Solution Architecture
The solution for advanced enterprise WAN services illustrates the network modernization journey from a legacy MPLS service to an advanced architecture with SR as the underlay and EVPN protocols used for any type of connection (L2, point-to-point, multipoint-to-multipoint, unicast) between enterprise campuses, branches, and data center locations. A crucial aspect of the overall solution is the flexibility to support heterogeneous architectures within the same validated design. The following sections outline the architectural and design decisions for:
- The underlay layer
- The overlay service layer
- The security layer
Underlay Layer
The transport layer of the enterprise WAN network is designed using various protocols and technologies. The transport MPLS underlay layer includes SR-OSPF, SR-LDP mapping, and TI-LFA technologies. The route reflector (RR) uses iBGP, which ensures efficient and optimal use of network resources. Additionally, BFD-triggered FRR offers quick and reliable failover in the event of unexpected outages or disruptions. BGP Prefix-Independent Convergence (PIC) Edge is enabled on all routing nodes with the “routing-options protect core” configuration stanza and provides active-backup protection for traffic flows of the global routing instance. Moreover, BGP Multipath with the allow-protection option (“protocols bgp multipath allow-protection” in the router configuration) enhances network resiliency by providing ECMP with N+1 backup protection, further ensuring efficient and reliable operation of the transport layer. Overall, the transport layer in the enterprise WAN network is designed to facilitate secure and efficient transfer of data across the network while ensuring optimal utilization of network resources and providing reliable failover mechanisms.
Overlay Services Layer
The overlay services layer in the enterprise WAN network comprises three distinct service types. The first is the L2 services, including EVPN LAN and EVPN-VPWS with or without flexible cross connect (FXC). The proposed architecture facilitates the deployment of both single homed and multihomed customer edge (CE) to WAN Edge connectivity for all service types. To ensure service continuity monitoring and control functionality, the connectivity fault management (CFM) protocol can be used alongside the embedded EVPN control plane, to monitor service continuity between WAN Edge nodes per VPN instance.
Overall, the overlay services layer design in the Enterprise WAN network allows for a flexible, reliable, and efficient transfer of data, while ensuring easy access and connectivity management across all service types. The architecture supports various CE to WAN-Edge connectivity scenarios and enables effective monitoring and control of service continuity using the CFM protocol, ensuring optimal network performance. In the suggested network architecture, CFM is used in conjunction with all single homed point-to-point EVPN-VPWS services.
Figure 3 outlines some details of the network services architecture proposed for establishing Layer 3 connectivity over the WAN between CE nodes and the enterprise network.
The traditionally used Layer 3 VPN service for Layer 3 connectivity across the WAN infrastructure is replaced in this solution with EVPN Type 5 service routes, where every WAN Edge node EVPN instance is additionally configured with an integrated routing and bridging (IRB) interface acting as the default gateway for the WAN Edge. Dynamic routing requirements (outside the scope of validation) necessitate the use of eBGP or an IGP to exchange routes between the branch CE routers and adjacent WAN Edge nodes. For static routing deployments, adjacent pairs of WAN Edge routers are configured with the IP Virtual Gateway function, enabling dual homing for these deployments and replacing the VRRP that would be used in the equivalent L3VPN scenario.
The following snippets show sample configurations used for the IP Virtual Gateway on an MX (Junos OS) router and an ACX (Junos OS Evolved) router.
Configuration example of the IP Virtual Gateway function with EVPN Type 5 routes and IRB on an MX series router (WAN Edge 1, MX304 in the test bed topology of the JVD):

interfaces {
    irb {
        unit 1851 {
            virtual-gateway-accept-data;
            family inet {
                address 172.21.1.1/24 {
                    virtual-gateway-address 172.21.1.3;
                }
            }
            virtual-gateway-v4-mac 00:66:66:66:66:02;
        }
    }
}
routing-instances {
    emh_group_400_1851 {
        instance-type evpn;
        protocols {
            evpn {
                no-normalization;
                encapsulation mpls;
                default-gateway do-not-advertise;
            }
        }
        vlan-id none;
        routing-interface irb.1851;
        interface ae0.1851;
        route-distinguisher 22.22.22.22:1851;
        vrf-target target:60525:1851;
    }
}

Configuration example of the IP Virtual Gateway function with EVPN Type 5 routes and IRB on an ACX series router (WAN Edge 3, ACX7509 in the test bed topology of the JVD):

interfaces {
    irb {
        unit 1851 {
            virtual-gateway-accept-data;
            family inet {
                address 172.23.1.1/24 {
                    virtual-gateway-address 172.23.1.3;
                }
            }
            virtual-gateway-v4-mac 00:66:66:66:66:01;
        }
    }
}
routing-instances {
    emh_group_400_1851 {
        instance-type mac-vrf;
        protocols {
            evpn {
                encapsulation mpls;
                default-gateway do-not-advertise;
                no-control-word;
            }
        }
        service-type vlan-based;
        route-distinguisher 44.44.44.44:1851;
        vrf-target target:60525:1851;
        vlans {
            mvbased_1851 {
                vlan-id 1851;
                interface ae0.1851;
                l3-interface irb.1851;
            }
        }
    }
}
Thus, the EVPN protocol serves as a unified mechanism to enable all types of connectivity (L2 or L3, point-to-point or multipoint, single or dual homed) over the enterprise WAN infrastructure.
Security Layer
The security layer is represented by MACsec and DDoS protection.
The DDoS protection function allows other network security systems to communicate with the WAN Edge nodes using the BGP flow specification (as outlined in RFC 8955), enabling the dynamic installation of routing policies into the global routing table of the routing node. For example, Juniper Networks routers can be integrated as part of the DDoS solution with third-party systems like Corero and Netscout (formerly Arbor).
During the validation effort, the focus is on ensuring that the DDoS function can consistently be used across different flavors of the MX and ACX routers using Junos OS and Junos OS Evolved network operating systems. We don’t go into the specifics of a particular integration in this validation process, but instead focus on ensuring that the DDoS function is integrated accurately and consistently.
The security layer also includes MACsec, providing L2 encryption for traffic traversing the WAN between the CE and WAN Edge nodes. This encryption ensures that the data is protected and secured, preventing unauthorized access.
To demonstrate the effectiveness of the security layer, a simple stateless firewall filter is installed into the MX304 DUT, illustrating the ability of the solution to protect against potential security breaches and other security-related issues. Overall, the security layer is designed to provide a secure, resilient, and scalable solution, ensuring safety and integrity of the data transiting through the WAN infrastructure.
The following snippet shows that the filters are installed with an accept action. The “policer” and “reject” actions are validated as well.
egress@jvd-awan-mx304-e# show routing-options | display set
… truncated …
set routing-options flow route source_ip match source 172.16.1.2/32
set routing-options flow route source_ip then accept
set routing-options flow route dest_ip match destination 172.17.2.2/32
set routing-options flow route dest_ip then accept
set routing-options flow route proto_tcp_source_port_match match protocol tcp
set routing-options flow route proto_tcp_source_port_match match source-port 65071
set routing-options flow route proto_tcp_source_port_match then accept
set routing-options flow route proto_tcp_dest_port_match match protocol tcp
set routing-options flow route proto_tcp_dest_port_match match destination-port 80
set routing-options flow route proto_tcp_dest_port_match then accept
set routing-options flow route descp_match match dscp 10
set routing-options flow route descp_match match source 172.21.1.2/32
set routing-options flow route descp_match then accept
set routing-options flow route icmp_match match protocol icmp
set routing-options flow route icmp_match match source 172.22.1.2/32
set routing-options flow route icmp_match match icmp-code 1
set routing-options flow route icmp_match match icmp-type 8
set routing-options flow route icmp_match then accept
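Before a flowspec rule set like the one above is pushed to the WAN Edge, it helps to check offline which flow routes a given packet would satisfy. The following Python is an added example, not part of the JVD or of Junos: it parses the “set routing-options flow route” syntax shown above into match terms and actions and evaluates constructed packets against them. The udp_flood_block rule and the packet values are constructed, and precedence between overlapping routes (RFC 8955 section 5.1) is deliberately not modelled; every route whose terms all hold is reported.

```python
import ipaddress
# Constructed sample in the "set routing-options flow route" syntax of the JVD
# snippet; udp_flood_block is a constructed discard rule, the rest reuse page values.
FLOW_ROUTE_CONFIG = """
set routing-options flow route proto_tcp_dest_port_match match protocol tcp
set routing-options flow route proto_tcp_dest_port_match match destination-port 80
set routing-options flow route proto_tcp_dest_port_match then accept
set routing-options flow route icmp_match match protocol icmp
set routing-options flow route icmp_match match source 172.22.1.2/32
set routing-options flow route icmp_match match icmp-type 8
set routing-options flow route icmp_match then accept
set routing-options flow route udp_flood_block match protocol udp
set routing-options flow route udp_flood_block match destination-port 53
set routing-options flow route udp_flood_block then discard
"""

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
PACKET_FIELD = {  # Junos match keyword -> field name in the packet dicts below
    "protocol": "proto", "source-port": "sport", "destination-port": "dport",
    "dscp": "dscp", "icmp-type": "icmp_type", "icmp-code": "icmp_code"}

def parse_flow_routes(config):
    """Return {route_name: {"match": {keyword: value}, "action": str}}."""
    routes = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:4] != ["set", "routing-options", "flow", "route"]:
            raise ValueError("not a flow route statement: " + line)
        entry = routes.setdefault(tok[4], {"match": {}, "action": None})
        if tok[5] == "match":
            entry["match"][tok[6]] = tok[7]
        elif tok[5] == "then":
            entry["action"] = tok[6]
    return routes

def term_matches(keyword, value, pkt):
    """True when a single match term holds for pkt (a dict of header fields)."""
    if keyword in ("source", "destination"):
        addr = pkt["src" if keyword == "source" else "dst"]
        return ipaddress.ip_address(addr) in ipaddress.ip_network(value)
    field = PACKET_FIELD[keyword]
    if field not in pkt:  # e.g. icmp-type evaluated against a TCP packet
        return False
    wanted = PROTO_NUMBERS.get(value, value) if keyword == "protocol" else value
    return pkt[field] == int(wanted)

def matching_routes(routes, pkt):
    """{name: action} for every route whose match terms all hold for pkt."""
    return {name: r["action"] for name, r in routes.items()
            if all(term_matches(k, v, pkt) for k, v in r["match"].items())}
```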
MACsec is used in this topology to encrypt and guarantee data integrity on core links between WAN Edge and P nodes in the topology.