a5a05937692d780998221e761a0522ea.ppt
- Number of slides: 59
THE SOLUTION FOR DISTRIBUTED ENTERPRISE SERVICES WITHOUT BOUNDARIES
May 2009
Presentation for Technical Decision Makers
Copyright © 2009 Juniper Networks, Inc. | www.juniper.net

Agenda
1. What’s Happening and Juniper’s Vision
2. Distributed Enterprise Reference Architecture
3. Consistent Functionality Across All Locations
4. HA, AdTM, and UC Solution Use Cases
5. Juniper Advantages – Competitive Analysis

What’s happening to the enterprise
Enterprises are more distributed than ever before
§ 62% – increasing the amount of branch offices
§ 89% – support virtual workers
§ 30% – workers are virtual
§ Top applications for distributed workers – Telephony, email and access to business applications
Source: Nemertes 8/08

Trends with the distributed enterprise
What is the problem?
[Diagram labels: Locations, Users, Devices, Applications; Corporate Office, Remote Office, Home Office, Branch Office, Data Center, ATM, Retail, Government, Manufacture, Kiosk, Bank; Employees, Customers, Guest, Partners, Vendors, Suppliers, Contractors, Off-shore, Outsourced; SOA, Web 2.0, SaaS]
Supporting more applications, more devices and more locations for more users and diverse audiences… with decreasing IT budgets.

Juniper’s distributed enterprise vision
IT SERVICES WITHOUT BOUNDARIES
§ Connect – Switching, Routing and Application Acceleration for delivering converged applications
§ Secure – Enterprise-wide access control, Adaptive Threat Management and integrated multi-function products
§ Manage – Consistent functionality, centralized administration and proactive services
[Diagram labels: Client Satisfaction, Lower TCO, User Productivity, Customer Retention]

Typical solution element placements
[Diagram: categories Routing & Switching, Security, Management; products shown: SRX Series, EX Series, IC Series, NSM Express, STRM Series, FW/VPN, IDP Series, WX/WXC, MX Series, J Series]

Enterprise network reference architecture
[Diagram labels. Services and applications: Virtual Desktops, LAN Access Control, Unified Comms, SaaS, Collaboration, SOA, Server Virtualization, Network Administration Interface. Users: Employee, Guest, Partner, Customer. Locations and networks: HQ/Campus, Branch, Remote, Datacenter, Enterprise own Core, Private WAN (Managed Service), Public WAN (Internet), Hosted / Mgd Svc WAN. Servers: Web Server, Access Server, Intranet Server, Finance Server, Video Server. Products: SRX Series, SRX 3000 Line, SRX 5000 Line, MX Series, M Series, EX Series, EX 4200, EX 8200, IC Series, SA Series, IDP Series, WX Series / WXC Series. Color code legend: Managed/Hosted Datacenter, Enterprise Loc.]

Enterprise connectivity – 1,000 mile view
[Diagram labels: Headquarter / Campus, Branch Office, Remote Office, SOHO Office, NOC, Datacenters, Datacenter, Managed/Hosted Datacenter, Enterprise own Core, Public WAN (Internet), Private WAN (Managed Services), 3G wireless]

Enterprise connectivity with key components
[Diagram. Locations and networks: HQ/Campus, Branch Office, Remote Office, SOHO Office, NOC, Datacenters, Datacenter, Managed/Hosted Datacenter, Enterprise own Core, Public WAN (Internet), Private WAN (Managed Services), 3G wireless. Products shown: IC Series, SA Series, WX Series / WXC Series, NSM Express, STRM Series, EX Series, EX 2200/3200, EX 4200, EX 4200 VC, EX 8200, SRX Series, SRX 3000 Line, SRX 5000 Line, MX Series, M Series]

Services without boundaries
Consistent functionality and high performance across all locations
§ Scaling based on User Size and Survivability
§ Integrated and scalable connectivity, Security, and Management
[Chart labels: Redundancy, Integration, Size (1, 5, 50, 500, >1000); locations shown: HQ/Campus, Branch Office, Remote Office, SOHO, Mobile Worker]

Branch office architecture – small office home office (SOHO)
CONNECTIVITY
§ Integrated Secure Router – FW, VPN
§ PoE and PSTN interfaces
§ Standard-based Group Encryption VPN
§ Integrated 3G Wireless Connection
§ WAN interfaces and QoS Support
§ IPSec Tunnels to DC with Tunnel HA
§ OSPF, BGP and RIP v1/v2 Routing
§ Network Segmentation
§ WAN Acceleration
SECURITY
§ Adaptive Threat Management
§ Full UAC IE Support L4 Policy
§ IPSec VPN secure VoIP traffic
§ Stateful FW to mitigate threats at source
§ Full UTM features, Anti-Virus, IDP
§ Personal Firewall – Odyssey Access Client (OAC)
MANAGEMENT
§ NSM, STRM, J-Web and CLI Management
§ One box Convenience
§ JUNOS Software
[Diagram: location and WAN labels (Headquarter / Campus, Branch Office, Remote Office, SOHO Office, NOC, Datacenters, Data Center, Managed/Hosted Datacenter, Enterprise own Core, Public WAN (Internet), Private WAN (Managed Services), 3G wireless, PSTN); devices shown: SRX Series, NSM Express, STRM, WX Series Client]

Branch office architecture – remote office
CONNECTIVITY
§ Local switch with integrated PoE
§ Granular QoS, 802.1p/DSCP/Phone Marking
§ Standard-based Group Encryption VPN
§ Voice VLAN and 802.1p for auto-sense VoIP Phone or PC attached to phone
§ Integrated 3G or commodity Internet backup
§ IPSec Tunnels to DC with Tunnel HA with Split Tunneling capability
§ WAN Acceleration
SECURITY
§ Adaptive Threat Management
§ Full UAC IE Support L4 Policy
§ UAC Agent with 802.1X supplicant
§ Full UTM features, Anti-Virus & IDP
§ Personal Firewall – Odyssey Access Client (OAC)
MANAGEMENT
§ NSM, STRM, J-Web and CLI mgmt
§ JUNOS Software
§ Unified Open Management
[Diagram: location and WAN labels (Headquarter / Campus, Branch Office, Remote Office, SOHO Office, NOC, Datacenters, Data Center, Managed/Hosted Datacenter, Enterprise own Core, Public WAN (Internet), Private WAN (Managed Services), 3G wireless, PSTN); devices shown: SRX, EX 2200/EX 3200, Access Point, PoE, Local Printer, NSM Express, STRM, WX Client]

Branch office architecture – medium to large branch office
CONNECTIVITY
§ Virtual Chassis technology
§ Full local switch with up to 10 x 48 PoE Ports
§ Redundant Power Supply
§ Standard-based Group Encryption VPN
SECURITY
§ Adaptive Threat Management for malicious web-conferencing, file-sharing between OCS clients
§ Full UTM features, Anti-Virus & IDP
§ Full UAC IE Support L4 Policy
§ UAC Agent with 802.1X supplicant
§ Personal Firewall – Odyssey Access Client (OAC)
MANAGEMENT
§ NSM, STRM, J-Web and CLI mgmt
§ JUNOS Software
§ Unified Open Management
[Diagram: location and WAN labels (Headquarter / Campus, Branch Office, Remote Office, SOHO Office, NOC, Datacenters, Data Center, Managed/Hosted Datacenter, Enterprise own Core, Public WAN (Internet), Private WAN (Managed Services), Internet, 3G wireless, PSTN); devices shown: SRX, EX 4200 Virtual Chassis, Access Point, PoE, Local Printer, NSM Express, STRM, WX Client]

Branch office architecture – branch office with WXC Series capabilities
CONNECTIVITY
§ MPLS L2/L3 Tunnels to DC
§ Integrated WX Module Card in J Series
§ Integrated 3G wireless
§ End-to-end QoS including CoS, cRTP, LFI for xDSL
§ Integrated Avaya VoIP GW with PSTN interfaces
§ VoIP phone and terminal auto-sense
SECURITY
§ Adaptive Threat Management for malicious web-conferencing, file-sharing between OCS clients
§ IPS, UAC & UTM
§ Full UAC IE Support as 802.1X Enforcer
§ Personal Firewall
MANAGEMENT
§ NSM, STRM, J-Web & CLI Mgmt
§ JUNOS Software
§ Integrated Security/VPN/WX & VoIP services
[Diagram: location and WAN labels (Headquarter / Campus, Branch Office, Remote Office, SOHO Office, NOC, Datacenters, Data Center, Managed/Hosted Datacenter, Enterprise own Core, Public WAN (Internet), Private WAN (Managed Services), Internet, 3G wireless, PSTN); devices shown: J Series, WXC, SRX, Virtual Chassis, Avaya, Access Point, PoE, Local Printer, NSM Express, STRM, WX Client]

HQ/Campus architecture – 2 tier
CONNECTIVITY
§ Access Switches with Virtual Chassis
§ LLDP-MED for Auto Phone Detection
§ L3 to the Edge or L2 STP/RTP
§ GbE uplinks & 10 GbE Upgradable
§ GVRP auto VLAN pruning
§ Local WAN Acceleration
SECURITY
§ Adaptive Threat Mgmt
§ Full UAC supplicant
§ Standalone IDP
§ Web-Filtering, Anti-Virus, Anti-Spam
§ ALG for VoIP security
MANAGEMENT
§ NSM, STRM, J-Web & CLI Mgmt
§ Unified Open Mgmt
[Diagram: tiers Core Tier and Access Tier across Building 1 and Building 2; location and WAN labels (Headquarter / Campus, Branch Office, Remote Office, SOHO Office, NOC, Datacenters, Data Center, Managed/Hosted Datacenter, Enterprise own Core, Public WAN (Internet), Private WAN (Managed Services), Internet, 3G wireless); devices shown: EX 4200, EX 4200 Virtual Chassis, EX 8200 or MX Series, M Series, SRX, SRX 3000, SA Series, IDP, WX, Intranet Controller, NSM Express, STRM, Access Point, PoE, Local Printer, Local Servers]

Distributed switch architecture for multi-building campus
§ GbE/10 GbE VC ring deployed in a campus or within a building
§ Utilize the same MM fiber
§ One-switch LAN
§ 1 to manage
§ 1 to upgrade
§ 1 software version
§ No L2 Loop/No STP required
§ High Availability
§ Redundant Pwr/Cooling
§ Redundant Switch Fabric
§ Sub-second Convergence in case of device/link failure
§ Integrated Access Security
§ Integrated QoS for Voice/Video/Data
One Virtual Chassis to Manage for the entire campus
[Diagram: Deployment example; labels: Admin Bldg 1, Lab Bldg 2, Classroom Bldg 3, Classroom Bldg 4, Recreation Bldg 5, EX 4200 Virtual Chassis, GbE/10 GbE VCP, 1 GbE uplink, MX Series, WAN]

Typical campus 3 tier LAN connectivity
LAN Access
§ Oversubscription common
§ PoE
§ Layer 2/3
§ NAC/UAC
§ Access Security
§ Auto detect/config
§ QoS boundary
LAN Aggregation/Core
§ No Oversubscription
§ Redundant power/cooling
§ Redundant Control Plane & fabric
§ Layer 3
§ QoS enforcement
§ Collapsed or 2-tier
§ MX* - for Advanced routing features such as MPLS/VPLS, low latency multicast, etc.
[Diagram labels: VoIP, 10/1000 BASE-T, GbE LAG, 10 GbE, EX 4200 Virtual Chassis, EX 4200, EX 8200, MX Series, M Series, ISG/IDP, SBR, STRM 500, IC Series, NSM Xpress, HQ DC, Remote DC(s), WAN]

Distributed enterprise architecture – HQ/campus (2-tier) and DC co-located
[Diagram. Legend: Connectivity, Security, Management. Locations: Branch Office, Remote Office, SOHO, Campus (Building 1 to Building N), Data Center. Tiers: Access Tier, Core/Aggregation Tier. Networks: Private WAN (MPLS, ATM), Enterprise Own Core, Internet, PSTN. Endpoints and servers: Access Point, Local Printer, Local Server, Local Servers, Security Camera, Communications Mgr, OCS and Servers, Media, PoE. Products: EX 2200/3200, EX 4200, EX 4200-24F, EX 4200 Series, EX 8200 or MX Series, Virtual Chassis, SRX, SRX 3000, SRX 5800, M Series, WX Series / WXC Series, ISG/IDP, IC Series, SA Series, NSM, STRM]

Distributed enterprise architecture – HQ/campus (3-tier) and DC separated
[Diagram. Legend: Connectivity, Security, Management. Locations: Branch Office, Remote Office, SOHO, Campus (Building 1 to Building N), Data Center, DMZ Zone. Tiers: Access Tier, Aggregation, Core/Aggregation Tier, Core Tier. Networks: Private WAN (MPLS, ATM), Internet, PSTN, VLAN Trunk. Endpoints and servers: Access Point, Local Printer, Local Server, Local Servers, Security Camera, Communications Mgr, OCS and Servers, Media, PoE. Products: EX 2200 / EX 3200, EX 4200, EX 4200-24F, EX 4200 Line, EX 8200, EX 8200 or MX Series, Virtual Chassis, SRX, SRX 3000, SRX 5800, M Series, WX/WXC, WX Series / WXC Series, IDP, ISG/IDP, IC Series, Intranet Controller, SA Series, NSMCM, STRM]

HA use case 1 – internet backhaul only
Products: SRX 210, M Series, ISG/SRX, MX Series, Virtual Chassis
1. All traffic sent from the branch office passes through WAN to DC in IPSec tunnel
2. The Internet traffic is back-hauled into DC and then flows to Internet from DC
3. IPSec tunnel that connects branch and DC can be on top of a leased line, or MPLS L3 or L2 VPN
4. This SOHO office or retail store profile only has an Internet or managed services link to increase revenue
5. This use case primarily applies to branches where saving costs is paramount
[Diagram labels: SOHO, Branch Office, HQ/Campus, NOC, Data Center, WAN, Internet; SRX, SRX Series, EX 4200 Virtual Chassis, M Series, NSM Series, STRM Series, ISG Series, SA Series, IDP Series, IC Series]

HA use case 2 – internet as backup
Products: SRX Series, EX Series, SRX 210, M Series, ISG/SRX, MX Series, Virtual Chassis
1. Traffic from branch office takes the primary route to DC through P-WAN over IPSec VPN Tunnel
2. Internet traffic to DC goes through primary route and then flows to Internet from DC
3. IPSec tunnels that connect branch and DC primarily on leased line or MPLS VPN
4. Secondary goes through Internet over IPSec to DC
5. Security in ISDN or xDSL with integrated VPN and routing capabilities
6. Most relevant use case where cost effectiveness and security are both critical
[Diagram labels: SOHO, Branch Office, HQ/Campus, NOC, Data Center, WAN, Internet; SRX Series, EX 4200 Virtual Chassis, M Series, NSM Series, STRM Series, ISG Series, SA Series, IDP Series, IC Series]

HA use case 3 – internet and PTP split tunnel
Products: EX 4200, EX 8200, SRX, M Series, ISG/SRX, MX Series, Virtual Chassis
1. Traffic from distributed HQ / campus to DC through primary route PWAN over IPSec
2. Internet traffic in this case is backhauled via DC to Internet
3. Traffic to DC through secondary route Internet over IPSec
4. Internet traffic flows directly to the Internet
5. IPSec tunnels that connect branch and DC primarily on DS3 or MPLS L2/L3 VPN, secondary on T1 etc.
6. Most comprehensive scenario where best-in-class security and connectivity are required
[Diagram labels: SOHO, Branch Office, HQ/Campus, NOC, Data Center, WAN, Internet; SRX Series, EX 4200 Virtual Chassis, M Series, NSM Series, STRM Series, ISG Series, SA Series, IDP Series, IC Series]

AdTM use case 1 – adaptive protection for insider threat (Branch user)
Products: UAC, IDP, EX 4200, SRX, M Series, SRX, STRM, NSM
1. Employee at branch logs in and logs into the IC
2. Employee launches attack on the FTP server
3. IDP in DC detects and signals the IC
4. IC changes the access policy on the branch
5. Policy is applied at branch office
6. User is contacted for remediation
Benefits
§ Real-time, enterprise-wide threat mitigation
§ Proactively quarantines malicious user or host
§ Adaptive protection from Day Zero attacks
§ Streamlines compliance
Infranet Enforcers: SRX (L3 enforcement) or EX (L2 enforcement) switches
[Diagram labels: Remote User, Branch Office, HQ/Campus, NOC, Data Center, Internet; on-screen message "Your computer has been quarantined…"; IC Series, Infranet Controller, SRX Series, SRX 5000 Line, SRX (L3) / EX (L2), EX 4200 Series, M Series, ISG Series, SA Series, IDP Series, NSM Express, STRM Series]

AdTM use case 2 – adaptive protection for insider threat (Campus user)
Products: UAC, IDP, EX 4200, SRX/SSG, SRX, M Series, SRX, STRM, and NSM
1. Campus User connects through IC in campus
2. Attack is launched
3. IDP detects attack
4. IDP communicates to IC & STRM
5. User is quarantined
6. STRM reports attack
Benefits
§ Real-time, enterprise-wide threat mitigation
§ Proactively quarantines malicious user or host
§ Adaptive protection from Day Zero attacks
§ Streamlines compliance
Infranet Enforcers: SRX 3000 or EX Series
[Diagram labels: Remote User, Branch Office, HQ/Campus, NOC, Data Center, Internet; on-screen message "Your computer has been quarantined…"; IC Series, Infranet Controller, SRX Series, SRX 5000 Line, EX 4200 Series, M Series, ISG Series, SA Series, IDP Series, NSM Express, STRM Series]

AdTM use case guest access/insider threat protection
§ Ensure only the "right" people can access your network, and your sensitive applications and data
– Verify the identity and role of individuals before allowing them to access your network, applications, and data
§ Limit guest user access
– For example, establish that guest users may only access the Internet
§ Prevent infected devices from accessing and contaminating your network
§ Detect anomalous or malicious network behavior on your network and take fast, explicit action against these threats – before they propagate
§ STRM – Log and report on who is accessing specific applications, and when
§ NSM – Manage the entire solution via NSM

Dynamic threat management – leverage IDP for dynamic user quarantine
§ IDP can identify network threats and signal IC
§ IC can narrow threat to specific user or device
§ IC then executes a configurable policy action
– Quarantine user or device by VLAN
– Change roles to deny access
– Terminate user session
– Disable user session until re-enabled by administrator
– Log only
§ Ties access control to actual traffic in addition to user identity and endpoint integrity

Juniper UTM in the distributed enterprise
• Secure against Internet threats (inbound)
• Secure the Internet against threats in the branch (outbound)
• Secure the enterprise WAN/VPN from the branch (outbound and inbound)
[Diagram labels: Enterprise Branch, Internet, Head-End, Head-End Data Center, Enterprise HQ. Two feature lists are shown: (Anti-Virus, Web Filtering/Web Security, Intrusion Detection & Prevention, Content Filtering) and (Anti-Virus, Web Filtering/Web Security, Intrusion Detection & Prevention, Content Filtering, Anti-Spam)]

UTM on JUNOS
§ Anti-Virus – Kaspersky
• Protect against viruses in email (SMTP, POP, IMAP protocols), webmail (HTTP) and FTP traffic
• Integrated AV engines and virus signature databases – updated periodically, available via AV subscription license
• Express AV (SRX only, not J Series) – packet-based, high speed AV solution (HW acceleration) – NEW
• Full AV – file-based, high detection AV solution
§ Web Filtering – Websense / SurfControl
• Control (allow/deny) access to websites based on URL category
• Off-box (in-the-cloud or on-premise) URL servers/databases
• Integrated WF – hosted 40-category SurfControl solution, available via WF subscription
• Redirect WF – on-premise Websense solution with web security; purchase direct from Websense

UTM on JUNOS (cont...)
§ Anti-Spam – Symantec
• Stop email spam based on IP address / reputation of sender
• Off-box spam blacklist database – Symantec SBL / RBL (Spam / Real-time Block List) – that is available via AS subscription license
§ Content Filtering – NEW
• Provides basic DLP (Data Loss Prevention) functionality – filters traffic based on file/MIME type, file extension and protocol commands; keyword matching expected in the future
§ Intrusion Detection and Prevention (IDP)
• Fully integrated, comprehensive signature and anomaly-based solution that matches stand-alone IDP solution
• Hardware scanning and acceleration (SRX only, not J Series)
• Service is available via IDP subscription license

Unified communications enablement in the distributed enterprise
Products: Microsoft OCS 2007, IP Phones, SRX 210, UAC, IDP, M Series, EX 4200/EX 8200, J Series, MX Series
1. PoE for VoIP Phones
2. End to End QoS
3. cRTP, LFI for RTP voice packets
4. Security for VoIP applications
5. JUNOS software
[Diagram labels: Remote User, Branch Office, HQ/Campus, Data Center, Internet, PSTN, VoIP, Media, Microsoft OCS and Other Servers; WX Series / WXC Series, WX/WXC, SRX 3000, SRX 210, EX 2200/3200, EX Series, EX 4200, M Series, ISG Series, IDP Series, SA Series, IC Series]

Key functions and components for UC enablement
UC Functions
§ Connectivity – branch, data center and Campus LAN
§ WAN Access – MPLS/VPLS for end to end QoS
§ Network Access Control (PCs, IP Phones etc.)
§ Firewall/VPN Security for UC
§ SSL/VPN for Remote/Mobile user access to voice/video communications
Convergence Components
§ EX Series (PoE and Enforcer)
§ MX Series (MPLS, QoS, HA)
§ M Series (QoS, HA)
§ J Series (cRTP, QoS, LFI)
§ ISG and NS Firewalls/VPN, SSG, IDP, SSL, IC

UC use cases with Microsoft OCS
Use Cases and their Components
§ Auto-sense Configuration
– EX 2200/3200/4200 (Full or Partial PoE ports)
§ End-to-End QoS
– EX-2200/3200/4200 (QoS)
– J Series (cRTP, QoS, LFI)
– MX (QoS, MPLS Traffic Engineering)
– M Series (QoS)
§ VoIP Security
– IPSec/FW, VLAN for voice
§ Deep Inspection with IDP
– IDP, SSG, SRX

Use case: WAN acceleration deployment with WX/WXC in the distributed enterprise
[Diagram labels: Branch Office, Data Center, Mobile Employees, Remote Partners and Contractors, Intranet/Extranet, Internet; SRX Series, J Series, WXC, WX Series, WX Series CMS, SA Series, WX Client]

Juniper distributed enterprise value proposition
IT Services without boundaries at lower TCO
[Diagram labels: Connect, Secure, Manage, Lower TCO, NEW]
Comprehensive Portfolio: Virtual Chassis, SRX Series, EX 8200 Series, WX Series / WXC Series, ISG/IDP, IC Series, NSMXpress, STRM Series, SSL VPN, MX Series

Distributed ROI highlights to be used…
Connect
• 44% savings from optimized network design (VC, DS)
• 30% savings by offering Layer 3 in base licenses
• 38x improvement in per hop latency
• 27% reduction in network downtime (Forrester report)
• 41% increase in network stability/reliability (Forrester report)
Secure
• 7x flow sources accepted (STRM)
• 2x+ devices supported (STRM)
• 80% data reduction of logs (STRM)
• 4x anomaly detection accuracy (STRM)
• 3x application awareness (STRM)
• 3x forensics (STRM)
• 3x reporting capabilities (STRM)
Manage
• 41% savings with JUNOS (Forrester report)
• 40% decrease in time to resolution (Forrester report)
• 25% reduction in cost to deploy (Forrester report)

Using highlights on previous slide – savings
Typical Configuration
§ One Headquarters, 1800 users
§ Three regional offices, 500 users each
§ Seven district offices, 100 users each
§ Fifty small offices of 10 users
Item | Juniper Solution | Cisco Solution | Savings $$
Total List Price | $2.35M | $3.62M | Up to 35% CAPEX
Maintenance and Support Costs | $53.7k | $105.4k | Up to 49% Support
Operating Systems (time to manage) | JUNOS | IOS | Up to 25% OPEX
Juniper Solution: EX Series Switches, UAC, NSM, STRM, AIS, JUNOS
Cisco Solution: Catalyst Switches, ISR, NAC, CSM, SCH, IOS
Source: Publicly available data sheets, price lists, Lake Partner study

JUNOS simplifies distributed enterprise network
Services without Boundaries – Connect, Secure, Manage
[Comparison table; the cell layout did not survive extraction. Column labels: Switch, Router, L2 Switch, Security, Management]
First block
§ Product: Catalyst, ASR, ISR / 7200, ASA 55xx, FWSM / VPNSM, IPS, CW, CSM, DM, MC
§ OS: IOS-SX, IOS-mainline, IOS-XE, CAT-OS, PIX-OS 8.x, PIX-OS 7.x, Linux
§ Management notes: Manage IOS Devices; Manage CatOS, IPS
§ Number of Release Trains: Too many, inconsistent
Second block
§ Product: EX Series, MX / M Series, SRX, NSM / STRM
§ OS: JUNOS
§ Management note: Manage All Elements
§ Number of Release Trains: 1

Branch competitive analysis – Juniper vs. Cisco
Juniper’s Advantages
§ Integrated Functionality
– Fewer devices, Simplified deployment
– Virtual Chassis in the large branch
§ Unified network management and monitoring
– Fewer OS to learn/maintain
– UTM features managed with NSM/STRM
– Network topology and provisioning support
§ Lower TCO
§ JUNOS: Single OS, Highly reliable
§ UC Competitive:
– Freedom of Choice
– Support for 8 QoS queues on EX 3200/4200 versus 4 in Catalyst 3560E
– Support standard power over full clustering on all PoE ports concurrently
– PoE support on all model including T-model
– Redundant Power supply in EX switch for PoE
Juniper Network Management (NSM and STRM)
Cisco Network Management (CiscoWorks IPS MC + CatOS DM + CSM Suite + MARS + separate UTM TrendMicro AV server)
– Many disparate pieces to manage branches
Juniper Small Branch: SRX branch service gateway (Integrated FW/VPN services with Full IPS capability)
Cisco Small Branch: ASA or FW software + ISR + VPN Module + IPS Module
Juniper Remote Office: J Series/SRX + EX 4200 Virtual Chassis
Cisco Remote Site: ASA + ISR + VPN Module + IPS Module + Catalyst switches
[Diagram labels: NOC, Data Center, NSM Express, STRM, SRX Series, EX Series]

Campus competitive analysis – Juniper vs. Cisco
Juniper Campus solution: SRX + M Series + EX 8200 + EX 4200 Virtual Chassis
Cisco Campus: ASA + 7200 + Catalyst core + aggregation + access switches + FW module + VPN module + IPS module
Juniper Advantage:
§ Simplified Campus Core
– Fewer Devices with higher performance
§ Simplified Operation
– JUNOS: Single OS, Highly reliable
– Unified Management
§ High Performance Services
– Enablement of Services without performance degradation
– Lower latency
– Robust features
§ Lower TCO
Juniper Small Branch: SRX service gateway (Integrated FW/VPN services with Full IPS capability)
Cisco Small Branch: ASA or FW software + ISR + VPN Module + IPS Module
Juniper Remote Office: SRX + EX 4200 Virtual Chassis
Cisco Remote Site: ASA + ISR + VPN Module + IPS Module + Catalyst switches
[Diagram labels: DMZ, Access, Core/Aggregation, Local Servers, PoE, Virtual Chassis, SRX 3000, SRX Series, M Series, EX Series, EX 8200 or MX Series]

One box convenience – more functionality in a box
[Diagram: functions shown: FW, VPN, IPS, AV, Anti Spam, Spy, Web Filter, WAN, NAC L3, NAC L2, 802.1x, WiFi 802.11abg. Device labels: SRX; ASA, ASA, ISR. Cost labels: less CAPEX $, less OPEX $/mo; more CAPEX $, more OPEX $/mo]

Competitive comparison: EX 4200 vs. Cisco Catalyst 3750 / 3750E
Feature | EX 4200 VC | Cat 3750 stackable | Cat 3750E stackable
Backplane capacity | 128 Gbps | 32 Gbps | 64 Gbps*
Other rows (the per-cell support marks did not survive extraction):
§ Virtual Chassis extension (via 10 GbE)
§ Dedicated Master & Standby Route Engine
§ Graceful Route Engine Switchover (GRES)
§ Non-stop routing (NSR)
§ In-service software upgrade (ISSU)
§ Field-swappable PSU
§ Redundant & hot-swappable internal PSUs
§ Field-serviceable fan tray w/ redundant fans
§ MPLS & GRE tunnel PFE hardware support
§ LCD device management interface
Surviving cell text and legend: "** Uses chassis module config & numbering"; "= Roadmap"
* Combined stack of 3750 and 3750E reduces bandwidth to 32 Gbps
** Master and Backup RE on Cat 3750E syncs only MAC and IP addresses and NOT L2/L3 protocols database as well as states

Juniper EX 8200 vs. Cisco Cat 6500
Features / Products | EX 8208 | Cat 6509
Switching Capacity | 6.2 Tbps | 720 Gbps
I/O slots with redundant RE / SF | 8 | 7
Max PPS throughput per System | 952 Mpps | 450 Mpps ($$$, requires DFC 3)
Maximum throughput per line card | 120 Mpps | 60 Mpps ($$$ requires DFC 3)
64 bytes throughput per line card | 120 Mpps | 44 Mpps ($$$ requires DFC 3)
10 GbE ports wire rate per system | 64 | 32
10 GbE ports wire rate per slot | 8 | 4
GbE ports wire rate per system | 384 | 284
GbE Line Rate ports / slot | 48 | 40
GbE Oversubscribed ports / slot | N/A | 48

Juniper EX 8200 vs. Cisco Cat 6500
Features / Products | EX 8208 | Cat 6509
MAC addresses | 256K | 96K
VLANs | 4K | 4K
IPv4 unicast routes | 512K | 1M
IPv4 multicast routes | 16K | 256K
Link Aggregation Groups | 255 | 128
Max member ports per LAG | 12 | 8
Number of queues per port | 8 | 1 to 8 depending on the line card

Juniper MX 960 vs. Cisco 7600 Services Router
System Capacity | MX 960 (12 slots) | Cisco 7600 (9 slots)
Total fabric capacity | 960 Gbps (480 full duplex) | 720 Gbps (360 full duplex) (280 Gbps useable full duplex)
Redundant fabric capacity | 960 Gbps (480 full duplex) | 720 Gbps (360 full duplex)
Maximum packets/second throughput per system | 720 Mpps | 400 Mpps (with DFC 3)
10 GbE packets/second IPv4 / IPv6 | 720 Mpps / 720 Mpps | 400 Mpps / 200 Mpps (with distributed forwarding card 3)
Line Card Capacity | MX 960 (12 slots) | Cisco 7600 (9 slots)
Fabric data-rate/slot | 40 Gbps | 32 Gbps (40 Gbps advertized)
I/O slots with redundant RE/SF | 12 (11 with redundant SF) | 7 (With Redundant SF)
10 GbE packets/second IPv4 | 60 Mpps | 44 Mpps
10 GbE packets/second IPv6 | 60 Mpps | 22 Mpps
Line rate for all packet sizes | Yes | No

Juniper MX 960 vs. Cisco 7600 – continued
Features / Products | MX 960 (12 slots) | Cisco 7600 (9 Slots)
MAC address | 1 million | 96K
VLANs | 4K/interface & 64K/system | 4K
IPv4 unicast/multicast routes | 1 mil/286K | 1 mil/256K (with 3BXL)
Security ACLs | 250K+ | 32K (2K for extended ACL)
MPLS | Yes | Yes
Number of LAGs supported | 480 | 128
Maximum member ports/LAG | 16 | 8
Number of 802.1s instances | 200 | 65
Hardware queues per port | 8/16K | 1 to 8, depending on line card
Rate limiting/policing | 256K (1 mil future) | Yes, both directions
Power per GbE/10 GbE | 115 watts/10 GbE (75 watts/10 GbE actual) | 260 – 860 Watts/10 GbE (H/W configuration dependent)
GRES/hitless forwarding | Yes (for all supported L2/L3 protocols & services) | Hitless L2/3 forwarding during management module failover
NSR | Yes (for all protocols) | No support
ISSU | Yes, based on NSR | Yes with NSF, no with NSR
BFD | Yes | Yes

Virtual Chassis technology cost benefits
✓ Campus Wiring Closet
✓ 144 10/1000 ports
✓ All ports Class 3 PoE capable
✓ 4 1000Base-SX uplinks
✓ Redundant power
Configuration | Catalyst 4500 | Virtual Chassis | Savings
Space Requirements | 10 Rack Units | 3 RU | 70%
Power Requirements | 876 W* | 632 W* | 28%
Cooling Requirements | 2982 BTU/hr* | 1775 BTU/hr* | 40%
Deployment Cost | $61,965 | $44,200 | 29%
Sparing Cost | $32,980 | $15,150 | 54%
* Base system power and cooling, PoE additional
Virtual Chassis technology cost benefits
✓ Campus Wiring Closet
✓ 144 10/1000 ports
✓ All ports Class 3 PoE capable
✓ 4 1000Base-SX uplinks
✓ Redundant power
Configuration | Catalyst 6500 | Virtual Chassis | Savings
Space Requirements | 12 Rack Units | 3 RU | 75%
Power Requirements | 787 W* | 632 W* | 20%
Cooling Requirements | 2688 BTU/hr* | 1775 BTU/hr* | 34%
Deployment Cost | $55,500 | $44,200 | 20%
Sparing Cost | $27,995 | $15,150 | 46%
* Base system power and cooling, PoE additional
Cisco enhanced PoE (ePoE)
§ Cisco enhanced PoE (ePoE) is proprietary
– Capable of provisioning up to 20 Watts* to the end point
– Available on Catalyst 6500, 4500 E, 3560 E, 3750 E switches
§ Major Caveats
– ePoE is a Cisco proprietary feature on Catalyst Switches
– End point must support proprietary Cisco Discovery Protocol (CDP) to draw ePoE
– Catalyst 4500 E Series premium PoE line card needed
§ Will Support ePoE with a future sw upgrade
– Catalyst 3750 E and 3560 E support ePoE on existing PoE models with a sw upgrade
§ NOT all the ports may be ePoE capable
– Future standards based PoE+ (802.3at) support on Catalyst switches requires forklift upgrade
§ Cisco proprietary ePoE not compatible with draft PoE+ standards
*Press release says 18.5 W, datasheet says 20 W
Security solutions competitive analysis – Juniper UAC vs. Cisco NAC
Juniper UAC Advantages - Open, flexible and integral
§ Features flexible enforcement
§ Enables seamless integration with existing enterprise infrastructure
§ Utilizes open specification from TNC to leverage diverse endpoint technologies
§ Offers security without compromise on performance or complexity
§ Has ability to provide admission control via 802.1X, as well as granular access control
§ Provides report and log management as a part of the UAC solution
[Diagram labels: IC Series Juniper UAC Agent Juniper EX Series Switches Juniper Intrusion Detection and Prevention Juniper Firewalls * Application Servers]
* SRX support 9.5
Juniper UAC vs. Cisco NAC – differences at a glance Feature Juniper Unified Access Control (UAC) Cisco Network Admission Control (NAC) Ease of Deployment § UAC features flexible enforcement models, including the use of any vendor’s 802.1X switches or access point, using firewalls, or both § Requires upgrade or replacement to switch and router infrastructure. The solution is very complex. The agent has to be preinstalled on all clients. Integration with existing Infrastructure § Enabled seamless integration with existing enterprise authentication infrastructure § Limited integration with only RADIUS, LDAP, AD and Kerberos. Proprietary AAA server § Utilizes open specification from the Trusted Computing Group’s Trusted Network Connect (TNC) to leverage diverse endpoint technologies § Endpoint checks are written by 3rd party vendors. They cannot be created simply by the administrator. § Security without compromise on performance or complexity § To add actual enforcement capabilities, the customer must also deploy the Cisco Security Agent (CSA), which adds further cost and complexity Quality of endpoint assessment Security Policy Enforcement § Ability to bind network based protection with endpoint § No 802.1X support for Linux. Managing Access controls on LAN § Ability to provide admission control via 802.1X, as well as very granular access control § No way to provide granular access for clients that do not have the CTA installed. Management and Reporting § Report and log management are a part of the UAC solution. § Requires a separate logging and management server. *The problem with Cisco NAC is that its implementation requires all Cisco proprietary gear and that the solution increases the overall complexity and cost of the deployment, while Juniper’s UAC is open to all vendors.
Network management competitive analysis – Juniper vs. Cisco
Juniper Advantages - Full Device and UTM support
§ NSM
§ One console manages the entire Juniper infrastructure
§ Centralized policy management
§ STRM
§ Correlates logs to show a single view for the entire network
[Diagram labels: CSM Suite Cisco IOS Cisco FWSM Cisco ASA Cisco IPS Cisco Devices IC Series NS MX Series SSL VPN SSG Series EX 4200 M Series ISG Series IDP Series EX 3200 EX 8200 Series Cisco SDM Cisco PDM Cisco ADSM Cisco Network Element Managers Cisco IPS MC Cisco ACS Server STRM CSM console Logs Cisco RME 4.04 Separate IPS Management NSM Xpress Cisco CSM 3.01 Server Cisco MARS Server Device Manager 6500/7600]
WAN acceleration competitive analysis – Juniper vs. Cisco
Juniper Advantages - Consistent, High-performance, Secure
§ Provides dedicated appliance or integrated module/software solutions
§ Solution scales without hardware replacement (simply license upgrade)
§ Solution validated by main application vendors (Oracle, SAP, Microsoft)
§ WX supports the largest number of concurrent flows => end-users
§ WX supports thousands of locations all accelerated
Juniper WX: WX/WXC Appliance/Module/Client
Cisco WAAS:
• standalone appliances that compete with Juniper WXC platforms
• ISR branch router modules that compete with Juniper ISM modules for J Series
• PC-Client solution that will compete with Juniper WX Client
[Diagram labels: Branch Office Intranet/Extranet SRX Series J Series WXC Series Internet WX Series Client WXCMS SA Series Mobile Employees Remote WX Series Data Center]
Juniper’s advantage – WX Series vs. WAAS
Juniper WX Series
§ A simple high-performance secured solution for customers
§ Gartner latest Magic Quadrant Leader addresses overall customer needs with clear vision & execution
§ Comprehensive and consistent in standalone appliances, integrated modules, and coming WX Series Client fully compatible with SSL-VPN PC-Client.
§ WAN Optimization appliances and modules run the same code and can all be centrally managed.
§ Each WXC Series appliance and module scales to different levels with a simple license upgrade that doesn’t even require a reboot.
§ Provides the highest scalability in concurrent flows and end users accelerated.
Cisco WAAS
§ Complex Solution - WAAS installation is normally a day-long task.
§ Unclear strategy/solution - Cisco doesn’t fully own its WAN Optimization solution. Its PC-Client solution is based on an OEM product (ICT).
§ New recent enhancements good on datasheet, but far from useful for customers
§ Weak scalability - Cisco doesn’t have a low-end appliance solution. Their first appliance starts at 20 Mbps.
§ Inconsistent capacity - while the Cisco appliances appear to have high bandwidth capacity numbers, capacity is inconsistent and the corresponding TCP flow capabilities are very low.
THANK YOU
Faster solution – high performance core/access
[Chart: Juniper vs. Cisco Latency (Microsecond)]
§ Objective: Compare campus LAN solution between Juniper (EX Series) and Cisco (Catalyst series)
§ Finding: Juniper EX Series solution is clearly faster than Cisco in every aspect
– Juniper EX Series solution is 70% faster at MTU 1518 bytes than competing Cisco Catalysts with the CEF (Cisco Express Forwarding) feature turned on.
§ Conclusion:
– Juniper EX 8200 / EX 4200 solution has much lower latency, which provides better performance for real-time applications such as voice and video services and also helps reduce TCP timeouts.