Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


The Juniper Networks Enterprise WAN Solution


The Juniper Networks enterprise WAN solution is built on the following modular building blocks:

  • WAN Aggregation and backbone

  • Internet gateway

  • Secure overlay (IPsec VPN)

  • Services

The target markets for this solution include any organization that has a wide base of hub sites with a high degree of interconnectivity demands. Large enterprises that operate as pseudo-carriers are the key target of the use cases provided in this solution. Government agencies, universities, financial and health care organizations, and large technology companies are most likely to benefit from the deployment scenarios in the enterprise WAN solution.

Large enterprises are the most likely to establish private aggregation points of presence, enabling them to consolidate WAN connections prior to backhaul to the headquarters or data center sites. This approach provides a central point of control for regional hub sites, enabling cost savings on backhaul—a single aggregation router is connected via high-speed backhaul to the carrier or private MPLS cloud as well as to the Internet edge—and management. In the aggregation model, a single point of presence provides all enterprise transport services to the regional hubs. This minimizes configuration points and enables more robust resiliency and performance to those hub sites.

The next section covers each of the modular components of the WAN aggregation solution.

WAN Aggregation and Backbone

There are several modular configuration options for the WAN backbone. Using the WAN aggregation model (Table 1), the solution features configurations for three deployment scenarios—dual router with dual circuit, single router with single connection, and single router with dual connection.

Table 1: Enterprise WAN Remote Site Type

Deployment Scenario




Head End Router

Dual Router Dual Circuit



L3VPN/L2VPN/IP Tunnels

WAN backbone


VPN, WAN backbone

Single Router Single Connection






Private WAN

WAN backbone



VPN, WAN backbone

Single Router Dual Connection




VPN, WAN backbone

Private WAN

WAN backbone


WAN backbone

The WAN backbone configurations include uplinks directly to the Internet, mixed connection profiles with both MPLS and Internet connections from a hub site, and a complete MPLS connection model with the sites connected into MPLS for all three deployment scenarios as shown in the following figure.

Figure 8: Enterprise WAN deployment scenarios
Enterprise WAN deployment scenarios

Internet Gateway

The Internet gateway is a foundation of the WAN aggregation deployment scenario. The Internet and mixed aggregation scenarios require Internet gateway functionality to properly provision WAN aggregation. The Internet gateway provides Internet access to hub site users, or more commonly, provides a public transit for IPsec VPN connection back to the headquarters or data center.

In many cases, hub Internet traffic is backhauled to the company headquarters to enable security services such as URL filtering, antispam and antivirus, and intrusion detection and prevention (IDP). By backhauling traffic to a headquarters site, the enterprise can manage and maintain security between its users and the Internet in a central location. By sacrificing some speed and performance, the enterprise can ensure the security of its user base in this scenario.

Figure 9: The Internet gateway
The Internet gateway

The Internet edge module of the larger WAN aggregation solution provides cloud-grade routing and security to regional enterprise sites that require local Internet access. The local access either provides direct Internet connection to the remote sites, or it provides a transit network to allow intra-enterprise IPsec VPN connectivity.

The aggregation hub providing Internet edge services is services ready and can be easily configured with services that enhance the security of the enterprise remote sites. Services such as dynamic NAT, access lists to whitelist or blacklist-specific destinations, stateful firewall and IDP services, and active/active load balancing to multiple ISPs are all key components of the solution.

Secure Overlay

Secure overlay lets home users or branches with limited MPLS provider options to access the enterprise. The branch office or home user obtains Internet access from whatever local provider is available (via cable, fiber, or satellite). The enterprise then provides a managed, configured device with IPsec services to the branch or home user. Another access method is a secure client on the home user’s computer that allows software-encrypted access to the enterprise. This access can be built within the data center using a VPN gateway or software VPN termination device, or it can be hosted in the cloud closer to the Internet edge.


The enterprise WAN solution is services ready, but what services might an enterprise want to bring into the network? The solution supports Web Cache Communication Protocol (WCCP) to enable WAN acceleration devices to enhance the user experience. Inline, network-driven security services, such as stateful firewalls and deep packet inspection, are also supported.

When the enterprise hosts sensitive data or is likely to be the target of intrusion or attack, control plane protection and denial-of-service protection (DoS and DDoS) are integrated into the solution architecture.

For enterprises that use real-time or recorded video content (such as financial streams to banking centers or video lectures in the education sector), the solution supports content caching. This service is adopted through enhancements to the network’s handling of multicast traffic and by the routing hardware ability to redirect specific flows to secondary devices or virtual appliances that locally cache and serve content to remote sites. The enterprise WAN can add these services in line with little to no disruption of the user experience.

Modernize Your Mission Critical Enterprise WAN Infrastructure

Juniper enterprise WAN solution empowers customers to transition smoothly to a modernized architecture that is flexible, automated, secure, and resilient.

  • A Flexible WAN - Juniper provides the agility to adapt to the unknown with flexible chipsets, consistent Junos operating system across the entire portfolio, modular platforms that are backward compatible, future-proof protocols (IPv6, segment routing, MPLS), and a flexible consumption model supporting pay-as-you grow or software subscriptions for features and services.

  • An Automated WAN - Juniper offers closed-loop automation that translates business intent into service performance, assuring customers receive a differentiated service experience. Open and standard APIs, customizable DIY tools and visual workflows for visibility, AI, and real-time telemetry streaming allow automation of the entire network operations lifecycle that improves operational efficiency while reducing complexity.

  • A Secure WAN – To defend your WAN, Juniper Connected Security extends threat intelligence to Juniper MX Series routing infrastructure. You can block command and control (C&C) traffic discovered by Juniper Advanced Threat Prevention, Juniper Threat Labs, and custom blacklists at the network hardware level. Juniper Connected Security turns your WAN connectivity layers into automated defense layers.

  • A Resilient WAN - For maximized uptime and mission critical Quality of Experiences (QoE), Juniper delivers multi-layer resiliency to ensure uptime, reliability, business continuality, and user satisfaction. At the product and OS level Juniper offers redundant hardware and resilient software features that support graceful RE switchover (GRES), nonstop active routing (NSR), and unified in-service software upgrade (unified ISSU). Juniper offers high-availability architecture features, including multi-homing capabilities, IPVPN, L2VPNs, EVPN, multicast, segment routing with TI-LFA, and others. Additionally, with software-defined management and control, you gain the network visibility to monitor, manage, and diagnose with the latest AI and ML techniques and integrate them into your network operations.