Juniper Mist Takes On SD-WAN
Partner Update


Written by: Allyn Crowe, Senior Security Engineer
Connect with Allyn on LinkedIn
Learn more about Nexum and Juniper’s partnership

Nexum, Inc.’s technology partner Juniper recently announced it was adding support for the Session Smart Routing (SSR) product line to its Mist portal. But beyond including another part of the Juniper family in the portal, why is this a big deal? How does it help clients who may just be getting started with their Mist journey, and how does it help clients operate their network more efficiently in the long run? I’ll try not to get too deep in the technical weeds for this post; however, please reach out to me if you’d like to discuss this further, and we’ll set up a time to dive in.

What Is an SSR?

About a year ago, Juniper acquired a company called 128T that focused on Software-Defined Wide Area Network (SD-WAN) but did it differently. Rather than being tunnel-based, as most SD-WAN solutions are, 128T is session-based.

Traditional SD-WAN uses tunnels, usually IP security (IPsec) or Generic Routing Encapsulation (GRE), to abstract the underlying physical connectivity between locations from the overlay network. For example, a branch office may have a multiprotocol label switching (MPLS) WAN link and an internet WAN link. A tunnel-based SD-WAN solution builds tunnels across those links to other destinations (your datacenters, other branches, or cloud environments), abstracting the physical links. Instead of forwarding based on next-hop or specific destination addresses, the router pushes traffic into a tunnel based on criteria set by the administrator. These criteria can be link-related (latency, jitter, etc.) or business-related (voice goes over MPLS first).

In contrast, 128T’s session-based approach uses secure vector routing (SVR). SVR is a routing architecture that lets the network differentiate how it delivers applications and services. It replaces tunnel-based systems with distributed control, service-focused routing, and in-band session-based signaling. The first packet of a session creates an end-to-end path across the network. This path consists of waypoints that reside on SVR routers, with metadata injected into the first packet of the session to signal the session details. The first return packet is processed the same way to ensure path symmetry. In plainer English: when a new voice call starts, the router tags the first packet with the session details and uses SVR to direct the flow to the destination. Each subsequent packet in the session follows the same path, in both directions.
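To make the mechanism concrete, here is a toy model of session-oriented forwarding written for this post. It is an added illustration, not Juniper’s or 128T’s code: two routers classify the first packet of a flow against a service table, apply a per-session allow/deny policy, pick a WAN link from an ordered preference list filtered by measured loss, tag only that first packet with in-band metadata, and pin both directions of the 5-tuple so the return flow takes the same link. The service names, loss figures and packets are all constructed.

```python
"""Toy model of session-oriented forwarding with in-band first-packet
signaling and path symmetry. An illustrative simplification written for
this post; it is not Juniper's SSR/128T code, and the service table, link
metrics and packets below are all constructed."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    # Session metadata rides in-band on the first packet of a session only;
    # later packets of the same session carry none.
    metadata: Optional[dict] = None

    def key(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_key(self):
        return (self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    dport: int
    allowed: bool        # per-session policy: is this service permitted?
    preferred: tuple     # business criterion: ordered link preference
    max_loss_pct: float  # link criterion: skip a link above this loss


# Constructed (hypothetical) service table shared by both routers
SERVICES = (
    Service("voice", "udp", 5060, True, ("mpls", "internet"), 1.0),
    Service("web", "tcp", 443, True, ("internet", "mpls"), 5.0),
    Service("telnet", "tcp", 23, False, (), 0.0),
)


class SessionRouter:
    def __init__(self, name, link_loss_pct, services=SERVICES):
        self.name = name
        self.link_loss_pct = dict(link_loss_pct)  # measured loss per WAN link
        self.services = services
        self.sessions = {}   # 5-tuple -> WAN link, installed for both directions
        self.next_id = 1

    def _classify(self, pkt):
        return next((s for s in self.services
                     if s.proto == pkt.proto and s.dport == pkt.dport), None)

    def _select_link(self, svc):
        for link in svc.preferred:
            if self.link_loss_pct.get(link, 100.0) <= svc.max_loss_pct:
                return link
        return None

    def _pin(self, pkt, link):
        # Pin forward and reverse 5-tuples so the return flow is symmetric
        self.sessions[pkt.key()] = link
        self.sessions[pkt.reverse_key()] = link

    def send(self, pkt):
        """Packet from the LAN side. Returns (link, packet) or (None, reason)."""
        link = self.sessions.get(pkt.key())
        if link is not None:                      # mid-session: follow the pinned path
            return link, replace(pkt, metadata=None)
        svc = self._classify(pkt)
        if svc is None or not svc.allowed:        # policy is enforced per session
            return None, "denied"
        link = self._select_link(svc)
        if link is None:
            return None, "no usable path"
        self._pin(pkt, link)
        meta = {"service": svc.name, "session": self.next_id}  # first-packet signaling
        self.next_id += 1
        return link, replace(pkt, metadata=meta)

    def receive(self, pkt, arrived_on):
        """Packet from a WAN link. Returns (delivered, packet) or (False, reason)."""
        if pkt.key() in self.sessions:            # known session: just strip metadata
            return True, replace(pkt, metadata=None)
        if pkt.metadata is None:                  # no session and no signaling: drop
            return False, "unknown session"
        self._pin(pkt, arrived_on)                # learn the session from the first packet
        return True, replace(pkt, metadata=None)


if __name__ == "__main__":
    branch = SessionRouter("branch", {"mpls": 0.2, "internet": 2.0})
    hub = SessionRouter("hub", {"mpls": 0.2, "internet": 2.0})
    call = Packet("10.1.0.10", "10.9.0.5", "udp", 40000, 5060)
    link, first = branch.send(call)            # first packet: tagged, pinned to mpls
    hub.receive(first, link)                   # hub learns the session from the tag
    reply = Packet("10.9.0.5", "10.1.0.10", "udp", 5060, 40000)
    print(link, first.metadata, hub.send(reply)[0])
```

Note what the model leaves out: a real SVR deployment also authenticates and encrypts between waypoints, and the hub would only trust first-packet metadata from a peer it has authenticated. The `receive` method here accepts any tagged packet, which is exactly the spot where that check belongs.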

Tunnels: The Bad and the Bad

Tunnels seem to make life easier, and most modern SD-WAN solutions adapt to changing network conditions by overcoming some of the previous limitations of tunnel-based routing. And tunnels make things more secure, right?

There are a few issues with tunnels. First, they have overhead. Depending on the type of tunneling and the size of the original packet, encapsulation can increase the packet size by roughly 40% to over 100% (small voice packets are hit hardest, since the added headers are a fixed size). While this isn’t a problem if there is sufficient bandwidth, it can cause problems on lower-bandwidth or congested links.

The second issue with tunnels is that they can cause packet fragmentation. Fragmentation occurs when a packet is too large to transmit across a specific link in a single frame (it exceeds the link’s MTU), which the added tunnel headers make more likely. Fragmentation is problematic because the receiving router has to reassemble the original packet from all of its fragments in the correct order. If any one fragment is dropped as it traverses the links between sender and receiver, the entire original packet (meaning all of the individual fragments) must be retransmitted. Fragments also cause issues with some firewalls: fragments after the first carry no transport header, so a firewall that can’t associate them with the session may drop them.
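The overhead and fragmentation costs above are easy to put numbers on. The calculator below is an added example for this post (not code from the page or from Juniper): it sizes a packet after GRE and IPsec ESP tunnel-mode encapsulation using the header lengths from RFC 2784, RFC 4303 and RFC 4106, splits the result into IPv4 fragments for a given MTU, and computes how fragmentation amplifies link loss. The sample packet sizes (60-byte G.729 voice, 200-byte G.711 voice, 1500-byte full-size TCP segment) are constructed inputs.

```python
"""Tunnel encapsulation overhead and IPv4 fragmentation calculator.

Added example for this post, not code from the original page or from
Juniper. Header sizes follow GRE (RFC 2784), ESP (RFC 4303) and AES-GCM
ESP (RFC 4106); the sample packet sizes are constructed."""
import math

IPV4_HDR = 20
UDP_HDR = 8


def gre_size(inner_len, key=False, seq=False):
    """IPv4-in-GRE-in-IPv4: outer IP + 4-byte GRE header (+4 key, +4 seq)."""
    return IPV4_HDR + 4 + (4 if key else 0) + (4 if seq else 0) + inner_len


def esp_tunnel_size(inner_len, cipher="aes-gcm", nat_t=False):
    """IPv4-in-ESP tunnel mode. Padding aligns (inner + pad length + next
    header) to the cipher's alignment (4 bytes for GCM, 16 for AES-CBC)."""
    if cipher == "aes-gcm":            # RFC 4106: 8-byte IV, 16-byte ICV
        iv, icv, align = 8, 16, 4
    elif cipher == "aes-cbc-sha1":     # AES-CBC (RFC 3602) + HMAC-SHA1-96
        iv, icv, align = 16, 12, 16
    else:
        raise ValueError(cipher)
    trailer = inner_len + 2            # pad length + next header bytes
    padded = math.ceil(trailer / align) * align
    esp = 8 + iv + padded + icv        # SPI + seq, IV, padded payload, ICV
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp


def overhead_pct(inner_len, outer_len):
    return round(100.0 * (outer_len - inner_len) / inner_len, 1)


def ipv4_fragments(total_len, mtu=1500):
    """Fragment sizes needed to carry a packet across a link with this MTU.
    Every fragment repeats the 20-byte IPv4 header, and every fragment except
    the last carries a multiple of 8 payload bytes. A one-element list means
    no fragmentation."""
    if total_len <= mtu:
        return [total_len]
    payload = total_len - IPV4_HDR
    per_frag = (mtu - IPV4_HDR) // 8 * 8
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IPV4_HDR + chunk)
        payload -= chunk
    return sizes


def effective_loss(n_fragments, link_loss):
    """Probability the original packet is lost: reassembly needs every
    fragment, so losing any one of them loses the whole packet."""
    return 1.0 - (1.0 - link_loss) ** n_fragments


def report(inner_len, mtu=1500):
    """(encapsulated size, overhead %, fragment count) per encapsulation."""
    encaps = {
        "gre": gre_size(inner_len),
        "esp-gcm": esp_tunnel_size(inner_len),
        "esp-gcm-nat-t": esp_tunnel_size(inner_len, nat_t=True),
        "esp-cbc-sha1": esp_tunnel_size(inner_len, cipher="aes-cbc-sha1"),
    }
    return {name: (size, overhead_pct(inner_len, size),
                   len(ipv4_fragments(size, mtu)))
            for name, size in encaps.items()}


if __name__ == "__main__":
    for inner in (60, 200, 1500):   # G.729 voice, G.711 voice, full-size TCP segment
        print(inner, report(inner))
```

Running it shows the spread the text describes: a 60-byte voice packet grows 40% under plain GRE and just over 100% under ESP with NAT-T, while a full-size 1500-byte segment fits no tunnel at all and becomes two fragments on a 1500-byte link. In practice most SD-WAN devices sidestep the TCP case by clamping the MSS or lowering the tunnel MTU; UDP and other non-TCP traffic at full size still fragments unless the application limits its own packet size.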

Finally, tunnels can be problematic from a scale perspective. If you use a full-mesh design (each site connects to every other site), the number of tunnels needed grows quadratically. With a single WAN link and unidirectional tunnels (used for more security), n*(n-1) tunnels are required; with bidirectional tunnels, you can cut that number in half. A client with 100 sites therefore needs 9,900 unidirectional (or 4,950 bidirectional) tunnels to support a full mesh, and each site terminates 99 bidirectional tunnels. With 2 WAN links per site the count at least doubles, and it quadruples if every local link is paired with every remote link. Many systems move to a hub-and-spoke design, where the edge/branch locations (spokes) only connect to specific central locations (hubs). This reduces the number of tunnels needed per site but can increase latency between spokes, because traffic now transits up to the hub before going back down to the other spoke. While tunnels can make building out an SD-WAN relatively easy, they have drawbacks, especially at scale.

SVR directly addresses the issues of tunnel-based implementations. You no longer have the overhead of encapsulating every packet because you use native IP behavior (the session metadata rides only in the first packet of a session). This also removes the higher incidence of packet fragmentation, since encapsulation headers no longer increase the packet size. Finally, the scaling issue disappears because your routers no longer need to build tunnels; they simply forward packets to the targeted next-hop SVR routers. By taking a session-oriented perspective, you gain visibility and control over the end-to-end communication. SVR-based routers can transform a stateless network into one that is session-aware.

An added benefit of SVR is that it provides more segmentation capability than a tunnel-based SD-WAN. Working at the session level provides hyper-segmentation without overlays: authentication, encryption, and routing are decided per session instead of per VLAN or IP address. This is much more granular and simpler to implement, and it allows for better utilization of WAN links.

Where Mist Comes In

Juniper’s WAN Assurance has been part of the Mist portal for a while (mainly in Beta); however, it focused initially on their SRX devices (SSR was added in Beta later). Juniper called this “WAN Assurance 1.0.” Similar to how they added the EX-series switches to the Mist portal with the original Wired Assurance, the 1.0 version focused on basic visibility and AI-driven insights for the edge devices. This announcement moves things to “WAN Assurance 2.0.” This goes beyond just seeing what is happening with the SRX and SSR devices; it allows for actual control. Currently, the SSR SD-WAN implementation requires the use of the Session Smart C to control the configuration, policy enforcement, and routing definitions. In this next generation of WAN Assurance, you’ll be able to configure many of those pieces directly in the Mist portal, similar to the way you can now configure EX switches (including Virtual Chassis and even EVPN networks).

This full-stack network gives Juniper a considerable advantage. With the entire network (Wireless, Wired, WAN) feeding data into the Marvis virtual network assistant, it can now correlate events and provide insight into what is happening at a location with complete visibility. This also allows Mist to bring the full power of their AI Engine to the SD-WAN space – allowing for even more automation, visibility, and awareness. In the future, it will allow for automated intervention in network issues and, ultimately, AI-driven predictive interventions to prevent such problems. The system will be able to fix things before they break! The Holy Grail of the networking world.

Juniper is also releasing a hardware platform for the SSR software. While the original SSR implementation can run on any x86 hardware, Juniper is releasing a set of SSR-branded appliances to simplify adoption. These appliances will be “cloud-ready.” Just as you can use Zero Touch Provisioning on other cloud-ready devices (like Mist Access Points and Juniper EX and QFX switches), you’ll be able to scan a QR code on the device to add it to your portal instance and begin configuration. When the device comes online, it will communicate with the Mist cloud and download its configuration, so fewer technical resources are required on-site for installations. The appliances also extend the platform’s native zero trust security model with URL filtering and intrusion detection/prevention (IDS/IPS) capabilities, so you can provide more advanced security without requiring a separate security appliance.

Why Am I So Excited About This?

Well, because now I get to play with even more toys in the lab! But seriously, this enhancement gives Juniper a full-stack network approach from the Mist portal. While they aren’t the only ones, their AI Engine leads the pack. Juniper’s commitment to open standards provides much more flexibility and agility. No longer are you buying “light” versions of the networking hardware to make it accessible through the portal. This is the full strength of Juniper’s networking equipment in an easy, automated, AI-driven experience. And it is just the beginning of what AI is going to bring to networking. As I’ve walked clients through the Mist solution and shown them what Marvis can bring to their use cases, the difference has become evident. This isn’t just another web-based management platform with “AI” branding slapped on. This is the real deal.

Next Steps

If you want to dig a little deeper, check out these links:


Now is a great time to start looking at how Juniper and Mist can help your environment. I’d love to schedule a time to chat about Mist and see how it might be able to help you with your current or future needs. Drop me a line through our Talk With An Expert form here, and let’s see what we can figure out.
