Cloud-ready Datacenter Reference Architecture
7/29/2019 Cloud-ready Datacenter Reference Architecture
1/37
REFERENCE ARCHITECTURE
Copyright 2011, Juniper Networks, Inc.
CLOUD-READY DATA CENTER REFERENCE ARCHITECTURE
Table of Contents
Introduction . . . 4
Scope . . . 4
Framework . . . 4
The Importance of Data Centers and Their Infrastructures . . . 4
A Data Center by Any Other Name . . . 4
Supporting Enterprise and Cloud Data Centers . . . 5
Solution Profile Overview . . . 5
Key Trends in Today's Data Center . . . 6
Evolving Business Application Architectures . . . 6
Server Virtualization . . . 6
Reducing OpEx . . . 6
Protecting Against Security Threats . . . 6
Convergence of Fibre Channel and Ethernet Networks . . . 7
Requirements . . . 7
Functional Areas in the Cloud-Ready Data Center . . . 8
Juniper's Approach to a Cloud-Ready Data Center . . . 9
Network Infrastructure . . . 9
Application Traffic Flows . . . 10
Simplified Network Infrastructure . . . 10
Distributed Data Centers . . . 10
Juniper's Approach . . . 11
Compute and Storage Infrastructure . . . 11
Integrating Virtual Server Infrastructure . . . 12
I/O Convergence . . . 13
Fibre Channel and FCoE . . . 14
Juniper's Approach . . . 14
Services . . . 16
Security Services . . . 17
Application Services . . . 21
Juniper's Approach . . . 22
Management, Orchestration, and Automation . . . 24
Profile of an Effective Orchestration Platform . . . 25
Management Infrastructure Supporting Cloud-level Orchestration . . . 25
Juniper's Approach . . . 27
Junos Space: Juniper's Open Network Orchestration Platform . . . 27
Automation Based on Junos OS . . . 28
Data Center Network Design Profiles . . . 28
Transactional Production Data Center Network . . . 29
Content and Hosting Services Production Data Center Network . . . 30
High-Performance Compute (HPC) Production Data Center Network . . . 32
Enterprise IT Data Center . . . 33
Small and Midsize Business IT Data Center . . . 34
Conclusion . . . 36
Appendix A: Juniper Products for the Cloud-Ready Data Center Network . . . 36
Switching . . . 36
Routing . . . 36
Security Services . . . 36
Application Services . . . 37
Operating System . . . 37
Unified Network Client . . . 37
Orchestration and Network Management . . . 37
Junos Space Platform . . . 37
Technical Services . . . 37
About Juniper Networks . . . 37
Table of Figures
Figure 1. Data center reference framework . . . 8
Figure 2. Reference architecture network infrastructure . . . 10
Figure 3. Compute and storage . . . 12
Figure 4. Consistent management of the physical and virtual network from Junos Space . . . 15
Figure 5. Services functional area . . . 16
Figure 6. Flow types in the new cloud infrastructure . . . 18
Figure 7. Management, orchestration, and automation . . . 24
Figure 8. Juniper Networks management infrastructure . . . 26
Figure 9. Junos Space infrastructure . . . 28
Figure 10. Transactional data center network infrastructure . . . 30
Figure 11. Content and services hosting production data center network . . . 3
Figure 12. High performance compute production data center network . . . 33
Figure 13. Enterprise IT data center network . . . 34
Figure 14. Small and midsize business IT data center network infrastructure . . . 35
Introduction
The data center is an essential corporate asset that connects all servers, applications and storage services. Businesses rely on their data centers to support critical business operations and drive greater efficiency and value. As such, the data center is a key component that needs to be planned and managed carefully to meet the growing performance demands of users and applications. Juniper Networks offers a comprehensive data center network solution that combines best-in-class products with well-defined practices to build high-performance, robust, virtualized and cost-effective data center networks. This reference architecture proposes practices, technologies and products that help data center architects and engineers who are responsible for answering the requirements of designing modern data center networks that support business goals.
Scope
This document introduces Juniper Networks' architectural model and its offerings in support of data center and cloud computing networks. The purpose of this reference architecture is to communicate Juniper's conceptual framework and architectural philosophy in creating data center and cloud computing networks for our customers.
This reference architecture is intended for the following personnel:
• Customers in the enterprise and public sector
• Service providers
• Juniper partners
• IT and network industry analysts
• Individuals in sales, network design, system integration, technical support, product development, management, and marketing who have an interest in data center design
Framework
The Importance of Data Centers and Their Infrastructures
Data centers run the applications that deliver business processes and services. These applications provide critical information and rich, differentiated content for users. Users now demand an agile, responsive infrastructure that provides exactly the access that they need. This can be 24x7x365 for services that must be always on and accessible from anywhere, or a series of scheduled updates set to meet user needs for time-based information (hourly, daily, weekly, monthly, or quarterly).
For innovators and technology suppliers such as Juniper Networks, data center networks are central to the business mission, providing the focal point for solutions that unlock value in unique and compelling ways for businesses and their users.
A Data Center by Any Other Name
Not all data centers are the same. Their use, size and design vary with the needs of the business and the results that must be achieved. Examples include:
• Online transaction processing centers meeting strict transaction time constraints and carrying financial obligations with transaction results (exchange trading platforms, online financial services, online retail sales)
• Multimedia content delivery with strict quality and consistency requirements (online entertainment and news, video conferencing, live meetings)
• Computationally intense workloads (homeland security, logistics and production control, flight control, scientific research and economic modeling)
• General enterprise-grade operations data processing (CRM, ERP, human resources, finance, and messaging/communication)
• Cost-effective, reliable and manageable data center infrastructures for basic business operations
To accommodate the industry's embrace of cloud computing, our reference architecture is flexible enough to enable private, public or hybrid cloud computing services and to support the application environments that are critical to achieving the organization's business objectives.
This document is intended to help organizations that are considering cloud computing, whether or not they have started to implement any cloud elements. We will consider the implications of cloud computing for data center architectures and provide a reference for organizations who want to adopt cloud computing as they move forward.
It is our objective to provide a reference architecture that is unsurpassed in its ability to meet the needs of a diverse range of organizations, keeping in mind that the business objectives are primary, and that cloud computing is the enabling model, not the end in itself.
Key Trends in Today's Data Center
In this section, we present some of today's key market and technology trends and examine how these trends inherently affect data center requirements.
Evolving Business Application Architectures
Today's enterprises rely on their business applications. Business applications enable transactions for internal employees, collaboration with outside partners and customers, and capabilities that improve the business's competitive advantage. In today's globally competitive world, applications must be available everywhere and at all times. When business applications perform on an as-needed basis, the organization thrives; when they do not, business is lost.
Concurrently, we also note the evolution of a rich mix of application architectures that must be supported in their own right. In many cases, these are blended into mixed or tiered designs with a range of resulting flows. Some are strictly constrained to a narrow, necessary content mix, while others are more fluid and involve a varying mix of content and transaction types depending on user choice. A key requirement of data center architectures is to support a wide range of applications successfully. Some of these application types include Service-Oriented Architecture (SOA), Software as a Service (SaaS), Web 2.0, Unified Communications (UC) and streaming services.
Server Virtualization
Aligned with the trend toward more powerful servers, more open application designs, and the need to accomplish more with less in the data center infrastructure, the adoption of virtualization in the server infrastructure continues to increase. This produces a need to network the individual virtual machines with an additional layer of virtual switching within each server. Because multiple logical hosts now run on an individual server, it becomes necessary to differentiate their identities within the network and allow them to operate properly within their own logical domains. This trend creates the need to relate the virtual and physical network configurations, and it creates an interest in the ability to move application workloads in a flexible and seamless fashion.
Increasing Demands on Bandwidth and Capacity
Rich media applications, proliferation of users and device types, compute and storage utilization, and access methods continue to drive technology innovation. From a bandwidth perspective, we have seen a progression from GbE to 10GbE to 40GbE and 100GbE links, and this evolution will continue to drive requirements in how data center networks are built.
Reducing OpEx
Changes in the global economy and the desire to achieve greater business value associated with IT investment are creating more pressure to control costs. Despite more stringent requirements for high availability and resiliency, this is particularly relevant for the ongoing operational costs associated with maintaining IT and data center networks.
Protecting Against Security Threats
New types of attacks are constantly surfacing, and attackers often employ new ways to exploit and hide in legitimate traffic. This places organizations in a continual mode of catch-up, trying to make sure that they have appropriate protection against the latest vulnerabilities and threats. With the emergence of new applications, the security landscape continues to change. Although existing intrusion prevention techniques are still applicable, simply identifying source and destination addresses and port combinations no longer offers sufficient protection. The concept of application fluency is required to address these evolving security threats.
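The point that address-and-port matching alone is no longer sufficient can be made concrete with a small comparison. The following is an added illustration written for this page, not code from the Juniper document or any Juniper product: it runs a port-only allow-list and a simple application-aware check over a handful of constructed flow records. The flow records, the payload prefixes, the `classify_application` heuristics (matching an HTTP request line, a TLS record header, or an SSH banner) and the `EXPECTED_APPS` table are all assumptions made for the example; a production DPI engine identifies far more protocols and uses much deeper inspection than these first-byte checks.

```python
"""Port-based vs application-aware policy over constructed flow records.

Added example (not from the Juniper document): a 5-tuple allow-list versus a
check that classifies the application from the first payload bytes, to show
why address/port rules alone no longer distinguish legitimate from
disguised traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    first_bytes: bytes  # first payload bytes seen on the flow (constructed)


# Constructed sample flows. The payload prefixes mimic well-known protocol
# starts: an HTTP request line, a TLS record header, and an SSH banner.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "10.2.0.10", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    Flow("10.1.1.6", "10.2.0.10", 443, "tcp", b"\x16\x03\x01\x00\xa5\x01\x00"),
    # SSH carried over TCP/443: a port-only rule cannot tell this from HTTPS.
    Flow("10.1.1.7", "10.2.0.10", 443, "tcp", b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.1.1.8", "10.2.0.10", 8080, "tcp", b"POST /api HTTP/1.1\r\n"),
]

# Legacy policy: destination ports permitted towards the server tier (assumed).
ALLOWED_PORTS = {80, 443}


def port_policy(flow: Flow) -> bool:
    """Legacy check: allow anything whose destination port is on the allow-list."""
    return flow.dport in ALLOWED_PORTS


def classify_application(first_bytes: bytes) -> str:
    """Identify the application from the first payload bytes, independent of port.

    These are deliberately minimal heuristics for the example; a real DPI
    engine keys on much more than the first few bytes.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record: content type 0x16 (handshake) followed by major version 0x03.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    http_methods = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")
    if first_bytes.startswith(http_methods):
        return "http"
    return "unknown"


# Application-aware policy: which applications are expected on which port (assumed).
EXPECTED_APPS = {80: {"http"}, 443: {"tls"}}


def app_aware_policy(flow: Flow) -> tuple[bool, str]:
    """Allow the flow only if the observed application matches what the port is for."""
    app = classify_application(flow.first_bytes)
    expected = EXPECTED_APPS.get(flow.dport)
    if expected is None:
        return False, app
    return app in expected, app


def evaluate(flows):
    """Return per-flow verdicts from both policies so they can be compared."""
    verdicts = []
    for f in flows:
        allowed_by_app, app = app_aware_policy(f)
        verdicts.append({
            "dst_port": f.dport,
            "app": app,
            "port_policy": port_policy(f),
            "app_policy": allowed_by_app,
        })
    return verdicts


if __name__ == "__main__":
    for v in evaluate(SAMPLE_FLOWS):
        print(v)
```

Run as a script, the third flow is the one worth noticing: the port-only policy admits it because it targets TCP/443, while the application-aware check classifies it as SSH and rejects it because SSH is not what port 443 is expected to carry. That mismatch between port and observed application is the kind of signal a port-based rule set cannot produce and an application-fluent control can.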
Convergence of Fibre Channel and Ethernet Networks
Design evolution has allowed storage to be pooled for access over networks by a diverse population of servers and computers. Distinct technologies have emerged to enable designs to handle server-to-storage communications, and this has led to a desire to work towards the design of a converged storage and Ethernet data center network that would allow storage and application traffic to share the same common network. This would ultimately save money and allow increased operational efficiency.
Requirements
At the same time that we take note of the varying business objectives that drive organizations and their data centers, we also need to note the evolution of a rich mix of application architectures that must be supported in their own right, and in many cases are blended into mixed or tiered designs with a range of resulting flows. Some are strictly constrained to a narrow, necessary content mix, while others are more fluid and involve a varying mix of content and transaction types depending on user choice. For example, the most significant impact of SOA and Web 2.0 applications is the variability of traffic load and traffic patterns that both permit and often place demands on the network infrastructure. Without proper network planning, every new SOA or Web 2.0 mashup application is at risk of creating congestion, performance problems and even application failures. Latency, jitter and packet loss effects are important predictors of UC and streaming services.
To successfully support a range of application types is a central requirement of data center architectures. Following are some of the key requirements that are emerging for businesses as they plan for the evolution of their application infrastructure and anticipate the impact of these changes on their data centers.
• Performance: To an enterprise's customers, partners and employees, business applications are the means to an end, the ability to obtain information, complete transactions, or perform a job. High performance is essential to employee productivity, customer satisfaction and the enterprise's bottom line. Application response time is the most fundamental component of understanding application and data center network performance.
• Scalability: In existing computer and network environments, planning for growth and change is a costly and time-consuming effort. A successful organization must be able to readily and cost-effectively scale business applications, even when capacity limits are reached within existing data centers.
• Accessibility: In today's mobile and volatile world, users now require access anywhere in the world, on virtually any type of computer and network connection, 24 hours a day. Enterprises must support access from corporate headquarters, branch offices, other business establishments, home offices, wireless hotspots and cellular networks throughout the world.
• Agility: As the pace of global economic activity continues to accelerate, organizations must be able to respond quickly to changes in demand and other market conditions. Agility improves with the user's ability to reprovision infrastructure resources rapidly and inexpensively. Business applications that support agility can help reduce time to market, strengthening the organization's competitive position and increasing market share.
• Availability and Continuity: No application is 100 percent failure proof. To protect an enterprise's competitive edge, business applications must be at least as available as those of competitors, and productivity must not suffer when failures occur. Furthermore, when a disaster occurs, the organization should recover with minimal discontinuity, getting business applications online again quickly and ensuring that the associated user data is protected and available.
• Security: Security is a multifaceted concern that touches upon almost every aspect of the business landscape. Organizations must respond effectively to evolving threats that can compromise business data or interfere with application availability. They must ensure secure operations in shared environments and meet industry compliance and regulatory requirements. Business applications must also support guaranteed service-level agreements (SLAs) and be consistent with stringent real-time requirements.
• Manageability: To help reduce OpEx, the data center network should be orchestrated to simplify the management tasks associated with configuration, monitoring, maintenance and other administrative tasks.
Functional Areas in the Cloud-Ready Data Center
To deliver applications from the cloud data center, organizations must divide the required tasks into optimized functional areas. Effective choices within each functional area can help designers meet application goals with respect to latency, availability, security and scale.
Figure 1 illustrates the framework we employ to envision the data center network at its highest level. It includes the following areas and their functional interrelationships:
• Network Infrastructure: provides connectivity and transport for applications and services between users and the data center, within the data center and across multiple data centers. The network infrastructure has three main subcomponents, namely the access network, the core network and the edge network.
• Compute and Storage: represents the compute and storage infrastructure appropriate for applications (rack-mount and chassis-based, cost-effective and multi-core, with unstructured content and highly structured transaction databases). The compute and storage functional area hosts all business applications such as Enterprise Resource Planning (ERP), SaaS, SOA and Web 2.0 applications (among others).
• Services: supports applications with security, user verification, and entitlement, and application support, including application acceleration, deep packet inspection (DPI), and load balancing.
• Management and Orchestration: ties together all of the elements of the cloud-computing infrastructure, enabling efficient and responsive monitoring, management, and planning.
Figure 1. Data center reference framework
While each component has its own characteristics, specific requirements and enabling technologies, Juniper Networks packages them all together with a common cloud-computing architecture that meets the individual and combined requirements with powerful enabling technologies. Let us take a closer look at each of the functional components beginning with business applications.
[Figure 1 labels: Services; Network Infrastructure: Edge, Core, Access; Management and Orchestration; Security; Acceleration; Server Load Balancing; Compute; IP Storage; Converged Access; SAN Network]
Juniper's Approach to a Cloud-Ready Data Center
To maximize effectiveness of the data center across the major functional areas, Juniper has embraced a strategy to optimize designs in multiple dimensions: to simplify, share, and secure the data center network to the maximum extent possible and to provide a powerful suite of automation tools. Each dimension brings concrete value to solution designers, enabling data centers to meet important application delivery objectives:
1. Simplify. By simplifying the data center network, we mean minimizing the number of network elements required to achieve a particular design, thus reducing both capital and operating costs. Simplifying also means streamlining data center network operations with consistently implemented software and controls.
2. Share. By sharing the data center network, we mean intelligently (and in many cases dynamically) partitioning the infrastructure to support diverse applications and user groups and to interconnect large pools of resources with maximum agility. In many cases, this involves powerful virtualization technologies that allow multiple logical operations to be performed on individual physical entities (such as switches, routers and appliances).
3. Secure. When we secure the data center network, we must extend protection to support enforcement and visibility across rich, distributed architectures that many applications currently use. This requires a robust, scalable, multidimensional model that enhances and extends the traditional perimeter defense. By increasing the granularity and agility of security policies, we can enable trusted sharing of incoming information and resident data within the data center, while complementing the functions embedded in operating systems and applications.
4. Automate. By automating, we mean capturing the key steps involved in performing management, operational, and application tasks, and embedding task execution in software that runs as an intelligent added value to the overall data center operation. Tasks can include synchronizing configurations among multiple disparate elements, starting and stopping critical operations under various conditions, and diagnosing or profiling operations on dimensions important for managers to observe.
With the high-level framework in mind, now we can discuss the individual functional components and their associated requirements and enabling technologies.
Network Infrastructure
When designing the data center network, we must consider all communications occurring within the data center itself, between the data center and its users, and among data centers within the cloud. The infrastructure consists of a combination of elements in three domains, integrated in a variety of ways based on customer needs:
• Access network
• Core network
• Edge network
The access network provides connectivity to all shared enterprise servers, applications, storage devices, and any IP or office automation devices required in the data center facility. Most data center access switches are deployed at the top of the rack or at the end of the row of server racks.
The core network provides a fabric for high-speed packet switching between multiple access network devices. Due to their location in the network, core-layer switches must provide scalable, high-performance, high-density, wire-rate ports, and HA hardware and software features that deliver carrier-class reliability and robustness. The core serves as the gateway where all other modules such as the WAN edge meet. It typically requires a 10GbE interface for high-level throughput, and maximum performance to meet oversubscription levels. The core provides high-speed throughput for all data going into and out of the data center, and it must provide resilient, fail-safe Layer 3 connectivity to multiple access layer devices.
The edge network provides the communication links to end user networks of various types. These can be private WAN or campus backbones, mobile access networks, VPNs, or other types of Internet access. The high performance and reliability of these connections improve user experience. Agility ensures that users will have access to applications and services where and when they are needed. In addition, multilayered security controls ensure that users, applications and data are protected at appropriate levels.
Figure 2 shows the network infrastructure functional area of the reference framework.
Figure 2. Reference architecture network infrastructure
Application Traffic Flows
In the past, applications were designed with a very specific traffic flow. Typically, requests would originate from a client system and be routed to a single application server, which would then respond directly back to the client. This client/server model was, in effect, a single-direction north-south scheme. Because of demands for greater application performance and response time, and the continued adoption of virtualization technologies, application architecture has changed. A more distributed model has also had an impact on application traffic flows. Today, a request originates from a client system and is routed to an application, but the processing of the request results in information sharing across multiple servers prior to responding to the original request. Furthermore, these servers can exist across multiple physical machines and locations. Because of this shift, the network infrastructure should optimize the ability of the application infrastructure to handle the increasing levels of server-to-server communication streams.
Simplified Network Infrastructure
Another significant trend in data center networks is the continual need to provide scale and agility for growth, while simultaneously controlling costs. As new applications and business models emerge, the network design that worked well for businesses may not be able to support new demands on the IT infrastructure and, most importantly, new business requirements. Networks built on fragmented and oversubscribed tree structures have scaling and consistent performance problems. As more devices are added, design and management complexity and costs increase exponentially. A simplified network infrastructure can help meet these requirements of scale, while mitigating the concerns of cost and complexity.
Distributed Data Centers
Due to rapid growth, bandwidth, and latency considerations as well as space, power, or cooling capacity requirements, data center locations continue to multiply. While this has catalyzed a desire for improved simplification and consolidation, organizations also are considering ways that will enable the network infrastructure to connect these different locations together.
[Figure 2 labels: Network Infrastructure: Edge, Core, Access; Management and Orchestration; Converged Access]
Figure 3. Compute and storage
Integrating Virtual Server Infrastructure
Server virtualization reduces the number of physical servers in the data center and provides greater flexibility to meet rapidly changing business needs. However, server virtualization introduces challenges as well, some of which directly involve the data center network. Virtual machines increase the density of traffic loads to and from individual machines (because each virtual machine has its own operating system and applications). This increases network link utilization and places additional demands on the network fabric, especially when we consider dynamic creation and migration of virtual machines.
The use of virtual machines also creates an additional logical (or virtual) layer of networking within the server endpoints and between the virtual machines. A virtual network extension allows separation and connection of traffic to and from individual virtual machines, both within the physical servers and between the physical servers and the rest of the network. This creates a need for configuration, state and policy integration between the physical and virtual parts of the network.
As workloads change, the data center infrastructure must support rapid, on-demand reassignment of resources in a way that is completely transparent to end users. Compute capacity must scale to meet the demands for applications and services without disruption. Scaling must encompass high-density deployment within the data center, and it must provide processing power flexibly across multiple data centers.
With virtualization technology now supported on multiple operating systems and computing platforms, the data center network architect must evaluate the impact of the virtualized server environment on network architecture:
Increased capacity due to higher link utilization (multiple virtual machines now running on an individual physical server) and associated resources (increased media access control (MAC) and IP addresses and applications per physical server)
Expanded availability requirements due to increased operational risk (loss of one server means the loss of numerous virtual machines)
Increased relevance of standards and automation in the integration of physical and virtual networks, dynamically and at scale
Increased importance of network-based services and their relation to virtual infrastructure such as firewalls, intrusion prevention systems (IPS), and load balancers, all of which affect network performance.
[Figure 3 labels: Compute, IP Storage, SAN, Network]
Provisioning sufficient bandwidth to meet application SLAs is a primary consideration. A conventionally oversubscribed network design becomes unacceptable in the face of increased link utilization and dynamic traffic flows. To meet SLAs, architects must consider increasing link bandwidth in the server and network infrastructures.
To provide load balancing in the cloud, some virtual machines may need to be moved across physical machines within the data center or to other data centers, and the network must have the agility to support this move.
In this environment, it is important that the network and virtual servers be synchronized automatically with respect to virtual machine configuration and policies. This is critical for managing SLAs and meeting audit and compliance requirements. For successful virtual server networking, the architecture must embrace the emerging extensions to the IEEE 802.x family of Ethernet protocols that enable synchronization of physical and virtual network configurations under the name of Virtual Ethernet Port Aggregator (VEPA). These standards help customers maximize choice in deployment of virtual servers and confidently support networking them with agility and high performance, regardless of the number of applications and hypervisor vendors used.
An additional subtlety in successfully supporting the virtual server endpoints is enabling a successful end-to-end security architecture for the applications. In the virtual server environment, conventional security practices such as monitoring network activity, inspecting and filtering traffic, and maintaining strictly separate security domains are often absent. Inter-virtual machine communication is a particular blind spot: traffic between virtual machines on the same host does not touch the physical network and is not protected by physical network monitoring or security.
Filtering traffic to and from a virtual server (or cluster) is only one part of the solution. To truly mitigate the risks within the virtual environment, especially those related to inter-virtual machine communication, defense in depth at the level of individual virtual machines is required. An effective, multilayered defense is only feasible if it maintains the productive capacity of the host servers and remains independent of the malware it defends against. An approach that integrates the capabilities of virtual appliances running within hypervisor environments with the security capabilities of the physical data center network is the type of integrated, multitiered, and multilayered design required for end-to-end success with virtual machines and the cloud.
New data centers also require managing virtualized network and security profiles and virtual machine configurations as they migrate across physical hosts. Managing profiles across physical hosts is difficult and may prevent organizations from taking server virtualization efforts beyond server consolidation and into dynamic resource allocation. Juniper addresses this requirement with Juniper Networks Junos Space applications such as Virtual Control, which allows for management of virtual machine configurations and switch port profiles on an integrated basis between the physical and virtual domains.
I/O Convergence
The rising cost and complexity of building and operating modern data centers have led organizations to seek new ways to make the data center infrastructure simpler and more efficient. Although the cost of data center networking equipment is relatively small compared to the cost of server hardware and software, the underlying network fabric is the linchpin that connects all mission critical resources. A simpler, more streamlined data center fabric means greater efficiency and productivity and lower operating costs. In addition, shared (centralized or distributed) storage, be it file-based (network-attached storage (NAS)) or block-based (storage area network (SAN) using Internet Small Computer System Interface (iSCSI), Fibre Channel (FC), or Fibre Channel over Ethernet (FCoE)), is an essential element of an effective compute and storage solution for data centers and the cloud. These can be used in concert to support advanced virtual systems and the overall virtual networking infrastructure.
Traditionally, servers are deployed with multiple I/O cards to connect to multiple separate physical network segments or even completely separate network infrastructures: dual SAN for disk access, another SAN or LAN for backup, dual LAN for client/server or campus LAN connection, out-of-band management, VMotion and cluster traffic. I/O convergence helps to reduce the number of such interfaces and networks. It has been promoted along with Ethernet or IP-based storage technologies such as iSCSI and NAS and, more recently, FCoE.
With the increased affordability and rapid adoption of 10GbE in the data center, Ethernet is poised to take on the connectivity tasks formerly relegated to InfiniBand and Fibre Channel and to become the dominant data center networking technology. Reducing the number of I/O cards and network ports drives many potential savings.
Figure 4 shows the Junos Space Virtual Control application managing both the physical and virtual network.
Figure 4. Consistent management of the physical and virtual network from Junos Space
Junos Space Virtual Control
Junos Space Virtual Control allows network operators to discover, configure, provision, and monitor a VMware vNetwork Distributed Switch (vDS) as well as a Juniper switch platform. This single pane of management facilitates synchronous configuration changes for both physical and virtual switching environments, and it simplifies network operations by dynamically mapping port profiles to support VM mobility. Junos Space Virtual Control leverages VMware open APIs to achieve this functionality, while similar integration with Junos Space can be achieved with other virtual switching environments (Xen, PowerVM, Hyper-V) with similar open interfaces. An emerging standard is being developed to define the interface between virtual and physical switching environments, called Virtual Ethernet Port Aggregator (VEPA). VEPA is a nondisruptive and cost-effective solution to inter-VM communications. Implementation requires minimal changes to the software running on the physical switch, not wholesale replacement of the existing networking infrastructure. VEPA allows virtual switching to be extracted from the server, improving server performance and increasing the number of VMs that can run on each server. Finally, because VEPA is based on open standards and is server- and hypervisor-agnostic, customers have maximum flexibility in deploying server virtualization. VEPA will enable rapid innovation in services for users, as well as operational consistency, simplicity, and efficiency.
The pending VEPA standard also contains a critical feature known as multichannel operation. Because many virtual servers contain more than one virtual network switch, physical switches must be able to identify the virtual switch that is the source of traffic coming to them. While this advanced feature will require some hardware upgrades, the basic VEPA technology can be supported with a simple software upgrade.
I/O Convergence
Converged data center networks will require a robust and complete implementation of the FCoE and DCB standards to be viable in supporting the critical application and data integrity requirements of data center applications. Because of the timing of ratification of the respective standards (FCoE having preceded DCB by approximately a year) and because of the incremental progress in cost effectiveness of the related infrastructures (early implementations not truly passing the cost effectiveness test), implementation of converged data center networks will occur in two phases. In phase one, convergence within the rack will enable partial gains while supporting separate LAN and SAN infrastructures using FCoE gateways between the two. In phase two, networks will be converged fully by virtue of support of the full DCB standards suite and by allowing adequate support for all traffic types in an optimized data center network.
Juniper Networks QFX3500 Switch is the first top-of-rack switch built to solve all the challenges of access layer convergence. It works for both rack-mounted servers and blade servers, and for organizations with combined or separate LAN and SAN teams. It is also the first product to leverage a new generation of ASIC techniques. It offers 1.28 terabits of bandwidth implemented with a single ultra low latency (ULL) ASIC, and soft programmable ports capable of GbE, 10GbE, 40GbE, and 2/4/8G FC, supported through SFP+ (GbE copper, 10G copper DAC, and optical) and via QSFP dense optical connectivity. Please refer to the following link: www.juniper.net/us/en/products-services/switching/qfx-series.
By maintaining active participation in the related standardization efforts and by rethinking the technology and economics of the data center network from the ground up, Juniper Networks provides customers with a winning set of platforms. Juniper also offers a pragmatic, innovative strategy to develop a single, converged data center fabric with the flexibility and performance required in a fully virtualized infrastructure, while continuing to drive down the cost and complexity of enabling it properly. For further information on the evolving standards in this space, please refer to the white paper titled Opportunities and Challenges with the Convergence of Data Center Networks at www.juniper.net/us/en/local/pdf/whitepapers/2000315-en.pdf.
Services
As we have seen, data centers are increasing agility and versatility for service delivery in highly virtualized environments. While this enables managers to function responsively, it also exacerbates risks that, if not addressed, can compromise the effectiveness of the newly tuned environment. These risks are principally in the areas of security and application performance. Forward-looking network architecture in the virtualized world includes functionality embedded in the network itself that controls and mitigates many of the risks and facilitates optimum performance. The idea is that protection and acceleration capabilities can run in the network on behalf of, or in concert with, functionality that executes in the application endpoints, for an overall effective, secure and responsive system architecture. Figure 5 shows the services functional area of the reference framework.
Figure 5. Services functional area
Juniper's data center reference framework includes a functional area dedicated to delivery of virtualized services. We describe the capabilities of that area in this section.
The Services functional area allows data center managers to address the following critical challenges:
Evolving threat landscape: Data center and cloud service operators must address ever-escalating threats to application delivery, integrity and privacy. Major threats include service disruption, application denial-of-service (DoS) attacks, data leakage to the outside world, attacks on data integrity, and identity fraud.
Sharing of resources: Resource sharing allows organizations to realize economies of scale that are essential to success with virtualization and the cloud. However, to realize this potential, operators must be confident that shared resources such as virtual machines, applications and supporting platforms will not be compromised.
[Figure 5 labels: Services: Security, Acceleration, Server Load Balancing]
Managing virtualization risks: In the traditional data center, where resources and applications map directly to physical equipment, security is straightforward because physical boundaries still exist. However, as resources become virtualized, traditional security controls are insufficient. Intelligence is required to help operators understand and limit the risks that arise when physical boundaries are replaced by virtual boundaries.
Granular policy control: Managers must secure the entire path between the end user's source and the destination application. This requires extensive, granular policy control for security and entitlement throughout the infrastructure. By using granular controls, managers can ensure service integrity and meet SLAs.
Traffic integrity and confidentiality: In many cases, traffic flowing through the cloud must be secured to prevent unwarranted data disclosure and ensure the confidentiality of user information.
QoS: To assure the quality of the end user experience, services are required to apply QoS metrics, such as preferred service for VoIP traffic.
Compliance and SLA: Cloud data center operators must meet auditing and risk assessment requirements mandated by regional regulatory authorities. Services can be deployed to ensure that cloud providers meet these requirements and to demonstrate that security controls are effective in enforcing security policies.
Application acceleration: Application acceleration services can boost the performance of major applications within an enterprise. Applications may be business critical (for example, ERP applications such as SAP and Oracle), or contribute to employee productivity (such as Microsoft Outlook).
In prior designs, services were required only at the data center edge, with gateways securing the connection between end users and the data center interior. This has been called a perimeter defense. With current trends toward consolidation and virtualization in the data center and management of flows between data centers, security- and application-related services are now required at a greater number of control points in the data center and virtual systems, not only at the entry gate. A comprehensive and agile architecture of services intelligence must be deployable from applications and hypervisors running virtual machines, to critical protection points in the core of the network, to the data center edge, and ultimately to the end user.
A well-designed infrastructure applies services where needed and enforces policies dynamically on network traffic. Delivery of services can be optimized by using resource pools that are shared across the network.
As with the network infrastructure, services in the data center must meet stringent requirements for performance, scalability and availability. They must also support granular policy control and the intelligence to meet user- and application-specific SLAs.
The Services functional area comprises two major groups of capabilities: security and application services. Security services control access to resources and protect traffic within the cloud. Application services improve the performance, scalability and agility of applications and infrastructure and simplify operations.
The following section focuses on these types of services.
Security Services
A single data center can include many thousands of physical compute and storage arrays that enable hundreds of thousands of virtual endpoints used by tens or even hundreds of thousands of clients. The result is a complex set of flows between servers and clients (north-south) and among compute and storage systems (east-west). Comprehensive, effective security must be deployed to scrutinize all traffic and weed out any traffic that can pose a risk to traffic flows or data integrity.
Figure 6 shows the major types of traffic flows that must be secured in the virtualized data center world:
East-west traffic between servers within the data center and between compute and storage systems (server to server).
North-south traffic between servers and end user systems, where the end users can be anywhere in the world, use virtually any type of client device, and obtain access through almost any type of commercial access network (customer to data center).
Traffic between data centers for fast response to changes in demand and load conditions (data center to data center).
Figure 6. Flow types in the new cloud infrastructure
Security services must also take into account the fact that Web 2.0, UC, and rich media applications lead to unpredictable, challenging traffic patterns. A client no longer communicates with a server using a single stream of data (or TCP session) to complete a request. New applications present more challenging traffic patterns involving communications between multiple servers over multiple sessions to fulfil a single user request. A single application interaction now requires much more server-to-server communication and higher levels of module performance to meet requirements. Traffic flows involve multi-node applications, server virtualization and storage over IP. Furthermore, throughout the process, user and data identity and integrity are at stake.
Ultimately, at the user and operator levels, security of information handling is about trust. The fast evolving world of virtualization and the cloud has been inhibited partially in its uptake by the more slowly emerging architectures designed to ensure trust. By putting appropriately broad and effective security services in place, organizations can increase trust levels among end users and potential subscribers, and drive increased satisfaction and demand.
Traditional security platforms, including routers, firewalls, IPS, VPN, and network access control (NAC), continue to be central to the security of the data center. However, existing use of these elements is not sufficient to meet the new requirements of the cloud. To meet security challenges of the cloud, requirements such as security scale, visibility and enforcement play a more significant role. An extended portfolio of interconnected security services is required, including stateful firewalls, IPS, application and identity awareness, secure remote access, NAC, Domain Name System/Dynamic Host Configuration Protocol (DNS/DHCP) services, and authentication, authorization, and accounting (AAA) services. We highlight the role of each of these critical technologies within the security functional area of the cloud in the following sections.
Stateful firewalls: Data center operators have traditionally deployed numerous firewalls to separate servers by function or tier in their system designs, for example, the database, application, and Web tiers of a system. Multiple firewalls were often deployed at the same level of the network and inhibited overall performance. In many cases, firewalls were bypassed when concerns about their ability to pass real-time traffic were considered paramount and the desire for performance outweighed security concerns. Concerns about firewall impact on raw bandwidth, connections per second, and sustained connections caused some data center operators to limit firewall use or even dispense with firewalls in some areas. All of these limitations of prior architectures have resulted in high-risk compromises that are not sustainable in the current privacy, compliance and high-performance end user environments.
[Figure 6 labels: Server to Server, DC to DC, Customer to DC; Data Centers, Clients, Global High-Performance Network]
The challenge is to move from this existing situation, in which appliances are solution inhibitors, to the cloud data center network, in which firewalls are solution enablers. This necessitates the introduction of high-performance, stateful firewalls at the data center core.
High-performance, stateful services are the cornerstone of security in the virtualized data center. Stateful services enforce policies that align with business and operational requirements through the identification and classification of networks. In addition to being the primary Layer 4 access control system, stateful firewalls can support many additional security functions such as DoS or quota protections, DPI on specific applications, and Network Address Translation (NAT).
With stateful firewalls, it is possible to introduce fine-grained control over all traffic flow types (intra-data center, inter-data center, and data center WAN) and to support key security functions such as NAT, Application Layer Gateway (ALG) services, IPsec VPN services, distributed DoS (DDoS) protection, as well as unified threat management (UTM), which includes antivirus, anti-spam, and Web filtering.
Additional capabilities can be inserted in a modular manner on top of this foundation. When done in a modular way per policy zone, this approach provides maximum agility, efficiency and performance.
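The following is an added example, not code from this document or from any Juniper product: a small Python model of the stateful, zone-based Layer 4 control described above. It shows the three behaviours a practitioner relies on: a new session is admitted only if the zone pair permits it, the return traffic of an admitted session passes on state alone (so the database tier needs no rule back to the application tier), and a per-source quota stands in for the DoS/quota protection mentioned above. The zones, subnets, ports, rules and quota are constructed assumptions.

```python
"""Stateful, zone-based Layer 4 filter: an added illustration, not Juniper code.

Assumptions (constructed for this example, not from the document): three
tiers ('web', 'app', 'db') on the subnets below, an 'untrust' zone for
everything else, the zone-pair rules in POLICY, and a toy per-source
session quota standing in for DoS/quota protection.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "proto src sport dst dport flags")

ZONES = {  # constructed subnet -> zone mapping
    "web": ip_network("10.1.0.0/24"),
    "app": ip_network("10.2.0.0/24"),
    "db": ip_network("10.3.0.0/24"),
}

# Constructed zone-pair policy: (from_zone, to_zone) -> allowed (proto, dport) pairs.
POLICY = {
    ("untrust", "web"): {("tcp", 443)},
    ("web", "app"): {("tcp", 8080)},
    ("app", "db"): {("tcp", 5432)},
}

MAX_SESSIONS_PER_SRC = 3  # toy quota; real devices use rate and concurrency limits


def zone_of(ip):
    """Map an address to its policy zone; anything outside ZONES is untrusted."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrust"


class StatefulFirewall:
    def __init__(self):
        self.sessions = set()  # 5-tuples of sessions the firewall has admitted
        self.opened_by = {}    # src IP -> number of sessions it has opened

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        """Return 'allow' or 'drop' for packet p, updating the session table."""
        # Packets of an admitted session pass on state alone, in either
        # direction; this lets the db tier answer the app tier without a
        # db -> app rule.
        if self._key(p) in self.sessions or self._reverse(p) in self.sessions:
            return "allow"
        # Only a session-initiating packet (bare SYN for TCP) may create state.
        if p.proto == "tcp" and p.flags != "S":
            return "drop"
        # New sessions must match the zone-pair policy ...
        if (p.proto, p.dport) not in POLICY.get((zone_of(p.src), zone_of(p.dst)), set()):
            return "drop"
        # ... and stay within the per-source quota.
        if self.opened_by.get(p.src, 0) >= MAX_SESSIONS_PER_SRC:
            return "drop"
        self.opened_by[p.src] = self.opened_by.get(p.src, 0) + 1
        self.sessions.add(self._key(p))
        return "allow"


def run_scenario():
    """Constructed traffic exercising each rule; returns the verdict list."""
    fw = StatefulFirewall()
    packets = [
        Packet("tcp", "10.1.0.5", 40000, "10.2.0.9", 8080, "S"),     # web -> app: policy
        Packet("tcp", "10.2.0.9", 8080, "10.1.0.5", 40000, "SA"),    # app reply: state only
        Packet("tcp", "10.1.0.5", 40001, "10.3.0.7", 5432, "S"),     # web -> db skips a tier
        Packet("tcp", "10.3.0.7", 5432, "10.2.0.9", 50000, "SA"),    # unsolicited SYN/ACK
        Packet("tcp", "10.2.0.9", 50000, "10.3.0.7", 5432, "S"),     # app -> db: policy
        Packet("tcp", "198.51.100.4", 40001, "10.1.0.5", 443, "S"),  # Internet -> web, 3 ok
        Packet("tcp", "198.51.100.4", 40002, "10.1.0.5", 443, "S"),
        Packet("tcp", "198.51.100.4", 40003, "10.1.0.5", 443, "S"),
        Packet("tcp", "198.51.100.4", 40004, "10.1.0.5", 443, "S"),  # 4th exceeds quota
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The order of the checks is the point: state is consulted before policy, so a reply never needs its own rule, and a packet that is neither part of an existing session nor a legitimate session start is dropped before any rule is evaluated. A real firewall additionally ages sessions out and validates sequence numbers; those are omitted here.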
Securing the virtualized access layer: Server virtualization changes the way physical devices operate and are managed in the data center, which has significant security implications. For example, virtualized environments create a new access layer, the virtual switch network. Typically, each physical server hosts a virtual switch that supports communication between virtual machines on the same host. The virtual network can grow rapidly as new virtual machines (VMs) are created, resulting in complex networking flows and VLAN management.
IT administrators lose visibility into, and control over, some traffic, since communication between colocated VMs is handled by the host's virtual switch and never leaves the host. In a traditional data center environment, applications and application components (such as databases and Web interfaces) run on distinct machines that are segregated by firewalls into zones of trust. In a virtualized environment, these applications may be running in VMs on the same host, so they are able to communicate without accessing the physical network. Consequently, they are beyond the visibility and control of traditional firewalls and not bound by zones of trust.
Security is further complicated by VM live migration technologies, such as VMware VMotion and DRS. While these technologies ensure that host resources are maximized, allowing virtual machines to be created, moved, and decommissioned as application loads change, they essentially break zones of trust. For example, traffic isolation mechanisms such as VLANs can be circumvented when a VM is migrated to a host on a VLAN that is different from the original host. Likewise, as VMs move, a server may end up hosting VMs with different trust levels, potentially resulting in privilege escalation for some users.
There is a clear need for a hypervisor-neutral solution in today's highly virtualized data centers. A Virtual Firewall (VF) that inspects all traffic to and from each VM can eliminate blind spots and enforce policies at the global, group, and per-VM level. With a VF, enterprises can granularly define security policies within zones of trust and precisely control whether VMs within the same zone of trust can communicate, ensuring isolation between and within trust levels, and allowing for precise micro-segmentation. A comprehensive security approach would include mechanisms to integrate the VF policy on the hypervisor with the physical network firewall policy above the hypervisor.
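The following is an added example, not code from this document or from any Juniper product, contrasting the two enforcement models described above. One rule set is keyed on VLAN, which is what purely physical segmentation gives you; the other is keyed on each VM's identity and trust group, which is what a per-VM virtual firewall gives you. The inventory, trust groups, hosts and VLAN numbers are constructed assumptions, and the migration of web-02 onto the database host's VLAN is the constructed failure mode the text describes.

```python
"""Policy that follows the VM, not the VLAN: an added illustration, not Juniper code.

Assumptions (constructed for this example): the VM inventory, trust groups,
hosts and VLAN numbers below; a VLAN-keyed rule set and a trust-group-keyed
rule set with explicit intra-group isolation (micro-segmentation).
"""
import copy

# vm -> (trust_group, host, vlan); constructed inventory
INVENTORY = {
    "web-01": ("web", "host-a", 100),
    "web-02": ("web", "host-a", 100),
    "app-01": ("app", "host-b", 200),
    "db-01": ("db", "host-c", 300),
}

VLAN_RULES = {(100, 200), (200, 300)}          # (src_vlan, dst_vlan) allowed across VLANs
GROUP_RULES = {("web", "app"), ("app", "db")}  # (src_group, dst_group) allowed
INTRA_GROUP_ALLOWED = {"app"}                  # only app servers may talk to their peers


def migrate(inventory, vm, new_host, new_vlan):
    """Live-migrate a VM: its trust group is unchanged, its placement is not."""
    group, _, _ = inventory[vm]
    inventory[vm] = (group, new_host, new_vlan)


def vlan_policy(inventory, src, dst):
    """Segmentation by VLAN: two VMs on the same VLAN are simply switched."""
    _, _, src_vlan = inventory[src]
    _, _, dst_vlan = inventory[dst]
    if src_vlan == dst_vlan:
        return "allow"  # no firewall in the path, whatever the trust levels
    return "allow" if (src_vlan, dst_vlan) in VLAN_RULES else "drop"


def vm_policy(inventory, src, dst):
    """Per-VM virtual firewall: decisions come from identity and trust group."""
    src_group, _, _ = inventory[src]
    dst_group, _, _ = inventory[dst]
    if src_group == dst_group:
        # Micro-segmentation: sharing a zone does not imply permission to talk.
        return "allow" if src_group in INTRA_GROUP_ALLOWED else "drop"
    return "allow" if (src_group, dst_group) in GROUP_RULES else "drop"


def evaluate(inventory):
    """Verdicts for a fixed set of flows under both models."""
    return {
        "vlan:web-02->db-01": vlan_policy(inventory, "web-02", "db-01"),
        "vm:web-02->db-01": vm_policy(inventory, "web-02", "db-01"),
        "vm:web-01->web-02": vm_policy(inventory, "web-01", "web-02"),
        "vm:web-02->app-01": vm_policy(inventory, "web-02", "app-01"),
    }


def scenario():
    """Verdicts before and after web-02 is migrated to host-c on VLAN 300."""
    inventory = copy.deepcopy(INVENTORY)
    before = evaluate(inventory)
    migrate(inventory, "web-02", "host-c", 300)  # the constructed failure mode
    after = evaluate(inventory)
    return before, after


if __name__ == "__main__":
    before, after = scenario()
    for key in before:
        print(f"{key:20s} before={before[key]:5s} after={after[key]}")
```

Before migration both models deny web-02 reaching db-01. After migration the VLAN-keyed model allows it, because the two VMs now share a VLAN and nothing in the path evaluates trust; the VM-keyed model still denies it, and still keeps web-01 and web-02 isolated from each other inside their shared zone. Integrating the two, as the text recommends, means the physical firewall's zone policy and the hypervisor firewall's per-VM policy are derived from the same VM identity and group data rather than from VLAN placement.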
Intrusion prevention systems: Network and application level attacks are an ongoing concern, and the data center network must be able to detect and prevent attacks in traffic flows by supporting versatile, high-performance IPS functionality as part of the security service. Because applications must be available to users at locations that are not inherently secure, the risk of misuse or application DoS will always be high. Moreover, because applications are colocated in virtualized data center infrastructures, a chain effect (in which an application is affected by the risk to which another application is exposed) can be created too easily.
IPS must be highly accurate in its detection and prevention capabilities, with low numbers of false positives and false negatives. Effective intrusion detection and prevention requires a multidimensional approach involving protocol analysis, anomaly detection, and signature analysis. IPS should support multiple detection modes and accommodate placement of sensors in different parts of the network.
As an example, sniffer modes involve network taps that passively observe the flow of traffic and identify potential threats, whereas inline systems are deployed in the traffic path and can prevent attacks in real time. Mixed mode solutions can deliver the benefits of both sniffer and inline methods. Actions that are triggered when an attack is detected should include the traditional allow/deny along with finer grained actions such as rate limiting, setting Differentiated Services code point (DSCP) marking, closing client connections/server connections, and performing TCP resets.
The IPS platforms should support the performance and capacities required in data centers of varying sizes and inspect Layer 4 through Layer 7 information at line rates. They should coordinate threat responses with other access control gateways (SSL VPN and NAC) by sharing attacker information, so attacks can be mitigated closest to their source. Because protocol decoders in the IPS deconstruct streams and build the right context to look for threats, a powerful and rich protocol decoder must be in place. Finally, network-based security services, including intrusion detection, attack prevention, encryption, and monitoring, should be consolidated into highly scalable, virtualized security platforms to reduce security device sprawl.
Application visibility and control: Historically, attack prevention has focused on identifying and thwarting malicious activity within allowed traffic, as evidenced by content security technologies such as antivirus and anti-spyware. These mechanisms have been a vital part of the network fabric and offer protection by identifying known attack patterns or behaviors that deviate from the norm.
Unfortunately, new types of attacks are constantly occurring, and attackers often employ new ways to exploit and hide in allowed traffic. This places organizations in a continual mode of catch-up, trying to make sure that they have appropriate attack coverage against the latest vulnerabilities and threats. Organizations need tighter control over what can and cannot be done within a given application. In other words, the solution must evolve from a reactive approach to a more proactive security stance.
Juniper has introduced stateful application filters such as stateful signatures and detection of protocol anomalies. These filters control the commands that are used within an application, so that organizations can reduce the opportunities for exploitation and increase the availability of information and networking services.
However, with the emergence of new applications, the application networking and security landscape continues to change. Although existing intrusion prevention techniques are still applicable, simply identifying source and destination addresses and port combinations no longer offers sufficient protection.
Traditiona statefu security devices assume that an appication uses a service that runs over a fixed, predetermined,
and pubicay acknowedged TCP/UP port number, and that the traffic being processed can be identified by ooking
at the first packet in a session. This approach no onger works because the reationship between port numbers and
appications is simpy a convention that may not appy, and because it is necessary to examine subsequent packets to
estabish reiaby the actua appication and specific functions or commands that are being used.
The concept of visibiity and contro is intended to address these evoving security threats. The idea is to go beyond
traditiona security approaches to identify exacty what actions are aowed by specific users in specific appication
instances. Appication visibiity and contro are essentia for appications such as BitTorrent, Skype and ouTube that
are enabed on top of HTTP and use nonstandard ports (or even randomy assigned ports).
Appication contro is aso important to maintain agiity in the data center. If an IT organization wants to shut down
one appication and bring up a new one, it must be abe to do so quicky. If firewas support ony protoco and port
mappings, doing so becomes a time-consuming and tedious task. To enabe agiity, firewa configuration must be
supported at the appication eve with contros that are independent of ports and protocos.
To support appication visibiity and contro, network security patforms such as enforcement gateways, firewas and
monitoring systems must identify appication context and user conversations with thorough and inteigent signature-
based cassification. They must provide visibiity into the appication infrastructure, making it possibe to determine
appication usage profies and other vauabe appication-eve information. It must be possibe to contro appication
and resource access based on user identity, not just source IP address. With a mobie, dynamic workforce that
connects to appication eements that reside on mutipe servers within the coud, organizations can no onger assign
access privieges based on a we-controed and fixed user ocation represented by an IP address. Services must be
appication and identity aware.
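The contrast the preceding paragraphs draw, port-convention classification versus payload-based application identification with rules keyed on user identity, can be shown end to end. The block below is an added example written for this page; it is not Juniper code and does not reflect how SRX or IDP classifiers are implemented. The signatures, the hypothetical role directory, the policy rules and the sample flows are all constructed, and the example assumes the user identity has already been resolved by NAC/AAA before the flow is evaluated. It goes a little beyond the text by covering several protocols (BitTorrent, SSH, TLS, HTTP refined by its Host header) rather than one.

```python
"""Port-independent application identification with an identity-aware policy.

Added example (not Juniper code). A flow is classified from its payload,
not its destination port, and the policy is keyed on (user or role,
application) rather than on ports and protocols.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Flow:
    user: str       # identity resolved by NAC/AAA before the flow reaches the firewall (assumed)
    dst_port: int
    payload: bytes  # leading bytes of the client's stream (constructed samples below)


# Hypothetical role directory; a real deployment would query AD/LDAP.
ROLES = {"alice": "engineering", "bob": "sales"}

# What a traditional port-based device would assume the application is.
PORT_CONVENTION = {22: "ssh", 80: "http", 443: "tls"}

# Payload signatures, constructed for this example; the first match wins.
SIGNATURES = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS record: handshake type, version 3.x
    ("http", re.compile(rb"^(GET|POST|PUT|HEAD|DELETE) \S+ HTTP/1\.[01]\r\n")),
]
HOST_HEADER = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)", re.IGNORECASE)

# Policy rules (constructed): (user, role or "*", application glob, action); first match wins.
POLICY = [
    ("*", "bittorrent", "deny"),
    ("engineering", "ssh", "allow"),
    ("*", "ssh", "deny"),
    ("*", "http/video.example.com", "rate-limit"),
    ("*", "http/*", "allow"),
    ("*", "tls", "allow"),
    ("*", "*", "deny"),
]


def guess_by_port(flow):
    """Port-convention classification: wrong as soon as an application changes port."""
    return PORT_CONVENTION.get(flow.dst_port, "unknown")


def identify_app(flow):
    """Classify from the payload. HTTP is refined by its Host header so that
    applications riding on top of HTTP can be told apart from one another."""
    for name, pattern in SIGNATURES:
        if pattern.match(flow.payload):
            if name == "http":
                m = HOST_HEADER.search(flow.payload)
                if m:
                    host = m.group(1).decode("ascii", "replace").strip().lower()
                    return "http/" + host
            return name
    return "unknown"


def decide(flow):
    """Return (application, action) for the flow under POLICY."""
    app = identify_app(flow)
    subjects = {"*", flow.user, ROLES.get(flow.user, "")}
    for subject, app_glob, action in POLICY:
        if subject in subjects and fnmatchcase(app, app_glob):
            return app, action
    return app, "deny"  # unreachable while the catch-all rule is present


if __name__ == "__main__":
    # Constructed sample: a BitTorrent handshake sent to TCP port 80.
    f = Flow("bob", 80, b"\x13BitTorrent protocol" + b"\x00" * 8)
    print("port says:", guess_by_port(f), "| payload says:", identify_app(f),
          "| action:", decide(f)[1])
```

The point to notice is that `guess_by_port` and `identify_app` disagree on the sample flow, and that the policy never mentions a port: shutting down or introducing an application is a change to one rule, not to a port mapping on every device.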
Juniper's approach to enabling security services in the data center and cloud-computing environment enables all of
these capabilities comprehensively.
Secure remote access
Given the trend towards consolidating applications into fewer numbers of data center sites, as well as the trend
towards enabling modular applications to connect with each other in distributed application designs within and
between those sites, users must securely access diverse resources from a variety of remote access points.
At the entry points to the cloud, all endpoint access must be checked for compliance before access is granted, and the
security status of the endpoint must be monitored throughout the time that a session is in progress. Notification of
security issues must be done in a timely manner. IPsec VPNs are effective for site-to-site connectivity; however, they
are not ideal for all remote access situations. For example, many employees must access corporate resources from
unmanaged devices such as home PCs, public kiosks or PDAs. By contrast with IPsec, SSL VPNs allow granular access
from any type of endpoint device (unmanaged or managed) if it complies with the minimum security policy that is in
place in the organization. The SSL VPN maintains productivity for employees by enabling them to work from anywhere
using any type of device.
Blending secure remote access into a comprehensive, modular security design is an important goal of Juniper's security
services architecture.
NAC
NAC controls access to a network by way of policies, including pre-admission endpoint security checks and
post-admission controls over where users and devices can go on a network and what they can do. NAC services control
a user's initial access to the network and verify the integrity of the user's system. For example, NAC services can verify
that the user's system has up-to-date antivirus software installed. NAC services should include support for remote
software upgrades, including pushing upgrades to the user system (for example, to download a Windows service pack).
NAC should support policies that determine the types of endpoints or user roles allowed to access designated areas of
the network, and should enforce them in switches, routers and firewalls. NAC services should also coordinate with IPS
for real-time detection and prevention of attacks that can originate from sharing within the internal network.
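The NAC behaviour described here (a pre-admission posture check, role-based placement, a remediation path for endpoints that need upgrades, continued post-admission monitoring, and coordination with IPS) can be modelled as a small decision engine. This is an added example written for this page, not Juniper UAC code: the posture thresholds, the VLAN numbers, the role names and the session bookkeeping are all constructed, and the user's role is assumed to have been looked up in the identity store already.

```python
"""NAC admission engine: pre-admission posture checks, role-based VLAN
placement, post-admission re-evaluation and IPS-driven quarantine.

Added example, not Juniper's UAC. Thresholds, VLAN numbers and roles are
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    user: str
    role: str                   # role from the identity store (assumed already resolved)
    av_installed: bool
    av_signature_age_days: int  # days since the last antivirus signature update
    patch_level: int            # hypothetical monotonically increasing OS patch level


# Posture policy and network placement: constructed values.
MAX_AV_SIGNATURE_AGE_DAYS = 7
MIN_PATCH_LEVEL = 42
ROLE_VLAN = {"employee": 100, "contractor": 200, "guest": 300}
REMEDIATION_VLAN = 999   # quarantine VLAN: reaches only the update and AV servers


def posture_findings(ep):
    """Pre-admission endpoint checks; an empty list means the endpoint is healthy."""
    findings = []
    if not ep.av_installed:
        findings.append("no-antivirus")
    elif ep.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append("stale-av-signatures")
    if ep.patch_level < MIN_PATCH_LEVEL:
        findings.append("missing-patches")
    return findings


def admit(ep):
    """Return (vlan, findings): None denies outright, REMEDIATION_VLAN lets
    upgrades be pushed before real access, otherwise the role's VLAN."""
    if ep.role not in ROLE_VLAN:
        return None, ["unknown-role"]
    findings = posture_findings(ep)
    if findings:
        return REMEDIATION_VLAN, findings
    return ROLE_VLAN[ep.role], findings


@dataclass
class Session:
    endpoint: Endpoint
    vlan: object
    quarantined: bool = False
    events: list = field(default_factory=list)   # audit trail of enforcement decisions


def open_session(ep):
    vlan, findings = admit(ep)
    s = Session(ep, vlan)
    s.events.append(("admission", vlan, tuple(findings)))
    return s


def reevaluate(session):
    """Post-admission control: posture is rechecked while the session lives.
    A degraded endpoint moves to remediation; a healed one is restored,
    unless an IPS quarantine is still in force."""
    if session.quarantined:
        return session.vlan
    vlan, findings = admit(session.endpoint)
    if vlan != session.vlan:
        session.events.append(("moved", session.vlan, vlan, tuple(findings)))
        session.vlan = vlan
    return session.vlan


def on_ips_alert(session, alert_name):
    """Coordination with IPS: an alert attributed to this endpoint pulls it into
    the remediation VLAN, so enforcement happens at the access edge."""
    session.events.append(("ips-alert", alert_name))
    session.quarantined = True
    session.vlan = REMEDIATION_VLAN
    return session.vlan


if __name__ == "__main__":
    ep = Endpoint("alice", "employee", True, 2, 45)      # constructed healthy endpoint
    s = open_session(ep)
    ep.av_signature_age_days = 30                        # signatures go stale mid-session
    print("after re-check:", reevaluate(s), s.events)
```

The `events` list is the part a security operations team would actually consume: every admission, move and quarantine is recorded with its reason, which is what makes post-admission control auditable.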
DNS/DHCP
The data center network infrastructure must support fast and reliable DNS and DHCP services. Issues
with DNS cache refreshes and persistent DHCP bindings can be a potential security issue when customers are using
cloud services. DNS/DHCP services must be configured correctly and run all the time so that policies that are tied to
IP addresses can be applied quickly and accurately. DNS/DHCP services also are necessary to support VLAN operation
and address pool reservations.
AAA
AAA services control whether users can log into data center systems and they determine which resources each
user is permitted to access. The network security infrastructure should be able to leverage existing identity data stores,
including Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) servers.
Standard technologies exist to help different types of networks exchange identity and privilege information and share
common notions of user identities. Standards include Security Assertion Markup Language (SAML), eXtensible Access
Control Markup Language (XACML), and Interface for Metadata Access Point (IF-MAP). These technologies make
it easier for network security devices to coordinate and enforce policies based on identity attributes. Products and
solutions that provide security services should support these standards to ensure that identity and access information
is shared among different networks.
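Of the three standards named above, SAML is the one a gateway most often consumes directly, so the following added example shows what "enforcing policy based on identity attributes" means in practice: a SAML 2.0 assertion is parsed, its validity conditions are checked, and its attributes are turned into roles a policy can act on. The example is written for this page and is not Juniper code; the assertion, the issuer and the audience identifiers are constructed. It assumes the XML signature over the assertion has already been verified by a signature library, and that a production deployment parses untrusted XML with a hardened parser rather than the standard library one used here.

```python
"""Extract identity attributes from a SAML 2.0 assertion and check its conditions.

Added example, not Juniper code. The assertion below is constructed. The XML
signature is assumed to have been verified before this code runs; nothing
here should be trusted without that step.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (no real issuer, user or service provider).
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2011-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-01-01T00:00:00Z" NotOnOrAfter="2011-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://gateway.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>R&amp;D</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(s):
    """SAML timestamps are UTC ('Z' suffix); return an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_bytes):
    """Return the identity data a gateway needs: issuer, subject, validity window,
    audiences and a name -> [values] attribute map."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")
    cond = root.find("saml:Conditions", NS)
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [(v.text or "").strip()
                                for v in a.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
        "not_before": parse_time(cond.get("NotBefore")) if cond is not None and cond.get("NotBefore") else None,
        "not_on_or_after": parse_time(cond.get("NotOnOrAfter")) if cond is not None and cond.get("NotOnOrAfter") else None,
        "audiences": [(x.text or "").strip()
                      for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)] if cond is not None else [],
        "attributes": attrs,
    }


def validate(identity, now, expected_audience, trusted_issuers):
    """Return a list of problems; an empty list means the assertion may be used.
    The audience check is deliberately strict: an assertion that does not name
    this gateway is rejected even when it carries no AudienceRestriction."""
    problems = []
    if identity["issuer"] not in trusted_issuers:
        problems.append("untrusted-issuer")
    if not identity["name_id"]:
        problems.append("missing-subject")
    nb, na = identity["not_before"], identity["not_on_or_after"]
    if nb is not None and now < nb:
        problems.append("not-yet-valid")
    if na is not None and now >= na:          # NotOnOrAfter is exclusive
        problems.append("expired")
    if expected_audience not in identity["audiences"]:
        problems.append("audience-mismatch")
    return problems


def roles_for(identity):
    """Identity attributes become the roles a network policy is keyed on."""
    return set(identity["attributes"].get("role", []))


if __name__ == "__main__":
    ident = parse_assertion(SAMPLE_ASSERTION)
    now = parse_time("2011-01-01T00:02:00Z")   # constructed clock inside the window
    print(ident["name_id"], roles_for(ident),
          validate(ident, now, "https://gateway.example.com/sp", {"https://idp.example.com/saml"}))
```

Three of the four checks in `validate` (issuer, validity window, audience) are what stop an assertion minted for one service from being replayed at another; the roles only matter once those checks pass.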
To summarize, the integrated and virtualized security services resident in the network can provide benefits to users and
applications that share the infrastructure. The comprehensive protection provided by these services can secure data
flows into, within and between data centers. All of these services should be managed centrally and the infrastructure
should enable distributed enforcement through the application itself and the supporting identity-aware security policies.
As a group, security services increase the confidence, trust and agility with which virtualized services can be delivered.
Application Services
In some cases, applications running on multiple hosts can benefit from network-resident services that can be spread
across them efficiently to improve their performance and distribute loads. By including such services as part of an
intelligent network infrastructure, the pooled resources of the cloud can operate much more efficiently. An important
way to do this is to provide specialized services from systems logically and physically embedded in the network that
offload work from other data center servers. These application services include application acceleration, DPI and
global server load balancing.
Application Acceleration
Application acceleration speeds performance for repetitive actions. For example, if a user accesses a document from
a website, the initial download might take several minutes. With application acceleration, the document is cached
following the initial download and subsequent requests can be done in seconds. Application acceleration can be tied
to specific applications. For example, an application acceleration service can be configured to recognize and accelerate
requests from an organization's SAP system.
Data center architects should consider deploying a system that supports acceleration for the different application
tiers, and provides comprehensive capabilities in support of current and emerging application areas such as Web 2.0,
SOA and SaaS. The acceleration solution should boost the performance of client/server, Web-based, and server-to-
server applications, and it should speed webpage downloads. In addition, the acceleration solution should offload
CPU-intensive functions such as TCP connection processing and HTTP compression from backend applications and
Web servers. The application acceleration platform should be seamlessly expandable through stacking or clustering of
multiple devices.
Deep Packet Inspection
QoS is important to ensure application experience over large networks. QoS levels should be assigned and managed to
ensure satisfactory application performance. DPI technology helps deliver advanced services by identifying applications
based on key characteristics and by applying policies appropriate to them. For example, a DPI-enabled network element
can apply QoS policies to an application to ensure preferred quality for video streams. Instead of the application adapting
to network constraints, the network can adapt to application needs, providing a better user experience.
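Both this paragraph and the earlier list of IPS response actions rely on the same packet-level operation: rewriting the DSCP field of an IPv4 header once a flow has been classified, whether to give a video stream preferred treatment or to de-prioritise traffic an IPS has flagged. The block below is an added example written for this page, not vendor code; it builds a minimal IPv4 header, applies a constructed application-to-DSCP policy, and recomputes the header checksum so the marked packet remains valid. The DSCP values themselves are the standard code points from RFC 2474, RFC 2597 and RFC 3246; the application names and the policy mapping are assumptions.

```python
"""DSCP marking of an IPv4 header after application classification.

Added example, not vendor code. Builds a minimal IPv4 header, rewrites the
DSCP field according to a constructed application policy, and recomputes
the header checksum so the marked packet stays valid on the wire.
"""
import ipaddress
import struct

# Standard DSCP code point values (RFC 2474, RFC 2597, RFC 3246).
DSCP = {"BE": 0, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34, "EF": 46, "CS6": 48}

# Application to per-hop-behaviour mapping: constructed policy for this example.
APP_DSCP = {"video-stream": "AF41", "voip": "EF", "bulk-backup": "AF11"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an even-length header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, dscp=0, ecn=0, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    tos = (dscp << 2) | (ecn & 0x03)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def header_length(packet: bytes) -> int:
    """Length of the IPv4 header in bytes, validated against the packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or invalid IPv4 header")
    return ihl


def get_dscp(packet: bytes) -> int:
    header_length(packet)
    return packet[1] >> 2


def checksum_ok(packet: bytes) -> bool:
    """A correct header sums to all ones, so its complement is zero."""
    return ipv4_checksum(packet[:header_length(packet)]) == 0


def set_dscp(packet: bytes, dscp: int) -> bytes:
    """Rewrite DSCP, preserve the two ECN bits, recompute the header checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    ihl = header_length(packet)
    h = bytearray(packet[:ihl])
    h[1] = (dscp << 2) | (h[1] & 0x03)
    h[10:12] = b"\x00\x00"
    struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
    return bytes(h) + packet[ihl:]


def mark_for_app(packet: bytes, app: str) -> bytes:
    """Apply the policy for an application identified upstream (for example by DPI).
    Unclassified traffic is remarked to best effort rather than having its
    incoming marking trusted."""
    return set_dscp(packet, DSCP[APP_DSCP.get(app, "BE")])


if __name__ == "__main__":
    pkt = build_ipv4_header("10.0.0.1", "10.0.0.2", 17, 100) + b"\x00" * 100  # constructed UDP packet
    marked = mark_for_app(pkt, "video-stream")
    print("dscp before/after:", get_dscp(pkt), get_dscp(marked), "checksum ok:", checksum_ok(marked))
```

Two details matter operationally: the ECN bits share the byte with DSCP and must survive a remark, and a header rewritten without a checksum update is dropped by the next hop, which is why `set_dscp` always recomputes it.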
Global Server Load Balancing
It is important to find ways to scale data center services without a linear increase in the hardware footprint, and
to ensure that the design does not increase operational complexity. Global load balancing adds flexibility and
adaptability to the data center network, so users always have access to applications and data, even if service to the
primary data center is interrupted. This type of technology helps organizations support the technical and business
goals of application and data availability without sacrificing performance. Server overload also can be reduced by using
SSL offload and acceleration services.
Integrated Virtual Services
Numerous and diverse services are needed to support the rich, complex network structure at the core of the virtualized
data center. Delivering these services on existing single or limited purpose platforms can easily lead to appliance
proliferation in the data center, as more and more platforms are introduced to deliver a richer set of security and
application services. The resulting duplication of costs, physical space constraints, management overhead and
organizational complexity can seriously inhibit growth of a successful data center or cloud. Many of these concerns can
be resolved by introducing high-performance service processing platforms that support multiple services and stitch
together with a common policy architecture and management structure.
Juniper's Approach
Traditionally, organizations have faced a difficult trade-off between providing network security and delivering
performance for applications. Juniper Networks eliminates this trade-off, making it possible for data centers to have
the robust network security they require with performance that meets the most demanding application and user
environments. Going further, Juniper Networks can consolidate network security for the data center into fewer devices
with centralized policy and visibility to improve significantly the operational efficiency of the data center environment.
The Junos operating system is the foundation of Juniper Networks security services. Junos OS provides a common
language across Juniper's routing, switching, and security devices, reducing complexity in high-performance networks,
speeding deployment, and simplifying provisioning and management. Because all Juniper networking products are
built on Junos OS, data center architects can be confident that services will be compatible, and IT staff can draw on a
common set of tools and experience.
Building on the Junos OS foundation, Juniper offers integrated solutions to meet the major security challenges in the
cloud data center.
SRX Series Services Gateways for Comprehensive Security
Juniper Networks SRX Series Services Gateways serve as the cornerstone of consolidated security within the data
center, providing effective network segmentation, securing flows, delivering IPsec VPN encryption services, and offering
IPS protection, NAT, and ALGs. By consolidating switching, routing and security in a single device, managers can
economically deliver new applications, secure connectivity and deliver quality end user experiences. With its Dynamic
Services Architecture, the SRX Series supports new services without sacrificing performance.
vGW Security for Virtualized Environments
Juniper Networks vGW Virtual Gateway (formerly Altor Networks) delivers a complete virtualization security
regimen that enforces granular access control down to the individual VM and integrates tightly with existing security
technologies, including Juniper Networks IDP Series Intrusion Detection and Prevention Appliances, Juniper Networks
STRM Series Security Threat Response Managers, as well as the SRX Series of high-performance security services
gateways for the physical network. With the vGW Virtual Gateway, security policies are extended from the data
center perimeter to within the hypervisor and down to the individual VM. With this approach, the application of access
control is both continuous and comprehensive across physical and virtualized workloads. HVX innovation also adds
layered defenses that are highly virtualization-aware, enabling real time detection of VM changes and movement, and
the automatic invocation of security policies when those changes impact VM security and compliance posture in a
negative way.
Unified Access Control to Secure LAN Access and Mitigate Insider Threats
Juniper Networks Unified Access Control is a standards-based, scalable solution for adaptive access control that
reduces threat exposure and mitigates risks. It guards mission critical applications and sensitive data, and it provides
comprehensive control, visibility and monitoring.
The UAC approach to adaptive access control reduces the cost and complexity of delivering and deploying granular
NAC. It also addresses challenges such as insider threats, guest access, outsourcing and off-shoring and regulatory
compliance.
UAC is the industry's first NAC solution to offer full layer 2 through layer 7 enforcement capabilities. It is based on
industry standards (802.1X, RADIUS, and IPsec) and open standards (Trusted Network Connect), including IF-MAP,
which empowers UAC to integrate with third-party network and security devices.
SSL VPN for Secure Remote Access
Juniper Networks SA Series SSL VPN Appliances provide enterprises and service providers with remote access
and sophisticated partner and customer extranet features. SA Series appliances enable organizations to enforce
differentiated access to resources based on user roles and groups. These appliances are available with a baseline
software feature set or an advanced feature set that includes options for more complex deployments.
WXC Series Application Acceleration Platforms and WXC Client
Juniper Networks WXC Series Application Acceleration Platforms accelerate mission critical applications over wide
area links, providing compressed output that ranges from 2 Mbps to 155 Mbps rates. Each platform can support
multiple remote sites, and multiple communities of WXC Series devices can be configured to support an unlimited
number of locations.
The WXC Series uses compression and caching to reduce the amount of data actually flowing across wide area links. It
does this by eliminating redundant data patterns and boosting connection capacity to accommodate a greater volume
of traffic. It speeds the performance of specific applications and protocols over the WAN, cutting response times and
optimizing traffic flows to deliver a more LAN-like experience for remote office users. Applications can make the most
efficient use of available links and bandwidth to optimize performance and prioritize data traffic.
Juniper Networks WX Client is Windows-based software for mobile end users that provides LAN-like performance for
applications. Installed on the end user's laptop, the WX Client improves application response times by applying disk-
based caching, compression, and protocol acceleration techniques to WAN data traffic. Enterprises can now enable
cost-effective, dynamically provisioned, pervasive application acceleration regardless of user location.
Management, Orchestration, and Automation
With an understanding of the attributes of the three major traffic processing areas of the data center infrastructure
(compute/storage, network, and security/application services), we can now turn our attention to the challenges of
managing the data center cloud in the most efficient, flexible, and scalable manner. It is a formidable challenge to
interconnect and supervise the growing number of physical and virtual devices in the cloud in a coherent, efficient
way. Management complexity grows as more devices and users are added. To make data centers and the cloud truly
responsive, all components must come together in a well-orchestrated ensemble under the IT organization's control.
Figure 7 shows the management, orchestration and automation functional area of the reference framework.
Figure 7. Management, orchestration, and automation
The term orchestration refers to the automated arrangement, coordination and management of components
(compute, storage, network and service) to meet IT and business requirements.
In addition to the automation that is already an integral part of each component, orchestration requires that
components interoperate with each other, business processes and rules are implemented properly, and end-to-end
services are delivered completely and reliably. Orchestration takes the data center a major step beyond localized
automation to encompass fully coordinated visibility and control over the data center's disparate elements.
Because orchestration is complex and depends heavily on an organization's specific systems, its requirements are
best met by a network orchestration platform that is open and extensible for integration with diverse application and
management systems. The network orchestration platform should support comprehensive network management
functions and use industry standard APIs to enable integration with management and application systems. It should
also provide development tools, including a software development kit (SDK), so that organizations can extend and
adapt the platform to create their own orchestration environments.
Support for security services, including threat analysis, protection, and reporting, to identify risks, ensure reliable