WHITE PAPER
EXTENDING THE VIRTUALIZATION ADVANTAGE WITH NETWORK VIRTUALIZATION
Virtualization techniques in Juniper Networks MX Series 3D Universal Edge Routers
Copyright © 2010, Juniper Networks, Inc.
Table of Contents

Executive Summary
Introduction: Industry Trends and the Need for Virtualization
Juniper’s Approach to Network Virtualization
Virtualization Technologies for MX Series 3D Universal Edge Routers
Deployment Scenarios
  Deployment Example 1: Merger and Acquisitions at a Bank
  Deployment Example 2: Scaling the Network for Web 2.0 Applications
  Deployment Example 3: Securing and Migrating Data in Health Care
  Deployment Example 4: Simplifying Security and Services Using Enterprise-Wide Virtualization
Conclusion
Glossary
About Juniper Networks

Table of Figures

Figure 1: Summary of required attributes necessary for virtualization
Figure 2: Virtualization technologies in MX Series 3D Universal Edge Routers
Figure 3: Example of MPLS super core between Mega Bank and Regional Bank
Figure 4: Example of logical systems deployed in a bank’s data center
Figure 5: Multicast in financial markets, Exchange-1 is Chicago and Exchange-2 is New York
Figure 6: Traditional versus virtual application architecture
Figure 7: Mapping VRFs to security zones
Figure 8: Server live migration of data between two colocated data centers
Figure 9: Encrypted transport of data between the data center and hospital
Figure 10: Safe zone cloud controls access between branch offices and data centers by using firewalls
Figure 11: Private MPLS interconnecting similar “silos”

List of Tables

Table 1: Business Trends, Network Impact, and Technologies to Minimize Adversities to the Network
Table 2: Virtualization Characteristics
Table 3: Summary of Benefits of VR, VRF-Lite, and Logical Systems
Executive Summary

This paper discusses the numerous virtualization technologies in Juniper Networks® MX Series 3D Universal Edge Routers, and Juniper’s network virtualization strategy and virtualization solutions. It also provides specific examples of how network-based virtualization helps achieve business goals.

Today’s competitive environment and economy are driving organizations to respond to ever-increasing business challenges—while reducing cost and improving operational efficiency—at unprecedented levels. Many enterprises have responded to these business challenges by deploying virtualization tools—such as storage, server, or desktop virtualization—which share assets across applications, departments, groups of users, etc. Virtualization facilitates higher utilization of resources, resulting in greater asset efficiency and cost savings. Leading organizations are extending those virtualization advantages with the addition of network virtualization.

Many key enterprise business requirements are driving the need for network virtualization:
• Establish traffic segmentation and improve privacy
• Increase network resiliency
• Improve network scalability and performance
• Improve security
• Rapidly deploy new services and applications
• Improve end user application performance
• Adhere to regulatory compliance

Some enterprises are even taking network virtualization further by building their own virtualized cloud infrastructure, rather than purchasing it from their providers. The numerous virtualization technologies make it possible to build this virtualized network infrastructure.

Juniper offers a myriad of network virtualization technologies and uniquely offers them in one OS—Juniper Networks Junos® operating system, running consistently across Juniper’s routing platforms:
• Network Service Virtualization
  - Virtualizes network services—such as L2VPN, L3VPN, VPLS, and pseudowire—and offers many options for secure virtual connectivity
  - Virtualizes the transport of traffic with MPLS—and improves network utilization, scalability, and resiliency
• Chassis Virtualization
  - Simplifies manageability by providing a unified control plane
  - Improves resource utilization and scalability
  - Improves resiliency by providing stateful redundancy
• Device Virtualization
  - Improves routing utilization and simplifies configuration by managing virtual independent routers or physical interfaces
• Link Virtualization
  - Improves link utilization, control, and security

This white paper concludes with use cases and examples across different enterprises such as financial institutions, hospitals, Internet portals, and large enterprises with many divisional offices. The use cases are:
• Deployment Example 1: Merger and Acquisitions at a Bank
• Deployment Example 2: Scaling the Network for Web 2.0 Applications
• Deployment Example 3: Securing and Migrating Data in Health Care
• Deployment Example 4: Simplifying Security and Services Using Enterprise-Wide Virtualization
Introduction: Industry Trends and the Need for Virtualization

Today’s new economic realities have increased the need to improve an organization’s competitive advantages, irrespective of whether the organization is a financial, government, service, manufacturing, public utility, or health care concern. A change to improve a competitive advantage—such as mergers, acquisitions, or divestitures—has direct implications on the network, which many times translate into costly and disruptive upgrades. Juniper strives to help customers save costs and improve operational efficiencies with network virtualization, which offers customers the ability to nimbly implement a key business initiative—such as mergers, acquisitions, or divestitures—without a disruptive network upgrade or costly change to their physical network.

Table 1 shows some key business trends, the impact on the network, and virtualization technologies that can be applied. Detailed descriptions of the virtualization technologies are given in the next section.

Table 1: Business Trends, Network Impact, and Technologies to Minimize Adversities to the Network

Business trend: Data center consolidation
Network impact: The need to reduce CapEx and OpEx is driving enterprises to consolidate data centers. Consolidation can sometimes place additional pressures on the WAN infrastructure, potentially translating into additional WAN costs or deterioration of the end user application experience.
Technology: Virtualized transport using MPLS and VPLS can reduce the number of required links; improve the end user experience with traffic engineering; and provide resiliency with carrier-class high availability (HA) features.

Business trend: Compliance
Network impact: Enterprises that adhere to regulatory compliance look for efficient ways to separate traffic and services of the different business groups or sensitive data and applications across their network infrastructure. Enterprises also need to easily classify and analyze traffic patterns for forensics. Many enterprises have deployed physically separate networks for compliance—and this becomes cost prohibitive over time.
Technology: Enterprises can use MPLS for traffic segmentation—and the benefits are improved resiliency, privacy, and security.

Business trend: Business continuity
Network impact: Enterprises have built their competitive advantages with critical data, and many want to protect their business by deploying data in colocation data centers. Network resiliency across data centers then becomes increasingly important.
Technology: Technologies such as VPLS provide the ability to migrate traffic across colocation data centers, thereby ensuring business continuity without the overhead of maintaining separate data migration links.

Business trend: Business agility
Network impact: Increased competition is driving enterprises to respond quickly to changes in the market. For many organizations, increasing resiliency or reducing network latency equates to a competitive advantage.
Technology: MPLS TE (Traffic Engineering) provides mechanisms to improve application performance. MPLS also provides rapid resiliency, with Bidirectional Forwarding Detection (BFD) and MPLS fast reroute, which is critical to support business agility.

Business trend: Outsourcing and remote access
Network impact: Many enterprises employ outsourcing and remote workers for specialized skills. This trend increases reliance on the public Internet, which can expose an enterprise to security risks.
Technology: Encrypting traffic using IPsec before transporting it over MPLS is a way of providing secure transport over a virtualized network to both remote workers and outsourced companies.
Juniper’s Approach to Network Virtualization

We find that the most effective network virtualization solutions encompass the following strategic attributes, as shown in Figure 1. These attributes are encompassed in MX Series virtualization technologies.

[Figure 1: Summary of required attributes necessary for virtualization. The MX Series cloud is surrounded by the attributes Scalable, Transparent, Flexible, High-Performance, Resilient, and Secure.]

Table 2: Virtualization Attributes

Attribute: High Scalability
Rationale: The technology must be readily scalable from modest traffic rates of a few Gbps to aggregate throughput of several 100 Gbps. The number of logical ports that can be supported, for example, must also scale dramatically to support a large number of applications and devices.

Attribute: Transparency
Rationale: Virtualization features must be implemented so that any change to the underlying virtualized network is completely transparent to applications.

Attribute: Security
Rationale: Security must be enhanced using a combination of countermeasures such as separation of traffic for privacy, and techniques to provide both network-layer and application-layer security.

Attribute: Resiliency
Rationale: The technology must provide not only hardware redundancy but also network and software redundancy. Nonstop routing (NSR) provides redundancy. Moreover, software must be easily upgradable with unified in-service software upgrade (ISSU) for major software releases.

Attribute: Flexibility
Rationale: Business goals are constantly changing, and enterprises need technology that can be easily and cost-effectively adapted to suit new business requirements.
Virtualization Technologies for MX Series 3D Universal Edge Routers

The MX Series has a myriad of virtualization features and technologies, as shown in Figure 2, to address enterprise data center requirements for Network Service, Chassis, Device, and Link Virtualization. These features can be used individually or in combination to complement one another. A myriad of features is not sufficient on its own; it is equally important that these features are implemented consistently in Junos, in one OS, across Juniper’s routing platforms—on top of Juniper’s advanced routing silicon, enabling a collapsed 2-tier data center architecture.

[Figure 2: Virtualization technologies in MX Series 3D Universal Edge Routers]
  Network Service Virtualization: L2 VPN (L2 point-to-point); L3 VPN (L3 multipoint-to-multipoint); VPLS (L2 point-to-multipoint); MPLS (privacy, traffic engineering, scalability, resiliency)
  Chassis Virtualization (many-to-one): Virtual Chassis (resiliency, simplifies configuration, service scalability, physical port scalability)
  Device Virtualization (one-to-many): Virtual Router (scalable routing separation); VRF Lite (routing separation); Logical Systems (routing and management separation); Bridge Group (simplifies configuration); Virtual Switch (scalable switching separation)
  Link Virtualization: VLAN (traffic segmentation); LAG (scale bandwidth); GRE (tunnel non-IP traffic); MPLS LSP (traffic segmentation)

Network service virtualization—MPLS improves network utilization, scalability, and resiliency by virtualizing the transport of traffic. Virtualized network services—such as L2VPN, L3VPN, and VPLS—increase secure virtual connectivity options and can run on top of MPLS. All discussions in this paper focus on private MPLS rather than provider-managed MPLS. Private MPLS refers to an MPLS network that is owned and managed by the enterprise; that is, the enterprise performs and manages its own label switching. Provider-managed MPLS is an MPLS network that an enterprise purchases from a service provider, and that is owned and managed by the service provider.

• MPLS network virtualization enables the physical network to be configured and operated as many separate virtual networks. The resulting benefits are cost savings, improved privacy through traffic segmentation, improved end user experience with traffic engineering and quality of service (QoS), and improved network resiliency with functionality such as fast reroute and BFD.
• Layer 2 VPN offers layer 2 services over MPLS to build point-to-point connections that connect different sites. L2VPNs are used to transport layer 2 packets across MPLS networks without any discovery of layer 3 information of the networks in the VPN. The technology allows data centers to transport their legacy L2 services—such as ATM—over an IP/MPLS network, minimizing CapEx. The technology can also be used to transport Ethernet, allowing increased scalability.
• L3 VPN provides private links between data center sites that share layer 3 infrastructure. A layer 3 VPN discovers routes within the network that the VPN interconnects. For example, by mapping L3VPNs to virtual security “zones” in advanced firewalls, such as Juniper Networks SRX Series Services Gateways, customers can layer many security policies selectively on the traffic.
• VPLS provides Ethernet-based point-to-multipoint (P2MP) communication over IP/MPLS networks. It allows geographically dispersed data center LANs to connect to each other across an MPLS backbone while still maintaining L2 connectivity. In other words, VPLS creates a virtual network, giving the constituent nodes the perception that they are on the same Ethernet LAN. VPLS can therefore provide an efficient and cost-effective method for data migration across enterprise data centers.
VPLS can help data center managers migrate data between specific servers in colocated data centers. Enterprises no longer need dedicated layer 2 links between the data centers, thus saving CapEx. Note that the ability to selectively apply VPLS to specific VLANs is crucial to most enterprises that are interested in migrating only specific application data and not all the data in the data center—and this enables greater scalability of the data center infrastructure.

Chassis Virtualization (Many-to-One Virtualization): Virtual Chassis technology allows up to eight interconnected physical chassis to be monitored and managed as a single logical device. MX Series Virtual Chassis uses normal data ports to interconnect physical chassis. The benefits of Virtual Chassis are:
• Simplifies manageability: Provides a unified control plane for all the physical chassis.
• Improves resource utilization and scalability: Intelligently utilizes line interfaces and service line cards on physically different chassis. Customers can thus benefit from a “pay-as-you-grow” model.
• Improves resiliency and protects user sessions: Protects sessions across physical chassis, line card, or port failure, using stateful redundancy.

Device Virtualization (One-to-Many Virtualization) improves routing utilization and simplifies configuration by managing virtual routers or physical interfaces.
• Virtual router (VR) provides multiple routing tables for the same physical router. The functionality keeps routing instances separate; hence, overlapping IP addresses can exist in the virtual router instances. Unlike logical systems, there is no separation of management between the different VRs.
• VRF-lite segments a physical router into multiple logical routers. Each logical router participates in a virtual routing environment in a peer-based fashion. Although it is simple to deploy, it does not scale for some enterprises because every router needs to maintain a virtual routing and forwarding (VRF) routing instance.
• Logical systems segment a physical router into multiple independent routers that perform independent routing tasks. Each logical router can be configured independently, dividing the operation (routing plane) of the physical router into subsets for increased manageability and protection. Logical systems can give individual business units the perception that they are working on independent routers. The benefits are the following:
  - Improve routing utilization
  - Align virtual routing instances with business units

Table 3, below, summarizes the benefits of virtual router, VRF-lite, and logical systems.

Table 3: Summary of Benefits of VR, VRF-Lite, and Logical Systems

Logical platform partitioning: Virtual Router, VRF-Lite, Logical Systems
Fault isolation on routing plane: Logical Systems
Multiple user access (management separation): Logical Systems
Scalable routing separation: Virtual Router, Logical Systems

• Bridge groups are a collection of network interfaces that form a broadcast domain and have their own set of forwarding tables and filters. They bring tremendous configuration flexibility by allowing an administrator to select multiple Ethernet and/or wireless interfaces and group them together, effectively creating an abstract or virtual L3 interface and/or L2 switch. A bridge group carries the same characteristics as a physical interface in that both can be assigned to a security zone where they are subject to an associated security policy.
• Virtual switches are formed by grouping two or more bridge domains that perform layer 2 bridging and function as a layer 2 network. A bridge domain consists of a set of logical ports that share the same flooding or broadcast characteristics. Like a VLAN, a bridge domain spans one or more ports of multiple devices. Multiple virtual switches operate independently of the other virtual switches on the routing platform, and each virtual switch can participate in a different layer 2 network. A virtual switch can be configured to participate only in layer 2 bridging and optionally to perform layer 3 routing.
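As an added example, not taken from the white paper, the following Junos configuration shows the two device-virtualization forms described above on a single chassis: two virtual-router routing instances, MERCHANT-BANKING and PERSONAL-BANKING, that both use the overlapping prefix 10.10.0.0/24 on separate VLAN sub-interfaces, and a logical system STOCK-TRADING with its own login class, so that its operators can only see and change that logical system. The instance names, interfaces, addresses, and user name are constructed for illustration, and the encrypted-password value is a placeholder to be set with the real credential.

```junos
/* Constructed example, not from the white paper. Two virtual-router
   instances on one MX chassis carry identical (overlapping) address space;
   each instance has its own routing table, so the two never mix. */
interfaces {
    ge-0/0/0 {
        vlan-tagging;
        unit 100 {
            vlan-id 100;
            family inet {
                address 10.10.0.2/24;
            }
        }
        unit 200 {
            vlan-id 200;
            family inet {
                /* same prefix as unit 100; legal because the unit is
                   placed in a different routing instance below */
                address 10.10.0.2/24;
            }
        }
    }
}
routing-instances {
    MERCHANT-BANKING {
        instance-type virtual-router;
        interface ge-0/0/0.100;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.0.1;
            }
        }
    }
    PERSONAL-BANKING {
        instance-type virtual-router;
        interface ge-0/0/0.200;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.0.1;
            }
        }
    }
}
/* A logical system is a separately managed router on the same hardware.
   Interface ge-0/0/1 belongs to STOCK-TRADING only. */
logical-systems {
    STOCK-TRADING {
        interfaces {
            ge-0/0/1 {
                unit 0 {
                    family inet {
                        address 192.0.2.1/30;
                    }
                }
            }
        }
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.0.2.2;
            }
        }
    }
}
/* Management separation: this login class is confined to the STOCK-TRADING
   logical system, so its users cannot view or change the main router or the
   routing instances above. */
system {
    login {
        class STOCK-TRADING-ADMIN {
            logical-system STOCK-TRADING;
            permissions all;
        }
        user trading-ops {
            uid 2001;
            class STOCK-TRADING-ADMIN;
            authentication {
                /* placeholder; set the real value with plain-text-password */
                encrypted-password "<PLACEHOLDER-HASH>";
            }
        }
    }
}
```

After committing, `show route table MERCHANT-BANKING.inet.0` and `show route table PERSONAL-BANKING.inet.0` each display their own 10.10.0.0/24 entry, which is the overlapping-address case the text describes; logging in as trading-ops drops the operator directly into the STOCK-TRADING logical system, so the two virtual-router instances are not visible to that account.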
Link virtualization improves link utilization, control, and security.
• VLANs define a broadcast domain, a set of logical ports that share the same flooding or broadcast characteristics. VLANs span one or more ports on multiple devices. By default, each VLAN maintains its own Layer 2 forwarding database that contains MAC addresses learned from packets received on ports belonging to the VLAN.
• Link aggregation provides a mechanism for combining multiple, physically separate layer 2 links as a single logical link. This helps enterprise data centers scale to more bandwidth than a single Ethernet link can provide and saves on the expense of a higher-speed Ethernet link. This technology can also help enterprise data centers provide redundant links for greater resiliency. Thus, data center managers can incrementally scale their investments by increasing utilization of existing resources while deriving increased security.
• GRE tunnels provide a mechanism for encapsulating and transporting a wide variety of network-layer protocol packets inside point-to-point tunnels. GRE provides a very simple method of transporting protocols over a network that needs to be transparent to the tunneled protocol. It is a foundation protocol for other tunnel protocols. For example, MPPE/PPTP uses GRE to form the actual tunnel. Although GRE has generic tunneling capability, its most common use is for tunnels that carry non-IP traffic over IP tunnels.
• MPLS LSPs are label-switched paths (LSPs) that are virtual paths, established to transport MPLS packets between two MPLS routers. The logical separation between the MPLS paths ensures traffic segmentation.

Deployment Scenarios

Deployment Example 1: Merger and Acquisitions at a Bank

Background

Mega Bank, a very successful bank, acquires Regional Bank. Both banks have large networks. Mega Bank has been tasked to consolidate the new networks and, for the interim, provide separation of traffic for the two banks until the organization is consolidated under one brand. Mega Bank’s customers benefit from rapid access to Mega Bank’s data regardless of where it is stored. Mega Bank’s key competitive advantage is its ultra-low network latency. Mega Bank wants to extend this competitive advantage to the merged organization.

Challenges

A) Legacy application requires expensive dedicated SONET transport and overlapping IP addresses
• To guarantee low network latency and high resiliency for a critical legacy software application, Mega Bank anticipates spending millions of dollars on dedicated SONET transport between the different data centers of the merged organization. Mega Bank wants high availability (HA) for this critical software, with zero downtime.
• Mega Bank requires guaranteed bandwidth to transport high-priority data between data centers at specified times of the day. At other times, the data between the data centers is lower priority. Mega Bank is evaluating dedicated links between the data centers to carry the high-priority traffic.
• Mega Bank’s consolidated infrastructure has overlapping IP addresses, and changing the address space of Mega Bank or Regional Bank is expensive.

B) Regulatory compliance requires traffic segmentation
• To adhere to regulations, and to prevent different business units from overwhelming scarce network resources, the merged bank needs to maintain traffic and resource segmentation across specific departments.

C) Large volumes of unicast and multicast traffic need to scale
• Mega Bank’s consolidated network needs to transmit large amounts of unicast and multicast messages to many customers. To support the rapid growth of business, Mega Bank needs multicast technology that is highly scalable and reliable.
Solution

A) Eliminate the need for expensive dedicated SONET links and accommodate overlapping IP addresses with MPLS.

Figure 3, below, depicts the data centers of the merged bank interconnected using a private cloud of Ethernet links that run private MPLS. The resulting cloud is called the “super core.” The “super core” gives the enterprise greater control over critical metrics, such as latency, that are a key competitive advantage. The dashed links highlight specific fast reroute redundant paths in the network used for failover traffic, which can also be used for routing low-priority traffic. The other links are traffic-engineered private MPLS LSPs that carry traffic between the data center and the corporate office.

[Figure 3: Example of MPLS super core between Mega Bank and Regional Bank. Nodes: Regional Bank data center, Corporate WAN, and two Mega Bank data centers. Applications are engineered into LSPs across the MPLS super core; critical applications are protected by fast reroute detour paths and secondary LSPs. Legend: solid lines are primary traffic-engineered private MPLS LSPs between Mega and Regional; dashed lines are specific fast reroute redundant paths used for failover traffic and/or low-priority traffic.]

The inexpensive Ethernet links running MPLS offer a more cost-effective alternative to SONET links. MPLS offers the following as an alternative to SONET:
• Fault detection—through the use of Operation, Administration, and Maintenance (OAM) functionality such as BFD—detects any faults in the inter-data center links and uses fast reroute to switch to the alternate path within 50 ms, offering the same resiliency as SONET.
• Traffic Engineering (TE) and equal-cost multipath routing (ECMP) allow MPLS to route additional low-priority traffic over the protection link. In contrast, with SONET, the protected link is unused bandwidth.
• It provides the ability to establish LSPs dynamically between the data centers, when required, with guaranteed bandwidth. Thus, Mega Bank does not need dedicated links between the data centers to carry high-priority traffic at certain times of the day.
• TE guarantees bandwidth and QoS for the applications. Thus, the merged bank’s delay-sensitive applications—such as the legacy application and VoIP traffic—experience little latency, higher priority, and greater throughput.

By deploying private MPLS, Mega Bank can significantly reduce CapEx while simultaneously improving network resiliency and latency for the legacy software.

Although Mega Bank achieves higher network resiliency through private MPLS, router failure—due to software or hardware faults—can adversely impact network access. The MX Series provides the following features to improve resiliency:
• Hardware resiliency, with Virtual Router Redundancy Protocol (VRRP), supports failover between routers.
• Software resiliency is provided through the “graceful restart” of routing protocols. This feature provides nonstop forwarding through individual routing protocol restart and re-convergence.
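As an added example, not drawn from the white paper, here is a Junos configuration for the inter-data center LSPs with the properties listed above: a primary LSP with reserved bandwidth and fast reroute, a standby secondary path over the protection links, BFD on the LSP for fault detection, and a second low-priority LSP pinned onto the protection links so that their bandwidth is used rather than left idle. Router loopbacks, hop addresses, and LSP and path names are constructed placeholders.

```junos
/* Constructed example, not from the white paper. Loopbacks, hop addresses
   and names are placeholders for Mega Bank's two data-center routers. */
protocols {
    rsvp {
        interface all;
    }
    ospf {
        /* CSPF needs the IGP to flood traffic-engineering link attributes */
        traffic-engineering;
        area 0.0.0.0 {
            interface all;
        }
    }
    mpls {
        interface all;
        /* High-priority, bandwidth-reserved LSP for the legacy application */
        label-switched-path DC1-TO-DC2-CRITICAL {
            to 10.255.0.2;
            bandwidth 1g;
            /* one-to-one detour protection at every hop */
            fast-reroute;
            primary VIA-CORE;
            /* pre-signalled backup path, ready before a failure occurs */
            secondary VIA-DETOUR {
                standby;
            }
            /* BFD over the LSP itself, independent of IGP hellos */
            oam {
                bfd-liveness-detection {
                    minimum-interval 50;
                    multiplier 3;
                }
            }
        }
        /* Low-priority LSP routed over the protection links so their
           capacity carries bulk traffic in normal operation */
        label-switched-path DC1-TO-DC2-BULK {
            to 10.255.0.2;
            primary VIA-DETOUR;
        }
        path VIA-CORE {
            10.255.1.1 strict;
            10.255.1.2 strict;
        }
        path VIA-DETOUR {
            10.255.2.1 strict;
        }
    }
}
```

`show mpls lsp extensive` confirms that both paths of DC1-TO-DC2-CRITICAL are up and that the bandwidth reservation was admitted, and `show bfd session` lists the LSP session; in a lab, shutting an interface on the VIA-CORE path should leave the critical LSP forwarding over its detour or standby path while the bulk LSP keeps using VIA-DETOUR.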
• Enhanced software resiliency for upgrades is available with unified ISSU. Without this feature, upgrading full software releases would require that the router be brought down during a scheduled maintenance window. Junos OS offers the ISSU feature, which provides full software release upgrades while the router is still running.

So far, Mega Bank has improved network resiliency. Mega Bank’s next step is to merge Regional’s networks to ensure secure access to applications from anywhere in the Mega Bank network. The combined network has many overlapping IP addresses. MPLS can tunnel the packets to and from the overlapping IP address endpoints while providing traffic segmentation, thereby ensuring secure access to the applications.

B) Improve regulatory compliance with logical systems that provide routing segmentation and protection in the control plane; provide separate user access and permissions per logical router.

Figure 4, below, shows a representation of a logical systems deployment in Mega Bank’s data center. In this figure, Mega Bank’s different banking divisions—that is, Merchant Banking, Personal Banking, Stock Trading, and Intranet—are separated by assigning each to a logical router within the logical system. Each logical router in the logical systems has separate user access and permissions and hence can be managed independently of the other logical routers.

[Figure 4: Example of logical systems deployed in a bank’s data center. A single router is virtualized as many routers (isolated routing, isolated configuration), with one logical router each for the Merchant Banking, Personal Banking, Stock Trading, Investment Banking, and Intranet networks.]

Logical systems offer Mega Bank the following benefits:
• Increased privacy and security—Different business units are isolated so that their routing resources can be managed and operated independently. This compartmentalization improves privacy and security, facilitating greater compliance.
• Improved availability of critical services—The isolation of resources virtually eliminates the chance of other business units exhausting resources, such as routing entries, which are needed for critical business units.
• Easy manageability resulting in reduced OpEx—Logical systems provide easy manageability by consolidating the entities into one physical device. Software upgrades and physical device upgrades are no longer distributed, thereby reducing operating expenditure.
• Easy consolidation—The routes can have overlapping IP addresses across the logical routers in the logical systems. Thus, Mega Bank can easily merge business units of the acquired enterprise on the same network by separating routing resources into different logical routers in the logical systems.
• Reduced CapEx—The ability to use a single router as multiple routers improves asset utilization, enables improved network scalability, and enables lower capital expenditures.

C) Scale large unicast and multicast traffic volumes.

So far you have seen how different virtualization techniques help Mega Bank meet its requirements for low latency, compliance, and reliability. Having resolved these concerns, the next section looks at how Mega Bank can focus on its core business services—including stock trading and investment banking—which involve getting up-to-the-microsecond market information to market participants. The bank’s trading network transmits millions of market messages in the course of a day.
Figure 5, below, describes the multicast network at Mega Bank. Exchange-1 and Exchange-2 are the primary trading centers, located in Chicago and New York. The bank has customers with data centers (Customer-1 DC and Customer-2 DC) and corporate offices (Customer-1 Corp and Customer-2 Corp). Exchange-1 transmits multicast market data to Customer-1 DC and Customer-1 Corp; Exchange-2 does the same for Customer-2 DC and Customer-2 Corp. The customers place trades, which travel as unicast messages back to the exchanges over the same network as the multicast feed. These unicast messages are specific to each customer’s trading needs and are key to Mega Bank’s competitive advantage. They are delivered independently of the multicast messages.

To sustain that advantage, Mega Bank needs multicast technology that scales as it acquires and retains customers. Juniper’s approach uses MPLS point-to-multipoint (P2MP) label-switched paths as the provider tunnels of next-generation multicast VPNs (NG MVPNs). NG MVPNs address the scaling problem by reusing the BGP sessions that already exist between provider edge routers for auto-discovery and customer multicast signaling, instead of requiring every PE to maintain a separate PIM adjacency with every other PE participating in the MVPN. RSVP-TE P2MP LSPs add bandwidth reservation for QoS, fast reroute for quick failover, OAM for monitoring, and deterministic, explicitly routed paths. Through NG MVPNs, Mega Bank can deliver a variety of services, such as video coverage of important market events alongside the market messages, to its customers in a timely manner.

Figure 5: Multicast in financial markets. Exchange-1 (Chicago) and Exchange-2 (New York) each have a primary and a redundant direct connection into Mega Bank’s network; multicast market data flows from the exchanges to the financial institutions (Customer-1 DC, Customer-1 Corporate, Customer-2 DC, Customer-2 Corporate), and unicast order traffic flows from the institutions back to the exchanges.

Mega Bank’s competitive advantage also depends on offering its services without disruption. For resilience, two distinct P2MP multicast trees are maintained. A multicast tree is the logical topology of nodes built to deliver multicast messages to the participating nodes; with redundant trees there are two distinct paths to the destination nodes, and when one tree degrades, traffic can be sent over the other. Maintaining the redundant tree is inexpensive because P2MP LSPs remove the need for per-VPN adjacencies between PEs and are easy to manage. The protection is only as good as the path diversity of the two trees, however: if both LSPs are routed over the same link or fiber, that link remains a single point of failure. With diverse trees, the bank can be assured of timely delivery of millions of market messages across its large organization to its customers. Juniper supports other multicast technologies in addition to P2MP.
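Solution C’s NG MVPN with an RSVP-TE P2MP provider tunnel, written as an added Junos OS example for a sender-site PE; this is not configuration from the paper, and the VRF name, interface names, addresses, RP address, route target, bandwidth value and template name are assumptions. It shows the three pieces the text refers to: BGP carrying both the VPN unicast routes and the MVPN signaling over the PE sessions that already exist, the P2MP LSP template that reserves bandwidth and requests link protection, and the VRF that ties them to the market-data feed.

```junos
## Added example, not from the Juniper paper: sender-site PE for the Exchange-1
## market-data feed. Interface names, addresses, RP address, route target, bandwidth
## and template name are assumptions. The IGP (e.g. OSPF with traffic-engineering) is omitted.

## Core-facing interface with MPLS and RSVP; link protection makes bypass LSPs available
set interfaces ge-1/1/0 unit 0 family inet address 192.168.100.1/30
set interfaces ge-1/1/0 unit 0 family mpls
set protocols rsvp interface ge-1/1/0.0 link-protection
set protocols mpls interface ge-1/1/0.0

## Template for the P2MP provider tunnels: reserved bandwidth (QoS) and RSVP
## link protection (fast reroute) for every branch of the tree
set protocols mpls label-switched-path P2MP-MKT template
set protocols mpls label-switched-path P2MP-MKT p2mp
set protocols mpls label-switched-path P2MP-MKT bandwidth 200m
set protocols mpls label-switched-path P2MP-MKT link-protection

## The iBGP sessions that already carry unicast VPN routes also carry NG MVPN
## auto-discovery and customer-multicast routes, so no per-VPN PIM full mesh is needed
set routing-options router-id 192.0.2.1
set routing-options autonomous-system 65000
set protocols bgp group PE type internal
set protocols bgp group PE local-address 192.0.2.1
set protocols bgp group PE family inet-vpn unicast
set protocols bgp group PE family inet-mvpn signaling
set protocols bgp group PE neighbor 192.0.2.2
set protocols bgp group PE neighbor 192.0.2.3

## Customer-facing interface toward the exchange feed
set interfaces ge-1/0/4 unit 0 family inet address 10.50.1.1/24

## Market-data VRF: PIM toward the exchange, MVPN with a P2MP RSVP-TE tunnel toward the core
set routing-instances MKTDATA instance-type vrf
set routing-instances MKTDATA interface ge-1/0/4.0
set routing-instances MKTDATA route-distinguisher 65000:500
set routing-instances MKTDATA vrf-target target:65000:500
set routing-instances MKTDATA vrf-table-label
set routing-instances MKTDATA provider-tunnel rsvp-te label-switched-path-template P2MP-MKT
set routing-instances MKTDATA protocols pim rp static address 10.50.0.1
set routing-instances MKTDATA protocols pim interface ge-1/0/4.0 mode sparse
set routing-instances MKTDATA protocols mvpn mvpn-mode spt-only
```

Receiver-site PEs (Customer-1 DC and Customer-1 Corp in Figure 5) configure the same VRF and route target with `protocols mvpn` and PIM toward their receivers; they need no provider tunnel of their own. `show mvpn instance MKTDATA` lists the discovered PEs and customer multicast routes, and `show rsvp session p2mp` shows the branches of the tree, one per receiver PE, all signaled from this single ingress.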
Summary
• The traffic-engineered virtual network provides resiliency and quality guarantees, improving the company’s competitiveness through better business continuity and agility.
• The organization has protected its initial investment by choosing scalable technology and can grow the network gradually.
• The virtualization techniques, logical systems and MPLS, create a transparent infrastructure that provides security through segmentation without physically separate networks, simplifying operations and reducing OpEx.
NG MVPN technology can help create and sustain a competitive advantage by dramatically improving scalability and reliability.

Deployment Example 2: Scaling the Network for Web 2.0 Applications
Background
An enterprise supporting a large Internet portal, for example with Web 2.0 applications, can have hundreds of multi-tiered (n-tiered) applications with complex interconnections between clients, database servers, firewalls, storage and other devices. As traffic grows, interconnections based on a traditional physically layered architecture become increasingly complex and create scaling challenges, as shown in the left portion of Figure 6.
Challenges
A) Users require rapid, secure access to large volumes of distributed data for multi-tiered applications
• The rapid growth of the data center to hold large volumes of data has led to an explosion in the number of devices to manage: database servers, firewalls, application servers, web servers, storage and so on. This proliferation makes it harder for users to access large volumes of data across the network quickly and securely.
• In the traditional architecture shown in Figure 6, the database, web, DMZ and application servers are demarcated in separate network topologies. This architecture poses several challenges:
- Increased CapEx: the software architecture and the network architecture are tightly coupled, so deploying a traffic-intensive application such as video requires network upgrades: new network devices, new IP address allocations and changes to forwarding inside the data center.
- Increased latency: database, web and application access is slower because traffic crosses numerous physical firewalls and network devices.
- Increased OpEx: troubleshooting and device management are complicated by the sheer number of devices. Everyday operational tasks such as patching software, detecting faults and migrating software become more difficult.
Figure 6: Traditional versus virtual application architecture. Left: the traditional data center with physically separate DMZ, web, application and database tiers and firewalls between them. Right: the next-generation “virtual” data center architecture with secure layering, in which a network virtualization layer connects the DMZ, extranet, web, application, AAA, NOC, database and NAS tiers; firewalls are consolidated on SRX5800 platforms, routing is consolidated on scalable, high-performance MX960 routers, and EX4200 switches form the access layer.

The left diagram in Figure 6 shows the traditional, physical multi-tiered layering of applications and security. The right diagram shows the simplified application architecture with network virtualization, which reduces complexity and improves network utilization.

B) The large number of interconnections in the traditional, layered physical data center architecture leads to inefficient network utilization.
• Fifty percent of links are used for switch-to-switch connectivity, and the Spanning Tree Protocol blocks half of those, leaving only 25 percent of links active for inter-switch connectivity.

Solutions
A) Improve secure access to large volumes of distributed data by moving from a traditional, layered physical architecture to a virtual architecture.
The simplified virtual architecture on the right of Figure 6 decouples the network architecture from the application deployment architecture. Any-to-any connectivity is provided between end users and application services. This is achieved by introducing a virtualization layer that separates network resources from application services, so applications become independent of the underlying network resources. Once decoupled, each virtual network segment can be mapped to a virtual security zone (a “trust zone”) on the SRX Series platforms. This gives the same or a higher level of security than the traditional architecture, provided the zone policies reproduce the controls the physical firewalls previously enforced; the segmentation now lives in policy rather than in cabling, so it needs the same change control.

Figure 7, below, illustrates a simplified data center in which network resources and applications are decoupled.
The figure shows two MX Series routers in the consolidated core layer of the enterprise data center connected to two SRX Series platforms, which host many virtual security services that can be configured into independent security zones. The MX Series routers connect to top-of-rack Juniper Networks EX Series Ethernet Switches in the access layer, which in turn aggregate the data center servers. The top-of-rack EX Series switches use Virtual Chassis technology. The WAN edge connects the data center to the outside world and consists of two Juniper Networks M Series Multiservice Edge Routers.

Figure 7: Mapping VRFs to security zones. WAN edge: two M Series routers. Consolidated core layer: two MX960 routers (shown as a pair for HA) holding VRF #1 and VRF #2. SRX5800: security zones Firewall #1, IPS #1 and NAT #1 (mapped from VRF #1) and Firewall #2, NAT #2 and IPS #2 (mapped from VRF #2), plus Firewall #3 and IP VPN. Access layer: EX4200 Virtual Chassis with VLANs for the HR, Finance and Guest departments, trunked to the core. Figure callouts: map VLANs to security zones; map VRFs on the core to SRX5800 routing instances; establish adjacency between VRFs on the core; traffic between networks runs through the SRX Series by default, or is filtered on the MX Series.

In Figure 7, the virtual security zones are labeled Firewall #1, NAT #1, IPS #1 and so on, on the SRX Series. The VRFs are labeled VRF #1 and VRF #2 on the Juniper Networks MX960 3D Universal Edge Router. VRF #1 is mapped to security zones Firewall #1, NAT #1 and IPS #1; VRF #2 is mapped to Firewall #2 and NAT #2. Two MX960 routers are shown to indicate HA between them. Data for the different departments (for example human resources, finance and guest) is hosted on different data center servers, and traffic to and from each department is separated into its own VPN.

A VRF can be configured to send specific VPN traffic to virtual security zones containing IPS, NAT, firewall and other services on the SRX Series, while other VPN traffic is forwarded to its destination without further processing. The SRX Series can host several security zones (that is, virtualized firewall, IPS and so on), each applying specific policies to the VPN traffic, and the traffic can traverse multiple security zones inside the SRX Series before being sent on to its destination VPN. Because the decision to bypass the SRX Series is made by VRF routing and filters on the MX Series, those routes and filters are part of the security boundary and should be reviewed together with the firewall policy.
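The VRF-to-zone mapping of Figure 7 written out in Junos OS set commands, as an added example that is not configuration from the paper. Interface names, VLAN IDs, addresses, route targets, zone names and the payroll server address are assumptions; the departments and the “through the SRX by default” behaviour are the page’s. It covers the HR and Finance VRFs on the MX960, the matching zones on the SRX5800, an HTTPS-only inter-department policy with IDP, a logged default deny, and source NAT for HR toward the Internet.

```junos
## Added example, not from the Juniper paper. Interface names, VLAN IDs, addresses,
## route targets, zone names and the payroll application address are assumptions.

## ---- MX960 core: access trunk from the EX4200 Virtual Chassis, one sub-interface per department
set interfaces ge-1/0/0 vlan-tagging
set interfaces ge-1/0/0 unit 100 vlan-id 100
set interfaces ge-1/0/0 unit 100 family inet address 10.100.0.1/24
set interfaces ge-1/0/0 unit 200 vlan-id 200
set interfaces ge-1/0/0 unit 200 family inet address 10.200.0.1/24

## Trunk toward the SRX5800, again one sub-interface per VRF
set interfaces ge-1/2/0 vlan-tagging
set interfaces ge-1/2/0 unit 100 vlan-id 100
set interfaces ge-1/2/0 unit 100 family inet address 10.255.100.1/30
set interfaces ge-1/2/0 unit 200 vlan-id 200
set interfaces ge-1/2/0 unit 200 family inet address 10.255.200.1/30

## VRF #1 (HR). Its table holds only its own subnet and a default toward the SRX:
## there is no route to Finance here, so inter-department traffic cannot bypass the firewall.
set routing-instances HR instance-type vrf
set routing-instances HR interface ge-1/0/0.100
set routing-instances HR interface ge-1/2/0.100
set routing-instances HR route-distinguisher 65000:100
set routing-instances HR vrf-target target:65000:100
set routing-instances HR routing-options static route 0.0.0.0/0 next-hop 10.255.100.2

## VRF #2 (Finance), same pattern
set routing-instances FINANCE instance-type vrf
set routing-instances FINANCE interface ge-1/0/0.200
set routing-instances FINANCE interface ge-1/2/0.200
set routing-instances FINANCE route-distinguisher 65000:200
set routing-instances FINANCE vrf-target target:65000:200
set routing-instances FINANCE routing-options static route 0.0.0.0/0 next-hop 10.255.200.2

## ---- SRX5800: one zone per VRF plus an Internet zone; routes back to the MX VRFs
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 100 vlan-id 100
set interfaces ge-0/0/0 unit 100 family inet address 10.255.100.2/30
set interfaces ge-0/0/0 unit 200 vlan-id 200
set interfaces ge-0/0/0 unit 200 family inet address 10.255.200.2/30
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.2/30
set routing-options static route 10.100.0.0/24 next-hop 10.255.100.1
set routing-options static route 10.200.0.0/24 next-hop 10.255.200.1
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set security zones security-zone HR interfaces ge-0/0/0.100
set security zones security-zone FINANCE interfaces ge-0/0/0.200
set security zones security-zone INTERNET interfaces ge-0/0/1.0
set security zones security-zone FINANCE address-book address payroll-app 10.200.0.10/32
set applications application payroll-https protocol tcp destination-port 443

## Zone policy HR -> FINANCE: HTTPS to the payroll server, inspected by IDP
## (an IDP policy must be active); everything else is denied and logged
set security policies from-zone HR to-zone FINANCE policy hr-to-payroll match source-address any
set security policies from-zone HR to-zone FINANCE policy hr-to-payroll match destination-address payroll-app
set security policies from-zone HR to-zone FINANCE policy hr-to-payroll match application payroll-https
set security policies from-zone HR to-zone FINANCE policy hr-to-payroll then permit application-services idp
set security policies from-zone HR to-zone FINANCE policy hr-to-payroll then log session-init
set security policies from-zone HR to-zone FINANCE policy deny-rest match source-address any
set security policies from-zone HR to-zone FINANCE policy deny-rest match destination-address any
set security policies from-zone HR to-zone FINANCE policy deny-rest match application any
set security policies from-zone HR to-zone FINANCE policy deny-rest then deny
set security policies from-zone HR to-zone FINANCE policy deny-rest then log session-init
set security policies default-policy deny-all

## HR -> Internet: web only, behind source NAT (NAT #1 in Figure 7)
set security policies from-zone HR to-zone INTERNET policy hr-web match source-address any
set security policies from-zone HR to-zone INTERNET policy hr-web match destination-address any
set security policies from-zone HR to-zone INTERNET policy hr-web match application [ junos-http junos-https ]
set security policies from-zone HR to-zone INTERNET policy hr-web then permit
set security nat source rule-set hr-out from zone HR
set security nat source rule-set hr-out to zone INTERNET
set security nat source rule-set hr-out rule hr-snat match source-address 10.100.0.0/24
set security nat source rule-set hr-out rule hr-snat then source-nat interface
```

In this example the two zones sit in the SRX default routing table because their address ranges do not overlap. If departments brought overlapping ranges with them, the SRX would also need one routing instance per zone, which is the “map VRFs on core to SRX5800 routing instances” callout in Figure 7. There is deliberately no policy from FINANCE to HR, so with `default-policy deny-all` nothing initiated from Finance reaches HR at all.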
Network service virtualization also offers the following benefits:
• Simplified management and reduced OpEx: VPNs and network services are easier to manage because the services are centralized and can be logically separated per VPN and per security zone. This simplification reduces cost.
• Reduced CapEx: fewer physical network devices are required.
• Flexibility of services: layering different services provides an easy mechanism for extending functionality per VPN.

B) Improve network utilization with a collapsed two-tier network architecture.
Despite these benefits, network service virtualization does not by itself address poor network utilization inside the data center, which stems from the large number of network devices and the inter-switch connectivity between them. To address this, MX Series routers provide a high-performance, port-dense routing platform that enables a collapsed two-tier architecture. A traditional data center design has three layers: access, aggregation and core. The MX Series reduces the number of devices by collapsing the core and aggregation layers and consolidating WAN edge functionality. The top-of-rack EX Series switches in the access layer, using Virtual Chassis technology, minimize the number of access-layer nodes and provide consolidated 10G uplinks to the MX Series routers. This two-tier architecture eliminates many nodes in the data center and reduces inter-switch connectivity, improving utilization and reducing network latency. However, the enterprise still faces low link utilization caused by links blocked by spanning tree. To address this, the enterprise can adopt VPLS, which carries Layer 2 traffic over MPLS and so does not rely on spanning tree to block redundant paths, permitting full use of the links.
Summary
• Juniper’s virtualization architecture keeps the software services running on the servers completely transparent to changes in the underlying network technology.
• Transparency is achieved by leaving the logical multi-tiered application architecture intact while hiding the underlying network changes behind virtualization. This allows better scalability in a growing data center.
• Additional security services can be layered in easily, giving a flexible design.

Deployment Example 3: Securing and Migrating Data in Health Care
Background
A large hospital system requires rapid access and high availability (HA) for large volumes of patient, imaging and administrative data for clinics throughout the hospital system. HA is currently achieved with two colocated data centers that mirror and load-balance the data. The hospital must keep sensitive patient data secure to comply with government privacy and security regulations.
Challenges
A) Expensive dedicated links with low utilization are used to guarantee bandwidth to critical applications
• Forty separate 10G links between the two data centers are deployed to guarantee bandwidth to different applications, and only 1 percent of the bandwidth of each 10G link is used. The dedicated links carry data migration between the data centers and are expensive to maintain. This is based on a true story.
• Data migration requires the two servers to be in the same LAN. Running Layer 2 Spanning Tree Protocol between the two data centers is inefficient because of its convergence time.
B) Health care organizations require high security for regulatory compliance
• Hospital users access very sensitive data from the data center, so the hospital must transport that data securely.
C) The hospital has experienced security attacks
• Although the hospital has implemented safe zones to isolate other traffic from sensitive patient data, the data center has experienced worm and malware attacks that periodically disabled access to critical data.
Solution
A) Improve network utilization, cost savings and security by migrating to a virtualized environment with MPLS and VPLS.
Figure 8 shows two colocated data centers connected over an MPLS core network. A VMotion virtual network is used to migrate virtual machines between the two data centers. Each data center has several hypervisor hosts, a SAN and so on, connected to EX Series switches deployed as a Virtual Chassis. The MX Series routers connect to the EX Series switches and form the core of the network. The M Series routers sit at the WAN edge and connect the data centers to the outside world. The figure also shows VRRP running between the MX Series routers across the two data centers.

Figure 8: Server live migration between two colocated data centers. Data Center 1 and Data Center 2 each contain a Virtual Center, virtual servers and a SAN behind an EX Series Virtual Chassis, with MX Series routers running VRRP between the sites and M Series routers toward the core. Legend: production network, VMotion network, storage network, service OS network. Figure callouts: virtual machines traverse a path created by an L2 MPLS VPN/VPLS; guaranteed bandwidth and low latency across the WAN for VMotion traffic (which can be routed); configuration and bitmap traffic flows over the VMotion network; L2 connectivity must exist across the data centers because the VM’s default gateway does not change; GSLB/BGP should immediately point traffic to the other DC in a disaster.

VMotion needs Layer 2 connectivity between the data centers so that running virtual machines can be migrated live. To support it, the hospital has dedicated Layer 2 links between the two data centers for departments such as account services, emergency care, radiology, lab services and cardiology, which ensures each department always has the bandwidth it needs for migration. Because migration traffic on these independent links consumes little bandwidth, the links are underutilized, and maintaining Layer 2 connectivity between the data centers this way incurs a huge OpEx.

A better alternative for Layer 2 connectivity between the data centers is VPLS between the two MX Series routers in the colocated data centers. The VPLS can be set up to transport only specific VLANs, so only the hypervisors that need to migrate are part of the VPLS domain and all other traffic is unaffected. This restriction matters for more than utilization: a VPLS domain stretches the Layer 2 broadcast and failure domain across both sites, so it should carry only the VLANs that truly need it. VPLS not only emulates a Layer 2 switch across the WAN but also runs over a private MPLS backbone, which lets the hospital use advanced routing features such as traffic engineering (TE). Traffic engineering lets the hospital allocate bandwidth to the different departments optimally without dedicated Layer 2 links.
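The VPLS of Solution A in Junos OS set commands for the Data Center 1 MX Series router, as an added example that is not configuration from the paper. Interface names, VLAN IDs, addresses, the route target, the LSP name and the bandwidth value are assumptions. It shows the two things the text asks for: only the VMotion VLAN enters the VPLS instance while the other VLANs on the same trunk stay local, and the pseudowire rides a traffic-engineered LSP with reserved bandwidth and fast reroute instead of a dedicated physical link.

```junos
## Added example, not from the Juniper paper: VPLS between the two data-center
## MX Series routers carrying only the VMotion VLAN. Names, IDs and addresses are assumptions.
## Data Center 2 mirrors this with site DC2 / site-identifier 2 and its own loopback (192.0.2.2).

## Core-facing interface: MPLS with RSVP so the pseudowire can ride a traffic-engineered LSP
set interfaces ge-1/1/0 unit 0 family inet address 192.168.100.1/30
set interfaces ge-1/1/0 unit 0 family mpls
set protocols rsvp interface ge-1/1/0.0
set protocols mpls interface ge-1/1/0.0

## Explicit LSP to the DC2 MX with reserved bandwidth: capacity is allocated per
## department here instead of buying a dedicated 10G link per department
set protocols mpls label-switched-path DC1-DC2-VMOTION to 192.0.2.2
set protocols mpls label-switched-path DC1-DC2-VMOTION bandwidth 2g
set protocols mpls label-switched-path DC1-DC2-VMOTION fast-reroute

## BGP signaling for VPLS (BGP-VPLS, RFC 4761); one iBGP session to the remote PE
set routing-options router-id 192.0.2.1
set routing-options autonomous-system 65000
set protocols bgp group PE type internal
set protocols bgp group PE local-address 192.0.2.1
set protocols bgp group PE family l2vpn signaling
set protocols bgp group PE neighbor 192.0.2.2

## Access side toward the EX4200 Virtual Chassis: only VLAN 300 (VMotion) enters the VPLS;
## production, storage and service-OS VLANs on the same trunk are untouched
set interfaces ge-1/0/2 flexible-vlan-tagging
set interfaces ge-1/0/2 encapsulation flexible-ethernet-services
set interfaces ge-1/0/2 unit 300 encapsulation vlan-vpls
set interfaces ge-1/0/2 unit 300 vlan-id 300

## The VPLS instance itself
set routing-instances VMOTION instance-type vpls
set routing-instances VMOTION interface ge-1/0/2.300
set routing-instances VMOTION route-distinguisher 65000:300
set routing-instances VMOTION vrf-target target:65000:300
set routing-instances VMOTION protocols vpls no-tunnel-services
set routing-instances VMOTION protocols vpls site-range 8
set routing-instances VMOTION protocols vpls site DC1 site-identifier 1
set routing-instances VMOTION protocols vpls site DC1 interface ge-1/0/2.300
set routing-instances VMOTION protocols vpls mac-table-size 4096
```

`show vpls connections` should report the DC1-to-DC2 connection as Up once both sides are committed, and `show vpls mac-table instance VMOTION` lists the hypervisor MAC addresses learned across the pseudowire. Each department that needs its own migration domain gets its own VLAN and VPLS instance over the same LSP, so bandwidth is divided by the LSP reservation rather than by physical ports.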
Besides traffic engineering, MPLS also provides logical separation between the departments, giving the same separation that physically separate links did. VPLS over the private MPLS backbone thus preserves the departments’ segmentation while reducing CapEx and OpEx. Note, however, that this separation is a property of label forwarding, not of encryption; the next solution addresses confidentiality.

B) Provide secure data transport with encryption.
Logical separation of transport does not by itself make the data invisible to the nodes in the WAN, which can compromise patient privacy and regulatory compliance. To address this, the hospital can encrypt sensitive data using the IPsec capability of the Multiservices Dense Port Concentrator (MS-DPC) while it travels between the data center and the hospital through the MPLS cloud.

Figure 9: Encrypted transport of data between the data center and hospital. Data center, private MPLS cloud and hospital; traffic is unencrypted inside the sites and decrypted on arrival. Legend: MPLS LSP carrying IPsec-encrypted traffic (solid line); MPLS LSP carrying unencrypted traffic (dashed line).

Figure 9 shows MX Series routers forwarding traffic securely between the hospital and the data center using IPsec encryption (solid line), while non-sensitive traffic (dashed line) is unencrypted. Both the encrypted and the unencrypted traffic are tunneled through MPLS LSPs. The MS-DPC on the MX Series can encrypt traffic selectively. Selective encryption matters to a large enterprise such as the hospital, where performance must not degrade as traffic is encrypted, but it also means the classifier that decides which traffic is sensitive, and therefore encrypted, must be maintained as carefully as the encryption itself.

C) Secure data center resources.
Besides securing data in transport, the resources in the data center must be secured. Malicious software can infect servers and make valuable information inaccessible when it is needed. To address these exposures, the MS-DPC provides intrusion detection and prevention based on multiple detection mechanisms: signature detection, protocol anomaly detection and traffic anomaly detection. The anomaly-based mechanisms can flag some attacks for which no signature exists yet. In addition to identifying attacks, the MS-DPC supports Dynamic Application Awareness (DAA), which accurately detects and reports the bandwidth used by applications such as social networking, peer-to-peer or instant messaging. With this visibility into application behavior, administrators can improve capacity planning or apply QoS policies to specific traffic; for example, specific application traffic can be blocked or given high priority to meet business or regulatory requirements.

Summary
• The flexibility of virtualization lets customers improve link and network utilization.
• Application software such as VMotion is not affected by the architectural change, since virtualization makes the underlying network infrastructure transparent.
• The ability to layer security services such as stateful firewall and IPsec over the virtualized network provides data privacy and secures the enterprise.
• The virtualization techniques let the enterprise scale its infrastructure without impacting performance.
Deployment Example 4: Simplifying Security and Services Using Enterprise-Wide Virtualization
Background
A large enterprise has a rapidly growing business. To support that growth it has created many divisional branches and data centers throughout the country, interconnected by a large network cloud that is a “safe zone”, as shown in Figure 10. Security devices at the perimeter of the cloud inspect all traffic entering it. Communication is allowed only between nodes and applications that belong to “silos” of the same type. The enterprise has three types of silo: sensitive, public and management. Silos can be defined by traffic type, user access privilege or other criteria; there is no access between silos of different types.
Challenges
A) The proliferation of security devices has made the management of security policies complex, creating security holes
• The number of new silos and of access points into the cloud has been increasing steadily, which has meant more firewalls at the perimeter and more complex network management.
• Most access restrictions are enforced with ACLs. With the proliferation of access points, the ACLs have become unmanageable because of the large number of complex entries, and ACL entries and security policies must be kept consistent across every security device serving the same destination.

Figure 10: Safe zone cloud controls access between branch offices and data centers by using firewalls. Headquarters, the San Francisco data center, and the Denver and Dallas enterprise/branch sites, each with sensitive, public and management silos, connect through SRX Series firewalls at the perimeter of the safe zone; the extended enterprise reaches the safe zone through an access layer.

Figure 10 shows headquarters, multiple divisional branches and data centers interconnected by the safe zone cloud. The perimeter of the cloud consists of several firewalls that restrict entry into the cloud and ensure that access is only between like silos. Data to and from San Francisco can traverse Denver or Dallas to reach headquarters. These multiple paths through the safe zone are the challenge: the firewalls at the perimeter must have identical security policies, or traffic from a source to a destination will receive different treatment on the two paths. For example, if traffic entering through Denver can reach more nodes in the safe zone than traffic entering through Dallas, traffic from an unauthorized source can reach its destination by taking the more permissive path. To prevent this breach, the nodes in the safe zone must implement identical ACL policies, so every additional access point raises the complexity of managing security policies.
B) The traditional design, which separates access using GRE tunnels, has produced a non-scalable architecture
• After authentication, users are assigned to specific VLANs based on their privilege, and each VLAN is mapped into a GRE tunnel. The enterprise therefore has as many GRE tunnels as it has privileged access groups, and to secure the network each GRE tunnel has its own dedicated firewall. The resulting topology has hundreds of GRE tunnels and firewall devices terminating on a central router, and the number of tunnels grows with the number of privilege levels, posing serious scalability challenges.

Solution
A) Enhance security and simplify network management through enterprise-wide virtualization.
To address the management challenge, the enterprise can deploy private MPLS between the endpoints of its network. Connectivity through the safe zone then no longer depends on complex ACLs at many points in the safe zone. This reduces CapEx by consolidating firewall functionality closer to the destination and reduces OpEx by eliminating the need to keep firewall policies consistent along the different paths between source and destination. MPLS VPNs can also be used to interconnect like silos, completely segmenting access between silos of different types; this traffic segmentation is crucial to the privacy and security of each silo. End-to-end segmentation also gives the enterprise the flexibility to outsource the transport of its MPLS VPNs to a carrier, reducing OpEx and also CapEx, because the enterprise can purchase fewer tunnels from the carrier while keeping control of how traffic is segmented. As in the hospital example, a VPN provides segmentation rather than confidentiality; traffic that must stay private across a carrier or the Internet still needs IPsec.

Figure 11, below, shows the modified network with a private MPLS network in which L3VPNs connect silos of the same type. The enterprise routers act as provider edge (PE) routers: they carry all the L3VPNs originating in the enterprise through another MPLS tunnel or over GRE across the Internet/WAN cloud, which becomes a simplified safe zone. A user authenticates with 802.1X and is automatically placed in the designated VLAN, and the VLAN is mapped to an L3VPN or VPLS instance.

Figure 11: Private MPLS interconnecting similar “silos”. M Series PE routers at the distributed enterprise/branch, campus and data center sites, each fronted by SRX Series firewalls, carry the sensitive, public and management silos as separate VPNs across the Internet/WAN; a remote user in the extended enterprise connects into the sensitive silo.
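Solution A’s mapping of 802.1X-assigned VLANs into L3VPNs, together with the hub-and-spoke route-target layout that forces all inter-branch traffic within a silo through one centralized SRX Series firewall (the arrangement Solution B below relies on), as an added Junos OS example that is not configuration from the paper. Device roles follow Figure 11; the names, interface names, addresses, VLAN IDs, RADIUS server and route targets are assumptions.

```junos
## Added example, not from the Juniper paper. Names, addresses, VLAN IDs and route
## targets are assumptions. Three devices: an EX4200 access switch authenticating
## users with 802.1X, a branch (spoke) PE, and the data-center (hub) PE whose two
## VRFs bracket the central SRX.

## ---- EX4200 access switch
set access radius-server 10.0.0.10 secret "shared-secret-placeholder"
set access profile DOT1X-PROF authentication-order radius
set access profile DOT1X-PROF radius authentication-server 10.0.0.10
set vlans sensitive vlan-id 10
set vlans public vlan-id 20
set vlans management vlan-id 30
set vlans guest vlan-id 99
set protocols dot1x authenticator authentication-profile-name DOT1X-PROF
set protocols dot1x authenticator interface ge-0/0/5.0 supplicant single
set protocols dot1x authenticator interface ge-0/0/5.0 server-reject-vlan guest
## RADIUS returns the RFC 3580 attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802,
## Tunnel-Private-Group-ID=sensitive) to place an authorised user in VLAN 10;
## a rejected user lands in the guest VLAN, never in a sensitive silo.
set interfaces ge-0/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members [ sensitive public management guest ]

## ---- Branch (spoke) PE: VLAN 10 becomes VRF SENSITIVE. It exports with the spoke
## target and imports only the hub's target, so the sole path to another branch's
## sensitive silo runs through the hub, i.e. through the central SRX. Public and
## management get their own VRFs with their own target pairs; no VRF imports another
## silo's target, so no route between silos exists anywhere in the network.
set interfaces ge-1/0/0 vlan-tagging
set interfaces ge-1/0/0 unit 10 vlan-id 10
set interfaces ge-1/0/0 unit 10 family inet address 10.10.1.1/24
set routing-instances SENSITIVE instance-type vrf
set routing-instances SENSITIVE interface ge-1/0/0.10
set routing-instances SENSITIVE route-distinguisher 65000:1011
set routing-instances SENSITIVE vrf-target import target:65000:10
set routing-instances SENSITIVE vrf-target export target:65000:11
set routing-instances SENSITIVE vrf-table-label
set routing-options router-id 192.0.2.11
set routing-options autonomous-system 65000
set protocols bgp group PE type internal
set protocols bgp group PE local-address 192.0.2.11
set protocols bgp group PE family inet-vpn unicast
set protocols bgp group PE neighbor 192.0.2.1

## ---- Data-center (hub) PE, two VRFs on either side of the SRX (iBGP group as on the spoke).
## SENS-TO-FW exports only a default route whose next hop is the SRX inside interface,
## so every packet a spoke sends toward another silo member arrives here and is handed
## to the firewall. SENS-FROM-FW imports the spoke routes and forwards what the SRX
## has permitted on to the destination spoke.
set interfaces ge-1/2/0 vlan-tagging
set interfaces ge-1/2/0 unit 10 vlan-id 10
set interfaces ge-1/2/0 unit 10 family inet address 10.255.10.1/30
set interfaces ge-1/2/0 unit 11 vlan-id 11
set interfaces ge-1/2/0 unit 11 family inet address 10.255.11.1/30
set routing-instances SENS-TO-FW instance-type vrf
set routing-instances SENS-TO-FW interface ge-1/2/0.10
set routing-instances SENS-TO-FW route-distinguisher 65000:1010
set routing-instances SENS-TO-FW vrf-target export target:65000:10
set routing-instances SENS-TO-FW vrf-table-label
set routing-instances SENS-TO-FW routing-options static route 0.0.0.0/0 next-hop 10.255.10.2
set routing-instances SENS-FROM-FW instance-type vrf
set routing-instances SENS-FROM-FW interface ge-1/2/0.11
set routing-instances SENS-FROM-FW route-distinguisher 65000:1012
set routing-instances SENS-FROM-FW vrf-target import target:65000:11
set routing-instances SENS-FROM-FW vrf-table-label
```

The SRX sits between ge-1/2/0.10 (its address 10.255.10.2 in one zone) and ge-1/2/0.11 (10.255.11.2 in another), with a static route for the branch summary pointing back at 10.255.11.1, so every branch-to-branch flow inside the sensitive silo is inspected exactly once, in both directions, by one policy set. With three silos the hub holds three such VRF pairs, in place of one GRE tunnel and one firewall per privilege group per site.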
B) Replace the GRE tunnel infrastructure with MPLS VPNs.
To address the scalability concern, the enterprise can deploy a private MPLS cloud and use MPLS routing instead of GRE tunnels to separate access between silos. After authentication, users are mapped to designated VLANs as before, but the VLANs are now mapped to VRFs and routed inside the private MPLS cloud. The private MPLS cloud lets the enterprise route selected traffic to a location with a centralized firewall such as the SRX Series. The enterprise gains:
• Greater scalability than a GRE tunnel infrastructure can achieve, because each silo is one VRF with any-to-any reachability rather than a set of point-to-point tunnels
• Simplified management of firewall devices, because the firewalls are centralized
• Enhanced security, because firewall policies are consistent across the enterprise network

Summary
• The enterprise can provide the necessary privacy and security in the network using MPLS.
• The network is more scalable because the number of firewalls to manage has been dramatically reduced.
• MPLS provides a resilient architecture with fast reroute and BFD, so services are available around the clock.
• The architecture gives enterprises the flexibility to outsource a portion of the services while keeping control of key infrastructure.

Conclusion
Enterprises are increasingly challenged to support and upgrade their network infrastructure as they respond to new business demands and increased competitive pressure. Network virtualization from Juniper provides a substantial toolset for supporting and upgrading the network while improving cost savings and operational efficiency. Enterprises reap numerous benefits from virtualization: increased privacy, improved security, faster application deployment and improved regulatory compliance.
Juniper provides a comprehensive approach to network virtualization by offering many virtualization technologies that can work together or on their own. Moreover, Juniper offers these virtualization features in Junos OS: one OS and one release running across Juniper Networks MX Series 3D Universal Edge Routers.
Glossary
Bidirectional Forwarding Detection (BFD): a network protocol that detects faults between two forwarding engines connected by a link. It provides low-overhead fault detection even on media that offer no failure detection of their own, such as Ethernet, virtual circuits, tunnels and MPLS LSPs.
Dense Port Concentrator (DPC): the line card of the MX Series routers. The Multiservices DPC (MS-DPC) variant adds services such as IPsec and intrusion detection and prevention.
Equal-Cost Multipath (ECMP): a routing strategy in which next-hop forwarding to a single destination can take place over multiple “best paths” that tie in the routing metric calculation.
Multiprotocol Label Switching (MPLS): a highly scalable, protocol-agnostic data-carrying mechanism. In an MPLS network, packets are assigned labels, and forwarding decisions are made on the label alone rather than on IP addresses, without inspecting the packet payload.
Virtual Private LAN Service (VPLS): stretches a VLAN across multiple locations, providing Layer 2 connectivity between them over MPLS.
Virtual Router Redundancy Protocol (VRRP): an open-standard first-hop redundancy protocol, the standards-based counterpart of Cisco’s proprietary HSRP.
Traffic Engineering (TE): provides bandwidth guarantees and explicit path control on MPLS networks.

About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at

Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. 2000342-002-EN May 2010