NEXT GENERATION DATA CENTER October, 2011

TBIZ2011 - Juniper. Next Generation Data Center


1. NEXT GENERATION DATA CENTER (October, 2011)

2. AGENDA
- Cloud Computing and Cloud Infrastructures
- DC infrastructure evolution
- Security Requirements and Solution
Copyright 2010 Juniper Networks, Inc. www.juniper.net - INTERNAL ONLY

3. THE CHALLENGE OF THE DATA CENTER
- Experience
- Economics

4. THE APPLICATIONS CHANGED
- Client Server Architecture vs. Service Oriented Architecture (diagram: client, servers A, B, C, D and a DB server)
- A fundamental change in data flows

5. THE MULTI-TIER LEGACY NETWORK IS A BARRIER
The challenge: the multi-tier legacy network is
- Too slow: unnecessary layers add hops and latency
- Too complex
- Too expensive: up to 50% of the ports interconnect switches, not servers or storage
- Up to 75% of traffic (diagram with N/W/E/S compass labels)
- Spanning Tree disables up to 50% of bandwidth
- Complexity; scale

6. THE TYRANNY OF TREES
- Location matters in a tree architecture
- Typical tree configuration: bubbles of optimal performance (one hop) around a VM

7. THE TYRANNY OF TREES
- Location matters in a tree architecture
- Typical tree configuration: appliances and VLANs, shadows (diagram with a VM)

8. COMPLEXITY: A FUNCTION OF DEVICES + INTERACTIONS
- Data center operational complexity
- N = number of managed devices; each switch is autonomous (example: 7 managed devices)
- Number of potential interactions over shared protocols = N*(N-1)/2 (example: 21 potential interactions)

9. COMPLEXITY: A FUNCTION OF DEVICES + INTERACTIONS
- Devices vs. interactions: too complex; solve for the smallest N possible
- No. of interactions = N*(N-1)/2, where N = no. of managed devices
- Chart: managed devices (0 to 400) and interactions (0 to 10,000) against number of ports (0 to 6,000), with the "Too Complex" region marked

10. CHALLENGES OF EFFICIENCY
- Up to 50% of the ports interconnect switches, not servers or storage
- Up to 50% of the bandwidth is disabled by spanning tree
- Up to 30% of the network spend can be avoided
- Eliminate $1B of annual spend worldwide
- Too expensive

11. DATA CENTERS TODAY: 1GBE SERVERS
- Experience and economics
- Up to 400 servers in 1 tier (EX4200 with Virtual Chassis)
- Up to 9,000 servers in 2 tiers (EX4200 and EX8200 with Virtual Chassis)
- Diagram: MX Series, EX8216, SRX5800, STP, EX4200 Virtual Chassis, servers, NAS, FC storage, FC SAN

12. DATA CENTERS TODAY: MIXED 1GBE & 10GBE SERVERS
- Experience and economics
- Industry's only X-platform EX4200/EX4500: managed as a single switch
- Diagram: MX Series, EX8216, SRX5800, EX4200, EX4500, 10G servers, NAS, FC storage, FC SAN

13. OPEN SYSTEM ARCHITECTURE
- Operational efficiency, business continuity, agility
- Third-party manageable: SNMP, Netconf/XML, Syslog
- Standards-based: various RFCs, IEEE 802.1at, LLDP
- Any device: access points, IP phones, security cameras
- Any place: access, aggregation, core
- Open to innovation: Junos SDK

14. EX SERIES: CAMPUS PRODUCTS
- EX8208, EX8216, EX6200, EX4500, EX4200, EX3300, EX3200, EX2200, EX2200-C

15. EX SERIES FIXED PLATFORMS
- Platforms (left to right): EX2200-C, EX2200, EX3200, EX3300, EX4200, EX4500 (roadmap)
- Port options across the line: 12 port 10/100/1000BASE-T; 24/48 port 10/100/1000BASE-T; 28/48 ports; 40 10GbE fiber ports, wirespeed
- PoE options: PoE/PoE+; line rate PoE/PoE+; full Class 3 PoE
- Uplinks: 4 port GbE SFP uplink; 2 port 10GbE XFP uplink; 4 SFP uplinks; 4 port SFP/SFP+ uplinks; flexible uplinks
- Power and cooling: fixed power supply and fans; field replaceable power supply and fans; modular power and cooling; redundant power and cooling; external RPS option; fan-less, small form factor; data center air flow
- Virtual Chassis: 6 member Virtual Chassis; 10 member Virtual Chassis; 128 Gbps Virtual Chassis backplane; mixed Virtual Chassis with EX4200
- Other: MacSec; OSPF and IP multicast in base license

16. EX4200 LINE OF ETHERNET SWITCHES WITH VIRTUAL CHASSIS TECHNOLOGY
- 24-48 port copper/fiber access switch
- PoE+ model option
- 4-port GbE (SFP) uplink
- 2-port 10GbE (XFP) uplink
- Dual-mode 4-port GbE/2-port 10GbE (SFP+)
- Fully redundant power and cooling
- External RPS option
- Virtual Chassis technology: 128 Gbps virtual backplane; manage up to 10 switches as a single device; extend over 10GbE or GbE uplinks
- Full OSPF and IP Multicast in base license
- LCD window
- Roadmap

17. EX4500 LINE OF 10GBE SWITCHES WITH VIRTUAL CHASSIS TECHNOLOGY
- 2U 40-port 10GbE switch
- Wire-rate performance on all ports: 14.88 Mpps per port on all 48 ports at all packet sizes
- 8 SFP+ uplinks
- Virtual Chassis technology: 128 Gbps virtual backplane; manage up to 10 as a single device; extend over 10GbE or GbE uplinks; Virtual Chassis with EX4200
- Extensive Layer 2 and Layer 3 features: routing protocols (OSPF), VRRP
- Redundant power and cooling
- Large MAC and IPv4/IPv6 tables
- Roadmap

18. EX8200 LINE OF MODULAR ETHERNET SWITCHES
- 8/16-slot high-performance chassis: EX8208, 8 line cards, 960 Mpps; EX8216, 16 line cards, 1.92 Bpps
- 100GbE ready
- Fully redundant Routing Engines with N+1 redundant switch fabrics
- Up to 256 wire-speed, non-blocking 10GbE ports in a rack
- 320 Gbps capacity per line card
- Virtual Chassis technology: two-member Virtual Chassis; External Routing Engine (XRE200) required
- Fully redundant power and cooling: redundant, load-sharing PSUs (AC, DC); hot-swappable fan tray with redundant fans
- Line cards shown: 48x1G-ES, 8x10G, 40x10G, 48x1G-POE, 48x1G-Fiber, 48x1G-Copper

19. SCALING THE DATA PLANE
- Data plane: 1. All ports are directly connected to every other port (QF/Interconnect, QF/Node); 2. A single full lookup at the ingress QF/Node device; 3. Blazingly fast: always under 5us, 3.71us (short cables)
- QFabric is faster than any Ethernet chassis switch ever built

20. FABRIC HARDWARE: QF/NODE
- 1 RU high fixed configuration
- 48 SFP+/36 SFP ports
- 12 FC capable (2/4/8G) ports
- 4 * 40G fabric uplink ports (can also operate in 10G mode)
- Redundant AC power supply
- Front to back air flow
- Front view: 48 SFP+/36 SFP ports, 12 FC capable ports; rear view: 4 QSFP+ ports
- Will also operate as a stand-alone switch (QFX3500)

21. RE-DESIGN SECURITY FOUNDATION
- The Dynamic Services Architecture: scales performance, capacity and service density
- World's fastest firewall and IPS
- SRX Services Gateways: high-speed fabric technology; carrier-class reliability
- Expandable chassis; separation of control and data planes; linear scalability; processing and I/O pools; redundant everything; industry's top performance
- The power of one: one operating system, one release train; proven operating system

22. SRX SERIES FOR THE DATA CENTER COMPARISON CHART

|                      | SRX3400                                                   | SRX3600                                                   | SRX5600                                                                 | SRX5800                                                                 |
|----------------------|-----------------------------------------------------------|-----------------------------------------------------------|-------------------------------------------------------------------------|-------------------------------------------------------------------------|
| Max FW throughput    | 20 Gbps                                                   | 30 Gbps                                                   | 60 Gbps                                                                 | 150 Gbps                                                                |
| Max VPN throughput   | 6 Gbps                                                    | 10 Gbps                                                   | 15 Gbps                                                                 | 30 Gbps                                                                 |
| Max IPS throughput   | 6 Gbps                                                    | 10 Gbps                                                   | 15 Gbps                                                                 | 30 Gbps                                                                 |
| Max PPS              | 4 Mpps                                                    | 7 Mpps                                                    | 10 Mpps                                                                 | 18 Mpps                                                                 |
| Max sessions         | 2.25 million                                              | 2.25 million                                              | 9 million                                                               | 10 million                                                              |
| New & sustained CPS  | 175,000                                                   | 175,000                                                   | 350,000                                                                 | 350,000                                                                 |
| Interfaces           | 8 x 10/100/1000 + 4 SFP; 16 x SFP module; 2 x 10GbE module | 8 x 10/100/1000 + 4 SFP; 16 x SFP module; 2 x 10GbE module | 40 x SFP; 4 x 10GbE XFP; 16 x TX/SFP FlexIOC; 4 x 10GbE XFP FlexIOC     | 40 x SFP; 4 x 10GbE XFP; 16 x TX/SFP FlexIOC; 4 x 10GbE XFP FlexIOC     |
| Max I/O ports        | 76 x GbE or 8 x 10GbE                                     | 108 x GbE or 12 x 10GbE                                   | 200 x GbE or 40 x 10GbE                                                 | 440 x GbE or 88 x 10GbE                                                 |

23. JUNOS SOFTWARE ENHANCEMENTS
- SECURE and RELIABLE
- In-service software upgrades (new in Junos 9.6): Low Impact Chassis Upgrades; eliminate downtime when upgrading SRX; single command to upgrade SRX clusters
- Performance and density improvements (new in Junos 10.0): session increase in the SRX3000 and SRX5000 lines; SRX3000 line 2.25 million sessions; SRX5600 9 million sessions; SRX5800 10 million
- AppSecure with AppDoS (new in Junos 10.0): identify and mitigate threats and attacks targeting applications; multi-stage detection methods; tracks application protocols, users and volumes

24. SRX5800: FRONT AND REAR VIEW
- 16 RU modular chassis, vertical design; 12 expansion slots for flexible I/O and service processing; Junos software
- Front view components: control panel; upper fan tray; Switch Control Boards (SCBs); Services Processing Card; 40 x GbE I/O Card; 4 x 10GbE I/O Card; power supplies; FRU management module; lower fan tray; air intake
- Rear view: expansion slots (fits any module)
- Massive scale: up to 350,000 new & sustained connections per second (CPS); up to 10 million sessions
- High performance: up to 120 Gbps firewall; up to 30 Gbps IPS; up to 30 Gbps IPsec VPN
- High availability: redundant management modules; redundant switching fabrics; redundant fans & power supplies; modular Junos software

25. BREAK THE PERFORMANCE/INTEGRATION TRADEOFF
- Services via dedicated appliances (router, firewall, IPS, IPsec VPN, NAT): limited scalability via multiple appliances; management and deployment challenges; management and deployment nightmare
- Services integration via Junos: firewall; processing scalability via SPC; I/O scalability via IOC; management and deployment simplicity
- Chart axes: performance vs. service integration

26. MARKET DRIVERS FOR VIRTUALIZATION
- Virtualization server licenses grew 53% in '08 over the prior year (IDC Server Virtualization Tracker, December '08)
- Desktop virtualization software technologies are forecast to grow at a 33.6% compound annual growth rate through 2013 (Gartner Dataquest Insight, January '09)
- 43% of enterprises with 500+ employees and 26% of SMBs with 100-499 employees are using server virtualization (Yankee, July '09)
- Installed base grows 10x: VM penetration of installed workloads, YE 2008 (5.8M) to YE 2012 (58M)

27. SECURITY IMPLICATIONS OF VIRTUAL SERVERS
- Physical network: the firewall/IPS inspects all traffic between servers
- Virtual network: VM1, VM2 and VM3 on one ESX host hypervisor; physical security is blind to traffic between virtual machines

28. APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS
1. VLAN segmentation: each VM in a separate VLAN; inter-VM communications must route through the firewall. Drawback: possibly complex VLAN networking
2. Agent-based: each VM has a software firewall. Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
3. Kernel-based firewall: VMs can securely share VLANs; inter-VM traffic always protected; high performance from implementing the firewall in the kernel; micro-segmenting capabilities
- Diagram: three ESX hosts (VM1, VM2, VM3 over a hypervisor); FW agents inside the VMs for method 2; FW as kernel module for method 3

29. INTRODUCING THE ALTOR VF
- Hypervisor kernel stateful firewall (VM1, VM2, VM3 on an ESX host; Altor VF)
- Purpose-built virtual firewall
- Secure live migration (VMotion)
- Security for each VM by VM ID
- Fully stateful firewall
- VMware VMsafe certified
- Tight integration with virtual platform management, e.g. VMware vCenter
- Fault-tolerant architecture
- Network: NSM, STRM, Juniper switch, Juniper SRX

30. INTEGRATION WITH JUNIPER DATA CENTER SECURITY
- Altor VM (Altor Virtual Firewall) on the host with VM1, VM2, VM3
- AltorCenter: central policy management (policies; Altor integration point)
- Altor integration point: VMware vSphere
- Altor integration point: firewall event syslogs; NetFlow for inter-VM traffic
- Altor integration point: inter-VM traffic mirroring to IPS
- Network: STRM, NSM, Juniper switch, Juniper SRX with IPS
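The blind spot on slide 27 and the three placements on slide 28 can be checked with a small coverage model. The Python below is an added example, not code from the deck or from Juniper or Altor; the VM names, host name, VLAN numbers and the `Design` fields are constructed for illustration. It assumes the physical firewall/IPS is the inter-VLAN hop, so it inspects only flows whose endpoints sit in different VLANs, while an agent covers its own VM and a kernel-module firewall covers every VM on its host; under those assumptions it lists the VM pairs no enforcement point can see.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    host: str  # hypervisor (ESX) host the VM runs on
    vlan: int  # VLAN of the VM's virtual NIC


@dataclass(frozen=True)
class Design:
    # Assumption: the physical firewall/IPS is the inter-VLAN hop, so it sees
    # only flows between different VLANs (the rationale of method 1).
    physical_firewall: bool = True
    # Method 2: names of VMs that run a software firewall agent.
    agent_vms: FrozenSet[str] = frozenset()
    # Method 3: hosts whose hypervisor kernel runs a firewall module.
    kernel_fw_hosts: FrozenSet[str] = frozenset()


def inspectors(a: VM, b: VM, design: Design) -> Set[str]:
    """Enforcement points able to inspect traffic between VMs a and b."""
    seen: Set[str] = set()
    if design.physical_firewall and a.vlan != b.vlan:
        seen.add("physical_firewall")
    for vm in (a, b):
        if vm.name in design.agent_vms:
            seen.add(f"agent:{vm.name}")
        if vm.host in design.kernel_fw_hosts:
            seen.add(f"kernel_fw:{vm.host}")
    return seen


def blind_pairs(vms: List[VM], design: Design) -> List[Tuple[str, str]]:
    """VM pairs whose mutual traffic no enforcement point inspects."""
    return [(a.name, b.name) for a, b in combinations(vms, 2)
            if not inspectors(a, b, design)]


# Constructed sample: three VMs sharing one ESX host and one VLAN (slide 27).
HOST = "esx-host-1"
FLAT_VMS = [VM("VM1", HOST, 10), VM("VM2", HOST, 10), VM("VM3", HOST, 10)]


def demo() -> dict:
    """Coverage of each placement on the constructed host."""
    results = {}
    # Physical firewall only: blind to all inter-VM traffic on the host.
    results["physical_only"] = blind_pairs(FLAT_VMS, Design())
    # Method 1: one VLAN per VM forces inter-VM traffic through the firewall.
    per_vlan = [VM(v.name, v.host, 10 * i) for i, v in enumerate(FLAT_VMS, 1)]
    results["vlan_segmentation"] = blind_pairs(per_vlan, Design())
    # Method 2: coverage holds only for VMs that actually run an agent.
    results["agents_partial"] = blind_pairs(
        FLAT_VMS, Design(agent_vms=frozenset({"VM1"})))
    results["agents_all"] = blind_pairs(
        FLAT_VMS, Design(agent_vms=frozenset(v.name for v in FLAT_VMS)))
    # Method 3: kernel firewall covers every VM on the host, shared VLAN or not.
    results["kernel_fw"] = blind_pairs(
        FLAT_VMS, Design(kernel_fw_hosts=frozenset({HOST})))
    return results


if __name__ == "__main__":
    for name, blind in demo().items():
        print(f"{name:18s} blind pairs: {blind}")
```

The partial-agent case is the one to watch in practice: coverage under method 2 is only as good as the agent inventory, which is the management overhead slide 28 calls out, whereas a kernel-module firewall covers a VM the moment it lands on the host.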