Juniper Mobile Backhaul Solution and Mobile Security
Juniper Partner Summit, Moscow, April 21, 2015
Denis Zotov
EMEA CoE
Introducing Universal Access
Service providers have traditionally deployed separate networks for business, residential and mobile customers.
Universal Access extends the intelligence from edge to access, creating a seamless end-to-end service delivery system, with scale and financial viability.
• Single OS
• Single control plane
• Seamless end-to-end service
• Operational simplicity and scale
[Diagram labels: LSP; Services; Mobile Backbone; Datacenters; IP/Internet; Residential Broadband Edge; Business Edge; Mobile Edge; Business; Universal Edge (MX 3D); Universal Access (ACX); Access and Aggregation Network; JUNOS SPACE: End-to-end Service Provisioning, Troubleshooting, Performance Management]
Copyright © 2013 Juniper Networks, Inc. www.juniper.net
JUNIPER NETWORKS’ SOLUTION FOR UNIVERSAL ACCESS, AGGREGATION, EDGE
[Diagram labels: tiers Access, Pre-Aggregation, Aggregation, Edge; platforms ACX500, ACX 1x00, ACX 2x00, ACX 4000, ACX5048, ACX5096, MX80, MX104, MX240, MX480, MX960, MX2010, MX2020, vMX, TCA6x00, TCA8x00; 10GE; 100GE; SEAMLESS MPLS; NETWORK TIMING]
ACX-series
THE NEW BENCHMARK FOR ACCESS NETWORKS
• Juniper’s Universal Access router for mobile backhaul (LTE, 2G/3G), business Ethernet services and residential access
• Complements Universal Edge
• Fixed and modular platforms all running JUNOS
• Integrated precision timing for highest QoE (IEEE1588v2, SyncE)
• Embedded SLA packet generator (RFC 2544)
• Hardened fan-less design
• Support for POE++ (up to 65 W)
• 10 Gig interfaces for converged access
• Seamless MPLS provides most flexible service architecture
• Extensive end-to-end network monitoring: Latency, jitter, OAM
• Open system for innovation (JUNOS SDK and JVAE)
• Satellite Node to MX/MX104 (Junos Node Unifier)
[Pictured: ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, ACX4000, ACX5048, ACX5096, ACX500 indoor, ACX500 outdoor]
Introducing the ACX500 family of Routers
Highlights
• Specifically designed to meet the SmallCell market deployment needs
• Support Carrier Ethernet and MPLS Access
• MEF CE2.0 Compliant
• Line Rate on all ports
• Scalable H-QoS support
• IPSec support for secure transport over non-trusted backhaul
• Built-in DHCP Server for Small Cells
• Zero Touch Provisioning
• Automated Configuration / Image download using Junos Space
• Supports convergence of Wireline and Mobile Networks
• Low Power consumption
• Multiple product variants including support for POE/POE++
ACX500 – INDOOR SKU
• 2x 1GE (SFP) + 4x 1GE (Combo, 3x PoE+ support)
• Temp. Hardened (-40 to +65 C), Passive cooling
• 10.7 in. (W) x 1.75 in. (H) x 11 in. (D) (TBD)
• Advanced Timing – GPS receiver integration, GM capability
• Advanced Security – IPSec, NAT, MacSec and TPM
• Advanced SLA management – RFC2544, Y.1564, TWAMP
ACX500-O & ACX500-O-POE – OUTDOOR SKUs
• 3x 1GE (SFP) + 3x 1GE (Cu, PoE+ support)
• IP65 compliant, Passive cooling, Power Budget: 45W
• 9.47 in. (W) x 15.8 in. (H) x 5.6 in. (D) (TBD)
• Advanced Timing – GPS receiver integration, GM capability
• Advanced Security – IPSec, NAT, MacSec and TPM
• Advanced SLA management – RFC2544, Y.1564, TWAMP
ACX500 Indoor and Outdoor Variants / Licensing

Variants       | Indoor (Avail Today) | Outdoor (Avail-3Q15)
AC             | -                    | ACX500-O-AC
DC             | -                    | ACX500-O-DC
AC with POE*   | ACX500-AC            | ACX500-O-POE-AC
DC with POE*   | ACX500-DC            | ACX500-O-POE-DC

Services Licensing Indoor
ACX500-LIC-GPS | ACX500 License for GPS Receiver
ACX500-LIC-SEC | ACX500 License for IPSec and NAT features

Note: * 3 ports capable of supporting POE / POE++, max 80 Watts power across 1 or 3 ports combined
ACX 500 Use Case - Smallcell Backhaul
[Diagram labels: POE capable SmallCell; ACX1100 with EX2200c (L2/L3 switch with PoE) and TCA6500 Timing client with Integrated GPS receiver; ACX500 (Indoor) and ACX500-O-POE (Outdoor) with Integrated GPS; functions: NAPT for Smallcell Traffic, DHCP Server, IPSec, 1588v2 Grand Master, WAN IP Static or DHCP; flows: Device Management IPSec Tunnel, SmallCell Traffic with or without IPSec enabled; upstream: CE, PreAgg, Aggregation NW, SEG (SmallCell), SEG (Dev Mgmt), Core Network, 1588v2 GM with GPS, Junos Space + Config Server, OSS/BSS; availability tags: Avail. today, Avail. 1H2015]
Field Area Network (FAN)
• ACX500 is certified for the following standards required for utilities and railways
  • NEBS GR 3108
  • IEEE 1613
  • IEC 61850-3
  • EN 50121
[Diagram labels: Substation; NOC; ACX500; IP/MPLS Network; CTP150; Junos Space; Juniper Routers: M Series, MX Series, SRX Series; WLA632 Rugged Outdoor Wireless AP; IED; Surveillance Camera; RTU; PLC; Private WAN; T1/E1; Ethernet; MPLS Edge Devices]
ACX5000
ACX5000 series
ACX5048
• 48 x 1/10GbE SFP+
• 6 x 40GbE QSFP uplinks
• 1.44 Tbps throughput
• 1U fixed form factor
ACX5096
• 96 x 1/10GbE SFP+
• 8 x 40GbE QSFP uplinks
• 2.56 Tbps throughput
• 2U fixed form factor
E-LINE, E-LAN with full E-OAM, Comprehensive L2 Multicast Solution over IP/MPLS Infrastructure
IP-VPN Services
Reliable Networking: ISSU, MC-LAG, Flexible Virtual Chassis Deployments
Sync: 1588 TC
Introducing the ACX5000 family of Routers
Highlights
• Specifically designed to meet the Pre-Aggregation / CRAN market deployment needs
• Support Carrier Ethernet and MPLS Access
• MEF CE2.0 Compliant
• Line Rate on all ports
• Low Latency ~.6us
• IPsec support for management
• Supports convergence of Wireline and Mobile Networks
• Built-in x86 processor supports Service Virtualization on a KVM-compliant Virtual Machine
• High-Availability features like ISSU, MC-LAG, Virtual Chassis
• Low Power consumption
• 1588v2 Transparent Clock*
ACX5048
ACX5096
ACX5K VALUE PROPOSITION
1GE to 10GE Network and Service Migration
• High density & capacity 1GE/10GE Platform
• Graceful Migration From 1GE to 10GE
Flexible Service Offerings
• Low Latency (Finance, Front-haul)
• MEF Services (ELINE, ELAN, E-Tree, ENNI)
• Ethernet OAM 802.3ah, 802.1ag, Y.1731 PM RFC2544
• IP-VPN
• VM Architecture (Added Value Applications – Firewall, Analytics, User Defined Apps)
Flexible Network Deployment
• Ethernet IP/MPLS
High Availability and Scalable Networking
• JUNOS for building highly reliable and scalable networks
• G.8032, RSVP 1:1, FRR, BFD, IP LFA, PWE Red., VRRP
• ISSU, Virtual Chassis, MC-LAG
• Seamless MPLS Networking Solution
ACX5000 APPLICATIONS – METROE AGGREGATION (BUSINESS)
MetroE Aggregation (No Residential access)
E-OAM, E-LINE/E-LAN (Ethernet and MPLS)
High Capacity, IP-VPN/IP Support
SP Market
MSO
ACX5000 APPLICATIONS – METROE CPE (BUSINESS)
High Capacity CLE/CPE – EAD Device
E-OAM, E-LINE/E-LAN (Ethernet and MPLS)
High Capacity, IP-VPN/IP Support
SP Market
MSO
Connectivity Services Director & Cross Platform Provisioning
Service Lifecycle Management
Service Design & Provisioning
• Templates for service design and rapid provisioning
Validation & Troubleshooting
• Network performance and SLA assurance
Service Decommissioning
• Decommission and release service resources
Resource Management
• Maintain service inventory and resources
Transport Provisioning - Design, provisioning, and deployment of static and dynamic P2P and P2MP and full mesh LSPs
Network Service Provisioning - Provisioning, validation and troubleshooting of MPLS, L2/L3VPN, MEF and TDM/ATM services
QoS Provisioning - Provisioning of QoS profiles for bandwidth management, traffic shaping and congestion management
Sync Management - Configuration and management of PTP, SyncE and hybrid synchronization modes across the network
Troubleshooting and Performance Monitoring – Service fault and performance management using Y.1731, CFM, LFM, BFD
Key Requirements
Service
Lifecycle
Management
Evolution to Connectivity Services Director
Junos Space Services Activation
• Released in 2011
• Currently shipping R14.1
• Used in both SP and Enterprise networks
• Several live deployments in Tier-1 and Tier-2 networks
Connectivity Services Director
• Common UI, no discrete apps
• Usability improvements
• Flexible Services
• Service Troubleshooting
• Service Performance monitoring
• Graphical topology views
• Chassis viewer
• Path computation through Northstar
• FRS – Q2 2015
Inputs to the evolution
• Customer and Partner inputs
• Cross BU collaboration
• Code reuse
• Agile development
[Screenshot callouts: Multiple views or perspectives; Services Types; Easy access to customer list; Service-specific tasks; Overall status of services; Improved search; Services List; Alarm summary; Port-specific information; Logical interfaces and details; Port specific configlets]
CPP - High Level Architecture
[Diagram labels: CPP Service Activation 1.0 (E-LINE / E-LAN / L3VPN / IPTV L3VPN Services); Junos Space Platform; Junos Space EMS; REST API; SOAP Webservices (SAM-O); ALU 5620 SAM; Carrier Ethernet Network; Juniper Hardware; Alcatel Lucent Hardware]
Solution Highlights
• Enhancements to Services Activation Director (Network Activate) to deploy and manage services in Space & ALU 5620 SAM
• Uses Flex Services framework to design and provision services on Juniper and ALU devices
• Uses SOAP API to manage ALU 5620 SAM services
• Provides a script-driven approach to service template design for provisioning new services
• Leverages Space platform features such as clustering, redundancy, etc.
Flex Services
Device and Service Lifecycle Management
CPP
MODIFICATION
• Modify operations (Device, Service)
• Bulk Service Changes (Device, Service)
• Service Migration (Port x to Port y)
DISCOVERY
• Device Discovery
• Service Discovery
PROVISIONING
• Golden template on device using device Configlets
• Service Provisioning ELINE, ELAN, L3VPN, Network Peering
TROUBLESHOOTING
• Device Validation Scripts
• Device Troubleshooting OpScripts
• Service Troubleshooting OpScripts
Mobile Backhaul Security
What is Mobile Sec GW
• What is Mobile Sec GW
  • Mobile Security GW is introduced to protect the availability and integrity of the mobile network;
  • Protect the EPC by permitting the sessions from the certified mobile base stations
  • Protect the data integrity through transport network.
  • Securing the management plane traffic of the backhaul devices
• What are the key functions
  • IKE/IPsec VPN termination (HA in some case) from eNB directly to Mobile core (main)
  • Firewall, SCTP rate limiting, IPS, DDoS, etc. (optional)
Where are the threats
[Diagram labels: UEs, Backhaul Network, EPC]
• Signalling storms (not directly malicious)
• Signalling plane attacks
• Access to EPC nodes
• Participation in botnets
• Access to exploitable carrier services such as DNS or NTP
• Insecure physical locations giving easy access to backhaul network
• Visibility of user information
• IP access to backhaul nodes and EPC
• Ethernet access could allow standard attack devices and tools to be used
• Possible access to carrier services, e.g. DNS, NTP
• Commonly shared or leased – not under operator control and inherently insecure
• Risk of insertion points directly or via access to non-isolated backhaul
• Clear avenue to EPC and rest of mobile network for attack
Physical Deployment options
[Diagram labels: 2G GSM/CDMA, 3G UMTS, 4G LTE; TDM, ATM/TDM, IP/Ethernet; Small Cells; SCG; Leased; MPLS; Sec-GW (shown at several locations); AAA; PCRF; EPC; ‘Distributed’ SeGW; ‘Centralised’ SeGW]
• Many options to deploy Sec GW in a network; it can be in one or multiple types of locations.
• Candidate platforms from Juniper: SRX and MX
• Two common terms: ‘Centralised’ and ‘Distributed’ Security Gateway
Variable SeGW functionality
Different set of security functions can be enabled depending on where the Sec GW is located
[Diagram labels: eNodeB, MME, SGW/PGW]
Other considerations: centralised vs distributed
Centralized
• Concentration of HW
• Reduced HW Capex
• Fewer nodes and sites
• Competence concentration
• Concentration of complexity
• Easier to grow/match capacity without geographical aspects
Distributed
• Supports high traffic volume
• Reducing transmission cost
• Enables efficient X2 transport (Latency-critical functions)
• Enables CPG distribution
• Minimize effect of node failure
• Less number of users per node
• Less need of high capacity SeGWs
• Integrate SeGWs with IP router nodes
• Similarities to fixed broadband network architectures
Positioning SRX as SEGW
[Diagram labels: Access Sites, Aggregation Sites, Core Sites; SRX5400, SRX5600, SRX5800]
Key Benefit:
• Very mature and stable turnkey solution for end-to-end backhaul security in conjunction with NSN or Ericsson
• Dynamic scaling provides pay-as-you-grow model up to 80Gbps (SRX5800) IMIX IPsec & stateful firewall
• Stateful High Availability (HA) synchronises IPSec SAs, meaning minimal downtime in the event of a SeGW failure
• Stateful SCTP inspection can be enabled to protect signalling plane
• Full stateful firewall
• Complete IPv6 support across IPSec, firewall, routing, and more
• In-Service Software/Hardware upgrades (ISSU/ISHU)
• JUNOS heritage functions (routing, QoS, commit confirmed, rollback)
• Single RAN security (2G/3G/4G IP protection)
MX104 as distributed Security gateway (MS-MIC)
Key Benefit:
• Satisfy X2 latency and performance requirements by pushing security functions into access layer
• Use router-integrated SeGW concept to reduce CAPEX/OPEX
• Reduced impact for node loss
• Co-located access layer routing functions
• Excellent IPSec performance (~3.5-4.5Gbps IPSec IMIX) in a small form factor unit
• Additional security functions on MS-MIC if required (e.g. stateful firewall)
Centralised MX as Security gateway (MS-MPC)
[Pictured: MX960, MX480, MX240]
Key Benefit:
• Great performance for IPSec on MS-MPC (~27G for IPSec IMIX)
• Leverage existing MXs within transport network to provide a transparent
• Significantly reduced TCO
• Router integrated solution allows flexibility in where to deploy across the backhaul network
• Distributed BFD provides a super-fast inter-site failover design for dual tunnel topologies (becoming increasingly common) – negates the need for intra-site HA
Use case - LTE-A deployment
• There are stringent requirements for X2 latency for reliable LTE-A deployment
• Solution: Deploy IPsec termination on the Aggr router or Pre-aggr router
  • Case-1: Only X2 traffic is terminated at the edge of the network, for latency reasons; S1 will be sent back to the central EPC
  • Case-2: all S1 and X2 terminated at the D-Sec-GW in a secured location
• Allow communication from macro cell to EPC from certified eNBs, provide data integrity from eNBs to a secured location;
[Diagram labels: eNB; CSR; Pre-aggregation; Aggregation/SecGW; Core/C-SecGW; MME; SGW/PGW; HSS]
Use case - Small Cell deployment
[Diagram labels: Small Cell; H; Small Cell Home GW; eNodeB; MME; SGW/PGW; Sec-GW; Sec-GW (optional); interfaces X2, S1, S1u, S1c; Macro Backhaul; Small/Pico/Femto Backhaul; Signaling, OAM, Data]
Session termination at the same location of small cell GW to
• Reduce IPsec overhead to the central site
• To achieve low X2 latency
• Better network level IPsec Scale
If encryption is required from SmallCell GW site to EPC, then all traffic can be aggregated and transferred to EPC. Benefit:
• Improve overall network level tunnel scale
Summary - Router-integrated Mobile Sec GW
– Security is an integral part of the Mobile Backhaul solution, and MX is a critical element of Juniper’s Mobile Backhaul solution offering;
– Router-integrated SecGW simplifies the Mobile Backhaul solution and also gives great flexibility in Sec GW deployment; it can be deployed in any part of the Mobile Backhaul network with any MX platform with add-on services and IPsec security
– CAPEX saving: allows the provider to leverage the current MX platforms in the network, or to get new Mobile Backhaul infra with add-on SecGW function;
– Non-intrusive security introduction plan: with no requirements for any change in the current network design
– A small step into the big future: IPsec security is the first step of the distributed Mobile service vision
– Router-integrated solution also completes the toolkit (in addition to what Juniper’s winning product SRX can offer) which the operator needs to secure the Mobile network;
Juniper Mobile Backhaul Value Proposition
End-to-End Solution
• Cell site to core routing
• Embedded timing and synchronization
• Strategic Partnerships
Operationally Efficient
• Zero-touch
• Junos Space
• Seamless MPLS
Performance and Flexibility
• Industry leading throughput
• 1/10/40/100 GE, TDM interfaces
• POE++
Resilient
• Environmentally hardened
• Fanless design
• Carrier-grade Junos operating system
Evolving
• SDN enabled
• NFV
• Integrated Security Gateway capabilities
Thank you

More Related Content

What's hot

12.) fabric (your next data center)
12.) fabric (your next data center)12.) fabric (your next data center)
12.) fabric (your next data center)
Jeff Green
 
Cisco data center support
Cisco data center supportCisco data center support
Cisco data center support
Krunal Shah
 
Juniper round table switching and product overview
Juniper round table   switching and product overviewJuniper round table   switching and product overview
Juniper round table switching and product overview
Kappa Data
 
4.) switch performance (w features)
4.) switch performance (w features)4.) switch performance (w features)
4.) switch performance (w features)
Jeff Green
 

What's hot (20)

Pcdvpcu en ex9200-customer-presentation-1
Pcdvpcu en ex9200-customer-presentation-1Pcdvpcu en ex9200-customer-presentation-1
Pcdvpcu en ex9200-customer-presentation-1
 
12.) fabric (your next data center)
12.) fabric (your next data center)12.) fabric (your next data center)
12.) fabric (your next data center)
 
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
PLNOG16: Obsługa 100M pps na platformie PC, Przemysław Frasunek, Paweł Mała...PLNOG16: Obsługa 100M pps na platformie PC, Przemysław Frasunek, Paweł Mała...
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
 
Campus
CampusCampus
Campus
 
Cisco data center support
Cisco data center supportCisco data center support
Cisco data center support
 
Next Generation Nexus 9000 Architecture
Next Generation Nexus 9000 ArchitectureNext Generation Nexus 9000 Architecture
Next Generation Nexus 9000 Architecture
 
Juniper round table switching and product overview
Juniper round table   switching and product overviewJuniper round table   switching and product overview
Juniper round table switching and product overview
 
Cisco Live! :: Deploying SIP Trunks with Cisco Unified Border Element (CUBE/v...
Cisco Live! :: Deploying SIP Trunks with Cisco Unified Border Element (CUBE/v...Cisco Live! :: Deploying SIP Trunks with Cisco Unified Border Element (CUBE/v...
Cisco Live! :: Deploying SIP Trunks with Cisco Unified Border Element (CUBE/v...
 
WAN Products
WAN ProductsWAN Products
WAN Products
 
6.) switch quick config (fixed summits)
6.) switch quick config (fixed summits)6.) switch quick config (fixed summits)
6.) switch quick config (fixed summits)
 
Deploying Carrier Ethernet features on ASR 9000
Deploying Carrier Ethernet features on ASR 9000Deploying Carrier Ethernet features on ASR 9000
Deploying Carrier Ethernet features on ASR 9000
 
4.) switch performance (w features)
4.) switch performance (w features)4.) switch performance (w features)
4.) switch performance (w features)
 
Unified Access Update - 11AC and Switching Platform
Unified Access Update - 11AC and Switching PlatformUnified Access Update - 11AC and Switching Platform
Unified Access Update - 11AC and Switching Platform
 
End to End Convergence
End to End ConvergenceEnd to End Convergence
End to End Convergence
 
Juniper Contrail VNS A BASIC introduction
Juniper Contrail VNSA BASIC introductionJuniper Contrail VNSA BASIC introduction
Juniper Contrail VNS A BASIC introduction
 
Service Chaining - Cloud Network Services at Scale
Service Chaining - Cloud Network Services at ScaleService Chaining - Cloud Network Services at Scale
Service Chaining - Cloud Network Services at Scale
 
20.) physical (optics copper and power)
20.) physical (optics copper and power)20.) physical (optics copper and power)
20.) physical (optics copper and power)
 
10.) vxlan
10.) vxlan10.) vxlan
10.) vxlan
 
Cisco Nexus Family Platform Overview
Cisco Nexus Family Platform OverviewCisco Nexus Family Platform Overview
Cisco Nexus Family Platform Overview
 
44 - IDNOG03 - LT - Rommy Kuntoro - G.Fast 1Gbps over Copper Cable, Are we r...
44 - IDNOG03  - LT - Rommy Kuntoro - G.Fast 1Gbps over Copper Cable, Are we r...44 - IDNOG03  - LT - Rommy Kuntoro - G.Fast 1Gbps over Copper Cable, Are we r...
44 - IDNOG03 - LT - Rommy Kuntoro - G.Fast 1Gbps over Copper Cable, Are we r...
 

Viewers also liked (6)

Pat Sims on Community broadband networks
Pat Sims on Community broadband networksPat Sims on Community broadband networks
Pat Sims on Community broadband networks
 
中研院IPv6基礎建設概況報告
中研院IPv6基礎建設概況報告中研院IPv6基礎建設概況報告
中研院IPv6基礎建設概況報告
 
Carrier ethernet-services-the-future-public-multivendor1976
Carrier ethernet-services-the-future-public-multivendor1976Carrier ethernet-services-the-future-public-multivendor1976
Carrier ethernet-services-the-future-public-multivendor1976
 
MN County Broadband Profiles
MN County Broadband ProfilesMN County Broadband Profiles
MN County Broadband Profiles
 
Juniper innovations
Juniper innovationsJuniper innovations
Juniper innovations
 
Multiservices MPCs ( MS-MPCs) and Multiservices MICs (MS-MICs) CGNAT
Multiservices MPCs ( MS-MPCs) and Multiservices MICs (MS-MICs) CGNATMultiservices MPCs ( MS-MPCs) and Multiservices MICs (MS-MICs) CGNAT
Multiservices MPCs ( MS-MPCs) and Multiservices MICs (MS-MICs) CGNAT
 

Similar to Решения Mobile Backhaul и Mobile Backhaul Security

Carrier Ethernet Edge Switch
Carrier Ethernet Edge SwitchCarrier Ethernet Edge Switch
Carrier Ethernet Edge Switch
Moshe Elkobi
 
Evolucion redes troncales_convergentes
Evolucion redes troncales_convergentesEvolucion redes troncales_convergentes
Evolucion redes troncales_convergentes
TELECOM I+D
 
unified ran transport solution cisco-siae microelettronica interoperability_2...
unified ran transport solution cisco-siae microelettronica interoperability_2...unified ran transport solution cisco-siae microelettronica interoperability_2...
unified ran transport solution cisco-siae microelettronica interoperability_2...
Manojkumar371820
 
WiMAX & LTE Network Introduce For Swift
WiMAX & LTE Network Introduce For SwiftWiMAX & LTE Network Introduce For Swift
WiMAX & LTE Network Introduce For Swift
Gozie Lucas ubaozo
 
Banv meetup-contrail
Banv meetup-contrailBanv meetup-contrail
Banv meetup-contrail
nvirters
 

Similar to Решения Mobile Backhaul и Mobile Backhaul Security (20)

Cisco Unified Wireless Network and Converged access – Design session
Cisco Unified Wireless Network and Converged access – Design sessionCisco Unified Wireless Network and Converged access – Design session
Cisco Unified Wireless Network and Converged access – Design session
 
Carrier Ethernet Edge Switch
Carrier Ethernet Edge SwitchCarrier Ethernet Edge Switch
Carrier Ethernet Edge Switch
 
Router and Switches Cisco
Router and Switches CiscoRouter and Switches Cisco
Router and Switches Cisco
 
OVNC 2015-Enabling Software-Defined Transformation of Service Provider Networks
OVNC 2015-Enabling Software-Defined Transformation of Service Provider NetworksOVNC 2015-Enabling Software-Defined Transformation of Service Provider Networks
OVNC 2015-Enabling Software-Defined Transformation of Service Provider Networks
 
Alcatel Enterprise Switching Product Guide
Alcatel Enterprise Switching Product GuideAlcatel Enterprise Switching Product Guide
Alcatel Enterprise Switching Product Guide
 
Evolucion redes troncales_convergentes
Evolucion redes troncales_convergentesEvolucion redes troncales_convergentes
Evolucion redes troncales_convergentes
 
TechWiseTV Workshop: Cisco Catalyst 9800 Series Wireless Controller
TechWiseTV Workshop: Cisco Catalyst 9800 Series Wireless ControllerTechWiseTV Workshop: Cisco Catalyst 9800 Series Wireless Controller
TechWiseTV Workshop: Cisco Catalyst 9800 Series Wireless Controller
 
Introducing ACX Series and the Universal Access Solution
Introducing ACX Series and the Universal Access SolutionIntroducing ACX Series and the Universal Access Solution
Introducing ACX Series and the Universal Access Solution
 
Introducing ACX Series and the Universal Access Solution
Introducing ACX Series and the Universal Access Solution Introducing ACX Series and the Universal Access Solution
Introducing ACX Series and the Universal Access Solution
 
 Network Innovations Driving Business Transformation
 Network Innovations Driving Business Transformation Network Innovations Driving Business Transformation
 Network Innovations Driving Business Transformation
 
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
 
unified ran transport solution cisco-siae microelettronica interoperability_2...
unified ran transport solution cisco-siae microelettronica interoperability_2...unified ran transport solution cisco-siae microelettronica interoperability_2...
unified ran transport solution cisco-siae microelettronica interoperability_2...
 
Preparing Your Network for 802.11ac Wave 2
Preparing Your Network for 802.11ac Wave 2Preparing Your Network for 802.11ac Wave 2
Preparing Your Network for 802.11ac Wave 2
 
Preparing Your Network for Wave 2 of 802.11ac
Preparing Your Network for Wave 2 of 802.11acPreparing Your Network for Wave 2 of 802.11ac
Preparing Your Network for Wave 2 of 802.11ac
 
Building the SD-Branch using uCPE
Building the SD-Branch using uCPEBuilding the SD-Branch using uCPE
Building the SD-Branch using uCPE
 
Framework for the New IP - Phil O'Reilly
Framework for the New IP - Phil O'ReillyFramework for the New IP - Phil O'Reilly
Framework for the New IP - Phil O'Reilly
 
Avaya Networking Solution Overview
Avaya Networking Solution OverviewAvaya Networking Solution Overview
Avaya Networking Solution Overview
 
WiMAX & LTE Network Introduce For Swift
WiMAX & LTE Network Introduce For SwiftWiMAX & LTE Network Introduce For Swift
WiMAX & LTE Network Introduce For Swift
 
Banv meetup-contrail
Banv meetup-contrailBanv meetup-contrail
Banv meetup-contrail
 
Innovations in Mobility
Innovations in MobilityInnovations in Mobility
Innovations in Mobility
 

More from TERMILAB. Интернет - лаборатория

More from TERMILAB. Интернет - лаборатория (15)

УПРАВЛЕНИЕ ПРОЕКТАМИ – от задумки до внедрения
УПРАВЛЕНИЕ ПРОЕКТАМИ – от задумки до внедренияУПРАВЛЕНИЕ ПРОЕКТАМИ – от задумки до внедрения
УПРАВЛЕНИЕ ПРОЕКТАМИ – от задумки до внедрения
 
Стратегия Juniper в контексте Web 2.0
Стратегия Juniper в контексте Web 2.0Стратегия Juniper в контексте Web 2.0
Стратегия Juniper в контексте Web 2.0
 
Профессиональные сервисы для Центров Обработки Данных
Профессиональные сервисы для Центров Обработки Данных Профессиональные сервисы для Центров Обработки Данных
Профессиональные сервисы для Центров Обработки Данных
 
Professional Services в действии. Истории успеха
Professional Services в действии. Истории успеха Professional Services в действии. Истории успеха
Professional Services в действии. Истории успеха
 
Обзор продукта Juniper Secure Analytics
Обзор продукта Juniper Secure AnalyticsОбзор продукта Juniper Secure Analytics
Обзор продукта Juniper Secure Analytics
 
Управление сервисами дата-центра
Управление сервисами дата-центраУправление сервисами дата-центра
Управление сервисами дата-центра
 
VMware NSX и интеграция с продуктами Juniper
VMware NSX и интеграция с продуктами JuniperVMware NSX и интеграция с продуктами Juniper
VMware NSX и интеграция с продуктами Juniper
 
Решения NFV в контексте операторов связи
Решения NFV в контексте операторов связиРешения NFV в контексте операторов связи
Решения NFV в контексте операторов связи
 
NFV в сетях операторов связи
NFV в сетях операторов связиNFV в сетях операторов связи
NFV в сетях операторов связи
 
VMware NSX и интеграция с продуктами Juniper
VMware NSX и интеграция с  продуктами JuniperVMware NSX и интеграция с  продуктами Juniper
VMware NSX и интеграция с продуктами Juniper
 
Архитектура Метафабрика. Универсальный шлюз SDN.
Архитектура Метафабрика. Универсальный шлюз SDN.Архитектура Метафабрика. Универсальный шлюз SDN.
Архитектура Метафабрика. Универсальный шлюз SDN.
 
Технологии ЦОД. Virtual Chassis Fabric
Технологии ЦОД. Virtual Chassis FabricТехнологии ЦОД. Virtual Chassis Fabric
Технологии ЦОД. Virtual Chassis Fabric
 
Решения WANDL и NorthStar для операторов
Решения WANDL и NorthStar для операторовРешения WANDL и NorthStar для операторов
Решения WANDL и NorthStar для операторов
 
Жизненный цикл сети и сервисные предложения Juniper Networks
Жизненный цикл сети и сервисные предложения Juniper NetworksЖизненный цикл сети и сервисные предложения Juniper Networks
Жизненный цикл сети и сервисные предложения Juniper Networks
 
Обновление продуктовой линейки Juniper Networks. Маршрутизация. Коммутация. Б...
Обновление продуктовой линейки Juniper Networks. Маршрутизация. Коммутация. Б...Обновление продуктовой линейки Juniper Networks. Маршрутизация. Коммутация. Б...
Обновление продуктовой линейки Juniper Networks. Маршрутизация. Коммутация. Б...
 

Recently uploaded

The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 

Recently uploaded (20)

Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...

Mobile Backhaul and Mobile Backhaul Security Solutions

  • 1. Juniper Mobile Backhaul Solution and Mobile Security Juniper Partner Summit, Moscow, April 21, 2015 Denis Zotov EMEA CoE
  • 2. LSP Services Mobile Backbone Datacenters IP/Internet Universal Edge Universal Access Universal Access extends the intelligence from edge to access, creating a seamless end-to-end service delivery system, with scale and financial viability. Single OS Single control plane Seamless end-to-end service Operational simplicity and scale Residential Broadband Edge Introducing Universal Access Business Edge Mobile Edge ACX Service providers have traditionally deployed separate networks for business, residential and mobile customers Business Universal Edge MX 3D JUNOS SPACE End-to-end Service Provisioning, Troubleshooting, Performance Management Access and Aggregation Network
  • 3. 3 Copyright © 2013 Juniper Networks, Inc. www.juniper.net JUNIPER NETWORKS’ SOLUTION FOR UNIVERSAL ACCESS, AGGREGATION, EDGE Pre-Aggregation MX960 MX480 10GE Access ACX 4000 ACX 2x00 MX104 ACX500 Aggregation MX2010 MX2020 Edge TCA8x00 TCA6x00 SEAMLESS MPLS NETWORK TIMING 100GE MX240 MX80 ACX5048 ACX5096 ACX 1x00 vMX
  • 4. ACX2100 ACX-series ACX2000 ACX1100 ACX1000 ACX4000 ACX5048 ACX5096 • Juniper’s Universal Access router for mobile backhaul (LTE, 2G/3G), business Ethernet services and residential access • Complements Universal Edge • Fixed and modular platforms all running JUNOS • Integrated precision timing for highest QoE (IEEE1588v2, SyncE) • Embedded SLA packet generator (RFC 2544) • Hardened fan-less design • Support for POE++ (up to 65 W) • 10 Gig interfaces for converged access • Seamless MPLS provides most flexible service architecture • Extensive end-to-end network monitoring: Latency, jitter, OAM • Open system for innovation (JUNOS SDK and JVAE) • Satellite Node to MX/MX104 (Junos Node Unifier) THE NEW BENCHMARK FOR ACCESS NETWORKS ACX500 indoor ACX500 outdoor ACX2200
  • 6. Introducing the ACX500 family of Routers Highlights • Specifically designed to meet the SmallCell market deployment needs • Support Carrier Ethernet and MPLS Access • MEF CE2.0 Compliant • Line Rate on all ports • Scalable H-QoS support • IPSec support for secure transport over non-trusted backhaul • Built-in DHCP Server for Small Cells • Zero Touch Provisioning • Automated Configuration / Image download using Junos Space • Supports convergence of Wireline and Mobile Networks • Low Power consumption • Multiple product variants including support for POE/POE++ ACX500 Indoor ACX500 Outdoor
  • 7. ACX500 •2x 1GE (SFP) + 4x 1GE (Combo, 3x PoE+ support) •Temp. Hardened (-40 to +65 C), Passive cooling •10.7 in. (W) x 1.75 in. (H) x 11 in. (D) (TBD) •Advanced Timing – GPS receiver integration, GM capability •Advanced Security – IPSec, NAT, MacSec and TPM •Advanced SLA management – RFC2544, Y.1564, TWAMP • 3x 1GE (SFP) + 3x 1GE (Cu, PoE+ support) • IP65 compliant, Passive cooling, Power Budget: 45W • 9.47 in. (W) x 15.8 in. (H) x 5.6 in. (D) (TBD) • Advanced Timing - GPS receiver integration, GM capability • Advanced Security – IPSec, NAT, MacSec and TPM • Advanced SLA management – RFC2544, Y.1564, TWAMP ACX500 – INDOOR SKU ACX500-O & ACX500-O-POE - OUTDOOR SKUs
  • 8. ACX500 Indoor and Outdoor Variants / Licensing Variants Indoor (Avail Today) Outdoor (Avail-3Q15) AC - ACX500-O-AC DC - ACX500-O-DC AC with POE* ACX500-AC ACX500-O-POE-AC DC with POE* ACX500-DC ACX500-O-POE-DC Services Licensing Indoor ACX500-LIC-GPS ACX500 License for GPS Receiver ACX500-LIC-SEC ACX500 License for IPSec and NAT features Note: * 3 ports capable of supporting POE / POE++, max 80 Watts power across 1 or 3 ports combined
  • 9. ACX 500 Use Case - Smallcell Backhaul NAPT for Smallcell Traffic DHCP Server IPSec 1588v2 Grand Master WAN IP Static or DHCP ACX1100 EX2200c L2/L3 switch with PoE TCA6500 Timing client with Integrated GPS receiver GPS POE capable SmallCell Device Management IPSec Tunnel SmallCell Traffic with or without IPSec enabled POE capable NAPT for Smallcell Traffic DHCP Server IPSec 1588v2 Grand Master WAN IP Static or DHCP Integrated GPS GPS ACX500-O-POE (Outdoor) ACX500 (Indoor) Junos Space + Config Server OSS/BSS 1588v2 GM GPS Aggregation NW SEG (SmallCell) SEG (Dev Mgmt) Core Network CE PreAgg Avail. today Avail. 1H2015
  • 10. Field Area Network (FAN) • ACX500 is certified for the following standards required for utilities and railways • NEBS GR 3108 • IEEE 1613 • IEC 61850-3 • EN 50121 Substation NOC ACX500 IP/MPLS Network CTP150 Junos Space Juniper Routers: M Series MX Series SRX Series WLA632 Rugged Outdoor Wireless AP IED Surveillance Camera RTU PLC RTU PLC IED Private WAN T1/E1 T1/E1 Ethernet MPLS Edge Devices
  • 12. ACX5000 series ACX5048 • 48 x 1/10GbE SFP+ • 6 x 40GbE QSFP uplinks • 1.44 Tbps throughput • 1U fixed form factor ACX5096 • 96 x 1/10GbE SFP+ • 8 x 40GbE QSFP uplinks • 2.56 Tbps throughput • 2U fixed form factor E-LINE, E-LAN with full E-OAM, Comprehensive L2 Multicast Solution over IP/MPLS Infrastructure IP-VPN Services Reliable Networking: ISSU, MC-LAG, Flexible Virtual Chassis Deployments Sync: 1588 TC
  • 13. Introducing the ACX5000 family of Routers Highlights • Specifically designed to meet the Pre-Aggregation / CRAN market deployment needs • Support Carrier Ethernet and MPLS Access • MEF CE2.0 Compliant • Line Rate on all ports • Low Latency ~.6us • IPsec support for management • Supports convergence of Wireline and Mobile Networks • Built-in x86 processor supports Service Virtualization on a KVM-compliant Virtual Machine • High-Availability features like ISSU, MC-LAG, Virtual Chassis • Low Power consumption • 1588v2 Transparent Clock* ACX5048 ACX5096
  • 14. ACX5K VALUE PROPOSITION 1GE to 10GE Network and Service Migration High density & capacity 1GE/10GE Platform Graceful Migration From 1GE to 10GE Flexible Service Offerings Low Latency (Finance, Front-haul) MEF Services (ELINE, ELAN, E-Tree, ENNI) Ethernet OAM 802.3ah, 802.1ag, Y.1731 PM RFC2544 IP-VPN VM Architecture (Added Value Applications – Firewall, Analytics, User Defined Apps) Flexible Network Deployment Ethernet IP/MPLS High Availability and Scalable Networking JUNOS for building highly reliable and scalable networks G.8032, RSVP 1:1, FRR, BFD, IP LFA, PWE Red., VRRP ISSU, Virtual Chassis, MC-LAG Seamless MPLS Networking Solution
  • 15. ACX5000 APPLICATIONS – METROE AGGREGATION (BUSINESS) MetroE Aggregation (No Residential access) E-OAM, E-LINE/E-LAN (Ethernet and MPLS) High Capacity, IP-VPN/IP Support SP Market MSO
  • 16. ACX5000 APPLICATIONS – METROE CPE (BUSINESS) High Capacity CLE/CPE – EAD Device E-OAM, E-LINE/E-LAN (Ethernet and MPLS) High Capacity, IP-VPN/IP Support SP Market MSO
  • 17. Connectivity Services Director & Cross Platform Provisioning
  • 18. Service Lifecycle Management Service Design & Provisioning • Templates for service design and rapid provisioning Validation & Troubleshooting • Network performance and SLA assurance Service Decommissioning • Decommission and release service resources Resource Management • Maintain service inventory and resources Transport Provisioning - Design, provisioning, and deployment of static and dynamic P2P and P2MP and full mesh LSPs Network Service Provisioning - Provisioning, validation and troubleshooting of MPLS, L2/L3VPN, MEF and TDM/ATM services QoS Provisioning - Provisioning of QoS profiles for bandwidth management, traffic shaping and congestion management Sync Management - Configuration and management of PTP, SyncE and hybrid synchronization modes across the network Troubleshooting and Performance Monitoring – Service fault and performance management using Y.1731, CFM, LFM, BFD Key Requirements Service Lifecycle Management
  • 19. Evolution to Connectivity Services Director Junos Space Services Activation • Released in 2011 • Currently shipping R14.1 • Used in both, SP and Enterprise networks • Several live deployments in Tier-1 and Tier-2 networks • Common UI, no discrete apps • Usability improvements • Flexible Services • Service Troubleshooting • Service Performance monitoring • Graphical topology views • Chassis viewer • Path computation through Northstar • FRS – Q2 2015 Connectivity Services Director • Customer and Partner inputs • Cross BU collaboration • Code reuse • Agile development
  • 21. Services Types Easy access to customer list Service-specific tasks Overall status of services Improved search Services List Alarm summary
  • 22. Port-specific information Logical interfaces and details Port specific configlets
  • 23. CPP - High Level Architecture ALU 5620 SAM Junos Space EMS CPP Service Activation 1.0 E-LINE / E-LAN / L3VPN / IPTV L3VPN Services Carrier Ethernet Network REST API SOAP Webservices (SAM-O) Junos Space Platform Alcatel Lucent Hardware Juniper Hardware • Enhancements to Services Activation Director (Network Activate) to deploy and manage services in Space & ALU 5620 SAM • Uses Flex Services framework to design and provision services on Juniper and ALU devices • Uses SOAP API to manage ALU 5620 SAM services • Provides a script-driven approach to service template design for provisioning new services • Leverages Space platform features such as clustering, redundancy, etc. Solution Highlights Flex Services
  • 24. Device and Service Lifecycle Management CPP Modify operations (Device, Service) Bulk Service Changes (Device, Service) Service Migration (Port x to Port y) MODIFICATION Device Discovery Service Discovery DISCOVERY Golden template on device using device Configlets Service Provisioning ELINE, ELAN, L3VPN, Network Peering PROVISIONING Device Validation Scripts Device Troubleshooting OpScripts Service Troubleshooting OpScripts TROUBLESHOOTING 2 4 3 1
  • 26. What is Mobile Sec GW • Mobile Security GW is introduced to protect the availability and integrity of the mobile network • Protect the EPC by permitting sessions only from certified mobile base stations • Protect data integrity across the transport network • Secure the management plane traffic of the backhaul devices • What are the key functions • IKE/IPsec VPN termination (HA in some cases) from eNB directly to Mobile core (main) • Firewall, SCTP rate limiting, IPS, DDoS, etc. (optional) EPC
  • 27. Where are the threats Backhaul Network - UEs • Signalling storms (not directly malicious) • Signalling plane attacks • Access to EPC nodes • Participation in botnets • Access to exploitable carrier services such as DNS or NTP • Insecure physical locations giving easy access to backhaul network • Visibility of user information • IP access to backhaul nodes and EPC • Ethernet access could allow standard attack devices and tools to be used • Possible access to carrier services, e.g. DNS, NTP • Commonly shared or leased – not under operator control and inherently insecure • Risk of insertion points directly or via access to non-isolated backhaul • Clear avenue to EPC and rest of mobile network for attack
  • 28. Physical Deployment options MPLS 2G GSM /CDMA, 3G UMTS,4G LTE TDM, ATM/TDM, IP/Ethernet Small Cells SCG AAA PCRF Leased Sec-GW Sec-GW Sec-GW EPC Sec-GW • Many options to deploy Sec GW in a network; it can be in one or multiple types of locations. • Candidate platforms from Juniper: SRX and MX • Two common terms: ‘Centralised’ and ‘Distributed’ Security Gateway ‘Distributed’ SeGW ‘Centralised’ SeGW
  • 29. Variable SeGW functionality MME SGW/PGW eNodeB Different set of security functions can be enabled depending on where the Sec GW is located
  • 30. Other considerations: centralised vs distributed • Concentration of HW • Reduced HW Capex • Fewer nodes and sites • Competence concentration • Concentration of complexity • Easier to grow/match capacity without geographical aspects Centralized • Supports high traffic volume • Reducing transmission cost • Enables efficient X2 transport (Latency-critical functions) • Enables CPG distribution • Minimize effect of node failure • Fewer users per node • Less need for high-capacity SeGWs • Integrate SeGWs with IP router nodes • Similarities to fixed broadband network architectures Distributed Access Sites Aggregation Sites Core Sites
  • 31. SRX5800 SRX5400 SRX5600 Key Benefit: • Very mature and stable turnkey solution for end-to-end backhaul security in conjunction with NSN or Ericsson • Dynamic scaling provides pay-as-you-grow model up to 80Gbps (SRX5800) IMIX IPsec & stateful firewall • Stateful High Availability (HA) synchronises IPSec SAs, meaning minimal downtime in the event of a SeGW failure • Stateful SCTP inspection can be enabled to protect signalling plane • Full stateful firewall • Complete IPv6 support across IPSec, firewall, routing, and more • In-Service Software/Hardware upgrades (ISSU/ISHU) • JUNOS heritage functions (routing, QoS, commit confirmed, rollback) • Single RAN security (2G/3G/4G IP protection) Positioning SRX as SEGW
  • 32. MX104 as distributed Security gateway (MS-MIC) Key Benefit: • Satisfy X2 latency and performance requirements by pushing security functions into access layer • Use router-integrated SeGW concept to reduce CAPEX/OPEX • Reduced impact for node loss • Co-located access layer routing functions • Excellent IPSec performance (~3.5-4.5Gbps IPSec IMIX) in a small form factor unit • Additional security functions on MS-MIC if required (e.g. stateful firewall)
  • 33. Centralised MX as Security gateway (MS-MPC) MX960 MX480 MX240 Key Benefit: • Great performance for IPSec on MS-MPC (~27G for IPSec IMIX) • Leverage existing MXs within transport network to provide a transparent • Significantly reduced TCO • Router integrated solution allows flexibility in where to deploy across the backhaul network • Distributed BFD provides a super-fast inter-site failover design for dual tunnel topologies (becoming increasingly common) – negates the need for intra-site HA
  • 34. Use case - LTE-A deployment • There are stringent requirements for X2 latency for reliable LTE-A deployment • Solution: Deploy IPsec termination on the Aggr router or Pre-aggr router • Case-1: Only X2 traffic is terminated at the edge of the network for latency reasons; S1 is sent back to the central EPC • Case-2: All S1 and X2 traffic is terminated at the D-Sec-GW in a secured location • Allow communication from macro cell to EPC from certified eNBs, provide data integrity from eNBs to a secured location Pre-aggregation Aggregation/SecGW Core/C-SecGW MME SGW/PGW CSR CSR CSR eNB eNB eNB HSS
  • 35. Use case - Small Cell deployment Small Cell Small Cell Small Cell MME SGW/PGW eNodeB Small Cell Home GW X2 S1 S1u S1 S1 X2 H Macro Backhaul S1c Signaling, OAM, Data Small/Pico/Femto Backhaul Sec-GW Sec-GW(optional) Session termination at the same location as the small cell GW to • Reduce IPsec overhead to the central site • Achieve low X2 latency • Better network-level IPsec scale If encryption is required from SmallCell GW site to EPC, then all traffic can be aggregated and transferred to EPC. Benefit: • Improve overall network-level tunnel scale H H H
  • 36. Summary - Router-integrated Mobile Sec GW – Security is an integral part of the Mobile Backhaul solution, and MX is a critical element of Juniper’s Mobile Backhaul solution offering; – Router-integrated SecGW simplifies the Mobile Backhaul solution and also gives great flexibility in Sec GW deployment; it can be deployed in any part of the Mobile Backhaul network with any MX platform with add-on services and IPsec security – CAPEX saving: allows the provider to leverage the current MX platforms in the network, or to get new Mobile Backhaul infra with add-on SecGW function; – Non-intrusive security introduction plan: no change is required in the current network design – A small step into the big future: IPsec security is the first step of the distributed Mobile service vision – Router-integrated solution also completes the toolkit (in addition to what Juniper’s winning product SRX can offer) which the operator needs to secure the Mobile network;
  • 37. Juniper Mobile Backhaul Value Proposition End-to-End Solution Cell site to core routing Embedded timing and synchronization Strategic Partnerships Operationally Efficient Zero-touch Junos Space Seamless MPLS Performance and Flexibility Industry leading throughput 1/10/40/100 GE, TDM interfaces POE++ Resilient Environmentally hardened Fanless design Carrier-grade Junos operating system Evolving SDN enabled NFV Integrated Security Gateway capabilities