CSDS Architecture
Read this topic to learn about Juniper’s Connected Security Distributed Services (CSDS) Architecture and its benefits.
Juniper’s Connected Security Distributed Services (CSDS) Architecture provides a scalable, distributed security architecture design that decouples the forwarding and security services layers. The distributed framework enables existing Juniper Networks® MX Series routers to operate as intelligent forwarding engines and load balancers with path redundancy capability.
Benefits
- Scalability: Scale the topology horizontally and elastically as needed, without being constrained by chassis limitations. All distributed firewalls function together as a fabric, enabling automated resiliency with multipath redundancy. If one of the devices fails, the others automatically take over its share of the service.
- Simplicity: Manage all distributed firewall engines as a single logical element, regardless of the firewall count. Deployment is simple and similar to adding virtual service cards to a chassis, allowing for easy integration at each site.
- Flexibility: Decouple forwarding and services layers, enabling the two layers to scale independently. With this modular approach, you can adjust the size of the security solution depending on your deployment and combine different form factors. Additionally, you can continue to use the existing SRX Series Firewalls in the new architecture, ensuring that the processes and policies remain intact.
CSDS Architecture
- Forwarding layer—The forwarding layer includes MX Series routers that receive traffic from the underlying network, distribute it up to the devices in the services layer, and return the serviced traffic to the network. The MX Series routers in this layer also serve as the single pane of glass responsible for synchronizing and distributing the configuration to the devices in the services layer. You can deploy the MX Series routers in 1:1 redundancy.
- Services layer—The services layer includes SRX Series Firewalls and provides security services. The layer supports different SRX Series Firewall models, but a group of identical firewall models together offers one security service, such as carrier-grade NAT (CGNAT) or IPsec VPN. Multiple groups, each hosting a different security service, can also coexist. This guide covers configuration examples with one group of SRX Series Firewalls.
- Distribution layer (Optional)—The distribution layer is placed between the forwarding layer and the services layer. The devices in this layer primarily provide additional port count when enough ports are not available on the devices in the forwarding and services layers. They can also offer port speeds and port types that are not built into the devices in the forwarding or services layer. These devices serve as a switch fabric that interconnects all the devices in the architecture. You can use QFX Series devices in this layer for large-scale deployments.
- Management layer—The management layer provides a management platform for the entire CSDS solution and connects to the forwarding layer as a single pane of glass. The management layer includes the capability to monitor the utilization of the services layer devices. In the management layer, you can optionally use EX Series switches for the device management.
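The layering above (forwarding layer spreading traffic across a group of identical services-layer firewalls, with the remaining members absorbing the load when one fails) can be modelled in a few lines. The following is an added, illustrative example and is not Juniper's code; this page does not describe the actual distribution algorithm the MX Series uses. The member names, the 5-tuple flow key, the constructed sample flows, and the choice of rendezvous (highest-random-weight) hashing are assumptions made here so that each flow sticks to one firewall (as a stateful service requires) and a failure moves only the failed member's flows.

```python
"""
Illustrative model of the CSDS forwarding/services split (added example,
not Juniper's code): a forwarding-layer distributor maps flows onto a group
of identical services-layer firewalls and rebalances when a member fails.
Assumptions (not from the page): member names, the 5-tuple flow key, the
sample flows, and rendezvous hashing as the distribution method.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """A unidirectional flow identified by its 5-tuple."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

    def key(self) -> bytes:
        return f"{self.proto}|{self.src}:{self.sport}|{self.dst}:{self.dport}".encode()


@dataclass
class ServiceGroup:
    """One group of identical services-layer firewalls offering one service."""
    service: str
    members: dict[str, bool] = field(default_factory=dict)  # name -> is up

    def add(self, name: str) -> None:
        self.members[name] = True

    def fail(self, name: str) -> None:
        self.members[name] = False

    def recover(self, name: str) -> None:
        self.members[name] = True

    def live(self) -> list[str]:
        return [m for m, ok in self.members.items() if ok]

    def select(self, flow: Flow) -> str:
        """Rendezvous hashing: every live member scores the flow, highest wins.
        Removing one member changes the choice only for flows it was winning."""
        live = self.live()
        if not live:
            raise RuntimeError(f"no live firewall in group {self.service}")
        return max(live, key=lambda m: hashlib.sha256(m.encode() + b"|" + flow.key()).digest())


def distribute(group: ServiceGroup, flows: list[Flow]) -> dict[Flow, str]:
    """Forwarding-layer view: which firewall each flow is pinned to right now."""
    return {f: group.select(f) for f in flows}


def moved_flows(before: dict[Flow, str], after: dict[Flow, str]) -> set[Flow]:
    """Flows whose firewall changed between two distributions (state would be lost)."""
    return {f for f in before if before[f] != after[f]}


def sample_flows(n: int) -> list[Flow]:
    """Constructed sample input: n TCP flows from distinct client sockets to one web server."""
    return [Flow(src=f"10.0.{i // 250}.{i % 250 + 1}", dst="192.0.2.10",
                 proto=6, sport=40000 + i, dport=443) for i in range(n)]


def failover_demo(n: int = 200, failed: str = "srx-3") -> dict[str, int]:
    """Fail one member, count what moved, then recover it and check the map returns."""
    group = ServiceGroup("CGNAT")
    for name in ("srx-1", "srx-2", "srx-3", "srx-4"):  # assumed member names
        group.add(name)
    flows = sample_flows(n)
    before = distribute(group, flows)
    group.fail(failed)
    after = distribute(group, flows)
    moved = moved_flows(before, after)
    group.recover(failed)
    restored = distribute(group, flows) == before
    return {
        "on_failed_before": sum(1 for m in before.values() if m == failed),
        "moved": len(moved),
        "moved_from_other_members": sum(1 for f in moved if before[f] != failed),
        "restored_after_recovery": int(restored),
    }


if __name__ == "__main__":
    for k, v in failover_demo().items():
        print(f"{k}: {v}")
```

The property worth checking is the one a stateful services layer depends on: after `srx-3` goes down, exactly the flows that were on `srx-3` move, every other flow stays on the firewall that holds its session state, and once the member recovers the original mapping comes back. A naive `hash(flow) % len(live)` scheme would instead reshuffle most flows on every membership change.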
Figure 1 depicts the high-level architecture of the CSDS solution.
Figure 1: CSDS Architecture