Juniper SD-WAN

Alexandre Cezar, Consulting Systems Engineer, Security/Cloud

Juniper SRX vs. Cisco ISR - Network Eventos · Branch/WAN Disruption and Transformation Case for Cloud CPE w/ SD-WAN User Experience Cloud/Connectivity Business Hybrid WAN Flexibility


MARKET DYNAMICS


Branch/WAN Evolution: PMO to FMO

Bring Agility and Enhanced Customer Experience Utilizing Cloud Technology

Legacy Branch (PMO)

• Router
• NG Firewall
• Switch
• WLAN Controller
• UTM Firewall
• WAN Optimization

Expensive, complex all-in-one box or many vendor inline boxes and cumbersome refresh

Future Branch (FMO)

• Cloud CPE: Platform, Services, Applications
• Virtualized service: Juniper vSRX

Simple, customizable and instantaneous refresh


Branch/WAN Disruption and Transformation Case for Cloud CPE w/ SD-WAN

User Experience | Cloud/Connectivity | Business

• Hybrid WAN Flexibility
• Service Agility & DevOps
• Visibility and Control
• Application Aware WAN
• On-Demand Self Service
• Reduced Capex/Opex
• Open, Flexible Choice
• Centralized Policy Control
• Pay-As-You-Grow Biz Model


What is SD-WAN?

[Diagram labels: Branch, HQ, Data Center, MPLS, Internet, Network Service Activator, SD-WAN Controller, Orchestrator]

SD-WAN has four characteristics:

• Must support multiple WAN connections: MPLS, Internet, LTE etc.
• Can do dynamic path selection: allows for load sharing across WAN links
• Provides simplified WAN management: must support zero-touch provisioning of remote branch
• Must support secure VPNs, and have the ability to integrate additional network services like Firewall, WAN Ops etc.

Reference : https://goo.gl/IeJtbN


JUNIPER SOLUTION


Juniper SD-WAN Solution

[Diagram labels: Office365, App, Branch, Branch Campus, NFX Series, SRX Series, vSRX, Hybrid WAN, Managed, OTT, Juniper Sky ATP & Spotlight Secure Service, Junos Space, Service Orchestrator]


Secure Branch

• With Local Breakout: optimized local break-out traffic
• Without Local Breakout: non-optimized backhauled traffic

[Diagram labels, both cases: Branch, MPLS, Internet, HQ]


Secure Cloud CPE Platform: NFX/SRX

NFX Series (NFX250 Shown)

• Router + switch + server providing robust foundation to simultaneously deliver virtual services
• Automated provisioning and pre-integrated 3rd party services and applications

CPU: Intel Multi-Core Xeon D
System Memory: up to 32 GB DDR4 RAM
System Drive: up to 400 GB SSD
Service T-Put: 20Gbps
Switch T-Put: 88Gbps

SD-WAN | Security | Services | Applications

SRX Series (SRX1500 Shown)

• Multipurpose security focused appliances, “right sized” for the need

SRX T-Put: 500Mbps – 10Gbps (SRX300 – SRX1500 Series)

SD-WAN | Security


Cloud CPE Product Portfolio

Open VNF Platform

[Chart axes: Flexibility and Scale, Performance. Legend: Shipping/SOPD, Investigation]

• Small Appliances: Custom PFE; 0.5-2.0 Gbps router; Crypto acceleration; Integrated Appliance / No virtualization; VDSL, LTE
• Small Server: ATOM 4C/8C; 2-4 VNFs; Crypto acceleration; Expansion slot / LTE; Server
• Medium Server: Xeon D 6C / Pentium D 4C; 2-8 VNFs; AES-NI acceleration; 1GE/10GE; Server + HW PFE
• Large Server: Xeon Multi-socket; High Performance; 1/10GE and higher; Crypto acceleration; Expansion slots; Server

Platforms shown: SRX300, SRX320, SRX340, SRX345, NFX250 S2, NFX250 S1, NFX250 LS1, NFX Small, NFX Large

Software labels: vSRX, VNF, Junos

CSO: Automation, SD-WAN, Security & LAN


Service Simplicity with Cloud CPE

[Diagram labels: Centralized Cloud CPE, Distributed Cloud CPE, NFX Series, SRX Series, vSRX, VNFs, Regional Branch, Campus, Local Branch, Service Orchestrator/Controller, Juniper Sky ATP & Spotlight Secure Service, Ent. App, Managed, OTT, Unmanaged VPN & POS]

• Centralized Management
• Automated Service Delivery
• IT and Telco Cloud Consistency
• Application Aware (L7) Security
• Application Aware (L7) Routing
• Centralized Policy Control
• Secure and Managed VPN


Juniper SD-WAN Architecture

[Diagram labels: Branch Office, Corporate Office, Remote Office, Customer Premises, NFX, vSRX VNF, SRX, SRX/MX Headend, Managed Access (Private WAN), Internet, IPSec tunnels, CSO with Network Services Controller, BGP*, App Perf Monitor*, Net Act]

*Roadmap items

SRX and vSRX (with NFX) is the EDGE platform for the Juniper SD-WAN Solution

Configuration | Control (BGP) | App Analytics | IPSec VPN Connection

Standard data models for

• Device management
• VPN management
• Overlay Routing
• Policy Based Routing
• SLA measurement
• Telemetry/Analytics

• Standardized Overlay with P2P, Hub/Spoke IPSec, Auto VPN, AD-VPN
• Netconf / Openconfig for configuration
• BGP for Overlay Routing
• Standardized probes: RPM


Contrail Service Orchestration (CSO)

Network Service Designer

• Define services

• Specify VNF onboarding process

• Create service chaining templates

Administration Portal

• Manages End-to-End Solution

• Allows Admin to Monitor and Troubleshoot

• Provides Workflows and Site Management

Network Svc Activator/Controller

• Downloads the image

• Configures the device

• Orchestrates device egress WAN policies

Customer Portal

• Provides Web Portal to Customer

• Select deployment model

• Self-select Network Services


SRX and vSRX SD-WAN Capabilities

Advanced Policy Based Routing

• Application and User* aware policy based routing
• Load balance traffic over WAN interfaces based on link performance (RPM)

Carrier Class Routing

• Multiple WAN interface types: TDM, DSL, LTE, Ethernet
• Full routing stack with overlay protocols (MPLS, GRE etc.)

Highly Secure

• FIPS 140-2 compliant IPSec VPN with flexible deployments
• Advanced threat detection & mitigation with IPS, UTM, Sky ATP

Management and Automation

• Zero Touch Provisioning with centralized mgmt & orchestrator
• On-box / off-box scripting capabilities automate repetitive tasks


Zero Touch Provisioning

[Diagram labels: Activation Server, www.nfxweb.juniper.net/nfx, Contrail Controller, SRX320, Juniper Hosted Redirect tool, steps 1 to 6]

Work Flow

1. Administrator installs and sets up the activation server and adds device info to the activation server and the Juniper hosted redirect tool
2. Device is powered up at the remote branch and the user adds the activation code to the device
3. Remote device communicates with the Redirect tool and obtains contact info of the activation server
4. Device authenticates itself to the activation service using the activation code and X.509 certs, after which it downloads Junos and configuration
5. Activation server sends a notification to the management server
6. Once the device has upgraded and configured itself, it connects to the management server for further device management and orchestration


Advanced Policy Based Routing (AppRoute/APBR)

[Diagram labels: Applications N, Branch, MPLS, Internet, Corporate HQ, Enterprise App Server]


SD-WAN - R2.1 Application Routing with vSRX/SRX/NFX

[Diagram labels: Branch / Campus, NFX/SRX, VNFs, Distributed Cloud CPE, Managed Access, Internet (IPsec), GRE, Telco POP/Infrastructure, Edge Router (Existing PE device), MPLS Core, SD-VPN GW, Contrail Service Orchestration, Network Controller, Admin Portal, Self Care Portal, APBR Enhancements]

• APBR supports DPI and pattern-matching capabilities of AppID to identify application traffic or a user session within an application
• Benefits:
• APBR allows you to define the routing behavior based on applications
• APBR provides flexible traffic-handling capabilities with granular control for forwarding packets based on application attributes
• Supports 3K+ application signatures
• Enables exception path routing for SD-WAN
• Application groups for easy policy selections (Web, Gaming, Multimedia etc.)
• Supported from Junos Release 15.1X49-D60 onwards on SRX/vSRX/NFX


SD-WAN - R2.1 Application Monitoring – Basic Link Level

[Diagram labels: Branch / Campus, NFX/SRX/vSRX, VNFs, Distributed Cloud CPE, Managed Access, Internet (IPsec), GRE, Telco POP/Infrastructure, Edge Router (Existing PE device), MPLS Core, SD-VPN GW, Contrail Service Orchestration, Network Controller, Admin Portal, Self Care Portal, Link Level Monitoring]

• Support for following types of link level monitoring via SLA profiles on SCP
  • Monitoring with Route Failover
  • Monitoring with a DHCP Backup Interface
  • Monitoring with Interface Failover Using Advanced Boolean Selection
  • Monitoring in a Virtual Router
• Probe types supported in SLA profile
  • HTTP GET request to a target URL
  • HTTP GET request for metadata from a target URL
  • ICMP echo request to a target IP address (the default)
  • ICMP timestamp request to a target address
  • UDP ping packets to a target device/IP
  • TCP ping packets to a target device
• Dynamic failover to default path when threshold exceeded
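The application-based routing and SLA failover described on the two slides above, modelled as an added example (not Juniper code or configuration, and not part of the original deck): an application is steered to its rule's link unless recent probes on that link exceed the SLA profile, in which case it falls back to the default path. The thresholds, window size, link names and rules are constructed assumptions, since the slides give no values.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class SlaProfile:              # hypothetical thresholds; the slides give none
    max_loss_pct: float
    max_rtt_ms: float
    window: int = 5            # number of most recent probes evaluated

@dataclass
class Link:
    name: str
    probes: list               # RTT in ms per probe; None means the probe was lost

def link_violates(link, sla):
    """True when the recent probe window exceeds the loss or RTT threshold."""
    recent = link.probes[-sla.window:]
    if not recent:
        return True            # no measurements: treat the link as unusable
    lost = sum(1 for p in recent if p is None)
    loss_pct = 100.0 * lost / len(recent)
    answered = [p for p in recent if p is not None]
    avg_rtt = mean(answered) if answered else float("inf")
    return loss_pct > sla.max_loss_pct or avg_rtt > sla.max_rtt_ms

def select_path(app, rules, links, sla_by_app, default_path):
    """Return (path, reason) for an identified application."""
    preferred = rules.get(app)
    if preferred is None:
        return default_path, "no APBR rule"
    sla = sla_by_app.get(app)
    if sla is not None and link_violates(links[preferred], sla):
        return default_path, "SLA threshold exceeded"
    return preferred, "APBR rule"

# Constructed sample data (not from the slides)
LINKS = {
    "mpls": Link("mpls", [22, 24, 21, 23, 25]),
    "internet-ipsec": Link("internet-ipsec", [40, None, 180, None, 210]),
}
RULES = {"office365": "internet-ipsec", "voip": "mpls"}
SLAS = {"office365": SlaProfile(20.0, 150.0), "voip": SlaProfile(1.0, 50.0)}

if __name__ == "__main__":
    for app in ("office365", "voip", "dns"):
        print(app, select_path(app, RULES, LINKS, SLAS, "mpls"))
```

When reviewing a real deployment, confirm that the default path enforces the same IPsec and firewall policy as the preferred one, so that a failover does not move traffic onto a less protected link.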


QUESTIONS?


Thank You