cloud-ready datacenter reference architecture


Cloud-Ready Data Center Reference Architecture

REFERENCE ARCHITECTURE

Copyright 2011, Juniper Networks, Inc.


Table of Contents

Introduction
Scope
Framework
The Importance of Data Centers and Their Infrastructures
A Data Center by Any Other Name
Supporting Enterprise and Cloud Data Centers
Solution Profile Overview
Key Trends in Today's Data Center
Evolving Business Application Architectures
Server Virtualization
Reducing OpEx
Protecting Against Security Threats
Convergence of Fibre Channel and Ethernet Networks
Requirements
Functional Areas in the Cloud-Ready Data Center
Juniper's Approach to a Cloud-Ready Data Center
Network Infrastructure
Application Traffic Flows
Simplified Network Infrastructure
Distributed Data Centers
Juniper's Approach
Compute and Storage Infrastructure
Integrating Virtual Server Infrastructure
I/O Convergence
Fibre Channel and FCoE
Juniper's Approach
Services
Security Services
Application Services
Juniper's Approach
Management, Orchestration, and Automation
Profile of an Effective Orchestration Platform
Management Infrastructure Supporting Cloud-level Orchestration
Juniper's Approach
Junos Space: Juniper's Open Network Orchestration Platform
Automation Based on Junos OS


Table of Figures

Figure 1. Data center reference framework
Figure 2. Reference architecture network infrastructure
Figure 3. Compute and storage
Figure 4. Consistent management of the physical and virtual network from Junos Space
Figure 5. Services functional area
Figure 6. Flow types in the new cloud infrastructure
Figure 7. Management, orchestration, and automation
Figure 8. Juniper Networks management infrastructure
Figure 9. Junos Space infrastructure
Figure 10. Transactional data center network infrastructure
Figure 11. Content and services hosting production data center network
Figure 12. High performance compute production data center network
Figure 13. Enterprise IT data center network
Figure 14. Small and midsize business IT data center network infrastructure

Table of Contents (continued)

Data Center Network Design Profiles
Transactional Production Data Center Network
Content and Hosting Services Production Data Center Network
High-Performance Compute (HPC) Production Data Center Network
Enterprise IT Data Center
Small and Midsize Business IT Data Center
Conclusion
Appendix A: Juniper Products for the Cloud-Ready Data Center Network
Switching
Routing
Security Services
Application Services
Operating System
Unified Network Client
Orchestration and Network Management
Junos Space Platform
Technical Services
About Juniper Networks


Introduction

The data center is an essential corporate asset that connects all servers, applications and storage services. Businesses rely on their data centers to support critical business operations and drive greater efficiency and value. As such, the data center is a key component that needs to be planned and managed carefully to meet the growing performance demands of users and applications. Juniper Networks offers a comprehensive data center network solution that combines best-in-class products with well-defined practices to build high-performance, robust, virtualized and cost-effective data center networks. This reference architecture proposes practices, technologies and products that help data center architects and engineers who are responsible for answering the requirements of designing modern data center networks that support business goals.

Scope

This document introduces Juniper Networks' architectural model and its offerings in support of data center and cloud computing networks. The purpose of this reference architecture is to communicate Juniper's conceptual framework and architectural philosophy in creating data center and cloud computing networks for our customers.

This reference architecture is intended for the following personnel:

• Customers in the enterprise and public sector
• Service providers
• Juniper partners
• IT and network industry analysts
• Individuals in sales, network design, system integration, technical support, product development, management, and marketing who have an interest in data center design

Framework

The Importance of Data Centers and Their Infrastructures

Data centers run the applications that deliver business processes and services. These applications provide critical information and rich, differentiated content for users. Users now demand an agile, responsive infrastructure that provides exactly the access that they need. This can be 24x7x365 for services that must be always on and accessible from anywhere, or a series of scheduled updates set to meet user needs for time-based information (hourly, daily, weekly, monthly, or quarterly).

For innovators and technology suppliers such as Juniper Networks, data center networks are central to the business mission, providing the focal point for solutions that unlock value in unique and compelling ways for businesses and their users.

A Data Center by Any Other Name

Not all data centers are the same. Their use, size and design vary with the needs of the business and the results that must be achieved. Examples include:

• Online transaction processing centers meeting strict transaction time constraints and carrying financial obligations with transaction results (exchange trading platforms, online financial services, online retail sales)
• Multimedia content delivery with strict quality and consistency requirements (online entertainment and news, video conferencing, live meetings)
• Computationally intense workloads (homeland security, logistics and production control, flight control, scientific research and economic modeling)
• General enterprise-grade operations data processing (CRM, ERP, human resources, finance, and messaging/communication)
• Cost-effective, reliable and manageable data center infrastructures for basic business operations


To accommodate the industry's embrace of cloud computing, our reference architecture is flexible enough to enable private, public or hybrid cloud computing services and to support the application environments that are critical to achieving the organization's business objectives.

This document is intended to help organizations that are considering cloud computing, whether or not they have started to implement any cloud elements. We will consider the implications of cloud computing for data center architectures and provide a reference for organizations who want to adopt cloud computing as they move forward.

It is our objective to provide a reference architecture that is unsurpassed in its ability to meet the needs of a diverse range of organizations, keeping in mind that the business objectives are primary, and that cloud computing is the enabling model, not the end in itself.

Key Trends in Today's Data Center

In this section, we present some of today's key market and technology trends and examine how these trends inherently affect data center requirements.

Evolving Business Application Architectures

Today's enterprises rely on their business applications. Business applications enable transactions for internal employees, collaboration with outside partners and customers, and capabilities that improve the business's competitive advantage. In today's globally competitive world, applications must be available everywhere and at all times. When business applications perform on an as-needed basis, the organization thrives; when they do not, business is lost.

Concurrently, we also note the evolution of a rich mix of application architectures that must be supported in their own right. In many cases, these are blended into mixed or tiered designs with a range of resulting flows. Some are strictly constrained to a narrow, necessary content mix, while others are more fluid and involve a varying mix of content and transaction types depending on user choice. A key requirement of data center architectures is to support a wide range of applications successfully. Some of these application types include Service-Oriented Architecture (SOA), Software as a Service (SaaS), Web 2.0, Unified Communications (UC) and streaming services.

Server Virtualization

Aligned with the trend toward more powerful servers, more open application designs, and the need to accomplish more with less in the data center infrastructure, the adoption of virtualization in the server infrastructure continues to increase. This produces a need to network the individual virtual machines with an additional layer of virtual switching within each server. Because multiple logical hosts now run on an individual server, it becomes necessary to differentiate their identities within the network and allow them to operate properly within their own logical domains. This trend creates the need to relate the virtual and physical network configurations, and it creates an interest in the ability to move application workloads in a flexible and seamless fashion.

Increasing Demands on Bandwidth and Capacity

Rich media applications, proliferation of users and device types, compute and storage utilization, and access methods continue to drive technology innovation. From a bandwidth perspective, we have seen a progression from GbE to 10GbE to 40GbE and 100GbE links, and this evolution will continue to drive requirements in how data center networks are built.

Reducing OpEx

Changes in the global economy and the desire to achieve greater business value associated with IT investment are creating more pressure to control costs. Despite more stringent requirements for high availability and resiliency, this is particularly relevant for the ongoing operational costs associated with maintaining IT and data center networks.

Protecting Against Security Threats

New types of attacks are constantly surfacing, and attackers often employ new ways to exploit and hide in legitimate traffic. This places organizations in a continual mode of catch-up, trying to make sure that they have appropriate protection against the latest vulnerabilities and threats. With the emergence of new applications, the security landscape continues to change. Although existing intrusion prevention techniques are still applicable, simply identifying source and destination addresses and port combinations no longer offers sufficient protection. The concept of application fluency is required to address these evolving security threats.


Convergence of Fibre Channel and Ethernet Networks

Design evolution has allowed storage to be pooled for access over networks by a diverse population of servers and computers. Distinct technologies have emerged to enable designs to handle server-to-storage communications, and this has led to a desire to work towards the design of a converged storage and Ethernet data center network that would allow storage and application traffic to share the same common network. This would ultimately save money and allow increased operational efficiency.

Requirements

At the same time that we take note of the varying business objectives that drive organizations and their data centers, we also need to note the evolution of a rich mix of application architectures that must be supported in their own right, and in many cases are blended into mixed or tiered designs with a range of resulting flows. Some are strictly constrained to a narrow, necessary content mix, while others are more fluid and involve a varying mix of content and transaction types depending on user choice. For example, the most significant impact of SOA and Web 2.0 applications is the variability of traffic load and traffic patterns that both permit and often place demands on the network infrastructure. Without proper network planning, every new SOA or Web 2.0 mashup application is at risk of creating congestion, performance problems and even application failures. Latency, jitter and packet loss effects are important predictors of UC and streaming services.

To successfully support a range of application types is a central requirement of data center architectures. Following are some of the key requirements that are emerging for businesses as they plan for the evolution of their application infrastructure and anticipate the impact of these changes on their data centers.

• Performance: To an enterprise's customers, partners and employees, business applications are the means to an end, the ability to obtain information, complete transactions, or perform a job. High performance is essential to employee productivity, customer satisfaction and the enterprise's bottom line. Application response time is the most fundamental component of understanding application and data center network performance.

• Scalability: In existing computer and network environments, planning for growth and change is a costly and time-consuming effort. A successful organization must be able to readily and cost-effectively scale business applications, even when capacity limits are reached within existing data centers.

• Accessibility: In today's mobile and volatile world, users now require access anywhere in the world, on virtually any type of computer and network connection, 24 hours a day. Enterprises must support access from corporate headquarters, branch offices, other business establishments, home offices, wireless hotspots and cellular networks throughout the world.

• Agility: As the pace of global economic activity continues to accelerate, organizations must be able to respond quickly to changes in demand and other market conditions. Agility improves with the user's ability to reprovision infrastructure resources rapidly and inexpensively. Business applications that support agility can help reduce time to market, strengthening the organization's competitive position and increasing market share.

• Availability and Continuity: No application is 100 percent failure proof. To protect an enterprise's competitive edge, business applications must be at least as available as those of competitors, and productivity must not suffer when failures occur. Furthermore, when a disaster occurs, the organization should recover with minimal discontinuity, getting business applications online again quickly and ensuring that the associated user data is protected and available.

• Security: Security is a multifaceted concern that touches upon almost every aspect of the business landscape. Organizations must respond effectively to evolving threats that can compromise business data or interfere with application availability. They must ensure secure operations in shared environments and meet industry compliance and regulatory requirements. Business applications must also support guaranteed service-level agreements (SLAs) and be consistent with stringent real-time requirements.

• Manageability: To help reduce OpEx, the data center network should be orchestrated to simplify the management tasks associated with configuration, monitoring, maintenance and other administrative tasks.


Functional Areas in the Cloud-Ready Data Center

To deliver applications from the cloud data center, organizations must divide the required tasks into optimized functional areas. Effective choices within each functional area can help designers meet application goals with respect to latency, availability, security and scale.

Figure 1 illustrates the framework we employ to envision the data center network at its highest level. It includes the following areas and their functional interrelationships:

• Network Infrastructure: provides connectivity and transport for applications and services between users and the data center, within the data center and across multiple data centers. The network infrastructure has three main subcomponents, namely the access network, the core network and the edge network.

• Compute and Storage: represents the compute and storage infrastructure appropriate for applications (rack-mount and chassis-based, cost-effective and multi-core, with unstructured content and highly structured transaction databases). The compute and storage functional area hosts all business applications such as Enterprise Resource Planning (ERP), SaaS, SOA and Web 2.0 applications (among others).

• Services: supports applications with security, user verification, and entitlement, and application support, including application acceleration, deep packet inspection (DPI), and load balancing.

• Management and Orchestration: ties together all of the elements of the cloud-computing infrastructure, enabling efficient and responsive monitoring, management, and planning.

Figure 1. Data center reference framework

While each component has its own characteristics, specific requirements and enabling technologies, Juniper Networks packages them all together with a common cloud-computing architecture that meets the individual and combined requirements with powerful enabling technologies. Let us take a closer look at each of the functional components beginning with business applications.

[Figure 1 diagram, labels recovered from the page: Network Infrastructure (edge, core, access); Services (security, acceleration, server load balancing); Compute and IP storage, with converged access to the SAN network; Management and Orchestration.]


    Junipers Approach to a Cloud-Ready Data Center

    To maximize effectiveness of the data center across the major functiona areas, Juniper has embraced a strategy

    to optimize designs in mutipe dimensions: to simpify, share, and secure the data center network to the maximum

    extent possibe and to provide a powerfu suite of automation toos. Each dimension brings concrete vaue to soution

    designers, enabing data centers to meet important appication deivery objectives:

1. Simplify. By simplifying the data center network, we mean minimizing the number of network elements required to achieve a particular design, thus reducing both capital and operating costs. Simplifying also means streamlining data center network operations with consistently implemented software and controls.

2. Share. By sharing the data center network, we mean intelligently (and in many cases dynamically) partitioning the infrastructure to support diverse applications and user groups and to interconnect large pools of resources with maximum agility. In many cases, this involves virtualization technologies that allow multiple logical operations to be performed on individual physical entities (such as switches, routers, and appliances).

3. Secure. When we secure the data center network, we must extend protection to support enforcement and visibility across the rich, distributed architectures that many applications currently use. This requires a robust, scalable, multidimensional model that enhances and extends the traditional perimeter defense. By increasing the granularity and agility of security policies, we can enable trusted sharing of incoming information and resident data within the data center, while complementing the security functions embedded in operating systems and applications.

4. Automate. By automating, we mean capturing the key steps involved in performing management, operational, and application tasks, and embedding task execution in software that runs as intelligent added value to the overall data center operation. Tasks can include synchronizing configurations among multiple disparate elements, starting and stopping critical operations under various conditions, and diagnosing or profiling operations on dimensions important for managers to observe.

With this high-level framework in mind, we can now discuss the individual functional components and their associated requirements and enabling technologies.

    Network Infrastructure

When designing the data center network, we must consider all communications occurring within the data center itself, between the data center and its users, and among data centers within the cloud. The infrastructure consists of a combination of elements in three domains, integrated in a variety of ways based on customer needs:

Access network

Core network

Edge network

The access network provides connectivity to all shared enterprise servers, applications, storage devices, and any IP or office automation devices required in the data center facility. Most data center access switches are deployed at the top of the rack or at the end of the row of server racks.

The core network provides a fabric for high-speed packet switching between multiple access network devices. Due to their location in the network, core-layer switches must provide scalable, high-performance, high-density, wire-rate ports, and high availability (HA) hardware and software features that deliver carrier-class reliability and robustness. The core serves as the gateway where all other modules, such as the WAN edge, meet. It typically requires 10GbE interfaces for high throughput and maximum performance so that access-to-core oversubscription stays within acceptable ratios. The core provides high-speed throughput for all data going into and out of the data center, and it must provide resilient, fail-safe Layer 3 connectivity to multiple access layer devices.

The edge network provides the communication links to end user networks of various types. These can be private WAN or campus backbones, mobile access networks, VPNs, or other types of Internet access. The high performance and reliability of these connections improve the user experience. Agility ensures that users will have access to applications and services where and when they are needed. In addition, multilayered security controls ensure that users, applications, and data are protected at appropriate levels.


Figure 2 shows the network infrastructure functional area of the reference framework.

Figure 2. Reference architecture network infrastructure

Application Traffic Flows

In the past, applications were designed with a very specific traffic flow. Typically, requests would originate from a client system and be routed to a single application server, which would then respond directly back to the client. This client/server model was, in effect, a single-direction north-south scheme. Because of demands for greater application performance and response time, and the continued adoption of virtualization technologies, application architecture has changed. A more distributed model has also had an impact on application traffic flows. Today, a request originates from a client system and is routed to an application, but the processing of the request results in information sharing across multiple servers prior to responding to the original request. Furthermore, these servers can exist across multiple physical machines and locations. Because of this shift, the network infrastructure should optimize the ability of the application infrastructure to handle increasing levels of server-to-server (east-west) communication.

Simplified Network Infrastructure

Another significant trend in data center networks is the continual need to provide scale and agility for growth while simultaneously controlling costs. As new applications and business models emerge, the network design that worked well for a business may not be able to support new demands on the IT infrastructure and, most importantly, new business requirements. Networks built on fragmented and oversubscribed tree structures have scaling and consistent-performance problems. As more devices are added, design and management complexity and costs grow faster than the device count. A simplified network infrastructure can help meet these requirements of scale while mitigating the concerns of cost and complexity.

    Distributed Data Centers

Due to rapid growth, bandwidth and latency considerations, and space, power, or cooling capacity requirements, data center locations continue to multiply. While this has catalyzed a desire for simplification and consolidation, organizations also are considering ways to enable the network infrastructure to connect these different locations together.

[Figure 2 labels: Network Infrastructure: Edge, Core, Access; Management and Orchestration; Converged Access]

    Figure 3. Compute and storage

    Integrating Virtual Server Infrastructure

Server virtualization reduces the number of physical servers in the data center and provides greater flexibility to meet rapidly changing business needs. However, server virtualization introduces challenges as well, some of which directly involve the data center network. Virtual machines increase the density of traffic loads to and from individual physical machines (because each virtual machine has its own operating system and applications). This increases network link utilization and places additional demands on the network fabric, especially when we consider dynamic creation and migration of virtual machines.

The use of virtual machines also creates an additional logical (or virtual) layer of networking within the server endpoints and between the virtual machines. A virtual network extension allows separation and connection of traffic to and from individual virtual machines, both within the physical servers and between the physical servers and the rest of the network. This creates a need for configuration, state, and policy integration between the physical and virtual parts of the network.

As workloads change, the data center infrastructure must support rapid, on-demand reassignment of resources in a way that is completely transparent to end users. Compute capacity must scale to meet the demands for applications and services without disruption. Scaling must encompass high-density deployment within the data center, and it must provide processing power flexibly across multiple data centers.

With virtualization technology now supported on multiple operating systems and computing platforms, the data center network architect must evaluate the impact of the virtualized server environment on the network architecture:

Increased capacity requirements due to higher link utilization (multiple virtual machines now running on an individual physical server) and associated resources (more media access control (MAC) and IP addresses and applications per physical server)

Expanded availability requirements due to increased operational risk (loss of one physical server means the loss of numerous virtual machines)

Increased relevance of standards and automation in the integration of physical and virtual networks, dynamically and at scale

Increased importance of network-based services and their relation to virtual infrastructure, such as firewalls, intrusion prevention systems (IPS), and load balancers, all of which affect network performance.

[Figure 3 labels: Compute; IP Storage; SAN Network]

Provisioning sufficient bandwidth to meet application SLAs is a primary consideration. A conventionally oversubscribed network design becomes unacceptable in the face of increased link utilization and dynamic traffic flows. To meet SLAs, architects must consider increasing link bandwidth in the server and network infrastructures.

To provide load balancing in the cloud, some virtual machines may need to be moved across physical machines within the data center or to other data centers, and the network must have the agility to support this move.

In this environment, it is important that the network and virtual servers be synchronized automatically with respect to virtual machine configuration and policies. This is critical for managing SLAs and meeting audit and compliance requirements. For successful virtual server networking, the architecture must embrace the emerging extensions to the IEEE 802.1 family of Ethernet standards (802.1Qbg Edge Virtual Bridging) that enable synchronization of physical and virtual network configurations under the name Virtual Ethernet Port Aggregator (VEPA). These standards help customers maximize choice in the deployment of virtual servers and confidently support networking them with agility and high performance, regardless of the number of applications and hypervisor vendors used.

An additional subtlety in successfully supporting virtual server endpoints is enabling an end-to-end security architecture for the applications. In the virtual server environment, conventional security practices such as monitoring network activity, inspecting and filtering traffic, and maintaining strictly separate security domains are often absent. Inter-virtual machine communication is a particular blind spot: traffic between virtual machines on the same host is switched by the hypervisor, never touches the physical network, and is therefore not protected by physical network monitoring or security controls.

Filtering traffic to and from a virtual server (or cluster) is only one part of the solution. To truly mitigate the risks within the virtual environment, especially those related to inter-virtual machine communication, defense in depth at the level of individual virtual machines is required. An effective, multilayered defense is only feasible if it preserves the productive capacity of the host servers and remains independent of the malware it defends against. An approach that integrates the capabilities of virtual appliances running within hypervisor environments with the security capabilities of the physical data center network is the type of integrated, multitiered, and multilayered design required for end-to-end success with virtual machines and the cloud.

New data centers also require managing virtualized network and security profiles and virtual machine configurations as they migrate across physical hosts. Managing profiles across physical hosts is difficult and may prevent organizations from taking server virtualization efforts beyond server consolidation and into dynamic resource allocation. Juniper addresses this requirement with Juniper Networks Junos Space applications such as Virtual Control, which allows for management of virtual machine configurations and switch port profiles on an integrated basis between the physical and virtual domains.

    I/O Convergence

The rising cost and complexity of building and operating modern data centers have led organizations to seek new ways to make the data center infrastructure simpler and more efficient. Although the cost of data center networking equipment is relatively small compared to the cost of server hardware and software, the underlying network fabric is the linchpin that connects all mission-critical resources. A simpler, more streamlined data center fabric means greater efficiency and productivity and lower operating costs. In addition, shared (centralized or distributed) storage, be it file-based (network attached storage (NAS)) or block-based (storage area network (SAN) using Internet Small Computer System Interface (iSCSI), Fibre Channel (FC), or Fibre Channel over Ethernet (FCoE)), is an essential element of an effective compute and storage solution for data centers and the cloud. These can be used in concert to support advanced virtual systems and the overall virtual networking infrastructure.

Traditionally, servers are deployed with multiple I/O cards to connect to multiple separate physical network segments or even completely separate network infrastructures: dual SAN for disk access, another SAN or LAN for backup, dual LAN for client/server or campus LAN connection, out-of-band management, VMotion, and cluster traffic. I/O convergence helps to reduce the number of such interfaces and networks. It has been promoted along with Ethernet- or IP-based storage technologies such as iSCSI, NAS, and more recently FCoE.

With the increased affordability and rapid adoption of 10GbE in the data center, Ethernet is poised to take on the connectivity tasks formerly relegated to InfiniBand and Fibre Channel and to become the dominant data center networking technology. Reducing the number of I/O cards and network ports drives many potential savings.


Figure 4 shows the Junos Space Virtual Control application managing both the physical and virtual network.

Figure 4. Consistent management of the physical and virtual network from Junos Space

Junos Space Virtual Control

Junos Space Virtual Control allows network operators to discover, configure, provision, and monitor a VMware vNetwork Distributed Switch (vDS) as well as a Juniper switch platform. This single pane of management facilitates synchronous configuration changes for both physical and virtual switching environments, and it simplifies network operations by dynamically mapping port profiles to support VM mobility. Junos Space Virtual Control leverages VMware open APIs to achieve this functionality, while similar integration with Junos Space can be achieved with other virtual switching environments (Xen, PowerVM, Hyper-V) that expose similar open interfaces. An emerging standard, Virtual Ethernet Port Aggregator (VEPA), is being developed to define the interface between virtual and physical switching environments. VEPA is a nondisruptive and cost-effective solution for inter-VM communications. Implementation requires minimal changes to the software running on the physical switch, not wholesale replacement of the existing networking infrastructure. VEPA allows virtual switching to be offloaded from the server to the adjacent physical switch, improving server performance and increasing the number of VMs that can run on each server. Finally, because VEPA is based on open standards and is server- and hypervisor-agnostic, customers have maximum flexibility in deploying server virtualization. VEPA will enable rapid innovation in services for users, as well as operational consistency, simplicity, and efficiency.

The pending VEPA standard also contains a critical feature known as multichannel. Because many virtual servers contain more than one virtual network switch, physical switches must be able to identify the virtual switch that sourced the traffic coming to them; multichannel does this by carrying each virtual switch's traffic on a separately tagged channel of the uplink. While this advanced feature will require some hardware upgrades, basic VEPA can be supported with a simple software upgrade.

I/O Convergence

Converged data center networks will require a robust and complete implementation of the FCoE and Data Center Bridging (DCB) standards to be viable in supporting the critical application and data integrity requirements of data center applications. Because of the timing of ratification of the respective standards (FCoE having preceded DCB by approximately a year) and because of the incremental progress in cost effectiveness of the related infrastructures (early implementations not truly passing the cost-effectiveness test), implementation of converged data center networks will occur in two phases. In phase one, convergence within the rack will enable partial gains while supporting separate LAN and SAN infrastructures, using FCoE gateways between the two. In phase two, networks will be converged fully by virtue of support for the full DCB standards suite and adequate support for all traffic types in an optimized data center network.

Juniper Networks QFX3500 Switch is the first top-of-rack switch built to solve all the challenges of access layer convergence. It works for both rack-mounted servers and blade servers, and for organizations with combined or separate LAN and SAN teams. It is also the first product to leverage a new generation of ASIC techniques. It offers 1.28 terabits of bandwidth implemented with a single ultra-low latency (ULL) ASIC, and soft-programmable ports capable of GbE, 10GbE, 40GbE, and 2/4/8G FC, supported through SFP+ (GE copper, 10G copper DAC, and optical) and dense QSFP optical connectivity. Please refer to www.juniper.net/us/en/products-services/switching/qfx-series for details.


By maintaining active participation in the related standardization efforts and by rethinking the technology and economics of the data center network from the ground up, Juniper Networks provides customers with a winning set of platforms. Juniper also offers a pragmatic, innovative strategy to develop a single, converged data center fabric with the flexibility and performance required in a fully virtualized infrastructure, while continuing to drive down the cost and complexity of enabling it properly. For further information on the evolving standards in this space, please refer to the white paper titled Opportunities and Challenges with the Convergence of Data Center Networks at www.juniper.net/us/en/local/pdf/whitepapers/2000315-en.pdf.

    Services

As we have seen, data centers are increasing agility and versatility for service delivery in highly virtualized environments. While this enables managers to function responsively, it also exacerbates risks that, if not addressed, can compromise the effectiveness of the newly tuned environment. These risks are principally in the areas of security and application performance. Forward-looking network architecture in the virtualized world includes functionality embedded in the network itself that controls and mitigates many of the risks and facilitates optimum performance. The idea is that protection and acceleration capabilities can run in the network on behalf of, or in concert with, functionality that executes in the application endpoints, for an overall effective, secure, and responsive system architecture. Figure 5 shows the services functional area of the reference framework.

    Figure 5. Services functional area

Juniper's data center reference framework includes a functional area dedicated to delivery of virtualized services. We describe the capabilities of that area in this section.

The Services functional area allows data center managers to address the following critical challenges:

Evolving threat landscape: Data center and cloud service operators must address ever-escalating threats to application delivery, integrity, and privacy. Major threats include service disruption, application denial-of-service (DoS) attacks, data leakage to the outside world, attacks on data integrity, and identity fraud.

Sharing of resources: Resource sharing allows organizations to realize economies of scale that are essential to success with virtualization and the cloud. However, to realize this potential, operators must be confident that shared resources such as virtual machines, applications, and supporting platforms will not be compromised.

[Figure 5 labels: Services: Security; Acceleration; Server Load Balancing]

Managing virtualization risks: In the traditional data center, where resources and applications map directly to physical equipment, security is straightforward because physical boundaries still exist. However, as resources become virtualized, traditional security controls are insufficient. Intelligence is required to help operators understand and limit the risks that arise when physical boundaries are replaced by virtual boundaries.

Granular policy control: Managers must secure the entire path between the end user's source and the destination application. This requires extensive, granular policy control for security and entitlement throughout the infrastructure. By using granular controls, managers can ensure service integrity and meet SLAs.

Traffic integrity and confidentiality: In many cases, traffic flowing through the cloud must be secured to prevent unwarranted data disclosure and ensure the confidentiality of user information.

QoS: To assure the quality of the end user experience, services are required to apply QoS metrics, such as preferred service for VoIP traffic.

Compliance and SLA: Cloud data center operators must meet auditing and risk assessment requirements mandated by regional regulatory authorities. Services can be deployed to ensure that cloud providers meet these requirements and to demonstrate that security controls are effective in enforcing security policies.

Application acceleration: Application acceleration services can boost the performance of major applications within an enterprise. Applications may be business critical (for example, ERP applications such as SAP and Oracle) or contribute to employee productivity (such as Microsoft Outlook).

In prior designs, services were required only at the data center edge, with gateways securing the connection between end users and the data center interior. This has been called a perimeter defense. With current trends toward consolidation and virtualization in the data center, and the management of flows between data centers, security- and application-related services are now required at a greater number of control points in the data center and virtual systems, not only at the entry gate. A comprehensive and agile architecture of services intelligence must be deployable from applications and hypervisors running virtual machines, to critical protection points in the core of the network, to the data center edge, and ultimately to the end user.

A well-designed infrastructure applies services where needed and enforces policies dynamically on network traffic. Delivery of services can be optimized by using resource pools that are shared across the network.

As with the network infrastructure, services in the data center must meet stringent requirements for performance, scalability, and availability. They must also support granular policy control and the intelligence to meet user- and application-specific SLAs.

The Services functional area comprises two major groups of capabilities: security and application services. Security services control access to resources and protect traffic within the cloud. Application services improve the performance, scalability, and agility of applications and infrastructure and simplify operations.

The following sections focus on these types of services.

    Security Services

A single data center can include many thousands of physical compute and storage arrays that enable hundreds of thousands of virtual endpoints used by tens or even hundreds of thousands of clients. The result is a complex set of flows between servers and clients (north-south) and among compute and storage systems (east-west). Comprehensive, effective security must be deployed to scrutinize all traffic and weed out any traffic that can pose a risk to traffic flows or data integrity.

Figure 6 shows the major types of traffic flows that must be secured in the virtualized data center world:

East-west traffic between servers within the data center and between compute and storage systems (server to server).

North-south traffic between servers and end user systems, where the end users can be anywhere in the world, use virtually any type of client device, and obtain access through almost any type of commercial access network (customer to data center).

Traffic between data centers for fast response to changes in demand and load conditions (data center to data center).


    Figure 6. Flow types in the new cloud infrastructure

Security services must also take into account the fact that Web 2.0, unified communications (UC), and rich media applications lead to unpredictable, challenging traffic patterns. A client no longer communicates with a server using a single stream of data (or TCP session) to complete a request. New applications present more challenging traffic patterns involving communications between multiple servers over multiple sessions to fulfill a single user request. A single application interaction now requires much more server-to-server communication and higher levels of module performance to meet requirements. Traffic flows involve multi-node applications, server virtualization, and storage over IP. Furthermore, throughout the process, user and data identity and integrity are at stake.

Ultimately, at the user and operator levels, security of information handling is about trust. The fast evolving world of virtualization and the cloud has been inhibited partially in its uptake by the more slowly emerging architectures designed to ensure trust. By putting appropriately broad and effective security services in place, organizations can increase trust levels among end users and potential subscribers, and drive increased satisfaction and demand.

Traditional security platforms, including routers, firewalls, IPS, VPN, and network access control (NAC), continue to be central to the security of the data center. However, existing use of these elements is not sufficient to meet the new requirements of the cloud. To meet the security challenges of the cloud, requirements such as security scale, visibility, and enforcement play a more significant role. An extended portfolio of interconnected security services is required, including stateful firewalls, IPS, application and identity awareness, secure remote access, NAC, Domain Name System/Dynamic Host Configuration Protocol (DNS/DHCP) services, and authentication, authorization, and accounting (AAA) services. We highlight the role of each of these critical technologies within the security functional area of the cloud in the following sections.

Stateful firewalls: Data center operators have traditionally deployed numerous firewalls to separate servers by function or tier in their system designs, for example, the database, application, and Web tiers of a system. Multiple firewalls were often deployed at the same level of the network and inhibited overall performance. In many cases, firewalls were bypassed when concerns about their ability to pass real-time traffic were considered paramount and the desire for performance outweighed security concerns. Concerns about firewall impact on raw bandwidth, connections per second, and sustained connections caused some data center operators to limit firewall use or even dispense with firewalls in some areas. All of these limitations of prior architectures have resulted in high-risk compromises that are not sustainable in the current privacy, compliance, and high-performance end user environments.

[Figure 6 labels: Clients; Global High-Performance Network; Data Centers; Customer to DC; DC to DC; Server to Server]

The challenge is to move from this existing situation, in which appliances are solution inhibitors, to the cloud data center network, in which firewalls are solution enablers. This necessitates the introduction of high-performance, stateful firewalls at the data center core.

High-performance, stateful services are the cornerstone of security in the virtualized data center. Stateful services enforce policies that align with business and operational requirements through the identification and classification of networks. In addition to being the primary Layer 4 access control system, stateful firewalls can support many additional security functions such as DoS or quota protections, deep packet inspection (DPI) on specific applications, and Network Address Translation (NAT).

With stateful firewalls, it is possible to introduce fine-grained control over all traffic flow types (intra-data center, inter-data center, and data center to WAN) and to support key security functions such as NAT, Application Layer Gateway (ALG) services, IPsec VPN services, distributed DoS (DDoS) protection, and unified threat management (UTM), which includes antivirus, anti-spam, and Web filtering.

Additional capabilities can be inserted in a modular manner on top of this foundation. When done in a modular way per policy zone, this approach provides maximum agility, efficiency, and performance.
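The difference between the Layer 4 access control described above and a stateless, port-based ACL is easiest to see on concrete packets. The following Python model is an added example, not code from the Juniper document or from any Juniper product; the tier addresses, the port number and the packets are constructed for the illustration. It applies one policy (the Web tier may open TCP connections to the application tier on port 8080) first as a stateless ACL, which must admit replies by port number alone, and then as a stateful connection tracker that admits only packets belonging to a connection the Web tier actually initiated.

```python
"""Stateless ACL versus stateful Layer 4 filtering on constructed packets.

Added example; not from the Juniper document. Addresses, ports and packets
are invented for the illustration. Policy: the Web tier may open TCP
connections to the application tier on port 8080; nothing else may cross
the tier boundary.
"""
from dataclasses import dataclass

WEB_TIER = {"10.1.1.10", "10.1.1.11"}
APP_TIER = {"10.1.2.20"}
APP_PORT = 8080


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK, "R" RST


def stateless_acl(pkt: Packet) -> bool:
    """Port-based ACL. It needs a mirror rule to let replies through, and
    that mirror rule trusts the source port, which the app tier controls."""
    if pkt.src_ip in WEB_TIER and pkt.dst_ip in APP_TIER and pkt.dst_port == APP_PORT:
        return True
    if pkt.src_ip in APP_TIER and pkt.src_port == APP_PORT and pkt.dst_ip in WEB_TIER:
        return True
    return False


class StatefulFirewall:
    """Connection tracker: only a policy-matching SYN creates state, and only
    packets of a tracked connection are admitted afterwards. Timeouts and
    the FIN handshake are omitted to keep the model short."""

    def __init__(self) -> None:
        self.table = {}  # initiator 4-tuple -> connection state

    def admit(self, pkt: Packet) -> bool:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.table:                      # packet from the initiator
            if "R" in pkt.flags:
                del self.table[fwd]
            return True
        if rev in self.table:                      # reply from the responder
            if "R" in pkt.flags:
                del self.table[rev]
            elif pkt.flags == "SA":
                self.table[rev] = "ESTABLISHED"
            return True
        # Unknown connection: only a SYN that the policy permits may create state.
        if (pkt.flags == "S" and pkt.src_ip in WEB_TIER
                and pkt.dst_ip in APP_TIER and pkt.dst_port == APP_PORT):
            self.table[fwd] = "SYN_SENT"
            return True
        return False


# Constructed traffic: a legitimate handshake and two packets that abuse the ACL.
HANDSHAKE = [
    Packet("10.1.1.10", 51000, "10.1.2.20", 8080, "S"),
    Packet("10.1.2.20", 8080, "10.1.1.10", 51000, "SA"),
    Packet("10.1.1.10", 51000, "10.1.2.20", 8080, "A"),
]
# App-tier host sourcing from 8080 to reach SSH on a Web-tier host.
SPOOFED_REPLY = Packet("10.1.2.20", 8080, "10.1.1.11", 22, "S")
# Mid-stream ACK with no prior SYN (an injected segment or ACK flood).
STRAY_ACK = Packet("10.1.1.10", 51001, "10.1.2.20", 8080, "A")


def compare(packets) -> dict:
    """Run the same packet sequence through both filters; returns the verdicts."""
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_acl(p) for p in packets],
        "stateful": [fw.admit(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in compare(HANDSHAKE + [SPOOFED_REPLY, STRAY_ACK]).items():
        print(name, verdicts)
```

The stateless ACL passes all five packets, because its reply rule cannot tell a genuine SYN/ACK from a SYN that merely uses 8080 as its source port. The tracker passes only the three handshake packets: the spoofed reply matches no tracked connection and fails the SYN policy, and the stray ACK is refused because no SYN preceded it. This is the property that lets a stateful core firewall replace several stateless tier filters without loosening the policy.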

Securing the virtualized access layer: Server virtualization changes the way physical devices operate and are managed in the data center, which has significant security implications. For example, virtualized environments create a new access layer, the virtual switch network. Typically, each physical server hosts a virtual switch that supports communication between virtual machines on the same host. The virtual network can grow rapidly as new virtual machines (VMs) are created, resulting in complex networking flows and VLAN management.

IT administrators lose visibility into, and control over, some traffic, since communication between colocated VMs is handled by the host's virtual switch and never leaves the host. In a traditional data center environment, applications and application components (such as databases and Web interfaces) run on distinct machines that are segregated by firewalls into zones of trust. In a virtualized environment, these applications may be running in VMs on the same host, and so are able to communicate without accessing the physical network. Consequently, they are beyond the visibility and control of traditional firewalls and not bound by zones of trust.

Security is further complicated by VM live migration technologies, such as VMware VMotion and Distributed Resource Scheduler (DRS). While these technologies ensure that host resources are maximized, allowing virtual machines to be created, moved, and decommissioned as application loads change, they essentially break zones of trust. For example, traffic isolation mechanisms such as VLANs can be circumvented when a VM is migrated to a host on a VLAN that is different from the original host's. Likewise, as VMs move, a server may end up hosting VMs with different trust levels, potentially resulting in privilege escalation for some users.

    There is a clear need for a hypervisor-neutral solution in today's highly virtualized data centers. A Virtual Firewall (VF) that inspects all traffic to and from each VM can eliminate blind spots, and enforce policies at the global, group, and per-VM level. With a VF, enterprises can granularly define security policies within zones of trust and precisely control whether VMs within the same zone of trust can communicate, ensuring isolation between and within trust levels, and allowing for precise micro-segmentation. A comprehensive security approach would include mechanisms to integrate the VF policy on the hypervisor with the physical network firewall policy above the hypervisor.
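    The per-VM enforcement and the migration concern described above, as an added Python illustration that is not Juniper's or vGW's code: it evaluates a flow between two colocated VMs against per-VM and zone rules (default deny), and checks a proposed live migration for a VLAN mismatch and for mixed trust levels on the target host. The VM names, zones, ports and rules are constructed samples.

```python
"""Added illustration (not Juniper's vGW code): a hypervisor-resident policy
check for colocated VMs plus a pre-migration zone-of-trust check.
All VM names, zones, ports and rules are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    zone: str   # zone of trust, e.g. "web" or "db"
    trust: int  # trust level; higher means more sensitive
    host: str   # hypervisor currently running the VM
    vlan: int   # VLAN the VM's virtual NIC is attached to


# Group level: (source zone, destination zone) -> allowed TCP ports.
# Anything not listed is denied, including traffic inside the same zone.
ZONE_RULES = {
    ("web", "db"): {3306},
}

# Per-VM level: an explicit exception for one ordered pair of VMs,
# evaluated before the zone rule (policy at group and per-VM levels).
VM_RULES = {
    ("web-1", "web-2"): {8080},
}


def is_allowed(src: VM, dst: VM, port: int) -> bool:
    """Decide one VM-to-VM flow. Traffic between VMs on the same host is
    evaluated exactly like traffic that crosses the physical network."""
    pair = (src.name, dst.name)
    if pair in VM_RULES:
        return port in VM_RULES[pair]
    return port in ZONE_RULES.get((src.zone, dst.zone), set())


def migration_findings(vms, vm_name, new_host, host_vlan):
    """List the zone-of-trust problems a live migration would introduce."""
    moving = next(v for v in vms if v.name == vm_name)
    findings = []
    if host_vlan[new_host] != moving.vlan:
        findings.append(f"vlan-mismatch: {vm_name} is on VLAN {moving.vlan}, "
                        f"{new_host} serves VLAN {host_vlan[new_host]}")
    neighbours = [v for v in vms if v.host == new_host and v.name != vm_name]
    other_levels = {v.trust for v in neighbours} - {moving.trust}
    if other_levels:
        findings.append(f"mixed-trust: {new_host} would host trust levels "
                        f"{sorted(other_levels | {moving.trust})}")
    return findings


def audit_flows(vms, ports=(3306, 8080, 22)):
    """Evaluate every ordered VM pair on the given ports; return allowed flows."""
    allowed = []
    for src in vms:
        for dst in vms:
            if src is dst:
                continue
            for port in ports:
                if is_allowed(src, dst, port):
                    allowed.append((src.name, dst.name, port))
    return sorted(allowed)


# Constructed inventory: two web VMs share host-a, the database runs on host-b.
VMS = [
    VM("web-1", "web", trust=1, host="host-a", vlan=10),
    VM("web-2", "web", trust=1, host="host-a", vlan=10),
    VM("db-1", "db", trust=3, host="host-b", vlan=20),
]
HOST_VLAN = {"host-a": 10, "host-b": 20}

if __name__ == "__main__":
    print(audit_flows(VMS))
    print(migration_findings(VMS, "db-1", "host-a", HOST_VLAN))  # DRS-style move
```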

    Intrusion prevention systems

    Network and application level attacks are an ongoing concern, and the data center network must be able to detect and prevent attacks in traffic flows by supporting versatile, high-performance IPS functionality as part of the security service. Because applications must be available to users at locations that are not inherently secure, the risk of misuse or application DoS will always be high. Moreover, because applications are colocated in virtualized data center infrastructures, a chain effect (in which an application is affected by the risk to which another application is exposed) can be created too easily.

    IPS must be highly accurate in its detection and prevention capabilities, with low numbers of false positives and false negatives. Effective intrusion detection and prevention requires a multidimensional approach involving protocol analysis, anomaly detection, and signature analysis. IPS should support multiple detection modes and accommodate placement of sensors in different parts of the network.


    As an example, sniffer modes involve network taps that passively observe the flow of traffic and identify potential threats, whereas inline systems are deployed with traffic flows and can potentially prevent attacks in real time. Mixed mode solutions can deliver the benefits of both sniffer and inline methods. Actions that are triggered when an attack is detected should include the traditional allow/deny along with finer grained actions such as rate limiting, setting Differentiated Services code point (DSCP) marking, closing client connections/server connections, and performing TCP resets.

    The IPS platforms should support the performance and capacities required in data centers of varying sizes and inspect Layer 4 through Layer 7 information at line rates. They should coordinate threat responses with other access control gateways (SSL VPN and NAC) by sharing attacker information, so attacks can be mitigated closest to their source. Because protocol decoders in the IPS deconstruct streams and build the right context to look for threats, a powerful and rich protocol decoder must be in place. Finally, network-based security services, including intrusion detection, attack prevention, encryption, and monitoring, should be consolidated into highly scalable, virtualized security platforms to reduce security device sprawl.

    Application visibility and control

    Historically, attack prevention has focused on identifying and thwarting malicious activity within allowed traffic, as evidenced by content security technologies such as antivirus and anti-spyware. These mechanisms have been a vital part of the network fabric and offer protection by identifying known attack patterns or behaviors that deviate from the norm.

    Unfortunately, new types of attacks are constantly occurring, and attackers often employ new ways to exploit and hide in allowed traffic. This places organizations in a continual mode of catch-up, trying to make sure that they have appropriate attack coverage against the latest vulnerabilities and threats. Organizations need tighter control over what can and cannot be done within a given application. In other words, the solution must evolve from a reactive approach to a more proactive security stance.

    Juniper has introduced stateful application filters such as stateful signatures and detection of protocol anomalies. These filters control the commands that are used within an application, so that organizations can reduce the opportunities for exploitation and increase the availability of information and networking services.

    However, with the emergence of new applications, the application networking and security landscape continues to change. Although existing intrusion prevention techniques are still applicable, simply identifying source and destination addresses and port combinations no longer offers sufficient protection.

    Traditional stateful security devices assume that an application uses a service that runs over a fixed, predetermined, and publicly acknowledged TCP/UDP port number, and that the traffic being processed can be identified by looking at the first packet in a session. This approach no longer works because the relationship between port numbers and applications is simply a convention that may not apply, and because it is necessary to examine subsequent packets to establish reliably the actual application and specific functions or commands that are being used.

    The concept of visibility and control is intended to address these evolving security threats. The idea is to go beyond traditional security approaches to identify exactly what actions are allowed by specific users in specific application instances. Application visibility and control are essential for applications such as BitTorrent, Skype and YouTube that are enabled on top of HTTP and use nonstandard ports (or even randomly assigned ports).
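    The contrast drawn in the last two paragraphs, as an added Python example that is not Juniper's classifier: a port-only decision taken from the first packet beside a decision taken from the payload of successive packets, with a "pending" result when the stream seen so far is not yet enough to decide. The port table, the small set of decoders (HTTP, TLS, SSH, BitTorrent handshake), the host name and the flows are constructed samples.

```python
"""Added illustration (not Juniper's classifier): the port-only first-packet
decision versus a decision from the payload of successive packets.
Port table, decoders and flows are constructed samples."""
import re

# Mapping a port-based stateful device relies on (constructed subset).
PORT_TABLE = {22: "ssh", 80: "http", 443: "tls", 6881: "bittorrent"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HTTP_HOST = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)", re.IGNORECASE)


def classify_by_port(dst_port):
    """What a port-only device decides from the first packet of a session."""
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_payload(payloads):
    """Classify from the client-to-server stream assembled from the packets
    seen so far. Returns (application, detail); 'pending' means more packets
    are needed before a decision is possible."""
    data = b"".join(payloads)
    if not data:
        return ("pending", "no payload yet")
    if data.startswith(b"\x13BitTorrent protocol"):
        return ("bittorrent", "peer wire handshake")
    if data.startswith(b"SSH-"):
        return ("ssh", data.split(b"\r\n", 1)[0].decode(errors="replace"))
    # TLS: record type 0x16 (handshake), major version 3, handshake type 1
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return ("tls", "ClientHello")
    if HTTP_REQUEST.match(data):
        if b"\r\n\r\n" not in data:
            return ("pending", "HTTP request headers incomplete")
        m = HTTP_HOST.search(data)
        host = m.group(1).decode(errors="replace") if m else "?"
        return ("http", f"Host: {host}")
    return ("unknown", "no decoder matched")


def classify_flow(dst_port, payloads):
    """Run both approaches on one flow and flag when the port was misleading."""
    port_guess = classify_by_port(dst_port)
    app, detail = classify_by_payload(payloads)
    decided = app not in ("pending", "unknown")
    return {"port_guess": port_guess, "application": app, "detail": detail,
            "port_misleading": decided and app != port_guess}


# Constructed flows: destination port and client payloads in packet order.
FLOWS = {
    "http-on-8080": (8080, [b"GET /watch?v=abc HTTP/1.1\r\n",
                            b"Host: video.example.com\r\n\r\n"]),
    "torrent-on-443": (443, [b"\x13BitTorrent protocol" + bytes(48)]),
    "ssh-on-80": (80, [b"SSH-2.0-OpenSSH_8.9\r\n"]),
    "syn-only": (80, []),
}


def classify_all(flows=FLOWS):
    """Classify every constructed flow; keys are the flow labels above."""
    return {name: classify_flow(port, payloads)
            for name, (port, payloads) in flows.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(name, result)
```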

    Application control is also important to maintain agility in the data center. If an IT organization wants to shut down one application and bring up a new one, it must be able to do so quickly. If firewalls support only protocol and port mappings, doing so becomes a time-consuming and tedious task. To enable agility, firewall configuration must be supported at the application level with controls that are independent of ports and protocols.

    To support application visibility and control, network security platforms such as enforcement gateways, firewalls and monitoring systems must identify application context and user conversations with thorough and intelligent signature-based classification. They must provide visibility into the application infrastructure, making it possible to determine application usage profiles and other valuable application-level information. It must be possible to control application and resource access based on user identity, not just source IP address. With a mobile, dynamic workforce that connects to application elements that reside on multiple servers within the cloud, organizations can no longer assign access privileges based on a well-controlled and fixed user location represented by an IP address. Services must be application and identity aware.


    Juniper's approach to enabling security services in the data center and cloud-computing environment enables all of these capabilities comprehensively.

    Secure remote access

    Given the trend towards consolidating applications into fewer numbers of data center sites, as well as the trend towards enabling modular applications to connect with each other in distributed application designs within and between those sites, users must securely access diverse resources from a variety of remote access points. At the entry points to the cloud, all endpoint access must be checked for compliance before access is granted, and the security status of the endpoint must be monitored throughout the time that a session is in progress. Notification of security issues must be done in a timely manner. IPsec VPNs are effective for site-to-site connectivity; however, they are not ideal for all remote access situations. For example, many employees must access corporate resources from unmanaged devices such as home PCs, public kiosks or PDAs. By contrast with IPsec, SSL VPNs allow granular access from any type of endpoint device (unmanaged or managed) if it complies with the minimum security policy that is in place in the organization. The SSL VPN maintains productivity for employees by enabling them to work from anywhere using any type of device.

    Blending secure remote access into a comprehensive, modular security design is an important goal of Juniper's security services architecture.

    NAC

    NAC controls access to a network by way of policies, including pre-admission endpoint security checks and post-admission controls over where users and devices can go on a network and what they can do. NAC services control a user's initial access to the network and verify the integrity of the user's system. For example, NAC services can verify that the user's system has up-to-date antivirus software installed. NAC services should include support for remote software upgrades, including pushing upgrades to the user system (for example, to download a Windows service pack).

    NAC should support policies that determine the types of endpoints or user roles allowed to access designated areas of the network, and should enforce them in switches, routers and firewalls. NAC services should also coordinate with IPS for real-time detection and prevention of attacks that can originate from sharing within the internal network.

    DNS/DHCP

    The data center network infrastructure must support fast and reliable DNS and DHCP services. Issues with DNS cache refreshes and persistent DHCP bindings can be a potential security issue when customers are using cloud services. DNS/DHCP services must be configured correctly and run all the time so that policies that are tied to IP addresses can be applied quickly and accurately. DNS/DHCP services also are necessary to support VLAN operation and address pool reservations.

    AAA

    AAA services control whether users can log into data center systems and they determine which resources each user is permitted to access. The network security infrastructure should be able to leverage existing identity data stores, including Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) servers.

    Standard technologies exist to help different types of networks exchange identity and privilege information and share common notions of user identities. Standards include Security Assertion Markup Language (SAML), eXtensible Access Control Markup Language (XACML), and Interface for Metadata Access Point (IF-MAP). These technologies make it easier for network security devices to coordinate and enforce policies based on identity attributes. Products and solutions that provide security services should support these standards to ensure that identity and access information is shared among different networks.

    To summarize, the integrated and virtualized security services resident in the network can provide benefits to users and applications that share the infrastructure. The comprehensive protection provided by these services can secure data flows into, within and between data centers. All of these services should be managed centrally and the infrastructure should enable distributed enforcement through the application itself and the supporting identity-aware security policies. As a group, security services increase the confidence, trust and agility with which virtualized services can be delivered.

    Application Services

    In some cases, applications running on multiple hosts can benefit from network-resident services that can be spread across them efficiently to improve their performance and distribute loads. By including such services as part of an intelligent network infrastructure, the pooled resources of the cloud can operate much more efficiently. An important way to do this is to provide specialized services from systems logically and physically embedded in the network that offload work from other data center servers. These application services include application acceleration, DPI and global server load balancing.


    Application Acceleration

    Application acceleration speeds performance for repetitive actions. For example, if a user accesses a document from a website, the initial download might take several minutes. With application acceleration, the document is cached following the initial download and subsequent requests can be done in seconds. Application acceleration can be tied to specific applications. For example, an application acceleration service can be configured to recognize and accelerate requests from an organization's SAP system.

    Data center architects should consider deploying a system that supports acceleration for the different application tiers, and provides comprehensive capabilities in support of current and emerging application areas such as Web 2.0, SOA and SaaS. The acceleration solution should boost the performance of client/server, Web-based, and server-to-server applications, and it should speed webpage downloads. In addition, the acceleration solution should offload CPU-intensive functions such as TCP connection processing and HTTP compression from backend applications and Web servers. The application acceleration platform should be seamlessly expandable through stacking or clustering of multiple devices.

    Deep Packet Inspection

    QoS is important to ensure application experience over large networks. QoS levels should be assigned and managed to ensure satisfactory application performance. DPI technology helps deliver advanced services by identifying applications based on key characteristics and by applying policies appropriate to them. For example, a DPI-enabled network element can apply QoS policies to an application to ensure preferred quality for video streams. Instead of the application adapting to network constraints, the network can adapt to application needs, providing a better user experience.

    Global Server Load Balancing

    It is important to find ways to scale data center services without a linear increase in the hardware footprint, and to ensure that the design does not increase operational complexity. Global load balancing adds flexibility and adaptability to the data center network, so users always have access to applications and data, even if service to the primary data center is interrupted. This type of technology helps organizations support the technical and business goals of application and data availability without sacrificing performance. Server overload also can be reduced by using SSL offload and acceleration services.

    Integrated Virtual Services

    Numerous and diverse services are needed to support the rich, complex network structure at the core of the virtualized data center. Delivering these services on existing single or limited purpose platforms can easily lead to appliance proliferation in the data center, as more and more platforms are introduced to deliver a richer set of security and application services. The resulting duplication of costs, physical space constraints, management overhead and organizational complexity can seriously inhibit growth of a successful data center or cloud. Many of these concerns can be resolved by introducing high-performance service processing platforms that support multiple services and stitch together with a common policy architecture and management structure.

    Juniper's Approach

    Traditionally, organizations have faced a difficult trade-off between providing network security and delivering performance for applications. Juniper Networks eliminates this trade-off, making it possible for data centers to have the robust network security they require with performance that meets the most demanding application and user environments. Going further, Juniper Networks can consolidate network security for the data center into fewer devices with centralized policy and visibility to improve significantly the operational efficiency of the data center environment.

    The Junos operating system is the foundation of Juniper Networks security services. Junos OS provides a common language across Juniper's routing, switching, and security devices, reducing complexity in high-performance networks, speeding deployment, and simplifying provisioning and management. Because all Juniper networking products are built on Junos OS, data center architects can be confident that services will be compatible, and IT staff can draw on a common set of tools and experience.


    Building on the Junos OS foundation, Juniper offers integrated solutions to meet the major security challenges in the cloud data center.

    SRX Series Services Gateways for Comprehensive Security

    Juniper Networks SRX Series Services Gateways serve as the cornerstone of consolidated security within the data center, providing effective network segmentation, securing flows, delivering IPsec VPN encryption services, and offering IPS protection, NAT, and ALGs. By consolidating switching, routing and security in a single device, managers can economically deliver new applications, secure connectivity and deliver quality end user experiences. With its Dynamic Services Architecture, the SRX Series supports new services without sacrificing performance.

    vGW Security for Virtualized Environments

    Juniper Networks vGW Virtual Gateway (formerly Altor Networks) delivers a complete virtualization security regimen that enforces granular access control down to the individual VM and integrates tightly with existing security technologies, including Juniper Networks IDP Series Intrusion Detection and Prevention Appliances, Juniper Networks STRM Series Security Threat Response Managers, as well as the SRX Series of high-performance security services gateways for the physical network. With the vGW Virtual Gateway, security policies are extended from the data center perimeter to within the hypervisor and down to the individual VM. With this approach, the application of access control is both continuous and comprehensive across physical and virtualized workloads. HVX innovation also adds layered defenses that are highly virtualization-aware, enabling real time detection of VM changes and movement, and the automatic invocation of security policies when those changes impact VM security and compliance posture in a negative way.

    Unified Access Control to Secure LAN Access and Mitigate Insider Threats

    Juniper Networks Unified Access Control is a standards-based, scalable solution for adaptive access control that reduces threat exposure and mitigates risks. It guards mission critical applications and sensitive data, and it provides comprehensive control, visibility and monitoring.

    The UAC approach to adaptive access control reduces the cost and complexity of delivering and deploying granular NAC. It also addresses challenges such as insider threats, guest access, outsourcing and off-shoring and regulatory compliance.

    UAC is the industry's first NAC solution to offer full Layer 2 through Layer 7 enforcement capabilities. It is based on industry standards (802.1X, RADIUS, and IPsec) and open standards (Trusted Network Connect), including IF-MAP, which empowers UAC to integrate with third-party network and security devices.

    SSL VPN for Secure Remote Access

    Juniper Networks SA Series SSL VPN Appliances provide enterprises and service providers with remote access and sophisticated partner and customer extranet features. SA Series appliances enable organizations to enforce differentiated access to resources based on user roles and groups. These appliances are available with a baseline software feature set or an advanced feature set that includes options for more complex deployments.

    WXC Series Application Acceleration Platforms and WXC Client

    Juniper Networks WXC Series Application Acceleration Platforms accelerate mission critical applications over wide area links, providing compressed output that ranges from 2 Mbps to 155 Mbps rates. Each platform can support multiple remote sites, and multiple communities of WXC Series devices can be configured to support an unlimited number of locations.

    The WXC Series uses compression and caching to reduce the amount of data actually flowing across wide area links. It does this by eliminating redundant data patterns and boosting connection capacity to accommodate a greater volume of traffic. It speeds the performance of specific applications and protocols over the WAN, cutting response times and optimizing traffic flows to deliver a more LAN-like experience for remote office users. Applications can make the most efficient use of available links and bandwidth to optimize performance and prioritize data traffic.


    Juniper Networks WX Client is Windows-based software for mobile end users that provides LAN-like performance for applications. Installed on the end user's laptop, the WX Client improves application response times by applying disk-based caching, compression, and protocol acceleration techniques to WAN data traffic. Enterprises can now enable cost-effective, dynamically provisioned, pervasive application acceleration regardless of user location.

    Management, Orchestration, and Automation

    With an understanding of the attributes of the three major traffic processing areas of the data center infrastructure (compute/storage, network, and security/application services), we can now turn our attention to the challenges of managing the data center cloud in the most efficient, flexible, and scalable manner. It is a formidable challenge to interconnect and supervise the growing number of physical and virtual devices in the cloud in a coherent, efficient way. Management complexity grows as more devices and users are added. To make data centers and the cloud truly responsive, all components must come together in a well-orchestrated ensemble under the IT organization's control. Figure 7 shows the management, orchestration and automation functional area of the reference framework.

    Figure 7. Management, orchestration, and automation

    The term orchestration refers to the automated arrangement, coordination and management of components (compute, storage, network and service) to meet IT and business requirements.

    In addition to the automation that is already an integral part of each component, orchestration requires that components interoperate with each other, business processes and rules are implemented properly, and end-to-end services are delivered completely and reliably. Orchestration takes the data center a major step beyond localized automation to encompass fully coordinated visibility and control over the data center's disparate elements.

    Because orchestration is complex and depends heavily on an organization's specific systems, its requirements are best met by a network orchestration platform that is open and extensible for integration with diverse application and management systems. The network orchestration platform should support comprehensive network management functions and use industry standard APIs to enable integration with management and application systems. It should also provide development tools, including a software development kit (SDK), so that organizations can extend and adapt the platform to create their own orchestration environments.


    Support for security services, including threat analysis, protection, and reporting, to identify risks, ensure reliable