Published by Alaina Wilkerson. Modified over 9 years ago.
THE SOLUTION FOR DISTRIBUTED ENTERPRISE SERVICES WITHOUT BOUNDARIES
May 2009, Presentation for Technical Decision Makers
Agenda
- What's Happening and Juniper's Vision
- Distributed Enterprise Reference Architecture
- Consistent Functionality Across All Locations
- HA, AdTM, and UC Solution Use Cases
- Juniper Advantages – Competitive Analysis
What's happening to the enterprise
Enterprises are more distributed than ever before:
- 62% are increasing the number of branch offices
- 89% support virtual workers
- 30% of workers are virtual
- Top applications for distributed workers: telephony and access to business applications
Source: Nemertes 8/08 | Copyright © 2009 Juniper Networks, Inc.
Trends with the distributed enterprise – what is the problem?
[Figure: four dimensions of the distributed enterprise – Locations, Devices, Users and Applications]
Locations: corporate office, remote office, data center, retail, ATM, government, home office, branch office, kiosk, manufacturing, bank.
Devices: explosion in the number of devices. "By 2010, more than 7.3 billion new devices, such as mobile phones, PDAs, intelligent machines and variations of tablets and notebooks, will be capable of connecting to enterprise systems" (Gartner 10/07).
Users: customers, guests, partners, vendors, suppliers, contractors, off-shore, outsourced, employees.
Applications: SOA, SaaS, Web 2.0.
Trends:
- Decreasing IT staff
- Cost avoidance
- Voice, video and data migrating to Ethernet
- Data loss, cybercrime protection
- Regulatory compliance
- Server centralization, SaaS
- Partner, guest access
- Managing costs
"32 percent of large enterprise IT time is spent maintaining a reliable IT and networking environment. During a recession, IT departments should quantify their time spent empowering the business as well as facilitating cost avoidance." (Yankee, 08)
"Only 24 percent of IT time is spent developing new services and applications." (Yankee, 08)
Supporting more applications, more devices and more locations for more users and diverse audiences... with decreasing IT budgets.
Juniper's distributed enterprise vision
IT SERVICES WITHOUT BOUNDARIES
Value proposition (solution): lower cost and complexity by delivering consistent high-performance connectivity, security, and management services across all workforce centers regardless of size or location.
- Connect: JUNOS-based switching and routing solutions right-sized for all sites. Open platform for unified communications. WAN optimization. Integrated 3G wireless. Switching, routing and application acceleration for delivering converged applications.
- Secure: JUNOS-based security policy, enterprise-wide access control, and Adaptive Threat Management extended to remote sites. Integrated multi-function security right-sized for all sites.
- Manage: JUNOS software ensures consistent functionality and administration. Centralized management application for connectivity and security as well as threat response management. Advanced Insight services across all solutions for the full range of sites. Consistent functionality, centralized administration and proactive services.
Business outcomes:
- User productivity: speed innovation by improving employee relationships and productivity with secured collaboration and communications services.
- Client satisfaction: enhance client satisfaction and trust with high-quality access to essential data and applications.
- Customer retention: increase revenue by attracting and retaining customers with trusted and available network-enabled services.
- Lower TCO.
Typical solution element placements
[Figure: solution elements placed by function – Routing & Switching, Security, Management. Elements shown: SRX Series, EX Series, IC Series, FW/VPN, IDP Series, WX/WXC, MX Series, J Series; management: NSM Express, STRM Series]
Enterprise network reference architecture
[Figure: user communities (Employee, Guest, Customer, Partner) at HQ/Campus, Branch and Remote locations, connected over the Enterprise own Core, a Private WAN (Managed Service) and the Public WAN (Internet) to the Datacenter and a Remote Managed/Hosted Datacenter hosting Video, Finance, Web, Intranet and Access servers. Products shown: SRX 3000 Line, SRX 5000 Line, SRX Series, MX Series, M Series, EX8200, EX4200, EX Series, SA Series, IC Series, IDP Series, WX Series / WXC Series. Technologies listed on the Network Administration Interface (NAI): Virtual Desktops, LAN Access Control, Unified Comms, SaaS, Collaboration, SOA, Server Virtualization. Color code legend: Enterprise Loc., Hosted / Mgd Svc, WAN, Access]
This is the highest level architecture in a distributed enterprise: the network is a utility that needs to support delivery of applications utilizing a wide variety of technologies. These technologies are listed on top of the NAI. Supporting and delivering the applications requires experience assurance, predictability and complete logical isolation (and integrity). The challenge for the network is to connect a diverse set of user communities (purple blocks) from a variety of locations (Campus, Branch, Remote) over WAN networks (Enterprise Core, Private WAN, Public WAN) into application concentrations (DC-hosted or public/partner-hosted application server models). The network should seamlessly support the introduction of new applications (utilizing any new technology) and deliver a good experience with high quality and security. The introduction of new applications should be simple and straightforward: the provisions that enable the application define the network requirements of the application in terms of security isolation and end-to-end network resource allocation.
Enterprise connectivity – 1,000 mile view
[Figure: Headquarter/Campus, Datacenters, NOC, Branch Office, Remote Office, SOHO Office (3G wireless) and Managed/Hosted Datacenter, joined by the Enterprise own Core, a Private WAN (Managed Services) and the Public WAN (Internet)]
This slide shows a connectivity architecture from a 1,000 mile view, which includes the various enterprise locations.
Enterprise connectivity with key components
[Figure: the same locations (HQ/Campus, Datacenters, NOC, Branch Office, Remote Office, SOHO Office with 3G wireless, Managed/Hosted Datacenter) with key components placed at each: SRX 3000 Line, SRX 5000 Line, SRX Series, MX Series, M Series, EX8200, EX4200 VC, EX2200/3200, EX Series, SA Series, IC Series, WX Series / WXC Series, STRM Series and NSM Express at the NOC]
This slide shows a very high level connectivity architecture with key components, which includes the various enterprise locations.
Services without boundaries
Consistent functionality and high performance across all locations.
[Figure: location profiles from Mobile Worker and SOHO through Remote Office and Branch Office to HQ/Campus, scaling by user size and survivability (redundancy); the degree of integration rises as site size falls]
This slide shows that Juniper provides consistent functionality and capabilities regardless of the location. The complexity of the architecture and of the products used in each profile varies with the user size and the survivability/HA requirements of the location. Integrated and scalable connectivity, security, and management.
Branch office architecture – small office home office (SOHO)
[Figure: SOHO office with an SRX Series device, 3G wireless and PSTN links and a WX client, connected over the Public WAN (Internet) and Private WAN (Managed Services) to the Data Center and to the NOC (STRM, NSM Express)]
Connectivity:
- Integrated secure router – FW, VPN, PoE and PSTN interfaces
- Standards-based Group Encryption VPN
- Integrated 3G wireless connection
- WAN interfaces and QoS support
- IPSec tunnels to DC with tunnel HA
- OSPF, BGP and RIP v1/v2 routing
- Network segmentation
- WAN acceleration
Security:
- Adaptive Threat Management
- Full UAC IE support, L4 policy
- IPSec VPN secures VoIP traffic
- Stateful FW to mitigate threats at source
- Full UTM features, Anti-Virus, IDP
- Personal firewall – Odyssey Access Client (OAC)
Management:
- NSM, STRM, J-Web and CLI management
- One-box convenience
- JUNOS Software
This shows the SOHO architecture with security, connectivity and management capabilities in a one-box configuration. Please review the Branch Office Reference Architecture Guide for more details.
Customer example: 7-Eleven
Branch office architecture – remote office
[Figure: remote office with an SRX Series gateway, an EX2200/EX3200 switch with PoE, access point, local printer, PSTN, 3G wireless and a WX client, connected over the Private WAN (Managed Services) and Internet to the Data Center and the NOC (STRM, NSM Express)]
Connectivity:
- Local switch with integrated PoE
- Granular QoS, 802.1p/DSCP/phone marking
- Standards-based Group Encryption VPN
- Voice VLAN and 802.1p auto-sense for VoIP phone or PC attached to phone
- Integrated 3G or commodity Internet backup
- IPSec tunnels to DC with tunnel HA and split tunneling capability
- WAN acceleration
Security:
- Adaptive Threat Management
- Full UAC IE support, L4 policy
- UAC Agent with 802.1X supplicant
- Full UTM features, Anti-Virus & IDP
- Personal firewall – Odyssey Access Client (OAC)
Management:
- NSM, STRM, J-Web and CLI management
- JUNOS Software
- Unified open management
An SRX branch services gateway plus a local switch is designed for remote offices that need local switching and sophisticated functions. It offers the following key features:
- Comprehensive security appliance that offers WAN connectivity and routing.
- Unified Threat Management (UTM) security features including stateful firewall, IPS, anti-virus (anti-spyware, anti-phishing, anti-adware), anti-spam, and Web filtering.
- Local switching offers PoE for VoIP phones and WiFi access points.
- Granular QoS is fully supported to provide best-of-class 802.1p or DSCP marking.
See the Branch Office Reference Architecture for more details.
Customer example: SWIFT
Branch office architecture – medium to large branch office
[Figure: branch with two SRX gateways, an EX4200 Virtual Chassis with PoE, access point, local printer, PSTN and a WX client; WAN links over both the Private WAN and the Internet to the Data Center and the NOC (STRM, NSM Express)]
Connectivity:
- Virtual Chassis technology
- Full local switch with up to 10x48 PoE ports
- Redundant power supply
- Standards-based Group Encryption VPN
Security:
- Adaptive Threat Management for malicious web-conferencing and file-sharing between OCS clients
- Full UTM features, Anti-Virus & IDP
- Full UAC IE support, L4 policy
- UAC Agent with 802.1X supplicant
- Personal firewall – Odyssey Access Client (OAC)
Management:
- NSM, STRM, J-Web and CLI management
- JUNOS Software
- Unified open management
The medium to large branch office solution consists of two branch services gateway devices and an EX4200 Virtual Chassis. WAN connectivity to the DC utilizes both private WAN and Internet connections. This profile supports medium to large-size branch offices and offers seamless and stateful integration of both link- and device-level high availability, with Juniper Networks' Chassis Cluster (a.k.a. JSRP) for SRX services gateways and Virtual Chassis technology for EX4200 Ethernet switches. The medium to large branch offers the following key features:
- High availability from both the link and the device perspective.
- Comprehensive security appliance that offers redundant WAN connectivity and routing in active/active mode with JSRP.
- Virtual Chassis technology enables up to 10 EX4200 switches to create a single chassis-like platform that can be monitored and managed as a single device.
See the Branch Office Reference Architecture for more details.
Customer example: PricewaterhouseCoopers
Branch office architecture – branch office with WXC Series capabilities
[Figure: branch with two J Series edge routers (integrated WX module), two SRX security gateways, an EX Virtual Chassis with PoE, an Avaya VoIP gateway with PSTN, access point, local printer and a WX client; links over the Private WAN (MPLS) and Internet to the Data Center and the NOC (STRM, NSM Express)]
Connectivity:
- MPLS L2/L3 tunnels to DC
- Integrated WX module card in J Series
- Integrated 3G wireless
- End-to-end QoS including CoS, cRTP, LFI for xDSL
- Integrated Avaya VoIP gateway with PSTN interfaces
- VoIP phone and terminal auto-sense
Security:
- Adaptive Threat Management for malicious web-conferencing and file-sharing between OCS clients
- Integrated Security/VPN/WX & VoIP services
- IPS, UAC & UTM
- Full UAC IE support as 802.1X enforcer
- Personal firewall
Management:
- NSM, STRM, J-Web & CLI management
- JUNOS Software
The branch profile with WXC capabilities consists of two edge routers, two security gateways, and two or more Ethernet switches. They are interconnected via a fully-meshed topology, as the figure describes. WAN connections to the DC use both Internet and private WAN connectivity. This profile provides a higher level of performance and availability and is designed to support diverse requirements for services such as VoIP, video, etc. Also, some of these types of branch office may be directly on the MPLS network. In addition to network segmentation and/or separate networks, these branch offices may host some local servers and services, which drives the need to create a separate server LAN. Please see the Branch Office Reference Architecture Guide for more details.
HQ/Campus architecture – 2 tier
[Figure: core tier with EX8200 or MX Series core switches, SRX3000 security gateways, M Series edge routers, standalone IDP, Intranet Controller, SA Series and local servers; access tier in Building 1 and Building 2 with EX4200 Virtual Chassis, PoE, access points and local printers; WX acceleration; links to the Internet, the Private WAN, the Data Center and the NOC (STRM, NSM Express)]
Connectivity:
- Access switches with Virtual Chassis
- LLDP-MED for auto phone detection
- L3 to the edge, or L2 STP/RSTP
- GbE uplinks, upgradable to 10 GbE
- GVRP auto VLAN pruning
- Local WAN acceleration
Security:
- Adaptive Threat Management
- Full UAC supplicant
- Standalone IDP
- Web filtering, Anti-Virus, Anti-Spam
- ALG for VoIP security
Management:
- NSM, STRM, J-Web & CLI management
- Unified open management
The 2-tier campus profile consists of multiple floors/buildings in a location and includes two edge routers, two security gateways, and two or more Ethernet switch Virtual Chassis to form a campus access/core topology. The core Ethernet switches, security gateways and edge routers are interconnected via a fully-meshed topology. WAN connections to the DC use both Internet and private WAN connectivity. This profile provides the highest level of performance and availability and is designed to support diverse requirements for services such as VoIP, video, etc. Also, most of these types of campus may be directly on the MPLS network. In addition to network segmentation and/or separate networks, these campus deployments may host some local servers and services, which drives the need to create a separate server LAN.
Customer example: typically the Campus/HQ of a smaller enterprise such as Darden Restaurants (parent company of Red Lobster)
Distributed switch architecture for multi-building campus
[Figure: deployment example – EX4200 Virtual Chassis in Admin Bldg 1, Lab Bldg 2, Classroom Bldg 3, Classroom Bldg 4 and Recreation Bldg 5, joined in a GbE/10GbE VCP ring, with 1GbE uplinks to two MX Series WAN routers; one Virtual Chassis to manage for the entire campus]
- GbE/10GbE VC ring deployed in a campus or within a building
- Utilizes the same MM fiber
- One-switch LAN: 1 to manage, 1 to upgrade, 1 software version
- No L2 loop, no STP required
- High availability: redundant power/cooling, redundant switch fabric, sub-second convergence in case of device/link failure
- Integrated access security
- Integrated QoS for voice/video/data
This is a ring topology for deploying a distributed switch architecture in a multi-building HQ/campus environment. It provides both link and device redundancy in case of failure, improves performance by eliminating L2 loops as well as STP, and simplifies management with Juniper Networks EX4200 line Virtual Chassis technology.
Typical campus 3 tier LAN connectivity
[Figure: LAN Access tier of EX4200 Virtual Chassis (10/100/1000BASE-T to VoIP phones and PCs, GbE and 10 GbE LAG uplinks) into a LAN Aggregation/Core tier of EX8200 or MX Series, with WAN connectivity to the HQ DC and Remote DC(s); security and management elements shown: ISG/IDP, SBR, IC Series, STRM500, NSM Xpress, M Series]
LAN Access (EX4200): oversubscription common; PoE; Layer 2/3; NAC/UAC access security; auto detect/config; QoS boundary.
LAN Aggregation/Core (EX8200): no oversubscription; redundant power/cooling; redundant control plane and fabric; Layer 3; QoS enforcement; collapsed or 2-tier. MX Series for advanced routing features such as MPLS/VPLS, low latency multicast, etc.
LAN connectivity for a typical 3-tier campus architecture. Typically the EX8200 is used in the LAN aggregation layer, but where MPLS or VPLS functionality is required the MX Series would be the preferred choice.
Distributed enterprise architecture – HQ/campus (2-tier) and DC co-located
[Figure: end-to-end view – SOHO (SRX, PSTN), Remote Office (EX2200/3200, SRX, access point, local printer, PSTN) and Branch Office (EX4200 Virtual Chassis, SRX pair, local server, PSTN) connected over the Private WAN (MPLS, ATM) and the Internet; HQ/Campus with an access tier (EX4200 Series Virtual Chassis, PoE, access points, local printers, media, security camera) in Building 1 through Building N and a core/aggregation tier (EX8200 or MX Series) co-located with the Data Center (SRX3000, SRX5800, M Series edge routers, ISG/IDP, SA Series, IC Series, WX Series/WXC Series, local servers, Communications Manager, OCS and servers, NSM, STRM) on the Enterprise Own Core]
This is a reference architecture for a 2-tier campus. In medium size enterprises, a typical campus has around 400 connections (PC, VoIP phone, etc.) per building and possibly a couple of buildings. This type of campus network is normally located in the same physical location as the Data Center, and the north-bound traffic can be backhauled from the enterprise Core backbone network to the DC and critical branches.
Distributed enterprise architecture – HQ/campus (3-tier) and DC separated
[Figure: end-to-end view – SOHO, Remote Office and Branch Office (EX2200/EX3200, EX4200 Virtual Chassis, SRX gateways, local servers, PSTN, VLAN trunk) connected over the Private WAN (MPLS, ATM) and the Internet; HQ/Campus with an access tier (EX4200 Line Virtual Chassis, PoE, access points, local printers, media, security camera) in Building 1 through Building N, an aggregation tier and a core tier (EX8200 or MX Series, Intranet Controller, SA Series, IDP, WX/WXC), its own M Series edge routers and SRX perimeter firewalls and a DMZ zone; a separate Data Center (SRX3000, SRX5800, M Series, ISG/IDP, IC Series, SA Series, WX Series/WXC Series, local servers, Communications Manager, OCS and servers, NSM, STRM)]
This is a reference architecture for a 3-tier campus. This type of campus network is normally located in a separate physical location from the Data Center, with its own edge routers and perimeter firewalls. Internet traffic can use split tunneling. See the following HA use cases for more details about split tunneling.
HA use case 1 – internet backhaul only
Products: SRX210, M Series, ISG/SRX, MX Series, Virtual Chassis
[Figure: SOHO (SRX), Branch Office (SRX Series, EX4200 Virtual Chassis) and HQ/Campus (SRX Series, M Series) connected over the WAN to the Data Center (M Series, SRX Series, ISG Series, IDP Series, IC Series, SA Series, NSM Series, STRM Series, NOC), which provides the only path to the Internet]
1. All traffic sent from the branch office passes through the WAN to the DC in an IPSec tunnel.
2. Internet traffic is backhauled into the DC and then flows to the Internet from the DC.
3. The IPSec tunnel that connects branch and DC can run on top of a leased line, or an MPLS L3 or L2 VPN.
4. This SOHO office or retail store profile only has an Internet or managed services link to increase revenue.
5. This use case primarily applies to branches where saving costs is paramount.
In the following three HA use case slides, we explain how branch offices relate to the following specific use cases.
Internet/PTP/WAN (backhaul only): In this configuration, traffic sent from the branch office passes through the WAN to headquarters before being sent to its final destination, the Internet. This scenario is an example of one of the most traditional methods of branch office communication, in which all traffic is backhauled into headquarters, starting from the branch office and moving to its final destination, the Internet.
Technical recommendations: Integrated VPN and routing capabilities in the devices are critical in this use case because traffic that is leaving the branch goes over IPSec through the Internet into the VPN head end and out to the Internet. The device should be capable of not blocking any traffic to the Internet in case of a VPN tunnel failure. Additionally, in this circumstance the device should be able to make different routing decisions based on the availability of different links. This approach can be applied to all branch types where saving costs is paramount. See Implementing High Availability at the Branch Office for more details.
HA use case 2 – internet as backup
Products: EX Series, SRX210, M Series, ISG/SRX, MX Series, Virtual Chassis
[Figure: SOHO, Branch Office and HQ/Campus as in use case 1; a primary path over the private WAN and a secondary path over the Internet, both terminating in the Data Center]
1. Traffic from the branch office takes the primary route to the DC through the P-WAN over an IPSec VPN tunnel.
2. Internet traffic to the DC goes through the primary route and then flows to the Internet from the DC.
3. The IPSec tunnels that connect branch and DC run primarily on a leased line or MPLS VPN.
4. The secondary path goes through the Internet over IPSec to the DC.
5. Security on ISDN or xDSL with integrated VPN and routing capabilities.
6. Most relevant use case where cost effectiveness and security are both critical.
PTP/WAN and Internet backup: In a PTP/WAN and Internet backup configuration, traffic flows to headquarters through either the primary (1) or the secondary (2) route. The primary route goes to headquarters through the private WAN over IPSec into headquarters and on to its final destination, the Internet. The secondary route goes through the Internet over IPSec to the headquarters/corporate server and on to the Internet.
Technical recommendations: Integrated VPN and routing capabilities in the devices are critical in this use case because traffic that is leaving the branch goes over IPSec through the Internet into the VPN head end and out to the Internet. The device should be capable of not blocking any traffic to the Internet in case of a VPN tunnel failure. Additionally, in this circumstance the device should be able to make different routing decisions based on the availability of different links. This scenario is most relevant where cost effectiveness and security are critical. See Implementing High Availability at the Branch Office for more details.
HA use case 3 – internet and PTP split tunnel
Products: EX4200, EX8200, SRX, M Series, ISG/SRX, MX Series, Virtual Chassis
[Figure: SOHO, Branch Office and HQ/Campus as before; a primary path over the private WAN and a secondary path over the Internet to the Data Center, plus direct Internet access from the site]
1. Traffic from the distributed HQ/campus to the DC goes through the primary route, P-WAN over IPSec.
2. Internet traffic in this case is backhauled via the DC to the Internet.
3. Traffic to the DC goes through the secondary route, Internet over IPSec.
4. Internet traffic flows directly to the Internet.
5. IPSec tunnels that connect branch and DC run primarily on DS3 or MPLS L2/L3 VPN, secondary on T1, etc.
6. Most comprehensive scenario, where best-in-class security and connectivity are required.
Internet and PTP split tunnel: In this configuration, traffic can flow on the primary or secondary route (and then be backhauled) or directly to the Internet. The following steps describe the flow options in this scenario in detail. Traffic can flow from the branch office directly to the Internet and then on to headquarters through the secondary route. Traffic in this case is backhauled and flows from the branch office through the PWAN (T1) over IPSec to headquarters and then on to the Internet (the second form of Internet access). Traffic flows from the branch office directly to the Internet; an example is employees who might be forced to access their Gmail account (Internet) because the headquarters server is down.
Technical recommendations: Integrated VPN and routing capabilities in the devices are critical in this use case because traffic that is leaving with the VPN head-end network as its destination travels through IPSec over the Internet into the VPN head end. Application-level gateways are critically important at this point. Unified Threat Management functionality should be implemented because this branch is practically an entry point into the enterprise; hence, any traffic that enters the branch perimeter will effectively enter the enterprise network. This is the most comprehensive scenario, in which the branch office must take advantage of best-in-class security and connectivity technologies.
All branch offices can appropriately utilize this scenario because of cost effectiveness and business functionality, for example stock and bank transactions.
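The three HA use cases share one recommendation: the branch device must make different routing decisions depending on which links are up, and in the split-tunnel case the locally-breaking-out traffic turns the branch into an Internet entry point that needs UTM inspection. The following is an added illustration of that decision logic, not Juniper code and not a JUNOS feature; the scenario names, path names, link-state dictionary and the candidate-path ordering are assumptions made for the example, derived from the flow descriptions on the three slides.

```python
"""Egress path selection for the three branch HA use cases above.

Added illustration, not Juniper code and not a JUNOS feature: a small policy
model of how a branch device picks an egress path per scenario and per
destination class, falling through to the next candidate when a tunnel or
link is down.  Scenario names, path names and the link-state dictionary are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Path names used by the model (assumed for the example):
#   pwan_ipsec      IPSec tunnel to the DC over the private WAN / leased line / MPLS
#   internet_ipsec  IPSec tunnel to the DC over the Internet
#   internet_direct local Internet breakout from the branch (no tunnel)
PATH_POLICY: Dict[str, Dict[str, List[str]]] = {
    # Use case 1: everything rides the IPSec tunnel to the DC; Internet-bound
    # traffic is only let out locally if the tunnel is down (the slide's
    # "do not block Internet traffic on tunnel failure" recommendation).
    "backhaul_only": {
        "enterprise": ["internet_ipsec"],
        "internet": ["internet_ipsec", "internet_direct"],
    },
    # Use case 2: private WAN tunnel is primary, Internet tunnel is backup.
    "internet_backup": {
        "enterprise": ["pwan_ipsec", "internet_ipsec"],
        "internet": ["pwan_ipsec", "internet_ipsec", "internet_direct"],
    },
    # Use case 3: enterprise traffic uses the tunnels, Internet traffic breaks
    # out locally and is only backhauled if local breakout is unavailable.
    "split_tunnel": {
        "enterprise": ["pwan_ipsec", "internet_ipsec"],
        "internet": ["internet_direct", "pwan_ipsec", "internet_ipsec"],
    },
}


@dataclass(frozen=True)
class Decision:
    path: Optional[str]       # chosen egress path, None if the flow is blackholed
    inspect_at_branch: bool   # local breakout makes the branch an Internet entry point


def select_path(scenario: str, destination: str, link_up: Dict[str, bool]) -> Decision:
    """Pick the first available candidate path for this scenario/destination."""
    for path in PATH_POLICY[scenario][destination]:
        if link_up.get(path, False):
            # Traffic that leaves directly must be UTM-inspected at the branch;
            # backhauled traffic is inspected at the DC head end.
            return Decision(path, inspect_at_branch=(path == "internet_direct"))
    return Decision(None, inspect_at_branch=False)


def blackholed(scenario: str, link_up: Dict[str, bool]) -> List[str]:
    """Destination classes with no usable path right now (an outage worth alerting on)."""
    return [dst for dst in PATH_POLICY[scenario] if select_path(scenario, dst, link_up).path is None]


def failover_trace(scenario: str, destination: str, events: List[Dict[str, bool]]) -> List[Optional[str]]:
    """Replay a sequence of link-state snapshots and record the path chosen each time."""
    return [select_path(scenario, destination, state).path for state in events]


if __name__ == "__main__":
    all_up = {"pwan_ipsec": True, "internet_ipsec": True, "internet_direct": True}
    pwan_down = dict(all_up, pwan_ipsec=False)
    tunnels_down = dict(pwan_down, internet_ipsec=False)
    for scenario in PATH_POLICY:
        print(scenario)
        for dst in ("enterprise", "internet"):
            print("  ", dst, failover_trace(scenario, dst, [all_up, pwan_down, tunnels_down]))
        print("   blackholed when both tunnels are down:", blackholed(scenario, tunnels_down))
```

The trace makes the difference between the use cases visible: with both tunnels down, enterprise-bound traffic is blackholed in every scenario (a condition the branch should alarm on), while Internet-bound traffic survives only because of the local breakout, which is exactly the path that moves the UTM inspection point from the head end to the branch.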
AdTM use case 1 – adaptive protection for insider threat (branch user)
Products: UAC, IDP, EX4200, SRX, M Series, STRM, NSM
[Figure: a remote user and a branch office (SRX Series, EX4200 Series) connected over the Internet and M Series routers to HQ/Campus and the Data Center (SRX 5000 Line, IC Series Infranet Controller, IDP Series, ISG Series, SA Series, STRM Series, NSM Express, NOC); end-user notification "Your computer has been quarantined..."]
Benefits:
- Real-time, enterprise-wide threat mitigation
- Proactively quarantines malicious user or host
- Adaptive protection from day-zero attacks
- Streamlines compliance
Flow:
1. An employee at a branch logs in and authenticates to the IC.
2. The employee launches an attack on the FTP server.
3. The IDP in the DC detects the attack and signals the IC.
4. The IC changes the access policy on the branch SRX (L3) / EX (L2).
5. The policy is applied at the branch office.
6. The user is contacted for remediation.
Infranet Enforcers: SRX (L3 enforcement) or EX (L2 enforcement) switches.
IDP can identify network threats and signal the IC; the IC can narrow the threat to a specific user or device and then executes a configurable policy action:
- Quarantine user or device by VLAN
- Change roles to deny access
- Terminate user session
- Disable user session until re-enabled by administrator
- Log only
This ties access control to actual traffic in addition to user identity and endpoint integrity.
In detail:
1) The user logs into the IC, passes the end-point assessment, is placed in the compliant role and placed in the appropriate enterprise VLAN.
2) Now the user turns malicious and launches a "format string" attack on the FTP server in the data center. The FTP server is a protected entity and is being monitored by the IDP.
3) The IDP detects the attack and signals the IC via the CTC, and the IC changes the policy on the SRX/EX (whichever is designated as the Infranet Enforcer).
4) The user is placed in a remediation VLAN.
5) All this activity is logged to the STRM and the information is correlated as an offense; the integration between the IC and the EX is carried out through the NSM.
AdTM use case 2 – adaptive protection for insider threat (campus user)
Products: UAC, IDP, EX4200, SRX/SSG, M Series, STRM and NSM
[Figure: the same topology as use case 1, with the user on the campus; end-user notification "Your computer has been quarantined..."]
Benefits:
- Real-time, enterprise-wide threat mitigation
- Proactively quarantines malicious user or host
- Adaptive protection from day-zero attacks
- Streamlines compliance
Flow:
1. The campus user connects through the IC in the campus.
2. The attack is launched.
3. The IDP detects the attack.
4. The IDP communicates to the IC & STRM.
5. The user is quarantined.
6. The STRM reports the attack.
Infranet Enforcers: SRX 3000 or EX Series.
In detail:
1) The user logs into the IC, passes the end-point assessment, is placed in the compliant role and assigned to the enterprise VLAN.
2) Now the user turns malicious and launches a "format string" attack on the FTP server in the data center. The FTP server is a protected entity and is being monitored by the IDP.
3) The IDP detects the attack and signals the IC via the CTC, and the IC changes the policy on the SRX/EX (whichever is designated as the Infranet Enforcer).
4) The user is placed in a remediation VLAN.
5) All this activity is logged to the STRM and the information is correlated as an offense; the integration between the IC and the EX is carried out through the NSM.
AdTM use case – guest access/insider threat protection
- Ensure only the "right" people can access your network, and your sensitive applications and data
- Verify the identity and role of individuals before allowing them to access your network, applications, and data
- Limit guest user access; for example, establish that guest users may only access the Internet
- Prevent infected devices from accessing and contaminating your network
- Detect anomalous or malicious network behavior on your network and take fast, explicit action against these threats – before they propagate
- STRM – log and report on who is accessing specific applications, and when
- NSM – manage the entire solution via NSM
Dynamic threat management – leverage IDP for dynamic user quarantine
- IDP can identify network threats and signal the IC
- IC can narrow the threat to a specific user or device
- IC then executes a configurable policy action:
  - Quarantine user or device by VLAN
  - Change roles to deny access
  - Terminate user session
  - Disable user session until re-enabled by administrator
  - Log only
- Ties access control to actual traffic in addition to user identity and endpoint integrity
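The two AdTM use cases and this slide describe one closed loop: the IDP sees the attack on the wire, the IC correlates the offending address to an authenticated session, picks one of the five configurable actions, pushes the change to whichever device is the Infranet Enforcer, and the whole event is logged for STRM correlation. The model below is an added illustration of that loop, not Juniper code and not the IC's real API; the class names, the constructed sessions, the signature names, the enforcer rule strings and the log line format are assumptions made for the example.

```python
"""IDP-driven dynamic quarantine through the Infranet Controller (IC).

Added illustration, not Juniper code: the IDP raises an alert, the IC maps
the offending address to an authenticated session, applies one of the five
configurable policy actions, pushes the resulting rule to the designated
Infranet Enforcer (SRX for L3, EX for L2) and records the event for STRM.
Class names, sample sessions, signature names and the log format are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    QUARANTINE_VLAN = "quarantine-vlan"   # move user/device to the remediation VLAN
    DENY_ROLE = "deny-role"               # change role so all access is denied
    TERMINATE = "terminate"               # drop the user session
    DISABLE = "disable"                   # disable until re-enabled by an administrator
    LOG_ONLY = "log-only"


@dataclass
class Session:
    user: str
    ip: str
    mac: str
    role: str
    vlan: int
    enforcer: str              # "ex" (L2 enforcement) or "srx" (L3 enforcement)
    active: bool = True
    disabled: bool = False


@dataclass(frozen=True)
class IdpAlert:
    signature: str             # constructed signature name, e.g. "FTP:FORMAT-STRING"
    src_ip: str
    dst_ip: str


@dataclass
class InfranetController:
    sessions: Dict[str, Session]                      # keyed by endpoint IP
    actions: Dict[str, Action]                        # signature -> configured action
    remediation_vlan: int = 999
    enforcer_rules: Dict[str, List[str]] = field(default_factory=dict)
    strm_log: List[str] = field(default_factory=list)

    def handle_alert(self, alert: IdpAlert) -> Optional[str]:
        """Correlate an IDP alert to a session and enforce the configured action.

        Returns the affected user, or None if the address has no known session.
        """
        sess = self.sessions.get(alert.src_ip)
        if sess is None:
            # No session behind this address: nothing to enforce, but still record the offense.
            self._log(alert, "unknown", "none", Action.LOG_ONLY)
            return None
        action = self.actions.get(alert.signature, Action.LOG_ONLY)
        self._enforce(sess, action)
        self._log(alert, sess.user, sess.enforcer, action)
        return sess.user

    def _enforce(self, sess: Session, action: Action) -> None:
        """Mutate the session state and push the matching rule to its enforcer."""
        if action is Action.QUARANTINE_VLAN:
            sess.vlan = self.remediation_vlan
            # L2 enforcer re-maps the MAC to a VLAN; L3 enforcer moves the host to a zone.
            rule = (f"assign {sess.mac} to vlan {sess.vlan}" if sess.enforcer == "ex"
                    else f"move {sess.ip} to quarantine zone")
        elif action is Action.DENY_ROLE:
            sess.role = "denied"
            rule = f"role denied for {sess.ip}: drop all"
        elif action is Action.TERMINATE:
            sess.active = False
            rule = f"clear session {sess.ip}"
        elif action is Action.DISABLE:
            sess.active, sess.disabled = False, True
            rule = f"clear session {sess.ip}; hold until admin re-enable"
        else:
            return                                     # log-only: no enforcer change
        self.enforcer_rules.setdefault(sess.enforcer, []).append(rule)

    def _log(self, alert: IdpAlert, user: str, enforcer: str, action: Action) -> None:
        self.strm_log.append(
            f"offense sig={alert.signature} src={alert.src_ip} dst={alert.dst_ip} "
            f"user={user} enforcer={enforcer} action={action.value}")


def demo_controller() -> InfranetController:
    """Constructed sample state: two branch users behind an EX enforcer, one behind an SRX."""
    sessions = {
        "10.20.1.15": Session("alice", "10.20.1.15", "00:11:22:33:44:55", "employee", 100, "ex"),
        "10.20.1.16": Session("bob", "10.20.1.16", "00:11:22:33:44:66", "employee", 100, "ex"),
        "10.30.5.7": Session("carol", "10.30.5.7", "00:11:22:33:44:77", "contractor", 200, "srx"),
    }
    actions = {"FTP:FORMAT-STRING": Action.QUARANTINE_VLAN, "HTTP:SQL-INJECTION": Action.TERMINATE}
    return InfranetController(sessions, actions)


if __name__ == "__main__":
    ic = demo_controller()
    ic.handle_alert(IdpAlert("FTP:FORMAT-STRING", "10.20.1.15", "10.1.0.21"))
    ic.handle_alert(IdpAlert("SSH:BRUTE-FORCE", "10.30.5.7", "10.1.0.22"))   # no action configured
    ic.handle_alert(IdpAlert("FTP:FORMAT-STRING", "192.0.2.9", "10.1.0.21"))  # no session behind IP
    print("\n".join(ic.strm_log))
    print(ic.enforcer_rules)
```

Two properties of the design are worth noting for a detection engineer: the quarantine is scoped to the one session the IDP implicated (bob on the same EX switch is untouched), and every alert, including those with no session to act on, still produces an STRM record, so the "log only" path is not a silent drop.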
Juniper UTM in the distributed enterprise
[Figure: Enterprise Branch and Enterprise HQ / Data Center head-ends with the Internet between them; UTM functions at each head-end – Anti-Virus, Web Filtering/Web Security, Intrusion Detection & Prevention, Content Filtering, Anti-Spam]
- Secure against Internet threats (inbound)
- Secure the Internet against threats in the branch (outbound)
- Secure the enterprise WAN/VPN from the branch (outbound and inbound)
The security solution at the branch office must not only stop attacks at each layer (network, application and content), it also needs to stop both inbound and outbound threats. UTM security features should come as an integrated function of the branch services gateway equipment, enabling a business to protect itself from worms, spyware, trojans and malware. This can be done by implementing a comprehensive set of security features that includes antivirus (anti-spyware, anti-adware, anti-phishing), anti-spam, Web filtering, deep inspection, as well as intrusion detection/prevention (IDP).
31
UTM on JUNOS Anti-Virus – Kaspersky
- Protect against viruses in email (SMTP, POP, IMAP protocols), webmail (HTTP) and FTP traffic
- Integrated AV engines and virus signature databases – updated periodically, available via AV subscription license
- Express AV (SRX only, not J Series) – packet-based, high-speed AV solution (HW acceleration) – NEW
- Full AV – file-based, high-detection AV solution
Web Filtering – Websense / SurfControl
- Control (allow/deny) access to websites based on URL category
- Off-box (in-the-cloud or on-premise) URL servers/databases
- Integrated WF – hosted 40-category SurfControl solution, available via WF subscription
- Redirect WF – on-premise Websense solution with web security; purchase direct from Websense
32
UTM on JUNOS (cont ...) Anti-Spam – Symantec Content Filtering – NEW
Anti-Spam – Symantec
- Stop spam based on IP address / reputation of sender
- Off-box spam blacklist database – Symantec SBL / RBL (Spam / Real-time Block List) – available via AS subscription license
Content Filtering – NEW
- Provides basic DLP (Data Loss Prevention) functionality: filters traffic based on file/MIME type, file extension and protocol commands; keyword matching expected in the future
Intrusion Detection and Prevention (IDP)
- Fully integrated, comprehensive signature- and anomaly-based solution that matches the stand-alone IDP solution
- Hardware scanning and acceleration (SRX only, not J Series)
- Service is available via IDP subscription license
33
Unified communications enablement in the distributed enterprise
Products: Microsoft OCS 2007, IP phones, SRX 210, UAC, IDP, M Series, EX4200/EX8200, J Series, MX Series
[Diagram: remote user, branch office, HQ/campus and data center topology with callouts 1–5; device labels: SRX 3000, SRX 210, WX/WXC Series, EX2200/3200 (PoE for VoIP phones), EX Series, M Series, PSTN, ISG Series, SA Series, IDP Series, EX4200, IC Series, Microsoft OCS and other servers; callouts: 1 VoIP deployment, 2 end-to-end QoS, 3 cRTP/LFI for RTP voice packets, 4 security for VoIP applications, 5 JUNOS software]
The slide demonstrates that the Distributed Enterprise Network is able to support any UC solution in a secure environment. It also shows:
1. General VoIP/UC deployment in the distributed enterprise network.
2. Call control (Microsoft OCS) is placed in the secure data center environment.
3. EX Series provides the access-level QoS and PoE.
4. End-to-end QoS along with compression on the WAN router is supported.
5. All Juniper devices are JUNOS based.
Review the UC implementation guide in the DE for additional details on this use case.
34
Key functions and components for UC enablement
UC Functions
- Connectivity – branch, data center and campus LAN
- WAN access – MPLS/VPLS for end-to-end QoS
- Network access control (PCs, IP phones etc.)
- Firewall/VPN security for UC
- SSL VPN for remote/mobile user access to voice/video communications
Convergence Components
- EX Series (PoE and Enforcer)
- MX Series (MPLS, QoS, HA)
- M Series (QoS, HA)
- J Series (cRTP, QoS, LFI)
- ISG and NS firewalls/VPN
- SSG
- IDP
- SSL
- IC
35
UC use cases with Microsoft OCS
Components
- Auto-sense configuration: EX2200/3200/4200 (full or partial PoE ports)
- End-to-end QoS: EX2200/3200/4200 (QoS); J Series (cRTP, QoS, LFI); MX (QoS, MPLS traffic engineering); M Series (QoS)
- VoIP security: deep inspection with IDP; IPsec/FW, VLAN for voice; IDP, SSG, SRX
Details about the UC use case with Microsoft OCS 2007 R2 version.
36
Use case: WAN acceleration deployment with WX/WXC in the distributed enterprise
[Diagram: branch office (SRX Series, J Series, WX Series, WX Client), Internet and intranet/extranet, data center (WXC, WX Series, CMS, SA Series), mobile employees (remote WX Client), partners and contractors]
- WX client in small to medium branch office or remote user
- WXC module in medium to large branch office
- WX appliance in the HQ/campus or data center
37
Agenda
- What’s Happening and Juniper’s Vision
- Distributed Enterprise Reference Architecture
- Consistent Functionality Across All Locations
- HA, AdTM, and UC Solution Use Cases
- Juniper Advantages – Competitive Analysis
38
Juniper distributed enterprise value proposition
IT services without boundaries at lower TCO: Connect, Secure, Manage, Lower TCO
We are consistent, efficient and open in our architecture, implementation and operations. This gives tremendous TCO advantages through operational simplicity while preserving freedom of choice and flexibility for the customer. Plus we have a comprehensive portfolio at lower TCO.
Comprehensive portfolio (two entries flagged NEW on the original slide): Virtual Chassis, WX Series / WXC Series, SRX Series, NSMXpress, STRM Series, EX8200 Series, IC Series, ISG/IDP, SSL VPN, MX Series
39
Distributed ROI highlights to be used…
Connect
- 44% savings from optimized network design (VC, DS)
- 30% savings by offering Layer 3 in base licenses
- 38x improvement in per-hop latency
- 27% reduction in network downtime (Forrester report)
- 41% increase in network stability/reliability (Forrester report)
Secure
- 7x flow sources accepted (STRM)
- 2x+ devices supported (STRM)
- 80% data reduction of logs (STRM)
- 4x anomaly detection accuracy (STRM)
- 3x application awareness (STRM)
- 3x forensics (STRM)
- 3x reporting capabilities (STRM)
Manage
- 41% savings with JUNOS (Forrester report)
- 40% decrease in time to resolution (Forrester report)
- 25% reduction in cost to deploy (Forrester report)
40
Using highlights on previous slide – savings
Typical configuration (4500 users): one headquarters with 1800 users; three regional offices with 500 users each; seven district offices with 100 users each; fifty small offices of 10 users each.

Savings summary                         Juniper     Cisco       Savings
Total list price                        $2.35M      $3.62M      up to 35% CAPEX
Maintenance and support costs           $53.7k      $105.4k     up to 49% support
Operating systems (time to manage)      JUNOS       IOS         up to 25% OPEX

Per-site detail, JNPR vs. CSCO (several values are cut off in the source and shown as they appear; the per-row savings percentages did not survive)
Site                           Item         JNPR          CSCO
1 campus, 1800 users           total        $986,800      $1,503, (cut off)
3 remote sites, 500 users      router/ea    $15,000       $22,895
                               LAN/ea       $224,800      $434,250
                               total/ea     $239,800      $457,145
                               all sites    $719,400      $1,371, (cut off)
7 remote sites, 100 users      router/ea    $5,000        $5,395
                               LAN/ea       $30,800       $33,190
                               total/ea     $35,800       $38,585
                               all sites    $250,600      $270, (cut off)
50 remote sites, 10 users      per site     $5,050        $3,795
                               all sites    $252,500      $189, (cut off)
Total                                       $2,209,300    $3,334, (cut off)

Juniper solution: EX Series switches + UAC + NSM + STRM + AIS + JUNOS
Cisco solution: Catalyst switches + ISR + NAC + CSM + SCH + IOS
Source: publicly available data sheets, price lists, Lake Partner study
41
JUNOS simplifies distributed enterprise network
Services without Boundaries – Connect, Secure, Manage
Router, switch, firewall, network management and OS comparison

Cisco
Function      Product                              OS                                Number of release trains
Switch        Catalyst                             IOS-SX, IOS-mainline, CAT-OS      Too many, inconsistent
Router        ASR, ISR / 7200                      IOS-XE, IOS-mainline              Too many, inconsistent
Security      ASA 55xx, FWSM/VPNSM, IPS            PIX-OS 8.x, PIX-OS 7.x, Linux     Too many, inconsistent
Management    CW, CSM (manage IOS devices);        (per managed device)              Too many, inconsistent
              DM, MC (manage CatOS, IPS OS)

Juniper
Function      Product                              OS        Number of release trains
Switch        EX Series                            JUNOS     1
Router        MX / M Series                        JUNOS     1
Security      SRX                                  JUNOS     1
Management    NSM / STRM (manage all elements)     JUNOS     1
42
Branch competitive analysis – Juniper vs. Cisco
Juniper’s Advantages
- Integrated functionality: fewer devices, simplified deployment
- Virtual Chassis in the large branch
- Unified network management and monitoring: fewer OSs to learn/maintain; UTM features managed with NSM/STRM; network topology and provisioning support
- Lower TCO
- JUNOS: single OS, highly reliable
- UC competitive – freedom of choice: support for 8 QoS queues on EX3200/4200 versus 4 in Catalyst 3560E; support for standard power over full clustering on all PoE ports concurrently; PoE support on all models including the T-model; redundant power supply in EX switches for PoE
- Juniper network management (NSM and STRM) vs. Cisco network management (CiscoWorks IPS MC + CatOS DM + CSM Suite + MARS + separate UTM TrendMicro AV server): many disparate pieces to manage branches
[Diagram: NOC with STRM and NSM Xpress; data center with EX Series and SRX Series; branches with SRX Series]
This slide shows how Juniper’s Distributed Enterprise solution solves the problems enterprises are facing, compared with the Cisco deployment.
- Juniper small branch: SRX branch services gateway (integrated FW/VPN services with full IPS capability)
- Juniper remote office: J Series/SRX + EX4200 Virtual Chassis
- Cisco small branch: ASA or FW software + ISR + VPN module + IPS module
- Cisco remote site: ASA + ISR + VPN module + IPS module + Catalyst switches
43
Campus competitive analysis – Juniper vs. Cisco
Juniper campus solution: SRX + M Series + EX (EX4200 Virtual Chassis with PoE at the access layer; EX8200 or MX Series and M Series at the core/aggregation; SRX 3000 and SRX Series at the DMZ; local servers)
Cisco campus: ASA + Catalyst core + aggregation + access switches + FW module + VPN module + IPS module
Juniper advantage
- Simplified campus core: fewer devices with higher performance
- Simplified operation: JUNOS single OS, highly reliable; unified management
- High-performance services: enablement of services without performance degradation; lower latency; robust features
- Lower TCO
Juniper Networks’ campus solution simplifies the campus core network, and consequently simplifies operations, with high-performance services as below:
- Enablement of services without performance degradation
- Lower latency
- Robust features
Juniper small branch: SRX service gateway (integrated FW/VPN services with full IPS capability)
Juniper remote office: SRX + EX4200 Virtual Chassis
Cisco small branch: ASA or FW software + ISR + VPN module + IPS module
Cisco remote site: ASA + ISR + VPN module + IPS module + Catalyst switches
44
One box convenience – more functionality in a box
SRX (less CAPEX $, less OPEX $/mo) = FW + VPN + IPS + AV + Anti-Spam/Spy + Web Filter + WAN + NAC L3 + NAC L2 802.1x + WiFi 802.11 a/b/g
ASA + ASA + ISR (more CAPEX $, more OPEX $/mo)
Policy issue on ASA: a copy of the ACL is installed on every new interface that is activated on the device
45
Competitive comparison: EX4200 vs. Cisco Catalyst 3750 / 3750E
(Roadmap items were marked with a symbol on the original slide; the per-feature check marks did not survive extraction.)
Feature                 EX4200 VC    Cat 3750 stackable    Cat 3750E stackable
Backplane capacity      128 Gbps     32 Gbps               64 Gbps*
Also compared (values not recoverable): Virtual Chassis extension (via 10GbE); dedicated master & standby Route Engine**; Graceful Route Engine Switchover (GRES); non-stop routing (NSR); in-service software upgrade (ISSU); field-swappable PSU; redundant & hot-swappable internal PSUs; field-serviceable fan tray with redundant fans; MPLS & GRE tunnel PFE hardware support; LCD device management interface; uses chassis module config & numbering
*Combined stack of 3750 and 3750E reduces bandwidth to 32 Gbps
**Master and backup RE on Cat 3750E syncs only MAC and IP addresses and NOT the L2/L3 protocol database and states
46
Juniper EX8200 vs. Cisco Cat 6500
Features / Products                       EX8208       Cat 6509
Switching capacity                        6.2 Tbps     720 Gbps
I/O slots with redundant RE / SF          8            7
Max PPS throughput per system             952 Mpps     450 Mpps ($$$, requires DFC3)
Maximum throughput per line card          120 Mpps     60 Mpps ($$$, requires DFC3)
64-byte throughput per line card          120 Mpps     44 Mpps ($$$, requires DFC3)
10 GbE ports wire rate per system         64           32
10 GbE ports wire rate per slot           8            4
GbE ports wire rate per system            384          284
GbE line-rate ports / slot                48           40
GbE oversubscribed ports / slot           N/A          48
47
Juniper EX8200 vs. Cisco Cat 6500 (continued)
Features / Products              EX8208    Cat 6509
MAC addresses                    256K      96K
VLANs                            4K        4K
IPv4 unicast routes              512K      1M
IPv4 multicast routes            16K       256K
Link Aggregation Groups          255       128
Max member ports per LAG         12        8
Number of queues per port        8         1 to 8 depending on the line card
48
Juniper MX960 vs. Cisco 7600 Services Router
System capacity                                   MX960 (12 slots)               Cisco 7600 (9 slots)
Total fabric capacity                             960 Gbps (480 full duplex)     720 Gbps (360 full duplex) (280 Gbps usable full duplex)
Redundant fabric capacity                         720 Gbps (360 full duplex)     (not given)
Maximum packets/second throughput per system      720 Mpps                       400 Mpps (with DFC3)
10 GbE packets/second IPv4 / IPv6                 720 Mpps / 720 Mpps            400 Mpps / 200 Mpps (with distributed forwarding card 3)
Line card capacity
Fabric data rate / slot                           40 Gbps                        32 Gbps (40 Gbps advertised)
I/O slots with redundant RE/SF                    12 (11 with redundant SF)      7 (with redundant SF)
10 GbE packets/second IPv4                        60 Mpps                        44 Mpps
10 GbE packets/second IPv6                        (only one value, 22 Mpps, survives in the source)
Line rate for all packet sizes                    Yes                            No
For more information (EABU portals): Competitive Intelligence; Cisco Launch/Product Updates; Cisco Test Reports; Cisco J-Learns (links not preserved)
49
Juniper MX960 vs. Cisco 7600 – continued
Features / Products               MX960 (12 slots)                                       Cisco 7600 (9 slots)
MAC addresses                     1 million                                              96K
VLANs                             4K/interface & 64K/system                              4K
IPv4 unicast/multicast routes     1 mil/286K                                             1 mil/256K (with 3BXL)
Security ACLs                     250K+                                                  32K (2K for extended ACL)
MPLS                              Yes                                                    (not given)
Number of LAGs supported          480                                                    128
Maximum member ports/LAG          16                                                     8
Number of 802.1s instances        200                                                    65
Hardware queues per port          8/16K                                                  1 to 8, depending on line card
Rate limiting/policing            256K (1 mil future)                                    Yes, both directions
Power per GbE/10GbE               115 watts/10 GbE (75 watts/10 GbE actual)              260 – 860 watts/10 GbE (H/W configuration dependent)
GRES/hitless forwarding           Yes (for all supported L2/L3 protocols & services)     Hitless L2/3 forwarding during management module failover
NSR                               Yes (for all protocols)                                No support
ISSU                              Yes, based on NSR                                      Yes with NSF, no with NSR
BFD                               (values not preserved)
Contacts: Muralidhar Devarasetty; EABU Competitive Intelligence team (contact details not preserved)
50
Virtual Chassis technology cost benefits
Campus wiring closet configuration: 144 10/100/1000 ports, all ports Class 3 PoE capable, 4 1000Base-SX uplinks, redundant power

                        Catalyst 4500     Virtual Chassis    Savings
Space requirements      10 rack units     3 RU               70%
Power requirements      876 W*            632 W*             28%
Cooling requirements    2982 BTU/hr*      1775 BTU/hr*       40%
Deployment cost         $61,965           $44,200            29%
Sparing cost            $32,980           $15,150            54%
* Base system power and cooling, PoE additional

Juniper bill of materials (model numbers and list prices are partly cut off in the source and left as they appear):
- 3 x EX P: EX4200, 48-port 10/100/1000BaseT PoE + 930W AC PS, includes 50cm VC cable
- 3 x EX-PWR-930-AC: EX4200 930W AC power supply (power cord needs to be ordered separately)
- 1 x EX-UM-4SFP: EX4200 4-port 1G SFP uplink module (optics sold separately)
- 4 x EX-SFP-1GE-SX: small form factor pluggable 1000Base-SX Gigabit Ethernet optics
- Spares: 1x P, 1x uplink, 1x power, 1x fan, 1x SFP (individual prices cut off); total $15,150

Cisco bill of materials (model numbers and list prices partly cut off):
- 1 x WS-C4506-E: Cat4500 E Series 6-slot chassis, fan, no PS
- 2 x PWR-C ACV: Catalyst 4500 AC dual-input power supply (data + PoE)
- 1 x WS-X GE: Catalyst 4500 Supervisor V-10GE, 2x10GE (X2) and 4x1GE (SFP)
- 3 x WS-X4648-RJ45V-E: Catalyst 4500 E Series 48-port PoE 802.3af 10/100/1000 (RJ45)
- 0 x WS-X4548-GB-RJ45V: Catalyst 4500 PoE 802.3af 10/100/1000, 48 ports (RJ45)
- 1 x S45ESK SG: Cisco CAT4500 IOS Enterprise Services SSH
- 4 x WS-G BASE-SX: short wavelength GBIC (multimode only)
- Spares: SUP V $18,495; (item label cut off) $9,495; fan $495; power $3,995; SFP $500; total $32,980
Note on the slide: per DD, more realistic, high MTBF on Sup V
51
Virtual Chassis technology cost benefits
Campus wiring closet configuration: 144 10/100/1000 ports, all ports Class 3 PoE capable, 4 1000Base-SX uplinks, redundant power

                        Catalyst 6500     Virtual Chassis    Savings
Space requirements      12 rack units     3 RU               75%
Power requirements      787 W*            632 W*             20%
Cooling requirements    2688 BTU/hr*      1775 BTU/hr*       34%
Deployment cost         $55,500           $44,200            20%
Sparing cost            $27,995           $15,150            46%
* Base system power and cooling, PoE additional
(Exact savings figures on the slide: list 20.36%, RU 75.00%, power 19.76%, cooling 33.95%)

Juniper bill of materials (model numbers and list prices partly cut off in the source and left as they appear):
- 3 x EX P: EX4200, 48-port 10/100/1000BaseT PoE + 930W AC PS, includes 50cm VC cable
- 3 x EX-PWR-930-AC: EX4200 930W AC power supply (power cord needs to be ordered separately)
- 1 x EX-UM-4SFP: EX4200 4-port 1G SFP uplink module (optics sold separately)
- 4 x EX-SFP-1GE-SX: small form factor pluggable 1000Base-SX Gigabit Ethernet optics
- Spares: 1x uplink, 1x P, 1x fan, 1x SFP, 1x power (individual prices cut off); total $15,150

Cisco bill of materials (model numbers and list prices partly cut off):
- 1 x WS-C6506-E: Catalyst 6500 enhanced 6-slot chassis, 12RU, no PS, no fan tray
- 2 x WS-CAC-3000W: Catalyst 6500 3000W AC power supply
- 1 x WS-SUP32-GE-3B: Catalyst 6500 Supervisor 32 with 8 GE uplinks and PFC3B
- 3 x WS-X6148A-GE-45AF: Cat Port PoE 802.3af & ePoE 10/100/1000 w/Jumbo Frame
- 1 x S323IBK9L-12233SXH: Cisco CAT6000-SUP32 IOS IP Base SSH LAN only
- 4 x WS-G BASE-SX: short wavelength GBIC (multimode only)
- Spares: (item label cut off) $9,000; SUP $15,000; SFP $500; power $3,000; fan $495; total $27,995
52
Cisco enhanced PoE (ePoE)
- Cisco enhanced PoE (ePoE) is proprietary
- Capable of provisioning up to 20 watts* to the end point
- Available on Catalyst 6500, 4500E, 3560E, 3750E switches
Major caveats
- ePoE is a Cisco proprietary feature on Catalyst switches
- End point must support the proprietary Cisco Discovery Protocol (CDP) to draw ePoE
- Catalyst 4500 E Series premium PoE line card needed; will support ePoE with a future software upgrade
- Catalyst 3750 E and 3560 E support ePoE on existing PoE models with a software upgrade; NOT all the ports may be ePoE capable
- Future standards-based PoE+ (802.3at) support on Catalyst switches requires a forklift upgrade
- Cisco proprietary ePoE is not compatible with draft PoE+ standards
*Press release says 18.5 W, datasheet says 20 W
53
Security solutions competitive analysis – Juniper UAC vs. Cisco NAC
Juniper UAC advantages – open, flexible and integral
- Features flexible enforcement
- Enables seamless integration with existing enterprise infrastructure
- Utilizes open specifications from TNC to leverage diverse endpoint technologies
- Offers security without compromise on performance or complexity
- Has the ability to provide admission control via 802.1X, as well as granular access control
- Provides report and log management as a part of the UAC solution
[Diagram: IC Series, Juniper UAC Agent, Juniper EX Series switches, Juniper Intrusion Detection and Prevention, Juniper firewalls*, application servers]
This slide shows how the Juniper UAC solution provides distributed enterprises with openness, flexibility and integrity.
* SRX support 9.5
54
Juniper UAC vs. Cisco NAC – differences at a glance
Feature: Ease of deployment
- Juniper Unified Access Control (UAC): features flexible enforcement models, including the use of any vendor’s 802.1X switches or access points, using firewalls, or both
- Cisco Network Admission Control (NAC): requires an upgrade or replacement of the switch and router infrastructure. The solution is very complex. The agent has to be pre-installed on all clients.
Feature: Integration with existing infrastructure
- UAC: enables seamless integration with existing enterprise authentication infrastructure
- NAC: limited integration with only RADIUS, LDAP, AD and Kerberos. Proprietary AAA server.
Feature: Quality of endpoint assessment
- UAC: utilizes the open specification from the Trusted Computing Group’s Trusted Network Connect (TNC) to leverage diverse endpoint technologies
- NAC: endpoint checks are written by 3rd-party vendors. They cannot be created simply by the administrator. No 802.1x support for Linux.
Feature: Security policy enforcement
- UAC: security without compromise on performance or complexity; ability to bind network-based protection with the endpoint
- NAC: to add actual enforcement capabilities, the customer must also deploy the Cisco Security Agent (CSA), which adds further cost and complexity
Feature: Managing access controls on the LAN
- UAC: ability to provide admission control via 802.1X, as well as very granular access control
- NAC: no way to provide granular access for clients that do not have the CTA installed
Feature: Management and reporting
- UAC: report and log management are a part of the UAC solution
- NAC: requires a separate logging and management server
This slide shows in detail how the Juniper UAC solution is different from and superior to NAC.
*The problem with Cisco NAC is the fact that its implementation requires all-Cisco proprietary gear and that the solution increases the overall complexity and cost of the deployment, while Juniper’s UAC is open to all vendors.
55
Network management competitive analysis – Juniper vs. Cisco
[Diagram: Juniper devices (SSG Series, ISG Series, IDP Series, NS, SSL VPN, J Series, EX3200, EX4200, EX8200 Series, M Series, MX Series, IC Series) managed by NSM Xpress and STRM; Cisco devices (Cisco IOS, Cisco ASA, Cisco FWSM, Cisco IPS) managed by the Cisco CSM suite: Cisco CSM 3.01 server, CSM console, Cisco ACS server, Cisco RME 4.04, Cisco MARS server (logs), 6500/7600 device manager, separate IPS management, plus Cisco network element managers (Cisco SDM, Cisco ADSM, Cisco PDM, Cisco IPS MC)]
Juniper advantages – full device and UTM support
- NSM: one console manages the entire Juniper infrastructure; centralized policy management
- STRM: correlates logs to show a single view for the entire network
This slide shows that the CiscoWorks Security Manager solution is complex and needs many disparate components to work with most network and security devices, while Juniper’s unified network and security manager solution provides full device and UTM support.
56
WAN acceleration competitive analysis – Juniper vs. Cisco
[Diagram: branch office (SRX Series, J Series, WXC Series, WX Series), Internet and intranet/extranet, data center (WXC Series, WX Series, WX CMS, SA Series), mobile employees (WX Series Client, remote)]
Juniper advantages – consistent, high-performance, secure
- Provides dedicated appliance or integrated module/software solutions
- Solution scales without hardware replacement (simply a license upgrade)
- Solution validated by main application vendors (Oracle, SAP, Microsoft)
- WX supports the largest number of concurrent flows, and so the largest number of concurrent end users accelerated
- WX supports thousands of locations, all accelerated
Cisco WAAS overview:
- Standalone appliances that compete with Juniper WXC platforms
- ISR branch router modules that compete with Juniper ISM modules for J Series
- PC-client solution that will compete with the Juniper WX Client
The WAAS appliances and modules run on release 4 with a limited number of features. The Cisco PC-client solution is a completely different solution: it is an OEM product (from ICT) and doesn’t share the same code and technology as the appliances and modules.
Juniper WX/WXC overview: WX/WXC appliance/module/client
- Juniper solution in place at more than 4,000 customers
- Best scalability support
57
Juniper’s advantage – WX Series vs. WAAS
Juniper WX Series
- A simple, high-performance, secured solution for customers
- Gartner latest Magic Quadrant Leader: addresses overall customer needs with clear vision and execution
- Comprehensive and consistent in stand-alone appliances, integrated modules, and the coming WX Series Client, fully compatible with the SSL VPN PC-client. WAN optimization appliances and modules run the same code and can all be centrally managed.
- Each WXC Series appliance and module scales to different levels with a simple license upgrade that doesn’t even require a reboot.
- Provides the highest scalability in concurrent flows and end users accelerated.
Cisco WAAS
- Complex solution: WAAS installation normally is a day-long task of configuration steps. For instance, the CIFS acceleration setup requires 27 pages, whereas with Juniper it is 2 checkboxes.
- Unclear strategy/solution: Cisco doesn’t fully own its WAN optimization solution. Its PC-client solution is based on an OEM product (ICT). Recent enhancements look good on the datasheet but are far from useful for customers.
- Weak scalability: Cisco doesn’t have a low-end appliance solution. Their first appliance starts at 20 Mbps.
- Inconsistent capacity: while the Cisco appliances appear to have high bandwidth capacity numbers, they are inconsistent and the corresponding TCP flow capabilities are very low.
- Virtual Blade (service hosted on the WAAS): the goal is to provide small branches with no or limited IT with some services locally, such as print servers or DNS, without a server at the branch, directly on the Cisco WAAS. The 4.1 release provides this ability, but only on one appliance, the WAE 674, an appliance far too expensive (more than $20k) for small branches, in addition to space, power and noise requirements difficult to match in small branches.
- PC-client: all remote users in the enterprise have different clients installed on their computer/laptop to reach the company, such as IPsec clients, SSL VPN clients and firewalls. The WAN optimization client has to integrate flawlessly with the existing environment. Cisco doesn’t provide an integrated solution with its own PC-clients.
58
THANK YOU | Copyright © 2009 Juniper Networks, Inc. |
59
Faster solution – high performance core/access Juniper vs. Cisco
[Chart: latency in microseconds at different frame sizes, Cisco Catalyst 4500 & 6500 vs. Juniper EX4200 & EX8200 solution; frame sizes 64, 256, 768 and 1518 bytes]
Back-to-back lab setup
- Cisco setup: Catalyst 4506 access switch with Sup V 10GE (WS-X GE) and 48-port 10/100/1000BaseT (WS-X4548-GB-RJ45) module, and Catalyst 6509 core switch with Sup720 (WS-SUP720-BASE) and CEF720 4-port 10-Gigabit Ethernet (WS-X GE) as the core tier, on IOS 12.2; the CEF feature was enabled
- Juniper setup: EX4200 (ex t) and EX8200 (RE-EX8208) with EX8208-8XS on JUNOS 9.4
- IXIA test tool was used to inject 5 million packets for each frame size
- Line rate: 90% of Gigabit Ethernet (802.3z, i.e. 1.25 Gbps)
Objective: compare the campus LAN solution from Juniper (EX Series) with Cisco (Catalyst series)
Finding: the Juniper EX Series solution is clearly faster than Cisco in every aspect; it is 70% faster at MTU 1518 bytes than the competing Cisco Catalysts with the CEF (Cisco Express Forwarding) feature turned on
Conclusion: the Juniper EX8200 / EX4200 solution has much lower latency, which provides better performance for real-time applications such as voice and video services and also helps reduce TCP timeouts