Data Center LAN Migration Guide - Juniper Networks

More documents

Recommendations

Info

Data Center LAN Migration Guide Best Practices: Designing the Upgraded Aggregation/Core Layer The insertion point for an enterprise seeking to initially retain its existing three-tier design may be at the current design’s aggregation layer. In this case, the recommended Juniper aggregation switch, typically an EX8200 line or MX Series platform, should be provisioned in anticipation of it eventually becoming the collapsed core/aggregation layer switch. If the upgrade is focused on the aggregation layer in a three-tier design (to approach transformation of the data center network architecture in an incremental way, as just described), the most typical scenario is for the aggregation switches to be installed as part of the L2 topology of the data center network, extending the size of the L2 domains within the data center and interfacing them to the organization’s L3 routed infrastructure that typically begins at the core tier, one tier “up“in the design from the aggregation tier. In this case, the key design considerations for the upgraded aggregation tier include: • Ensuring sufficient link capacity for the necessary uplinks from the access tier, resiliency between nodes in the aggregation tier, and any required uplinks between the aggregation and core tiers in the network • Supporting the appropriate VLAN, LAG, and STP configurations within the L2 domains • Incorporating the correct configurations for access to the L3 routed infrastructure at the core tier, especially for knowledge of the default gateway in a VRRP (Virtual Router Redundancy Protocol) environment • Ensuring continuity in QoS and policy filter configurations appropriate to the applications and user groups supported At a later point of evolution (or perhaps at the initial installation, depending on your requirements), it may be that these nodes perform an integrated core and aggregation function in a two-tier network design. This would be the case if it suited the organization’s economic and operational needs, and could be accomplished in a well managed insertion/upgrade. In such a case, the new “consolidated core” of the network would most typically perform both L2 and L3 functions. The L2 portions would, at a minimum, include the functions described above. They could also extend or “stretch” the L2 domains in certain cases to accommodate functions like application mirroring or live migration of workloads in a virtual server operation between parts of the installation in other areas of the data center or even in other data centers. We describe design considerations for this later in this guide. In addition to L2 functions, this consolidated core will provide L3 routing capabilities in most cases. As a baseline, the L3 routing capabilities to be included are: • Delivering a resilient interface of the routed infrastructure to the L2 access portion of the data center network. This is likely to include VRRP default gateway capabilities. It is also likely to include one form or another of an integrated routing/bridging interface in the nodes such as routed VLAN interfaces (RVIs), or integrated routing and bridging interfaces (IRBs), to provide transition points between the L2 and L3 forwarding domains within the nodes. • Resilient, HA interfaces to adjacent routing nodes, typically at the edge of the data center network. Such high availability functions can include nonstop active routing (NSR), GRES, Bidirectional Forwarding Detection (BFD), and even MPLS fast reroute depending on the functionality and configuration of the routing services in the site. For definitions of these terms, please refer to the section on Node-Link Resiliency. MPLS fast reroute is a local restoration network resiliency mechanism where each path in MPLS is protected by a backup path which originates at the node immediately upstream. • Incorporation of the appropriate policy filters at the core tier for enforcement of QoS, routing area optimization, and security objectives for the organization. On the QoS level, this may involve the use of matching Differentiated Services code points (DSCPs) and MPLS traffic engineering designs with the rest of the routed infrastructure to which the core is adjacent at the edge, as well as matching priorities with the 802.1p settings being used in the L2 infrastructure in the access tier. On the security side, it may include stateless filters that forward selected traffic to security devices such as firewall/IDP platforms at the core of the data center to enforce appropriate protections for the applications and user groups supported by the data center (see the next section of the core tier best practices for a complementary discussion of the firewall/IDP part of the design). In some cases, the core design may include use of VPN technology—most likely VPLS and MPLS—to provide differentiated handling of traffic belonging to different applications and user communities, as well as to provide special networking functions between various data center areas, and between data centers and other parts of the organization’s network. 40 Copyright © 2012, Juniper Networks, Inc.
Data Center LAN Migration Guide The most common case will be use of VPLS to provide “stretched” VLANs between areas of a large data center network, or between multiple distant data centers using VPLS (over MPLS) to create a transparent extension of the LAN to support nonstop application services (transparent failovers), transaction mirroring, data base backups, and dynamic management of virtual server workloads across multiple data center sites. In these cases, the core nodes will include VPLS instances matching the L2 topology and VLAN configurations required by the applications, as well as the appropriate implementation of MPLS between the core nodes and the rest of the organization’s routed IP/MPLS network. This design will include ensuring high availability and resilient access of the L2 access tier into the “elastic” L2 infrastructure enabled by VPLS in the core; use of appropriate traffic engineering, and HA features of MPLS to enable the proper QoS and degree of availability for the traffic being supported in the transparent VLAN network. Details on these design points are included in the section of the Migration Guide on incorporating multiple sites into the data center network design using MPLS in the Six Process Steps for Ensuring MPLS Migration section. Best Practices: Upgraded Security Services in the Core Frequently a data center consolidation requires consolidating previously separate and siloed security appliances into a more efficient security tier integrated into the L2 and L3 infrastructures at the core network layer. Here we describe design considerations for accomplishing that integration of security services in the core. • All security appliances should be consolidated and virtualized into a single pool of security services with a platform such as the SRX Series Services Gateways. • To connect to and protect all core data center network domains, the virtual appliance tier should optimally participate in the interior gateway routing protocols within the data center network. • Security zones should be defined to apply granular and logically precise protection for network partitions and virtualized resources within the network wherever they reside, above and beyond the granularity of traditional perimeter defenses. • The security tier should support the performance required by the data center’s applications and be able to inspect information up to L7 at line rate. A powerful application decoder is necessary on top of the forwarding, firewall filtering, and IDP signature detection also applied to the designated traffic streams. Including this range of logic modularly in a high-performance security architecture for the core helps reduce the number of devices in the network and increase overall efficiency. • Scalable, strong access controls for remote access devices and universal access control should be employed to ensure that only those with an organizational need can access resources at the appropriate level. Integration of secure access with unified policies and automation using coordinated threat control not only improves security strength but also increases efficiency and productivity of applications within the data center. • Finally, incorporation of virtual appliances such as virtual firewalls and endpoint verification servers into the data center’s security design in a way that integrates protection for the virtual servers, desktops, and related network transports provides an extension of the common security fabric into all of the resources the IT team needs to protect. Aggregation/Core Insertion Point Installation Tasks Preinstallation Tasks The tasks described in this section pertain to a consolidation within an existing data center that has the required space and power to support consolidation. Alternatively, a consolidation may take place in a new facility, sometimes referred to as a “greenfield” installation. That scenario would follow the best practices outlined in Juniper’s Cloud-Ready Data Center Reference Architecture: www.juniper.net/us/en/solutions/enterprise/data-center/simplify/#literature. The steps outlined here also apply to a case in which the organization wants to stay with its existing three-tier design, at least for the initial steps in the process. In such a case, deployment and provisioning should be done leaving flexibility to move to a two-tier design at some future date. Copyright © 2012, Juniper Networks, Inc. 41
Page 1 and 2: DATA CENTER LAN MIGRATION GUIDE
Page 3 and 4: Data Center LAN Migration Guide Cha
Page 5 and 6: Copyright © 2010, Juniper Networks
Page 7 and 8: 3-TIER LEGACY NETWORK Ethernet Figu
Page 9 and 10: Why Migrate? Data Center LAN Migrat
Page 11 and 12: The Case for a High Performing, Sim
Page 13 and 14: Why Juniper? Data Center LAN Migrat
Page 17 and 18: Junos Pulse SRX5000 Line SRX3000 Li
Page 19 and 20: Data Center LAN Migration Guide A k
Page 21 and 22: Data Center LAN Migration Guide For
Page 23 and 24: MPLS/VPLS for Data Center Interconn
Page 25 and 26: Junos Space applications include: D
Page 29 and 30: Data Center LAN Migration Guide Add
Page 31 and 32: TRIGGER EVENT NETWORK INSERTION LAy
Page 33 and 34: Data Center LAN Migration Guide •
Page 35 and 36: For more detailed information on NI
Page 37 and 38: PoC lab could include: - Interface
Page 39: Data Center LAN Migration Guide Sig
Page 43 and 44: Installation Tasks Refer to Figure
Page 45 and 46: Data Center LAN Migration Guide In
Page 47 and 48: Data Center LAN Migration Guide •
Page 49 and 50: Data Center LAN Migration Guide At
Page 51 and 52: Data Center LAN Migration Guide Ste
Page 53 and 54: Juniper Professional Services Data
Page 57 and 58: Hardware Data Center LAN Migration
Page 59 and 60: OSI Layer 3: Network Troubleshootin
Page 61 and 62: The commands presented in this sect
Page 65 and 66: Data Center LAN Migration Guide 3.
Page 67 and 68: Data Center LAN Migration Guide Cop

Data Center LAN Migration Guide - Juniper Networks

Create successful ePaper yourself

Delete template?

Save as template?