
Design Guide

Branch LAN Connectivity Design Guide


Design Considerations for the High-Performance
Branch Office LAN

Juniper Networks, Inc.


1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408.745.2000
1.888 JUNIPER
www.juniper.net

Part Number: 905012-001 January 2008



Table of Contents
Executive Summary
Introduction
Branch LAN Categories
Services Needed in the Branch
Branch LAN Design Considerations
Enterprise Computing Trends
Considerations for Different Branch Configurations
Branch Architecture Overview
Layered Approach
Benefits
Challenges
A Network Revolution
Access Layer
Services
Design Considerations
VLAN and Spanning Tree Protocol (STP)
Using Layer 2 Versus Layer 3 at the Access Layer
Implementing Unified Communications
Considerations
Access Layer Security with IEEE 802.1X and Unified Access Control
IEEE 802.1X
UAC
Access Layer Hardware Configurations
Scalable Configuration with Virtual Chassis Technology
Aggregation Layer
Services and Considerations
Branch Office Recommendations
WAN Edge Integration
WAN Edge Considerations
HA
Voice Gateway
WAN Acceleration
Firewall/VPN
WAN Edge Recommendations
J-series Services Routers
Operational Simplicity and Unified Management
Achieving Operational Simplicity with JUNOS Software
The Power of JUNOS Software
Modular Processes
Rollback Capability
Advanced Features
Benefits
Impact
Unified Management with Juniper Networks NetScreen-Security Manager
Benefits

Copyright ©2008, Juniper Networks, Inc.


Remote Configuration and Management with J-Web
Benefits
Recommended Branch LAN Configurations
Conclusion
About Juniper Networks

List of Tables
Table 1: Branch LAN Categories
Table 2: Highly Available Branch LAN Design Considerations
Table 3: JUNOS Operating Efficiencies (Lake Partners 2007)
Table 4: Recommended Branch LAN Configurations

List of Figures
Figure 1: Highly Available Branch Office LAN Configurations
Figure 2: The Layered Approach
Figure 3: Access Layer at a Highly Available Medium Branch Office LAN
Figure 4: Layer 2 versus Layer 3 at Access Layer
Figure 5: IP Phone Connectivity Options
Figure 6: Virtual Chassis Technology
Figure 7: Reducing CAPEX and OPEX with Virtual Chassis Technology
Figure 8: Aggregation Layer in a Highly Available Large Branch Office LAN
Figure 9: WAN Edge in a Highly Available Large Branch Office LAN
Figure 10: J-series Services Router in a Highly Available Large Branch Office LAN
Figure 11: JUNOS – The Three Ones: One Source Code, One Train, and One Modular Architecture


Executive Summary
Now more than ever, the corporate network is a strategic tool that businesses rely on to support
day-to-day operations and succeed in the marketplace. The corporate LAN design is also
changing to accommodate an increasingly decentralized workforce as an estimated 89 percent
of employees work outside of headquarters (Nemertes Research 2006) in remote branch offices.
Business productivity increasingly depends upon the critical operations carried out at distributed
branch offices, as enterprises are centralizing applications to simplify operations and reduce
costs. These changes create new infrastructure challenges as branch office users require the same
fast, secure and reliable access to applications and network resources as those at headquarters.
Existing branch office infrastructure solutions cannot meet the requirements needed to provide
secure and high-performance access for branch office users, nor do they provide the centralized
management capabilities critical for reducing costs and streamlining operations.
A new branch office LAN design that meets branch office security, connectivity and performance
challenges while enabling key IT initiatives is needed. It also must scale and flexibly
accommodate new computing trends without an entire redesign. This document introduces
the issues related to changing branch office needs and also presents design considerations and
recommendations for branch LANs of all sizes. In addition, it shows how infrastructure solutions
from Juniper Networks advance the economics of networking, allowing businesses to “change
the rules” with their IT investments, and create a truly innovative and competitive environment
that helps them increase revenue and raise productivity today and into the future.

Introduction
Remote branch facilities typically contain a relatively small amount of computing resources
compared to central facilities or data centers, yet branch office employees have the same resource
needs as their colleagues in company headquarters. As most business processes are carried
out online, any branch LAN downtime or inefficiency has a negative impact on the corporate
bottom line. Secure, high-performance, highly available LAN services are crucial to ensure that
each branch facility is always online so that business productivity and customer satisfaction are
maximized.

Branch LAN Categories


Branch LANs vary greatly in size, from accommodating one or two users to hundreds of
employees, and are categorized as follows for this document:

Table 1: Branch LAN Categories


Branch LAN Category                      Port Capacity      Example
Highly available Micro Branch Office     Up to 5-8 ports    Gas station / Convenience store
Highly available Small Branch Office     Up to 48 ports     Retail bank branch
Highly available Medium Branch Office    Up to 100 ports    Regional sales office
Highly available Large Branch Office     100's of ports     Big box retailer / Department store


Services Needed in the Branch


Regardless of branch office size, the following high-level services are required to optimize
efficient business operations:
• LAN and WAN Connectivity
The branch office infrastructure must provide secure wired and wireless LAN connectivity
for an increasing number of IP devices such as computers, telephones, PDAs, cash
registers, kiosks, inventory scanners and surveillance cameras. In addition, the branch
must be securely and reliably connected to headquarters and data centers for centralized
resources such as file services, data replication and collaboration.
• Internet Access
For optimal Web services performance, branch offices today connect directly to the
Internet rather than backhauling traffic to headquarters. The Internet is also often used
to securely connect to headquarters and data centers via a VPN. Guest Internet access
may also be required for partners and/or customers, introducing a new set of security,
performance, connectivity and reliability challenges.
• High-Performance
Branch application performance must match that found in headquarters and also be
maintained over the WAN when accessing any centralized applications or resources.
• High Availability (HA)
Since branch offices typically lack local IT staff to manage the network, networking
equipment and software that is cost-effective, feature-rich, highly reliable and offers
centralized management capabilities is vital. Robust, reliable connectivity is also
required. In addition, emerging technologies such as unified communications depend
on an optimized and always-on, high-performance network from end-to-end to function
effectively.
• Security
Security is critical to all branch LAN services. Access to networks and applications must
be open and pervasive, yet remain secure and controlled. Today’s networks not only
need to effectively handle unmanaged devices and guest users attempting network
access; they also need to address support for unmanageable devices, post admission
control, and application access control, visibility and monitoring. In addition to standard
Unified Threat Management (UTM) services, security policies supporting demilitarized
zones (DMZs), ensuring Quality of Service (QoS), mitigating Denial of Service (DoS) and
distributed DoS (DDoS) attacks and threats, and ensuring that the organization meets
compliance criteria are needed. All security policies should be centrally managed and
remotely deployed.
Each of these areas is addressed in more detail in this document and, when appropriate,
additional considerations or challenges for a specific service, feature or branch office
category are presented.


Branch LAN Design Considerations


A new branch office LAN design is needed as legacy solutions cannot meet these key requirements,
nor reduce costs and streamline operations. The LAN design must also scale and accommodate
emerging computing trends and additional network services without an entire redesign.

Enterprise Computing Trends


In addition to workforce decentralization and the services previously mentioned, the following
trends must be considered in a branch LAN design:
• The Proliferation of Unified Communications
The adoption of unified communications including voice, video and data services is on
the rise. According to Forrester Research (2006), 46 percent of all companies in North
America have installed IP telephony systems and 39 percent use VoIP to communicate
with their remote users. Such deployments have a direct impact on the high-performance
and HA requirements of a branch LAN. For example, not only must adequate LAN and
WAN bandwidth be provisioned, but QoS rules must identify, classify and prioritize traffic
to deliver effective VoIP communication services.
• Bandwidth Hungry Applications
In addition to the increased bandwidth needed for unified communications, many
popular business applications such as Oracle, SAP and PeopleSoft have introduced Web-
enabled versions that require, in some instances, more than 10 times the bandwidth
of their LAN-based counterparts, seriously impacting performance, reliability and
availability.
• Increasing Focus on Security
FBI/CSI statistics show that 72 percent of all companies surveyed reported at least one
security incident in 2006. Not surprisingly, a 2006 Forrester Research survey found that
57 percent of all firms consider “upgrading security environment” a top priority. As
critical business processes become more distributed and unified communications present
new vulnerabilities, the need for robust security is likely to intensify.
• Branch Servers and Server Consolidation
Forrester also reports that 51 percent of all firms consider server centralization and data
center consolidation key priorities. At the same time, many branches still need local
servers that require extra security, and this requires bandwidth optimization and traffic
prioritization. Companies also demand consolidated, centralized management solutions
that help reduce the time and resources devoted to keeping branch offices online and
operational.


Considerations for Different Branch Configurations


The network infrastructure in today’s branch offices is no longer sufficient to satisfy these
requirements. Instead of adding additional costly layers of legacy equipment and highly skilled
IT resources to support the growing number of devices and services in the branch, enterprises
need a new, more integrated and consolidated branch office solution.
Juniper Networks delivers a proven IP infrastructure for the branch office that meets these
challenges, enabling the performance, scalability, flexibility, security and intelligence needed to
not just meet but increase branch office user productivity. Juniper offers flexible configurations
and price points that meet the needs of all branch offices, regardless of size, while delivering
high-performance throughput together with services such as firewall, UTM, VPN, MPLS, IPv6 and
Connectionless Network Service (CLNS).
In addition to the security, scalability and performance issues inherent in branch offices of all
sizes, the design considerations in Table 2 should be taken into account when planning for each
highly available branch office configuration:

Figure 1: Highly Available Branch Office LAN Configurations
[Figure: four panels, one per branch category, each connected over the Internet/WAN to the
data center or HQ. Micro branch office: a single J-series device with a PoE access point and
security camera. Small branch office: a J-series edge device and an EX 4200 series Virtual Chassis
access switch with PoE access point, security camera and local servers. Medium branch office:
J6350 routers and an EX 4200 series Virtual Chassis with PoE ports for access points and security
cameras, plus local servers. Large branch office: an EX 4200 series Virtual Chassis with PoE and
access points on each floor (Floor 1 to Floor N) behind the WAN edge.]


Table 2: Highly Available Branch LAN Design Considerations


Design Consideration           Micro Branch   Small Branch   Medium Branch   Large Branch
Secure Connectivity            •              •              •               •
Simplicity                     •              •              °
HA                             °              •              •               •
Power Over Ethernet (POE)                     •              •               •
High Scalability                              °              •               •
Local Server Infrastructure                   °              •               •
No circle: not required; °: low priority; •: high priority

Branch Architecture Overview


Layered Approach
The typical enterprise network is built upon multiple levels of switches deployed in three general
layers: access, aggregation and LAN core.
Figure 2: The Layered Approach
[Figure: on the branch office side, device connectivity enters an access layer
(10/100/1000BASE-T) that feeds an aggregation layer (GbE fiber). On the data center side, a
core layer (10GbE) sits above an aggregation layer (10GbE fiber) and an access layer
(10/100/1000BASE-T) that provides data center connectivity. The two sites are joined across a
WAN served by multiple service providers.]

Providing vital LAN services, these layers exist at various locations throughout the network,
including branch offices, campus buildings and the data center. This document focuses primarily
on the layers deployed in the branch office. Areas outside of that scope are presented when
relevant to the discussion. For example, smaller branch offices may not need the layered approach.


The access layer provides network connectivity to end users in a branch office. The aggregation
layer aggregates connections and traffic flows from multiple access-layer switches to core-
layer switches. And the LAN core layer provides secure connectivity between aggregation-layer
switches and the routers connecting to the WAN and the Internet to enable business-to-business
collaboration.

Benefits
A multilayered architecture facilitates network configuration by providing a modular design that
can rapidly and economically scale. It also creates a flexible network on which new services can
be easily added without redesign. The layered approach also delivers separated traffic, balances
load across devices and simplifies troubleshooting.

Challenges
This three-layered approach traditionally requires additional hardware and is therefore costly
to configure, deploy and administer for all but large branch offices. To account for that, most
micro branch offices collapse all layers and services into the WAN edge layer, and most small and
medium branch offices collapse the aggregation- and access-layer services into the access layer.
Trying to address emerging bandwidth, throughput and port density requirements, networks
in the past have grown bloated with extra layers of ill-suited legacy hardware that not only fails
to meet these needs, but also adds considerable management complexity, reduces network
availability, and drives up capital and operational expenses.

A Network Revolution
As a recent entrant into the evolving switching market, Juniper Networks has factored lessons
learned and experiences into the development of a new portfolio of Ethernet switch products
and network solution designs that address contemporary issues and accommodate future
growth. These new products are designed to eliminate unnecessary network layers while
providing a platform for delivering higher availability, converged communications, integrated
security and higher operational efficiency. With these solutions, Juniper Networks simultaneously
advances the fundamentals and economics of networking by delivering greater value, increasing
simplicity and lowering the total cost of network ownership.

Access Layer
In a branch office, the access layer provides network connectivity to end users by connecting
devices such as PCs, printers, IP phones and CCTV cameras to the corporate LAN via wired or
Wireless LAN (WLAN) access points. Access-layer switches typically reside in wiring closets.
Figure 3: Access Layer at a Highly Available Medium Branch Office LAN
[Figure: J-series routers at the WAN/Internet edge, an EX 4200 series Virtual Chassis forming
the access layer with PoE ports serving access points and security cameras, and local servers
attached to the access layer.]


Services
The access layer provides connectivity, Power over Ethernet (PoE), QoS, and security with
authentication services and network access control.

Design Considerations
1. Connectivity: Wired Ports and WLAN Access
Accounting for an adequate number of wired ports for all computers, IP phones, CCTV
cameras and other IP devices is the first step to addressing port requirements. It’s also
important to determine the breadth of WLAN access needed for partners, customers
and employees. The logical segmentation required and the number of logically separate
networks that should share the same LAN must also be determined. These considerations
help establish what type of hardware configuration is needed.
Juniper offers a series of reliable, secure, expandable and scalable hardware
configurations to address any wired port needs. Many commercial solutions are available
for offices that need to provide secure WLAN services. For branches with wireless access
requirements, WLAN solutions from Juniper partners Aruba Networks, Trapeze Networks
and Meru Networks are recommended.
2. PoE
Most highly available branch offices have IP phones, many of which require PoE to
function. Other branch facilities may have PoE security cameras and WLAN devices.
Accounting for the correct number of PoE ports is vital as the system configuration
depends on it. Some access equipment doesn’t provide PoE services, so it’s important to
make sure to use traditional wall-powered IP phones, CCTV cameras and WLAN access
points in those installations.
3. HA in the Branch Network
It’s crucial that branch office networks operate with the same reliability and uptime
as the headquarter network. Depending on the branch network’s needs and available
budget, varying levels of HA may be implemented.
a. Device-Level HA
Most device failures are due to power supply failures or mechanical cooling problems.
It is important to always support business processes with high quality, carrier-class
network devices such as the Juniper Networks J-series or EX-series platforms. Purchasing
equipment with dual power supplies and redundant fans or blowers is always recommended:
redundancy raises the mean time between failures (MTBF) of the device, and field-serviceable
parts keep the mean time to repair (MTTR) low when a component does fail.
Additional device-level HA can be provided by doubling up on key devices so that a backup
device takes over in the event of a failed device. Not all budgets or configurations support
a full set of backup devices. In that event, purchasing spare key device components, such as
a backup set of field-serviceable or hot-swappable power supplies or fans, helps mitigate the
impact of a device failure.
b. Link-Level HA
Link-level HA keeps business processes flowing to internal and external resources when a
single link fails. At the branch office, link-level HA requires two links operating in an
active/backup configuration, so that if one link fails the other takes over forwarding the
traffic that previously used the failed link. Depending on the budget and HA requirements,
the backup is a public switched telephone network (PSTN), ISDN or broadband link. In more
complex networks, link-level HA may also be provided between network switches.


c. Network Software HA
JUNOS™ software is the consistent operating system that powers all of Juniper Networks
switch, router and firewall solutions. It provides carrier-class network software to highly
available branch offices of all sizes. JUNOS software supports features like nonstop
forwarding (NSF), graceful restart, in-service software upgrade (ISSU), Bidirectional
Forwarding Detection (BFD) and other features which together make IP networking as
failure-safe and reliable as telephony networks. The JUNOS software’s modularity and
uniform implementation of all features enables the smallest branch office to benefit
from the same hardened services in their devices running JUNOS software as the largest
service providers.
VLAN and Spanning Tree Protocol (STP)
Branch office LANs use VLANs to logically group any set of users, devices or data, regardless of
location, into logical networks through software configuration instead of physically relocating
devices on the LAN. VLANs help address issues such as scalability, security and network
management.
VLANs are in essence Layer 2 broadcast domains that exist only within a defined set of switches.
Using the IEEE 802.1Q standard as an encapsulation protocol, frames are marked with a VLAN tag
that carries a 12-bit VLAN identifier. Tagged frames are forwarded and flooded only to ports in
the same VLAN; to reach a station in any other VLAN, traffic must pass through a routing device.
Any switch port can be statically or dynamically assigned to a VLAN. Alternately, traffic may be
classified into a VLAN and forwarded through specific ports based on the protocol being carried
over the LAN. For example, VoIP traffic from a soft phone can be separated from other traffic and
placed in a VLAN that receives a higher quality of service.
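As an added example (not from this guide), the following Python code parses the 802.1Q tag described above and applies the rule that a tagged frame is delivered only to ports in its own VLAN. The port names (ge-0/0/1 and so on), the access/trunk assignments and the frames are constructed for illustration; a real switch also learns MAC addresses, which this flooding model leaves out.

```python
"""
Parse IEEE 802.1Q-tagged Ethernet frames and apply a switch's VLAN
membership rules to decide where a frame may be flooded. Added example,
not from the Juniper guide; frames, port names and VLAN assignments are
constructed for illustration.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set

TPID_8021Q = 0x8100   # IEEE 802.1Q customer VLAN tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (outer tag of a Q-in-Q frame)


@dataclass
class Frame:
    dst: str
    src: str
    tags: List[int] = field(default_factory=list)  # VLAN IDs, outermost first
    pcp: int = 0           # 802.1p priority bits of the outer tag (QoS class)
    ethertype: int = 0     # EtherType of the payload after all tags
    payload: bytes = b""


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Decode the MAC header, peel every VLAN tag, return the inner EtherType."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    frame = Frame(dst=_mac(raw[0:6]), src=_mac(raw[6:12]))
    off = 12
    (etype,) = struct.unpack("!H", raw[off:off + 2])
    while etype in (TPID_8021Q, TPID_8021AD):
        if len(raw) < off + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", raw[off + 2:off + 4])  # Tag Control Info
        if not frame.tags:
            frame.pcp = tci >> 13          # top 3 bits: priority code point
        frame.tags.append(tci & 0x0FFF)    # low 12 bits: VLAN identifier
        off += 4
        (etype,) = struct.unpack("!H", raw[off:off + 2])
    frame.ethertype = etype
    frame.payload = raw[off + 2:]
    return frame


def build_frame(dst: str, src: str, vids: Sequence[int] = (), pcp: int = 0,
                ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Construct a raw frame (sample input only). vids are outermost first;
    a double-tagged frame gets an 802.1ad outer tag and an 802.1Q inner tag."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (i == 0 and len(vids) > 1) else TPID_8021Q
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def ingress_vlan(frame: Frame, port: str, access: Dict[str, int],
                 trunk: Dict[str, Set[int]]) -> Optional[int]:
    """
    Classify an arriving frame into a VLAN, or None if the port must drop it.
    Access port: untagged frames join the port's VLAN; a tag is accepted only
    if it names that same VLAN. Trunk port: only tagged frames in the allowed
    set are accepted (assumption: no native VLAN on trunks). Only the outer
    tag is consulted; any inner tag rides through as payload.
    """
    vid = frame.tags[0] if frame.tags else None
    if port in access:
        return access[port] if vid in (None, access[port]) else None
    if port in trunk:
        return vid if vid in trunk[port] else None
    return None


def flood_ports(frame: Frame, port: str, access: Dict[str, int],
                trunk: Dict[str, Set[int]]) -> Set[str]:
    """Ports an unknown-destination or broadcast frame is flooded to: every
    member of its VLAN except the ingress port. Stations in other VLANs never
    see it; reaching them requires a router."""
    vlan = ingress_vlan(frame, port, access, trunk)
    if vlan is None:
        return set()
    members = {p for p, v in access.items() if v == vlan}
    members |= {p for p, allowed in trunk.items() if vlan in allowed}
    members.discard(port)
    return members


# Constructed port map: data VLAN 10, voice VLAN 20, one trunk carrying both.
ACCESS = {"ge-0/0/1": 10, "ge-0/0/2": 10, "ge-0/0/3": 20}
TRUNK = {"ge-0/0/47": {10, 20}, "ge-0/0/48": {20}}
BCAST = "ff:ff:ff:ff:ff:ff"

if __name__ == "__main__":
    pc = parse_frame(build_frame(BCAST, "00:11:22:33:44:01"))
    phone = parse_frame(build_frame(BCAST, "00:11:22:33:44:02", [20], pcp=5))
    print("untagged on ge-0/0/1 ->", sorted(flood_ports(pc, "ge-0/0/1", ACCESS, TRUNK)))
    print("VID 20 on trunk ge-0/0/47 ->", sorted(flood_ports(phone, "ge-0/0/47", ACCESS, TRUNK)))
    print("VID 20 on access ge-0/0/1 ->", flood_ports(phone, "ge-0/0/1", ACCESS, TRUNK))
```

Run it to see that an untagged frame entering access port ge-0/0/1 is flooded only to the other VLAN 10 member and to the trunk that carries VLAN 10, while a VID 20 frame arriving on a VLAN 10 access port is dropped. The classifier looks only at the outer tag, so on a double-tagged frame the outer tag alone determines VLAN membership.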
1. STP
Redundant links between switches create multiple active paths between network nodes,
resulting in bridge loops. The same source MAC address is then learned on more than one
port, so the switch forwarding table keeps changing (MAC flapping), and broadcast frames are
forwarded in an endless loop between switches, consuming all available bandwidth and CPU
resources; there is no TTL at Layer 2 to stop them. STP, the IEEE 802.1D standard, ensures a
loop-free topology for any bridged LAN. STP leaves a single active path between any two
network nodes by first electing a root bridge, building a tree within the mesh of connected
LAN switches, and then blocking the ports that are not part of that tree. STP thus allows a
network design to include redundant links as automatic backup paths if an active link fails,
without the danger of bridge loops or the need to manually enable and disable the backup
links. Each VLAN can run a separate instance of Spanning Tree Protocol.
2. Issues with STP
Troubleshooting STP can be challenging because of incorrect configuration, mis-cabling, or
simply the difficulty of seeing which ports are blocked. Because all traffic must follow the
tree, frames between two switches may be forced along the tree toward the root bridge rather
than across a direct link that STP has blocked, so forwarding paths are not always optimal.
STP also leaves redundant links idle and has no load balancing mechanism. In addition, classic
STP converges slowly, taking 30 to 50 seconds with default timers after a topology change. To
address this, Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) was created, providing sub-second
convergence, but its rapid transitions apply only to point-to-point links and edge ports.
Multiple Spanning Tree Protocol (MSTP), the IEEE 802.1s standard, maps VLANs onto multiple
spanning tree instances so that different VLANs can use different links, but it increases
configuration complexity.
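To make the tree-building step concrete, here is an added Python example (not from this guide) that elects the root by bridge ID, computes each switch's root path cost, assigns root, designated and blocked roles to the ports of a four-switch mesh, and recomputes after a link failure so that a previously blocked segment comes into service. The topology, switch names and MAC addresses (taken from the IANA documentation range) are constructed; one link per switch pair is assumed, and the 802.1D-1998 cost of 4 is used for each 1 GbE segment.

```python
"""
Spanning tree over a small switch mesh: root election by bridge ID, root
path cost per bridge, root/designated/blocked role per port, and a recompute
after a link failure to show the backup path coming into service. Added
example, not from the Juniper guide; the topology is constructed, with
802.1D-1998 port cost 4 per 1 GbE segment and at most one link per pair.
"""
import heapq
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

BridgeId = Tuple[int, str]       # (priority, base MAC): lowest value wins
Link = Tuple[str, str, int]      # (switch, switch, port path cost)


def elect_root(bridges: Dict[str, BridgeId]) -> str:
    """Every bridge claims to be root until it hears a lower bridge ID."""
    return min(bridges, key=bridges.get)


def root_paths(bridges: Dict[str, BridgeId],
               links: List[Link]) -> Dict[str, Tuple[int, Optional[str]]]:
    """
    Root path cost and upstream neighbour for every bridge (Dijkstra from
    the root). Equal-cost ties are broken as STP does, by the lower
    upstream bridge ID. Returns name -> (cost, upstream or None for root).
    """
    root = elect_root(bridges)
    adj = defaultdict(list)
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    best = {root: (0, bridges[root], None)}   # (cost, upstream ID, upstream)
    heap = [(0, bridges[root], root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                           # stale heap entry
        for nbr, c in adj[node]:
            cand = (cost + c, bridges[node], node)
            if nbr not in best or cand[:2] < best[nbr][:2]:
                best[nbr] = cand
                heapq.heappush(heap, (cand[0], cand[1], nbr))
    return {n: (c, up) for n, (c, _, up) in best.items()}


def port_roles(bridges: Dict[str, BridgeId],
               links: List[Link]) -> Dict[Tuple[str, str], str]:
    """
    Map (switch, neighbour) -> 'root' | 'designated' | 'blocked'. Exactly
    one end of each segment is designated; the other end is either the
    downstream switch's root port or is blocked, which is how STP leaves a
    single active path between any two nodes.
    """
    paths = root_paths(bridges, links)
    roles = {}
    for a, b, _ in links:
        if paths[a][1] == b:           # a reaches the root through b
            roles[(a, b)], roles[(b, a)] = "root", "designated"
        elif paths[b][1] == a:
            roles[(b, a)], roles[(a, b)] = "root", "designated"
        else:                          # redundant segment: lower (cost, ID) wins
            key = lambda n: (paths[n][0], bridges[n])
            d, blk = (a, b) if key(a) < key(b) else (b, a)
            roles[(d, blk)], roles[(blk, d)] = "designated", "blocked"
    return roles


def active_segments(links: List[Link],
                    roles: Dict[Tuple[str, str], str]) -> List[Tuple[str, str]]:
    return [(a, b) for a, b, _ in links
            if "blocked" not in (roles[(a, b)], roles[(b, a)])]


def is_tree(bridges: Dict[str, BridgeId], links: List[Link],
            roles: Dict[Tuple[str, str], str]) -> bool:
    """A connected, loop-free topology over N switches forwards on N-1 segments."""
    return len(active_segments(links, roles)) == len(bridges) - 1


# Constructed topology: SW1 has a lowered priority so it becomes root; the
# ring plus the SW2-SW4 diagonal gives two redundant segments to block.
# MACs are from the IANA documentation block 00:00:5e:00:53:xx.
BRIDGES = {
    "SW1": (4096, "00:00:5e:00:53:01"),
    "SW2": (32768, "00:00:5e:00:53:02"),
    "SW3": (32768, "00:00:5e:00:53:03"),
    "SW4": (32768, "00:00:5e:00:53:04"),
}
LINKS = [("SW1", "SW2", 4), ("SW2", "SW3", 4), ("SW3", "SW4", 4),
         ("SW4", "SW1", 4), ("SW2", "SW4", 4)]


def without(links: List[Link], a: str, b: str) -> List[Link]:
    """Topology after the a-b segment fails."""
    return [l for l in links if {l[0], l[1]} != {a, b}]


if __name__ == "__main__":
    for label, topo in (("steady state", LINKS),
                        ("SW1-SW2 failed", without(LINKS, "SW1", "SW2"))):
        roles = port_roles(BRIDGES, topo)
        print(label, "root =", elect_root(BRIDGES), "tree =", is_tree(BRIDGES, topo, roles))
        for port, role in sorted(roles.items()):
            print("  %s -> %s: %s" % (port[0], port[1], role))
```

Two of the five segments are blocked in steady state (SW3-SW4 and SW2-SW4), leaving the three forwarding segments a four-switch tree needs; removing SW1-SW2 turns SW2's port toward SW4 into its root port and blocks SW2-SW3 instead. This is only the topology computation; the 30 to 50 second delay of classic STP comes from the listening and learning timers the real protocol runs before a port forwards, not from this calculation.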


Using Layer 2 Versus Layer 3 at the Access Layer


Access switches are configured to use Layer 2 or Layer 3.

Figure 4: Layer 2 versus Layer 3 at Access Layer
[Figure: two designs side by side beneath a Layer 3 WAN edge. Left, "Layer 2 at Access":
Layer 2 switches at the access layer, L2/L3 switches at the aggregation layer. Right, "Layer 3
at Access": L2/L3 switches at both the aggregation and access layers, so routing extends from
the WAN edge down to the access layer.]

1. Using Layer 2 at the Access Layer


Using Layer 2 at the access layer is the traditional configuration. This provides plug-and-
play configuration and makes the deployment in smaller networks easier to implement
and manage.
Since this option usually requires Spanning Tree with legacy solutions, troubleshooting
can be more difficult in more complex networks, and convergence in case of a switch or
link failure often takes too long for larger highly available branch office LANs.
2. Using Layer 3 at the Access Layer
Routing is enabled on the switch when using Layer 3 at the access layer, but it still
provides the capability to put users into different VLANs. Layer 3 is more deterministic.
No Layer 2 loops are created in this design. STP can be disabled making it easier to
troubleshoot, which can be an issue in larger networks. Using OSPF or other open-
standard protocols for rapid convergence, sub-second convergence can also be expected.
For larger or more complex networks, this is a low-maintenance solution in comparison
to using Layer 2 at the access layer.
This option is more costly to deploy with legacy network equipment as Layer 3 usually
requires an additional license fee.
3. Recommendation
Juniper Networks solutions deliver either Layer 2 or Layer 3 at the access layer without any
added expense, as Layer 3 features are built into the base platform with no extra license
required. Instead of STP, Juniper solutions use open-standard routing protocols such as OSPF
for rapid convergence. LAN designs using the Juniper EX 4200 series with Virtual Chassis™
technology also benefit from Redundant Trunk Group (RTG), a built-in active/backup uplink
feature that replaces STP on the uplinks with sub-second failover; STP must be left disabled on
RTG links so that the two mechanisms do not interfere. And, according to an independent 2007
Lake Partners study (1), operating expense with Juniper Networks solutions can be up to 29
percent lower than with competitive solutions. Since licensing cost is not a differentiator,
LAN size and complexity determine when each solution is most appropriate.

(1) How Operating Systems Create Network Efficiency, Lake Partners Strategy Consultants, Inc., 2007


a. Highly available Micro, Small and Medium Branch Offices

Juniper recommends using Layer 2 at the access layer for highly available micro, small
and medium branch offices. Since the micro branch office LAN uses a single unified device, the
small branch office LAN uses just one access device and one edge device, and medium branch
office LANs use EX 4200 series switches with Virtual Chassis technology (a single logical
switch, so there are no redundant Layer 2 paths between access switches), STP is not required.
The resulting designs have fewer devices to manage and eliminate STP, speeding convergence
while reducing CAPEX and OPEX.
b. Highly Available Large Branch Offices
Since the LAN design for highly available large branch offices has a series of redundant
devices and connections, Juniper recommends using Layer 3 at the access layer, which is
included at no extra cost. In this design, Juniper switches with Virtual Chassis technology
deliver high-performance load balancing and simplified device management. This
equates to lower CAPEX and OPEX compared to competing solutions.

Implementing Unified Communications


Delivering voice, video and data on a single network infrastructure offers many cost savings and
operational simplicity benefits. It lowers communications expense and decreases the overall cost
of network ownership. It also simplifies network administration and maintenance operations.
However, it also presents a number of network challenges including QoS, security and port-
configuration requirements.

Considerations
Unified communications have real-time requirements that are not necessary for most data
applications. VoIP packets, for example, must be efficiently transported throughout the LAN
and WAN to ensure high quality voice communications, even when the network is experiencing
high utilization or congestion. Simply adding more LAN or WAN bandwidth doesn’t make the
network voice-friendly. Latency, jitter and packet loss are common VoIP challenges that must be
accounted for with QoS queuing and scheduling to ensure high quality VoIP communications. In
addition to access-based security measures, addressing port density and PoE requirements for IP
phones is fundamental to a successful design.
1. QoS
a. Classification and Enforcement
Each type of data flow on the LAN has different QoS requirements. Traditional
applications such as Web browsing and email work fine with the best-effort delivery
standard on IP networks. However, additional requirements must be met to ensure
effective delivery of voice, video conferencing and other real-time applications. Unlike
streaming video, for example, real-time voice data can’t be cached nor have lost packets
retransmitted since both would add an unacceptable delay, ruin the quality of the
communication and result in a poor user experience. Voice packets, therefore, must be
given top priority when creating QoS policies.
IP phones and other communication devices are likely to be spread throughout the LAN
in many different physical locations. VLANs, as discussed earlier, can be used to identify
and segment voice, video conferencing and data traffic, regardless of location, into logical
VLANs so that the appropriate QoS parameters can be easily applied to maintain optimal
service for each data flow.
To facilitate QoS, data can be classified by a combination of physical port, device and
protocol. For example, a block of IP phones connected to a specific LAN segment could
be placed in a VLAN designated for voice traffic based on their port numbers. Or Link
Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) could be used to discover an IP
phone and automatically place it on a VLAN using 802.1X. Or traffic from a soft phone


can be analyzed at the protocol level, with voice data given top priority regardless of the
source port. Once the data is classified with the appropriate Differentiated Services Code
Point (DSCP), it needs to be queued and scheduled. Most importantly, the same QoS
rules need to be enforced consistently throughout the LAN and WAN.
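The classification and scheduling just described, as an added example that is not part of this guide or of JUNOS: a small Python model that marks packets with a DSCP by access port, VLAN or protocol, then compares a single FIFO against a strict-priority voice queue on a congested port. VLAN ids, port numbers, the DSCP-to-queue mapping and the RTP port range are assumptions.

```python
"""DSCP classification and priority scheduling model for a voice/data access port.

Constructed example. VLAN ids, port numbers, the DSCP-to-queue mapping and the
RTP port range are assumptions, not EX-series or JUNOS defaults.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional

# DSCP code points: EF (RFC 3246) for voice media, AF41 (RFC 2597) for video,
# CS3 for call signalling, best effort for everything else.
DSCP_EF, DSCP_AF41, DSCP_CS3, DSCP_BE = 46, 34, 24, 0

VOICE_VLAN, VIDEO_VLAN, DATA_VLAN = 100, 110, 200   # assumed VLAN ids
VOICE_ACCESS_PORTS = {1, 2, 3, 4}    # assumed ports cabled to phones only
RTP_PORTS = range(16384, 32768)      # assumed RTP range used by soft phones

# Assumed mapping of DSCP onto the eight egress queues; queue 7 is strict priority.
QUEUE_OF_DSCP = {DSCP_EF: 7, DSCP_AF41: 4, DSCP_CS3: 3, DSCP_BE: 0}
STRICT_QUEUE = 7


@dataclass
class Packet:
    arrival_us: int            # arrival at the switch, in microseconds
    vlan: Optional[int]        # None for an untagged frame
    ingress_port: int
    udp_dst: Optional[int]     # None when the packet is not UDP
    size_bytes: int
    dscp: int = DSCP_BE


def classify(pkt: Packet) -> int:
    """Assign a DSCP using the three criteria in the text: port, VLAN, protocol."""
    vlan = pkt.vlan
    if vlan is None:  # untagged frame: the access port decides the VLAN
        vlan = VOICE_VLAN if pkt.ingress_port in VOICE_ACCESS_PORTS else DATA_VLAN
    if vlan == VOICE_VLAN:
        return DSCP_CS3 if pkt.udp_dst == 5060 else DSCP_EF   # SIP signalling vs. RTP
    if vlan == VIDEO_VLAN:
        return DSCP_AF41
    if pkt.udp_dst is not None and pkt.udp_dst in RTP_PORTS:
        return DSCP_EF    # soft phone on the data VLAN, recognised at protocol level
    return DSCP_BE


def mark(packets: List[Packet]) -> List[Packet]:
    """Classify every packet in place and return the list."""
    for p in packets:
        p.dscp = classify(p)
    return packets


def _pick(queues: Dict[int, deque], strict_priority: bool) -> Packet:
    """Strict queue first (if enabled), otherwise the longest-waiting head-of-line packet."""
    if strict_priority and queues[STRICT_QUEUE]:
        return queues[STRICT_QUEUE].popleft()
    q = min((q for q in queues if queues[q]), key=lambda q: queues[q][0].arrival_us)
    return queues[q].popleft()


def schedule(packets: List[Packet], link_bps: int, strict_priority: bool) -> Dict[int, int]:
    """Serve packets on one egress port; return the worst queuing delay (us) per DSCP."""
    pending = sorted(packets, key=lambda p: p.arrival_us)
    queues: Dict[int, deque] = {q: deque() for q in range(8)}
    worst: Dict[int, int] = {}
    now, i = 0, 0
    while i < len(pending) or any(queues.values()):
        while i < len(pending) and pending[i].arrival_us <= now:
            queues[QUEUE_OF_DSCP[pending[i].dscp]].append(pending[i])
            i += 1
        if not any(queues.values()):
            now = pending[i].arrival_us      # port idle: jump to the next arrival
            continue
        pkt = _pick(queues, strict_priority)
        worst[pkt.dscp] = max(worst.get(pkt.dscp, 0), now - pkt.arrival_us)
        now += pkt.size_bytes * 8 * 1_000_000 // link_bps   # serialisation time
    return worst


def constructed_workload() -> List[Packet]:
    """A PC bursts 100 full-size frames at t=0 while a phone sends 200-byte RTP every 20 ms."""
    pkts = [Packet(0, DATA_VLAN, 9, None, 1500) for _ in range(100)]
    pkts += [Packet(500 + 20_000 * k, VOICE_VLAN, 1, 20_000, 200) for k in range(3)]
    return pkts


if __name__ == "__main__":
    for strict in (False, True):
        worst = schedule(mark(constructed_workload()), 100_000_000, strict)
        print("strict-priority" if strict else "single FIFO", "worst EF delay:",
              worst[DSCP_EF], "us; worst BE delay:", worst[DSCP_BE], "us")
```

On the constructed 100 Mbps port the FIFO leaves the first voice packet waiting behind the whole data burst, while the strict queue bounds its wait to the one frame already being serialised.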
b. Built-In Quality of Service
QoS or Class of Service (CoS) features are built into all Juniper infrastructure, security
and application acceleration solutions. JUNOS software comes standard with a full
complement of QoS services; the EX-series supports eight queues per port and offers
a range of policing options from best effort delivery to enhanced delivery to assured
delivery. Since the same JUNOS software is found across all Juniper router and switch
solutions, the same QoS policies can be used throughout the LAN and WAN design for
easy and consistent traffic management. In addition, application-specific integrated
circuits (ASICs) in all Juniper solutions support QoS by processing prioritized data and
minimizing CPU load.
Note: For more on VoIP QoS, read Juniper pub# 351113-001 August 2005 - VoIP on the WAN: It’s
a Matter of Priorities.
2. Security
Implementing unified communications on the data network increases security concerns
that can have serious service impacts. Malicious attacks from outside the network and
inadvertent attacks from within the network must be prevented. New forms of toll fraud
and new security risks such as eavesdropping are being discovered at an ever-increasing
rate. Additional points of entry are created; a hacked VoIP system now provides a back
door to the corporate LAN. Security risks range from viruses, worms and DoS attacks to
unauthorized access. Deployment of VoIP solutions, similar to other network appliances,
must account for the security of the device itself, as well as how it can be used to
attack the network as a whole. Juniper Networks Intrusion Detection and Prevention
(IDP) solutions are recommended to thwart VoIP-related attacks in addition to typical
intrusions. An 802.1X solution should be used to authenticate and manage endpoints via
policy-based access. Using the protocol-specific Application Level Gateway (ALG) features
on all firewalls is recommended to dynamically open and close ports for each VoIP call.
3. Port Requirements
Implementing unified communications has a direct impact on port density and PoE
requirements.
a. Port Density
An adequate number of ports must be available to provide LAN connectivity for each
IP phone or other communication device. Juniper EX-series switches support two main
options to connect IP phones to the LAN, each presenting different port requirements.


Figure 5: IP Phone Connectivity Options (diagram: daisy chaining to the LAN via the IP phone,
with data and voice in a single VLAN or in separate data and voice VLANs, or independent LAN
connections with separate data and voice VLANs; in each case the devices connect to a Virtual
Chassis)

- Daisy-Chaining to LAN via IP Phone
Most IP phones have a 10/100 pass-through LAN port, allowing the PC and IP phone to be
daisy-chained and then connected to the LAN via one LAN port. Data and voice traffic can
be combined in one VLAN, or better yet, segmented into two separate VLANs. Since the
second configuration uses only one physical LAN port and takes advantage of separate
VLANs, it is commonly used in IP phone deployments.
With this option, a broadcast-intensive PC or a broadcast-heavy domain may hamper
real-time communications. Since all data from the PC needs to go through the phone
to get to the LAN or from the LAN through the phone to get to the PC, unexpected data
traffic could potentially overload the phone and ruin effective communication. High-
broadcast environments are therefore strongly discouraged to provide an acceptable user
experience and optimal audio quality. To mitigate this risk, it is recommended that voice
and data be kept on separate VLANs. If voice and data must be mixed, the VLAN should
contain no more than 250 other hosts and have as low a broadcast rate as possible.
The maximum broadcast rate should not surpass 500 per second and have an absolute
maximum of 1,000 per second.
Note: For more details, please read the Avaya IP Telephony Implementation Guide, COMPAS ID
95180.
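A check for the limits quoted above (no more than 250 other hosts, 500 broadcasts per second recommended, 1,000 per second absolute maximum), as an added example that is not part of this guide: it measures the peak one-second broadcast rate from constructed capture data, identifies the broadcast-heavy source, and returns a verdict. The host count is assumed to come from the switch MAC table and is passed in.

```python
"""Check a mixed voice/data VLAN against the limits quoted in the text:
at most 250 other hosts, broadcast rate ideally <= 500/s, never above 1000/s.

Constructed example, not part of the guide. Input is a list of (timestamp_s,
source_mac) broadcast frames, as a capture filtered on ff:ff:ff:ff:ff:ff would
give; the host count is assumed to come from the switch MAC table.
"""
from bisect import bisect_left
from collections import Counter
from typing import Dict, List, Tuple

MAX_OTHER_HOSTS = 250
BCAST_RECOMMENDED_PER_S = 500
BCAST_ABSOLUTE_PER_S = 1000

Frame = Tuple[float, str]   # (timestamp in seconds, source MAC)


def peak_broadcast_rate(frames: List[Frame], window_s: float = 1.0) -> int:
    """Most broadcast frames seen in any sliding window [t, t + window_s)."""
    ts = sorted(t for t, _ in frames)
    peak = 0
    for i, t0 in enumerate(ts):
        peak = max(peak, bisect_left(ts, t0 + window_s) - i)
    return peak


def top_talkers(frames: List[Frame], n: int = 3) -> List[Tuple[str, float]]:
    """Source MACs with the largest share of broadcasts, to find a broadcast-heavy PC."""
    counts = Counter(mac for _, mac in frames)
    total = sum(counts.values()) or 1
    return [(mac, c / total) for mac, c in counts.most_common(n)]


def assess_vlan(other_hosts: int, frames: List[Frame]) -> Dict[str, object]:
    """Return verdict 'ok', 'warn' or 'fail' together with the measurements behind it."""
    peak = peak_broadcast_rate(frames)
    findings: List[str] = []
    verdict = "ok"
    if peak > BCAST_ABSOLUTE_PER_S:
        verdict = "fail"
        findings.append(f"peak broadcast rate {peak}/s exceeds the absolute maximum "
                        f"of {BCAST_ABSOLUTE_PER_S}/s")
    elif peak > BCAST_RECOMMENDED_PER_S:
        verdict = "warn"
        findings.append(f"peak broadcast rate {peak}/s exceeds the recommended "
                        f"{BCAST_RECOMMENDED_PER_S}/s")
    if other_hosts > MAX_OTHER_HOSTS:
        verdict = "fail"
        findings.append(f"{other_hosts} other hosts exceeds the maximum of {MAX_OTHER_HOSTS}")
    return {"verdict": verdict, "peak_per_s": peak, "other_hosts": other_hosts,
            "top_talkers": top_talkers(frames), "findings": findings}


def constructed_capture() -> List[Frame]:
    """240 quiet hosts sending one ARP each over 2 s, plus one PC sending 600 in 0.5 s."""
    frames = [(n * 2.0 / 240, f"00:00:5e:00:53:{n:02x}") for n in range(240)]
    frames += [(k * 0.5 / 600, "00:00:5e:00:53:ff") for k in range(600)]
    return frames


if __name__ == "__main__":
    result = assess_vlan(other_hosts=241, frames=constructed_capture())
    print(result["verdict"], "-", result["peak_per_s"], "broadcasts/s peak")
    for mac, share in result["top_talkers"]:
        print(f"  {mac}  {share:.0%} of broadcasts")
    for line in result["findings"]:
        print("  -", line)
```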
- Using Independent LAN Connections
Two LAN ports are used in this configuration to provide physical separation of both
the devices and data flow for security and easier VLAN segmentation. Usually used in
10/100BASE-T LANs, this method ensures that the voice data is not mixed with nor
affected by any potential data flooding from or to the PC.


The issue with this option is in not having enough physical ports available, which is
easily addressed with the scalable Juniper EX-series switches presented in the Access
Layer Hardware Configurations section. Depending on the number of phones required,
however, it may be more costly than the first option.
b. PoE
Many IP phones and CCTV devices have neither internal nor external power supplies and
instead obtain their system power from a PoE connection. All devices needing PoE must
be accounted for when compiling port requirements. It’s also important to know the class
of each IP phone and the power draw of each device.
The access layer devices traditionally used by highly available micro branch offices don’t
offer PoE services. Wall-powered IP phones and cameras need to be used when planning
for unified communications in that type of branch LAN.
For branches with IP telephony and unified communications requirements, solutions
from Juniper partners Avaya and Microsoft are recommended.

Access Layer Security with IEEE 802.1X and Unified Access Control
Increasing security threats and risks force branch office LANs to remain secure and controlled
on all fronts, yet also provide open and pervasive access to maintain and increase productivity.
802.1X and Juniper Networks Unified Access Control (UAC) are used to effectively handle
unmanaged devices and guest users attempting network access, as well as to support
unmanageable devices, post admission control, and application access control, visibility and
monitoring.

IEEE 802.1X
The 802.1X standard provides a strong framework for authentication, access control and data
privacy for port-based network access control. An 802.1X access control solution completes
the authentication of network credentials even before a network IP address is assigned, thus
preventing unauthorized access and ensuring that viruses and other threats are halted before
they can spread into an organization. After login, Dynamic Port-Based Role Configuration is used
to then restrict use of specific resources.

UAC
Juniper Networks UAC solution combines identity-based policy and endpoint intelligence to give
enterprises real-time visibility and policy control throughout the network. The UAC solution may
make use of all or some of the following components: an Infranet Controller, which serves as
a centralized policy manager; a UAC Agent, which is dynamically downloadable or agentless
endpoint software, and several different forms of enforcement points that include both firewalls
and vendor-agnostic 802.1X-compliant switches and/or WLAN access points. UAC provides a
cost-effective solution to the problem of unmanaged or ill-managed endpoint security throughout
the LAN. In essence, UAC enables the creation of a powerful network perimeter defense via
robust admission controls that ensure that endpoints comply with required OS updates, security
patches, personal firewall requirements, virus signatures, and so on, before being allowed access
to the LAN.


Access Layer Hardware Configurations


To meet the access requirements of any sized branch office, Juniper provides a scalable chassis
solution.

Scalable Configuration with Virtual Chassis Technology


A branch office LAN must be able to accommodate growth and adapt to new technologies. This
needs to be done economically from capital expense, network overhead and network operational
expense perspectives. Juniper Networks addresses these requirements with a true innovation: EX
4200 series switches. This solution advances the economics of networking by delivering the High
Availability and high port densities of a modular chassis in a compact, cost-effective, pay-as-you-
grow platform.
1. Features and Benefits
Each compact EX 4200 series switch offers either 24 100BASE-FX/1000BASE-X ports,
24 10/100/1000BASE-T ports or 48 10/100/1000BASE-T ports. The 10/100/1000BASE-T
platforms offer either full or partial PoE options (partial solutions provide PoE on the first
eight ports of the switch; full options provide PoE on all 24 or 48 ports). Each PoE port
delivers up to 15.4 watts of power and is compatible with class 0-3 IP phones. The EX
4200 series switches’ built-in LLDP-MED services help automate and extend the power
management of these PoE endpoints as well as assist with inventory management and
directories.
Each EX 4200 series switch supports optional front-panel uplink modules supporting
either four GbE or two 10 GbE ports for high-speed connections to aggregation or core
switches. These uplinks support online insertion and removal.

Figure 6: Virtual Chassis™ Technology (diagram comparing a legacy aggregation switch of 12-15
rack units (RUs) with 48-288 GbE ports + 4 10GbE against EX 4200 series Virtual Chassis
configurations: 1 RU with 24 GbE ports + 2 10GbE; 2 RU with 48 GbE ports + 4 10GbE; 4 RU with
96 GbE ports + 8 10GbE)

2. Pay-As-You-Grow Scalability
The Juniper Networks Virtual Chassis technology enables a branch to add as many EX
4200 series switches as needed to meet its connectivity needs. Juniper’s unique pay-
as-you-grow model allows a branch to start with a single EX 4200 series switch (1 RU)
and incrementally add up to nine more switches to the virtual chassis at any time for
a total of 10 switches before starting another virtual chassis. Resiliently interconnected
via a 128 Gbps virtual backplane or 10 GbE uplink module, a fully-loaded Virtual Chassis
configuration supports up to 240 100BASE-FX/1000BASE-X ports, 480 10/100/1000BASE-T
ports, or any combination of the two, plus up to twenty 10 GbE uplink ports. Not only
does Virtual Chassis technology lower capital expenses when compared to traditional
chassis systems, but it dramatically reduces operating expenses by enabling any group of
interconnected switches to appear on the network and be remotely managed as a single
unit. Coupled with the incremental, pay-as-you-grow model, the compact form factor
of the virtual chassis enables the branch to save not only on upfront and recurring rack
space usage but also on costly power and cooling fees.

Copyright ©2008, Juniper Networks, Inc. 17


Branch LAN Connectivity Design Guide

Small branch offices on a budget may consider the Juniper Networks EX 3200 series
switch, which provides most of the same robust features as the EX 4200 series with the
exception of Virtual Chassis technology.
3. Carrier-Class Reliability
The EX 4200 series switches with Virtual Chassis technology also provide the same
HA features as modular chassis-based systems. Each switch supports redundant, load-
sharing, hot-swappable AC or DC power supplies, as well as a field-replaceable hot-
swappable fan tray with redundant blowers, any of which can fail without affecting
operations.
Virtual Chassis technology provides unparalleled device and link HA utilizing the virtual
backplane protocol and JUNOS software. Each set of interconnected switches with
Virtual Chassis technology automatically takes full advantage of the multiple Routing
Engines present to deliver Graceful Routing Engine Switchover (GRES) and non-stop
forwarding to ensure uninterrupted operation in the rare event of any individual switch
failure. For added device and link HA, a virtual chassis can be configured to address any
requirements. For example, a single virtual-chassis configuration of 10 switches could
be configured instead as two five-switch virtual-chassis configurations, or in any other
desired combination.
4. Location Independence
Another key feature of Virtual Chassis technology is that the virtual backplane protocol
can also be extended across the 10 GbE uplink ports to interconnect switches that are
more than a few meters apart, creating a single virtual switch that spans multiple wiring
closets, floors or even data center server racks. Even when separated by long distances,
interconnected switches with Virtual Chassis technology can be managed, monitored,
upgraded and otherwise treated as a single resilient switch, dramatically reducing
recurring management and maintenance costs.
Figure 7: Reducing CAPEX and OPEX with Virtual Chassis Technology (diagram: a legacy design with
separate L2/L3 switches in the West Closet and East Closet of every floor from Floor 1 to Floor N,
compared with a Virtual Chassis design in which the switches in both closets serve the access
points and are managed as one unit, giving 50% fewer wiring closets to manage)


5. Reducing CAPEX and OPEX
At one eighth the footprint and less than one third the cost of the most commonly
purchased chassis-based switch offering 48 fiber GbE ports and four 10 GbE wire-speed
ports, the Juniper EX 4200 series with Virtual Chassis technology represents the new
generation of switching.
The Juniper EX 4200 series switches come standard with features that are costly add-ons
in competitive solutions. For example, the EX 4200 series includes Layer 3 in the base
platform, offers built-in 10 GbE uplink capability, delivers partial or full PoE, provides
built-in redundant power supplies and more in a single cost-optimized platform. OPEX
savings include the unified JUNOS software feature set and remote mirroring capability
for full troubleshooting from a central Network Operations Center (NOC), rather than
having to send IT staff onsite for maintenance, upgrades and debugging.
Not only does Juniper Networks lower capital and operational expense by collapsing
layers and therefore reducing the number of devices in the network that need to be
purchased and managed, but Virtual Chassis technology saves on valuable rack space, as
well as recurring power and cooling costs. Delivering greater value while reducing capital
and operational expenses, Virtual Chassis technology frees up precious IT budget dollars
that can be more wisely invested in new technologies that improve business productivity.
Note: For a full set of features, benefits and specifications, please view the Juniper Networks EX
4200 series with Virtual Chassis Technology Data Sheet.

Aggregation Layer
The aggregation layer, sometimes referred to as the distribution layer, aggregates connections
and traffic flows from multiple access layer switches to provide connectivity to LAN core or WAN
edge layer switches.

Services and Considerations


Due to their location in the network, aggregation-layer switches must provide scalability, high-
density, wire-rate ports, and high-availability hardware and software features that deliver carrier-
class reliability and robustness.
The aggregation layer is also a location from which to deploy additional services, such as
Dynamic Host Configuration Protocol (DHCP), a vital service used by networked devices and
clients. DHCP is necessary for the branch office LAN to function at all if WAN connectivity to the
headquarters or data center is lost. Another valuable aggregation layer service is providing
high-performance connectivity to local application servers in the branch office.

Branch Office Recommendations


1. Highly Available Micro Branch Office
In a micro branch office, all layers, including the aggregation layer, are collapsed into the
WAN edge layer. A Juniper Networks J-series Services Router, covered in more detail in the
WAN Edge section, is used for all services.
2. Highly Available Small and Medium Branch Office
In small and medium branch offices, the aggregation layer is collapsed into the access
layer. The EX 4200 series switches with Virtual Chassis technology not only provide
hardware HA features and pay-as-you-grow scalability with features such as full or
partial PoE, but the EX 4200 series switches’ high throughput capacity and 10 GbE
uplink capacity eliminate the need for aggregation switches in these branch designs.
Additionally, the EX 4200 series switches deliver wire-rate connectivity, high throughput
capacity and industry-leading low latency, making them the ideal platform with which to
connect local servers. This reduces capital expenses and simplifies network operations.


The EX 4200 series switches also run the JUNOS software, providing full network
software HA features and further simplifying network operations. These solutions also
connect to a J-series services router at the WAN edge, which also provides DHCP.
3. Highly Available Large Branch Office
Due to the performance requirements of a highly available large branch office, HA
features and scalability are increased with a LAN design including an aggregation layer.

Figure 8: Aggregation Layer in a Highly Available Large Branch Office LAN (diagram: on Floor 1
through Floor N, EX 4200 series access switches with PoE serve access points and security cameras
and connect to an aggregation layer of EX 4200 series Virtual Chassis, which in turn connects to
two J-series routers for the WAN and the Internet)

In addition to the EX 4200 series switches with Virtual Chassis technology deployed at
the access layer, two more virtual chassis are added as aggregation layer devices between
the access layer switches and the two J-series Services Routers at the WAN edge.
a. HA
Virtual Chassis technology enables fail-safe operations, as each unit is capable of passing
data from one to another in the event of a failure. Redundant links to each WAN edge
device are also provided in the event of a device or link failure. In addition to the device
HA features standard in the EX 4200 series switches, all equipment runs JUNOS software,
providing software HA features such as QoS and GRES, preserving forwarding and routing
operations during device events with non-stop forwarding and automatic load balancing.
b. Scalable Performance
Each EX 4200 series switch with Virtual Chassis technology provides pay-as-you-grow
scalability with features such as no (fiber only), full or partial PoE capability (8/24 or 8/48
ports). Virtual Chassis technology enables seamless scaling by allowing up to 10 EX 4200
series switches to be interconnected via a 128 Gbps backplane or via optional 10 GbE
uplink modules. Virtual Chassis technology simplifies administration as these devices can
be managed as one unit. In addition, multiple 10 GbE uplinks from any of the switches
that are members of the same virtual-chassis configuration, regardless of physical
location, can be link-aggregated for higher bandwidth connections to other aggregation
or core switches. Uplinks from up to 10 EX 4200 series switches can be combined over
fiber into a Link Aggregation Group (LAG) to provide load balancing for increased upstream
performance and further link-level HA.
If more ports or throughput is required, another virtual chassis of up to 10 EX 4200 series
switches can be created. If extra device and link redundancy is required, as many virtual
chassis as desired can be deployed.


To meet the aggregation demands of even the largest branch office, the top-of-the-line EX
8200 Terabit-chassis switch delivers a powerful, high-density, high-performance solution.
Capable of up to 3.2 Tbps throughput, the EX 8200 series Ethernet switches offer up to 64
(eight-slot chassis) or 128 (16-slot chassis) wire-speed 10 GbE ports.
c. CAPEX and OPEX Savings
Typically more than two layers of legacy Layer 3 switches are required to achieve the
wire-speed port densities demanded by today’s high-performance large branch office. The
Juniper Networks EX 4200 series switches, however, meet these needs and also enable
the collapse of the LAN core and aggregation layers, creating a direct positive impact
on the economics of networking. Virtual Chassis technology also simplifies network
operations and lowers operating expense on all fronts, from JUNOS software upgrades
and moves, adds and changes to troubleshooting and problem resolution.
Previously, only expensive chassis-based switches could provide the combination of
high 1000BASE-X fiber port densities and the HA features required to satisfy aggregation
layer requirements. While certainly scalable and highly available, these modular chassis-
based switches are not a very cost-effective solution for such applications. First, they
require a considerable up-front investment for the chassis and common equipment,
even if not fully populated. Second, because of their size, modular chassis require more
space in already crowded racks, taking up valuable real estate. Third, modular chassis
require more power and cooling—recurring costs that increase operational expenses and
contribute to the production of greenhouse gases that threaten the environment.
The Juniper EX 4200 series switches with Virtual Chassis technology represent the new
generation of aggregation switching. They deliver greater value while reducing capital
and operating expenses, freeing up valuable IT resources to invest in new technologies to
improve business productivity.
Note: For a full set of features, benefits and specifications, please view the Juniper Networks EX
4200 Switches with Virtual Chassis Technology data sheet.


WAN Edge Integration


WAN connectivity provides a vital link from the branch office to centralized services and
resources. Designing and scaling a branch LAN for assured network connectivity and
performance is a challenge that every high-performance organization faces.

Figure 9: WAN Edge in a Highly Available Large Branch Office LAN (diagram: on Floor 1 through
Floor N, EX 4200 series switches with PoE serve access points and security cameras; the WAN edge
layer consists of two J-series routers connecting to the WAN and the Internet)

WAN Edge Considerations


HA
All WAN edge devices must provide a full complement of HA services to maintain critical WAN
connectivity. The hardware must be robust and ideally offer dual hot-swappable power supplies
and fans, preferably on-board. Based on the budget and HA requirements, key devices should
be paired in active/active routing states. A PSTN link, at minimum, should be provisioned as a
backup or alternate connection to the Internet or WAN.

Voice Gateway
Secure and optimized voice services should be provided at the WAN edge to enable effective
communications across the LAN and WAN. Either an integrated or standalone VoIP gateway may
be implemented.

WAN Acceleration
Adding more bandwidth doesn’t automatically deliver LAN-like performance across the WAN.
Acceleration services are needed to optimize performance of centralized applications across the
WAN at all times, even when bandwidth is constrained.

Firewall/VPN
Security must be provided at the WAN edge, including VPN connections to remote locations and
users as well as integrated firewall services to protect against worms, trojans, viruses and other
malware. Such services should be centrally managed to facilitate rapid deployment and minimize
ongoing operational costs.


WAN Edge Recommendations


A WAN edge routing platform must offer sufficient high-speed Ethernet ports to provide
connectivity between the WAN and the aggregation or access layer. The Juniper Networks J-series
Services Router meets these requirements and more. The J-series runs JUNOS software, providing
advanced carrier-class and field-proven routing features including QoS, and also offers firewall
and VPN services for securing WAN traffic.
Should security be the primary focus at the WAN edge, the Juniper Secure Services Gateway
(SSG) platforms could also be considered.

J-series Services Routers


The J-series is a services router that provides predictably high performance and a modular,
carrier-class interface that delivers secure, reliable and scalable network connectivity. It is used in
all highly available branch office solutions in a number of capacities: as a unified device for micro
branch offices, and as a WAN edge platform for small, medium and large branch offices.

Figure 10: J-series Services Router in a Highly Available Micro Branch Office LAN (diagram: a
single J-series router connects the access point to the WAN and the Internet)

1. Features and Benefits
In addition to providing high-throughput and high-capacity wired ports, all J-series
platforms run the modular JUNOS software, which offers advanced services such as
MPLS, IPv6, QoS and multicast in the base system at no additional license fee or upgrade.
This not only reduces operating expense, but also capital expense, by consolidating
multiple physical networks and providing support for diverse Layer 2 networks over a
common infrastructure.
2. Integrated Services
In addition to a Command Line Interface (CLI), J-Web—built-in JUNOS software—offers
remote Web-based management of all J-series models. Built-in troubleshooting also
minimizes network downtime and decreases operating expenses and revenue losses due
to outages. The J-series also includes integrated voice, WAN acceleration, and firewall and
VPN services.
a. Integrated Voice Gateway
The Avaya IG550 voice gateway is integrated as a standard feature on some J-series
models, and is available as an option on other models, providing best-in-class IP
telephony. Juniper and Avaya equip branches of all sizes with access to a full suite of
intelligent communications applications in a way that keeps costs under control and


minimizes complexity for local IT staff. In addition, this joint solution offers multiple
levels of business continuity options, designed to enable branches to continue effective
operations under a variety of emergency or network conditions.
b. Application Acceleration with the WXC Integrated Services Module
Included in the J-series, the WXC Integrated Services Module provides distributed
enterprises with an easy-to-use, scalable approach to accelerating application delivery
over the WAN. Based on the integrated WX Framework, the WXC module optimizes
bandwidth use on WAN circuits and accelerates application performance by leveraging a
mix of bandwidth management, compression, caching, path optimization and protocol
acceleration techniques. For example, the WXC module lowers bandwidth requirements
for file sharing and data replication processes by up to 98 percent, and even VoIP
bandwidth can be reduced by up to 30 percent. A broad set of centralized management
tools ensures that remote performance remains on a par with local access, even over
constrained and contended links.
c. Firewall/VPN
The J-series solutions provide the essential security functions required for securely
connecting sites over the Internet, including integrated firewall and IPSec VPN. The
platform also supports centralized user security policy and enables a unique HA option in
the form of dynamic route-based VPNs. Virtualization technologies allow segmentation of
the network into many separate zones within a single platform for enforcing compliance
to corporate security policies.
3. HA Hardware
The J-series provides dual field-serviceable power supplies and dual field-serviceable fans
standard on some models and optional on others to maximize device-level HA.
4. Expandability
The J-series offers the performance headroom and extensible memory to meet future
demands, providing unmatched reliability, investment protection and value for the
enterprise. Each J-series unit can be enhanced with a variety of optional physical interface
modules (PIMs). Though it offers no PoE capabilities, its port capacity can be easily
expanded from four to 48 10/100/1000BASE-T ports with a series of PIMs.
Note: For a full set of features, benefits and specifications, please see the Juniper Networks
J-series Services Routers Data Sheet.

Operational Simplicity and Unified Management


Network operations form a large portion of any IT budget, and any methods of simplifying
branch LAN operations help reduce operations expense. The four main challenges that
complicate the streamlining of network operations are:
• Inconsistent Feature Set
Most hardware solutions have different operating systems or feature implementations
for each platform. This requires IT to invest considerably in training to master a variety
of interfaces. It also adds a layer of inefficiency and complexity while increasing the
potential for misconfiguration when trying to apply consistent enterprise-wide services
across the branch office LAN and WAN.
• Upgrades and Deployments
Testing and deploying operating system upgrades or patches can be a time-consuming
and ongoing process due to the number of different operating systems found in most
legacy branch LAN solutions and the varying release schedules to which each adheres.

• Unreliable Monolithic Operating Systems
Legacy hardware solutions have operating systems built on a monolithic architecture
with each code function intertwined with the others. If any part of the monolithic
program fails—for example, a bug in Simple Network Management Protocol (SNMP)—
the operating system crashes. Such a fault can cause the line cards to crash or restart,
resulting in hundreds of seconds of downtime.
• Lack of Unified Management
The lack of unified features also impacts all aspects of setting and managing device
configurations, network settings and security policies. Not only do different interfaces
increase the time of each task, but operations costs are further increased as IT needs to
visit remote branch locations to configure devices, apply network settings and set security
policies. What’s needed instead is a set of unified and centralized management tools to
address these types of operations remotely.
Juniper Networks addresses all of these issues and reduces costs by providing JUNOS software,
Juniper Networks NetScreen-Security Manager (NSM), and J-Web.

Achieving Operational Simplicity with JUNOS Software


JUNOS software is the common operating system on all Juniper Networks switches, routers,
firewalls and acceleration solutions. Not only does JUNOS software deliver advanced carrier-class
network services, it provides a consistent feature set, and a centralized management capability
which simplifies planning, speeds implementation, and enables intuitive day-to-day operations
and management of any network.

The Power of JUNOS Software


Fundamental to the value of the JUNOS software are the “three ones”—one source code, one
release train and one modular architecture. By running a common operating system on all
products, Juniper dramatically reduces maintenance and management overhead while ensuring
interoperability and a consistent feature set across all products.

[Figure 11: product line from the J-series up to the TX Matrix running one OS; release train 8.5 (Q407), 9.0 (Q108) and 9.1 (Q208) as one release; modules attached through an API as one architecture. Labels: One OS, One Release, One Architecture.]

Figure 11: JUNOS Software—The Three Ones: One Source Code, One Train and One Modular
Architecture

Modular Processes
The JUNOS software is a completely modular operating system, enabling a functional division
of labor for seamless development and operation of many advanced features and capabilities.
By partitioning the software system, tasks are broken into manageable subsets that interact
infrequently and provide new levels of fault-tolerance. Unlike monolithic operating systems, each
key JUNOS software function executes as an independent process and runs in its own protected
memory space. Loading or executing one doesn’t affect the others. One daemon can restart
independently without disrupting another or forcing a full system crash or restart. A benefit of
this approach is the ability to maintain full control of the switch or router at all times. Because of
the separation of control, forwarding and services, filters can be added in real time to thwart a
DDoS attack.

Rollback Capability
JUNOS software also offers error-resilient configuration that prevents operators from
inadvertently bringing down the network. IT must explicitly commit changes after entering and
reviewing all modifications. If a configuration change causes loss of connectivity to the device
and no follow-up confirmation is provided, the device automatically reverts to the previous
configuration, restoring connectivity, saving time and ensuring Link-level HA for remotely
operated branch deployments. In addition to automatically checking for errors or incorrectly
constructed configurations that could cause potential problems, JUNOS software provides a
rollback command to quickly restore any of the 50 prior configurations.
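The commit-confirmed safety net described above, together with the real-time filter addition mentioned under Modular Processes, as an added example session that is not from the guide. The hostname, filter and term names and the NOC management prefix 192.0.2.0/24 are assumptions; the filter only restricts SSH and HTTPS reaching the router itself and accepts everything else, so a mistyped prefix is exactly the lockout case that commit confirmed protects against:

```junos
## Added example session on a remote J-series router (not from the guide).
## Hostname, filter/term names and the NOC prefix 192.0.2.0/24 are placeholders.
user@branch-j> configure
Entering configuration mode

[edit]
user@branch-j# set firewall family inet filter PROTECT-MGMT term noc-only from source-address 192.0.2.0/24
user@branch-j# set firewall family inet filter PROTECT-MGMT term noc-only from protocol tcp
user@branch-j# set firewall family inet filter PROTECT-MGMT term noc-only from destination-port [ ssh https ]
user@branch-j# set firewall family inet filter PROTECT-MGMT term noc-only then accept
user@branch-j# set firewall family inet filter PROTECT-MGMT term drop-other-mgmt from protocol tcp
user@branch-j# set firewall family inet filter PROTECT-MGMT term drop-other-mgmt from destination-port [ ssh https ]
user@branch-j# set firewall family inet filter PROTECT-MGMT term drop-other-mgmt then count mgmt-drops
user@branch-j# set firewall family inet filter PROTECT-MGMT term drop-other-mgmt then discard
user@branch-j# set firewall family inet filter PROTECT-MGMT term allow-rest then accept
## Traffic to the router itself passes the lo0 input filter
user@branch-j# set interfaces lo0 unit 0 family inet filter input PROTECT-MGMT

## Review exactly what will change against the active configuration
user@branch-j# show | compare

## Activate for 5 minutes only. If the NOC prefix was mistyped and this SSH
## session dies, no confirming commit arrives and the router reverts on its own.
user@branch-j# commit confirmed 5
commit confirmed will be automatically rolled back in 5 minutes unless confirmed
commit complete

## The session survived, so make the change permanent
user@branch-j# commit
commit complete

## Check that stray management attempts are being counted and dropped
user@branch-j# run show firewall filter PROTECT-MGMT

## Any of the 50 prior commits can be compared with and restored later
user@branch-j# show | compare rollback 1
user@branch-j# rollback 1
load complete
user@branch-j# commit
```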

Advanced Features
The JUNOS software also provides a broad spectrum of advanced routing and security features
such as stateful firewall, IPSec, MPLS and IPv6 without requiring an additional software license.
In addition, the JUNOS software provides comprehensive QoS functions to classify, prioritize
and schedule traffic for applications such as VoIP. For medium and large branches using Virtual
Chassis technology, the JUNOS software enables bidirectional forwarding detection for early
detection of node or link failures.

Benefits
By running a common operating system, these Juniper solutions dramatically reduce
maintenance and management overhead while ensuring a consistent feature set across all
products, as well as a consistent implementation and management of those features. This
equates to time savings in all categories of operations. In addition to a reduction in training time,
the inherent interoperability across all platforms greatly simplifies new feature deployment,
software upgrades and other network modifications. A single consistent code set also enables
customers to qualify and deploy just one release. For many customers, the testing time of a new
release is cut from what was months down to just a few weeks. JUNOS software also provides
features to facilitate fast restoration of previous configurations.

Impact
In an independent study conducted in 2007, Lake Partners quantified the time savings Juniper
Networks customers experienced using the JUNOS software across a number of common
network operational tasks. The results are presented in Table 3:

Table 3: JUNOS Software Operating Efficiencies (Lake Partners 2007)

Network Operations Task                    Average JUNOS Efficiency
Adding Infrastructure                      29 percent
Upgrading and Planned Events               23 percent
Troubleshooting and Unplanned Events       54 percent
Monitoring and Optimizing                  24 percent
Average Time Saved With JUNOS Software     25 percent

This time savings translates to a substantial, tangible cost savings. According to Lake Partners,
an infrastructure of any size running JUNOS software can save up to 29 percent on operational
costs. Seeing that the IT department of a typical enterprise spends 40 to 60 percent of its budget
to maintain and enhance basic IT services (McKinsey & Company 2006), this savings could be
considerable.

Unified Management with Juniper Networks NetScreen-Security Manager


The Juniper Networks NetScreen-Security Manager (NSM) product is a powerful, centralized
management solution that controls the entire device life cycle of firewall/IPSec VPN and
IDP devices, including basic setup and network configuration with local and global security
policy deployment. Unmatched role-based administration allows IT departments to delegate
appropriate levels of administrative access to specific users, thereby minimizing the possibility of
a configuration error that may result in a security hole. NSM can easily scale to meet the needs
of any enterprise with branch offices. A wide range of reporting tools are available, enabling
IT to view and analyze network traffic, device and VPN statistics, system resources and other
administrative information. IT can also customize templates for commonly used reports and
generate these reports on a regularly scheduled basis.

Benefits
NSM lowers operational costs by presenting a Graphical User Interface (GUI) to simplify complex
tasks such as device configuration, supplying device templates to minimize configuration errors,
providing investigative tools for complete visibility into the network, and more.

Remote Configuration and Management with J-Web


In addition to a full-featured CLI, J-Web, a Web-based tool, is available to configure and manage
any JUNOS software powered device.

Benefits
Built on JUNOS software, J-Web offers highly available branch offices of all sizes a GUI for device
management that complements the exciting suite of element and service management products
from Juniper. J-Web provides IT administrators and network operators with simple-to-use tools
to quickly and seamlessly monitor, configure, troubleshoot and manage any switch, router or
firewall.
J-Web allows non-technical users in branch office/small office environments to commission
and bring a switch or router online quickly and easily. It offers seamless GUI access to all of
the features and functions of JUNOS software, reducing timelines for new service deployments.
J-Web can be quickly integrated into existing network management or OSS (Operational Support
System) applications such as Micromuse Netcool Omnibus, Dorado RedCell Manager, IBM
Tivoli and HP Openview, thereby minimizing complexity for the service provider or enterprise
customer. Fast, error-free service changes and upgrades can be made with J-Web’s quick
configuration wizards, and new services can be rapidly created and deployed with the use of
configuration and QoS wizards that allow for real-time changes to service parameters.

Recommended Branch LAN Configurations


With all of these design considerations in mind, Juniper Networks recommends the following
configurations for branch LANs.

Table 4: Recommended Branch LAN Configurations

Columns: Branch LAN Category | Branch LAN Design Considerations | Branch LAN Design (figure with callouts)

Highly Available Micro Branch Office
Branch LAN Design Considerations: This design is focused on:
• Secure Connectivity
• Simplicity
• High Availability
Juniper solutions:
• The J-series Services Router is used as an all-in-one solution for access connectivity, aggregation, and WAN edge services such as voice, WAN optimization, firewall security and VPN.
Branch LAN Design (figure): WAN/Internet – J-series – access point, security camera and endpoints.
J-series callouts: Dual Power Supplies; Integrated Avaya Voice Gateway; Integrated WX WAN Optimization; Integrated Security/VPN Services; [n]-port GE uPIM; J-Web Management; JUNOS.
Endpoint callouts: UAC Agent; Host Checker; Personal Firewall; externally wall-powered phones, cameras and APs.

Highly Available Small Branch Office
Branch LAN Design Considerations: In addition to the micro branch office considerations, this design is focused on:
• PoE
• Increased levels of High Availability
• Local Server Infrastructure
Juniper solutions:
• The EX 3200 series or EX 4200 series switches are used as access layer devices with PoE for IP phones and WLAN access points, and HA features. They also provide high throughput connectivity to local servers.
• The J-series Services Router is used as a WAN edge device.
Branch LAN Design (figure): WAN/Internet – J-series – EX Series switch – PoE access point, local servers, security camera and endpoints.
J-series callouts: Dual Power Supplies; Integrated Avaya Voice Gateway; Integrated WX WAN Optimization; Integrated Security/VPN Services; J-Web Management; JUNOS.
EX Series callouts: [n]-port full or partial PoE; Dual Power Supplies; Power over Ethernet; UAC Enforcement Point; LLDP-MED for Auto Phone Detection; J-Web Management; JUNOS.
Endpoint callouts: UAC Agent; Host Checker; Personal Firewall.

Highly Available Medium Branch Office
Branch LAN Design Considerations: In addition to the small branch office considerations, this design is focused on:
• Scalability
• High Availability
Juniper solutions:
• Two EX 4200 series switches with Virtual Chassis technology are used as a unified access layer switch with PoE and HA features. The unified Virtual Chassis also provides high throughput connectivity to local servers.
• J-series Services Router is used as a WAN edge device.
Branch LAN Design (figure): WAN/Internet – J-series – EX 4200 Series Virtual Chassis – PoE access point, local servers, security camera and endpoints.
J-series callouts: Dual Power Supplies; Integrated Avaya Voice Gateway; Integrated WX WAN Optimization; Integrated Security/VPN Services; J-Web Management; JUNOS.
EX 4200 Virtual Chassis callouts: Dual Power Supplies; Power over Ethernet; UAC Enforcement Point; LLDP-MED for Auto Phone Detection; Single Image, Configuration, and Management for Virtual Chassis; JUNOS.
Endpoint callouts: UAC Agent; Host Checker; Personal Firewall.

Highly Available Large Branch Office
Branch LAN Design Considerations: In addition to the medium office considerations, this design is focused on:
• The Layered Approach
• Scalability
• High Availability
Juniper solutions:
• Multiple EX 4200 series switches with Virtual Chassis technology are used to create two access layer switches for scalability and HA. Two Virtual Chassis deployments are used as aggregation-layer switches for high throughput and local server connectivity.
• Two J-series Services Routers are used as WAN edge devices for added Device and Link-level HA.
Branch LAN Design (figure): WAN/Internet – two J-series routers – two EX Series aggregation Virtual Chassis – EX Series access switches on Floor 1 through Floor N, each with PoE access points, security cameras and endpoints.
Access Switches callouts: Dual Power Supplies; Power over Ethernet; UAC Enforcement Point; LLDP-MED for Auto Phone Detection; L3 to the Edge or L2 RSTP/MSTP; Virtual Chassis; [n] GbE uplinks and [n] Gb upgradable.
Aggregation switch callouts: Fiber Aggregator (copper); Dual Power Supplies; Wire Speed, Nonblocking; Virtual Chassis; J-Web Management; JUNOS.
J-series callouts: Dual Power Supplies; Integrated Avaya Voice Gateway; Integrated WX WAN Optimization; Integrated Security/VPN Services; J-Web Management; JUNOS.

Conclusion
The network plays an integral role in today’s business, making it arguably the most valuable
corporate asset. With a trend towards a decentralized workforce, branch LANs are becoming
increasingly critical to overall business success. Legacy solutions cannot meet the growing branch
office LAN needs for security, connectivity, performance and HA. A new branch office LAN
design that meets these needs while enabling key IT initiatives is needed. It must also scale and
flexibly accommodate new computing trends without an entire redesign.
Juniper solutions, including a new family of high-performance Ethernet switches, redefine
the way businesses build branch office networks. Offering high port densities, wire-speed
connectivity and HA in compact, pay-as-you-grow platforms, Juniper switches represent a
powerful yet cost-effective alternative to the aging and expensive solutions pushed by today’s
dominant switch vendors. By offering a smaller footprint in the wiring closet, combined with
lower power and cooling requirements, the Juniper switches represent the efficient and “green”
solutions users are looking for to power their networks of the future. In addition to a full suite
of secure services, Juniper products provide the end-to-end QoS required for sensitive and
bandwidth-hungry applications such as VoIP.
The JUNOS software, a single, consistent operating system, is used across all Juniper switch,
router and firewall products, making the network infrastructure exceedingly easy to deploy,
configure and upgrade, saving considerable time and operating resources that can be reallocated
to further improve business operations and maximize customer satisfaction.
Branch office infrastructure solutions from Juniper Networks advance the economics of
networking, allowing businesses to “change the rules” with their IT investments and create
a truly innovative and competitive environment that helps them increase revenue and raise
productivity today and into the future.

About Juniper Networks


Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a
high-performance network infrastructure that creates a responsive and trusted environment
for accelerating the deployment of services and applications over a single network. This fuels
high-performance businesses. Additional information can be found at www.juniper.net.

CORPORATE HEADQUARTERS AND SALES HEADQUARTERS FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000; Fax: 408.745.2100
www.juniper.net

EUROPE, MIDDLE EAST, AFRICA REGIONAL SALES HEADQUARTERS
Juniper Networks (UK) Limited, Building 1, Aviator Park, Station Road, Addlestone, Surrey, KT15 2PG, U.K.
Phone: 44.(0).1372.385500; Fax: 44.(0).1372.385501

EAST COAST OFFICE
Juniper Networks, Inc., 10 Technology Park Drive, Westford, MA 01886-3146 USA
Phone: 978.589.5800; Fax: 978.589.0800

ASIA PACIFIC REGIONAL SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd., 26/F, Cityplaza One, 1111 King’s Road, Taikoo Shing, Hong Kong
Phone: 852.2332.3636; Fax: 852.2574.7803

Copyright 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

To purchase Juniper Networks solutions, please contact your Juniper Networks sales representative at 1-866-298-6428 or authorized reseller.
