Data Center LAN Migration Guide - Juniper Networks

The most common case will be the use of VPLS to provide “stretched” VLANs between areas of a large data center network, or between multiple distant data centers using VPLS (over MPLS) to create a transparent extension of the LAN to support nonstop application services (transparent failovers), transaction mirroring, database backups, and dynamic management of virtual server workloads across multiple data center sites.

In these cases, the core nodes will include VPLS instances matching the L2 topology and VLAN configurations required by the applications, as well as the appropriate implementation of MPLS between the core nodes and the rest of the organization’s routed IP/MPLS network. This design will include ensuring high availability and resilient access of the L2 access tier into the “elastic” L2 infrastructure enabled by VPLS in the core, and using the appropriate traffic engineering and HA features of MPLS to enable the proper QoS and degree of availability for the traffic being supported in the transparent VLAN network. Details on these design points are included in the section of the Migration Guide on incorporating multiple sites into the data center network design using MPLS, in the Six Process Steps for Ensuring MPLS Migration section.

Best Practices: Upgraded Security Services in the Core

Frequently a data center consolidation requires consolidating previously separate and siloed security appliances into a more efficient security tier integrated into the L2 and L3 infrastructures at the core network layer. Here we describe design considerations for accomplishing that integration of security services in the core.

• All security appliances should be consolidated and virtualized into a single pool of security services with a platform such as the SRX Series Services Gateways.
• To connect to and protect all core data center network domains, the virtual appliance tier should optimally participate in the interior gateway routing protocols within the data center network.
• Security zones should be defined to apply granular and logically precise protection for network partitions and virtualized resources within the network wherever they reside, above and beyond the granularity of traditional perimeter defenses.
• The security tier should support the performance required by the data center’s applications and be able to inspect information up to L7 at line rate. A powerful application decoder is necessary on top of the forwarding, firewall filtering, and IDP signature detection also applied to the designated traffic streams. Including this range of logic modularly in a high-performance security architecture for the core helps reduce the number of devices in the network and increase overall efficiency.
• Scalable, strong access controls for remote access devices and universal access control should be employed to ensure that only those with an organizational need can access resources at the appropriate level. Integration of secure access with unified policies and automation using coordinated threat control not only improves security strength but also increases efficiency and productivity of applications within the data center.
• Finally, incorporation of virtual appliances such as virtual firewalls and endpoint verification servers into the data center’s security design in a way that integrates protection for the virtual servers, desktops, and related network transports provides an extension of the common security fabric into all of the resources the IT team needs to protect.
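
As an added illustration of the routing-participation and security-zone points in the list above (this is not configuration from the guide), the following Junos set-command fragment for an SRX Series gateway places two network partitions in separate zones, lets the gateway form OSPF adjacencies in each, and permits only one named flow between them. All zone names, interfaces, prefixes, the application definition, and the policy names are constructed placeholders.

```junos
# Constructed example: every name, interface and prefix below is a placeholder.

# One zone per network partition, each bound to its own logical interface.
set security zones security-zone web-tier interfaces reth1.100
set security zones security-zone db-tier interfaces reth1.200

# Allow only OSPF to reach the gateway itself in each zone, so the
# security tier can participate in the data center IGP. Other
# host-inbound services stay closed unless listed explicitly.
set security zones security-zone web-tier host-inbound-traffic protocols ospf
set security zones security-zone db-tier host-inbound-traffic protocols ospf
set protocols ospf area 0.0.0.0 interface reth1.100
set protocols ospf area 0.0.0.0 interface reth1.200

# Address objects and the single application allowed between the tiers.
set security address-book global address web-servers 10.10.100.0/24
set security address-book global address db-servers 10.10.200.0/24
set applications application db-sql protocol tcp destination-port 3306

# Web tier may reach the database tier on the database port only; log it.
set security policies from-zone web-tier to-zone db-tier policy web-to-db match source-address web-servers
set security policies from-zone web-tier to-zone db-tier policy web-to-db match destination-address db-servers
set security policies from-zone web-tier to-zone db-tier policy web-to-db match application db-sql
set security policies from-zone web-tier to-zone db-tier policy web-to-db then permit
set security policies from-zone web-tier to-zone db-tier policy web-to-db then log session-close

# Explicit, logged deny for anything else between the two tiers.
set security policies from-zone web-tier to-zone db-tier policy web-deny-rest match source-address any
set security policies from-zone web-tier to-zone db-tier policy web-deny-rest match destination-address any
set security policies from-zone web-tier to-zone db-tier policy web-deny-rest match application any
set security policies from-zone web-tier to-zone db-tier policy web-deny-rest then deny
set security policies from-zone web-tier to-zone db-tier policy web-deny-rest then log session-init

# Database tier may not initiate sessions toward the web tier.
set security policies from-zone db-tier to-zone web-tier policy db-deny-all match source-address any
set security policies from-zone db-tier to-zone web-tier policy db-deny-all match destination-address any
set security policies from-zone db-tier to-zone web-tier policy db-deny-all match application any
set security policies from-zone db-tier to-zone web-tier policy db-deny-all then deny
set security policies from-zone db-tier to-zone web-tier policy db-deny-all then log session-init
```

The explicit deny policies make inter-zone drops visible in the session logs instead of relying on the implicit default-deny, which is useful when validating the zone design during migration.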

Aggregation/Core Insertion Point Installation Tasks

Preinstallation Tasks

The tasks described in this section pertain to a consolidation within an existing data center that has the required space and power to support consolidation. Alternatively, a consolidation may take place in a new facility, sometimes referred to as a “greenfield” installation. That scenario would follow the best practices outlined in Juniper’s Cloud-Ready Data Center Reference Architecture: www.juniper.net/us/en/solutions/enterprise/data-center/simplify/#literature.

The steps outlined here also apply to a case in which the organization wants to stay with its existing three-tier design, at least for the initial steps in the process. In such a case, deployment and provisioning should be done leaving flexibility to move to a two-tier design at some future date.

Copyright © 2012, Juniper Networks, Inc.