WHITE PAPER
Copyright © 2010, Juniper Networks, Inc. 1
EXTENDING THE VIRTUALIZATION ADVANTAGE WITH NETWORK VIRTUALIZATION
Virtualization techniques in Juniper Networks MX Series 3D Universal Edge Routers
WHITE PAPER - Extending the Virtualization Advantage with Network Virtualization
Table of Contents
Executive Summary
Introduction: Industry Trends and the Need for Virtualization
Juniper’s Approach to Network Virtualization
Virtualization Technologies for MX Series 3D Universal Edge Routers
Deployment Scenarios
Deployment Example 1: Merger and Acquisitions at a Bank
Deployment Example 2: Scaling the Network for Web 2.0 Applications
Deployment Example 3: Securing and Migrating Data in Health Care
Deployment Example 4: Simplifying Security and Services Using Enterprise-Wide Virtualization
Conclusion
Glossary
About Juniper Networks
Table of Figures
Figure 1: Summary of required attributes necessary for virtualization
Figure 2: Virtualization technologies in MX Series 3D Universal Edge Routers
Figure 3: Example of MPLS super core between Mega Bank and Regional Bank
Figure 4: Example of logical systems deployed in a bank’s data center
Figure 5: Multicast in financial markets Exchange-1 is Chicago—Exchange-2 is New York
Figure 6: Traditional versus virtual application architecture
Figure 7: Mapping VRFs to security zones
Figure 8: Server live migration of data between two colocated data centers
Figure 9: Encrypted transport of data between the data center and hospital
Figure 10: Safe zone cloud controls access between branch offices and data centers by using firewalls
Figure 11: Private MPLS interconnecting similar “silos”
List of Tables
Table 1: Business Trends, Network Impact, and Technologies to Minimize Adversities to the Network
Table 2: Virtualization Characteristics
Table 3: Summary of Benefits of VR, VRF-Lite, and Logical Systems
Executive Summary
This paper discusses the numerous virtualization technologies in Juniper Networks® MX Series 3D Universal Edge
Routers, and Juniper’s network virtualization strategy and virtualization solutions. It also provides specific examples on
how network-based virtualization helps achieve business goals.
Today’s competitive environment and economy are driving organizations to respond to ever-increasing business
challenges—while reducing cost and improving operational efficiency—at unprecedented levels. Many enterprises have
responded to the business challenges by commonly deploying virtualization tools—such as storage, server, or desktop
virtualization—which share assets across applications, departments, groups of users, etc. Virtualization facilitates a
higher utilization of resources, resulting in greater asset efficiency and cost savings.
Leading organizations are extending those virtualization advantages, with the addition of network virtualization. There
are many key enterprise business requirements that are driving the need for network virtualization:
• Establish traffic segmentation and improve privacy
• Increase network resiliency
• Improve network scalability and performance
• Improve security
• Rapidly deploy new services and applications
• Improve end user application performance
• Adhere to regulatory compliance
Some enterprises are even taking network virtualization further by building their own virtualized cloud infrastructure,
rather than purchasing from their providers. The numerous virtualization technologies make it possible to build this
virtualized network infrastructure.
Juniper offers a myriad of network virtualization technologies and uniquely offers them in one OS—with Juniper
Networks Junos® operating system, running consistently across Juniper’s routing platforms:
• Network Service Virtualization
- Virtualizes network services—such as L2VPN, L3VPN, VPLS, and pseudowire—and offers many options for secure
virtual connectivity
- Virtualizes the transport of traffic with MPLS—and improves network utilization, scalability, and resiliency
• Chassis Virtualization
- Simplifies manageability by providing a unified control plane
- Improves resource utilization and scalability
- Improves resiliency by providing stateful redundancy
• Device Virtualization
- Improves routing utilization and simplifies configuration by managing virtual independent routers or physical interfaces
• Link Virtualization
- Improves link utilization, control, and security
This white paper concludes with use cases and examples across different enterprises such as financial institutions,
hospitals, Internet portals, and large enterprises with many divisional offices. The use cases are:
• Deployment Example 1: Merger and Acquisitions at a Bank
• Deployment Example 2: Scaling the Network for Web 2.0 Applications
• Deployment Example 3: Securing and Migrating Data in Health Care
• Deployment Example 4: Simplifying Security and Services Using Enterprise-Wide Virtualization
Introduction: Industry Trends and the Need for Virtualization
Today’s new economic realities have increased the need to improve an organization’s competitive advantages,
irrespective of whether the organization is a financial, government, service, manufacturing, public utility, or health
care concern. A change to improve a competitive advantage—such as mergers, acquisitions, or divestitures—has direct
implications on the network, which many times translate into costly and disruptive upgrades. Juniper strives to help
customers save costs and improve operational efficiencies with network virtualization, which offers the ability for
customers to nimbly implement a key business initiative—such as mergers, acquisitions, or divestitures—without a
disruptive network upgrade or costly change to their physical network.
Table 1 shows some key business trends, the impact on the network, and virtualization technologies that can be
applied. Detailed descriptions of the virtualization technologies are discussed in the next section.
Table 1: Business Trends, Network Impact, and Technologies to Minimize Adversities to the Network

Business trend: Data center consolidation
Network impact: The need to reduce CapEx and OpEx is driving enterprises to consolidate data centers. Consolidation can sometimes place additional pressures on the WAN infrastructure, potentially translating into additional WAN costs or deterioration of the end user application experience.
Technology: Virtualized transport using MPLS and VPLS can reduce the number of required links; improve the end user experience with traffic engineering; and provide resiliency with carrier-class high availability (HA) features.

Business trend: Compliance
Network impact: Enterprises that adhere to regulatory compliance look for efficient ways to separate traffic and services of the different business groups or sensitive data and applications across their network infrastructure. Enterprises also need to easily classify and analyze traffic patterns for forensics. Many enterprises have deployed physically separate networks for compliance—and this becomes cost prohibitive over time.
Technology: Enterprises can use MPLS for traffic segmentation—and the benefits are improved resiliency, privacy, and security.

Business trend: Business continuity
Network impact: Enterprises have built their competitive advantages with critical data, and many want to protect their business by deploying data in colocation data centers. Network resiliency across data centers then becomes increasingly important.
Technology: Technologies such as VPLS provide the ability to migrate traffic across colocation data centers, thereby ensuring business continuity without the overhead of maintaining separate data migration links.

Business trend: Business agility
Network impact: Increased competition is driving enterprises to respond quickly to changes in the market. For many organizations, increasing resiliency or reducing network latency equates to a competitive advantage.
Technology: MPLS TE (Traffic Engineering) provides mechanisms to improve application performance. MPLS also provides rapid resiliency, with Bidirectional Forwarding Detection (BFD) and MPLS fast reroute, which is critical to support business agility.

Business trend: Outsourcing and remote access
Network impact: Many enterprises employ outsourcing and remote workers for specialized skills. This trend increases reliance on the public Internet, which can expose an enterprise to security risks.
Technology: Encrypting traffic using IPsec before transporting it over MPLS is a way of providing secure transport over a virtualized network to both remote workers and outsourced companies.
Juniper’s Approach to Network Virtualization
We find that the most effective network virtualization solutions encompass the following strategic attributes, as shown
in Figure 1. These attributes are encompassed in MX Series virtualization technologies.
Figure 1: Summary of required attributes necessary for virtualization
Table 2: Virtualization Attributes

Virtualization attribute: Rationale
High scalability: The technology must be readily scalable from modest traffic rates of a few Gbps to aggregate throughput of several 100 Gbps. The number of logical ports that can be supported, for example, must also scale dramatically to support a large number of applications and devices.
Transparency: Virtualization features must be implemented so that any change to the underlying virtualized network is completely transparent to applications.
Security: Security must be enhanced using a combination of countermeasures such as separation of traffic for privacy, and techniques to provide both network-layer and application-layer security.
Resiliency: The technology must provide not only hardware redundancy but also network and software redundancy. Nonstop routing (NSR) provides redundancy. Moreover, software must be easily upgradable with unified in-service software upgrade (ISSU) for major software releases.
Flexibility: Business goals are constantly changing, and enterprises need technology that can be easily and cost-effectively adapted to suit new business requirements.
(Figure 1 contents: the MX Series Cloud surrounded by its required attributes: Transparent, Secure, Resilient, Flexible, High-Performance, Scalable.)
Virtualization Technologies for MX Series 3D Universal Edge Routers
The MX Series has a myriad of virtualization features and technologies, as shown in Figure 2, to address enterprise data
center requirements for Network Service, Chassis, Device, and Link Virtualization. These features can be
used individually or in combination to complement one another. It is not sufficient that there is a myriad of features,
but it is also equally important that these features are implemented consistently in Junos, in one OS, across Juniper’s
routing platforms—on top of Juniper’s advanced routing silicon, enabling a collapsed 2-tier data center architecture.
Figure 2: Virtualization technologies in MX Series 3D Universal Edge Routers
Network service virtualization—MPLS improves network utilization, scalability, and resiliency by virtualizing
the transport of traffic. Virtualized network services—such as L2VPN, L3VPN, and VPLS—increase secure virtual
connectivity options and can run on top of MPLS. All discussions in this paper focus on private MPLS rather than
provider-managed MPLS. Private MPLS refers to the MPLS network that is owned and managed by enterprises. That
is, the enterprise performs and manages its label switching. Provider-managed MPLS is an MPLS network that is
purchased by enterprises, from service providers, but is owned and managed by service providers.
• MPLS network virtualization enables the physical network to be configured and operated as many separate virtual
networks. The resulting benefits are cost savings, improved privacy through traffic segmentation, improved end user
experience with traffic engineering and quality of service (QoS), and improved network resiliency with functionality
such as fast reroute and BFD.
• Layer2VPN offers layer 2 services over MPLS to build point-to-point connections that connect different sites.
L2VPNs are used to transport layer 2 packets across MPLS networks without any discovery of layer 3 information
of the networks in the VPN. The technology allows data centers to transport their legacy L2 services—such as
ATM over an IP/MPLS network—minimizing CapEx. The technology can also be used to transport Ethernet, allowing
increased scalability.
• L3VPN provides private links between data center sites that share layer 3 infrastructure. A layer 3 VPN discovers
routes within the network that the VPN interconnects. For example, by mapping L3VPNs to virtual security “zones”
in advanced firewalls, such as Juniper Networks SRX Series Services Gateways, customers can layer many security
policies selectively on the traffic.
• VPLS provides Ethernet-based point-to-multipoint (P2MP) communication over IP/MPLS networks. It allows
geographically dispersed data center LANs to connect to each other across an MPLS backbone while still
maintaining L2 connectivity. In other words, VPLS creates a virtual network, giving the perception to the constituent
nodes that they are on the same Ethernet LAN. VPLS can therefore provide an efficient and cost-effective method
for data migration across enterprise data centers.
(Figure 2 contents: Network Service Virtualization: MPLS, providing privacy, traffic engineering, scalability and resiliency; L2 VPN (L2 point-to-point); VPLS (L2 point-to-multipoint); L3 VPN (L3 multipoint-to-multipoint); MPLS LSP (traffic segmentation). Chassis Virtualization (many-to-one): Virtual Chassis, providing resiliency, simplified configuration, service scalability and physical port scalability. Device Virtualization (one-to-many): Virtual Router (scalable routing separation), VRF Lite (routing separation), Logical Systems (routing and management separation), Bridge Group (simplifies configuration), Virtual Switch (scalable switching separation). Link Virtualization: VLAN (traffic segmentation), LAG (scale bandwidth), GRE tunnel (non-IP traffic).)
VPLS can help data center managers migrate data between specific servers in colocated data centers. Enterprises
no longer need dedicated layer 2 links between the data center, thus saving CapEx. Note that the ability to selectively
apply VPLS to specific VLANS is crucial to most enterprises that are interested in migrating only specific application
data and not all the data in the data center—and this enables greater scalability of the data center infrastructure.
Chassis Virtualization (Many-to-One Virtualization): Virtual Chassis technology allows up to eight interconnected
physical chassis to be monitored and managed as a single logical device. MX Series Virtual Chassis uses normal data
ports to interconnect physical chassis. The benefits of Virtual Chassis are:
• Simplifies manageability: Provides a unified control plane for all the physical chassis.
• Improves resource utilization and scalability: Intelligently utilizes line interfaces and service line cards on physically
different chassis. Customers can thus benefit from a “pay-as-you-grow” model.
• Improves resiliency and protects user sessions: Protects sessions across physical chassis, line card or port failure,
using stateful redundancy.
Device virtualization (One-to-Many Virtualization) improves routing utilization and simplifies configuration by
managing virtual routers or physical interfaces.
• Virtual router (VR) provides multiple routing tables for the same physical router. The functionality keeps routing
instances separate. Hence, overlapping IP addresses can exist in the virtual router instances. Unlike the logical
systems functionality, there is no separation of management between the different VRs.
• VRF-lite segments a physical router into multiple logical routers. Each logical router participates in a virtual routing
environment in a peer-based fashion. Although it is simple to deploy, it does not scale for some enterprises because
every router needs to maintain a virtual routing and forwarding (VRF) routing instance.
• Logical systems segment a physical router into multiple independent routers that perform independent routing tasks.
Each logical router can be configured independently, partitioning the operation (routing plane) of a physical router into
subsets for increased manageability and protection. Logical systems can provide individual business units with the
perception that they are working on independent routers. The benefits are the following:
- Improve routing utilization
- Align virtual routing instances with business units
Table 3, below, summarizes the benefits of virtual router, VRF-lite, and logical systems.
Table 3: Summary of Benefits of VR, VRF-Lite, and Logical Systems

Logical platform partitioning: Virtual Router, VRF-Lite, Logical Systems
Fault isolation on routing plane: Logical Systems
Multiple user access (management separation): Logical Systems
Scalable routing separation: Virtual Router, Logical Systems
• Bridge groups are a collection of network interfaces that form a broadcast domain and have their own set of
forwarding tables and filters. They bring tremendous configuration flexibility by allowing an administrator to select
multiple Ethernet and/or wireless interfaces and group them together, effectively creating an abstract or virtual L3
interface and/or L2 switch. A bridge group carries the same characteristics as a physical interface in that both can be
assigned to a security zone where they are subject to an associated security policy.
• Virtual switches are formed by grouping two or more bridge domains that perform layer 2 bridging and function
as a layer 2 network. A bridge domain consists of a set of logical ports that share the same flooding or broadcast
characteristics. Like a VLAN, a bridge domain spans one or more ports of multiple devices. Multiple virtual switches
operate independently of the other virtual switches on the routing platform, and each virtual switch can participate
in a different layer 2 network. A virtual switch can be configured to participate only in layer 2 bridging and optionally
to perform layer 3 routing.
Link virtualization improves link utilization, control, and security.
• VLANs define a broadcast domain, a set of logical ports that share the same flooding or broadcast characteristics.
VLANs span one or more ports on multiple devices. By default, each VLAN maintains its own Layer 2 forwarding
database that contains MAC addresses learned from packets received on ports belonging to the VLAN.
• Link aggregation provides a mechanism for combining multiple, physically separate layer 2 links as a single logical
link. This helps enterprise data centers scale more bandwidth than a single Ethernet link can provide and saves
on the expense of a higher-speed Ethernet link. This technology can also help enterprise data centers to provide
redundant links for greater resiliency. Thus, data center managers can incrementally scale their investments by
increasing utilization of existing resources while deriving increased security.
• GRE tunnels provide a mechanism for encapsulating and transporting a wide variety of network-layer protocol
packets inside point-to-point tunnels. GRE provides a very simple method of transport of protocols over a network
that needs to be transparent to the tunneled protocol. It is a foundation protocol for other tunnel protocols. For
example, MPPE/PPTP uses GRE to form the actual tunnel. Although GRE has generic tunneling capability, its most
common use is for tunnels that carry non-IP traffic over IP tunnels.
• MPLS LSPs (label-switched paths) are virtual paths established to transport MPLS packets between
two MPLS routers. The logical separation between the MPLS paths ensures traffic segmentation.
Deployment Scenarios
Deployment Example 1: Merger and Acquisitions at a Bank
Background
Mega Bank, a very successful bank, acquires Regional Bank. Both banks have large networks. Mega Bank has been
tasked to consolidate the new networks and for the interim, provide separation of traffic for the two banks until the
organization is consolidated under one brand. Mega Bank’s customers benefit from rapid access to Mega Bank’s data
regardless of where it is stored. Mega Bank’s key competitive advantage is its ultra-low network latency. Mega Bank
wants to extend this competitive advantage to the merged organization.
Challenges
A) Legacy application requires expensive dedicated SONET transport and overlapping IP addresses
• To guarantee low network latency and high resiliency for a critical legacy software application, Mega Bank
anticipates spending millions of dollars on dedicated SONET transport between the different data centers of the
merged organization. Mega Bank wants high availability (HA) to this critical software, with zero downtime.
• Mega Bank requires guaranteed bandwidth to transport high-priority data between data centers, at specified times
of the day. At other times, the data between the data centers is lower priority. Mega Bank is evaluating dedicated
links between the data centers to carry the high-priority traffic.
• Mega Bank’s consolidated infrastructure has overlapping IP addresses, and changing the address space of Mega
Bank or Regional Bank is expensive.
B) Regulatory compliance requires traffic segmentation
• To adhere to regulations, and to prevent different business units from overwhelming scarce network resources, the
merged bank needs to maintain traffic and resource segmentation across specific departments.
C) Large volumes of unicast and multicast traffic need to scale
• Mega Bank’s consolidated network needs to transmit large amounts of unicast and multicast messages to many
customers. To support the rapid growth of business, Mega Bank needs multicast technology that is highly scalable
and reliable.
Solution
A) Eliminate the need for expensive dedicated SONET links and accommodate overlapping IP addresses with MPLS.
Figure 3, below, depicts the data centers of the merged bank interconnected, using a private cloud of Ethernet links that
run private MPLS. The resulting cloud is called the “super core.” The “super core” gives the enterprise greater control over
critical metrics, such as latency, that are a key competitive advantage. The dashed links highlight specific fast reroute
redundant paths in the network used for failover traffic and can also be used for routing low-priority traffic. The other
links are traffic-engineered private MPLS LSPs that carry traffic between the data center and the corporate office.
Figure 3: Example of MPLS super core between Mega Bank and Regional Bank
The inexpensive Ethernet links running MPLS offer a more cost-effective alternative to SONET links. MPLS offers the
following as an alternative to SONET:
• Fault detection—through the use of Operation, Administration, and Maintenance (OAM) functionality such as BFD—
detects any faults in the inter-data center links and uses fast reroute to switch to the alternate path within 50 ms,
offering the same resiliency as SONET.
• Traffic Engineering (TE) and equal-cost multipath routing (ECMP) allow MPLS to route additional low-priority traffic
over the protection link. In contrast, with SONET, the protected link is unused bandwidth.
• It provides the ability to establish LSPs dynamically between the data centers, when required, with guaranteed
bandwidth. Thus, Mega Bank does not need dedicated links between the data centers to carry high-priority traffic at
certain times in the day.
• TE guarantees bandwidth and QoS for the applications. Thus, the merged bank’s delay-sensitive applications—such
as the legacy application and VoIP traffic—experience little latency, higher priority, and greater throughput.
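The super core features listed above, written out as an added Junos configuration example for one data center edge router (this is not configuration from the paper or from Mega Bank; interface names, addresses, path and LSP names are constructed placeholders). The legacy application gets a traffic-engineered LSP with a bandwidth reservation, the highest setup/hold priority, fast reroute and a pre-signalled standby secondary, while a lowest-priority bulk LSP is pinned to the alternate link so the protection path carries useful traffic; BFD on the IGP gives fast link failure detection.

```junos
interfaces {
    ge-0/0/1 {
        /* Link toward core router A: the low-latency primary path */
        unit 0 {
            family inet {
                address 10.255.1.0/31;
            }
            family mpls;
        }
    }
    ge-0/0/2 {
        /* Link toward core router B: alternate path for failover and low-priority traffic */
        unit 0 {
            family inet {
                address 10.255.2.0/31;
            }
            family mpls;
        }
    }
}
protocols {
    ospf {
        /* Flood link bandwidth into the TE database so CSPF can honour reservations */
        traffic-engineering;
        area 0.0.0.0 {
            interface ge-0/0/1.0 {
                /* BFD detects a silent link failure far faster than OSPF hello timers */
                bfd-liveness-detection {
                    minimum-interval 50;
                    multiplier 3;
                }
            }
            interface ge-0/0/2.0 {
                bfd-liveness-detection {
                    minimum-interval 50;
                    multiplier 3;
                }
            }
        }
    }
    rsvp {
        interface ge-0/0/1.0;
        interface ge-0/0/2.0;
    }
    mpls {
        interface ge-0/0/1.0;
        interface ge-0/0/2.0;
        /* Explicit paths: first hop pinned to core A or core B respectively */
        path VIA-CORE-A {
            10.255.1.1 strict;
        }
        path VIA-CORE-B {
            10.255.2.1 strict;
        }
        /* Legacy application LSP to the remote data center edge (loopback 10.255.0.2) */
        label-switched-path LEGACY-APP-DC1-DC2 {
            to 10.255.0.2;
            /* Reserve bandwidth along the path; priority 0 0 lets it preempt lower-priority LSPs */
            bandwidth 500m;
            priority 0 0;
            /* One-to-one local repair around each hop, signalled in advance */
            fast-reroute;
            primary VIA-CORE-A;
            /* Standby keeps the secondary signalled so failover does not wait for a new setup */
            secondary VIA-CORE-B {
                standby;
            }
        }
        /* Bulk replication LSP: lowest priority, pinned to the alternate link, so the */
        /* protection path carries traffic instead of sitting idle as a SONET protect link would */
        label-switched-path BULK-DC1-DC2 {
            to 10.255.0.2;
            priority 7 7;
            primary VIA-CORE-B;
        }
    }
}
```

When core A fails, the legacy LSP moves to its standby secondary and the bulk LSP, holding no reservation and the lowest hold priority, is the first to be preempted if bandwidth on the surviving link becomes scarce.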
By deploying private MPLS, Mega Bank can significantly reduce CapEx while simultaneously improving network
resiliency and latency for the legacy software. Although Mega Bank achieves higher network resiliency through private
MPLS, router failure—due to software or hardware faults—can adversely impact network access. The MX Series
provides the following features to improve resiliency:
• Hardware resiliency, with Virtual Router Redundancy Protocol (VRRP), supports failover between routers.
• Software resiliency is provided through the “graceful restart” of routing protocols. This feature provides nonstop
forwarding through individual routing protocol restart and re-convergence.
(Figure 3 contents: two Mega Bank data centers, the Regional Bank data center and the corporate WAN interconnected by the MPLS super core; applications engineered into LSPs across the super core; critical applications protected by fast reroute detour paths and secondary LSPs. Legend: dashed lines are specific fast reroute redundant paths used for failover traffic and/or low-priority traffic; solid lines are the primary traffic-engineered private MPLS LSPs between Mega and Regional.)
• Enhanced software resiliency for upgrades is available with unified ISSU. Without this feature, upgrading full
software releases would require that the router be brought down during a scheduled maintenance window. Junos OS
offers the ISSU feature that can provide for full software release upgrades while the router is still running.
So far, Mega Bank has improved network resiliency. Mega Bank’s next step is to merge Regional’s networks to ensure
secure access to applications from anywhere in the Mega Bank network. The combined network has many overlapping
IP addresses. MPLS can tunnel the packets to and from the overlapping IP address endpoints while providing traffic
segmentation, thereby ensuring secure access to the applications.
B) Improve regulatory compliance with logical systems that provide routing segmentation and protection in the
control plane; provide separate user access and permission per logical router.
Figure 4, below, shows a representation of a logical systems deployment in Mega Bank’s data center. In this figure,
Mega Bank’s different banking divisions—that is, Merchant Banking, Personal Banking, Stock Trading, and Intranet—are
separated by assigning each to a logical router within the logical system. Each logical router in the logical systems has
separate user access and permission and hence can be managed independently of the other logical routers.
Figure 4: Example of logical systems deployed in a bank’s data center
Logical systems offer Mega Bank the following benefits:
• Increased privacy and security—Different business units are isolated so that their routing resources can be managed
and operated independently. This compartmentalization improves privacy and security, facilitating greater
compliance.
• Improved availability of critical services—The isolation of resources virtually eliminates the chances of other business
units exhausting resources, such as routing entries, which are needed for critical business units.
• Easy manageability resulting in reduced OpEx—Logical systems provide easy manageability by consolidating the
entities into one physical device. Software upgrades and physical device upgrades are no longer distributed, thereby
reducing operating expenditure.
• Easy consolidation—The routes can have overlapping IP addresses across the logical routers in the logical systems.
Thus, Mega Bank can merge business units of the acquired enterprise on the same network easily by separating
routing resources to different logical routers in the logical systems.
• Reduced CapEx—The ability to use a single router as multiple routers improves asset utilization, enables improved
network scalability, and enables lower capital expenditures.
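The logical systems deployment of Figure 4, written out as an added Junos configuration example (this is not configuration from the paper or from Mega Bank; the division names, VLAN IDs, addresses, login class and user are constructed placeholders). Two divisions share one physical port but each owns its own routing table, so the overlapping prefix is legal; a login class bound to one logical system confines that division's operators to their own router, which is the management separation that a virtual-router routing instance alone does not provide.

```junos
interfaces {
    ge-1/0/0 {
        /* Shared physical port; each division owns a VLAN-tagged unit inside its own logical system */
        vlan-tagging;
    }
}
logical-systems {
    MERCHANT-BANKING {
        interfaces {
            ge-1/0/0 {
                unit 100 {
                    vlan-id 100;
                    family inet {
                        address 10.10.1.1/24;
                    }
                }
            }
        }
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.1.254;
            }
        }
    }
    PERSONAL-BANKING {
        interfaces {
            ge-1/0/0 {
                unit 200 {
                    vlan-id 200;
                    family inet {
                        /* Same prefix as MERCHANT-BANKING: permitted, each logical system has its own routing table */
                        address 10.10.1.1/24;
                    }
                }
            }
        }
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.1.254;
            }
        }
    }
}
system {
    login {
        /* Scope the class to one logical system: members cannot view or change the other division's router */
        class merchant-ops {
            logical-system MERCHANT-BANKING;
            permissions [ configure view view-configuration ];
        }
        user merchant-admin {
            class merchant-ops;
            authentication {
                encrypted-password "<hashed-password-placeholder>";
            }
        }
    }
}
```

A user logging in with class merchant-ops lands directly in the MERCHANT-BANKING logical system, and the PERSONAL-BANKING configuration and routing tables are not visible to that session.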
C) Scale large unicast and multicast traffic volumes.
So far you have seen how different virtualization techniques help Mega Bank to meet its requirements for low latency,
compliance, and reliability. Having resolved these concerns, the next section looks at how Mega Bank can focus on its
core business services—including stock trading and investment banking—which involve getting up-to-the-microsecond
market information to market participants. The bank’s trading network transmits millions of market messages in the
course of a day.
(Figure 4 contents: a single router virtualized as many routers, one each for the Merchant Banking, Personal Banking, Investment Banking, Stock Trading and Intranet networks; virtualization through isolated routing and isolated configuration.)
Figure 5, below, describes the multicast network at Mega Bank. Exchange-1 and Exchange-2 are primary trading centers
located in Chicago and New York. The bank has customers with data centers (Customer-1 DC and Customer-2 DC) and
corporate offices (Customer-1 Corp and Customer-2 Corp, respectively). Exchange-1 transmits multicast messages
to Customer-1 DC and Customer-1 Corporation. Exchange-2 performs the same function for Customer-2 DC
and Customer-2 Corporation. The customers place trades that are transmitted as unicast messages to the exchanges
through the same network that carries the multicast messages. These unicast messages are unique to the specific
trading needs of the customers and are key to providing Mega Bank with a competitive advantage. The unicast
messages are delivered independently of the multicast messages.
To sustain the competitive advantage, Mega Bank needs scalable multicast technologies to improve services for
acquiring and retaining customers. Juniper’s virtualization infrastructure uses MPLS-based point-to-multipoint (P2MP)
transport to optimize next-generation MVPNs (NG MVPNs). NG MVPNs mitigate the scalability problem by leveraging
adjacencies that already exist in the MPLS network, which eliminates the need for every router to maintain separate
adjacency information with every other router that participates in the MVPN. P2MP also brings other benefits—bandwidth
reservation that guarantees QoS, fast reroute and OAM that provide HA, and deterministic routing. Through the use of
NG MVPNs, Mega Bank can deliver a variety of services—such as video on important market events and market
messages—to its customers in a timely manner.
Figure 5: Multicast in financial markets (Exchange-1 is Chicago; Exchange-2 is New York)
Mega Bank’s competitive advantage also depends on its ability to offer services without any disruption. To provide
reliable services, the P2MP technology maintains two distinct multicast trees. A multicast tree is a logical topology
of nodes that is built to transmit multicast messages to the participating nodes. With redundant trees there are two
distinct paths to reach the destination nodes. When there is performance degradation on one tree, traffic can be sent
through the other tree. The maintenance of redundant trees is very inexpensive in resources because P2MP technology
eliminates the need to maintain adjacencies and is easy to manage. Thus, the financial institution can be assured of
timely delivery of the millions of market messages across the large organization to its customers.
Note that Juniper supports other multicast technologies in addition to P2MP.
[Figure 5 content: Mega Bank connects Exchange-1 (Chicago) and Exchange-2 (New York) to Customer-1 DC, Customer-2 DC, Customer-1 Corporate, Customer-2 Corporate, and other financial institutions, with a primary and a redundant tree from each exchange. Legend: multicast traffic from exchanges to financial institutions; unicast traffic from financial institutions back to exchanges.]
Summary
• The traffic-engineered virtual network provides resiliency and guarantees quality, thereby improving the company’s
competitiveness with improved business continuity and agility.
• The organization has protected its initial investment by investing in Juniper’s scalable technology and can scale the
network gradually.
• The virtualization techniques, in the form of logical systems and MPLS, create a transparent infrastructure that also
provides security without the need for physically separate networks—thereby simplifying operations and reducing OpEx.
• NG MVPN technologies can help create and sustain a competitive advantage by dramatically improving scalability
and reliability.
Deployment Example 2: Scaling the Network for Web 2.0 Applications
Background
An enterprise supporting a large Internet portal—for example, with Web 2.0 applications—can have hundreds of multi-
tiered (n-tiered) applications with complex interconnections between clients, database servers, firewalls, storage, and
other devices. Over time, as the traffic grows, interconnections based upon a traditional physically layered architecture
become increasingly complex and create scaling challenges, as shown in the left portion of Figure 6.
Challenges
A) Users require rapid, secure access to large volumes of distributed data for multi-tiered applications
• The rapid growth of the data center, to support large volumes of data, has led to an explosion in the number of data
center devices to manage. The devices include many database servers, firewalls, application servers, Web servers,
storage, etc. This proliferation of devices has created challenges for users being able to quickly and securely access
large volumes of data across the network.
• The traditional architecture—as shown in Figure 6—has database, Web, DMZ, and application servers that are clearly
demarcated in different network topologies. This architecture poses many challenges:
- Increased CapEx—The software and network architecture are tightly coupled. Because of this tight coupling, the
deployment of traffic-intensive applications, such as video, requires upgrades to the network. These upgrades
include the addition of network devices, IP address allocation, and data center internal forwarding.
- Increased latency—Database, Web, and application accesses are slower because of numerous physical firewalls
and network devices.
- Increased OpEx—Troubleshooting and the management of devices are complicated because of the myriad of
devices in the data center. Everyday operational tasks—such as patching software, detecting faults, and migrating
software—become more problematic.
Figure 6: Traditional versus virtual application architecture
In Figure 6 above, the left diagram shows the traditional, physical multi-tiered layering of applications and
security. The right diagram shows a simplified application architecture in which network virtualization reduces
complexity and improves network utilization.
B) The large number of interconnections using the traditional, layered physical data center architecture leads to
network utilization inefficiencies.
• Fifty percent of links are used for switch-to-switch connectivity, and the Spanning Tree Protocol blocks half of those
links—thus resulting in only 25 percent active links being available for inter-switch connectivity.
Solutions
A) Improve secure access to large volumes of distributed data, by moving from a traditional, layered physical
architecture to a virtual architecture.
The simplified virtual architecture, shown on the right of Figure 6, decouples the network architecture from the
application deployment architecture. Any-to-any connectivity is provided between the end users and application
services. This is achieved by introducing a virtualization layer that decouples the network resources from the
application services. This decoupling allows applications to be transparent to the underlying network resources.
Moreover, once decoupled, network service virtualization can be mapped into virtual security “zones” or “trust zones” in
the SRX Series platforms, providing the same or a higher level of security than the traditional architecture.
Figure 7, below, illustrates a simplified data center, where the network resources and applications are decoupled.
[Figure 6 content: left, traditional data center architectures and secure layering (DMZ, Web, App, DB tiers); right, next-generation “virtual” data center architecture with a network virtualization layer, consolidated firewalls (SRX5800), consolidated scalable, high-performance routers (MX960), EX4200 access switches, and DMZ, Exnet, Web, Apps, AAA, NOC, DB, and NAS services.]
The figure illustrates two MX Series routers in the consolidated core layer of the enterprise data center connected to
two SRX Series platforms that have many virtual security services that can be configured into independent security
zones. The MX Series routers are connected to top-of-the-rack Juniper Networks EX Series Ethernet Switches in the
access layer, which in turn aggregate the servers in the data center. The top-of-the-rack EX Series is configured to use
its Virtual Chassis technology. The WAN edge connects the data center to the outside world and is composed of two
Juniper Networks M Series Multiservice Edge Routers.
Figure 7: Mapping VRFs to security zones
In Figure 7, the virtual security zones are indicated by Firewall #1, NAT #1, IPS #1, etc. on the SRX Series. The VRFs are
indicated by VRF #1 and VRF #2 on the Juniper Networks MX960 3D Universal Edge Router. The VRF #1 is mapped to
security zones Firewall #1, NAT #1, and IPS #1. VRF #2 is mapped to Firewall #2 and NAT #2. Two MX960 routers are
shown to indicate HA between these devices.
Data for the different departments (for example, human resources, finance, or guest) is hosted in different data center
servers. The traffic to and from the departments is separated by different VPNs. A VRF can be configured to send
specific VPN traffic to virtual security zones that contain IPS, NAT, firewall, etc. in the SRX Series. Other VPN traffic can
be directed to the respective destination without further processing. The SRX Series can have several security zones
(that is, virtualized firewall, IPS, etc.) that can apply specific policies for the VPN traffic. The VPN traffic can traverse
multiple security zones inside the SRX Series before being sent to its destination VPN.
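One way the VRF-to-zone mapping in Figure 7 looks in Junos configuration, as an added sketch that is not from the paper or from Juniper documentation: VRF #1 on the MX960 is handed to the SRX5800 on its own VLAN, where a per-VRF routing instance and zone pair enforce the firewall, NAT, and IPS policy for that VRF only. Instance, zone, and interface names, route targets, and addresses are all assumptions.

```junos
/* MX960 (added example): VRF #1 carries the HR department VLAN (ae0.10, defined elsewhere)
   and sends all traffic leaving the VRF to the SRX over a dedicated hand-off VLAN. */
interfaces {
    ae1 {
        vlan-tagging;
        unit 110 {
            vlan-id 110;
            family inet {
                address 10.200.10.1/30;  /* assumed hand-off subnet toward the SRX */
            }
        }
    }
}
routing-instances {
    VRF-1 {
        instance-type vrf;
        interface ae0.10;                /* HR server VLAN from the EX4200 Virtual Chassis */
        interface ae1.110;               /* hand-off to SRX zone VRF1-IN */
        route-distinguisher 65000:10;
        vrf-target target:65000:10;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.200.10.2;   /* nothing leaves VRF-1 except via the SRX */
            }
        }
    }
}

/* SRX5800 (added example): one routing instance and one ingress zone per VRF, so a policy
   written for VRF #1 can never match VRF #2 traffic even when their addresses overlap.
   VRF #2 gets its own RI-VRF2 / VRF2-IN pair the same way, without the idp service. */
routing-instances {
    RI-VRF1 {
        instance-type virtual-router;
        interface reth0.110;             /* faces MX VRF-1 (10.200.10.2/30) */
        interface reth1.0;               /* faces the WAN edge */
        routing-options {
            static {
                route 10.10.0.0/16 next-hop 10.200.10.1;   /* return path to the HR servers */
            }
        }
    }
}
security {
    zones {
        security-zone VRF1-IN {
            interfaces {
                reth0.110;
            }
        }
        security-zone VRF1-WAN {
            interfaces {
                reth1.0;
            }
        }
    }
    nat {
        source {
            rule-set VRF1-SNAT {                 /* "NAT #1" in Figure 7 */
                from zone VRF1-IN;
                to zone VRF1-WAN;
                rule hr-snat {
                    match {
                        source-address 10.10.0.0/16;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone VRF1-IN to-zone VRF1-WAN {     /* "Firewall #1" */
            policy hr-https-out {
                match {
                    source-address any;
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit {
                        application-services {
                            idp;                 /* "IPS #1": only this VRF's traffic is inspected */
                        }
                    }
                    log {
                        session-init;            /* session logs are the audit trail per department */
                    }
                }
            }
        }
        default-policy {
            deny-all;                            /* traffic with no explicit zone mapping is dropped */
        }
    }
}
```

Because each VRF terminates in its own SRX routing instance, a change to VRF #1's policy cannot silently widen what VRF #2 is allowed to reach.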
[Figure 7 content: WAN edge (two M Series routers), consolidated core layer (two MX960 routers carrying VRF#1 and VRF#2 over IP VPN), access layer (EX4200 Virtual Chassis with VLANs for the HR, Finance, and Guest departments), and an SRX5800 whose security zones (Firewall#1, IPS#1, NAT#1, Firewall#2, IPS#2, Firewall#3) provide firewall, IPS, and NAT. Legend: trunk, VPN, server VLAN. Mapping VRFs to security zones: map VLANs to security zones; map VRFs on the core to routing instances on the SRX Series; establish adjacency between VRFs on the core; traffic between networks runs through the SRX Series by default, or is filtered on the MX Series.]
Network service virtualization also offers the following benefits:
• Simplified management resulting in reduced OpEx—The management of VPNs and the network services is easy
because of centralization of the services. The services can be logically separated for the VPNs and for each security
zone. This simplification means reduced cost.
• Reduced CapEx—Fewer physical network devices are now required with virtualization.
• Flexibility of services—The layering of different services provides an easy mechanism for extending functionality for
the VPNs.
B) Improve network utilization with a collapsed 2-tier network architecture.
Despite the previously described benefits, network service virtualization does not address poor network utilization
within the data center, due to the large number of network devices and associated inter-switch connectivity. To address
this challenge, the MX Series routers provide a high-performance and dense port routing platform, enabling a collapsed
2-tier network architecture. Traditional data center design comprises three layers—access, aggregation, and core. The
MX Series reduces the number of required devices by collapsing the core and aggregation layer, and by consolidating
WAN edge functionality. Further, the top-of-the-rack EX Series switches in the access layer—through the use of Virtual
Chassis technology—can minimize the number of nodes in the access layer and provide for consolidated 10G uplinks
to the MX Series switches. This 2-tier architecture eliminates many nodes in the data center and reduces inter-switch
connectivity, thereby improving utilization and also reducing network latency.
However, the enterprise is still faced with low utilization of links stemming from blocked spanning tree links. To address
this challenge the enterprise can adopt VPLS technology, which permits full utilization of links.
Summary
• Juniper’s virtualization architecture ensures that the software services running on the server can be completely
transparent to the underlying technology changes.
• Transparency is achieved by maintaining the logical multi-tiered application architecture intact but hiding the
underlying network architectural changes through virtualization. This architecture allows better scalability in a
growing data center.
• Additional security services can be layered easily, providing for a flexible design.
Deployment Example 3: Securing and Migrating Data in Health Care
Background
A large hospital system requires rapid access and High Availability (HA) for large volumes of patient, imaging, and
administrative data for clinics throughout the hospital system. HA is currently achieved by having two colocated data
centers, mirroring, and load-balancing data. The hospital must ensure that sensitive patient data is secure, to comply
with government privacy and security regulations.
Challenges
A) Expensive dedicated links with low utilization are used to guarantee bandwidth to critical applications
• Forty separate 10G links between the two data centers are deployed to guarantee bandwidth for different
applications, and only 1 percent of the bandwidth of each 10G link is used. The dedicated links are used for data
migration between the data centers and are expensive to maintain. This is based upon a true story!
• The data migration requires two servers to be in the same LAN. Running layer 2 Spanning Tree Protocol between the
two data centers is inefficient because of its convergence time.
B) Health care organizations require high security for regulatory compliance
• Hospital users access very sensitive data from the data center. Hence, the hospital must provide secure transport of
the data.
C) The hospital has experienced security attacks
• Although the hospital has implemented safe zones to isolate other traffic from sensitive patient data, the data
center has experienced attacks from worms and malware, periodically disabling access to critical data.
Solution
A) Improve network utilization, cost savings, and security by migrating to a virtualized environment with MPLS
and VPLS.
Figure 8 shows two colocated data centers connected via an MPLS core network. The VMotion virtual network is
used to migrate data between the two data centers. Each of the two data centers has several hypervisor virtual servers,
a SAN, and so on. These are connected to EX Series switches deployed in a Virtual Chassis environment. The MX Series is
connected to the EX Series and sits in the core of the network. The M Series is deployed at the WAN edge and provides
connectivity from the data center to the outside world. The figure also depicts VRRP running between the MX Series
routers across the two data centers.
Figure 8: Server live migration of data between two colocated data centers
VMotion software needs layer 2 connectivity between the data centers, so that data can migrate live between data
centers. To support the VMotion migration, the hospital has dedicated layer 2 links between the two data centers
for the different departments such as account services, emergency care, radiology, lab services, and cardiology. This
ensures that the different departments always have the necessary bandwidth for their data migration. Since the data
migration on the independent links does not consume much bandwidth, the links are underutilized—resulting in huge
OpEx for maintaining layer 2 connectivity between the data centers.
A better alternative that provides layer 2 connectivity between the data centers is to use VPLS between the two
MX Series devices in the two colocated data centers. The VPLS can be set up to transport only traffic on specific
VLANs. Thus, only specific hypervisors that need to be migrated must be part of the VPLS domain, and all other traffic
remains unaffected. VPLS not only emulates a layer 2 switch in the WAN but also runs on a private MPLS backbone.
Private MPLS allows the hospital to take advantage of advanced routing features, such as TE. Traffic engineering
allows the hospital to optimally allocate bandwidth for the different departments without the need for dedicated
layer 2 links.
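The VPLS alternative described above in Junos configuration, as an added example that is not from the paper or from Juniper documentation: only the VMotion VLAN is placed in the VPLS domain, and the LSP carrying it reserves bandwidth through traffic engineering instead of a dedicated 10G link. VLAN number, interface names, loopback addresses, the AS number, and the bandwidth figure are assumptions.

```junos
/* MX Series in Data Center 1 (added example). Only VLAN 200 (assumed to be the VMotion
   VLAN) is stretched to Data Center 2; every other VLAN stays routed locally, so a broadcast
   storm in the production or storage network cannot cross the WAN. */
interfaces {
    ge-1/0/0 {
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 200 {
            encapsulation vlan-vpls;
            vlan-id 200;
        }
    }
    xe-0/0/0 {                           /* core-facing link into the private MPLS backbone */
        unit 0 {
            family inet {
                address 10.1.12.1/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.0.1/32;
            }
        }
    }
}
routing-options {
    router-id 10.255.0.1;
    autonomous-system 65000;
}
protocols {
    rsvp {
        interface all;
    }
    mpls {
        label-switched-path DC1-TO-DC2 {
            to 10.255.0.2;               /* loopback of the Data Center 2 MX, assumed */
            bandwidth 2g;                /* TE reservation replaces the dedicated 10G link */
            fast-reroute;                /* sub-second repair instead of spanning tree convergence */
        }
        interface all;
    }
    bgp {
        group DC-PEs {
            type internal;
            local-address 10.255.0.1;
            family l2vpn {
                signaling;               /* BGP-signaled VPLS between the two MX routers */
            }
            neighbor 10.255.0.2;
        }
    }
}
routing-instances {
    VMOTION-VPLS {
        instance-type vpls;
        vlan-id 200;
        interface ge-1/0/0.200;          /* the only interface in the domain: VMotion hosts */
        route-distinguisher 65000:200;
        vrf-target target:65000:200;
        protocols {
            vpls {
                no-tunnel-services;      /* use LSI interfaces; no tunnel PIC needed on MX */
                site-range 8;
                site DC1 {
                    site-identifier 1;   /* Data Center 2 uses site-identifier 2 */
                    interface ge-1/0/0.200;
                }
            }
        }
    }
}
```

Department traffic that is not on VLAN 200 never enters the VPLS instance, which is the property that keeps the layer 2 domain, and any layer 2 fault, confined to the hosts that actually migrate.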
[Figure 8 content: Data Center 1 and Data Center 2, each with EX Series Virtual Chassis, MX Series, Virtual Server, Virtual Center, and SAN, connected over an MPLS core with VRRP between the MX Series routers and M Series at the WAN edge. Legend: production network, VMotion network, storage network, service OS network. Notes: virtual machines traverse the path created by L2 VPN/VPLS; guaranteed bandwidth and low latency across the WAN for VMotion traffic (can be routed); configuration and bitmap traffic flows over the VMotion network; L2 connectivity must exist across data centers because the default gateway of the VM does not change; GSLB/BGP should immediately point traffic to the other DC in a disaster.]
Besides traffic engineering, MPLS also offers the logical separation between the different departments—providing the
same level of privacy that was achieved using physically separate links. Thus, VPLS provides enhanced security for
different departments while reducing CapEx and OpEx by migrating traffic to the private MPLS backbone network.
B) Provide secure data transport with encryption.
The logical separation of data transport, in itself, does not make the data invisible to any node in the WAN network—
and this can compromise patient privacy and regulatory compliance. To address this security challenge, the hospital
can encrypt sensitive data, using IPsec offered in Multiservice Dense Port Concentrator (MS-DPC), while transmitting
data between the data center and the hospital through the MPLS cloud.
Figure 9: Encrypted transport of data between the data center and hospital
Figure 9 shows MX Series routers securely forwarding traffic, indicated by the solid line, between the hospital and the
data center using IPsec encryption. All other non-sensitive traffic, indicated by the dashed line, is unencrypted. The
encrypted and unencrypted traffic are tunneled through MPLS LSPs. The MX Series supports an MS-DPC that can
selectively encrypt traffic. This form of selective encryption is important to a large enterprise, such as the hospital,
where performance must not degrade as traffic is encrypted.
C) Secure data center resources.
In addition to securing data during transport, resources in the data center must also be secured. Malicious software
can infect servers, making it impossible to access valuable information in a timely manner. To address these security
exposures, the MS-DPC offers comprehensive security by leveraging multiple detection mechanisms—including
signature detection, protocol anomaly detection, and traffic anomaly detection; and these security features can even
thwart attacks that have not been seen before.
In addition to identifying viruses and attacks, the MS-DPC supports Dynamic Application Awareness (DAA), which
enables accurate detection and reporting of bandwidth volume used by applications such as social networking, peer-
to-peer, or instant messaging. With improved visibility of applications’ behavior, administrators can improve capacity
planning or use QoS to apply policies on specific traffic. For example, specific application traffic can be blocked or
given high priority to meet business or regulatory compliance.
Summary
• The flexibility of virtualization allows customers to improve link and network utilization.
• Application software, such as VMotion, is not impacted by the architectural change since virtualization provides
transparency of the underlying network infrastructure.
• The ability to easily layer security services such as stateful firewall and IPsec over the virtualized network provides
not only data privacy but also secures the enterprise.
• The virtualization techniques allow the enterprise to scale infrastructure without impacting performance.
[Figure 9 content: hospital and data center connected over a private MPLS network. Legend: MPLS LSP carrying unencrypted traffic; MPLS LSP carrying IPsec-encrypted traffic; unencrypted or decrypted traffic.]
Deployment Example 4: Simplifying Security and Services Using Enterprise-Wide Virtualization
Background
A large enterprise has a rapidly growing business. To support this growth the enterprise has created many divisional
branches and data centers throughout the country that are interconnected by a large network cloud that is a “safe-
zone”, as shown in Figure 10. Security devices that reside in the perimeter of the cloud inspect all traffic to the cloud.
Data communication is only between nodes and applications that belong to “silos” of the same type. The enterprise
has three types of silos—sensitive, public, and management. Silos can be categorized based on traffic or user access
privileges or other metrics. There is no access between silos of different types.
Challenges
A) The proliferation of security devices has resulted in complex network management of security policies, causing
security holes
• The number of new “silos” and access points to the cloud has been steadily increasing. This increase has resulted
in more firewalls in the perimeter, raising the complexity of network management.
• Most restrictions to accesses are enforced using ACLs. With the proliferation of access points, the ACLs have
become unmanageable because of a large number of complex ACL entries. The ACL entries and security policies
must be maintained consistently across security devices serving the same destination.
Figure 10: Safe zone cloud controls access between branch offices and data centers by using firewalls
Figure 10 shows headquarters, multiple divisional branches, and data centers interconnected using the safe zone
cloud. The perimeter of the cloud consists of several firewall devices that restrict entry into the cloud and ensure that
accesses are between similar silos. Data to and from San Francisco can traverse via nodes Denver and Dallas to reach
the headquarters.
Multiple paths through the safe zone pose a challenge. The challenge is to ensure that the firewalls in the perimeter
of the cloud have identical security policies. If the security policies are not identical, the traffic from the source to the
destination might receive unequal treatment in the two paths. For example, traffic through Denver has access to more
nodes in the safe zone than that through Dallas. This indicates that traffic from unauthorized sources might travel to
the destination. To prevent this breach of security, nodes in the safe zone have to implement identical ACL policies to
restrict access. Thus, an increase in the number of access points raises the complexity of managing security policies.
[Figure 10 content: headquarters, San Francisco data center, enterprise/branch, and extended enterprise sites, each holding Management, Sensitive, and Public silos, connected through the safe zone with access nodes at Denver and Dallas; SRX Series firewalls sit at the perimeter of the cloud.]
B) The traditional design, separating accesses through GRE tunnels, has resulted in a non-scalable architecture
• After authentication, the users are assigned to specific VLANs—based on their privilege—that are mapped into GRE
tunnels. Thus, the enterprise has as many GRE tunnels as there are privileged access groups. To secure the network,
each GRE tunnel has a dedicated firewall. The resulting topology has hundreds of GRE tunnels and firewall devices
that terminate at a central router. The number of GRE tunnels increases with the number of privilege levels, posing
serious scalability challenges for the enterprise.
Solution
A) Enhancing security and simplifying network management through enterprise-wide virtualization.
To address this network management challenge, the enterprise can deploy private MPLS between the different
endpoints in its network. This connectivity through the safe zone eliminates complex ACLs at different points in the safe
zone. This move reduces CapEx by consolidating firewall functionality closer to the destination and reduces OpEx by
eliminating the need to maintain consistent firewall policies along different paths between the source and destination.
Besides reducing OpEx, MPLS VPN can be used to interconnect similar “silos.” The MPLS VPNs completely segment
accesses between different silos. This form of traffic segmentation is crucial to maintaining privacy and security of the
different silos.
This end-to-end segmentation also gives the enterprise flexibility to outsource the tunneling of MPLS VPNs through
carriers. This reduces not only OpEx, but also reduces CapEx by allowing the enterprise to purchase fewer tunnels from
the carrier while maintaining control of the segmentation of traffic.
Figure 11, below, shows the modified network that has a private MPLS network. The L3VPNs connect “silos” of the same
type. The routers in the enterprise behave as provider edge routers because they tunnel all the L3 VPNs, originating
in the enterprise, through another MPLS tunnel or using GRE. This tunneling is done through the Internet/WAN cloud,
which is a simplified safe zone. The user authenticates via 802.1x and is automatically placed into the designated
VLAN. The VLAN is mapped to the L3 VPN or VPLS instance.
Figure 11: Private MPLS interconnecting similar “silos”
[Figure 11 content: data center, distributed enterprise/branch campus, extended enterprise, and a remote user, each holding Management, Sensitive, and Public silos, connected through the Internet/WAN by M Series PE routers, with SRX Series firewalls at each site.]
B) Replacing GRE tunnel infrastructure with MPLS VPN.
To address the scalability concern, the enterprise can deploy a private MPLS cloud that provides MPLS routing instead
of the GRE tunnels to separate accesses between the silos.
After authentication, the users are mapped to designated VLANs as before. However, the VLANs are now mapped to VRFs
and are routed inside the private MPLS cloud. The private MPLS cloud allows the enterprise to route selected traffic to
a location with a centralized firewall such as the SRX Series.
The enterprise benefits from:
• Greater infrastructure scalability than can be achieved using a GRE tunnel infrastructure
• Simplified management of firewall devices because of centralization of firewalls
• Enhanced security due to consistent firewall policies in the enterprise network
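The silo VRFs and 802.1X placement described above, in Junos configuration, as an added sketch rather than the paper's or Juniper's own: each silo is a VRF with its own route target on the enterprise PE, and the EX access switch puts an authenticated user into the VLAN that RADIUS returns. Instance and interface names, addresses, the AS number, and the RADIUS server are assumptions.

```junos
/* Enterprise PE (added example): one VRF per silo type. The route target is the segmentation:
   a VRF imports only its own target, so a Sensitive route never reaches a Public or Management
   table, and there is no per-path ACL to keep consistent between Denver and Dallas. */
interfaces {
    ge-0/0/1 {
        vlan-tagging;
        unit 100 {                       /* units 200 and 300 are defined the same way */
            vlan-id 100;
            family inet {
                address 10.100.0.1/24;
            }
        }
    }
}
routing-options {
    router-id 10.255.1.1;
    autonomous-system 65000;
}
protocols {
    bgp {
        group PE-MESH {
            type internal;
            local-address 10.255.1.1;
            family inet-vpn {
                unicast;                 /* MP-BGP carries the VPNv4 routes between PEs */
            }
            neighbor 10.255.1.2;         /* data center PE, assumed */
            neighbor 10.255.1.3;         /* headquarters PE, assumed */
        }
    }
    ldp {
        interface all;
    }
    mpls {
        interface all;
    }
}
routing-instances {
    SILO-SENSITIVE {
        instance-type vrf;
        interface ge-0/0/1.100;          /* VLAN 100: users RADIUS places in the Sensitive silo */
        route-distinguisher 65000:100;
        vrf-target target:65000:100;
        vrf-table-label;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.100.0.2;   /* centralized SRX, reachable only inside this VRF */
            }
        }
    }
    SILO-PUBLIC {
        instance-type vrf;
        interface ge-0/0/1.200;
        route-distinguisher 65000:200;
        vrf-target target:65000:200;     /* distinct target: no route is shared with SILO-SENSITIVE */
        vrf-table-label;
    }
    SILO-MGMT {
        instance-type vrf;
        interface ge-0/0/1.300;
        route-distinguisher 65000:300;
        vrf-target target:65000:300;
        vrf-table-label;
    }
}

/* EX access switch (added example): 802.1X on the user port. No VLAN is configured on the port;
   it arrives in the RADIUS reply (Tunnel-Private-Group-ID), which is what maps a user to a silo. */
access {
    radius-server {
        10.0.0.5 {
            secret "RADIUS-SECRET-PLACEHOLDER";   /* placeholder, not a real shared secret */
        }
    }
    profile DOT1X-PROFILE {
        authentication-order radius;
        radius {
            authentication-server 10.0.0.5;
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name DOT1X-PROFILE;
            interface ge-0/0/10.0 {
                supplicant multiple;     /* each attached host authenticates on its own */
            }
        }
    }
}
```

The check worth running after a change is that no VRF's import target appears in another silo's vrf-target; once the targets are distinct, the MPLS cloud enforces the silo boundary on every path without any firewall rule having to be duplicated.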
Summary
• The enterprise can provide the necessary privacy and security in the network using MPLS.
• The network is more scalable because the number of firewalls to manage has been dramatically reduced.
• MPLS provides a resilient architecture by working with fast reroute and BFD—services are available around the clock.
• The architecture provides flexibility by allowing enterprises to outsource a portion of the services while maintaining
control of key infrastructure.
Conclusion
Enterprises are increasingly being challenged to support and upgrade their network infrastructure, as they respond
to new business demands and increased competitive pressures. Network virtualization, from Juniper, provides a
substantial toolset to support and upgrade the network. At the same time, it improves cost savings and operational
efficiencies. Enterprises reap numerous benefits from virtualization—increased privacy, improved security, increased
velocity for application deployment, and improved regulatory compliance. Juniper provides a very comprehensive
approach to network virtualization by offering a myriad of virtualization technologies that can work together or by
themselves. Moreover, Juniper uniquely offers these virtualization features in Junos OS—one OS and one release
working across Juniper Networks MX Series 3D Universal Edge Routers.
2000342-002-EN May 2010
Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Glossary
TECHNOLOGY: DESCRIPTION
Bidirectional Forwarding Detection (BFD): A network protocol used to detect faults between two forwarding engines connected by a link. It provides low-overhead detection of faults even on physical media that don't support failure detection of any kind, such as Ethernet, virtual circuits, tunnels, and MPLS LSPs.
Dense Port Concentrator (DPC): The line card for Juniper routers.
Equal-Cost Multipath (ECMP): A routing strategy in which next-hop packet forwarding to a single destination can occur over multiple "best paths" that tie for top place in routing metric calculations.
Multiprotocol Label Switching (MPLS): A highly scalable, protocol-agnostic, data-carrying mechanism. In an MPLS network, data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, instead of IP addresses, without the need to examine the packet itself.
Virtual Private LAN Service (VPLS): Stretches a VLAN across multiple locations, providing layer 2 connectivity across locations.
Virtual Router Redundancy Protocol (VRRP): A first-hop redundancy protocol; the open-standard counterpart of HSRP.
Traffic Engineering (TE): Provides bandwidth guarantees on MPLS networks.
About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network
infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and
applications over a single network. This fuels high-performance businesses. Additional information can be found at
www.juniper.net.