Table of Contents
Executive Summary (p. 3)
Introduction (p. 3)
Juniper's Six-Step Approach to Architecting the Network (p. 3)
Analyze Application Workflow (p. 4)
Simplify and Centralize the Network (p. 4)
Improve Data Synchronization (p. 6)
Monitor Network Performance (p. 6)
Enhance Network Resiliency (p. 7)
Enable User Redirection (p. 8)
Conclusion (p. 9)
About Juniper Networks (p. 10)
List of Figures
Figure 1: Disaster recovery heat map (p. 4)
Figure 2: Centralized security policy (p. 5)
Figure 3: Local compute cluster and geo cluster (p. 7)
Figure 4: Using MAG Series Junos Pulse Gateways to redirect users securely (p. 8)
Executive Summary
If your IT organization has been thinking about the need to update its Business Continuity and Disaster Recovery (BCDR) plan, you are not alone. According to recent research by 451 Research¹, disaster recovery planning is top of mind for enterprises, and data replication ranks as a top-two storage initiative for IT organizations. It is no wonder that BCDR planning is receiving more attention. The proof is in the outages and financial losses that have resulted from recent disasters, from floods, tornadoes, hurricanes, and snowstorms to Japan's tsunami. Statistics provide a warning: seventy-five percent of businesses that do not have continuity plans fail within three years of a disaster, and 43% of that 75% never reopen.² In addition, government regulations have significantly increased disaster recovery and compliance requirements. These situations have raised awareness of the need to maintain productivity within a company, sustain value chain relationships, and deliver continued services to customers and partners, all of which can be difficult when forced to migrate applications and user connections to a new data center location in real time. The goal of a BCDR plan is often focused on how to continuously access applications and protect data. Data replication and active/active data center planning are often at the heart of BCDR planning. However, a constructive BCDR plan should also consider user connectivity, network availability, and security; a worthwhile plan must extend further than data replication and active/active data centers. This paper explores the key components and building blocks of a comprehensive and robust BCDR solution: how to protect application resources, how to ensure secure user access, how to protect data, and how to keep applications accessible 24/7.
In addition, it is important to understand how to maintain the availability of applications, how to ensure that users reach those applications, and how to simplify and tune the network to ensure application performance.
Introduction
Today, most organizations realize that they must pay attention to BCDR. However, organizations find themselves facing a number of BCDR challenges, ranging from infrastructure sprawl resulting from poor service-level agreement (SLA) definition to infrastructure built without clearly identified application requirements. Many customers have deployed infrastructure in an ad hoc manner without consistent management or security policies. The result of these practices has been the creation of multiple failure points, difficulty managing and provisioning the network, and poor utilization of links, many of which are frequently idle. In addition, many organizations have a distributed authentication, authorization, and enforcement infrastructure, leading to complex firewall policies that prevent user-specific enforcement, and deployments based on local data center IT policies rather than on global policies. These inconsistent policies for users and application access result in security gaps. Since some organizations do not have automated backup systems, they are forced to rely on manual backup and configuration synchronization. This results in inconsistent states that affect the user experience, because policies are out of sync due to the time delay in restoring them. Legacy applications are also often affected, because their hard-coded IP addresses mean they cannot always be replicated and brought up in new locations. Finally, data flows from different locations can vary greatly, causing congestion during link failure, and traffic may not be prioritized by application relevance, so that lower-priority applications degrade the performance of critical applications.
1. 451 Research.
2. Bruce T. Blythe, A Manager's Guide to Catastrophic Incidents in the Workplace, August 2002.
[Figure 1 (disaster recovery heat map) residue: columns Application Name, Customer Experience, Revenue Impact, Restrictions; example rows AD/LDAP, Legacy Application (hardcoded IP addresses), VoIP.]
Customers can then begin consolidating security onto shared firewall solutions, such as Juniper Networks SRX Series Services Gateways, attached to the data center edge router. This connection provides the flexibility to use virtual contexts on the firewall to handle multiple security policies and traffic types on the same equipment. Figure 2 depicts a centralized security policy whose enforcement is distributed to provide consistency across data centers. As a result, network administrators can move the network connections behind existing standalone firewalls to the new, shared firewall and eliminate the tiers of firewall appliances.
[Figure 2: Centralized security policy. Diagram labels: Authentication, Authorization, AAA, Firewall Policies.]
The next step is to eliminate unnecessary router tiers and consolidate routing onto the high-performance Juniper Networks MX Series 3D Universal Edge Routers. This design is then fully normalized across all infrastructure pods, connecting them to the core router. The final step is to connect the data centers and separate traffic and security by application. IT organizations can satisfy the traffic requirements and save costs by deploying fewer links, using MPLS virtualization technology over shared links. MPLS running on Juniper routers has been proven in the most demanding service provider networks and is available from most major service providers. To decouple from data center-specific IT policies and to ensure consistency, IT should migrate to a centralized policy administration system such as the Juniper Networks MAG Series Junos Pulse Gateways. Using distributed enforcement points is suitable for distributing load and improving the resiliency of the authentication and authorization system. The keys to this approach are centralizing policy enforcement, eliminating site-specific IT policies, and deploying simplified firewall policies that are centrally managed, thereby enabling dynamic, consistent policy enforcement. The key benefits of the simplification process are:
- Reduction in the number of devices, which reduces the number of potential points of failure
- Simplification, which reduces the number of provisioned devices while ensuring that centralized control and consistent policies are administered across data centers
- Improved security through centralized and virtualized security, which enables easy and consistent policy administration
The benefits of network monitoring solutions are:
- Juniper's router-integrated solution eliminates single-purpose devices, thereby reducing CapEx and OpEx.
- Juniper provides a wide variety of third-party tools that can be integrated using the Junos SDK.
- Proactive monitoring helps prioritize business-critical applications.
- Performance monitoring provides visibility that allows administrators to estimate network usage and proactively provision for network growth.
[Figure 3: Local compute cluster and geo cluster. Diagram labels: Compute Cluster, Disk 2, Private Network.]
Cluster networking requires network reliability and resiliency to ensure that heartbeat signals, data synchronization, and communication are reliably delivered within the cluster. In addition, cluster networking requires deterministic latency, where the upper bound on latency is known and fixed, so that delays in heartbeat communication are not perceived as a failure. Real-time state replication likewise requires deterministic latency to ensure state synchronization. Administrators should consider several points when building comprehensive resiliency from server to WAN. Administrators must configure the switches for rapid link recovery if a device fails; Juniper's Virtual Chassis configuration (where several physical devices are combined into one logical switch) achieves this result. Access layer links connect to the core over several 10GbE connections through mesh connectivity enabled by link aggregation group (LAG) technology. The MX Series routers in the core and WAN have multichassis link aggregation group (MC-LAG) enabled for resiliency. The SRX Series firewall has cluster mode enabled for improved resiliency. The MPLS cloud has link-level resiliency through the MPLS fast reroute capability. In this configuration, WAN links are fully redundant and connectivity is ensured.
To enable resiliency in the WAN that provides the data center interconnect, Juniper recommends deploying a topology with traffic-engineered paths and QoS guarantees. Fast reroute protects the critical paths, which enables 50 ms recovery time, comparable to the highest standards set by the telecommunications industry's SONET deployments. Juniper's MPLS-enabled routers achieve this level of performance. In addition, the MPLS cloud provides privacy between different application traffic through logical separation. This allows network traffic segmentation and isolation, especially when different organizations or applications share the links. The benefits of enhancing network resiliency are:
- This comprehensive resiliency model minimizes the data loss that would result from internal and external data center failures.
- Traffic between data centers is routed optimally through the least congested paths to ensure minimal delay.
- Any link failures result in rapid convergence using MPLS; as a result, application access is impacted minimally.
[Figure 4: Using MAG Series Junos Pulse Gateways to redirect users securely. Chart labels: Normal Demand, Emergency Demand, Unplanned Event, Time.]
One of the biggest challenges for organizations is the host of legacy applications that use hard-coded IP addresses to communicate between their components. These applications are configured so that they cannot use Domain Name System (DNS) services. To solve this issue, Juniper has developed a solution using BGP Anycast addressing and Route Health Injection (RHI), enabled by an integrated application delivery controller (ADC). In this solution, both the primary and backup data centers, after evaluating L4 to L7 application health, can advertise the virtual IP instances on the ADC that front the legacy applications. The gateway advertises the host address or virtual IP (VIP) address based on whether the endpoint is healthy. Traffic is then directed to the nearest data center based on the BGP routing metric it advertises. If a failure occurs, the data center that experienced the failure stops advertising the routes of the failed servers, and as a result traffic is redirected to the alternate data center. The Anycast address enables a client endpoint to connect to the nearest router; this lets clients establish persistence with a given router and reach the destination without a DNS lookup. A further challenge to application access is that, in the event of failure and redirection, a significant number of users are directed to the recovery site. What if that number of remote access users suddenly increased 5 or 10 times during a disaster? Then consider that local users also require access to the data center authentication infrastructure, and a considerable spike in utilization follows immediately. To enable the needed scalability, Juniper's secure access solution, In Case of Emergency (ICE) licensing, provides the capability to continuously deliver authentication services in the event of a user rollover during a disaster.
ICE uses Juniper's proven SSL VPN technology to provide remote access capacity for sudden peak loads in connection requests from remote employees, partners, and customers. To connect mobile users, the IT organization requires a solution that not only enables secure connectivity but also enables collaboration with employees and partners. Such a solution should not rely on a dedicated meeting server based in the data center. The Juniper Networks Junos Pulse collaboration tool can combine secure access and collaboration in a single platform. Junos Pulse also integrates with Microsoft Outlook for improved convenience in sharing applications. The technological benefits of redirecting users are:
- Anycast and RHI ensure that legacy software can be moved.
- Router-integrated solutions deliver faster route convergence and lower total cost of ownership (TCO).
- Remote users and partners can connect securely with minimal delays even during peak loads (ICE solution).
- The Junos Pulse platform enables mobile connectivity to the data center, enabling collaboration even when primary meeting resources are not available.
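The BGP Anycast and RHI failover described above, as an added illustration that is not Juniper's code: two data centers share one anycast VIP, each ADC injects the VIP route only while its L4-L7 health check passes, and the client's router follows the lowest advertised metric. The VIP, data center names, metrics and backend names are constructed for the example.

```python
"""Model of BGP Anycast with Route Health Injection (RHI) across two data centers.

Added example, not Juniper's code. Assumption: each data center's ADC health-checks
its backends at L4-L7 and, while at least one backend is healthy, injects a route for
the shared anycast VIP with a metric (lower = preferred, standing in for the BGP path
attributes a real router would compare). The route table keeps the best advertised
path; when a data center withdraws its route, clients move to the other data center
with no DNS change, which is what lets hard-coded-IP legacy applications fail over.
"""
from dataclasses import dataclass, field

ANYCAST_VIP = "203.0.113.10"  # constructed value from the RFC 5737 documentation range


@dataclass
class DataCenter:
    name: str
    metric: int                                    # lower is nearer / preferred
    backends: dict = field(default_factory=dict)   # server name -> passed health check?

    def app_healthy(self) -> bool:
        """L4-L7 check outcome: inject the route only if some backend still answers."""
        return any(self.backends.values())


@dataclass
class RouteTable:
    routes: dict = field(default_factory=dict)     # (vip, dc name) -> metric

    def rhi_cycle(self, dcs) -> None:
        """One RHI pass: advertise the VIP from healthy DCs, withdraw it from unhealthy ones."""
        for dc in dcs:
            key = (ANYCAST_VIP, dc.name)
            if dc.app_healthy():
                self.routes[key] = dc.metric
            else:
                self.routes.pop(key, None)         # withdrawal triggers reconvergence

    def resolve(self, vip: str):
        """Best-path selection: the DC with the lowest metric still advertising vip."""
        candidates = [(m, dc) for (v, dc), m in self.routes.items() if v == vip]
        if not candidates:
            return None                            # no healthy DC left: VIP unreachable
        return min(candidates)[1]


def failover_demo():
    """Primary DC-A serves the VIP until all its backends fail; traffic then lands on DC-B."""
    primary = DataCenter("DC-A", metric=10, backends={"app1": True, "app2": True})
    backup = DataCenter("DC-B", metric=20, backends={"app1": True})
    table = RouteTable()
    table.rhi_cycle([primary, backup])
    before = table.resolve(ANYCAST_VIP)            # DC-A: nearer metric wins
    for server in primary.backends:                # disaster: every DC-A backend fails the check
        primary.backends[server] = False
    table.rhi_cycle([primary, backup])
    after = table.resolve(ANYCAST_VIP)             # DC-B: DC-A withdrew, only DC-B advertises
    return before, after
```

A single failed backend does not withdraw the route; only when every backend behind the VIP fails its check does the data center stop advertising.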
Conclusion
Juniper Networks can summarize its recipe for a successful Business Continuity and Disaster Recovery solution in three words: simplicity, security, and agility. Simplicity means eliminating redundant architecture, improving utilization, and consolidating services onto fewer links. Organizations can conveniently centralize control and benefit from consistent policy administration as well as fewer points of failure. Security ensures that all layers of the network are protected. Security must extend from the traditional security perimeters to the extended boundary of the network. Using a combination of device virtualization and end-to-end security, from the mobile device to the hypervisor, Juniper uniquely enables a more secure network. The result of effectively combining simplicity and security is improved agility, which means change without disruption. Juniper uniquely enables an infrastructure that supports change with control.
Copyright 2012 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
2000496-001-EN
Oct 2012