Lan Connectivity Guide Juniper 905012


  • 8/14/2019 Lan Connectivity Guide Juniper 905012

    1/30

Design Guide

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408.745.2000
1.888 JUNIPER
www.juniper.net

Branch LAN Connectivity Design Guide

Design Considerations for the High-Performance Branch Office LAN

Part Number: 905012-001 January 2008


    Copyright 2008, Juniper Networks, Inc.

Table of Contents

Executive Summary ............ 4
Introduction ............ 4
Branch LAN Categories ............ 4
Services Needed in the Branch ............ 5
Branch LAN Design Considerations ............ 6
Enterprise Computing Trends ............ 6
Considerations for Different Branch Configurations ............ 7
Branch Architecture Overview ............ 8
Layered Approach ............ 8
Benefits ............ 9
Challenges ............ 9
A Network Revolution ............ 9
Access Layer ............ 9
Services ............ 10
Design Considerations ............ 10
VLAN and Spanning Tree Protocol (STP) ............ 11
Using Layer 2 Versus Layer 3 at the Access Layer ............ 12
Implementing Unified Communications ............ 13
Considerations ............ 13
Access Layer Security with IEEE 802.1X and Unified Access Control ............ 16
IEEE 802.1X ............ 16
UAC ............ 16
Access Layer Hardware Configurations ............ 17
Scalable Configuration with Virtual Chassis Technology ............ 17
Aggregation Layer ............ 19
Services and Considerations ............ 19
Branch Office Recommendations ............ 19
WAN Edge Integration ............ 22
WAN Edge Considerations ............ 22
HA ............ 22
Voice Gateway ............ 22
WAN Acceleration ............ 22
Firewall/VPN ............ 22
WAN Edge Recommendations ............ 23
J-series Services Routers ............ 23
Operational Simplicity and Unified Management ............ 24
Achieving Operational Simplicity with JUNOS Software ............ 25
The Power of JUNOS Software ............ 25
Modular Processes ............ 25
Rollback Capability ............ 26
Advanced Features ............ 26
Benefits ............ 26
Impact ............ 26
Unified Management with Juniper Networks NetScreen-Security Manager ............ 27
Benefits ............ 27
Remote Configuration and Management with J-Web ............ 27
Benefits ............ 27
Recommended Branch LAN Configurations ............ 28
Conclusion ............ 30
About Juniper Networks ............ 30

List of Tables

Table 1: Branch LAN Categories ............ 4
Table 2: Highly Available Branch LAN Design Considerations ............ 8
Table 3: JUNOS Operating Efficiencies (Lake Partners 2007) ............ 26
Table 4: Recommended Branch LAN Configurations ............ 28

List of Figures

Figure 1: Highly Available Branch Office LAN Configurations ............ 7
Figure 2: The Layered Approach ............ 8
Figure 3: Access Layer at a Highly Available Medium Branch Office LAN ............ 9
Figure 4: Layer 2 versus Layer 3 at Access Layer ............ 12
Figure 5: IP Phone Connectivity Options ............ 15
Figure 6: Virtual Chassis Technology ............ 17
Figure 7: Reducing CAPEX and OPEX with Virtual Chassis Technology ............ 18
Figure 8: Aggregation Layer in a Highly Available Large Branch Office LAN ............ 20
Figure 9: WAN Edge in a Highly Available Large Branch Office LAN ............ 22
Figure 10: J-series Services Router in a Highly Available Large Branch Office LAN ............ 23
Figure 11: JUNOS The Three Ones: One Source Code, One Train, and One Modular Architecture ............ 25


Executive Summary

Now more than ever, the corporate network is a strategic tool that businesses rely on to support day-to-day operations and succeed in the marketplace. The corporate LAN design is also changing to accommodate an increasingly decentralized workforce as an estimated 89 percent of employees work outside of headquarters (Nemertes Research 2006) in remote branch offices. Business productivity increasingly depends upon the critical operations carried out at distributed branch offices, as enterprises are centralizing applications to simplify operations and reduce costs. These changes create new infrastructure challenges as branch office users require the same fast, secure and reliable access to applications and network resources as those at headquarters. Existing branch office infrastructure solutions cannot meet the requirements needed to provide secure and high-performance access for branch office users, nor do they provide the centralized management capabilities critical for reducing costs and streamlining operations.

A new branch office LAN design that meets branch office security, connectivity and performance challenges while enabling key IT initiatives is needed. It also must scale and flexibly accommodate new computing trends without an entire redesign. This document introduces the issues related to changing branch office needs and also presents design considerations and recommendations for branch LANs of all sizes. In addition, it shows how infrastructure solutions from Juniper Networks advance the economics of networking, allowing businesses to change the rules with their IT investments, and create a truly innovative and competitive environment that helps them increase revenue and raise productivity today and into the future.

Introduction

Remote branch facilities typically contain a relatively small amount of computing resources compared to central facilities or data centers, yet branch office employees have the same resource needs as their colleagues in company headquarters. As most business processes are carried out online, any branch LAN downtime or inefficiency has a negative impact on the corporate bottom line. Secure, high-performance, highly available LAN services are crucial to ensure that each branch facility is always online so that business productivity and customer satisfaction are maximized.

Branch LAN Categories

Branch LANs vary greatly in size, from accommodating one or two users to hundreds of employees, and are categorized as follows for this document:

Table 1: Branch LAN Categories

Branch LAN Category                    | Port Capacity   | Example
Highly available Micro Branch Office   | Up to 5-8 ports | Gas station / Convenience store
Highly available Small Branch Office   | Up to 48 ports  | Retail bank branch
Highly available Medium Branch Office  | Up to 100 ports | Regional sales office
Highly available Large Branch Office   | 100s of ports   | Big box retailer / Department store


Services Needed in the Branch

Regardless of branch office size, the following high-level services are required to optimize efficient business operations:

LAN and WAN Connectivity

The branch office infrastructure must provide secure wired and wireless LAN connectivity for an increasing number of IP devices such as computers, telephones, PDAs, cash registers, kiosks, inventory scanners and surveillance cameras. In addition, the branch must be securely and reliably connected to headquarters and data centers for centralized resources such as file services, data replication and collaboration.

Internet Access

For optimal Web services performance, branch offices today connect directly to the Internet rather than backhauling traffic to headquarters. The Internet is also often used to securely connect to headquarters and data centers via a VPN. Guest Internet access may also be required for partners and/or customers, introducing a new set of security, performance, connectivity and reliability challenges.

High-Performance

Branch application performance must match that found in headquarters and also be maintained over the WAN when accessing any centralized applications or resources.

High Availability (HA)

Since branch offices typically lack local IT staff to manage the network, networking equipment and software that is cost-effective, feature-rich, highly reliable and offers centralized management capabilities is vital. Robust, reliable connectivity is also required. In addition, emerging technologies such as unified communications depend on an optimized and always-on, high-performance network from end-to-end to function effectively.

Security

Security is critical to all branch LAN services. Access to networks and applications must be open and pervasive, yet remain secure and controlled. Today's networks not only need to effectively handle unmanaged devices and guest users attempting network access; they also need to address support for unmanageable devices, post-admission control, and application access control, visibility and monitoring. In addition to standard Unified Threat Management (UTM) services, security policies supporting demilitarized zones (DMZs), ensuring Quality of Service (QoS), mitigating Denial of Service (DoS) and distributed DoS (DDoS) attacks and threats, and ensuring that the organization meets compliance criteria are needed. All security policies should be centrally managed and remotely deployed.

Each of these areas is addressed in more detail in this document and, when appropriate, additional considerations or challenges for a specific service, feature or branch office category are presented.


Branch LAN Design Considerations

A new branch office LAN design is needed as legacy solutions cannot meet these key requirements, nor reduce costs and streamline operations. The LAN design must also scale and accommodate emerging computing trends and additional network services without an entire redesign.

Enterprise Computing Trends

In addition to workforce decentralization and the services previously mentioned, the following trends must be considered in a branch LAN design:

The Proliferation of Unified Communications

The adoption of unified communications including voice, video and data services is on the rise. According to Forrester Research (2006), 46 percent of all companies in North America have installed IP telephony systems and 39 percent use VoIP to communicate with their remote users. Such deployments have a direct impact on the high-performance and HA requirements of a branch LAN. For example, not only must adequate LAN and WAN bandwidth be provisioned, but QoS rules must identify, classify and prioritize traffic to deliver effective VoIP communication services.

Bandwidth Hungry Applications

In addition to the increased bandwidth needed for unified communications, many popular business applications such as Oracle, SAP and PeopleSoft have introduced Web-enabled versions that require, in some instances, more than 10 times the bandwidth of their LAN-based counterparts, seriously impacting performance, reliability and availability.

Increasing Focus on Security

FBI/CSI statistics show that 72 percent of all companies surveyed reported at least one security incident in 2006. Not surprisingly, a 2006 Forrester Research survey found that 57 percent of all firms consider upgrading the security environment a top priority. As critical business processes become more distributed and unified communications present new vulnerabilities, the need for robust security is likely to intensify.

Branch Servers and Server Consolidation

Forrester also reports that 51 percent of all firms consider server centralization and data center consolidation key priorities. At the same time, many branches still need local servers that require extra security, and this requires bandwidth optimization and traffic prioritization. Companies also demand consolidated, centralized management solutions that help reduce the time and resources devoted to keeping branch offices online and operational.


Considerations for Different Branch Configurations

The network infrastructure in today's branch offices is no longer sufficient to satisfy these requirements. Instead of adding additional costly layers of legacy equipment and highly skilled IT resources to support the growing number of devices and services in the branch, enterprises need a new, more integrated and consolidated branch office solution.

Juniper Networks delivers a proven IP infrastructure for the branch office that meets these challenges, enabling the performance, scalability, flexibility, security and intelligence needed to not just meet but increase branch office user productivity. Juniper offers flexible configurations and price points that meet the needs of all branch offices, regardless of size, while delivering high-performance throughput with services such as firewall, UTM, VPN, MPLS, IPv6 and Connectionless Network Service (CLNS) enabled.

In addition to the security, scalability and performance issues inherent in branch offices of all sizes, the design considerations in Table 2 should be taken into account when planning for each highly available branch office configuration:

Figure 1: Highly Available Branch Office LAN Configurations

[Figure: four panels, Highly Available Micro, Small, Medium and Large Branch Office. Each shows a J-series router (J6350 in the large branch) facing the Internet/WAN toward the data center or HQ, EX 4200 Series Virtual Chassis access switches (Floor 1 through Floor N in the large branch), and PoE-attached access points, security cameras and local servers.]


Services

The access layer provides connectivity, Power over Ethernet (PoE), QoS, and security with authentication services and network access control.

Design Considerations

1. Connectivity: Wired Ports and WLAN Access

Accounting for an adequate number of wired ports for all computers, IP phones, CCTV cameras and other IP devices is the first step to addressing port requirements. It's also important to determine the breadth of WLAN access needed for partners, customers and employees. The logical segmentation required and the number of logically separate networks that should share the same LAN must also be determined. These considerations help establish what type of hardware configuration is needed.

Juniper offers a series of reliable, secure, expandable and scalable hardware configurations to address any wired port needs. Many commercial solutions are available for offices that need to provide secure WLAN services. For branches with wireless access requirements, WLAN solutions from Juniper partners Aruba Networks, Trapeze Networks and Meru Networks are recommended.

2. PoE

Most highly available branch offices have IP phones, many of which require PoE to function. Other branch facilities may have PoE security cameras and WLAN devices. Accounting for the correct number of PoE ports is vital as the system configuration depends on it. Some access equipment doesn't provide PoE services, so it's important to make sure to use traditional wall-powered IP phones, CCTV cameras and WLAN access points in those installations.

3. HA in the Branch Network

It's crucial that branch office networks operate with the same reliability and uptime as the headquarters network. Depending on the branch network's needs and available budget, varying levels of HA may be implemented.

a. Device-Level HA

Most device failures are due to power supply failures or mechanical cooling problems. It is important to always support business processes with high quality, carrier-class network devices such as the Juniper Networks J-series or EX-series platforms. Purchasing equipment with dual power supplies and redundant fans or blowers to minimize equipment failure is always recommended, and raises the mean time to repair (MTTR). Additional device-level HA can be provided by doubling up on key devices to assure that there is a backup device to pick up in the event of a failed device. Not all budgets or configurations support a full set of backup devices. In that event, purchasing extra key device components, such as a backup set of field-serviceable or hot-swappable power supplies or fans, helps mitigate the impact of a device failure.

b. Link-Level HA

Ensuring that business processes maintain vital data flow through internal and external resources is provided through Link-level HA. At the branch office, Link-level HA requires that two links operate in an active/backup configuration, such that if one link fails, the other can take over or reinstate the forwarding of traffic that had been previously forwarded over the failed link. Based on the budget and HA requirements, a backup public switched telephone network (PSTN), ISDN or broadband link is provided. In more complex networks, Link-level HA may also be provided between network switches.


c. Network Software HA

JUNOS software is the consistent operating system that powers all of Juniper Networks' switch, router and firewall solutions. It provides carrier-class network software to highly available branch offices of all sizes. JUNOS software supports features like nonstop forwarding (NSF), graceful restart, in-service software upgrade (ISSU), Bidirectional Forwarding Detection (BFD) and other features which together make IP networking as failure-safe and reliable as telephony networks. The JUNOS software's modularity and uniform implementation of all features enables the smallest branch office to benefit from the same hardened services in their devices running JUNOS software as the largest service providers.

VLAN and Spanning Tree Protocol (STP)

Branch office LANs use VLANs to logically group any set of users, devices or data, regardless of location, into logical networks through software configuration instead of physically relocating devices on the LAN. VLANs help address issues such as scalability, security and network management.

VLANs are in essence Layer 2 broadcast domains that exist only within a defined set of switches. Using the IEEE 802.1Q standard as an encapsulation protocol, packets are marked with a unique VLAN tag. Tagged packets are then forwarded and flooded only to stations in the same VLAN. Tagged packets must be forwarded through a routing device to reach any station not belonging to the same VLAN. Any switch or switch port can be dynamically or statically grouped into a VLAN. Alternately, traffic may be grouped into a VLAN and forwarded through specific ports based on the specific data protocol being sent over the LAN. For example, VoIP traffic from a soft phone can be segmented from other traffic and put into a VLAN that gets a higher quality of service.

1. STP

VLANs may create multiple active paths between network nodes, resulting in problematic bridge loops. Since the same MAC addresses are seen on multiple ports, the switch forwarding table can fail. Also, broadcast packets may end up being forwarded in an endless loop between switches, consuming all available bandwidth and CPU resources. STP, the IEEE 802.1D standard, ensures a loop-free topology for any bridged LAN. STP is designed to leave a single active path between any two network nodes by first creating a tree within a mesh network of connected LAN switches and then disabling the links which are not part of that tree. STP thus allows a network design to include redundant links to provide automatic backup paths if an active link fails, without the danger of bridge loops, or the need for manual enabling/disabling of these backup links. Each VLAN can run a separate instance of Spanning Tree Protocol.
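The single-active-path rule described above, as an added worked example that is not from the guide or from Juniper: a Python model of 802.1D root election and blocked-link selection over a constructed four-switch mesh (the bridge IDs, link costs and the failed link are all assumptions), including the re-convergence that turns a blocked backup link into the active path.

```python
"""Simplified IEEE 802.1D spanning-tree computation over a constructed mesh
of branch switches. Added illustration, not Juniper code: it elects the root
bridge (lowest bridge ID), gives every other bridge the single lowest-cost
path to the root, blocks the redundant links, and re-converges after a link
failure so the backup path becomes active without creating a loop."""
import heapq

# Constructed bridge IDs: (priority, MAC). Lower tuple = better, as in 802.1D.
BRIDGES = {
    "agg1": (4096, "00:00:00:00:00:01"),
    "agg2": (4096, "00:00:00:00:00:02"),
    "acc1": (32768, "00:00:00:00:00:11"),
    "acc2": (32768, "00:00:00:00:00:12"),
}
# Constructed links with 802.1D-style path costs (4 = Gigabit, 19 = Fast Ethernet).
LINKS = [
    ("agg1", "agg2", 4),
    ("agg1", "acc1", 4),
    ("agg2", "acc1", 4),
    ("agg1", "acc2", 19),
    ("agg2", "acc2", 4),
    ("acc1", "acc2", 19),
]


def elect_root(bridges):
    """Root bridge election: the lowest (priority, MAC) tuple wins."""
    return min(bridges, key=bridges.get)


def compute_tree(bridges, links):
    """Return (root, forwarding_links, blocked_links).

    Every non-root bridge keeps exactly one link: the one carrying its
    lowest root path cost, ties broken by the upstream bridge's ID. All
    other links are blocked, which is how STP leaves a single active path
    between any two nodes while keeping the redundant cabling in place.
    """
    root = elect_root(bridges)
    adj = {b: [] for b in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost, (a, b)))
        adj[b].append((a, cost, (a, b)))
    # best[bridge] = (root path cost, upstream bridge ID, link used)
    best = {root: (0, bridges[root], None)}
    heap = [(0, bridges[root], root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry
        for nbr, link_cost, link in adj[node]:
            cand = (cost + link_cost, bridges[node], link)
            if nbr not in best or cand[:2] < best[nbr][:2]:
                best[nbr] = cand
                heapq.heappush(heap, (cand[0], cand[1], nbr))
    forwarding = {best[b][2] for b in bridges if b != root}
    blocked = [(a, b) for a, b, _ in links if (a, b) not in forwarding]
    return root, sorted(forwarding), blocked


def fail_link(links, a, b):
    """Topology change: drop one link so the tree can be recomputed."""
    return [l for l in links if l[:2] != (a, b)]


if __name__ == "__main__":
    root, fwd, blk = compute_tree(BRIDGES, LINKS)
    print("root:", root, "forwarding:", fwd, "blocked:", blk)
    # acc2 loses its Gigabit uplink; its blocked Fast Ethernet link takes over.
    root, fwd, blk = compute_tree(BRIDGES, fail_link(LINKS, "agg2", "acc2"))
    print("after failure forwarding:", fwd, "blocked:", blk)
```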

2. Issues with STP

Troubleshooting may be challenging with STP due to complicated routing, incorrect configuration, or mis-cabling. Since every packet must go through the root bridge of the spanning tree, routing performance with STP can also be non-optimal. STP often creates underutilized links and lacks a load balancing mechanism as well. In addition, STP has a slow convergence of up to 30 to 40 seconds after a topology change. To combat this, Rapid Spanning Tree Protocol (RSTP) was created, providing sub-second convergence, but only on point-to-point links. Multiple Spanning Tree Protocol (MSTP), the 802.1s standard, supports multiple instances of STP, but it also increases configuration complexity.


Using Layer 2 Versus Layer 3 at the Access Layer

Access switches are configured to use Layer 2 or Layer 3.

Figure 4: Layer 2 versus Layer 3 at Access Layer

1. Using Layer 2 at the Access Layer

Using Layer 2 at the access layer is the traditional configuration. This provides plug-and-play configuration and makes the deployment in smaller networks easier to implement and manage.

Since this option usually requires Spanning Tree with legacy solutions, troubleshooting can be more difficult in more complex networks, and convergence in case of a switch or link failure often takes too long for larger highly available branch office LANs.

2. Using Layer 3 at the Access Layer

Routing is enabled on the switch when using Layer 3 at the access layer, but it still provides the capability to put users into different VLANs. Layer 3 is more deterministic. No Layer 2 loops are created in this design. STP can be disabled making it easier to troubleshoot, which can be an issue in larger networks. Using OSPF or other open-standard protocols for rapid convergence, sub-second convergence can also be expected. For larger or more complex networks, this is a low-maintenance solution in comparison to using Layer 2 at the access layer.

This option is more costly to deploy with legacy network equipment as Layer 3 usually requires an additional license fee.

3. Recommendation

Unlike competitive products, Juniper Networks solutions provide the ability to deliver either Layer 2 or Layer 3 at the access layer without any added expense, as Layer 3 features are built into the base platform with no extra license required. Instead of STP, Juniper solutions also use open-standard protocols such as OSPF for rapid convergence. LAN designs using the Juniper EX 4200 series with Virtual Chassis technology also benefit from Redundant Trunk Group (RTG) protocol as a built-in, optimized replacement to STP for sub-second convergence and automatic load balancing. And, according to an independent 2007 Lake Partners study [1], operating expense with Juniper Networks solutions can be up to 29 percent lower than competitive solutions. Since cost is not an issue, LAN size and complexity best determine when each solution is most appropriate.

[1] How Operating Systems Create Network Efficiency - Lake Partners Strategy Consultants, Inc. 2007

[Figure 4 diagram: two panels, "Layer 2 at Access" and "Layer 3 at Access", each drawn across the WAN Edge, Aggregation Layer and Access Layer. In the left panel the access layer uses an L2 switch with L2/L3 switches above it; in the right panel L2/L3 switches are used at every layer.]


a. Highly available Micro, Small and Medium Branch Offices

Juniper recommends using Layer 2 at the access layer for highly available micro, small and medium branch offices. Since the micro branch office LAN uses a unified device, the small branch office LAN uses just one access device and one edge device, and medium branch office LANs utilize EX 4200 series switches with Virtual Chassis technology, STP is not required. The resulting designs have fewer devices to manage and eliminate STP, increasing convergence response while reducing CAPEX and OPEX.

b. Highly Available Large Branch Offices

Since the LAN design for highly available large branch offices has a series of redundant devices and connections, Juniper recommends using Layer 3 at the access layer, which is included at no extra cost. In this design, Juniper switches with Virtual Chassis technology deliver high-performance load balancing and simplified device management. This equates to lower CAPEX and OPEX compared to competing solutions.

Implementing Unified Communications

Delivering voice, video and data on a single network infrastructure offers many cost savings and operational simplicity benefits. It lowers communications expense and decreases the overall cost of network ownership. It also simplifies network administration and maintenance operations. However, it also presents a number of network challenges including QoS, security and port-configuration requirements.

Considerations

Unified communications have real-time requirements that are not necessary for most data applications. VoIP packets, for example, must be efficiently transported throughout the LAN and WAN to ensure high quality voice communications, even when the network is experiencing high utilization or congestion. Simply adding more LAN or WAN bandwidth doesn't make the network voice-friendly. Latency, jitter and packet loss are common VoIP challenges that must be accounted for with QoS queuing and scheduling to ensure high quality VoIP communications. In addition to access-based security measures, addressing port density and PoE requirements for IP phones are fundamental to a successful design.

1. QoS

a. Classification and Enforcement

Each type of data flow on the LAN has different QoS requirements. Traditional applications such as Web browsing and email work fine with the best-effort delivery standard on IP networks. However, additional requirements must be met to ensure effective delivery of voice, video conferencing and other real-time applications. Unlike streaming video, for example, real-time voice data can't be cached nor have lost packets retransmitted since both would add an unacceptable delay, ruin the quality of the communication and result in a poor user experience. Voice packets, therefore, must be given top priority when creating QoS policies.

IP phones and other communication devices are likely to be spread throughout the LAN in many different physical locations. VLANs, as discussed earlier, can be used to identify and segment voice, video conferencing and data traffic, regardless of location, into logical VLANs so that the appropriate QoS parameters can be easily applied to maintain optimal service for each data flow.

To facilitate QoS, data can be classified by a combination of physical port, device and protocol. For example, a block of IP phones connected to a specific LAN segment could be placed in a VLAN designated for voice traffic based on their port numbers. Or Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) could be used to discover an IP phone and, in combination with 802.1X, automatically place it on the voice VLAN. Or traffic from a soft phone can be analyzed at the protocol level, with voice data given top priority regardless of the source port. Once the data is classified with the appropriate Differentiated Services Code Point (DSCP), it needs to be queued and scheduled. Most importantly, the same QoS rules need to be enforced consistently throughout the LAN and WAN.
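The three classification methods above (port, device, protocol), followed by DSCP marking and strict-priority scheduling, as an added example in Python that is not code from this guide or from Juniper. Port names, MAC addresses, VLAN IDs, the even-UDP-port RTP heuristic and the queue numbers are assumptions made for the example; the sample frames are constructed.

```python
"""Added example (not code from the Juniper guide): classify LAN frames into
DSCP classes by ingress port, discovered device or protocol, then drain a
congested egress port with a strict-priority scheduler so that voice leaves
first. Port names, MAC addresses, VLAN IDs and the sample frames are all
constructed for the example; queue numbers are an assumption."""
from collections import deque
from dataclasses import dataclass

# Standard DSCP code points: EF (RFC 3246) for voice, AF41 (RFC 2597) for video, 0 for best effort.
DSCP_EF, DSCP_AF41, DSCP_BE = 46, 34, 0
# Queue numbers are an assumption; the guide only states that the EX-series has eight queues per port.
Q_VOICE, Q_VIDEO, Q_BE = 5, 4, 0
VOICE_VLAN, VIDEO_VLAN = 100, 110          # constructed VLAN IDs


@dataclass
class Frame:
    ingress_port: str
    src_mac: str
    vlan: int          # 802.1Q VLAN the frame arrived on
    ip_proto: str      # "udp" or "tcp"
    dst_port: int
    dscp: int = 0      # rewritten by the classifier


class Classifier:
    """Port-, device- and protocol-based classification, in that order."""

    def __init__(self, voice_ports, phone_macs):
        self.voice_ports = set(voice_ports)   # access ports statically assigned to the voice VLAN
        self.phone_macs = set(phone_macs)     # endpoints that identified themselves as phones via LLDP-MED

    def classify(self, f):
        """Mark f.dscp and return the egress queue number."""
        # 1. Port-based: a block of phones on known access ports.
        # 2. Device-based: an IP phone discovered by LLDP-MED, or anything already on the voice VLAN.
        if f.ingress_port in self.voice_ports or f.src_mac in self.phone_macs or f.vlan == VOICE_VLAN:
            f.dscp = DSCP_EF
            return Q_VOICE
        # 3. Protocol-based: a softphone on the data VLAN. RTP media uses even UDP ports;
        #    the 16384-32767 range is an assumption matching common PBX defaults.
        if f.ip_proto == "udp" and 16384 <= f.dst_port <= 32767 and f.dst_port % 2 == 0:
            f.dscp = DSCP_EF
            return Q_VOICE
        if f.vlan == VIDEO_VLAN:
            f.dscp = DSCP_AF41
            return Q_VIDEO
        f.dscp = DSCP_BE
        return Q_BE


class StrictPriorityPort:
    """Eight egress queues; the highest-numbered non-empty queue is always served first."""

    def __init__(self, n_queues=8):
        self.queues = [deque() for _ in range(n_queues)]

    def enqueue(self, frame, queue):
        self.queues[queue].append(frame)

    def drain(self):
        """Dequeue everything in transmission order (what the wire would see)."""
        out = []
        while any(self.queues):
            for q in range(len(self.queues) - 1, -1, -1):
                if self.queues[q]:
                    out.append(self.queues[q].popleft())
                    break
        return out


def demo():
    """Congested port: three data frames arrive before the real-time traffic; voice still goes first."""
    clf = Classifier(voice_ports={"ge-0/0/1"}, phone_macs={"00:11:22:aa:bb:cc"})
    port = StrictPriorityPort()
    frames = [  # constructed sample frames
        Frame("ge-0/0/20", "00:aa:00:00:00:01", 10, "tcp", 80),       # web
        Frame("ge-0/0/20", "00:aa:00:00:00:01", 10, "tcp", 443),      # web
        Frame("ge-0/0/22", "00:aa:00:00:00:02", 10, "tcp", 25),       # mail
        Frame("ge-0/0/1", "00:11:22:aa:bb:cc", 100, "udp", 16400),    # desk phone RTP
        Frame("ge-0/0/21", "00:aa:00:00:00:03", 10, "udp", 20000),    # softphone RTP on the data VLAN
        Frame("ge-0/0/23", "00:aa:00:00:00:04", 110, "udp", 50000),   # video conferencing
    ]
    for f in frames:
        port.enqueue(f, clf.classify(f))
    return [f.dscp for f in port.drain()]


if __name__ == "__main__":
    print(demo())  # [46, 46, 34, 0, 0, 0]
```

The point of the strict-priority drain is the one the text makes: the voice frames were enqueued last but are transmitted first, and the same marking rules applied on the WAN router keep that ordering end to end. A real deployment would also police the voice queue so a misbehaving endpoint marking everything EF cannot starve the data queues.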

b. Built-In Quality of Service

QoS or Class of Service (CoS) features are built into all Juniper infrastructure, security and application acceleration solutions. JUNOS software comes standard with a full complement of QoS services; the EX-series supports eight queues per port and offers a range of policing options from best effort delivery to enhanced delivery to assured delivery. Since the same JUNOS software is found across all Juniper router and switch solutions, the same QoS policies can be used throughout the LAN and WAN design for easy and consistent traffic management. In addition, application-specific integrated circuits (ASICs) in all Juniper solutions support QoS by processing prioritized data and minimizing CPU load.

Note: For more on VoIP QoS, read Juniper pub# 351113-001, August 2005, "VoIP on the WAN: It's a Matter of Priorities."

    2. Security

Implementing unified communications on the data network increases security concerns that can have serious service impacts. Malicious attacks from outside the network and inadvertent attacks from within the network must be prevented. New ways of toll fraud and new security risks like eavesdropping are being discovered at an ever-increasing rate. Additional points of entry are created; a hacked VoIP system now provides a back door to the corporate LAN. Security risks range from viruses, worms and DoS attacks to unauthorized access. Deployment of VoIP solutions, similar to other network appliances, must account for the security of the device itself, as well as how it can be used to attack the network as a whole. Juniper Networks Intrusion Detection and Prevention (IDP) solutions are recommended to thwart VoIP-related attacks in addition to typical intrusions. An 802.1X solution should be used to authenticate and manage endpoints via policy-based access. Using the protocol-specific Application Level Gateway (ALG) features on all firewalls is recommended to dynamically open and close ports for each VoIP call.

3. Port Requirements

Implementing unified communications has a direct impact on port density and PoE requirements.

    a. Port Density

An adequate number of ports must be available to provide LAN connectivity for each IP phone or other communication device. Juniper EX-series switches support two main options to connect IP phones to the LAN, each presenting different port requirements.


    Figure 5: IP Phone Connectivity Options

    - Daisy-Chaining to LAN Via IP Phone

Most IP phones have a 10/100 pass-through LAN port, allowing the PC and IP phone to be daisy-chained and then connected to the LAN via one LAN port. Data and voice traffic can be combined in one VLAN or, better yet, segmented into two separate VLANs. Since the second configuration uses only one physical LAN port and takes advantage of separate VLANs, it is commonly used in IP phone deployments.

With this option, a broadcast-intensive PC or a broadcast-heavy domain may hamper real-time communications. Since all data from the PC needs to go through the phone to get to the LAN, or from the LAN through the phone to get to the PC, unexpected data traffic could potentially overload the phone and ruin effective communication. High-broadcast environments are therefore strongly discouraged in order to provide an acceptable user experience and optimal audio quality. To mitigate this risk, it is recommended that voice and data be kept on separate VLANs. If voice and data must be mixed, the VLAN should contain no more than 250 other hosts and have as low a broadcast rate as possible. The maximum broadcast rate should not surpass 500 per second, with an absolute maximum of 1,000 per second.

Note: For more details, please read the Avaya IP Telephony Implementation Guide, COMPAS ID 95180.

    - Using Independent LAN Connections

Two LAN ports are used in this configuration to provide physical separation of both the devices and the data flow for security and easier VLAN segmentation. Usually used in 10/100BASE-T LANs, this method ensures that the voice data is not mixed with nor affected by any potential data flooding from or to the PC.

[Figure 5 shows the two options side by side: daisy chaining to the LAN via the IP phone, with data and voice in one VLAN or in a separate voice VLAN and data VLAN; and independent LAN connections, with the phone on the voice VLAN and the PC on the data VLAN, both terminating on a Virtual Chassis access switch.]

The issue with this option is in not having enough physical ports available, which is easily addressed with the scalable Juniper EX-series switches presented in the Access Layer Hardware Configurations section. Depending on the number of phones required, however, it may be more costly than the first option.

    b. PoE

Many IP phones and CCTV devices have neither internal nor external power supplies and instead obtain their system power from a PoE connection. All devices needing PoE must be accounted for when compiling port requirements. It's also important to know the class of each IP phone and the power draw of each device.

The access layer devices traditionally used by highly available micro branch offices don't offer PoE services. Wall-powered IP phones and cameras need to be used when planning for unified communications in that type of branch LAN.

For branches with IP telephony and unified communications requirements, solutions from Juniper partners Avaya and Microsoft are recommended.
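The port density, PoE and broadcast-rate rules from the Port Requirements section above, turned into a planning check. This is an added example in Python, not code from this guide or from Juniper. The per-class wattages are the IEEE 802.3af figures; the 15.4 W per-port limit and the 24/48-port switch options with PoE on eight or all ports are the ones the guide cites. No per-switch PoE power budget is assumed, and the device counts, phone classes and broadcast counter readings are constructed sample input.

```python
"""Added example, not from the guide: a planning check for the IP-phone
connection models and PoE requirements described above. Per-class wattages
are the IEEE 802.3af PSE figures; the 15.4 W per-port limit and the switch
options are the ones the guide cites. Device counts, phone classes and
broadcast counters are constructed sample input."""
import math

POE_CLASS_WATTS = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4}   # IEEE 802.3af, power at the switch port
PORT_POE_WATTS = 15.4                                   # per-port maximum cited by the guide

SWITCH_OPTIONS = [  # (name, total ports, ports that supply PoE)
    ("24-port partial PoE", 24, 8),
    ("24-port full PoE", 24, 24),
    ("48-port partial PoE", 48, 8),
    ("48-port full PoE", 48, 48),
]


def ports_required(phones, pcs, cameras, daisy_chain):
    """Return (access ports needed, PoE ports needed).

    Daisy chaining puts a PC behind its phone, so each phone/PC pair uses one
    port; PCs with no phone, and cameras, still need their own port. Independent
    connections give every device its own port. Phones and cameras need PoE."""
    if daisy_chain:
        ports = phones + max(pcs - phones, 0) + cameras
    else:
        ports = phones + pcs + cameras
    return ports, phones + cameras


def poe_watts(classes):
    """Worst-case draw for a list of 802.3af device classes; an unknown class counts as class 0."""
    return round(sum(POE_CLASS_WATTS.get(c, PORT_POE_WATTS) for c in classes), 1)


def choose_switch(ports, poe_ports):
    """Option needing the fewest units; on a tie prefer fewer PoE ports (the cheaper box)."""
    best = None
    for name, total, poe in SWITCH_OPTIONS:
        units = max(math.ceil(ports / total), math.ceil(poe_ports / poe))
        if best is None or (units, poe) < (best[1], best[2]):
            best = (name, units, poe)
    return best[0], best[1]


def broadcast_check(hosts, bcast_counter_samples, interval_s):
    """Validate a mixed voice/data VLAN against the guide's limits.

    bcast_counter_samples are successive readings of the VLAN's broadcast frame
    counter (for example ifHCInBroadcastPkts summed over its member ports)
    taken interval_s apart. Returns (peak broadcasts per second, findings)."""
    rates = [(b - a) / interval_s
             for a, b in zip(bcast_counter_samples, bcast_counter_samples[1:])]
    peak = max(rates) if rates else 0.0
    findings = []
    if hosts > 250:
        findings.append("%d hosts on the VLAN exceeds the 250-host limit" % hosts)
    if peak > 1000:
        findings.append("peak %.0f broadcasts/s exceeds the 1,000/s absolute maximum" % peak)
    elif peak > 500:
        findings.append("peak %.0f broadcasts/s exceeds the 500/s target" % peak)
    return peak, findings


if __name__ == "__main__":
    # Constructed branch: 30 class-3 phones each with a PC, plus 2 class-0 cameras.
    for daisy in (True, False):
        ports, poe = ports_required(phones=30, pcs=30, cameras=2, daisy_chain=daisy)
        print("daisy-chain" if daisy else "independent", ports, poe, choose_switch(ports, poe))
    print(poe_watts([3] * 30 + [0] * 2))
    print(broadcast_check(120, [0, 12000, 30000, 36000], 30))
```

For the constructed branch the daisy-chain model fits in a single 48-port full-PoE switch while independent connections need two, which is the cost trade-off the text describes. The broadcast check is the one to run before deciding to mix voice and data in one VLAN: take the counter readings over a busy period, not an idle one, since the 500/s target is about the peak the phone has to absorb.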

Access Layer Security with IEEE 802.1X and Unified Access Control

Increasing security threats and risks force branch office LANs to remain secure and controlled on all fronts, yet also provide open and pervasive access to maintain and increase productivity. 802.1X and Juniper Networks Unified Access Control (UAC) are used to effectively handle unmanaged devices and guest users attempting network access, as well as to support unmanageable devices, post-admission control, and application access control, visibility and monitoring.

    IEEE 802.1X

The 802.1X standard provides a strong framework for authentication and port-based network access control, and the keying material its EAP methods derive is what wireless LANs build their data privacy on. An 802.1X access control solution completes the authentication of network credentials even before a network IP address is assigned, thus preventing unauthorized access and ensuring that viruses and other threats are halted before they can spread into an organization. After login, Dynamic Port-Based Role Configuration is used to restrict use of specific resources.

UAC

Juniper Networks UAC solution combines identity-based policy and endpoint intelligence to give enterprises real-time visibility and policy control throughout the network. The UAC solution may make use of all or some of the following components: an Infranet Controller, which serves as a centralized policy manager; a UAC Agent, which is dynamically downloadable or agentless endpoint software; and several different forms of enforcement points that include both firewalls and vendor-agnostic 802.1X-compliant switches and/or WLAN access points. UAC provides a cost-effective solution to the problem of unmanaged or ill-managed endpoint security throughout the LAN. In essence, UAC enables the creation of a powerful network perimeter defense via robust admission controls that ensure that endpoints comply with required OS updates, security patches, personal firewall requirements, virus signatures, and so on, before being allowed access to the LAN.
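The two 802.1X properties the section relies on, authentication before any IP address can be obtained and a port role assigned by the authentication result, as an added example in Python that is not code from this guide, from Juniper or from the UAC product. The attribute names and numeric values are the real ones from RFC 3580; the credential table, MAC addresses, port names and VLAN IDs are constructed, and the "RADIUS server" is a local dictionary lookup standing in for a real EAP/RADIUS exchange.

```python
"""Added example (not Juniper's code): a minimal model of an 802.1X
authenticator port, showing why a supplicant cannot even send a DHCP request
before it has authenticated, and how the RADIUS Access-Accept drives the
port's VLAN (the dynamic port-based role). Attribute names and values are the
RFC 3580 ones; the policy table, MACs and VLAN IDs are constructed and the
RADIUS server is a local lookup standing in for a real one."""

ETHERTYPE_EAPOL = 0x888E   # the only traffic an unauthorized controlled port passes
ETHERTYPE_IPV4 = 0x0800

# RFC 3580 values carried in a RADIUS Access-Accept to assign a VLAN.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Constructed policy: identity -> Access-Accept attributes; anything else is rejected.
RADIUS_POLICY = {
    "phone-00:11:22:aa:bb:cc": {"Tunnel-Type": TUNNEL_TYPE_VLAN,
                                "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
                                "Tunnel-Private-Group-ID": "100"},   # voice VLAN
    "alice": {"Tunnel-Type": TUNNEL_TYPE_VLAN,
              "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
              "Tunnel-Private-Group-ID": "10"},                      # staff data VLAN
    "printer-00:aa:00:00:00:99": {},                                 # accepted, no VLAN attributes
}


def radius_access_request(identity):
    """Stand-in for the EAP/RADIUS exchange: Access-Accept attributes, or None for Access-Reject."""
    return RADIUS_POLICY.get(identity)


class AuthenticatorPort:
    def __init__(self, name, default_vlan):
        self.name = name
        self.default_vlan = default_vlan   # used when an Access-Accept carries no usable VLAN attributes
        self.state = "UNAUTHORIZED"
        self.vlan = None
        self.log = []

    def ingress(self, ethertype, payload):
        """The controlled port: EAPOL is processed; everything else is dropped until authorized."""
        if ethertype == ETHERTYPE_EAPOL:
            return self._authenticate(payload)
        if self.state != "AUTHORIZED":
            self.log.append("%s: dropped 0x%04x frame %r (port unauthorized)"
                            % (self.name, ethertype, payload))
            return "DROP"
        return "FORWARD vlan %d" % self.vlan

    def logoff(self):
        """EAPOL-Logoff (or link down): the port falls back to unauthorized immediately."""
        self.state, self.vlan = "UNAUTHORIZED", None

    def _authenticate(self, identity):
        attrs = radius_access_request(identity)
        if attrs is None:
            self.logoff()
            self.log.append("%s: Access-Reject for %s" % (self.name, identity))
            return "REJECT"
        # Trust the VLAN only if the reply says it is an IEEE 802 VLAN assignment (RFC 3580).
        vlan = self.default_vlan
        if (attrs.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
                and attrs.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_IEEE802
                and str(attrs.get("Tunnel-Private-Group-ID", "")).isdigit()):
            vlan = int(attrs["Tunnel-Private-Group-ID"])
        self.state, self.vlan = "AUTHORIZED", vlan
        self.log.append("%s: Access-Accept for %s, vlan %d" % (self.name, identity, vlan))
        return "ACCEPT vlan %d" % vlan


def walkthrough():
    """Constructed sequence on one port: DHCP before auth, a rejected user, then an accepted phone."""
    port = AuthenticatorPort("ge-0/0/5", default_vlan=10)
    results = [
        port.ingress(ETHERTYPE_IPV4, "DHCPDISCOVER"),               # DROP: no IP address before authentication
        port.ingress(ETHERTYPE_EAPOL, "mallory"),                   # REJECT: unknown identity
        port.ingress(ETHERTYPE_IPV4, "DHCPDISCOVER"),               # still DROP
        port.ingress(ETHERTYPE_EAPOL, "phone-00:11:22:aa:bb:cc"),   # ACCEPT vlan 100
        port.ingress(ETHERTYPE_IPV4, "DHCPDISCOVER"),               # FORWARD vlan 100
    ]
    port.logoff()
    results.append(port.ingress(ETHERTYPE_IPV4, "DHCPDISCOVER"))   # DROP again after EAPOL-Logoff
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The check on Tunnel-Type and Tunnel-Medium-Type before honouring Tunnel-Private-Group-ID is the detail practitioners most often skip: a RADIUS reply can carry tunnel attributes for other purposes, and a switch that takes any Tunnel-Private-Group-ID as a VLAN number can be steered onto the wrong segment by a misconfigured server. In a UAC deployment the posture check described above happens before the Access-Accept is issued, so a non-compliant endpoint never reaches the authorized state.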


Access Layer Hardware Configurations

To meet the access requirements of any sized branch office, Juniper provides a scalable chassis solution.

Scalable Configuration with Virtual Chassis Technology

A branch office LAN must be able to accommodate growth and adapt to new technologies. This needs to be done economically from capital expense, network overhead and network operational expense perspectives. Juniper Networks addresses these requirements with a true innovation: EX 4200 series switches. This solution advances the economics of networking by delivering the High Availability and high port densities of a modular chassis in a compact, cost-effective, pay-as-you-grow platform.

1. Features and Benefits

Each compact EX 4200 series switch offers either 24 100BASE-FX/1000BASE-X ports, 24 10/100/1000BASE-T ports or 48 10/100/1000BASE-T ports. The 10/100/1000BASE-T platforms offer either full or partial PoE options (partial solutions provide PoE on the first eight ports of the switch; full options provide PoE on all 24 or 48 ports). Each PoE port delivers up to 15.4 watts of power and is compatible with class 0-3 IP phones. The EX 4200 series switches' built-in LLDP-MED services help automate and extend the power management of these PoE endpoints as well as assist with inventory management and directories.

Each EX 4200 series switch supports optional front-panel uplink modules supporting either four GbE or two 10 GbE ports for high-speed connections to aggregation or core switches. These uplinks support online insertion and removal.

    Figure 6: Virtual Chassis Technology

    2. Pay-As-You-Grow Scalability

The Juniper Networks Virtual Chassis technology enables a branch to add as many EX 4200 series switches as needed to meet its connectivity needs. Juniper's unique pay-as-you-grow model allows a branch to start with a single EX 4200 series switch (1 RU) and incrementally add up to nine more switches to the virtual chassis at any time, for a total of 10 switches before starting another virtual chassis. Resiliently interconnected via a 128 Gbps virtual backplane or 10 GbE uplink module, a fully-loaded Virtual Chassis configuration supports up to 240 100BASE-FX/1000BASE-X ports, 480 10/100/1000BASE-T ports, or any combination of the two, plus up to twenty 10 GbE uplink ports. Not only does Virtual Chassis technology lower capital expenses when compared to traditional chassis systems, but it dramatically reduces operating expenses by enabling any group of interconnected switches to appear on the network and be remotely managed as a single unit. Coupled with the incremental, pay-as-you-grow model, the compact form factor of the virtual chassis enables the branch to save not only on upfront and recurring rack space usage but also on costly power and cooling fees.

[Figure 6 compares a legacy aggregation switch (12-15 rack units, 48-288 GbE ports plus four 10 GbE) with EX 4200 series Virtual Chassis configurations of 1 RU (24 GbE ports plus two 10 GbE), 2 RU (48 GbE ports plus four 10 GbE) and 4 RU (96 GbE ports plus eight 10 GbE).]

Small branch offices on a budget may consider the Juniper Networks EX 3200 series switch, which provides most of the same robust features as the EX 4200 series with the exception of Virtual Chassis technology.

    3. Carrier-Class Reliability

The EX 4200 series switches with Virtual Chassis technology also provide the same HA features as modular chassis-based systems. Each switch supports redundant, load-sharing, hot-swappable AC or DC power supplies, as well as a field-replaceable hot-swappable fan tray with redundant blowers, any of which can fail without affecting operations.

Virtual Chassis technology provides unparalleled device and link HA utilizing the virtual backplane protocol and JUNOS software. Each set of interconnected switches with Virtual Chassis technology automatically takes full advantage of the multiple Routing Engines present to deliver Graceful Routing Engine Switchover (GRES) and non-stop forwarding to ensure uninterrupted operation in the rare event of any individual switch failure. For added device and link HA, a virtual chassis can be configured to address any requirements. For example, a single virtual-chassis configuration of 10 switches could be configured instead as two five-switch virtual-chassis configurations, or in any other desired combination.

4. Location Independence

Another key feature of Virtual Chassis technology is that the virtual backplane protocol can also be extended across the 10 GbE uplink ports to interconnect switches that are more than a few meters apart, creating a single virtual switch that spans multiple wiring closets, floors or even data center server racks. Even when separated by long distances, interconnected switches with Virtual Chassis technology can be managed, monitored, upgraded and otherwise treated as a single resilient switch, dramatically reducing recurring management and maintenance costs.

    Figure 7: Reducing CAPEX and OPEX with Virtual Chassis Technology

[Figure 7 shows Floor 1 through Floor N, each with a West closet and an East closet of L2/L3 switches and access points; with Virtual Chassis technology spanning the closets there are 50% fewer wiring closets to manage.]

    5. Reducing CAPEX and OPEX

At one eighth the footprint and less than one third the cost of the most commonly purchased chassis-based switch offering 48 fiber GbE ports and four 10 GbE wire-speed ports, the Juniper EX 4200 series with Virtual Chassis technology represents the new generation of switching.

The Juniper EX 4200 series switches come standard with features that are costly add-ons in competitive solutions. For example, the EX 4200 series includes Layer 3 in the base platform, offers built-in 10 GbE uplink capability, delivers partial or full PoE, provides built-in redundant power supplies and more in a single cost-optimized platform. OPEX savings include the unified JUNOS software feature set and remote mirroring capability for full troubleshooting from a central Network Operations Center (NOC), rather than having to send IT staff onsite for maintenance, upgrades and debugging.

Not only does Juniper Networks lower capital and operational expense by collapsing layers and therefore reducing the number of devices in the network that need to be purchased and managed, but Virtual Chassis technology saves on valuable rack space, as well as recurring power and cooling costs. Delivering greater value while reducing capital and operational expenses, Virtual Chassis technology frees up precious IT budget dollars that can be more wisely invested in new technologies that improve business productivity.

Note: For a full set of features, benefits and specifications, please view the Juniper Networks EX 4200 series with Virtual Chassis Technology Data Sheet.

    Aggregation Layer

The aggregation layer, sometimes referred to as the distribution layer, aggregates connections and traffic flows from multiple access layer switches to provide connectivity to LAN core or WAN edge layer switches.

    Services and Considerations

Due to their location in the network, aggregation-layer switches must provide scalability, high-density, wire-rate ports, and high-availability hardware and software features that deliver carrier-class reliability and robustness.

The aggregation layer is also a location from which to deploy additional services, such as Dynamic Host Configuration Protocol (DHCP), a vital service used by networked devices and clients. A local DHCP service is necessary for the branch office LAN to function at all if WAN connectivity to the headquarters or data center is lost. Another valuable aggregation layer service is in providing high-performance connectivity to local application servers in the branch office.

Branch Office Recommendations

1. Highly Available Micro Branch Office

In a micro branch office, all layers, including the aggregation layer, are collapsed into the WAN edge layer. A Juniper Networks J-series Services Router, covered in more detail in the WAN Edge section, is used for all services.

2. Highly Available Small and Medium Branch Office

In small and medium branch offices, the aggregation layer is collapsed into the access layer. The EX 4200 series switches with Virtual Chassis technology not only provide hardware HA features and pay-as-you-grow scalability with features such as full or partial PoE, but their high throughput capacity and 10 GbE uplink capacity eliminate the need for aggregation switches in these branch designs. Additionally, the EX 4200 series switches deliver wire-rate connectivity, high throughput capacity and industry-leading low latency, making them the ideal platform with which to connect local servers. This reduces capital expenses and simplifies network operations.


The EX 4200 series switches also run the JUNOS software, providing full network software HA features and further simplifying network operations. These switches also connect to a J-series Services Router at the WAN edge, which also provides DHCP.

3. Highly Available Large Branch Office

Due to the performance requirements of a highly available large branch office, HA features and scalability are increased with a LAN design including an aggregation layer.

Figure 8: Aggregation Layer in a Highly Available Large Branch Office LAN

In addition to the EX 4200 series switches with Virtual Chassis technology deployed at the access layer, two more virtual chassis are added as aggregation layer devices between the access layer switches and the two J-series Services Routers at the WAN edge.

a. HA

Virtual Chassis technology enables fail-safe operations, as each unit is capable of passing data from one to another in the event of a failure. Redundant links to each WAN edge device are also provided in the event of a device or link failure. In addition to the device HA features standard in the EX 4200 series switches, all equipment runs JUNOS software, providing software HA features such as GRES, preserving forwarding and routing operations during device events with non-stop forwarding and automatic load balancing.

b. Scalable Performance

Each EX 4200 series switch with Virtual Chassis technology provides pay-as-you-grow scalability with features such as no (fiber only), full or partial PoE capability (8/24 or 8/48 ports). Virtual Chassis technology enables seamless scaling by allowing up to 10 EX 4200 series switches to be interconnected via a 128 Gbps backplane or via optional 10 GbE uplink modules. Virtual Chassis technology simplifies administration as these devices can be managed as one unit. In addition, multiple 10 GbE uplinks from any of the switches that are members of the same virtual-chassis configuration, regardless of physical location, can be link-aggregated for higher bandwidth connections to other aggregation or core switches. Uplinks from the members of a virtual chassis (up to 10 EX 4200 series switches) can be bundled into a Link Aggregation Group (LAG) to provide load balancing for increased upstream performance and further link-level HA.

If more ports or throughput are required, another virtual chassis of up to 10 EX 4200 series switches can be created. If extra device and link redundancy is required, as many virtual chassis as desired can be deployed.

[Figure 8 shows Floor 1 through Floor N of EX 4200 series access switches with PoE-powered security cameras and access points, an EX 4200 series aggregation layer, and two J-series routers connecting to the WAN and the Internet.]

To meet the aggregation demands of even the largest branch office, the top-of-the-line EX 8200 Terabit-chassis switch delivers a powerful, high-density, high-performance solution. Capable of up to 3.2 Tbps throughput, the EX 8200 series Ethernet switches offer up to 64 (eight-slot chassis) or 128 (16-slot chassis) wire-speed 10 GbE ports.

    c. CAPEX and OPEX Savings

Typically more than two layers of legacy Layer 3 switches are required to achieve the wire-speed port densities demanded by today's high-performance large branch office. The Juniper Networks EX 4200 series switches, however, meet these needs and also enable the collapse of the LAN core and aggregation layers, creating a direct positive impact on the economics of networking. Virtual Chassis technology also simplifies network operations and lowers operating expense on all fronts, from JUNOS software upgrades and moves, adds and changes to troubleshooting and problem resolution.

Previously, only expensive chassis-based switches could provide the combination of high 1000BASE-X fiber port densities and the HA features required to satisfy aggregation layer requirements. While certainly scalable and highly available, these modular chassis-based switches are not a very cost-effective solution for such applications. First, they require a considerable up-front investment for the chassis and common equipment, even if not fully populated. Second, because of their size, modular chassis require more space in already crowded racks, taking up valuable real estate. Third, modular chassis require more power and cooling, recurring costs that increase operational expenses and contribute to the production of greenhouse gases that threaten the environment.

The Juniper EX 4200 series switches with Virtual Chassis technology represent the new generation of aggregation switching. They deliver greater value while reducing capital and operating expenses, freeing up valuable IT resources to invest in new technologies to improve business productivity.

Note: For a full set of features, benefits and specifications, please view the Juniper Networks EX 4200 Switches with Virtual Chassis Technology data sheet.


WAN Edge Integration

WAN connectivity provides a vital link from the branch office to centralized services and resources. Designing and scaling a branch LAN for assured network connectivity and performance is a challenge that every high-performance organization faces.

Figure 9: WAN Edge in a Highly Available Large Branch Office LAN

    WAN Edge Considerations

    HA

All WAN edge devices must provide a full complement of HA services to maintain critical WAN connectivity. The hardware must be robust and ideally offer dual hot-swappable power supplies and fans, preferably on-board. Based on the budget and HA requirements, key devices should be paired in active/active routing states. A PSTN link, at minimum, should be provisioned as a backup or alternate connection to the Internet or WAN.

    Voice Gateway

Secure and optimized voice services should be provided at the WAN edge to enable effective communications across the LAN and WAN. Either an integrated or standalone VoIP gateway may be implemented.

    WAN Acceleration

Adding more bandwidth doesn't automatically deliver LAN-like performance across the WAN. Acceleration services are needed to optimize performance of centralized applications across the WAN at all times, even when bandwidth is constrained.

    Firewall/VPN

Security must be provided at the WAN edge, including VPN connections to remote locations and users as well as integrated firewall services to protect against worms, trojans, viruses and other malware. Such services should be centrally managed to facilitate rapid deployment and minimize ongoing operational costs.

[Figure 9 shows the same large branch LAN as Figure 8 (EX 4200 series access switches per floor with PoE security cameras and access points) with the two J-series routers highlighted as the WAN edge layer connecting to the WAN and the Internet.]

    WAN Edge Recommendations

A WAN edge routing platform must offer sufficient high-speed Ethernet ports to provide connectivity between the WAN and the aggregation or access layer. The Juniper Networks J-series Services Router meets these requirements and more. The J-series runs JUNOS software, providing advanced carrier-class and field-proven routing features including QoS, and also offers firewall and VPN services for securing WAN traffic.

Should security be the primary focus at the WAN edge, the Juniper Secure Services Gateway (SSG) platforms could also be considered.

    J-series Services Routers

The J-series is a services router that provides predictably high performance and a modular, carrier-class interface that delivers secure, reliable and scalable network connectivity. It is used in all highly available branch office solutions in a number of capacities: as a unified device for micro branch offices, and as a WAN edge platform for small, medium and large branch offices.

Figure 10: J-series Services Router in a Highly Available Micro Branch Office LAN (a single J-series router with an access point, connected to the WAN and the Internet)

    1. Features and Bene ts

In addition to providing high-throughput and high-capacity wired ports, all J-series platforms run the modular JUNOS software, which offers advanced services such as MPLS, IPv6, QoS and multicast in the base system at no additional license fee or upgrade. This not only reduces operating expense, but also capital expense, by consolidating multiple physical networks and providing support for diverse Layer 2 networks over a common infrastructure.

    2. Integrated Services

In addition to a Command Line Interface (CLI), J-Web, built into JUNOS software, offers remote Web-based management of all J-series models. Built-in troubleshooting also minimizes network downtime and decreases operating expenses and revenue losses due to outages. The J-series also includes integrated voice, WAN acceleration, and firewall and VPN services.

    a. Integrated Voice Gateway

The Avaya IG550 voice gateway is integrated as a standard feature on some J-series models, and is available as an option on other models, providing best-in-class IP telephony. Juniper and Avaya equip branches of all sizes with access to a full suite of intelligent communications applications in a way that keeps costs under control and minimizes complexity for local IT staff. In addition, this joint solution offers multiple levels of business continuity options, designed to enable branches to continue effective operations under a variety of emergency or network conditions.

    b. Application Acceleration with the WXC Integrated Services Module

Included in the J-series, the WXC Integrated Services Module provides distributed enterprises with an easy-to-use, scalable approach to accelerating application delivery over the WAN. Based on the integrated WX Framework, the WXC module optimizes bandwidth use on WAN circuits and accelerates application performance by leveraging a mix of bandwidth management, compression, caching, path optimization and protocol acceleration techniques. For example, the WXC module lowers bandwidth requirements for file sharing and data replication processes by up to 98 percent, and even VoIP bandwidth can be reduced by up to 30 percent. A broad set of centralized management tools ensures that remote performance remains on a par with local access, even over constrained and contentious links.

    c. Firewall/VPN

The J-series solutions provide the essential security functions required for securely connecting sites over the Internet, including integrated firewall and IPsec VPN. The platform also supports centralized user security policy and enables a unique HA option in the form of dynamic route-based VPNs. Virtualization technologies allow segmentation of the network into many separate zones within a single platform for enforcing compliance with corporate security policies.

    3. HA Hardware

The J-series provides dual field-serviceable power supplies and dual field-serviceable fans, standard on some models and optional on others, to maximize device-level HA.

    4. Expandability

The J-series offers the performance headroom and extensible memory to meet future demands, providing unmatched reliability, investment protection and value for the enterprise. Each J-series unit can be enhanced with a variety of optional physical interface modules (PIMs). Though it offers no PoE capabilities, its port capacity can be easily expanded from four to 48 10/100/1000BASE-T ports with a series of PIMs.

Note: For a full set of features, benefits and specifications, please see the Juniper Networks J-series Services Routers Data Sheet.

Operational Simplicity and Unified Management

Network operations form a large portion of any IT budget, and any methods of simplifying branch LAN operations help reduce operations expense. The four main challenges that complicate the streamlining of network operations are:

    Inconsistent Feature Set

Most hardware solutions have different operating systems or feature implementations for each platform. This requires IT to invest considerably in training to master a variety of interfaces. It also adds a layer of inefficiency and complexity while increasing the potential for misconfiguration when trying to apply consistent enterprise-wide services across the branch office LAN and WAN.

    Upgrades and Deployments

Testing and deploying operating system upgrades or patches can be a time-consuming and ongoing process due to the number of different operating systems found in most legacy branch LAN solutions and the varying release schedules to which each adheres.


    Unreliable Monolithic Operating Systems

Legacy hardware solutions have operating systems built on a monolithic architecture with each code function intertwined with the others. If any part of the monolithic program fails, for example a bug in Simple Network Management Protocol (SNMP), the operating system crashes. Such a fault can cause the line cards to crash or restart, resulting in hundreds of seconds of downtime.

Lack of Unified Management

The lack of unified features also impacts all aspects of setting and managing device configurations, network settings and security policies. Not only do different interfaces increase the time of each task, but operations costs are further increased as IT needs to visit remote branch locations to configure devices, apply network settings and set security policies. What's needed instead is a set of unified and centralized management tools to address these types of operations remotely.

Juniper Networks addresses all of these issues and reduces costs by providing JUNOS software, Juniper Networks NetScreen-Security Manager (NSM), and J-Web.

Achieving Operational Simplicity with JUNOS Software

JUNOS software is the common operating system on all Juniper Networks switches, routers, firewalls and acceleration solutions. Not only does JUNOS software deliver advanced carrier-class network services, it provides a consistent feature set and a centralized management capability which simplifies planning, speeds implementation, and enables intuitive day-to-day operations and management of any network.

The Power of JUNOS Software

Fundamental to the value of the JUNOS software are the three ones: one source code, one release train and one modular architecture. By running a common operating system on all products, Juniper dramatically reduces maintenance and management overhead while ensuring interoperability and a consistent feature set across all products.

Figure 11: JUNOS Software, The Three Ones: One Source Code, One Train and One Modular Architecture

    Modular Processes

The JUNOS software is a completely modular operating system, enabling a functional division of labor for seamless development and operation of many advanced features and capabilities. By partitioning the software system, tasks are broken into manageable subsets that interact infrequently and provide new levels of fault-tolerance. Unlike monolithic operating systems, each key JUNOS software function executes as an independent process and runs in its own protected memory space. Loading or executing one doesn't affect the others. One daemon can restart independently without disrupting another or forcing a full system crash or restart. A benefit of this approach is the ability to maintain full control of the switch or router at all times. Because of the separation of control, forwarding and services, filters can be added in real time to thwart a DDoS attack.

[Figure 11 artwork: "One OS, One Release, One Architecture" release train timeline showing 8.5 (Q407), 9.0 (Q108) and 9.1 (Q208) across platforms from the J-series to the TX Matrix; image not reproduced]


    Rollback Capability

JUNOS software also offers error-resilient configuration that prevents operators from inadvertently bringing down the network. IT must explicitly commit changes after entering and reviewing all modifications. If a configuration change causes loss of connectivity to the device and no follow-up confirmation is provided, the device automatically reverts back to the previous configuration, restoring connectivity, saving time and ensuring Link-level HA for remotely operated branch deployments. In addition to automatically checking for errors or incorrectly constructed configurations that could cause potential problems, JUNOS software provides a rollback command to quickly restore any of the 50 prior configurations.
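The commit-with-confirmation and rollback behaviour described above is easiest to reason about as a small state machine: edits land in a candidate, a commit activates it, a timed commit reverts itself unless a second commit confirms it, and every committed configuration stays restorable. The following Python model is an added illustration written for this guide; it is not Juniper code and does not reproduce the JUNOS CLI. The configuration keys, the host names and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed sample values, and the sanity checks in `check()` are a stand-in for the far richer validation a real commit performs.

```python
"""Added illustration (not Juniper code) of candidate/active configuration,
commit confirmed and rollback history as described in the design guide."""
from typing import Dict, List, Optional

Config = Dict[str, str]
MAX_SAVED = 50  # the guide: rollback can restore any of the 50 prior configurations


class ConfigStore:
    """Minimal model: 'set' edits a candidate, 'commit' activates it, and each
    committed configuration is kept so that 'rollback N' can bring it back."""

    def __init__(self, initial: Config) -> None:
        self.active: Config = dict(initial)
        self.candidate: Config = dict(initial)
        self.saved: List[Config] = [dict(initial)]      # saved[0] is the active config
        self.confirm_deadline: Optional[float] = None   # armed by 'commit confirmed'

    def set(self, key: str, value: str) -> None:
        self.candidate[key] = value                     # never touches the active config

    def check(self) -> List[str]:
        """Commit-time sanity checks (stand-in for real validation)."""
        errors = []
        if not self.candidate.get("system.host-name"):
            errors.append("system host-name is required")
        if not any(k.startswith("interfaces.") for k in self.candidate):
            errors.append("no interfaces configured")
        return errors

    def commit(self, now: float, confirmed_minutes: Optional[int] = None) -> None:
        """Activate the candidate. A plain commit also confirms a pending
        'commit confirmed'; passing confirmed_minutes arms the revert timer."""
        errors = self.check()
        if errors:
            raise ValueError("commit failed: " + "; ".join(errors))
        self.confirm_deadline = None
        if self.candidate != self.active:
            self.active = dict(self.candidate)
            self.saved.insert(0, dict(self.active))
            del self.saved[MAX_SAVED:]                  # keep only the newest MAX_SAVED
        if confirmed_minutes is not None:
            self.confirm_deadline = now + confirmed_minutes * 60

    def rollback(self, n: int) -> None:
        """Load saved configuration n into the candidate; 'rollback 0' discards edits."""
        if not 0 <= n < len(self.saved):
            raise IndexError(f"rollback {n}: only {len(self.saved)} configurations saved")
        self.candidate = dict(self.saved[n])

    def tick(self, now: float) -> bool:
        """Timer hook: revert to rollback 1 if a 'commit confirmed' was never confirmed."""
        if self.confirm_deadline is None or now < self.confirm_deadline:
            return False
        self.confirm_deadline = None
        self.rollback(1)
        self.commit(now)        # previous config becomes active again; the bad one is saved[1]
        return True


def lockout_scenario() -> Dict[str, object]:
    """Constructed scenario: an operator at HQ re-addresses the WAN interface of a
    remote branch router under 'commit confirmed', loses reachability, and so can
    never send the confirming commit."""
    store = ConfigStore({
        "system.host-name": "branch-a",
        "interfaces.ge-0/0/0.address": "203.0.113.2/30",   # constructed RFC 5737 address
    })
    t0 = 0.0
    store.set("interfaces.ge-0/0/0.address", "198.51.100.2/30")   # wrong subnet: HQ loses the router
    store.commit(t0, confirmed_minutes=5)
    applied = store.active["interfaces.ge-0/0/0.address"]
    # No confirming commit arrives because the device is unreachable; the timer fires.
    reverted = store.tick(t0 + 5 * 60)
    return {
        "applied": applied,
        "reverted": reverted,
        "active": store.active["interfaces.ge-0/0/0.address"],
        "rollback_1": store.saved[1]["interfaces.ge-0/0/0.address"],  # bad change still inspectable
    }


def saved_depth_after(n_commits: int) -> int:
    """How many configurations remain restorable after n distinct commits."""
    store = ConfigStore({"system.host-name": "branch-b",
                         "interfaces.ge-0/0/0.address": "203.0.113.6/30"})
    for i in range(n_commits):
        store.set("system.description", f"change {i}")
        store.commit(float(i))
    return len(store.saved)


if __name__ == "__main__":
    print(lockout_scenario())
    print(saved_depth_after(60))   # capped at MAX_SAVED
```

The scenario shows why the timed commit matters for a branch that has no on-site engineer: the bad address is applied, connectivity is lost, and five minutes later the router is back on its previous configuration without anyone touching it, while the mistaken configuration is still available as rollback 1 for post-incident review.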

    Advanced Features

The JUNOS software also provides a broad spectrum of advanced routing and security features such as stateful firewall, IPSec, MPLS and IPv6 without requiring an additional software license. In addition, the JUNOS software provides comprehensive QoS functions to classify, prioritize and schedule traffic for applications such as VoIP. For medium and large branches using Virtual Chassis technology, the JUNOS software enables bidirectional forwarding detection for early detection of node or link failures.

Benefits

By running a common operating system, these Juniper solutions dramatically reduce maintenance and management overhead while ensuring a consistent feature set across all products, as well as a consistent implementation and management of those features. This equates to time savings in all categories of operations. In addition to a reduction in training time, the inherent interoperability across all platforms greatly simplifies new feature deployment, software upgrades and other network modifications. A single consistent code set also enables customers to qualify and deploy just one release. For many customers, the testing time of a new release is cut from what was months down to just a few weeks. JUNOS software also provides features to facilitate fast restoration of previous configurations.

    Impact

In an independent study conducted in 2007, Lake Partners quantified the time savings Juniper Networks customers experienced using the JUNOS software across a number of common network operational tasks. The results are presented in Table 3:

Table 3: JUNOS Software Operating Efficiencies (Lake Partners 2007)

    Network Operations Task                   Average JUNOS Efficiency
    Adding Infrastructure                     29 percent
    Upgrading and Planned Events              23 percent
    Troubleshooting and Unplanned Events      54 percent
    Monitoring and Optimizing                 24 percent
    Average Time Saved With JUNOS Software    25 percent

This time savings translates to a substantial, tangible cost savings. According to Lake Partners, an infrastructure of any size running JUNOS software can save up to 29 percent on operational costs. Seeing that the IT department of a typical enterprise spends 40 to 60 percent of its budget to maintain and enhance basic IT services (McKinsey & Company 2006), this savings could be considerable.


Unified Management with Juniper Networks NetScreen-Security Manager

The Juniper Networks NetScreen-Security Manager (NSM) product is a powerful, centralized management solution that controls the entire device life cycle of firewall/IPSec VPN and IDP devices, including basic setup and network configuration with local and global security policy deployment. Unmatched role-based administration allows IT departments to delegate appropriate levels of administrative access to specific users, thereby minimizing the possibility of a configuration error that may result in a security hole. NSM can easily scale to meet the needs of any enterprise with branch offices. A wide range of reporting tools are available, enabling IT to view and analyze network traffic, device and VPN statistics, system resources and other administrative information. IT can also customize templates for commonly used reports and generate these reports on a regularly scheduled basis.

Benefits

NSM lowers operational costs by presenting a Graphical User Interface (GUI) to simplify complex tasks such as device configuration, supplying device templates to minimize configuration errors, providing investigative tools for complete visibility into the network, and more.

Remote Configuration and Management with J-Web

In addition to a full-featured CLI, J-Web, a Web-based tool, is available to configure and manage any JUNOS software powered device.

Benefits

Built on JUNOS software, J-Web offers highly available branch offices of all sizes a GUI for device management that complements the exciting suite of element and service management products from Juniper. J-Web provides IT administrators and network operators with simple-to-use tools to quickly and seamlessly monitor, configure, troubleshoot and manage any switch, router or firewall.

J-Web allows non-technical users in branch office/small office environments to commission and bring a switch or router online quickly and easily. It offers seamless GUI access to all of the features and functions of JUNOS software, reducing timelines for new service deployments.

J-Web can be quickly integrated into existing network management or OSS (Operational Support System) applications such as Micromuse Netcool Omnibus, Dorado RedCell Manager, IBM Tivoli and HP Openview, thereby minimizing complexity for the service provider or enterprise customer. Fast, error-free service changes and upgrades can be made with J-Web's quick configuration wizards, and new services can be rapidly created and deployed with the use of configuration and QoS wizards that allow for real-time changes to service parameters.


Recommended Branch LAN Configurations

With all of these design considerations in mind, Juniper Networks recommends the following configurations for branch LANs.

Table 4: Recommended Branch LAN Configurations

Branch LAN Category: Highly Available Micro Branch Office
Design Considerations: This design is focused on:
    Secure Connectivity
    Simplicity
    High Availability
Branch LAN Design (Juniper solutions): The J-series Services Router is used as an all-in-one solution for access connectivity, aggregation, and WAN edge services such as voice, WAN optimization, firewall security and VPN.

Branch LAN Category: Highly Available Small Branch Office
Design Considerations: In addition to the micro branch office considerations, this design is focused on:
    PoE
    Increased levels of High Availability
    Local Server Infrastructure
Branch LAN Design (Juniper solutions): The EX 3200 series or EX 4200 series switches are used as access layer devices with PoE for IP phones and WLAN access points, and HA features. They also provide high throughput connectivity to local servers. The J-series Services Router is used as a WAN edge device.
[Diagram: Highly Available Small Branch Office: PoE access points, security cameras and local servers attached to the EX Series access switches, with the J-series router connecting to the WAN/Internet; image not reproduced]

Branch LAN Category: Highly Available Medium Branch Office
Design Considerations: In addition to the small branch office considerations, this design is focused on:
    Scalability
    High Availability
Branch LAN Design (Juniper solutions): Two EX 4200 series switches with Virtual Chassis technology are used as a unified access layer switch with PoE and HA features. The unified Virtual Chassis also provides high throughput connectivity to local servers. The J-series Services Router is used as a WAN edge device.

Branch LAN Category: Highly Available Large Branch Office
Design Considerations: In addition to the medium office considerations, this design is focused on:
    The Layered Approach
    Scalability
    High Availability
Branch LAN Design (Juniper solutions): Multiple EX 4200 series switches with Virtual Chassis technology are used to create two access layer switches for scalability and HA. Two Virtual Chassis deployments are used as aggregation-layer switches for high throughput and local server connectivity. Two J-series Services Routers are used as WAN edge devices for added Device and Link-level HA.
[Diagram: Highly Available Large Branch Office: EX 4200 Series Virtual Chassis access switches on Floor 1 through Floor N with PoE access points and security cameras, local servers, and J-series routers connecting to the WAN/Internet; image not reproduced]


Copyright 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.


Conclusion

The network plays an integral role in today's business, making it arguably the most valuable corporate asset. With a trend towards a decentralized workforce, branch LANs are becoming increasingly critical to overall business success. Legacy solutions cannot meet the growing branch office LAN needs for security, connectivity, performance and HA. A new branch office LAN design that meets these needs while enabling key IT initiatives is needed. It must also scale and flexibly accommodate new computing trends without an entire redesign.

Juniper solutions, including a new family of high-performance Ethernet switches, redefine the way businesses build branch office networks. Offering high port densities, wire-speed connectivity and HA in compact, pay-as-you-grow platforms, Juniper switches represent a powerful yet cost-effective alternative to the aging and expensive solutions pushed by today's dominant switch vendors. By offering a smaller footprint in the wiring closet, combined with lower power and cooling requirements, the Juniper switches represent the efficient and green solutions users are looking for to power their networks of the future. In addition to a full suite of secure services, Juniper products provide the end-to-end QoS required for sensitive and bandwidth-hungry applications such as VoIP.

The JUNOS software, a single, consistent operating system, is used across all Juniper switch, router and firewall products, making the network infrastructure exceedingly easy to deploy, configure and upgrade, saving considerable time and operating resources that can be reallocated to further improve business operations and maximize customer satisfaction.

Branch office infrastructure solutions from Juniper Networks advance the economics of networking, allowing businesses to change the rules with their IT investments and create a truly innovative and competitive environment that helps them increase revenue and raise productivity today and into the future.

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.