TOP-TO-BOTTOM BRANCH AND WAN MANAGEMENT WITH … · This material contains information that is...

© 2019 Juniper Networks Juniper Business Use Only

TOP-TO-BOTTOM BRANCH AND WAN MANAGEMENT WITH CONTRAIL SD-WAN

Tony Sarathchandra – Product Management, Director

Nov 13th, 2019


CONFIDENTIALITY AND LEGAL NOTICE

This material contains information that is confidential and proprietary to Juniper Networks, Inc. Recipient may not

distribute, copy, or repeat information in the document without a signed non-disclosure agreement (NDA).

Any statements of product direction contained in this presentation sets forth Juniper Networks’ current intention and is

subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature

or functionality depicted in this presentation.

Copyright 2019 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, Junos,

and NXTWORK are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other

trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to

change, modify, transfer, or otherwise revise this publication without notice.

2


AGENDA

• SD-WAN Market Trends

• AI-Driven Enterprise

• Contrail SD-WAN Overview

• Customers & Use Cases

• Q & A


Key Enterprise Customer triggers for SD-WAN

4


SD-WAN Market Trends

5


CloudManagement

AI-Driven EnterpriseSingle architecture with presentation layer by market segment

SwitchingWi-Fi SecurityRouting

ArtificialIntelligence

Open APIs

Wired & Wi-FiAssurance

MarvisVirtual Assistant

NetworkManagement

SD-WANOrchestration

ActionableInsights

AssetTracking

Cloud Services

AI Foundation

Domain Expertise

Data Science

Data Marvis

Open APIs

Junos Extension Toolkit

Streaming Telemetry


Easy Out-of-The-Box Experience

7

• Day 2-365 Operating

• Topology view

• Router status

• Switch status

• AP status

• Contextual cross launch

• Security

MONITORING

• Day 2-365 Operating

• Network wide image

upgrades

• Security policy updates

• Config backup & restore

MAINTENANCE

• Day 1 deploying

• Device phone home

• Zero touch provisioning

• Multi-factor authentication

• Easy factory reset

• Template based

onboarding

ONBOARDING

• Day 0 configuration

• Branch creation workflow

• Campus creation workflow

• Extensible day 2

configuration changes

using templates.

CONFIGURATION


Cloud Service Architecture Highlights

Open APIsAuto-scalingMicroservices Multi Tenant

• Container based design

• Independently deployed &

scaled

• Service level auto-

scaling/healing

• Hierarchical services

design

• Scales across multiple

regions

• REST API for 3rd party

OSS/BSS

• Flexible south bound

APIs including

Netconf/YANG

• Ideal for MSPs or resellers

• On-premises or IaaS

deployment


Juniper Vision for AI-Driven Enterprise

SD-Campus & -Branch - Wired & Wireless - WAN & LAN

SD-Branch

Journey to the AI-Driven Enterprise

Hybrid-WAN & SD-WAN

Secure Router

Enterprise Branch

Enterprise Branch

Corporate HQ

Enterprise Branch

SRX Series secure CPEs

LTE

NFX Series universal CPE

LTE

SRX Series secure CPEs

LTE

Mist Wi-Fi APs

EX Series Access Switches

EX Series Agg/Core Switches

AI engine

(Marvis)

MX and SRX Series Secure gateways and hubs

vSRX virtual endpoint


Contrail SD-WAN


Contrail SD-WAN for Enterprise Campus & Branch

Campus and BranchEnterprise Sites

SaaS Applications IaaS, PaaS:VPCs for cloud-native apps

vSRX Virtual Firewallcloud-WAN endpoint

Private Clouds, Data Centers

Private or SP’sWAN backboneEnterprise Sites Public Cloud

Secure SD-LAN and SD-WAN

Juniper or provider managed aaS

Cloud-managed Contrail SD-WAN

or

Contrail SD-WAN

SRX Series Services Gateway Secure CPEs

LTE

NFX Series universal CPE

LTE

WANxvSRX

Mist Wi-Fi APs

EX Series Ethernet Switches

LAN & WLAN devices WAN Edge Devices

Contrail Service Orchestration (SDN)

SaaS FW passthrough

MX/SRX WAN Hubs for large topologies

Enterprise or SP hub gateways

Wi-Fi

Dedicated,

MPLS

Broadband,

Internet

Wireless, 4G/LTE

Legacy and xDSL


WE BUILD IT

WE RUN IT

Contrail SD-WAN Cloud Service – Available Now

Security & PrivacyCloud based mgmt/control with on-prem data plane separation

Resiliency & Redundancy

Tier 1 global cloud infrastructure provider w/ multiple availability zones

Multi-TenancyTwo-tier multi-tenancy for both

enterprises and MSP

SLA99.9% monthly uptime, JTAC

24x7 availability monitoring

ScaleHorizontal scale for 100s of

tenants with 1000s of endpoints per tenant

Disaster Recovery

Online daily backups

Compliance

SOC compliant

• Accessible anywhere by web• Multi-tenant, HA, Scalable

• Secure: data traffic stays on customer network

• Monthly software / features updates• Lower Capex/Opex


EX

BRANCH SITES

HQ / Campus / POP

EX2300/3400/4300

Servers / Applications

SRX3XX/550M/1500/4X00

Standalone NGFW

LTE

SRX3XX/550M/4X00/vSRX

NFX150/250

Mist AP61/43/41/21

SD-WAN CPE

EX2300/3400/4300

EX2300/3400/4300

3rd party CPE/FW

Standalone Switch

Mist AP61/43/41/21

Mist AP61/43/41/21

SRX1500/4X00/vSRX

MX240/480/960*

SD-WAN HubHybrid WAN tunnel

Primary Use Cases

1

2

3

Contrail SD-WAN/SD-LANCSO Controller

Internet

MPLS1


Contrail SD-WAN Features At A Glance

• Dynamic Application Path Selection based on SLA

• Static/Preferred Application Path Selection

• Application Quality of Experience

• Flexible Internet Breakouts

• Hub and spoke topology

• Site to Site VPN topology – Full mesh / Partial mesh

• Network Segmentation

• MPLS/Internet/LTE/xDSL links

• Backup link

• Default link

• SD-WAN CPE in public cloud

• Third-party VNF service chain

• LAN/WLAN Integration

• L7 Firewall

• Web Filtering

• Content Filtering

• Antivirus

• Antispam

• User Firewall

• Zone-based Firewall

• SSL Forward Proxy

• IPS/IDS

• Integration with third-party cloud security e.g. Zscaler

• NAT – Static, Destination, Source

SD-WAN AND -BRANCH SECURITY

• Redundancy at branch/CPE

• Redundancy at Gateway/Hub

• Secure and Resilient OAM

• Backup and Restore

• Redundancy at Orchestrator

• Scale of endpoints/devices

• On-premise as well as Cloud delivery model

• Multi-tenancy at orchestrator

• Multi-tenancy at gateway/hub

• Integration with existingIP/VPN infrastructure

INFRASTRUCTURE

• Open APIs for northbound integration

• Zero touch provisioning of devices

• Reporting – email/recurrence for SD-WAN and Security

• Custom Roles andobject-based RBAC

• Audit logs

• Alarms and Alerts

• SLA Performance Monitoring

• Security Events Monitoring

• Application Visibility

• Portal rebranding and customization

• Third-party VNF onboarding tools

• Dashboard summary widgets

• Topology monitoring view

USEABILITY

SP critical features

Enterprise critical features


Flexible Dynamic Meshed SD-WAN

Site 1 Site 2 Site 3

Path A Path A Path A

DeptDeptDept

Path B

tagtag

Tags: Gold, Silver, Bronze

Enterprise HUB

Dept

KPI: Session close rate

Gateway HQ Site

Provider Hub

Dept

Multiple mesh tags


• Dynamic mesh for site-to-site links• User-defined mesh tags on WAN links• Mesh with different underlay types• Toggle switch to enable full/partial mesh• Dial for resource management • Monitoring and Visualization

Customer Benefits:• Support mesh between different underlay

types• Site-to-site tunnels based on link capacity• Geo-based meshing• Increased Dual CPE site availability

FEATURE SUPPORT

IP VPN


Provider & Enterprise SD-WAN Hub Support

Cloud HUB

Site 3

Service Provider HUB

Dept

Depts

Cloud HUBEnterprise Hub

Depts

Site 2

Dept

Site 4

Dept

Site 1

Dept

Cloud HUB

Application routes

OSPF

• Multi-tenant Provider Hub in POPs/Colos

• Gateway/Peering to MPLS

• Tenant Specific Enterprise Hub in DC/HQ

• Static Enterprise Hub Mesh

• LAN side OSPF/BGP support

• Default route leak for DC Apps

• Lifecycle Management of Hub

• SRX4100/4200 cluster support

• Multiple SP/Enterprise Hub support

Customer Benefits:

• Built-in failover and HA

• Scale with multiple Hubs

USE CASEIP VPN

EnterpriseDC


Enterprise Hub

Depts


SD-WAN Meshing With Regional Enterprise Hubs

Internet

MPLS

Enterprise Hub 1

Branch

Enterprise Hub 3

Enterprise Hub 4Enterprise Hub 2

Region/PoP 1 Region/PoP 2

Fully Meshed Sites

Partially Meshed Sites with

On-demand Site-to-site

INTERNET

MPLS


Comprehensive Application Based SD-WAN

19

• Contrail SD-WAN

supports more than

4200 application

signatures including

Lync, Skype,

WebEx and MS-

Teams

• The signatures are

regularly updated

• CSO offers easy UI

button to install

latest signatures on

to the devices

• Supports user

defined custom

signatures

App ID


Real Time Optimized Mode Performance Metrics

Real-time Optimized mode Performance Metrics include:• Two way latency (RTT)• Ingress jitter • Egress jitter • Two way jitter • Packet loss %

Metrics are measured at both application level and path level

Application traffic to be probed is determined by Application selection in SLA Profile• Application sessions are chosen (based on sampling percentage config)

for passive probing

Active probes are performed on all candidate links• The probes try to mimic traffic behavior for the application (by

carrying similar DSCP value, packet sizes, burst count, etc)

App QOE


Cloud HUB

Flexible SD-WAN Application Breakout Options

Site 1 Site 2 Site 3

Enterprise Hub

Service Provider HUB

Local BreakoutZscaler Breakout

3. Hub Breakout• Internet• IPVPN

Local BreakoutZscaler Breakout

Internet BreakoutZBO

Path A Path A Path A

Path A

Path B Path B Path B

DeptDeptDept

Depts

Depts

2. Central Internet Breakout• Application• Department• Internet

1. Local Breakout• Application• Department• Internet• Zscaler

Breakout capability, failover, redundancy • Intuitive Intent-based Breakout policy• Site Local Internet Breakout• Dept Local Internet Breakout • Application Local Internet breakout• Zscaler Internet Breakout • Central Breakout on Hub• Central Zscaler Breakout

Customer Benefits:• Granular control of traffic• Site level control of breakouts• Redundant breakout path for link failure

BREAKOUT FEATURES

IP VPN

EnterpriseDC


• Isolate departmental traffic with Network Segmentation

• LAN side OSPF on Enterprise Hub• Automatically leak DC routes to all Spokes

> 25 Network Segments• Separate policy controls on each

segment• Special DC Department on Hub

BREAKOUT FEATURES

Network Segmentation And Departments

Spoke

Department 1 VRF

Department 2 VRF

Department 25 VRF

•

•

•

EnterpriseHub

Data Center VRF

Department 1 VRF

Department 2 VRF

Department 25 VRF

•

•

OSPF/BGP

P-Hub

Dept

LAN

Branch HQ


EnterpriseDC


Allows different users to have different application policies based on their role and group

Internet / Intranet

User Application Firewall Controls

Finance

Sales

CEO▪No apps blocked

▪ Anti-virus applied

▪ P2P apps blocked

▪ YouTube allowed


▪ P2P, YouTube blocked


SD-WAN CPE or Gateway

Enterprise AD Server



Unified Threat Management With SD-WAN

• Protection from top-tier AV partner

• Reputation-enhanced capabilities

• Multilayered spam protection

• Protection against APTs

ANTI-VIRUS ANTI-SPAM

• Block malicious URLs

• Prevent lost productivity

WEB FILTERING

• Filter out extraneous or malicious content

• Maintain bandwidth for essential traffic

CONTENT FILTERING


Contrail SD-WAN With AWS

Cloud-managed Contrail SD-WAN

VPC VPC VPC VPC

Your future AWS OutpostsYour AWS regions and AZsYour remote OfficesYour campus and branch offices

Contrail automated setup of spoke site:

• Choose AWS region

• Choose AWS VPC

• Choose or create AWS subnet

• Download and run CloudFormation

template which does the work

• Activate spoke site


Multi-tenancy & Multi-departments With SD-WAN

Multiple departments per CPE with per department security policies

VRF 1 VRF 2 VRF N VRF 1 VRF 2 VRF N

Dept100 Dept101 Dept1XX Dept100 Dept200 Dept2XX

i.e. Corp Intranet / Guest Wifi

Service Provider

Tenant A

LAN 1

Site 1 / CPE 1 Site 2 / CPE 2

LAN 2 LAN NLAN 3 LAN 2LAN 1 LAN 12 LAN N

Operating Company (MSP 1)

VRF 1 VRF 2 VRF N

Dept200 Dept201 Dept2XX

Site 3 / CPE 3

LAN 2LAN 1 LAN 3 LAN N

Tenant B

Operating Company B (MSP 2)

Tenant C Tenant D

Level 0 – SP Admin(Available for on-prem deployment only)

Level 1 –Operating Company

Level 2 – Tenant

Level 3 – Department


Global coverage Dual-SIM LTE with active-passive auto-failover

SRX300s, SRX550M, SRX1500, SRX4x00s

Broad SRX portfolio from 100Mbps to 95Gbps

SRX SERIES NFX150, NFX250, NFX350

Industry-leader in universal CPE market share

NFX SERIES

WAN Edge Portfolio: 10 SRX Models, 3 NFX Models, vSRX

Industry First: Active-active clustering of 2 NFX devices for double the reliability and connection#1

LTE

Automated lifecycle management and policy for AWSAzure and GCP compatible

vSRX


From SD-BRANCH to SD-ENTERPRISE

28

Cloud Delivered and On-Premise

EX Access Series

Contrail Service Orchestration (CSO)

Campus

Enterprise Branch

SRX Series CPE

LTE

LTE

NFX Series Universal CPE

VNFs

Branch

UniversityEnterpriseGovernmentHQ

Retail

Distribution

SRX Series CPE

EVPN-VXLAN

K12 School

MPLS/Internet/LTESD-WAN

3PP Secure Router

EX Access Series

EX Access Series

ESI-LAG

Core

Access

ESI-LAG


SD-LAN Differentiation

29

Pre-provision or Auto-provision

Switch Operations and Monitoring

Virtual Chassis

Network Access Control

Mist Wireless Systems Integration


SD-LAN Product Portfolio

EX4600

EX4650EX9250 EX9200

EX2300

EX2300 MPEX4300

EX4300 MPEX3400

Access Distribution / Core

Modular Power

Multigigabit / PoE++Fixed Power

Multigigabit

10/40GbE

10/25/100GbE

100/40/10GbE

100/40/10GbE

Modular

Platform

CSO 5.0.1 (Now)


Operations and Monitoring

31

• Switch operational dashboard

• Visual monitoring of device, ports, VLAN, users, system health, port utilization

Customer Benefit

• Single pane workflow for switch operations and monitoring

Feature Support

New in

5.0.2

New in

5.0.2


SD-LAN for Branch/Campus Evolution

33

ESI- LAG

(10GE)

EX46xx

…

ESI- LAG

(10GE)

ONBOARDDay 1 - ZTP

1OPERATE

Day 2 – Config ESI-LAG, IP

Fabric/EVPN-VXLAN, Deploy,

Monitor, Troubleshoot

MAINTAINUpgrade,

RMA, Compliance

2 3

SD-WAN

SRXxxx

EX46xx

IP Fabric for Campus

Use Case Key Requirement Technology/Architecture

Medium Enterprise Up to 2000 users / 5000

ports

Up to 150 access

switches

Collapsed Fabric, Access layer,

EX4600/EX4650 Dist/Agg / ESI-

LAG – Tier 2

Campus builder Automation w/ CSO

Programmable and open standard-based

L2/L3 connectivity w/ control plane-based learning

Scalable based on business needs

Network segmentation inside and across multiple campuses

MAC address mobility

Customer Benefits


• Mist AP device inventory view in CSO

• Automatic AP to site mapping

• Seamless cross-launch of Mist AP WLAN monitoring via CSO

Customer Benefit

• Best of fixed and wireless workflows

Feature Support

CSO/Mist Integrated WI-FI AP Monitoring

34


Federated Management

Contrail

Service Orchestration

Mist Cloud

Wired LAN Wireless Access EdgeSD-WAN Edge

API Federated

Contrail LAN fabric management Wired LAN management and assurance

UI portal-to-portal contextual pass through

WAN and Wi-Fi ambidextrous management intercepts the LAN in the middle.

Single data pipeline and engine for AI

Marvis

AI engine


Customers & Use Cases


Contrail SD-WAN Customers & Partners

Juniper’s cloud-managed Contrail SD-WAN has been a gamechanger. As Australasia’s largest end-to-end bakery-ingredients supplier, we needed a solution that could bridge boundaries across over 1300 employees and more than 20 manufacturing sites, mills, offices and distribution centers, all while also simplifying operations. Contrail offered that strong value proposition, and more. With Contrail, we can now manage all our branch offices, private and public clouds from a single platform – while also being able to seamlessly manage advanced functionality such as zero-touch provisioning, security policies, or even service-level agreements at a granular application level.

John Khoury , CIO, Allied Pinnacle


IBM Cloud Managed Network SD-WAN Service


Key Elements of IBM’s Network SD-WAN service

Internet,

Internet of

thigs (IoT)

1 Virtualized functions are optional and not included as part of base offering

Cloud based, multi-tenancy

Orchestration and Management, SD

WAN Controller

SD-WAN Cloud Gateways

Virtualized Network Function CPE1

Extensive set of managed VNF’s1

Network Service Operations Center

Enterprise

branch

WAN2

WAN1

Enterprise

data center

Hub

Juniper

SRX

320/340/345

Or NFX150,

NFX2501

vSRX Routing,

firewall and SD WAN,

WAN Optimization,

etc.

SRX SD WAN

Gateway

Orchestration and

management tools

CSO 4.0

IBM Global Technology Services®

(GTS) networking service operation

center (NOC)

Secure Overlay

management

Cloud servicesAmazon, Google,

IBM Bluemix,

Office 365, Salesforce VNF

3

Hub

SRX SD WAN

Gateway

2

1

4

5

3

2

1

4

5

Service Provider Networks


VODAFONE SD-WAN DEPLOYMENT

Centrally automated, application aware, Ready Network

HQ/Large Site

Branch/Small site Remote sites

Policy Based control

Medium site

CloudConnect

4G

Cloud Providers

VPN +SD-WAN

+ NFV

Internet

MPLS

Combining our networks with SDN/NFV

Internet

4G 4G

MPLS

✓ Efficiency: hybrid networks, reduced hardware, on-demand, MPLS interworking

✓ Reliability: app policy based, E2E SLAs and visibility, range of site topologies, vCPE within-built 4G and vFW as standard

✓ Agility: self-adjust speeds and settings,‘best of breed’ cloud providers and VNFs

✓ Global coverage: 75 country direct, 182 indirect. Local and global product variants.

On-demand network, combining SD-WAN with integrated multi-vendor functions


VODAFONE SD-WAN :THE FUTURE-READY SOFTWARE-DEFINED WAN

Scan me

https://www.vodafone.com/business/solutions/fixed-connectivity/ready-network/sd-wan

https://www.vodafone.com/business/solutions/fixed-connectivity/ready-network/sd-wan


42

Over 1,000,000 Branch SRXs Deployed

Financials Services National Governments Defense and Military

Retail Chains Managed Service Providers Distributed Enterprises


DEMOS ONLINE15 FEATURES IN 15 MINUTES:

juniper.net/sdwan-playlist

more at juniper.net/sd-wan


FREE TRIAL AND TOUR

more at juniper.net/sd-wan or juniper.net/try

SD-WAN

© 2019 Juniper Networks Juniper Business Use Only 4

Q & A?


THANK YOU

Date post:	24-Aug-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

TOP-TO-BOTTOM BRANCH AND WAN MANAGEMENT WITH … · This material contains information that is...

Documents