WHITE PAPER

EXTENDING THE VIRTUALIZATION ADVANTAGE WITH NETWORK VIRTUALIZATION

Virtualization techniques in Juniper Networks MX Series 3D Universal Edge Routers

Copyright © 2010, Juniper Networks, Inc.



WHITE PAPER - Extending the Virtualization Advantage with Network Virtualization

Table of Contents

Executive Summary
Introduction: Industry Trends and the Need for Virtualization
Juniper’s Approach to Network Virtualization
Virtualization Technologies for MX Series 3D Universal Edge Routers
Deployment Scenarios
  Deployment Example 1: Merger and Acquisitions at a Bank
  Deployment Example 2: Scaling the Network for Web 2.0 Applications
  Deployment Example 3: Securing and Migrating Data in Health Care
  Deployment Example 4: Simplifying Security and Services Using Enterprise-Wide Virtualization
Conclusion
Glossary
About Juniper Networks

Table of Figures

Figure 1: Summary of required attributes necessary for virtualization
Figure 2: Virtualization technologies in MX Series 3D Universal Edge Routers
Figure 3: Example of MPLS super core between Mega Bank and Regional Bank
Figure 4: Example of logical systems deployed in a bank’s data center
Figure 5: Multicast in financial markets (Exchange-1 is Chicago, Exchange-2 is New York)
Figure 6: Traditional versus virtual application architecture
Figure 7: Mapping VRFs to security zones
Figure 8: Server live migration of data between two colocated data centers
Figure 9: Encrypted transport of data between the data center and hospital
Figure 10: Safe zone cloud controls access between branch offices and data centers by using firewalls
Figure 11: Private MPLS interconnecting similar “silos”

List of Tables

Table 1: Business Trends, Network Impact, and Technologies to Minimize Adversities to the Network
Table 2: Virtualization Characteristics
Table 3: Summary of Benefits of VR, VRF-Lite, and Logical Systems


Executive Summary

This paper discusses the numerous virtualization technologies in Juniper Networks® MX Series 3D Universal Edge Routers, and Juniper’s network virtualization strategy and virtualization solutions. It also provides specific examples on how network-based virtualization helps achieve business goals.

Today’s competitive environment and economy are driving organizations to respond to ever-increasing business challenges—while reducing cost and improving operational efficiency—at unprecedented levels. Many enterprises have responded to the business challenges by commonly deploying virtualization tools—such as storage, server, or desktop virtualization—which share assets across applications, departments, groups of users, etc. Virtualization facilitates a higher utilization of resources, resulting in greater asset efficiency and cost savings.

Leading organizations are extending those virtualization advantages, with the addition of network virtualization. There are many key enterprise business requirements that are driving the need for network virtualization:

• Establish traffic segmentation and improve privacy
• Increase network resiliency
• Improve network scalability and performance
• Improve security
• Rapidly deploy new services and applications
• Improve end user application performance
• Adhere to regulatory compliance

Some enterprises are even taking network virtualization further by building their own virtualized cloud infrastructure, rather than purchasing from their providers. The numerous virtualization technologies make it possible to build this virtualized network infrastructure.

Juniper offers a myriad of network virtualization technologies and uniquely offers them in one OS—with Juniper Networks Junos® operating system, running consistently across Juniper’s routing platforms:

• Network Service Virtualization
  - Virtualizes network services—such as L2VPN, L3VPN, VPLS, and pseudowire—and offers many options for secure virtual connectivity
  - Virtualizes the transport of traffic with MPLS—and improves network utilization, scalability, and resiliency
• Chassis Virtualization
  - Simplifies manageability by providing a unified control plane
  - Improves resource utilization and scalability
  - Improves resiliency by providing stateful redundancy
• Device Virtualization
  - Improves routing utilization and simplifies configuration by managing virtual independent routers or physical interfaces
• Link Virtualization
  - Improves link utilization, control, and security

This white paper concludes with use cases and examples across different enterprises such as financial institutions, hospitals, Internet portals, and large enterprises with many divisional offices. The following use cases are covered:

• Deployment Example 1: Merger and Acquisitions at a Bank
• Deployment Example 2: Scaling the Network for Web 2.0 Applications
• Deployment Example 3: Securing and Migrating Data in Health Care
• Deployment Example 4: Simplifying Security and Services Using Enterprise-Wide Virtualization


Introduction: Industry Trends and the Need for Virtualization

Today’s new economic realities have increased the need to improve an organization’s competitive advantages, irrespective of whether the organization is a financial, government, service, manufacturing, public utility, or health care concern. A change to improve a competitive advantage—such as mergers, acquisitions, or divestitures—has direct implications on the network, which many times translate into costly and disruptive upgrades. Juniper strives to help customers save costs and improve operational efficiencies with network virtualization, which offers the ability for customers to nimbly implement a key business initiative—such as mergers, acquisitions, or divestitures—without a disruptive network upgrade or costly change to their physical network.

Table 1 shows some key business trends, the impact on the network, and virtualization technologies that can be applied. Detailed descriptions of the virtualization technologies are discussed in the next section.

Table 1: Business Trends, Network Impact, and Technologies to Minimize Adversities to the Network

Business trend: Data center consolidation
Network impact: The need to reduce CapEx and OpEx is driving enterprises to consolidate data centers. Consolidation can sometimes place additional pressures on the WAN infrastructure, potentially translating into additional WAN costs or deterioration of the end user application experience.
Technology: Virtualized transport using MPLS and VPLS can reduce the number of required links; improve the end user experience with traffic engineering; and provide resiliency with carrier-class high availability (HA) features.

Business trend: Compliance
Network impact: Enterprises that adhere to regulatory compliance look for efficient ways to separate traffic and services of the different business groups or sensitive data and applications across their network infrastructure. Enterprises also need to easily classify and analyze traffic patterns for forensics. Many enterprises have deployed physically separate networks for compliance—and this becomes cost prohibitive over time.
Technology: Enterprises can use MPLS for traffic segmentation—and the benefits are improved resiliency, privacy and security.

Business trend: Business continuity
Network impact: Enterprises have built their competitive advantages with critical data, and many want to protect their business by deploying data in colocation data centers. Network resiliency across data centers then becomes increasingly important.
Technology: Technologies such as VPLS provide the ability to migrate traffic across colocation data centers, thereby ensuring business continuity without the overhead of maintaining separate data migration links.

Business trend: Business agility
Network impact: Increased competition is driving enterprises to respond quickly to changes in the market. For many organizations, increasing resiliency or reducing network latency equates to a competitive advantage.
Technology: MPLS TE (Traffic Engineering) provides mechanisms to improve application performance. MPLS also provides rapid resiliency, with Bidirectional Forwarding Detection (BFD) and MPLS fast reroute, which is critical to support business agility.

Business trend: Outsourcing and remote access
Network impact: Many enterprises employ outsourcing and remote workers for specialized skills. This trend increases reliance on the public Internet, which can expose an enterprise to security risks.
Technology: Encrypting traffic using IPsec before transporting it over MPLS is a way of providing secure transport over a virtualized network to both remote workers and outsourced companies.


Juniper’s Approach to Network Virtualization

We find that the most effective network virtualization solutions encompass the following strategic attributes, as shown in Figure 1. These attributes are encompassed in MX Series virtualization technologies.

Figure 1: Summary of required attributes necessary for virtualization

Table 2: Virtualization Attributes

Attribute: High Scalability
Rationale: The technology must be readily scalable from modest traffic rates of a few Gbps to aggregate throughput of several 100 Gbps. The number of logical ports that can be supported, for example, must also scale dramatically to support a large number of applications and devices.

Attribute: Transparency
Rationale: Virtualization features must be implemented so that any change to the underlying virtualized network is completely transparent to applications.

Attribute: Security
Rationale: Security must be enhanced using a combination of countermeasures such as separation of traffic for privacy, and techniques to provide both network-layer and application-layer security.

Attribute: Resiliency
Rationale: The technology must provide not only hardware redundancy but also network and software redundancy. Nonstop routing (NSR) provides redundancy. Moreover, software must be easily upgradable with unified in-service software upgrade (ISSU) for major software releases.

Attribute: Flexibility
Rationale: Business goals are constantly changing, and enterprises need technology that can be easily and cost-effectively adapted to suit new business requirements.



Virtualization Technologies for MX Series 3D Universal Edge Routers

The MX Series has a myriad of virtualization features and technologies, as shown in Figure 2, to address enterprise data center requirements for Network Service, Chassis, Device, and Link Virtualization. These features can be used individually or in combination to complement one another. It is not sufficient that there is a myriad of features; it is equally important that these features are implemented consistently in Junos, in one OS, across Juniper’s routing platforms—on top of Juniper’s advanced routing silicon, enabling a collapsed 2-tier data center architecture.

Figure 2: Virtualization technologies in MX Series 3D Universal Edge Routers

Network service virtualization—MPLS improves network utilization, scalability, and resiliency by virtualizing the transport of traffic. Virtualized network services—such as L2VPN, L3VPN, and VPLS—increase secure virtual connectivity options and can run on top of MPLS. All discussions in this paper focus on private MPLS rather than provider-managed MPLS. Private MPLS refers to the MPLS network that is owned and managed by enterprises. That is, the enterprise performs and manages its label switching. Provider-managed MPLS is an MPLS network that is purchased by enterprises, from service providers, but is owned and managed by service providers.

• MPLS network virtualization enables the physical network to be configured and operated as many separate virtual networks. The resulting benefits are cost savings, improved privacy through traffic segmentation, improved end user experience with traffic engineering and quality of service (QoS), and improved network resiliency with functionality such as fast reroute and BFD.
• Layer 2 VPN (L2VPN) offers layer 2 services over MPLS to build point-to-point connections that connect different sites. L2VPNs are used to transport layer 2 packets across MPLS networks without any discovery of layer 3 information of the networks in the VPN. The technology allows data centers to transport their legacy L2 services—such as ATM over an IP/MPLS network—minimizing CapEx. The technology can also be used to transport Ethernet, allowing increased scalability.
• L3VPN provides private links between data center sites that share layer 3 infrastructure. A layer 3 VPN discovers routes within the network that the VPN interconnects. For example, by mapping L3VPNs to virtual security “zones” in advanced firewalls, such as Juniper Networks SRX Series Services Gateways, customers can layer many security policies selectively on the traffic.
• VPLS provides Ethernet-based point-to-multipoint (P2MP) communication over IP/MPLS networks. It allows geographically dispersed data center LANs to connect to each other across an MPLS backbone while still maintaining L2 connectivity. In other words, VPLS creates a virtual network, giving the perception to the constituent nodes that they are on the same Ethernet LAN. VPLS can therefore provide an efficient and cost-effective method for data migration across enterprise data centers.

[Figure 2 contents: Network Service Virtualization (L2 VPN: L2 point-to-point; L3 VPN: L3 multipoint-to-multipoint; VPLS: L2 point-to-multipoint; MPLS), offering privacy, traffic engineering, scalability and resiliency. Chassis Virtualization (many-to-one): Virtual Chassis, offering resiliency, simplified configuration, service scalability and physical port scalability. Device Virtualization (one-to-many): Virtual Router (scalable routing separation), VRF Lite (routing separation), Logical Systems (routing and management separation), Bridge Group (simplifies configuration), Virtual Switch (scalable switching separation). Link Virtualization: VLAN (traffic segmentation), LAG (scale bandwidth), GRE tunnel (non-IP traffic), MPLS LSP (traffic segmentation).]


VPLS can help data center managers migrate data between specific servers in colocated data centers. Enterprises no longer need dedicated layer 2 links between the data centers, thus saving CapEx. Note that the ability to selectively apply VPLS to specific VLANs is crucial to most enterprises that are interested in migrating only specific application data and not all the data in the data center—and this enables greater scalability of the data center infrastructure.

Chassis Virtualization (Many-to-One Virtualization): Virtual Chassis technology allows up to eight interconnected physical chassis to be monitored and managed as a single logical device. MX Series Virtual Chassis uses normal data ports to interconnect physical chassis. The benefits of Virtual Chassis are:

• Simplifies manageability: Provides a unified control plane for all the physical chassis.
• Improves resource utilization and scalability: Intelligently utilizes line interfaces and service line cards on physically different chassis. Customers can thus benefit from a “pay-as-you-grow” model.
• Improves resiliency and protects user sessions: Protects sessions across physical chassis, line card or port failure, using stateful redundancy.

Device virtualization (One-to-Many Virtualization) improves routing utilization and simplifies configuration by managing virtual routers or physical interfaces.

• Virtual router (VR) provides multiple routing tables for the same physical router. The functionality keeps routing instances separate. Hence, overlapping IP addresses can exist in the virtual router instances. Unlike the logical systems’ functionality, there is no separation of management of the different VRs.
• VRF-lite segments a physical router into multiple logical routers. Each logical router participates in a virtual routing environment in a peer-based fashion. Although it is simple to deploy, it does not scale for some enterprises because every router needs to maintain a virtual routing and forwarding (VRF) routing instance.
• Logical systems segment a physical router into multiple independent routers that perform independent routing tasks. Each of the logical routers can be configured independently, dividing the configuration and operation (routing plane) of a physical router into subsets for increased manageability and protection. Logical systems can provide individual business units with the perception that they are working on independent routers. The benefits are the following:
  - Improve routing utilization
  - Align virtual routing instances with business units

Table 3, below, summarizes the benefits of virtual router, VRF-lite, and logical systems.

Table 3: Summary of Benefits of VR, VRF-Lite, and Logical Systems

Logical platform partitioning: Virtual Router, VRF Lite, Logical Systems
Fault isolation on routing plane: Logical Systems
Multiple user access (management separation): Logical Systems
Scalable routing separation: Virtual Router, Logical Systems

• Bridge groups are a collection of network interfaces that form a broadcast domain and have their own set of forwarding tables and filters. They bring tremendous configuration flexibility by allowing an administrator to select multiple Ethernet and/or wireless interfaces and group them together, effectively creating an abstract or virtual L3 interface and/or L2 switch. A bridge group carries the same characteristics as a physical interface in that both can be assigned to a security zone where they are subject to an associated security policy.
• Virtual switches are formed by grouping two or more bridge domains that perform layer 2 bridging and function as a layer 2 network. A bridge domain consists of a set of logical ports that share the same flooding or broadcast characteristics. Like a VLAN, a bridge domain spans one or more ports of multiple devices. Multiple virtual switches operate independently of the other virtual switches on the routing platform, and each virtual switch can participate in a different layer 2 network. A virtual switch can be configured to participate only in layer 2 bridging and optionally to perform layer 3 routing.


Link virtualization improves link utilization, control, and security.

• VLANs define a broadcast domain, a set of logical ports that share the same flooding or broadcast characteristics. VLANs span one or more ports on multiple devices. By default, each VLAN maintains its own Layer 2 forwarding database that contains MAC addresses learned from packets received on ports belonging to the VLAN.
• Link aggregation provides a mechanism for combining multiple, physically separate layer 2 links as a single logical link. This helps enterprise data centers scale more bandwidth than a single Ethernet link can provide and saves on the expense of a higher-speed Ethernet link. This technology can also help enterprise data centers to provide redundant links for greater resiliency. Thus, data center managers can incrementally scale their investments by increasing utilization of existing resources while deriving increased security.
• GRE tunnels provide a mechanism for encapsulating and transporting a wide variety of network-layer protocol packets inside point-to-point tunnels. GRE provides a very simple method of transport of protocols over a network that needs to be transparent to the tunneled protocol. It is a foundation protocol for other tunnel protocols. For example, MPPE/PPTP uses GRE to form the actual tunnel. Although GRE has generic tunneling capability, its most common use is for tunnels that carry non-IP traffic over IP tunnels.
• MPLS label-switched paths (LSPs) are virtual paths established to transport MPLS packets between two MPLS routers. The logical separation between the MPLS paths ensures traffic segmentation.

Deployment Scenarios

Deployment Example 1: Merger and Acquisitions at a Bank

Background

Mega Bank, a very successful bank, acquires Regional Bank. Both banks have large networks. Mega Bank has been tasked to consolidate the new networks and for the interim, provide separation of traffic for the two banks until the organization is consolidated under one brand. Mega Bank’s customers benefit from rapid access to Mega Bank’s data regardless of where it is stored. Mega Bank’s key competitive advantage is its ultra-low network latency. Mega Bank wants to extend this competitive advantage to the merged organization.

Challenges

A) Legacy application requires expensive dedicated SONET transport and overlapping IP addresses

• To guarantee low network latency and high resiliency for a critical legacy software application, Mega Bank anticipates spending millions of dollars on dedicated SONET transport between the different data centers of the merged organization. Mega Bank wants high availability (HA) to this critical software, with zero downtime.
• Mega Bank requires guaranteed bandwidth to transport high-priority data between data centers, at specified times of the day. At other times, the data between the data centers is lower priority. Mega Bank is evaluating dedicated links between the data centers to carry the high-priority traffic.
• Mega Bank’s consolidated infrastructure has overlapping IP addresses, and changing the address space of Mega Bank or Regional Bank is expensive.

B) Regulatory compliance requires traffic segmentation

• To adhere to regulations, and to prevent different business units from overwhelming scarce network resources, the merged bank needs to maintain traffic and resource segmentation across specific departments.

C) Large volumes of unicast and multicast traffic need to scale

• Mega Bank’s consolidated network needs to transmit large amounts of unicast and multicast messages to many customers. To support the rapid growth of business, Mega Bank needs multicast technology that is highly scalable and reliable.


Solution

A) Eliminate the need for expensive dedicated SONET links and accommodate overlapping IP addresses with MPLS.

Figure 3, below, depicts the data centers of the merged bank interconnected, using a private cloud of Ethernet links that run private MPLS. The resulting cloud is called the “super core.” The “super core” gives the enterprise greater control over critical metrics, such as latency, that are a key competitive advantage. The dashed links highlight specific fast reroute redundant paths in the network used for failover traffic and can also be used for routing low-priority traffic. The other links are traffic-engineered private MPLS LSPs that carry traffic between the data center and the corporate office.

Figure 3: Example of MPLS super core between Mega Bank and Regional Bank

The inexpensive Ethernet links running MPLS offer a more cost-effective alternative to SONET links. MPLS offers the following as an alternative to SONET:

• Fault detection—through the use of Operation, Administration, and Maintenance (OAM) functionality such as BFD—detects any faults in the inter-data center links and uses fast reroute to switch to the alternate path within 50 ms, offering the same resiliency as SONET.
• Traffic Engineering (TE) and equal-cost multipath routing (ECMP) allow MPLS to route additional low-priority traffic over the protection link. In contrast, with SONET, the protection link is unused bandwidth.
• It provides the ability to establish LSPs dynamically between the data centers, when required, with guaranteed bandwidth. Thus, Mega Bank does not need dedicated links between the data centers to carry high-priority traffic at certain times in the day.
• TE guarantees bandwidth and QoS for the applications. Thus, the merged bank’s delay-sensitive applications—such as the legacy application and VoIP traffic—experience little latency, higher priority, and greater throughput.

By deploying private MPLS, Mega Bank can significantly reduce CapEx while simultaneously improving network resiliency and latency for the legacy software. Although Mega Bank achieves higher network resiliency through private MPLS, router failure—due to software or hardware faults—can adversely impact network access. The MX Series provides the following features to improve resiliency:

• Hardware resiliency, with Virtual Router Redundancy Protocol (VRRP), supports failover between routers.
• Software resiliency is provided through the “graceful restart” of routing protocols. This feature provides nonstop forwarding through individual routing protocol restart and re-convergence.

[Figure 3 contents: two Mega Bank data centers, the Regional Bank data center and the corporate WAN interconnected; applications engineered into LSPs across the MPLS super core; critical applications protected by fast reroute detour paths and secondary LSPs. Legend: dashed lines are specific fast reroute redundant paths used for failover traffic and/or low-priority traffic; the other lines illustrate primary traffic-engineered private MPLS LSPs between Mega and Regional.]


• Enhanced software resiliency for upgrades is available with unified ISSU. Without this feature, upgrading full software releases would require that the router be brought down during a scheduled maintenance window. Junos OS offers the ISSU feature that can provide for full software release upgrades while the router is still running.

So far, Mega Bank has improved network resiliency. Mega Bank’s next step is to merge Regional’s networks to ensure secure access to applications from anywhere in the Mega Bank network. The combined network has many overlapping IP addresses. MPLS can tunnel the packets to and from the overlapping IP address endpoints while providing traffic segmentation, thereby ensuring secure access to the applications.

B) Improve regulatory compliance with logical systems that provide routing segmentation and protection in the control plane; provide separate user access and permission per logical router.

Figure 4, below, shows a representation of a logical systems deployment in Mega Bank’s data center. In this figure, Mega Bank’s different banking divisions—that is, Merchant Banking, Personal Banking, Stock Trading, and Intranet—are separated by assigning each to a logical router within the logical system. Each logical router in the logical systems has separate user access and permission and hence can be managed independently of the other logical routers.

Figure 4: Example of logical systems deployed in a bank’s data center

Logical systems offer Mega Bank the following benefits:

• Increased privacy and security—Different business units are isolated so that their routing resources can be managed and operated independently. This compartmentalization improves privacy and security, facilitating greater compliance.
• Improved availability of critical services—The isolation of resources virtually eliminates the chances of other business units exhausting resources, such as routing entries, which are needed for critical business units.
• Easy manageability resulting in reduced OpEx—Logical systems provide easy manageability by consolidating the entities into one physical device. Software upgrades and physical device upgrades are no longer distributed, thereby reducing operating expenditure.
• Easy consolidation—The routes can have overlapping IP addresses across the logical routers in the logical systems. Thus, Mega Bank can merge business units of the acquired enterprise on the same network easily by separating routing resources to different logical routers in the logical systems.
• Reduced CapEx—The ability to use a single router as multiple routers improves asset utilization, enables improved network scalability, and enables lower capital expenditures.

C) Scale large unicast and multicast traffic volumes.

So far you have seen how different virtualization techniques help Mega Bank to meet its requirements for low latency, compliance, and reliability. Having resolved these concerns, the next section looks at how Mega Bank can focus on its core business services—including stock trading and investment banking—which involve getting up-to-the-microsecond market information to market participants. The bank’s trading network transmits millions of market messages in the course of a day.

[Figure 4 labels: single router virtualized as many routers; Merchant Banking, Personal Banking, Investment Banking, Stock Trading, and Intranet networks; virtualization through isolated routing and isolated configuration]


Figure 5, below, describes the multicast network at Mega Bank. Exchange-1 and Exchange-2 are primary trading centers located in Chicago and New York. The bank has customers with data centers—Customer-1 DC and Customer-2 DC—with corporate offices, Customer-1 Corp and Customer-2 Corp, respectively. Exchange-1 transmits multicast messages to Customer-1 DC and Customer-1 Corporation. Exchange-2 performs the same function for Customer-2 DC and Customer-2 Corporation. The customers place trades that are transmitted as unicast messages to the exchanges through the same network as that of the multicast messages. These unicast messages are unique to the specific trading needs of the customers and are key to providing Mega Bank with a competitive advantage. The unicast messages are delivered independent of multicast messages.

To sustain the competitive advantage, Mega Bank needs scalable multicast technologies to improve services for acquiring and retaining existing customers. Juniper’s virtualization infrastructure involves the use of MPLS-based point-to-multipoint (P2MP) that optimizes next-generation MVPNs (NG MVPNs). NG MVPNs mitigate the scalability problem by intelligently leveraging adjacencies that exist in the MPLS network. This eliminates the need for every router to maintain separate adjacency information with every other router that participates in the MVPN. P2MP also brings other benefits—bandwidth reservation that guarantees QoS, fast reroute and OAM that guarantee HA, and deterministic routing. Through the use of NG MVPNs, Mega Bank can provide a variety of services—such as video on important market events and market messages—in a timely manner to its customers.

Figure 5: Multicast in financial markets (Exchange-1 is Chicago; Exchange-2 is New York)

Mega Bank’s competitive advantage also depends on its ability to offer services without any disruption. To provide reliable services, the P2MP technology maintains two distinct multicast trees. A multicast tree is a logical topology of nodes that is built to transmit multicast messages to the participating nodes. With redundant trees there are two distinct paths to reach the destination nodes. When there is performance degradation on one tree, traffic can be sent through the other tree. The maintenance of redundant trees is very inexpensive in resources because P2MP technology eliminates the need to maintain adjacencies and is easy to manage. Thus, the financial institution can be assured of timely delivery of the millions of market messages across the large organization to its customers.

Note that Juniper supports other multicast technologies in addition to P2MP.

[Figure 5 labels: Customer-1 DC, Customer-2 DC, Customer-1 Corporate, Customer-2 Corporate, Mega Bank, Exchange-1, Exchange-2, Financial Institutions; New York primary and redundant, Chicago primary and redundant; direct links. Legend: unicast traffic from financial institution back to exchanges; multicast traffic from exchanges to financial institutions]


Summary

• The traffic-engineered virtual network provides resiliency and guarantees quality, thereby improving the company’s competitiveness with improved business continuity and agility.

• The organization has protected its initial investment by investing in Juniper’s scalable technology and can scale the network gradually.

• The virtualization techniques, in the form of logical systems and MPLS, create a transparent infrastructure that also provides security without the need for physically separate networks—thereby simplifying operations and reducing OpEx.

• NG MVPN technologies can help create and sustain a competitive advantage by dramatically improving scalability and reliability.

Deployment Example 2: Scaling the Network for Web 2.0 Applications

Background

An enterprise supporting a large Internet portal—for example, with Web 2.0 applications—can have hundreds of multi-tiered (n-tiered) applications with complex interconnections between clients, database servers, firewalls, storage, and other devices. Over time, as the traffic grows, interconnections based upon a traditional physically layered architecture become increasingly complex and create scaling challenges, as shown in the left portion of Figure 6.

Challenges

A) Users require rapid, secure access to large volumes of distributed data for multi-tiered applications

• The rapid growth of the data center, to support large volumes of data, has led to an explosion in the number of data center devices to manage. The devices include many database servers, firewalls, application servers, Web servers, storage, etc. This proliferation of devices has created challenges for users being able to quickly and securely access large volumes of data across the network.

• The traditional architecture—as shown in Figure 6—has database, Web, DMZ, and application servers that are clearly demarcated in different network topologies. This architecture poses many challenges:

  - Increased CapEx—The software and network architecture are tightly coupled. Because of this tight coupling, the deployment of traffic-intensive applications, such as video, requires upgrades to the network. These upgrades include the addition of network devices, IP address allocation, and data center internal forwarding.

  - Increased latency—Database, Web, and application accesses are slower because of numerous physical firewalls and network devices.

  - Increased OpEx—Troubleshooting and the management of devices are complicated because of the myriad of devices in the data center. Everyday operational tasks—such as patching software, detecting faults, and migrating software—become more problematic.


Figure 6: Traditional versus virtual application architecture

In Figure 6 above, the left diagram shows the traditional, physical multi-tiered layering of applications and security. The right diagram shows how a simplified application architecture with network virtualization reduces complexity and improves network utilization.

B) The large number of interconnections using the traditional, layered physical data center architecture leads to network utilization inefficiencies.

• Fifty percent of links are used for switch-to-switch connectivity, and the Spanning Tree Protocol blocks half of those links—thus resulting in only 25 percent active links being available for inter-switch connectivity.

Solutions

A) Improve secure access to large volumes of distributed data, by moving from a traditional, layered physical architecture to a virtual architecture.

The simplified virtual architecture, shown on the right of Figure 6, decouples the network architecture from the application deployment architecture. Any-to-any connectivity is provided between the end users and application services. This is achieved with the introduction of a virtualization layer that essentially decouples the network resources and the application services. This decoupling allows applications to be transparent to the underlying network resources. Moreover, once decoupled, network service virtualization can be mapped into virtual security “zones” or “trust zones” in the SRX Series platforms, providing the same or a higher level of security than the traditional architecture.

Figure 7, below, illustrates a simplified data center, where the network resources and applications are decoupled.

[Figure 6 labels: traditional data center architectures and secure layering (DMZ, Web, App, DB tiers) versus next-generation “virtual” data center architecture with a network virtualization layer; architecture simplification through consolidated firewalls (SRX5800) and consolidated scalable, high-performance routers (MX960); EX4200 access switches; DMZ, Exnet, Web, Apps, AAA, NOC, DB, NAS]


The figure illustrates two MX Series routers in the consolidated core layer of the enterprise data center connected to two SRX Series platforms that have many virtual security services that can be configured into independent security zones. The MX Series routers are connected to top-of-the-rack Juniper Networks EX Series Ethernet Switches in the access layer, which in turn aggregate the servers in the data center. The top-of-the-rack EX Series is configured to use its Virtual Chassis technology. The WAN edge connects the data center to the outside world and is composed of two Juniper Networks M Series Multiservice Edge Routers.

Figure 7: Mapping VRFs to security zones

In Figure 7, the virtual security zones are indicated by Firewall #1, NAT #1, IPS #1, etc. on the SRX Series. The VRFs are indicated by VRF #1 and VRF #2 on the Juniper Networks MX960 3D Universal Edge Router. VRF #1 is mapped to security zones Firewall #1, NAT #1, and IPS #1. VRF #2 is mapped to Firewall #2 and NAT #2. Two MX960 routers are shown to indicate HA between these devices.

Data for the different departments (for example, human resources, finance, or guest) is hosted in different data center servers. The traffic to and from the departments is separated by different VPNs. A VRF can be configured to send specific VPN traffic to virtual security zones that contain IPS, NAT, firewall, etc. in the SRX Series. Other VPN traffic can be directed to the respective destination without further processing. The SRX Series can have several security zones (that is, virtualized firewall, IPS, etc.) that can apply specific policies for the VPN traffic. The VPN traffic can traverse multiple security zones inside the SRX Series before being sent to its destination VPN.

[Figure 7 labels: WAN edge (M Series); consolidated core layer (MX960 with VRF#1 and VRF#2); access layer VLANs (EX4200 Virtual Chassis) for the HR, Finance, and Guest departments; IP VPN, trunk VPN, and server VLAN; SRX5800 mapping VRFs to security zones Firewall#1, IPS#1, NAT#1, Firewall#2, IPS#2, and Firewall#3. Legend: mapping of VLANs to security zones; map VRFs on core to routing instances on SRX Series; establish adjacency between VRFs on core; traffic between networks runs through SRX Series by default, or is filtered on MX Series]


Network service virtualization also offers the following benefits:

• Simplified management resulting in reduced OpEx—The management of VPNs and the network services is easy because of centralization of the services. The services can be logically separated for the VPNs and for each security zone. This simplification means reduced cost.

• Reduced CapEx—Fewer physical network devices are now required with virtualization.

• Flexibility of services—The layering of different services provides an easy mechanism for extending functionality for the VPNs.

B) Improve network utilization with a collapsed 2-tier network architecture.

Despite the previously described benefits, network service virtualization does not address poor network utilization within the data center, due to the large number of network devices and associated inter-switch connectivity. To address this challenge, the MX Series routers provide a high-performance and dense port routing platform, enabling a collapsed 2-tier network architecture. Traditional data center design comprises three layers—access, aggregation, and core. The MX Series reduces the number of required devices by collapsing the core and aggregation layers, and by consolidating WAN edge functionality. Further, the top-of-the-rack EX Series switches in the access layer—through the use of Virtual Chassis technology—can minimize the number of nodes in the access layer and provide for consolidated 10G uplinks to the MX Series routers. This 2-tier architecture eliminates many nodes in the data center and reduces inter-switch connectivity, thereby improving utilization and also reducing network latency.

However, the enterprise is still faced with low utilization of links stemming from blocked spanning tree links. To address this challenge the enterprise can adopt VPLS technology, which permits full utilization of links.

Summary

• Juniper’s virtualization architecture ensures that the software services running on the server can be completely transparent to the underlying technology changes.

• Transparency is achieved by maintaining the logical multi-tiered application architecture intact but hiding the underlying network architectural changes through virtualization. This architecture allows better scalability in a growing data center.

• Additional security services can be layered easily, providing for a flexible design.

Deployment Example 3: Securing and Migrating Data in Health Care

Background

A large hospital system requires rapid access and High Availability (HA) for large volumes of patient, imaging, and administrative data for clinics throughout the hospital system. HA is currently achieved by having two colocated data centers, mirroring, and load-balancing data. The hospital must ensure that sensitive patient data is secure, to comply with government privacy and security regulations.

Challenges

A) Expensive dedicated links with low utilization are used to guarantee bandwidth to critical applications

• Forty separate 10G links between the two data centers are deployed to guarantee bandwidth for different applications, and only 1 percent of the bandwidth of each 10G link is used. The dedicated links are used for data migration between the data centers and are expensive to maintain. This is based upon a true story!

• The data migration requires two servers to be in the same LAN. Running layer 2 Spanning Tree Protocol between the two data centers is inefficient because of its convergence time.

B) Health care organizations require high security for regulatory compliance

• Hospital users access very sensitive data from the data center. Hence, the hospital must provide secure transport of the data.

C) The hospital has experienced security attacks

• Although the hospital has implemented safe zones to isolate other traffic from sensitive patient data, the data center has experienced attacks from worms and malware, periodically disabling access to critical data.


Solution

A) Improve network utilization, cost savings, and security by migrating to a virtualized environment with MPLS and VPLS.

Figure 8 shows two colocated data centers that are connected via an MPLS core network. The VMotion virtual network is used to migrate data between the two data centers. Each of the two data centers has several hypervisor virtual servers, SAN, etc. These are connected to the EX Series deployed in a Virtual Chassis environment. The MX Series is connected to the EX Series and is in the core of the network. The M Series is deployed in the WAN edge and provides connectivity for the data center to the outside world. The figure also depicts VRRP for the MX Series routers across the two data centers.

Figure 8: Server live migration of data between two colocated data centers

VMotion software needs layer 2 connectivity between the data centers, so that data can migrate live between data centers. To support the VMotion migration, the hospital has dedicated layer 2 links between the two data centers for the different departments such as account services, emergency care, radiology, lab services, and cardiology. This ensures that the different departments always have the necessary bandwidth for their data migration. Since the data migration on the independent links does not consume much bandwidth, the links are underutilized—resulting in huge OpEx for maintaining layer 2 connectivity between the data centers.

A better alternative that provides layer 2 connectivity between the data centers is to use VPLS between the two MX Series devices in the two colocated data centers. The VPLS can be set up to transport only traffic on specific VLANs. Thus, only specific hypervisors that need to be migrated must be part of the VPLS domain, and all other traffic remains unaffected. VPLS not only emulates a layer 2 switch in the WAN but also runs on a private MPLS backbone. Private MPLS allows the hospital to take advantage of advanced routing features, such as TE. Traffic engineering allows the hospital to optimally allocate bandwidth for the different departments without the need for dedicated layer 2 links.

[Figure 8 labels: Data Center 1 and Data Center 2, each with a virtual server, VirtualCenter, SAN, EX Series Virtual Chassis, and MX Series; MPLS core with VRRP; M Series at the WAN edge. Legend: production network, VMotion network, storage network, service OS network. Notes: virtual machines traverse the path created by L2 VPN/VPLS; guaranteed bandwidth and low latency across the WAN for VMotion traffic (can be routed); configuration and bitmap traffic flows over the VMotion network; L2 connectivity must exist across data centers as the default gateway of the VM did not change; GSLB/BGP should immediately point traffic to the other DC (in a disaster)]


Besides traffic engineering, MPLS also offers the logical separation between the different departments—providing the same level of privacy that was achieved using physically separate links. Thus, VPLS provides enhanced security for different departments while reducing CapEx and OpEx by migrating traffic to the private MPLS backbone network.

B) Provide secure data transport with encryption.

The logical separation of data transport, in itself, does not make the data invisible to any node in the WAN network—and this can compromise patient privacy and regulatory compliance. To address this security challenge, the hospital can encrypt sensitive data, using IPsec offered in the Multiservice Dense Port Concentrator (MS-DPC), while transmitting data between the data center and the hospital through the MPLS cloud.

Figure 9: Encrypted transport of data between the data center and hospital

Figure 9 shows MX Series routers securely forwarding traffic, indicated by the solid line, between the hospital and the data center using IPsec encryption. All other non-sensitive traffic, indicated by the dashed line, is unencrypted. The encrypted and unencrypted traffic are tunneled through MPLS LSPs. The MX Series supports an MS-DPC that can selectively encrypt traffic. This form of selective encryption is important to a large enterprise, such as the hospital, where performance must not degrade as traffic is encrypted.

C) Secure data center resources.

In addition to securing data during transport, resources in the data center must also be secured. Malicious software can infect servers, making it impossible to access valuable information in a timely manner. To address these security exposures, the MS-DPC offers comprehensive security by leveraging multiple detection mechanisms—including signature detection, protocol anomaly detection, and traffic anomaly detection; and these security features can even thwart attacks that have not been seen before.

In addition to identifying viruses and attacks, the MS-DPC supports Dynamic Application Awareness (DAA), which enables accurate detection and reporting of bandwidth volume used by applications such as social networking, peer-to-peer, or instant messaging. With improved visibility of applications’ behavior, administrators can improve capacity planning or use QoS to apply policies on specific traffic. For example, specific application traffic can be blocked or given high priority to meet business or regulatory compliance.

Summary

• The flexibility of virtualization allows customers to improve link and network utilization.

• Application software, such as VMotion, is not impacted by the architectural change since virtualization provides transparency of the underlying network infrastructure.

• The ability to easily layer security services such as stateful firewall and IPsec over the virtualized network provides not only data privacy but also secures the enterprise.

• The virtualization techniques allow the enterprise to scale infrastructure without impacting performance.

[Figure 9 labels: hospital, data center, private MPLS; decrypted traffic, unencrypted traffic. Legend: MPLS LSP carrying unencrypted traffic; MPLS LSP carrying IPsec encrypted traffic; unencrypted or decrypted traffic]


Deployment Example 4: Simplifying Security and Services Using Enterprise-Wide Virtualization

Background

A large enterprise has a rapidly growing business. To support this growth the enterprise has created many divisional branches and data centers throughout the country that are interconnected by a large network cloud that is a “safe zone”, as shown in Figure 10. Security devices that reside in the perimeter of the cloud inspect all traffic to the cloud. Data communication is only between nodes and applications that belong to “silos” of the same type. The enterprise has three types of silos—sensitive, public, and management. Silos can be categorized based on traffic or user access privileges or other metrics. There is no access between silos of different types.

Challenges

A) The proliferation of security devices has resulted in complex network management of security policies, causing security holes

• The number of new “silos” and access points to the cloud has been steadily increasing. This increase has resulted in more firewalls in the perimeter, raising the complexity of network management.

• Most restrictions to accesses are enforced using ACLs. With the proliferation of access points, the ACLs have become unmanageable because of a large number of complex ACL entries. The ACL entries and security policies must be maintained consistently across security devices serving the same destination.

Figure 10: Safe zone cloud controls access between branch offices and data centers by using firewalls

Figure 10 shows headquarters, multiple divisional branches, and data centers interconnected using the safe zone cloud. The perimeter of the cloud consists of several firewall devices that restrict entry into the cloud and ensure that accesses are between similar silos. Data to and from San Francisco can traverse via nodes Denver and Dallas to reach the headquarters.

Multiple paths through the safe zone pose a challenge. The challenge is to ensure that the firewalls in the perimeter of the cloud have identical security policies. If the security policies are not identical, the traffic from the source to the destination might receive unequal treatment in the two paths. For example, traffic through Denver has access to more nodes in the safe zone than that through Dallas. This indicates that traffic from unauthorized sources might travel to the destination. To prevent this breach of security, nodes in the safe zone have to implement identical ACL policies to restrict access. Thus, an increase in the number of access points raises the complexity of managing security policies.
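One way to audit the situation described above, as an added example that is not part of the original paper: a small Python script that evaluates each perimeter firewall's ACL (first-match, implicit deny) for every pair of silo prefixes and reports both the paths that disagree and any permitted flow between silos of different types. The device names, prefixes, silo assignments, and rules below are constructed for illustration.

```python
"""Audit perimeter firewalls on parallel paths into a safe zone.

Two checks on the same rule sets:
  1. inconsistent-policy: the firewalls reachable by the same source and
     destination (for example, Denver and Dallas) make different decisions.
  2. cross-silo-access: some firewall permits traffic between silos of
     different types, which the enterprise policy forbids outright.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import permutations


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: IPv4Network   # source prefix matched by the ACL entry
    dst: IPv4Network   # destination prefix matched by the ACL entry


ANY = ip_network("0.0.0.0/0")


def decide(acl, src, dst):
    """First-match ACL evaluation with an implicit deny at the end.

    src and dst are the silo prefixes of the two communicating endpoints;
    an entry matches when both prefixes fall inside the entry's prefixes.
    """
    for rule in acl:
        if src.subnet_of(rule.src) and dst.subnet_of(rule.dst):
            return rule.action
    return "deny"


def audit(firewalls, silo_of):
    """Return a list of findings over every ordered pair of silo prefixes.

    firewalls: {device name: [Rule, ...]} for each perimeter device on a
               parallel path between the same sources and destinations.
    silo_of:   {prefix: silo type} inventory of endpoints.
    """
    findings = []
    for src, dst in permutations(silo_of, 2):
        decisions = {name: decide(acl, src, dst) for name, acl in firewalls.items()}
        # Check 1: every path must treat this source/destination identically.
        if len(set(decisions.values())) > 1:
            findings.append(("inconsistent-policy", src, dst, decisions))
        # Check 2: nothing may be permitted between silos of different types.
        permitted_by = sorted(n for n, d in decisions.items() if d == "permit")
        if permitted_by and silo_of[src] != silo_of[dst]:
            findings.append(("cross-silo-access", src, dst, permitted_by))
    return findings


# Constructed inventory (hypothetical addressing): prefix -> silo type.
SF_SENS, SF_PUB = ip_network("10.1.0.0/24"), ip_network("10.1.1.0/24")
HQ_SENS, HQ_PUB, HQ_MGMT = (ip_network("10.9.0.0/24"),
                            ip_network("10.9.1.0/24"),
                            ip_network("10.9.2.0/24"))
SILO_OF = {
    SF_SENS: "sensitive",   # San Francisco data center, sensitive silo
    SF_PUB: "public",       # San Francisco data center, public silo
    HQ_SENS: "sensitive",   # headquarters, sensitive silo
    HQ_PUB: "public",       # headquarters, public silo
    HQ_MGMT: "management",  # headquarters, management silo
}

# Constructed ACLs for the two perimeter firewalls on the parallel paths.
FIREWALLS = {
    "denver": [
        Rule("permit", SF_SENS, HQ_SENS),
        Rule("permit", SF_PUB, HQ_PUB),
        Rule("permit", SF_PUB, HQ_MGMT),   # stale entry: public silo reaches management
        Rule("deny", ANY, ANY),
    ],
    "dallas": [
        Rule("permit", SF_SENS, HQ_SENS),  # public-to-public entry was never replicated here
        Rule("deny", ANY, ANY),
    ],
}


def run_sample():
    """Audit the constructed topology; expected: 2 inconsistencies, 1 cross-silo hole."""
    return audit(FIREWALLS, SILO_OF)


if __name__ == "__main__":
    for kind, src, dst, detail in run_sample():
        print(f"{kind}: {src} -> {dst} ({SILO_OF[src]} -> {SILO_OF[dst]}): {detail}")
```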

[Figure 10 labels: enterprise/branch, extended enterprise, San Francisco data center, headquarters, access; safe zone with Denver and Dallas nodes; SRX Series at the perimeter; management, sensitive, and public silos]


B) The traditional design, separating accesses through GRE tunnels, has resulted in a non-scalable architecture

• After authentication, the users are assigned to specific VLANs—based on their privilege—that are mapped into GRE tunnels. Thus, the enterprise has as many GRE tunnels as there are privileged access groups. To secure the network, each GRE tunnel has a dedicated firewall. The resulting topology has hundreds of GRE tunnels and firewall devices that terminate at a central router. The number of GRE tunnels increases with the number of privilege levels, posing serious scalability challenges for the enterprise.

Solution

A) Enhancing security and simplifying network management through enterprise-wide virtualization.

To address this network management challenge, the enterprise can deploy private MPLS between the different endpoints in its network. This connectivity through the safe zone eliminates complex ACLs at different points in the safe zone. This move reduces CapEx by consolidating firewall functionality closer to the destination and reduces OpEx by eliminating the need to maintain consistent firewall policies along different paths between the source and destination.

Besides reducing OpEx, MPLS VPN can be used to interconnect similar “silos.” The MPLS VPNs completely segment accesses between different silos. This form of traffic segmentation is crucial to maintaining privacy and security of the different silos.

This end-to-end segmentation also gives the enterprise flexibility to outsource the tunneling of MPLS VPNs through carriers. This reduces not only OpEx, but also reduces CapEx by allowing the enterprise to purchase fewer tunnels from the carrier while maintaining control of the segmentation of traffic.

Figure 11, below, shows the modified network that has a private MPLS network. The L3VPNs connect “silos” of the same type. The routers in the enterprise behave as provider edge routers because they tunnel all the L3 VPNs, originating in the enterprise, through another MPLS tunnel or using GRE. This tunneling is done through the Internet/WAN cloud, which is a simplified safe zone. The user authenticates via 802.1x and is automatically placed into the designated VLAN. The VLAN is mapped to the L3 VPN or VPLS instance.

Figure 11: Private MPLS interconnecting similar “silos”

[Figure 11 labels: extended enterprise, data center, distributed enterprise/branch campus, remote user; Internet/WAN with PE routers (M Series); SRX Series at each site; management, sensitive, and public silos]


B) Replacing GRE tunnel infrastructure with MPLS VPN.

To address the scalability concern, the enterprise can deploy a private MPLS cloud that provides MPLS routing instead of the GRE tunnels to separate accesses between the silos.

After authentication, the users are mapped to designated VLANs as before. However, the VLANs are mapped to VRFs and are routed inside the private MPLS cloud. The private MPLS cloud allows the enterprise to route selected traffic to a location with a centralized firewall such as the SRX Series.

The enterprise benefits from:

• Greater scalability of infrastructure than can be achieved using a GRE tunnel infrastructure

• Simplified management of firewall devices because of centralization of firewalls

• Enhanced security due to consistent firewall policies in the enterprise network

Summary

• The enterprise can provide the necessary privacy and security in the network using MPLS.

• The network is more scalable because the number of firewalls to manage has been dramatically reduced.

• MPLS provides a resilient architecture by working with fast reroute and BFD—services are available around the clock.

• The architecture provides flexibility by allowing enterprises to outsource a portion of the services while maintaining control of key infrastructure.

Conclusion

Enterprises are increasingly being challenged to support and upgrade their network infrastructure, as they respond to new business demands and increased competitive pressures. Network virtualization, from Juniper, provides a substantial toolset to support and upgrade the network. At the same time, it improves cost savings and operational efficiencies. Enterprises reap numerous benefits from virtualization—increased privacy, improved security, increased velocity for application deployment, or improved regulatory compliance. Juniper provides a very comprehensive approach to network virtualization by offering a myriad of virtualization technologies that can work together or by themselves. Moreover, Juniper uniquely offers these virtualization features in Junos OS—one OS and one release working across Juniper Networks MX Series 3D Universal Edge Routers.


2000342-002-EN May 2010

Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.


Glossary

TECHNOLOGY: DESCRIPTION

Bidirectional Forwarding Detection (BFD): BFD is a network protocol used to detect faults between two forwarding engines connected by a link. It provides low-overhead fault detection even on physical media that do not support failure detection of any kind, such as Ethernet, virtual circuits, tunnels, and MPLS LSPs.

Dense Port Concentrator (DPC): The line card used in Juniper Networks MX Series routers.

Equal-Cost Multipath (ECMP): ECMP is a routing strategy in which next-hop packet forwarding to a single destination can occur over multiple "best paths" that tie for top place in routing metric calculations.

Multiprotocol Label Switching (MPLS): MPLS is a highly scalable, protocol-agnostic, data-carrying mechanism. In an MPLS network, data packets are assigned labels, and packet-forwarding decisions are made solely on the contents of the label rather than on IP addresses, without the need to examine the packet itself.

Virtual Private LAN Service (VPLS): VPLS stretches a VLAN across multiple locations, providing Layer 2 connectivity between them.

Virtual Router Redundancy Protocol (VRRP): VRRP is an open-standards first-hop redundancy protocol that provides the same function as the proprietary HSRP.

Traffic Engineering (TE): TE provides bandwidth guarantees on MPLS networks.

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.