white paper-juniper enterprise data center network reference architecture
Post on 08-Aug-2018
8/22/2019 WHITE PAPER-Juniper Enterprise Data Center Network Reference Architecture
1/36
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408.745.2000
1.888 JUNIPER
www.juniper.net
Enterprise Data Center Network Reference Architecture
Using a High Performance Network Backbone to Meet the Requirements of the Modern Enterprise Data Center
Part Number: 803001-003 Nov 2008
Copyright 2008, Juniper Networks, Inc.
Table of Contents
Executive Summary 4
Introduction 4
Trends and Challenges 4
Juniper Networks Approach and Solution 6
Scope 6
Target Audience 6
Enterprise Data Center Network Design Considerations 7
Virtualization 8
High Availability Disaster Recovery 8
Visibility 8
Network Connectivity 8
Security 9
Policy and Control 9
Quality of Service (QoS) 10
High Performance 10
A Green and Environmentally Friendly Data Center 10
Juniper Networks Data Center Network Architecture 11
Open Systems Approach: Juniper Networks Enterprise Framework 11
Location-Based Approach 12
Design Principles 13
High-Level Architecture 14
Edge Services Tier 16
Edge Services Connectivity 16
Edge Services High Availability 16
Edge Services Performance 17
Edge Services Security 17
Core Network Tier 18
Core Network Connectivity 19
Core Network HA 19
Core Network Virtualization 19
Network Services Tier 20
Data Center Security Services 21
Application Front Ending Services 22
Applications and Data Services Tier 23
Fibre Channel SANs 26
iSCSI SANs 26
Data Center Backbone 27
Data Center Network Management 28
Summary 30
Glossary 3
Appendix A: Juniper Networks Data Center Network Solution Tables 33
Data Center Product Tables 33
Data Center Product Tables (by Tier) 33
Partner Products 34
Symantec 34
Kaspersky 34
SurfControl and Websense 34
Avaya IG550 35
Appendix B: Juniper Networks Core Network Power Efficiency Analysis 35
About Juniper Networks 36
Executive Summary
The data center is an extremely critical corporate asset. As such, the data center network that connects all critical servers, applications and storage services is a key component that should be carefully planned and managed to meet the growing performance demands of users and many network-centric applications. Juniper Networks offers a comprehensive data center network solution that combines best-in-class products with well-defined practices to build high-performance, robust, virtualized, cost-effective and business-supporting data center networks.
This reference architecture proposes practices, technologies and products that help data center architects and engineers responsible for meeting the requirements of designing modern data center networks.
Introduction
Trends and Challenges
According to research conducted by Nemertes (2006), 91 percent of benchmarked companies were under compliance constraints, and more than 50 percent of companies consolidated their dispersed data centers into fewer but larger data centers in the last 12 months, with even more planning to consolidate in the upcoming 12 months. While enterprises are consolidating their data centers and centralizing their servers, the opposite is happening with the employees themselves. More than 90 percent of employees work remotely, and more companies are opening a larger number of branch offices to get closer to their customers. These two divergent trends cause tremendous strain on enterprise WAN connectivity as more people attempt to access applications that are highly centralized. Further, performance of these applications is becoming a critical bottleneck in terms of employee productivity.
Another interesting trend is that servers are continuing to grow at a high annual rate of 11 percent, while storage is growing at an even higher rate of 22 percent; both of these are causing tremendous strain on the data center's power and cooling capacity. According to Gartner, OS and application instability is increasing server sprawl, with utilization rates of 20 percent. Also, Coordination Implementation and Operations (CIOs) are increasingly demanding utilization/efficiency reports on servers and storage, which is leading to an increased adoption of virtualization technologies such as VMware and XenSource.
The major challenges identified by customers regarding their data centers include the following:
Power capacity
Cooling
Increasing growth of the data centers
Availability
Disaster recovery
Operational issues concerning change management and controlling operational costs
Enterprises demand zero downtime, or extreme availability, as businesses become increasingly global and function 24x7.
Gartner (2007) identifies the following trends from a list of the top 10 disruptive technologies in the data center:
Unified Communications
The Web as a platform to deliver applications
Virtualization that goes beyond consolidation
Mashups and composite applications
Green IT
Emerging applications that use Service Oriented Architecture (SOA) and Web services, which are increasingly computational and network intensive
While businesses are attracted to the cost savings of consolidating data centers and therefore are reducing the number of facilities and operating locations, architects face the challenge of designing a data center that centralizes servers and applications that are accessible from a variety of locations (see Figure 1). Throughout all of these challenges, today's data center must meet the performance requirements to ensure satisfactory user experiences without compromising security and compliance.
Figure 1: Location-Based Perspective of the Enterprise Network
In addition, Gartner (2007) asserts that 50 percent of the Ethernet switch ports within the data center are used for switch interconnectivity.
Simply designing a data center that only deploys more servers, storage and devices significantly increases network complexity and cost. Organizations must change the way they view their data center network architecture to maximize efficiency gains from technologies such as virtualization. The architecture must use virtualization capabilities such as MPLS and virtual private LAN service (VPLS) to enable an extremely fast, high-performance data center backbone network that meets the performance demands of the consolidated architecture. The data center network also must offer required components such as security, performance acceleration, high density and a resilient network infrastructure. These critical components help ensure that users sustain the performance needed to succeed in their jobs, and that the network supports their business goals. This document shares Juniper Networks best practices in designing a highly efficient, secure, scalable and flexible data center network. This document also showcases advanced network technologies such as high-density next-generation Ethernet switches, application delivery controllers and WAN acceleration that can be employed to create a seamless user experience, irrespective of the location on the network.
[Figure 1 labels: Headquarters Office, Large Regional Office, Small Regional Office, Standalone Office, Remote Sales Office, Manufacturing Plant, Retail Store and Data Center connected over a Private WAN and the Internet; device labels include SSG, ISG/IDP, WX/WXC, Infranet Controller, J-series, M-series, SA-series, SRX-series, EX-series and an Avaya VoIP gateway; VoIP Pilots]
Juniper Networks Approach and Solution
The Juniper Networks strategy for designing the data center network uses an open systems approach that enables enterprises to design a high-performance data center network that consolidates network elements into fewer networks and employs fewer network devices. This approach simplifies network architecture, enables operational efficiencies, and offers data center networks that are agnostic to multiple media types.
The architecture virtualizes critical network infrastructure components and functionalities such as security, load balancing and application acceleration, and it deploys and manages them based on a combination of business as well as technical heuristics. The architecture optimizes network performance and increases efficiencies within the network infrastructure. The architecture also automates network infrastructure management by connecting smoothly into the customer's existing management frameworks and third-party tools such as IBM Tivoli.
Scope
The purpose of this document is to provide our partners, customers and potential customers with a data center network architecture that mitigates business risk and supports the modern, consolidated data center. This document addresses the following topics:
Network infrastructure
Security
Connectivity
Performance aspects of the data center infrastructure
In addition, this document provides design guidance for the data center network, the inter-data center network and associated connectivity. Discussions focus on the following network devices:
Routers
Switches
Firewalls
Intrusion prevention systems
VPN access devices
Application front ends
WAN acceleration products
NOTE: Because application-specific components such as operating systems, processing machines, databases and storage arrays are out of scope of this solution, they are not addressed in this document.
Target Audience
IT managers and security managers
Systems engineers
Network analysts and engineers
Network administrators
Enterprise Data Center Network Design Considerations
The following section summarizes some of the technical considerations for designing a modern day data center network that must support consolidated and centralized server and storage infrastructure as well as enterprise applications.
NOTE: The design considerations discussed are not necessarily specific to Juniper Networks solutions and can be applied universally to any data center network design, regardless of the vendor.
The functional data center network design model (Figure 2) considers key design attributes. Each of these attributes is summarized in the following sections.
Figure 2: Center Network Functional Design Model
As data centers become consolidated, more servers become centralized. The data center can be viewed from the perspective of the different groups of people interacting to create a highly available and functional end user requirement for the enterprise. These groups typically comprise storage, server, application and network groups. Observing all of the installed devices in the data center, we obviously see large racks of servers (x86 servers, blade servers or mainframe systems), different types of storage switches that use Fibre Channel (FC) and InfiniBand, and a variety of applications (Oracle, SAP, Microsoft) that utilize these resources to deliver business requirements. These three silos are connected through a fast, secure and reliable data center network fabric, which forms the fourth silo of systems and devices in the data center. The critical attributes for designing today's data center for extreme availability and superior performance are as follows:
Virtualization: network, server and storage
High Availability/Disaster Recovery (HA/DR)
Visibility: not only into network traffic and security events, but also into application traffic
Connectivity: ubiquitous connectivity to disparate sets of resources
Security: security and compliance
Policy and Control: centralized policy and control
Quality of Service (QoS)
High Performance: applications, storage, servers and the network
[Figure 2 labels: Virtualization, HA/DR, Visibility, Connectivity, Security, Policy & Control, QoS and High Performance, arranged around Storage, Applications, Servers and Network Infrastructure]
Virtualization
As described in Wikipedia, virtualization is a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications or end users interact with those resources. This means making a single physical resource such as a server, an operating system, an application or a storage device appear to function as multiple logical resources; or making multiple physical resources such as storage devices or servers appear as a single logical resource. Virtualization also means making one physical resource appear, with somewhat different characteristics, as one logical resource.
From a network virtualization perspective, there are various technologies that provide data, control and management plane virtualization. A data plane virtualization example is a single physical interface that provides security to multiple network segments using 802.1q VLAN tagging. From a control plane virtualization perspective, multiple routing domains and protocol instances are other examples. A management plane virtualization example supports multiple logical firewall/VPN security systems that use Virtual Systems (VSYS) for true multi-department or multi-customer environments, such as large enterprises or service providers who offer managed security services, all in a single device.
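The data plane example above, one trunk interface carrying several security segments distinguished only by their 802.1q tag, can be made concrete with a small parser and policy check. This is an added illustration, not Juniper code; the VLAN numbers, zone names, subnets, zone policy and the choice to drop untagged frames on the trunk are all constructed assumptions.

```python
"""Per-VLAN security zones on one physical interface (802.1Q data plane virtualization).

Added example, not Juniper code. VLAN numbers, zone names, subnets and the
policy table are constructed for illustration.
"""
import struct
import ipaddress

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed mapping: one trunk interface, each VLAN is a separate security segment.
VLAN_TO_ZONE = {10: "finance", 20: "hr", 30: "guest"}

# Constructed zone policy: destination zones each source zone may reach.
ZONE_POLICY = {
    "finance": {"finance", "hr"},
    "hr": {"hr"},
    "guest": set(),  # guest traffic may not reach internal segments at all
}

# Constructed: destination subnet per zone, used to find the destination zone.
ZONE_SUBNETS = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "hr": ipaddress.ip_network("10.20.0.0/24"),
    "guest": ipaddress.ip_network("10.30.0.0/24"),
}


def parse_frame(frame: bytes):
    """Return (vlan_id, ethertype, payload) for an Ethernet II frame.

    vlan_id is None for untagged frames. A tag whose VID is 0 is a priority
    tag (802.1p only, no segment identity) and is reported as None too.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
        vlan_id = vid if vid != 0 else None
        offset = 18
    return vlan_id, ethertype, frame[offset:]


def ipv4_destination(payload: bytes):
    """Extract the destination address from a minimal IPv4 header."""
    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    return ipaddress.IPv4Address(payload[16:20])


def zone_for_address(addr):
    for zone, net in ZONE_SUBNETS.items():
        if addr in net:
            return zone
    return None


def evaluate(frame: bytes) -> str:
    """Classify a frame by its VLAN tag and apply the zone policy.

    Returns "permit", "deny" or "drop-untagged". Untagged frames on the trunk
    carry no segment identity, so they are dropped instead of being mapped to
    a default zone (a constructed policy choice for this example).
    """
    vlan_id, ethertype, payload = parse_frame(frame)
    if vlan_id is None:
        return "drop-untagged"
    src_zone = VLAN_TO_ZONE.get(vlan_id)
    if src_zone is None or ethertype != ETHERTYPE_IPV4:
        return "deny"  # unknown VLAN or non-IPv4 payload: no matching policy
    dst_zone = zone_for_address(ipv4_destination(payload))
    return "permit" if dst_zone in ZONE_POLICY[src_zone] else "deny"


def build_frame(vlan_id, dst_ip: str, src_ip: str = "10.10.0.5") -> bytes:
    """Construct a tagged (or untagged when vlan_id is None) IPv4 frame for testing."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    # Minimal 20-byte IPv4 header: version/IHL, TOS, length, id, flags, TTL, proto, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    if vlan_id is None:
        return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr
    tci = (3 << 13) | vlan_id  # PCP 3, DEI 0, 12-bit VID
    return dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + ip_hdr


if __name__ == "__main__":
    for vid, dst in [(10, "10.20.0.7"), (20, "10.10.0.7"), (30, "10.10.0.7"),
                     (None, "10.10.0.7"), (99, "10.10.0.7")]:
        print(vid, dst, evaluate(build_frame(vid, dst)))
```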
High Availability Disaster Recovery
High Availability Disaster Recovery (HA/DR) is a key requirement from the data center network perspective and must be considered not only from what is happening within the data center, but also from across multiple data centers. Network high availability should be deployed by using a combination of link redundancy (both external and internal connectivity) and critical device redundancy to ensure network operations and business continuity. In addition, using site redundancy (multiple data centers) is critical to meeting disaster recovery and regulatory compliance objectives. Moreover, devices and systems deployed within the confines of the data center should support component-level high availability, such as redundant power supplies, fans and routing engines. Another important consideration is the software/firmware running on these devices, which should be based on a modular architecture that provides features such as in-service software upgrades (ISSUs) to prevent software failures/upgrade events from impacting the entire device. Software failures/upgrades should only impact a particular module, thereby ensuring system availability.
Visibility
It is important to have visibility into network traffic and security events to effectively maintain and manage the resources. It is critical to collect IP traffic flow statistics to give enterprises insight into data flow, resource utilization, fault isolation, capacity planning, and tuning and offline security analysis. WAN utilization and user-level visibility can help IT better support application performance by leveraging network services and other resources. Security visibility is crucial to granularly view security events to help determine how these events get handled. Further, extending this visibility to develop a deeper understanding of application-specific traffic is crucial for understanding a wide range of operational and performance information that can impact the users of these applications. For example, specific compression and acceleration technologies can be applied at the network layer to accelerate email applications such as Microsoft Exchange. Another example is preventing employees' access to services such as YouTube and social networking sites from impacting business applications. Understanding the application (YouTube, Instant Messaging) and enforcing policies based on the application ensures that business critical applications meet or exceed the performance expectations of end users.
Network Connectivity
Customers, partners and employees all require immediate access to applications and information. Modern applications such as supply chain applications, IP telephony, Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), or sales force automation applications demand significant network performance. Concurrently, the challenge of working from any location in the enterprise further increases the complexity.
As part of the data center network design, the following critical aspects of external network connectivity must be considered:
WAN connectivity to enable branch office and campus users to access applications
Internet connectivity to enable partner access as well as secure remote access for remote and mobile users
Superior speed for data center backbone connectivity, data replication, business continuity, and use of technologies such as VPLS/MPLS
The internal data center comprises one or more server network(s) or data center LANs. The data center LAN hosts a large population of servers that require high-speed and highly available network connectivity. In addition, there can be multiple LAN segments and networks deployed that differ in security and capacity levels and other services offered. Typically, connections of 1 Gbps and higher (while 10 Gbps is becoming the standard) will be available in the data center network, providing at least 1 Gbps to the server and preferably 10 Gbps at network choke points.
Security
The critical resources in any enterprise location are typically the applications themselves and the servers and supporting systems such as storage and databases. Financial, human resources, and manufacturing applications with supporting data typically represent a company's most critical assets and, if compromised, can create a potential disaster for even the most stable enterprise. The core network security layers must protect these business critical resources from unauthorized user access and attacks, including application-level attacks.
The security design must employ layers of protection from the network edge through the core to the various endpoints, that is, defense in depth. A layered security solution protects critical network resources that reside on the network. If one layer fails, the next layer will stop the attack and/or limit the damage that can occur. This level of security allows IT departments to apply the appropriate level of resource protection to the various network entry points based upon their different security, performance and management requirements.
Layers of security that should be deployed at the data center include the following:
Denial of Service (DoS) protection at the edge
Firewalls to tightly control who and what gets in and out of the network
VPN to protect internal communications
Intrusion Prevention System (IPS) solutions to prevent a more generic set of application layer attacks
Further, application-layer firewalls and gateways also play a key role in protecting specific application traffic such as XML.
The above-listed solution guidelines address the requirements specified in the NIST recommended best practices, as stated in the Guide to General Server Security.[1]
Policy and Control
Policy-based networking is a powerful concept that enables devices in the network to be efficiently managed, especially within virtualized configurations, and it can be used to provide granular network access control. The policy and control capabilities should allow organizations to centralize policy management while at the same time offering distributed enforcement. The network policy and control solution should provide appropriate levels of access control, policy creation and management, and network and service management, ensuring secure and reliable networks for all applications. In addition, the data center network infrastructure should integrate easily into customers' existing management frameworks and third-party tools such as Tivoli, and provide best-in-class centralized management, monitoring and reporting services for network services and the infrastructure.
[1] Guide to General Server Security, Recommendations of the National Institute of Standards and Technology, Special Publication 800-123, http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
Quality of Service (QoS)
To truly assure application experience over large networks, Quality of Service (QoS) is a key requirement. It is critical to assign and manage QoS levels to ensure satisfactory performance of the various software applications. A minimum of three levels of QoS (each of which determines a priority for applications and resources) are as follows:
Real-time
Business critical
Best effort
Multiprotocol Label Switching networks and network traffic engineering capabilities are typically deployed to configure Label Switched Paths (LSPs) with Resource Reservation Protocol (RSVP) or Loader Debugger Protocol (LDP). This is especially critical with voice and video deployments, as QoS can mitigate latency and jitter issues by sending traffic along preferred paths or by enabling fast reroute to anticipate performance problems or failures. The data center network design should allow the flexibility to assign multiple QoS levels based on end-to-end assessment and allow rapid and efficient management to ensure end-to-end QoS for the enterprise.
High Performance
To effectively address performance requirements related to virtualization, server centralization and data center consolidation, the data center network should boost the performance of all application traffic, whether local or remote. The data center should offer LAN-like user experience levels for all enterprise users irrespective of their physical location. To accomplish this, the data center network should optimize application, server, storage and network performance.
WAN optimization techniques that include data compression, TCP and application protocol acceleration, bandwidth allocation and traffic prioritization improve the performance of network traffic. These techniques can also be applied to data replication, backup and restoration between data centers and remote sites, including disaster recovery sites.
Within the data center, Application Front Ends (AFEs) and load balancing solutions boost the performance of both client-server and Web-based applications, as well as speeding Web page downloads. In addition, designers must consider offloading CPU-intensive functions, such as TCP connection processing and HTTP compression, from backend applications and Web servers.
Beyond application acceleration, critical infrastructure components such as routers, switches, firewalls, remote access platforms and other security devices should be built on a non-blocking modular architecture, so that they have the performance characteristics necessary to handle the higher volumes of mixed traffic types associated with centralization and consolidation. Designers also should account for remote users.
A Green and Environmentally Friendly Data Center
A green data center is a repository for the storage, management and dissemination of data in which the mechanical, lighting, electrical and computer systems provide maximum energy efficiency with minimum environmental impact. As older data center facilities are upgraded and newer data centers are built, it is important to ensure that the data center network infrastructure is highly energy and space efficient. Network designers should consider power, space and cooling requirements for all network components, and they should compare different architectures and systems so that they can ascertain the environmental and cost impacts across the entire data center. In some environments, it might be more efficient to implement high-end, highly scalable systems that can replace a large number of smaller components, thereby promoting energy and space efficiency. Green initiatives that track resource usage, carbon emissions and efficient utilization of resources, such as power and cooling, are important factors when designing a data center. Appendix B presents an analysis of the Juniper Networks MX960 Ethernet Services Router's effects on reductions in energy consumption and footprint within the data center. Designers can use this appendix as an example for comparative analysis against other core solutions.
Juniper Networks Data Center Network Architecture
The intent of the Juniper Networks approach for building the enterprise data center network is to allow enterprises to take advantage of the most advanced technologies and to offer a design model that supports the current as well as future applications and data processing requirements of the enterprise, while at the same time reducing the risk and total cost of ownership.
Open Systems Approach: Juniper Networks Enterprise Framework
Juniper Networks uses a simplified version of the Open Systems Interconnection (OSI) model that includes three functional layers controlled by a policy and management domain (Figure 3). These functional layers are as follows:
Applications
Services
Infrastructure
The applications layer provides support to the various software applications that are required to run the business. It provides the environment that allows applications to run and interoperate. The services layer combines the traditional presentation, session and transport layers and provides support to users and applications. It includes security services, application interfaces, and acceleration and optimization services. The infrastructure layer combines the network, data link and physical layers and consists of routing and switching features that manage the network, connection management, data flow and QoS.
The policy and management domain integrates with the customer's centralized policy and management functions to help reduce operations costs while simultaneously enabling compliance. All three layers are interconnected with open standards-based interfaces that allow enterprises to seamlessly deploy a multivendor solution that provides flexibility to use the best technologies to meet business requirements.
Figure 3: The Juniper Networks Enterprise Framework
[Figure 3 labels: Applications; Services (Security, Acceleration and Optimization, Access, Alliance Products utilizing open interfaces); Infrastructure (Routing, Switching, Wireless); Policy and Management (Policy, Identity, Visibility, Optimization, Provisioning)]
The Juniper Networks Enterprise Framework supports the next-generation data center network by providing a best-in-class network environment that uses open, standards-based and industry-accepted interfaces. Enterprises can use this framework to logically view their network infrastructure and applications in order to make decisions that best serve the requirements of deploying enterprise applications.
Juniper Networks takes a holistic approach to next-generation networking and takes into account the user, network and application perspectives. Our understanding of applications and how they are accessed from a variety of locations enables us to provide an architecture that meets the demands of a variety of users.
Location-Based Approach
physical locations and geographies from which data clients attempt to connect. Enterprises typically have campuses, regional offices, branch offices, a private WAN and data centers.
The key intention of the data center is to offload always-on requirements from various enterprise locations to a central, stable location that always contains the enterprise's most recent application data. By decoupling the information store from the physical location of the user, enterprises derive greater efficiencies by creating a centralized pool of resources. This trend of centralizing applications and consolidating multiple facilities makes the WAN or other external networks extremely critical, because users now need to traverse a larger network in order to gain access to data. As such, a great deal of emphasis has been given to the design of the enterprise private WAN and Internet edge, which in many cases hosts branch office connectivity and remote user connections.
The data center does not typically host users and most certainly does not accommodate data center application users. However, this data center network design model can support different operational requirements that are unique to certain enterprises. Options such as administrative user access can be built into any data center design.
WAN services should extend to all of the remote location connections. Among these services are stateful firewalls, intrusion prevention and WAN acceleration. Figure 4 depicts a high level perspective, illustrating the overall enterprise connectivity into the data center and connectivity between data centers.
Figure 4: Enterprise Network Connectivity to the Data Centers
[Figure 4 labels: Enterprise Private WAN; Data Center Backbone; Campus A and B; Regional Office A and B; Data Center A, B and C; Branch 1 through Branch n; PTP Network/Internet; L2/L3]
Design Principles
Key design principles originate from business and technical reasons. The business reasons are fairly clear: optimize capital expenditures and reduce operation expenses. The top level technical requirements include the following:
Leverage shared infrastructures
Employ virtualization technologies to increase utilization and efficiencies
Ensure scalability, flexibility, security and application performance over the network
Juniper Networks key design principles are as follows:
Consolidation of Data Centers and Centralization of Services from Multiple Business Offices: This principle imposes a variety of technical requirements on the data center network. Centralizing services typically does not improve overall processing time or data availability, but it often increases overall utilization and allows for more streamlined IT operations. Additionally, centralizing services requires maintenance of the unique aspects of legacy distributed processing configurations such that different processing instances may belong to different business entities, such as finance and HR. Uniqueness and operational freedom should remain virtually independent.
Virtualization: The virtualization of processing has introduced a new standard in resource pooling and resource utility optimization. Virtualization technologies at various levels are introduced in the data center, from virtualization of large storage arrays and servers to network virtualization and
network service The network inrastructure maniests virtualization through VPNs, labels and tags
o orwarding plane trac, while the network services maniest virtualization through the denition
o service instances and application o unique processing logic to the dierent instances The overall
data virtualization capabilities o the data center are key requirements that eectively drive network
virtualization
High Availability
Consolidating and centralizing resources, as well as virtualizing technologies, makes guaranteeing data access all the more critical. Data should be available regardless of the location from which it is being served. The four key vectors that address network HA include the following:
- Component
- Device
- Link
- Site
Streamlined Operation and Management of Data Center Services
In a consolidated and virtualized environment, one of the key elements is a single management platform based on open standards that knows how to control servers, applications, storage and network infrastructure as one. Hence, it is critical to use devices and systems that support open standards-based interfaces and protocols, so that these devices and systems can all be controlled from existing and from evolving customer management systems.
High-Level Architecture
Figure 5 illustrates the Juniper Networks data center network architecture; the following lists the major architectural tiers:
- Edge Services Tier: hosts all WAN services connecting to non-data center locations
- Core Network Tier: connects all data center networks within and across data centers
- Network Services Tier: supports WAN acceleration, Intrusion Prevention and other network services
- Applications and Data Services: provides network connectivity to the data center server and application infrastructure
- Data Center Backbone: provides connectivity between data center facilities for high availability, replication and disaster recovery
In the paragraphs that follow, we explore the different network tiers in greater detail.
Figure 5: Juniper Networks Data Center Network Architecture
The data center network scalability requirements are rather significant because they must support centralized applications and data center consolidation. Hosting a large network in one location requires some modularization that allows certain services to be re-applied to applications and areas as needed.
As the data center edge network serves as the key boundary to the data center, it is responsible for maintaining reachability with all other external networks.
It is important to support network applications with an extremely fast core network that is capable of forwarding the total aggregate traffic at line rate. Effectively, the network core can span across multiple locations and multiple devices. Logically, the network core connects all data center networks directly to itself. This attribute is critical in order to offer rack/location-agnostic server-to-network binding, which is a key element in building a virtualized data center fabric that supports automatic repurposing of compute resources. Another benefit of this approach is that it maintains a more controllable HA design, so that a single device includes its own redundancy component to augment an additional device (or set of devices) as a backup system.
Extending all networks to the data center core allows flexibility to enable or disable services to each of the networks independently, in addition to allowing scalable services initiated from demand and available capacity. A virtualized approach for enabling network services optimizes performance and efficiency. A common example is a stateful firewall that provides virtual domain security by directly connecting to the core and by securing multiple physical networks. This approach proves highly useful in segmenting the network by firewall policy.
[Figure 5 diagram: Edge Services (WAN Edge and Internet Edge: M-series routers, ISG firewalls, IDP, SA series, WX/WXC WAN Acceleration), Core Network (Core Device: MX-series or EX8200 series; Core Firewall: SRX-series), Network Services (VPN Termination Gateway, Server Security Gateway, Internet Access Gateway, Intrusion Detection and Prevention, Secure Access (SSL)), and Applications and Data Services (EX4200 series access switches; IP Storage, Internal Storage, External Storage and Infrastructure Storage Networks)]
Edge Services Tier
The Edge Services tier is responsible for all connectivity and network level security aspects (up to Layer 4) to connect the data center to the outside world. Typically, routers and firewall/VPNs are located in this tier. It is likely that the data center connects to various leased lines connecting to partners, branch offices and to the Internet. For connecting all of these networks, it is important to plan for the following:
- Internet routing isolation, for example separating the exterior routing protocols from the interior routing protocols
- Network Address Translation (NAT) to convert your private IP addresses to public Internet routable IP addresses
- IPSec VPN tunnel termination for partner, branch and employee connections
- Border security to enforce stateful firewall policies and content inspection
- Quality of service (QoS)
Network architects have often used L2 switches at the edge to form a hierarchical mesh, with the intention of allowing a multitude of links to provide fault protection during failure. The Juniper Networks solution employs Juniper Networks M-series multiservice edge routers and Integrated Security Gateway (ISG) firewalls or SRX firewalls. Juniper Networks leverages the routing functionality of the firewalls to provide a routed connectivity solution instead of a traditional switched mesh approach. This method places failure detection and correction into a domain that is solely routed, providing more effective and intelligent network resource use. The direct protocol interaction between the routers (without intervening switches) eliminates the typical layer of Ethernet switches that are commonly used at the edge.
Edge Services Connectivity
Figure 6 shows the Juniper Networks edge services design and illustrates how the edge services tier connects multiple external networks to the data center. Edge Services provide all connectivity and network level (up to L4) security aspects for connecting the data center to the outside world. The edge routers and firewall VPNs reside in this tier.
The edge routers are Juniper Networks M-series routers and are the edge devices for both Internet and private WANs. The M-series routers were selected for two primary reasons: interface capacity and throughput.
Each router has a single connection to the Internet (or private WAN). Connectivity between the edge routers to each ISG firewall creates a fully meshed network. You can link the edge routers to each other using a single gigabit Ethernet link that provides a transit path around a less preferred or failed path. In addition, Juniper Networks uses redundant hardware, Dynamic Routing Protocols (DRPs) and fully meshed links to minimize the amount of failure cases that could impede business continuity.
Edge Services High Availability
The Edge Services tier should provide HA at three levels where appropriate:
- Link
- Device
- Component
Link-level high availability should be applied at all Internet connections and, in cases where additional data centers are available, it is best to keep a single leased line/private WAN connection in each data center. Device-level high availability is relevant only when we enable the link-level high availability setting, as multiple devices cannot utilize a single link themselves. Hence, Internet-facing routers and devices located within the edge services layer should support device-level high availability. Additionally, component level high availability such as multiple power supplies, fans and route engines should be mandatory for edge-deployed devices.
Figure 6: Data Center Network Edge Services
In this solution, dynamic routing determines the flow of traffic. Each tier is deployed as a fully meshed solution. As a result, redundant paths are provided on each redundant device. During a link failure, a single device is not lost, and this increases environment uptime by avoiding bringing down a viable path unless necessary.
During a failure, the network requires a minimum of one additional redundant path to route around the failure. While this design itself offers high availability, the addition of a second data center further ensures high availability, as an entire data center could be lost without losing network operability.
Edge Services Performance
As in any other major server concentration, the data center should terminate a large number of WAN acceleration tunnels. These tunnels correspond to as many remote sites as are appropriate for optimal user experience and performance. Some of the WAN acceleration technologies include redundant WAN acceleration tunnels and load balanced WAN acceleration clusters. Both technologies integrate by using intelligent traffic rerouting techniques in the data center.
Edge Services Security
The edge services network serves three major security functions. First, it protects against Denial of Service (DoS) attacks that are most efficiently controlled at the data center edge without using other valuable processing resources. Second, the edge tier firewalls can perform stateful inspection. Third, we implement VPN secure connectivity services. This section covers the design guidelines for these three security functions. These functions cover the protection against the threats outlined in NIST recommended best practice, as stated in the Guide to General Server Security [2].
[Figure 6 diagram: Edge Services with M-series edge routers toward the Internet and the Private WAN, HA pairs of ISG firewalls acting as Internet Access Gateways, Server Security Gateways and VPN Termination Gateway, WX/WXC WAN Acceleration, all connecting to the Core Network Core Devices (MX-series or EX8200 series)]
[2] Guide to General Server Security, Recommendations of the National Institute of Standards and Technology, Special Publication 800-123, http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
For large data centers, Juniper Networks recommends using three sets of firewalls in the Edge Services tier. The first set, the Internet firewalls, must connect to the Internet and receive routing information from the edge routers to enable outbound traffic routing to the Internet. The second set, the Secure Services Gateways (SSGs), secure the server and data resources and software applications for inbound traffic that originates from the Internet. The third set, the IPSec VPN firewalls, comprise the connectivity hub for all remote sites and terminate IPSec VPNs from the Internet as well as from the private WAN. The IPSec firewalls also terminate VPN tunnels for all of the remote branches over the private WAN. To provide services to the remote branches, the IPSec VPN firewalls must connect to the network core. Although these firewalls are shown as three sets, for smaller capacities and performance requirements, it is possible to consolidate the three firewalls into one or two sets.
General DoS protection to all data center services should be performed at the Edge Services tier. This moves the security intelligence closer to the provider edge, thereby decreasing the number of devices that can potentially be compromised, especially with DoS attacks. A large flood can present challenges to any network, as it can consume all available network bandwidth and might require extra processing by stateful firewalls. Large floods result in high CPU usage and slow response times. While stateful firewalls provide much needed visibility and fine-grained protection against a variety of floods, all stateful firewalls have an upper limit in their capacity to deal with certain types of floods such as SYN or Internet Control Message Protocol (ICMP). If a firewall is overwhelmed with a flood, the firewall experiences high CPU loads and might drop legitimate traffic. The specific rate per attack varies per firewall depending upon its configuration and software version. To protect the firewall and network against massive floods, rate limits should be implemented on routers protecting all firewall interfaces. The goal is to limit certain types of traffic, such as TCP control traffic and ICMP types, to rates which will not impact available bandwidth or overwhelm the firewall.
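The rate-limit guideline above, as an added Junos configuration example that is not taken from the paper: a firewall filter with two policers caps TCP SYN and ICMP traffic on the router interface facing the firewall while leaving established flows untouched. The interface name ge-0/0/1 and the bandwidth and burst values are assumed placeholders to be sized against the measured capacity of the protected firewall.

```junos
/* Added example, not from the paper: police connection-setup and ICMP traffic
   on the router interface that feeds a stateful firewall.
   Interface name and rate/burst values are assumed placeholders. */
firewall {
    policer syn-policer {
        /* keep TCP connection-setup traffic well below the firewall's session-rate limit */
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 64k;
        }
        then discard;
    }
    policer icmp-policer {
        if-exceeding {
            bandwidth-limit 512k;
            burst-size-limit 16k;
        }
        then discard;
    }
    family inet {
        filter protect-firewall {
            /* match only initial SYN segments (SYN set, ACK clear);
               packets of established sessions never hit the policer */
            term limit-syn {
                from {
                    protocol tcp;
                    tcp-flags "syn & !ack";
                }
                then {
                    policer syn-policer;
                    count syn-policed;
                    accept;
                }
            }
            term limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-policer;
                    count icmp-policed;
                    accept;
                }
            }
            /* everything else passes at line rate; the firewall behind applies policy */
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    /* assumed: ge-0/0/1 is the router port connected to the firewall, so the
       filter is applied in the output direction toward the firewall */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    output protect-firewall;
                }
            }
        }
    }
}
```

After commit, `show firewall filter protect-firewall` reports both counters, which is the quickest way to confirm that policing engages only during a flood and not under normal load.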
As part of the VPN design and encryption protocol selection, there are trade-offs that must be made. Organizations should choose the strongest encryption that does not compromise the performance requirements for the network. Encryption algorithm selection is a balancing act between security and performance. A longer key length provides more security against brute force attacks yet might require more computational power; therefore, it delivers less performance for encrypting large amounts of data. Note that performance considerations should be made for all devices participating in the VPN, not only devices that terminate at the headend. Satellite devices might not be as powerful as the application-specific integrated circuit (ASIC)-accelerated, crypto-powered headend systems. When analyzing the elements, it is important to acknowledge the handshake protocol encryption requirements. These typically use asymmetric encryption algorithms for improved security and might affect the devices dramatically, especially with many VPN peers. One also must consider bulk encryption algorithms. Typically, these algorithms must be symmetrical and, at a minimum, are not a design constraint, because of hardware assistance and their lower cost compared with handshakes. However, if the design presents few VPN peers and large amounts of data transfer, this element should be considered; the lowest common denominator will be the speed that determines the VPN capacity. Finally, one should consider hashing algorithms. This selection is primarily done based on security requirements, but if hardware assistance is involved, then design considerations diminish.
Core Network Tier
The Juniper Networks design employs a data center network architecture consisting of two logical forwarding tiers rather than a traditional 3-tier model. Traditional 3-tier networks add an aggregation network between access networks and core networks, and they are the primary method to extend networks because of scalability limitations with most available core network devices. Aggregation at the core allows for more flexibility and easier support for virtualization, but it requires high-speed processing and high availability levels.
One of the biggest advantages of a 2-tier design is a dramatic reduction in the number of devices. Reducing the number of devices provides the following advantages:
- Produces significant power savings
- Reduces the facilities footprint of the system
- Offers simplified device management
- Allows tighter security control
- Reduces the number of system failure points
The scalability of the 2-tier model is typically limited by the scalability of the core network devices. The more traditional 3-tier design, which allows for high scalability requirements, is not discussed in this paper.
Core Network Connectivity
The core network provides the key data center fabric connectivity by connecting routers, servers, appliances and storage devices. It does not directly allow connections between the different networks that connect to the core, as each network must be contained in a separate routing instance of Virtual Routing and Forwarding (VRF). In cases where traffic should traverse between the VRFs, the core firewall performs the forwarding according to the security policy. Effectively, the core firewalls should connect between the different networks that reside in the same data center (see Network Services Tier).
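One way to express the per-network VRF containment and the firewall-mediated inter-VRF path described above, as an added Junos example that is not the paper's own configuration: two VRFs on the core device and a matching zone policy on the core firewall, given as two configuration fragments for the two devices. The instance names, interfaces, route distinguisher and target values, addresses, and the use of a dedicated physical link per VRF into the firewall are assumptions.

```junos
/* Added example, not from the paper. Fragment 1: core device (MX-series or EX8200).
   Each data center network lives in its own VRF with no route leaking between them,
   so the only path from one network to another is through the core firewall. */
routing-instances {
    external-apps {
        instance-type vrf;
        /* assumed: ge-1/0/0.0 faces the external access switches,
           ge-1/0/10.0 is this VRF's dedicated link to the core firewall */
        interface ge-1/0/0.0;
        interface ge-1/0/10.0;
        route-distinguisher 65000:1;
        vrf-target target:65000:1;
        vrf-table-label;
    }
    internal-apps {
        instance-type vrf;
        /* assumed: ge-1/0/1.0 faces the internal access switches,
           ge-1/0/11.0 is this VRF's dedicated link to the core firewall */
        interface ge-1/0/1.0;
        interface ge-1/0/11.0;
        route-distinguisher 65000:2;
        vrf-target target:65000:2;
        vrf-table-label;
    }
}

/* Fragment 2: core firewall (SRX). Each VRF link lands in its own security zone;
   only the explicitly permitted flow crosses zones, and every session start is logged
   so that unexpected cross-network attempts are visible. Addresses are assumed. */
security {
    zones {
        security-zone external-apps {
            address-book {
                address web-tier 10.10.1.0/24;
            }
            interfaces {
                ge-0/0/10.0;
            }
        }
        security-zone internal-apps {
            address-book {
                address db-tier 10.20.1.0/24;
            }
            interfaces {
                ge-0/0/11.0;
            }
        }
    }
    policies {
        /* no from-zone internal-apps to-zone external-apps context is defined:
           the SRX default policy denies, so the internal network cannot
           initiate sessions toward the external one */
        from-zone external-apps to-zone internal-apps {
            policy web-to-db {
                match {
                    source-address web-tier;
                    destination-address db-tier;
                    application junos-ms-sql;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy deny-and-log {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```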
Core Network HA
The core network is a key component in enabling high availability in the data center network. By connecting all networks to the core network with full redundancy at the core, high availability is achieved without added complexity and dependency on the network protocols and convergence. Traditionally, adding high availability requires redesign of the network, whereas by using standards-based redundancy protocols and a core network approach, high availability is provided with lower operational overhead. In addition to adding redundant devices, it is extremely important to ensure that the core data center devices support in-service operations such as hot-swap interfaces and software upgrades.
Core Network Virtualization
To achieve network virtualization from the server through the network core, there are a variety of options to consider. For all options, a key assumption is the deployment of network systems that deliver line-rate throughput even when all features are turned on. In general, there are two possible approaches:
- Extend VLANs from the access layer or server all the way to the network core
- Use VLANs between servers and access devices and divide the network by using MPLS from that point on through the core
There are advantages and disadvantages to each approach, and each approach might be more practical on a different scale and for data center operators with different skill sets. VLANs that extend all the way to the core are more appropriate for smaller networks. However, in the case of larger networks that face VLAN scaling limitations with more elaborate QoS requirements, MPLS is the preferred choice. Regardless of the approach, the Juniper Networks data center network architecture and solution components provide both approaches without sacrificing performance.
Multiple instances of a single VLAN, residing in different physical access networks, can be joined at the core network across line cards (or not) without impacting performance. Additionally, multiple distinct VLANs, all connecting to a single access switch port, can be seamlessly reclassified and associated with MPLS Label Switched Paths (LSPs) with unique QoS and connectivity characteristics. The Juniper Networks 2-tier architecture provides for a more flexible design option, as depicted in Figure 7. The MX-series Ethernet Services Routers (ESRs) or EX 8200 series switches reside in the core network and Juniper Networks EX-series Ethernet switch platforms reside in the access layer.
Figure 7: Data Center Core Network and Network Services
[Figure 7 diagram: Edge Services (M-series routers toward the Internet and the Private WAN, ISG firewalls, IDP, WX/WXC, SA series), Core Network with two Core Devices (MX-series or EX8200 series) and two SRX Core Firewalls, Network Services (WAN Acceleration, VPN Termination Gateway, Server Security Gateways, Internet Access Gateways, Secure Access (SSL), Intrusion Detection and Prevention, X Connect), and Applications and Data Services (EX4200 series access switches for the IP Storage, External Servers, Internal Servers and Infrastructure Servers Networks)]
Network Services Tier
The network services tie closely to the network protocols that support data center applications. Network services are generally divided into two main categories:
- Security services
- Application services
Throughout this section, we describe both services in greater detail and address the key elements that comprise the data center network architecture.
The Network Services tier should extend itself to any of the server networks hosted in the data center, and apply a network-specific policy and set of configurations to behave appropriately with the traffic in that particular network section. For example, using a security service such as traffic SYN checking/sequence number checking might only be required for servers available to the outside world. Therefore, the architecture should support the application of these features only to those systems or networks. Most importantly, key characteristics are enabled by a direct logical attachment to the network core of the data center.
Leveraged throughout is the Network Services tier's ability to extend a shared pool of network services to any of the server and data networks, while allowing for granular and specific network service settings for each one of the services. The network services are virtually available for each of the backend data and service networks by sharing the network service resources across the entire data center. This approach allows the network designer to intelligently deploy network services to different applications and networks in the data center. Virtual instances are a key consideration in designing the Network Services tier.
Figure 8 illustrates the connectivity systems (MX-series ESR/EX-8200), application systems (Network N), and the network service systems (depicted on the far right of the diagram). This diagram provides a core network perspective and shows the interaction between the core and the pooled service devices. The network services include the following systems:
- Security services: such as firewalls, Intrusion Detection and Prevention
- Application frontend services: such as server load balancing, SSL offload, HTTP cache, TCP multiplex, and global server load balancing (GSLB)
Figure 8: Connectivity Systems, Application Systems and Network Service Systems
Data Center Security Services
One of the most important services of the Network Services tier is the security service. The security service essentially controls segmentation of the data center into separate networks, and it enables secure connectivity between the different networks. Because security services are broadly used, multiple devices participate in the application of security services to the data center server network. These security services at the data center network services layer provide necessary isolation and policy control for communication between servers located at the data center. These security services also address the requirements specified in the NIST recommended best practices to protect the data center network from any attacks or malicious activity from un-patched or compromised servers. Refer to the Guide to General Server Security [3].
[Figure 8 diagram: Edge Firewalls (Inbound Firewall, Outbound Firewall and VPN Firewall, ISG Series) and Network Services (Core Firewall: SRX, NS Series; AFE; SSL VPN: SA Series) attached to the Core Network Core Switch (MX960/EX 8200), which holds VRF 1 to VRF 4, one for each Apps and Data Services Network 1 to Network 4]
[3] Guide to General Server Security, Recommendations of the National Institute of Standards and Technology, Special Publication 800-123, http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
Stateful firewalls are the cornerstone of the data center network's security service. Stateful firewalls enforce a security policy that aligns with business and operational requirements through the identification and classification of networks. In addition to being the primary L4 access control system, the firewalls help with many security functions in the data center, such as service DoS or quota protections, Deep Inspection for specific applications where it is required and also potential network address translation.
Generally, the first layer of defense inside the data center is the stateful firewall. However, it is important to recognize that the firewall must be capable of extending a logical subset of its functionality as you dedicate the firewall to a specific data center network. The minimum amount of resources that the firewall must dedicate is a separate control and forwarding engine (virtual router) such that all traffic streams are totally isolated, and forwarding decisions will not mistakenly puncture the security protections. An additional attribute in designing a consolidated data center services instance is high availability capabilities that must extend themselves particularly at the services layer to truly design a network that depends on the services for its core functionality.
The Juniper Networks NetScreen firewall systems can split into separate virtual domains of control and forwarding instances, or Virtual Systems (VSYS), creating separate virtual domains that allow autonomy to different departments to control their security policies. To connect all of the core networks, the core firewall must participate in routing protocols within the data center network.
The Juniper Networks SRX 5800 service gateway provides 120 Gbps firewall, 30 Gbps IDP and 350,000 connections per second. Equipped with a full range of security features, the SRX 5800 is ideally suited for securing large data centers.
Application Security
In addition to assuring secure connectivity at L4, the Network Services tier should employ application security services such as Intrusion Prevention to protect the data center infrastructure. Because these application services are available to all users coming from insecure locations, the risk of application misuse or application DoS increases. In addition, because multiple applications are co-located, this creates a chain effect in which each application is affected by the risk to which another is exposed.
The platforms should support the level of performance required by the data center and be able to inspect L7 information at line-rate speeds. It is necessary to understand that the protocols deconstruct the data streams and build the right context to look for application threats. Therefore, a powerful and rich application protocol decoder is necessary. Also, the integration of the application protocol decoding into firewalls is a key consideration to help reduce the number of devices and to increase overall effectiveness. Finally, virtualization for a context-based security policy application, in which the security systems are able to uniquely treat different networks and applications, is another important consideration.
Application Front Ending Services
It is important to find ways to scale the data center services without a linear increase in the hardware footprint and to ensure that the design does not increase the operational complexity. A key component of the Network Services tier is a solution that enables offloading of non-specialized services from the data center servers.
One should consider deploying a system that supports acceleration for the different application tiers and also provides comprehensive capabilities around the more common and emerging application areas like Web 2.0. A data center acceleration solution should boost the performance of client-server, Web-based, and server-to-server applications, as well as speeding Web page downloads. In addition, the acceleration solution should offload CPU-intensive functions such as TCP connection processing and HTTP compression from backend applications and Web servers. For its part, the application acceleration platform should be seamlessly expandable through stacking or clustering of multiple devices. In addition to advanced traffic management and acceleration, the application front ending service should serve as a standard load balancer. This means forwarding traffic to its destination address from a pool of available addresses.
Organization/business requirements drive the need to allow different applications to be treated differently, and to allow different departments to control and define what acceleration and front ending characteristics they require from the network service. Our solution addresses these requirements.
Applications and Data Services Tier
The core network tier connects to the data center services and applications tier, which hosts all of the servers, databases and storage. Generally, there are four types of networks and there can be multiple instances of each type. Primary reasons for the multiple instances are separation of duties within the company and differentiated business objectives and IT requirements for the different networks. Figure 9 illustrates the four networks. A description of the four networks is as follows:
- External Applications Network: can be multiple external networks serving separate network segments. These typically include applications such as the public Website, public mail transfer agent (MTA), Domain Name System (DNS) services and remote access and potential file services that are available through unfiltered access.
- Internal Applications Network: multiple internal networks serving different levels of internal access from within the campus or branch locations. These networks typically connect internal applications such as finance and human resources systems. Partner applications also reside in the internal network, as do any specific applications that are exposed to partners such as inventory systems and manufacturing information.
- Infrastructure Services Network: only servers that are accessible to users are allowed to access infrastructure networks. These are intended to operate only on an automatic basis and performance usually is quite predictable. Common examples of infrastructure services include Lightweight Directory Access Protocol (LDAP), databases, file sharing, content management and middleware servers.
- Storage: storage networks, such as Fibre Channel, InfiniBand or Internet Small Computer System Interface (iSCSI), are part of the storage networks. Critical application servers directly connect to the storage devices through a separate Host Bus Adapter (HBA) to ensure fast access to data. Other servers connect using Ethernet to access storage facilities.
Figure 9: Data Center Application Network Types/Purposes
[Figure 9 diagram, Data Center Services and Applications:
- Externally Facing Applications: GSLB, DNS, SMTP, SSL, FTP
- Internally Facing Applications: DNS, LDAP, SMTP, MAPI, Web Apps (J2EE, ASP), SIP, RTSP, CIFS
- Infrastructure Services and Applications: SQL, LDAP, CIFS, Content Management
- Storage: iSCSI, FC, CIFS
- Infrastructure Management]
The applications and data services tier is primarily responsible for connecting and wiring all servers. The Juniper Networks solution provides flexible deployment options using its Ethernet switching platform and Virtual Chassis capability. Below are several flexible deployment options that Juniper Networks provides:
- Redundant access switch top of the rack deployment
- Server link aggregation with top of the rack deployment
- End of the row access switch deployment
Redundant access switch top of the rack deployment: This deployment option requires two high-speed, independent, top-of-rack switches that connect to the core network as a solution. In data center environments, servers are interconnected to access switches deployed within server racks. These access switches are often referred to as top-of-rack switches due to their location within the data center. Top-of-rack switching provides increased levels of availability because of multiple independent operating characteristics and physical power sources. Servers connect to two different physical switches, each part of a separate Virtual Chassis ring. Each ring in turn connects to the core network while using a loop detection and high availability L2 protocol.
Data center application connection is as ollows:
Each server has two, 1 Gbps access network switches; each server connects to a separate
access switch or redundancy purposesThe access switching layer connects to the core network using 10 Gbps uplink; each access
switch has separate 10 Gbps links
The server connection links and access switch uplinks can use VLAN trunking technology to
support both server virtual location and aggregation; all aggregating multiple L2 networks
then use ewer connections
Each internal and external applications network can be segmented into several sub networks (see
Figure 10) The servers that host these applications connect with at least a 1 Gbps (currently moving
towards 10 Gbps) link to the Juniper EX-series Virtual Chassisswitch The EX-series Virtual Chassis
switch connects to the network core through a 10 Gbps connection Depending on the number o
servers, multiple EX-series Virtual Chassis might be required, as shown in Figure 10 Juniper Networks
recommends dual homing the access layer switches using L3 with OSPF equal-cost multipath (ECMP)
instead o the Spanning Tree Protocol (STP) or deterministic behavior or minimal packet loss
Figure 10: Application and Data Services Network View
(Figure 10 shows two EX4200 series Virtual Chassis, VC 1 and VC 2, in the Application and Data Services tier. Servers attach over 10/100/1000BASE-T/TX links, and each Virtual Chassis is dual-homed over 10GBASE-SR LAG uplinks to two Network Core devices, MX-series or EX8200 series.)
In data center environments, servers are interconnected to access switches deployed within server racks. Typically, top-of-rack access switches are deployed in pairs to redundantly support servers within a single rack. Juniper Networks EX 4200 Virtual Chassis offers several advantages when deployed as a top-of-rack access switch. The EX 4200 supports a maximum of 48 10/100/1000BASE-T/TX interfaces for attached server devices at 1 Gbps wire-rate per interface. As a result, performance is not compromised. Also, each EX 4200 offers additional wire-rate uplink interfaces, with a maximum of four GbE or two 10GbE uplink modules for interconnecting from the top of the rack back to the data center core.
Server link aggregation with top-of-the-rack deployment: This deployment requires two high-speed top-of-rack switches that connect to the core network. Both switches are part of the same Virtual Chassis (the Virtual Chassis can extend to multiple racks, and a maximum of 10 switches can be part of the same Virtual Chassis). Data center servers can connect to both top-of-rack switches with link aggregation technology. This deployment provides flexible top-of-rack deployment with the additional advantage of high availability features such as switch, link, uplink, power and fabric redundancy. This approach also provides efficient network bandwidth utilization by actively using both links between server and access switch, increasing network throughput. The Virtual Chassis can be dual-homed with an uplink to the core switches using an L3 connection with OSPF equal-cost multipath (ECMP) instead of STP, for deterministic behavior and minimal packet loss.
End-of-the-row access switch deployment: With this deployment, all connections from the data center servers are extended to the switching rack at the end of the row. This deployment model was preferred because of the high availability features of a chassis-based solution, which are typically not available with small form factor top-of-rack switches. With Juniper Networks Virtual Chassis technology, a top-of-rack switching deployment can be built with all the high availability features of an end-of-row deployment. A Virtual Chassis or the EX 8200 platform can easily be deployed for traditional end-of-row deployment.
With the Juniper Networks Virtual Chassis capability, the ease and flexibility of top-of-rack deployment can be leveraged without compromising any high availability features as compared to the traditional chassis-based solution. With Virtual Chassis technology, the top-of-rack deployment can expand between data centers located a few kilometers apart.
The EX 4200 also supports the Virtual Chassis concept, whereby a maximum of 10 EX 4200 switches can be interconnected through a redundant, high-speed 128 Gbps interconnect, yet still be managed and maintained as a single logical device. With Virtual Chassis technology, the number of managed devices can be reduced by a factor of 10, significantly simplifying operations and reducing costs associated with maintaining large numbers of legacy access switches. Additionally, uplinks can be distributed across multiple EX 4200s in a single Virtual Chassis, providing uplink performance flexibility and added redundancy levels not found in legacy access switches.
The deployment options considered with the application and data services tier provide optimized data transfer for the data center solution. Server-to-server traffic utilizes a high throughput Virtual Chassis switch fabric across access switches. This provides the necessary bandwidth for data transfer between application servers and the database, as well as data replication between servers. The user-to-server traffic utilizes aggregated links between the access switches and the core router using the L3 connection of OSPF and ECMP. Separating the network path for user-to-server and server-to-server traffic efficiently utilizes network links and provides a predictable, consistent user experience.
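As an added configuration example (not from the white paper or from Juniper), the server link aggregation top-of-rack option with dual-homed L3 uplinks and OSPF ECMP could be expressed in Junos set syntax on a two-member EX4200 Virtual Chassis as follows; interface names, VLAN names and ids, addresses and the policy name are constructed placeholders.

```junos
## Added example, not from the white paper: an EX4200 Virtual Chassis of two
## top-of-rack members with a server LAG and dual-homed L3 uplinks.
## Interface names, VLAN names/ids, addresses and the policy name are
## constructed placeholders.

## Both members may take the master role; the VC is managed as one device
set virtual-chassis member 0 mastership-priority 255
set virtual-chassis member 1 mastership-priority 255

## Aggregated interfaces: ae0/ae1 are uplinks, ae2 is a server LAG
set chassis aggregated-devices ethernet device-count 3

## Uplink LAGs (10GBASE-SR): one module port on each member per core device
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces xe-0/1/1 ether-options 802.3ad ae1
set interfaces xe-1/1/1 ether-options 802.3ad ae1
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp active
## Routed uplinks: no VLAN spans the uplinks, so STP plays no role there
set interfaces ae0 unit 0 family inet address 10.255.0.1/31
set interfaces ae1 unit 0 family inet address 10.255.0.3/31

## Server LAG: one port on each member, trunked to carry several app VLANs
set interfaces ge-0/0/0 ether-options 802.3ad ae2
set interfaces ge-1/0/0 ether-options 802.3ad ae2
set interfaces ae2 aggregated-ether-options lacp active
set interfaces ae2 unit 0 family ethernet-switching port-mode trunk
set interfaces ae2 unit 0 family ethernet-switching vlan members [ app-a app-b ]

## Application sub-networks terminated on routed VLAN interfaces in the VC
set vlans app-a vlan-id 100 l3-interface vlan.100
set vlans app-b vlan-id 101 l3-interface vlan.101
set interfaces vlan unit 100 family inet address 10.10.100.1/24
set interfaces vlan unit 101 family inet address 10.10.101.1/24

## OSPF: point-to-point adjacency on each uplink; server subnets are
## advertised passively so no adjacency can form on a server-facing VLAN
set protocols ospf area 0.0.0.0 interface ae0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface ae1.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface vlan.100 passive
set protocols ospf area 0.0.0.0 interface vlan.101 passive

## ECMP: install both equal-cost next hops in the forwarding table
## (despite the keyword, Junos balances per flow, not per packet)
set policy-options policy-statement ECMP-LB then load-balance per-packet
set routing-options forwarding-table export ECMP-LB
```

Lines beginning with ## are annotations, not configuration statements. The matching point-to-point addresses and OSPF area must of course be configured on the two core devices as well.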
Storage Area Networks (SANs)
A Storage Area Network (SAN) connects servers and storage devices across a packet-switched network. Storage Area Networks allow arbitrary block-level access from servers to storage devices and among storage devices. Multiple servers can therefore share storage for clustering and high availability applications. In addition, the storage devices themselves can implement data protection services, such as synchronous data replication, asynchronous data replication or data snapshots, by directly moving data to another storage device. Storage Area Networks also provide a set of configuration, directory, discovery and notification services to attached devices.
A data center typically contains multiple SANs, each serving a different application, set of applications, work group or department. Depending upon the specific requirements, these SANs can be either FC (Fibre Channel) or iSCSI-based deployments. Both Fibre Channel Protocol (FCP) and iSCSI allow block access to storage devices using SCSI commands. The Fibre Channel Protocol uses the Fibre Channel communication structure of exchanges, sequences and frames. The iSCSI protocol uses TCP/IP with an overlay of iSCSI Protocol Data Units (PDUs) to implement SCSI commands and data framing.
Fibre Channel SANs
A Fibre Channel fabric has link-level credit-based flow control, making it essentially lossless in the absence of equipment failure. Link speeds are 1/2/4 Gbps, with 8 Gbps on the horizon. Fibre Channel host bus adaptors (HBAs) are FC protocol offload engines that handle most of the exchange management and all of the frame transmission or other low-level protocol work. Frame forwarding is based on an equal-cost multipath link state protocol, Fabric Shortest Path First (FSPF). Switch implementations do not reorder frames unless a failure occurs. The set of FC fabric services is distributed throughout the switches in the fabric.
iSCSI SANs
An iSCSI SAN can be based upon any network supporting the IP protocols. In practice, this means iSCSI SANs are built from Ethernet switches. Because iSCSI is based upon TCP/IP, it can in principle run on any switching infrastructure. In practice, depending upon the features of the Ethernet switches, the performance characteristics of TCP/IP with regard to dropped frames can limit iSCSI deployments to low performance SANs. In addition, most iSCSI deployments presently only use 1 Gbps Ethernet with software drivers, and the resulting performance does not compare favorably to FC at 2 or 4 Gbps with an offload HBA. However, iSCSI SANs can be considerably less expensive than FC SANs. The Internet Storage Name Service (iSNS) server provides all fabric services in an iSCSI SAN.
Where iSCSI-based SANs are desirable, Juniper Networks switches and core routers are excellent platforms for creating the underlying network because they support symmetric flow control using 802.3X pause frames, RED (random early detection), QoS and logical partitioning. Discards due to RED only occur in congested environments, and most SANs are designed to avoid all but transient congestion. Quality of Service allows traffic priority to be set so that storage traffic can have improved throughput and delivery characteristics during congestion. Logical partitioning allows the networking equipment that implements the SANs to be tailored to fit the needs of the specific data center and its applications.
Storage Area Networks are often linked to remote data centers so that data can be replicated as part of a BC/DR (Business Continuity/Disaster Recovery) design. The inter-data center connections can run across direct optical repeater circuits such as dense wavelength-division multiplexing (DWDM), private IP-based WAN connections or the Internet.
Fibre Channel traffic uses DWDM for metro-to-regional distances and uses specialized Fibre Channel over IP (FCIP) tunnel gateways for regional to longer distances. Using DWDM requires FC switches with FC credits sufficient to span the distance at the desired throughput. Fibre Channel over IP gateways provide complete WAN acceleration services such as compression, large buffering, security, encapsulation and tunneling for FC traffic.
The iSCSI traffic can directly traverse the WAN connection without requiring a gateway, but iSCSI implementations do not generally provide sufficient buffering to fully utilize high-speed connections. The iSCSI implementations do not contain compression or other WAN optimization features. Therefore, iSCSI WAN traffic can often benefit from a WAN acceleration device such as the WX application acceleration platforms. The iSCSI traffic also can benefit from a data security gateway providing IPSec and VPN tunnels.
Data Center Backbone
In considering the scale of processing performed at data centers and the requirements for regulatory compliance, the data center backbone is a key component in the architecture and design, primarily for disaster recovery reasons. As such, the data center backbone supports a variety of computational services such as data mirroring to ensure that accurate data is represented at multiple data centers. The functions that rely on a high-performance data center backbone include the following:
Data replication that supports application clustering and compliance
Data backup and restore services
The reach to a variety of location-specific services using fast and secure connectivity across data centers to support service-oriented architecture applications
Legacy clustering technology support that requires L2 connectivity (see Figure 11)
Figure 11: Data Center Backbone Connectivity
(Figure 11 shows Data Center A and Data Center B, each with core routers (MX-series or EX8200 series) and M-series devices providing backbone connectivity, joined over Ethernet cross-connects by point-to-point connections and a private WAN.)
Different from any other WAN interconnect, the data center backbone must offer high-speed connectivity, especially because of the real-time and consistent representations of data that need to be available across multiple data centers at any given time. In many cases, high volumes of data are exchanged between the data centers to accommodate mirroring, replication and backup operations.
The Juniper Networks data center network architecture defines a few key technical elements as enablers for the data center backbone that network architects can leverage to satisfy the requirements of their enterprise. The first element is the connectivity links, encompassing high-speed data connectivity between data centers (typically using fiber-based high-speed transport). The second element is the interconnect protocol, on top of the interconnecting link, that supports the separation of traffic types for QoS and security reasons. These services can be obtained most effectively through MPLS technologies. In addition to the interconnect elements, there are the availability protocols that extend the data presence beyond a single physical location. To achieve this, an L3-based reachability or routing protocol peering exchange with Internet routers can be used to create resilient connectivity at the IP level. Additionally, employing an L7 DNS as a global server load balancing mechanism provides resilience at the service level.
Interconnectivity between data centers can be implemented using MPLS or VPLS as routing and forwarding technologies. This allows distinct IP routing information to be shared across data centers, and forwarding can be performed based on the unique, per-domain logic exchanged across the data center facilities. Multiprotocol Label Switching technologies allow for the exchange of the forwarding and routing information base to achieve consistent forwarding across all networks that interconnect using MPLS. In addition to MPLS, L2 extensions and technologies can be used so that non-IP or broadcast domain dependent/attached protocols can be connected as part of a single network. For such applications, pseudowires, data link switching (DLSw) and VPLS technologies should be used with the MPLS implementation.
Ensuring that the service is globally available and is enabled by the network services tier is a task that extends beyond the network forwarding layer. The key premise is that applications and users connect and associate themselves to name conventions other than IP (HTT