SD-WAN

 View Only
last person joined: 3 days ago 

Ask questions and share experiences with SD-WAN and Session Smart Router (formerly 128T).
  • 1.  Feature Friday: Secure Edge Connectors

     
    Posted 02-08-2023 10:06

    HAPPPPPPPYYYYY FRIDAY EVERYONE!!!

    I hope you have all been doing well these last couple of weeks. I'm currently sitting in my office in Massachusetts freezing my butt off with how cold it is. We are supposed to get temperatures as low as -15°F. Last year, I spoke to you about the things I am grateful for and weather like this reminds me how grateful I am for having the security of a nice warm shelter to bunker down in. 

    Speaking of security…that's going to be the topic of this week's Feature Friday! Specifically, we are going to look at the new Secure Edge Connectors for Session Smart Routers. 
     

    SASE

    You may remember from last October that I did a post about the IDP features getting enabled in the SSR. In that post, I mentioned the SD-Branch vs SASE approach. If you don't recall, SASE stands for Secure Access Service Edge and it is a security framework that Gartner conceived to help businesses come to terms with that fact that they will have workers located in many spots (at home, in the office, at the beach) trying to access applications hosted in many spots (HQ, Data Centers, in the cloud, at the beach…). This opens a whole slew of attack vectors for bad actors to try to get into your network and get your confidential information or hold your devices for ransom. By implementing the following major components of SASE, one should be able to feel secure about their network:

    • Software-defined WAN (SD-WAN)
    • Cloud Access Security Broker (CASB)
    • NGFW and Firewall-as-a-Service (FWaaS)
    • Zero Trust Network Access (ZTNA) 
    • Secure Web Gateways (SWG)


    SSE

    Here's an interesting thing though, if you remove the SD-WAN component from your SASE deployment, what you have is SSE or Security Service Edge. Basically, if you think of SASE as a marriage of networking and security, the SSE is the security portion of SASE. 

    One of the big things we like to say at Juniper with our SASE deployment is that we can meet you at any step of your SASE journey. If you already have SD-WAN, we can provide you SSE with the Juniper Secure Edge. If you already have SSE, then we can provide your SD-WAN with the Juniper Session Smart Router. If you have some of the SASE components and not others, well, Juniper's solution is modular so you can just purchase the pieces you need. 

    You might be saying to yourself, "Justin, I thought this was a Feature Friday, not a 'Let's Talk About Everything But Features Friday.'" You are correct, so let's get into the feature. 

    Secure Edge Connectors

    The features we are discussing this week are new connectors that we have put into the Session Smart Router that allow you to easily connect to your SSE. They just ask for some very minimal information about your SSE and then the SSR connects to that SSE using IPSec or GRE. 
     

    We have 2 connector types that are pre-built for you:

    • Juniper Secure Edge
    • Zscaler


    If you have a Juniper Secure Edge or Zscaler deployment and you want to offload traffic from your SSR to these deployments, all you have to do is select Add Provider under Secure Edge Connectors in the Mist Cloud and then input information such as pre-shared key and hostname/IP address. You will need to log into your Secure Edge or Zscaler and put similar information to allow your SSR to make secure connections with your SSE. This step will create your secure connection to your SSE so all you have to do is configure which traffic you want to send to your Secure Edge or Zscaler using the Traffic Steering and Application Policies you already use. 

    If you have an SSE that is not Juniper Secure Edge or Zscaler, you can still use an easy to build Secure Edge Connector, you will just choose the custom option and input a little more information. 

    So those are the Secure Edge Connectors. If you put "complete my SASE deployment" as one of your 2023 New Year's resolutions, then these will help you accomplish that goal much quicker. 

    I hope everything I said makes sense. This feature literally came out just a couple of weeks ago. Give it a try and see if you like it. 

    Now, here's my questions to you:

    • Are you interested in SASE at all?
    • Where are you in your SASE journey?
    • What SSE products are you using?
    • Are you currently experiencing cold or hot weather right now?
    • Any advice on how to stay warm?


    It was so great chatting with you and I hope you have a great couple of weeks. I look forward to talking with you again soon. Stay warm or cool depending on where you live. I guess more than that, stay safe. 

    #FeatureFridays #Security #SASE #SSE #SSR #SessionSmartRouter #SecureEdge #Mist

    ​​​​​​​​​

    ------------------------------
    Justin Melloni
    ------------------------------


  • 2.  RE: Feature Friday: Secure Edge Connectors

    This message was posted by a user wishing to remain anonymous
    Posted 02-09-2023 18:27
    This message was posted by a user wishing to remain anonymous

    Hi Justin, I really enjoy these Feature Fridays! 

    I have a couple questions:

    1. Are we using Hardware queues?
    2. Our queues/traffic class are weighted ( using percentage ) does the High queue/traffic class is a Priority Queue?

    Hope you were able to stay warm over the weekend! 




  • 3.  RE: Feature Friday: Secure Edge Connectors

     
    Posted 02-10-2023 11:47

    Thank you so much!

    I definitely did manage to stay warm. No burst pipes for me! I know a lot of people that did experience that though, so I am lucky. 

    1. Are we using Hardware queues?
      • The SSR queuing and scheduling comes from DPDK, so technically they are software queues. But they function fast like hardware, but with the programmability of software.
    2. Our queues/traffic class are weighted ( using percentage ) does the High queue/traffic class is a Priority Queue?
      • The high queue is not a priority queue. So it is important that you set your Traffic Profiles correctly. Remember though that the way the queues work is that the percentage you set will be reserved for that type of traffic and if it needs more than that percentage it will eat into any of the percentages that are not filled. So I have seen deployments where they do something like:

        • High - 90%
        • Medium - 8%
        • Low - 1%
        • Best Effort - 1%
      • With this, the high will always have 90% of the bandwidth available to it, and the Medium will have 8% and the Low and Best Effort will each have 1%. However, if the High isn't using all it's bandwidth, then the Medium, Low, and Best Effort can borrow it, until it is needed.
      • One other thing I just learned was our default settings, say for example you don't set a Traffic Profile:
        • High - 80%
        • Medium - 10%
        • Low - 9%
        • Best Effort - 1%

    I hope this makes sense! Thank you for reading and commenting! Let me know if you have any other questions I can answer.

    Thank you,

    Justin



    ------------------------------
    Justin Melloni
    ------------------------------