The Juniper Networks Cloud Customer premises equipment (CPE) and SD-WAN solutions use the Contrail Service Orchestration (CSO) to transform traditional branch networks, offering opportunities for high flexibility of the network, rapid introduction of new services, automation of network administration, and cost savings. The solutions can be implemented by service providers for their customers or by Enterprise IT departments in a campus and branch environment. In this documentation, service providers and Enterprise IT departments are called service providers, and the consumers of their services are called customers. The Cloud CPE solution supports both Juniper Networks and third-party virtualized network functions (VNFs) that network providers use to create network services. The following deployment models are available:

• Cloud CPE Centralized Deployment Model (centralized deployment). In the centralized deployment, customers access network services in a service provider’s cloud. Sites that access network services in this way are called service edge sites in this documentation.
• Cloud CPE Distributed Deployment Model (distributed deployment), also known as a hybrid WAN deployment. In the distributed deployment, customers access network services on a CPE device, located at a customer’s site. These sites are called on-premise sites in this documentation.
• A combined centralized and distributed deployment. In this deployment, the network contains both service edge sites and on-premise sites. A customer can have both cloud sites and tenant sites; however, you cannot share a network service between the centralized and distributed deployments. If you require the same network service for the centralized deployment and the distributed deployment, you must create two identical network services with different names.

You must consider several issues when choosing whether to employ one or both types of deployment. The centralized deployment offers a fast migration route and this deployment is the recommended model for sites that can accommodate network services—particularly security services—in the cloud. In contrast, the distributed deployment supports private hosting of network services on a CPE device at a customer’s site and can be extended to offer software-defined wide area networking (SD-WAN) capabilities. Implementing a combination network in which some sites use the centralized deployment and some sites use the distributed deployment provides appropriate access for different sites. The SD-WAN solution offers a flexible and automated way to route traffic through the cloud. Similar to a distributed deployment, this implementation uses CPE devices located at on-premise sites to connect to the LAN segments. Hub-and-spoke and full mesh topologies are supported. The CSO software uses SD-WAN policies and service-level agreement measurements to differentiate and route traffic for different applications. One CSO installation can support a combined centralized and distributed deployment and an SD-WAN solution simultaneously. The same set of CPE devices can be used for the distributed deployment and the SD-WAN solution. Alternatively, you can implement only the deployments that you need. You can either use the solutions as turnkey implementations or connect to other operational support and business support systems (OSS/BSS) through northbound Representational State Transfer (REST) APIs.

Virtualized, full-featured, carrier-grade router is ideal for NFV environments, rapid service introduction, and cost-effective service scale-out.

virtual MX (vMX)

Виртуализированный полнофункциональный маршрутизатор операторского уровня идеально подходит для сред NFV, быстрого внедрения услуг и экономически эффективного масштабирования услуг.

MX5

Compact 40 Gbps router is software-upgradable through 160 Gbps of system capacity; ideal for enterprise applications as well as space- and power-constrained service provider facilities.

MX10

Compact 80 Gbps router is software-upgradable through 160 Gbps of system capacity; ideal for enterprise applications as well as space- and power-constrained service provider facilities.

MX40

Compact 120 Gbps router is software-upgradable through 160 Gbps of system capacity; ideal for enterprise applications as well as space- and power-constrained service provider facilities.

MX80

Compact 160 Gbps router is ideal for enterprise applications as well as space- and power-constrained service provider facilities.

MX104

Versatile 160 Gbps router offers a high level of redundancy; optimized for mobile backhaul, metro Ethernet, aggregation, and enterprise WAN applications.

MX150

The compact MX150 is a high-performance, feature-rich edge router that is ideally suited for lower bandwidth service provider and enterprise applications.

MX204

A compact multiservices router, the MX204 delivers ultra-high density in a 1 U power-efficient form factor to address the widest variety of service provider, mobile, data center, and cloud applications.

MX240

Modular router offers up to 3 Tbps of system capacity and embedded MACsec and IPsec encryption in a compact form factor; optimized for cloud, campus, enterprise, data center, service provider edge, cable, and mobile service core deployments.

MX480

Modular router delivers up to 9 Tbps of system capacity and embedded MACsec and IPsec encryption for cloud, campus, enterprise, data center, service provider edge, cable, and mobile service core deployments.

MX960

Modular router delivers up to 12 Tbps of system capacity and embedded MACsec and IPsec encryption for large cloud, data center, service provider, cable, and mobile service core deployments.

MX2008

40-Tbps modular, space-optimized carrier-grade router that provides ultra-high-density 10GbE, 40GbE, and 100GbE interfaces to help network operators efficiently address edge and core applications.

MX2010

40-Tbps modular carrier-grade router that provides ultra-high-density 10GbE, 40GbE, and 100GbE interfaces to help network operators efficiently address edge and core applications.

MX2020

80-Tbps carrier-grade router that provides ultra-high-density 10GbE, 40GbE, and 100GbE interfaces to help network operators efficiently address edge and core applications.

MX10003

Compact universal routing platform with ultra-high system capacity and interface density for long-term investment protection.

MX10008 и MX10016

Space- and power-optimized routing platforms with innovative universal chassis design deliver superior performance, versatility, and capacity.

 

Features:

Service Agility

Supports broadest range of business, residential, infrastructure, and enterprise applications and services.

Best-in-Class Architecture

A highly redundant platform powered by Junos OS, the MX Series offers always-on reliability and high performance at massive scale.

SDN Enabled

Seamless integration with standard-based SDN controllers such as the Contrail Cloud Platform makes the MX Series platform an SDN gateway between physical and virtual network elements.

Service Integration

Integrates a wide set of services—including carrier-grade NAT (CGNAT), stateful firewall, and deep packet inspection (DPI)—to address the widest range of applications and support network and service consolidation.

Physical and Virtual, with No Compromise

Consistent feature set across physical and virtual MX Series platforms ensures operational and service consistency.

Long-Term Investment Protection

Offers future-proof scale for long-term growth as well as investment protecting upgrade paths for existing MX Series customers.

Juniper MX2020 — универсальная платформа маршрутизации с поддержкой SDN. Обеспечивается общая пропускная способность системы на уровне 80 Тбит/с. Поддерживается до 800 интерфейсов 100GbE, 320 портов 200GbE или 160 — 400GbE в одном шасси при использовании с линейной картой Modular Port Concentrator 11E (MPC11E). Высокая производительность и плотность делают MX2020 подходящим решением для широкого спектра задач, включая работу любых корпоративных приложений, построение виртуальных частных сетей или SDN-сетей. Подходит для использования в крупных дата-центрах и сетях операторов связи. MX2020 поддерживает сложные функции синхронизации и виртуализации, которые соответствуют строгим требованиям мобильных сервисов. MX2020 обеспечивает высочайший уровень доступности сети и полный набор функций отказоустойчивости, которые включают в себя резервирование фабрики коммутации, модуля уровня управления, источников питания и т.д. Кроме того, технология виртуального шасси поддерживает резервирование на уровне целой платформы, позволяя управлять двумя маршрутизаторами как одним устройством. Характеристики:
Класс - Операторский
Высота шасси - 45U
Кол-во линейных карт - 20
Производительность сетевых интерфейсов, Гбит/с - 1-400
Максимальная производительность системы, Тбит/с - 80
Резервирование основных компонент - Фабрика коммутации, процессор, источники питания
Гарантия от производителя (макс.) - 3 года

Stateful signature The IDP rulebase attack object signatures are bound to protocol context. As a result, this detection method produces few false positives. Protocol anomaly The IDP rulebase attack objects detect protocol usages that violate published RFCs. This method protects your network from undiscovered vulnerabilities. Traffic anomaly The Traffic Anomalies rulebase uses heuristic rules to detect unexpected traffic patterns that might indicate reconnaissance or attacks. This method blocks distributed denial-of-service (DDoS) attacks and prevents reconnaissance activities. Backdoor The Backdoor rulebase uses heuristic-based anomalous traffic patterns and packet analysis to detect Trojans and rootkits. These methods prevent proliferation of malware in case other security measures have been compromised. IP spoofing The IDP appliance checks the validity of allowed addresses inside and outside the network, permitting only authentic traffic and blocking traffic with a disguised source. Layer 2 attacks The IDP appliance prevents Layer 2 attacks using rules for Address Resolution Protocol (ARP) tables, fragment handling, connection timeouts, and byte/length thresholds for packets. These methods prevent a compromised host from polluting an internal network using methods such as ARP cache poisoning. Denial of service (DoS) The SYN Protector rulebase provides two, alternative methods to prevent SYN-flood attacks. Network honeypot The IDP appliance impersonates vulnerable ports so you can track attacker reconnaissance activity.

The Juniper Networks JSA7500 Secure Analytics Appliance is an essential weapon in battling cyber crime on a global scale. It’s an enterprise- and carrier-class appliance that collects and correlates events and flows, providing a scalable SIEM solution for large, globally deployed organizations. It consolidates security events collected from the thousands of network devices, endpoints, and applications distributed throughout your network. Through big data analysis, it distills that information into an actionable list of offenses that helps to detect anomalies, uncover advanced threats, and prioritize security incidents. The JSA7500 can process up to 35,000 events per second (eps) and 1.2 million flows per minute, enabling security analysts to understand in real time what’s occurring in their globally distributed IT infrastructure and helping to thwart malicious activities before they can cause damage.

• End-to-End Visibility and Detection. Detects an end-host’s visit to a potentially malicious site that correlates with a potential indicator of an upcoming cyber attack.
• Incidence Response and Forensics. Effectively discovers, monitors, tracks, and distills security incidents to stop cyber attacks before they occur.
• Regulatory Compliance. Provides collection, correlation, and reporting on compliance-related activity to meet strict regulatory mandates.
• Dashboard Reporting. Provides graph and dashboard reporting on event data.
• Flow Detection. Enables taking proactive action(s) against security threats with flow detection.
• Powerful Analytics Engine. Uses analytics engine to detect violations and anomalies.
• High Capacity. Supports up to 35,000 eps per event processor.
• Event Processor Support. Supports up to 250 event processors per console.

Available on all SRX platforms, our security services reduce the attack surface in real-time and stop cyber criminals before they can breach your organization’s defenses. Identifying Application Risks Juniper AppSecure, an NFGW Services component, is a suite of services that provides deep application visibility and control in your network:

• AppTrack identifies applications on the network to assess their security risk and address user behavior. Contextual information helps you gain insight into which applications are permitted and the risk they may pose.
• AppFW provides policy-based enforcement and control, blocking access to high-risk applications and enforcing user-defined policies. Reports on application bandwidth usage deliver further insight, and you can throttle any application traffic not sanctioned by the enterprise.

Protection from Network Borne Attacks Juniper Intrusion Prevention System (IPS) and Sky Advanced Threat Prevention (ATP) work together to provide comprehensive threat detection and protection against known and unknown threats that use the network as an attack vector. The capabilities provide immediate protection from malicious malware. Continual monitoring for new exploits and vulnerabilities keeps protection up to date. The system immediately blocks threats on client and server systems inline before damage can take place. Safeguards Against Malware Although modern cyber criminals favor today’s sophisticated, turnkey techniques, they have not abandoned the tried and true approach of tucking malware into signature-based viruses and volume-based email. Integrated with our SRX platforms, Sophos Live Protection combines cloud-based reputation intelligence with on-box horsepower to deliver lightweight and fast security. Web Browsing Defense The Web is full of deception designed to get unsuspecting users to click on malicious links that might install advanced malware. Attackers regularly compromise websites by tricking users into providing their user credentials. Juniper has partnered with Forcepoint to provide URL filtering that fights such attacks. The service is constantly and globally updated in real time to provide an always-current worldwide database of malicious URLs that protect against user compromise. Avoiding Unauthorized Access and Use Every user in an enterprise must be able to access certain applications to perform specific tasks. But allowing users unlimited access to corporate resources outside their sphere of responsibility can enable the proliferation of insider threats. Our User Firewall service restricts application usage on a per-user basis by tightly integrating with Microsoft Active Directory (AD) and the Lightweight Directory Access Protocol (LDAP). As a result, you gain visibility and control of application and network use segmented by user-defined roles, enabling secure access to authorized applications. Features Advanced Application Visibility and Control You can identify applications running on your network regardless of port, protocol, and encryption. This visibility lets you immediately block evasive applications inline at the SRX firewall. Nested Application Support You can accurately identify applications embedded in common network protocols such as HTTP or HTTPS traffic. This capability also provides visibility into and granular control over applications hidden inside encrypted SSL traffic. User and Role-Based Policies Tight integration with Microsoft AD and LDAP allow you to set and enforce user- and role-based security policies. Policy setting becomes simpler and more secure, because you reduce the number of policies needed to account for user location, IP address, and so on. SSL Inspection Inline decryption and inspection of inbound and outbound Secure Sockets Layer (SSL) connections at the SRX firewall provide visibility and protection against threats embedded in SSL encrypted traffic. Junos OS Integration Integration with Juniper’s operating system consolidates and optimizes services on SRX devices for maximum scale.

QFX5100 The QFX5100 Switches are low-latency, high-performance 10GbE/40GbE switches that act as a flexible building block for multiple data center fabric architectures. QFX5200 QFX5200 fixed-configuration switches offer flexible connectivity options, from 10GbE to 100GbE, making them ideally suited for leaf deployments in next-generation IP data center fabrics. QFX10000 The QFX10000 Switches are highly scalable, high-density platforms that support a variety of 10GbE/40GbE/100GbE deployments, providing a robust foundation for the most demanding data centers. High performance, low latency With throughput of up to 6 Tbps per slot, QFX Series switches deliver sustained wire-speed switching with low latency and jitter for virtualized data center environments. Highly available Redundant fabrics, power and cooling, combined with separate control and data planes, ensure maximum system availability. Data center fabric building blocks QFX Series switches provide the universal building blocks for multiple data center fabric architectures, including Junos Fusion, QFabric System, Virtual Chassis and Virtual Chassis Fabric. Standards-based Standards-based bridging, routing, VMware NSX Layer 2 gateway, and Fibre Channel technology enable interoperability and easy integration.

The QFabric® System is composed of multiple components working together as a single switch. It flattens the network to a single tier to provide high-performance, any-to-any connectivity and management simplicity, making it the ideal network foundation for cloud-ready, virtualized data centers. The QFabric System is composed of multiple components working together as a single switch to provide high-performance, any-to-any connectivity and management simplicity in the data center. The QFabric System flattens the entire data center network to a single tier where all access points are equal, eliminating the effects of network locality and making it the ideal network foundation for cloud-ready, virtualized data centers. QFabric is a highly scalable system that improves application performance with low latency and converged services in a non-blocking, lossless architecture that supports Layer 2, Layer 3, and Fibre Channel over Ethernet capabilities. Distributed switch composed of three components: QFX3500/QFX3600/QFX5100 QFabric Node QFX3600-I/QFX3008-I QFabric Interconnect QFX3100 QFabric Director Features Scales to 40 Tbps to deliver unprecedented capacity beyond 10GbE at the access layer. Ultra-low Deterministic Latency is ideal for supporting latency-sensitive applications, east-west traffic flows, virtualization, cloud, and other high-performance data center initiatives. Single-Switch Management greatly simplifies data center operations with less complexity and lower power, space, cooling, and operational costs. Carrier-Class Solution requires no downtime for reconfiguration or maintenance. Scales to Thousands of Ports within a single-tier network in a "pay-as-you-grow" model. Incremental Design allows conversion of QFX Series switches from top-of-rack to QFabric devices. QFabric System Models QFX3000-M  QFX3000-G