7400047 en = starters orders - sd-wan roadmap

STARTERS ORDERS: SD-WAN ROADMAP

Upload: netmanias-ko

Post on 21-Jan-2018


Enterprises and small businesses alike are experiencing increased market pressures to execute at lightning speed, driving the mandate to innovate and adapt regularly. Making the right technology choices will play a significant role in dictating business outcomes. These drivers are causing businesses of all sizes to reflect on choices with their processes, solutions, and suppliers.

The Current Enterprise WAN Challenges

The WAN has undergone several technology iterations and MPLS IP VPN has for a long time been the de facto standard.

However, the accepted norm for wide area networking now faces a disruptive challenge from Software-Defined WAN (SD-WAN). Two common trends illustrate the challenge and opportunity ahead for WAN consumers.

Trend #1 – The cloud explosion is here to stay

A 2016 IDC Worldwide SD-WAN Survey states that nearly half of enterprise applications are now accessed using the Internet. These range from human resource applications, collaboration services, sales tools, and marketing cloud services. Access to these cloud services is coming from headquarters, but also an ever-growing number of branch office locations. For an IT manager, non-optimized traffic translates into poor business results and user experiences.

Why is this? Figure 1 demonstrates the current routing of traffic between a branch office that is retrieving services from multiple cloud providers. This scenario shows the inefficiencies experienced when access comes from a branch office user.

Figure 1. Traffic flow without SD-WAN

[Diagram labels: Without Local Breakout; MPLS; Internet; HQ; Branch; Non-optimized backhauled traffic]

THE IMPACTS:

HIGHER costs: All traffic regardless of destination uses the MPLS bandwidth, which comes at a higher cost per bit. This path utilization can triple the bandwidth usage:

• Exit point from the branch (MPLS)

• Entry point into headquarters (MPLS)

• Exit point from headquarters (Internet)

LOWER performance: Considering latency-sensitive traffic such as video, this traffic pattern increases end-to-end delay. If the branch is located in San Francisco, headquarters in New York City, and the cloud service in Seattle, the end-to-end traffic would require traversing across the continental United States twice.

LONGER time to revenue: If this is a new branch site, a new MPLS circuit will be required which may take 30-45 days, reducing the business efficiency of this new location.

Taking advantage of SD-WAN services, delivered through a software-centric delivery model and enabled with business policies for optimized routing, can address these issues. IDC states that about 70% of branch offices already have 2 to 3 WAN connections, some being an Internet connection, and most branch offices are equipped to take advantage of SD-WAN now. Figure 2 illustrates a new traffic flow.

In this case, the enterprise benefits from business policies that may direct traffic to the cloud provider across a secure Internet-based route. The results are LOWER costs by using Internet bandwidth, BETTER performance by having a more direct route to the destination, and FASTER activation of new branch locations in minutes managed more simply through self-care portals.

Figure 2. Traffic flow with SD-WAN

[Diagram labels: With Local Breakout; MPLS; Internet; HQ; Branch; Optimized local break-out traffic]

Trend #2 – Traffic explosion results in bandwidth connection

Analyzing the traffic patterns of an enterprise shows that bandwidth needs are continually growing with no end in sight. This is being driven by the shift of workflows to the cloud (e.g., backups, services, etc.), the use of video for multiple purposes (e.g., collaboration, education, etc.), and the growing distribution of the workforce. These trends drive the need for better traffic visibility enforced with business policies to meet service-level agreements (SLAs). Figure 3 illustrates how various traffic types compete for bandwidth even when enabled with quality of service (QoS) on an MPLS connection; at some point only more bandwidth is the solution. And the decision about type of bandwidth and path selection based on business policies is a critical one.

Figure 3. Path contentions

[Diagram labels: Internet; MPLS; High priority video; Low priority update (encrypted)]

THE IMPACTS:

CONGESTION: All traffic encounters the congested pipe. QoS helps an oversubscribed link, but at some point, the traffic will be delayed to the degree that certain applications are unusable.

LATENCY: Latency reflects how much time it takes for a data packet to get from one designated point to another. It identifies real-time applications where congestion will impact the user experience. For example, longer durations in the egress queue force packets for applications like video conferencing to exceed the allocated latency budget resulting in a poor call experience.

BANDWIDTH COST: Throwing more bandwidth at the MPLS path results in a higher cost structure. The business policy may dictate that not all traffic requires an MPLS connection as long as the path is still secure.

Building upon trend #1, a hybrid WAN model offers analytics-driven, dynamic path selection based on policy using application performance for steering, as shown in Figure 4. This may offer the right cost model and agility to best serve the customer. During peak hours of business, a customer finds that the oversubscribed MPLS path has caused business disruption based on analytics. With business policies applied to the hybrid WAN, high-priority traffic can be directed to the MPLS path treated with QoS policies, while the low priority traffic will be securely transported across a more cost-efficient Internet path. An added advantage with this scenario is office integration of an acquisition with company headquarters, which could be achieved with tremendous efficiency and speed.

The enterprise achieves the best experience by leveraging an integrated SD-WAN/MPLS solution to get the best business results. After addressing these basic factors with SD-WAN in a hybrid WAN scenario, other criteria begin to surface.

Figure 4. Optimal path selections

[Diagram labels: Internet; MPLS; High priority video; Low priority update (encrypted)]

THE IDC SD-WAN SURVEY IDENTIFIES ADDITIONAL CONSIDERATIONS CRITICAL IN THE SELECTION OF SD-WAN:

High Connectivity Charges and CPE Charges: When deploying a customer premises equipment (CPE) solution for a managed service, the importance of leveraging an extensible platform for SD-WAN and other managed services makes the most economical sense, as opposed to stacking multiple nonintegrated purpose-built devices or over-the-top (OTT) services. This approach will decrease complexity and improve cost efficiencies.

Migration from Old Provider to New Provider: Nondisruptive installation is key to reducing any downtime a customer may experience, and it is best achieved through a platform that has the agility to extend beyond a specific service. A platform must integrate with third-party and legacy services.

Lead Time for Service Delivery: A software delivery platform empowered with self-care portals can rapidly deliver SD-WAN and other managed services built upon automation.

Supporting Remote Locations: Scaling to support a global deployment where branch offices are geographically dispersed requires reach and scale. The optionality of a scalable platform can support distributed or centralized models to best meet the needs of new territories and market segments. With scale-out deployments, centralization of some functions such as IPsec termination is the most operationally efficient model.

Security, Reliability, and Backup: These factors are top concerns, and they exemplify carrier-class requirements that are proven within managed services delivered by service providers.

The conclusion

SD-WAN decisions cannot be made in isolation. When each service is delivered in a silo, the rate of complexity increases when trying to harmonize the business solution a customer is looking to achieve.

A platform that can deliver the services of today, and is built for the services of tomorrow, provides the best business promise. The right technology choice translates into business agility at the right cost points to deliver desired outcomes.

The Juniper Approach for Service Providers

Requirements of the enterprise are dynamic, and the challenges placed on service providers to deliver against these demands may be even more demanding.

Whatever the platform, it must excel at the user experience and SD-WAN delivery, but the overall solution must also be integrated with other workflows required by the enterprise. A common question surfaces around the crowded space of pure-play SD-WAN solutions already in the market: what approach will ensure success? Keeping a few key principles in focus is paramount to map out success — namely, addressing the challenges as outlined in the customer section combined with the challenges for the service provider.

Our priority is to enable the service provider with a platform founded on open, agile, software-driven principles that can deliver an excellent SD-WAN experience, but also adapt and deliver meaningful solutions as the market continues to pivot. Using the Juniper approach, service providers are empowered with flexible options for various technical and Go To Market (GTM) approaches with SD-WAN. Delivering on these principles as outlined through the following options unlocks differentiation.

Option 1: Pure-Play SD-WAN Solution

Using a software-defined delivery platform, SD-WAN services are offered to best achieve the customer’s business requirements but also integrate into existing MPLS services and operational models. This approach can be taken to out-of-region markets to deliver OTT SD-WAN services, but it should possess the option for growth in the portfolio. Figure 5 illustrates the orchestration and augmentation with MPLS of the SD-WAN solution.

Figure 5. SD-WAN integration with MPLS

[Diagram labels: MPLS Telco Services; Telco Cloud Data Center; Internet “Dumb Underlay”; Cloud Services; SRX Series; NFX Series (NFX250); SD-WAN (vSRX) VNF; SD-WAN Augmenting MPLS; Customer Portal; HQ; Branch; MPLS; LTE; Internet; SD-WAN Orchestration]

Hybrid WAN service is “a must” to support the business policies for application routing and achieve the most effective use of network resources, while delivering the best application experience. An integrated solution with existing MPLS services offers the least disruption with current operations.

Best end user experience is supported by the ease of ordering and automated fulfillment using an on-demand, self-care portal. At installation, the customer experience is built for any nontechnical staff to just plug-and-play the equipment and configure it using zero touch provisioning (ZTP). With complete automation, delivering full operations at new offices is fast and simple.

The principles of Juniper’s SD-WAN solution are based on the following fundamental concepts:

Flexibility needs to be built-in for the customer to adjust policies to the deployment model that best serves the business. SD-WAN is mainly a distributed application at the customer premise, but there may be scenarios for centralizing in the telco cloud and add-on service chaining requirements to link with additional centralized services.

Security is at the heart of the solution across the entire experience—an integrated approach as opposed to a bolt-on. Data is encrypted end-to-end for anything traversing the Internet path. Ordering and fulfillment are secure, operations are secure, and the platform is secure.

Operational excellence is vital to deliver an integrated experience with existing practices and to provide detailed analytics that improve the experience as the network conditions or the application experience changes. Automation across the entire service life cycle will reduce TCO and accelerate time-to-revenue.

Performance and scale are staples of any service provider offering, and SD-WAN is no exception. Having the diversity of a platform to scale globally in the cloud, or with premise-based deployments, adds a unique value for the provider to enrich the application delivery into greater numbers of enterprise workflows with adaptable performance. Additionally, termination of the secure IPsec tunnel used with the SD-WAN path supports a centralized termination architecture, enabling tremendous scale-out performance compared to a full mesh IP VPN that is complex at global scale.

Option 2: SD-WAN with Integrated Routing and Security

IDC’s survey shows that 50% of a WAN service is followed or bundled with some value-added service such as security, WAN optimization, and other elements of managed services. A service provider offering the enterprise a hybrid WAN service, coupled with additional routing and security services, translates to more stickiness and business relevance. Using the same platform that delivered SD-WAN services in stage 1, Figure 6 illustrates how additional routing and security services can be service-chained for the enterprise using a flexible delivery model (centralized or distributed or both).

Figure 6. Integrated routing and security services

CONSIDERATIONS:

1 The analytics from the application tracking of the SD-WAN solution can be used to better serve the customer in other areas.

2 One thing is an absolute: network conditions change. Using the data, enhanced application experiences can be delivered by adapting to a condition. For example, if the application stats show the Internet is not achieving the SLAs due to a network condition, the hybrid WAN can shift traffic to a QoS-enabled MPLS path, if currently underutilized, and apply the appropriate QoS treatment.

3 Security must adapt and evolve. Using the same agile service delivery platform, the same SD-WAN customer can layer on the right security model — next-generation firewall, intrusion prevention system (IPS), intrusion detection service (IDS), content filter, or unified threat management (UTM). With the same architecture, these security services can be spun up on demand as the threats evolve. Policies can be updated in real time using GeoIP or custom feeds. Through the same pane of glass, customers and operators have visibility into their sites.

4 Integrated security delivers the most comprehensive security for the application and the business. Using an integrated platform gives you granular controls over security policies for the various applications at a specific location.
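
The steering behaviour described for the hybrid WAN (high-priority traffic on the QoS-treated MPLS path, low-priority traffic on the encrypted Internet path, and a shift to MPLS when the Internet path misses its SLA and MPLS is underutilized) can be modelled as follows. This is an added example, not Juniper code; the class and function names, the 70% utilization threshold, the SLA figures, and the fail-closed handling of a down IPsec tunnel are assumptions made for illustration.

```python
"""Policy-driven path selection for a hybrid WAN (illustrative model only)."""
from dataclasses import dataclass
from typing import Optional

# Assumed threshold: the page says "if currently underutilized" but gives no number.
MPLS_UNDERUTILIZED = 0.70


@dataclass(frozen=True)
class PathStats:
    name: str
    latency_ms: float
    loss_pct: float
    utilization: float       # fraction of link capacity in use, 0.0-1.0
    tunnel_up: bool = True   # IPsec tunnel state; only relevant to the Internet path


@dataclass(frozen=True)
class AppPolicy:
    app: str
    priority: str            # "high" or "low"
    max_latency_ms: float    # SLA latency budget
    max_loss_pct: float      # SLA loss budget


@dataclass(frozen=True)
class Decision:
    path: str
    qos_class: Optional[str]
    reason: str


def meets_sla(path: PathStats, policy: AppPolicy) -> bool:
    """True when the measured path statistics are inside the application's SLA."""
    return (path.latency_ms <= policy.max_latency_ms
            and path.loss_pct <= policy.max_loss_pct)


def select_path(policy: AppPolicy, mpls: PathStats, internet: PathStats) -> Decision:
    """Pick a path for one application from current telemetry."""
    if policy.priority == "high":
        return Decision(mpls.name, "priority", "high-priority traffic uses MPLS with QoS")
    # Fail closed: traffic is never sent over the Internet path without encryption.
    if not internet.tunnel_up:
        return Decision(mpls.name, "best-effort", "IPsec tunnel down; no cleartext breakout")
    if meets_sla(internet, policy):
        return Decision(internet.name, None, "encrypted Internet path meets SLA")
    if mpls.utilization < MPLS_UNDERUTILIZED:
        return Decision(mpls.name, "best-effort", "Internet misses SLA; MPLS underutilized")
    return Decision(internet.name, None, "Internet misses SLA but MPLS is congested")


def steer(policies, mpls: PathStats, internet: PathStats) -> dict:
    """Map each application name to the path chosen for it."""
    return {p.app: select_path(p, mpls, internet).path for p in policies}


# Constructed sample telemetry and policies (not measurements from the page).
MPLS_IDLE = PathStats("mpls", latency_ms=35, loss_pct=0.0, utilization=0.40)
MPLS_BUSY = PathStats("mpls", latency_ms=35, loss_pct=0.0, utilization=0.90)
NET_GOOD = PathStats("internet", latency_ms=60, loss_pct=0.2, utilization=0.30)
NET_BAD = PathStats("internet", latency_ms=400, loss_pct=3.0, utilization=0.30)
NET_NO_TUNNEL = PathStats("internet", latency_ms=60, loss_pct=0.2,
                          utilization=0.30, tunnel_up=False)
VIDEO = AppPolicy("video-conf", "high", max_latency_ms=150, max_loss_pct=1.0)
BACKUP = AppPolicy("backup", "low", max_latency_ms=200, max_loss_pct=2.0)

if __name__ == "__main__":
    for label, net in (("good", NET_GOOD), ("degraded", NET_BAD), ("no tunnel", NET_NO_TUNNEL)):
        print(label, steer([VIDEO, BACKUP], MPLS_IDLE, net))
```
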

[Figure 6 diagram labels: Service Orchestration (MANO): Contrail Service Orchestration; Infrastructure Orchestration (VIM & VNF Managers): Contrail Networking + OpenStack = Contrail Cloud; Branch; Internet; Telco Cloud; VNFs. SRX Series service groups: Foundation Services (Firewall, NAT, VPN, Routing, Management, Reporting, Analytics, Automation); Next Generation Firewall (AppSecure, IPS, Application Control & Visibility, User-based Firewall); Unified Threat Management (Anti-virus, Intrusion Prevention, Web/Content Filtering, Anti-spam); Threat Intelligence Platform (Spotlight Secure: Botnets/C&C, GEO-IP, Custom Feeds, APT); Advanced Threat Prevention (Sky ATP: Sandboxing, Evasive Malware, Rich Reporting & Analytics)]

Option 3: SD-WAN as an Application Within a Comprehensive Managed Services Catalog

SD-WAN is a relatively new service that has stormed the market. But to put SD-WAN into perspective in the grand scheme of things, it is just another managed service. Tomorrow, what other new service might appear or what additional service might the customer require? To capture the opportunity and stay relevant, a nonintegrated approach is not an option. Using an open and agile platform, the service provider has the ability to “de-risk” against future requirements.

Figure 7. Open Integrations

[Diagram labels: Sky ATP; OSS / BSS; Routing; vSRX; vMX; Security; vSRX; IP Table; Third Party PNF Management; PNF Plugins; Cisco 1000v; Thin Clients; WAN Optimization; TBA; Plugins for Other 3rd Party Plugins; Wireless]

Figure 7 highlights areas for integrations with virtualized network functions (VNFs), clients, and operations/business support systems (OSS/BSS) that appear as the market or the customer pivots. Need another security solution? Need another service (wireless, optimization, other)? Need a new client? No problem. A platform that is open and standards-based will serve as an enabler for technology evolutions, create operational alignment to manage the service’s life cycle, and most importantly allow service providers to achieve the best business outcomes for their customers.

Cloud CPE — Juniper’s Platform to Deliver SD-WAN and Managed Services

Cloud CPE is Juniper’s solution for an open, software-driven delivery platform of virtualized managed services, such as SD-WAN and security.

Cloud CPE incorporates the Juniper Networks® Contrail product suite, enabling scale through its modular management and orchestration software stack. It simplifies service creation and automates service delivery.

With Cloud CPE, service providers can host these functions in a centralized cloud, or they can distribute them on the Juniper Networks NFX250 Network Services Platform for a highly customized user experience at a lower cost.

The Juniper solution lays a foundation for upselling new revenue-generating applications.

The Cloud CPE’s open framework means you can avoid vendor lock-in and be assured of standards-based protocols and open data models, with third-party integration through APIs. This modular, extensible framework integrates easily with third-party VNFs for additional services and OSS/BSS for full business logic orchestration.

NFV Reference Architecture: Juniper SD-WAN Building Blocks

At the heart of delivering SD-WAN with Juniper’s Cloud CPE, the building blocks are aligned with ETSI’s NFV Reference Architecture utilizing a standards-based foundation:

Figure 8. Juniper SD-WAN building blocks

Contrail Service Orchestration

Juniper Networks Contrail Service Orchestration is a comprehensive management and orchestration platform that delivers virtualized network services built on an open framework.

The Network Service Designer enables product managers to construct service catalogs of SD-WAN and other managed services from a portfolio of Juniper VNFs and third-party VNFs.

The Network Service Controller provides a zero touch delivery for the NFX250 platforms, starting with day-one configuration and detailed administration device management.

The Network Service Orchestrator facilitates delivery and management across the entire VNF life cycle along with facilitating the various deployment models.

These features combine with an administration portal, giving operations an easy monitoring and troubleshooting mechanism to ensure service health and eliminate disruption. The customer portal delivers a user management interface giving customers the freedom to self-select and customize their SD-WAN service.

SD-WAN on vSRX or SRX Series

Juniper Networks SRX Series Services Gateways is the foundational platform that provides a fully dynamic, application-based routing stack to deliver transport-agnostic SD-WAN managed services. With its customizable and programmable features, the SRX Series is the most advanced and efficient security product in the industry. Freedom of choice is made possible for the delivery of SD-WAN on the SRX300 Services Gateway or Virtual SRX (vSRX). With SRX300, customers can leverage a smaller scale platform that delivers SD-WAN and security, while all functions are orchestrated using the Cloud CPE delivery model. For customers looking to pivot onto a virtualized platform that supports a VNF delivery model, vSRX is the ideal software that combines features, price, and flexibility.

The SRX Series is making SD-WAN even more deployable. The application-aware QoS enables traffic prioritization, marking, and bandwidth limiting through deep packet inspection (DPI), APPID, and metadata. The user awareness layer integrates with Microsoft Active Directory, while overlays and IPsec are application and subscriber-aware, to enable policy-based routing.


NFX250

NFX250 Network Services Platform is a unique point of differentiation for Juniper, a platform that incorporates router, switch, and server in an on-premises device. The NFX250 Network Services Platform is powerful enough to perform all necessary SD-WAN functions, including policing and steering traffic. It efficiently uses links across the enterprise WAN, blending traditional MPLS with other connectivity options and effectively allocating workloads.

Policy-based forwarding capabilities enforce business rules set by the enterprise to steer application traffic towards a predefined path.

This eliminates the operational complexities of deploying multiple types of customer premises equipment (CPE) to meet myriad customer service needs. Service providers can use the NFX250 to deploy flexible, secure, high-performance services on-premise.

The customer software layer can manage multiple VNFs, including third party, while the platform software layer features an open platform for innovation: Linux OS/KVM hypervisor, software switch, and network service activator client.

Agility Through Flexible Deployment Models

Juniper’s Cloud-CPE solution provides three deployment options: distributed out on-premise; centralized in the cloud; or a hybrid of both distributed and centralized models running simultaneously. The operational experience remains consistent and robust across all three.

In the case of SD-WAN, the deployment model may see more application in a distributed model. However, some application steering may involve a centralized model in a telco cloud, leading to a foundation to deploy other VNFs quickly, and potentially a hybrid model to integrate services and provide a complete solution for the customer.


Distributed Model

The distributed model consists of the NFX250 Network Services Platform and a high-performance software-driven CPE designed as an open platform for VNF delivery. The NFX250 eliminates operational complexities with zero touch provisioning and automates service deployment, creating a near instantaneous service delivery experience. The NFX250 embeds the vSRX virtual firewall for perimeter security and virtualized IP routing, supporting always-on application availability. The key advantage is that it is managed through the same infrastructure, enabling faster time-to-revenue, service flexibility, and an improved user experience.

Figure 9. SD-WAN distributed model

[Diagram labels: Contrail Service Orchestration; Self-Service Portal; Admin Portal; Activation Server; Internet; Branch (VNFs); HQ / Campus; VNFs; Contrail Cloud Platform (Infrastructure Orchestration)]

Centralized Model

The centralized model abstracts network services from on-premise equipment and automates service delivery in the telco cloud. New services can be ordered through a customer portal or triggered by an existing BSS on demand. A management and orchestration layer performs complex virtual network service chaining and life cycle management, where it automatically instantiates VNFs and service chaining with network resources to deliver scalable multitenant services, providing optimum economy of scale and TCO savings.

Figure 10. SD-WAN centralized model

[Diagram labels: Contrail Service Orchestration; Self-Service Portal; Admin Portal; Internet; Branch; HQ / Campus; VNFs; Contrail Cloud Platform (Infrastructure Orchestration)]

Hybrid Model

Juniper’s Cloud CPE simultaneously supports both centralized and distributed deployment models, enabling service providers to deploy applications centrally or distribute them to customer premises or branch offices. With hybrid Cloud CPE, applications and network services can be dynamically provisioned based on network conditions or application policies and business requirements, to support the extensive private and public cloud-hosted environments demanded by today’s enterprises.

Figure 11. SD-WAN hybrid model

[Diagram labels: Contrail Service Orchestration; Self-Service Portal; Admin Portal; Activation Server; Internet; Branch (VNFs); HQ / Campus; VNFs; Contrail Cloud Platform (Infrastructure Orchestration)]

The Juniper Approach for Service Providers

Plan, build, and operate a commercial-ready SD-WAN solution with Juniper.

Juniper Networks’ partnership approach means support at every step, as you implement an SD-WAN offering: from assessment of your current offering, to building your business plan, to going to market. Our step-by-step process guides you from today’s reality to a set of solutions that your customers need to be successful, opening up new sources of business opportunity and revenue for your team.

Workshop: Ideation

Juniper’s services development support offerings bridge the gap between good ideas and strong business plans. We work with you in a Service Creation Workshop to bring together your network, product, and DevOps stakeholders, to begin to discover exactly the kind of service you are best placed to provide, and build the required infrastructure around it. This stage includes:

• Service creation advisory workshop

• Services opportunity identification

• Services need/solution alignment

Assessment: Stack and Goals

Juniper supports you in a thorough assessment of your current capabilities, customer base, and business model, to understand exactly where SD-WAN fits in your organization. This professional assessment provides a comprehensive audit, giving insight into where your opportunities exist, through:

• Cloud CPE assessment

• NFV OSS assessment

• Business case assessment

Sandbox: Testing

Going into the proof-of-concept and validation phase, Juniper will virtually replicate your solution and subject it to comprehensive performance testing to establish viability. This phase includes:

• Use of OpenLabs to test technical concepts and process configurations

• VNF compatibility and interoperability validation

• Field trial to implement low-risk deployment and test market value propositions

Go-to-Market: Viability and Commercial

Finally, Juniper’s go-to-market offerings breathe life into the strong business plan you’ve built, with technology support, cross-functional training, and rollout assistance, including:

• Cross-functional training

• Juniper in-market resources to speed services rollout

• Material development and sales enablement tools

• Training for sales teams

As you start up, spin up, and go to market with your SD-WAN solution, Juniper Networks can support you at every stage of your journey. What’s more, as your business seeks to go further into the enterprise with complementary and broader Cloud CPE, Juniper can be on hand to assist at every step of the way.


Copyright 2016 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.


7400047-001-EN Nov 2016