Solution Architecture

This JVDE document builds upon the 3-Stage Data Center Design with Juniper Apstra (JVD). It covers the basic architecture and components, along with the deployment of the 3-stage data center fabric. The 3-stage data center design is based on the ERB architecture, where the Spine switches are lean spines and the server leaf switches are the VXLAN tunnel endpoints (VTEPs) connected to the hosts.

In this JVDE, the reference architecture includes two SRX4600 devices connected to the Spine switches in a Multi-Node High Availability (MNHA) cluster. For more information, refer to the Multi-Node High Availability services guide. The two SRX4600 firewall devices are connected to the Spine switches using revenue interfaces and are configured in active-active MNHA mode; whether traffic is sent to the SRX is determined by the routing performed through the fabric. The nodes communicate with each other over an inter-chassis link (ICL), which is a logical link. It is recommended to bind the ICL to the loopback interface and to use more than one physical link (LAG/LACP) so that path diversity provides the highest resiliency. The nodes back up each other to ensure a fast, synchronized failover in case of a system or hardware failure.

Note:

This JVDE specifies a deployment model in which the SRX4600 is connected directly to the spine switches, representing one supported method of integrating the firewall into the data center fabric. Alternatively, connecting the SRX4600 to the leaf switch is also a valid design; however, it is not covered in this JVD. Both architectures are fully supported and considered equally viable design options. Connecting the SRX4600 to the spine keeps the design an Edge Routed Bridging (ERB) architecture, because the VTEPs are not terminated on the SRX4600 devices.

Below is the set of baseline features that have been validated, followed by the advanced features that are supported, with this integration of SRX firewalls in MNHA.

  • EVPN Type 5 route signaling
  • VXLAN encapsulation and decapsulation
  • Firewall policy inspection
  • Unified policy

Advanced features

  • Application Security:
    • Application Identification
    • Application Based Routing
  • Content Security
    • Web Filtering
    • Antivirus
    • Content Filtering
    • Anti-Spam
  • IDP
  • SSL Inspection
  • Advanced Threat Prevention
    • Security Intelligence
    • Advanced Anti-Malware
    • Adaptive Threat Profiling
  • DNS Security
  • Encrypted Traffic Insights
  • User/Device Authentication

Juniper Hardware and Software Components

The Juniper products and software versions are listed below. The design documented in this JVDE is considered the baseline representation for the validated solution.

Juniper Hardware Components

Table 1 and Table 2 list the platforms tested for this JVDE during initial qualification. For more details on all supported platforms and OS versions, see the Validated Platforms and Software section in the JVDE document.

Table 1: Supported Devices and Positioning

Solution: Secure Data Center Fabric with Juniper SRX

Positioning          Supported Device
DC Server Leaf       QFX5120-48Y-8C
DC ESI Leaf          QFX5120-48YM-8C
Spine                QFX5220-32CD
DC Border Leaf       QFX5130-32CD
External Firewalls   SRX4600/SRX4700

Table 2: Juniper Software Version

Juniper Products                     Software or Image Version
Junos OS Evolved & Junos OS images   23.4R2
Juniper Apstra                       6.0

Validated Functionality

The Secure Data Center Fabric with SRX4600 was validated using the following parameters in its configuration:

  • This JVDE consists of a 3-stage Clos fabric with an ERB network architecture using EVPN-VXLAN.
  • Servers are connected and tested in both single-homed and multi-homed configurations.
  • In the case of multihomed ESI servers, LACP is enabled between the servers and the leaf switches.
  • Both the overlay and underlay of the fabric are built using eBGP.
  • EVPN Type 5 routes are learned and advertised.
  • The SRX4600 devices run in an MNHA cluster.
  • The SRX4600 peers with Spine1 and Spine2 in both the underlay and the overlay.
  • The SRX4600 creates a new Route Distinguisher and pushes the routes back to the fabric to attract traffic.
  • VRF-to-VRF traffic (East-West) and VRF-to-internet traffic (North-South) are inspected.
  • The SRX is part of the EVPN-VXLAN fabric, performing security inspection of user traffic.