Service Provider Transformation
Juniper Employee
Conquer Your Branch Chaos with uCPE
Mar 23, 2018


Ever wonder why you still have multiple devices at your branch location?


Your typical branch hosts a router, a switch, a firewall, and an app server. It is 2018, there is talk of AI taking over from humans, and yet many enterprise branch deployments are stuck in the 90s. While branch deployments are rapidly migrating to SD-WAN, they often overlook the fact that most SD-WAN vendors provide yet another router instead of cleaning up the cable-chained chaos that exists behind the branch networking customer premises equipment (CPE).


In general, evolution of branch devices has been somewhat stagnant and simple. If one of the links goes down, it takes a long time for the second link to take over for it, disrupting the user experience. You can imagine this becoming catastrophic when, for example, a store’s point-of-sale application loses connectivity—and revenue. SD-WAN is helping.


Next, take branch security: it’s still mostly inadequate or an afterthought. The most common branch CPEs provide basic secure routing with IPsec VPN. However, with attack vectors ranging from external hackers to malware spreading among users and workloads, IPsec will no longer suffice for security. The need to deploy next-generation firewalls with advanced threat mitigation becomes critical. Recent sophisticated attacks like WannaCry, NotPetya, etc. require advanced zero-day threat mitigation to safeguard you. You might assume that deploying branch firewalls solves some security issues; alas, most NG-firewall vendors don’t offer SD-WAN features.


Add on the journey to multicloud. It has mainly focused on public and private clouds, economies of scale, and applications. Virtualization has long since been a given. Meanwhile in the humble branch, appliance convergence using virtualization is only starting to come out of the shadows with SD-Branch. And too often, it forces SD-WAN and security tradeoffs.


But finally, the ability to put all your services, as virtual instances, on a universal CPE (uCPE) device is here, and without forcing you to choose between SD-Branch, SD-WAN and security. No need to pick. No need to cobble them together. You can have them all.


Before diving into how Juniper is revolutionizing this space, here are some of the most important factors that a next-generation branch device requires:

  • Ability to run virtual services and virtual network functions (VNFs), consolidating branch deployments
  • Ability to provide integrated security with advanced threat mitigation, enabling end-to-end and branch-to-cloud security
  • Ability to scale, providing a path to add or delete services
  • Ability to provide meaningful high availability with L4-L7 stateful failover
  • Alternative connectivity options: MPLS, broadband, LTE/4G, DSL and T1/E1
  • Complete remote management and orchestration
  • Zero-touch deployment, provisioning devices automatically without assistance from expert IT staff
  • Advanced application-based routing and traffic steering based on various metrics


Customers who switched to Juniper’s SRX Series secure branch CPEs have a router, a switch, and a fully-fledged next-generation firewall solution, consolidating three boxes into one. It’s also an option in our Contrail SD-WAN solution.


Juniper has taken CPE to the next level by introducing the NFX Series Network Services Platform. NFX is a scalable x86-based next-generation branch uCPE. It provides the ability to run custom on-premises applications for complete branch convergence, all using the power of Junos OS. It allows enterprises and service providers alike to automate and accelerate branch connectivity.


The NFX comes in two editions:

  • NFX250 – A next-generation uCPE, proven at the likes of AT&T, Verizon and Telstra.
  • NFX150 – A new kid on the block built to collapse branch appliances and converge connectivity in a more compact form factor, at a lower price point.


Here’s why so many Juniper customers are choosing the NFX: 

Universal CPE (uCPE) platform: NFX Series provides complete VNF orchestration capabilities. Customers can run any KVM-based virtual service, be it a Juniper-qualified VNF or their own custom application server. The NFX Series includes VNF instantiation and management. This eliminates the need for hosting an additional server or multiple other hardware boxes at a customer site, reducing CapEx and OpEx.


Service chaining: The NFX Series uses Open vSwitch service chaining, which allows customers to add or delete services in the data path without the need for re-provisioning or interruption. The ability to dynamically service chain multiple virtual instances transforms the branch. When used with Contrail Service Orchestration, VNF lifecycle management is also automated, making it easier for customers to manage many services.


All-inclusive security: From the foundations of the hardware Trusted Platform Module to the reaches of secure end-to-end multicloud communication, the NFX provides comprehensive security. The included Juniper vSRX virtual next-generation firewall provides L2 to L7 security, traffic isolation and multi-tenancy. Multi-tenancy allows for many businesses or departments at a branch site without multiple CPEs. More NFX features complete the security suite: L2 port security; different types of VPN, including IPsec with advanced encryption and authentication mechanisms; built-in application firewalling; application-based routing; and other UTM and IPS services. The NFX also boasts Juniper Sky ATP, protecting users from malware and zero-day attacks. Juniper’s Software Defined Secure Networks (SDSN) allows enterprises to extend security postures to a branch LAN segment.


Zero-Touch Deployment: Enterprises and service providers can deploy and orchestrate branch deployments at massive scale with simplicity. On initial boot-up, the NFX dials into Juniper’s redirect server, which is configured with the information needed to reach the orchestrator, from which the device configuration and VNFs are pushed.


A Cornerstone of Contrail SD-WAN: Contrail Service Orchestration enables NFX devices to function as SD-WAN CPEs. Beyond integrated security, Junos OS provides best-in-class routing features to enable branch devices to connect to any network using dynamic routing protocols and services, with options to encapsulate user traffic in GRE or IPsec tunnels. NFX can also meet SLAs with ease, using advanced application policy-based routing.


Wireless Connectivity: 3G/4G/LTE can act as a primary or a backup link with dual SIM cards and built-in carrier aggregation capabilities. LTE is available as an integrated option or with an expansion card. NFX can host other flexible expansion modules.


Automation: Junos OS is easily the best networking operating system today to integrate with automation frameworks and DevNetOps pipelines. It provides on-device and remote APIs for automated network operations of all your branch needs.


More… NFX clustering offers the best high availability of any uCPE on the market. We’re also integrating NFX and Contrail SD-WAN with AppFormix to provide simpler operations management and monitoring. Stay tuned for more blogs on these great developments.


As part of Contrail SD-WAN, the NFX provides you many benefits, chief among them: the simplicity of automation and consolidation with the reliability of smarter security and SDN.