© 2019 Juniper Networks Juniper Business Use Only
TOP-TO-BOTTOM BRANCH AND WAN MANAGEMENT WITH CONTRAIL SD-WAN
Tony Sarathchandra – Product Management, Director
Nov 13th, 2019
CONFIDENTIALITY AND LEGAL NOTICE
This material contains information that is confidential and proprietary to Juniper Networks, Inc. Recipient may not
distribute, copy, or repeat information in the document without a signed non-disclosure agreement (NDA).
Any statements of product direction contained in this presentation sets forth Juniper Networks’ current intention and is
subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature
or functionality depicted in this presentation.
Copyright 2019 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, Junos,
and NXTWORK are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other
trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to
change, modify, transfer, or otherwise revise this publication without notice.
AGENDA
• SD-WAN Market Trends
• AI-Driven Enterprise
• Contrail SD-WAN Overview
• Customers & Use Cases
• Q & A
Key Enterprise Customer triggers for SD-WAN
SD-WAN Market Trends
AI-Driven Enterprise
Single architecture with presentation layer by market segment
Cloud Management
Switching, Wi-Fi, Security, Routing
Artificial Intelligence
Open APIs
Wired & Wi-Fi Assurance
Marvis Virtual Assistant
Network Management
SD-WAN Orchestration
Actionable Insights
Asset Tracking
Cloud Services
AI Foundation
Domain Expertise
Data Science
Data Marvis
Open APIs
Junos Extension Toolkit
Streaming Telemetry
Easy Out-of-The-Box Experience
MONITORING
• Day 2-365 Operating
• Topology view
• Router status
• Switch status
• AP status
• Contextual cross launch
• Security
MAINTENANCE
• Day 2-365 Operating
• Network wide image upgrades
• Security policy updates
• Config backup & restore
ONBOARDING
• Day 1 deploying
• Device phone home
• Zero touch provisioning
• Multi-factor authentication
• Easy factory reset
• Template based onboarding
CONFIGURATION
• Day 0 configuration
• Branch creation workflow
• Campus creation workflow
• Extensible day 2 configuration changes using templates.
Cloud Service Architecture Highlights
Open APIs, Auto-scaling, Microservices, Multi Tenant
• Container based design
• Independently deployed & scaled
• Service level auto-scaling/healing
• Hierarchical services design
• Scales across multiple regions
• REST API for 3rd party OSS/BSS
• Flexible south bound APIs including Netconf/YANG
• Ideal for MSPs or resellers
• On-premises or IaaS deployment
Juniper Vision for AI-Driven Enterprise
SD-Campus & -Branch - Wired & Wireless - WAN & LAN
SD-Branch
Journey to the AI-Driven Enterprise
Hybrid-WAN & SD-WAN
Secure Router
Enterprise Branch
Enterprise Branch
Corporate HQ
Enterprise Branch
SRX Series secure CPEs
LTE
NFX Series universal CPE
LTE
SRX Series secure CPEs
LTE
Mist Wi-Fi APs
EX Series Access Switches
EX Series Agg/Core Switches
AI engine
(Marvis)
MX and SRX Series Secure gateways and hubs
vSRX virtual endpoint
Contrail SD-WAN
Contrail SD-WAN for Enterprise Campus & Branch
Campus and Branch
Enterprise Sites
SaaS Applications
IaaS, PaaS: VPCs for cloud-native apps
vSRX Virtual Firewall
cloud-WAN endpoint
Private Clouds, Data Centers
Private or SP’s WAN backbone
Enterprise Sites
Public Cloud
Secure SD-LAN and SD-WAN
Juniper or provider managed aaS
Cloud-managed Contrail SD-WAN
or
Contrail SD-WAN
SRX Series Services Gateway Secure CPEs
LTE
NFX Series universal CPE
LTE
WANxvSRX
Mist Wi-Fi APs
EX Series Ethernet Switches
LAN & WLAN devices WAN Edge Devices
Contrail Service Orchestration (SDN)
SaaS FW passthrough
MX/SRX WAN Hubs for large topologies
Enterprise or SP hub gateways
Wi-Fi
Dedicated,
MPLS
Broadband,
Internet
Wireless, 4G/LTE
Legacy and xDSL
WE BUILD IT
WE RUN IT
Contrail SD-WAN Cloud Service – Available Now
• Security & Privacy: Cloud based mgmt/control with on-prem data plane separation
• Resiliency & Redundancy: Tier 1 global cloud infrastructure provider w/ multiple availability zones
• Multi-Tenancy: Two-tier multi-tenancy for both enterprises and MSP
• SLA: 99.9% monthly uptime, JTAC 24x7 availability monitoring
• Scale: Horizontal scale for 100s of tenants with 1000s of endpoints per tenant
• Disaster Recovery: Online daily backups
• Compliance: SOC compliant

• Accessible anywhere by web
• Multi-tenant, HA, Scalable
• Secure: data traffic stays on customer network
• Monthly software / features updates
• Lower Capex/Opex
EX
BRANCH SITES
HQ / Campus / POP
EX2300/3400/4300
Servers / Applications
SRX3XX/550M/1500/4X00
Standalone NGFW
LTE
SRX3XX/550M/4X00/vSRX
NFX150/250
Mist AP61/43/41/21
SD-WAN CPE
EX2300/3400/4300
EX2300/3400/4300
3rd party CPE/FW
Standalone Switch
Mist AP61/43/41/21
Mist AP61/43/41/21
SRX1500/4X00/vSRX
MX240/480/960*
SD-WAN Hub
Hybrid WAN tunnel
Primary Use Cases
1
2
3
Contrail SD-WAN/SD-LAN CSO Controller
Internet
MPLS1
Contrail SD-WAN Features At A Glance
• Dynamic Application Path Selection based on SLA
• Static/Preferred Application Path Selection
• Application Quality of Experience
• Flexible Internet Breakouts
• Hub and spoke topology
• Site to Site VPN topology – Full mesh / Partial mesh
• Network Segmentation
• MPLS/Internet/LTE/xDSL links
• Backup link
• Default link
• SD-WAN CPE in public cloud
• Third-party VNF service chain
• LAN/WLAN Integration
SD-WAN AND -BRANCH SECURITY
• L7 Firewall
• Web Filtering
• Content Filtering
• Antivirus
• Antispam
• User Firewall
• Zone-based Firewall
• SSL Forward Proxy
• IPS/IDS
• Integration with third-party cloud security e.g. Zscaler
• NAT – Static, Destination, Source
INFRASTRUCTURE
• Redundancy at branch/CPE
• Redundancy at Gateway/Hub
• Secure and Resilient OAM
• Backup and Restore
• Redundancy at Orchestrator
• Scale of endpoints/devices
• On-premise as well as Cloud delivery model
• Multi-tenancy at orchestrator
• Multi-tenancy at gateway/hub
• Integration with existing IP/VPN infrastructure
USEABILITY
• Open APIs for northbound integration
• Zero touch provisioning of devices
• Reporting – email/recurrence for SD-WAN and Security
• Custom Roles and object-based RBAC
• Audit logs
• Alarms and Alerts
• SLA Performance Monitoring
• Security Events Monitoring
• Application Visibility
• Portal rebranding and customization
• Third-party VNF onboarding tools
• Dashboard summary widgets
• Topology monitoring view
SP critical features
Enterprise critical features
Flexible Dynamic Meshed SD-WAN
Site 1 Site 2 Site 3
Path A Path A Path A
Dept Dept Dept
Path B
tag tag
Tags: Gold, Silver, Bronze
Enterprise HUB
Dept
KPI: Session close rate
Gateway HQ Site
Provider Hub
Dept
Multiple mesh tags
Contrail SD-WAN/SD-LAN CSO Controller
FEATURE SUPPORT
• Dynamic mesh for site-to-site links
• User-defined mesh tags on WAN links
• Mesh with different underlay types
• Toggle switch to enable full/partial mesh
• Dial for resource management
• Monitoring and Visualization
Customer Benefits:
• Support mesh between different underlay types
• Site-to-site tunnels based on link capacity
• Geo-based meshing
• Increased Dual CPE site availability
IP VPN
Provider & Enterprise SD-WAN Hub Support
Cloud HUB
Site 3
Service Provider HUB
Dept
Depts
Cloud HUB
Enterprise Hub
Depts
Site 2
Dept
Site 4
Dept
Site 1
Dept
Cloud HUB
Application routes
OSPF
• Multi-tenant Provider Hub in POPs/Colos
• Gateway/Peering to MPLS
• Tenant Specific Enterprise Hub in DC/HQ
• Static Enterprise Hub Mesh
• LAN side OSPF/BGP support
• Default route leak for DC Apps
• Lifecycle Management of Hub
• SRX4100/4200 cluster support
• Multiple SP/Enterprise Hub support
Customer Benefits:
• Built-in failover and HA
• Scale with multiple Hubs
USE CASE
IP VPN
Enterprise DC
Contrail SD-WAN/SD-LAN CSO Controller
Enterprise Hub
Depts
SD-WAN Meshing With Regional Enterprise Hubs
Internet
MPLS
Enterprise Hub 1
Branch
Enterprise Hub 3
Enterprise Hub 4
Enterprise Hub 2
Region/PoP 1 Region/PoP 2
Fully Meshed Sites
Partially Meshed Sites with
On-demand Site-to-site
INTERNET
MPLS
Comprehensive Application Based SD-WAN
• Contrail SD-WAN supports more than 4200 application signatures including Lync, Skype, WebEx and MS-Teams
• The signatures are regularly updated
• CSO offers easy UI button to install latest signatures on to the devices
• Supports user defined custom signatures
App ID
Real Time Optimized Mode Performance Metrics
Real-time Optimized mode Performance Metrics include:
• Two way latency (RTT)
• Ingress jitter
• Egress jitter
• Two way jitter
• Packet loss %
Metrics are measured at both application level and path level
Application traffic to be probed is determined by Application selection in SLA Profile
• Application sessions are chosen (based on sampling percentage config) for passive probing
Active probes are performed on all candidate links
• The probes try to mimic traffic behavior for the application (by carrying similar DSCP value, packet sizes, burst count, etc)
App QOE
Cloud HUB
Flexible SD-WAN Application Breakout Options
Site 1 Site 2 Site 3
Enterprise Hub
Service Provider HUB
Local Breakout, Zscaler Breakout
3. Hub Breakout
• Internet
• IPVPN
Local Breakout, Zscaler Breakout
Internet Breakout, ZBO
Path A Path A Path A
Path A
Path B Path B Path B
Dept Dept Dept
Depts
Depts
2. Central Internet Breakout
• Application
• Department
• Internet
1. Local Breakout
• Application
• Department
• Internet
• Zscaler
BREAKOUT FEATURES
Breakout capability, failover, redundancy
• Intuitive Intent-based Breakout policy
• Site Local Internet Breakout
• Dept Local Internet Breakout
• Application Local Internet breakout
• Zscaler Internet Breakout
• Central Breakout on Hub
• Central Zscaler Breakout
Customer Benefits:
• Granular control of traffic
• Site level control of breakouts
• Redundant breakout path for link failure
IP VPN
Enterprise DC
Network Segmentation And Departments
BREAKOUT FEATURES
• Isolate departmental traffic with Network Segmentation
• LAN side OSPF on Enterprise Hub
• Automatically leak DC routes to all Spokes
• > 25 Network Segments
• Separate policy controls on each segment
• Special DC Department on Hub
Spoke
Department 1 VRF
Department 2 VRF
Department 25 VRF
•
•
•
Enterprise Hub
Data Center VRF
Department 1 VRF
Department 2 VRF
Department 25 VRF
•
•
OSPF/BGP
P-Hub
Dept
LAN
Branch HQ
Contrail SD-WAN/SD-LAN CSO Controller
Enterprise DC
Allows different users to have different application policies based on their role and group
Internet / Intranet
User Application Firewall Controls
Finance
Sales
CEO
▪ No apps blocked
▪ Anti-virus applied
▪ P2P apps blocked
▪ YouTube allowed
▪ Anti-virus applied
▪ P2P, YouTube blocked
▪ Anti-virus applied
SD-WAN CPE or Gateway
Enterprise AD Server
Contrail SD-WAN/SD-LAN CSO Controller
Unified Threat Management With SD-WAN
• Protection from top-tier AV partner
• Reputation-enhanced capabilities
• Multilayered spam protection
• Protection against APTs
ANTI-VIRUS ANTI-SPAM
• Block malicious URLs
• Prevent lost productivity
WEB FILTERING
• Filter out extraneous or malicious content
• Maintain bandwidth for essential traffic
CONTENT FILTERING
Contrail SD-WAN With AWS
Cloud-managed Contrail SD-WAN
VPC VPC VPC VPC
Your future AWS Outposts
Your AWS regions and AZs
Your remote Offices
Your campus and branch offices
Contrail automated setup of spoke site:
• Choose AWS region
• Choose AWS VPC
• Choose or create AWS subnet
• Download and run CloudFormation template which does the work
• Activate spoke site
Multi-tenancy & Multi-departments With SD-WAN
Multiple departments per CPE with per department security policies
VRF 1 VRF 2 VRF N VRF 1 VRF 2 VRF N
Dept100 Dept101 Dept1XX Dept100 Dept200 Dept2XX
i.e. Corp Intranet / Guest Wifi
Service Provider
Tenant A
LAN 1
Site 1 / CPE 1 Site 2 / CPE 2
LAN 2 LAN N LAN 3 LAN 2 LAN 1 LAN 12 LAN N
Operating Company (MSP 1)
VRF 1 VRF 2 VRF N
Dept200 Dept201 Dept2XX
Site 3 / CPE 3
LAN 2 LAN 1 LAN 3 LAN N
Tenant B
Operating Company B (MSP 2)
Tenant C Tenant D
Level 0 – SP Admin (Available for on-prem deployment only)
Level 1 – Operating Company
Level 2 – Tenant
Level 3 – Department
WAN Edge Portfolio: 10 SRX Models, 3 NFX Models, vSRX
SRX SERIES
SRX300s, SRX550M, SRX1500, SRX4x00s
Broad SRX portfolio from 100Mbps to 95Gbps
NFX SERIES
NFX150, NFX250, NFX350
Industry-leader in universal CPE market share
Industry First: Active-active clustering of 2 NFX devices for double the reliability and connection
#1
LTE
Global coverage Dual-SIM LTE with active-passive auto-failover
vSRX
Automated lifecycle management and policy for AWS
Azure and GCP compatible
From SD-BRANCH to SD-ENTERPRISE
Cloud Delivered and On-Premise
EX Access Series
Contrail Service Orchestration (CSO)
Campus
Enterprise Branch
SRX Series CPE
LTE
LTE
NFX Series Universal CPE
VNFs
Branch
University Enterprise Government HQ
Retail
Distribution
SRX Series CPE
EVPN-VXLAN
K12 School
MPLS/Internet/LTE
SD-WAN
3PP Secure Router
EX Access Series
EX Access Series
ESI-LAG
Core
Access
ESI-LAG
SD-LAN Differentiation
Pre-provision or Auto-provision
Switch Operations and Monitoring
Virtual Chassis
Network Access Control
Mist Wireless Systems Integration
SD-LAN Product Portfolio
EX4600
EX4650 EX9250 EX9200
EX2300
EX2300 MP EX4300
EX4300 MP EX3400
Access Distribution / Core
Modular Power
Multigigabit / PoE++
Fixed Power
Multigigabit
10/40GbE
10/25/100GbE
100/40/10GbE
100/40/10GbE
Modular
Platform
CSO 5.0.1 (Now)
Operations and Monitoring
Feature Support
• Switch operational dashboard
• Visual monitoring of device, ports, VLAN, users, system health, port utilization
Customer Benefit
• Single pane workflow for switch operations and monitoring
New in 5.0.2
SD-LAN for Branch/Campus Evolution
ESI- LAG
(10GE)
EX46xx
…
ESI- LAG
(10GE)
1 ONBOARD: Day 1 - ZTP
2 OPERATE: Day 2 – Config ESI-LAG, IP Fabric/EVPN-VXLAN, Deploy, Monitor, Troubleshoot
3 MAINTAIN: Upgrade, RMA, Compliance
SD-WAN
SRXxxx
EX46xx
IP Fabric for Campus
Use Case: Medium Enterprise
Key Requirement: Up to 2000 users / 5000 ports; up to 150 access switches
Technology/Architecture: Collapsed Fabric, Access layer, EX4600/EX4650 Dist/Agg / ESI-LAG – Tier 2
Campus builder Automation w/ CSO
Programmable and open standard-based
L2/L3 connectivity w/ control plane-based learning
Scalable based on business needs
Network segmentation inside and across multiple campuses
MAC address mobility
Customer Benefits
CSO/Mist Integrated WI-FI AP Monitoring
Feature Support
• Mist AP device inventory view in CSO
• Automatic AP to site mapping
• Seamless cross-launch of Mist AP WLAN monitoring via CSO
Customer Benefit
• Best of fixed and wireless workflows
Federated Management
Contrail
Service Orchestration
Mist Cloud
Wired LAN, Wireless Access Edge, SD-WAN Edge
API Federated
Contrail LAN fabric management Wired LAN management and assurance
UI portal-to-portal contextual pass through
WAN and Wi-Fi ambidextrous management intercepts the LAN in the middle.
Single data pipeline and engine for AI
Marvis
AI engine
Customers & Use Cases
Contrail SD-WAN Customers & Partners
Juniper’s cloud-managed Contrail SD-WAN has been a gamechanger. As Australasia’s largest end-to-end bakery-ingredients supplier, we needed a solution that could bridge boundaries across over 1300 employees and more than 20 manufacturing sites, mills, offices and distribution centers, all while also simplifying operations. Contrail offered that strong value proposition, and more. With Contrail, we can now manage all our branch offices, private and public clouds from a single platform – while also being able to seamlessly manage advanced functionality such as zero-touch provisioning, security policies, or even service-level agreements at a granular application level.
John Khoury, CIO, Allied Pinnacle
IBM Cloud Managed Network SD-WAN Service
Key Elements of IBM’s Network SD-WAN service
Internet, Internet of things (IoT)
1 Virtualized functions are optional and not included as part of base offering
Cloud based, multi-tenancy
Orchestration and Management, SD
WAN Controller
SD-WAN Cloud Gateways
Virtualized Network Function CPE1
Extensive set of managed VNF’s1
Network Service Operations Center
Enterprise
branch
WAN2
WAN1
Enterprise
data center
Hub
Juniper
SRX
320/340/345
Or NFX150,
NFX2501
vSRX Routing,
firewall and SD WAN,
WAN Optimization,
etc.
SRX SD WAN
Gateway
Orchestration and
management tools
CSO 4.0
IBM Global Technology Services®
(GTS) networking service operation
center (NOC)
Secure Overlay
management
Cloud services
Amazon, Google, IBM Bluemix, Office 365, Salesforce
VNF
Hub
SRX SD WAN
Gateway
Service Provider Networks
VODAFONE SD-WAN DEPLOYMENT
Centrally automated, application aware, Ready Network
HQ/Large Site
Branch/Small site Remote sites
Policy Based control
Medium site
CloudConnect
4G
Cloud Providers
VPN + SD-WAN + NFV
Internet
MPLS
Combining our networks with SDN/NFV
Internet
4G 4G
MPLS
✓ Efficiency: hybrid networks, reduced hardware, on-demand, MPLS interworking
✓ Reliability: app policy based, E2E SLAs and visibility, range of site topologies, vCPE with in-built 4G and vFW as standard
✓ Agility: self-adjust speeds and settings, ‘best of breed’ cloud providers and VNFs
✓ Global coverage: 75 country direct, 182 indirect. Local and global product variants.
On-demand network, combining SD-WAN with integrated multi-vendor functions
VODAFONE SD-WAN: THE FUTURE-READY SOFTWARE-DEFINED WAN
https://www.vodafone.com/business/solutions/fixed-connectivity/ready-network/sd-wan
Over 1,000,000 Branch SRXs Deployed
Financial Services, National Governments, Defense and Military
Retail Chains, Managed Service Providers, Distributed Enterprises
DEMOS ONLINE
15 FEATURES IN 15 MINUTES:
juniper.net/sdwan-playlist
more at juniper.net/sd-wan
FREE TRIAL AND TOUR
more at juniper.net/sd-wan or juniper.net/try
SD-WAN
Q & A?
THANK YOU