicated QFlow collector for collection of network flows to provide Layer 7 analysis.

STRM2500

Juniper Networks STRM2500 is an enterprise-class appliance that provides a scalable network security management solution for medium-sized companies up to large, globally-deployed organizations. STRM2500 is the ideal solution for growing companies that will need additional flow and event monitoring capacity in the future. It is also the base platform for large companies that may be geographically dispersed and looking for an enterprise-class scalable solution. STRM2500 includes on-board event collection, correlation, and extensive reporting capabilities, and is expandable with additional STRM2500 appliances acting as event and flow collectors or a combination of both on a single appliance.




STRM5000

Juniper Networks STRM5000 is an enterprise and carrier-class appliance which provides a scalable network security management solution for medium-sized companies up to large, globally-deployed organizations. STRM5000 is the ideal solution for growing companies that anticipate the need for additional flow and event monitoring capacity in the future. It is also the base platform for large companies that are geographically dispersed and looking for a distributed enterprise/carrier-class scalable solution. STRM5000 utilizes on-board event/flow collection and correlation capabilities, and is expandable with additional STRM5000 appliances acting as event and flow collectors.

5.2.6.4 Secure Edge and Branch Integrated Security Products

Network security, VPN, and intrusion prevention for branches and the network edge. Products typically consist of appliances or routers.


SRX Series for the Branch: Overview and Models

Juniper Networks SRX Series Services Gateways for the branch are deployed at remote and branch locations in the network to provide all-in-one secure WAN connectivity, IP telephony, and connection to local PCs and servers via integrated Ethernet switching. This SRX Series product line provides essential capabilities that connect, secure, and manage work force locations sized from handfuls to hundreds of users.

By consolidating fast, highly available switching, routing, security, and applications capabilities in a single device, enterprises can economically deliver new services, safe connectivity, and a satisfying end user experience. All SRX Series gateways, including those scaled for the branch, campus, and data center applications, are powered by Juniper Networks Junos OS―the proven operating system that provides unmatched consistency, better performance with services, and superior infrastructure protection at a lower TCO. Used by core Internet routers in all of the top 100 service providers around the world, Junos OS offers the rigorously tested carrier-class routing features of IPv4/IPv6, OSPF, BGP, and multicast.

Juniper Networks SRX Series for the branch provides:

Perimeter security

Content security

Application visibility

Tracking and policy enforcement

Role-based access control

Network-wide threat visibility and control

Best-in-class firewall and VPN technologies secure the perimeter with minimal configuration and consistent performance. By using zones and policies, even new network administrators can configure and deploy an SRX Series gateway quickly and securely. The SRX Series also includes wizards for firewall, IPsec VPN, NAT, and initial set up to simplify configurations out of the box. Policy-based VPNs support more complex security architectures that require dynamic addressing and split tunneling. For content security, the branch SRX Series offers a complete suite of Unified Threat Management (UTM) services via content filtering, including:




Intrusion prevention system (IPS)

Application security (AppSecure)

On-box and cloud-based antivirus

Anti-spam

Enhanced Web filtering

Data loss prevention

Select models (SRX550, SRX650, and high-memory versions of SRX210, SRX220, and SRX240) feature Content Security Accelerator for high-performance IPS and antivirus performance. The branch SRX Series integrates with other Juniper Networks security products to deliver enterprise-wide unified access control (UAC) and adaptive threat management. These capabilities give security professionals powerful tools in the fight against cybercrime and data loss.

The SRX Series for the branch brings high-performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of sites. The wide variety of options allows configuration of performance, functionality, and price scaled to support from a handful to thousands of users. Ethernet, serial, T1/E1, DS3/E3, xDSL, Wi-Fi, and 3G/4G LTE wireless are all available options for WAN or Internet connectivity to securely link your sites. Multiple form factors allow you to make cost-effective choices for mission-critical deployments. Managing the network is easy using the proven Junos CLI and scripting capabilities, a simple-to-use Web-based GUI, Juniper Networks Network and Security Manager (NSM) for large-scale deployments, or Juniper Networks Junos Space Security Design for centralized management.

Models

Juniper Networks SRX Series for the branch includes the following models:

SRX100 – Juniper Networks SRX100 can support up to 700 Mbps firewall, 65 Mbps IPSec VPN, and 60 Mbps IPS. Additional security features include UTM, which consists of IPS, antispam, antivirus, and Web filtering. The SRX100 is ideally suited for securing small distributed enterprise locations.




SRX240 – Juniper Networks SRX240 can support up to 1.8 Gbps firewall, 300 Mbps IPSec VPN, and 230 Mbps IPS. The SRX240 also supports UTM, and is ideally suited for securing branch distributed enterprise locations.

SRX550 – Juniper Networks SRX550 can support up to 5.5 Gbps firewall, 1.0 Gbps IPSec VPN, and 800 Mbps IPS. Additional security features include UTM, which consists of IPS, antispam, antivirus, and Web filtering. The SRX550 is ideally suited for securing small distributed enterprise locations.




SRX650 – Juniper Networks SRX650 can support up to 7.0 Gbps firewall, 1.5 Gbps IPSec VPN, and 1.0 Gbps IPS. The SRX650 also supports UTM, and is ideally suited for securing regional distributed enterprise locations.

5.2.6.5 Secure Mobility Products

Delivers secure, scalable access to corporate applications across multiple mobile devices.


Junos Pulse: Overview

Juniper Networks Junos Pulse is an endpoint software platform that enables dynamic SSL VPN connectivity, network access control (NAC), mobile security, online meetings and collaboration, and application acceleration through a simple, yet elegant user interface. By removing the complexity from network connectivity and access control collaboration, as well as application acceleration, Junos Pulse provides dynamic connectivity and security, and delivers optimal connectivity to end users depending on their device type, security state, location, identity, and adherence to corporate access control policies. It is identity- and location-aware, and seamlessly migrates from one access method to another based on device location.

Junos Pulse provides easy deployment and management for administrators and easy access for users by intelligently delivering and enabling services through a single, integrated user interface for both mobile and non-mobile devices. Using Junos Pulse—the only integrated access, security, collaboration, and acceleration services solution for virtually any device, administrators can simplify and secure fast, seamless mobile, remote, and local network, cloud, and application access for end users by configuring policies that automatically enable the appropriate network or cloud connection—with no user interaction required.

Junos Pulse also provides the following features:

Enables mobile and remote network access, network security, and application acceleration, increasing visibility and manageability while enabling secure access to network resources based on user identity and role

Reduces the cost and time associated with deployment

Uses industry and open standards, such as the Trusted Network Connect (TNC) specifications

Serves as a platform for integration of select third-party, best-in-class security, access, and connectivity applications

Delivers a value-added services platform for service providers

Junos Pulse Services

Services currently supported and delivered through Junos Pulse include:

Junos Pulse Mobile Security Suite

Junos Pulse Mobile Security Suite protects smartphones from viruses, malware, loss or theft, physical compromise, and other threats, and supports major mobile operating systems. It also provides robust remote device management tools. Junos Pulse Mobile Security Suite can remotely backup and restore data stored on




smartphones, and it can monitor and control device use. It is simple to deploy, and enables enterprises to give personal smartphones secure access to corporate network and information resources.

Junos Pulse Secure Access Service

Junos Pulse Secure Access Service provides secure, authenticated access to corporate resources by remote or mobile users from any Web-enabled device to corporate resources—anytime, anywhere, through the simple, intuitive Junos Pulse interface. Junos Pulse Secure Access Service, in conjunction with MAG Series Junos Pulse Gateways, SA Series SSL VPN Virtual Appliances, or legacy SA Series SSL VPN Appliances, enables secure SSL access from a broad range of mobile and non-mobile devices, including laptops, desktop PCs, smartphones, tablets, and other Wi-Fi or 3G-enabled devices.

Junos Pulse Application Acceleration Service

Junos Pulse Application Acceleration Service enables dynamically provisioned, pervasive, location-agnostic application acceleration. When used in conjunction with the Junos Pulse Secure Access Service, Junos Pulse Application Acceleration Service delivers accelerated application access for mobile and remote users. The Junos Pulse Application Acceleration Service also provides an easy, affordable solution for small offices where a dedicated application acceleration appliance may not be economically feasible.

Junos Pulse Access Control Service

Junos Pulse Access Control Service enables safe, protected cloud, network, and

application access for a diverse user audience over a variety of devices, including mobile

devices. Junos Pulse Access Control Service, working in concert with MAG Series Junos

Pulse Gateways or IC Series Unified Access Control Appliances, delivers granular, secure

access control for LANs, private or public clouds, as well as their applications and data based on user identity and role, device type and integrity, and location.

5.2.6.6 Encryption Appliances

A network security device that applies crypto services at the network transfer layer - above the data link level, but below the application level.


N/A

5.2.6.7 On-premise and Cloud-based services for Web and/or Email Security

Solutions that provide threat protection, data loss prevention, message level encryption, acceptable use and application control capabilities to secure web and email communications.


N/A




5.2.6.8 Secure Access

Products that provide secure access to the network for any device, including personally owned mobile devices (laptops, tablets, and smart phones). Capabilities should include:

Junos Pulse is a simplified, integrated, multiservice network client enabling anytime, anywhere connectivity, security, and acceleration that requires minimal user interaction. Junos Pulse makes secure network and cloud access easy through virtually any device—mobile or non-mobile, Wi-Fi or 3G-enabled, managed or unmanaged—over a broad array of computing and mobile operating systems.

Management visibility for device access


UAC correlates user identity and role information to network and application security and usage. With UAC, you will know who is accessing your network and applications, when your network and applications are being accessed, what is being accessed, and where the user and device has been on your network. UAC provides valuable, effective tracking and auditing of network and application access, which helps address regulatory compliance requirements and audits.

Detailed user access logs provide an audit of the authentication process. For more detailed troubleshooting of an individual user the Junos Pulse Access Control Service allows you to troubleshoot problems by tracking events when a user signs into a realm. The Policy Tracing page allows you to record a policy trace file for an individual user. The Junos Pulse Access Control Service displays log entries that list the user’s actions and indicates why that user is allowed or denied access to various functions. Additional tools like TCP dump and RADIUS troubleshooting are available to examine intricate detail of communications.

Self-service on-boarding


N/A

Centralized policy enforcement


N/A

Differentiated access and services


Junos Pulse Secure Access Service for the MAG Series gateways provides dynamic access privilege management capabilities without infrastructure changes, custom development, or software deployment/maintenance. This facilitates the easy deployment and maintenance of secure remote access, as well as secure extranets and intranets. When users log into MAG Series, they pass through a pre-authentication assessment, and are then dynamically mapped to the session role that combines established network, device,




identity, and session policy settings. Granular resource authorization policies further ensure exact compliance to security restrictions.

Device Management


N/A

5.2.7 Storage Networking

High-speed network of shared storage devices connecting different types of storage devices with data servers.


N/A

5.2.7.1 Director Class SAN (Storage Area Network) Switches and Modules

A scalable, high-performance, and protocol-independent designed primarily to fulfill the role of core switch in a core-edge Fibre Channel (FC), FCOE or similar SAN topology. A Fibre Channel director is, by current convention, a switch with at least 128 ports. It does not differ from a switch in core FC protocol functionality. Fibre Channel directors provide the most reliable, scalable, high-performance foundation for private cloud storage and highly virtualized environments.


N/A

5.2.7.2 Fabric and Blade Server Switches

A Fibre Channel switch is a network switch compatible with the Fibre Channel (FC) protocol. It allows the creation of a Fibre Channel fabric, which is currently the core component of most SANs. The fabric is a network of Fibre Channel devices, which allows many-to-many communication, device name lookup, security, and redundancy. FC switches implement zoning; a mechanism that disables unwanted traffic between certain fabric nodes.


N/A




5.2.7.3 Enterprise and Data Center SAN and VSAN (Virtual Storage Area Network) Management

Management tools to provisions, monitors, troubleshoot, and administers SANs and VSANs.


N/A

5.2.7.4 SAN Optimization

Tools to help optimize and secure SAN performance (i.e. Encryption of data-at-rest, data migration, capacity optimization, data reduction, etc.


N/A

5.2.8 Switches

Layer 2/3 devices that are used to connect segments of a LAN (local area network) or multiple LANs and to filter and forward packets among them.


Juniper Networks EX Series

With Juniper Networks EX Series, businesses can deploy a cost-effective family of switches that delivers the high availability, unified communications, integrated security, and operational excellence you need today—while providing a platform for supporting the requirements of tomorrow.

Key Competitive Advantages

Juniper Networks EX Series exhibits five key areas of innovation that work together to deliver a true enterprise switching solution:

Carrier-class reliability

Integrated security

Network virtualization

Application control

Reduced total cost of ownership (TCO)

Working together, attributes advance the economics of networking by allowing businesses to spend less money and time on their network infrastructures―and more on innovative technologies that help them gain a competitive edge.




Carrier-class Reliability

The EX Series leverages much of the same field-proven Juniper Networks technology―including high performance ASICs, system architecture, and Junos software―that powers the world’s largest service provider networks. The result is a robust, time-tested and highly reliable network infrastructure solution for high performance enterprises.

Security Risk Management

The EX Series is fully compatible with Juniper Networks Unified Access Control (UAC) solution―delivering an extra layer of security by first authenticating users and performing virus checks, then enforcing precise, end-to-end security policies that determine who can access what network resources, as well as QoS policies to ensure delivery of business processes. Integrated anomaly-based threat detection provides additional protection by identifying and blocking DDoS attacks.

Network Virtualization

The EX220, EX3300, EX4200, EX4500, EX4550 feature Juniper Networks Virtual Chassis technology, which enables multiple switches to be interconnected and operate as a single system. With Virtual Chassis technology, users get the reliability, availability, and high-port densities of traditional chassis-based systems in a cost-effective, compact form factor—the best of both worlds.

Juniper Networks EX Series also supports GRE tunneling in hardware for sending mirrored traffic from remote locations to monitoring devices in the network operations center for centralized troubleshooting and analysis, or to build segregated overlay networks without the challenges associated with Spanning Tree.

Application Control

Successfully managing a network requires knowing how it is being used in order to optimize application delivery and maximize efficiency. Applications are divided into categories―business, peer-to-peer, messaging, or gaming―for easy identification. Additional details such as top talkers, bandwidth consumption by application, and traffic distribution by location are available, providing a detailed snapshot of how applications are behaving across the network.

To ensure that application traffic is properly prioritized, the EX Series hardware supports a robust eight QoS queues per port―more than enough to establish separate queues for control plane, voice, video, and multiple levels of data traffic, with room to converge other networks such as building automation and security cameras.

Lower TCO

Juniper Networks EX Series reduces operational and capital expenses with:

A highly scalable pay-as-you-grow architecture.

Network designs with lower power consumption.

Reduced space and associated cooling requirements.

A common operating system.

Unified management tools across the Juniper Networks portfolio.

The high performance, high density EX Series platforms let users start small and grow incrementally, saving valuable space in crowded wiring closets and data centers, while lowering recurring power and cooling costs. Leveraging a common version of Junos software across the switch families ensures consistency throughout the




infrastructure and accelerates the learning curve. In addition, unified management tools consolidate system monitoring and maintenance, saving time and money.

Forrester Consulting Report: Simplifying Data Center Networks with Juniper Networks EX Series Reduces Network OpEx

In August 2010, Juniper Networks commissioned Forrester Consulting to examine the total economic impact and potential ROI that an enterprise may realize by simplifying the network architecture of its data center with Juniper Networks EX Series running Junos OS. Forrester interviewed Townsend Analytics, an existing Juniper Networks customer that simplified its server farm network to two tiers by implementing the EX Series. Forrester’s subsequent financial analysis found that Townsend Analytics experienced a risk-adjusted ROI of 33%.

For the complete Forrester Consulting report—The Total Economic Impact of Network Simplification in an Enterprise Data Centers—please refer to the following website: http://www.juniper.net/us/en/local/pdf/analyst-reports/forrester-tei-network-simplification-townsend.pdf

EX Series Models

Juniper Networks EX Series switches are designed to deliver scalable port density and performance, providing you with an economical pay-as-you-grow approach to building your high performance network. EX Series models follow:

EX2200 – Juniper Networks EX2200 with Virtual Chassis technology delivers a high performance, highly available standalone solution at an economical price point with plug-and-play simplicity―ideal for access layer deployments in branch and remote offices, as well as campus networks.

o EX2200-C – Juniper Networks EX2200-C delivers a compact, silent, and power-efficient platform for low density micro-branch deployments and commercial access or enterprise workgroup environments outside the wiring closet.

EX3200 – Juniper Networks fixed-configuration EX3200 offers a high performance standalone solution for low-density access deployments in the wiring closets of remote offices and small LANs in large office buildings.

EX3300 – Juniper Networks EX3300 with Virtual Chassis technology offers a compact, cost-effective, highly scalable solution for supporting the most demanding converged enterprise access environments.

EX4200 – Juniper Networks EX4200 with Virtual Chassis technology combines the high availability and reliability of modular systems with the economics and flexibility of stackable platforms, delivering a high-performance, scalable solution for data center campus, and branch environments.

EX4300 – Juniper Networks EX4300 Ethernet switches are compact, fixed-configuration platforms that satisfy a variety of high-performance branch, campus and data center access deployments. Juniper Virtual Chassis technology enables up to 10 EX4300 switches to be interconnected over a 320 Gbps backplane using four back-panel 40GbE ports, creating a single, logical device that delivers a highly scalable, cost-effective solution for growing campus environments. Five-member full-mesh Virtual Chassis configurations spanning up to 150 meters are also supported, delivering a low-latency solution that ensures switch members are just one hop away from every other switch.

EX4500 Series – Juniper Networks EX4500 Series with Virtual Chassis technology delivers scalable, compact, high performance platforms for supporting high-density 10 Gbps data center, campus, and service provider deployments.

http://www.juniper.net/us/en/local/pdf/analyst-reports/forrester-tei-network-simplification-townsend.pdf




EX4550 Series - The compact, scalable EX4500 line of Ethernet switches offers economical, power-efficient, high performance platforms for enterprise data center top-of-rack, data center end-of-row or campus deployment applications, and for service provider deployments.

The 2RU EX4500 has 40 wire-speed dual GbE/10GbE ports with full Layer 2 and Layer 3 support. Optional high-speed uplink modules include eight additional 10GbE ports.

The 1RU EX4550 has 32 wire-speed GbE/10GbE ports, with two expansion slots for optional modules that increase port densities to 48. The EX4550 supports Layer 3 dynamic routing protocols such as RIP and OSPF, MPLS services such as Layer 2 and Layer 3 VPNs, MACsec on all ports, and a comprehensive quality-of-service (QoS) feature set.

Both the EX4500 and EX4550 support Juniper’s Virtual Chassis technology and can be deployed with EX4200 switches in the same Virtual Chassis configuration to support environments where both GbE and 10GbE servers are present.

5.2.8.1 Campus LAN – Access Switches

Provides initial connectivity for devices to the network and controls user and workgroup access to internetwork resources. The following are some of the features a campus LAN access switch should support:

Security

o SSHv2 (Secure Shell Version 2)

o 802.1X (Port Based Network Access Control)

o Port Security

o DHCP (Dynamic Host Configuration Protocol) Snooping


Yes, the Juniper EX line supports both SSH v1/v2

Yes, the Juniper EX line supports 802.1X authentication.

EX Series: Access Port Security Features

Juniper Networks EX4200 supports the following access port security features:

DHCP snooping – Filters and blocks ingress DHCP server messages on untrusted ports; builds and maintains an IP-address/MAC-address binding database (called the DHCP snooping database).

Dynamic ARP inspection (DAI) – Prevents ARP spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons.

MAC limiting – Protects against flooding of the Ethernet switching table.

MAC move limiting – Detects MAC movement and MAC spoofing on access ports and prevents hosts whose MAC addresses have not been learned by the switch from accessing the network.




Trusted DHCP server – With a DHCP server on a trusted port, protects against rogue DHCP servers sending leases.

Yes, the EX series supports DHCP snooping.

VLANs

MACsec – A MACsec software license enables the EX4200 and EX4550 to provide near line-rate hardware-

based encryption of user traffic on a dual-speed 2x10GbE or 4x1GbE SFP+ MACsec uplink module.


EX Series: VLAN Support

Juniper Networks EX Series switches use Layer 2 bridging protocols to discover the topology of their LAN and to forward traffic toward destinations on the LAN. Bridging divides a single physical LAN (a single broadcast domain) into two or more virtual LANs, or VLANs. Each VLAN is a collection of network nodes that are grouped together to form separate broadcast domains. On an Ethernet network that is a single LAN, all traffic is forwarded to all nodes on the LAN. On VLANs, frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN. Frames that are not destined for the local VLAN are the only ones forwarded to other broadcast domains. VLANs thus limit the amount of traffic flowing across the entire LAN, reducing the possible number of collisions and packet retransmissions within a VLAN and on the LAN as a whole.

On an Ethernet LAN, all network nodes must be physically connected to the same network. On VLANs, the physical location of the nodes is not important, so you can group network devices in any way that makes sense for your organization, such as by department or business function, types of network nodes, or even physical location. Each VLAN is identified by a single IP subnetwork and by standardized IEEE 802.1Q encapsulation (discussed below).

Bridging

The transparent bridging protocol allows a switch to learn information about all the nodes on the LAN, including nodes on all the different VLANs. The switch uses this information to create address-lookup tables, called Ethernet switching tables that it consults when forwarding traffic to or toward a destination on the LAN.

Transparent bridging uses five mechanisms to create and maintain Ethernet switching tables on the switch:

1. Learning – When a switch is first connected to an Ethernet LAN or VLAN, it has no information about other nodes on the network. The switch goes through a learning process to obtain the MAC addresses of all the nodes on the network. It stores these in the Ethernet switching table. To learn MAC addresses, the switch reads all packets that it detects on the LAN or on the local VLAN, looking for MAC addresses of sending nodes. It places these addresses into its Ethernet switching table, along with two other pieces of information—the interface (or port) on which the traffic was received and the time when the address was learned.

2. Forwarding – Switches forward traffic, passing it from an incoming interface to an outgoing interface that leads to or toward the destination. To forward frames, the switch consults the Ethernet switching table to see whether the table contains the MAC address corresponding to the frames' destination. If the Ethernet switching table contains an entry for the desired destination address, the switch sends the traffic out the interface associated with the MAC address. The switch also consults the Ethernet switching table in the same way when transmitting frames that originate on devices connected directly to the switch. If the Ethernet switching table does not contain an entry for the desired destination address, the switch uses flooding, which is the third bridging mechanism.




3. Flooding – Flooding is how the switch learns about destinations not in its Ethernet switching table. If this table has no entry for a particular destination MAC address, the switch floods the traffic out all interfaces except the interface on which it was received. (If traffic originates on the switch, the switch floods it out all interfaces.) When the destination node receives the flooded traffic, it sends an acknowledgment packet back to the switch, allowing it to learn the MAC address of the node and to add the address to its Ethernet switching table.

4. Filtering – Filtering is how broadcast traffic is limited to the local VLAN whenever possible. As the number of entries in the Ethernet switching table grows, the switch pieces together an increasingly complete picture of the VLAN and the larger LAN—of which nodes are in the local VLAN and which are on other network segments. The switch uses this information to filter traffic. Specifically, for traffic whose source and destination MAC addresses are in the local VLAN, filtering prevents the switch from forwarding this traffic to other network segments.

5. Aging – Finally, the switch uses aging, the fifth bridging mechanism, to keep the entries in the Ethernet switching table current. For each MAC address in the Ethernet switching table, the switch records a timestamp of when the information about the network node was learned. Each time the switch detects traffic from a MAC address, it updates the timestamp. A timer on the switch periodically checks the timestamp, and if it is older than a user-configured value, the switch removes the node's MAC address from the Ethernet switching table. This aging process ensures that the switch tracks only active nodes on the network and that it is able to flush out network nodes that are no longer available.

Switch Ports

The ports, or interfaces, on a switch operate in either access mode or trunk mode. An interface in access mode connects to a network device, such as a desktop computer, an IP telephone, a printer, a file server, or a security camera. The interface itself belongs to a single VLAN. The frames transmitted over an access interface are normal Ethernet frames. By default, when you boot a switch and use the factory-default configuration, or when you boot the switch and do not explicitly configure a port mode, all interfaces on the switch are in access mode.

Trunk interfaces handle traffic for multiple VLANs, multiplexing the traffic for all those VLANs over the same physical connection. Trunk interfaces are generally used to interconnect switches to one another.

IEEE 802.1Q Encapsulation and Tags

To identify which VLAN traffic belongs to, all frames on an Ethernet VLAN are identified by a tag, as defined in the IEEE 802.1Q standard. These frames are tagged and are encapsulated with 802.1Q tags.

For a simple network that has only a single VLAN, all traffic has the same 802.1Q tag.

When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q tag. The tag is applied to all frames so that the network nodes receiving the frames know which VLAN the frames belong to. Trunk ports, which multiplex traffic among a number of VLANs, use the tag to determine to origin of frames and where to forward them.

Assignment of Traffic to VLANs

You assign traffic to a particular VLAN in one of the following ways:

By interface (port) on the switch – You specify that all traffic received on a particular interface on the switch is assigned to a specific VLAN. If you use the default factory switch settings, all traffic received on an access interface is untagged. This traffic is part of a default VLAN, but it is not tagged with an 802.1Q tag. When configuring the switch, you specify which VLAN to assign the traffic to. You configure the VLAN either by




using a VLAN number (called a VLAN ID) or by using a name, which the switch translates into a numeric VLAN ID.

By MAC address – You can specify that all traffic received from a specific MAC address be forwarded to a specific egress interface (next hop) on the switch. This method is administratively cumbersome to configure manually, but it can be useful when you are using automated databases to manage the switches on your network.

Ethernet Switching Tables

As EX Series switches learn the MAC addresses of the devices on local VLANs, they store them in the bridge on the switch. With each MAC address, the Ethernet switching table stores and associates the name of the interface (or port) on which the switch learned that address. The switch uses the information in this table when forwarding packets toward their destination.

Layer 2 and Layer 3 Forwarding of VLAN Traffic

To pass traffic within a VLAN, the switch uses Layer 2 forwarding protocols, including IEEE 802.1Q, Spanning Tree Protocol (STP), and GARP VLAN Registration Protocol (GVRP).

To pass traffic between two VLANs, the switch uses standard Layer 3 routing protocols, such as static routing, OSPF, and RIP. On EX Series switches, the same interfaces that support Layer 2 bridging protocols also support Layer 3 routing protocols, providing multilayer switching.

GVRP

The GARP VLAN Registration Protocol (GVRP) is an application protocol of the Generic Attribute Registration Protocol (GARP) and is defined in the IEEE 802.1Q standard. GVRP learns VLANs on a particular 802.1Q trunk port and adds the corresponding trunk port to the VLAN if the advertised VLAN is preconfigured on the switch.

The VLAN registration information sent by GVRP includes the current VLANs membership—that is, which switches are members of which VLANs—and which switch ports are in which VLAN. GVRP shares all VLAN information configured manually on a local switch.

As part of ensuring that VLAN membership information is current, GVRP removes switches and ports from the VLAN information when they become unavailable. Pruning VLAN information:

Limits the network VLAN configuration to active participants’ only, reducing network overhead.

Targets the scope of broadcast, unknown unicast, and multicast (BUM) traffic to interested devices only.

Routed VLAN Interface

In a traditional network, broadcast domains consist of either physical ports connected to a single switch or logical ports connected to one or more switches through VLAN configurations. Switches send traffic to hosts that are part of the same broadcast domain, but routers are needed to route traffic from one broadcast domain to another and to perform other Layer 3 functions such as traffic engineering. EX Series switches use a routed VLAN interface (RVI) to perform these routing functions, using it to route data to other Layer 3 interfaces. This functionality eliminates the need for having both a switch and a router.

The RVI interface must be configured as part of a broadcast domain or VPLS routing instance in order for Layer 3 traffic to be routed out of it. The RVI interface supports IPv4, IPv6, MPLS, and ISIS traffic. At least one Layer 2 logical interface should be operationally up in order for the RVI interface to be operationally up. You must configure an RVI broadcast domain or VPLS routing instance just as you would configure a VLAN on a switch.




Multicast data, broadcast data, or unicast data is switched between ports within the same RVI broadcast domain or VPLS routing instance. The RVI interface routes data that is destined for the router’s media access control (MAC) address.

Fast Ethernet/Gigabit Ethernet


EX2200/EX3200/EX3300/EX4200 offer 24-port and 48-port configuration options offer simple plug-and-play 10/100/1000BASE-T connectivity meet today’s converged networking needs. With optional full or partial Power over Ethernet (PoE) ports, the EX Series can support IP-enabled devices such as telephones, security cameras, WLAN access points in converged network environments. The EX4200 offers a 24-port fiber switch offering 100/1000BASE-X support.

PoE (Power over Ethernet)


Juniper Networks EX Series supports PoE, which is the implementation of IEEE 802.3af, allowing both data and electric power to pass over a copper Ethernet LAN cable. PoE ports provide electrical current to devices through the network cables so that separate power cords for devices such as IP phones, wireless access points, and security cameras are unnecessary. This technology allows VoIP telephones, wireless access points, video cameras, and point-of-sale devices to safely receive power from the same access ports that are used to connect personal computers to the network.

EX Series switches have options of full or partial PoE capability. Full PoE models are primarily used in IP telephony environments. Partial PoE models are used in environments where, for example, only a few ports for wireless access points or security cameras are required.

PoE and Power Supply Units in EX Series Switches

EX Series switch models provide either 8, 24 or 48 PoE ports.

All 802.3af-compliant powered devices require no more than 12.95 watts. Thus, if you follow the recommended guidelines for selecting power supply units to support the number of PoE ports, the switch should be able to supply power to all connected powered devices. If you install a higher capacity power supply unit on a switch model that has only eight PoE ports, it does not extend PoE capabilities to the non-PoE ports.

Power Management Mode

The power management mode is used to determine the number of interfaces that can be provided with power. There are two modes of power management:

Static – In this mode the power allocated for each interface can be configured.

Class – In this mode the power allocation for interfaces is decided based on the class of powered device connected.

link aggregation





Juniper Networks EX Series supports link aggregation. You can combine multiple physical Ethernet ports to form a logical point-to-point link, known as a link aggregation group (LAG) or bundle. A LAG provides more bandwidth than a single Ethernet link can provide. Additionally, link aggregation provides network redundancy by load-balancing traffic across all available links. If one of the links should fail, the system automatically load-balances traffic across all remaining links.

You can select up to eight Ethernet interfaces and include them within a link aggregation group.

10 Gb support


EX3200/EX4200 Optional four-port 1GE and two-port 10GE uplink modules with pluggable optics are also available for supporting high-speed connections to other switches or upstream devices such as routers. EX3300 Offers four dual mode 1GE SFP/10GE SFP+ uplink ports available for supporting high-speed connections to other switches or upstream devices such as routers. The Juniper Networks EX4300 offers an optional dual-purpose four-port GbE/10GbE fiber uplink module. EX4500 offers up to 48 wire-speed 10GE ports in a 2 RU platform it delivers full Layer 2 and Layer 3 connectivity to networked devices such as servers and other switches. This is delivered in 40 fixed ports are complemented by two optional high-speed uplink modules available for configuration flexibility, offering four additional 10GE small form-factor pluggable transceiver (SFP+) ports for connecting to upstream devices. The EX4550 features up to 48 wire-speed 1GE or 10GE small form-factor pluggable transceivers (SFP/SFP+), or 100M/1GBASE-T/10GBASE-T ports in a compact 1 RU form factor, the EX4550 provides support for 480 Gbps of Layer 2 and Layer 3 connectivity to networked devices, such as servers and other switches. Two versions of the EX4550 are available—a 32-port fiber-based version and a 32-port copper-based version—which feature two expansion slots that can accommodate one of four optional expansion modules, providing tremendous configuration and deployment flexibility for campus and data center access as well as aggregation networks.

Port mirroring


Yes, the EX Series switches support port mirroring.

Span Taps


N/A

Support of IPv6 and IPv4


N/A

Standards-based rapid spanning tree





EX Series: Rapid Spanning Tree Protocol (RSTP)

Juniper Networks EX Series uses Rapid Spanning Tree Protocol (RSTP) to provide better reconvergence time than the original STP. RSTP identifies certain links as point to point. When a point-to-point link fails, the alternate link can transition to the forwarding state.

Although STP provides basic loop prevention functionality, it does not provide fast network convergence when there are topology changes. STP’s process to determine network state transitions is slower than RSTP's because it is timer-based. A device must reinitialize every time a topology change occurs. The device must start in the listening state and transition to the learning state and eventually to a forwarding or blocking state. When default values are used for the maximum age (20 seconds) and forward delay (15 seconds), it takes 50 seconds for the device to converge. RSTP converges faster because it uses a handshake mechanism based on point-to-point links instead of the timer-based process used by STP.

An RSTP domain running on an EX Series switch has the following components:

Root port – The “best path” to the root device

Designated port – Indicates that the switch is the designated bridge for the other switch connecting to this port

Alternate port – Provides an alternate root port

Backup port – Provides an alternate designated port.

Port assignments change through messages exchanged throughout the domain. An RSTP device generates configuration messages once every hello time interval. If an RSTP device does not receive a configuration message from its neighbor after an interval of three hello times, it determines it has lost connection with that neighbor. When a root port or a designated port fails on a device, the device generates a configuration message with the proposal bit set. Once its neighbor device receives this message, it verifies that this configuration message is better than the one saved for that port and then it starts a synchronizing operation to ensure that all of its ports are in sync with the new information.

Similar waves of proposal agreement handshake messages propagate toward the leaves of the network, restoring the connectivity very quickly after a topology change (in a well-designed network that uses RSTP, network convergence can take as little as 0.5 seconds). If a device does not receive an agreement to a proposal message it has sent, it returns to the original IEEE 802.D convention.

RSTP was originally defined in the IEEE 802.1w draft specification and later incorporated into the IEEE 802.1D-2004 specification.

Netflow Support (Optional)


sFlow:

Juniper Networks most of the Juniper EX product line supports sFlow to monitor high-speed switched or routed networks. sFlow randomly samples network packets and sends the samples to a monitoring station. For example, you can configure sFlow on the EX4200 to continuously monitor traffic at wire speed on all interfaces simultaneously.




sFlow uses the following two sampling mechanisms:

Packet-based sampling – Samples one packet out of a specified number of packets from an interface enabled for sFlow technology

Time-based sampling – Samples interface statistics at a specified interval from an interface enabled for sFlow technology

The sampling information is used to create a network traffic visibility picture. Junos fully supports the sFlow version 5 standard described at sFlow.org (refer to the following website: www.sflow.org).

An sFlow monitoring system consists of an sFlow agent embedded in the switch and a centralized collector. The sFlow agent’s two main activities are random sampling and statistics gathering. It combines interface counters and flow samples and sends them across the network to the sFlow collector.

The EX4200 adopts the distributed sFlow architecture. The sFlow agent has two separate sampling entities that are associated with each packet forwarding engine. These sampling entities are known as subagents. Each subagent has a unique ID that is used by the collector to identify the data source. A subagent has its own independent state and forwards its own sample messages to the sFlow agent. The sFlow agent is responsible for packaging the samples into datagrams and sending them to the sFlow collector. Because sampling is distributed across subagents, the protocol overheads associated with sFlow are significantly reduced at the collector. If the mastership assignment changes in a Virtual Chassis setup, sFlow technology continues to function.

The sFlow collector uses the sFlow agent’s IP address to determine the source of the sFlow data. The IP address assigned to the agent is based on the following order of priority of interfaces configured on the switch:

1. Virtual management Ethernet (VME) interface

2. Management Ethernet interface

If any of the above interfaces have not been configured, the IP address of any Layer 3 interface or the routed VLAN (RVI) interface is used as the IP address for the agent. At least one interface must be configured for an IP address to be assigned to the agent.

sFlow data can be used to provide network traffic visibility information. The IP address to be assigned to source data can be configured. If it has not been configured, the IP address of the configured Gigabit Ethernet interface, 10GE interface, or the RVI is used as the source IP address. Infrequent sampling flows are not reported in the sFlow information, but over time the majority of flows are reported. Based on a defined sampling rate, 1 out of N packets is captured and sent to the collector. This type of sampling does not provide a 100 percent accurate result in the analysis, but it does provide a result with quantifiable accuracy. A polling interval defines how often the sFlow data for a specific interface are sent to the collector, but an sFlow agent is free to schedule polling.

The EX4200 uses adaptive sampling to ensure both sampling accuracy and efficiency. Adaptive sampling is a process of monitoring the overall incoming traffic rate on the network device and providing intelligent feedback to interfaces to dynamically adapt their sampling rate to the traffic conditions. Interfaces on which incoming traffic exceeds the system threshold are penalized so that all violations can be regulated without affecting the traffic on other interfaces. Every five seconds, the agent checks interfaces to get the number of samples, and interfaces are grouped based on the slot that they belong to. The top five interfaces that produce the highest samples are selected. Using the binary backoff algorithm, the sampling load on these top five interfaces is reduced to half and adjusted on interfaces that have a lower sample rate. Therefore, when the processor limit is reached , the sampling rate is adapted so that it does not load the processor any further. If the switch is rebooted, the adaptive sample rate is reset to the user configured sample rate. Also, if you modify the sample rate, the adaptive sample rate changes.

The advantage of adaptive sampling is that the switch continues to operate at its optimum level even when there is a change in the traffic patterns in the interfaces. You do not need to make any changes. Since the sampling

http://www.sflow.org/




rate is adapted dynamically based on the network conditions, the resources are utilized optimally thereby resulting in a high-performance network.

5.2.8.2 Campus LAN – Core Switches

Campus core switches are generally used for the campus backbone and are responsible for transporting large amounts of traffic both reliably and quickly. Core switches should provide:

EX9200 Series: Overview and Models

Juniper Networks EX9200 Series next-generation carrier-class campus and data center core Ethernet switching platforms (shown in Figure xxx) are designed for performance and scale―delivering greater port densities, space efficiency, and an on-ramp to 40GE and 100GE for enterprise customers.

The EX9200 line of programmable, flexible, and scalable modular Ethernet core switches simplifies the deployment of cloud applications, virtualized servers and rich media collaboration tools across campus and data center environments. As a key element of Juniper Networks “Simply Connected” portfolio of resilient switching, security, routing, and wireless products, the EX9200 Series enables collaboration and provides simple and secure access to mission critical applications. In the data center, the EX9200 simplifies network architectures and network operations to better align the network with today’s dynamic business environments.

As networks become a more strategic part of an enterprise’s business, they need to be more agile. Network agility requires programmability, and the EX9200 provides that and more in its silicon and at the system and networking levels. The EX9200 is based on Juniper One custom silicon—an ASIC designed by Juniper Networks which provides a programmable Packet Forwarding Engine (PFE) and allows for native support of networking protocols such as virtualization using MPLS over IP and overlay network protocols. ASIC micro code changes delivered through updates to Juniper Networks Junos OS provide investment protection by allowing existing hardware to support new or future networking protocols.

All EX9200 system programmability provides support for Junos OS-based automation along with the Junos SDK, which enables integration with Puppet, OpenFlow, and other automation applications. The EX9200 network programmability also enables integration with leading orchestration applications.

Trends such as mobility and increasing rich-media traffic in the campus, combined with virtualization and cloud computing in the data center, mandate a core switch that can deliver:

Increased bandwidth and throughput via 40GE and 100GE interfaces;

Increased logical scale needed to support more devices and servers;

Increased 10GE port densities;

Form factor alternatives;

Programmability to address future business needs;

Carrier grade availability.

Juniper Networks EX9200 Series is ready to handle changing networking demands for at least the next decade.

High bandwidth





Fully configured, a single EX9214 chassis can support up to 320 10GE ports (240 at wire speed for all packet sizes), delivering one of the industry’s highest line-rate 10GE port densities for this class of feature rich and programmable switch.

The EX9200 switch fabric is capable of delivering 240 Gbps (full duplex) per slot, enabling scalable wire-rate performance on all ports for any packet size. The pass-through midplane design also supports a future capacity of up to 13.2 Tbps.

Low latency


In the data center, the EX9200 architecture is designed for very large deployments, with no head-of-line blocking, a single tier low latency switch fabric, efficient multicast replication handling, and deep buffering to ensure performance at scale. The EX9200 chassis midplane distributes the control and management signals over independent paths to the various system components and distributes power throughout the system. Data plane signals pass directly from the EX9200 line cards to the EX9200 Switch Fabric modules via a unique pass-through connector system that provides unparalleled signal quality for future generations of fabric ASICs.

Hot swappable power supplies and fans


To maintain uninterrupted operation, the EX9200’s fan trays cool the line cards, Routing Engine, and Switch Fabric modules with redundant, variable speed fans. In addition, the EX9200 power supplies convert building power to the internal voltage required by the system. All EX9200 components are hot-swappable, and all central functions are available in redundant configurations, providing high operational availability by allowing continuous system operation during maintenance or repairs.

Security

o SSHv2

o MacSec encryption

o Role-Based Access Control Lists (ACL)


Yes, SSHv1 and SSHv2 are supported by the EX9200

No, MacSec is not currently supported and is being investigated for a future release.



Yes, the EX9200 switch supports both IPv4 and IPv6.

1/10/40/100 Gbps support





All three EX9200 chassis can accommodate any combination of EX9200 Ethernet line cards. Options include the following:

EX9200-40T – 40-port 10/100/1000BASE-T RJ-45 line card

EX9200-40F – 40-port 100FX/1000BASE-X SFP line card

EX9200-32XS – 32-port 10GE SFP+ line card

EX9200-4QS – 4-port 40GE quad SFP (QSFP+) line card

IGP (Interior Gateway Protocol) routing


The EX9200 Series supports RIP v1/v2, OSPF v1/v2/v3, and IS-IS

EGP (Exterior Gateway Protocol) routing


The EX9200 Series supports BGP

VPLS (Virtual Private LAN Service) Support


Yes, the EX9200 supports MPLS/VPLS

The Advanced Feature License enables MPLS, BGP, IS-IS and Logical Systems. EX9200 MPLS capabilities include L3VPNs and VPLS.

VRRP (Virtual Router Redundancy Protocol) Support


Yes, the EX9200 supports VRRP

Netflow Support.




JUNIPER NETWORKS RESPONSE: The Juniper EX9200 supports Netflow in Junos 13.2 and sFlow in Junos 13.3 (roadmap End of 2013/beginning of 2014).

5.2.8.3 Campus Distribution Switches

Collect the data from all the access layer switches and forward it to the core layer switches. Traffic that is generated at Layer 2 on a switched network needs to be managed, or segmented into Virtual Local Area Networks (VLANs), Distribution layer switches provides the inter- VLAN routing functions so that one VLAN can communicate with another on the network. Distribution layer switches provides advanced security policies that can be applied to network traffic using Access Control Lists (ACLs).


Juniper Networks EX4550 Ethernet Switch delivers a scalable, high-performance platform for supporting high-density 10 Gbps data center top-of-rack deployments, as well as data center, campus, and service provider aggregation environments. Featuring up to 48 wire-speed 1GE or 10GE small form-factor pluggable transceivers (SFP/SFP+), or 100M/1GBASE-T/10GBASE-T ports in a compact 1 RU form factor, the EX4550 provides support for 480 Gbps of Layer 2 and Layer 3 connectivity to networked devices, such as servers and other switches.

Two versions of the EX4550 base switch are available:

32-port fiber-based version, providing 32 fixed 10GE SFP/SFP+ pluggable ports

32-port copper-based version, providing 32 fixed 100M/1GBASE-T/10GBASE-T ports

Both versions feature two expansion slots, one in front and one in back, that can accommodate one of four optional expansion modules, providing tremendous configuration and deployment flexibility for campus and data center access as well as aggregation networks. The four expansion modules include the following:

128 Gbps Virtual Chassis module

8 x 10GBASE-T copper expansion module

8 x 10GBASE SFP/SFP+ fiber expansion module

2 x 40GE expansion module

Virtual Chassis Technology

Juniper Networks EX4550 is also designed to support Juniper Networks unique Virtual Chassis technology, which enables up to 10 interconnected switches to operate as a single, logical device with a single IP address. Virtual Chassis technology enables enterprises to separate physical topology from logical groupings of endpoints and, as a result, provides efficient resource utilization.

The EX4550 can participate in the same Virtual Chassis configuration with any combination of Juniper Networks EX4200 and EX4500 Ethernet Switches, delivering highly flexible and scalable configuration options for campus and data center deployments. EX4550 switches in a Virtual Chassis configuration can be connected using dedicated 128 Gbps interconnect ports on the Virtual Chassis expansion module, or via link aggregation groups (LAGs) across 10GE/40GE ports, providing aggregate backplane capacity of up to 320 Gbps.

In the data center, EX4550 Virtual Chassis deployments can extend across multiple top-of- rack or end-of-row switches, providing tremendous configuration flexibility for 10GE server connectivity by only requiring redundant links between Virtual Chassis groups, rather than each physical switch to ensure high availability. In addition,




mixed Virtual Chassis configurations featuring EX4200, EX4500, and EX4550 switches provide an ideal solution for data centers with a mix of 1GE and 10GE servers, or for environments transitioning from 1GE to 10GE server connectivity.

High bandwidth


A single EX4550 switch can support up to 48 10GE ports at line rate, providing a highly scalable solution for even the most demanding environments. In addition, Virtual Chassis technology allows for easy network scalability and reduces management complexity. By adding switches to a Virtual Chassis configuration, it is possible to grow the number of switch ports without increasing the number of devices to manage. As more switches are added to the Virtual Chassis configuration, backplane bandwidth demands can also be scaled to maintain adequate oversubscription ratios. The EX4550 Virtual Chassis bandwidth can be increased to 256 Gbps by inserting 128 Gbps Virtual Chassis expansion modules in each of the two available expansion slots.

Low latency


Juniper Networks EX4550 also offers an economical, power-efficient, and compact solution for aggregating 10GE expansions from access devices in building and campus deployments. The switch’s dual-speed interfaces also support environments transitioning from 1GE to 10GE.

The EX4550 easily meets enterprise core switch requirements, delivering low latency (~2us), wire-speed performance on every port, full device redundancy, support for Layer 3 dynamic routing protocols, such as RIP and OSPF, Layer 2 and Layer 3 MPLS VPNs, and a comprehensive set of security and QoS features.



Yes, the EX4550 has both redundant, hot-swappable power supplies and redundant, field-replaceable, hot-swappable fans.

Security (SSHv2 and/or 802.1X)


The EX4550 supports both SSHv1/v2 and 802.1x



The EX4550 supports both IPv4 and IPv4

Jumbo Frames Support


The EX4550 supports Jumbo Frames

Dynamic Trunking Protocol (DTP)





DTP is a proprietary protocol not supported by Juniper product lines. Similar functionality via an open standard protocol is not available as this functionality may not be best practices. It is however possible to automate this via the Junos Automation if one desired this functionality. The use of Junos Automation would also allow you to safeguard this auto-negotiation to meet the needs of your business.

Per-VLAN Rapid Spanning Tree (PVRST+)


The EX4550 provides the following Spanning Tree Protocol Support:

Rapid Spanning Tree Protocol (RSTP) and VLAN Spanning Tree Protocol (VSTP) running concurrently. VSTP maintains a separate spanning tree instance for each VLAN, and is compatible with the Per-VLAN Spanning Tree Plus (PVST+) and Rapid-PVST+.

Spanning Tree Protocol (802.1D)

Multiple Spanning Tree Protocol (MSTP) (802.1s)

RSTP (802.1w)

VSTP – VLAN Spanning Tree

BPDU protect

Loop protect

Root protect

Switch-port auto recovery


N/A

NetFlow Support or equivalent


EX4550: sFlow

Juniper Networks EX4550 supports sFlow to monitor high-speed switched or routed networks. sFlow randomly samples network packets and sends the samples to a monitoring station. You can configure sFlow on the EX4200 to continuously monitor traffic at wire speed on all interfaces simultaneously.


• Packet-based sampling – Samples one packet out of a specified number of packets from an interface enabled for sFlow technology

• Time-based sampling – Samples interface statistics at a specified interval from an interface enabled for sFlow technology













The advantage of adaptive sampling is that the switch continues to operate at its optimum level even when there is a change in the traffic patterns in the interfaces. You do not need to make any changes. Since the sampling rate is adapted dynamically based on the network conditions, the resources are utilized optimally thereby resulting in a high-performance network.




5.2.8.4 Data Center Switches

Data center switches, or Layer 2/3 switches, switch all packets in the data center by switching or routing good ones to their final destinations, and discard unwanted traffic using Access Control Lists (ACLs), all at Gigabit and 10 Gigabit speeds. High availability and modularity differentiates a typical Layer 2/3 switch from a data center switch. Capabilities should include:

QFabric System: Overview

Juniper Networks QFabric System is the only fabric solution that delivers any-to-any connectivity and simplified operations, making it the ideal architectural foundation for virtualized data centers today and for the next decade. It is a scalable, high-performance, non-blocking, and easy-to-manage fabric that enables traditional Layer 2 and Layer 3 connectivity along with virtualization and convergence. The standards-based QFabric System is completely interoperable and seamlessly integrates with customers’ existing data center environments, allowing them to easily migrate traditional tiered networks to a single tier QFabric architecture that connects compute, storage, network, and services resources as extensions of a low latency network.

QFabric technology enables customers to maximize the performance of their data centers and simplify their network operations. By providing direct connectivity and predictable high performance at scale between any two ports in the fabric, common changes in the data center such as adding capacity, virtual machine mobility, or deploying new applications can be achieved quickly and easily.

Two QFabric System models are available:

QFX3000-M QFabric System – Designed for mid-tier, satellite, and container data center environments, this system supports from 48 to 768 10GE ports, delivering the simplicity, agility, and performance benefits of QFabric architecture in a space-optimized form factor. The QFX3000-M is ideal for high-performance computing environments, big data Hadoop clusters, and back-end business applications, and it provides investment protection by allowing customers to easily scale to a larger QFabric system deployment as demands for 10GE grow.

QFX3000-G QFabric System – Designed for large enterprises, service providers, and cloud data center environments, this system scales to support up to 6,144 10GE ports in a single device. The QFX3000-G is ideal for cloud (IaaS, SaaS), large enterprise IT data center (business applications, data analytics), and high performance computing (grid computing, data modeling, scientific research) environments.

System Components

The QFabric System consists of three separate but interdependent edge, interconnect, and control devices—the QFabric Node, QFabric Interconnect, and QFabric Director. As shown in Figure xxx, these components represent the internal elements of a traditional switch.

QFabric Node – In a QFabric system, the line cards that typically reside within a modular chassis switch become high-density, fixed-configuration, 1 RU edge devices that provide access into and out of the fabric. The Nodes, which can also operate as independent top-of-rack 10GE switches, provide compute, storage, services, and network access for the QFabric System. There are two types of QFabric Nodes available: the QFX3500, which offers a variety of connectivity options ranging from 1GE to 10GE, Fibre Channel (FC), and FC over Ethernet (FCoE); and the QFX3600, which offers 10GE and 40GE connectivity options. Both the QFX3500 and QFX3600 Nodes can be used in a single system.

QFabric Interconnect – The QFabric Interconnect represents the typical backplane of a modular switch, connecting all QFabric Node edge devices in a flat, any-to-any topology. This topology provides the data




plane connectivity between all Nodes, with the Interconnect acting as the high-performance backplane. Two QFabric Interconnect options are available. The QFX3000-M uses the 1 RU fixed configuration QFX3600-I QFabric Interconnect, which supports up to 16 connected QFabric Nodes to create a single fabric capable of supporting 768 10GE ports. The QFX3000-G uses the modular QFX3008-I, which connects up to 128 QFabric Nodes to create a single fabric capable of supporting 6,144 10GE ports.

QFabric Director – The Routing Engines embedded within a modular switch are externalized in the QFabric system via the QFX3100 QFabric Director, which provides control and management services for the fabric. Deployed in clusters to provide redundancy, QFabric Directors provide a single management interface to manage the scalable data plane provided by the Node and Interconnect devices. The QFabric Node and QFabric Interconnect devices together create the distributed data plane for the QFabric System over which all data traffic to and from servers and storage is carried. Existing QFabric system components can be redeployed between a QFX3000-M and a QFX3000-G, greatly simplifying flexibility and migration. Users can initially deploy a QFX3000-M and, as their 10GE demands grow, migrate to a QFX3000-G with the simple replacement of the QFabric Interconnect, dramatically increasing scale.

One of the greatest advantages of QFabric technology is its manageability. Unlike traditional deployments with multiple touch points for provisioning and troubleshooting, a QFabric System presents a single management interface for provisioning, managing, and troubleshooting the data center. Up to 128 top-of-rack switches in a QFX3000-G system and up to 16 top-of-rack switches in a QFX3000-M system work together to connect network, compute, and storage resources.

High bandwidth


Juniper Networks QFabric System is designed to provide a low latency fabric that can scale to more than 6,000 ports and be deployed in a variety of environments. With the advent of server virtualization, the IT infrastructure is providing business efficiency by consolidating many physical servers into fewer high-performance virtualized servers. However, this introduces new challenges in the data center by significantly increasing network utilization and requiring faster access-layer connectivity.

Every QFabric Node in a QFabric System adds high-performance, ultra-low latency (ULL) 10GE ports, making it possible to support large-scale server virtualization deployments—with a large media access control (MAC) address table with ultra-low latency (5 microseconds port-to-port under typical loads for a QFX3000-G system, and 3 microseconds port-to-port under typical loads for a QFX3000-M system) at Layer 2 and Layer 3 from server node to server node.

The QFabric system offers the following advantages for high-performance access:

Full-featured, standards-based Layer 2 and Layer 3 switching capabilities

Low latency switching on up to 56 10GE ports with the QFX3600 Node, or 48 10GE ports with the QFX3500 Node

Scaling options for 768 10GE ports with the QFX3000-M system, or 6,144 10GE ports with the QFX3000-G system using QFX3500 or QFX3600 Nodes at 3:1 or 6:1 oversubscription

Scaling options for up to 896 10GE ports with the QFX3000-M system, or 7,168 10GE ports with the QFX3000-G system using QFX3600 nodes at 7:1 oversubscription

Support for the same Junos OS that powers other Juniper Networks switches, routers, and security products, as well as Juniper Networks Junos Space management platform

Low latency








QFX3008-I Interconnect: Cooling System and Airflow

Juniper Networks QFX3008-I cooling system consists of ten fan trays and nine air filters. The fan trays and air filters are hot-insertable and hot-removable FRUs.

Eight fan trays install vertically on the front sides of the chassis, one fan tray installs directly below the front card cage, and one fan tray installs in the rear of the chassis at the top. The chassis has front-to-back airflow.

QFX3008-I Interconnect: Power Supply Overview

Juniper Networks QFX3008-I has six power supplies and two wiring trays. The power supplies are installed at the rear bottom of the chassis in slots 0 through 5 (left to right when viewed from the rear of the chassis). Wiring trays are installed at the rear bottom of the chassis on either side of the power supplies. The wiring tray in slot Wiring Tray 0 provides input power to the power supplies in slots 0 through 2. The wiring tray in slot Wiring Tray 1 provides input power to the power supplies in slots 3 through 5. The AC power supply in a QFX3008-I Interconnect device is a hot-insertable and hot-removable field-replaceable unit (FRU).

QFX3100 Director: Cooling System and Airflow

Juniper Networks QFX3100 cooling system consists of three fan modules as well as a single fan in each AC power supply. The fan modules are located in the fan module slots on the rear of the QFX3100. The QFX3100 also provides front-to-back airflow.

Temperature sensors in the chassis monitor the temperature within the chassis. The system raises an alarm if the fan fails or if the temperature inside the chassis rises above permitted levels. If the temperature inside the chassis rises above the threshold, the system shuts down automatically.

QFX3100 Director: Power Supply Overview

Juniper Networks QFX3100 power supplies are hot-removable and hot-insertable FRUs. Up to two AC power supplies may be installed in a QFX3100 device. Power supplies are installed in the power supply slots on the back of the chassis. Each QFX3100 Director is shipped with two AC power supplies.

Each power supply has its own fan and is cooled by its own internal cooling system. Hot air exhausts from the rear of the chassis.

560 W AC

Approximate weight – 2.5 lb (1.1 kg)

QFX3500 Switch: Cooling System and Airflow




Juniper Networks QFX3500 cooling system consists of two field-replaceable unit (FRU) fan trays with two fan modules each and two fan modules on the management board FRU (Figure xxx). In addition, the power supplies have internal fans to cool themselves.

The QFX3500 device provides FRU-side-to-port-side or port-side-to-FRU-side airflow depending on the device model you purchase. In the QFX3500 device models that have FRU-side-to-port-side airflow, the air intake to cool the chassis is located on the front panel of the chassis, where the FRUs are installed. Air is pulled into the chassis and pushed away from the fan trays and management board. Hot air exhausts from the rear of the chassis, where the ports are located.

In the QFX3500 device models that have port-side-to-FRU-side airflow, the air intake to cool the chassis is located on the rear panel of the chassis, the side with access and uplink ports. Air is pulled into the chassis and pulled through the fan trays and management boards. Hot air exhausts from the front of the chassis, where the FRUs are installed.

Each airflow type requires specific fan trays, management boards, and power supplies that have fan modules oriented in the proper direction. The fan trays and management boards are designed so that they can only be inserted into the QFX3500 device model that supports the same airflow type. The power supplies have labels and arrows on the handles that depict the direction of airflow. The label AFI denotes FRU-side-to-port-side airflow; AFO denotes port-side-to-FRU-side airflow.

The chassis includes a fan speed-control system. Under normal operating conditions, fans operate at reduced speed to reduce noise and power consumption. Temperature sensors in the chassis monitor the temperature within the chassis. The system raises an alarm if a fan fails or if the temperature inside the chassis rises above permitted levels. If the temperature inside the chassis rises above the threshold, the device shuts down automatically. You can see the status of fans and the temperature remotely through the CLI by issuing the operational mode command show chassis environment.

A single fan module cannot be replaced. If one or more fan modules fail, the entire fan tray or management board must be replaced.

QFX3500 Switch: Power Supply Overview

Juniper Networks QFX3500 power supplies are hot-removable and hot-insertable FRUs that can be installed on the front panel without powering off the switch or disrupting the switching function. Both AC and DC power supplies are 650 W.

The power supply provides FRU-side-to-port-side or port-side-to-FRU-side airflow depending on the model you purchase. The power supplies have labels and arrows on the handles that depict the direction of airflow. The label AFI denotes FRU-side-to-port-side airflow; AFO denotes port-side-to FRU-side airflow.

QFX3600 Switch: Power Supply and Fan Modules

Juniper Networks QFX3600 power supply and fan specifications follow:

• Dual-redundant (1+1) and hot-pluggable power supplies

• 100 to 240 V single-phase AC power or -40 to -72 V DC power

• Redundant and hot-pluggable fan modules

Ultra-low latency through wire-speed ports with nanosecond port-to-port latency and hardware-based Inter-Switch Link (ISL) trunking


The QFX3500 features sub-microsecond latency across all packet sizes in both cut-through and store-and-forward modes. ISL is a proprietary protocol and not supported.




Load Balancing across Trunk group able to use packet based load balancing scheme


QFabric supports LACP (IEEE 802.3ad) for link aggregation and redundancy.

Bridging of Fibre Channel SANs and Ethernet fabrics


The QFX3500 is a fully IEEE DCB- and T11 FC-BB-5-based FCoE Transit Switch and FCoE-FC Gateway, delivering a high-performance solution for converged server edge access environments. The QFX3500 provides configurable ports capable of 1GE, 10GE, and 2/4/8 Gbps FC connectivity.

FCoE Transit Switch – As an FCoE Transit Switch, the QFX3500 provides a pure IEEE DCB converged access layer between FCoE-enabled servers and an FCoE-enabled Fibre Channel SAN. The QFX3500 offers a full-featured DCB implementation that provides strong monitoring capabilities on the top-of-rack switch for SAN and LAN administration teams, while maintaining a clear separation of management. In addition, FC Initiation Protocol (FIP) snooping provides perimeter protection, ensuring that the presence of an Ethernet layer does not impact existing SAN security policies. The FCoE Transit Switch functionality, along with Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), and Data Center Bridging Exchange (DCBX), are included as part of the default software; no additional licenses are required.

FCoE-FC Gateway – In FCoE-FC Gateway mode, the QFX3500 eliminates the need for FCoE enablement in the SAN backbone. Organizations can add a converged access layer and interoperate with existing SANs without disrupting the network. The QFX3500 allows up to 12 ports to be converted to Fibre Channel without additional switch hardware modules, and gateway functionality can be soft-provisioned with a software license to protect existing investments. The QFX3500 provides N-Port ID virtualization (NPIV) proxy functionality between FCoE-enabled servers and traditional Fibre Channel SANs. As a top-of-rack switch with FCoE-FC Gateway functionality, the QFX3500 presents itself as an FCoE-enabled switch to the rack or blade servers, and as a group of logical FC servers to the traditional Fibre Channel SAN.

iSCSI Transit Switch – As an iSCSI Transit Switch, the QFX3500 provides a pure IEEE DCB-converged network between iSCSI-enabled servers and iSCSI-enabled storage. The QFX3500 offers a full-featured DCB implementation that provides strong monitoring capabilities on the top-of-the-rack switch for storage and LAN administration teams, while maintaining a clear separation of management. The iSCSI Transit Switch functionality, notably Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), and Data Center Bridging Exchange (DCBX), including the iSCSI Application TLV, are included as part of the default software; no additional licenses are required.

Juniper Networks QFabric System Fibre Channel specifications follow:

Fibre Channel over Ethernet (FCoE)

FCoE Transit Switch (FIP snooping)

FCoE-FC Gateway

iSCSI Transit Switch (iSCSI tlv)

Fibre Channel Standard

Fibre Channel port speeds – 2, 4, 8 Gbps

Fibre Channel port types – N_Port and VF_Port (Fabric only mode)




Fibre Channel classes of service – Class 3

Fibre Channel services – N_Port Virtualizer Device (FCoE to FC)

Fibre Channel services – N_Port ID Virtualization (NPIV) gateway

FCoE Support – FC-BB-5 FC-BB_E, including FIP Snooping

Jumbo Frame Support


The Juniper Networks QFabric supports Jumbo Frames

Plug and Play Fabric formation that allows a new switch that joins the fabric to automatically become a member


The Director group in a QFabric system automatically recognizes when devices are added or replaced in the QFabric system. The Director group sends each device its own portion of the Junos OS configuration and adds the device to the QFabric system inventory. The QFabric system upgrades the Node device to the version of software installed on the QFX3100 Director devices.

Ability to remotely disable and enable individual ports


Yes, you can remotely disable and enable individual ports.

Support NetFlow or equivalent


QFabric: sFlow

Juniper Networks QFabric supports sFlow to monitor high-speed switched or routed networks. sFlow randomly samples network packets and sends the samples to a monitoring station. You can configure sFlow on the EX4200 to continuously monitor traffic at wire speed on all interfaces simultaneously.






The EX4200 adopts the distributed sFlow architecture. The sFlow agent has two separate sampling entities that are associated with each packet forwarding engine. These sampling entities are known as subagents. Each subagent has a unique ID that is used by the collector to identify the data source. A subagent has its own independent state and forwards its own sample messages to the sFlow agent. The sFlow agent is responsible for packaging the samples into datagrams and sending them to the sFlow collector. Because sampling is distributed




across subagents, the protocol overheads associated with sFlow are significantly reduced at the collector. If the mastership assignment changes in a Virtual Chassis setup, sFlow technology continues to function.






QFabric uses adaptive sampling to ensure both sampling accuracy and efficiency. Adaptive sampling is a process of monitoring the overall incoming traffic rate on the network device and providing intelligent feedback to interfaces to dynamically adapt their sampling rate to the traffic conditions. Interfaces on which incoming traffic exceeds the system threshold are penalized so that all violations can be regulated without affecting the traffic on other interfaces. Every five seconds, the agent checks interfaces to get the number of samples, and interfaces are grouped based on the slot that they belong to. The top five interfaces that produce the highest samples are selected. Using the binary backoff algorithm, the sampling load on these top five interfaces is reduced to half and adjusted on interfaces that have a lower sample rate. Therefore, when the processor limit is reached , the sampling rate is adapted so that it does not load the processor any further. If the switch is rebooted, the adaptive sample rate is reset to the user configured sample rate. Also, if you modify the sample rate, the adaptive sample rate changes.


5.2.8.5 Software Defined Networks (SDN) – Virtualized Switches and Routers

Technology utilized to support software manipulation of hardware for specific use cases.


JunosV Firefly

JunosV Firefly virtual security software is a significant innovation from Juniper that brings the power of the Junos operating system to x86-based virtualization environments. With JunosV Firefly, large enterprises and service providers can leverage their virtualization investment to create a granular security perimeter, giving dedicated security resources within a cloud construct to tenants and service subscribers. For some service providers this is the enabler to rolling out hosted cloud security services while for others it will mean expanded customer choice in deployment options spanning dedicated hardware, high-end hardware, and now, virtual machines.




5.2.8.6 Software Defined Networks (SDN) – Controllers

Controllers is an application in software-defined networking (SDN) that manages flow control to enable intelligent networking. SDN controllers are based on protocols, such as OpenFlow, that allow servers to tell switches where to send packets. The SDN controller lies between network devices at one end and applications at the other end. Any communications between applications and devices have to go through the controller. The controller uses multiple routing protocols including OpenFlow to configure network devices and choose the optimal network path for application traffic.


SDN and JunosV Contrail

Trio ASICs (used in the Juniper Networks MX series 3d universal edge routers) and one ASICs (used in the newly announced eX9200 Ethernet aggregation switch) are uniquely positioned to solve these challenges because of their flexible and programmable microcode architecture. Their ability to look deep into the encapsulated packets and extract the virtual network identifier allows them to maintain per-tenant statistics which aid in troubleshooting and debugging. Their ability to do fine-grained queuing allows them to provide per-tenant QoS, which helps to isolate tenants from each other, if needed. The micro programmable architecture also allows Juniper to support new data plane protocols without respinning the ASICs, which provides future proofing in the still developing area of SDN.

Furthermore, Juniper is building the virtual overlay (including service chaining) and the physical underlay in such a way that 1 + 1 will add up to more than 2. The virtual overlay will be aware of the physical underlay and vice versa. Some examples of the integration between virtual and physical world include:

Flow-through provisioning of the gateway functions, for example in EX series switches, QFabric ™ Family of Products, and MX series routers where the virtual network meets the physical network

Flow-through provisioning of service chaining, including the steering of traffic into the right service chains on the virtual and physical service appliances

Tenant awareness in the underlay for troubleshooting and QoS

Efficient and scalable solutions for dealing with broadcast and multicast traffic in the overlay without requiring multicast in the underlay

JunosV Contrail is a networking virtualization and intelligence system designed to increase business innovation, improve system-level orchestration, and decrease networking costs.

It works within the OpenStack and CloudStack architecture, and includes an open, standards-based SDN controller that virtualizes the network to enable automation and orchestration of hybrid cloud environments, elastic service chaining of network and security services, and a robust “Big Data for Infrastructure” (BDI) analytics engine providing a real-time view of the entire network.

JunosV Contrail is the industry’s first truly open standards-based IP solution that natively enables Network as a Service (NaaS) across heterogeneous and federated cloud networks.

Designed for cloud providers offering IaaS and enterprises delivering ITaaS in emerging application environments, JunosV Contrail software is a complete virtual network automation and intelligence system that offers a standards-based scale-out virtual overlay solution for




network virtualization, automated SDN service-chaining of L4-L7 services, and seamless resource delivery across any cloud.

Unlike closed, proprietary solutions which lack interoperability with existing networks, do not deliver network/service abstractions, and introduce single points of failure, JunosV Contrail is the industry’s first truly open standards-based IP solution that natively enables NaaS across heterogeneous and federated cloud networks.

With JunosV Contrail, the network is no longer a roadblock to speed and agility. It is a vehicle to business innovation.

5.2.8.7 Carrier Aggregation Switches

Carrier aggregation switches route traffic in addition to bridging (transmitted) Layer 2/Ethernet traffic. Carrier aggregation switches’ major characteristics are:


With continuous technology advances and ongoing standards development, Ethernet is rapidly becoming the technology of choice for both enterprises and service providers looking to provide connectivity and intelligent services. While in some respects the requirements may be different, today’s advanced services are dictating that both enterprises and service providers build networks that meet increasingly stringent requirements regarding QoS, network performance, and availability.




Designed for Metro Ethernet networks


Juniper Networks MX Series is optimized for Ethernet, and addresses a wide range of deployments, architectures, port densities, and interfaces for both service provider and enterprise environments. In both




markets, MX Series routers provide the scalable, high port density routing and switching required for applications such as data centers. For service providers, MX Series routers surpass the requirements of carrier Ethernet routing and switching as defined by the Metro Ethernet Forum, making Juniper Networks routers the platforms of choice for service providers seeking 3D Scaling in the Universal Edge. These features can also be deployed in high performance enterprise data centers and enterprise campus networks.

Designed for video and other high bandwidth applications


Built in 65-nanometer technology, Junos Trio includes four chips with a total of 1.5 billion transistors and 320 simultaneous processes, yielding total router throughput up to 2.6 terabits per second and up to 2.3 million subscribers per rack—far exceeding the performance and scale possible through off-the-shelf silicon. Junos Trio includes advanced forwarding, queuing, scheduling, synchronization, and end-to-end resiliency features, helping customers provide service-level guarantees for voice, video, and data delivery. Junos Trio also incorporates significant power efficiency features to enable more environmentally conscious data center and service provider networks.

Supports a variety of interface types, especially those commonly used by Service Providers


WAN interfaces for the multiservice edge – Provides support for most widely used multiservice interfaces, including OC3, OC12, and OC48, facilitating service delivery with a single versatile platform

Flexible Physical Interface Card (PIC) Concentrators (FPCs) support non-Ethernet interfaces on Juniper Networks MX Series. The MX FPC and PIC combination is used to support SONET/SDH interfaces.

MX FPCs use a modular architecture to provide a clean separation between Layer 3 and Layer 2 forwarding functionality on the PFE, and Layer 1 processing on PICs. The FPCs contain the PFE, made up of the I-CHIP and Ethernet Services Engine (ESE). PICs plug into the FPC to support the following functions:

Physical media connectivity

SONET/SDH, T3/E3, T1/E1 framing

HDLC processing

Deep-channelization of OC12 and OC48 interfaces to OC3, T3/E3, T1/E1 and NxDS0 sub-interfaces

CoS support on channelized interfaces, since the PFE on the FPCs support per-port queuing only

Two types of MX FPCs and PICs are supported on the MX Series. They vary in the port speeds supported as well the physical form factor of the PICs themselves.

Type3 MX FPCs – Support Type3 PICs. Each Type3 PIC typically supports an aggregate bandwidth of OC192 or 10 Gbps. The Type3 MX FPC supports PC form factor PICs that are also used on Juniper Networks T Series, M120, and M320 routers. Type3 PICs support OC192 and OC48 ports.

Type2 MX FPCs – Support Type2 PICs. Each Type2 PIC typically supports an aggregate bandwidth of up to OC48 or 4 Gbps. The Type2 MX FPC supports PB form factor PICs that are also used on Juniper Networks T Series, M120, and M320 routers. Type2 PICs support OC48, OC12, OC3, and deep-channelized OC48 and OC12 ports.




All Layer 3 and MPLS routing and forwarding functionality supported by the DPCs are supported on both the MX FPCs. The ESE NPU is used to support VPLS functionality on the MX FPCs for non-Ethernet interfaces.

Type3 MX FPCs and PICs can be used to provide non-Ethernet uplink functionality on MX platforms. Using the ESE NPU, the MX FPC provides VPLS functionality on PPP, Frame Relay, or Cisco HDLC encapsulated packets that contain Ethernet payload. The PICs perform the SONET and HDLC processing, and forward the packet to the ESE NPU. The ESE NPU extracts the Ethernet packets from the pseudo-wire and forwards the packet into a VPLS network using a Layer 2 forwarding table.

Type2 MX FPCs and PICs can be used to connect the MX to non-Ethernet access networks. The PICs support OC48, OC12, and OC3 ports. The Type2 MX FPC is also used to support deep channelization. IQE PICs provide flexible channelization from OC12 to OC3, T3/E3, T1/E1, and NxDS0 interfaces. They also support hierarchical CoS per channelized interface on the PIC.

Capabilities should include:

Redundant Processors


Yes, the Juniper MX series has redundant Routing Engines

Redundant Power


Yes, the Juniper MX series had redundant Power Supplies

IPv4 and IPv6 unicast and multicast


MX Series: IPv4 and IPv6 Routing Protocols

Junos implements full IP routing functionality, providing support for IPv4 and IPv6. The routing protocols are fully interoperable with existing IP routing protocols, and they have been developed to provide the scale and control necessary for the Internet core.

IPv4 Routing Protocol Support

Unicast Routing Protocols

Support for unicast routing protocols includes:

BGP – Border Gateway Protocol, version 4, is an exterior gateway protocol (EGP) that guarantees loop-free exchange of routing information between routing domains (also called autonomous systems). BGP, in conjunction with Junos routing policy, provides a system of administrative checks and balances that can be used to implement peering and transit agreements.

ICMP – Internet Control Message Protocol router discovery enables hosts to discover the addresses of operational routers on the subnet.

IS-IS – Intermediate System-to-Intermediate System is a link-state interior gateway protocol (IGP) for IP networks that uses the shortest-path-first (SPF) algorithm, which also is referred to as the Dijkstra algorithm,




to determine routes. The Junos IS-IS software is a new and complete implementation of the protocol, addressing issues of scale, convergence, and resilience.

OSPF – Open Shortest Path First, version 2, is an IGP that was developed for IP networks by the Internet Engineering Task Force (IETF). OSPF is a link-state protocol that makes routing decisions based on the SPF algorithm. The Junos OSPF software is a new and complete implementation of the protocol, addressing issues of scale, convergence, and resilience.

RIP – Routing Information Protocol, version 2, is an IGP for IP networks based on the Bellman-Ford algorithm. RIP is a distance-vector protocol. RIP dynamically routes packets between a subscriber and a service provider without the subscriber having to configure BGP or participate in the service provider’s IGP discovery process.

Multicast Routing Protocols

Support for multicast routing protocols includes:

DVMRP – Distance Vector Multicast Routing Protocol is a dense-mode (flood-and-prune) multicast routing protocol.

IGMP – Internet Group Management Protocol, versions 1 and 2, is used to manage membership in multicast groups.

MSDP – Multicast Source Discovery Protocol enables multiple Protocol Independent Multicast (PIM) sparse mode domains to be joined. A rendezvous point (RP) in a PIM sparse mode domain has a peer relationship with an RP in another domain, enabling it to discover multicast sources from other domains.

PIM sparse mode and dense mode – Protocol-Independent Multicast is a multicast routing protocol. PIM sparse mode routes to multicast groups that might span wide-area and interdomain internets. PIM dense mode is a flood-and-prune protocol.

SAP/SDP – Session Announcement Protocol and Session Description Protocol handle conference session announcements.

MPLS Applications Protocols

Support for MPLS applications protocols includes:

LDP – The Label Distribution Protocol provides a mechanism for distributing labels in nontraffic-engineered applications. LDP enables routers to establish label-switched paths (LSPs) through a network by mapping network-layer routing information directly to data-link layer switched paths. LSPs created by LDP can also traverse LSPs created by the Resource Reservation Protocol (RSVP).

MPLS – Multiprotocol Label Switching, formerly known as tag switching, enables you to manually or dynamically configure LSPs through a network. It lets you direct traffic through particular paths rather than rely on the IGP’s least-cost algorithm to choose a path.

RSVP – The Resource Reservation Protocol, version 1, provides a mechanism for engineering network traffic patterns that is independent of the shortest path decided upon by a routing protocol. RSVP itself is not a routing protocol; it operates with current and future unicast and multicast routing protocols. The primary purpose of the Junos RSVP software is to support dynamic signaling for MPLS LSPs.





Junos implements IP routing functionality for IPv6 to provide the scale and control necessary for the Internet core. Junos supports the following IPv6 unicast protocols:

BGP (v4)

ICMP

IS-IS

OSPF

RIP

High bandwidth





Low latency


Powered by Juniper Networks Junos operating system, the MX Series provides a consistent operating environment that streamlines network operations and improves the availability, performance, and security of all types of services supported at the Universal Edge. The MX Series maximizes investment protection by offering the most complete, advanced routing features in the industry without compromising performance. These features include:

Traffic segmentation and virtualization with MPLS;

Sophisticated virtualization techniques such as Virtual Chassis, logical systems, and ultra-low-latency multicast;

Comprehensive security and QoS implementations to accelerate delivery of time-sensitive applications and services.

The carrier-class reliability and high availability features available on the MX Series include graceful restart, nonstop routing (NSR), fast reroute (FRR), Unified In-Service Software Upgrade (ISSU), and VPLS multihoming.






MXs 5,10, 40, 80, 240, 480, 960, 2010 and 2020 have hot swappable power supplies. The MX 240 and up have hot swappable Fans

MPLS (Multiprotocol Label Switching)


As an industry leader in the development and deployment of MPLS, Juniper Networks leads the way in making it possible for enterprises and service providers to implement network architectures and services based on MPLS. Our MX Series provides a wide range of MPLS features and functionality powered by Junos OS. The feature richness of Junos OS provides the MX Series an advantage over other operating systems that are either too immature to support the required MPLS feature breadth or architected in a monolithic fashion, making them too complicated or unwieldy to efficiently manage.

MPLS has traditionally been found in network backbones to provide traffic engineering and allow the efficient transport of a wide range of Layer 2 and Layer 3 traffic such as IP, Frame Relay, and ATM. Extending MPLS to Ethernet networks provides complementary capabilities to help:

Deal with more traffic types.

Provide greater resiliency, QoS, restoration techniques, and OA&M diagnostic capabilities.

Further enable users to consolidate traffic types on a single, common IP/MPLS network.

BGP (Border Gateway Protocol)





IS-IS – Intermediate System-to-Intermediate System is a link-state interior gateway protocol (IGP) for IP networks that uses the shortest-path-first (SPF) algorithm, which also is referred to as the Dijkstra algorithm, to determine routes. The Junos IS-IS software is a new and complete implementation of the protocol, addressing issues of scale, convergence, and resilience.






Software router virtualization and/or multiple routing tables


The Juniper MX series can virtualize one device to many devices using services such as a Virtual Router, Logical Systems, and a Virtual Switch, which virtualizes physical routers as multiple logical entities

Policy based routing


Yes, the Juniper MX series supports Policy Based Routing

Layer 2 functionality

o Per VLAN Spanning Tree


Juniper Networks MX Series supports the VLAN Spanning Tree Protocol (VSTP). VSTP maintains a separate spanning tree instance for each VLAN, and is compatible with the Per-VLAN Spanning Tree Plus (PVST+) and Rapid-PVST+ protocols supported on Cisco Systems routers and switches.

o Rapid Spanning Tree


To provide Layer 2 loop prevention, Juniper Networks MX Series 3D Universal Edge routers support a range of STP varieties, including Rapid Spanning Tree protocol (RSTP), Multiple Spanning Tree Protocol (MSTP) and VLAN Spanning Tree Protocol (VSTP). In each of these flavors, a loop-free network is computed through the exchange of a special type of frame called bridge protocol data unit (BPDU), which contains information such as bridge IDs and root path costs.

o VLAN IDs up to 4096


The Juniper MX Series supports VLAN Identifiers 0 through 4095

o Layer 2 Class of Service (IEEE 802.1p)


Yes, the Juniper MX Series supports 801.1p




o Link Aggregation Control Protocol (LACP)


Yes, the Juniper MX supports LACP

o QinQ (IEEE 802.1ad)


Yes, the Juniper MX supports 802.1ad

5.2.8.8 Carrier Ethernet Access Switches

A carrier Ethernet access switch can connect directly to the customer or be utilized as a network interface on the service side to provide layer 2 services.

ACX Series: Overview and Models

Juniper Networks ACX Series Universal Access Routers are built to support adaptive services architecture, enabling rapid deployment of access services and transforming the network to create a seamless end-to-end service delivery platform. Many networks have reaped benefits from convergence in the core as well as on the edge, and a similar transformation is clearly required in the access network. The ACX Series is an architecture that extends operational intelligence to that network.

ACX Series routers include the fixed configuration ACX1000, ACX1100, ACX2000, and ACX2100 Universal Access Routers in a compact 1 RU form factor. These routers are environmentally hardened and support passive-cooling for easy deployments in outside street cabinets or environmental enclosures. The ACX4000 Universal Access Router is a modular 2.5 RU form factor access router with higher performance and configurable options for interface types. ACX Series Routers cost-effectively address current operator challenges to rapidly deploy new, high-bandwidth services. The ACX Series has a leading performance of up to 60 Gbps for all models, and the most comprehensive, traditional, and packet timing features.

The ACX Series is well-positioned to address the growing bandwidth needs in the access network. These platforms deliver the scale and performance needed to support multi-generation services. With support for extensive hardware and software features, the ACX Series extends the operational intelligence all the way to the access network.

Powered by Junos OS, the ACX Series family complements Juniper Networks Universal Edge and Universal WAN solutions, integrating the mobile network with a flexible, scalable enterprise branch routing portfolio. The ACX Series is optimized to support rapidly growing mobile, video, and cloud computing applications.

The ACX Series introduces Juniper Networks proven IP/MPLS leadership from core and edge into the access layers of the network while maintaining relative simplicity in the access network. The ACX Series delivers industry-leading performance and simplified end-to-end provisioning with support for full IP/MPLS with traffic engineering as well as extensive Layer 2 and Layer 3 functionality.

ACX Series features and support include:

Interfaces for both time-division multiplexing (TDM)

Ethernet high density (1GE, PoE, and 10GE)




High precision-clocking and synchronization

Mobile networks evolution path from 2G/2.5G to 3G/4G/Long Term Evolution (LTE)

A rich suite of Layer 2, Layer 3, and IP/MPLS functionality to provide large-scale, seamless MPLS networks with simplified service provisioning and operations

ACX Series Models

Juniper Networks ACX Series product line offers the following five models:

ACX1000 – Juniper Networks ACX1000 with fan-less passive cooling and a compact 1 RU (1.75 in.) form factor is an ideal access platform for external cabinet deployments. The fixed-port configuration includes eight T1/E1 interfaces, eight copper 1GE (10/100/1000) interfaces, and four 1GE combination ports (fiber or copper).

ACX1100 – Juniper Networks ACX1100 with fan-less passive cooling and a compact 1 RU (1.75 in.) form factor is an Ethernet-only access platform with a mix of copper and fiber 1GE interfaces. The fixed-port configuration includes four copper 10/100/1000 Mbps interfaces, four 1GE combination ports (copper or fiber interfaces), and four 1GE SFP ports.

ACX2000 – Juniper Networks ACX2000 with fan-less passive cooling provides a versatile access platform in a compact 1 RU (1.75 in.) fixed-form factor that includes TDM, 1GE, and 10GE interfaces. The fixed-port configuration includes 16 TDM (T1/E1) interfaces, eight copper 1GE interfaces with PoE+ (65W) capability on two ports, two 1GE SFP ports, and two10GE SFP+ ports.

ACX2100 – Juniper Networks ACX2100 with fan-less passive cooling in a compact 1 RU (1.75 in.) form factor is an ideal access router for high-speed bandwidth services. The fixed-port configuration includes 16 T1/E1 interfaces, four copper 10/100/1000 Mbps interfaces, four combination 1GE ports (copper or fiber), two 1GE SFP ports, and two 10GE SFP+ ports.

ACX4000 – Juniper Networks ACX4000 Universal Access Router is an environmentally hardened, actively cooled, 2 RU (2.5 in.) modular system that includes TDM, 1GE, and 10GE interfaces to provide a versatile access platform. The modular configuration includes 16 T1/E1 interfaces, eight copper 1GE interfaces, two 1GE SFP ports, two PoE+ ports, two 10GE SFP+ ports, and a choice of two modular interface cards (MICs).

Hot-swappable and field-replaceable integrated power supply and fan tray

AC or DC power supply with DC input ranging from 18V to 32 VDC and 36V to 72 VDC


ACX1100: Power Specifications

Power specifications for Juniper Networks ACX1100 follow:

DC power – -48 V or -60 V Telco nominal or +24 VDC nominal

AC power – 90 -240 VAC, for ACX1100-AC only

Maximum power draw:

o ACX1100 – 35 W

o ACX1100-DC – 40 W






DC power

o -48 V or -60 V Telco nominal or +24 VDC nominal

Maximum power draw – 70 W (plus PoE power)



DC power – -48 V or- 60 V Telco nominal or +24 VDC nominal

AC power – 90-240 VAC, for ACX-2100 only

Maximum power draw:

o ACX2100 – 60 W

o ACX2100-DC – 80 W




AC power – 90-240 VAC

Maximum power draw:

o Without MICs – 150 W

o Each MIC – 45 W

o Each PoE++ port – 65 W

Ethernet and console port for manageability


Yes, the Juniper ACX series can be managed via console or Ethernet

SD flash card slot for additional external storage


The Juniper ACX has a USB slot for external storage

Stratum 3 network clock


ACX hardware and software supports various clocking options where the chassis can lock to physical

layer based SyncE, PTP/1588v2 messages, line timing and BITS and drives out clock on T1/E1, BITS,




Synchronous Ethernet on FE/GE/XE ports and 1 PPS. ACX uses OCXO (Stratum 3E) type of oscillator.

Line-rate performance with a minimum of 62-million packets per second (MPPS) forwarding rate


The ACX Delivers line-rate performance with a packet forwarding capacity ranging from 36Mpps (ACX1000/1100) to 125 Mpps (AXC4000).

Support for dying gasp on loss of power


The Juniper Networks Junos operating system (Junos OS) for Juniper Networks ACX Series routers allows the Ethernet interfaces on these routers to support the IEEE 802.3ah standard for the Operation, Administration, and Maintenance (OAM) of Ethernet in access networks. The standard defines OAM link fault management (LFM). You can configure IEEE 802.3ah OAM LFM on point-to-point Ethernet links that are connected either directly or through Ethernet repeaters. The IEEE 802.3ah standard meets the requirement for OAM capabilities even as Ethernet moves from being solely an enterprise technology to a WAN and access technology, and the standard remains backward compatible with the existing Ethernet technology.

Ethernet OAM provides tools that network management software and network managers can use to determine how a network of Ethernet links is functioning. Ethernet OAM should:

• Rely only on the media access control (MAC) address or virtual LAN identifier for troubleshooting.

• Work independently of the actual Ethernet transport and function over physical Ethernet ports or a virtual service such as a pseudowire.

• Isolate faults over a flat (or single-operator) network architecture or nested or hierarchical (or multiprovider) networks.

The following OAM LFM features are supported on ACX Series routers:

• Discovery and Link Monitoring

The discovery process is triggered automatically when OAM is enabled on the interface. The discovery process permits Ethernet interfaces to discover and monitor the peer on the link if it also supports the IEEE 802.3ah standard. You can specify the discovery mode used for IEEE 802.3ah OAM support. In active mode, the interface discovers and monitors the peer on the link if the peer also supports IEEE 802.3ah OAM functionality. In passive mode, the peer initiates the discovery process. After the discovery process has been initiated, both sides participate in the process. The router performs link monitoring by sending periodic OAM protocol data units (PDUs) to advertise OAM mode, configuration, and capabilities.

You can specify the number of OAM PDUs that an interface can skip before the link between peers is considered down.

• Remote Fault Detection

Remote fault detection uses flags and events. Flags are used to convey the following:

o Link Fault means a loss of signal

o Dying Gasp means an unrecoverable condition such as a power failure

o Critical Event means an unspecified vendor-specific critical event

You can specify the interval at which OAM PDUs are sent for fault detection.

Note: ACX Series routers support the receipt of dying-gasp packets, but cannot generate them.




• Remote Loopback Mode

Remote loopback mode ensures link quality between the router and a remote peer during installation or troubleshooting. In this mode, when the interface receives a frame that is not an OAM PDU or a PAUSE frame, it sends it back on the same interface on which it was received. The link appears to be in the active state. You can use the returned loopback acknowledgement to test delay, jitter, and throughput.

If a remote data terminal equipment (DTE) supports remote loopback mode, Junos OS can place the remote DTE into loopback mode. When you place a remote DTE into loopback mode, the interface receives the remote loopback request and puts the interface into remote loopback mode. When the interface is in remote loopback mode, all frames except OAM PDUs and PAUSE frames are looped back. No changes are made to the frames. OAM PDUs continue to be sent and processed.

Support for a variety of small form factor pluggable transceiver (SFP and SFP+) with support for Device Object Model (DOM)


Onboard and modular interface options:

ACX1000 unit, 8xT1/E1, 8xGbE copper, 4xGbE combination (copper or SFP)

ACX1100 unit, 8xGbE copper and 4xGbE combination (copper or SFP),

ACX2000 unit, 16xT1/E1, 2x10GbE SFP+, 8xGbE copper with PoE++ on two ports, 2xGbE SFP

ACX2100 unit, 16xT1/E1, 2x10GbE SFP+, 4xGbE copper, 4xGbE combination (copper or fiber), 2xGbE SFP

ACX4000 modular unit, 2x10GbE SFP+, 8xGbE combo (copper/fiber) with PoE++ on two ports, 2xGbE SFP

6xGbE copper/SFP MIC for ACX4000

4xCHOC3/STM-1/1xCHOC12/STM-4 MIC for ACX4000

16x T1/E1 MIC for ACX4000

Timing services for a converged access network to support mobile solutions, including Radio Access Network (RAN) applications


ACX is a Cell/Hub Site Router (CSR/HSR), primarily targeted to deploy in mobile backhaul networks to hand off variety of TDM, ATM, and Ethernet traffic into IP/MPLS network. ACX can be directly connected to multiple variants of base stations (like BTS in 2G, NodeB in 3G and eNodeB in 4G) and can form a ring or mesh topology or can act as a head-end/aggregation node of the ring that can be connected to metro ring. Juniper Networks MX node can be used on the other side where the TDM, ATM and Ethernet traffic is handed over to the controller stations. On top of delivering various services, clocking is an important feature on ACX where it should be able to extract the network clock and pass on synchronization information to the base stations to help these nodes to be in sync with the controller stations.

Support for Synchronous Ethernet (SyncE) services





ACX hardware and software supports various clocking options where the chassis can lock to physical layer based SyncE, PTP/1588v2 messages, line timing and BITS and drives out clock on T1/E1, BITS, Synchronous Ethernet on FE/GE/XE ports and 1 PPS. ACX uses OCXO (Stratum 3E) type of oscillator.

Supports Hierarchical Quality of Service (H-QoS) to provide granular traffic shaping policies


ACX: QoS Features

QoS features supported by Juniper Networks ACX2000 include the following:

Firewall filters (ACLs):

o Standard firewall filter match conditions for MPLS traffic

o family inet

o family ccc/any

Policing:

o Per logical interface

o Per physical interface

o Per family

TrTCM (color aware, color blind)

SrTCM (color aware, color blind)

Host protection

8 queues per port

Priority queuing

Rate control

Scheduling with 2 different priorities

Low Latency Queue (LLQ)

WRED with 2 levels of DP

Classification:

o DSCP

o MPLS EXP

o IEEE 802.1p

Rewrite:

o DSCP

o MPLS EXP




o IEE 802.1p

o MPLS and DCP to different values

Supports Resilient Ethernet Protocol REP/G.8032 for rapid layer-two convergence


No the ACX does not support G.8032

5.2.9 Wireless

Provides connectivity to wireless devices within a limited geographic area. System capabilities should include:

The demands of a mobile workforce and the “consumerization” of IT have forever changed the requirements for enterprise-class wireless networking solutions. Legacy WLAN networks are challenged to support the onslaught of mobile devices accessing the network and the drain on network resources caused by a vast array of media-rich applications. You need a new network, one that can deliver always-on wireless access to the resources that give you a competitive advantage.

Juniper has delivered this network to thousands of customers around the globe. We have designed an innovative, high-performance wireless solution to address the challenges of today’s market and enable businesses to take advantage of the shifts taking place. Juniper WLAN products deliver the highest level of wireless LAN reliability, performance, security and management for the most demanding mobile applications and users.

With an understanding of your current wireless deployment and projected growth and applications, we propose the following Juniper Networks platforms as the ideal solution for meeting your short-term business goals and long-term architectural requirements:

Wireless LAN (WLAN) solution – Juniper Networks’ innovative wireless controllers, access points and management tools are the most scalable and reliable in the industry, and are the only ones that offer hitless failover for all sessions—even under the most extreme network failure conditions. The Juniper solutions also offer simple yet complete access control for guest, employee owned (BYOD) and corporate owned devices.

Redundancy and automatic failover


WLC Series controllers ensure the highest wireless LAN availability in the industry. They can be configured as a Virtual Controller Cluster to provide many-to-many redundancy without the need for expensive hot-standby controllers. This enables nonstop wireless availability with hitless failover for all sessions, even voice calls, in the unlikely event of a controller failure. It also allows for in-service maintenance with no impact on wireless availability. Additionally, with Juniper Networks RingMaster software, controller configurations can be obtained locally or from a remote location with automatic “no touch” deployment, and remote configuration and management capabilities.

IPv6 compatibility





Configuring IPv6 addresses is not supported, but IPv6 clients are supported. The WLC can view IPv6 session information and control IPv6 ACLs. The session information now includes:

IPv6 information of both dual-stack and IPv6 only clients.

16 of the most recent IPv6 addresses plus one local link address of a client.

For dual stack clients, the IPv4 session is kept for storing IPv6 addresses.

IPv6 packets are classified at QoS level based on the DSCP value. In the IPv6 header the six most significant bits of the Traffic class field are used for DSCP. For downstream traffic, the WLC marks the DSCP in the Tunnel encapsulation, based on 802.1p or DSCP value mapped to the internal CoS value. The WLA maps the Tunnel DSCP to the internal CoS value and marks the packet user priority based on the internal CoS value. For upstream traffic, the WLA classifies packets based on the user priority in the 802.11 header and maps this to the internal CoS value. Then, the WLA marks the DSCP value in the Tunnel header based on the internal CoS value. The WLC classifies the packet based on DSCP and maps it to the internal CoS value. Based on the internal CoS value, the WLC marks the 802.1p value and also the DSCP field if a tunnel is present

NTP Support


You can configure the system time and date statically or by using Network Time Protocol (NTP) servers. In each case, you can specify the offset from Coordinated Universal Time (UTC) by setting the time zone. You also can configure MSS to offset the time by an additional hour for daylight savings time or similar summertime period.

5.2.9.1 Access Points

A wireless Access Point (AP) is a device that allows wireless devices to connect to a wired network using Wi-Fi, or related standards. Capabilities should include:

802.11a/b/g/n


Juniper Wireless Portfolio support 802.11 a/b/g/n

802.11n


WLA321 – The WLA321 is an entry level 802.11n, single radio, 2x2 MIMO 2 spatial stream indoor WLAN access point with internal antennas. It delivers enterprise-class, high-speed 11n wireless LAN services for low-to-medium density environments, and supports spectrum analysis capability to ensure reliable RF coverage.

WLA322 – The WLA322 is an entry level 802.11n, dual radio, 2x2 MIMO 2 spatial stream indoor WLAN access point with internal antennas. It delivers enterprise-class, high-speed 11n wireless LAN services for low-to-medium density environments, and supports spectrum analysis capability to ensure reliable RF coverage.

WLA522 – The WLA522 is a high-performance 802.11n, dual-radio, 2x2 MIMO indoor WLAN access point designed for high-density deployments requiring maximum capacity.

WLA532 – The WLA532 is a high-performance, next-generation 802.11n, dual radio, 3x3 MIMO indoor WLAN access point designed for very high-density client environments accessing multimedia applications.




WLA632 – The WLA632 is a ruggedized 802.11n, dual-radio, 3x3 MIMO, outdoor access point designed for high-performance client access, bridging, and mesh services, with maximum range in extreme outdoor environments.

802.11ac


802.11AC is a roadmap item for the Juniper Wireless Solution and is on the Statement of Product roadmap or SOPD for Jan-Apr 2014

Capable of controller discovery method via DHCP (onsite controller or offsite through Cloud Architecture)


Yes, the Juniper WLAs can use DHCP Options (VSAs) to locate their controller.

UL2043 plenum rated for safe mounting in a variety of indoor environments


The Juniper WLA522E and WLA532E models are UL2043 plenum rated

Support AES-CCMP (128-bit)


Wi-Fi Protected Access (WPA) Personal is a Wi-Fi Alliance standard that uses preshared key authentication with Advanced Encryption Standard-Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP) and Temporal Key Integrity Protocol (TKIP) cipher suits. Both WPA and the newer WPA2 standards are supported. If you have both clients that support WPA2 and clients that only support WPA, you can configure the virtual access point to allow both types of clients to associate and authenticate.

http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-wlan/topic-37915.html

Provides real-time wireless intrusion monitoring and detection


WIDS/WIPS

ActiveScan – Simultaneous scanning and client services

SentryScan – Dedicated scanning and mitigation






5.2.9.2 Outdoor Wireless Access Points

Outdoor APs are rugged, with a metal cover and a DIN rail or other type of mount. During operations they can tolerate a wide temperature range, high humidity and exposure to water, dust, and oil. Capabilities should include:

Juniper Networks WLA632 Wireless LAN Access Point (shown in Figure xxx) is a ruggedized dual-radio 3x3 MIMO access point designed for outdoor deployment in all weather conditions. In addition to enabling wireless users to stay seamlessly connected as they roam from building to building, it also provides mesh services to extend wireless access in areas where Ethernet cabling cannot reach or is not desired. Point-to-point bridging is also supported, allowing the WLA632 to interconnect different sites over the air, without needing to lay or lease fiber.

The WLA632 comes with complete security and networking services, along with advanced performance and scalability features which enable the access points to offload controllers by inspecting and forwarding traffic locally and performing encryption and security enforcement at the access point. The WLA632 also provides band steering, client load balancing, dynamic authorization, QoS, and bandwidth management—all of which provide a more consistent user experience as traffic is more evenly distributed across controllers, access points, and radios. This also improves scalability, providing the same consistent user experience for thousands of mobile users and devices.

Flexible Deployment Options


Installation and configuration specifications for Juniper Networks WLA632 follow:

Mounting

o Outdoor pole mount brackets and swivel collar

Powering

o External PSU 48VDC with 8-pin (male) DIN connector



WIDS/WIPS









5.2.9.3 Wireless LAN Controllers

An onsite or offsite solution utilized to manage light-weight access points in large quantities by the network administrator or network operations center. The WLAN controller automatically handles the configuration of wireless access-points. Capabilities should include:

Juniper Networks WLC Series WLAN Controllers enable seamless integration of reliable, scalable, secure WLANs with existing wired infrastructures in installations of any size—from corporate small branch offices to the largest business or university campus.


The WLC Series is easily deployed over any existing Layer 2/Layer 3 wired network without disruption to the Layer 2/Layer 3 topologies. WLC Series controllers can also offload policy enforcement and data forwarding to Juniper Networks WLA Series Wireless LAN Access Points, resulting in optimized traffic flow, radically reduced latency, and massive scalability.

The WLC Series provides Layer 2 Ethernet switching, stateful per user and per service firewalls, wireless intrusion protection, 802.1Q trunking, Per-VLAN Spanning Tree Plus (PVST+), complete wired to wireless QoS, and automated radio frequency (RF) management.

The WLC Series delivers all of the standard security and networking functionality expected of wireless LANs with the added benefits of intelligent switching, identity-based roaming, bridging and mesh services, and nonstop wireless availability. These features are consistent and supported across every model. The WLC Series includes the following models.

Ability to monitor and mitigate RF interference/self-heal


WLC Series controllers play a key role in rogue and intrusion detection, as well as DoS attack detection. Working in conjunction with access points, the controllers systematically scan all 802.11 channels while simultaneously providing client services. When rogue or interference sources are detected, the WLC Series coordinates the appropriate mitigation response to ensure the highest air quality for efficient and high-performing wireless access services. If an access point goes out of service and leaves a coverage hole, WLC Series controllers can change channels or adjust power levels on multiple nearby access points in a coordinated fashion in order to restore Wi-Fi coverage.

Support seamless roaming from AP to AP without requiring re-authentication


WLC Series controllers give users the same identity-based services and privileges, no matter where they connect. The WLC Series offers seamless roaming at a single location, and it enables the same secure mobility and consistent service profiles at multiple locations in the same network.




Applying identity-based networking globally offers great benefits to users who frequently work at different sites (for example, doctors who serve at many hospitals with a hospital system, teachers across a school district, or IT users across multiple campuses). Whatever the experience a user has at one site, it can be replicated at another similar site.

Support configurable access control lists to filter traffic and denying wireless peer to peer traffic


Yes, this is supported

System encrypts all management layer traffic and passes it through a secure tunnel


The Juniper WLC products provides encryption of data path tunnels, between pairs of WLC and remote APs

Policy management of users and devices provides ability to de-authorize or deny devices without denying the credentials of the user, nor disrupting other AP traffic


Yes.



The Juniper WLAN solution provides the ability to configure and deploy access control lists to deny and restrict Layer 2 and Layer 3 traffic between client devices. The solution can also deny client traffic unless the client successfully receives an IP address via DHCP.

5.2.9.4 Wireless LAN Network Services and Management

Enables network administrators to quickly plan, configure and deploy a wireless network, as well as provide additional WLAN services. Some examples include wireless security, asset tracking, and location services. Capabilities should include:

Junos Space Network Director provides a single pane of glass view into both the wired and wireless networks, and creates a holistic, full lifecycle management solution for the network. Junos Space Network Director delivers:

Critical elements of advanced management applications by providing operational efficiency, expedited error

free service roll-out, enhanced visibility and fast troubleshooting.

Operational efficiency by employing a correlated view of various networks elements. It offers a holistic view of

every aspect of network operation to remove the need for disjointed applications throughout the lifecycle of

the network.

Faster roll-out and activation of services while protecting against configuration errors with profile-based

configuration and configuration pre-validation.

Single pane of glass management that provides a unified view of the network infrastructure including a

correlated view of overlay services and user experience on top of network infrastructure. Junos Space




Network Director also tracks aggregated utilization, network hotspots, failures, correlated RF data and usage

to a user level providing deep visibility and easy troubleshooting of connectivity, equipment and general

failures.

RingMaster Software is a management suite for planning, configuring, deploying, monitoring, and optimizing, an enterprise wireless LAN network. Single or multi-site wireless LAN networks can be managed from one RingMaster console.

RingMaster develops an accurate RF (radio frequency) plan for the building using scanned or generated floor

plans, outdoor obstacle maps, and the RF characteristics of common building materials. This wireless LAN

network planning software automatically determines the number of access points to install in any part of the

building, including a report to show technicians precisely where to install the access points.

Features:

Automated coverage, capacity, and voice planning for indoor and outdoor areas

802.11n planning for the 2.4 GHz and 5 GHz channels and planning for existing 802.11a/b/g networks

Integrated spectrum analysis with visualization and of reporting of interference sources and overall RF health

Configuration wizards to set up secure wireless LAN network services, including voice services, mesh

services, guest access services, customizable service profiles, and WPA/WPA2 803.1X-based secure

wireless access

Automated configuration of all wireless LAN network controllers and access points

Graphic dashboard for real-time data monitoring on wireless network status, traffic patterns, client

connectivity, access point and wireless LAN network controller status, and alarms

Client watch lists, for detailed troubleshooting of correlated client session data over extended time period

Customizable and standard reports, including inventory, client session summary, rogue summary, switch

configuration, and equipment installation

Security-related alarms, including rogue access points, DoS and probe attacks, and ad-hoc networks

Integration with other management applications via APIs and with wireless intrusion detection/prevention

systems (WIDs/WIPs)

Complete integration of SmartPass guest access, subscriber management and security features under the

same management console

Provide for redundancy and automatic failover


RingMaster leverages the redundancy and high availability capabilities of your VM infrastructure to provide for a resilient management solution.

Historical trend and real time performance reporting is supported


With periodic audits, RingMaster can detect such conditions as missing or incorrectly configured equipment and services. If a problem is found, RingMaster instantaneously sends out an alarm, with such notifications as client




authentication failures, spoofed media access control (MAC) addresses, controller failures, denial-of-service (DoS) attacks and Power over Ethernet (PoE) failures detected.

Reports can be generated ad hoc or according to predefined schedules, with the output stored on the RingMaster server and accessible via secure Internet connections or email. RingMaster stores one year of comprehensive historical records and 30 days of location history. A wide range of predefined report types are provided, including inventory, client session summary, clients per locale, SSID usage and availability, rogue summary, switch configuration, and equipment installation. Custom reports with access to almost any data set can be created, with a wide range of output and report sharing options.

Management access to wireless network components is secured


Traffic between RingMaster and the Wireless LAN Controllers (WLCs) is secured with 128 bit encryption.

SNMPv3 enabled


RingMaster, the controllers and the access points all support SNMPv3.

RFC 1213 compliant


All Juniper networks WLAN MIBS are enterprise MIBS.

Automatically discover wireless network components


Network Director can perform network discovery for wired and wireless Juniper network elements.

Capability to alert for outages and utilization threshold exceptions


All Juniper Networks wired and wireless management platforms have the ability to alert on outages, utilization threshold exceptions and a variety of other pertinent events.

Capability to support Apple’s Bonjour Protocol / mDNS


The Juniper WLAN solution includes Juniper Networks Bonjour Gateway, allowing the WLAN network to control Bonjour traffic in a very granular fashion, allowing policy to be set to allow all or only certain types of Bonjour devices to advertise across network boundaries.




QoS / Application identification capability


The Juniper Networks WLAN solution can apply QoS on a per user, per VLAN or per SSID basis. In the case of voice traffic, the Juniper Networks solution can also detect and apply QoS on voice traffic using SIP awareness. In conjunction with the rest of the Juniper networks solution, applications can be identified and policy can be applied to control specific traffic as needed.

5.2.9.5 Cloud-based services for Access Points

Cloud-based management of campus-wide Wi-Fi deployments and distributed multi-site networks. Capabilities include:

Zero-touch access point provisioning


As stated previously, the Juniper Networks WLAN solution can provide zero touch AP provisioning.

Network-wide visibility and control


Using Network Director and RingMaster, the administrators have complete network-wide visibility and highly granular control.

RF optimization,


RingMaster provides a complete tool set for RF planning and optimization. The Juniper solution also provides sophisticated tools for real time optimization of the RF environment by way of channel and power auto-tuning.

Firmware updates


Firmware updates can be done in place with minimal down time, on demand or at a scheduled time unattended.




5.2.9.6 Bring Your Own Device (BYOD)

Mobile Data Management (MDM) technology utilized to allow employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access privileged government information and applications in a secure manner. Capabilities should include:

Ability to apply corporate policy to new devices accessing the network resources, whether wired or wireless


The Juniper Networks WLAN portfolio includes both SmartPass and SmartPass Connect, which allow for user and client policy to be set to support BYOD programs and user driven device onboarding capabilities to greatly reduce the management overhead needed to maintain a large constituency of users.

Provide user and devices authentication to the network


The Juniper Networks WLAN solution supports the industry standard set of device and user authentication tools and features.

Provide secure remote access capability


N/A

Support 802.1x


N/A

Network optimization for performance, scalability, and user experience


N/A

5.3.0 Unified Communications (UC)

A set of products that provides a consistent unified user interface and user experience across multiple devices and media types. Unified Communications that is able to provide services such as session management, voice, video, messaging, mobility, and web conferencing. It can provide the foundation for advanced unified communications capabilities of IM and presence-based services and extends telephony features and capabilities to packet telephony network devices such as IP phones, media processing devices, Voice over IP (VoIP) gateways, and multimedia applications.

Additional services, such as unified messaging, multimedia conferencing, collaborative contact centers, and interactive multimedia response systems, are made possible through open telephony APIs. General UC solution capabilities should include:

High Availability for Call Processing





N/A

Hardware Platform High Availability


N/A

Network Connectivity High Availability


N/A

Call Processing Redundancy


N/A

5.3.0.1 IP Telephony

Solutions utilized to provide the delivery of the telephony application (for example, call setup and teardown, and telephony features) over IP, instead of using circuit-switched or other modalities. Capabilities should include:

Support for analog, digital, and IP endpoints


N/A

Centralized Management


N/A

Provide basic hunt group and call queuing capabilities


N/A

Flexibility to configure queue depth and hold time, play unique announcements and Music on Hold (MoH), log in and log out users from a queue and basic queue statistics (from the phone


N/A

E911 Support





N/A

5.3.0.2 Instant Messaging/ Presence

Solutions that allow communication over the Internet that offers quick transmission of text-based messages from sender to receiver. In push mode between two or more people using personal computers or other devices, along with shared clients, instant messaging basically offers real-time direct written language-based online chat. Instant messaging may also provide video calling, file sharing, PC-to-PC voice calling and PC-to-regular-phone calling.


N/A

5.3.0.3 Unified Messaging

Integration of different electronic messaging and communications media (e-mail, SMS, Fax, voicemail, video messaging, etc.) technologies into a single interface, accessible from a variety of different devices.

Ability to access and manage voice messages in a variety of ways, using email inbox, Web browser, desktop client, VoIP phone, or mobile phone


N/A

Visual Voicemail Support (Optional)


N/A

5.3.0.4 Contact Center

A computer-based system that provides call and contact routing for high-volume telephony transactions, with specialist answering “agent” stations and a sophisticated real-time contact management system. The definition includes all contact center systems that provide inbound contact handling capabilities and automatic contact distribution, combined with a high degree of sophistication in terms of dynamic contact traffic management.


N/A

5.3.0.5 Communications End Points and Applications

Attendant Consoles





N/A

IP Phones


N/A

5.3.0.6 UC Network Management

Provides end-to-end service management for Unified Communications. Capabilities include testing, performance monitoring, configuration management, and business intelligence reporting.


N/A

5.3.0.7 Collaboration

Voice, video, and web conferencing; messaging; mobile applications; and enterprise social software.


N/A

5.3.0.8 Collaborative Video

A set of immersive video technologies that enable people to feel or appear as if they were present in a location that they are not physically in. Immersive video consists of a multiple codec video system, where each meeting attendee uses an immersive video room to “dial in” and can see/talk to every other member on a screen (or screens) as if they were in the same room and provides call control that enables intelligent video bandwidth management.


N/A




5.3.0.8.1 Content Delivery Systems (CDS)

A large distributed system of servers deployed in multiple data centers connected by the Internet. The purpose of the content delivery system is to serve content to end-users with high availability and high performance.

CDSs serve content over the Internet, including web objects (text, graphics, URLs, and scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, on-demand streaming media, and social networks.


N/A

5.3.0.8.2 Physical Security

Technology utilized to restricting physical access by unauthorized people to controlled facilities. Technologies include:

a. Access control systems


N/A

b. Detection/Identification systems, such as surveillance systems, closed circuit television cameras, or IP camera networks and the associated monitoring systems.


N/A

c. Response systems such as alert systems, desktop monitoring systems, radios, mobile phones, IP phones, and digital signage


N/A

d. Building and energy controls


N/A




5.3.1 Services

For each Category above (5.21-5.30), the following services should be available for procurement as well at the time of product purchase or anytime afterwards.

5.3.1.1 Maintenance Services

Capability to provide technical support, flexible hardware coverage, and smart, proactive device diagnostics for hardware.



5.3.1.2 Professional Services

Deployment Services

o Survey/ Design Services – Includes, but not limited to, discovery, design, architecture review/validation, and readiness assessment.

o Implementation Services – Includes, but not limited to, basic installation and configuration or end-to-end integration and deployment.

o Optimization – Includes, but not limited to, assessing operational environment readiness, identify ways to increase efficiencies throughout the network, and optimize Customer’s infrastructure, applications and service management.

Remote Management Services – Includes, but not limited to, continuous monitoring, incident management, problem management, change management, and utilization and performance reporting that may be on a subscription basis.

Consulting/Advisory Services – Includes, but not limited to, assessing the availability, reliability, security and performance of Customer’s existing solutions.

Data Communications Architectural Design Services – Developing architectural strategies and roadmaps for transforming Customer’s existing network architecture and operations management.

Statement of Work (SOW) Services – Customer-specific tasks to be accomplished and/or services to be delivered based on Customer’s business and technical requirements.


Juniper Networks will comply to this request.

5.3.1.3 Partner Services

Provided by Contractor’s Authorized Partners/Resellers.

Subject to Contractor’s approval and the certifications held by its Partners/Resellers, many Partners/Resellers can also offer and provide some or all of the Services as listed above at




competitive pricing, along with local presence and support. As the prime, Contractor is still ultimately responsible for the performance of its Partners/ Resellers. Customers can have the option to purchase the Services to be directly delivered by Contractor (OEM) or its certified Partners/Resellers.



5.3.1.4 Training

Learning offerings for IT professionals on networking technologies, including but not limited to designing, implementing, operating, configuring, and troubleshooting network systems pertaining to items provided under the master agreement.



5.3.2 Adding Products

The ability to add new equipment and services is for the convenience and benefit of WSCANASPO, the Participating States, and all the Authorized Purchasers. The intent of this process is to promote “one-stop shopping” and convenience for the customers and equally important, to make the contract flexible in keeping up with rapid technological advances. The option to add new product or service categories and/items will expedite the delivery and implementation of new technology solutions for the benefit of the Authorized Purchasers.

After the contracts are awarded, additional IT product categories and/or items may be added per the request of the Contractor, a Participating State, an Authorized Purchaser or WSCA-NASPO. Additions may be ad hoc and temporary in nature or permanent. All additions to an awarded Contractor or Manufacturer’s offerings must be products, services, software, or solutions that are commercially available at the time they are added to the contract award and fall within the original scope and intent of the RFP (i.e., converged technologies, value adds to manufacturer’s solution offerings, etc.).






5.3.2.1 New Product from Contractors

If Contractor, a Participating State, an Authorized Purchaser or WSCA-NASPO itself requests to add new product categories permanently, then all awarded Contractors (Manufacturers) will be notified of the proposed change and will have the opportunity to work with WSCA to determine applicability, introduction, etc. Any new products or services must be reviewed and approved by the WSCA-NASPO Contract Administrator.



5.3.2.2 Ad Hoc Product Additions

A request for an ad hoc, temporary addition of a product category/item must be submitted to WSCA-NAPOS via the governmental entity’s contracting/purchasing officer. Ad hoc, temporary requests will be handled on a case-by-case basis.



5.3.2.3 Pricelist Updates

As part of each Contractor’s ongoing updates to its pricelists throughout the contract term, Contractor can add new SKUs to its awarded product categories that may have been developed in-house or obtained through mergers, acquisitions or joint ventures; provided, however, that such new SKUs fall within the Contractor’s awarded product categories.





6. Evaluation


Proposals will be evaluated for completeness and compliance with the requirements of this RFP by a sourcing team. The sourcing team may engage additional qualified individuals during the process to assist with technical, financial, legal, or other matters.

Except at the invitation of the sourcing team, no activity or comments from Offerors regarding this RFP shall be discussed with any member of the sourcing team during the evaluation process. An Offeror who contacts a member of the sourcing team in reference to this RFP may have its proposal rejected.

Each proposal must be submitted in Microsoft Word or Excel, or PDF labeled and organized in a manner that is congruent with the section number, headings, requirements, and terminology used in this RFP. Proposal documents must be use Arial font size 10. All proposals must be submitted in electronic form.



6.2 Administrative Requirements Compliance

The sourcing team will evaluate each proposal for compliance with administrative requirements. Non compliance with any of these requirements will render a proposal non-responsive. Only those proposals that pass the administrative requirements will be evaluated further.

In order to pass the Administrative Requirements, the following must be received by due date and time associated with this RFP as listed in Bid Sync.



6. Evaluation (cont.)



6.2.1 References

Vendor must provide a least three current account references for which your company provides similar Data Communications services for private, state and/or large local government clients (preferably government/public entities). Offerors are required to submit Attachment B - Reference Form, for business references. The business providing the reference must submit the Reference Form directly to the State of Utah, Division of Purchasing. It is the offeror’s responsibility to ensure that completed forms are received by the State of Utah Division of Purchasing on or before the proposal submission deadline for inclusion in the evaluation process. Business references not received, or not complete, may adversely affect the offeror’s score in the evaluation process. The Purchasing Division reserves the right to contact any or all business references for validation of information submitted.



6.3 Minimum Scope Requirements Compliance

The sourcing team will evaluate each proposal that passed the administrative requirements for compliance with Section 5.2 Data Communications Services – Requirements. Scope requirements are evaluated in terms of the breadth and depth of the offeror proposal for each of the section 5.2.1-5.3.0 Scope categories. Only those proposals in each section that score 70% or better will move on to cost evaluation.



6.4 Evaluation Criteria

The following table details how each proposal shall be evaluated on a basis of 100 points. An evaluation committee comprised of representatives from some WSCA-NASPO member States will be appointed by the WSCA-NASPO Contract Administrator to perform the proposal evaluation. All Offeror’s proposals will be initially reviewed for compliance with the mandatory general requirements in Section 3 and Sections 5.1.1-5.1.5 stated within the RFP. Any proposal failing to meet one or more mandatory requirement(s) will be considered non-responsive and deemed “unacceptable”, and will be eliminated from further consideration.

Those proposals deemed “acceptable” or “potentially acceptable” will be evaluated against the following proposal evaluation criteria using a point-based scoring methodology. Proposal evaluation criteria are listed in relative order of importance:







* Purchasing will use the following cost formula for the “Services”: The points assigned to each Offeror’s cost proposal will be based on the lowest proposal price. The offeror with the lowest Proposed Price will receive 100% of the price points. All other Offerors will receive a portion of the total cost points based on what percentage higher their Proposed Price is than the Lowest Proposed Price. An Offeror who’s Proposed Price is more than double (200%) the Lowest Proposed Price will receive no points. The formula to compute the points is: Cost Points x (2- Proposed Price/Lowest Proposed Price).

Purchasing will use the following cost formula for the “Product Offering Discount Percentage”: The points assigned to each Offeror’s cost proposal will be based on the highest discount percentage. The Offeror with the highest discount percentage will receive 100% of the price points. All other Offerors will receive a portion of the total cost points based on what percentage lower their discount percentage is than the highest discount percentage. An Offeror who’s Proposed percentage discount is less than double (200%) the highest discount percentage will receive no points. The formula to compute the points is: Cost Points x (2-Highest Proposed Discount/Proposed Discount).

6.4.1 Cost – (bid sheets including discounts off list price attached) – 30%

Given that technology products generally depreciate over time and go through typical product lifecycles, it is more favorable for customers to have prime contracts be based on minimum discounts off the Offeror’s’ commercially published pricelists versus fixed pricing. In addition, Offerors must have the ability to update and refresh their respective price books, as long as the agreed-upon discounts are fixed. Minimum guaranteed contract discounts do not preclude an Offeror and/or its authorized resellers from providing deeper or additional, incremental discounts at their sole discretion.



6.4.1.1 Refurbished Equipment

Many IT manufacturers offer refurbished equipment at a substantially lower cost with attractive warranties that also address risk concerns some customers may have with refurbished gear. Offerors may add an optional provision for manufacturer-certified refurbished equipment to be available for procurement under this contract. This offering will not be evaluated as part of the cost scoring process.


Juniper Networks does not offer refurbished equipment.

6.4.2 Demonstrate ability to provide products and services within scope of the RFP (Section 5.2-5.31) – 25%






6.4.3 Qualifications, technical ability, maintenance, training and value added services – 10%



6.4.4 Ability to supply to WSCA / NASPO member states/geographical coverage -10%



6.4.5 Offer profile and references

(i.e., financial stability, presence in marketplace, adequate staff, marketing efforts etc.) – 20%



6.4.6 Administrative

(i.e., report generating ability, e-commerce, account reps, problem resolution, customer satisfaction, website hosting and other administrative related issues) – 5%






At the option of the evaluation committee the WSCA-NASPO Contract Administrator may initiate discussion(s) with Offerors who submit responsive or potentially responsive proposals for the purpose of clarifying aspects of the proposal(s), however, proposals may be evaluated without such discussion(s). Such discussion(s) is not to be initiated by Offerors.

Based on the competitive range of the evaluation scores, the evaluation committee may choose to make a “finalist list” of offeror’s; if opted for, all offeror’s will be notified of their status at this juncture by the Procurement Manager.

Finalist Offeror’s may be required, at the option of the evaluation committee, to present their proposals and possibly demonstrate their Internet website to the evaluation committee. The Procurement Manager will schedule the time and location for each Offeror presentation. Each Offeror presentation will be of equal duration for all offeror’s and may also include an additional amount of time reserved for questions/answers.

The sourcing team will evaluate each proposal that has passed the administrative requirements and met or exceeded the Section 3 and Section 5.1.1-5.1.5 Mandatory Requirements.





7. Master Agreement Terms and Conditions/Exceptions

7.1 WSCA-NASPO Master Agreement Terms and Conditions

7.1.1 The WSCA-NASPO Contract Administrator referred to in section 2 of the WSCANASPO Master Agreement Terms and Conditions is Debra Gunderson, State of Utah Division of Purchasing and General Services. This RFP represents the WSCA-NASPO Contract Administrator’s written approval of the modifications, waivers, alterations, amendments, and supplements to the Master Agreement Terms and Conditions made in this RFP and this Section 7.


Juniper Networks understands and concurs.

7.1.2 Except as limited in this section or elsewhere in this RFP, Participating Entities who execute a Participating Addendum may alter, modify, supplement, or amend the WSCANASPO Master Agreement Terms and Conditions as necessary to comply with Participating Entity law or policy with respect to their orders under the Master Agreement. A Contractor may not deliver Products or perform services under this Master Agreement until a Participating Addendum acceptable to the Participating Entity and Contractor is executed. The WSCA-NASPO Terms and Conditions are applicable to any order by a Participating Entity, except to the extent altered, modified, supplemented or amended by a Participating Addendum. By way of illustration and not limitation, this authority may apply to unique delivery and invoicing requirements, confidentiality requirements, defaults on orders, governing law and venue relating to orders by a Participating Entity, Indemnification, and insurance requirements. Statutory or constitutional requirements relating to availability of funds may require specific language in some Participating Addenda in order to comply with applicable law. The expectation is that these alterations, modifications, supplements, or amendments will be addressed in the Participating Addendum or, with the consent of the Participating Entity and Contractor, may be included in the commitment voucher (e.g. purchase order or contract) used by the Participating Entity to place the order.



7.1.3 The term Purchasing Entity and Participating Entity shall both mean “Participating Entity” as that term is defined in WSCA-NASPO Master Agreement Terms and Conditions.



7. Master Agreement Terms and Conditions/Exceptions (cont.)



7.1.4 With respect to section 11, Indemnification, the terms of any Participating Addendum may alter, modify, supplement, or amend the language in section 11 and may include a limitation of liability mutually agreeable to the Participating Entity and the Contractor.



7.1.5 With regard to section 20, Participants, Participating Entities who are not states may under some circumstances sign their own Participating Addendum, subject to the approval of the Chief Procurement Official of the state where the Participating Entity is located. Contractors may upon request obtain a copy of the written authorization from the WSCA-NASPO Contract Administrator.



7.2 Offeror Exceptions to Terms and Conditions

7.2.1 The Lead State discourages exceptions to contract terms and conditions in the RFP, attached Participating Entity terms and conditions (if any), and the WSCA-NASPO Master Agreement Terms and Conditions. As specified in this RFP, exceptions may cause a proposal to be rejected as nonresponsive when, in the sole judgment of the Lead State (and its evaluation team), the proposal appears to be conditioned on the exception or correction of what is deemed to be a deficiency or unacceptable exception would require a substantial proposal rewrite to correct. Moreover, Offerors are cautioned that award may be made on receipt of initial proposals without clarification or an opportunity for discussion, and the nature of exceptions would be evaluated. Further, the nature of exceptions will be considered in the competitive range determination if one is conducted. Exceptions will be evaluated to determine the extent to which the alternative language or approach poses unreasonable, additional risk to the state, is judged to inhibit achieving the objectives of the RFP, or whose ambiguity makes evaluation difficult and a fair resolution (available to all vendors) impractical given the timeframe for the RFP.






7.2.2 The Lead State will entertain exceptions to contract terms and conditions in this RFP, including the WSCA-NASPO Master Agreement Terms and Conditions. Offerors are strongly encouraged to be judicious in identifying exceptions.


Juniper Networks understands. Juniper Networks has proposed exceptions and has attempted to be judicious as possible in such proposals.

7.2.3 Based on the market research conducted by the Lead State, the following provisions are intended to frame the contours of exceptions that may be acceptable, additional risk so long as the Offeror’s exceptions are specified with sufficient particularity.



7.2.4 The Lead State will consider Offeror standard terms for inspection and acceptance, so long as a reasonable time for acceptance is stated. However, the Participating Entities right to exercise revocation of acceptance under its Uniform Commercial Code must be preserved. Submit the standard terms with the offer and describe generally how commerciality in their use is established, e.g., identify publicly-available catalogs where the warranty terms are used and how long they have been in use.


Juniper Networks has provided its standard warranties have been in use since Juniper networks founding in 1996. All Juniper end user customers are entitled these warranties. When the end users first use a Juniper product, the Juniper warranties are triggered. End Users are notified about this in the documentation accompanying the Juniper products.

7.2.5 The Lead State will consider standard warranty and/or maintenance terms, but the alternative warranty and/or maintenance will be evaluated to determine whether they provide comparable protection to the warranty specified in section 30 of the WSCANASPO Master Agreement Terms and Conditions. Provide the terms of the warranty and maintenance in the offer. Also describe generally how commerciality is established for those terms, e.g., publicly-available catalogs the warranty terms are used and how long they have been in use. Provide one reference from a customer having comparable sales volume who is using the warranty and maintenance provisions, where the warranty term has expired, and who has exercised rights under the warranty.


Please see Juniper Networks response to 7.2.4.




7.2.6 Intellectual property. The Lead State will consider license terms and conditions that as a minimum convey to Participating Entities a nonexclusive, irrevocable, perpetual, paid-up, royalty free license to use software or other intellectual property delivered with or inherent in the commodity or service, and to transfer the license rights to third parties for government purposes. Provide the terms of the license, including any terms that cover third party intellectual property used in the Offeror’s solution. Offerors should be aware that Participating Entities using federal funds may be required to negotiate additional or different terms to satisfy minimum rights requirements of their federal grants.


Juniper Networks has provided its standards End User License Agreement that is provided with all products provided to End User customers.

7.2.7 Any limitation of liability provision – including any exclusion of damages clause – proposed by an Offeror to be the default limitation of liability provision under the Master Agreement must preserve a reasonable amount of direct damages for breach of contract, additionally permit the Participating Entity to recoup amounts paid for supplies or services not finally accepted (as in the case of advance or progress payments, if used), and preserve the right of the Participating Entity to be held harmless from costs of litigation as well as ultimate liability within limits agreed by the parties.

Moreover, any limitation of liability clause proposed by an Offeror should be reciprocal, cover lost profits, and exclude claims or liability arising out of intellectual property infringement, bodily injury (including death), damage to tangible property, and data breach. Include the text of any such language if proposed. Further, provide contact information for a public entity, or private entity if no public entity exists, where the limitation of liability clause (or another clause substantially similar) operated to limit liability. If no such example exists, provide contact information for a state, or if no state exists, a higher education institution, or if none exists, a city or county represented by counsel in the negotiations who has agreed to the proposed terms and conditions.


Juniper Networks has provided limitation of liability language that the State has accepted previously as evidenced by publicly available documents.

7.2.8 The enumerated examples in subsection 7.2 are not intended to limit the ability of Offerors to propose additional, reasonable exceptions. For any other exception, where the exception is based on claims of standard or normal commercial practice, provide contact information for a state, or if no state exists, a higher education institution, or if none exists, a city or county represented by counsel in the negotiations who has agreed to the proposed terms and conditions.


Juniper Networks currently manages a contract with the State of New York, Florida, and Texas. Contacts are below:




Karen Rogers State of New York (518) 486-9298 [email protected]

David Bennett State of Florida (850) 921-4072 [email protected]

Lisa Maldonado State of Texas (512) 463-5662 [email protected]

7.3 WSCA-NASPO eMarket Center

7.3.1 In July 2011, WSCA-NASPO entered into a multi-year agreement with SciQuest, Inc. whereby SciQuest will provide certain electronic catalog hosting and management services to enable eligible WSCA-NASPO entity’s customers to access a central online website to view and/or shop the goods and services available from existing WSCANASPO Cooperative Contracts. The central online website is referred to as the WSCANASPO eMarket Center Contractor shall either upload a hosted catalog into the eMarket Center or integrate a punchout site with the eMarket Center.

Supplier’s Interface with the eMarket Center

There is no cost charged by SciQuest to the Contractor for loading a hosted catalog or integrating a punchout site.

At a minimum, the Contractor agrees to the following:

1. Implementation Timeline: WSCA-NASPO eMarket Center Site Admin shall provide a written request to the Contractor to begin enablement process. The Contractor shall have fifteen (15) days from receipt of written request to work with WSCA-NASPO and SciQuest to set up an enablement schedule, at which time SciQuest’s technical documentation shall be provided to the Contractor. The schedule will include future calls and milestone dates related to test and go live dates. The contractor shall have a total of Ninety (90) days to deliver either a (1) hosted catalog or (2) punch-out catalog, from date of receipt of written request.

2. Definition of Hosted and Punchout: WSCA-NASPO and SciQuest will work with the Contractor, to decide which of the catalog structures (either hosted or punch-out as further described below) shall be provided by the Contractor. Whether hosted or punch-out, the catalog must be strictly limited to







the Contractor’s awarded contract offering (e.g. products and/or services not authorized through the resulting cooperative contract should not be viewable by WSCA-NASPO Participating Entity users).

a. Hosted Catalog. By providing a hosted catalog, the Contractor is providing a list of its awarded products/services and pricing in an electronic data file in a format acceptable to SciQuest, such as Tab Delimited Text files. In this scenario, the Contractor must submit updated electronic data annually to the eMarket Center for WSCANASPO Contract Administrator’s approval to maintain the most up-todate version of its product/service offering under the cooperative contract in the eMarket Center.

b. Punch-Out Catalog. By providing a punch-out catalog, the Contractor is providing its own online catalog, which must be capable of being integrated with the eMarket Center as a. Standard punch-in via Commerce eXtensible Markup Language (cXML). In this scenario, the Contractor shall validate that its online catalog is up-to-date by providing a written update quarterly to the Contract Administrator stating they have audited the offered products/services and pricing listed on its online catalog. The site must also return detailed UNSPSC codes (as outlined in line 3) for each line item. Contractor also agrees to provide e-Quote functionality to facilitate volume discounts.

3. Revising Pricing and Product Offerings: Any revisions (whether an increase or decrease) to pricing or product/service offerings (new products, altered SKUs, etc.) must be pre-approved by the WSCA-NASPO Contract Administrator and shall be subject to any other applicable restrictions with respect to the frequency or amount of such revisions. However, no cooperative contract enabled in the eMarket Center may include price changes on a more frequent basis than once per quarter. The following conditions apply with respect to hosted catalogs:

a. Updated pricing files are required by the 1st of the month and shall go into effect in the eMarket Center on the 1st day of the following month (i.e. file received on 1/01/14 would be effective in the eMarket Center on 2/01/14). Files received after the 1st of the month may be delayed up to a month (i.e. file received on 11/06/14 would be effect in the eMarket Center on 1/01/15).

b. Contract Administrator-approved price changes are not effective until implemented within the eMarket Center. Errors in the Contractor’s submitted pricing files will delay the implementation of the price changes in eMarket Center.

4. Supplier Network Requirements: Contractor shall join the SciQuest Supplier Network (SQSN) and shall use the SciQuest’s Supplier Portal to import the Contractor’s catalog and pricing, into the SciQuest system, and view reports on catalog spend and product/pricing freshness. The Contractor can receive orders through electronic delivery (cXML) or through low-tech options such as fax. More information about the SQSN can be found at: www.sciquest.com or call the SciQuest Supplier Network Services team at 800-233-1121.

5. Minimum Requirements: Whether the Contractor is providing a hosted catalog or a punch-out catalog, the Contractor agrees to meet the following requirements:

a. Catalog must contain the most current pricing, including all applicable administrative fees and/or discounts, as well as the most up-to-date product/service offering the Contractor is authorized to provide in accordance with the cooperative contract; and

b. The accuracy of the catalog must be maintained by Contractor throughout the duration of the cooperative contract between the Contractor and the Contract Administrator; and

c. The Catalog must include a Lead State contract identification number; and

d. The Catalog must include detailed product line item descriptions; and

e. The Catalog must include pictures when possible; and




f. The Catalog must include any additional WSCA-NASPO and Participating Addendum requirements.*

6. Order Acceptance Requirements: Contractor must be able to accept Purchase Orders via fax or cXML.

a. The Contractor shall provide positive confirmation via phone or email within 24 hours of the Contractor’s receipt of the Purchase Order. If the Purchasing Order is received after 3pm EST on the day before a weekend or holiday, the Contractor must provide positive confirmation via phone or email on the next business day.

7. UNSPSC Requirements: Contractor shall support use of the United Nations Standard Product and Services Code (UNSPSC). UNSPSC versions that must be adhered to are driven by SciQuest for the suppliers and are upgraded every year. WSCA-NASPO reserves the right to migrate to future versions of the UNSPSC and the Contractor shall be required to support the migration effort. All line items, goods or services provided under the resulting statewide contract must be associated to a UNSPSC code. All line items must be identified at the most detailed UNSPSC level indicated by segment, family, class and commodity. More information about the UNSPSC is available at: http://www.unspsc.com and http://www.unspsc.com/FAQs.asp#howdoesunspscwork.

8. Applicability: Contractor agrees that WSCA-NASPO controls which contracts appear in the eMarket Center and that WSCA-NASPO may elect at any time to remove any supplier’s offering from the eMarket Center.

9. The WSCA-NASPO Contract Administrator reserves the right to approve the pricing on the eMarket Center. This catalog review right is solely for the benefit of the WSCA-NASPO Contract Administrator and Participating Entities, and the review and approval shall not waive the requirement that products and services be offered at prices (and approved fees) required by the Master Agreement.

* Although suppliers in the SQSN normally submit one (1) catalog, it is possible to have multiple contracts applicable to different WSCA-NASPO Participating Entities. For example, a supplier may have different pricing for state government agencies and Board of Regents institutions. Suppliers have the ability and responsibility to submit separate contract pricing for the same catalog if applicable. The system will deliver the appropriate contract pricing to the user viewing the catalog.

Several WSCA-NASPO Participating Entities currently maintain separate SciQuest eMarketplaces, these Participating Entities do enable certain WSCA-NASPO Cooperative Contracts. In the event one of these entities elects to use this WSCA-NASPO Cooperative Contract (available through the eMarket Center) but publish to their own eMarketplace, the Contractor agrees to work in good faith with the entity and WSCA-NASPO to implement the catalog. WSCA-NASPO does not anticipate that this will require substantial additional efforts by the Contractor; however, the supplier agrees to take commercially reasonable efforts to enable such separate SciQuest catalogs.


Juniper networks will comply with this request.

http://www.unspsc.com/FAQs.asp#howdoesunspscwork



Appendix A. Product Overviews

MX Series

Juniper Networks MX Series 3D Universal Edge Routers are the only routers designed to provide the 3D scaling necessary to address today’s advanced Ethernet requirements. MX Series routers are purpose-built with full routing and switching capabilities to deliver the lowest cost per port without sacrificing performance, reliability, scalability, or functionality. Powered by Juniper Networks Junos operating system and high-performance silicon, such as the I-Chip and Junos Trio chipset, the MX Series enables service providers and enterprises to adapt to—and profit from—Ethernet services in a changing market.

Ethernet-based services present a significant new revenue opportunity for service providers across all market segments. These business, mobile, and residential services include VPNs, point-to-point connectivity, high-speed Internet access, and video-based offerings. With continuous technology advances and ongoing standards development, Ethernet is increasingly the technology of choice at the service provider edge—and Juniper Networks MX Series routers are capable of supporting all of these services.

The MX Series provides the 3D scale, maximum performance, availability, and service agility that enterprises and service providers need to gain a competitive advantage in today’s Ethernet environment. These high-performance Ethernet routers function as a Universal Edge platform capable of supporting all types of business, mobile, and residential services. With powerful switching and security features, the MX Series delivers unmatched flexibility and reliability to support advanced services and applications. MX Series routers also separate control and forwarding functions to provide maximum scale and intelligent service delivery capabilities.


Powered by Junos OS, the MX Series provides a consistent operating environment that streamlines network operations and improves the availability, performance, and security of all types of services supported at the Universal Edge. It offers the most complete, advanced routing features in the industry without compromising performance, which maximizes investment protection. These features include traffic segmentation and virtualization with MPLS, ultra low-latency multicast, as well as comprehensive security and QoS implementations to accelerate delivery of time-sensitive applications and services.


Graceful restart

Nonstop routing

Fast reroute (FRR)



VPLS multihoming

Appendix A. Product Overviews (cont.)



MX Series Models

MX Series models follow:

MX5 – Juniper Networks MX5 midrange router (shown in Figure 1) is a versatile platform for small-scale environments with space and power constraints and is suitable for both enterprise and service provider networks needing full MX Series features and capabilities in a compact form factor. Only 2 RU high, this cost-effective router supports one MIC slot and is software upgradable to MX10, MX40, or MX80.

Figure 1. Juniper Networks MX5 3D Universal Edge Router.

MX10 – Juniper Networks MX10 midrange router (shown in Figure 2) is a cost-effective, versatile platform in a compact form factor. The MX10 is suitable for enterprise and service provider networks with space and power constraints that require the full MX Series features and capabilities in a compact form factor. This router measures 2 RU high, supports two MIC slots, and is software upgradable to the MX40 or MX80.


MX40 – Juniper Networks MX40 midrange router (shown in Figure 3) is suitable for small-scale environments with space and power constraints, as well as enterprise and service provider networks needing the versatility of complete MX Series features and capabilities. This router supports two MIC slots and is software upgradable to MX80. Only 2 RU high, this router is designed to help customers drive down their TCO and increase operational efficiencies in both enterprise and service provider deployments without service compromise.


MX80 – Juniper Networks MX80 (shown in Figure 4) is the most compact member of the MX Series product family. Only 2 RU high and equipped with front-end accessible redundant power supplies and fans, this platform is perfectly suited for environments requiring full Ethernet capabilities, but facing space or power constraints. In the enterprise, the MX80 and MX80-48T can be deployed in campus, small sites, and small data center WAN connectivity; and service providers can utilize the MX80 for mobile backhaul hub site aggregation, metro ring access nodes, cable and Multitenant Unit (MTU) aggregation, distributed PE and high-end CPE.





MX104 – Juniper Networks MX104 (shown in Figure 5) is a modular, full-featured MX Series platform for space- and power-constrained service provider and enterprise facilities. Optimized for the aggregation of mobile, enterprise WAN, business, and residential access services, the MX104 can also deliver edge services for metro providers. The MX104 comes in a space-efficient 3.5 RU, ETSI compliant chassis and supports 80 Gbps of throughput—setting a new benchmark for port density in its product category.


MX240 – Juniper Networks MX240 (shown in Figure 6) delivers increased port density over traditional carrier Ethernet platforms as well as performance, scalability, and reliability in a space-efficient package. The MX240 offers fully redundant hardware that includes a redundant Switch Control Board (SCB) and Routing Engines (REs) to increase system availability.


MX480 – Juniper Networks MX480 (shown in Figure 7) provides a dense, highly redundant platform primarily targeted for medium to large enterprise campus and data centers, as well as dense dedicated access aggregation and provider edge services in medium and large POPs. The MX480 offers common hardware redundancy including the SCBs, REs, fan trays, and power supplies.


MX960 – Juniper Networks MX960 (shown in Figure 8) is a high-density Layer 2 and Layer 3 Ethernet platform designed for deployment in a number of enterprise and service provider Ethernet scenarios. For service providers, the wide range of Ethernet services provided by the MX960 include VPLS services for multi-point connectivity, Virtual Leased Line for point-to-point services, full support for MPLS VPNs throughout the Ethernet network, Ethernet aggregation at the campus/enterprise edge, and Ethernet aggregation at the multiservice edge. In the enterprise, the MX960 can be used for campus and data center core and aggregation, and as a WAN gateway.






MX2010 – Expanding the breadth of Juniper Networks Universal Edge portfolio, the MX2010 (shown in Figure 9) provides service providers a common system and service delivery platform with variants that cover every market and geography, and offers the highest capacity and density for aggregation of massive numbers of businesses and consumers, in a highly reliable, resilient architecture. The MX2010 is built upon a highly scalable, redundant switch fabric, and a powerful, fully redundant control plane, providing a flexible, scalable, pay-as-you-grow power system supporting DC or AC power sources designed to be highly efficient now and for many years to come. The MX2010 delivers all of the benefits of the MX2020 and shares a common set of components and cards in a smaller, 10-slot form factor. Eight SFBs are installed to deliver 8.6 Tbps of switching capacity at inception. The MX2010 supports the same line cards as the MX2020 and offers the same powerful feature set as the MX Series family of products.





MX2020 – Expanding the breadth of Juniper Networks Universal Edge portfolio—from the 20 Gbps MX5 router to the 80 Tbps MX2020—the MX2020 (shown in Figure 10) gives service providers a common system and service delivery platform with variants that cover every market and geography, and offers the highest capacity and density for aggregation of massive numbers of businesses and consumers, in a highly reliable, resilient architecture. The MX2020 is built upon a highly scalable, redundant switch fabric, and a powerful, fully redundant control plane, providing a flexible, scalable, pay-as-you-grow power system supporting DC or AC power sources designed to be highly efficient now and for many years to come. The MX2020 is a full rack, 20-slot Universal Edge routing platform that has been designed to scale to 80 Tbps (half-duplex) over the long haul. Eight Switch Fabric Boards (SFBs) are installed to deliver 17.2 Tbps of switching capacity at inception. Designed to fit into a standard 19-inch, 45 RU, 4-post equipment rack, the MX2020 is a fully redundant design for all common components, including fan trays, power supplies, and power cabling. Both -48 V DC or AC power modules are offered. AC power is available in Delta or Wye 3-phase configurations.





MX Series Literature

For all Juniper Networks MX Series literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/routing/mx-series/#literature

PTX Series

Juniper Networks PTX Series Packet Transport Routers are a portfolio of high-performance platforms designed for the service provider Converged Supercore. These routers deliver powerful capabilities based on innovative silicon and forwarding architecture optimized for MPLS and Ethernet, with integrated, coherent 100GE technology. The PTX Series delivers several critical core functionalities, including game changing density and scalability, cost optimization, high availability, and network simplification.

The PTX Series is based on Juniper Networks Junos Express chipset—part of the Junos family of processors. Express uses state-of-the-art 40 nm fabrication technology and is built with “no packet drop” assurance. The PTX Series is designed to scale beyond 2 Tbps per slot and provides significant cost reduction over traditional core transport solutions.

http://www.juniper.net/us/en/products-services/routing/mx-series/#literature




Juniper Networks PTX Series provides a unique combination of hardware and software features, allowing service providers to manage their supercore networks more efficiently. These platforms are built from the ground up for speed, scale, and cost optimization. In addition, the PTX Series adapts to rapidly changing traffic patterns for video, mobility, and cloud-based services. It is the first supercore packet router in the industry that supports a single chassis with 8 Tbps capacity. Its modular power design allows power efficiency on the order of 1 watt per Gbps—less than half the requirements of competitive platforms.

A PTX Series router, working in conjunction with Juniper Networks T Series Core Routers, allows a service provider to build a core network that is flexible enough to accommodate:

Dynamically changing traffic patterns for applications;

Data center consolidation;

Mobility for devices, users, and applications;

An increase in bandwidth-intensive applications such as HD video.

The integration of optical transport with 100GE coherent technology further improves the economics of the core network. The seamless integration of IP/MPLS and optical control plane facilitates modeling, planning, simulation, provisioning, seamless management, and restoration of multiservice core networks deploying PTX Series platforms.

Juniper Networks offers the following PTX Series models:

PTX3000

Juniper Networks PTX3000 is a 22 RU, 8-slot system with less than 300 mm depth. With a 4 Tbps capacity in one-fourth the form factor of the competition, it is the world’s most compact high-end router. It supports up to eight FPCs, each of which supports one PIC. The PTX3000 can support 16x100GE interfaces on a single device, with either gray or coherent optic technology. It can be used as a supercore router, in the metro networks, or IP backbone networks, delivering statistical multiplexing and dynamic label-switched path (LSP) creation and management. With its ultra-optimized form factor, the PTX3000 is ideally positioned for IP/MPLS cores, metro cores, central offices, and co-location facilities, providing all operators with efficient packet-transport architectures.

PTX5000

Juniper Networks PTX5000 is a 36 RU, 8-slot system. It supports up to eight FPCs, with each FPC supporting two PICs. The PTX5000 can be used as a supercore router, delivering statistical multiplexing and dynamic label-switched path (LSP) creation and management. In addition, the PTX5000 supports up to 32x100GE coherent interfaces, and is the densest fully integrated packet transport system in the market, functioning as a packet optical node delivering functionality for multiple layers with a consistent operating system-based platform without going to multi-chassis. The PTX5000 can be used to build a Converged Supercore with a higher capacity compared to a core router, and it includes optical transport capabilities.

PTX Series Literature

For all PTX Series literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/produ\cts-services/packet-transport/ptx-series/#literature

ACX Series

Juniper Networks ACX Series Universal Access Routers are built to support adaptive services architecture, enabling rapid deployment of access services and transforming the network to create a seamless end-to-end

http://www.juniper.net/us/en/products-services/packet-transport/ptx-series/#literature




service delivery platform. Many networks have reaped benefits from convergence in the core as well as on the edge, and a similar transformation is clearly required in the access network. The ACX Series is an architecture that extends operational intelligence to that network.


The ACX Series is well-positioned to address the growing bandwidth needs in the access network. These platforms deliver the scale and performance needed to support multi-generation services. With support for extensive hardware and software features, the ACX Series extends the operational intelligence all the way to the access network. Powered by Junos OS, the ACX Series family complements Juniper Networks Universal Edge and Universal WAN solutions, integrating the mobile network with a flexible, scalable enterprise branch routing portfolio. The ACX Series is optimized to support rapidly growing mobile, video, and cloud computing applications.



Interfaces for both time-division multiplexing (TDM) and Ethernet (high-density 1GE, PoE, and 10GE)


Mobile networks evolution path from 2G/2.5G to 3G/4G/ LTE

Diverse interface requirements for enterprise applications


ACX Series Models


ACX1000 – Juniper Networks ACX1000 (shown in Figure 11) with fan-less passive cooling and a compact 1 RU (1.75 in.) form factor is an ideal access platform for external cabinet deployments. The fixed-port configuration includes eight T1/E1 interfaces, eight copper 1GE (10/100/1000) interfaces, and four 1GE combination ports (fiber or copper).

Figure 11. Juniper Networks ACX1000 Universal Access Router.

ACX1100 – Juniper Networks ACX1100 (shown in Figure 12) with fan-less passive cooling and a compact 1 RU (1.75 in.) form factor is an Ethernet-only access platform with a mix of copper and fiber 1GE interfaces. The fixed-port configuration includes four copper 10/100/1000 Mbps interfaces, four 1GE combination ports (copper or fiber interfaces), and four 1GE SFP ports.





ACX2000 – Juniper Networks ACX2000 (shown in Figure 13) with fan-less passive cooling provides a versatile access platform in a compact 1 RU (1.75 in.) fixed-form factor that includes TDM, 1GE, and 10GE interfaces. The fixed-port configuration includes 16 TDM (T1/E1) interfaces, eight copper 1GE interfaces with PoE+ (65W) capability on two ports, two 1GE SFP ports, and two10GE SFP+ ports.




ACX4000 – Juniper Networks ACX4000 Universal Access Router (shown in Figure 15) is an environmentally hardened, actively cooled, 2 RU (2.5 in.) modular system that includes TDM, 1GE, and 10GE interfaces to provide a versatile access platform. The modular configuration includes 16 T1/E1 interfaces, eight copper 1GE interfaces, two 1GE SFP ports, two PoE+ ports, two 10GE SFP+ ports, and a choice of two modular interface cards (MICs).


ACX Series Literature

For all ACX Series literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/routing/acx-series/#literature

SRX Series for the Branch


http://www.juniper.net/us/en/products-services/routing/acx-series/#literature






Perimeter security

Content security





Best-in-class firewall and VPN technologies secure the perimeter with minimal configuration and consistent performance. By using zones and policies, even new network administrators can configure and deploy an SRX Series gateway quickly and securely. The SRX Series also includes wizards for firewall, IPsec VPN, NAT, and initial set up to simplify configurations out of the box. Policy-based VPNs support more complex security architectures that require dynamic addressing and split tunneling. For content security, the branch SRX Series offers a complete suite of Unified Threat Management (UTM) services, consisting of:




Anti-spam



Select models (SRX550, SRX650, and high-memory versions of SRX210, SRX220, and SRX240) feature Content Security Accelerator for high-performance IPS and antivirus scanning. The branch SRX Series integrates with other Juniper Networks security products to deliver enterprise-wide unified access control (UAC) and adaptive threat management. These capabilities give security professionals powerful tools in the fight against cybercrime and data loss.

The SRX Series for the branch brings high-performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of sites. The wide variety of options allows configuration of performance, functionality, and price scaled to support from a handful to thousands of users. Ethernet, serial, T1/E1, DS3/E3, xDSL, Wi-Fi, and 3G/4G LTE wireless are all available options for WAN or Internet connectivity to securely link your sites, and multiple form factors allow you to make cost-effective choices for mission-critical deployments. In addition, managing the network is easy using the proven Junos CLI, scripting capabilities, a simple-to-use Web-based GUI, Juniper Networks Network and Security Manager (NSM), for large-scale deployments, or Juniper Networks Junos Space Security Design for centralized management.

Models

Shown in Figure 16, Juniper Networks SRX Series for the branch includes the following models:




SRX100 – Juniper Networks SRX100 can support up to 700 Mbps firewall, 65 Mbps IPsec VPN, and 75 Mbps IPS. Additional security features include UTM, which consists of IPS, anti-spam, antivirus, and Web filtering. The SRX100 is ideally suited for securing small distributed enterprise locations.




SRX240 – Juniper Networks SRX240 can support up to 1.8 Gbps firewall, 300 Mbps IPsec VPN, and 230 Mbps IPS. The SRX240 also supports UTM, and is ideally suited for securing branch distributed enterprise locations.

SRX550 – Juniper Networks SRX550 can support up to 5.5 Gbps firewall, 1.0 Gbps IPsec VPN, and 800 Mbps IPS. Additional security features include UTM, which consists of IPS, anti-spam, antivirus, and Web filtering. The SRX550 is ideally suited for securing small distributed enterprise locations.

SRX650 – Juniper Networks SRX650 can support up to 7.0 Gbps firewall, 1.5 Gbps IPsec VPN, and 1.0 Gbps IPS. The SRX650 also supports UTM, and is ideally suited for securing regional distributed enterprise locations.

Figure 16. Juniper Networks SRX Series Services Gateways for the Branch Models.

SRX Series Literature

For all SRX Series literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/security/srx-series/#literature

http://www.juniper.net/us/en/products-services/security/srx-series/#literature




SRX Series for the Data Center




Built on Junos software—which combines the routing heritage of Juniper Networks with the security heritage of ScreenOS—the SRX Series offers the high feature/service integration necessary to secure modern network infrastructures and applications. The SRX Series is equipped with a robust list of features that includes firewall, intrusion detection and prevention (IDP), DoS, NAT, and QoS.


Models










SRX Series Literature

For all SRX Series literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/security/srx-series/#literature

vGW Series

Juniper Networks vGW Virtual Gateway is a comprehensive virtualization security solution that includes a high-performance hypervisor-based stateful firewall, integrate intrusion detection system (IDS), virtualization-specific antivirus protection, and unrivaled scalability for managing multi-tenant cloud security (architecture shown in Figure 17). The vGW brings forward powerful new features that offer layers of defense and automated security and compliance enforcement within virtual networks and clouds. By leveraging virtual machine introspection (VM Introspection) data and intelligence, and coupling it with Juniper Networks wide-ranging knowledge of the virtual network environment, vGW creates an extensive database of parameters by which security policies and compliance rules can be defined and enforced.

Figure 17. Juniper Networks vGW Architecture.


Security and compliance concerns are top of mind in virtualization and cloud deployments. Juniper Networks experience and innovative research in virtualization security has resulted in a powerful software suite capable of

http://www.juniper.net/us/en/products-services/security/srx-series/#literature




monitoring and protecting virtualized environments without negatively impacting performance. A hypervisor-based, VMsafe-certified virtualization security approach, in combination with “X-ray” level knowledge of each virtual machine through VM Introspection, gives the vGW a unique vantage point in the virtualized fabric. Here, virtualization security can be applied efficiently and with context about the virtual environment and its state at any given moment.


Visibility – Provides full view to all applications flowing between VMs, as well as complete VM and VM group inventory, including virtual network settings. Deep knowledge of VM state, including installed applications, operating systems, and patch level, is also available through VM Introspection.

Protection – A VMsafe-certified stateful firewall provides access control over all traffic via policies that define which ports, protocols, destination VMs, etc. should be blocked. An integrated intrusion detection engine inspects packets for the presence of malware or malicious traffic and sends alerts as needed. Finally, virtualization-specific antivirus protections deliver highly-efficient on-demand and on-access scanning of VM disks and files with the ability to quarantine infected entities.

Compliance – Allows for enforcement of corporate and regulatory policies for the presence of required or banned applications via VM Introspection. Some practical applications of compliance enforcement, such as assurance of segregation of duties, ensure that VMs are assigned to the right trust zones inside the virtual environment. In addition, pre-built compliance assessment is based on common industry best practices and leading regulatory standards. vGW can also enforce compliance to a VM “gold” image with quarantine and alerting for non-compliance, thereby ensuring that deviations from the desired VM configuration for not create a security risk.

vGW Series Literature

For all vGW Series literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/software/security/vgw-series/#literature

STRM Series

Juniper Networks STRM Series Security Threat Response Managers provide situational awareness and compliance support to organizations that need to tighten security and improve policy monitoring with a modest investment in time and resources. STRM provides an all-in-one security solution that combines, analyzes, and manages an incomparable set of surveillance data—network behavior, security events, vulnerability profiles, and threat information—all from a single, secure console.





http://www.juniper.net/us/en/products-services/software/security/vgw-series/#literature







Models

Juniper Networks STRM Series consists of the following components.

STRM Virtual Appliance (STRMV) – Juniper Networks STRMV is a virtualized platform providing STRM functionality. This platform is available as an all-in-one installation for managed services, small enterprise installations, and as a distributed setup where dedicated virtual event and flow processors can conduct distributed log and flow collection. STRMV is available both as a log management (STRM LogManager Virtual Appliance) and a threat management (STRM ThreatManager Virtual Appliance) solution.

STRM500 – Juniper Networks STRM500 is ideal for deployments in small, medium, and large enterprises or departments that do not foresee the need to upgrade to higher events-per-second or flows-per-minute capacities. STRM500 can also be deployed as a dedicated QFlow collector for collection of network flows to provide Layer 7 analysis.

STRM2500 – Juniper Networks STRM2500 is an enterprise-class appliance that provides a scalable network security management solution for medium-sized companies up to large, globally-deployed organizations. STRM2500 is the ideal solution for growing companies that will need additional flow and event monitoring capacity in the future. It is also the base platform for large companies that may be geographically dispersed and looking for an enterprise-class scalable solution. STRM2500 includes on-board event collection, correlation, and extensive reporting capabilities, and is expandable with additional STRM2500 appliances acting as event and flow collectors or a combination of both on a single appliance.

STRM5000 – Juniper Networks STRM5000 is an enterprise and carrier-class appliance which provides a scalable network security management solution for medium-sized companies up to large, globally-deployed organizations. STRM5000 is the ideal solution for growing companies that anticipate the need for additional flow and event monitoring capacity in the future. It is also the base platform for large companies that are geographically dispersed and looking for a distributed enterprise/carrier-class scalable solution. STRM5000 utilizes on-board event/flow collection and correlation capabilities, and is expandable with additional STRM5000 appliances acting as event and flow collectors.

STRM Series Literature

For all STRM Series literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/security/strm-series/#literature

Junos Pulse

Juniper Networks Junos Pulse is an endpoint software platform that enables dynamic SSL VPN connectivity, network access control (NAC), mobile security, online meetings and collaboration, and application acceleration

http://www.juniper.net/us/en/products-services/security/strm-series/#literature




through a simple, yet elegant user interface. By removing the complexity from network connectivity and access control collaboration, as well as application acceleration, Junos Pulse provides dynamic connectivity and security, and delivers optimal connectivity to end users depending on their device type, security state, location, identity, and adherence to corporate access control policies. It is identity- and location-aware, and seamlessly migrates from one access method to another based on device location.











Junos Pulse Mobile Security Suite protects smartphones from viruses, malware, loss or theft, physical compromise, and other threats, and supports major mobile operating systems. It also provides robust remote device management tools. Junos Pulse Mobile Security Suite can remotely backup and restore data stored on smartphones, and it can monitor and control device use. It is simple to deploy, and enables enterprises to give personal smartphones secure access to corporate network and information resources.




Junos Pulse Application Acceleration Service enables dynamically provisioned, pervasive, location-agnostic application acceleration. When used in conjunction with the Junos Pulse Secure Access Service, Junos Pulse Application Acceleration Service delivers accelerated application access for mobile and remote users. The Junos




Pulse Application Acceleration Service also provides an easy, affordable solution for small offices where a dedicated application acceleration appliance may not be economically feasible.


Junos Pulse Access Control Service enables safe, protected cloud, network, and application access for a diverse user audience over a variety of devices, including mobile devices. Junos Pulse Access Control Service, working in concert with MAG Series Junos Pulse Gateways or IC Series Unified Access Control Appliances, delivers granular, secure access control for LANs, private or public clouds, as well as their applications and data based on user identity and role, device type and integrity, and location.

Junos Pulse Literature

For all Junos Pulse literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/software/junos-platform/junos-pulse/#literature

EX Series

Juniper Networks EX Series Ethernet Switches deliver a strategic, innovative solution that allows enterprises to spend less on their network infrastructures, and more on revenue-generating and productivity-enhancing technologies that help them gain a competitive edge. Today’s high-performance businesses demand a high-performance network infrastructure that provides fast, secure, and reliable delivery of the applications that drive business processes. Switches deployed in regional offices, campuses, and data centers enable these business processes by connecting users to applications—delivering everything from traditional file services to telephony, messaging, presence, video conferencing, and Web services.

Most contemporary switches fall short of delivering the performance, scalability, and wire speed port densities that today’s converged networks demand. Juniper Networks high-performance, carrier-class EX Series offers an innovative alternative to the cost and complexity of maintaining legacy switched networks.

Designed specifically for high-performance businesses, the EX Series provides the carrier-class reliability, security, risk management, virtualization, application control, and lower total TCO that are essential for today’s converged network deployments—while allowing businesses to scale in an economically sensible way for years to come. Companies can grow their networks at their own pace, minimizing large up-front investments.

In addition, Juniper Networks EX Series features:

High availability to ensure uninterrupted, uncompromised delivery of business processes in the event of failures and outages.

Unified data, voice, messaging, presence, and video communications on a single IP infrastructure.

Integrated security functions to defend against malicious, sophisticated attacks and optimize application response times.

Operational excellence for consistency and simplicity across the infrastructure to reduce total cost of ownership. EX Series switches are easy to deploy and manage, allowing Juniper Networks customers to design more energy-efficient networks, with the flexibility to innovate with confidence.

http://www.juniper.net/us/en/products-services/software/junos-platform/junos-pulse/#literature




Powered by Junos software—Juniper Networks field-tested and customer-proven operating system used by our high-performance routers—the EX Series provides the ability to roll out new features and applications that enhance business operations without threatening network performance.

Juniper Networks offers fixed-configuration, virtual chassis, and terabit Ethernet models:

EX2200 Series Fixed-Configuration Platforms

Juniper Networks EX2200 Ethernet Switch is a fixed-configuration platform that offers an economical, entry-level, standalone solution for access layer deployments in branch and remote offices, as well as campus networks. Featuring complete Layer 2 and basic Layer 3 switching capabilities, the EX2200 satisfies the branch and low-density wiring closet connectivity requirements of today’s high-performance businesses. The 24-port and 48-port configuration options offer simple plug-and-play 10/100/1000BASE-T connectivity meet today’s converged networking needs. With optional Power over Ethernet (PoE) ports, the EX2200 can support IP-enabled devices such as telephones, security cameras, WLAN access points in converged network environments.

Juniper Networks EX2200-C Ethernet Switch is a highly compact, silent, and power-efficient platform ideally suited for low-density micro branch deployments and commercial access or enterprise workgroup environments outside the wiring closet. Featuring 12 10/100/1000BASE-T access ports with optional PoE+ in a fanless design, the EX2200-C switches deliver a powerful solution designed specifically for office, classroom, hospitality, and other space- and wiring-constrained environments. Two front panel dual-purpose (10/100/1000BASE-T or 100/1000BASE-X) uplinks provide operational flexibility.

EX3200 Series Fixed-Configuration Platforms

Juniper Networks EX3200 Ethernet Switch is a fixed-configuration switch offering a simple, cost-effective, standalone solution for low-density regional and corporate office deployments. Installed in wiring closets to provide network access, the 24- and 48-port EX3200 offers simple plug-and-play 10/100/1000BASE-T connectivity to meet today’s converged network requirements. Full and partial Power over Ethernet (PoE) options are available for supporting IP-enabled devices such as telephones, security cameras, and wireless LAN (WLAN) access points in converged network environments. Optional four-port 1GE and two-port 10GE uplink modules with pluggable optics are also available for supporting high-speed connections to other switches or upstream devices such as routers. A field-replaceable power supply and fan tray lowers mean time to repair.

EX3300 Series with Virtual Chassis Technology

Juniper Networks EX3300 Ethernet Switches support Virtual Chassis technology to deliver a flexible, cost-effective enterprise access solution for demanding environments that support converged data, voice, and video. Virtual Chassis technology enables up to six interconnected EX3300 switches to operate as a single, logical device, providing enterprises with a level of flexibility and management simplicity normally associated with higher-end access switches. Offering 24- and 48-port 10/100/1000BASE-T configurations and four dual mode 1GE SFP/10GE SFP+ uplink ports, the EX3300 provides support for PoE, which enables the switch to support networked devices such as telephones, video cameras, and WLAN access points.


Juniper Networks EX4200 Ethernet Switches with Virtual Chassis technology combine the reliability, scalability, and ease-of-management of modular systems with the economics and flexibility of stackable platforms—delivering a high-performance, scalable solution for data center, corporate, and regional office environments. Like the EX3200, the EX4200 offers 24- and 48-port 10/100/1000BASE-T configurations with full and partial PoE and optional 1GE and 10GE uplink modules, plus a 24-port fiber switch offering 100/1000BASE-X support. Using Virtual Chassis technology, up to 10 EX4200 switches can be interconnected over a 128 Gbps backplane, creating a single virtual switch supporting up to 480 10/100/1000BASE-T ports and up to 40 1GE or 20 10GE




uplink ports. All EX4200 switches include high availability features such as redundant, hot-swappable internal power supplies and field-replaceable, multi-blower fan trays to help deliver maximum uptime.

EX4300 with Virtual Chassis Technology

Juniper Networks EX4300 Ethernet Switch with Virtual Chassis technology combines the carrier-class reliability of modular systems with the economics and flexibility of stackable platforms, delivering a high-performance, scalable solution for data center, campus, and branch office environments. A single 24-port or 48-port switch can be deployed initially; as requirements grow, Juniper Networks Virtual Chassis technology allows up to 10 EX4300 switches to be interconnected and managed as a single device, delivering a scalable, pay-as-you-grow solution for expanding network environments. The EX4300 switches can be interconnected over multiple 40GE quad small form-factor pluggable plus (QSFP+) transceiver ports to form a 320 Gbps backplane. Flexible 1GE and 10GE uplink options are also available, enabling high-speed connectivity to aggregation- or core-layer switches which connect multiple floors or buildings. All EX4300 switches include high availability features such as redundant, hot-swappable internal power supplies and field-replaceable fans to ensure maximum uptime. In addition, Power over Ethernet (PoE)-enabled EX4300 switch models offer standards- based 802.3at PoE+ for delivering up to 30 watts on all ports for supporting high-density IP telephony and 802.11n wireless access point deployments.


Juniper Networks EX4500 Ethernet Switch with Virtual Chassis technology delivers a scalable, compact, high-performance platform for supporting high-density 10 Gbps data center top-of-rack as well as data center, campus, and service provider aggregation deployments. Featuring up to 48 wire-speed 10GE ports in a 2 RU platform, the EX4500 delivers full Layer 2 and Layer 3 connectivity to networked devices such as servers and other switches. 40 fixed ports are complemented by two optional high-speed uplink modules available for configuration flexibility, offering four additional 10GE small form-factor pluggable transceiver (SFP+) ports for connecting to upstream devices. Using Virtual Chassis technology, up to 10 EX4500 switches can be interconnected over a 128 Gbps backplane, allowing switches to operate as a single, logical device supporting up to 480 10GE ports with a single IP address—dramatically reducing complexity and introducing a new level of flexibility for data center top-rack or end-of-row server aggregation deployments.

Juniper Networks EX4550 Ethernet Switch with Virtual Chassis technology delivers a scalable, high-performance platform for supporting high-density 10 Gbps data center top-of-rack deployments, as well as data center, campus, and service provider aggregation environments. Featuring up to 48 wire-speed 1GE or 10GE small form-factor pluggable transceivers (SFP/SFP+), or 100M/1GBASE-T/10GBASE-T ports in a compact 1 RU form factor, the EX4550 provides support for 480 Gbps of Layer 2 and Layer 3 connectivity to networked devices, such as servers and other switches. Two versions of the EX4550 are available—a 32-port fiber-based version and a 32-port copper-based version—which feature two expansion slots that can accommodate one of four optional expansion modules, providing tremendous configuration and deployment flexibility for campus and data center access as well as aggregation networks. Up to 10 EX4550 switches can be interconnected in a Virtual Chassis configuration using dedicated 128 Gbps interconnect ports on the Virtual Chassis expansion module, or via link aggregation groups (LAGs) across 10GE/40GE ports, providing aggregate backplane capacity of up to 320 Gbps.

EX6200 Series

Juniper Networks EX6210 Ethernet Switch delivers a scalable, resilient, high-performance chassis-based wiring closet solution, providing extremely high port densities in a space-optimized form factor. With a choice of data only or Power over Ethernet (PoE) and PoE+ port options, the EX6210 delivers high availability and investment protection for enterprise campus environments, as well as data center access deployments using end-of-row designs. The 10-slot EX6210 chassis is designed to support a variety of highly flexible network configurations. Two of the slots hold Switch Fabric Routing Engine (SRE) modules, while the remaining eight slots are dedicated for I/O line cards. Each SRE module includes four 10GE uplinks, while the line cards feature full PoE+ support to




deliver complete investment protection. Two EX6200 48-port 10/1000/1000BASE-T line cards are available—with and without PoE/PoE+ support for powering networked devices such as telephones, video cameras, multiple radio IEEE 802.11n WLAN access points, and video phones in converged network environments.

EX8200 Series Terabit Ethernet Switches

Juniper Networks modular EX8200 terabit Ethernet switches deliver a high-performance, highly scalable solution for high-density 10GE enterprise core and aggregation deployments. Two EX8200 switches―an eight-slot 1.6 terabit model and a 16-slot 3.2 terabit model―feature enterprise-class table sizes and deep, hardware-based packet buffers. In addition, the EX8200 offers some of the industry’s highest wire-speed 10GE port densities for its switch class:

64 ports in the eight-slot chassis

128 ports in the 16-slot chassis

Two fully-equipped 16-slot EX8200 switches can fit in a single 42-unit rack, delivering an unprecedented 256 wire-speed 10GE ports per rack.

EX9200 Series Switches

Juniper Networks EX9200 Series next-generation carrier-class campus and data center core Ethernet switching platforms are designed for performance and scale―delivering greater port densities, space efficiency, and an on-ramp to 40GE and 100GE for enterprise customers.

Three EX9200 chassis options are available, providing full deployment flexibility:

EX9204 – 4-slot, 6 RU chassis that supports up to three line cards

EX9208 – 8-slot, 8 RU chassis that supports up to six line cards

EX9214 – 14-slot, 16 RU chassis that supports up to 12 line cards

EX Series Literature

For all EX Series literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/switching/ex-series/#literature

QFabric



http://www.juniper.net/us/en/products-services/switching/ex-series/#literature







System Components

The QFabric System consists of three separate but interdependent edge, interconnect, and control devices—the QFabric Node, QFabric Interconnect, and QFabric Director. As shown in Figure 18, these components represent the internal elements of a traditional switch.

QFabric Node – In a QFabric system, the line cards that typically reside within a modular chassis switch become high-density, fixed-configuration, 1 RU edge devices that provide access into and out of the fabric. The Nodes, which can also operate as independent top-of-rack 10GE switches, provide compute, storage, services, and network access for the QFabric System. The Nodes, which can also operate as independent top-of-rack 10GE switches, provide compute, storage, services, and network access for the QFabric System. There are two types of QFabric Nodes available, both of which can be used in a single system:

o QFX3500 – Offers a variety of connectivity options ranging from 1GE to 10GE, Fibre Channel (FC), and FC over Ethernet (FCoE)

o QFX3600 – Offers 10GE and 40GE connectivity options

QFabric Interconnect – The QFabric Interconnect represents the typical backplane of a modular switch, connecting all QFabric Node edge devices in a flat, any-to-any topology. This topology provides the data plane connectivity between all Nodes, with the Interconnect acting as the high-performance backplane. Two QFabric Interconnect options are available:

o QFX3600-I – Used by the QFX3000-M system, it supports up to 16 connected QFabric Nodes to create a single fabric capable of supporting 768 10GE ports

o QFX3008-I – Used by the QFX3000-G system, it connects up to 128 QFabric Nodes to create a single fabric capable of supporting 6,144 10GE ports

QFabric Director – The Routing Engines embedded within a modular switch are externalized in the QFabric system via the QFX3100 QFabric Director, which provides control and management services for the fabric. Deployed in clusters to provide redundancy, QFabric Directors provide a single management interface to manage the scalable data plane provided by the Node and Interconnect devices.

The QFabric Node and QFabric Interconnect devices together create the distributed data plane for the QFabric System over which all data traffic to and from servers and storage is carried. Existing QFabric system components can be redeployed between a QFX3000-M and a QFX3000-G, greatly simplifying flexibility and migration. Users can initially deploy a QFX3000-M and, as their 10GE demands grow, migrate to a QFX3000-G with the simple replacement of the QFabric Interconnect, dramatically increasing scale.

One of the greatest advantages of QFabric technology is its manageability. Unlike traditional deployments with multiple touch points for provisioning and troubleshooting, a QFabric System presents a single management interface for provisioning, managing, and troubleshooting the data center. Up to 128 top-of-rack switches in a




QFX3000-G system and up to 16 top-of-rack switches in a QFX3000-M system work together to connect network, compute, and storage resources.

Figure 18. Juniper Networks QFabric System Components.

QFabric Literature

For all QFabric literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/switching/qfabric-system/#literature

JunosV

Traditional network service architectures are crowded with various bumps-in-the-wire and tethered network appliances. A new appliance is deployed for each additional service, adding to management and operational complexity and limited flexibility to meet customer demands. However, Juniper Networks JunosV App Engine goes beyond both the appliance deployment model and the typical server virtualization platforms by unifying application management, optimizing the network for application provisioning and performance, and redefining the network architecture by providing a virtualization platform.

http://www.juniper.net/us/en/products-services/switching/qfabric-system/#literature




Figure 19. Juniper Networks JunosV App Engine.

JunosV App Engine’s virtualization platform extends Juniper Networks Junos OS with a new elastic virtual plane. This hosts both Juniper Networks and third-party network control and traffic service applications, providing a full range of network-embedded applications across all network domains for both enterprises and service providers. The network architecture is now redefined to a single Junos OS device with a virtual plane, where:

Multiple physical appliances collapse into a virtual machine cluster, reducing costs and simplifying device management and scaling of network applications

Multiple operating systems run their value-added network applications without any porting, allowing faster time-to-market

At the core of the JunosV App Engine is a virtualized environment that hosts multiple guest operating systems that run different applications. Instead of deploying an appliance for each application, JunosV App Engine enables deployment of a virtual machine for each application, while leveraging the deployment simplicity of a single device. It also offers a single pane of glass for management of all applications through an associated instance of Junos OS to dynamically add and adapt services.

Features and Benefits

Features and benefits of JunosV include the following:




Agility – Juniper Networks enables network operators to differentiate their solutions by allowing customized and intelligent network services to run on our devices. We further enable differentiation by providing different locations within the device for network-embedded applications such as control plane, services plane, and the virtual plane. The virtual plane for each device runs JunosV to virtually host many environments. For Junos OS, the Junos Software Development Kit (SDK) can be used to build applications for the device on both local control plane and service plane. For JunosV, the SDK offers remote routing and system language-agnostic middleware APIs, which allow developers to extend their applications in various operating systems on the virtual plane.

Flexibility – JunosV App Engine can be deployed on Juniper Networks VSE Series Virtual Services Engines or router-integrated line cards. This offers flexibility in the deployment models, and lets customers choose the deployment model that best suits their application needs. The VSE Series device model is suitable for situations where slots for line cards are limited. The router-integrated line card mode is desirable when the operator prefers a single chassis solution.

Simplicity – JunosV App Engine and its applications can be managed from Junos OS. This makes it simple for network operators to manage and control applications and the platform from a single central point. Also, JunosV releases are in step with the Junos OS single release train.

JunosV App Engine Literature

For all JunosV App Engine literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/software/junosv-app-engine/#literature

Wireless LAN Solution

WLA Solution

Juniper Networks WLA Series Wireless LAN Access Points provide complete client access, spectrum analysis, mesh, and bridging services for indoor and outdoor deployments of enterprise wireless LANs (WLANs). Featuring support for 802.11n as well as 802.11a/b/g, the WLA Series provides seamless mobility both indoors and outdoors, and it enables scalable deployment of wireless voice over IP (VoIP), video, and real-time location services.

The WLA Series comes with complete security and networking services, along with advanced performance and scalability features which enable the access points to offload controllers by inspecting and forwarding traffic locally and performing encryption and security enforcement at the access point. The WLA Series also provides band steering, client load balancing, dynamic authorization, QoS, bandwidth controls and dynamic call admission control (CAC)—all of which combine to ensure a more consistent user experience as traffic is more evenly distributed across controllers, access points, and radios. This also improves scalability, providing the same consistent user experience for thousands of mobile users and devices.

Simple to deploy and easily configured and remotely managed, the WLA Series access points automatically monitor the data integrity and radio frequency (RF) signal strength of wireless channels, and continually tune for optimal RF channel and transmit power upon installation. Continuous scanning of the RF spectrum also allows early detection, classification, avoidance and remediation of performance degrading interference sources.

WLA Series access points enforce stringent prioritization of delay sensitive traffic for voice and other critical applications, and provide granular QoS as well as bandwidth management capabilities on a per-application, per-

http://www.juniper.net/us/en/products-services/software/junosv-app-engine/%23literature




user or per-SSID basis. Wi-Fi Multimedia (WMM) or SpectraLink Voice Priority (SVP) can be configured to ensure optimal QoS for voice traffic. Access point policies allow per user, protocol, or CoS mapping.

WLA Series access points may also be deployed in branch locations away from a main campus in a controller-less plug and play deployment model. This reduces the cost and complexity of installing wireless access in remote sites. They can be managed via the WAN or through the Internet by controllers at headquarters, and will maintain local session persistence indefinitely, if the WAN link goes down. If the connection to the controller is lost, wireless services continue uninterrupted; connected clients maintain wireless connection to the AP, new clients can connect and authenticate locally, and the Wireless Intrusion Detection System (WIDS) continues. In addition, the new country code override feature in the remote AP profile allows the AP’s channel and transmit power to be set to meet the specific country’s regulatory requirement where it is located, independent of the location of the WLAN controller which is managing it.

Models

Juniper Networks WLA Series access points are offered in the following models:






WLA Series Literature

For all WLA Series literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/wireless/wla-series/#literature

WLC Series

Juniper Networks WLC Series WLAN Controllers enable seamless integration of reliable, scalable, secure WLANs with existing wired infrastructures in installations of any size—from small branch offices or retail outlets to the largest enterprise or university campus. Identity-based networking policies also enable users to have a common experience with consistent services across wide geographies.

Today’s businesses demand that network connectivity be available for users anytime, anywhere, regardless of the device they are using. The explosion of mobile devices is fueling an unprecedented need for enterprise-wide mobility. The WLC Series delivers the highest level of wireless LAN reliability, performance, security, and management for the most demanding mobile applications and users.

http://www.juniper.net/us/en/products-services/wireless/wla-series/#literature




Companies can now build networks based on Juniper Networks end-to-end routing, security, and wired and wireless switching infrastructure to enable seamless mobility, improve the user experience, and increase productivity at the lowest total cost of ownership.


The WLC Series supports the following features:

Layer 2 Ethernet switching

Stateful per-user and per-service firewalls

Wireless intrusion protection

802.1Q trunking

Per-VLAN Spanning Tree Plus (PVST+)

Complete wired to wireless QoS

Automated radio frequency (RF) management

WLC Series controllers ensure the highest wireless LAN availability in the industry. They can be configured as a Virtual Controller Cluster to provide many-to-many redundancy without the need for expensive hot-standby controllers. This enables nonstop wireless availability with hitless failover for all sessions, even voice calls, in the unlikely event of a controller failure.

With Juniper Networks RingMaster management software, controller configurations can be obtained locally or from a remote location with automatic “no touch” deployment, and remote configuration and management capabilities. Juniper Networks WLAN deployments can also be managed by Junos Space Network Director, which provides a single pane of glass view into both wired and wireless networks.

The WLC Series delivers all of the standard security and networking functionality expected of wireless LANs with the added benefits of intelligent switching, identity-based roaming, bridging and mesh services, and nonstop wireless availability.

Models

WLC Series Wireless LAN Controllers include the following models:

WLC2 – The WLC2 supports up to four access points and is designed especially for branch office, retail store, and small business deployments.

WLC8 – The WLC8 supports up to 12 access points and is suitable for branch office, small business, or small school deployments.

WLC100 – The WLC100 supports up to 32 access points and is ideally suited for small deployments, including branch office and distributed branch office deployments.

WLC800 – The WLC800 offers 8 Gbps of line-rate switching throughput and supports up to 128 three-stream 802.11n access points, making it ideal for mainstream 11n deployment at large sites.

WLC880 – The WLC880 supports up to 256 three-stream 802.11n access points, and is designed for mainstream 802.11n deployment at large sites, enabling the extension of secure WLAN services to branch offices.




WLC2800 – The WLC2800 offers 28 Gbps of switching throughput and supports up to 512 802.11n access points, making it ideal for mass deployment of wireless LAN access in large enterprises.

JunosV Wireless LAN Controller – The JunosV Wireless LAN Controller is a virtualized software-based controller that supports up to 256 access points, making it ideal for distributed campus environments.

WLC Series Literature

For all WLC Series literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/wireless/wlc-series/#literature

WLM Series

Juniper Networks WLM1200 Wireless LAN Management Appliance is a scalable, rack-mountable management platform for enterprise wireless LANs (WLANs). The WLM1200 comes preconfigured in one of the following ways—as a Mobility Services Appliance (WLM1200-UMSP), as a Location Appliance (WLM1200-LA), or as a RingMaster Appliance (WLM1200- RMTS).

Figure 20. Juniper Networks WLM1200 Wireless LAN Management Appliance.

Mobility Services Appliance

Juniper Networks Mobility Services Appliance (WLM1200-UMSP) provides a scalable, open platform which allows infrastructure management, security, and multiple mobility services software components to be unified within a common framework. The unification of mobility services provides the ability to share and correlate collective intelligence about the network, users, and sessions. The result is dramatically improved services and infrastructure management visibility, as well as control of network resources which provides a foundation for offering and enforcing service-level guarantees in future.

The current services in Juniper Networks Mobility Services suite include guest access, voice, video, context awareness, real-time location tracking, advanced security, and spectrum analysis. In addition, application programming interfaces (APIs) enable third-party partners to integrate a growing ecosystem of value-added services and applications.

Location Appliance

Juniper Networks Location Appliance (WLM1200-LA) provides fast and reliable real-time location services for tracking devices on WLANs. It enables enterprises to implement location-based security, improve asset utilization, and augment identity-based security policies. The Location Appliance also accurately defines physical boundaries, distinguishing between perimeters such as indoors and out, and it enables location awareness to existing applications via SOAP/XML APIs.

RingMaster Appliance

Juniper Networks RingMaster Appliance (WLM1200-RMTS), which comes configured with Juniper Networks RingMaster Software, provides full lifecycle enterprise wireless LAN management, including the planning,

http://www.juniper.net/us/en/products-services/wireless/wlc-series/#literature




configuring, deploying, monitoring, and optimizing of WLANs. In addition, the RingMaster Appliance has fully redundant dual RAID storage and supports up to 5,000 indoor and outdoor access points.

WLM Series Literature

For all WLM Series literature―including datasheet(s) with complete specifications―please refer to the following website: http://www.juniper.net/us/en/products-services/wireless/wlm-series/#literature

http://www.juniper.net/us/en/products-services/wireless/wlm-series/#literature


Appendix B. Junos Operating System

Juniper Networks highly reliable, high-performance Junos OS provides a common language across our routing, switching, and security devices. The power of one Junos OS reduces complexity in high-performance networks to increase availability and deploy services faster—decreasing network operation costs by up to 40%

What sets Junos OS apart from other network operating systems is the way it is built—one operating system delivered in one software release track and with one modular architecture.






Different by Design

Simplicity and innovation are what make Junos OS so unique. The key advantages of Junos OS derive primarily from how it is built—what Juniper Networks calls the power of one differences:

One operating system across all types and sizes of platforms reduces the time and effort to plan, deploy, and operate network and security infrastructures.

One release track meets changing needs in software with stable delivery of new functionality in a steady, time-tested cadence.

One modular software architecture provides highly available, secure and scalable software—open to automation and partner innovation.

Figure 21 illustrates the power of one common language—Junos OS—across Juniper Networks routing, switching, and security devices.

Appendix B. Junos Operating System (cont.)



Figure 21. Junos OS: The Power of One Common Language across Juniper Networks Routing, Switching, and Security Devices.

One Operating System



A single, cohesive operating system providing a consistent user experience makes planning easier, day-to-day operations more intuitive, and changes faster. Administrators can configure and manage functionality from the basic chassis to complex routing using the same tools across devices to monitor, manage, and update the entire network. In addition, Juniper Networks Junos Space provides one system to manage security, switching, and routing platforms.




One Software Release

Juniper Networks approach to software development produces a stable code base that not only reduces the number of unplanned system events, but also the time and trouble of planned maintenance and upgrades.

Juniper Networks builds Junos OS along a single “release train”—a disciplined plan for development with strict engineering principles that include rigid quality metrics and testing. Juniper Networks does not replicate or recreate code to form multiple software trains or many different sets of feature packages (as is the standard practice for other vendors). Rather, new releases build up on the prior, creating the single release train delivered in a series of numbered versions.

In over eleven years of development, Juniper Networks has delivered new releases of expanding functionality four times each year, year after year. Each new release supports each product family for its role and application in the network. Whenever you are ready to upgrade, you simply choose and qualify a higher release number than your current version.

Juniper Networks provides over three years of support for our extended end-of-life releases. Customers count on the reliability and predictable behavior of the single Junos OS release train and confidently upgrade when they want to enable new functionality in their network.

One Modular Software Architecture

The modularity of the Junos OS architecture is integral to the high reliability, performance, and scalability delivered by its software design.



High-Performance Network Foundation

Propelled by the power of one differences, Junos OS has rapidly evolved over the years in many dimensions to accommodate increasingly complex application and service needs. Juniper Networks platforms simultaneously scale integrated security and networking capabilities without compromising high performance and reliability. Junos OS helps customers to save time and lower costs by reducing operational challenges and improving operational productivity.

A commissioned study conducted by Forrester Consulting on behalf of Juniper Networks—The Total Economic Impact of Juniper Networks Junos OS Network Operating System—examines the total economic impact and potential return on investment (ROI) enterprises may realize by deploying Junos OS in an enterprise network environment (as shown in Figure 22). Among other top-line results, the independent study found that interviewed companies, through the use of Junos OS and Juniper Networks switches and routers, achieved a 40% reduction in operations costs for certain network operations tasks including planning and provision, deployment, and planned and unplanned network events.




Figure 22. The Total Economic Impact of Juniper Networks Operating Systems (Forrester Consulting).


Deploying Juniper Networks production-proven platforms run by Junos OS delivers three key advantages to your networking infrastructure:

Continuous systems – Improve network availability and the delivery of applications and services through high-performance software design, high availability features, prevention of human errors, and proactive operations measures

Automated operations – Increase productivity to lower operational expenses by reducing complexity with time saving configuration, automation of operations tasks, and centralized management

Open innovation – Enhances flexibility to deliver new services and applications, including secure interfaces and tools that open development to partners and customers for developing and deploying onboard applications on the Junos OS

Continuous Systems

The consequence of an outage in a modern multiservice network can be extraordinarily expensive in terms of lost customer connections and transactions, as well as damaged customer confidence and penalties. Many different types of events and errors can cause disruption to network availability. Network equipment downtime can come




from planned maintenance activities, unplanned hardware or software events, and—most often, according to many different studies—human error.

Addressing downtime, therefore, requires a multifaceted design approach that proactively considers all underlying factors. Devices running Junos OS have a well-deserved reputation for continuous performance and operational stability. The engineering foundations of continuous systems are rooted in the long-standing design and software development philosophies of Junos OS; this is not a feature or attribute that can be easily retrofitted. Junos OS functionality for high availability includes expected failover and other service mechanisms, along with a range of capabilities unique to Juniper Networks, such as:

Our disciplined processes for software development;

Error-resilient configuration;

Unified in-service software upgrade (ISSU);

Automation of technical support services.

Tools for automating operations are essential to maintaining high uptime. They not only reduce the severity and duration when unplanned network events do occur, but can also proactively prevent events from even happening.

Automated Operations

The operational benefits of Junos OS derive not only from the reliability, performance, and security of its design, but also from a dedicated focus on simplified, error-resilient tasks across all operations functions. The hindsight that comes from prior experience has helped Junos OS engineers find better ways to design operations steps, interfaces, and tools. Many of these improvements simplify operations and reduce human error through increased automation.

Configuration

The Junos OS CLI is easy to learn, with a feel that is similar to other command sets. Prominent improvements over other systems include:

Error-resilient configuration with changes posted to a candidate file;

Flexible editing with time-saving shortcuts;

Automated checks of configurations;

Version control and rollback flexibility to restore prior configurations;

Automated rollback in systems inadvertently isolated by configuration changes.

The most frustrating of human errors are ones that have happened before, because they are repeating known mistakes that operations teams could ideally prevent. Junos OS configuration automation directly addresses this challenge through the customization of the commit verifications that run before a configuration becomes active. A library of scripts can be developed and maintained by your most experienced engineers to ensure that configurations are compliant with your business, network, and security policies. Moreover, these advanced tools include a macro capability that can condense repeated complex configurations into only a few configuration lines and variables.

Open Innovation

Juniper Networks has extensively adopted and promoted open standards and interfaces for customers to manage and operate our networking and security platforms in multivendor networks. Junos OS provides multiple open interfaces such as RADIUS, NETCONF/XML, and DMI, for policy control, network management, and integration




to other operations systems. The time-tested interoperability and integration capabilities of Junos OS are evident in deployments in the largest service providers worldwide, and in tens-of-thousands of enterprise and government networks.

Junos OS also offers a software development platform that allows customers and partners to develop and deploy their own unique applications. The Junos Software Development Kit (SDK) provides the necessary tools, libraries, and interfaces to build secure applications that run on Junos OS. In over two years of availability, Junos SDK application development has grown with partners such as Advanced Broadband Networks, Harris Stratex, Lockheed Martin, NEC, NTT, Telchemy, and Triveni Digital developing a diverse mix of network applications.

Junos Platform

Juniper Networks Junos OS is a part of the Junos Platform, an open software platform enabling dynamic, network-aware applications that interact with the network from the client to the cloud. With the Junos Platform, Juniper Networks customers can:

Expand network software and interfaces to the application space;

Deploy software clients to control delivery;

Accelerate the pace of innovation with an ecosystem of developers.

The Junos Platform provides customers and third-party developers with unmatched flexibility to build applications by providing development interfaces at multiple layers of the network:

In the networking device;

Across the network application layer;

At the network client.

Unlike other platforms that merely enable third parties to integrate through APIs, the Junos Platform provides a true development environment including Software Development Kits (SDKs) to create applications. Juniper Networks Junos Platform includes the following components.

Junos OS with Junos SDK

Junos OS includes a Software Development Kit (SDK) for the development of onboard applications that deliver new control and packet processing functionality. The intelligent and secure interfaces of the Junos SDK give developers powerful options to build applications leveraging the underlying control and packet processing functionality of the operating system.

Junos Space

Junos Space is a programmable and extensible multipurpose Web 2.0 network application platform that enables the rapid development and deployment of applications to reduce cost and complexity, and to open the network to new business opportunities. Junos Space includes a core set of applications for network infrastructure automation with new management modules offered in each new release.

Junos Pulse

Juniper Networks Junos Pulse is a standards-based, dynamic, integrated multiservice network client for desktops, notebooks, netbooks, smartphones, and other mobile and non-mobile devices. Junos Pulse interfaces with integrated, multi-service network gateways to deliver identity- and location-aware anytime/anywhere connectivity, security, acceleration, and collaboration with a simplified user experience—while also serving as a development and integration platform for select third-party applications.




Junosphere

Junosphere is a cloud-based environment that enables realistic network modeling using virtual Junos routers. Junosphere services enable customers to learn, model, and test Junos features from any PC with an Internet connection.


Appendix C. Customer Services and Support

Your business depends on your network, which is why you can count on Juniper Networks Technical Support services. No matter what challenges your business environment presents, Juniper Networks post-sales engineers are at your service with in-depth knowledge and practical experience on networks like yours.

Service Programs

Juniper Networks services programs include Juniper Care and Juniper Care Plus.

Juniper Care

Juniper Care combines traditional 24x7 support, E-Support, E-Learning, and service automation, and provides rapid response from Juniper Networks technical service engineers and hardware replacement options that let you choose the right timing and resources for your network needs. More than a simple break-fix service, Juniper Care helps you meet network demands with technical and operational support designed to keep your network running reliably―while at the same time protecting your high-performance networking investment.

Juniper Care increases your operational effectiveness and lowers operational costs by utilizing Juniper Networks Junos Space Service Now to reduce the time for problem identification and diagnostics―allowing your staff to concentrate on running the business, not fixing equipment. Juniper Care enables you to:

Scale your operational team to new heights, and leverage multilayered security features through Service Now management capabilities;

Increase your operational effectiveness and lower operational expenses by using Service Now to reduce the time needed for problem identification, troubleshooting, and communication with Juniper Networks technical support;

Dramatically simplify operational processes through self diagnosis and automated incident reporting to significantly reduce mean time to resolution (MTTR), allowing staff to concentrate on higher priority tasks that drive the business;

Increase operational efficiency by automating detailed inventory management;

Improve operational stability with early identification of incidents that are reported in real time―allowing for preemptive diagnosis and repair, and increasing the availability of your network.

Complementary options include:

Resident Engineer – The Resident Engineer provides troubleshooting and operational assistance and expertise for a constantly growing list of technologies and products.

Resident Consultant – The Resident Consultant provides highly customized network architecture and design assistance and expertise for a constantly growing list of technologies and products.

Juniper Care Support Option Entitlements

Table 3 lists entitlements for each of the Juniper Care support options.

Appendix C. Customer Services and Support (cont.)



Table 3. Juniper Care Support Option Entitlements

PRIMARY LEVEL OF SUPPORT:

Juniper Care Core

Juniper Care

Core Plus

Juniper Care Next-

Day Ship

Juniper Care Next-Day

Delivery

Juniper Care Next-Day

Onsite

Juniper Care

Same-Day

Delivery

Juniper Care

Same-Day

Onsite

Unlimited JTAC 24X7 X X X X X X X

Software releases X X X X X X X

CSC online E-Support

X X X X X X X

Junos Space Service Now/ Service Insight

X X X X X X X

E-Learning X X X X X X X

Return-to-factory X

Next-business-day advanced replacement parts shipment

X

Next-business-day advanced replacement parts delivery

X X

Same-day advanced replacement parts delivery

X X

Onsite technician X X

Juniper Care Plus

Juniper Care Plus is an advanced service providing a level of personalization above and beyond what is available in Juniper Care. Juniper Care Plus keeps your network at optimum readiness through high-touch support (Service Manager), direct access to senior engineers, proactive automation tools to help automate and simplify the network (Junos Space Service Insight), and personalized services such as training, network consulting, and account management—all mitigating risk for organizations, providing application reliability, reducing the learning curve, and accelerating time to value.

The pre-requisite service product is Juniper Care. Having a Juniper Care contract in place assures that you can take full advantage of all the Juniper Care Plus features, capabilities, and benefits.




Complementary options include:

Resident Engineer – The Resident Engineer provides troubleshooting and operational assistance and expertise for a constantly growing list of technologies and products.

Resident Consultant – The Resident Consultant provides highly customized network architecture and design assistance and expertise for a constantly growing list of technologies and products.

Focused Technical Support – The Focused Technical Support engineering team has a deep understanding of your network architecture, design, layout, and even the applications that your network runs on.

Juniper Networks Technical Assistance Center (JTAC)

With JTAC support, you have unlimited access to JTAC engineers by phone and online 24x7x365. As the single point of contact for all your support needs, our JTAC engineers have extensive experience in supporting large-scale networks and they will help you diagnose system problems, provide solutions and workarounds where necessary. To ensure that we respond as quickly as possible, automatic escalation alerts to senior management are triggered on all priority issues.

Customer Support Center

The Web-based CSC provides instant, secure access to critical information including our Knowledge Base, frequently asked questions, field alerts, proactive technical bulletins, problem reports, technical notes, release notes, and product documentation. Through the CSC, customers can also create, view, and edit technical support cases with Juniper Networks.net Case Manager and download major, minor, and maintenance software releases.

Management Escalation Path




Owner Priority 1, Critical

Priority 2, High

Priority 3, Medium

Priority 4, Low

Manager, Technical Support Immediate 12 hours 15 days

Director, Customer Service 1 hour 24 hours

Vice President, Customer Service 4 hours 96 hours

Vice President, Engineering and Sales 4 hours

Executive Vice President, Operations and Field Operations

24 hours





Case Definitions for Priority

Juniper Networks offers priority setting of problems to customers with current service agreements. This ensures that the appropriate resources within Juniper Networks are utilized to resolve outstanding technical problems as efficiently as possible.

Priority Management

Juniper Networks Technical Assistance Center (JTAC) works with customers to assign mutually agreeable priority levels to problems that will be reflected in the support case opened on their behalf.

Priority 1: Critical

Catastrophic impact to business operations. Examples of Priority 1 issues include:

Network or system is down causing customers to experience a total loss of service

Continuous or frequent instabilities affecting traffic-handling capability on a significant portion of the network

Loss of connectivity or isolation to a significant portion of the network

Creation of a hazard or an emergency

Priority 2: High

Significant impact to business operations. Examples of Priority 2 issues include:

Network or system event causing intermittent impact to end customers

Loss of redundancy

Loss of routine administrative or diagnostic capability

Inability to deploy a key feature or function

Partial loss of service due to a failed hardware component

Priority 3: Medium

Limited impact to business operations. Examples of Priority 3 issues include:

Network event causing only limited impact to end customers

Issues seen in a test or pre-production environment that would normally cause adverse impact to a production network

Time sensitive information requests

Successful workaround in place for a higher priority issue

Priority 4: Low

No impact to business operations. Examples of Priority 4 issues include:

Information requests

Standard questions on configuration or functionality of equipment




Resident Engineers

A dedicated Juniper Networks Resident Engineer is an effective way to support Juniper Networks products throughout their lifecycle, as well as being a smart investment. Here are a few of the reasons to consider using a Juniper Networks Resident Engineer for your mission-critical support:

Service quality and customer satisfaction – Resident Engineers understand both Juniper Networks technology and your own network and processes, for effective preventive maintenance and quick, efficient incident resolution.

Skills transfer – Resident Engineers assist your operations staff with hands-on technical issues, providing informal, on-the-job staff training as they deliver network support.

Return on investment – Resident Engineers help you minimize downtime and operational costs, avoid service-level agreement penalties, and introduce technology that supports new revenue-generating services.

Partnership – Resident Engineers provide a trusted channel of communication between your staff and Juniper Networks, and smooth escalation when necessary for effective incident resolution.

Your Juniper Networks Resident Engineer offers deep organizational and process knowledge from working side-by-side with your staff, as well as specialized Juniper Networks training and experience.

Juniper Networks Resident Engineers specialize in the following:

Design Resident Engineers – Juniper Networks Design Resident Engineers are available for annual, onsite engagements, providing highly customized network architecture and design assistance to your organization. Typical activities for a Design Resident Engineer include:

o Troubleshoot the network's design and architecture issues

o Analyze network and device configurations

o Act as customer technical liaison for Juniper Networks technical resources

o Test product features and functionality

o Manage and track open bug reports and critical issues

o Provide informal workshops

o Apply industry-recognized best practices to the design, planning, and implementation of the network

o Apply extensive industry experience to optimize network performance and proactively analyze potential enhancements

o Evaluate technical specifications for interoperability




Operations Resident Engineers – Juniper Networks Operations Resident Engineers reduce the number of time-consuming tasks normally performed by your staff―including upgrades and installations, delayed deployment of new network capabilities, and resource-intensive network adaptation. Operations Resident Engineers are available for annual, onsite engagements and provide highly customized operational assistance to your organization. They focus on all the technical aspects of your Juniper Networks products. Working daily with your staff, they become familiar with your business processes and requirements, your network's configurations and challenges, and your staff's strengths and limitations. Thus, your Resident Engineer can help you avoid many network issues before they arise―and is prepared to help resolve issues as quickly as possible if they do arise. The Resident Engineer also assists with deployment of Juniper Networks equipment, post-cutover activities, and day-to-day operations for larger networks. Typical activities for an Operations Resident Engineer include:

o Troubleshoot the network and supporting operations

o Analyze network configurations

o Act as customer technical liaison for Juniper Networks support and development teams

o Manage and track open trouble tickets, RMAs, and open bug reports

o Provide informal technical and product workshops

o Design, plan, and implement the network

o Optimize the network and proactively analyze potential enhancements

o Evaluate technical specifications for interoperability

Education Services

Network-based businesses compete on speed―using innovative services and fast competitive response to capture investment capital, customer loyalty, and profit. In high-speed business environments, a rapid and confident deployment of network infrastructure is the key to competitive advantage. Juniper Networks Education Services helps build your deployment team to accelerate network planning, configuration, and troubleshooting― providing you with:

Value from your people

Value from your network

Value for your future

Enterprises use Juniper Networks trained and certified staff to keep their networks highly available, protected, performing, and responsive to new business opportunities. Service providers count on advanced training in Junos OS Software platforms to unlock new network capabilities and services that keep them ahead of competitors. Public sector organizations help retain and develop staff with education and certifications.

Every organization can use Juniper Networks Education Services to:

Recruit and retain motivated, top-performing expert staff

Stay current with improvements in performance, security and economy

Reduce costs and delays in network deployment and maintenance

Accelerate returns on investments through rapid, optimized deployment of new network features and functions




Juniper Networks Education Services offers courses and certifications in enterprise and service provider routing tailored to the precise requirements of your business―at your facility, through Juniper Networks worldwide network of classrooms and labs, or conveniently over the Web. Every course helps build a solid foundation of expertise to motivate your team, improve operational effectiveness, and accelerate the value of your network investments.

Juniper Networks Education Services delivers the knowledge and expertise today’s networking professionals need to keep up with the latest applications of network technology. Delivered through a structured curriculum of courses―with certifications available in key proficiency areas―Juniper Networks offers course content and delivery options that match the requirements of any organization, and the career development goals of networking professionals from novice to expert.

Courses

Juniper Networks Education Services offers a curriculum of introductory and advanced courses on Juniper Networks networking and security products. Our courses help ensure that you have the knowledge and skills to deploy and maintain cost-effective, high-performance networks, as well as demonstrate your technical expertise―keeping you ahead of the technology curve. We have expert training staff with deep technical and industry knowledge, providing you with instructor-led, hands-on courses as well as convenient, self-paced eLearning courses. Courses can be taken on location or at one of our partner training centers.

Curriculum

Curriculum consists of courseware and certifications for both the enterprise and service provider environments.

To learn more about Juniper Networks curriculum, please refer to the following website: http://www.juniper.net/us/en/training/technical_education/

Fast Track Program

Juniper Networks Certification Fast Track program is specifically designed for experienced networking professionals who want to become certified in Juniper Networks Junos OS Software at a substantial savings. Fast Track allows you to quickly earn up to four Junos OS Enterprise technical certifications. It combines free courseware with online pre-assessment exams to give users a discount on certification exams.

To learn more about Juniper Networks Fast Track Program, please refer to the following website: http://www.juniper.net/us/en/training/fasttrack/

Training Credits

Juniper Networks Training Credits are an easy way to get the top-quality training you need to optimize your Juniper Networks network investment and enjoy the benefits of a satisfied and highly-educated technical staff.

Learn more about Juniper Networks Training Credits, please refer to the following website: http://www.juniper.net/us/en/training/trainingcredits/

Technical Certification Program

Juniper Networks Technical Certification Program (JNTCP) enables participants to demonstrate competence in configuring and troubleshooting Juniper Networks networking and security products.

Juniper Networks Technical Certification consists of platform-specific, multi-tiered tracks, which enable participants to demonstrate, through a combination of written proficiency exams and hands-on configuration and

http://www.juniper.net/us/en/training/technical_education/

http://www.juniper.net/us/en/training/fasttrack/

http://www.juniper.net/us/en/training/trainingcredits/




troubleshooting exams, competence with Juniper Networks technology. Successful candidates demonstrate thorough understanding of Internet and security technologies and Juniper Networks platform configuration and troubleshooting skills. Separate tracks let participants focus on the platform types most pertinent to their job functions and experience.

Professional and Expert level technicians receive direct access to JTAC engineers on priority 1 and 2 cases for any product covered by an active support contract. This privilege accelerates case resolution by combining onsite expertise with the capabilities and resources of senior JTAC engineers.

Organizations that hire and train Juniper Networks certified technicians position themselves for rapid incident response and thorough resolution to maintain the highest levels of availability and business value from their network infrastructures.

To learn more about Juniper Networks Certification Program, please refer to the following website: http://www.juniper.net/us/en/training/certification/

Authorized Education Centers

To expand our education services offerings, Juniper Networks Authorized Education Center (JNAEC) partners are trained and certified to teach our courses worldwide.

Juniper Networks Education Centers

Juniper Networks strategically selects global locations to provide customer and channel partner training that enables full deployment of our products.

To locate a Juniper Networks Education Center, please refer to the following website: http://www.juniper.net/training/technical_education/education_centers.html

Authorized Education Partner Training Centers

Our authorized training partners use only Juniper Networks authorized instructors, Juniper Networks-developed courseware, and must maintain the same strict quality standards that we require of our own instructors and training organizations.

To locate a Juniper Networks Authorized Education Partner Training Center, please refer to the following websites:

North America: http://www.juniper.net/training/technical_education/natc_locate_us.html

Latin American: http://www.juniper.net/training/technical_education/natc_locate_la.html

EMEA: http://www.juniper.net/training/technical_education/natc_locate_emea.html

Asia Pacific: http://www.juniper.net/training/technical_education/natc_locate_ap.html

http://www.juniper.net/us/en/training/certification/

http://www.juniper.net/training/technical_education/education_centers.html

http://www.juniper.net/training/technical_education/natc_locate_us.html

http://www.juniper.net/training/technical_education/natc_locate_la.html

http://www.juniper.net/training/technical_education/natc_locate_emea.html

http://www.juniper.net/training/technical_education/natc_locate_ap.html




Awards and Industry Recognition

Juniper Networks Customer Services and Support is proud of the positive industry recognition and many awards we have received, including the following:

Association of Support Professionals: Ten Best Global Web Support Sites of 2011, 2010, 2009, 2008, 2007, and 2006

(May 2011) For an industry-unprecedented six consecutive years, the Association of Support Professionals (ASP) has recognized Juniper Networks Customer Support Center (CSC) global website for outstanding performance and innovation in online service and support—validating our long-standing commitment to, and successful track record of, service and support excellence. No other networking company has won more than two consecutive ASP awards. Juniper Networks was inducted into the ASP Web Support Hall of Fame in 2009.


Appendix D. Juniper Networks Corporate Overview

Our Mission: Connect Everything. Empower Everyone.

In 1996, Pradeep Sindhu founded Juniper Networks with a new vision of what the network could become. Since our inception, Juniper Networks simple―yet incredibly powerful―solutions elegantly link software, silicon, and systems architectures to fulfill our mission: connect everything and empower everyone. This statement is the guiding principle behind everything we do.

Today, Juniper Networks [NYSE: JNPR] is headquartered in Sunnyvale, California, with:

More than 9,400 dedicated employees;

Offices in nearly 50 countries;

A 2012 net revenue of $4,365 billion;

A broad product portfolio designed to provide unmatched performance, greater choice, and true flexibility―while reducing overall total cost of ownership.

Juniper Networks has developed and productized some of the industry’s most groundbreaking, strategic innovations across every aspect of networking technology. These innovations manifest our dedication to developing new, pure play IP solutions based on a unique single architecture, a single operating system, and a single software release train―ensuring performance, reliability, and security at the scale that customers demand of their networks, without compromise.

Build the Best

No matter what your network demands—from engineering to services to sales—the people of Juniper Networks are focused on one thing: helping you build the best for your business.

Three years ago, we told the world The New Network is here. It was a bold and truthful statement that differentiated and defined Juniper Networks position in the market as an innovator. It remains our core brand value and how our mission becomes action.

Today, we have a new way to talk about the work we do at Juniper Networks—a powerful statement of our core commitment to helping our customers solve challenges other companies won’t touch. This statement is the truth and heart behind every innovation we create.

We are all here for one reason: to help our customers build the best. This is not a slogan or a tagline, and it is not about Juniper Networks building the best products (although we do). This is about helping our customers build the best networks, so you can compete and win in the marketplace.

Appendix D. Juniper Networks Corporate Overview (cont.)



Research and Development

Juniper Networks invests significant time and resources in creating a research and development process that successfully brings product concepts and development projects to market, allowing us to deliver a broad range of products and services to customers in target markets. In fact, Juniper Networks invests more in R&D as a percentage of revenue than industry peers―enabling us to introduce strategic architectures, platforms, and solutions that add significant value for our customers.

Customer Base and Deployments

Juniper Networks broad product portfolio and technologies run the world’s largest and most demanding networks today. Figure 23 illustrates some of our major customers.

Figure 23. The World’s Largest Service Providers and Most Successful Enterprises Choose Juniper Networks.




Financial Stability

From a financial standpoint, Juniper Networks continues to execute on our objective of delivering high-quality financial metrics including profitability, positive cash flow from operations, strong gross margins, and a strong balance sheet.

Table 5 highlights several of Juniper Networks financial accomplishments as of June 30, 2013.

Table 5. Juniper Networks Financial Highlights as of June 30, 2013

Highlight Details

Revenue Growth

$1.151 B in Q2 2013 (up 9% from Q1 2013; up 7% from Q2 2012)

$ 2.209 B for six months ending June 30, 2013

Net Income (Q2 2013) GAAP: $98M ($0.19 per share)

Non-GAAP: $148M ($0.29 per share)

Strong Cash Position $3.8 B

Positive Cash Flow from Operations $284 M in Q2 2013

$212 M Q2 2012

Geographical Diversification Americas: $675 M in Q2 2013

EMEA: $300 M in Q2 2013

APAC: $174 M in Q2 2013

Product Revenue PSD: $916 M in Q2 2013

SSD: $235 M in Q2 2013

Market Diversification Enterprise: 36%

Service Provider: 64%

Growing Employees 9,400 employees

Research and Development Spending $1,101 M in FY 2012 (24% of total revenue)

$1,026 M in FY 2011 (23% of total revenue)

No single customer accounted for more than 10% of Juniper Networks total net revenues for 2012.

Further details on Juniper Networks financials, including annual reports and documents filed with the SEC, can be found at the following website: http://www.juniper.net/company/investor/

http://www.juniper.net/company/investor/




Corporate Awards

Juniper Networks corporate awards include the following:

Carrier Ethernet World Congress: 2012 Best Carrier Ethernet Mobile Backhaul Product

(September 2012) At the Carrier Ethernet World Congress, Juniper Networks received the “2012 Best Carrier Ethernet Mobile Backhaul Product” for our ACX Series Universal Access Routers.

Interop Tokyo: 2012 Best of Show Grand Prix

(June 2012) At Interop Tokyo, Juniper Networks received the “2012 Best of Show Grand Prix” in the Data Center and Storage category for our QFabric System. This award was presented by a panel of IT industry experts who carried out a rigorous examination of products and solutions exhibited by more than 350 companies. Juniper Networks has received awards every year at Interop Tokyo since 2007.

Ethisphere Institute: 2013 World’s Most Ethical Companies List

(March 2013) For the third consecutive year, Juniper Networks has been recognized as one of the World’s Most Ethical Companies by Ethisphere Institute, a leading international think-tank. Juniper Networks was selected out of a record number of nominations and applications as an organization that outperforms industry peers when it comes to promoting ethical business standards.

For a complete list of Juniper Networks corporate and product awards, please refer to the following website: http://www.juniper.net/us/en/company/awards/

http://www.juniper.net/us/en/company/awards/

JUNIPER NETWORKS, INC. CONFIDENTIALITY AND PROPRIETARY INFORMATION

CONFIDENTIALITY NOTICE This material contains information that is confidential and proprietary to Juniper Networks, Inc. Except as Juniper Networks otherwise agrees to in writing, recipient may not disclose or distribute any portion of this material to any third party, and recipient may use this material solely for informational purposes.

TRADEMARKS Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JunosE is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Information in this document is subject to change without notice. Juniper Networks assumes no responsibility for any errors that may appear in this document.

STATEMENT OF PRODUCT DIRECTION Juniper Networks may disclose information related to our development and plans for future products, features, or enhancements (“SOPD”). SOPD information is subject to change at any time, without notice. Except as may be set forth in definitive agreements for a potential transaction, Juniper Networks provides no assurances, and assumes no responsibility, that future products, features, or enhancements will be introduced. Except as may be set forth in definitive agreements for a potential transaction, Company acknowledges that: a) purchasing decisions are not being made based upon reliance of timeframes or specifics outlined in the SOPD, and b) purchasing decisions would not be affected if Juniper Networks delays or never introduces the future products, features, or enhancements.

MTBF DATA Juniper Networks furnishes MTBF data “as is” and disclaims all warranties and representations, express or implied, with respect to it. MTBF figures are generated for internal Juniper Networks reference only and are not based on actual field experience. They are calculated values based on information furnished by our component suppliers. Such supplier data has not been verified. They should not be relied upon by any customer/reseller/user as a measure of reliability of any Juniper Networks product, or as a commitment or assurance that such a level of reliability will be achieved. Copyright (©) 2013 Juniper Networks. All Rights Reserved.


Follow us!

http://forums.juniper.net/

http://www.youtube.com/junipernetworks

http://twitter.com/JuniperNetworks/

http://www.facebook.com/JuniperNetworks/

http://rss.juniper.net/p/subscribe/

State of Utah Bid JP14001

Jul 1, 2013 5:09:04 PM MDT p. 1

Solicitation JP14001

Data Communications Products & Services

Bid designation: Public

State of Utah


Jul 1, 2013 5:09:04 PM MDT p. 2

Bid JP14001 Data Communications Products & Services

Bid Number JP14001

Bid Title Data Communications Products & Services

Bid Start Date Jul 1, 2013 5:07:32 PM MDT

Bid End Date Aug 30, 2013 11:00:00 AM MDT

Question & Answer

End Date Jul 26, 2013 11:00:00 AM MDT

Bid Contact Jennifer A Porter

Purchasing Agent

DAS/State Purchasing

[email protected]

Contract Duration 5 years

Contract Renewal 2 annual renewals

Bid Comments Do not contact the WSCA-NASPO Contract Administrator or other RFP Sourcing Committee members

with questions relating to this solicitation. All question pertaining to this RFP must be submitted through

BidSync. All responses will be posted through BidSync. Please read the RFP requirements thoroughly

to ensure proposal response is compliant.

Clarification on terms and conditions attached to the RFP: WSCA-NASPO Terms and Conditions will apply to the Master Agreements that result from this RFP. The State of Utah - Attachment A Information

Technology Terms and Conditions will apply specifically to the Participating Addendum's (PA's) Utah

signs and is not specific to the WSCA-NASPO Master Agreement. Other States may have their own

terms and conditions that will be addressed specifically when their PA's are executed.

Item Response Form

Item JP14001-01-01 - JP14001 - Data Communications Products & Services

Quantity 1 contract

Prices are not requested for this item.

Delivery Location State of Utah

No Location Specified

Description

Qty 1

Do not contact the WSCA-NASPO Contract Administrator or other RFP Sourcing Committee members with questions relating to this solicitation. All question pertaining to this RFP must be submitted through BidSync. All responses will be posted through BidSync.

Please read the RFP requirements thoroughly to ensure proposal response is compliant. Prices & Percentages discounts must be submitted using the RFP Attachment C - Cost Sheet provided. Do not include prices or percentage discounts in the technical portion

of the response.



Jul 1, 2013 5:09:04 PM MDT p. 3

STATE OF UTAH

SOLICITATION NO. JP14001

Data Communications Products & Services

RESPONSES DUE NO LATER THAN:

Aug 30, 2013 11:00:00 AM MDT

RESPONSES MAY BE SUBMITTED ELECTRONICALLY TO:

www.bidsync.com

RESPONSES MAY BE MAILED OR DELIVERED TO:

State of Utah Division of Purchasing

3150 State Office Building, Capitol Hill Salt Lake City, Utah 84114-1061

http://www.bidsync.com/


Jul 1, 2013 5:09:04 PM MDT p. 4

State of Utah Request for Proposal

Legal Company Name (include d/b/a if

applicable)

Federal Tax

Identification Number

State of Utah Sales Tax ID

Number

Juniper Networks (US), Inc. 77-0559888

Ordering Address City State Zip Code

1194 North Mathilda Avenue Sunnyvale CA 94089

Remittance Address (if different from ordering

address)

City State Zip Code

Type X Corporation

_Jll Partnership

_Jll

Company Contact Person Roxanne Bieniek

Proprietorship _Jll Government _Jll

978-589-0636 Number (include area code) 978-589-0042

www.juniper.net [email protected]

N/A 30 Days After Receipt of Order (ARO)

Discount Terms (for bid purposes, bid discounts

less than 30 days will not be considered)

Days Required for Delivery After Receipt of Order (see

attached for any required minimums)

No, US, Mexico, China and Malaysia

The undersigned certifies that the goods or services offered are produced, mined, grown, manufactured, or

performed in Utah. Yes No _Jll . If no, enter where produced, etc.

http://www.juniper.net/


Jul 1, 2013 5:09:04 PM MDT p. 5

Offeror=s Authorized Representative=s Signature Date

8-27-2013

Type or Print Name Position or Title

Gilbert Aronson Global Leader Bids & Proposals


Jul 1, 2013 5:09:04 PM MDT p. 6

N O T I C E

When submitting a response (proposal, quote or bid) electronically through BidSync, it is the sole responsibility of the supplier to ensure that the response is received by BidSync prior to the closing date and time. Each of the following steps in BidSync MUST be completed in order to place an offer:

A. Login to www.bidsync.com;

B. Locate the bid (solicitation) to which you are responding;

a. Click the “Search” tab on the top left of the page; b. Enter keyword or bid (solicitation) number and click “Search”;

C. Click on the “Bid title/description” to open the Bid (solicitation) Information Page;

D. “View and Accept” all documents in the document section;

E. Select “Place Offer” found at the bottom of the page;

F. Enter your pricing, notes, other required information and upload attachments to this page;

G. Click “Submit” at the bottom of the page;

H. Review Offer(s); and

I. Enter your password and click “Confirm”.

Note that the final step in submitting a response involves the supplier’s acknowledgement that the information and documents entered into the BidSync system are accurate and represent the supplier’s actual proposal, quote or bid. This acknowledgement is registered in BidSync when the supplier clicks “Confirm”. BidSync will post a notice that the offer has been received. This notice from BidSync MUST be recorded prior to the closing date and time or the response will be considered late and will not be accepted.

Be aware that entering information and uploading documents into BidSync may take considerable time. Please allow sufficient time to complete the online forms and upload documents. Suppliers should not wait until the last minute to submit a response. It is recommended that suppliers submit responses a minimum of 24 hours prior to the closing deadline. The deadline for submitting information and documents will end at the closing time indicated in the solicitation. All information and documents must be fully entered, uploaded, acknowledged (Confirm) and recorded into BidSync before the closing time or the system will stop the process and the response will be considered late and will not be accepted.

Responses submitted in BidSync are completely secure. No one (including state purchasing staff) can see responses until after the deadline. Suppliers may modify or change their response at any time prior to the closing deadline. However, all modifications or changes must be completed and acknowledged (Confirm) in the BidSync system prior to the deadline. BidSync will post a notice that the modification/change (new offer) has been received. This notice from BidSync MUST be recorded prior to the closing date and time or the response will be considered late and will not be accepted.

Utah Code 46-4-402(2) Unless otherwise agreed between a sender (supplier) and the recipient (State Purchasing), an electronic record is received when: (a) it enters an information processing system that the recipient has designated or uses for the purpose of receiving electronic records or information of the type sent and from which the recipient is able to retrieve the electronic record; and (b) it is in a form capable of being processed by that system.


Jul 1, 2013 5:09:04 PM MDT p. 7

REQUEST FOR PROPOSAL - INSTRUCTIONS AND GENERAL PROVISIONS

1. SUBMITTING THE PROPOSAL: (a) The Utah Division of Purchasing and General Services (DIVISION) prefers that proposals be submitted electronically. Electronic proposals may be submitted through a secure mailbox at BidSync (formerly RFP Depot, LLC) (www.bidsync.com) until the date and time as indicated in this document. It is the sole responsibility of the supplier to ensure their proposal reaches BidSync before the closing date and time. There is no cost to the supplier to submit Utah’s electronic proposals via BidSync. (b) Electronic proposals may require the uploading of electronic attachments. The submission of attachments containing embedded documents is prohibited. All documents should be attached as separate files. (c) If the supplier chooses to submit the proposal directly to the DIVISION in writing: The proposal must be signed in ink, sealed, and delivered to the Division of Purchasing, 3150 State Office Building, Capitol Hill, Salt Lake City, UT 84114-1061 by the "Due Date and Time.” The "Solicitation Number" and "Due Date" must appear on the outside of the envelope. All prices and notations must be in ink or typewritten. Each item must be priced separately. Unit price shall be shown and a total price shall be entered for each item offered. Errors may be crossed out and corrections printed in ink or typewritten adjacent and must be initialed in ink by person signing offer. Unit price will govern, if there is an error in the extension. Written offers will be considered only if it is submitted on the forms provided by the DIVISION. (d) Proposals, modifications, or corrections received after the closing time on the "Due Date" will be considered late and handled in accordance with the Utah Procurement Rules, section R33-3-209. (e) Facsimile transmission of proposals to DIVISION will not be considered. 2. PROPOSAL PREPARATION: (a) Delivery time of products and services is critical and must be adhered to as specified. (b) Wherever in this document an item is defined by using a trade name of a manufacturer and/or model number, it is intended that the words, "or equivalent" apply. "Or equivalent" means any other brand that is equal in use, quality, economy and performance to the brand listed as determined by the DIVISION. If the supplier lists a trade name and/or catalog number in the offer, the DIVISION will assume the item meets the specifications unless the offer clearly states it is an alternate, and describes specifically how it differs from the item specified. All offers must include complete manufacturer=s descriptive literature if quoting an equivalent product. All products are to be of new, unused condition, unless otherwise requested in this solicitation. (c) Incomplete proposals may be rejected. (d) Where applicable, all proposals must include complete manufacturer=s descriptive literature. (e) By submitting the proposal the offeror certifies that all of the information provided is accurate, that they are willing and able to furnish the item(s) specified, and that prices offered are correct. (f) This proposal may not be withdrawn for a period of 60 days from the due date. 3. FREIGHT COST: Suppliers are to provide line item pricing FOB Destination Freight Prepaid. Unless otherwise indicated on the contract/purchase order, shipping terms will be FOB Destination Freight Prepaid. 4. SOLICITATION AMENDMENTS: All changes to this solicitation will be made through written addendum only. Answers to questions submitted through BidSync shall be considered addenda to the solicitation documents. Bidders are cautioned not to consider verbal modifications. 5. PROTECTED INFORMATION: Suppliers are required to mark any specific information contained in their offer which they are claiming as protected and not to be disclosed to the public or used for purposes other than the evaluation of the offer. Each request for non-disclosure must be made by completing the “Confidentiality Claim Form” located at: http://www.purchasing.utah.gov/contract/documents/confidentialityclaimform.doc with a specific justification explaining why the information is to be protected. Pricing and service elements of any proposal will not be considered proprietary. All material becomes the property of the DIVISION and may be returned only at the DIVISION 's option. 6. BEST AND FINAL OFFERS: Discussions may be conducted with offerors who submit proposals determined to be reasonably susceptible of being selected for award for the purpose of assuring full understanding of, and responsiveness to, solicitation requirements. Prior to award, these offerors may be asked to submit best and final offers. In conducting discussions, there shall be no disclosure of any information derived from proposals submitted by a competing offeror. 7. SAMPLES: Samples of item(s) specified in this offer, brochures, etc., when required by the DIVISION, must be furnished free of expense to the DIVISION. Any item not destroyed by tests may, upon request made at the time the sample is furnished, be returned at the offeror's expense.

8. AWARD OF CONTRACT: (a) The contract will be awarded with reasonable promptness, by written notice, to the responsible offeror whose proposal is determined to be the most advantageous to the DIVISION,

http://www.purchasing.utah.gov/contract/documents/confidentialityclaimform.doc


Jul 1, 2013 5:09:04 PM MDT p. 8

taking into consideration price and evaluation factors set forth in the RFP. No other factors or criteria will be used in the evaluation. The contract file shall contain the basis on which the award is made. Refer to Utah Code Annotated 65-56-408. (b) The DIVISION may accept any item or group of items, or overall best offer. The DIVISION can reject any or all proposals, and it can waive any informality, or technicality in any proposal received, if the DIVISION believes it would serve the best interests of the DIVISION. (c) Before, or after, the award of a contract the DIVISION has the right to inspect the offeror's premises and all business records to determine the offeror's ability to meet contract requirements. (d) The DIVISION will open proposals publicly, identifying only the names of the offerors. During the evaluation process, proposals will be seen only by authorized DIVISION staff and those selected by DIVISION to evaluate the proposals. Following the award decision, all proposals become public information except for protected information (see number 5 above). A register of proposals and contract awards are posted at http://purchasing.utah.gov/vendor/bidtab.html. (e) Estimated quantities are for bidding purposes only, and not to be interpreted as a guarantee to purchase any amount. (f) Utah has a reciprocal preference law which will be applied against offerors offering products or services produced in states which discriminate against Utah products. For details see Section 63G-6-404 and 63G-6-405, Utah Code Annotated. (g) Multiple contracts may be awarded if the DIVISION determines it would be in its best interest. 9. DEBRIEFING OF UNSUCCESSFUL OFFERORS: State Purchasing does not conduct face to face or teleconference debriefings. All debriefings are to be conducted in writing. A debrief request must be submitted in writing to the Purchasing Agent within seven (7) calendar days of the award notification or rejection notification made through written correspondence or posted on BidSync. The debrief response will be limited to critiquing the strength/weakness of an offeror’s proposal based on the evaluation criteria. The debriefing is intended as a courtesy to offerors, providing feedback to be used for future opportunities. Comparisons between proposals or evaluations of other proposals will not be allowed.

10. DIVISION APPROVAL: Contracts written with the State of Utah, as a result of this proposal, will not be legally binding without the written approval of the Director of the DIVISION. 11. DEBARMENT: The CONTRACTOR certifies that neither it nor its principals are presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded from participation in this transaction (contract) by any governmental department or agency. If the CONTRACTOR cannot certify this statement, attach a written explanation for review by the DIVISION. 12. ENERGY CONSERVATION AND RECYCLED PRODUCTS: The contractor is encouraged to offer Energy Star certified products or products that meet FEMP (Federal Energy Management Program) standards for energy consumption. The State of Utah also encourages contractors to offer products that are produced with recycled materials, where appropriate, unless otherwise requested in this solicitation. 13. GOVERNING LAWS AND REGULATIONS: All State purchases are subject to the Utah Procurement Code, Title 63 Chapter 56 U.C.A. 1953, as amended, and the Procurement Rules as adopted by the Utah State Procurement Policy Board. These are available on the Internet at www.purchasing.utah.gov. By submitting a bid or offer, the bidder/offeror warrants that the bidder/offeror and any and all supplies, services equipment, and construction purchased by the State shall comply fully with all applicable Federal and State laws and regulations, including applicable licensure and certification requirements. 14. SALES TAX ID NUMBER: Utah Code Annotated (UCA) 59-12-106 requires anyone filing a bid with the state for the sale of tangible personal property or any other taxable transaction under UCA 59-12-103(1) to include their Utah sales tax license number with their bid. For information regarding a Utah sales tax license

see the Utah State Tax Commission’s website at www.tax.utah.gov/sales. The Tax Commission is located at 210 North 1950 West, Salt Lake City, UT 84134, and can be reached by phone at (801) 297-2200.

(Revision Date: 05 Nov 2012 - RFP Instructions)

http://purchasing.utah.gov/vendor/bidtab.html

http://www.purchasing.utah.gov/

http://www.tax.utah.gov/sales


Jul 1, 2013 5:09:04 PM MDT p. 9

WSCA-NASPO Data Communications Solicitation # JP14001

The State of Utah Division of Purchasing and General Services

In conjunction with

Request for Proposals

JP14001

WSCA-NASPO Master Agreement for DATA COMMUNICATIONS PRODUCTS & SERVICES

July 1, 2013

Page 1 of 45

Jul 1, 2013 5:09:04 PM MDT p. 10


WSCA-NASPO Data Communications Services Solicitation # JP14001

Table of Contents

Section 1: WSCA-NASPO Solicitation General Information 3

Section 2: General Proposal Requirements and Information 12

Section 3: Data Communications Provider Mandatory Minimum Requirements 13

Section 4: Data Communications Provider Qualifications 14

Section 5: Service Offering Qualifications 16

5.2 Data Communications Services – Requirements 17

5.2.1 DATA CENTER APPLICATION SERVICES 17

5.2.2 NETWORKING SOFTWARE 17

5.2.3 NETWORK OPTIMIZATION AND ACCELERATION 18

5.2.4 OPTICAL NETWORKING 18

5.2.5 ROUTERS 19

5.2.6 SECURITY 19

5.2.7 STORAGE NETWORKING 20

5.2.8 SWITCHES 20

5.2.9 WIRELESS 24

5.3.1 UNIFIED COMMUNICATIONS (UC) 25

5.3.2 SERVICES 27

Section 6: Evaluation 29

Section 7: Master Agreement Terms and Conditions/Exceptions 32

Attachment B – Reference Form 35

Attachment C – Cost Schedule 38

Page 2 of 45

Jul 1, 2013 5:09:04 PM MDT p. 11



REQUEST FOR PROPOSAL DATA COMMUNICATIONS PRODUCTS AND SERVICES CONTRACT

Solicitation # JP14001 Revised 5/30/2013

Section 1: WSCA-NASPO Solicitation General Information

1.1 Purpose of Request for Proposal (RFP)

The State of Utah, Division of Purchasing is requesting proposals in conjunction with WSCA-NASPO Cooperative Purchasing Organization, LLC (WSCA-NASPO). The purpose of this request for proposal is to establish master agreements with qualified manufacturers to provide Data Communications products and services outlined in the specifications for all participating States. The services resulting from the award of this solicitation are to be available to all state entities, cities, counties, higher education, school districts and other political subdivisions on an as needed basis under the same pricing and terms and conditions agreed to in the Master Agreement.

It is anticipated that this RFP may result in Master Agreement awards to multiple contractors.

While the primary purpose of this solicitation is to select a proposer(s) who can offer the Products or Services for all Participating States, proposers are permitted to submit a proposal on more limited geographical areas, but not less than one entire Participating State. Proposers must clearly describe the geographical limits (e.g. by State name) if proposing a geographical area less than that of all Participating States. However, if a proposer elects to submit a Proposal for a single State then the proposer must be willing to supply the entire State and will not be allowed to add additional States following award or at any time during the term of the contract or any renewals.

A Participating State may evaluate and select a proposer for award in more limited geographical areas (e.g. A single state) where judged to be in the best interests of the State or States involved.

Each participating entity shall select the authorized contractor(s) they choose to do business with during the participating addendum process. A participating entity may require the authorized contractor(s) to submit additional information regarding their firm as part of the selection process during the execution of a participating addendum. This information could include, but is not limited to; partners or resellers approved under their PA, business references, number of years in business, technical capabilities, and the experience of both their sales and installation personnel.

Each participating entity has the option to select one or more product categories or services from the resulting Master Agreement(s) during the execution of the participating addendum process.

Each participating entity has the option to negotiate an expanded product line within the product category offering and within the scope of this RFP during the Participating Addendum process. Any additional incremental discounts available to a Participating Entity, if offered, may be provided at the discretion and as the sole legal obligation of the Contract provider or their Authorized Sub-Contractor to the Participating Entity and negotiated during the Participating Addendum process. All Participating entities have the right to put dollar limits and certain line item, parts or on the total amount purchased per occasion on their individual PA’s as they deem appropriate.

The resulting Master Agreement will be awarded with the understanding and agreement that it is for the sole convenience of the participating entities. The participating entities reserve the right to obtain like goods or services from other sources when necessary.

This RFP is designed to provide interested proposers with sufficient basic information to submit proposals meeting minimum requirements, but is not intended to limit a proposal's content or exclude any relevant or essential data. Suppliers are encouraged to expand upon the specifications to evidence service and capability.

Page 3 of 45

Jul 1, 2013 5:09:04 PM MDT p. 12



1.2 WSCA-NASPO Background Information

WSCA-NASPO is a cooperative purchasing organization of all 50 states, the District of Columbia and the organized US territories. WSCA-NASPO is a subsidiary of the National Association of State Procurement Officials (NASPO). NASPO is a non-profit association dedicated to strengthening the procurement community through education, research, and communication. It is made up of the directors of the central purchasing offices in each of the 50 states, the District of Columbia and the territories of the United States. For more information consult the following websites www.wsca-naspo.org and www.naspo.org

Obligations under master agreements that result from this cooperative procurement are limited to those states and other eligible entities that execute a Participating Addendum:

63G-6a-2105. Participation of a public entity or a procurement unit in agreements or contracts of procurement units -- Cooperative purchasing -- State cooperative contracts.

(2) A public entity may obtain a procurement item from a state cooperative contract or a contract awarded by the chief procurement officer under Subsection (1), without signing a participating addendum if the quote, invitation for bids, or request for proposals used to obtain the contract includes a statement indicating that the resulting contract will be issued on behalf of a public entity in Utah.

Financial obligations of Participating States (Entities) are limited to the orders placed by the departments, agencies and institutions of that Participating State (Entity) having legally available funds. Participating States incur no financial obligations on behalf of its political subdivisions, other governmental entities or other eligible entities.

Unless otherwise specified in the solicitation or a Participating Addendum, the resulting master price agreement(s) will be permissive.

This RFP is designed to provide interested Offerors with sufficient basic information to submit proposals meeting minimum requirements, but is not intended to limit a proposal's content or exclude any relevant or essential data. Proposals must be succinct, concise, and as short as possible to allow for efficient evaluation. Blanket marketing material and unnecessary elaborate brochures or representations beyond what is sufficient to present a complete and effective proposal are not acceptable.

Offerors must respond to any or all of the 12 categories that follow. The following product and service categories are included in this RFP:

1. Data Center Application Services 2. Networking Software 3. Network Management and Automation 4. Network Optimization and Acceleration 5. Optical Networking 6. Routers 7. Security 8. Storage Networking 9. Switches 10. Wireless 11. Unified Communications 12. Services

1.3 Objective

The objective of this RFP is to obtain deeper volume price discounts than are obtainable by an individual state or local government entity. This discount is based on the collective volume of potential purchases by the numerous state and local government entities. The savings realized by the contractor in managing one comprehensive WSCA-NASPO Master Agreement rather than numerous state and local contracts should result in the most attractive service level and discounts available in the marketplace.

The Master Agreement(s) resulting from this procurement may be used by state governments (including

Page 4 of 45

http://www.wsca-naspo.org/

http://www.naspo.org/

Jul 1, 2013 5:09:04 PM MDT p. 13



departments, agencies, institutions), institutions of higher education, political subdivisions (i.e., colleges, school districts, counties, cities, etc.), and other eligible entities subject to approval of the individual state procurement director and local statutory provisions.

Participation by political subdivisions, other government entities and other eligible participants is with the authorization or acknowledgement of the specific state chief procurement official, and the execution of a Participating Addendum.

1.4 Solicitation Background

This is a rebid for the current for the WSCA-NASPO Data Communications Equipment, Supplies and Services contracts. Eight (8) Manufacturers currently have Master Contracts to provide Data Communications Equipments, Supplies and Services. They are as follows:

Alcatel-Lucent – AR1466

Brocade Communications – AR214 Cisco Systems – AR233 Enterasys Networks, Inc. – AR1471 Extreme Networks – AR1471

Hewlett-Packard - AR1464 Juniper Networks – AR229 Meru Networks – AR218

Although the State of Utah and WSCA-NASPO does not guarantee any usage or spend under these contracts, for bid purposes only, the total combined spend on these contracts for 2012 was $204 million dollars.

1.5 Issuing Office and Solicitation Number

The State of Utah, Division of Purchasing is the issuing office for this document and all subsequent addenda relating to it. The reference number for the transaction is Solicitation # JP14001. This number must be referred to on all proposals, correspondence, and documentation relating to the RFP.

1.6 WSCA-NASPO Contract Administrator

The WSCA-NASPO Contract Administrator designated by WSCA-NASPO and the State of Utah, Division of Purchasing and General Services is:

Name: Jennifer Porter State of Utah Division of Purchasing and General Services

State Office Building, Capitol Hill Room 3150 Salt Lake City, UT 84114-1061 Email: [email protected] Phone: 801-538-3064 Fax: 801-538-3882

1.7 Proposal Submittal

Offers must be received, according to instructions, by the posted due date and time. Offers received after the deadline will be non-responsive.

Proposals are due August 30, 2013 at 11:00 am MST

Questions will be accepted until July 26, 2013 at 11:00 am MST

Data Communication RFP Release Webinar is scheduled for July 11, 2013. Webinar details will be

Page 5 of 45


Jul 1, 2013 5:09:04 PM MDT p. 14



posted on the WSCA-NASPO website (www.wsca-naspo.org).

The preferred method of submitting your original ‘master’ proposal packet is electronically in Microsoft Word and Excel through BidSync, (www.bidsync.com), or you may mail or drop off your hard copies to the address noted in Section 1.6 of this RFP on or before the due date and time. The original ‘master’ proposal packet shall include a separate document or sealed envelope labeled “SOLICITATION # JP14001 Cost Schedule” that contains the pricing document. Please note that the State of Utah Division of Purchasing office is closed on Saturday and Sunday and therefore does not accept deliveries on those days.

When submitting an offer electronically through BidSync, please allow sufficient time to complete the online forms and upload documents. The solicitation will end at the closing time listed in the offer. If you are in the middle of uploading your documents at the closing time, the system will stop the process and your offer will not be received by the system. It is recommended that the submission process be completed the day prior to the due date, with the knowledge that any changes/updates will be accepted through the due date and time.

Electronic offers may require the uploading of electronic attachments. BidSync’s site will accept a wide variety of document types as attachments. However, the submission of documents containing embedded documents (zip files), mov, wmp, and mp3 files are prohibited. All documents should be attached as separate files.

BidSync customer support may be contacted at (800) 990-9339 for guidance on the BidSync site.

Respondents are responsible for ensuring that their BidSync registration information is current and correct.

The State of Utah accepts no responsibility for missing or incorrect information contained in the vendor registration in BidSync. Incorrect or missing vendor registration information may result in failure to receive notification from BidSync regarding this procurement.

In addition to the original ‘master’ proposal packet submission, Respondents are required to send one (1) hard copy and one (1) electronic version (Microsoft Word and Excel) of the complete proposal, excluding pricing information, to each of the evaluation team members listed below. Each proposal packet shall be marked with the solicitation number and be in accordance with the submittal requirements. The original ‘master’ sent to the WSCA-NASPO Master Agreement Administrator identified in Section 1.6 of this RFP will prevail in resolving any discrepancies.

Alaska – Ted Fawcett Contracting Officer [email protected]

California - Bonnie Bahnsen [email protected]

Nevada – Marti Marsh Purchasing Officer [email protected]

New Jersey – Vicente Azarcon Procurement Specialist [email protected]

Utah – Jennifer Porter Purchasing Agent State of Utah [email protected]

1.8 Current State Participants

The States currently participating in the existing contracts are: Alaska, Arkansas, California, Colorado, Delaware, District of Columbia, Hawaii, Idaho, Iowa, Kentucky, Louisiana, Minnesota, Missouri, Montana, Nevada, New Jersey, Oklahoma (Grand River Dam Authority), Oregon, South Dakota, Utah, Washington, Wisconsin and Wyoming.

Page 6 of 45






Jul 1, 2013 5:09:04 PM MDT p. 15



States with “Intent to Participate” – The following states have executed an Intent to Participate thru WSCA- NASPO, which simply indicates that they want to be formally listed in the published Request for Proposal as participating in the solicitation process: California, Hawaii, Minnesota, Missouri, Montana, Nevada, New Jersey, South Carolina, South Dakota, Utah, Vermont and Washington. All 56 NASPO members are eligible to participate in all WSCA-NASPO contracts when and if they decide they want to, in accordance with their individual statutory requirements.

1.9 Governing Laws and Regulations

This procurement is conducted by the State of Utah, Division of Purchasing & General Services, in accordance with the Utah Procurement Code. These are available at the Internet website www.purchasing.utah.gov for the State of Utah’s Division of Purchasing & General Services.

The laws of the State of Utah will govern all Master Agreements that result from this procurement unless the Data Communications Products and Services Provider and participating entity agree in a Participating Addendum that the laws of another jurisdiction will govern purchases made by purchasing entities within the jurisdiction of the participating entity.

1.10 Length of Contract

The Master Agreement(s) resulting from this RFP will be for a period of five years (initial term). The Master Agreement(s) may be extended beyond the original Master Agreement period for a two (2) year period, by mutual agreement.

1.11 Pricing Structure

Pricing Structure: Pricing for the WSCA-NASPO Master Agreements shall be based on the Percent Discount off the current global MSRP Schedule applicable to United States customers.

1.12 Price Guarantee Period

Price Guarantee Period: The Data Communication Provider’s Discount rate shall remain in effect for the term of the WSCA-NASPO Master Price Agreement.

1.13 Price Escalation

Equipment, Supplies and Services: Data Communications provider may update the pricing on their MSRP price list one time every year after the first year of the original contract term. The WSCA-NASPO Contract Administrator will review a documented request for a Price Schedule price list adjustment only after the Price Guarantee Period.

1.14 Price Reductions

In the event of a price decrease in any category of product at any time during the contract in a Provider’s Price Schedule, including renewal options, the WSCA-NASPO Contract Administrator shall be notified immediately. All Price Schedule price reductions shall be effective upon the notification provided to the WSCA-NASPO Master Agreement Administrator.

1.15 Usage Reporting Requirement

All Data Communication Provider’s will be required to provide quarterly usage reports to the WSCA-NASPO Contract Administrator or designee. The initiation and submission of the quarterly reports are the responsibility of the Data Communication Contract Provider. You are responsible to collect and report all sales data including your resellers and partners sales associated with your Master Agreement. There will be no prompting or notification provided by the WSCA-NASPO Contract Administrator. Quarterly reports must coincide with the quarters in the fiscal year as outlined below:

Page 7 of 45

http://www.purchasing.utah.gov/

Jul 1, 2013 5:09:04 PM MDT p. 16



Quarter #1: July 1 through September 30, due annually by October 30. Quarter #2: October 1 through December 31, due annually by January 30. Quarter #3: January 1 through March 31, due annually by April 30. Quarter #4: April 1 through June 30, due annually by July 30.

Respondents must identify the person responsible for providing the mandatory usage reports. This contact information must be kept current during the Master Agreement period. The WSCA-NASPO Contract Administrator must be notified if the contact information changes. The contact information for the person responsible for the mandatory quarterly usage reporting must be specified per Section 3.1.5.

The purpose of the Master Agreement usage-reporting requirement is to aid in Master Agreement management. The specific report content, scope, and format requirements will be provided to the awarded Data Communications Products and Services Provider’s during Master Agreement execution. Some WSCA- NASPO States may require additional reporting requirements. Those requirements will be addressed through the individual participating entity’s Participating Addendum process. Failure to comply with this requirement may result in Master Agreement cancellation.

1.16 Standard Contract Terms and Conditions

Any Master Agreement resulting from this RFP will include, but will not be limited to, the WSCA-NASPO Standard Master Agreement Terms and Conditions, the State of Utah Additional Terms and Conditions (Appendix A) and any additional terms and conditions specific to WSCA-NASPO participating addendums for participating entities. The WSCA-NASPO Master Agreement Terms and Conditions and State of Utah Additional Terms and Conditions will take highest precedence in any contract resulting from this solicitation. Vendors must clearly identify exceptions to the WSCA-NASPO Standard Master Agreement Terms and Conditions and the State of Utah Additional Terms and Conditions in the bid submission. Vendor exceptions must include proposed solution language. Failure to submit exceptions and/or solution language will constitute vendor acceptance of WSCA-NASPO and State of Utah Additional Terms and Conditions. No third party terms and conditions will be allowed in resulting contracts awarded under this solicitation. Additional vendor terms and conditions must be submitted with the solicitation bid response for legal review and contract applicability. Submission of vendor terms and conditions with a bid response does not guarantee acceptance. Vendor terms and condition will not include any reference to website URLs that house additional terms and conditions. All terms and conditions associated with resulting contracts will be identified and attached to the WSCA-NASPO Master Agreement. The State of Utah reserves the right to accept, reject, and/or negotiate vendor terms and conditions after the award(s) have been made if it is in the best interest of the State of Utah. Participating States reserve the right to negotiate vendor terms and conditions during the Participating Addendum process. Vendor terms and conditions included with a bid

response are limited to a maximum of 10 pages (81/2

x 11 inch paper, 10 pt Arial font, and single sided). Failure to adhere to these terms and conditions requirements may result in vendor disqualification.

1.17 Questions

All questions must be submitted through BidSync. Answers will be given via the BidSync website. Questions received after the Question/Answer period will not be answered. No agency employee, board member, or evaluation committee member should be contacted concerning this solicitation during the solicitation posting and selection process. Failure to comply with this requirement may result in vendor disqualification.

1.18 Discussions with Respondents (Oral Presentation)

An oral presentation by a Respondent to clarify a proposal may be required at the sole discretion of the WSCA-NASPO Master Agreement Administrator. However, the WSCA-NASPO Contract Administrator may award a Master Agreement based on the initial proposals received without discussion with the Respondent. If oral presentations are required, they will be scheduled after the submission of proposals. Oral presentations will be made at the Respondents expense.

1.19 Protected Information

The Government Records Access and Management Act (GRAMA), Utah Code Ann., Subsection 63-2-304,

Page 8 of 45

Jul 1, 2013 5:09:04 PM MDT p. 17



provides in part that:

the following records are protected if properly classified by a government entity:

(1) trade secrets as defined in Section 13-24-2 if the person submitting the trade secret has provided the governmental entity with the information specified in Section 63-2-308 (Business Confidentiality Claims);

(2) commercial information or non-individual financial information obtained from a person if:

(a) disclosure of the information could reasonably be expected to result in unfair

competitive injury to the person submitting the information or would impair the ability of the governmental entity to obtain necessary information in the future;

(b) the person submitting the information has a greater interest in prohibiting access than the public in obtaining access; and

(c) the person submitting the information has provided the governmental entity with the information specified in Section 63-2-308; * * * * *

(6) records the disclosure of which would impair governmental procurement

proceedings or give an unfair advantage to any person proposing to enter into a contract or agreement with a governmental entity, except that this Subsection (6) does not restrict the right of a person to see bids submitted to or by a governmental entity after bidding has closed; ....

GRAMA provides that trade secrets, commercial information or non-individual financial information may be protected by submitting a Claim of Business Confidentiality.

To protect information under a Claim of Business Confidentiality, the Respondent must:

1. provide a written Claim of Business Confidentiality at the time the information (proposal) is provided to the State, and

2. include a concise statement of reasons supporting the claim of business confidentiality (Subsection 63-2-308(1)).

3. submit an electronic “redacted” (excluding protected information) copy of your proposal response. Copy must clearly be marked “Redacted Version.” Failure to submit a redacted version may result in release of your entire proposal.

A Claim of Business Confidentiality may be appropriate for information such as client lists and non-public financial statements. Pricing and service elements cannot be protected. An entire proposal cannot be protected under a Claim of Business Confidentiality or Propritary. Failure to comply with this requirement many result in your proposal being ruled Non-Responsive and no longer considered.

The claim of business confidentiality must be submitted with your proposal on the form which may be accessed at: www.purchasing.utah.gov/contract/documents/confidentialityclaimform.doc

To ensure the information is protected, the Division of Purchasing asks the Respondent to clearly identify in the Executive Summary and in the body of the proposal any specific information for which a Respondent claims business confidentiality protection as "PROTECTED".

All materials submitted become the property of the State of Utah. Materials may be evaluated by anyone designated by the State as part of the sourcing team. Materials submitted may be returned only at the State's option.

1.20 WSCA Administrative Fee

The Contracted Supplier must pay a WSCA-NASPO administrative fee of one quarter of one percent (.025%) in accordance with the terms and conditions of the contract. The WSCA-NASPO administrative fee shall be submitted quarterly and is based on the actual sales of all products and services in conjunction with your quarterly reports. The WSCA-NASPO administrative fee must be included when determining the pricing offered. The WSCA-NASPO administrative fee is not negotiable and shall not be added as a separate line item on an invoice.

Page 9 of 45

http://www.purchasing.utah.gov/contract/documents/confidentialityclaimform.doc

Jul 1, 2013 5:09:04 PM MDT p. 18



Additionally, some WSCA-NASPO participating entities may require that an administrative fee be paid directly to the WSCA-NASPO participating entity on purchases made by purchasing entities within that State. For all such requests, the fee percentage, payment method and payment schedule for the participating entity’s administrative fee will be incorporated in the Participating Addendum. Data Communications Provider will be held harmless, and may adjust (increase) the WSCA-NASPO Master Agreement pricing by the fee percentage for that participating entity accordingly for purchases made by purchasing entities within the jurisdiction of the State. All such agreements may not affect the WSCA-NASPO fee or the prices paid by the purchasing entities outside the jurisdiction of the participating entities requesting the additional fee.

1.21 Interest

Any payments that a Contracted Supplier makes or causes to be made to WSCA-NASPO after the due date as indicated on the Quarterly Report schedule shall accrue interest at a rate of 18% per annum or the maximum rate permitted by law, whichever is less, until such overdue amount shall have been paid in full. The right to interest on late payments shall not preclude WSCA-NASPO from exercising any of its other rights or remedies pursuant to this agreement or otherwise with regards to Data Communication Provider’s failure to make timely remittances.

1.22 Proposal Offer Firm

Responses to this RFP, including proposed discounts offered will be considered firm for one hundred and sixty

(160) days after the proposal due date. By signature (electronic or otherwise) and submission of a proposal, the person signing verifies that they are authorized to submit the proposal and bind the firm to provide the products/services in the proposal and potential Master Agreement.

1.23 Cancellation of Procurement

This RFP may be canceled at any time and any and all proposals may be rejected in whole or in part when the State of Utah, Division of Purchasing and General Services determines such action to be in the best interest of the State of Utah.

1.24 Right to Waive

The sourcing team reserves the right to waive minor irregularities at its sole discretion.

1.25 Right to Accept All or Portion

It is our intent to accept the entire line of Data Communications Equipment and Services (included in the scope) from the awarded Data Communications Providers, however we reserve the right to accept all or a portion of a Respondents proposal.

1.26 Service Line Additions and Updates

During the term of the contract, Data Communications Providers may submit a request to update the awarded items (within the scope listed in IDENTIFY SECTION) as new technology is introduced, updated or removed from the market. The Master Agreement Administrator will evaluate requests and update the contract offering via written amendment as appropriate. The Data Communications Service Provider shall update the dedicated website, price lists, and catalogs to reflect approved changes. Pricing must utilize the same pricing structure as was used for services falling into the same service category.

1.27 Right to Publish

Throughout the duration of this procurement process and Master Agreement term, Respondents, Data Communications Providers and their authorized contractors must secure from the WSCA-NASPO Contract Administrator prior approval for the release of any information that pertains to the potential work or activities covered by this procurement or the Master Agreement. The Data Communications Provider shall not make any representations of WSCA-NASPO’s opinion or position as to the quality or effectiveness of the services that are the subject of this Master Agreement without prior written consent of the WSCA-NASPO Contract

Page 10 of 45

Jul 1, 2013 5:09:04 PM MDT p. 19



Administrator. Failure to adhere to this requirement may result in disqualification of the Respondents proposal

or termination of the Master Agreement for cause

1.28 Changes in Representation

The Contracted Supplier must notify the WSCA-NASPO Contract Administrator of changes in the Contracted Supplier’s key administrative personnel, to the extent that there may be adverse impacts to the contract. The WSCA-NASPO Contact Administrator reserves the right to require a change in Contracted Supplier(s) representatives if the assigned representative(s) is not, in the opinion of the WSCA-NASPO Contract Administrator, meeting the terms and conditions of the contract.

1.29 E-Rate Requirement

All award contractors must commit to participation in the Federal Communication Commission's E-rate discount program established under authority of the Federal Telecommunications Commission Act of 1996. Participation in, and implementation of, this program must be provided without the addition of any service or administration fee by the contractor.

1.30 Section 508 Compliant

Respondents must meet all Federal and State regulations required to these type of products including but limited to accessible products by describing their support of the applicable provisions of the Workforce Investment Act of 1998, Section 508.

1.31 Glossary

Authorized Contractor: The Prime Contractor as listed as Contractor under the resulting Master Agreement(s) as a result of this RFP.

Authorized Sub Contractor: sub Contractor, Reseller, Partner, etc. Authorized by the Contractor (Prime) to sell only the products and services listed under the Master Agreement (s) established as a result of this RFP. This authorized sub contractor must have the authority and ability to accurately reflect the ability of the Respondent to meet the requirements detailed in this RFP.

WSCA-NASPO Contract Administrator: A dedicated person with the authority and ability to manage compliance with the scope and terms and conditions for this contract.

Mandatory Minimum Requirements: Requirements that must be met in order to be considered for further evaluation. Mandatory minimum requirements are non-negotiable. An offer that does not meet the mandatory minimum requirements will be disqualified from further consideration.

Participating Addendum: A Participating Addendum must be executed by any State that decides to adopt a WSCA-NASPO Master Agreement.

A Participating Addendum shall be executed for each contractor by the individual State desiring to use their contract.

Additional States may be added with the consent of the contractor and the Lead State (on behalf of WSCA-NASPO) through execution of Participating Addendums.

A Participating Addendum allows for each Participating State to add terms and conditions that may be unique to their State.

The Participating State and the Contractor shall negotiate and agree upon any additional terms and conditions prior to the signing and execution of the Participating Addendum.

States are not mandated to sign a Participating Addendum with all awarded vendors.

Page 11 of 45

Jul 1, 2013 5:09:04 PM MDT p. 20



Participating Entity: A State that has indicated intent to participate in the solicitation process, or after award, a State that has executed a participating addendum.

Purchasing Entity: Any end-user in a participating State that is eligible to use the Master Agreement(s) through the participating addendum, including but not limited to State Agencies, Counties, Cities, Education, and other entities.

Qualified Entity: An entity that is eligible to use the Master Agreement(s).

Usage Report Administrator: A contractors person responsible for the quarterly sales reporting and payments described in Section 1.15 Usage Reporting Requirement.

Volume Discount: A percentage discount offered by the seller to the buyer for purchasing a stated dollar amount of Data Communications services and products to be delivered at one time or for a specified period.

Sourcing Team: The technical and business team charged with setting requirements for the Data Communications procurement, and its subsequent evaluation.

Section 2: General Proposal Requirements and Information

2.1 Proposal Content and Format Requirements

Proposals must be detailed and concise. Unless otherwise stated in your proposal as an “exception”, Respondents agree to comply with every section, subsection, attachment and addendum of this RFP. Each proposal must be submitted in Microsoft Word or Excel, labeled and organized in a manner that is congruent with the section number, headings, requirements, and terminology used in this RFP. Proposal documents must be Arial font size 10. Respondent responses that are limited to a specified number of pages are referring to single sided pages. As an example, a response that is limited to a document that is no more than two pages long may be submitted on one double sided page, but not two double sided pages.

2.2 RFP Revisions

Revisions, if any, and all written questions and the State’s answers, will be posted on the BidSync website. Solicitation documents will not be mailed to prospective Proposers. Respondents must register (free of charge) as a vendor with BidSync in order to have access to the RFP and related documents. Respondents are responsible for ensuring that their registration information is current and correct. The State of Utah accepts no responsibility for missing or incorrect information contained in the supplier’s registration information on BidSync. The State of Utah accepts no responsibility for a prospective Respondent not receiving solicitation documents and/or revisions to the solicitation. It is the responsibility of the prospective Respondent to obtain the information provided through BidSync.

2.3 Right to Waive

The State of Utah reserves the right to waive any informality or technicality in any proposal.

2.4 Proposals Become Property of the State of Utah

All proposal contents become the property of the State of Utah. All proposal content is proprietary during the proposal evaluation process. Upon Master Agreement award, the successful Respondents’ proposals will be open to public inspection, by request, with the exception of any proposal content that is marked as “proprietary or confidential” by the Respondent. All content designated as “proprietary or confidential” must be supported by documentation as to the rationale for the proprietary nature of the information.

2.5 News Releases

News releases or other public disclosure of information pertaining to this RFP or the statewide contracts may not be published without the prior written permission of the State of Utah.

2.6 State Seal Use

Page 12 of 45

Jul 1, 2013 5:09:04 PM MDT p. 21



The Utah Great Seal Rule states, in section R622-2-3.Custody and Use, that “no facsimile or reproduction of the Great Seal may be manufactured, used, displayed, or otherwise employed by anyone without the written approval of the Lieutenant Governor."

Other participating States have similar rules that must be adhered to by Respondents or interested parties.

Section 3: Data Communications Provider Mandatory Minimum Requirements


This section contains requirements that must be addressed in order for your proposal to be considered for the evaluation phase of this RFP. All of the items described in this section are non-negotiable. Respondents are required to complete:

Mandatory Requirements (M) All Respondents must meet the (M) requirements listed in this section, and explain how the requirement is met. A ‘no’ response on the acceptance document or omission of the required explanation will disqualify the service from further evaluation.

3.1.1 Equipment Offering

(M) Identify Equipment Offering in sections 5.2.1-5.3.0.

3.1.2 Service Offering

(M) Identify Service Offerings for all products offered in Sections 5.2.1-5.3.0.

3.1.3 Insurance Requirement

(M) This pertains to the State of Utah insurance requirements. Other Participating States may identify different insurance requirements during the participating addendum process.

Data Communications Provider’s and their authorized contractors shall procure and maintain insurance which shall protect the authorized contractor and The State and/or purchasing entity (as an additional insured) from any claims from bodily injury, property damage, or personal injury covered by the indemnification obligations set forth herein. The Data Communications Provider’s authorized contractor shall procure and maintain the insurance policies described below at their own expense and shall furnish to the procurement manager, upon award, an insurance certificate listing the participating State(s) as certificate holder and as an additional insured. The insurance certificate must document that the Commercial General Liability insurance coverage purchased by the authorized contractor to include contractual liability coverage applicable to this Master Agreement. In addition, the insurance certificate must provide the following information: the name and address of the insured; name, address, telephone number and signature of the authorized agent; name of the insurance company (authorized to operate in all States); a description of coverage in detailed standard terminology (including policy period, policy number, limits of liability, exclusions and endorsements) and an acknowledgment of notice of cancellation to the participating States.

Authorized contractor is required to maintain the following insurance coverage’s during the term of the WSCA-NASPO Master Agreement:

1) Workers’ Compensation Insurance – The Data Communications Provider’s authorized contractor must comply with Participating State’s requirements and provide a certificate of insurance. 2) Commercial General Liability Policy per occurrence - $1,000,000. Coverage to include bodily injury and property damage combined single limit. 3) Business Automobile Policy to include but not limited to liability coverage on any owned, non-

Page 13 of 45

Jul 1, 2013 5:09:04 PM MDT p. 22



owned, or hired vehicle used by Data Communications Provider’s authorized contractor personnel in the performance of this Master Agreement. The business automobile policy shall have the following limits of liability: Per Occurrence - $1,000,000, Annual Aggregate - $3,000,000, Annual Aggregate applying to products and services - $3,000,000. Coverage must include premises and operations, bodily injury and property damage, personal and advertising injury; blanket contractual, products and services, owner named as an additional insured. The State of Utah must be listed as an additional insured.

Within 10 days of contract award, the Contracted Supplier and/or Authorized Contractor must submit proof of certificate of insurance that meets the above requirements or the Participating States requirements.

3.1.4 Delivery

(M) The prices offered shall be the delivered price to any WSCA-NASPO purchasing entity. All

deliveries shall be F.O.B. destination with all transportation and handling charges paid by the contractor. Responsibility and liability for loss or damage shall remain the Contractor until final inspection and acceptance (within 30 days after delivery for external damage and 30 days for any concealed damage) when responsibility shall pass to the Buyer except as to latent defects, fraud

and Contractor’s warranty obligations. The minimum shipment amount will be found in the special terms and conditions. Any order for less than the specified amount is to be shipped with the freight prepaid and added as a separate item on the invoice. Any portion of an order to be shipped without transportation charges that is back ordered shall be shipped without charge.

3.1.5 Service Offering Documentation

(M) Upon request, user and/or technical documentation should be supplied for all procured products and services. Manuals may be available via the Contracted Supplier’s website. The manual shall contain user and technical instructions appropriate to the service.

3.1.6 Data Communications Provider Contract Administrator and Usage Report Administrator

(M) The Contracted Supplier shall provide a Contract Administrator to manage compliance with the scope and terms and conditions for this contract. The following Information, at a minimum, regarding the Contract Administrator shall be provided:

a. Administrator’s number of years experience in the Data Communications Services business.

b. Confirmation that the Data Communications Provider Contract Administrator has authority to enforce the scope of work and terms and conditions of the resulting contract.

The Contracted Supplier shall also provide a Usage Report Administrator responsible for the quarterly sales reporting described in Section 1.15 Usage Reporting Requirement.

3.1.7 eMarket Center Cooperation

(M) To be eligible for contract award, the Contractor must agree to cooperate with WSCA-NASPO

and SciQuest (and any authorized agent or successor entity to SciQuest) with uploading a hosted

catalog or integrating a punchout site. The contract requirements are in section 7.

Section 4: Data Communications Provider Qualifications

4.1 General Information:

Provide any pertinent general information about the depth and breadth of the Offeror’s product and service offerings and their overall use and acceptance in the Data Communications marketplace.

4.2 Warranty

Page 14 of 45

Jul 1, 2013 5:09:04 PM MDT p. 23



Specify the Offeror’s standard warranty offerings for the products and services proposed in the response to

this RFP.

4.3 Website

Award contractors are required to establish and maintain a website applicable to the WSCA/NASPO contract which will allow Participating States to see applicable contract price list, discounts on said price list, approved resellers or partners for their state and any additional information that may be required to assist the participating states in obtaining information concerning the contract award. The State of Utah representing WSCA/NASPO reserves the right to require the award contractor to add additional items to assist in this process. Specify Websites used by the Offeror to facilitate customer ordering under awarded contracts. This is a mandatory requirement.

4.4 Customer Service

Specify the Offeror’s standard customer service policies and detail the escalation process used to handle customer-generated issues.

4.5 irm

a. Provide a brief history of your firm including the following:

1. Number of years providing Data Communications Services being offered in response to

this RFP.

2. Number of separate services provided in each of the area categories described in this

RFP.

b. Describe specifically what makes your firm a stable long term partner for WSCA-NASPO.

c. Describe specifically what information the Data Communications Provider contract administrator

would provide at annual meetings with an entity that has executed a participating addendum.

d. Describe how you plan to implement the contract including having a single point of contact to

perform and manage all aspects of this contract.

e. Describe in detail your firm’s escalation management plan including contact information.

4.6 Authorized Sub Contractor Relationships

Respondents may propose the use of Servicing Subcontractors or partners however, the Contractor shall remain solely responsible for the performance under the terms and conditions of the Contract if Servicing Subcontractors are utilized. This includes sales report information. The Contractor will be responsible to collect, and report this information from all partners or resellers representing your contract.

a. Briefly describe what your firm requires from potential contractors to become an “Authorized Data

Communications Reseller”. Provide an Authorized Contractor List.

b. Describe in detail how your firm currently measures an authorized contractors’ performance.

c. Describe in detail the process for revoking a designation as a sub contractor from an authorized

contractor for issues related to customer service, or other authorized contractor performance

related issues.

d. Describe in detail how your firm will support and assist an authorized contractor in improving their

performance and the corrective action process.

Page 15 of 45

Jul 1, 2013 5:09:04 PM MDT p. 24



e. Describe in detail the process that your firm uses to track and respond to issues and concerns from

both your authorized contractors and from participating entities.

f. Describe in detail how your firm will track, report and verify sales from your designated Data

Communication partners and authorized contractors.

Section 5: Service Offering Qualifications

5.1 General Information This section contains mandatory minimum requirements that must be met in order for your proposal to be considered for the evaluation phase of this RFP. All of the items described in this section are non- negotiable. Respondents are required to complete:

Mandatory Requirements (M) All Respondents must meet the (M) requirements listed in this section, and explain how the requirement is met. A ‘no’ response on the acceptance document or omission of the required explanation will disqualify the service from further evaluation.

5.1.1 General Business Requirements

Each provider must meet the following mandatory general business requirements:

5.1.2 Terms and Conditions

(M) Respondents must indicate their acceptance of the State of Utah Standard Terms and Conditions in addition to the WSCA-NASPO Terms and Conditions attached to this RFP as Attachment A and Attachment B. Any exceptions to these terms and conditions must be clearly identified in bid response and during the question and answer period on BidSync. Significant exceptions may constitute grounds for rejecting Respondent proposals.

5.1.3 Experience

(M) Respondents must be able to provide reference service contracts from a minimum of five government or commercial customers for their Data Communications Product and Services offerings. Government references are preferred. References must include environments and complexity that is similar in scope to those described within this RFP. Any proposals from Respondents that cannot meet these requirements will not be considered. The Respondent must provide specific contact information describing their reference service contracts, which may be verified.

5.1.4 Financial Stability

(M) The Data Communications Product and Services vendor must provide audited financial statements to the State and should meet a minimum Dun and Bradstreet (D&B) credit rating of 4A2 or better, or a recognized equivalent rating. Please provide the Respondent’s D&B Number and the composite credit rating. The State reserves the right to verify this information. If a branch or wholly owned subsidiary is bidding on this RFP, please provide the D&B Number and score for the parent company that will be financially responsible for performance of the agreement. Prime contractors working on behalf of Respondents must submit financial statements that demonstrate financial stability, and adequate working capital, but do not need to meet 4A2 credit rating requirements.

5.1.5 Other General Responsibilities

Page 16 of 45

Jul 1, 2013 5:09:04 PM MDT p. 25



(M) The Respondent must provide the personnel, equipment, tools, and expertise to meet the

requirements in this RFP.

(M) Computer applications and Web sites must be accessible to people with disabilities, and must

comply with Participating entity accessibility policies and the Americans with Disability Act.

(M) Applications and content delivered through Web browsers must be accessible using current

released versions of multiple browser platforms (such as Internet Explorer, Firefox, Chrome, and Safari) at minimum.

5.2 Data Communications Services – Requirements Offerors may respond to any of the sections where they have substantive product offerings that address the scope detailed in each Section from 5.2.1-5.3.0. All Offerors must include a response to section 5.31 services, that addresses products proposed in 5.2.1-5.3.0.

Products may be used by the states in branch offices, main government offices and data centers, and by overall government data communications providers offering carrier class services. Responses should consider this breadth of use and users.

The scope and context of this solicitation does not include endpoints such as cell/smart phones, other mobile devices or devices designed exclusively for use by individual users. It is focused on the equipment and software infrastructure

required to support provisioning of a variety of network services within a modern digital network. The user context will vary from branch offices through enterprise and statewide data communication network installations. Respondents should offer a range of solutions that are appropriate for installations of varying size and complexity.

5.2.1 DATA CENTER APPLICATION SERVICES • Application networking solutions

and technologies that enable the successful and secure delivery of applications within data centers to local, remote, and branch-office users using technology to accelerate, secure, and increase availability of both application traffic and computing resources.

5.2.1.1 Virtualized Load Balancers • Virtual devices that act like a reverse proxy to

distribute network and/or application traffic across multiple servers to improve the concurrent user capacity and overall reliability of applications. Capabilities should include:

SSL (Secure Sockets Layer) Off-loading

Caching capabilities



Detailed Reporting

Supports multiple load balancers in the same system for multiple groups

Supports TLS1.2

5.2.1.2 WAN Optimization • An appliance utilizing a collection of techniques for

increasing data-transfer efficiencies across wide-area networks (WAN). Capabilities should include:

CIFS (Common Internet File System) acceleration

Data Compression

Page 17 of 45

Comment [OS1]: We do not currently have a Load Balancer as a product

Jul 1, 2013 5:09:04 PM MDT p. 26






5.2.2 NETWORKING SOFTWARE • Software that runs on a server and enables the

server to manage data, users, groups, security, applications, and other networking functions. The network operating system is designed to allow shared file and printer access among multiple computers in a network, typically a local area network (LAN), a private network or to other networks. Networking software capabilities should include:

Junos OS is Juniper Networks highly reliable, high-performance network operating system that provides a common language across our routing, switching, and security devices. The power of one Junos OS reduces complexity in high-performance networks to increase availability and deploy services faster—decreasing network operation costs by up to 40%

Complex networks that require extensive rework to scale and change can slow down marketplace response and new business initiatives. Evolving your network to cost-effectively scale with traffic growth, adapt along with changing business needs, and deliver new services—all while maintaining the operational stability of your infrastructure—begins with greater confidence in your underlying network foundation.

While old hardware and outdated or poorly integrated technologies present challenges, it is the software running in IP networks that consumes the most operational time, causes the majority of operational headaches, and creates obstacles to change. If you can trust the software supporting your infrastructure—particularly in its most strategic and distributed components—your team can focus more of its time and efforts keeping up with traffic demand, as well as new application and business requirements.

What sets Juniper Networks Junos OS apart from other network operating systems is the way it is built—one operating system delivered in one software release track and with one modular architecture.






Restartable Process

Yes, the Junos operating system has restartable processes. The modularity of the Junos OS architecture is integral to the high reliability, performance, and scalability delivered by its software design.



High availability options

In support of high-availability router functioning, Junos OS includes the following features:

Graceful restart – Enables a routing protocol, before it restarts, to inform its adjacent neighbors and peers of its condition. Most Junos OS routing protocols support graceful restart.

Comment [OS2]: We have discontinued our WAN Optimization product

Jul 1, 2013 5:09:04 PM MDT p. 27



Graceful Routing Engine switchover – On routers with dual Routing Engines, enables switching of mastership between Routing Engines without interruption to packet forwarding. For routers in which Adaptive Services, Multiservices, or Tunnel Services PICs or DPCs are installed, features that rely on their services are interrupted momentarily during a Routing Engine switchover. Features that do not use the services continue uninterrupted. After switchover, all features are restored and packet forwarding continues.

Targeted operating systems, i.e. DC, campus, core, wan, etc.

The Junos operating system is the industry’s only carrier-class, purpose-built “pure IP” OS and complements our other core competencies in architecture and silicon design.

Operating System Efficiencies



A single, cohesive operating system providing a consistent user experience makes planning easier, day-to-day operations more intuitive, and changes faster. Administrators can configure and manage functionality from the basic chassis to complex routing using the same tools across devices to monitor, manage, and update the entire network. In addition, Juniper Networks Junos Space provides one system to manage security, switching, and routing platforms.

5.2.2.1 Network Management and Automation • Software products and solutions for

data center automation, cloud computing, and IT systems management.

Designed for both service providers and enterprises, Junos Space simplifies and automates management of Juniper Networks switching, routing, and security devices. Providing a centralized management plane for a single point-of-contact into the network, and a common management platform for managing and creating applications that meet specific needs, Junos Space is a critical component of Juniper Networks Software Defined Network (SDN) strategy.

Junos Space consists of the following components:

A network management platform for deep element management;

Plug-n-play, domain-specific management applications that help you quickly provision new services and optimize workflow tasks;

A programmable Software Development Kit (SDK)―the industry’s most complete developer toolkit specifically designed for easy creation of customized network-aware applications.

Each of these components works together to deliver a unified network management and orchestration solution to help you more efficiently manage your network and reduce costs. While Junos Space offers broad fault, configuration, and device provisioning capabilities with a task-specific user interface, its multiple plug-n-play management applications extend the breadth of the platform to optimize workflow tasks for specific domains and use cases (e.g., core, edge, data center, campus and branch, security, mobility, and more). These applications enable you to automate the end-to-end provisioning of new services across thousands of devices with a simple point-n-click GUI interface.

5.2.2.2 Data Center Management and Automation • Software products and solutions

that capture and automate manual tasks across servers, network, applications, and virtualized infrastructure.

Using the Junos Space SDK, you can leverage the connections and intelligence embedded in your network to create and deploy complete, customized solutions that meet your specific business needs, simplifying and automating the network, improving network agility at both the platform and application levels, and delivering new services quickly―all from a single console. In addition to traditional network management and automation, the Junos operating system also offers automation solutions that allow for integration into existing IT practices and workflow systems. This automated solutions come in the form of on-box scripting, as well as off-box automation solution that give customers an endless

Jul 1, 2013 5:09:04 PM MDT p. 28



amount of possibilities for workflow automation. JUNOS automation scripts automate network and router management and troubleshooting. Automation scripts can perform any function available through the remote procedure calls (RPCs) supported by either of the two application programming interfaces (APIs): the JUNOS Extensible Markup Language (XML) API and the JUNOScript API. On Box scripting comes in three categories: Configuration Automation (commit script)

Simplify and enforce business rules to avert human errors and optimize network availability. Event Automation (event script)

Automate reactive and proactive actions in response to network events to achieve self-monitoring and self-diagnostic. Operations Automation (op script)

Customize and streamline manual tasks to increase operational efficiency and maximize staff expertise leverage. Off Box Automation

Off Box automation allow for an endless possibility of applications by the end user, Juniper professional services or third parties. One example of this, relative to Datacenter, is our integration with the Puppet Labs Server configuration tool. Puppet Labs’ integration with Juniper enables IT organizations to coordinate change management between their compute and networking resources. This integration solution includes Puppet Enterprise for Junos OS, which provides a native Puppet agent for Junos OS-based devices, as well as the netdev Puppet Forge module. With the Puppet Enterprise and Juniper integration solution, IT organizations can perform common network device configuration changes directly rather than through traditional methods such as change-request tickets, which are tedious, slow and error-prone. By automating network resource management, Puppet Enterprise reduces risk, increases agility, lowers operational costs, and improves overall service levels for IT infrastructure users.

5.2.2.3 Cloud Portal and Automation • Software products and solutions for cloud

management with policy-based controls for provisioning virtual and physical resources.

Junos Space Standard Edition includes the Junos Space Platform and a set of collaborative, out-of-the-box applications for automating the operations of Juniper Networks security and switching networks. Additionally, these applications provide plug-and-play solutions for security, mobility, the data center, and more when combined with additional Juniper Networks technologies. The Standard Edition enables quick responses and cost-effective management of highly distributed environments that change frequently. The Standard Edition also offers multi-layered security and support for new applications and services. If you are just starting out with Junos Space, Juniper Networks recommends you purchase this package.

Applications included in the Junos Space Standard Edition follow:

Network Director – Drastically simplifies enterprise deployment; provides rapid operationalization of campus and data center networks.

Security Design – Simple-to-use application makes it easier to design, validate, and deploy security policies across multi-domain networks.

Service Now – Simplifies and automates diagnostics to speed problem resolution and create additional operational efficiency.

Service Insight – Enables proactive network maintenance with targeted actionable network intelligence, and minimizes the cost of operations.

For integration with your virtual resources Juniper offers the Junos Space application Virtual Control.

Juniper Networks Junos Space Virtual Control allows users to manage, monitor, and control the virtual networks that run within virtualized servers deployed in the data center. Built on Junos Space—an open, extensible platform for developing and hosting applications designed to reduce cost and complexity while opening networks to new business opportunities—Junos Space Virtual Control contributes to a comprehensive solution that extends across the routing, switching, and security infrastructure.

Jul 1, 2013 5:09:04 PM MDT p. 29



Rather than rebuild the virtual switch that comes as part of the hypervisor software, Virtual Control integrates with the hypervisor vendor’s existing management tools, delivering a combined solution that benefits from both vendors’ innovation and Juniper Networks orchestration solutions.

5.2.2.4 Branch Office Management and Automation • Software products and

solutions for management of branch offices. Capabilities include remote troubleshooting, device management, WAN performance monitoring.

In addition to the aforementioned network management features and applications for Junos Space, Junos Space Network Director is specifically designed for Campus and Branch Office management and automation. Junos Space Network Director provides a single pane of glass view into both the wired and wireless networks, and creates a holistic, full lifecycle management solution for the network. Junos Space Network Director delivers:

Critical elements of advanced management applications by providing operational efficiency, expedited error free service roll-out, enhanced visibility and fast troubleshooting.

Operational efficiency by employing a correlated view of various networks elements. It offers a holistic view of every aspect of network operation to remove the need for disjointed applications throughout the lifecycle of the network.

Faster roll-out and activation of services while protecting against configuration errors with profile-based configuration and configuration pre-validation.

Single pane of glass management that provides a unified view of the network infrastructure including a correlated view of overlay services and user experience on top of network infrastructure. Junos Space Network Director also tracks aggregated utilization, network hotspots, failures, correlated RF data and usage to a user level providing deep visibility and easy troubleshooting of connectivity, equipment and general failures.

Additional Automation tools for network deployments can be built utilizing the Junos Automation toolset.

5.2.3 NETWORK OPTIMIZATION AND ACCELERATION • Devices and tools for

increasing data-transfer efficiencies across wide-area networks.

5.2.3.1 Dynamic Load Balancing • An appliance that performs a series of checks and

calculations to determine which server can best service each client request in order to select the server that can successfully fulfill the client request and do so in the shortest amount of time without overloading either the server or the server farm as a whole.

5.2.3.2 WAN Acceleration • Appliance that optimizes bandwidth to improve the end

user's experience on a wide area network (WAN). Capabilities should include:

CIFS acceleration

Data Compression




5.2.3.3 High Availability and Redundancy • Limits any disruption to network uptime

should an appliance face unforeseen performance issues. Transparently redistributes workloads to surviving cluster appliances without impacting communication throughout the cluster.

Page 18 of 45

Juniper Networks MX Series Universal Edge Routing Solution Page i


5.2.4 OPTICAL NETWORKING • High capacity networks based on

optical technology and components that provide routing, grooming, and restoration at the wavelength level as well as wavelength based services.

5.2.4.1 Core DWDM (Dense Wavelength Division Multiplexing) Switches • Switches used in systems

designed for long haul and ultra long-haul optical networking applications.

5.2.4.2 Edge Optical Switches • Provide entry points into the

enterprise or service provider core networks.

5.2.4.3 Optical Network Management • Provides capabilities to

manage the optical network and allows operators to execute end-to-end circuit creation.

5.2.4.4 IP over DWDM (IPoDWDM) • A device utilized to

integrate IP Routers and Switches in the OTN (Optical

Transport Network).

5.2.5 ROUTERS • A device that forwards data packets along

networks. A router is connected to at least two networks, commonly two LANs or WANs or a LAN and its ISP's network. Routers are located at gateways, the places where two or more networks connect, and are the critical device that keeps data flowing between networks and keep the networks connected to the Internet.

5.2.5.1 Branch Routers • A multiservice router typically used

in branch offices or locations with limited numbers of users and supports flexible configurations/feature. For example: security, VoIP, wan acceleration, etc.

Juniper Networks SRX Series for the branch delivers the proven performance and deployment capabilities needed for an enterprise to build a worldwide network of thousands of sites. A wide variety of options allow configuration of performance, functionality, and price scaled to support a range of users, from a handful to thousands. The SRX Services Gateway for the branch offers the following:

Application level security – AppSecure is a suite of application-aware security services that classify traffic flows, bringing greater visibility, enforcement, control, and protection to network security. AppSecure uses advanced classification techniques to decode and identify applications including Web 2.0 encrypted and nested applications that run within trusted protocols such as HTTP.

Network security segmentation – Security zone, virtual LANs (VLANs), IPsec VPNs and virtual routers allow administrators to tailor security and networking policies for various internal, external, and demilitarized zone (DMZ) subgroups.

Fully integrated Unified Threat Management (UTM) – Allows enterprises to utilize the appropriate level of security needed at a particular site instead of deploying a multi-device solution. Includes two antivirus options (on-premise or cloud-based), intrusion prevention system (IPS), anti-spam, enhanced Web filtering, data loss prevention, and AppSecure.

5.2.5.2 Network Edge Routers • A specialized router residing at the

edge or boundary of a network. This router ensures the

Comment [OS3]: PTX may be a fit here but don’t believe so.

Jul 1, 2013 5:09:04 PM MDT p. ii

1. <Title> (cont.)


connectivity of its network with external networks, a wide area

network or the Internet. An edge router uses an External Border Gateway Protocol, which is used extensively over the Internet to provide connectivity with remote networks.

Juniper Networks MX Series 3D Universal Edge Routers are the only routers designed to provide the 3D scaling necessary to address today’s advanced Ethernet requirements. MX Series routers are purpose-built with full routing and switching capabilities to deliver the lowest cost per port without sacrificing performance, reliability, scalability, or functionality. Powered by Juniper Networks Junos operating system and high-performance silicon, such as the I-Chip and Junos Trio chipset, the MX Series enables service providers and enterprises to adapt to—and profit from—Ethernet services in a changing market. The MX Series provides the 3D scale, maximum performance, availability, and service agility that enterprises and service providers need to gain a competitive advantage in today’s Ethernet environment. These high-performance Ethernet routers function as a Universal Edge platform capable of supporting all types of business, mobile, and residential services. With powerful switching and security features, the MX Series delivers unmatched flexibility and reliability to support advanced services and applications. MX Series routers also separate control and forwarding functions to provide maximum scale and intelligent service delivery capabilities.


Powered by Junos OS, the MX Series provides a consistent operating environment that streamlines network operations and improves the availability, performance, and security of all types of services supported at the Universal Edge. It offers the most complete, advanced routing features in the industry without compromising performance, which maximizes investment protection. These features include traffic segmentation and virtualization with MPLS, ultra-low-latency multicast, as well as comprehensive security and QoS implementations to accelerate delivery of time-sensitive applications and services.


Graceful restart

Nonstop routing

Fast reroute (FRR)



VPLS multihoming

Small to Mid-Range MX Models include:

• MX5 – Juniper Networks MX5 midrange router is a versatile platform for small-scale environments with space and power constraints and is suitable for both enterprise and service provider networks needing full MX Series features and capabilities in a compact form factor. Only 2 RU high, this cost-effective router supports one MIC slot and is software upgradable to MX10, MX40, or MX80.

Jul 1, 2013 5:09:04 PM MDT p. iii

1. <Title> (cont.)


• MX10 – Juniper Networks MX10 midrange router is a cost-effective, versatile platform in a compact form factor. The MX10 is suitable for enterprise and service provider networks with space and power constraints that require the full MX Series features and capabilities in a compact form factor. This router measures 2 RU high, supports two MIC slots, and is software upgradable to the MX40 or MX80.

• MX40 – Juniper Networks MX40 midrange router is suitable for small-scale environments with space and power constraints, as well as enterprise and service provider networks needing the versatility of complete MX Series features and capabilities. This router supports two MIC slots and is software upgradable to MX80. Only 2 RU high, this router is designed to help customers drive down their TCO and increase operational efficiencies in both enterprise and service provider deployments without service compromise.

• MX80 – Juniper Networks MX80 is the most compact member of the MX Series product family. Only 2 RU high and equipped with front-end accessible redundant power supplies and fans, this platform is perfectly suited for environments requiring full Ethernet capabilities, but facing space or power constraints. In the enterprise, the MX80 and MX80-48T can be deployed in campus, small sites, and small data center WAN connectivity; and service providers can utilize the MX80 for mobile backhaul hub site aggregation, metro ring access nodes, cable and Multitenant Unit (MTU) aggregation, distributed PE and high-end CPE.

Juniper Networks Multiservice Interface MICs deliver the most widely used multiservice interfaces including DS3, OC3, OC12, and OC48. The Multiservice Interface MICs deliver these interfaces on all the MX Series routers. This allows the MX Series to address various multiservices scenarios, permitting service delivery with a single versatile platform. The Multiservice Interface MICs extend the latest advancements in traffic management technology, allowing service providers and enterprises to meet their most demanding WAN needs. Interface options include:

20 ports of 10/100/1000 Ethernet with small form-factor pluggable transceiver (SFP) interfaces

2 10gbE modular interface ports with 10-gigabit small form-factor pluggable transceiver (XFP) interfaces

40 ports of 10/100/1000 Ethernet with Tx interfaces

low density 4 port clear channel OC3, or 4 port OC12, or 1 port OC48

High density 8 port clear channel OC3, or 8 port OC12, or 4 port OC48

5.2.5.3 Core Routers - High performance, high speed, low latency

routers that enable Enterprises to deliver a suite of data, voice, and video services to enable next- generation applications such as IPTV and Video on Demand (VoD), and Software as a Service (SaaS).

With advanced services and applications such as IPTV, VoIP, and VPLS driving a more comprehensive set of sophisticated requirements, Juniper Networks has purpose-built our

MX Series portfolio to provide true carrier-grade Ethernet functionality with the scalability and performance needed to satisfy the most demanding network requirements. No other vendor comes close to matching the number of supported 1GE and 10GE ports and MAC

addresses of Juniper Networks MX Series. Because the MX Series supports more than twice as many interfaces per chassis as competing products, customers can increase the energy

efficiency of their networks and reduce power, space, and cooling costs by as much as 60 percent.

In addition to the models referenced in the previous sections additional models are available to provide scale in the core of the network. These models include:

Jul 1, 2013 5:09:04 PM MDT p. iv

1. <Title> (cont.)


MX104 – Juniper Networks MX104 is a modular, full-featured MX Series platform for

space- and power-constrained service provider and enterprise facilities. Optimized for the aggregation of mobile, enterprise WAN, business, and residential access services, the MX104 can also deliver edge services for metro providers. The MX104

comes in a space-efficient 3.5 RU, ETSI compliant chassis and supports 80 Gbps of throughput—setting a new benchmark for port density in its product category.

MX240 – Juniper Networks MX240 delivers increased port density over traditional carrier Ethernet platforms as well as performance, scalability, and reliability in a

space-efficient package. The MX240 offers fully redundant hardware that includes a redundant Switch Control Board (SCB) and Routing Engines (REs) to increase system

availability.

MX480 – Juniper Networks MX480 provides a dense, highly redundant platform primarily targeted for medium to large enterprise campus and data centers, as well as dense dedicated access aggregation and provider edge services in medium and large POPs. The MX480 offers common hardware redundancy including the SCBs, REs, fan trays, and power supplies.

5.2.5.4 Service Aggregation Routers • Provides multiservice

adaptation, aggregation and routing for Ethernet and IP/MPLS networks to enable service providers and enterprise edge networks simultaneously host resource-intensive integrated data, voice and video business and consumer services.

The MX Series Routers is the top choice for carries looking for Service Aggregation Solutions. The MX Series routers separate control and forwarding functions to provide maximum scale and intelligent service delivery capabilities. They are optimized for Ethernet services and address a wide range of deployments, architectures, port densities, and interfaces, for both service provider and enterprise environments. Some of the key capabilities that allow MX to be a market leader as service aggregator are:

Rich Virtualization Virtual Switches (L3-L2 stitching) Bridge Domains – VLAN Scaling. Virtual Routers Routing-instances

High Multi-dimensional Scale (these are typical customer scale requirements, not necessarily the MX maximum scale )

4000+ Routing-Instances of type VRF 4000 VRRP instances Up to 8000 eBGP sessions 4000 IPSec Tunnels each running an eBGP session 4000 GRE interfaces 8000 IRB interfaces 8000 Bridge Domains MPLS templates for 4000 IFL’s (both IPv4 and MPLS traffic)

100Gbe Capability for Data Center Interconnect Ability to provide multi-tenancy to customers offering MPLS, GRE& IPSec connectivity options

simultaneously.

Ability to terminate secure tunnels into VRF and tying VRF to Layer 2 domains

Jul 1, 2013 5:09:04 PM MDT p. v

1. <Title> (cont.)


Ethernet-based services present a significant new revenue opportunity for service providers across all market segments. These business, mobile, and residential services include VPNs, point-to-point connectivity, high-speed Internet access, and video-based offerings. With continuous technology advances and ongoing standards development, Ethernet is increasingly the technology of choice at the service provider edge—and the MX Series 3D Universal Edge Routers are capable of supporting all these services.

As an example of Juniper Networks commitment to delivering a Universal Edge solution to meet the needs of next-generation networks and services, the MX Series offers unmatched scalability, performance, reliability, and QoS for all types of business, mobile, and residential services. MX Series routers are the only high-density Layer 2 and Layer 3 Ethernet platforms designed with 3D Scaling for deployment in a number of service provider Ethernet edge scenarios.

Examples of the wide range of applications enabled by the MX Series in the Universal Edge include the following:

VPLS for multipoint connectivity – Supports high scale BGP and LDP support Virtual leased line for point-to-point services – Provides native support for point-to-point services RFC 2547.bis IP/MPLS VPN (L3VPN) – Provides full support for MPLS VPNs throughout the Ethernet

network Video distribution for IPTV services – Provides advanced capabilities such as multicast MPLS VPNs Ethernet aggregation at the multiservice edge – Supports up to 480 1GE ports or 192 10GE ports in a

single platform for maximum Ethernet density WAN interfaces for the multiservice edge – Provides support for most widely used multiservice

interfaces, including OC3, OC12, and OC48, facilitating service delivery with a single versatile platform Residential multiplay services – With subscriber management capabilities as well as high-density

Ethernet aggregation, fulfills multiple roles in the delivery of residential services Cloud computing – Provides the perfect platform for connectivity to and between clouds Data center consolidation – With advanced multicasting and unicast capabilities, provides data center

connectivity and server live-mirroring and migration VPLS and MPLS – Enable multiple services, improving network utilization Mobile backhaul and aggregation – Provides cost-effective transport and backhaul of mobile data traffic Application monitoring – With integrated performance monitoring systems such as StreamScope eRM

and Telchemy Embedded Performance Monitor (TePM), provides advanced application layer diagnostics to help service providers deliver a superior user experience for voice, video, and other multimedia services

In addition to the previously mentioned models, the following are options to provide even greater scale:

MX960 – Juniper Networks MX960 (shown in Figure xxx) is a high-density Layer 2 and Layer 3 Ethernet platform designed for deployment in a number of enterprise and service provider Ethernet scenarios. For service providers, the wide range of Ethernet services provided by the MX960 include VPLS services for multi-point connectivity, Virtual Leased Line for point-to-point services, full support for MPLS VPNs throughout the Ethernet network, Ethernet aggregation at the campus/enterprise edge, and Ethernet aggregation at the multiservice edge. In the enterprise, the MX960 can be used

Jul 1, 2013 5:09:04 PM MDT p. vi

1. <Title> (cont.)


for campus and data center core and aggregation, and as a WAN gateway.


MX2010 – Expanding the breadth of Juniper Networks Universal Edge portfolio, the MX2010 (shown in Figure xxx) provides service providers a common system and service delivery platform with variants that cover every market and geography, and offers the highest capacity and density for aggregation of massive numbers of businesses and consumers, in a highly reliable, resilient architecture. The MX2010 is built upon a highly scalable, redundant switch fabric, and a powerful, fully redundant control plane, providing a flexible, scalable, pay-as-you-grow power system supporting DC or AC power sources designed to be highly efficient now and for many years to come. The MX2010 delivers all of the benefits of the MX2020 and shares a common set of components and cards in a smaller, 10-slot form factor. Eight SFBs are installed to deliver 8.6 Tbps of switching capacity at inception. The MX2010 supports the same line cards as the MX2020 and offers the same powerful feature set as the MX Series family of products.

MX2020 – Expanding the breadth of Juniper Networks Universal Edge portfolio—from the 20 Gbps MX5 router to the 80 Tbps MX2020—the MX2020 (shown in Figure xxx) gives service providers a common system and service delivery platform with variants that cover every market and geography, and offers the highest capacity and density for aggregation of massive numbers of businesses and consumers, in a highly reliable, resilient architecture. The MX2020 is built upon a highly scalable, redundant switch fabric, and a powerful, fully redundant control plane, providing a flexible, scalable, pay-as-you-grow power system supporting DC or AC power sources designed to be highly efficient now and for many years to come. The MX2020 is a full rack, 20-slot Universal Edge routing platform that has been designed to scale to 80 Tbps (half-duplex) over the long haul. Eight Switch Fabric Boards (SFBs) are installed to deliver 17.2 Tbps of switching capacity at inception. Designed to fit into a standard 19-inch, 45 RU, 4-post equipment rack, the MX2020 is a fully redundant design for all common components, including fan trays, power supplies, and power cabling. Both -48 V DC or AC power modules are offered. AC power is available in Delta or Wye 3-phase configurations.

5.2.5.5 Carrier Ethernet Routers • High performance routers that

enable service providers to deliver a suite of data, voice, and video services to enable next- generation applications such as IPTV, Video on Demand (VoD), and Software as a Service (SaaS).

Juniper Networks MX Series 3D Universal Edge Routers are the only routers designed to provide the 3D Scaling necessary to address today’s advanced Ethernet requirements. Powered by Juniper Networks Junos operating system

Jul 1, 2013 5:09:04 PM MDT p. vii

1. <Title> (cont.)


and high-performance silicon—such as the I-Chip and Junos Trio chipset—the MX Series enables service providers and enterprises to adapt to, and profit from, Ethernet services in a changing market.





Jul 1, 2013 5:09:04 PM MDT p. 8



5.2.6 SECURITY

5.2.6.1 Data Center and Virtualization Security Products and Appliances •

Products designed to protect high-value data and data center resources with threat defense and policy control.

SRX Series: Overview and Models




Built on Junos software¬—which combines the routing heritage of Juniper Networks with the security heritage of ScreenOS—the SRX Series offers the high feature/service integration necessary to secure modern network infrastructures and applications. The SRX Series is equipped with a robust list of features that includes firewall, intrusion detection and prevention (IDP), DoS, NAT, and QoS.


Juniper Networks Datacenter SRX Portfolio supports the following IPS functionality:

• Modes of operation – In-line and in-line tap

• Active/active traffic monitoring


• Attack detection mechanisms – Stateful signatures, protocol anomaly detection (zero-day coverage), and application identification

• Attack response mechanisms – Drop connection, close connection, session packet log, session summary, and email

• Attack notification mechanisms – Structured syslog

• Worm protection

• Simplified installation through recommended policies

• Trojan protection

• Spyware, adware, and keylogger protection

• Other malware protection

• Application DoS protection

• Protection against attack proliferation from infected systems

• Reconnaissance protection

• Request and response side attack protection

• Compound attacks – Combines stateful signatures and protocol anomalies

Jul 1, 2013 5:09:04 PM MDT p. 9



• Create custom attack signatures

• Access contexts for customization – 500+

• Attack editing (port range or other)

• Stream signatures

• Protocol thresholds


• Approximate number of attacks covered – 8,000+

• Detailed threat descriptions and remediation/patch info

• Create and enforce appropriate application-usage policies

• Attacker and target audit trail and reporting

• Frequency of updates – Daily and emergency

Models







Juniper Networks vGW Virtual Gateway is a comprehensive virtualization security solution that includes a high-performance hypervisor-based stateful firewall, integrate intrusion detection system (IDS), virtualization-specific antivirus protection, and unrivaled scalability for managing multi-tenant cloud security (architecture shown in Figure xxx). The vGW brings forward powerful new features that offer layers of defense and automated security and compliance enforcement within virtual networks and clouds. By leveraging virtual machine introspection (VM Introspection) data and intelligence, and coupling it with Juniper Networks wide-ranging knowledge of the virtual network environment, vGW creates an extensive database of parameters by which security policies and compliance rules can be defined and enforced.


Security and compliance concerns are top of mind in virtualization and cloud deployments. Juniper Networks experience and innovative research in virtualization security has resulted in a powerful software suite capable of monitoring and protecting virtualized environments without negatively impacting performance. A hypervisor-based, VMsafe-certified virtualization security approach, in combination with “X-ray” level knowledge of each virtual machine through VM Introspection, gives the

Jul 1, 2013 5:09:04 PM MDT p. 10



vGW a unique vantage point in the virtualized fabric. Here, virtualization security can be applied efficiently and with context about the virtual environment and its state at any given moment.


• Visibility – Provides full view to all applications flowing between VMs, as well as complete VM and VM group inventory, including virtual network settings. Deep knowledge of VM state, including installed applications, operating systems, and patch level, is also available through VM Introspection.

• Protection – A VMsafe-certified stateful firewall provides access control over all traffic via policies that define which ports, protocols, destination VMs, etc. should be blocked. An integrated intrusion detection engine inspects packets for the presence of malware or malicious traffic and sends alerts as needed. Finally, virtualization-specific antivirus protections deliver highly-efficient on-demand and on-access scanning of VM disks and files with the ability to quarantine infected entities.

• Compliance – Allows for enforcement of corporate and regulatory policies for the presence of required or banned applications via VM Introspection. Some practical applications of compliance enforcement, such as assurance of segregation of duties, ensure that VMs are assigned to the right trust zones inside the virtual environment. In addition, pre-built compliance assessment is based on common industry best practices and leading regulatory standards. vGW can also enforce compliance to a VM “gold” image with quarantine and alerting for non-compliance, thereby ensuring that deviations from the desired VM configuration for not create a security risk.

Juniper Networks Junos DDoS Secure is a unique and advanced heuristic DDoS mitigation technology that dynamically responds to the loading of the protected resources, automatically providing the full spectrum of DDoS defense. Junos DDoS Secure mitigation technology has been ensuring availability of critical business resources for some of the world’s busiest e-commerce and public sector websites for over a decade.

During this time, DDoS has evolved from being a blunt weapon, using high-volume attacks to bring down web servers, to becoming a highly sophisticated tool designed to zero-in on strategic business resources. DDoS volumetric flood attacks are still a problem for online businesses, but with the right defense in place, these attacks can be nullified.

However, today’s new breed of “low and slow” application layer attacks are not as easy to detect, and therefore, are much more difficult to mitigate. Through an ongoing commitment to R&D—with 100% focus on DDoS mitigation—Juniper Networks world-class technology has kept pace with the changing threat landscape. By offering an equally sophisticated, fine-grained DDoS mitigation tool, Junos DDoS Secure software protects network resources, regardless of which attack vectors are being deployed.

Juniper Networks Junos WebApp Secure is the first Web Intrusion Deception system that detects, tracks, profiles, and prevents hackers in real time.

Traditional web application firewalls are seriously flawed as a result of their reliance on a library of signatures to detect attacks, making them susceptible to unknown (zero-day) web attacks. Junos WebApp Secure software technology uses Intrusion Deception to address this problem. Unlike signature-based approaches, Junos WebApp Secure inserts random, variable detection points, or tar traps, into the code of outbound Web application traffic to proactively identify attackers before they can do damage—without false positives.

Junos WebApp Secure puts in place the following three key elements to ensure protection from attacks:

No False Positives

Junos WebApp Secure inserts detection points into the code and creates a random and variable minefield all over the Web application. These detection points allow for detection of attackers during the reconnaissance phase of the attack, before they have successfully established an attack vector. Attackers are detected when they manipulate the tar traps inserted into the code. And because attackers are manipulating code that has nothing to do with your website or Web application, you can be absolutely certain that it is a malicious action—with no chance of a false positive.

Block Attackers, Not IPs

Junos WebApp Secure captures the IP address as one data point for tracking the attacker, but it also realizes that making decisions on attackers identified only by an IP address is fundamentally flawed because many legitimate users could be accessing your site from the same IP address. For this reason, Junos WebApp Secure tracks the attackers in significantly more granular ways.

For attackers who are using a browser to hack your website, Junos WebApp Secure tracks them by injecting a persistent token into their client. The token persists even if the attacker clears cache and cookies, and it has the capacity to persist in all browsers including those with various privacy control features. As a result of this persistent token, Junos WebApp Secure can prevent a single attacker from attacking your site, while allowing all legitimate users normal access. For attackers who are using software

Jul 1, 2013 5:09:04 PM MDT p. 11



and scripts to hack your website, Junos WebApp Secure tracks them using a fingerprinting technique to identify the machine delivering the script.

Prevent and Deceive

Detection with no false positives and client-level tracking are both vital for launching a countermeasure to prevent an attacker. Only with certainty-based detection can you safely prevent an attacker and ensure that you are not blocking legitimate users. The Smart Profiling technology profiles the attacker to determine the best response to prevent the attack. Responses can be as simple as a warning or as deceptive as simulating that the site is broken from the attacker’s perspective only. Every detected attacker gets a profile and every profile gets a name. The Smart Profile ultimately creates a threat level for each attacker in order to prevent attackers in real time, at the client level, with no false positives.

Smart Profiling provides IT security professionals with more valuable knowledge about attackers and the threat they pose than has ever before been available. With automated countermeasures, Junos WebApp Secure works around the clock detecting and preventing attackers. It doesn’t create log files for review; it simply reports how many attackers it has detected and what countermeasure response was applied. This security device works as part of your security team—even when you sleep.

The Junos WebApp Secure process follows:

Detect

Detect using deception – Junos WebApp Secure inserts detection points into web application code including URLs, forms, and server files to create a variable minefield. These traps detect hackers when they manipulate the detection points during the reconnaissance phase of the attack—before they can establish an attack vector. And because hackers are manipulating code that has nothing to do with the website or web application, the malicious action is certain.

Track

Track attackers beyond the IP address – Junos WebApp Secure captures an attacker’s IP address as one data point for tracking. But many legitimate users could also be accessing the site from the same IP address—for this reason, Junos WebApp Secure goes beyond the IP address and tracks attackers more granularly. Attackers using a browser are tracked by injecting a persistent token into their client. Attackers using scripts and tools are tracked using a fingerprinting technique to identify the machine delivering the script.

Profile

Understand attackers and record their attack – The tracking techniques allow us to profile the attacker and record the attack. Every attacker is assigned a name, and each incident is recorded along with a threat level based on their intent and skill.

Respond

Respond to attackers – Once an attack has been detected, an appropriate response—from a warning, to requiring a CAPTCHA, to blocking a user or forcing them to logout, can be deployed manually or automatically in real-time.

5.2.6.2 Intrusion Detection/Protection and Firewall Appliances • Provide

comprehensive inline network firewall security from worms, Trojans, spyware, key loggers, and other malware. This includes Next-Generation Firewalls (NGFW), which offer a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks. Intrusion Detection/Protection and Firewall Appliances should provide:

Non-disruptive in-line bump-in-the-wire configuration

In addition to supporting In-line and in-line tap on the Juniper SRX Datacenter firewalls, the SRX supports a wide range of Highly Available deployments. The primary goal is to ensure that the SRX can survive losing either the data or control plane in the event of a failure. Juniper Networks SRX brings a new idea to high availability design by enabling it to failover the control plane and/or the data plane between chassis.

This new hybrid design allows two individual boxes to act as one large chassis. In doing so, it allows two different systems to be spread across two units. In this scenario, it is not like a traditional active/backup cluster where one device does all of the work and the other device sits idle.

The control plane portion of the cluster is the Routing Engine. The Routing Engine can failover between the two chassis, with the first node passing traffic while the second node maintains the active Routing Engine. In the event of a failure, the system that is running on the failed chassis fails over to the second chassis. This is done in a stateful manor for all of the traffic passing through the

Jul 1, 2013 5:09:04 PM MDT p. 12



device. The only traffic that is lost is what is in the box or the wires that fail. In the data center, this provides the ease of deployment of active/backup with the flexibility that the second chassis can provide some backup services.

Juniper Networks SRX5800 supports the following functionality for high availability:

• Active/passive, active/active

• Configuration synchronization

• Session synchronization for firewall and IPsec VPN

• Session failover for routing change

• Device failure detection

• Link and upstream failure detection

• Dual control links

• Interface link aggregation/LACP

• Redundant data and control links*

• In-Service Software Upgrade (ISSU)**

Standard first-generation firewall capabilities, e.g., network-address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN), etc.

Juniper Networks Datacenter SRX Portfolio supports the following firewall functionality:

Stateful Inspection

Network attack detection

DoS and DDoS protection

TCP reassembly for fragmented packet protection

Brute force attack mitigation

SYN cookie protection

Zone-based IP spoofing

Malformed packet protection

Traffic Inspection Methods include

Application identification - Identifies applications and tunneled applications independent of protocol and port numbers. This provides granular control over application traffic through smart FW policies.

Protocol anomaly detection – Verifies protocol usage against published RFCs to detect violations or abuse. This proactively protects network from undiscovered vulnerabilities.

Traffic anomaly detection - Utilizes heuristic rules to detect unexpected traffic patterns that may suggest reconnaissance or attacks. This proactively prevents reconnaissance activities or blocks DDoS attacks.

IP spoofing detection - Checks the validity of allowed addresses inside and outside the network. This permits only authentic traffic while blocking disguised sources.

DoS Detection - Supports SYN cookie-based protection from SYN flood attacks. This protects key network assets from being overwhelmed with SYN floods.

The SRX Datacenter Portfolio has a wide range of NAT support. NAT support methods are as follows:

Destination NAT

Juniper Networks SRX5800 supports the following functionality for destination NAT:

Destination NAT with PAT

Jul 1, 2013 5:09:04 PM MDT p. 13



Destination NAT within same subnet as ingress interface IP

Destination addresses and port numbers to one single address and a specific port number (M:1P)

Destination addresses to one single address (M:1)

Destination addresses to another range of addresses (M:M)

Source NAT

Juniper Networks SRX5800 supports the following functionality for source NAT:

Static Source NAT – IP-shifting DIP

Source NAT with PAT – Port-translated

Source NAT without PAT – Fix-port

Source NAT – IP address persistency

Source pool grouping

Source pool utilization alarm

Source IP outside of the interface subnet

Interface source NAT – Interface DIP

Oversubscribed NAT pool with fallback to PAT when the address pool is exhausted

Symmetric NAT

Allocate multiple ranges in NAT pool

Proxy ARP for physical port

Source NAT with loopback grouping – DIP with loopback grouping

IPsec VPN Functionality

Juniper Networks SRX5800 supports the following IPsec VPN functionality:

Site-to-site tunnels up to 15,000

Tunnel interfaces up to 15,000

DES (56-bit), 3DES (168-bit), and AES encryption

MD5 and SHA-1 authentication

Manual key, IKE, PKI (X.509)

Perfect forward secrecy (DH groups) – 1, 2, 5

Replay attack prevention

Remote access VPN

Redundant VPN gateways

Application awareness, full stack visibility and granular control

6 Juniper Networks AppSecure is a suite of next-generation security capabilities that utilizes advanced application identification and classification to deliver greater visibility, enforcement, control, and protection over the network. Table xxx lists the features and benefits of the services provided by AppSecure.

Features are as follows:

AppTrack - Detailed analysis on application volume/usage throughout the network based on bytes, packets, and sessions. This provides the ability to track application usage to help identify high-risk applications and analyze traffic patterns for improved network management and control.

Jul 1, 2013 5:09:04 PM MDT p. 14



AppFW - Fine grained application control policies to allow or deny traffic based on dynamic application name or group names. This enhances security policy creation and enforcement based on applications and user roles rather than traditional port and protocol analysis.

AppQoS - Set prioritization of traffic based on application information and contexts. This provides the ability to prioritize traffic as well as limit and shape bandwidth based on application information and contexts for improved application and overall network performance.

AppDoS - Multi-stage detection methods used to identify and mitigate targeted attacks from disrupting critical applications and services. This identifies attacking botnet traffic against legitimate client traffic to prevent DDoS attacks targeting applications.

Application Signatures - More than 900 signatures for identifying applications and nested applications. This ensures that applications are accurately identified and the resulting information can be used for visibility, enforcement, control, and protection.

SSL Inspection - Inspection of HTTP traffic encrypted in SSL on any TCP/UDP port. This combined with application identification, provides visibility and protection against threats embedded in SSL encrypted traffic.

Capability to incorporate information from outside the firewall, e.g., directory- based policy, blacklists, white lists, etc.

Yes, the Juniper SRX Datacenter Firewall product portfolio has the ability to incorporate information from outside sources in several ways. This integration can be from Juniper products like policy changes integrated with the vGW product or UAC. Third-party solutions such as ThreatStop are also available. Also future products like the Juniper Spotlight Secure solution have the ability to integrate as well.

vGW Integration:

The SRX Series with vGW Virtual gateway integration delivers the security necessary for today’s data center with its mix of physical and virtualized workloads. Integrated with the SRX Series, the vGW Virtual gateway queries the SRX Series gateway for its zone, interface, network, and routing configuration. vGW then uses that information with the vGW management system (Security design for vGW) to create VM Smart groups so that users of vGW can see VM-to-zone attachments, create additional inter-VM zone policies, and incorporate zone knowledge into compliance checks (for example, is a client x VM connected to a client y zone).

In combination, the SRX Series and vGW deliver best-in-class security to the data center, enabling security administrators to guarantee that consistent security is enforced from the perimeter to the server VM. The SRX Series delivers zone-based segregation at the data center perimeter. vGW integrates the knowledge collected in SRX Series zones to ensure that zone integrity is enforced on the hypervisor using automated security concepts like Smart groups and virtual machine introspection. Together, these solutions deliver stateful firewall and optional malware detection for inter-zone and inter-VM traffic; compliance monitoring and enforcement of SRX Series zones within the virtualized environment; and automated quarantine of VMs that violate access, regulatory, or zone policies.

In terms of the benefits of zone synchronization between the SRX Series and vGW, implementers have:

Guaranteed integrity of zones on the hypervisor (virtualization operating system)

Automation and verification that VM connectivity does not violate zone policy

Enhancement of the SRX Series network with knowledge of VMs and their zone location Datacenter SRX and UAC Integration:

Juniper Networks firewall products act as Layer 3 through Layer 7 overlay enforcement points for UAC. Furthermore, with Juniper Networks standalone IDP Series appliances serving as role-based application-level policy enforcement points, UAC is able to deliver access control to the application within your network.

Threat Stop Integration:

ThreatSTOP is a cloud service that delivers IP addresses for known criminal sites to Juniper Networks® SRX Series Services

Jul 1, 2013 5:09:04 PM MDT p. 15



Gateways so that they can block all traffic to and from those sites. This blocklist is updated continually, and it is distributed to the SRX Series via a Domain Name System (DNS) lookup. The service can be enabled on an SRX Series device within an hour via a two-command install. No software, network reconfiguration, or user training is needed.

Botnets, spear-phishing, and related criminal malware are among the greatest network security risks today. Designed to steal valuable data and control your machines, these threats can cause great financial, competitive, productivity, and reputational damage. Industry surveys show botnet infection rates are near 100% for organizations of all sizes and types. No one is immune from this exponentially growing and pervasive problem.

Most of today’s security products rely on signature detection to spot threats. Used exclusively, this approach leads to low catch rates, slow detection, and high false positives. Equally important, these solutions do not stop malware from “calling home” to command and control hosts to pilfer your valuable financial, corporate, and customer data. Juniper Spotlight Secure:

Juniper Networks Junos Spotlight Secure is a cloud-based threat intelligence solution that identifies individual attackers at the device level (versus the IP address), tracks them in a global database, and shares them globally with security devices. The hacker device ID intelligence solution creates a persistent fingerprint of attacker devices based on more than 200 unique attributes to deliver precision identification and blocking of attackers—without false positives that could impact valid users. While current available reputation feeds rely only on IP addresses, Junos Spotlight Secure offers customers more reliable security against attackers and eliminates false positives.

Leveraged by Junos WebApp Secure and Juniper Networks SRX Series Services Gateways, Junos Spotlight Secure acts as the consolidation point for attacker and threat information, feeding intelligence in real time to Juniper Networks security solutions. In addition, it puts non IP- based attacker profiling at the center of a framework that will gather and distribute attacker fingerprints to a worldwide network of inline security solutions. With a broad security and networking product installed base and a new system for distributing definitive hacker IDs, Juniper Networks has changed the speed and accuracy with which customers prevent security breaches. The Junos Spotlight Secure global attacker intelligence service sets a new efficacy bar for all security and networking vendors.

Upgrade path to include future information feeds and security threats

Yes, the Juniper SRX product portfolio is future proofed and can receive outside feeds in several fashions as demonstrated in the previous section. Also more flexible solutions are available and can be customer build through the use of the Junos XML API and NETCONF.

SSL decryption to enable identifying undesirable encrypted applications (Optional)

Yes the Juniper SRX datacenter product portfolio through the use of its AppSecure feature set can inspect HTTP traffic encrypted in SSL on any TCP/UDP port. This combined with application identification, provides visibility and protection against threats embedded in SSL encrypted traffic.

6.2.3.2 Logging Appliances and Analysis Tools • Solutions utilized to collect,

classify, analyze, and securely store log messages.

Juniper Networks STRM Series Security Threat Response Managers provide situational awareness and compliance support to organizations that need to tighten security and improve policy monitoring with a modest investment in time and resources. STRM provides an all-in-one security solution that combines, analyzes, and manages an incomparable set of surveillance data―network behavior, security events, vulnerability profiles, and threat information―all from a single, secure console.






Jul 1, 2013 5:09:04 PM MDT p. 16



STRM uses two drivers for security analysis of external and internal threats:

Security Information Management (SIM) – Provides reporting and analysis of data from host systems, applications, and security devices to support security policy compliance management, internal threat management, and regulatory compliance initiatives.

Security Event Management (SEM) – Improves security incident response capabilities by processing data from security devices and network devices; helps network administrators to provide effective responses to external and internal threats.



STRM500

Juniper Networks STRM500 is ideal for deployments in small, medium, and large enterprises or departments that do not foresee the need to upgrade to higher events-per-second or flows-per-minute capacities. STRM500 can also be deployed as a dedicated QFlow collector for collection of network flows to provide Layer 7 analysis.

STRM2500

Juniper Networks STRM2500 is an enterprise-class appliance that provides a scalable network security management solution for medium-sized companies up to large, globally-deployed organizations. STRM2500 is the ideal solution for growing companies that will need additional flow and event monitoring capacity in the future. It is also the base platform for large companies that may be geographically dispersed and looking for an enterprise-class scalable solution. STRM2500 includes on-board event collection, correlation, and extensive reporting capabilities, and is expandable with additional STRM2500 appliances acting as event and flow collectors or a combination of both on a single appliance.

STRM5000

Juniper Networks STRM5000 is an enterprise and carrier-class appliance which provides a scalable network security management solution for medium-sized companies up to large, globally-deployed organizations. STRM5000 is the ideal solution for growing companies that anticipate the need for additional flow and event monitoring capacity in the future. It is also the base platform for large companies that are geographically dispersed and looking for a distributed enterprise/carrier-class scalable solution. STRM5000 utilizes on-board event/flow collection and correlation capabilities, and is expandable with additional STRM5000 appliances acting as event and flow collectors.

6.2.3.3 Secure Edge and Branch Integrated Security Products • Network security,

VPN, and intrusion prevention for branches and the network edge. Products typically consist of appliances or routers.

SRX Series for the Branch: Overview and Models




Perimeter security

Content security

Jul 1, 2013 5:09:04 PM MDT p. 17







Best-in-class firewall and VPN technologies secure the perimeter with minimal configuration and consistent performance. By using zones and policies, even new network administrators can configure and deploy an SRX Series gateway quickly and securely. The SRX Series also includes wizards for firewall, IPsec VPN, NAT, and initial set up to simplify configurations out of the box. Policy-based VPNs support more complex security architectures that require dynamic addressing and split tunneling. For content security, the branch SRX Series offers a complete suite of Unified Threat Management (UTM) services via content filtering, including:




Anti-spam



Select models (SRX550, SRX650, and high-memory versions of SRX210, SRX220, and SRX240) feature Content Security Accelerator for high-performance IPS and antivirus performance. The branch SRX Series integrates with other Juniper Networks security products to deliver enterprise-wide unified access control (UAC) and adaptive threat management. These capabilities give security professionals powerful tools in the fight against cybercrime and data loss.

The SRX Series for the branch brings high-performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of sites. The wide variety of options allows configuration of performance, functionality, and price scaled to support from a handful to thousands of users. Ethernet, serial, T1/E1, DS3/E3, xDSL, Wi-Fi, and 3G/4G LTE wireless are all available options for WAN or Internet connectivity to securely link your sites. Multiple form factors allow you to make cost-effective choices for mission-critical deployments. Managing the network is easy using the proven Junos CLI and scripting capabilities, a simple-to-use Web-based GUI, Juniper Networks Network and Security Manager (NSM) for large-scale deployments, or Juniper Networks Junos Space Security Design for centralized management.

Models

Shown in Figure xxx, Juniper Networks SRX Series for the branch includes the following models:





SRX240 – Juniper Networks SRX240 can support up to 1.8 Gbps firewall, 300 Mbps IPSec VPN, and 230 Mbps IPS. The SRX240 also supports UTM, and is ideally suited for securing branch distributed enterprise locations.

SRX550 – Juniper Networks SRX550 can support up to 5.5 Gbps firewall, 1.0 Gbps IPSec VPN, and 800 Mbps IPS. Additional security features include UTM, which consists of IPS, antispam, antivirus, and Web filtering. The SRX550 is ideally suited for securing small distributed enterprise locations.

SRX650 – Juniper Networks SRX650 can support up to 7.0 Gbps firewall, 1.5 Gbps IPSec VPN, and 1.0 Gbps IPS. The SRX650 also supports UTM, and is ideally suited for securing regional distributed enterprise locations.

Jul 1, 2013 5:09:04 PM MDT p. 18



6.2.3.4 Secure Mobility Products • Delivers secure, scalable access to corporate

applications across multiple mobile devices.

Junos Pulse: Overview

Juniper Networks Junos Pulse is an endpoint software platform that enables dynamic SSL VPN connectivity, network access control (NAC), mobile security, online meetings and collaboration, and application acceleration through a simple, yet elegant user interface. By removing the complexity from network connectivity and access control collaboration, as well as application acceleration, Junos Pulse provides dynamic connectivity and security, and delivers optimal connectivity to end users depending on their device type, security state, location, identity, and adherence to corporate access control policies. It is identity- and location-aware, and seamlessly migrates from one access method to another based on device location.











Junos Pulse Mobile Security Suite protects smartphones from viruses, malware, loss or theft, physical compromise, and other threats, and supports major mobile operating systems. It also provides robust remote device management tools. Junos Pulse Mobile Security Suite can remotely backup and restore data stored on smartphones, and it can monitor and control device use. It is simple to deploy, and enables enterprises to give personal smartphones secure access to corporate network and information resources.




Junos Pulse Application Acceleration Service enables dynamically provisioned, pervasive, location-agnostic application acceleration. When used in conjunction with the Junos Pulse Secure Access Service, Junos Pulse Application Acceleration Service delivers accelerated application access for mobile and remote users. The Junos Pulse Application Acceleration Service also provides an easy, affordable solution for small offices where a dedicated application acceleration appliance may not be economically feasible.


Junos Pulse Access Control Service enables safe, protected cloud, network, and application access for a diverse user audience over a variety of devices, including mobile devices. Junos Pulse Access

Jul 1, 2013 5:09:04 PM MDT p. 19



Control Service, working in concert with MAG Series Junos Pulse Gateways or IC Series Unified Access Control Appliances, delivers granular, secure access control for LANs, private or public clouds, as well as their applications and data based on user identity and role, device type and

integrity, and location.

6.2.3.5 Encryption Appliances • A network security device that applies crypto

services at the network transfer layer - above the data link level, but below the application level.

6.2.3.6 On-premise and Cloud-based services for Web and/or Email Security •

Solutions that provide threat protection, data loss prevention, message level encryption, acceptable use and application control capabilities to secure web and email communications.

6.2.3.7 Secure Access • Products that provide secure access to the network for any

device, including personally owned mobile devices (laptops, tablets, and smart phones). Capabilities should include:

Junos Pulse is a simplified, integrated, multiservice network client enabling anytime, anywhere connectivity, security, and acceleration that requires minimal user interaction. Junos Pulse makes secure network and cloud access easy through virtually any device—mobile or non-mobile, Wi-Fi or 3G-enabled, managed or unmanaged—over a broad array of computing and mobile operating systems.

Management visibility for device access

UAC correlates user identity and role information to network and application security and usage. With UAC, you will know who is accessing your network and applications, when your network and applications are being accessed, what is being accessed, and where the user and device has been on your network. UAC provides valuable, effective tracking and auditing of network and application access, which helps address regulatory compliance requirements and audits.

7 Detailed user access logs provide an audit of the authentication process. For more detailed troubleshooting of an individual user the

Junos Pulse Access Control Service allows you to troubleshoot problems by tracking events when a user signs into a realm. The Policy Tracing page allows you to record a policy trace file for an individual user. The Junos Pulse Access Control Service displays log entries that list the user’s actions and indicates why that user is allowed or denied access to various functions.

8 Additional tools like TCP dump and RADIUS troubleshooting are available to examine intricate detail of communications.

Self-service on-boarding

Centralized policy enforcement

Differentiated access and services

9 Junos Pulse Secure Access Service for the MAG Series gateways provides dynamic access privilege management capabilities without infrastructure changes, custom development, or software deployment/maintenance. This facilitates the easy deployment and maintenance of secure remote access, as well as secure extranets and intranets. When users log into MAG Series, they pass through a pre-authentication assessment, and are then dynamically mapped to the session role that combines established network, device, identity, and session policy settings. Granular resource authorization policies further ensure exact compliance to security restrictions.

Device Management

5.2.7 STORAGE NETWORKING • High-speed network of shared storage devices

connecting different types of storage devices with data servers.

5.2.7.1 Director Class SAN (Storage Area Network) Switches and Modules • A

scalable, high-performance, and protocol-independent designed primarily to fulfill the role of core switch in a core-edge Fibre Channel (FC), FCOE or similar SAN topology. A Fibre Channel director is, by current convention, a switch with at least 128 ports. It does not differ from a switch in core FC protocol functionality. Fibre Channel directors provide the most reliable, scalable, high-performance foundation for private cloud storage and highly virtualized environments.

5.2.7.2 Fabric and Blade Server Switches • A Fibre Channel switch is a network

switch compatible with the Fibre Channel (FC) protocol. It allows the creation of a Fibre Channel fabric, which is currently the core component of most SANs. The fabric is a network of Fibre Channel devices, which allows many-to-many communication, device name lookup, security, and redundancy. FC switches implement zoning; a mechanism that disables unwanted traffic between certain

Comment [OS4]: Unless we pitch hardware based ASIC encryption via the SRX, I don’t believe we play here.

Comment [OS5]: No product for this.

Jul 1, 2013 5:09:04 PM MDT p. 20



fabric nodes.

5.2.7.3 Enterprise and Data Center SAN and VSAN (Virtual Storage Area Network) Management • Management tools to provisions, monitors, troubleshoot, and

administers SANs and VSANs.

5.2.7.4 SAN Optimization • Tools to help optimize and secure SAN performance (ie.

Encryption of data-at-rest, data migration, capacity optimization, data reduction, etc.

5.2.8 SWITCHES • Layer 2/3 devices that are used to connect segments of a LAN (local

area network) or multiple LANs and to filter and forward packets among them.

5.2.8.1 Campus LAN – Access Switches •

Juniper Networks EX Series

With Juniper Networks EX Series, businesses can deploy a cost-effective family of switches that delivers the high availability, unified communications, integrated security, and operational excellence you need today—while providing a platform for supporting the requirements of tomorrow.


Juniper Networks EX Series exhibits five key areas of innovation that work together to deliver a true enterprise switching solution:

Carrier-class reliability

Integrated security

Network virtualization

Application control

Reduced total cost of ownership (TCO)

Working together, attributes advance the economics of networking by allowing businesses to spend less money and time on their network infrastructures―and more on innovative technologies that help them gain a competitive edge.

Carrier-class Reliability

The EX Series leverages much of the same field-proven Juniper Networks technology―including high performance ASICs, system architecture, and Junos software―that powers the world’s largest service provider networks. The result is a robust, time-tested and highly reliable network infrastructure solution for high performance enterprises.

Security Risk Management

The EX Series is fully compatible with Juniper Networks Unified Access Control (UAC) solution―delivering an extra layer of security by first authenticating users and performing virus checks, then enforcing precise, end-to-end security policies that determine who can access what network resources, as well as QoS policies to ensure delivery of business processes. Integrated anomaly-based threat detection provides additional protection by identifying and blocking DDoS attacks.

Network Virtualization

The EX220, EX3300, EX4200, EX4500, EX4550 feature Juniper Networks Virtual Chassis technology, which enables multiple switches to be interconnected and operate as a single system. With Virtual Chassis technology, users get the reliability, availability, and high-port densities of traditional chassis-based systems in a cost-effective, compact form factor—the best of both worlds.

Juniper Networks EX Series also supports GRE tunneling in hardware for sending mirrored traffic from remote locations to monitoring devices in the network operations center for centralized troubleshooting and analysis, or to build segregated overlay networks without the challenges associated with Spanning Tree.

Comment [OS6]: Don’t have products for this.

Jul 1, 2013 5:09:04 PM MDT p. 21



Application Control

Successfully managing a network requires knowing how it is being used in order to optimize application delivery and maximize efficiency. Applications are divided into categories―business, peer-to-peer, messaging, or gaming―for easy identification. Additional details such as top talkers, bandwidth consumption by application, and traffic distribution by location are available, providing a detailed snapshot of how applications are behaving across the network.

To ensure that application traffic is properly prioritized, the EX Series hardware supports a robust eight QoS queues per port―more than enough to establish separate queues for control plane, voice, video, and multiple levels of data traffic, with room to converge other networks such as building automation and security cameras.

Lower TCO

Juniper Networks EX Series reduces operational and capital expenses with:

A highly scalable pay-as-you-grow architecture.

Network designs with lower power consumption.

Reduced space and associated cooling requirements.

A common operating system.

Unified management tools across the Juniper Networks portfolio.

The high performance, high density EX Series platforms let users start small and grow incrementally, saving valuable space in crowded wiring closets and data centers, while lowering recurring power and cooling costs. Leveraging a common version of Junos software across the switch families ensures consistency throughout the infrastructure and accelerates the learning curve. In addition, unified management tools consolidate system monitoring and maintenance, saving time and money.

Forrester Consulting Report: Simplifying Data Center Networks with Juniper Networks EX Series Reduces Network OpEx

In August 2010, Juniper Networks commissioned Forrester Consulting to examine the total economic impact and potential ROI that an enterprise may realize by simplifying the network architecture of its data center with Juniper Networks EX Series running Junos OS. Forrester interviewed Townsend Analytics, an existing Juniper Networks customer that simplified its server farm network to two tiers by implementing the EX Series. Forrester’s subsequent financial analysis found that Townsend Analytics experienced a risk-adjusted ROI of 33%.

For the complete Forrester Consulting report—The Total Economic Impact of Network Simplification in an Enterprise Data Centers—please refer to the following website: http://www.juniper.net/us/en/local/pdf/analyst-reports/forrester-tei-network-simplification-townsend.pdf

EX Series Models

Juniper Networks EX Series switches are designed to deliver scalable port density and performance, providing you with an economical pay-as-you-grow approach to building your high performance network. EX Series models follow:

EX2200 – Juniper Networks EX2200 with Virtual Chassis technology delivers a high performance, highly available standalone solution at an economical price point with plug-and-play simplicity―ideal for access layer deployments in branch and remote offices, as well as campus networks.

o EX2200-C – Juniper Networks EX2200-C delivers a compact, silent, and power-efficient platform for low density micro-branch deployments and commercial access or enterprise workgroup environments outside the wiring closet.

EX3200 – Juniper Networks fixed-configuration EX3200 offers a high performance standalone solution for low-density access deployments in the wiring closets of remote offices and small LANs in large office buildings.

EX3300 – Juniper Networks EX3300 with Virtual Chassis technology offers a compact, cost-effective, highly scalable solution for supporting the most demanding converged enterprise access environments.

EX4200 – Juniper Networks EX4200 with Virtual Chassis technology combines the high availability and reliability of modular systems with the economics and flexibility of stackable platforms, delivering a high-performance, scalable solution for data center campus, and branch environments.

http://www.juniper.net/us/en/local/pdf/analyst-reports/forrester-tei-network-simplification-townsend.pdf

Jul 1, 2013 5:09:04 PM MDT p. 22



EX4500 Series – Juniper Networks EX4500 Series with Virtual Chassis technology delivers scalable, compact, high performance platforms for supporting high-density 10 Gbps data center, campus, and service provider deployments.

Provides initial connectivity for devices to the network and controls user and workgroup access to internetwork resources. The following are some of the features a campus LAN access switch should support:

Security

i. SSHv2 (Secure Shell Version 2)

Yes, the Juniper EX line supports both SSH v1/v2

ii. 802.1X (Port Based Network Access Control)

Yes, the Juniper EX line supports 802.1X authentication.

iii. Port Security

EX Series: Access Port Security Features

Juniper Networks EX4200 supports the following access port security features:

DHCP snooping – Filters and blocks ingress DHCP server messages on untrusted ports; builds and maintains an IP-address/MAC-address binding database (called the DHCP snooping database).

Dynamic ARP inspection (DAI) – Prevents ARP spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons.

MAC limiting – Protects against flooding of the Ethernet switching table.

MAC move limiting – Detects MAC movement and MAC spoofing on access ports and prevents hosts whose MAC addresses have not been learned by the switch from accessing the network.

Trusted DHCP server – With a DHCP server on a trusted port, protects against rogue DHCP servers sending leases.

iv. DHCP (Dynamic Host Configuration Protocol) Snooping

Yes, the EX series supports DHCP snooping.

VLANs

EX Series: VLAN Support

Juniper Networks EX Series switches use Layer 2 bridging protocols to discover the topology of their LAN and to forward traffic toward destinations on the LAN. Bridging divides a single physical LAN (a single broadcast domain) into two or more virtual LANs, or VLANs. Each VLAN is a collection of network nodes that are grouped together to form separate broadcast domains. On an Ethernet network that is a single LAN, all traffic is forwarded to all nodes on the LAN. On VLANs, frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN. Frames that are not destined for the local VLAN are the only ones forwarded to other broadcast domains. VLANs thus limit the amount of traffic flowing across the entire LAN, reducing the possible number of collisions and packet retransmissions within a VLAN and on the LAN as a whole.

On an Ethernet LAN, all network nodes must be physically connected to the same network. On VLANs, the physical location of the nodes is not important, so you can group network devices in any way that makes sense for your organization, such as by department or business function, types of network nodes, or even physical location. Each VLAN is identified by a single IP subnetwork and by standardized IEEE 802.1Q encapsulation (discussed below).

Bridging

The transparent bridging protocol allows a switch to learn information about all the nodes on the LAN, including nodes on all the different VLANs. The switch uses this information to create address-lookup tables, called Ethernet switching tables that it consults when forwarding traffic to or toward a destination on the LAN.

Transparent bridging uses five mechanisms to create and maintain Ethernet switching tables on the switch:

1. Learning – When a switch is first connected to an Ethernet LAN or VLAN, it has no information about other nodes on the network. The switch goes through a learning process to obtain the MAC addresses of all the nodes on the network. It stores these in the Ethernet

Jul 1, 2013 5:09:04 PM MDT p. 23



switching table. To learn MAC addresses, the switch reads all packets that it detects on the LAN or on the local VLAN, looking for MAC addresses of sending nodes. It places these addresses into its Ethernet switching table, along with two other pieces of information—the interface (or port) on which the traffic was received and the time when the address was learned.

2. Forwarding – Switches forward traffic, passing it from an incoming interface to an outgoing interface that leads to or toward the destination. To forward frames, the switch consults the Ethernet switching table to see whether the table contains the MAC address corresponding to the frames' destination. If the Ethernet switching table contains an entry for the desired destination address, the switch sends the traffic out the interface associated with the MAC address. The switch also consults the Ethernet switching table in the same way when transmitting frames that originate on devices connected directly to the switch. If the Ethernet switching table does not contain an entry for the desired destination address, the switch uses flooding, which is the third bridging mechanism.

3. Flooding – Flooding is how the switch learns about destinations not in its Ethernet switching table. If this table has no entry for a particular destination MAC address, the switch floods the traffic out all interfaces except the interface on which it was received. (If traffic originates on the switch, the switch floods it out all interfaces.) When the destination node receives the flooded traffic, it sends an acknowledgment packet back to the switch, allowing it to learn the MAC address of the node and to add the address to its Ethernet switching table.

4. Filtering – Filtering is how broadcast traffic is limited to the local VLAN whenever possible. As the number of entries in the Ethernet switching table grows, the switch pieces together an increasingly complete picture of the VLAN and the larger LAN—of which nodes are in the local VLAN and which are on other network segments. The switch uses this information to filter traffic. Specifically, for traffic whose source and destination MAC addresses are in the local VLAN, filtering prevents the switch from forwarding this traffic to other network segments.

5. Aging – Finally, the switch uses aging, the fifth bridging mechanism, to keep the entries in the Ethernet switching table current. For each MAC address in the Ethernet switching table, the switch records a timestamp of when the information about the network node was learned. Each time the switch detects traffic from a MAC address, it updates the timestamp. A timer on the switch periodically checks the timestamp, and if it is older than a user-configured value, the switch removes the node's MAC address from the Ethernet switching table. This aging process ensures that the switch tracks only active nodes on the network and that it is able to flush out network nodes that are no longer available.

Switch Ports

The ports, or interfaces, on a switch operate in either access mode or trunk mode. An interface in access mode connects to a network device, such as a desktop computer, an IP telephone, a printer, a file server, or a security camera. The interface itself belongs to a single VLAN. The frames transmitted over an access interface are normal Ethernet frames. By default, when you boot a switch and use the factory-default configuration, or when you boot the switch and do not explicitly configure a port mode, all interfaces on the switch are in access mode.

Trunk interfaces handle traffic for multiple VLANs, multiplexing the traffic for all those VLANs over the same physical connection. Trunk interfaces are generally used to interconnect switches to one another.

IEEE 802.1Q Encapsulation and Tags

To identify which VLAN traffic belongs to, all frames on an Ethernet VLAN are identified by a tag, as defined in the IEEE 802.1Q standard. These frames are tagged and are encapsulated with 802.1Q tags.

For a simple network that has only a single VLAN, all traffic has the same 802.1Q tag.

When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique 802.1Q tag. The tag is applied to all frames so that the network nodes receiving the frames know which VLAN the frames belong to. Trunk ports, which multiplex traffic among a number of VLANs, use the tag to determine to origin of frames and where to forward them.

Assignment of Traffic to VLANs

You assign traffic to a particular VLAN in one of the following ways:

By interface (port) on the switch – You specify that all traffic received on a particular interface on the switch is assigned to a specific VLAN. If you use the default factory switch settings, all traffic received on an access interface is untagged. This traffic is part of a default VLAN, but it is not tagged with an 802.1Q tag. When configuring the switch, you specify which VLAN to assign the traffic to. You configure the VLAN either by using a VLAN number (called a VLAN ID) or by using a name, which the switch translates into a numeric VLAN ID.

By MAC address – You can specify that all traffic received from a specific MAC address be forwarded to a specific egress interface (next hop) on the switch. This method is administratively cumbersome to configure manually, but it can be useful when you are using automated databases to manage the switches on your network.

Jul 1, 2013 5:09:04 PM MDT p. 24



Ethernet Switching Tables

As EX Series switches learn the MAC addresses of the devices on local VLANs, they store them in the bridge on the switch. With each MAC address, the Ethernet switching table stores and associates the name of the interface (or port) on which the switch learned that address. The switch uses the information in this table when forwarding packets toward their destination.

Layer 2 and Layer 3 Forwarding of VLAN Traffic

To pass traffic within a VLAN, the switch uses Layer 2 forwarding protocols, including IEEE 802.1Q, Spanning Tree Protocol (STP), and GARP VLAN Registration Protocol (GVRP).

To pass traffic between two VLANs, the switch uses standard Layer 3 routing protocols, such as static routing, OSPF, and RIP. On EX Series switches, the same interfaces that support Layer 2 bridging protocols also support Layer 3 routing protocols, providing multilayer switching.

GVRP

The GARP VLAN Registration Protocol (GVRP) is an application protocol of the Generic Attribute Registration Protocol (GARP) and is defined in the IEEE 802.1Q standard. GVRP learns VLANs on a particular 802.1Q trunk port and adds the corresponding trunk port to the VLAN if the advertised VLAN is preconfigured on the switch.

The VLAN registration information sent by GVRP includes the current VLANs membership—that is, which switches are members of which VLANs—and which switch ports are in which VLAN. GVRP shares all VLAN information configured manually on a local switch.

As part of ensuring that VLAN membership information is current, GVRP removes switches and ports from the VLAN information when they become unavailable. Pruning VLAN information:

Limits the network VLAN configuration to active participants only, reducing network overhead.

Targets the scope of broadcast, unknown unicast, and multicast (BUM) traffic to interested devices only.

Routed VLAN Interface

In a traditional network, broadcast domains consist of either physical ports connected to a single switch or logical ports connected to one or more switches through VLAN configurations. Switches send traffic to hosts that are part of the same broadcast domain, but routers are needed to route traffic from one broadcast domain to another and to perform other Layer 3 functions such as traffic engineering. EX Series switches use a routed VLAN interface (RVI) to perform these routing functions, using it to route data to other Layer 3 interfaces. This functionality eliminates the need for having both a switch and a router.

The RVI interface must be configured as part of a broadcast domain or VPLS routing instance in order for Layer 3 traffic to be routed out of it. The RVI interface supports IPv4, IPv6, MPLS, and ISIS traffic. At least one Layer 2 logical interface should be operationally up in order for the RVI interface to be operationally up. You must configure an RVI broadcast domain or VPLS routing instance just as you would configure a VLAN on a switch. Multicast data, broadcast data, or unicast data is switched between ports within the same RVI broadcast domain or VPLS routing instance. The RVI interface routes data that is destined for the router’s media access control (MAC) address.

Fast Ethernet/Gigabit Ethernet

6 EX2200/EX3200/EX3300/EX4200 offer 24-port and 48-port configuration options offer simple plug-and-play 10/100/1000BASE-T connectivity meet today’s converged networking needs. With optional full or partial Power over Ethernet (PoE) ports, the EX Series can support IP-enabled devices such as telephones, security cameras, WLAN access points in converged network environments.

7 The EX4200 offers a 24-port fiber switch offering 100/1000BASE-X support.

PoE (Power over Ethernet)

Juniper Networks EX Series supports PoE, which is the implementation of IEEE 802.3af, allowing both data and electric power to pass over a copper Ethernet LAN cable. PoE ports provide electrical current to devices through the network cables so that separate power cords for devices such as IP phones, wireless access points, and security cameras are unnecessary. This technology allows VoIP telephones, wireless access points, video cameras, and point-of-sale devices to safely receive power from the same access ports that are used to connect personal computers to the network.

EX Series switches have options of full or partial PoE capability. Full PoE models are primarily used in IP telephony environments. Partial PoE models are used in environments where, for example, only a few ports for wireless access points or security cameras are required.

Jul 1, 2013 5:09:04 PM MDT p. 25



PoE and Power Supply Units in EX Series Switches

EX Series switch models provide either 8, 24 or 48 PoE ports.

All 802.3af-compliant powered devices require no more than 12.95 watts. Thus, if you follow the recommended guidelines for selecting power supply units to support the number of PoE ports, the switch should be able to supply power to all connected powered devices. If you install a higher capacity power supply unit on a switch model that has only eight PoE ports, it does not extend PoE capabilities to the non-PoE ports.

Power Management Mode

The power management mode is used to determine the number of interfaces that can be provided with power. There are two modes of power management:

Static – In this mode the power allocated for each interface can be configured.

Class – In this mode the power allocation for interfaces is decided based on the class of powered device connected.

link aggregation

8 Juniper Networks EX Series supports link aggregation. You can combine multiple physical Ethernet ports to form a logical point-to-point link, known as a link aggregation group (LAG) or bundle. A LAG provides more bandwidth than a single Ethernet link can provide. Additionally, link aggregation provides network redundancy by load-balancing traffic across all available links. If one of the links should fail, the system automatically load-balances traffic across all remaining links.

9 You can select up to eight Ethernet interfaces and include them within a link aggregation group.

10 Gb support 10 EX3200/EX4200 Optional four-port 1GE and two-port 10GE uplink modules with pluggable optics are also available for supporting

high-speed connections to other switches or upstream devices such as routers. 11 EX3300 Offers four dual mode 1GE SFP/10GE SFP+ uplink ports available for supporting high-speed connections to other switches

or upstream devices such as routers. 12 EX4500 offers up to 48 wire-speed 10GE ports in a 2 RU platform it delivers full Layer 2 and Layer 3 connectivity to networked

devices such as servers and other switches. This is delivered in 40 fixed ports are complemented by two optional high-speed uplink modules available for configuration flexibility, offering four additional 10GE small form-factor pluggable transceiver (SFP+) ports for connecting to upstream devices.

13 The EX4550 features up to 48 wire-speed 1GE or 10GE small form-factor pluggable transceivers (SFP/SFP+), or 100M/1GBASE-T/10GBASE-T ports in a compact 1 RU form factor, the EX4550 provides support for 480 Gbps of Layer 2 and Layer 3 connectivity to networked devices, such as servers and other switches. Two versions of the EX4550 are available—a 32-port fiber-based version and a 32-port copper-based version—which feature two expansion slots that can accommodate one of four optional expansion modules, providing tremendous configuration and deployment flexibility for campus and data center access as well as aggregation networks.

Port mirroring

Yes, the EX Series switches support port mirroring.

Span Taps


Standards-based rapid spanning tree

EX Series: Rapid Spanning Tree Protocol (RSTP)

Juniper Networks EX Series uses Rapid Spanning Tree Protocol (RSTP) to provide better reconvergence time than the original STP. RSTP identifies certain links as point to point. When a point-to-point link fails, the alternate link can transition to the forwarding state.

Although STP provides basic loop prevention functionality, it does not provide fast network convergence when there are topology changes. STP’s process to determine network state transitions is slower than RSTP's because it is timer-based. A device must reinitialize every time a topology change occurs. The device must start in the listening state and transition to the learning state and eventually to a forwarding or blocking state. When default values are used for the maximum age (20 seconds) and forward delay (15

Comment [OS7]: Not sure on this one.

Comment [OS8]: Need to further research

Jul 1, 2013 5:09:04 PM MDT p. 26



seconds), it takes 50 seconds for the device to converge. RSTP converges faster because it uses a handshake mechanism based on point-to-point links instead of the timer-based process used by STP.

An RSTP domain running on an EX Series switch has the following components:

Root port – The “best path” to the root device

Designated port – Indicates that the switch is the designated bridge for the other switch connecting to this port

Alternate port – Provides an alternate root port

Backup port – Provides an alternate designated port.

Port assignments change through messages exchanged throughout the domain. An RSTP device generates configuration messages once every hello time interval. If an RSTP device does not receive a configuration message from its neighbor after an interval of three hello times, it determines it has lost connection with that neighbor. When a root port or a designated port fails on a device, the device generates a configuration message with the proposal bit set. Once its neighbor device receives this message, it verifies that this configuration message is better than the one saved for that port and then it starts a synchronizing operation to ensure that all of its ports are in sync with the new information.

Similar waves of proposal agreement handshake messages propagate toward the leaves of the network, restoring the connectivity very quickly after a topology change (in a well-designed network that uses RSTP, network convergence can take as little as 0.5 seconds). If a device does not receive an agreement to a proposal message it has sent, it returns to the original IEEE 802.D convention.

RSTP was originally defined in the IEEE 802.1w draft specification and later incorporated into the IEEE 802.1D-2004 specification.

Netflow Support (Optional).

EX4200: sFlow



Packet-based sampling – Samples one packet out of a specified number of packets from an interface enabled for sFlow technology

Time-based sampling – Samples interface statistics at a specified interval from an interface enabled for sFlow technology








sFlow data can be used to provide network traffic visibility information. The IP address to be assigned to source data can be configured. If it has not been configured, the IP address of the configured Gigabit Ethernet interface, 10GE interface, or the RVI is

http://www.sflow.org/

Jul 1, 2013 5:09:04 PM MDT p. 27



used as the source IP address. Infrequent sampling flows are not reported in the sFlow information, but over time the majority of flows are reported. Based on a defined sampling rate, 1 out of N packets is captured and sent to the collector. This type of sampling does not provide a 100 percent accurate result in the analysis, but it does provide a result with quantifiable accuracy. A polling interval defines how often the sFlow data for a specific interface are sent to the collector, but an sFlow agent is free to schedule polling.



13.2.8.2 Campus LAN – Core Switches • Campus core switches are generally used for

the campus backbone and are responsible for transporting large amounts of traffic both reliably and quickly.

EX9200 Series: Overview and Models

Juniper Networks EX9200 Series next-generation carrier-class campus and data center core Ethernet switching platforms (shown in Figure xxx) are designed for performance and scale―delivering greater port densities, space efficiency, and an on-ramp to 40GE and 100GE for enterprise customers.

The EX9200 line of programmable, flexible, and scalable modular Ethernet core switches simplifies the deployment of cloud applications, virtualized servers and rich media collaboration tools across campus and data center environments. As a key element of Juniper Networks “Simply Connected” portfolio of resilient switching, security, routing, and wireless products, the EX9200 Series enables collaboration and provides simple and secure access to mission critical applications. In the data center, the EX9200 simplifies network architectures and network operations to better align the network with today’s dynamic business environments.

As networks become a more strategic part of an enterprise’s business, they need to be more agile. Network agility requires programmability, and the EX9200 provides that and more in its silicon and at the system and networking levels. The EX9200 is based on Juniper One custom silicon—an ASIC designed by Juniper Networks which provides a programmable Packet Forwarding Engine (PFE) and allows for native support of networking protocols such as virtualization using MPLS over IP and overlay network protocols. ASIC micro code changes delivered through updates to Juniper Networks Junos OS provide investment protection by allowing existing hardware to support new or future networking protocols.

All EX9200 system programmability provides support for Junos OS-based automation along with the Junos SDK, which enables integration with Puppet, OpenFlow, and other automation applications. The EX9200 network programmability also enables integration with leading orchestration applications.

Trends such as mobility and increasing rich-media traffic in the campus, combined with virtualization and cloud computing in the data center, mandate a core switch that can deliver:

Increased bandwidth and throughput via 40GE and 100GE interfaces;

Increased logical scale needed to support more devices and servers;

Increased 10GE port densities;

Form factor alternatives;

Programmability to address future business needs;

Carrier grade availability.

Juniper Networks EX9200 Series is ready to handle changing networking demands for at least the next decade.

Jul 1, 2013 5:09:04 PM MDT p. 28



Core switches should provide:

High bandwidth

14 Fully configured, a single EX9214 chassis can support up to 320 10GE ports (240 at wire speed for all packet sizes), delivering one of the industry’s highest line-rate 10GE port densities for this class of feature rich and programmable switch.

15 The EX9200 switch fabric is capable of delivering 240 Gbps (full duplex) per slot, enabling scalable wire-rate performance on all ports for any packet size. The pass-through midplane design also supports a future capacity of up to 13.2 Tbps.

Low latency

In the data center, the EX9200 architecture is designed for very large deployments, with no head-of-line blocking, a single tier low latency switch fabric, efficient multicast replication handling, and deep buffering to ensure performance at scale. The EX9200 chassis midplane distributes the control and management signals over independent paths to the various system components and distributes power throughout the system. Data plane signals pass directly from the EX9200 line cards to the EX9200 Switch Fabric modules via a unique pass-through connector system that provides unparalleled signal quality for future generations of fabric ASICs.


To maintain uninterrupted operation, the EX9200’s fan trays cool the line cards, Routing Engine, and Switch Fabric modules with redundant, variable speed fans. In addition, the EX9200 power supplies convert building power to the internal voltage required by the system. All EX9200 components are hot-swappable, and all central functions are available in redundant configurations, providing high operational availability by allowing continuous system operation during maintenance or repairs.

Security

i. SSHv2

Yes, SSHv1 and SSHv2 are supported by the Ex9200

ii. MacSec encryption

No, MacSec is not currently supported and is being investigated for a future release.

iii. Role-Based Access Control Lists (ACL)


Yes, the EX9200 switch supports both IPv4 and IPv6.

Comment [OS9]: Further research required

Jul 1, 2013 5:09:04 PM MDT p. 29



1/10/40/100 Gbps support

All three EX9200 chassis can accommodate any combination of EX9200 Ethernet line cards (shown in Figure xxx). Options include the following:

EX9200-40T – 40-port 10/100/1000BASE-T RJ-45 line card

EX9200-40F – 40-port 100FX/1000BASE-X SFP line card

EX9200-32XS – 32-port 10GE SFP+ line card

EX9200-4QS – 4-port 40GE quad SFP (QSFP+) line card

IGP (Interior Gateway Protocol) routing

The EX9200 Series supports RIP v1/v2, OSPF v1/v2/v3, and IS-IS

EGP (Exterior Gateway Protocol) routing

The EX9200 Series supports BGP

VPLS (Virtual Private LAN Service) Support

Yes, the EX9200 supports MPLS/VPLS

VRRP (Virtual Router Redundancy Protocol) Support

Yes, the EX9200 supports VRRP

Netflow Support.

Netflow 13.2, sFlow 13.3

15.2.8.2 Campus Distribution Switches • Collect the data from all the access layer

switches and forward it to the core layer switches. Traffic that is generated at Layer 2 on a switched network needs to be managed, or segmented into Virtual Local Area Networks (VLANs), Distribution layer switches provides the inter- VLAN routing functions so that one VLAN can communicate with another on the network. Distribution layer switches provides advanced security policies that can be applied to network traffic using Access Control Lists (ACLs).

16 Juniper Networks EX4550 Ethernet Switch delivers a scalable, high-performance platform for supporting high-density 10 Gbps data center top-of-rack deployments, as well as data center, campus, and service provider aggregation environments. Featuring up to 48 wire-speed 1GE or 10GE small form-factor pluggable transceivers (SFP/SFP+), or 100M/1GBASE-T/10GBASE-T ports in a compact 1 RU form factor, the EX4550 provides support for 480 Gbps of Layer 2 and Layer 3 connectivity to networked devices, such as servers and other switches.

Two versions of the EX4550 base switch are available:

32-port fiber-based version, providing 32 fixed 10GE SFP/SFP+ pluggable ports

32-port copper-based version, providing 32 fixed 100M/1GBASE-T/10GBASE-T ports

Both versions feature two expansion slots, one in front and one in back, that can accommodate one of four optional expansion modules, providing tremendous configuration and deployment flexibility for campus and data center access as well as aggregation networks. The four expansion modules include the following:

128 Gbps Virtual Chassis module

8 x 10GBASE-T copper expansion module

8 x 10GBASE SFP/SFP+ fiber expansion module

2 x 40GE expansion module

Virtual Chassis Technology

Juniper Networks EX4550 is also designed to support Juniper Networks unique Virtual Chassis technology, which enables up to 10 interconnected switches to operate as a single, logical device with a single IP address. Virtual Chassis technology enables enterprises to separate physical topology from logical groupings of endpoints and, as a result, provides efficient resource utilization.

Comment [OS10]: Need to Verify

Comment [OS11]: Need to verify and clean up

Jul 1, 2013 5:09:04 PM MDT p. 30



The EX4550 can participate in the same Virtual Chassis configuration with any combination of Juniper Networks EX4200 and EX4500 Ethernet Switches, delivering highly flexible and scalable configuration options for campus and data center deployments. EX4550 switches in a Virtual Chassis configuration can be connected using dedicated 128 Gbps interconnect ports on the Virtual Chassis expansion module, or via link aggregation groups (LAGs) across 10GE/40GE ports, providing aggregate backplane capacity of up to 320 Gbps.

In the data center, EX4550 Virtual Chassis deployments can extend across multiple top-of- rack or end-of-row switches, providing tremendous configuration flexibility for 10GE server connectivity by only requiring redundant links between Virtual Chassis groups, rather than each physical switch to ensure high availability. In addition, mixed Virtual Chassis configurations featuring EX4200, EX4500, and EX4550 switches provide an ideal solution for data centers with a mix of 1GE and 10GE servers, or for environments transitioning from 1GE to 10GE server connectivity.

High bandwidth A single EX4550 switch can support up to 48 10GE ports at line rate, providing a highly scalable solution for even the most demanding environments. In addition, Virtual Chassis technology allows for easy network scalability and reduces management complexity. By adding switches to a Virtual Chassis configuration, it is possible to grow the number of switch ports without increasing the number of devices to manage. As more switches are added to the Virtual Chassis configuration, backplane bandwidth demands can also be scaled to maintain adequate oversubscription ratios. The EX4550 Virtual Chassis bandwidth can be increased to 256 Gbps by inserting 128 Gbps Virtual Chassis expansion modules in each of the two available expansion slots.

Low latency

17 Juniper Networks EX4550 also offers an economical, power-efficient, and compact solution for aggregating 10GE expansions from access devices in building and campus deployments. The switch’s dual-speed interfaces also support environments transitioning from 1GE to 10GE.

18 The EX4550 easily meets enterprise core switch requirements, delivering low latency (~2us), wire-speed performance on every port, full device redundancy, support for Layer 3 dynamic routing protocols, such as RIP and OSPF, Layer 2 and Layer 3 MPLS VPNs, and a comprehensive set of security and QoS features.


Yes, the EX4550 has both redundant, hot-swappable power supplies and redundant, field-replaceable, hot-swappable fans.

Security (SSHv2 and/or 802.1X)

The EX4550 supports both SSHv1/v2 and 802.1x


The EX4550 supports both IPv4 and IPv4

Jumbo Frames Support

The EX4550 supports Jumbo Frames

Dynamic Trunking Protocol (DTP)

The EX4550 does not support DTP as this is a proprietary protocol.

Per-VLAN Rapid Spanning Tree (PVRST+)

The EX4550 provides the following Spanning Tree Protocol Support:

Rapid Spanning Tree Protocol (RSTP) and VLAN Spanning Tree Protocol (VSTP) running concurrently. VSTP maintains a separate spanning tree instance for each VLAN, and is compatible with the Per-VLAN Spanning Tree Plus (PVST+) and Rapid-PVST+ protocols supported on Cisco Systems routers and switches.

Spanning Tree Protocol (802.1D)

Multiple Spanning Tree Protocol (MSTP) (802.1s)

RSTP (802.1w)

VSTP – VLAN Spanning Tree

BPDU protect

Loop protect

Comment [OS12]: This is a Cisco feature

Comment [OS13]: Need to verify as this came out of the MX. Assuming same applies to EX.

Jul 1, 2013 5:09:04 PM MDT p. 31



Root protect

Switch-port auto recovery

NetFlow Support or equivalent

EX4550: sFlow















18.2.8.2 Data Center Switches • Data center switches, or Layer 2/3 switches, switch all

packets in the data center by switching or routing good ones to their final destinations, and discard unwanted traffic using Access Control Lists (ACLs), all

Comment [OS14]: Need to research

Jul 1, 2013 5:09:04 PM MDT p. 32



at Gigabit and 10 Gigabit speeds. High availability and modularity differentiates a typical Layer 2/3 switch from a data center switch.

QFabric System: Overview






System Components

The QFabric System consists of three separate but interdependent edge, interconnect, and control devices—the QFabric Node, QFabric Interconnect, and QFabric Director. As shown in Figure xxx, these components represent the internal elements of a traditional switch.

QFabric Node – In a QFabric system, the line cards that typically reside within a modular chassis switch become high-density, fixed-configuration, 1 RU edge devices that provide access into and out of the fabric. The Nodes, which can also operate as independent top-of-rack 10GE switches, provide compute, storage, services, and network access for the QFabric System. There are two types of QFabric Nodes available: the QFX3500, which offers a variety of connectivity options ranging from 1GE to 10GE, Fibre Channel (FC), and FC over Ethernet (FCoE); and the QFX3600, which offers 10GE and 40GE connectivity options. Both the QFX3500 and QFX3600 Nodes can be used in a single system.

QFabric Interconnect – The QFabric Interconnect represents the typical backplane of a modular switch, connecting all QFabric Node edge devices in a flat, any-to-any topology. This topology provides the data plane connectivity between all Nodes, with the Interconnect acting as the high-performance backplane. Two QFabric Interconnect options are available. The QFX3000-M uses the 1 RU fixed configuration QFX3600-I QFabric Interconnect, which supports up to 16 connected QFabric Nodes to create a single fabric capable of supporting 768 10GE ports. The QFX3000-G uses the modular QFX3008-I, which connects up to 128 QFabric Nodes to create a single fabric capable of supporting 6,144 10GE ports.

QFabric Director – The Routing Engines embedded within a modular switch are externalized in the QFabric system via the QFX3100 QFabric Director, which provides control and management services for the fabric. Deployed in clusters to provide redundancy, QFabric Directors provide a single management interface to manage the scalable data plane provided by the Node and Interconnect devices. The QFabric Node and QFabric Interconnect devices together create the distributed data plane for the QFabric System over which all data traffic to and from servers and storage is carried. Existing QFabric system components can be redeployed between a QFX3000-M and a QFX3000-G, greatly simplifying flexibility and migration. Users can initially deploy a QFX3000-M and, as their 10GE demands grow, migrate to a QFX3000-G with the simple replacement of the QFabric Interconnect, dramatically increasing scale.

One of the greatest advantages of QFabric technology is its manageability. Unlike traditional deployments with multiple touch points for provisioning and troubleshooting, a QFabric System presents a single management interface for provisioning, managing,

Jul 1, 2013 5:09:04 PM MDT p. 33



and troubleshooting the data center. Up to 128 top-of-rack switches in a QFX3000-G system and up to 16 top-of-rack switches in a QFX3000-M system work together to connect network, compute, and storage resources.


High bandwidth

Juniper Networks QFabric System is designed to provide a low latency fabric that can scale to more than 6,000 ports and be deployed in a variety of environments. With the advent of server virtualization, the IT infrastructure is providing business efficiency by consolidating many physical servers into fewer high-performance virtualized servers. However, this introduces new challenges in the data center by significantly increasing network utilization and requiring faster access-layer connectivity.


The QFabric system offers the following advantages for high-performance access:

Full-featured, standards-based Layer 2 and Layer 3 switching capabilities

Low latency switching on up to 56 10GE ports with the QFX3600 Node, or 48 10GE ports with the QFX3500 Node

Scaling options for 768 10GE ports with the QFX3000-M system, or 6,144 10GE ports with the QFX3000-G system using QFX3500 or QFX3600 Nodes at 3:1 or 6:1 oversubscription

Scaling options for up to 896 10GE ports with the QFX3000-M system, or 7,168 10GE ports with the QFX3000-G system using QFX3600 nodes at 7:1 oversubscription

Support for the same Junos OS that powers other Juniper Networks switches, routers, and security products, as well as Juniper Networks Junos Space management platform

Low latency

19 Every QFabric Node in a QFabric System adds high-performance, ultra-low latency (ULL) 10GE ports, making it possible to support large-scale server virtualization deployments—with a large media access control (MAC) address table with ultra-low latency (5 microseconds port-to-port under typical loads for a QFX3000-G system, and 3 microseconds port-to-port under typical loads for a QFX3000-M system) at Layer 2 and Layer 3 from server node to server node.


20 QFX3008-I Interconnect: Cooling System and Airflow

21 Juniper Networks QFX3008-I cooling system consists of ten fan trays and nine air filters. The fan trays and air filters are hot-insertable and hot-removable FRUs.

22 Eight fan trays install vertically on the front sides of the chassis, one fan tray installs directly below the front card cage, and one fan tray installs in the rear of the chassis at the top. The chassis has front-to-back airflow.

23 QFX3008-I Interconnect: Power Supply Overview

24 Juniper Networks QFX3008-I has six power supplies and two wiring trays. The power supplies (shown in Figure xxx) are installed at the rear bottom of the chassis in slots 0 through 5 (left to right when viewed from the rear of the chassis). Wiring trays are installed at the rear bottom of the chassis on either side of the power supplies. The wiring tray in slot Wiring Tray 0 provides input power to the power supplies in slots 0 through 2. The wiring tray in slot Wiring Tray 1 provides input power to the power supplies in slots 3 through 5. The AC power supply in a QFX3008-I Interconnect device is a hot-insertable and hot-removable field-replaceable unit (FRU).

25 QFX3100 Director: Cooling System and Airflow

26 Juniper Networks QFX3100 cooling system consists of three fan modules as well as a single fan in each AC power supply. The fan modules are located in the fan module slots on the rear of the QFX3100. The QFX3100 also provides front-to-back airflow.

27 Temperature sensors in the chassis monitor the temperature within the chassis. The system raises an alarm if the fan fails or if the temperature inside the chassis rises above permitted levels. If the temperature inside the chassis rises above the threshold, the system shuts down automatically.

Jul 1, 2013 5:09:04 PM MDT p. 34



28

29 QFX3100 Director: Power Supply Overview

30 Juniper Networks QFX3100 power supplies (shown in Figure xxx) are hot-removable and hot-insertable FRUs. Up to two AC power supplies may be installed in a QFX3100 device. Power supplies are installed in the power supply slots on the back of the chassis. Each QFX3100 Director is shipped with two AC power supplies.

Each power supply has its own fan and is cooled by its own internal cooling system. Hot air exhausts from the rear of the chassis.

560 W AC

Approximate weight – 2.5 lb (1.1 kg)

QFX3500 Switch: Cooling System and Airflow

Juniper Networks QFX3500 cooling system consists of two field-replaceable unit (FRU) fan trays with two fan modules each and two fan modules on the management board FRU (Figure xxx). In addition, the power supplies have internal fans to cool themselves.

The QFX3500 device provides FRU-side-to-port-side or port-side-to-FRU-side airflow depending on the device model you purchase. In the QFX3500 device models that have FRU-side-to-port-side airflow, the air intake to cool the chassis is located on the front panel of the chassis, where the FRUs are installed. Air is pulled into the chassis and pushed away from the fan trays and management board. Hot air exhausts from the rear of the chassis, where the ports are located.

In the QFX3500 device models that have port-side-to-FRU-side airflow, the air intake to cool the chassis is located on the rear panel of the chassis, the side with access and uplink ports. Air is pulled into the chassis and pulled through the fan trays and management boards. Hot air exhausts from the front of the chassis, where the FRUs are installed.

Each airflow type requires specific fan trays, management boards, and power supplies that have fan modules oriented in the proper direction. The fan trays and management boards are designed so that they can only be inserted into the QFX3500 device model that supports the same airflow type. The power supplies have labels and arrows on the handles that depict the direction of airflow. The label AFI denotes FRU-side-to-port-side airflow; AFO denotes port-side-to-FRU-side airflow.

The chassis includes a fan speed-control system. Under normal operating conditions, fans operate at reduced speed to reduce noise and power consumption. Temperature sensors in the chassis monitor the temperature within the chassis. The system raises an alarm if a fan fails or if the temperature inside the chassis rises above permitted levels. If the temperature inside the chassis rises above the threshold, the device shuts down automatically. You can see the status of fans and the temperature remotely through the CLI by issuing the operational mode command show chassis environment.

A single fan module cannot be replaced. If one or more fan modules fail, the entire fan tray or management board must be replaced.

QFX3500 Switch: Power Supply Overview

Juniper Networks QFX3500 power supplies (shown in Figures xxx and xxx) are hot-removable and hot-insertable FRUs that can be installed on the front panel without powering off the switch or disrupting the switching function. Both AC and DC power supplies are 650 W.

The power supply provides FRU-side-to-port-side or port-side-to-FRU-side airflow depending on the model you purchase. The power supplies have labels and arrows on the handles that depict the direction of airflow. The label AFI denotes FRU-side-to-port-side airflow; AFO denotes port-side-to FRU-side airflow.

QFX3600 Switch: Power Supply and Fan Modules

Juniper Networks QFX3600 power supply and fan specifications follow:

• Dual-redundant (1+1) and hot-pluggable power supplies

• 100 to 240 V single-phase AC power or -40 to -72 V DC power

• Redundant and hot-pluggable fan modules

Ultra-low latency through wire-speed ports with nanosecond port-to-port latency and hardware-based Inter-Switch Link (ISL) trunking

The QFX3500 features sub-microsecond latency across all packet sizes in both cut-through and store-and-forward modes. ISL is a proprietary protocol and not supported.

Comment [OS15]: ISL is Cisco Propriatary

Jul 1, 2013 5:09:04 PM MDT p. 35



Load Balancing across Trunk group able to use packet based load balancing scheme

QFabric supports LACP (IEEE 802.3ad) for link aggregation and redundancy.

Bridging of Fibre Channel SANs and Ethernet fabrics

The QFX3500 is a fully IEEE DCB- and T11 FC-BB-5-based FCoE Transit Switch and FCoE-FC Gateway, delivering a high-performance solution for converged server edge access environments. The QFX3500 provides configurable ports capable of 1GE, 10GE, and 2/4/8 Gbps FC connectivity.

FCoE Transit Switch – As an FCoE Transit Switch, the QFX3500 provides a pure IEEE DCB converged access layer between FCoE-enabled servers and an FCoE-enabled Fibre Channel SAN. The QFX3500 offers a full-featured DCB implementation that provides strong monitoring capabilities on the top-of-rack switch for SAN and LAN administration teams, while maintaining a clear separation of management. In addition, FC Initiation Protocol (FIP) snooping provides perimeter protection, ensuring that the presence of an Ethernet layer does not impact existing SAN security policies. The FCoE Transit Switch functionality, along with Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), and Data Center Bridging Exchange (DCBX), are included as part of the default software; no additional licenses are required.

FCoE-FC Gateway – In FCoE-FC Gateway mode, the QFX3500 eliminates the need for FCoE enablement in the SAN backbone. Organizations can add a converged access layer and interoperate with existing SANs without disrupting the network. The QFX3500 allows up to 12 ports to be converted to Fibre Channel without additional switch hardware modules, and gateway functionality can be soft-provisioned with a software license to protect existing investments. The QFX3500 provides N-Port ID virtualization (NPIV) proxy functionality between FCoE-enabled servers and traditional Fibre Channel SANs. As a top-of-rack switch with FCoE-FC Gateway functionality, the QFX3500 presents itself as an FCoE-enabled switch to the rack or blade servers, and as a group of logical FC servers to the traditional Fibre Channel SAN.

iSCSI Transit Switch – As an iSCSI Transit Switch, the QFX3500 provides a pure IEEE DCB-converged network between iSCSI-enabled servers and iSCSI-enabled storage. The QFX3500 offers a full-featured DCB implementation that provides strong monitoring capabilities on the top-of-the-rack switch for storage and LAN administration teams, while maintaining a clear separation of management. The iSCSI Transit Switch functionality, notably Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), and Data Center Bridging Exchange (DCBX), including the iSCSI Application TLV, are included as part of the default software; no additional licenses are required.

Juniper Networks QFabric System Fibre Channel specifications follow:

Fibre Channel over Ethernet (FCoE)

FCoE Transit Switch (FIP snooping)

FCoE-FC Gateway

iSCSI Transit Switch (iSCSI tlv)

Fibre Channel Standard

Fibre Channel port speeds – 2, 4, 8 Gbps

Fibre Channel port types – N_Port and VF_Port (Fabric only mode)

Fibre Channel classes of service – Class 3

Fibre Channel services – N_Port Virtualizer Device (FCoE to FC)

Fibre Channel services – N_Port ID Virtualization (NPIV) gateway

FCoE Support – FC-BB-5 FC-BB_E, including FIP Snooping

Jumbo Frame Support

The Juniper QFabric supports Jumbo Frames

Plug and Play Fabric formation that allows a new switch that joins the fabric to automatically become a member

The Director group in a QFabric system automatically recognizes when devices are added or replaced in the QFabric system. The Director group sends each device its own portion of the Junos OS configuration and adds the device to the QFabric system inventory. The QFabric system upgrades the Node device to the version of

Comment [OS16]: Need to validate

Jul 1, 2013 5:09:04 PM MDT p. 36



software installed on the QFX3100 Director devices.

Ability to remotely disable and enable individual ports

Yes, you can remotely disable and enable individual ports. <Insert command here>

Support NetFlow or equivalent QFabric: sFlow Juniper Networks QFabric supports sFlow to monitor high-speed switched or routed networks. sFlow randomly samples network packets and sends the samples to a monitoring station. You can configure sFlow on the EX4200 to continuously monitor traffic at wire speed on all interfaces simultaneously. sFlow uses the following two sampling mechanisms: • Packet-based sampling – Samples one packet out of a specified number of packets from an interface enabled for sFlow technology • Time-based sampling – Samples interface statistics at a specified interval from an interface enabled for sFlow technology The sampling information is used to create a network traffic visibility picture. Junos fully supports the sFlow version 5 standard described at sFlow.org (refer to the following website: www.sflow.org). An sFlow monitoring system consists of an sFlow agent embedded in the switch and a centralized collector. The sFlow agent’s two main activities are random sampling and statistics gathering. It combines interface counters and flow samples and sends them across the network to the sFlow collector. The EX4200 adopts the distributed sFlow architecture. The sFlow agent has two separate sampling entities that are associated with each packet forwarding engine. These sampling entities are known as subagents. Each subagent has a unique ID that is used by the collector to identify the data source. A subagent has its own independent state and forwards its own sample messages to the sFlow agent. The sFlow agent is responsible for packaging the samples into datagrams and sending them to the sFlow collector. Because sampling is distributed across subagents, the protocol overheads associated with sFlow are significantly reduced at the collector. If the mastership assignment changes in a Virtual Chassis setup, sFlow technology continues to function. The sFlow collector uses the sFlow agent’s IP address to determine the source of the sFlow data. The IP address assigned to the agent is based on the following order of priority of interfaces configured on the switch: 1. Virtual management Ethernet (VME) interface 2. Management Ethernet interface If any of the above interfaces have not been configured, the IP address of any Layer 3 interface or the routed VLAN (RVI) interface is used as the IP address for the agent. At least one interface must be configured for an IP address to be assigned to the agent. sFlow data can be used to provide network traffic visibility information. The IP address to be assigned to source data can be configured. If it has not been configured, the IP address of the configured Gigabit Ethernet interface, 10GE interface, or the RVI is used as the source IP address. Infrequent sampling flows are not reported in the sFlow information, but over time the majority of flows are reported. Based on a defined sampling rate, 1 out of N packets is captured and sent to the collector. This type of sampling does not provide a 100 percent accurate result in the analysis, but it does provide a result with quantifiable accuracy. A polling interval defines how often the sFlow data for a specific interface are sent to the collector, but an sFlow agent is free to schedule polling. QFabric uses adaptive sampling to ensure both sampling accuracy and efficiency. Adaptive sampling is a process of monitoring the overall incoming traffic rate on the network device and providing intelligent feedback to interfaces to dynamically adapt their sampling rate to the traffic conditions. Interfaces on which incoming traffic exceeds the system threshold are penalized so that all violations can be regulated without affecting the traffic on other interfaces. Every five seconds, the agent checks interfaces to get the number of samples, and interfaces are grouped based on the slot that they belong to. The top five interfaces that produce the highest samples are selected. Using the binary backoff algorithm, the sampling load on these top five interfaces is reduced to half and adjusted on interfaces that have a lower sample rate. Therefore, when the processor limit is reached , the sampling rate is adapted so that it does not load the processor any further. If the switch is rebooted, the adaptive sample rate is reset to the user configured sample rate. Also, if you modify the sample rate, the adaptive sample rate changes. The advantage of adaptive sampling is that the switch continues to operate at its optimum level even when there is a change in the traffic patterns in the interfaces. You do not need to make any changes. Since the sampling rate is adapted dynamically based on the network conditions, the resources are utilized optimally thereby resulting in a high-performance network.

Page 22 of 45

Comment [OS17]: Insert command here.

Jul 1, 2013 5:09:04 PM MDT p. 37



30.2.8.2 Software Defined Networks (SDN) - Virtualized Switches and Routers •

Technology utilized to support software manipulation of hardware for specific use cases.

JunosV Firefly

JunosV Firefly virtual security software is a significant innovation from Juniper that brings the power of the Junos operating system to x86-based virtualization environments. With JunosV Firefly, large enterprises and service providers can leverage their virtualization investment to create a granular security perimeter, giving dedicated security resources within a cloud construct to tenants and service subscribers. For some service providers this is THE enabler to rolling out hosted cloud security services while for others it will mean expanded customer choice in deployment options spanning dedicated hardware, high-end hardware, and now, virtual machines.

30.2.8.3 Software Defined Networks (SDN) • Controllers - is an application in software-

defined networking (SDN) that manages flow control to enable intelligent networking. SDN controllers are based on protocols, such as OpenFlow, that allow servers to tell switches where to send packets. The SDN controller lies between network devices at one end and applications at the other end. Any communications between applications and devices have to go through the controller. The controller uses multiple routing protocols including OpenFlow to configure network devices and choose the optimal network path for application traffic.

SDN and JunosV Contrail

Trio ASICs (used in the Juniper Networks MX series 3d universal edge routers) and one asICs (used in the newly announced eX9200 Ethernet aggregation switch) are uniquely positioned to solve these challenges because of their flexible and programmable microcode architecture. Their ability to look deep into the encapsulated packets and extract the virtual network identifier allows them to maintain per-tenant statistics which aid in troubleshooting and debugging. Their ability to do fine-grained queuing allows them to provide per-tenant Qos, which helps to isolate tenants from each other, if needed. The micro programmable architecture also allows Juniper to support new data plane protocols without respinning the ASICs, which provides future proofing in the still developing area of SDN. Furthermore, Juniper is building the virtual overlay (including service chaining) and the physical underlay in such a way that 1 + 1 will add up to more than 2. The virtual overlay will be aware of the physical underlay and vice versa. Some examples of the integration between virtual and physical world include:

Flow-through provisioning of the gateway functions, for example in EX series switches, QFabric ™ Family of Products, and MX series routers where the virtual network meets the physical network

Flow-through provisioning of service chaining, including the steering of traffic into the right service chains on the virtual and physical service appliances

Tenant awareness in the underlay for troubleshooting and QoS

Efficient and scalable solutions for dealing with broadcast and multicast traffic in the overlay without requiring multicast in the underlay

JunosV Contrail is a networking virtualization and intelligence system designed to increase business innovation, improve system-level orchestration, and decrease networking costs. It works within the OpenStack and CloudStack architecture, and includes an open, standards-based SDN controller that virtualizes the network to enable automation and orchestration of hybrid cloud environments, elastic service chaining of network and security services, and a robust “Big Data for Infrastructure” (BDI) analytics engine providing a real-time view of the entire network. JunosV Contrail is the industry’s first truly open standards-based IP solution that natively enables Network as a Service (NaaS) across heterogeneous and federated cloud networks. Designed for cloud providers offering IaaS and enterprises delivering ITaaS in emerging application environments, JunosV Contrail software is a complete virtual network automation and intelligence system that offers a standards-

Jul 1, 2013 5:09:04 PM MDT p. 38



based scale-out virtual overlay solution for network virtualization, automated SDN service-chaining of L4-L7 services, and seamless resource delivery across any cloud. Unlike closed, proprietary solutions which lack interoperability with existing networks, do not deliver network/service abstractions, and introduce single points of failure, JunosV Contrail is the industry’s first truly open standards-based IP solution that natively enables NaaS across heterogeneous and federated cloud networks. With JunosV Contrail, the network is no longer a roadblock to speed and agility. It is a vehicle to business innovation.

30.2.8.4 Carrier Aggregation Switches • Carrier aggregation switches route traffic in

addition to bridging (transmitted) Layer 2/Ethernet traffic.






Carrier aggregation switches’ major characteristics are:

Designed for Metro Ethernet networks

Juniper Networks MX Series is optimized for Ethernet, and addresses a wide range of deployments, architectures, port densities, and interfaces for both service provider and enterprise environments. In both markets, MX Series routers provide thescalable, high port density routing and switching required for applications such as data centers. For service providers, MX Series routers surpass the requirements of carrier Ethernet routing and switching as defined by the Metro Ethernet Forum, making Juniper Networks routers the platforms of choice for service providers seeking 3D Scaling in the Universal Edge. These features can also be deployed in high performance enterprise data centers and enterprise campus networks.

Designed for video and other high bandwidth applications

31 Built in 65-nanometer technology, Junos Trio includes four chips with a total of 1.5 billion transistors and 320 simultaneous processes, yielding total router throughput up to 2.6 terabits per second and up to 2.3 million subscribers per rack—far exceeding the performance and scale possible through off-the-shelf silicon. Junos Trio includes advanced forwarding, queuing, scheduling, synchronization, and end-to-end resiliency features, helping customers provide service-level guarantees for voice, video, and data delivery. Junos Trio also incorporates significant power efficiency features to enable more environmentally conscious data center and service provider networks.

Supports a variety of interface types, especially those commonly used by Service Providers

Jul 1, 2013 5:09:04 PM MDT p. 39



WAN interfaces for the multiservice edge – Provides support for most widely used multiservice interfaces, including OC3, OC12, and OC48, facilitating service delivery with a single versatile platform

Flexible Physical Interface Card (PIC) Concentrators (FPCs) support non-Ethernet interfaces on Juniper Networks MX Series. The MX FPC and PIC combination is used to support SONET/SDH interfaces.

MX FPCs use a modular architecture to provide a clean separation between Layer 3 and Layer 2 forwarding functionality on the PFE, and Layer 1 processing on PICs. The FPCs contain the PFE, made up of the I-CHIP and Ethernet Services Engine (ESE). PICs plug into the FPC to support the following functions:

Physical media connectivity

SONET/SDH, T3/E3, T1/E1 framing

HDLC processing

Deep-channelization of OC12 and OC48 interfaces to OC3, T3/E3, T1/E1 and NxDS0 sub-interfaces

CoS support on channelized interfaces, since the PFE on the FPCs support per-port queuing only

Two types of MX FPCs and PICs are supported on the MX Series. They vary in the port speeds supported as well the physical form factor of the PICs themselves.

Type3 MX FPCs – Support Type3 PICs. Each Type3 PIC typically supports an aggregate bandwidth of OC192 or 10 Gbps. The Type3 MX FPC supports PC form factor PICs that are also used on Juniper Networks T Series, M120, and M320 routers. Type3 PICs support OC192 and OC48 ports.

Type2 MX FPCs – Support Type2 PICs. Each Type2 PIC typically supports an aggregate bandwidth of up to OC48 or 4 Gbps. The Type2 MX FPC supports PB form factor PICs that are also used on Juniper Networks T Series, M120, and M320 routers. Type2 PICs support OC48, OC12, OC3, and deep-channelized OC48 and OC12 ports.

All Layer 3 and MPLS routing and forwarding functionality supported by the DPCs are supported on both the MX FPCs. The ESE NPU is used to support VPLS functionality on the MX FPCs for non-Ethernet interfaces.

Type3 MX FPCs and PICs can be used to provide non-Ethernet uplink functionality on MX platforms. Using the ESE NPU, the MX FPC provides VPLS functionality on PPP, Frame Relay, or Cisco HDLC encapsulated packets that contain Ethernet payload. The PICs perform the SONET and HDLC processing, and forward the packet to the ESE NPU. The ESE NPU extracts the Ethernet packets from the pseudo-wire and forwards the packet into a VPLS network using a Layer 2 forwarding table.

Type2 MX FPCs and PICs can be used to connect the MX to non-Ethernet access networks. The PICs support OC48, OC12, and OC3 ports. The Type2 MX FPC is also used to support deep channelization. IQE PICs provide flexible channelization from OC12 to OC3, T3/E3, T1/E1, and NxDS0 interfaces. They also support hierarchical CoS per channelized interface on the PIC.


Redundant Processors Yes, the Juniper MX series has redundant Routing Engines

Redundant Power

Yes, the Juniper MX series had redundant Power Supplies

IPv4 and IPv6 unicast and multicast

MX Series: IPv4 and IPv6 Routing Protocols

Junos implements full IP routing functionality, providing support for IPv4 and IPv6. The routing protocols are fully interoperable with existing IP routing protocols, and they have been developed to provide the scale and control necessary for the Internet core.


Unicast Routing Protocols


Jul 1, 2013 5:09:04 PM MDT p. 40








Multicast Routing Protocols

Support for multicast routing protocols includes:

DVMRP – Distance Vector Multicast Routing Protocol is a dense-mode (flood-and-prune) multicast routing protocol.

IGMP – Internet Group Management Protocol, versions 1 and 2, is used to manage membership in multicast groups.

MSDP – Multicast Source Discovery Protocol enables multiple Protocol Independent Multicast (PIM) sparse mode domains to be joined. A rendezvous point (RP) in a PIM sparse mode domain has a peer relationship with an RP in another domain, enabling it to discover multicast sources from other domains.

PIM sparse mode and dense mode – Protocol-Independent Multicast is a multicast routing protocol. PIM sparse mode routes to multicast groups that might span wide-area and interdomain internets. PIM dense mode is a flood-and-prune protocol.

SAP/SDP – Session Announcement Protocol and Session Description Protocol handle conference session announcements.

MPLS Applications Protocols

Support for MPLS applications protocols includes:

LDP – The Label Distribution Protocol provides a mechanism for distributing labels in nontraffic-engineered applications. LDP enables routers to establish label-switched paths (LSPs) through a network by mapping network-layer routing information directly to data-link layer switched paths. LSPs created by LDP can also traverse LSPs created by the Resource Reservation Protocol (RSVP).

MPLS – Multiprotocol Label Switching, formerly known as tag switching, enables you to manually or dynamically configure LSPs through a network. It lets you direct traffic through particular paths rather than rely on the IGP’s least-cost algorithm to choose a path.

RSVP – The Resource Reservation Protocol, version 1, provides a mechanism for engineering network traffic patterns that is independent of the shortest path decided upon by a routing protocol. RSVP itself is not a routing protocol; it operates with current and future unicast and multicast routing protocols. The primary purpose of the Junos RSVP software is to support dynamic signaling for MPLS LSPs.


Junos implements IP routing functionality for IPv6 to provide the scale and control necessary for the Internet core. Junos supports the following IPv6 unicast protocols:

BGP (v4)

ICMP

IS-IS

OSPF

Jul 1, 2013 5:09:04 PM MDT p. 41



RIP

High bandwidth

32 Ethernet bandwidth requirements continue to rise as a result of companies needing high-speed connectivity between their geographically dispersed sites. In addition, there is an increased reliance on collaborative applications across a globally distributed user base which requires sharing data across the WAN. These are often multimedia applications—including video conferencing and video streaming—and thus require extremely high bandwidth and low latency.

33 In addition to these basic requirements, service providers seeking to provide a differentiated user experience are finding they must scale their networks to support increasingly higher amounts of bandwidth, services, and subscribers. Scaling the network in these three dimensions will be critical to securing competitive differentiation for the next generation of services. Scalability is further enhanced by the ability to interconnect and manage multiple chassis as a single, logical device—improving operational efficiency while lowering TCO.

34 To address these requirements, Juniper Networks MX Series 3D Universal Edge Routers deliver a high-performance network infrastructure that provides fast, secure, and reliable delivery of the applications that drive business processes—while containing cost and increasing operational efficiency.

Low latency

Powered by Juniper Networks Junos operating system, the MX Series provides a consistent operating environment that streamlines network operations and improves the availability, performance, and security of all types of services supported at the Universal Edge. The MX Series maximizes investment protection by offering the most complete, advanced routing features in the industry without compromising performance. These features include:

Traffic segmentation and virtualization with MPLS;

Sophisticated virtualization techniques such as Virtual Chassis, logical systems, and ultra-low-latency multicast;

Comprehensive security and QoS implementations to accelerate delivery of time-sensitive applications and services.

The carrier-class reliability and high availability features available on the MX Series include graceful restart, nonstop routing (NSR), fast reroute (FRR), Unified In-Service Software Upgrade (ISSU), and VPLS multihoming.


MPLS (Multiprotocol Label Switching).

As an industry leader in the development and deployment of MPLS, Juniper Networks leads the way in making it possible for enterprises and service providers to implement network architectures and services based on MPLS. Our MX Series provides a wide range of MPLS features and functionality powered by Junos OS. The feature richness of Junos OS provides the MX Series an advantage over other operating systems that are either too immature to support the required MPLS feature breadth or architected in a monolithic fashion, making them too complicated or unwieldy to efficiently manage.

MPLS has traditionally been found in network backbones to provide traffic engineering and allow the efficient transport of a wide range of Layer 2 and Layer 3 traffic such as IP, Frame Relay, and ATM. Extending MPLS to Ethernet networks provides complementary capabilities to help:

Deal with more traffic types.

Provide greater resiliency, QoS, restoration techniques, and OA&M diagnostic capabilities.

Further enable users to consolidate traffic types on a single, common IP/MPLS network.

BGP (Border Gateway Protocol)




Comment [OS18]: Need to check on IPv6 Multicast support.

Comment [OS19]: Research

Jul 1, 2013 5:09:04 PM MDT p. 42






Software router virtualization and/or multiple routing tables

The Juniper MX series can virtualize one device to many devices using services such as a Virtual Router, Logical Systems, and a Virtual Switch, which virtualizes physical routers as multiple logical entities

Policy based routing

Yes, the Juniper MX series supports Policy Based Routing

Layer 2 functionality

i. Per VLAN Spanning Tree

Juniper Networks MX Series supports the VLAN Spanning Tree Protocol (VSTP). VSTP maintains a separate spanning tree instance for each VLAN, and is compatible with the Per-VLAN Spanning Tree Plus (PVST+) and Rapid-PVST+ protocols supported on Cisco Systems routers and switches.

ii. Rapid Spanning Tree

To provide Layer 2 loop prevention, Juniper Networks MX Series 3D Universal Edge routers support a range of STP varieties, including Rapid Spanning Tree protocol (RSTP), Multiple Spanning Tree Protocol (MSTP) and VLAN Spanning Tree Protocol (VSTP). In each of these flavors, a loop-free network is computed through the exchange of a special type of frame called bridge protocol data unit (BPDU), which contains information such as bridge IDs and root path costs.

iii. VLAN IDs up to 4096

The Juniper MX Series supports VLAN Identifiers 0 through 4095

iv. Layer 2 Class of Service (IEEE 802.1p)

Yes, the Juniper MX Series supports 801.1p

v. Link Aggregation Control Protocol (LACP)

Yes, the Juniper MX supports LACP

vi. QinQ (IEEE 802.1ad)

Yes, the Juniper MX supports 802.1ad

34.2.8.2 Carrier Ethernet Access Switches • A carrier Ethernet access switch can

connect directly to the customer or be utilized as a network interface on the service side to provide layer 2 services.

ACX Series: Overview and Models

Juniper Networks ACX Series Universal Access Routers are built to support adaptive services architecture, enabling rapid deployment of access services and transforming the network to create a seamless end-to-end service delivery platform. Many networks have reaped benefits from convergence in the core as well as on the edge, and a similar transformation is clearly required in the access network. The ACX Series is an architecture that extends operational intelligence to that network.


Jul 1, 2013 5:09:04 PM MDT p. 43



The ACX Series is well-positioned to address the growing bandwidth needs in the access network. These platforms deliver the scale and performance needed to support multi-generation services. With support for extensive hardware and software features, the ACX Series extends the operational intelligence all the way to the access network.

Powered by Junos OS, the ACX Series family complements Juniper Networks Universal Edge and Universal WAN solutions, integrating the mobile network with a flexible, scalable enterprise branch routing portfolio. The ACX Series is optimized to support rapidly growing mobile, video, and cloud computing applications.



Interfaces for both time-division multiplexing (TDM)

Ethernet high density (1GE, PoE, and 10GE)


Mobile networks evolution path from 2G/2.5G to 3G/4G/Long Term Evolution (LTE)


ACX Series Models


ACX1000 – Juniper Networks ACX1000 (shown in Figure xxx) with fan-less passive cooling and a compact 1 RU (1.75 in.) form factor is an ideal access platform for external cabinet deployments. The fixed-port configuration includes eight T1/E1 interfaces, eight copper 1GE (10/100/1000) interfaces, and four 1GE combination ports (fiber or copper).

ACX1100 – Juniper Networks ACX1100 with fan-less passive cooling and a compact 1 RU (1.75 in.) form factor is an Ethernet-only access platform with a mix of copper and fiber 1GE interfaces. The fixed-port configuration includes four copper 10/100/1000 Mbps interfaces, four 1GE combination ports (copper or fiber interfaces), and four 1GE SFP ports.

ACX2000 – Juniper Networks ACX2000 with fan-less passive cooling provides a versatile access platform in a compact 1 RU (1.75 in.) fixed-form factor that includes TDM, 1GE, and 10GE interfaces. The fixed-port configuration includes 16 TDM (T1/E1) interfaces, eight copper 1GE interfaces with PoE+ (65W) capability on two ports, two 1GE SFP ports, and two10GE SFP+ ports.


ACX4000 – Juniper Networks ACX4000 Universal Access Router is an environmentally hardened, actively cooled, 2 RU (2.5 in.) modular system that includes TDM, 1GE, and 10GE interfaces to provide a versatile access platform. The modular configuration includes 16 T1/E1 interfaces, eight copper 1GE interfaces, two 1GE SFP ports, two PoE+ ports, two 10GE SFP+ ports, and a choice of two modular interface cards (MICs).

Page 23 of 45

Jul 1, 2013 5:09:04 PM MDT p. 44



Hot-swappable and field-replaceable integrated power supply and fan tray

AC or DC power supply with DC input ranging from 18V to 32 VDC and 36V to 72 VDC




AC power – 90 -240 VAC, for ACX1100-AC only

Maximum power draw:

o ACX1100 – 35 W

o ACX1100-DC – 40 W



DC power

o -48 V or -60 V Telco nominal or +24 VDC nominal

Maximum power draw – 70 W (plus PoE power)



DC power – -48 V or- 60 V Telco nominal or +24 VDC nominal

AC power – 90-240 VAC, for ACX-2100 only

Maximum power draw:

o ACX2100 – 60 W

o ACX2100-DC – 80 W




AC power – 90-240 VAC

Maximum power draw:

o Without MICs – 150 W

o Each MIC – 45 W

o Each PoE++ port – 65 W

Ethernet and console port for manageability

Yes, the Juniper ACX series can be managed via console or Ethernet

SD flash card slot for additional external storage

The Juniper ACX has a USB slot for external storage

Stratum 3 network clock

ACX hardware and software supports various clocking options where the chassis can lock to physical

Jul 1, 2013 5:09:04 PM MDT p. 45



layer based SyncE, PTP/1588v2 messages, line timing and BITS and drives out clock on T1/E1, BITS,

Synchronous Ethernet on FE/GE/XE ports and 1 PPS. ACX uses OCXO (Stratum 3E) type of oscillator.

Line-rate performance with a minimum of 62-million packets per second (MPPS) forwarding rate

The ACX Delivers line-rate performance with a packet forwarding capacity ranging from 36Mpps (ACX1000/1100) to 125 Mpps (AXC4000).

Support for dying gasp on loss of power

Support for a variety of small form factor pluggable transceiver (SFP and SFP+) with support for Device Object Model (DOM)

Onboard and modular interface options: ACX1000 unit, 8xT1/E1, 8xGbE copper, 4xGbE combination (copper or SFP) ACX1100 unit, 8xGbE copper and 4xGbE combination (copper or SFP), ACX2000 unit, 16xT1/E1, 2x10GbE SFP+, 8xGbE copper with PoE++ on two ports, 2xGbE SFP ACX2100 unit, 16xT1/E1, 2x10GbE SFP+, 4xGbE copper, 4xGbE combination (copper or fiber), 2xGbE SFP ACX4000 modular unit, 2x10GbE SFP+, 8xGbE combo (copper/fiber) with PoE++ on two ports, 2xGbE SFP 6xGbE copper/SFP MIC for ACX4000 4xCHOC3/STM-1/1xCHOC12/STM-4 MIC for ACX4000 16x T1/E1 MIC for ACX4000

Timing services for a converged access network to support mobile solutions, including Radio Access Network (RAN) applications

ACX is a Cell/Hub Site Router (CSR/HSR), primarily targeted to deploy in mobile backhaul networks to hand off variety of TDM, ATM, and Ethernet traffic into IP/MPLS network. ACX can be directly connected to multiple variants of base stations (like BTS in 2G, NodeB in 3G and eNodeB in 4G) and can form a ring or mesh topology or can act as a head-end/aggregation node of the ring that can be connected to metro ring. Juniper’s MX node can be used on the other side where the TDM, ATM and Ethernet traffic is handed over to the controller stations. On top of delivering various services, clocking is an important feature on ACX where it should be able to extract the network clock and pass on synchronization information to the base stations to help these nodes to be in sync with the controller stations.

Support for Synchronous Ethernet (SyncE) services

35 ACX hardware and software supports various clocking options where the chassis can lock to physical layer based SyncE, PTP/1588v2 messages, line timing and BITS and drives out clock on T1/E1, BITS, Synchronous Ethernet on FE/GE/XE ports and 1 PPS. ACX uses OCXO (Stratum 3E) type of oscillator.

Supports Hierarchical Quality of Service (H-QoS) to provide granular traffic- shaping policies

ACX: QoS Features

QoS features supported by Juniper Networks ACX2000 include the following:

Firewall filters (ACLs):

o Standard firewall filter match conditions for MPLS traffic

o family inet

o family ccc/any

Policing:

o Per logical interface

o Per physical interface

o Per family

TrTCM (color aware, color blind)

SrTCM (color aware, color blind)

Host protection

Comment [OS20]: Need to validate

Comment [OS21]: Not sure about DOM

Jul 1, 2013 5:09:04 PM MDT p. 46



8 queues per port

Priority queuing

Rate control

Scheduling with 2 different priorities

Low Latency Queue (LLQ)

WRED with 2 levels of DP

Classification:

o DSCP

o MPLS EXP

o IEEE 802.1p

Rewrite:

o DSCP

o MPLS EXP

o IEE 802.1p

o MPLS and DCP to different values

Supports Resilient Ethernet Protocol REP/G.8032 for rapid layer-two convergence

35.2.9 WIRELESS • Provides connectivity to wireless devices within a limited

geographic area.

The demands of a mobile workforce and the “consumerization” of IT have forever changed the requirements for enterprise-class wireless networking solutions. Legacy WLAN networks are challenged to support the onslaught of mobile devices accessing the network and the drain on network resources caused by a vast array of media-rich applications. You need a new network, one that can deliver always-on wireless access to the resources that give you a competitive advantage.

Juniper has delivered this network to thousands of customers around the globe. We have designed an innovative, high-performance wireless solution to address the challenges of today’s market and enable businesses to take advantage of the shifts taking place. Juniper WLAN products deliver the highest level of wireless LAN reliability, performance, security and management for the most demanding mobile applications and users.

With an understanding of your current wireless deployment and projected growth and applications, we propose the following Juniper Networks platforms as the ideal solution for meeting your short-term business goals and long-term architectural requirements:

Wireless LAN (WLAN) solution – Juniper Networks’ innovative wireless controllers, access points and management tools are the most scalable and reliable in the industry, and are the only ones that offer hitless failover for all sessions—even under the most extreme network failure conditions. The Juniper solutions also offer simple yet complete access control for guest, employee owned (BYOD) and corporate owned devices.

System capabilities should include:

Redundancy and automatic failover



Jul 1, 2013 5:09:04 PM MDT p. 47



IPv6 compatibility Configuring IPv6 addresses is not supported, but IPv6 clients are supported. The WLC can view IPv6 session information and control IPv6 ACLs. The session information now includes:

IPv6 information of both dual-stack and IPv6 only clients. 16 of the most recent IPv6 addresses plus one local link address of a client. For dual stack clients, the IPv4 session is kept for storing IPv6 addresses.

Pv6 packets are classified at QoS level based on the DSCP value. In the IPv6 header the six most significant bits of the Traffic class field are used for DSCP. For downstream traffic, the WLC marks the DSCP in the Tunnel encapsulation, based on 802.1p or DSCP value mapped to the internal CoS value. The WLA maps the Tunnel DSCP to the internal CoS value and marks the packet user priority based on the internal CoS value. For upstream traffic, the WLA classifies packets based on the user priority in the 802.11 header and maps this to the internal CoS value. Then, the WLA marks the DSCP value in the Tunnel header based on the internal CoS value. The WLC classifies the packet based on DSCP and maps it to the internal CoS value. Based on the internal CoS value, the WLC marks the 802.1p value and also the DSCP field if a tunnel is present

NTP Support

35.2.9.1 Access Points • A wireless Access Point (AP) is a device that allows wireless

devices to connect to a wired network using Wi-Fi, or related standards. Capabilities should include:

802.11a/b/g/n

Juniper Wireless Portfolio support 802.11 a/b/g/n

802.11n






802.11ac

802.11AC is a roadmap item for the Juniper Wireless Solution



UL2043 plenum rated for safe mounting in a variety of indoor environments

The Juniper WLA522E and WLA532E models are UL2043 plenum rated

Support AES-CCMP (128-bit)


WIDS/WIPS



35.2.9.2 Outdoor Wireless Access Points • Outdoor APs are rugged, with a metal

cover and a DIN rail or other type of mount. During operations they can tolerate a wide temperature range, high humidity and exposure to water, dust, and oil.

Comment [OS23]: research

Comment [OS24]: Need to revise


Jul 1, 2013 5:09:04 PM MDT p. 48



36 Juniper Networks WLA632 Wireless LAN Access Point (shown in Figure xxx) is a ruggedized dual-radio 3x3 MIMO access point designed for outdoor deployment in all weather conditions. In addition to enabling wireless users to stay seamlessly connected as they roam from building to building, it also provides mesh services to extend wireless access in areas where Ethernet cabling cannot reach or is not desired. Point-to-point bridging is also supported, allowing the WLA632 to interconnect different sites over the air, without needing to lay or lease fiber.

37 The WLA632 comes with complete security and networking services, along with advanced performance and scalability features which enable the access points to offload controllers by inspecting and forwarding traffic locally and performing encryption and security enforcement at the access point. The WLA632 also provides band steering, client load balancing, dynamic authorization, QoS, and bandwidth management—all of which provide a more consistent user experience as traffic is more evenly distributed across controllers, access points, and radios. This also improves scalability, providing the same consistent user experience for thousands of mobile users and devices.


Flexible Deployment Options

Installation and configuration specifications for Juniper Networks WLA632 follow:

Mounting

o Outdoor pole mount brackets and swivel collar

Powering

o External PSU 48VDC with 8-pin (male) DIN connector


WIDS/WIPS




38 Yes, the Juniper WLAs can use DHCP Options (VSAs) to locate their controller.

38.2.8.1 Wireless LAN Controllers • An onsite or offsite solution utilized to manage light-weight access

points in large quantities by the network administrator or network operations center. The WLAN

controller automatically handles the configuration of wireless access-points.

Juniper Networks WLC Series WLAN Controllers enable seamless integration of reliable, scalable, secure WLANs with existing wired infrastructures in installations of any size—from corporate small branch offices to the largest business or university campus.



The WLC Series provides Layer 2 Ethernet switching, stateful per user and per service firewalls, wireless intrusion protection, 802.1Q trunking, Per-VLAN Spanning Tree Plus (PVST+), complete wired to wireless QoS, and automated radio frequency (RF) management.

Jul 1, 2013 5:09:04 PM MDT p. 49



The WLC Series delivers all of the standard security and networking functionality expected of wireless LANs with the added benefits of intelligent switching, identity-based roaming, bridging and mesh services, and nonstop wireless availability. These features are consistent and supported across every model. The WLC Series includes the following models.


Ability to monitor and mitigate RF interference/self-heal

39 WLC Series controllers play a key role in rogue and intrusion detection, as well as DoS attack detection. Working in conjunction with access points, the controllers systematically scan all 802.11 channels while simultaneously providing client services. When rogue or interference sources are detected, the WLC Series coordinates the appropriate mitigation response to ensure the highest air quality for efficient and high-performing wireless access services. If an access point goes out of service and leaves a coverage hole, WLC Series controllers can change channels or adjust power levels on multiple nearby access points in a coordinated fashion in order to restore Wi-Fi coverage.

Support seamless roaming from AP to AP without requiring re-authentication

40 WLC Series controllers give users the same identity-based services and privileges, no matter where they connect. The WLC Series offers seamless roaming at a single location, and it enables the same secure mobility and consistent service profiles at multiple locations in the same network.

41 Applying identity-based networking globally offers great benefits to users who frequently work at different sites (for example, doctors who serve at many hospitals with a hospital system, teachers across a school district, or IT users across multiple campuses). Whatever the experience a user has at one site, it can be replicated at another similar site.


System encrypts all management layer traffic and passes it through a secure tunnel

The Juniper WLC products provides encryption of data path tunnels, between pairs of WLC and remote APs

Policy management of users and devices provides ability to de-authorize or deny devices without denying the credentials of the user, nor disrupting other AP traffic


41.2.8.2 Wireless LAN Network Services and Management • Enables network

administrators to quickly plan, configure and deploy a wireless network, as well as provide additional WLAN services. Some examples include wireless security, asset tracking, and location services.

Juniper Networks RingMaster Global is a secure, highly scalable platform that consolidates the management of multiple RingMaster Software-based wireless LANs. It provides network status data and alarms for each WLAN as well as network loading and traffic patterns across the entire wireless deployment.

Features of Ringmaster Global follow:

Management of up to 20 fully loaded RingMaster servers or WLM1200 Management appliances

Support for as many as 100,000 access points

Standard reports for executive-level snapshots, including network health status and utilization trends

Support for a variety of deployment models, including distributed mode and centralized mode

Secure single sign-on to RingMaster Global, RingMaster Software-based servers, and other network resources via RADIUS

RingMaster Global makes it possible to drill down to any level of detail anywhere in the entire wireless deployment, including the user, device, access point, or controller level.


Comment [OS27]: Need to Clarify



Jul 1, 2013 5:09:04 PM MDT p. 50



RingMaster Global has a flexible architecture which supports alternate WLAN management approaches adopted by different organizations. In a distributed mode, RingMaster Global consolidates information from distributed RingMaster Software-based servers deployed locally on the wireless network it is managing. In centralized mode, RingMaster Global consolidates information from fewer RingMaster Software-based servers located in the same NOC, with each managing one or more smaller networks around the globe.


Provide for redundancy and automatic failover

Historical trend and real time performance reporting is supported

42 With periodic audits, RingMaster can detect such conditions as missing or incorrectly configured equipment and services. If 43 a problem is found, RingMaster instantaneously sends out an alarm, with such notifications as client authentication failures, 44 spoofed media access control (MAC) addresses, controller failures, denial-of-service (DoS) attacks and Power over ethernet 45 (PoE) failures detected. 46

47 Reports are generated according to predefined schedules, with the output stored on the RingMaster server and accessible via secure Internet connections or email. RingMaster stores one year of comprehensive historical records and 30 days of location history. A wide range of predefined report types are provided, including inventory, client session summary, clients per locale, SSID usage and availability, rogue summary, switch configuration, and equipment installation. Custom reports with access to almost any data set can be created, with a wide range of output and report sharing options.

48

Management access to wireless network components is secured

SNMPv3 enabled

RFC 1213 compliant

Automatically discover wireless network components

Capability to alert for outages and utilization threshold exceptions

Capability to support Apple’s Bonjour Protocol / mDNS

QoS / Application identification capability

48.2.8.2 Cloud-based services for Access Points • Cloud-based management of

campus-wide WiFi deployments and distributed multi-site networks. Capabilities include:

Zero-touch access point provisioning

Network-wide visibility and control

RF optimization,

Firmware updates

48.2.8.3 Bring Your Own Device (BYOD) • Mobile Data Management (MDM)

technology utilized to allow employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access privileged government information and applications in a secure manner. Capabilities should include:

Ability to apply corporate policy to new devices accessing the network resources, whether wired or wireless

Provide user and devices authentication to the network

Page 25 of 45

Jul 1, 2013 5:09:04 PM MDT p. 51



Provide secure remote access capability

Support 802.1x

Network optimization for performance, scalability, and user experience

5.3.1 UNIFIED COMMUNICATIONS (UC) • A set of products that provides a consistent

unified user interface and user experience across multiple devices and media types. Unified Communications that is able to provide services such as session management, voice, video, messaging, mobility, and web conferencing. It can provide the foundation for advanced unified communications capabilities of IM and presence-based services and extends telephony features and capabilities to packet telephony network devices such as IP phones, media processing devices, Voice over IP (VoIP) gateways, and multimedia applications. Additional services, such as unified messaging, multimedia conferencing, collaborative contact centers, and interactive multimedia response systems, are made possible through open telephony APIs. General UC solution capabilities should include:

High Availability for Call Processing

Hardware Platform High Availability

Network Connectivity High Availability

Call Processing Redundancy

5.3.1.1 IP Telephony • Solutions utilized to provide the delivery of the telephony

application (for example, call setup and teardown, and telephony features) over IP, instead of using circuit-switched or other modalities. Capabilities should include:

Support for analog, digital, and IP endpoints

Centralized Management

Provide basic hunt group and call queuing capabilities

Flexibility to configure queue depth and hold time, play unique announcements and Music on Hold (MoH), log in and log out users from a queue and basic queue statistics (from the phone

E911 Support

5.3.1.2 Instant messaging/ Presence • Solutions that allow communication over the

Internet that offers quick transmission of text-based messages from sender to receiver. In push mode between two or more people using personal computers or other devices, along with shared clients, instant messaging basically offers real- time direct written language-based online chat. Instant messaging may also provide video calling, file sharing, PC-to-PC voice calling and PC-to-regular- phone calling.

5.3.1.3 Unified messaging • Integration of different electronic messaging and

communications media (e-mail, SMS, Fax, voicemail, video messaging, etc.) technologies into a single interface, accessible from a variety of different devices.

Ability to access and manage voice messages in a variety of ways, using email inbox, Web browser, desktop client, VoIP phone, or mobile phone

Visual Voicemail Support (Optional)

5.3.1.4 Contact Center • A computer-based system that provides call and contact

routing for high-volume telephony transactions, with specialist answering “agent” stations and a sophisticated real-time contact management system. The definition includes all contact center systems that provide inbound contact handling capabilities and automatic contact distribution, combined with a high degree of sophistication in terms of dynamic contact traffic management.

Page 26 of 45

Jul 1, 2013 5:09:04 PM MDT p. 52




Attendant Consoles

IP Phones

5.3.1.6 UC Network Management • Provides end-to-end service management for

Unified Communications. Capabilities include testing, performance monitoring, configuration management, and business intelligence reporting.

5.3.1.7 Collaboration • Voice, video, and web conferencing; messaging; mobile

applications; and enterprise social software.

5.3.1.8 Collaborative Video • A set of immersive video technologies that enable

people to feel or appear as if they were present in a location that they are not physically in. Immersive video consists of a multiple codec video system, where each meeting attendee uses an immersive video room to “dial in” and can see/talk to every other member on a screen (or screens) as if they were in the same room and provides call control that enables intelligent video bandwidth management.

5.3.1.8.1 Content Delivery Systems (CDS) • A large distributed system

of servers deployed in multiple data centers connected by the Internet. The purpose of the content delivery system is to serve content to end-users with high availability and high performance. CDSs serve content over the Internet, including web objects (text, graphics, URLs, and scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, on-demand streaming media, and social networks.

5.3.1.8.2 Physical Security • Technology utilized to restricting physical

access by unauthorized people to controlled facilities. Technologies include:

a. Access control systems

b. Detection/Identification systems, such as surveillance systems, closed circuit television cameras, or IP camera networks and the associated monitoring systems.

c. Response systems such as alert systems, desktop monitoring systems, radios, mobile phones, IP phones, and digital signage

d. Building and energy controls

5.3.1 SERVICES • For each Category above (5.21-5.30), the following services should

be available for procurement as well at the time of product purchase or anytime afterwards.

5.3.1.1 Maintenance Services • Capability to provide technical support, flexible

hardware coverage, and smart, proactive device diagnostics for hardware.

5.3.1.2 Professional Services

Deployment Services

• Survey/ Design Services • Includes, but not limited to, discovery, design, architecture review/validation, and readiness assessment.

• Implementation Services • Includes, but not limited to, basic installation and configuration or end-to-end integration and deployment.

Page 27 of 45

Jul 1, 2013 5:09:04 PM MDT p. 53



• Optimization • Includes, but not limited to, assessing operational environment readiness, identify ways to increase efficiencies throughout the network, and optimize Customer’s infrastructure, applications and service management.

Remote Management Services • Includes, but not limited to, continuous monitoring, incident management, problem management, change management, and utilization and performance reporting that may be on a subscription basis.

Consulting/Advisory Services • Includes, but not limited to, assessing the availability, reliability, security and performance of Customer’s existing solutions.

Data Communications Architectural Design Services • Developing architectural strategies and roadmaps for transforming Customer’s existing network architecture and operations management.

Statement of Work (SOW) Services • Customer-specific tasks to be accomplished and/or services to be delivered based on Customer’s business and technical requirements.

5.3.1.3 Partner Services • Provided by Contractor’s Authorized Partners/Resellers.

Subject to Contractor’s approval and the certifications held by its Partners/Resellers, many Partners/Resellers can also offer and provide some or all of the Services as listed above at competitive pricing, along with local presence and support. As the prime, Contractor is still ultimately responsible for the performance of its Partners/ Resellers. Customers can have the option to purchase the Services to be directly delivered by Contractor (OEM) or its certified Partners/Resellers.

5.3.1.4 Training • Learning offerings for IT professionals on networking technologies,

including but not limited to designing, implementing, operating, configuring, and troubleshooting network systems pertaining to items provided under the master agreement.

5.3.2 ADDING PRODUCTS

The ability to add new equipment and services is for the convenience and benefit of WSCA- NASPO, the Participating States, and all the Authorized Purchasers. The intent of this process is to promote “one-stop shopping” and convenience for the customers and equally important, to make the contract flexible in keeping up with rapid technological advances. The option to add new product or service categories and/items will expedite the delivery and implementation of new technology solutions for the benefit of the Authorized Purchasers.

After the contracts are awarded, additional IT product categories and/or items may be added per the request of the Contractor, a Participating State, an Authorized Purchaser or WSCA-NASPO. Additions may be ad hoc and temporary in nature or permanent. All additions to an awarded Contractor or Manufacturer’s offerings must be products, services, software, or solutions that are commercially available at the time they are added to the contract award and fall within the original scope and intent of the RFP (i.e., converged technologies, value adds to manufacturer’s solution offerings, etc.).

5.3.2.1 New Product from Contractors • If Contractor, a Participating State, an Authorized

Purchaser or WSCA-NASPO itself requests to add new product categories permanently, then all awarded Contractors (Manufacturers) will be notified of the proposed change and will have the opportunity to work with WSCA to determine applicability, introduction, etc. Any new products or services must be reviewed and approved by the WSCA-NASPO Contract Administrator.

5.3.2.2 Ad Hoc Product Additions • A request for an ad hoc, temporary addition of a product

Page 28 of 45

Jul 1, 2013 5:09:04 PM MDT p. 54



category/item must be submitted to WSCA-NAPOS via the governmental entity’s contracting/purchasing officer. Ad hoc, temporary requests will be handled on a case-by-case basis.

5.3.2.3 Pricelist Updates • As part of each Contractor’s ongoing updates to its pricelists

throughout the contract term, Contractor can add new SKUs to its awarded product categories that may have been developed in-house or obtained through mergers, acquisitions or joint ventures; provided, however, that such new SKUs fall within the Contractor’s awarded product categories.

Section 6: Evaluation


Proposals will be evaluated for completeness and compliance with the requirements of this RFP by a sourcing team. The sourcing team may engage additional qualified individuals during the process to assist with technical, financial, legal, or other matters.

Except at the invitation of the sourcing team, no activity or comments from Offerors regarding this RFP shall be discussed with any member of the sourcing team during the evaluation process. An Offeror who contacts a member of the sourcing team in reference to this RFP may have its proposal rejected.

Each proposal must be submitted in Microsoft Word or Excel, or PDF labeled and organized in a manner that is congruent with the section number, headings, requirements, and terminology used in this RFP. Proposal documents must be use Arial font size 10. All proposals must be submitted in electronic form.

6.2 Administrative Requirements Compliance

The sourcing team will evaluate each proposal for compliance with administrative requirements. Non compliance with any of these requirements will render a proposal non-responsive. Only those proposals that pass the administrative requirements will be evaluated further.

In order to pass the Administrative Requirements, the following must be received by due date and time associated with this RFP as listed in Bid Sync.

6.2.1 References

Vendor must provide a least three current account references for which your company provides similar Data Communications services for private, state and/or large local government clients (preferably government/public entities). Offerors are required to submit Attachment B - Reference Form, for business references. The business providing the reference must submit the Reference Form directly to the State of Utah, Division of Purchasing. It is the offeror’s responsibility to ensure that completed

forms are received by the State of Utah Division of Purchasing on or before the proposal submission deadline for inclusion in the evaluation process. Business references not received, or not complete, may adversely affect the offeror’s score in the evaluation process. The Purchasing Division reserves the right to contact any or all business references for validation of information submitted.

6.3 Minimum Scope Requirements Compliance

Page 29 of 45

Jul 1, 2013 5:09:04 PM MDT p. 55



The sourcing team will evaluate each proposal that passed the administrative requirements for compliance with Section 5.2 Data Communications Services – Requirements. Scope requirements are evaluated in terms of the breadth and depth of the offeror proposal for each of the section 5.2.1-5.3.0 Scope categories. Only those proposals in each section that score 70% or better will move on to cost evaluation.

6.4 Evaluation Criteria

The following table details how each proposal shall be evaluated on a basis of 100 points.

An evaluation committee comprised of representatives from some WSCA-NASPO member States will be appointed by the WSCA-NASPO Contract Administrator to perform the proposal evaluation.

All Offeror’s proposals will be initially reviewed for compliance with the mandatory general requirements in Section 3 and Sections 5.1.1-5.1.5 stated within the RFP. Any proposal failing to meet one or more mandatory requirement(s) will be considered non-responsive and deemed “unacceptable”, and will be eliminated from further consideration.

Those proposals deemed “acceptable” or “potentially acceptable” will be evaluated against the following proposal evaluation criteria using a point-based scoring methodology. Proposal evaluation criteria are listed in relative order of importance:

6.4.1 Cost – (bid sheets including discounts off list price attached) – 30%

Given that technology products generally depreciate over time and go through typical product lifecycles, it is more favorable for customers to have prime contracts be based on minimum discounts off the Offeror’s’ commercially published pricelists versus fixed pricing. In addition, Offerors must have the ability to update and refresh their respective price books, as long as the agreed-upon discounts are fixed. Minimum guaranteed contract discounts do not preclude an Offeror and/or its authorized resellers from providing deeper or additional, incremental discounts at there sole discretion.

6.4.1.1 Refurbished Equipment – Many IT manufacturers offer refurbished

equipment at a substantially lower cost with attractive warranties that also address risk concerns some customers may have with refurbished gear. Offerors may add an optional provision for manufacturer-certified refurbished equipment to be available for procurement under this contract. This offering will not be evaluated as part of the cost scoring process.

6.4.2 Demonstrate ability to provide products and services within scope of the RFP (Section 5.2-5.31) – 25%

6.4.3 Qualifications, technical ability, maintenance, training and value added services – 10%

6.4.4 Ability to supply to WSCA / NASPO member states/geographical coverage -10%

6.4.5 Offer profile and references (i.e., financial stability, presence in marketplace, adequate staff, marketing efforts etc.) – 20%

6.4.6 Administrative (i.e., report generating ability, e-commerce, account reps, problem resolution, customer satisfaction, website hosting and other administrative related issues) – 5%

At the option of the evaluation committee the WSCA-NASPO Contract Administrator may initiate discussion(s) with Offerors who submit responsive or potentially responsive proposals for the purpose of clarifying aspects of the proposal(s), however, proposals may be evaluated without

Page 30 of 45

Jul 1, 2013 5:09:04 PM MDT p. 56



such discussion(s). Such discussion(s) is not to be initiated by Offerors.

Based on the competitive range of the evaluation scores, the evaluation committee may choose to make a “finalist list” of offeror’s; if opted for, all offeror’s will be notified of their status at this juncture by the Procurement Manager.

Finalist Offeror’s may be required, at the option of the evaluation committee, to present their proposals and possibly demonstrate their Internet website to the evaluation committee. The Procurement Manager will schedule the time and location for each Offeror presentation. Each Offeror presentation will be of equal duration for all offeror’s and may also include an additional amount of time reserved for questions/answers.

The sourcing team will evaluate each proposal that has passed the administrative requirements and met or exceeded the Section 3 and Section 5.1.1-5.1.5 Mandatory Requirements.

Page 31 of 45

Jul 1, 2013 5:09:04 PM MDT p. 57



WSCA-NASPO Data Communications Equipment and Associated Products #JP14001

Firm Name:

Section Number:

Evaluator:

Date:

Score will be assigned as follows:

0 = Failure, no response

1 = Poor, inadequate, fails to meet requirement

2 = Fair, only partially responsive

3 = Average, meets minimum requirement

4 = Above average, exceeds minimum requirement

5 = Superior

Score

(0-5)

Weight Points

1. Demonstrated Ability to meet scope of

requirements (25 points possible)

------- -------

Scope and Varity of products provided 8 points possible X 1.6 Experience and technical ability of

manufacturer

7 points possible X 1.4

Maintenance Program 2 points

possible

X .40

Training Program 2 points

possible

X .40

Service Program 2 points

possible

X .40

Demonstrate Effective Reseller Program

managed by the manufacturer in WSCA /

NASPO States

4 points

possible

X .80

2. Demonstrate Qualifications and Technical

Ability (10 points possible)

------- ---------

Technical Staff Qualifications 2 points possible X .40 Maintenance Staff Qualifications 2 points possible X .40 Training Staff Qualifications 2 points possible X .40 Technical Suitability of Products 4 points possible X .80 3. Demonstrate ability to supply WSCA /

NASPO member States

(10 points possible)

10 points

possible

X 2

4. Company profile and references (20 points) ----- -------- Financial Statements and Records 10 points

possible

X 2

References, Reputation, Breadth and Depth of

Offering

10 points

possible

X 2

5. Demonstrate ability to provide

administrative support (5 points possible)

5 points possible X 1

6. Cost (30 points possible)* 30 points ------- -------- * Inserted

Page 32 of 45

Jul 1, 2013 5:09:04 PM MDT p. 58



Services (10 Points)

Product Offering Discount Percentage (20 points)

possible by

Purchasing

TOTAL EVALUATION POINTS (100 points

possible)

Total

* Purchasing will use the following cost formula for the “Services”: The points assigned to

each Offeror’s cost proposal will be based on the lowest proposal price. The offeror with the

lowest Proposed Price will receive 100% of the price points. All other Offerors will receive a

portion of the total cost points based on what percentage higher their Proposed Price is than

the Lowest Proposed Price. An Offeror who’s Proposed Price is more than double (200%)

the Lowest Proposed Price will receive no points. The formula to compute the points is: Cost

Points x (2- Proposed Price/Lowest Proposed Price).

Purchasing will use the following cost formula for the “Product Offering Discount Percentage”:

The points assigned to each Offeror’s cost proposal will be based on the highest discount

percentage. The Offeror with the highest discount percentage will receive 100% of the price

points. All other Offerors will receive a portion of the total cost points based on what

percentage lower their discount percentage is than the highest discount percentage. An

Offeror who’s Proposed percentage discount is less than double (200%) the highest discount

percentage will receive no points. The formula to compute the points is: Cost Points x (2-

Highest Proposed Discount/Proposed Discount).

Section 7: Master Agreement Terms and Conditions/Exceptions

7.1 WSCA-NASPO Master Agreement Terms and Conditions

7.1.1 The WSCA-NASPO Contract Administrator referred to in section 2 of the WSCA- NASPO Master Agreement Terms and Conditions is Debra Gunderson, State of Utah Division of Purchasing and General Services. This RFP represents the WSCA-NASPO Contract Administrator’s written approval of the modifications, waivers, alterations, amendments, and supplements to the Master Agreement Terms and Conditions made in this RFP and this Section 7.

7.1.2 Except as limited in this section or elsewhere in this RFP, Participating Entities who execute a Participating Addendum may alter, modify, supplement, or amend the WSCA- NASPO Master Agreement Terms and Conditions as necessary to comply with Participating Entity law or policy with respect to their orders under the Master Agreement. A Contractor may not deliver Products or perform services under this Master Agreement until a Participating Addendum acceptable to the Participating Entity and Contractor is executed. The WSCA-NASPO Terms and Conditions are applicable to any order by a Participating Entity, except to the extent altered, modified, supplemented or amended by a Participating Addendum. By way of illustration and not limitation, this authority may apply to unique delivery and invoicing requirements, confidentiality requirements, defaults on orders, governing law and venue relating to orders by a Participating Entity, Indemnification, and insurance requirements. Statutory or constitutional requirements relating to availability of funds may require specific language in some Participating Addenda in order to comply with applicable law. The expectation is that these alterations, modifications, supplements, or amendments will be addressed in the Participating Addendum or, with the consent of the Participating Entity and Contractor, may be included in the commitment voucher (e.g. purchase order or contract) used by the Participating Entity to place the order.

Page 33 of 45

Jul 1, 2013 5:09:04 PM MDT p. 59



7.1.3 The term Purchasing Entity and Participating Entity shall both mean “Participating Entity” as that term is defined in WSCA-NASPO Master Agreement Terms and Conditions.

7.1.4 With respect to section 11, Indemnification, the terms of any Participating Addendum may alter, modify, supplement, or amend the language in section 11 and may include a limitation of liability mutually agreeable to the Participating Entity and the Contractor.

7.1.5 With regard to section 20, Participants, Participating Entities who are not states may under some circumstances sign their own Participating Addendum, subject to the approval of the Chief Procurement Official of the state where the Participating Entity is located. Contractors may upon request obtain a copy of the written authorization from the WSCA-NASPO Contract Administrator.

7.2 Offeror Exceptions to Terms and Conditions

7.2.1 The Lead State discourages exceptions to contract terms and conditions in the RFP, attached Participating Entity terms and conditions (if any), and the WSCA-NASPO Master Agreement Terms and Conditions. As specified in this RFP, exceptions may cause a proposal to be rejected as nonresponsive when, in the sole judgment of the Lead State (and its evaluation team), the proposal appears to be conditioned on the exception or correction of what is deemed to be a deficiency or unacceptable exception would require a substantial proposal rewrite to correct. Moreover, Offerors are cautioned that award may be made on receipt of initial proposals without clarification or an opportunity for discussion, and the nature of exceptions would be evaluated. Further, the nature of exceptions will be considered in the competitive range determination if one is conducted. Exceptions will be evaluated to determine the extent to which the alternative language or approach poses unreasonable, additional risk to the state, is judged to inhibit achieving the objectives of the RFP, or whose ambiguity makes evaluation difficult and a fair resolution (available to all vendors) impractical given the timeframe for the RFP.

7.2.2 The Lead State will entertain exceptions to contract terms and conditions in this RFP, including the WSCA-NASPO Master Agreement Terms and Conditions. Offerors are strongly encouraged to be judicious in identifying exceptions.

7.2.3 Based on the market research conducted by the Lead State, the following provisions are intended to frame the contours of exceptions that may be acceptable, additional risk so long as the Offeror’s exceptions are specified with sufficient particularity.

7.2.4 The Lead State will consider Offeror standard terms for inspection and acceptance, so long as a reasonable time for acceptance is stated. However, the Participating Entities right to exercise revocation of acceptance under its Uniform Commercial Code must be preserved. Submit the standard terms with the offer and describe generally how commerciality in their use is established, e.g., identify publicly-available catalogs where the warranty terms are used and how long they have been in use.

7.2.5 The Lead State will consider standard warranty and/or maintenance terms, but the alternative warranty and/or maintenance will be evaluated to determine whether they provide comparable protection to the warranty specified in section 30 of the WSCA- NASPO Master Agreement Terms and Conditions. Provide the terms of the warranty and maintenance in the offer. Also describe generally how commerciality is established for those terms, e.g., publicly-available catalogs the warranty terms are used and how long

Page 34 of 45

Jul 1, 2013 5:09:04 PM MDT p. 60



they have been in use. Provide one reference from a customer having comparable sales volume who is using the warranty and maintenance provisions, where the warranty term has expired, and who has exercised rights under the warranty.

7.2.6 Intellectual property. The Lead State will consider license terms and conditions that as a minimum convey to Participating Entities a nonexclusive, irrevocable, perpetual, paid-up, royalty free license to use software or other intellectual property delivered with or inherent in the commodity or service, and to transfer the license rights to third parties for government purposes. Provide the terms of the license, including any terms that cover third party intellectual property used in the Offeror’s solution. Offerors should be aware that Participating Entities using federal funds may be required to negotiate additional or different terms to satisfy minimum rights requirements of their federal grants.

7.2.7 Any limitation of liability provision – including any exclusion of damages clause – proposed by an Offeror to be the default limitation of liability provision under the Master Agreement must preserve a reasonable amount of direct damages for breach of contract, additionally permit the Participating Entity to recoup amounts paid for supplies or services not finally accepted (as in the case of advance or progress payments, if used), and preserve the right of the Participating Entity to be held harmless from costs of litigation as well as ultimate liability within limits agreed by the parties.

Moreover, any limitation of liability clause proposed by an Offeror should be reciprocal, cover lost profits, and exclude claims or liability arising out of intellectual property infringement, bodily injury (including death), damage to tangible property, and data breach. Include the text of any such language if proposed. Further, provide contact information for a public entity, or private entity if no public entity exists, where the limitation of liability clause (or another clause substantially similar) operated to limit liability. If no such example exists, provide contact information for a state, or if no state exists, a higher education institution, or if none exists, a city or county represented by counsel in the negotiations who has agreed to the proposed terms and conditions.

7.2.8 The enumerated examples in subsection 7.2 are not intended to limit the ability of Offerors to propose additional, reasonable exceptions. For any other exception, where the exception is based on claims of standard or normal commercial practice, provide contact information for a state, or if no state exists, a higher education institution, or if none exists, a city or county represented by counsel in the negotiations who has agreed to the proposed terms and conditions.

7.3 WSCA-NASPO eMarket Center

7.3.1 In July 2011, WSCA-NASPO entered into a multi-year agreement with SciQuest,

Inc. whereby SciQuest will provide certain electronic catalog hosting and management

services to enable eligible WSCA-NASPO entity’s customers to access a central online

website to view and/or shop the goods and services available from existing WSCA-

NASPO Cooperative Contracts. The central online website is referred to as the WSCA-

NASPO eMarket Center Contractor shall either upload a hosted catalog into the eMarket

Center or integrate a punchout site with the eMarket Center.

Supplier’s Interface with the eMarket Center

There is no cost charged by SciQuest to the Contractor for loading a hosted catalog or integrating a punchout site.

Page 35 of 45

Jul 1, 2013 5:09:04 PM MDT p. 61



At a minimum, the Contractor agrees to the following:

1. Implementation Timeline: WSCA-NASPO eMarket Center Site Admin shall

provide a written request to the Contractor to begin enablement process.

The Contractor shall have fifteen (15) days from receipt of written request to

work with WSCA-NASPO and SciQuest to set up an enablement schedule,

at which time SciQuest’s technical documentation shall be provided to the

Contractor. The schedule will include future calls and milestone dates

related to test and go live dates. The contractor shall have a total of Ninety

(90) days to deliver either a (1) hosted catalog or (2) punch-out catalog, from date of receipt of written request.

2. Definition of Hosted and Punchout: WSCA-NASPO and SciQuest will work

with the Contractor, to decide which of the catalog structures (either hosted or punch-out as further described below) shall be provided by the Contractor. Whether hosted or punch-out, the catalog must be strictly

limited to the Contractor’s awarded contract offering (e.g. products and/or services not authorized through the resulting cooperative

contract should not be viewable by WSCA-NASPO Participating Entity users).

a. Hosted Catalog. By providing a hosted catalog, the Contractor is

providing a list of its awarded products/services and pricing in an

electronic data file in a format acceptable to SciQuest, such as Tab

Delimited Text files. In this scenario, the Contractor must submit updated electronic data annually to the the eMarket Center for WSCA-

NASPO Contract Administrator’s approval to maintain the most up-todate version of its product/service offering under the cooperative

contract in the eMarket Center.

b. Punch-Out Catalog. By providing a punch-out catalog, the Contractor is

providing its own online catalog, which must be capable of being

integrated with the eMarket Center as a. Standard punch-in via

Commerce eXtensible Markup Language (cXML). In this scenario, the

Contractor shall validate that its online catalog is up-to-date by providing

a written update quarterly to the Contract Administrator stating they

have audited the offered products/services and pricing listed on its

online catalog. The site must also return detailed UNSPSC codes (as

outlined in line 3) for each line item. Contractor also agrees to provide

e-Quote functionality to facilitate volume discounts.

3. Revising Pricing and Product Offerings: Any revisions (whether an increase or

decrease) to pricing or product/service offerings (new products, altered SKUs, etc.)

must be pre-approved by the WSCA-NASPO Contract Administrator and shall be

subject to any other applicable restrictions with respect to the frequency or amount of such revisions. However, no cooperative contract enabled in the eMarket

Center may include price changes on a more frequent basis than once per quarter. The following conditions apply with respect to hosted catalogs:

Page 36 of 45

Jul 1, 2013 5:09:04 PM MDT p. 62



a. Updated pricing files are required by the 1st of the month and shall go

into effect in the eMarket Center on the 1st day of the following month (i.e. file received on 1/01/14 would be effective in the eMarket Center on

2/01/14). Files received after the 1st of the month may be delayed up to a month (i.e. file received on 11/06/14 would be effect in the eMarket Center on 1/01/15).

b. Contract Administrator-approved price changes are not effective until

implemented within the eMarket Center. Errors in the Contractor’s

submitted pricing files will delay the implementation of the price

changes in eMarket Center.

4. Supplier Network Requirements: Contractor shall join the SciQuest Supplier

Network (SQSN) and shall use the SciQuest’s Supplier Portal to import the

Contractor’s catalog and pricing, into the SciQuest system, and view reports on catalog spend and product/pricing freshness. The Contractor can receive orders

through electronic delivery (cXML) or through low-tech options such as fax. More information about the SQSN can be found at: www.sciquest.com or call the

SciQuest Supplier Network Services team at 800-233-1121.

5. Minimum Requirements: Whether the Contractor is providing a hosted catalog or a

punch-out catalog, the Contractor agrees to meet the following requirements:

a. Catalog must contain the most current pricing, including all applicable

administrative fees and/or discounts, as well as the most up-to-date product/service offering the Contractor is authorized to provide in accordance with the cooperative contract; and

b. The accuracy of the catalog must be maintained by Contractor

throughout the duration of the cooperative contract between the Contractor and the Contract Administrator; and

c. The Catalog must include a Lead State contract identification number;

and

d. The Catalog must include detailed product line item descriptions; and

e. The Catalog must include pictures when possible; and

f. The Catalog must include any additional WSCA-NASPO and Participating Addendum requirements.*

6. Order Acceptance Requirements: Contractor must be able to accept Purchase

Orders via fax or cXML.

Page 37 of 45

http://www.sciquest.com/

Jul 1, 2013 5:09:04 PM MDT p. 63



a. The Contractor shall provide positive confirmation via phone or email within 24 hours of the Contractor’s receipt of the Purchase Order. If the

Purchasing Order is received after 3pm EST on the day before a weekend or holiday, the Contractor must provide positive confirmation

via phone or email on the next business day.

7. UNSPSC Requirements: Contractor shall support use of the United Nations

Standard Product and Services Code (UNSPSC). UNSPSC versions that

must be adhered to are driven by SciQuest for the suppliers and are

upgraded every year. WSCA-NASPO reserves the right to migrate to future versions of the UNSPSC and the Contractor shall be required to support

the migration effort. All line items, goods or services provided under the resulting statewide contract must be associated to a UNSPSC code. All

line items must be identified at the most detailed UNSPSC level indicated

by segment, family, class and commodity. More information about the UNSPSC is available at: http://www.unspsc.com and

http://www.unspsc.com/FAQs.asp#howdoesunspscwork.

8. Applicability: Contractor agrees that WSCA-NASPO controls which contracts

appear in the eMarket Center and that WSCA-NASPO may elect at any time to

remove any supplier’s offering from the eMarket Center.

9. The WSCA-NASPO Contract Administrator reserves the right to approve the pricing

on the eMarket Center. This catalog review right is solely for the benefit of the

WSCA-NASPO Contract Administrator and Participating Entities, and the review

and approval shall not waive the requirement that products and services be offered

at prices (and approved fees) required by the Master Agreement.

* Although suppliers in the SQSN normally submit one (1) catalog, it is

possible to have multiple contracts applicable to different WSCA-NASPO

Participating Entities. For example, a supplier may have different pricing for

state government agencies and Board of Regents institutions. Suppliers

have the ability and responsibility to submit separate contract pricing for the

same catalog if applicable. The system will deliver the appropriate contract

pricing to the user viewing the catalog.

Several WSCA-NASPO Participating Entities currently maintain separate

SciQuest eMarketplaces, these Participating Entities do enable certain

WSCA-NASPO Cooperative Contracts. In the event one of these entities

elects to use this WSCA-NASPO Cooperative Contract (available through

the eMarket Center) but publish to their own eMarketplace, the Contractor

agrees to work in good faith with the entity and WSCA-NASPO to

implement the catalog. WSCA-NASPO does not anticipate that this will

require substantial additional efforts by the Contractor; however, the

supplier agrees to take commercially reasonable efforts to enable such

separate SciQuest catalogs.

Page 38 of 45

http://www.unspsc.com/

http://www.unspsc.com/FAQs.asp#howdoesunspscwork

Jul 1, 2013 5:09:04 PM MDT p. 64



Attachment B – Reference Form

Solicitation Number JP14001 WSCA-NASPO Data Communications RFP

Please complete the following:

(Full Name of Company Requesting Reference)

(Your Company Name)

This form is being submitted to your company for completion as a business reference for the company listed above. This form is to be returned to the State of Utah, Division of Purchasing, via email to [email protected] or by fax to the attention of Tara Eutsler at 801-538-3882, no later than , 2011, and must not be returned to the company requesting the reference.

For questions or concerns regarding this form, please contact the State of Utah, Division of Purchasing, at [email protected] . When contacting the State, please be sure to include the solicitation number listed at the top of this page.

CONFIDENTIAL INFORMATION WHEN COMPLETED

Company providing reference: Contact Name and Title/Position: Contact Telephone Number: Contact Email Address:

QUESTIONS:

1. In what capacity have you worked with this firm in the past?

COMMENTS:

2. How would you rate this firm’s knowledge and expertise? (3=Excellent; 2=Satisfactory; 1=Unsatisfactory; 0=Unacceptable) COMMENTS:

Page 39 of 45



Jul 1, 2013 5:09:04 PM MDT p. 65



3. How would you rate this firm’s flexibility relative to changes in the project scope and timelines? (3=Excellent; 2=Satisfactory; 1=Unsatisfactory; 0=Unacceptable) COMMENTS:

4. What is your level of satisfaction with materials produced by this firm? (3=Excellent; 2=Satisfactory; 1=Unsatisfactory; 0=Unacceptable) COMMENTS:

5. How would you rate the dynamics/interaction between firm and your staff? (3=Excellent; 2=Satisfactory; 1=Unsatisfactory; 0=Unacceptable) COMMENTS:

6. Who were the firm’s principal representatives involved in your project and how would you rate them individually? Please comment on the skills, knowledge, behavior or other factors on which you based the rating? (3=Excellent; 2=Satisfactory; 1=Unsatisfactory; 0=Unacceptable)

Principal Representative’s Name: Rating:

Principal Representative’s Name: Rating:

Principal Representative’s Name: Rating: COMMENTS:

7. How satisfied are you with the manner in which the firm handled confidential, personal, and sensitive information? (3=Excellent; 2=Satisfactory; 1=Unsatisfactory; 0=Unacceptable) COMMENTS:

8. With what aspect(s) of this firm’s services are you most satisfied? COMMENTS:

Page 40 of 45

Jul 1, 2013 5:09:04 PM MDT p. 66



9. With which aspect(s) of this firm’s services are you least satisfied? COMMENTS:

10. Would you recommend this firm’s services to your organization again? COMMENTS:

Page 41 of 45

Jul 1, 2013 5:09:04 PM MDT p. 67



Attachment C – Cost Schedule

Solicitation Number JP14001 WSCA-NASPO Data Communications RFP

Product Offerings By Category. Specify Discount Percent % Offered for products in each category from section 5. Highest discount will apply for products referenced in detail listings for multiple categories. Provide a detailed product offering for each category.

5.2.1 DATA CENTER APPLICATION SERVICES Discount %

5.2.1.1 Virtualized Load Balancers

5.2.1.2 WAN Optimization

5.2.2 NETWORKING SOFTWARE Discount %

5.2.2.1 Network Management and Automation

5.2.2.2 Data Center Management and Automation

5.2.2.3 Cloud Portal and Automation

5.2.2.4 Branch Office Management and Automation

5.2.3 NETWORK OPTIMIZATION AND ACCELERATION Discount %

5.2.3.1 Dynamic Load Balancing

5.2.3.2 WAN Acceleration

5.2.3.3 High Availability and Redundancy

5.2.4 OPTICAL NETWORKING Discount %

5.2.4.1 Core DWDM (Dense Wavelength Division Multiplexing) Switches

5.2.4.2 Edge Optical Switches

5.2.4.3 Optical Network Management

5.2.4.4 IP over DWDM (IPoDWDM)

5.2.5 ROUTERS Discount %

5.2.5.1 Branch Routers

5.2.5.2 Network Edge Routers

Page 42 of 45

Jul 1, 2013 5:09:04 PM MDT p. 68



5.2.5.3 Core Routers

5.2.5.4 Service Aggregation Routers

5.2.5.5 Carrier Ethernet Routers

5.2.6 SECURITY Discount %

5.2.6.1 Data Center and Virtualization Security Products and Appliances

5.2.6.2 Intrusion Detection/Protection and Firewall Appliances

5.2.6.3 Logging Appliances and Analysis Tools

5.2.6.4 Secure Edge and Branch Integrated Security Products

5.2.6.5 Secure Mobility Products

5.2.6.6 Encryption Appliances

5.2.6.7 On-premise and Cloud-based services for Web and/or Email Security

5.2.6.8 Secure Access

5.2.7 STORAGE NETWORKING Discount %

5.2.7.1 Director Class SAN (Storage Area Network) Switches and Modules

5.2.7.2 Fabric and Blade Server Switches

5.2.7.3 Enterprise and Data Center SAN and VSAN (Virtual Storage Area Network) Management

5.2.7.4 SAN Optimization

5.2.8 SWITCHES Discount %

5.2.8.1 Campus LAN – Access Switches

5.2.8.2 Campus LAN – Core Switches

5.2.8.3 Campus Distribution

5.2.8.4 Data Center Switches

5.2.8.5 Software Defined Networks (SDN) - Virtualized Switches and Routers

5.2.8.6 Software Defined Networks (SDN) • Controllers.

5.2.8.7 Carrier Aggregation Switches

5.2.8.8 Carrier Ethernet Access Switches

5.2.9 WIRELESS Discount %

5.2.9.1 Access Points

5.2.9.2 Outdoor Wireless Access

5.2.9.3 Wireless LAN Controllers

5.2.9.3 Wireless LAN Network Services and Management

5.2.9.4 Cloud-based services for Access Points

Page 43 of 45

Jul 1, 2013 5:09:04 PM MDT p. 69



5.2.9.5 Bring Your Own Device (BYOD)

5.3.1 UNIFIED COMMUNICATIONS (UC) Discount %

5.3.1.1 IP Telephony

5.3.1.2 Instant messaging/ Presence

5.3.1.3 Unified messaging

5.3.1.4 Contact Center


5.3.1.6 UC Network Management

5.3.1.7 Collaboration

5.3.1.8 Collaborative Video

5.3.1.8.1 Content Delivery Systems (CDS)

5.3.1.8.2 Physical Security

Average Discount Percentage for all Product Bid Categories Discount %

--------------------------------------------------------------------------------------------------------------------------

5.3.1 SERVICES For each category (5.2.1-5.3.0) provide post sale on site service and

consulting rates that are inclusive of travel, lodging and meals. Remote access rates for non- warranty and consultation services must be expressed as a separate net hourly labor rate.

Maintenance Services

Onsite Hourly Rate $

Professional Services

Remote Hourly Rate $

Deployment Services Onsite Hourly Rate $

Consulting/Advisory Services



Architectural Design Services




Statement of Work Services Onsite Hourly Rate $


Partner Services Onsite Hourly Rate $


Training Deployment Services Onsite Hourly Rate $

Page 44 of 45

Jul 1, 2013 5:09:04 PM MDT p. 70



Online Hourly Rate $

Page 45 of 45

Jul 1, 2013 5:09:04 PM MDT p. 71


WSCA-NASPO Master Agreement Terms and Conditions

1. AGREEMENT ORDER OF PRECEDENCE:

The Master Agreement shall consist of the following documents: 1. A Participating Entity’s Participating Addendum (“PA”); 2. WSCA-NASPO Master Agreement Terms and Conditions;

3. The Statement of Work; 4. The Solicitation; and 5. Contractor's response to the Solicitation.

These documents shall be read to be consistent and complementary. Any conflict among

these documents shall be resolved by giving priority to these documents in the order listed

above. Contractor terms and conditions that apply to this Master Agreement are only those

that are expressly accepted by the Lead State and must be in writing and attached to this

Master Agreement as an Exhibit or Attachment. No other terms and conditions shall apply,

including terms and conditions listed in the Contractor’s response to the Solicitation, or terms

listed or referenced on the Contractor's website, in the Contractor quotation/sales order or in

similar documents subsequently provided by the Contractor.

2. AMENDMENTS The terms of this Master Agreement shall not be waived, altered, modified,

supplemented or amended in any manner whatsoever without prior written approval of the

WSCA-NASPO Contract Administrator.

3. ASSIGNMENT/SUBCONTRACT Contractor shall not assign, sell, transfer, subcontract or

sublet rights, or delegate responsibilities under this contract, in whole or in part, without the

prior written approval of the WSCA-NASPO Contract Administrator.

4. CANCELLATION Unless otherwise stated in the special terms and conditions, any Master

Agreement may be canceled by either party upon 60 days notice, in writing, prior to the

effective date of the cancellation. Further, any Participating State may cancel its

participation upon 30 days written notice, unless otherwise limited or stated in the special

terms and conditions of this solicitation. Cancellation may be in whole or in part. Any

cancellation under this provision shall not effect the rights and obligations attending orders

outstanding at the time of cancellation, including any right of and Purchasing Entity to

indemnification by the Contractor, rights of payment for goods/services delivered and

1

Jul 1, 2013 5:09:04 PM MDT p. 72


accepted, and rights attending any warranty or default in performance in association with any

order. Cancellation of the Master Agreement due to Contractor default may be immediate.

5. CONFIDENTIALITY, NON-DISCLOSURE AND INJUNCTIVE RELIEF

5.1 Confidentiality. Contractor acknowledges that it and its employees or agents may, in the

course of providing the Product under this Master Agreement, be exposed to or acquire

information that is confidential to Participating Entity or Participating Entity’s clients. Any

and all information of any form that is marked as confidential or would by its nature be

deemed confidential obtained by Contractor or its employees or agents in the performance of

this Master Agreement, including, but not necessarily limited to (a) any Participating Entity

records, (b) personnel records, and (c) information concerning individuals, is confidential

information of Participating Entity (“Confidential Information”). Any reports or other

documents or items (including software) that result from the use of the Confidential

Information by Contractor shall be treated in the same manner as the Confidential

Information. Confidential Information does not include information that (a) is or becomes

(other than by disclosure by Contractor) publicly known; (b) is furnished by Participating

Entity to others without restrictions similar to those imposed by this Master Agreement; (c) is

rightfully in Contractor’s possession without the obligation of nondisclosure prior to the time

of its disclosure under this Master Agreement; (d) is obtained from a source other than

Participating Entity without the obligation of confidentiality, (e) is disclosed with the written

consent of Participating Entity or; (f) is independently developed by employees, agents or

subcontractors of Contractor who can be shown to have had no access to the Confidential

Information.

5.2 Non-Disclosure. Contractor shall hold Confidential Information in confidence, using at

least the industry standard of confidentiality, and not to copy, reproduce, sell, assign,

license, market, transfer or otherwise dispose of, give, or disclose Confidential Information to

third parties or use Confidential Information for any purposes whatsoever other than the

performance of this Master Agreement to Participating Entity hereunder, and to advise each

of its employees and agents of their obligations to keep Confidential Information confidential.

Contractor shall use commercially reasonable efforts to assist Participating Entity in

identifying and preventing any unauthorized use or disclosure of any Confidential Information.

Without limiting the generality of the foregoing, Contractor shall advise Participating Entity

immediately if Contractor learns or has reason to believe that any person who has had access

to Confidential Information has violated or intends to violate the terms of this Master

Agreement and Contractor shall at its expense cooperate with Participating Entity in seeking

injunctive or other equitable relief in the name of Participating Entity or Contractor against

any such person. Except as directed by Participating Entity, Contractor will not at any time

during or after the term of this Master Agreement disclose, directly or indirectly, any

Confidential Information to any person, except in accordance with this Master Agreement,

and that upon termination of this Master Agreement or at Participating Entity’s request,

Contractor shall turn over to Participating Entity all documents, papers, and other matter in

Contractor's possession that embody Confidential Information. Notwithstanding the

2

Jul 1, 2013 5:09:04 PM MDT p. 73


foregoing, Contractor may keep one copy of such Confidential Information necessary for

quality assurance, audits and evidence of the performance of this Master Agreement.

5.3 Injunctive Relief. Contractor acknowledges that breach of this Section, including

disclosure of any Confidential Information, will cause irreparable injury to Participating Entity

that is inadequately compensable in damages. Accordingly, Participating Entity may seek and

obtain injunctive relief against the breach or threatened breach of the foregoing

undertakings, in addition to any other legal remedies that may be available. Contractor

acknowledges and agrees that the covenants contained herein are necessary for the

protection of the legitimate business interests of Participating Entity and are reasonable in

scope and content.

6. DEBARMENT The contractor certifies that neither it nor its principals are presently

debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded

from participation in this transaction (contract) by any governmental department or agency.

If the contractor cannot certify this statement, attach a written explanation for review by

WSCA-NASPO.

7. DEFAULTS & REMEDIES

a. The occurrence of any of the following events shall be an event of default under this Master Agreement:

i. Nonperformance of contractual requirements; or ii. A material breach of any term or condition of this Master Agreement; or iii. Any representation or warranty by Contractor in response to the solicitation or in this Master Agreement proves to be untrue or materially misleading; or

iv. Institution of proceedings under any bankruptcy, insolvency, reorganization or similar law, by or against Contractor, or the appointment of a receiver or similar officer for Contractor or any of its property, which is not vacated or fully stayed within thirty (30) calendar days after the institution or occurrence thereof; or

v. Any default specified in another section of this Master Agreement. b. Upon the occurrence of an event of default, Lead State shall issue a written notice of default, identifying the nature of the default, and providing a period of 15 calendar days in which Contractor shall have an opportunity to cure the default. The Lead State shall not be required to provide advance written notice or a cure period and may immediately terminate this Master Agreement in whole or in part if the Lead State, in its sole discretion, determines that it is reasonably necessary to preserve public safety or prevent immediate public crisis. Time allowed for cure shall not diminish or eliminate Contractor’s liability for damages, including liquidated damages to the extent provided for under this Master Agreement.

c. If Contractor is afforded an opportunity to cure and fails to cure the default within the period specified in the written notice of default, Contractor shall be in breach of its obligations under this Master Agreement and Lead State shall have the right to exercise any or all of the following remedies:

i. Exercise any remedy provided by law; and

ii. Terminate this Master Agreement and any related Contracts or portions thereof; and iii. Impose liquidated damages as provided in this Master Agreement; and iv. Suspend Contractor from receiving future bid solicitations; and v. Suspend Contractor’s performance; and

3

Jul 1, 2013 5:09:04 PM MDT p. 74


vi. Withhold payment until the default is remedied.

d. In the event of a default under a Participating Addendum, a Participating Entity shall provide a written notice of default as described in this section and have all of the rights and remedies under this paragraph regarding its participation in the Master Agreement, in addition to those set forth in its Participating Addendum.

8. DELIVERY Unless otherwise indicated in the Master Agreement, the prices are the delivered

price to any Participating State agency or political subdivision. All deliveries shall be F.O.B.

destination with all transportation and handling charges paid by the contractor. Responsibility

and liability for loss or damage shall remain the Contractor until final inspection and

acceptance when responsibility shall pass to the Buyer except as to latent defects, fraud and

Contractor’s warranty obligations. The minimum shipment amount will be found in the special

terms and conditions. Any order for less than the specified amount is to be shipped with the

freight prepaid and added as a separate item on the invoice. Any portion of an order to be

shipped without transportation charges that is back ordered shall be shipped without charge.

9. FORCE MAJEURE Neither party to this Master Agreement shall be held responsible for

delay or default caused by fire, riot, acts of God and/or war which is beyond that party’s

reasonable control. WSCA-NASPO may terminate this Master Agreement after determining

such delay or default will reasonably prevent successful performance of the Master

Agreement.

10. GOVERNING LAW This procurement and the resulting agreement shall be governed by

and construed in accordance with the laws of the state sponsoring and administering the

procurement. The construction and effect of any Participating Addendum or order against

the Master Agreement(s) shall be governed by and construed in accordance with the laws of

the Participating Entity’s State. Venue for any claim, dispute or action concerning an order

placed against the Master Agreement(s) or the effect of an Participating Addendum shall be in

the Purchasing Entity’s State.

11. INDEMNIFICATION The Contractor shall defend, indemnify and hold harmless WSCA-

NASPO, the Lead State and Participating Entities along with their officers, agencies, and

employees as well as any person or entity for which they may be liable from and against

claims, damages or causes of action including reasonable attorneys’ fees and related costs for

any death, injury, or damage to property arising from act(s), error(s), or omission(s) of the

Contractor, its employees or subcontractors or volunteers, at any tier, relating to the

performance under the Master Agreement. This section is not subject to any limitations of

liability in this Master Agreement or in any other document executed in conjunction with this

Master Agreement

12. INDEMNIFICATION – INTELLECTUAL PROPERTY The Contractor shall defend, indemnify

and hold harmless WSCA-NASPO, the Lead State and Participating Entities along with their

officers, agencies, and employees as well as any person or entity for which they may be liable

4

Jul 1, 2013 5:09:04 PM MDT p. 75


("Indemnified Party") from and against claims, damages or causes of action including

reasonable attorneys’ fees and related costs arising out of the claim that the Product or its

use, infringes Intellectual Property rights ("Intellectual Property Claim"). The Contractor’s

obligations under this section shall not extend to any combination of the Product with any

other product, system or method, unless:

(1) the Product, system or method is:

(a) provided by the Contractor or the Contractor’s subsidiaries or affiliates;

(b) specified by the Contractor to work with the Product; or

(c) reasonably required, in order to use the Product in its intended manner, and the

infringement could not have been avoided by substituting another reasonably available

product, system or method capable of performing the same function; or

(2) it would be reasonably expected to use the Product in combination with such product,

system or method.

The Indemnified Party shall notify the Contractor within a reasonable time after receiving

notice of an Intellectual Property Claim. Even if the Indemnified Party fails to provide

reasonable notice, the Contractor shall not be relieved from its obligations unless the

Contractor can demonstrate that it was prejudiced in defending the Intellectual Property

Claim resulting in increased expenses or loss to the Contractor. If the Contractor promptly

and reasonably investigates and defends any Intellectual Property Claim, it shall have control

over the defense and settlement of it. However, the Indemnified Party must consent in

writing for any money damages or obligations for which it may be responsible. The

Indemnified Party shall furnish, at the Contractor’s reasonable request and expense,

information and assistance necessary for such defense. If the Contractor fails to vigorously

pursue the defense or settlement of the Intellectual Property Claim, the Indemnified Party

may assume the defense or settlement of it and the Contractor shall be liable for all costs and

expenses, including reasonable attorneys’ fees and related costs, incurred by the Indemnified

Party in the pursuit of the Intellectual Property Claim. This section is not subject to any

limitations of liability in this Master Agreement or in any other document executed in

conjunction with this Master Agreement.

13. INDEPENDENT CONTRACTOR The contractor shall be an independent contractor, and as

such shall have no authorization, express or implied to bind WSCA-NASPO or the respective

states to any agreements, settlements, liability or understanding whatsoever, and agrees not

to perform any acts as agent for WSCA-NASPO or the states, except as expressly set forth

herein.

14. INDIVIDUAL CUSTOMER Except to the extent modified by a Participating Addendum, each Participating Entity shall follow the terms and conditions of the Master Agreement and applicable Participating Addendum and will have the same rights and responsibilities for their purchases as the Lead State has in the Master Agreement, including but not limited to, any indemnity or to recover any costs allowed in the Master Agreement and applicable Participating Addendum for their purchases. Each Participating Entity will be responsible for

5

Jul 1, 2013 5:09:04 PM MDT p. 76


its own charges, fees, and liabilities. The Contractor will apply the charges and invoice each Participating Entity individually.

15. INSURANCE Contractor shall, during the term of this Master Agreement, maintain in full force and effect, the insurance described in this section. Contractor shall acquire such insurance from an insurance carrier or carriers licensed to conduct business in the Participating Entity’s state and having a rating of A-, Class VII or better, in the most recently published edition of Best’s Reports. Failure to buy and maintain the required insurance may result in this Master Agreement’s termination or at a Participating Entity’s option, result in termination of its Participating Addendum.

Coverage shall be written on an occurrence basis. The minimum acceptable limits shall be as

indicated below, with no deductible for each of the following categories:

a) Commercial General Liability covering the risks of bodily injury (including death), property

damage and personal injury, including coverage for contractual liability, with a limit of not

less than $1 million per occurrence/$2 million general aggregate;

b) Contractor must comply with any applicable State Workers Compensation or Employers

Liability Insurance requirements.

Contractor shall pay premiums on all insurance policies. Such policies shall also reference

this Master Agreement and shall have a condition that they not be revoked by the insurer until

thirty (30) calendar days after notice of intended revocation thereof shall have been given to

Participating Entity by the Contractor.

Prior to commencement of the work, Contractor shall provide to the Participating Entity a

written endorsement to the Contractor’s general liability insurance policy that (i) names the

Participating Entity as an additional insured, (ii) provides that no material alteration,

cancellation, non-renewal, or expiration of the coverage contained in such policy shall have

effect unless the named Participating Entity has been given at least thirty (30) days prior

written notice, and (iii) provides that the Contractor’s liability insurance policy shall be

primary, with any liability insurance of the Participating Entity as secondary and

noncontributory.

Contractor shall furnish to Participating Entity copies of certificates of all required insurance

within thirty (30) calendar days of the Participating Addendum’s effective date and prior to

performing any work. Copies of renewal certificates of all required insurance shall be

furnished within thirty (30) days after renewal date. These certificates of insurance must

expressly indicate compliance with each and every insurance requirement specified in this

section. Failure to provide evidence of coverage may, at State’s sole option, result in this

Master Agreement’s termination.

Coverage and limits shall not limit Contractor’s liability and obligations under this Master

Agreement.

6

Jul 1, 2013 5:09:04 PM MDT p. 77


16. LAWS AND REGULATIONS Any and all supplies, services and equipment offered and

furnished shall comply fully with all applicable Federal and State laws and regulations.

17. LICENSE OF PRE-EXISTING INTELLECTUAL PROPERTY Contractor grants to the

Participating Entity a nonexclusive, perpetual, royalty-free, irrevocable, unlimited license to

publish, translate, reproduce, modify, deliver, perform, display, and dispose of the

Intellectual Property, and its derivatives, used or delivered under this Master Agreement, but

not created under it (“Pre-existing Intellectual Property”). The license shall be subject to any

third party rights in the Pre-existing Intellectual Property. Contractor shall obtain, at its own

expense, on behalf of the Participating Entity, written consent of the owner for the licensed

Pre-existing Intellectual Property.

18. NO WAIVER OF SOVEREIGN IMMUNITY In no event shall this Master Agreement, any

Participating Addendum or any contract or any purchase order issued thereunder, or any act

of a Lead State or a Participating Entity, be a waiver by the Participating Entity of any form

of defense or immunity, whether sovereign immunity, governmental immunity, immunity

based on the Eleventh Amendment to the Constitution of the United States or otherwise, from

any claim or from the jurisdiction of any court.

If a claim must be brought in a federal forum, then it must be brought and

adjudicated solely and exclusively within the United States District Court for the

Participating State. This section applies to a claim brought against the

Participating State only to the extent Congress has appropriately abrogated the

Participating State’s sovereign immunity and is not consent by the Participating

State to be sued in federal court. This section is also not a waiver by the

Participating State of any form of immunity, including but not limited to sovereign

immunity and immunity based on the Eleventh Amendment to the Constitution of

the United States.

19. ORDER NUMBERS Master Agreement order and purchase order numbers shall be clearly

shown on all acknowledgments, shipping labels, packing slips, invoices, and on all

correspondence.

20. PARTICIPANTS WSCA-NASPO is the cooperative purchasing arm of the National Association

of State Procurement Officials. It is a cooperative group contracting consortium for state

government departments, institutions, agencies and political subdivisions (e.g., colleges,

school districts, counties, cities, etc.,) for all 50 states, the District of Columbia and the

organized US territories. Obligations under this Master Agreement are limited to those

Participating States who have signed a Participating Addendum where contemplated by the

solicitation. Financial obligations of Participating States are limited to the orders placed by

the departments or other state agencies and institutions having available funds. Participating

States incur no financial obligations on behalf of political subdivisions. Unless otherwise

specified in the solicitation, the resulting award(s) will be permissive.

7

Jul 1, 2013 5:09:04 PM MDT p. 78


21. ENTITY PARTICIPATION Use of specific WSCA-NASPO cooperative Master Agreements by

state agencies, political subdivisions and other entities (including cooperatives) authorized by

individual state’s statutes to use state contracts are subject to the approval of the respective

State Chief Procurement Official. Issues of interpretation and eligibility for participation are

solely within the authority of the respective State Chief Procurement Official.

22. PAYMENT Payment for completion of a contract order is normally made within 30 days

following the date the entire order is delivered or the date a correct invoice is received,

whichever is later. After 45 days the Contractor may assess overdue account charges up to a

maximum rate of one percent per month on the outstanding balance. Payments will be

remitted by mail. Payments may be made via a State or political subdivision “Purchasing

Card” with no additional charge.

23. PUBLIC INFORMATION This Master Agreement and all related documents are subject to

disclosure pursuant to the Participating Entity’s public information laws.

24. RECORDS ADMINISTRATION AND AUDIT The contractor will maintain, or supervise the

maintenance of all records necessary to properly account for the payments made to the

contractor for costs authorized by this Master Agreement. These records will be retained by

the contractor for at least four years after the Master Agreement terminates, or until all

audits initiated within the four years have been completed, whichever is later. The

contractor agrees to allow WSCA-NASPO, State and Federal auditors, and state agency staff

access to all the records of this Master Agreement and any order placed under this Master

Agreement, for audit and inspection, and monitoring of services. Such access will be during

normal business hours, or by appointment.

25. REPORTS and ADMINISTRATIVE FEES The contractor shall submit quarterly reports to the

WSCA-NASPO Contract Administrator showing the quantities and dollar volume of purchases by

each participating entity.

The contractor must pay a WSCA-NASPO administrative fee of one quarter of one percent

(.25%) in accordance with the terms and conditions of the Master Agreement. The WSCA-

NASPO administrative fee shall be submitted quarterly and is based on sales of products and

services. The WSCA-NASPO administration fee is not negotiable. This fee is to be included as

part of the pricing submitted with proposal.

Additionally, some States may require that an additional fee be paid directly to the State on

purchases made by procuring entities within that State. For all such requests, the fee level,

payment method and schedule for such reports and payments will be incorporated in a

Participating Addendum that is made a part of the Master Agreement. The contractor may

adjust the Master Agreement pricing accordingly for purchases made by procuring agencies

within the jurisdiction of the State. All such agreements may not affect the WSCA-NASPO

administrative fee or the prices paid by the procuring agencies outside the jurisdiction of the

State requesting the additional fee.

8

Jul 1, 2013 5:09:04 PM MDT p. 79


26. STANDARD OF PERFORMANCE AND ACCEPTANCE The Standard of Performance applies to

all Product(s) purchased under this Master Agreement, including any additional, replacement,

or substitute Product(s) and any Product(s) which are modified by or with the written approval

of Contractor after Acceptance by the Participating Entity. The Acceptance Testing period

shall be thirty (30) calendar days or other time period identified in the solicitation or the

Participating Addendum, starting from the day after the Product is installed and Contractor

certifies that the Product is ready for Acceptance Testing. If the Product does not meet the

Standard of Performance during the initial period of Acceptance Testing, Participating Entity

may, at its discretion, continue Acceptance Testing on a day-to-day basis until the Standard of

Performance is met. Upon rejection, the Contractor will have fifteen

(15) calendar days to cure the Standard of Performance issue(s). If after the cure period, the

Product still has not met the Standard of Performance Participating Entity may, at its option:

(1) declare Contractor to be in breach and terminate the Order; (2) demand replacement

Product from Contractor at no additional cost to Participating Entity; or, (3) continue the

cure period for an additional time period agreed upon by the Participating Entity and the

Contractor. Contractor shall pay all costs related to the preparation and shipping of Product

returned pursuant to the section. No Product shall be accepted and no charges shall be paid

until the Standard of Performance is met. The warranty period will begin upon Acceptance.

27. SYSTEM FAILURE OR DAMAGE In the event of system failure or damage caused by the

Contractor or its Product, the Contractor agrees to use its best efforts to restore or assist in

restoring the system to operational capacity.

28. TITLE OF PRODUCT Upon Acceptance by the Participating Entity, Contractor shall

convey to Participating Entity title to the Product free and clear of all liens, encumbrances,

or other security interests.Transfer of title to the Product shall include an irrevocable and

perpetual license to use the Embedded Software in the Product. If Participating Entity

subsequently transfers title of the Product to another entity, Participating Entity shall have

the right to transfer the license to use the Embedded Software with the transfer of Product

title. A subsequent transfer of this software license shall be at no additional cost or charge

to either Participating Entity or Participating Entity’s transferee.

29. WAIVER OF BREACH Failure of Lead State or Participating Entity to declare a default or

enforce any rights and remedies shall not operate as a waiver under this Master Agreement or

Participating Addendum. Any waiver by the Lead State or Participating Entity must be in

writing. Waiver by the Lead State or Participating Entity of any default, right or remedy

under this Master Agreement or Participating Addendum, or breach of any terms or

requirements shall not be construed or operate as a waiver of any subsequent default or

breach of such term or requirement, or of any other term or requirement under this Master

Agreement or Participating Addendum.

30. WARRANTY The Contractor warrants for a period of one year from the date of Acceptance

that: (a) the Product performs according to all specific claims that the Contractor made in its

response to the solicitation, (b) the Product is suitable for the ordinary purposes

9

Jul 1, 2013 5:09:04 PM MDT p. 80


for which such Product is used, (c) the Product is suitable for any special purposes identified

in the solicitation or for which the Participating Entity has relied on the Contractor’s skill or

judgment, (d) the Product is designed and manufactured in a commercially reasonable

manner, and (e) the Product is free of defects. Upon breach of the warranty, the Contractor

will repair or replace (at no charge to the Participating Entity) the Product whose

nonconformance is discovered and made known to the Contractor. If the repaired and/or

replaced Product proves to be inadequate, or fails of its essential purpose, the Contractor will

refund the full amount of any payments that have been made. The rights and remedies of the

parties under this warranty are in addition to any other rights and remedies of the parties

provided by law or equity, including, without limitation, actual damages, and, as applicable

and awarded under the law, to a prevailing party, reasonable attorneys’ fees and costs.

31. ASSIGNMENT OF ANTITRUST RIGHTS Contractor irrevocably assigns to a Participating

Entity any claim for relief or cause of action which the Contractor now has or which may

accrue to the Contractor in the future by reason of any violation of state or federal antitrust

laws (15 U.S.C. § 1-15 or a Participating Entity’s state antitrust provisions), as now in effect

and as may be amended from time to time, in connection with any goods or services provided

to the Contractor for the purpose of carrying out the Contractor's obligations under this

Master Agreement or Participating Addendum, including, at a Participating Entity's option, the

right to control any such litigation on such claim for relief or cause of action.

Contractor shall require any subcontractors hired to perform any of Contractor's obligations,

under this Master Agreement or Participating Addendum, to irrevocably assign to a

Participating Entity, as third party beneficiary, any right, title or interest that has accrued or

which may accrue in the future by reason of any violation of state or federal antitrust laws

(15 U.S.C. § 1-15 or a Participating Entity’s state antitrust provisions), as now in effect and as

may be amended from time to time, in connection with any goods or services provided to the

subcontractor for the purpose of carrying out the subcontractor's obligations to the Contractor

in pursuance of this Master Agreement or Participating Addendum, including, at a

Participating Entity's option, the right to control any such litigation on such claim for relief or

cause of action.

32. WSCA-NASPO eMARKET CENTER Awarded responders are required to participate in the

WSCA-NASPO eMarket Center and, working through WSCA-NASPO’s contractor (SciQuest),

connect with the eMarket Center. The ideal situation would be to use either a hosted (by

SciQuest) or Punchout Level 2 catalog configurations, but actual requirements will be

determined by the Lead State Contract Administrator, WSCA-NASPO, WSCA-NASPO’s

contractor (SciQuest) and the awarded contractor, after award. Participation does not

require an awarded responder to have any special level of technology or technological

understanding.

Definitions

10

Jul 1, 2013 5:09:04 PM MDT p. 81


Acceptance - means a written notice from a purchasing entity to contractor advising Contractor that the Product has passed its Acceptance Testing. Acceptance of a product for which acceptance testing is not required shall occur following the completion of delivery, installation, if required, and a reasonable time for inspection of the product, unless the Purchasing Entity provides a written notice of rejection to contractor.

Acceptance Testing - means the process for ascertaining that the Product meets the standards set forth in the section titled Standard of Performance and Acceptance, prior to Acceptance by the Purchasing Entity.

Contractor - means the person or entity delivering Products or performing services under the

terms and conditions set forth in this Master Agreement.

Intellectual Property – means any and all patents, copyrights, service marks, trademarks,

trade secrets, trade names, patentable inventions, or other similar proprietary rights, in

tangible or intangible form, and all rights, title, and interest therein.

Lead State - means the State conducting this cooperative solicitation and centrally administering any resulting Master Agreement with the permission of the Signatory States.

Master Agreement – means the underlying agreement executed by and between the Lead State, as WSCA-NASPO contract administrator, acting on behalf of WSCA-NASPO, and the Contractor, as now or hereafter amended.

Order - means any purchase order, sales order, or other document used by a Participating Entity to order the Products.

Participating Addendum - means a bilateral agreement executed by a Contractor and a Participating Entity incorporating this Master Agreement and any other additional Participating Entity specific language or other requirements ,e.g. ordering procedures specific to the Participating Entity, other terms and conditions.

Participating Entity - means a state, or other legal entity, properly authorized by a state to enter into the Master Agreement or Participating Addendum or who is authorized to order under the Master Agreement or Participating Addendum.

Product - Any equipment, software (including embedded software), documentation, or deliverable supplied or created by the Contractor pursuant to this Master Agreement.

WSCA-NASPO -is a cooperative group contracting consortium for state procurement officials, representing departments, institutions, agencies, and political subdivisions (i.e., colleges, school districts, counties, cities, etc.) for all states and the District of Columbia. WSCA- NASPO is a cooperative purchasing arm of the National Association of State Procurement Officials (NASPO).

Additional Definitions and Alternative Terms for Consideration

11

Jul 1, 2013 5:09:04 PM MDT p. 82


Below are additional definitions and alternative terms for consideration by the sourcing teams

depending upon the nature of the solicitation and negotiations between the Contractor and

Vendor.

Embedded Software - means one or more software applications which permanently reside on

a computing device.

Machine Code – means microcode, basic input/output system code, utility programs, device

drivers, diagnostics, and another code delivered with a computing device for the purpose of

enabling the function of the computing device, as stated in its published specifications.

(revised March 2013)

12

Jul 1, 2013 5:09:04 PM MDT p. 83


ATTACHMENT A STATE OF UTAH STANDARD INFORMATION TECHNOLOGY TERMS AND CONDITIONS

(FOR WSCA CONTRACTS and DTS RELATED CONTRACTS)

1. AUTHORITY: Provisions of this contract are pursuant to the authority set forth in 63G-6, Utah Code Annotated, 1953, as amended, Utah State

Procurement Rules (Utah Administrative Code Section R33), and related statutes which permit the State to purchase certain specified services, and other approved purchases for the State.

2. CONTRACT JURISDICTION, CHOICE OF LAW, AND VENUE: The provisions of this contract shall be governed by the laws of the

State of Utah. The parties will submit to the jurisdiction of the courts of the State of Utah for any dispute arising out of this Contract or the breach thereof. Venue shall be in Salt Lake City, in the Third Judicial District Court for Salt Lake County.

3. LAWS AND REGULATIONS: The Contractor and any and all supplies, services, equipment, and construction furnished under this contract

will comply fully with all applicable Federal and State laws and regulations, including applicable licensure and certification requirements.

4. RECORDS ADMINISTRATION: The Contractor shall maintain, or supervise the maintenance of all records necessary to properly account

for the payments made to the Contractor for costs authorized by this contract. These records shall be retained by the Contractor for at least four

years after the contract terminates, or until all audits initiated within the four years, have been completed, whichever is later. The Contractor

agrees to allow State and Federal auditors, and State Agency Staff, access to all the records to this contract, for audit and inspection, and

monitoring of services. Such access will be during normal business hours, or by appointment.

5. CERTIFY REGISTRATION AND USE OF EMPLOYMENT "STATUS VERIFICATION SYSTEM”: The Status Verification System,

also referred to as “E-verify”, only applies to contracts issued through a Request for Proposal process, and to sole sources that are included

within a Request for Proposal. It does not apply to Invitation for Bids or to the Multi-Step Process.

1. Status Verification System (1) Each offeror and each person signing on behalf of any offeror certifies as to its own entity, under penalty of perjury, that the named

Contractor has registered and is participating in the Status Verification System to verify the work eligibility status of the contractor’s new

employees that are employed in the State of Utah in accordance with applicable immigration laws including UCA Section 63G-12-302.

(2) The Contractor shall require that the following provision be placed in each subcontract at every tier: “The subcontractor shall certify to the

main (prime or general) contractor by affidavit that the subcontractor has verified through the Status Verification System the employment status

of each new employee of the respective subcontractor, all in accordance with applicable immigration laws including UCA Section 63G-12-302

and to comply with all applicable employee status verification laws. Such affidavit must be provided prior to the notice to proceed for the subcontractor to perform the work.” (3) The State will not consider a proposal for award, nor will it make any award where there has not been compliance with this Section.

(4) Manually or electronically signing the Proposal is deemed the Contractor’s certification of compliance with all provisions of this

employment status verification certification required by all applicable status verification laws including UCA Section 63G-12-302.

2. Indemnity Clause for Status Verification System (1) Contractor (includes, but is not limited to any Contractor, Design Professional, Designer or Consultant) shall protect, indemnify and hold harmless, the State and its officers, employees, agents, representatives and anyone that the State may be liable for, against any claim, damages or

liability arising out of or resulting from violations of the above Status Verification System Section whether violated by employees, agents, or contractors of the following: (a) Contractor; (b) Subcontractor at any tier; and/or (c) any entity or person for whom the Contractor or

Subcontractor may be liable.

(2) Notwithstanding Section 1. above, Design Professionals or Designers under direct contract with the State shall only be required to

indemnify the State for a liability claim that arises out of the design professional's services, unless the liability claim arises from the Design

Professional's negligent act, wrongful act, error or omission, or other liability imposed by law except that the design professional shall be

required to indemnify the State in regard to subcontractors or subconsultants at any tier that are under the direct or indirect control or responsibility of the Design Professional, and includes all independent contractors, agents, employees or anyone else for whom the Design

Professional may be liable at any tier.

6. CONFLICT OF INTEREST: Contractor represents that none of its officers or employees are officers or employees of the State of Utah, unless

disclosure has been made in accordance with 67-16-8, Utah Code Annotated, 1953, as amended.

7. CONFLICT OF INTEREST WITH STATE EMPLOYEES: In addition to the provisions of State of Utah Terms and Conditions # 6, Conflict of Interest, the Contractor certifies that no person in the State’s employment, directly or through subcontract, will receive any private

financial interest, direct or indirect, in the contract. The Contractor will not hire or subcontract with any person having such conflicting interest.

8. CONTRACTOR ACCESS TO SECURE STATE FACILITIES / CRIMINAL CONVICTION INFORMATION / FORMER FELONS:

The Contractor shall provide (at its own expense) the State with sufficient personal information about its agents or employees, and the agents

and employees of its subcontractors (if any) who will enter upon secure premises controlled, held, leased, or occupied by the State during the

course of performing this contract so as to facilitate a criminal record check, at State expense. “Sufficient personal information” about its agents

or employees, and the agents and employees of its subcontractors (if any) means for the Contractor to provide to the State Project Manager, in

advance of any on-site work, a list of the full names of the designated employees, including their social security number, driver license number

and the state of issuance, and their birth date. Thereafter, on their first site visit, each contractor employee expected to work on-site shall be

fingerprinted by the State, and the State is authorized to conduct a federal criminal background check based upon those fingerprints and personal information provided. Contractor, in executing any duty or exercising any right under this contract, shall not cause or permit any of its agents or

employees, and the agents and employees of its subcontractors (if any) who have been convicted of a felony and misdemeanors other than minor

Jul 1, 2013 5:09:04 PM MDT p. 84


misdemeanors to enter upon any premises controlled, held, leased, or occupied by the State. A felony and misdemeanor are defined by the jurisdiction of the State of Utah, regardless of where the conviction occurred.

9. DRUG-FREE WORKPLACE: The Contractor agrees to abide by the Department of Technology Services (DTS) drug-free workplace

policies while on State of Utah premises. DTS will provide the Contractor with a copy of these written “drug-free workplace policies” upon

request.

10. CODE OF CONDUCT: When Contractor employees are working on-site, the Contractor agrees to follow and enforce DTS Policy 2000-001

Code of Conduct. If Contractor is working at facilities controlled by other State agencies, Contractor agrees to follow and enforce the Code of

Conduct Policy of these other State agencies when Contractor is providing services at these facilities under provisions of this contract. The

Contractor will assure that each employee or volunteer under Contractor’s supervision receives a copy of such Code of Conduct, and a signed

statement to this effect must be in each Contractor or Subcontractor employee’s/volunteer’s file and is subject to inspection and review by the

State’s monitors. Upon request, DTS agrees to provide Contractor with a copy of any applicable codes of conduct. If a Contractor or

Subcontractor is working at any State agency which has a Code of Conduct applicable to this Contract, the DTS Project Manager will provide

the Contractor with a copy in advance of the Contractor’s on-site contract services performance.

11. INDEMNITY CLAUSE: The Contractor agrees to indemnify, save harmless, and release the State of Utah, and all its officers, agents,

volunteers, and employees from and against any and all loss, damages, injury, liability, suits, and proceedings arising out of the performance of

this contract which are caused in whole or in part by the acts or negligence of the Contractor's officers, agents, volunteers, or employees, but not

for claims arising from the State's sole negligence. The parties agree that if there are any Limitations of the Contractor’s Liability, including a

limitation of liability for anyone for whom the Contractor is responsible, such Limitations of Liability will not apply to injuries to persons,

including death, or to damages to property.

12. EMPLOYMENT PRACTICES CLAUSE: The Contractor agrees to abide by the provisions of Title VI and VII of the Civil Rights Act of

1964 (42USC 2000e) which prohibits discrimination against any employee or applicant for employment or any applicant or recipient of services,

on the basis of race, religion, color, or national origin; and further agrees to abide by Executive Order No. 11246, as amended, which prohibits

discrimination on the basis of sex; 45 CFR 90 which prohibits discrimination on the basis of age; and Section 504 of the Rehabilitation Act of

1973, or the Americans with Disabilities Act of 1990 which prohibits discrimination on the basis of disabilities. Also, the Contractor agrees to

abide by Utah's Executive Order, dated March 17, 1993, which prohibits sexual harassment in the work place.

13. TERMINATION: Unless otherwise stated in the Special Terms and Conditions, this contract may be terminated, with cause by either party, in advance of the specified termination date, upon written notice being given by the other party. The party in violation will be given ten (10)

working days after notification to correct and cease the violations, after which the contract may be terminated for cause. This contract may be

terminated without cause, in advance of the specified expiration date, by either party, upon sixty (60) days prior written notice being given the

other party. On termination of this contract, all accounts and payments will be processed according to the financial arrangements set forth herein

for approved services rendered to date of termination.

In the event of such termination, and professional services apply to the contract; the Contractor shall be compensated for services properly

performed under this Contract up to the effective date of the notice of termination. The Contractor agrees that in the event of such termination

for cause or without cause, Contractor’s sole remedy and monetary recovery from the State is limited to full payment for all work properly performed as authorized under this Contract up to the date of termination as well as any reasonable monies owed as a result of the Contractor

having to terminate contracts necessarily and appropriately entered into by the Contractor pursuant to this Contract. Contractor further

acknowledges that in the event of such termination, all work product, which includes but is not limited to all manuals, forms, contracts,

schedules, reports, and any and all documents produced by Contractor under this Contract up to the date of termination are the property of the

State and shall be promptly delivered to the State.

14. SUSPENSION OF WORK: Should circumstances arise which would cause the State to suspend the work, but not terminate the contract, this

will be done by formal notice. The work may be reinstated upon advance formal notice from the State.

15. NONAPPROPRIATION OF FUNDS: The Contractor acknowledges that the State cannot contract for the payment of funds not yet

appropriated by the Utah State Legislature. If funding to the State is reduced due to an order by the Legislature or the Governor, or is required

by State law, or if federal funding (when applicable) is not provided, the State may terminate this contract or proportionately reduce the services

and purchase obligations and the amount due from the State upon 30 days written notice. In the case that funds are not appropriated or are

reduced, the State will reimburse Contractor for products delivered or services performed through the date of cancellation or reduction, and the

State will not be liable for any future commitments, penalties, or liquidated damages.

16. SALES TAX EXEMPTION: The State of Utah’s sales and use tax exemption number is 11736850-010-STC, located at

http://purchasing.utah.gov/contract/documents/salestaxexemptionformsigned.pdf. The tangible personal property or services being purchased

are being paid from State funds and used in the exercise of that entity’s essential functions. If the items being purchased are construction

materials, they will be converted into real property by employees of this government entity, unless otherwise stated in the contract.

17. SECURE PROTECTION AND HANDLING OF DATA:

1. Network Security: Contractor agrees at all times to maintain network security that - at a minimum - includes: network firewall

provisioning, intrusion detection, and regular third party penetration testing. Likewise Contractor agrees to maintain network security that

conforms to one of the following:

a. Those standards the State of Utah applies to its own network, found at http://www.dts.utah.gov;

http://purchasing.utah.gov/contract/documents/salestaxexemptionformsigned.pdf

http://purchasing.utah.gov/contract/documents/salestaxexemptionformsigned.pdf

Jul 1, 2013 5:09:04 PM MDT p. 85


b. Current standards set forth and maintained by the National Institute of Standards and Technology, includes those at:

http://web.nvd.nist.gov/view/ncp/repository/; or

c. Any generally recognized comparable standard that Contractor then applies to its own network and approved by DTS in writing.

2. Data security: Contractor agrees to protect and maintain the security of the State of Utah data with protection that is at least as good as or

better than that maintained by the State of Utah. These security measures included but are not limited to maintaining secure environments

that are patched and up to date with all appropriate security updates as designated, (ex. Microsoft Notification).

3. Data Transmission: Contractor agrees that any and all transmission or exchange of system application data with the State of Utah and/or

any other parties expressly designated by the State of Utah, shall take place via secure means, (ex. HTTPS or FTPS).

4. Data Storage: Contractor agrees that any and all State of Utah data will be stored, processed, and maintained solely on designated target

servers approved of by DTS and that no State of Utah data at any time will be processed on or transferred to any portable or laptop

computing device or any portable storage medium, unless such medium is part of the Contractor's designated backup and recovery process.

5. Data Encryption: Contractor agrees to store all State of Utah backup data as part of its designated backup and recovery process in

encrypted form, using no less than 128 bit key.

6. Password Protection. Contractor agrees that any portable or laptop computer that has access to a State of Utah network, or stores any

non-public State of Utah data is equipped with strong and secure password protection.

7. Data Re-Use: Contractor agrees that any and all data exchanged shall be used expressly and solely for the purpose enumerated in this

Contract. Contractor further agrees that no State of Utah data of any kind shall be transmitted, exchanged or otherwise passed to other

Contractors or interested parties except on a case-by-case basis as specifically agreed to in writing by DTS.

8. Data Destruction: The Contractor agrees that upon termination of this Agreement it shall erase, destroy, and render unreadable all State of

Utah data from all non-state computer systems and backups, and certify in writing that these actions have been completed within 30 days of the termination of this Agreement or within 7 days of the request of DTS, whichever shall come first.

18. NOTIFICATION AND DATA BREACHES: Contractor agrees to comply with all applicable laws that require the notification of individuals

in the event of unauthorized release of personally-identifiable information or other events requiring notification in accordance with DTS Policy

5000-1250-PR1 Computer Incident Reporting Procedure (copy available upon request). In the event of a data breach of any Contractor's

security obligations or other event requiring notification under applicable law (Utah Code Annotated § 13-44-101 thru 301 et al), Contractor

agrees at its own expense to assume responsibility for informing all such individuals in accordance with applicable laws and to indemnify, hold

harmless and defend the State of Utah against any claims, damages, or other harm related to such Notification Event.

19. CHANGE MANAGEMENT: Contractor agrees to comply with DTS Change Management Policy 4000-0004. This DTS policy requires that

any work performed by the Contractor that has the potential to cause any form of outage, or modify the State’s infrastructure architecture must

first be reviewed by the DTS Change Management Committee, and coordinated accordingly. The DTS Project Manager will inform the

Contractor if this change control requirement is applicable. Following this notification, any failure by the Contractor that causes outages or data

security breaches caused by the Contractor as a direct result of failure to comply, will result in the Contractor’s liability for the damages.

For reference purposes, the latest version of DTS Change Management Policy 4000-0004 is detailed at

http://dts.utah.gov/policies/documents/4000-0004changemanagementpolicy.pdf.

20. PUBLIC INFORMATION: Contractor agrees that the contract, related Sales Orders, and Invoices will be public documents, and may be

available for distribution. Contractor gives the State express permission to make copies of the contract, related Sales Orders, and Invoices in

accordance with the State of Utah Government Records Access and Management Act (GRAMA). Except for sections identified in writing and

expressly approved by the State Division of Purchasing, Contractor also agrees that the Contractor’s response to the solicitation will be a public

document, and copies may be given to the public under GRAMA laws. The permission to make copies as noted will take precedence over any

statements of confidentiality, proprietary information, copyright information, or similar notation.

21. CREDITING STATE IN ADVERTISING / PUBLICITY: Any publicity given to the project or services provided herein shall identify the

State of Utah’s managing agency as the sponsoring agency and shall not be released without prior written approval by that State agency’s

Project Manager.

22. STATE AGENCY WEB SITE BRANDING: The Contractor agrees to use the DTS logo, or a newer version if replaced in the future, on

websites produced under terms of this contract. Contractor further agrees to allow a State agency to also utilize their own web site branding and

logo, if requested by that State agency.

23. ORDERING AND INVOICING: All orders will be shipped promptly in accordance with the delivery schedule. The Contractor will

promptly submit invoices (within 30 days of shipment or delivery of services) to the State. The State contract number and/or the agency purchase order number shall be listed on all invoices, freight tickets, and correspondence relating to the contract order. The prices paid by the

State will be those prices listed in the contract. The State has the right to adjust or return any invoice reflecting incorrect pricing.

24. PROMPT PAYMENT DISCOUNT: Offeror may quote a prompt payment discount based upon early payment; however, discounts offered for

less than 30 days will not be considered in making the award. Contractor shall list Payment Discount Terms on invoices. The prompt payment

discount will apply to payments made with purchasing cards and checks. The date from which discount time is calculated will be the date a

http://web.nvd.nist.gov/view/ncp/repository/%3B

http://dts.utah.gov/policies/documents/4000-0004changemanagementpolicy.pdf

Jul 1, 2013 5:09:04 PM MDT p. 86


correct invoice is received or receipt of shipment, whichever is later; except that if testing is performed, the date will be the date of acceptance of the merchandise.

25. PAYMENT:

1. Payments are normally made within 30 days following the date the order is delivered or the date a correct invoice is received, whichever is

later. After 60 days from the date a correct invoice is received by the appropriate State official, the Contractor may assess interest on overdue,

undisputed account charges up to a maximum of the interest rate paid by the IRS on taxpayer refund claims, plus two percent, computed

similarly as the requirements of Utah Code Annotated Section 15-6-3. The IRS interest rate is adjusted quarterly, and is applied on a per annum

basis, on the invoice amount that is overdue.

2. The contract total may be changed only by written amendment executed by authorized personnel of the parties. Unless otherwise stated in

the Contract, all payments to the Contractor will be remitted by mail, electronic funds transfer, or the State of Utah’s purchasing card (major

credit card). The State of Utah will not allow the Contractor to charge end users electronic payment fees of any kind.

3. The acceptance by the Contractor of final payment without a written protest filed with the State within ten (10) working days of receipt of final payment shall release the State from all claims and all liability to the Contractor for fees and costs of the performance of the services

pursuant to this Contract.

4. Overpayment: The Contractor agrees that if during or subsequent to the contract performance, a CPA audit, or a State agency audit

determines that payments were incorrectly reported or paid the State may adjust the payments. The Contractor shall, upon written request,

immediately refund to DTS any such overpayments. The Contractor further agrees that the State shall have the right to withhold any or all-

subsequent payments under this or other contracts that the Contractor may have with the State until recoupment of overpayment is made.

5. Payment withholding: the Contractor agrees that the adequate reporting, record keeping, and compliance requirements specified in this

contract are a material element of performance and that if the Contractor’s record keeping practices, compliance, and/or reporting to DTS are not

conducted in a timely and satisfactory manner, DTS may withhold part or all payments under this or any other contract until such deficiencies

have been remedied. This includes, but is not limited to, Contractors failure to provide timely invoicing, and/or other requirements described

elsewhere within this contract. In the event of the payment(s) being withheld, DTS agrees to provide ten (10) day advance Notice to the

Contractor of the deficiencies that must be corrected in order to bring about the release of withheld payment. Contractor shall have ten (10) days

thereafter to correct the cited reporting or record keeping practice deficiencies or the contract may be terminated.

26. COPYRIGHT: The contractor agrees that any and all Deliverables prepared for the State of Utah as required by this contract, to the extent to

which it is eligible under copyright law in any country, shall be deemed a work made for hire, such that all rights, title and interest in the work

and Deliverables shall be exclusively owned by the State of Utah. State of Utah reserves a royalty-free, nonexclusive, and irrevocable license to

reproduce, publish, or otherwise use and to authorize others to use for Federal or State Government purposes, such software, modifications and

documentation. To the extent any Deliverable is deemed not to be, for any reason whatsoever, work made for hire, Contractor agrees to assign

and hereby assigns all right title and interest, including but not limited to copyright patent, trademark and trade secret, to such Deliverables, and

all extensions and renewals thereof, to the State of Utah. Contractor further agrees to provide all assistance reasonably requested by the State of

Utah in the establishment, preservation, and enforcement of its rights in such Deliverables, without any additional compensation to Contractor.

Contractor agrees to and hereby, to the extent permissible, waives all legal and equitable rights relating to the Deliverables, including without

limitation any and all rights of identification of authorship and any and all rights of approval, restriction or limitation on use or subsequent

modifications.

27. OWNERSHIP, PROTECTION AND USE OF RECORDS: Except for confidential medical records held by direct care providers, the State

shall own exclusive title to all information gathered, reports developed, and conclusions reached in performance of this Contract. The

Contractor may not use, except in meeting its obligations under this contract, information gathered, reports developed, or conclusions reached in

performance of this Contract without the express written consent of the State. The improper use or disclosure of any information concerning a

State of Utah client, or a State of Utah employee for any purpose not directly connected with the administration of the State, or the Contractor’s

responsibilities with respect to services purchased under this agreement, is prohibited except on written consent of the state agency employee,

state agency client, their attorney, or their responsible parent or guardian. The Contractor will be required to sign a Confidential Information

Certification form in situations where they will be given access to confidential computerized records. The Contractor agrees to maintain the

confidentiality of records it holds as agent for the State as required by Government Records Access and Management Act (“GRAMA”), or other

applicable federal or state law. The State of Utah shall own and retain unlimited rights to use, disclose, or duplicate all information and data

(copyrighted or otherwise) developed, derived, documented, stored, or furnished by the Contractor under the Contract. The Contractor, and any

subcontractors under its control, expressly agrees not to use confidential client, or confidential federal, state, or local government data, without

prior written permission from the State of Utah Project Manager and appropriate officials of the State Agency.

28. OWNERSHIP, PROTECTION, AND USE OF CONFIDENTIAL FEDERAL, STATE, OR LOCAL GOVERNMENT INTERNAL BUSINESS PROCESSES AND PROCEDURES: The improper use or disclosure by any party of protected internal Federal or State business processes, polices, procedures, or practices is prohibited. Confidential federal or state business processes, policies, procedures, or practices shall

not be divulged by the Contractor, Contractor’s employees, or their Subcontractors, unless prior written consent has been obtained in advance

from the State of Utah Project Manager.

29. OWNERSHIP, PROTECTION, AND RETURN OF DOCUMENTS AND DATA UPON CONTRACT TERMINATION OR

COMPLETION: All documents and data pertaining to work required by this contract will be the property of the State and must be delivered to the State within 30 working days after termination or completion of the contract, regardless of the reason for contract termination, and without

restriction or limitation to their future use. Any State data that may be returned under provisions of this clause must either be in the format as originally provided, or in a format that is readily usable by the State or that can be formatted in a way that it can be used. Costs for all of these

described items will be considered as included in the basic contract compensation of the work described used by the State.

Jul 1, 2013 5:09:04 PM MDT p. 87


30. CONFIDENTIALITY: Contractor, and anyone for whom the Contractor may be liable, must maintain the confidentiality of any non-public

personal information. Personal information includes, but is not limited to, names, social security numbers, birth dates, address, credit card

numbers and financial account numbers. The State reserves the right to identify additional reasonable types or categories of information that

must be kept confidential by the Contractor and anyone for whom the Contractor may be liable. This duty of confidentiality shall be ongoing

and survive the term of this contract.

31. TERMINATION UPON DEFAULT: In the event this contract is terminated as a result of a default by the Contractor, the State may procure

or otherwise obtain, upon such terms and conditions as the State deems appropriate, services similar to those terminated, and Contractor shall be liable to the State for any and all damages arising there from, including, but not limited to, attorneys’ fees and excess costs incurred by the State

in obtaining similar services.

32. PROCUREMENT ETHICS: The Contractor understands that a person who is interested in any way in the sale of any supplies, services,

construction, or insurance to the State of Utah is violating the law if the person gives or offers to give any compensation, gratuity, contribution,

loan or reward, or any promise thereof to any person acting as a procurement officer on behalf of the State, or who in any official capacity

participates in the procurement of such supplies, services, construction, or insurance, whether it is given for their own use or for the use or

benefit of any other person or organization (63G-6-1002, Utah Code Annotated, 1953, as amended).

33. WORKERS’ COMPENSATION: The Contractor shall furnish proof to the State, upon request and maintain during the life of this contract, workers’ compensation insurance for all its employees as well as any subcontractor employees related to this contract.

34. LIABILITY INSURANCE: The Contractor agrees to provide and to maintain during the performance of the contract, at its sole expense, a

policy of liability insurance. The limits of the policy shall be no less than $1,000,000.00 for each occurrence and $3,000,000.00 aggregate.

It shall be the responsibility of the Contractor to require any of their Subcontractor(s) to secure the same insurance coverage as prescribed herein

for the Contractor.

35. ENTIRE AGREEMENT: This Agreement, including all Attachments, and documents incorporated hereunder, and the related State

Solicitation constitutes the entire agreement between the parties with respect to the subject matter, and supersedes any and all other prior and

contemporaneous agreements and understandings between the parties, whether oral or written. The terms of this Agreement shall supersede any

additional or conflicting terms or provisions that may be set forth or printed on the Contractor’s work plans, cost estimate forms, receiving

tickets, invoices, or any other related standard forms or documents of the Contractor that may subsequently be used to implement, record, or

invoice services hereunder from time to time, even if such standard forms or documents have been signed or initialed by a representative of the

State. The parties agree that the terms of this Agreement shall prevail in any dispute between the terms of this Agreement and the terms printed

on any such standard forms or documents, and such standard forms or documents shall not be considered written amendments of this

Agreement.

36. SURVIVORSHIP: This paragraph defines the specific contractual provisions that will remain in effect after the completion of or termination

of this contract, for whatever reason: (a) State of Utah Standard IT Terms and Conditions # 2, Contract Jurisdiction, Choice of Law, and Venue;

(b) State of Utah Standard IT Terms and Conditions # 17, Secure Protection and Handling of Data; (c) State of Utah Standard IT Terms and

Conditions # 18, Notification and Data Breaches; (d) State of Utah Standard IT Terms and Conditions # 26, Copyright; (e) State of Utah

Standard IT Terms and Conditions #27, Ownership, Protection, and Use of Records, including Residuals of such records; and (f) State of Utah

Standard IT Terms and Conditions # 28, Ownership, Protection, and Use of Confidential Federal, State, or Local Government Internal Business Processes, including Residuals of such confidential business processes; (g) State of Utah Standard IT Terms and Conditions # 29, Ownership,

Protection, and Return of Documents and Data Upon Contract Termination or Completion; and (h) State of Utah Standard IT Terms and

Conditions # 30, Confidentiality.

37. WAIVER: The waiver by either party of any provision, term, covenant or condition of this Contract shall not be deemed to be a waiver of any

other provision, term, covenant or condition of this Contract nor any subsequent breach of the same or any other provision, term, covenant or

condition of this Contract.

If professional services are applicable to this solicitation/contract, the following terms and conditions apply:

38. TIME: The Contractor shall complete the scope of services work in a manner to achieve any milestones identified in the procurement

documents related to this Contract and the attachments to this Contract. The full scope of services work shall be completed by any applicable

deadline stated in the solicitation.

39. TIME IS OF THE ESSENCE: For all work and services under this Contract, time is of the essence and Contractor shall be liable for all

damages to the State of Utah and anyone for whom the State of Utah may be liable, as a result of the failure to timely complete the scope of

work required under this Contract.

40. CHANGES IN SCOPE: Any changes in the scope of the services to be performed under this Contract shall be in the form of a written

amendment to this Contract, mutually agreed to and signed by duly authorized representatives of both parties, specifying any such changes, fee

adjustments, any adjustment in time of performance, or any other significant factors arising from the changes in the scope of services.

41. PERFORMANCE EVALUATION: The State of Utah may conduct a performance evaluation of the Contractor’s services, including specific

personnel of the Contractor. References in the Contract to Contractor shall include Contractor, Contractor’s subcontractors, or subconsultants at any tier, if any. Results of any evaluation will be made available to the Contractor.

Jul 1, 2013 5:09:04 PM MDT p. 88


42. WAIVERS: No waiver by the State or Contractor of any default shall constitute a waiver of the same default at a later time or of a different default.

43. INSURANCE:

1. To protect against liability, loss and/or expense in connection with the performance of services described under this Contract, the Contractor

shall obtain and maintain in force during the entire period of this Contract without interruption, at its own expense, insurance as listed below

from insurance companies authorized to do business in the State of Utah and with an A.M. Best rating as approved by the State of Utah Division

of Risk Management.

2. The following are minimum coverages that may be supplemented by additional requirements contained in the solicitation for this Contract or

provided in an Attachment to this Contract; if no insurance limits are identified in the solicitation, insurance minimums will default to Section 44. Liability Insurance Requirements:

(1) Worker’s Compensation Insurance and Employers’ Liability Insurance. Worker’s compensation insurance shall cover full liability under

the worker’s compensation laws of the jurisdiction in which the service is performed at the statutory limits required by said jurisdiction. (2) Professional liability insurance in the amount as described in the solicitation for this Contract, if applicable.

(3) Any other insurance described in the solicitation for this Contract, if applicable.

3. Any type of insurance or any increase of limits of liability not described in this Contract which the Contractor requires for its own protection

or on account of any statute, rule, or regulation shall be its own responsibility, and shall be provided at Contractor’s own expense.

4. The carrying of insurance required by this Contract shall not be interpreted as relieving the Contractor of any other responsibility or liability

under this Contract or any applicable law, statute, rule, regulation, or order.

44. STANDARD OF CARE: The services of Contractor and its subcontractors and subconsultants at any tier, if any, shall be performed in

accordance with the standard of care exercised by licensed members of their respective professions having substantial experience providing

similar services which similarities include the type, magnitude and complexity of the services that are the subject of this Contract. The Contractor shall be liable to the State of Utah for claims, liabilities, additional burdens, penalties, damages or third party claims (i.e. another

Contractor’s claim against the State of Utah), to the extent caused by wrongful acts, errors or omissions that do not meet this standard of care.

45. STATE REVIEWS, LIMITATIONS: The right of the State to perform plan checks, plan reviews, other reviews and/or comment upon the

services of the Contractor, as well as any approval by the State, shall not be construed as relieving the Contractor from its professional and legal

responsibility for services required under this Contract. No review by the State or any entity/user, approval or acceptance, or payment for any of

the services required under this Contract shall be construed to operate as a waiver by the State of any right under this Contract or of any cause of

action arising out of the performance or nonperformance of this Contract, and the Contractor shall be and remain liable to the State in

accordance with applicable law for all damages to the State caused by the wrongful acts, errors and/or omissions of the Contractor or its subcontractors or subconsultants at any tier, if any.

(Revised July 1, 2013)

Jul 1, 2013 5:09:04 PM MDT p. 89


Question and Answers for Bid #JP14001 - Data Communications Products & Services

OVERALL BID QUESTIONS

There are no questions associated with this bid. If you would like to submit a question,

please click on the "Create New Question" button below.

Question Deadline: Jul 26, 2013 11:00:00 AM MDT

WSCA-NASPO Master Agreement Terms and Conditions

1. AGREEMENT ORDER OF PRECEDENCE:The Master Agreement shall consist of the following documents: 1. A Participating Entity’s Participating Addendum (“PA”);2. WSCA-NASPO Master Agreement Terms and Conditions;3. The Statement of Work;4. The Solicitation; and5. Contractor's response to the Solicitation.

These documents shall be read to be consistent and complementary. Any conflict among these documents shall be resolved by giving priority to these documents in the order listed above. Contractor terms and conditions that apply to this Master Agreement are only those that are expressly accepted by the Lead State and must be in writing and attached to this Master Agreement as an Exhibit or Attachment. No other terms and conditions shall apply, including terms and conditions listed in the Contractor’s response to the Solicitation, or terms listed or referenced on the Contractor's website, in the Contractor quotation/sales order or in similar documents subsequently provided by the Contractor.

2. AMENDMENTS The terms of this Master Agreement shall not be waived, altered, modified, supplemented or amended in any manner whatsoever without prior written approval of the WSCA-NASPO Contract Administrator.

3. ASSIGNMENT/SUBCONTRACT Contractor Neither party shall not assign, sell, transfer, subcontract or sublet rights, or delegate responsibilities under this contract, in whole or in part, without the prior written approval of the WSCA-NASPO Contract Administratorthe other party. A merger, acquisition or internal reorganization shall not constitute an assignment under this clause.

4. CANCELLATION Unless otherwise stated in the special

terms and conditions, any Master Agreement may be canceled by either party upon 60 days notice, in writing, prior to the effective date of the cancellation. Further, any Participating State may cancel its participation upon 30 days written notice, unless otherwise limited or stated in the special terms and conditions of this solicitation. Cancellation may be in whole or in part. Any cancellation under this provision shall not effect the rights and obligations attending orders outstanding at the time of cancellation, including any right of and Purchasing Entity to indemnification by the Contractor, rights of payment for goods/services delivered and accepted, and rights attending any warranty or default in performance in association with any order. Cancellation of the Master Agreement due to Contractor default may be immediate.

5. CONFIDENTIALITY, NON-DISCLOSURE AND INJUNCTIVE

RELIEF 5.1 Confidentiality. Contractor acknowledges that it and its employees or agents may, in the course of providing the Product under this Master Agreement, be exposed to or acquire information that is confidential to Participating Entity or Participating Entity’s clients. Any and all information of any form that is marked as confidential or would by its nature be deemed confidential obtained by Contractor or its employees or agents in the performance of this Master Agreement, including, but not necessarily limited to (a) any Participating Entity records, (b) personnel records, and (c) information concerning individuals, is confidential information of Participating Entity (“Confidential Information”). Any reports or other documents or items (including software) that result from the use of the Confidential Information by Contractor shall be treated in the same manner as the Confidential Information. Confidential Information does not include information that (a) is or becomes (other than by disclosure by Contractor) publicly known; (b) is furnished by Participating Entity to others without restrictions similar to those imposed by this Master Agreement; (c) is rightfully in Contractor’s possession without the obligation of nondisclosure prior to the

time of its disclosure under this Master Agreement; (d) is obtained from a source other than Participating Entity without the obligation of confidentiality, (e) is disclosed with the written consent of Participating Entity or; (f) is independently developed by employees, agents or subcontractors of Contractor who can be shown to have had no access to the Confidential Information.5.2 Non-Disclosure. Contractor shall hold Confidential Information in confidence, using at least the industry standard of confidentiality, and not to copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose Confidential Information to third parties or use Confidential Information for any purposes whatsoever other than the performance of this Master Agreement to Participating Entity hereunder, and to advise each of its employees and agents of their obligations to keep Confidential Information confidential. Contractor shall use commercially reasonable efforts to assist Participating Entity in identifying and preventing any unauthorized use or disclosure of any Confidential Information. Without limiting the generality of the foregoing, Contractor shall advise Participating Entity immediately if Contractor learns or has reason to believe that any person who has had access to Confidential Information has violated or intends to violate the terms of this Master Agreement and Contractor shall at its expense cooperate with Participating Entity in seeking injunctive or other equitable relief in the name of Participating Entity or Contractor against any such person. Except as directed by Participating Entity, Contractor will not at any time during or after the term of this Master Agreement disclose, directly or indirectly, any Confidential Information to any person, except in accordance with this Master Agreement, and that upon termination of this Master Agreement or at Participating Entity’s request, Contractor shall turn over to Participating Entity all documents, papers, and other matter in Contractor's possession that embody Confidential Information. Notwithstanding the

foregoing, Contractor may keep one copy of such Confidential Information necessary for quality assurance, audits and

evidence of the performance of this Master Agreement.5.3

Injunctive Relief. Contractor acknowledges that breach of this Section, including disclosure of any Confidential Information, will cause irreparable injury to Participating Entity that is inadequately compensable in damages. Accordingly, Participating Entity may seek and obtain injunctive relief against the breach or threatened breach of the foregoing undertakings, in addition to any other legal remedies that may be available. Contractor acknowledges and agrees that the covenants contained herein are necessary for the protection of the legitimate business interests of Participating Entity and are reasonable in scope and content.

6. DEBARMENT The contractor certifies that neither it nor its principals are presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded from participation in this transaction (contract) by any governmental department or agency. If the contractor cannot certify this statement, attach a written explanation for review by WSCA-NASPO.

7. DEFAULTS & REMEDIES

a. The occurrence of any of the following events shall be an event of default under this Master Agreement:

i. Nonperformance of contractual requirements; orii. A material breach of any term or condition of this Master Agreement; oriii. Any representation or warranty by Contractor in response to the solicitation or in this Master Agreement proves to be untrue or materially misleading; oriv. Institution of proceedings under any bankruptcy, insolvency, reorganization or similar law, by or against Contractor, or the appointment of a receiver or similar officer for Contractor or any of its property, which is not vacated or fully stayed within sixtythirty (630) calendar days after the institution or occurrence thereof; orv. Any default specified in another section of this Master Agreement.

b. Upon the occurrence of an event of default, Lead State shall issue a written notice of default, identifying the nature of the default, and providing a period of 6015 calendar days in which Contractor shall have an opportunity to cure the default. The Lead State shall not be required to provide advance written notice or a cure period and may immediately terminate this Master Agreement in whole or in part if the Lead State, in its sole discretion, determines that it is reasonably necessary to preserve public safety or prevent immediate public crisis. Time allowed for cure shall not diminish or eliminate Contractor’s liability for damages, including liquidated damages to the extent provided for under this Master Agreement.

c. If Contractor is afforded an opportunity to cure and fails to cure the default within the period specified in the written notice of default, Contractor shall be in breach of its obligations under this Master Agreement and Lead State shall have the right to exercise any or all of the following remedies:

i. Exercise any remedy provided by law; andii. Terminate this Master Agreement and any related Contracts or portions thereof; andiii. Impose liquidated damages as provided in this Master Agreement; andiv. Suspend Contractor from receiving future bid solicitations; andv. Suspend Contractor’s performance; and

vi. Withhold payment until the default is remedied.d. In the event of a default under a Participating Addendum, a Participating Entity shall provide a written notice of default as described in this section and have all of the rights and remedies under this paragraph regarding its participation in the Master Agreement, in addition to those set forth in its Participating Addendum.

8. DELIVERY Unless otherwise indicated in the Master Agreement, the prices are the delivered price to any Participating State agency or political subdivision. All deliveries shall be F.O.B. destination with all transportation and handling

charges paid by the contractor. Responsibility and liability for loss or damage shall remain the Contractor until final inspection and acceptance when responsibility shall pass to the Buyer except as to latent defects, fraud and Contractor’s warranty obligationsdelivery. The minimum shipment amount will be found in the special terms and conditions. Any order for less than the specified amount is to be shipped with the freight prepaid and added as a separate item on the invoice. Any portion of an order to be shipped without transportation charges that is back ordered shall be shipped without charge.

9. FORCE MAJEURE Neither party to this Master Agreement shall be held responsible for delay or default caused by fire, riot, acts of God and/or war which is beyond that party’s reasonable control. WSCA-NASPO may terminate this Master Agreement after determining such delay or default will reasonably prevent successful performance of the Master Agreement.

10.GOVERNING LAW This procurement and the resulting agreement shall be governed by and construed in accordance with the laws of the state sponsoring and administering the procurement. The construction and effect of any Participating Addendum or order against the Master Agreement(s) shall be governed by and construed in accordance with the laws of the Participating Entity’s State. Venue for any claim, dispute or action concerning an order placed against the Master Agreement(s) or the effect of an Participating Addendum shall be in the Purchasing Entity’s State.

11. INDEMNIFICATION

Subject to governmental immunities of the Participating States, each party to this

Agreement and to each Participating Addendum, as the case may be, shall defend,

indemnify and hold harmless the other, its corporate affiliates and their respective

officers, directors, employees, and agents and their respective successors and assigns

from and against any and all claims, losses, liabilities, damages, and expenses (including,

without limitation, reasonable attorneys' fees), including without limitation those based

on contract or tort, arising out of or in connection with a claim, suit or proceeding

brought by a third party based upon bodily injury (including death) or damage to tangible

personal property (not including lost or damaged data) arising from the negligent or

intentional acts or omissions of the indemnifying party or its subcontractors, or the

officers, directors, employees, agents, successors and assigns of any of them. In the

event hat the indemnified party's or a third party's negligent or intentional acts or

omissions contributed to cause the injury or damage for which a claim of indemnity is

being asserted against the indemnifying party hereunder, the damages and expenses

(including, without limitation, reasonable attorneys' fees) shall be allocated or

reallocated, as the case may be, between the indemnified party, the indemnifying party

and any other party bearing responsibility in such proportion as appropriately reflects the

relative fault of such parties, or their subcontractors, or the officers, directors, employees,

agents, successors and assigns of any of them, and the liability of the indemnifying party

shall be proportionately reduced.

The foregoing indemnification obligations are conditioned upon the indemnified party

promptly notifying the indemnifying party in writing of the claim, suit or proceeding for

which the indemnifying party is obligated under this Subsection, cooperating with,

assisting and providing information to, the indemnifying party as reasonably required,

and granting the indemnifying party the exclusive right to defend or settle such claim,

suit or proceeding; provided that any such settlement or compromise includes a release of

the indemnified party from all liability arising out of such claim, suit or proceeding.

The Contractor shall defend, indemnify and hold harmless WSCA- NASPO, the Lead State and Participating Entities along with their officers, agencies, and employees as well as any person or entity for which they may be liable from and against claims, damages or causes of action including reasonable attorneys’ fees and related costs for any death, injury, or damage to property arising from act(s), error(s), or omission(s) of the Contractor, its employees or subcontractors or volunteers, at any tier, relating to the performance under the Master Agreement. This section is not subject to any limitations of liability in this Master Agreement or in any other document executed in conjunction with this Master Agreement

12. INDEMNIFICATION– INTELLECTUAL PROPERTY; LIMITATION OF

LIABILITY; WAIVER OF CONSEQUENTIAL DAMAGES

A) Indemnity from Juniper Networks. Juniper Networks will defend any suit

brought against WSCA- NASPO, the Lead State and Participating Entities along with

their officers, agencies, and employees (“Indemnitees”) to the extent it is based on a

third-party claim that the System sold to The State infringes any U.S. patent or copyright,

and will pay all damages and costs that a court finally awards against Indemnitees as a

result of such claim, provided that Indemnitees gives Juniper Networks (i) prompt written

notice of such suit within 30 days of the receipt of same, and furnishes Juniper Networks

Formatted: Font: 12 pt

Formatted: No bullets or numbering



with a copy of all communications, relating to the claim; (ii) at the time notice of such

claim is delivered to Juniper Networks, sole control over the defense and settlement of

the claim and (iii) all reasonable information and assistance in the defense effort f. In no

event shall Juniper Networks be liable to indemnify Indemnitees for any settlement

entered into without Juniper Networks’ prior written consent. Should the System become,

or in Juniper Networks opinion, be likely to become, the subject of a claim of

infringement of a U.S. patent or copyright, Juniper Networks may, at its option, either:

(A) procure for Indemnitees the right to continue using the System, or (B) replace or

modify the System to make it non-infringing. If neither of the foregoing alternatives is

commercially available to Juniper Networks, then Juniper Networks will grant

Indemnitees a refund for the purchase price paid by Indemnitees of the relevant System

depreciated on a five-year straight-line basis and accept return of the relevant System.

Notwithstanding the foregoing, Juniper Networks shall have no liability for, and

Indemnitees shall indemnify Juniper Networks against, any claim to the extent it is based

upon or arising out of, in whole or in part, (I) alteration or modification of the System

which was not approved by Juniper Networks, (II) combination, operation or use of the

System with any hardware, software or other device not furnished by Juniper Networks if

such claim would not have arisen had such combination, operation or use not occurred

and (III) any product or service not provided by Juniper Networks; (IV) Juniper

Networks’ compliance with Indemnitees’s specifications, designs or instructions; (V)

Indemnitees’s failure to promptly implement an update or modification to the System

(e.g., install a Software Release) provided by Juniper Networks; (VI) use of the System in

a manner other than which it was designed or in a manner other than as specified by

Juniper Networks.

THIS INFRINGEMENT INDEMNITY SET FORTH IN THIS SECTION STATES

JUNIPER NETWORKS’ ENTIRE LIABILITY AND OBLIGATION AND

CUSTOMER’S SOLE REMEDY FOR ANY CLAIM OF INFRINGEMENT OF

THIRD PARTY PATENT, COPYRIGHT, TRADEMARK, TRADE SECRET OR

OTHER INTELLECTUAL PROPERTY RIGHTS.

B) Limitation of Liability. EXCEPT FOR THOSE OBLIGATIONS UNDER the

INTELLECTUAL PROPERTY INFRINGEMENT SECTION THE GENERAL

INDEMNITY SECTION, NOTWITHSTANDING ANYTHING ELSE HEREIN, ALL

LIABILITY OF CONTRACTOR AND ITS SUPPLIERS TO ANY PURCHASER FOR

CLAIMS ARISING UNDER THIS AGREEMENT, THE APPLICABLE

PARTICIPATING ADDENDUM, OR OTHERWISE SHALL BE LIMITED TO THE

MONEY PAID TO CONTRACTOR FOR PRODUCTS OR FOR SERVICES WITH

RESPECT TO SUCH PURCHASER DURING THE TWELVE (12) MONTH PERIOD

PRECEDING THE EVENT OR CIRCUMSTANCES GIVING RISE TO SUCH

LIABILITY. THIS LIMITATION OF LIABILITY IS CUMULATIVE AND NOT PER

INCIDENT.

C) Waiver of Consequential and Other Damages. IN NO EVENT SHALL

CONTRACTOR OR ITS SUPPLIERS BE LIABLE FOR ANY INCIDENTAL,

SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, LOST REVENUE, LOST

PROFITS, OR LOST OR DAMAGED DATA, WHETHER ARISING IN CONTRACT,

TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF CONTRACTOR

OR ITS SUPPLIERS HAVE BEEN INFORMED OF THE POSSIBILITY THEREOF.

The Contractor shall defend, indemnify and hold harmless WSCA-NASPO, the Lead State and Participating Entities along with their officers, agencies, and employees as well as any person or entity for which they may be liable

("Indemnified Party") from and against claims, damages or causes of action including reasonable attorneys’ fees and related costs arising out of the claim that the Product or its use, infringes Intellectual Property rights ("Intellectual Property Claim"). The Contractor’s obligations under this section shall not extend to any combination of the Product with any other product, system or method, unless:(1) the Product, system or method is:(a) provided by the Contractor or the Contractor’s subsidiaries or affiliates;(b) specified by the Contractor to work with the Product; or(c) reasonably required, in order to use the Product in its intended manner, and the infringement could not have been avoided by substituting another reasonably available product, system or method capable of performing the same function; or(2) it would be reasonably expected to use the Product in combination with such product, system or method.

The Indemnified Party shall notify the Contractor within a reasonable time after receiving notice of an Intellectual Property Claim. Even if the Indemnified Party fails to provide reasonable notice, the Contractor shall not be relieved from its obligations unless the Contractor can demonstrate that it was prejudiced in defending the Intellectual Property Claim resulting in increased expenses or loss to the Contractor. If the Contractor promptly and reasonably investigates and defends any Intellectual Property Claim, it shall have control over the defense and settlement of it. However, the Indemnified Party must consent in writing for any money damages or obligations

for which it may be responsible. The Indemnified Party shall furnish, at the Contractor’s reasonable request and expense, information and assistance necessary for such defense. If the Contractor fails to vigorously pursue the defense or settlement of the Intellectual Property Claim, the Indemnified Party may assume the defense or settlement of it and the Contractor shall be liable for all costs and expenses, including reasonable attorneys’ fees and related costs, incurred by the Indemnified Party in the pursuit of the Intellectual Property Claim. This section is not subject to any limitations of liability in this Master Agreement or in any other document executed in conjunction with this Master Agreement.

13. INDEPENDENT CONTRACTOR The contractor shall be an independent contractor, and as such shall have no authorization, express or implied to bind WSCA-NASPO or the respective states to any agreements, settlements, liability or understanding whatsoever, and agrees not to perform any acts as agent for WSCA-NASPO or the states, except as expressly set forth herein.

14. INDIVIDUAL CUSTOMER Except to the extent modified by a Participating Addendum, each Participating Entity shall follow the terms and conditions of the Master Agreement and applicable Participating Addendum and will have the same rights and responsibilities for their purchases as the Lead State has in the Master Agreement, including but not limited to, any indemnity or to recover any costs allowed in the Master Agreement and applicable Participating Addendum for their purchases. Each Participating Entity will be responsible for its own charges, fees, and liabilities. The Contractor will apply the charges and invoice each Participating Entity individually.

15. INSURANCE Contractor shall, during the term of this Master Agreement, maintain in full force and effect, the insurance described in this section. Contractor shall acquire such insurance from an insurance carrier or carriers licensed to conduct business in the Participating Entity’s state and having a

rating of A-, Class VII or better, in the most recently published edition of Best’s Reports. Failure to buy and maintain the required insurance may result in this Master Agreement’s termination or at a Participating Entity’s option, result in termination of its Participating Addendum.

Coverage shall be written on an occurrence basis. The minimum acceptable limits shall be as indicated below, with no deductible for each of the following categories:a) Commercial General Liability covering the risks of bodily injury (including death), property damage and personal injury, including coverage for contractual liability, with a limit of not less than $1 million per occurrence/$2 million general aggregate;

b) Contractor must comply with any applicable State Workers Compensation or Employers Liability Insurance requirements.

Contractor shall pay premiums on all insurance policies. Such policies shall also reference this Master Agreement and shall have a condition that they not be revoked by the insurer until thirty (30) calendar days after notice of intended revocation thereof shall have been given to Participating Entity by the Contractor.

Prior to commencement of the work, Contractor shall provide to the Participating Entity a written endorsement to the Contractor’s general liability insurance policy that (i) names the Participating Entity as an additional insured, (ii) provides that no material alteration, cancellation, non-renewal, or expiration of the coverage contained in such policy shall have effect unless the named Participating Entity has been given at least thirty (30) days prior written notice, and (iii) provides that the Contractor’s liability insurance policy shall be primary, with any liability insurance of the Participating Entity as secondary and noncontributory.

Contractor shall furnish to Participating Entity copies of certificates of all required insurance within thirty (30) calendar

days of the Participating Addendum’s effective date and prior to performing any work. Copies of renewal certificates of all required insurance shall be furnished within thirty (30) days after renewal date. These certificates of insurance must expressly indicate compliance with each and every insurance requirement specified in this section. Failure to provide evidence of coverage may, at State’s sole option, result in this Master Agreement’s termination.

Coverage and limits shall not limit Contractor’s liability and obligations under this Master Agreement.

16. LAWS AND REGULATIONS Any and all supplies, services and equipment offered and furnished shall comply fully with all applicable Federal and State laws and regulations.

17. LICENSE OF PRE-EXISTING INTELLECTUAL PROPERTY Contractor grants to the Participating Entity a nonexclusive, perpetual, royalty-free, irrevocable, unlimited license to publish, translate, reproduce, modify, deliver, perform, display, and dispose of the Intellectual Property, and its derivatives, used or delivered under this Master Agreement, but not created under it (“Pre-existing Intellectual Property”). The license shall be subject to any third party rights in the Pre-existing Intellectual Property. Contractor shall obtain, at its own expense, on behalf of the Participating Entity, written consent of the owner for the licensed Pre-existing Intellectual Property.Reserved. See Juniper’s End User License Agreement.

18. NO WAIVER OF SOVEREIGN IMMUNITY In no event shall this Master Agreement, any Participating Addendum or any contract or any purchase order issued thereunder, or any act of a Lead State or a Participating Entity, be a waiver by the Participating Entity of any form of defense or immunity, whether sovereign immunity, governmental immunity, immunity based on the Eleventh Amendment to the Constitution of the United States or otherwise, from any claim or from the jurisdiction of any court.

If a claim must be brought in a federal forum, then it must be brought and adjudicated solely and exclusively within the United States District Court for the Participating State. This section applies to a claim brought against the Participating State only to the extent Congress has appropriately abrogated the Participating State’s sovereign immunity and is not consent by the Participating State to be sued in federal court. This section is also not a waiver by the Participating State of any form of immunity, including but not limited to sovereign immunity and immunity based on the Eleventh Amendment to the Constitution of the United States.

19. ORDER NUMBERS Master Agreement order and purchase order numbers shall be clearly shown on all acknowledgments, shipping labels, packing slips, invoices, and on all correspondence.

20. PARTICIPANTS WSCA-NASPO is the cooperative purchasing arm of the National Association of State Procurement Officials. It is a cooperative group contracting consortium for state government departments, institutions, agencies and political subdivisions (e.g., colleges, school districts, counties, cities, etc.,) for all 50 states, the District of Columbia and the organized US territories. Obligations under this Master Agreement are limited to those Participating States who have signed a Participating Addendum where contemplated by the solicitation. Financial obligations of Participating States are limited to the orders placed by the departments or other state agencies and institutions having available funds. Participating States incur no financial obligations on behalf of political subdivisions. Unless otherwise specified in the solicitation, the resulting award(s) will be permissive.

21. ENTITY PARTICIPATION Use of specific WSCA-NASPO cooperative Master Agreements by state agencies, political subdivisions and other entities (including cooperatives) authorized by individual state’s statutes to use state contracts are subject to the approval of the respective State Chief

Procurement Official. Issues of interpretation and eligibility for participation are solely within the authority of the respective State Chief Procurement Official.

22.PAYMENT Payment for completion of a contract order is normally made within 30 days following the date the entire order is delivered or the date a correct invoice is received, whichever is later. After 45 days the Contractor may assess overdue account charges up to a maximum rate of one percent per month on the outstanding balance. Payments will be remitted by mail. Payments may be made via a State or political subdivision “Purchasing Card” with no additional charge.

23. PUBLIC INFORMATION This Master Agreement and all related documents are subject to disclosure pursuant to the Participating Entity’s public information laws.

24. RECORDS ADMINISTRATION AND AUDIT

Contractor shall maintain complete, accurate and truthful records of purchases

and amounts billable to and payments made by Purchaser hereunder directly

through Contractor in accordance with generally accepted accounting principles

and practices for audit purposes only. Contractor shall retain such records for at

least a period of four (4) years from the date of termination of this Agreement, or

longer if expressly required by the law of the applicable Participating State.

The Participating State will give Contractor thirty (30) days advance written

notice to perform an audit of Contractor's records, identified above, as it pertains

only to such Participating State's Purchaser(s). Except for compelling

circumstances, Participating State's audits are limited to a commercially

reasonable frequency per Participating State, and such audit will be conducted

during Contractor's normal business hours and shall not unduly interrupt or

interfere with Contractor's normal business operations, and provided further that

in the event that such audit is conducted by a third party, such third party shall,

prior to conducting such audit, to the extent permitted by law, execute a

confidentiality agreement for the benefit of Contractor in a form reasonably

satisfactory to Contractor.

In the event that the audit discovers an overpayment in excess of 5% (five

percent) of the amount actually paid, Contractor shall pay the costs of the audit. In

all other circumstances, the audit fees shall be paid by the Participating State.

Contractor shall require that any Subcontractor will also maintain their records

Formatted: Indent: Left: 0.5", No bulletsor numbering

and agree to abide by this Section.

The contractor will maintain, or supervise the maintenance of all records necessary to properly account for the payments made to the contractor for costs authorized by this Master Agreement. These records will be retained by the contractor for at least four years after the Master Agreement terminates, or until all audits initiated within the four years have been completed, whichever is later. The contractor agrees to allow WSCA-NASPO, State and Federal auditors, and state agency staff access to all the records of this Master Agreement and any order placed under this Master Agreement, for audit and inspection, and monitoring of services. Such access will be during normal business hours, or by appointment.

25.REPORTS and ADMINISTRATIVE FEES The contractor shall submit quarterly reports to the WSCA-NASPO Contract Administrator showing the quantities and dollar volume of purchases by each participating entity.

The contractor must pay a WSCA-NASPO administrative fee of one quarter of one percent (.25%) in accordance with the terms and conditions of the Master Agreement. The WSCA- NASPO administrative fee shall be submitted quarterly and is based on sales of products and services. The WSCA-NASPO administration fee is not negotiable. This fee is to be included as part of the pricing submitted with proposal.

Additionally, some States may require that an additional fee be paid directly to the State on purchases made by procuring entities within that State. For all such requests, the fee level, payment method and schedule for such reports and payments will be incorporated in a Participating Addendum that is made a part of the Master Agreement. The contractor may adjust the Master Agreement pricing accordingly for purchases made by procuring agencies within the jurisdiction of the State. All such agreements may not affect the WSCA-NASPO administrative fee or the prices paid by the procuring agencies outside the

jurisdiction of the State requesting the additional fee.

26. EVALUATION PRODUCTS. Upon request, Contractor shall provide

mutually agreed demonstration and evaluation samples of its products in

accordance with Contractor’s Equipment Loan and License Agreement set

forth as Attachment B hereto.

Any prospective Purchaser may conduct testing on the product in question

to ensure that its performance meets the Purchasers needs prior to submitting

orders for such products. STANDARD OF PERFORMANCE AND

ACCEPTANCE The Standard of Performance applies to all Product(s) purchased under this Master Agreement, including any additional, replacement, or substitute Product(s) and any Product(s) which are modified by or with the written approval of Contractor after Acceptance by the Participating Entity. The Acceptance Testing period shall be thirty (30) calendar days or other time period identified in the solicitation or the Participating Addendum, starting from the day after the Product is installed and Contractor certifies that the Product is ready for Acceptance Testing. If the Product does not meet the Standard of Performance during the initial period of Acceptance Testing, Participating Entity may, at its discretion, continue Acceptance Testing on a day-to-day basis until the Standard of Performance is met. Upon rejection, the Contractor will have fifteen (15) calendar days to cure the Standard of Performance issue(s). If after the cure period, the Product still has not met the Standard of Performance Participating Entity may, at its option: (1) declare Contractor to be in breach and terminate the Order; (2) demand replacement Product from Contractor at no additional cost to Participating Entity; or, (3) continue the cure period for an additional time period agreed upon by the Participating Entity and the Contractor. Contractor shall pay all costs related to the preparation and shipping of Product returned pursuant to the section. No Product shall be accepted and no charges shall be paid until the Standard of Performance is met. The warranty period will begin upon Acceptance.

27. SYSTEM FAILURE OR DAMAGE In the event of system

Formatted: Font: Times, 14 pt


Formatted: Font: Not Bold

Formatted: Font: Times, 14 pt, Not Bold



Formatted: Font: Times, 14 pt

failure or damage caused by the Contractor or its Product, the Contractor agrees to use its best efforts to restore or assist in restoring the system to operational capacity.See Section 30

(“Warranty”).

28. TITLE OF PRODUCT Upon delivery toAcceptance by the Participating Entity, Contractor shall convey to Participating Entity title to the Product free and clear of all liens, encumbrances, or other security interests. License terms for software are covered in Juniper’s End User License Agreement. Transfer of title to the Product shall include an irrevocable and perpetual license to use the Embedded Software in the Product. If Participating Entity subsequently transfers title of the Product to another entity, Participating Entity shall have the right to transfer the license to use the Embedded Software with the transfer of Product title. A subsequent transfer of this software license shall be at no additional cost or charge to either Participating Entity or Participating Entity’s transferee.

29. WAIVER OF BREACH Failure of Lead State or Participating Entity to declare a default or enforce any rights and remedies shall not operate as a waiver under this Master Agreement or Participating Addendum. Any waiver by the Lead State or Participating Entity must be in writing. Waiver by the Lead State or Participating Entity of any default, right or remedy under this Master Agreement or Participating Addendum, or breach of any terms or requirements shall not be construed or operate as a waiver of any subsequent default or breach of such term or requirement, or of any other term or requirement under this Master Agreement or Participating Addendum.

30. WARRANTY

a) Hardware Warranty. Juniper Networks warrants that the

Hardware sold hereunder shall be free of defects in material and

workmanship under normal authorized use consistent with the

product instructions for a period of (1) one year from the Delivery

Date. This product warranty extends only to the original purchaser.

In the event that Juniper Networks receives notice during the

warranty period that any Hardware does not conform to its warranty,

Purchase’s sole and exclusive remedy, and Juniper Networks sole

and exclusive liability, shall be for Juniper Networks, at its sole

option, to either repair or replace the non-conforming Hardware in

accordance with this limited warranty. Hardware replaced under the

terms of any such warranty may be refurbished or new equipment

substituted at the option of Juniper Networks. Juniper Networks will

use commercially reasonable efforts to ship the replacement

Hardware within twenty (20) business days after receipt of the

product at a Juniper Networks Repair Center. Actual delivery times

may vary depending on the customer location.

b) Software Warranty. Juniper Networks warrants that the media on

which the Software is recorded shall be free from defects in material

and workmanship under normal use for a period of 90 days from the

Delivery Date. Purchase’s sole and exclusive remedy, and Juniper

Networks sole and exclusive liability, shall be replacement of the

media in accordance with this limited warranty. In addition, with

respect to Software embedded in Juniper Networks security

products, application acceleration products or certain other

Hardware products, as more specifically set forth on

http://www.juniper.net/support, for a period of fifteen (15) days

from the date a customer receives such Hardware product, Juniper

Networks will provide the customer that purchased such Hardware

product access to one (1) download of the most recent

commercially-available version of Software that is embedded in

such product. Purchase may download the Software by going to

http://www.juniper.net/support This right to download extends only

to the original purchaser.

c) Hardware Return Procedures. Any defective item can only be

returned if it references a return material authorization (“RMA”)

number issued by authorized Juniper Networks service personnel.

To request an RMA number, Purchase must contact Juniper

Networks Technical Assistance Center (“JTAC”) via the online

resource available at the URL: http://www.juniper.net/support.

JTAC will only assist Purchases with online RMA processing

http://www.juniper.net/support


pursuant to the terms of this warranty and will not provide any

troubleshooting, configuration or installation assistance. Telephone

calls to JTAC will not be accepted unless the Purchase has

purchased a valid Juniper Networks service contract that is in effect

as of the time of the call. The RMA number must be included on

the outside carton label of the returned item. Transportation costs, if

any, incurred in connection with the return of a defective item to

Juniper Networks shall be borne by customer to the in-country

location, if available. Juniper Networks shall pay any transportation

costs incurred with the redelivery of a repaired or replaced item. If,

however, Juniper Networks reasonably determines that the item is

functional, the Purchase shall pay any transportation cost. If Juniper

Networks determines, at its sole discretion, that the allegedly

defective item is not covered by the terms of the warranty provided

hereunder or that a warranty claim is made after the warranty period,

the cost of repair by Juniper Networks, including all shipping

expenses, shall be paid by Purchase. JUNIPER NETWORKS

SHALL HAVE NO LIABILITY WITH RESPECT TO DATA

CONTAINED IN ANY SYSTEM RETURNED TO JUNIPER

NETWORKS.

d) Exclusions. The foregoing warranty and remedies are for

Purchase’s exclusive benefit and are nontransferable. Any and all

warranties shall be deemed void and no warranty will apply if the

Hardware or Software: (i) has been altered except by Juniper

Networks; (ii) has not been installed, operated, repaired, or

maintained in accordance with instructions supplied by Juniper

Networks in the enclosed documentation; or (iii) has been subjected

to unreasonable physical, thermal or electrical stress, misuse,

negligence, or accident. In addition, Hardware or Software is not

designed or intended for use in (i) the design, construction,

operation or maintenance of any nuclear facility, (ii) navigating or

operating aircraft; or (iii) operating life-support or life-critical

medical equipment, and Juniper Networks disclaims any express or

implied warranty of fitness for such uses. Purchase is solely

responsible for backing up its programs and data to protect against

loss or corruption. Juniper Networks warranty obligations do not

include installation support.

e) Non-Juniper Networks Products. Where a product not

manufactured or created by Juniper Networks is sold by Juniper

Networks hereunder to complete an order, Purchase’s sole remedy

shall be pursuant to the original manufacturer’s or licensor’s

warranty to Purchase, to the extent permitted by the original

manufacturer or licensor.

f) Dead on Arrival (“DOA”). For up to thirty (30) days from the

Delivery Date, Juniper Networks will provide expedited replacement of

affected field replaceable units of Hardware that fail to operate within

twenty-four (24) hours of initial installation. For purposes of this DOA

policy, “fail to operate” shall mean a material failure to substantially

perform in accordance with the Hardware’s technical specifications and

shall not include cosmetic or other deficiencies that do not materially

affect Hardware performance. A new field replaceable unit will be

shipped from Juniper Networks' manufacturing facilities within two (2)

business days of Juniper Networks' receipt and validation of Purchase's

notification of an inoperative unit. Notification must be sent by

Purchase via online procedures set forth above. Defective Hardware

must be returned within thirty (30) days of failure, or Purchase pays

purchase price of replacement Hardware. Non-U.S. Purchases should

allow for additional transit time due to international customs clearance.

g) Disclaimer. EXCEPT AS SET FORTH IN SECTIONS 11(a)

and 11(b) ABOVE, JUNIPER NETWORKS EXPRESSLY

EXCLUDES AND DISCLAIMS ALL WARRANTIES,

WHETHER EXPRESS OR IMPLIED, STATUTORY OR

OTHERWISE REGARDING PRODUCTS AND SUPPORT

SERVICES PROVIDED UNDER THIS AGREEMENT,

INCLUDING, WITHOUT LIMITATION, ANY IMPLIED

WARRANTY OF MERCHANTABILITY, OF FITNESS FOR A

PARTICULAR PURPOSE, OF ABSENCE OF HIDDEN

DEFECTS, OF NONINFRINGEMENT AND ANY WARRANTY

THAT MAY ARISE BY REASON OF USAGE OR TRADE OR

COURSE OF DEALING.

WARRANTY The Contractor warrants for a period of one year from the date of Acceptance that: (a) the Product performs according to all specific claims that the Contractor made in its response to the solicitation, (b) the Product is suitable for the ordinary purposes for which such Product is used, (c) the Product is suitable for any special purposes identified in the solicitation or for which the Participating Entity has relied on the Contractor’s skill or judgment, (d) the Product is designed and manufactured in a commercially reasonable manner, and (e) the Product is free of defects. Upon breach of the warranty, the Contractor will repair or replace (at no charge to the Participating Entity) the Product whose nonconformance is discovered and made known to the Contractor. If the repaired and/or replaced Product proves to be inadequate, or fails of its essential purpose, the Contractor will refund the full amount of any payments that have been made. The rights and remedies of the parties under this warranty are in addition to any other rights and remedies of the parties provided by law or equity, including, without limitation, actual damages, and, as applicable and awarded under the law, to a prevailing party, reasonable attorneys’ fees and costs.

31. ASSIGNMENT OF ANTITRUST RIGHTS Contractor irrevocably assigns to a Participating Entity any claim for relief or cause of action which the Contractor now has or which may accrue to the Contractor in the future by reason of any violation of state or federal antitrust laws (15 U.S.C. § 1-15 or a Participating Entity’s state antitrust provisions), as now in effect and as may be amended from time to time, in connection with any goods or services provided to the Contractor for the purpose of carrying out the Contractor's obligations under this Master Agreement or Participating Addendum, including, at a Participating Entity's option, the right to control any such litigation on such claim for relief or cause of action.

Contractor shall require any subcontractors hired to perform

any of Contractor's obligations, under this Master Agreement or Participating Addendum, to irrevocably assign to a Participating Entity, as third party beneficiary, any right, title or interest that has accrued or which may accrue in the future by reason of any violation of state or federal antitrust laws (15 U.S.C. § 1-15 or a Participating Entity’s state antitrust provisions), as now in effect and as may be amended from time to time, in connection with any goods or services provided to the subcontractor for the purpose of carrying out the subcontractor's obligations to the Contractor in pursuance of this Master Agreement or Participating Addendum, including, at a Participating Entity's option, the right to control any such litigation on such claim for relief or cause of action.

32. WSCA-NASPO eMARKET CENTER Awarded responders are required to participate in the WSCA-NASPO eMarket Center and, working through WSCA-NASPO’s contractor (SciQuest), connect with the eMarket Center. The ideal situation would be to use either a hosted (by SciQuest) or Punchout Level 2 catalog configurations, but actual requirements will be determined by the Lead State Contract Administrator, WSCA-NASPO, WSCA-NASPO’s contractor (SciQuest) and the awarded contractor, after award. Participation does not require an awarded responder to have any special level of technology or technological understanding.

Acceptance - means a written notice from a purchasing entity to contractor advising Contractor that the Product has passed its Acceptance Testing. Acceptance of a product for which acceptance testing is not required shall occur following the completion of delivery, installation, if required, and a reasonable time for inspection of the product, unless the Purchasing Entity provides a written notice of rejection to contractor.Reserved.

Acceptance Testing - means the process for ascertaining that the Product meets the standards set forth in the section titled Standard of Performance and Acceptance, prior to Acceptance

by the Purchasing Entity.Reserved.

Contractor - means the person or entity delivering Products or performing services under the terms and conditions set forth in this Master Agreement.

Intellectual Property – means any and all patents, copyrights, service marks, trademarks, trade secrets, trade names, patentable inventions, or other similar proprietary rights, in tangible or intangible form, and all rights, title, and interest therein.

Lead State - means the State conducting this cooperative solicitation and centrally administering any resulting Master Agreement with the permission of the Signatory States.

Master Agreement – means the underlying agreement executed by and between the Lead State, as WSCA-NASPO contract administrator, acting on behalf of WSCA-NASPO, and the Contractor, as now or hereafter amended.

Order - means any purchase order, sales order, or other document used by a Participating Entity to order the Products.

Participating Addendum - means a bilateral agreement executed by a Contractor and a Participating Entity incorporating this Master Agreement and any other additional Participating Entity specific language or other requirements ,e.g. ordering procedures specific to the Participating Entity, other terms and conditions.

Participating Entity - means a state, or other legal entity, properly authorized by a state to enter into the Master Agreement or Participating Addendum or who is authorized to order under the Master Agreement or Participating Addendum.

Product - Any equipment, software (including embedded software), documentation, or deliverable supplied or created by the Contractor pursuant to this Master Agreement.

WSCA-NASPO -is a cooperative group contracting consortium for state procurement officials, representing departments, institutions, agencies, and political subdivisions (i.e., colleges, school districts, counties, cities, etc.) for all states and the District of Columbia. WSCA- NASPO is a cooperative purchasing arm of the National Association of State Procurement Officials (NASPO).

Additional Definitions and Alternative Terms for Consideration

Below are additional definitions and alternative terms for consideration by the sourcing teams depending upon the nature of the solicitation and negotiations between the Contractor and Vendor.

Embedded Software - means one or more software applications which permanently reside on a computing device.

Machine Code – means microcode, basic input/output system code, utility programs, device drivers, diagnostics, and another code delivered with a computing device for the purpose of enabling the function of the computing device, as stated in its published specifications.

ATTACHMENT A

STATE OF UTAH STANDARD INFORMATION TECHNOLOGY TERMS

AND CONDITIONS (FOR WSCA CONTRACTS and DTS RELATED

CONTRACTS)

1. AUTHORITY: Provisions of this contract are pursuant to the authority set forth in

63G-6, Utah Code Annotated, 1953, as amended, Utah State Procurement Rules

(Utah Administrative Code Section R33), and related statutes which permit the

State to purchase certain specified services, and other approved purchases for the

State.

2. CONTRACT JURISDICTION, CHOICE OF LAW, AND VENUE: The provisions of

this contract shall be governed by the laws of the State of Utah. The parties will

submit to the jurisdiction of the courts of the State of Utah for any dispute arising

out of this Contract or the breach thereof. Venue shall be in Salt Lake City, in the

Third Judicial District Court for Salt Lake County.

3. LAWS AND REGULATIONS: The Contractor and any and all supplies, services,

equipment, and construction furnished under this contract will comply fully with

all applicable Federal and State laws and regulations, including applicable

licensure and certification requirements.

4. RECORDS ADMINISTRATION:

See Section 24 above.

4. The Contractor shall maintain, or supervise the maintenance of all records

necessary to properly account for the payments made to the Contractor for costs

authorized by this contract. These records shall be retained by the Contractor for

at least four years after the contract terminates, or until all audits initiated within

the four years, have been completed, whichever is later. The Contractor agrees to

allow State and Federal auditors, and State Agency Staff, access to all the records

to this contract, for audit and inspection, and monitoring of services. Such access

will be during normal business hours, or by appointment.

5. CERTIFY REGISTRATION AND USE OF EMPLOYMENT "STATUS

VERIFICATION SYSTEM”: The Status Verification System, also referred to as

“E-verify”, only applies to contracts issued through a Request for Proposal

process, and to sole sources that are included within a Request for Proposal. It

does not apply to Invitation for Bids or to the Multi-Step Process. 1. Status

Verification System (1) Each offeror and each person signing on behalf of any

offeror certifies as to its own entity, under penalty of perjury, that the named

Contractor has registered and is participating in the Status Verification System to

verify the work eligibility status of the contractor’s new employees that are

employed in the State of Utah in accordance with applicable immigration laws

including UCA Section 63G-12-302. (2) The Contractor shall require that the

following provision be placed in each subcontract at every tier: “The

subcontractor shall certify to the main (prime or general) contractor by affidavit

that the subcontractor has verified through the Status Verification System the

employment status of each new employee of the respective subcontractor, all in

accordance with applicable immigration laws including UCA Section 63G-12-302

and to comply with all applicable employee status verification laws. Such

affidavit must be provided prior to the notice to proceed for the subcontractor to

perform the work.” (3) The State will not consider a proposal for award, nor

will it make any award where there has not been compliance with this

Section. (4) Manually or electronically signing the Proposal is deemed the

Contractor’s certification of compliance with all provisions of this employment

status verification certification required by all applicable status verification laws

including UCA Section 63G-12-302. 2. Indemnity Clause for Status

Verification System (1) Contractor (includes, but is not limited to any

Contractor, Design Professional, Designer or Consultant) shall protect, indemnify

and hold harmless, the State and its officers, employees, agents, representatives

and anyone that the State may be liable for, against any claim, damages or

liability arising out of or resulting from violations of the above Status Verification


System Section whether violated by employees, agents, or contractors of the

following: (a) Contractor; (b) Subcontractor at any tier; and/or (c) any entity or

person for whom the Contractor or Subcontractor may be liable. (2)

Notwithstanding Section 1. above, Design Professionals or Designers under direct

contract with the State shall only be required to indemnify the State for a liability

claim that arises out of the design professional's services, unless the liability claim

arises from the Design Professional's negligent act, wrongful act, error or

omission, or other liability imposed by law except that the design professional

shall be required to indemnify the State in regard to subcontractors or

subconsultants at any tier that are under the direct or indirect control or

responsibility of the Design Professional, and includes all independent

contractors, agents, employees or anyone else for whom the Design Professional

may be liable at any tier.

6. CONFLICT OF INTEREST: Contractor represents that none of its officers or

employees are officers or employees of the State of Utah, unless disclosure has

been made in accordance with 67-16-8, Utah Code Annotated, 1953, as amended.

7. CONFLICT OF INTEREST WITH STATE EMPLOYEES: In addition to the

provisions of State of Utah Terms and Conditions # 6, Conflict of Interest, the

Contractor certifies that no person in the State’s employment, directly or through

subcontract, will receive any private financial interest, direct or indirect, in the

contract. The Contractor will not hire or subcontract with any person having such

conflicting interest.

8. CONTRACTOR ACCESS TO SECURE STATE FACILITIES / CRIMINAL

CONVICTION INFORMATION / FORMER FELONS: The Contractor shall provide

(at its own expense) the State with sufficient personal information about its agents or

employees, and the agents and employees of its subcontractors (if any) who will enter

upon secure premises controlled, held, leased, or occupied by the State during the course

of performing this contract so as to facilitate a criminal record check, at State expense.

“Sufficient personal information” about its agents or employees, and the agents and

employees of its subcontractors (if any) means for the Contractor to provide to the State

Project Manager, in advance of any on-site work, a list of the full names of the designated

employees, including their social security number, driver license number and the state of

issuance, and their birth date. Thereafter, on their first site visit, each contractor employee

expected to work on-site shall be fingerprinted by the State, and the State is authorized to

conduct a federal criminal background check based upon those fingerprints and personal

information provided. Contractor, in executing any duty or exercising any right under this

contract, shall not cause or permit any of its agents or employees, and the agents and

employees of its subcontractors (if any) who have been convicted of a felony and

misdemeanors other than minor misdemeanors to enter upon any premises controlled,

held, leased, or occupied by the State. A felony and misdemeanor are defined by the

jurisdiction of the State of Utah, regardless of where the conviction occurred.

DRUG-FREE WORKPLACE: The Contractor agrees to abide by the Department of

Technology Services (DTS) drug-free workplace policies while on State of Utah

premises. DTS will provide the Contractor with a copy of these written “drug-free

workplace policies” upon request.

10. CODE OF CONDUCT: When Contractor employees are working on-site, the

Contractor agrees to follow and enforce DTS Policy 2000-001 Code of Conduct. If

Contractor is working at facilities controlled by other State agencies, Contractor agrees to

follow and enforce the Code of Conduct Policy of these other State agencies when

Contractor is providing services at these facilities under provisions of this contract. The

Contractor will assure that each employee or volunteer under Contractor’s supervision

receives a copy of such Code of Conduct, and a signed statement to this effect must be in

each Contractor or Subcontractor employee’s/volunteer’s file and is subject to inspection

and review by the State’s monitors. Upon request, DTS agrees to provide Contractor with

a copy of any applicable codes of conduct. If a Contractor or Subcontractor is working at

any State agency which has a Code of Conduct applicable to this Contract, the DTS

Project Manager will provide the Contractor with a copy in advance of the Contractor’s

on-site contract services performance.

12.

INDEMNITY CLAUSE:

See the General Indemnity Clause in Section 11 above.

The Contractor agrees to indemnify, save harmless, and release the State of Utah, and all

its officers, agents, volunteers, and employees from and against any and all loss,

damages, injury, liability, suits, and proceedings arising out of the performance of this

contract which are caused in whole or in part by the acts or negligence of the Contractor's

officers, agents, volunteers, or employees, but not for claims arising from the State's sole

negligence. The parties agree that if there are any Limitations of the Contractor’s

Liability, including a limitation of liability for anyone for whom the Contractor is

responsible, such Limitations of Liability will not apply to injuries to persons, including

death, or to damages to property.

EMPLOYMENT PRACTICES CLAUSE: The Contractor agrees to abide by the

provisions of Title VI and VII of the Civil Rights Act of 1964 (42USC 2000e) which

prohibits discrimination against any employee or applicant for employment or any

applicant or recipient of services, on the basis of race, religion, color, or national origin;

and further agrees to abide by Executive Order No. 11246, as amended, which prohibits

discrimination on the basis of sex; 45 CFR 90 which prohibits discrimination on the basis

of age; and Section 504 of the Rehabilitation Act of 1973, or the Americans with

Disabilities Act of 1990 which prohibits discrimination on the basis of disabilities. Also,

the Contractor agrees to abide by Utah's Executive Order, dated March 17, 1993, which

prohibits sexual harassment in the work place.

13. TERMINATION: Unless otherwise stated in the Special Terms and Conditions, this

contract may be terminated, with cause by either party, in advance of the specified

termination date, upon written notice being given by the other party. The party in

violation will be given ten (10) working days after notification to correct and cease the

violations, after which the contract may be terminated for cause. This contract may be

terminated without cause, in advance of the specified expiration date, by either party,

upon sixty (60) days prior written notice being given the other party. On termination of

this contract, all accounts and payments will be processed according to the financial

arrangements set forth herein for approved services rendered to date of termination.

In the event of such termination, and professional services apply to the contract; the

Contractor shall be compensated for services properly performed under this Contract up

to the effective date of the notice of termination. The Contractor agrees that in the event

of such termination for cause or without cause, Contractor’s sole remedy and monetary

recovery from the State is limited to full payment for all work properly performed as

authorized under this Contract up to the date of termination as well as any reasonable

monies owed as a result of the Contractor having to terminate contracts necessarily and

appropriately entered into by the Contractor pursuant to this Contract. Contractor further

acknowledges that in the event of such termination, all work product, which includes but

is not limited to all manuals, forms, contracts, schedules, reports, and any and all

documents produced by Contractor under this Contract up to the date of termination are

the property of the State and shall be promptly delivered to the State.

14. SUSPENSION OF WORK: Should circumstances arise which would cause the State

to suspend the work, but not terminate the contract, this will be done by formal notice.

The work may be reinstated upon advance formal notice from the State.

15. NONAPPROPRIATION OF FUNDS: The Contractor acknowledges that the State

cannot contract for the payment of funds not yet appropriated by the Utah State

Legislature. If funding to the State is reduced due to an order by the Legislature or the

Governor, or is required by State law, or if federal funding (when applicable) is not

provided, the State may terminate this contract or proportionately reduce the services and

purchase obligations and the amount due from the State upon 30 days written notice. In

the case that funds are not appropriated or are reduced, the State will reimburse

Contractor for products delivered or services performed through the date of cancellation

or reduction, and the State will not be liable for any future commitments, penalties, or

liquidated damages.

16. SALES TAX EXEMPTION: The State of Utah’s sales and use tax exemption number

is 11736850-010-STC, located at

http://purchasing.utah.gov/contract/documents/salestaxexemptionformsigned.pdf. The

tangible personal property or services being purchased are being paid from State funds

and used in the exercise of that entity’s essential functions. If the items being purchased

are construction materials, they will be converted into real property by employees of this

government entity, unless otherwise stated in the contract.

17. SECURE PROTECTION AND HANDLING OF DATA:

1. Network Security: Contractor agrees at all times to maintain network security that - at

a minimum - includes: network firewall provisioning, intrusion detection, and regular

third party penetration testing. Likewise Contractor agrees to maintain network security

that conforms to one of the following:

a. Those standards the State of Utah applies to its own network, found at

http://www.dts.utah.gov;

b. Current standards set forth and maintained by the National Institute of Standards and

Technology, includes those at:

http://web.nvd.nist.gov/view/ncp/repository/; or c. Any generally recognized

comparable standard that Contractor then applies to its own network and approved by

DTS in writing.

2. Data security: Contractor agrees to protect and maintain the security of the State of

Utah data with protection that is at least as good as or better than that maintained

by the State of Utah. These security measures included but are not limited to

maintaining secure environments that are patched and up to date with all

appropriate security updates as designated, (ex. Microsoft Notification).

3. Data Transmission: Contractor agrees that any and all transmission or exchange of

system application data with the State of Utah and/or any other parties expressly

designated by the State of Utah, shall take place via secure means, (ex. HTTPS or

FTPS).

4. Data Storage: Contractor agrees that any and all State of Utah data will be stored,

processed, and maintained solely on designated target servers approved of by

DTS and that no State of Utah data at any time will be processed on or transferred

to any portable or laptop computing device or any portable storage medium,

unless such medium is part of the Contractor's designated backup and recovery

process.

5. Data Encryption: Contractor agrees to store all State of Utah backup data as part of its

designated backup and recovery process in encrypted form, using no less than 128

bit key.

6. Password Protection. Contractor agrees that any portable or laptop computer that has

access to a State of Utah network, or stores any non-public State of Utah data is

equipped with strong and secure password protection.

7. Data Re-Use: Contractor agrees that any and all data exchanged shall be used expressly

and solely for the purpose enumerated in this Contract. Contractor further agrees

that no State of Utah data of any kind shall be transmitted, exchanged or

otherwise passed to other Contractors or interested parties except on a case-by-

case basis as specifically agreed to in writing by DTS.

8. Data Destruction: The Contractor agrees that upon termination of this Agreement it

shall erase, destroy, and render unreadable all State of Utah data from all non-

state computer systems and backups, and certify in writing that these actions have

been completed within 30 days of the termination of this Agreement or within 7

days of the request of DTS, whichever shall come first.

18. NOTIFICATION AND DATA BREACHES: Contractor agrees to comply with all

applicable laws that require the notification of individuals in the event of unauthorized

release of personally-identifiable information or other events requiring notification in

accordance with DTS Policy 5000-1250-PR1 Computer Incident Reporting Procedure

(copy available upon request). In the event of a data breach of any Contractor's security

obligations or other event requiring notification under applicable law (Utah Code

Annotated § 13-44-101 thru 301 et al), Contractor agrees at its own expense to assume

responsibility for informing all such individuals in accordance with applicable laws and

to indemnify, hold harmless and defend the State of Utah against any claims, damages, or

other harm related to such Notification Event.

19. CHANGE MANAGEMENT: Contractor agrees to comply with DTS Change

Management Policy 4000-0004. This DTS policy requires that any work performed by

the Contractor that has the potential to cause any form of outage, or modify the State’s

infrastructure architecture must first be reviewed by the DTS Change Management

Committee, and coordinated accordingly. The DTS Project Manager will inform the

Contractor if this change control requirement is applicable. Following this notification,

any failure by the Contractor that causes outages or data security breaches caused by the

Contractor as a direct result of failure to comply, will result in the Contractor’s liability

for the damages.

For reference purposes, the latest version of DTS Change Management Policy 4000-0004

is detailed at http://dts.utah.gov/policies/documents/4000-

0004changemanagementpolicy.pdf.

20. PUBLIC INFORMATION: Contractor agrees that the contract, related Sales Orders,

and Invoices will be public documents, and may be available for distribution. Contractor

gives the State express permission to make copies of the contract, related Sales Orders,

and Invoices in accordance with the State of Utah Government Records Access and

Management Act (GRAMA). Except for sections identified in writing and expressly

approved by the State Division of Purchasing, Contractor also agrees that the

Contractor’s response to the solicitation will be a public document, and copies may be

given to the public under GRAMA laws. The permission to make copies as noted will

take precedence over any statements of confidentiality, proprietary information,

copyright information, or similar notation.

21. CREDITING STATE IN ADVERTISING / PUBLICITY: Any publicity given to the

project or services provided herein shall identify the State of Utah’s managing agency as

the sponsoring agency and shall not be released without prior written approval by that

State agency’s Project Manager.

22. STATE AGENCY WEB SITE BRANDING: The Contractor agrees to use the

DTS logo, or a newer version if replaced in the future, on websites produced

under terms of this contract. Contractor further agrees to allow a State agency to

also utilize their own web site branding and logo, if requested by that State

agency.

23. ORDERING AND INVOICING: All orders will be shipped promptly in

accordance with the delivery schedule. The Contractor will promptly submit

invoices (within 30 days of shipment or delivery of services) to the State. The

State contract number and/or the agency purchase order number shall be listed on

all invoices, freight tickets, and correspondence relating to the contract order. The

prices paid by the State will be those prices listed in the contract. The State has

the right to adjust or return any invoice reflecting incorrect pricing. Orders issued

pursuant to this Agreement may not be cancelled or rescheduled less than 30 days

prior to the scheduled shipping date.

23.

24. PROMPT PAYMENT DISCOUNT: Offeror may quote a prompt payment discount

based upon early payment; however, discounts offered for less than 30 days will not be

considered in making the award. Contractor shall list Payment Discount Terms on

invoices. The prompt payment discount will apply to payments made with purchasing

cards and checks. The date from which discount time is calculated will be the date a

correct invoice is received or receipt of shipment, whichever is later; except that if testing

is performed, the date will be the date of acceptance of the merchandise.

25. PAYMENT:

1. Payments are normally made within 30 days following the date the order is delivered

or the date a correct invoice is received, whichever is later. After 60 days from the date a

correct invoice is received by the appropriate State official, the Contractor may assess

interest on overdue, undisputed account charges up to a maximum of the interest rate paid

by the IRS on taxpayer refund claims, plus two percent, computed similarly as the

requirements of Utah Code Annotated Section 15-6-3. The IRS interest rate is adjusted

quarterly, and is applied on a per annum basis, on the invoice amount that is overdue.

2. The contract total may be changed only by written amendment executed by authorized

personnel of the parties. Unless otherwise stated in the Contract, all payments to the

Contractor will be remitted by mail, electronic funds transfer, or the State of Utah’s

purchasing card (major credit card). The State of Utah will not allow the Contractor to

charge end users electronic payment fees of any kind.

3. The acceptance by the Contractor of final payment without a written protest filed with

the State within ten (10) working days of receipt of final payment shall release the State

from all claims and all liability to the Contractor for fees and costs of the performance of

the services pursuant to this Contract.

4. Overpayment: The Contractor agrees that if during or subsequent to the contract

performance, a CPA audit, or a State agency audit determines that payments were

incorrectly reported or paid the State may adjust the payments. The Contractor shall,


upon written request, immediately refund to DTS any such overpayments. The Contractor

further agrees that the State shall have the right to withhold any or all- subsequent

payments under this or other contracts that the Contractor may have with the State until

recoupment of overpayment is made.

5. Payment withholding: the Contractor agrees that the adequate reporting, record

keeping, and compliance requirements specified in this contract are a material element of

performance and that if the Contractor’s record keeping practices, compliance, and/or

reporting to DTS are not conducted in a timely and satisfactory manner, DTS may

withhold part or all payments under this or any other contract until such deficiencies have

been remedied. This includes, but is not limited to, Contractors failure to provide timely

invoicing, and/or other requirements described elsewhere within this contract. In the

event of the payment(s) being withheld, DTS agrees to provide ten (10) day advance

Notice to the Contractor of the deficiencies that must be corrected in order to bring about

the release of withheld payment. Contractor shall have ten (10) days thereafter to correct

the cited reporting or record keeping practice deficiencies or the contract may be

terminated.

26. COPYRIGHT: The contractor agrees that any and all Deliverables prepared for the

State of Utah as required by this contract, to the extent to which it is eligible under

copyright law in any country, shall be deemed a work made for hire, such that all rights,

title and interest in the work and Deliverables shall be exclusively owned by the State of

Utah. State of Utah reserves a royalty-free, nonexclusive, and irrevocable license to

reproduce, publish, or otherwise use and to authorize others to use for Federal or State

Government purposes, such software, modifications and documentation. To the extent

any Deliverable is deemed not to be, for any reason whatsoever, work made for hire,

Contractor agrees to assign and hereby assigns all right title and interest, including but

not limited to copyright patent, trademark and trade secret, to such Deliverables, and all

extensions and renewals thereof, to the State of Utah. Contractor further agrees to provide

all assistance reasonably requested by the State of Utah in the establishment,

preservation, and enforcement of its rights in such Deliverables, without any additional

compensation to Contractor. Contractor agrees to and hereby, to the extent permissible,

waives all legal and equitable rights relating to the Deliverables, including without

limitation any and all rights of identification of authorship and any and all rights of

approval, restriction or limitation on use or subsequent modifications.

27. OWNERSHIP, PROTECTION AND USE OF CONFIDENTIAL

INFORMATIONRECORDS: Except for confidential medical records held by direct care

providers, the State shall own exclusive title to all of its Confidential

Informationinformation gathered, reports developed, and conclusions reached in

performance of this Contract. The Contractor may not use, except in meeting its

obligations under this contract, information gathered, reports developed, or conclusions

reached in performance of this Contractthe State’s Confidential Information without the

express written consent of the State. The improper use or disclosure of any information

Confidential Information concerning a State of Utah client, or a State of Utah employee

for any purpose not directly connected with the administration of the State, or the

Contractor’s responsibilities with respect to services purchased under this agreement, is

prohibited except on written consent of the state agency employee, state agency client,

their attorney, or their responsible parent or guardian. The Contractor will be required to

sign a Confidential Information Certification form in situations where they will be given

access to confidential computerized records. The Contractor agrees to maintain the

confidentiality of records it holds as agent for the State as required by Government

Records Access and Management Act (“GRAMA”), or other applicable federal or state

law. The State of Utah shall own and retain unlimited rights to use, disclose, or duplicate

all information and data (copyrighted or otherwise) developed, derived, documented,

stored, or furnished by the Contractor under the Contract. The Contractor, and any

subcontractors under its control, expressly agrees not to use confidential client, or

confidential federal, state, or local government data, without prior written permission

from the State of Utah Project Manager and appropriate officials of the State Agency.

28. OWNERSHIP, PROTECTION, AND USE OF CONFIDENTIAL FEDERAL,

STATE, OR LOCAL GOVERNMENT INTERNAL BUSINESS PROCESSES AND

PROCEDURES: The improper use or disclosure by any party of protected internal

Federal or State business processes, polices, procedures, or practices is prohibited.

Confidential federal or state business processes, policies, procedures, or practices shall

not be divulged by the Contractor, Contractor’s employees, or their Subcontractors,

unless prior written consent has been obtained in advance from the State of Utah Project

Manager.

29. OWNERSHIP OF DOCUMENTS AND DATA.

Juniper shall at all times retain all right, title and interest in and to all pre-existing

Intellectual Property owned by Juniper as of the Effective Date and all Intellectual

Property in and to the Services, Juniper Products, Deliverables or other Intellectual

Property provided or developed by Juniper or a third party on Juniper’s behalf thereafter.

Customer shall at all times retain all right, title and interest in and to all pre-existing

Intellectual Property owned by a Purchaser or the State as of the Effective Date and all

Intellectual Property that is developed by a Purchaser or the State or by a third party on

their behalf thereafter without the benefit of any of Juniper’s Intellectual Property. Third

Party Products shall at all times be owned by the applicable third party.

, PROTECTION, AND RETURN OF DOCUMENTS AND DATA UPON CONTRACT

TERMINATION OR COMPLETION: All documents and data pertaining to work

required by this contract will be the property of the State and must be delivered to the

State within 30 working days after termination or completion of the contract, regardless

of the reason for contract termination, and without restriction or limitation to their future

use. Any State data that may be returned under provisions of this clause must either be in

the format as originally provided, or in a format that is readily usable by the State or that

can be formatted in a way that it can be used. Costs for all of these described items will

be considered as included in the basic contract compensation of the work described used

by the State.

30. CONFIDENTIALITY: Contractor, and anyone for whom the Contractor may be

liable, must maintain the confidentiality of any non-public personal information. Personal

information includes, but is not limited to, names, social security numbers, birth dates,

address, credit card numbers and financial account numbers. The State reserves the right

to identify additional reasonable types or categories of information that must be kept

confidential by the Contractor and anyone for whom the Contractor may be liable. This

duty of confidentiality shall be ongoing and survive the term of this contract.

31. TERMINATION UPON DEFAULT: In the event this contract is terminated as a

result of a default by the Contractor, the State may procure or otherwise obtain, upon

such terms and conditions as the State deems appropriate, services similar to those

terminated, and Contractor shall be liable to the State for any and all damages arising

there from, including, but not limited to, attorneys’ fees and excess costs incurred by the

State in obtaining similar services.

32. PROCUREMENT ETHICS: The Contractor understands that a person who is

interested in any way in the sale of any supplies, services, construction, or insurance to

the State of Utah is violating the law if the person gives or offers to give any

compensation, gratuity, contribution, loan or reward, or any promise thereof to any

person acting as a procurement officer on behalf of the State, or who in any official

capacity participates in the procurement of such supplies, services, construction, or

insurance, whether it is given for their own use or for the use or benefit of any other

person or organization (63G-6-1002, Utah Code Annotated, 1953, as amended).

33. WORKERS’ COMPENSATION: The Contractor shall furnish proof to the State,

upon request and maintain during the life of this contract, workers’ compensation

insurance for all its employees as well as any subcontractor employees related to this

contract.

34. LIABILITY INSURANCE: The Contractor agrees to provide and to maintain during

the performance of the contract, at its sole expense, a policy of liability insurance. The

limits of the policy shall be no less than $1,000,000.00 for each occurrence and

$3,000,000.00 aggregate.

It shall be the responsibility of the Contractor to require any of their Subcontractor(s) to

secure the same insurance coverage as prescribed herein for the Contractor.

35. ENTIRE AGREEMENT: This Agreement, including all Attachments, and documents

incorporated hereunder, and the related State Solicitation constitutes the entire agreement

between the parties with respect to the subject matter, and supersedes any and all other

prior and contemporaneous agreements and understandings between the parties, whether

oral or written. The terms of this Agreement shall supersede any additional or conflicting

terms or provisions that may be set forth or printed on the Contractor’s work plans, cost

estimate forms, receiving tickets, invoices, or any other related standard forms or

documents of the Contractor that may subsequently be used to implement, record, or

invoice services hereunder from time to time, even if such standard forms or documents

have been signed or initialed by a representative of the State. The parties agree that the

terms of this Agreement shall prevail in any dispute between the terms of this Agreement

and the terms printed on any such standard forms or documents, and such standard forms

or documents shall not be considered written amendments of this Agreement.

36. SURVIVORSHIP: This paragraph defines the specific contractual provisions that will

remain in effect after the completion of or termination of this contract, for whatever

reason: (a) State of Utah Standard IT Terms and Conditions # 2, Contract Jurisdiction,

Choice of Law, and Venue; (b) State of Utah Standard IT Terms and Conditions # 17,

Secure Protection and Handling of Data; (c) State of Utah Standard IT Terms and

Conditions # 18, Notification and Data Breaches; (d) State of Utah Standard IT Terms

and Conditions # 26, Copyright; (e) State of Utah Standard IT Terms and Conditions #27,

Ownership, Protection, and Use of Records, including Residuals of such records; and (f)

State of Utah Standard IT Terms and Conditions # 28, Ownership, Protection, and Use of

Confidential Federal, State, or Local Government Internal Business Processes, including

Residuals of such confidential business processes; (g) State of Utah Standard IT Terms

and Conditions # 29, Ownership, Protection, and Return of Documents and Data Upon

Contract Termination or Completion; and (h) State of Utah Standard IT Terms and

Conditions # 30, Confidentiality.

37. WAIVER: The waiver by either party of any provision, term, covenant or condition

of this Contract shall not be deemed to be a waiver of any other provision, term, covenant

or condition of this Contract nor any subsequent breach of the same or any other

provision, term, covenant or condition of this Contract.

If professional services are applicable to this solicitation/contract, the following terms

and conditions apply:

38. TIME: The Contractor shall complete the scope of services work in a manner to

achieve any milestones identified in the procurement documents related to this Contract

and the attachments to this Contract. The full scope of services work shall be completed

by any applicable deadline stated in the solicitation.

39. TIME IS OF THE ESSENCE: For all work and services under this Contract, time

is of the essence and Contractor shall be liable for all damages to the State of Utah

and anyone for whom the State of Utah may be liable, as a result of the failure to

timely complete the scope of work required under this Contract.

40. CHANGES IN SCOPE: Any changes in the scope of the services to be performed

under this Contract shall be in the form of a written amendment to this Contract,

mutually agreed to and signed by duly authorized representatives of both parties,

specifying any such changes, fee adjustments, any adjustment in time of

performance, or any other significant factors arising from the changes in the scope

of services.

41. PERFORMANCE EVALUATION: The State of Utah may conduct a

performance evaluation of the Contractor’s services, including specific personnel

of the Contractor. References in the Contract to Contractor shall include

Contractor, Contractor’s subcontractors, or subconsultants at any tier, if any.

Results of any evaluation will be made available to the Contractor.

42. WAIVERS: No waiver by the State or Contractor of any default shall constitute a

waiver of the same default at a later time or of a different default.

43. INSURANCE:

1. To protect against liability, loss and/or expense in connection with the performance of

services described under this Contract, the Contractor shall obtain and maintain in force

during the entire period of this Contract without interruption, at its own expense,

insurance as listed below from insurance companies authorized to do business in the State

of Utah and with an A.M. Best rating as approved by the State of Utah Division of Risk

Management.

2. The following are minimum coverages that may be supplemented by additional

requirements contained in the solicitation for this Contract or provided in an Attachment

to this Contract; if no insurance limits are identified in the solicitation, insurance

minimums will default to Section 44. Liability Insurance Requirements: (1) Worker’s

Compensation Insurance and Employers’ Liability Insurance. Worker’s compensation

insurance shall cover full liability under the worker’s compensation laws of the

jurisdiction in which the service is performed at the statutory limits required by said

jurisdiction.

(2) Professional liability insurance in the amount as described in the solicitation for this

Contract, if applicable. (3) Any other insurance described in the solicitation for this

Contract, if applicable.

3. Any type of insurance or any increase of limits of liability not described in this

Contract which the Contractor requires for its own protection or on account of any

statute, rule, or regulation shall be its own responsibility, and shall be provided at

Contractor’s own expense.

4. The carrying of insurance required by this Contract shall not be interpreted as relieving

the Contractor of any other responsibility or liability under this Contract or any

applicable law, statute, rule, regulation, or order.

44. STANDARD OF CARE: The services of Contractor and its subcontractors and

subconsultants at any tier, if any, shall be performed in accordance with the standard of

care exercised by licensed members of their respective professions having substantial

experience providing similar services which similarities include the type, magnitude and

complexity of the services that are the subject of this Contract. The Contractor shall be

liable to the State of Utah for claims, liabilities, additional burdens, penalties, damages or

third party claims (i.e. another Contractor’s claim against the State of Utah), to the extent

caused by wrongful acts, errors or omissions that do not meet this standard of care.

45. STATE REVIEWS, LIMITATIONS: The right of the State to perform plan checks,

plan reviews, other reviews and/or comment upon the services of the Contractor, as well

as any approval by the State, shall not be construed as relieving the Contractor from its

professional and legal responsibility for services required under this Contract. No review

by the State or any entity/user, approval or acceptance, or payment for any of the services

required under this Contract shall be construed to operate as a waiver by the State of any

right under this Contract or of any cause of action arising out of the performance or

nonperformance of this Contract, and the Contractor shall be and remain liable to the

State in accordance with applicable law for all damages to the State caused by the

wrongful acts, errors and/or omissions of the Contractor or its subcontractors or

subconsultants at any tier, if any.

(Revised July 1, 2013)

Attachment B EQUIPMENT LOAN AND LICENSE AGREEMENT (AMERICAS) READ THIS EQUIPMENT LOAN AND LICENSE AGREEMENT (“AGREEMENT”) BEFORE INSTALLING OR USING THE EQUIPMENT AND/OR DOWNLOADING, INSTALLING OR USING THE SOFTWARE EMBEDDED OR LOADED THEREIN OR DELIVERED THEREWITH. BY INSTALLING OR USING THE EQUIPMENT AND/OR DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE EQUIPMENT AND/OR SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks (US), Inc.

(for Equipment to be installed in a Customer location in the Americas), (ii) Juniper Networks International B.V. (for Equipment to be installed in a Customer location in Europe, Middle East, Africa or the Asia Pacific region) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that received from Juniper or an authorized Juniper reseller the applicable equipment and software license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Equipment and Software. In this Agreement, “Equipment” means the hardware, Software, associated documentation and other tools that are provided to Customer herein. “Software” means the program modules and features of the Juniper or Juniper-supplied software embedded in, loaded onto the hardware or delivered therewith and also includes updates, upgrades and new releases of such software.

3. Loan Period. The “Loan Period” commences on the delivery date of the Equipment to Customer and shall continue for a period of sixty (60) days thereafter, unless otherwise extended by Supplier in its sole discretion.

4. License Grant. Subject to the limitations and restrictions set forth herein, Juniper grants to Customer a revocable, non-exclusive and non-transferable license, without right to sublicense, to use the Equipment and Software embedded in, loaded on or delivered with the Equipment, in executable form only, (a) solely for Customer’s internal testing and evaluation in a non-production environment, (b) only on the Equipment and at the Customer site to which the Equipment was originally delivered by Juniper, and only in a manner consistent with the documentation that accompany the Equipment. This license shall terminate upon the earlier of (1) termination of this Agreement by Juniper or (2) expiration of the

Loan Period. Customer shall pay any taxes or duties however designated or imposed with respect to the loan of the Equipment and shall promptly reimburse Juniper for any and all taxes or duties that Juniper may be required to pay in connection with this Agreement or its performance.

5. Use Prohibitions. The Equipment provided hereunder is demonstration Equipment that is non-transferable and not for resale. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software; (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) distribute any key for the Software provided by Juniper to any third party; (g) use embedded Software on non-Juniper equipment; (h) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (i) use the Software in any manner other than as expressly provided herein.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation and any test results, business and technical plans or financial information related to Juniper or the Equipment are the confidential property of Juniper (“Confidential Information”). As such, Customer shall exercise all reasonable commercial efforts to maintain the Confidential Information in confidence, which at a minimum includes restricting access to the Confidential Information to Customer employees and contractors having a need to use the Confidential Information for Customer’s internal business purposes.

7. Ownership and Risk of Loss. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including, without limitation all patent, copyright, trade secret, trademark or other intellectual property rights) in and to the Equipment, Software, associated documentation, and all copies of the Software and associated documentation. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Equipment, Software or associated documentation, or a sale of the Equipment, Software, associated documentation, or copies of the Software. Customer assumes all risk of loss or damage to the Equipment while the Equipment is in Customer’ possession. Customer shall pay all reasonable costs of repair, replacement, or refurbishment caused by Customer’s use of the Equipment or by Customer’s failure to comply with this Agreement.

8. Warranty, Disclaimer of Warranty, Limitation of Liability. THE EQUIPMENT IS PROVIDED “AS-IS” AND MAY BE NEW OR REFURBISHED EQUIPMENT. JUNIPER OR ITS AFFILIATES, LICENSORS OR SUPPLIERS MAKE NO REPRESENTATION OR WARRANTY OF ANY KIND, AND EXPRESSLY DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR

TRADE PRACTICE. IN NO EVENT DOES JUNIPER OR ITS AFFILIATES, LICENSORS OR SUPPLIERS WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER OR ITS AFFILIATES, LICENSORS OR SUPPLIERS SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, OF ANY KIND REGARDLESS OF THE FORM OF THE ACTION, ARISING OUT OF THIS AGREEMENT, ANY JUNIPER OR JUNIPER-SUPPLIED EQUIPMENT, EVEN IF JUNIPER OR ITS AFFILIATES, LICENSORS OR SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH ACTION. IN NO EVENT SHALL JUNIPER OR ITS AFFILIATES, LICENSORS OR SUPPLIERS BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED EQUIPMENT.

9. Termination. Any breach of this Agreement shall result in automatic termination of this Agreement and the license granted herein. Upon such termination or upon expiration of the Loan Period, Customer shall return the Equipment to Juniper in its original packaging within five (5) calendar days of notice of termination or expiration of the Loan Period.

10. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

11. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

12. Notices. All notices (“Notices”) shall be in writing and delivered by personal delivery, by certified or registered mail, return receipt requested or by a recognized overnight delivery service. Any such Notices shall be considered given upon receipt, as confirmed by the delivery confirmation record. All Notices shall be sent to the respective address, as set forth below, or to such other address as may be specified by either party to the other in writing in accordance with this Section.

If to Juniper: Juniper Networks. Inc. Attn: General Counsel 1194 North Mathilda Avenue Sunnyvale, CA 94089-1206 Telephone: 408.745.2000

13. Miscellaneous. This Agreement constitutes the entire and sole agreement

between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

END USER LICENSE AGREEMENT (July 21, 2011 version)

READ THIS END USER LICENSE AGREEMENT ("AGREEMENT") BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. JUNIPER IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY IF YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS AGREEMENT. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE

EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU INDIVIDUALLY AND ON BEHALF OF THE BUSINESS OR OTHER ORGANIZATION THAT YOU REPRESENT CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE (OR, AS APPLICABLE THE JUNIPER EQUIPMENT IN WHICH THE SOFTWARE IS EMBEDDED), AND (B) WITHIN 30 DAYS AFTER RECEIPT OF THE SOFTWARE, EITHER RETURN THE SOFTWARE TO JUNIPER OR THE APPLICABLE RESELLER FOR FULL REFUND OF THE SOFTWARE LICENSE FEE, OR, IF THE SOFTWARE WAS EMBEDDED IN JUNIPER EQUIPMENT FOR WHICH SOFTWARE NO SEPARATE LICENSE FEE WAS CHARGED, RETURN THE EQUIPMENT AND EMBEDDED SOFTWARE, UNUSED, TO JUNIPER OR THE APPLICABLE RESELLER FOR A FULL REFUND OF THE PURCHASE PRICE.

This Agreement, as may be modified by any applicable Country-Specific Terms, defined below, governs Customer's access to and use of the Software (as defined below) first placed in use by Customer on or after the release date of this Agreement; provided that if there is a valid, unexpired separate written agreement signed by Customer and Juniper Networks governing Customer's use of the Software, then to the extent of a conflict between their provisions the order of precedence shall be (i) that signed written agreement, and (ii) this End User License Agreement as may be modified by any Country-Specific Terms as they apply to use of Software in a particular country. In addition, any non-English translated version of this Agreement posted at http://www.juniper.net/support/eula.html shall be the governing version of this Agreement for purposes of use of the Software in the territory designated at such website as the territory for which such translation applies. IF YOU ARE USING JUNIPER SOFTWARE OUTSIDE THE UNITED STATES, CHECK http://www.juniper.net/support/eula.html TO SEE IF ANY COUNTRY-SPECIFIC TERMS OR TRANSLATION APPLY.

1. Definitions. In this Agreement and in the Entitlements (unless the Entitlement otherwise expressly provides),

the following capitalized terms shall have the meaning set forth below:

a. "Authorized Users" means the number of Users that Customer is licensed to have access to the

Software.

b. "Concurrent Users" means the number of Users that Customer is licensed to have concurrently accessing the Software. If a single User connects to Software using multiple concurrent log-ins or connections, each such active logical connection or log-in is counted toward the number of Concurrent Users.

c. "Country-Specific Terms" means those terms posted at http://www.juniper.net/support/eula.html and

designated as replacing one or more terms of this End User License Agreement solely for Customers to the extent they use the Software in a particular country or group of countries (herein "Geography"). Any Country-Specific Terms applicable to Customers using the Software in a stated Geography shall take precedence over any inconsistent terms of this Agreement with respect to Customer's use of the Software in such Geography.

d. "Customer" or "You" means the individual or other legal entity or other business, governmental or not-for-profit organization that (A) is the original end user purchaser of a license to the Software from Juniper or a Juniper-authorized reseller, (B) accepts the terms of this Agreement, and (C) is identified as Customer or end user in the applicable Entitlement or in the authorized reseller's invoice for such license to the Software. If Software is lawfully received from Juniper or from an authorized reseller but there is no Entitlement, then "Customer" means the party that first so received the software from Juniper or its authorized reseller and accepts the terms of this Agreement. (See Section 2.k, below, with respect to license limitations where there is no Entitlement.)

e. "Device" means any device such as a computer, handset, tablet, laptop, server, switch or router. A

Device may also be a physical or virtual machine, hardware partition or blade.

f. "Embedded Software" means a copy of operating system software delivered embedded in or loaded onto Juniper hardware equipment when such equipment is sold by Juniper; PROVIDED, however, that no Separately Licensable Feature incorporated in such Embedded Software shall itself be deemed licensed along with the Embedded Software unless an Entitlement expressly so provides. If the Customer has an Entitlement to an Update of such Embedded Software, then such Update is itself

http://www.juniper.net/support/eula.html



deemed "Embedded Software" to the extent such Update would be deemed Embedded Software without regard to this sentence had it been delivered installed on the Juniper equipment.

g. "End-point" means any Device that terminates a network connection.

h. "Entitlement" means the set of documents issued by (or under authority granted by) Juniper that specify (i) the Software licensed (by Juniper product number), (ii) the license term, (iii) the Licensed Units, (iv) the authorized use, if any, (v) the Customer, and (vi) the license fee charged, if any, and, if none is charged, the fact that the license was granted to Customer free-of-charge.

i. By way of illustration, "Entitlements" may be composed of, among other things, any of the following or combinations of the following, as long as together they meet the criteria of the preceding sentence: written agreement signed by Customer and Juniper, a product description in the Juniper price list, a Juniper invoice, a Juniper-issued e-certificate, a Juniper-issued email transmitting authorization codes, as to Updates, a Juniper website-posted Services Description Document, or an End User Services Agreement.

ii. In the event of inconsistency with respect to any two Entitlement documents or between this Agreement and any Entitlement document, the one most restrictive of the rights of the Customer shall take precedence.

i. "Juniper" means (a) Juniper Networks (Ireland) and/or its authorized service representative(s) if Customer has acquired its license rights to the Software for use in Europe, the Middle East or Africa; (b) Juniper Networks (Hong Kong) Ltd. and/or its authorized service representative(s) if Customer has acquired its license rights to the Software for use in the Asia Pacific Rim; or (c) Juniper Networks (U.S.), Inc. and/or its authorized service representative(s) if Customer has acquired its license rights to the Software for use in North America, Central America or South America.

j. "Licensed Unit" means a unit of measure by which Customer's licensed use of Software is limited, as specified in the Entitlement. Examples of Licensed Units include, but are not limited to, seats, users, sessions, calls, connections, subscribers, clusters, nodes, devices, links, ports, events or transactions. Licensed Units may also be based on throughput (such as gigabytes per second), performance, configuration, bandwidth, interfaces, processing, or geographic scope. Some Licensed Units are defined in this Section 1 and those definitions shall apply to all Entitlements except as otherwise expressly provided in such Entitlements. Such defined Licensed Units include: Authorized Users, Concurrent Users, Device, End-point, Managed Device, Subscriber, and User.

k. "Managed Device" is a Device that (1) is recognized by the Software as authorized to be configured, administered, managed, provisioned, monitored or otherwise acted upon by the Software or (2) has been configured, administered, managed, provisioned, monitored or otherwise acted upon by the Software.

l. "Network" means a set of networked Devices or other network elements of the Customer that are under the common management and operational control of Customer, and in the case of an internet service provider are located within a single country unless Customer's Entitlement otherwise expressly provides.

m. "Separately Licensable Feature" means any module, feature, function, service, application,

operation, or capability furnished in combination within other Software (herein, collectively, "feature"), which feature is separately licensable from Juniper or its authorized resellers for additional fee, whether such feature is 'locked' or key-restricted or even of the feature can be activated or used without a Juniper-issued product activation key.

n. "Software" means an instance of a program, module, feature, function, service, application, operation, or capability of the Juniper or Juniper-supplied software either (i) identified in an Entitlement as licensed to Customer or (ii) made available to Customer by Juniper or a Juniper-authorized reseller for Evaluation Use. "Software" may also consist of an instance either of a Separately Licensable Feature distributed in combination with other Software and or of an Update of other Software.

o. "Subscriber" is a Device, individual, Customer billing record or other identity that is recognized by the

Software as authorized (presently, in the past or in the future) to receive services, usage, access or content which were, are or could be provided, managed, distributed, provisioned, billed or otherwise enabled by the Software.

p. "Subscription License" means a license to Software with respect to which the Entitlement states a finite, fixed term of use for the Software and either identifies the license as a "subscription" or expressly includes the right to Updates throughout the fixed term of use without need to purchase a separate Support Contract.

q. "Support Contract" means a support services contract that includes rights to receive certain Updates of the Software, which contract is either (i) a Juniper-issued contract purchased by Customer either from Juniper or from a Juniper-authorized reseller, or (ii) a support services contract issued by a support services provider to Customer under authorization granted by Juniper.

r. "Update" means Software that is an update, upgrade, bug fix or other new releases of other Software. Updates are either "Major Releases" (meaning a revision of Software as determined by Juniper Networks to have significant additional functionality or improved performance) or "Minor Releases" (meaning a bug fix, maintenance release, service release or a revision of a software application as determined by Juniper Networks to be limited to minor additional functionality or corrections of errors). An Entitlement to Updates may for certain cases exclude Major Releases.

s. "Usage Monitor" means a network management appliance or application software furnished to Customer (or approved in writing) by Juniper for monitoring use of the Software.

t. "User" means Device, individual, Customer billing record or other identity usable to gain access to any Software functionality (whether or not such account is restricted to a particular Device). User may be an individual or another Device. In counting Users for purposes of measuring usage against the licensed number of "Authorized Users" or "Concurrent Users," if a User can access the Software through another User each such User shall be counted separately.

2. License Grant. Subject to payment of the applicable fees and subject to the terms of this Agreement, Juniper

grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, and only within the restrictions and subject to the conditions set forth in the Entitlement and those set forth in this Agreement. Unless otherwise expressly provided in the Entitlement:

a. Embedded Software. Customer shall use Embedded Software solely for execution on the unit of

Juniper equipment originally delivered to Customer with such Software installed. Any Update of such Embedded Software that Customer has licensed under a Support Contract may be loaded and executed only on the Juniper equipment on which the originally licensed Embedded Software is authorized to execute. Further, if Customer also licenses any Separately Licensable Feature combined with or incorporated in the Embedded Software (whether in dormant or active form), Customer may use such Separately Licensable Feature only for execution on the Juniper equipment on which the Embedded Software is authorized to execute. The license term for any such Separately Licensable Feature or Update shall be as specified in its own Entitlement. Notwithstanding any other provision of this Agreement, except as may otherwise be required by applicable law, no license is granted for installation or use of any Embedded Software or associated Update or Separately Licensable Feature on any Juniper equipment resold by anyone who is not an authorized reseller of such equipment.

b. Single Instance/Single Device. Except to the extent otherwise explicitly stated in the Entitlement (including, without limitation, where the Entitlement states that the license is a "Network License") Customer shall use a single instance of the Software on a single Device and the quantity of all applicable Licensed Units shall be one (1).

c. Non-transferability of Licensed Units. Unless expressly permitted by the Entitlement, quantities of Licensed Units purchased separately are not allowed to be transferred or allocated between or among different licenses or instances of the Software.

d. Separately Licensable Features and Updates. Unless otherwise expressly stated in an Entitlement purchased by Customer, a license to a particular release of Software shall not entitle Customer to receive or use any Separately Licensable Feature delivered in combination with that Software or any Update of that Software. An Entitlement to a Separately Licensable Feature or to an Update may specify terms, conditions and restrictions, including different Licensed Units and different term of use, that are different than those of that underlying licensed Software; provided however, that in no event shall any such Entitlement be construed to expand implicitly any terms, conditions or restriction of use of the underlying licensed Software.

e. Network License. If the Entitlement specifies that it is a Network License, Customer may allocate the applicable Licensed Units across the licensed number of Software instances provided that (i) such instances are all running on the Customer Network specified in Customer's Entitlement; (ii) the total number of Licensed Units does not exceed the number licensed under that Entitlement and (iii) a Usage Monitor is used to validate (i) and (ii) and to report such usage to Juniper. Customer shall not alter or disable the Usage Monitor at any time during the term of the network license and shall not disable, alter or destroy the Usage Monitor, its connection to Juniper or any data collected by such Usage Monitor. If the network license is granted as to a particular number of Licensed Units, then all licensed copies of the software in the Customer Network may not be used to support in the aggregate more than that number of Licensed Units.

f. Updates. Except as expressly provided below in Section 2.g, below, with respect to Subscription Licenses or as otherwise expressly provided in an Entitlement or Support Contract, Customer shall have no rights in any Update to Software, nor any rights to support services associated with such Software.

g. Subscription License. In case of a Subscription License of Software, Juniper Networks shall make available to Customer during the term of the Subscription License the Supported Updates (as defined below) solely for support of the Customer's licensed copy(ies) of such Software during the term of the Subscription License, subject to the terms and conditions set forth below:

i. As used herein, "Supported Updates" as of any particular time during the term of the Subscription License means any Update of such Software then available generally to Customers who have purchased a Subscription License to such Software.

ii. Rights in Supported Updates. For each Supported Update, the Customer's rights in such Update will be subject to the same terms, restrictions and conditions as apply to the Software (including without limitation the terms, restrictions or conditions on use set forth in this Agreement and in any "Entitlement" as it applies to the Software).

h. Specific license terms applicable to particular products:

i. Junos Space Software. If this license is granted in fulfillment of a Customer purchase order (or associated fulfillment documentation) placed with Juniper or any Juniper-authorized reseller or support services provider (including any Operate Specialist) for any package of Junos Space Software, then Customer is authorized to use Junos Space in a networked environment on the Customer Network identified in the Entitlement solely to manage Devices in such Customer Network, but only to the extent of Licensed Units specified in the Entitlement. If, instead, Customer's license in a package of Junos Space Software is granted in fulfillment of a feature of a Support Contract, the scope of the license shall be as set forth in that Support Contract, an associated Service Description Document or another associated Entitlement.

ii. Steel-Belted Radius or Odyssey Access Client Software. Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA Software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

1. The Global Enterprise Edition of the Steel-Belted Radius Software may be used by Customer only to manage access to Customer's enterprise network. Specifically, service provider Customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius Software to support any commercial network access services.

i. If the Entitlement specifies "Research and Development Use", then Customer may only use the Software in Customer's own internal lab activities for research and development, excluding (A) research and development activities conducted as a paid contractor on behalf of a third party, and (B) any use of Software supporting, or installed or incorporated in whole or in part in, a product or service made commercially available or supporting live network traffic in the ordinary course of Customer's business.

j. If the Entitlement specifies "Lab Use", then Customer may only use the Software in Customer's own internal lab activities to evaluate and test network setup and configuration and feature testing, but excluding (A) lab testing or other activities conducted as a paid contractor on behalf of a third party, and (B) any use of Software supporting, or installed or incorporated in whole or in part in, a product or service made commercially available or supporting live network traffic in the ordinary course of Customer's business.

k. If there is no Entitlement, or if there is an Entitlement that specifies "Evaluation", "Demonstration" or "Trial" use then Customer may only use the Software for its internal evaluation or qualification of the Software (or the equipment in which it is embedded) and only in a development or test network environment in contemplation of potential future licensing for a commercial or other use.

l. Except to the extent otherwise required by applicable law or expressly provided in the Entitlement, this license is not sublicensable, transferable or assignable by Customer and any attempted sublicense, transfer or assignment shall be null and void.

3. Use Prohibitions. Notwithstanding the foregoing, this license does not permit the Customer to, and Customer agrees that it shall not, alone or through another party: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make copies of the Software (except as necessary for backup purposes and as otherwise expressly permitted in the Entitlement); (c) remove any proprietary notices, labels, or marks on or in the Software; (d) distribute any copy of the Software to any third party, including Embedded Software in Juniper equipment sold in any secondhand market; (e) use any feature, function, service, application, operation, or capability embedded within Software (herein, collectively, "feature") where such feature is 'locked,' key-restricted or otherwise identified as not licensed for use without paying a separate fee, unless Customer first purchases the applicable license(s) and obtains a valid authorization from Juniper supported by an Entitlement explicitly authorizing such feature; this prohibition applies even if the feature can be activated or used without a Juniper-issued product activation key; (f) distribute any product activation key for the Software provided by Juniper to any third party; (g) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (h) use Embedded Software on non-Juniper equipment; (i) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (j) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; (k) attempt to alter or deface any notice or marking on any copy of the Software or attempt to assign or transfer any rights (whether by contract, by operation of law or otherwise) under this Agreement or under any Entitlement; (l) use any Update to which Customer may otherwise be entitled if either (1) at the time of acquiring such Update, Customer does not already hold a valid license to the original Software or (2) Customer has not paid the applicable fee for the Update (or the Support Contract under which the Update is furnished); (m) deactivate or modify or impair the functioning of any Usage Monitor or any record, log or functionality designed to monitor, measure or limit use of the Software or compliance with the license terms of this Agreement; (n) unless otherwise expressly provided in the Entitlement, permit any other User to use its access to any Software features or functionality in support of any business activity in which such other User for a fee grants third parties access to such features or functionality; or (o) use the Software or permit any User or any other third party to use the Software in violation of any applicable law or regulation or to support any illegal activity.

4. Audit. Customer agrees to allow Juniper or its independent professionals the right, at any times during the term of any license to any Software licensed by Juniper to Customer hereunder and thereafter until three years after the latest termination or expiration date of any such license, to inspect and copy during normal business hours the Usage Monitor logs, other Software logs and other relevant Customer records to verify Customer's compliance with this Agreement and the Entitlement; provided that any such inspection and copying shall be conducted under reasonable and customary restrictions to protect against use or disclosure of confidential Customer information therein other than as appropriate to verify Customer's compliance with the terms of this Agreement and any Entitlement and to enforce Juniper's rights thereunder. In the event such inspection discloses non-compliance with this Agreement, Customer shall promptly pay to Juniper the appropriate license fees, plus the reasonable cost of conducting the audit.

5. Recordkeeping. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer's internal business purposes.

7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a sale or other transfer or conveyance of any right, title, or interest in the Software or associated documentation.

8. Warranty. Except as may otherwise be provided in the warranty posted at http://www.juniper.net/support/warranty/ applicable to the Software, and except for Software excluded from warranty coverage under subsection (f), below, Juniper warrants for the sole benefit of Customer that for a period of ninety (90) days from the Start Date, the media on which software is delivered, shall be free from defects in material and workmanship under normal authorized use consistent with the product instructions, subject to the following:

a. In addition, with respect to Embedded Software embedded in Juniper security products, application acceleration products or certain other Hardware products, as more specifically set forth on http://www.juniper.net/support, for a period of fifteen (15) days from the date a Customer receives such Hardware product Juniper will provide the Customer that purchased such Hardware product access to one (1) download of the most recent commercially-available revision of Software that is embedded in

http://www.juniper.net/support/warranty/


such hardware product. Customer may download the Software by going to http://www.juniper.net/support. Such download shall be treated as though it were an Update for purposes of this Agreement. This right to download extends only to the Customer and not to any subsequent transferee of the Hardware product on which it is embedded;

b. In any event, THE SOLE AND EXCLUSIVE REMEDY OF THE CUSTOMER AND THE ENTIRE LIABILITY OF JUNIPER UNDER THIS LIMITED WARRANTY SHALL BE THE REPLACEMENT OF THE MEDIA CONTAINING THE SOFTWARE.

c. Restrictions: No warranty will apply if the Software (i) has been altered, except by Juniper Networks; (ii) has not been installed, operated, repaired, or maintained in accordance with instructions supplied by Juniper; (iii) has been subjected to unreasonable physical, thermal or electrical stress, misuse, negligence, or accident or (iv) has been licensed solely for Evaluation Use or demonstration use or is beta software or otherwise not commercially released. In addition, Software is not designed or intended for use in (i) the design, construction, operation or maintenance of any nuclear facility, (ii) navigating or operating aircraft; or (iii) operating life-support or life-critical medical equipment, and Juniper disclaims any express or implied warranty of fitness for such uses. Customer is solely responsible for backing up its programs and data to protect against loss or corruption. Juniper warranty obligations do not include installation, reinstallation or backup support.

d. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK.

e. Nothing in this Agreement shall give rise to any obligation on the part of Juniper to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement.

f. Exclusions: Software licensed for research and development use, lab use, evaluation use or demonstration use, shall be furnished "AS IS" and without warranty of any kind, expressly or implied.

g. Disclaimer of implied Warranties. EXCEPT AS EXPRESSLY PROVIDED IN THIS SECTION 8, TO THE EXTENT PERMITTED BY LAW JUNIPER DISCLAIMS ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT, SATISFACTORY QUALITY, NON-INTERFERENCE, ACCURACY OF INFORMATIONAL CONTENT, OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE EXPRESS WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY. THIS WARRANTY GIVES CUSTOMER SPECIFIC LEGAL RIGHTS, AND CUSTOMER MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty fails of its essential purpose.

9. Exclusion of Certain Damages. TO THE EXTENT PERMITTED BY LAW, NEITHER JUNIPER NOR ITS SUPPLIERS OR LICENSORS BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT OR RELATING TO THE SOFTWARE OR USE OF THE SOFTWARE. IN NO EVENT SHALL JUNIPER OR ITS SUPPLIERS OR LICENSORS BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. BECAUSE SOME JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, SOME OR ALL OF THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU. Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

10. Limitation of Damages. IN NO EVENT SHALL JUNIPER'S OR ITS SUPPLIERS' OR LICENSORS' CUMULATIVE LIABILITY TO CUSTOMER FROM ALL CAUSES OF ACTION AND ALL THEORIES OF LIABILITY, EXCEED THE GREATER OF (I) ONE HUNDRED US DOLLARS ($100.00) IN THE AGGREGATE OVER ALL COPIES OF ANY AND ALL SOFTWARE LICENSED TO CUSTOMER BY JUNIPER OR ITS DISTRIBUTORS OR RESELLERS; OR (II) THE PRICE PAID TO JUNIPER FOR LICENSED RIGHTS TO THE SOFTWARE THAT GAVE RISE TO THE CLAIM. BECAUSE SOME JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, SOME OR ALL OF THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU. Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect


an allocation of risk between the Parties, and that the same form an essential basis of the bargain between the Parties.

11. No Liability to any Third Party. TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL LIABILITIES OR OBLIGATIONS WHATSOEVER RELATED TO THE SOFTWARE OR ITS LICENSING TO OR USE BY ANYONE OTHER THAN CUSTOMER. Customer shall defend, indemnify and hold Juniper harmless from and against any liability, damages, loss or cost (including attorneys' fees) arising out of or relating to any dispute, lawsuit, administrative hearing, arbitration or settlement based on any claim by a party other than Customer relating to the Software originally licensed to Customer (or relating to a service offered by Customer involving use of the Software).

12. 12. Term and Termination.

a. This License is granted for the license term specified in the Entitlement, if any.

b. If no license term is specified in the Entitlement, then

i. As to any Embedded Software, unless the license is for Lab Use, Research and Development Use, Evaluation Use, Demonstration Use or Trial Use, the license shall be terminable only for non-payment or other breach under Section 12.c, below.

ii. If Software is licensed under a Subscription License, or under annual Support Contract or other time-limited basis, all rights to use such Software cease upon the expiration of the applicable subscription period or of the applicable Support Contract, subject to any renewal rights explicitly set forth in the Entitlement to the extent properly exercised by the Customer.

iii. As to any other Software, if the Customer has lawfully received the Software without any Entitlement, then the license term shall be thirty (30) days from date of delivery to Customer of the first copy of the Software; provided that Customer may not perform multiple downloads of Software (or otherwise take delivery of multiple successive copies of the Software) to circumvent such term limitation.

c. Any breach of this Agreement (including any Entitlement) or failure by Customer to pay any applicable fees due shall result in termination of the license granted herein ten days after failure by Customer to cure any curable breach.

d. Upon any expiration or other termination of any license to Software, Customer's right to use the Software shall terminate and Customer shall promptly destroy or return to Juniper all copies of the Software and related documentation in Customer's possession or control.

13. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer's payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer's non-compliance or delay with its responsibilities herein. Customer's obligations under this Section shall survive termination or expiration of this Agreement.

14. Export. Customer agrees to comply in its use of the Software with all applicable export laws and restrictions and regulations of the United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be solely liable for any such violations.

15. Commercial Computer Software. The Software is a "commercial item" as defined at Federal Acquisition Regulation (48 C.F.R.) ("FAR") section 2.101 comprised of "commercial computer software" and "commercial computer software documentation" as such terms are used in FAR 12.212. Consequently, regardless of whether the Customer is the US Government or a department or agency thereof, the Customer shall acquire only such rights with respect to the Software as are set forth in this Agreement and the Entitlement.

16. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

17. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License ("GPL") or the GNU Library General Public License ("LGPL")), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html. Open source information and information on contacting Juniper can be found at http://www.juniper.net/support/products/ as applicable.

18. Governing Law and Localized Versions of this Agreement. This Agreement shall be governed by the laws of the State of California (without reference to its conflicts of laws principles). The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in the courts of the state of California (and the US District Court for the district of Northern California).

19. Miscellaneous. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. Neither any modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern unless otherwise expressly stated in applicable Country-Specific Terms.

http://www.gnu.org/licenses/gpl.html

http://www.gnu.org/licenses/lgpl.html

http://www.juniper.net/support/products/