APPLICATION NOTE
BRANCH OFFICE CONNECTIVITY GUIDE
Juniper Networks Design Practices for Connecting Branch Offices to Data Centers over a Single Converged Network
Copyright © 2010, Juniper Networks, Inc.
Introduction

Designing and scaling an enterprise network for assured connectivity between branch offices and data centers is a challenge that faces every high-performance organization. This guide helps organizations design and implement a secure and reliable enterprise network infrastructure.
Design Considerations—Connectivity at the Branch Office

This section presents design guidance for the following major topics:
• Implementing branch office connectivity using an IPsec VPN overlay
• Using RIP as the preferred routing protocol for the solution
• Employing address traffic load balancing
• Considering routing protocols other than RIP for the same design model
After defining the basic design for branch office connectivity, gu
Table 1: Functionality, Features, and Capabilities of the Branch Office Types

Functionality                    Feature / Capability   Type A     Type B     Type C
Security                         Deep Inspection        •          •          •
 (Unified Threat Management)     Antivirus              •          •          •
                                 Web Filtering          •          •          •
                                 Firewall               •          •          •
                                 T1/E1                  –          •          •
                                 MPLS                   –          –          •
                                 Broadband              •          •          •
                                 Wired                  •          •          •
                                 Wireless               Optional   Optional   •
                                 Device Redundancy      –          •          •
                                 Link Redundancy        Optional   Optional   Optional
                                 Performa
• Configuration Simplicity: Provisioning is easy. When the number of sites is large, it is important to reduce the per-site configuration complexity where possible; that is, where multiple configurations are required, each should be as simple as possible.
• Link-Failure Detection: Link-failure detection mechanisms are required.
When a device sends traffic to other devices, it sends the traffic to an upper-layer router. The process repeats until the traffic arrives at a router with the visibility needed to forward the traffic down to a lower layer. Because devices on the top layer are usually fully meshed, they can send the traffic to the appropriate router. The traffic is then forwarded down the layer chain until it reaches its final destination.
Using RIP with On-Demand Circuit Extensions (Advantages and Disadvantages)

RIP is easier to provision and administer. When using RIP, each branch advertises the range of its directly connected networks to each data center, using different metrics. Data centers advertise an aggregate of the network together with a more specific route to the networks that directly attach to the data center.
Implementing ECMP as an Aid in Load Balancing

As shown in Figure 5, it is still possible to use both access links. Creating a pair of tunnels, each routed through a different connection (both originating on the same data center and terminating on the branch), provides the required load balancing. In this way, traffic is split using equal-cost multipath (ECMP) across both access interfaces.
[Figure 6: BGP routing design. Diagram residue removed; the figure shows Data Center 1 and Data Center 2, each with an IBGP route reflector (RR1, RR2), routers CE 1 to CE N in OSPF area 0, Data Center 1 advertising the DC1 + DC2 aggregate network, the CE 1 network advertised with local preference 200, and the CE N network advertised with local preference 100.]

The main advantages of this design are that it accommodates multiple devices and scales to a large number of remote offices. Route processing is partly distributed by the route reflectors.
administrative distances. Whenever the primary tunnel is active, traffic should be forwarded to the data center terminating that tunnel. Because static routes have a low administrative distance, traffic forwarded by the backup device always chooses the local tunnel regardless of the metrics used. The return traffic, though, still uses the active tunnel, causing problems on the firewalls.
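As an added illustration (not code from the Juniper note), the following Python models the route selection that produces the asymmetric path just described: the branch backup device holds both a static route over its own tunnel and the RIP-learned route via the primary device, and selection by administrative distance ignores the metrics entirely. The tunnel names, prefixes and distance values are constructed; the floating-static remedy shown at the end is a common general technique, assumed here rather than taken from the note.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DST = "10.20.30.40"  # constructed host behind the data centers


@dataclass(frozen=True)
class Route:
    prefix: str          # destination network
    next_hop: str        # outgoing tunnel (constructed names)
    admin_distance: int  # lower is preferred, compared before the metric
    metric: int          # tie-breaker only within the same distance
    source: str          # "static" or "rip"


def select_route(rib, dst):
    """Longest prefix wins; ties go to the lowest administrative distance,
    then the lowest metric. Returns None when nothing matches."""
    addr = ip_address(dst)
    matches = [r for r in rib if addr in ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ip_network(r.prefix).prefixlen,
                                       r.admin_distance, r.metric))


def backup_rib(static_ad, rip_up=True):
    """RIB of the branch backup device (constructed): a static route over its
    own tunnel.2 to data center 2, plus, while the primary tunnel is up, the
    RIP route learned from the primary device via the active tunnel.1."""
    rib = [Route("10.0.0.0/8", "tunnel.2", static_ad, 0, "static")]
    if rip_up:
        rib.append(Route("10.0.0.0/8", "primary:tunnel.1", 100, 2, "rip"))
    return rib


def paths_are_symmetric(static_ad, rip_up=True):
    """The data center returns traffic over the active tunnel.1, so the flow
    is symmetric only if the backup device also sent it that way."""
    chosen = select_route(backup_rib(static_ad, rip_up), DST)
    return chosen.next_hop == "primary:tunnel.1"


if __name__ == "__main__":
    # Static below RIP (constructed: 20 vs 100): the local tunnel always wins,
    # so outbound uses tunnel.2 while return traffic rides tunnel.1.
    print(select_route(backup_rib(20), DST).source, paths_are_symmetric(20))
    # Floating static (distance above RIP's): RIP wins while tunnel.1 is up...
    print(select_route(backup_rib(150), DST).source, paths_are_symmetric(150))
    # ...and the local tunnel still carries traffic once RIP withdraws it.
    print(select_route(backup_rib(150, rip_up=False), DST).next_hop)
```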
• No assumptions have been made about the nature of the IPsec tunnels. Both aggressive-mode and main-mode tunnels can be mixed on the presented network. If a failure occurs when using aggressive mode with dynamic peers, only the remote peer can initiate a new IPsec tunnel connection. This might result in longer recovery times.
• It is important to configure RIP using the demand circuit extensions.
Note: The hub also stores a profile with the configuration of the IPsec tunnels that branch offices use to achieve connectivity. This simplifies the configuration, as the tunnels only have to be configured on the hub. This configuration is then pushed to the spokes whenever a direct IPsec VPN connection is established.
• The security associations (SAs) and the NHRP caches are not synchronized when active/active NSRP is used. If a failover occurs, a new NHRP registration is performed, and as a result, branch-to-branch tunnels must be reestablished. However, reestablishing the tunnels does not impact branch-to-branch traffic, as branch traffic is still routed through the hub in the meantime.
• Only a single NHS server can be configured per client. During a complete failure at the hub (either a data center or a regional office acting as the NHS), branch offices cannot establish shortcuts until connectivity to the hub is restored.
• A new registration to the NHS is required when an NSRP failover is triggered. If a failover occurs at one of the hubs, every branch office has to reregister and the NHRP cache has to be repopulated.
Functionality: Network Address Translation (NAT)
Description: NAT is enabled so that machines in the trusted and guest zones can access the Internet. In the event of a failure, Internet sessions might not be preserved, as the translated addresses of that traffic might have to change and different service providers might be used on the Internet links.
is routed through interface Ethernet 0/1, the interface IP address is used to NAT the traffic. In this way, there is no need to propagate the addresses between service providers. In addition, DSL connections are supported because it is not necessary to know in advance the IP address assigned to each of the Internet-connected interfaces. Instead, the Dynamic Host Configuration Protocol (DHCP) is used in this case.
There is no session or configuration synchronization between the SSG Series Secure Services Gateways. Session persistence is achieved by disabling TCP SYN checks for flows created inside IPsec tunnels. In this way, when traffic is rerouted to the secondary SSG Series device, a new session is created and the traffic is forwarded to the destination.
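Added illustration (not code from the note): a small Python model of the SYN-check behaviour described above. A stateful firewall that receives a mid-stream packet with no matching session drops it while the SYN check is on and builds a new session when the check is disabled for tunnel traffic; the interface names, addresses and flow are constructed. The model also shows the caveat a practitioner wants: the relaxation applies only to flows arriving inside the IPsec tunnels, so a bare ACK on an untrusted interface is still refused.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags, e.g. frozenset({"SYN"}) or frozenset({"ACK"})
    in_iface: str      # ingress interface, e.g. "tunnel.2" or "ethernet0/1"


class StatefulFirewall:
    """Constructed model: a packet matching no session may open one only if it
    is a SYN, unless the check is disabled for traffic inside IPsec tunnels."""

    def __init__(self, syn_check_in_tunnels=True):
        self.sessions = set()
        self.syn_check_in_tunnels = syn_check_in_tunnels

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    def forward(self, p):
        if self._key(p) in self.sessions:
            return "forward:existing"
        in_tunnel = p.in_iface.startswith("tunnel.")
        check = self.syn_check_in_tunnels if in_tunnel else True
        if check and "SYN" not in p.flags:
            return "drop:no-session"
        self.sessions.add(self._key(p))
        return "forward:new"


def reroute_midstream(syn_check_in_tunnels):
    """A flow opened through the primary SSG; a later packet of the same flow
    is rerouted to the secondary SSG, which holds no session for it."""
    primary = StatefulFirewall(syn_check_in_tunnels)
    secondary = StatefulFirewall(syn_check_in_tunnels)
    syn = Packet("192.168.10.5", 40000, "10.1.1.10", 443, frozenset({"SYN"}), "tunnel.1")
    ack = Packet("192.168.10.5", 40000, "10.1.1.10", 443, frozenset({"ACK"}), "tunnel.2")
    primary.forward(syn)
    return secondary.forward(ack)


def bare_ack_from_untrust(syn_check_in_tunnels):
    """A session-less ACK on the untrusted interface is refused either way,
    because the relaxed check is scoped to the tunnel interfaces."""
    fw = StatefulFirewall(syn_check_in_tunnels)
    pkt = Packet("198.51.100.7", 1234, "10.1.1.10", 443, frozenset({"ACK"}), "ethernet0/1")
    return fw.forward(pkt)
```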
[Branch office topology figure: diagram residue removed. The figure shows the branch office SSG Series and J Series devices, the point-to-point (PTP) network, the Internet, and Data Center A, with their loopback, Ethernet, and tunnel interface addresses.]
Pertaining to the other branch offices, the interfaces facing the J Series routers and the loopback interfaces are part of the untrust zone, the tunnel interfaces are part of the VPN zone, and the guest and user-facing interfaces are part of the guest and trust zones, respectively. See Figure 16.

[Figure 16 diagram residue removed. The figure shows the J Series (A) and SSG Series devices with Tunnel.1 (10.255.1.20), Tunnel.2 (10.255.5.20), the e0/9:1, e0/8:1, e0/1:1 and s1/0 interfaces, the HA link, and the 1.140.1.0/24 network.]
Table 3: Data Center Key Design Considerations

Requirement: Internet connectivity
Description:
• The design must employ a minimum of two Internet links.
• The edge-connecting routers must provide redundancy as well as ensure service accessibility.
• The active/active Internet connection requires two edge routers to provide resilient Internet connectivity.
• A BGP feed is required from each of the providers to enable failover.
Data Center Network Architecture

Figure 17 illustrates the data center network architecture. The design employs a redundant network topology so that user traffic continues to be forwarded despite failures of one or more links or nodes in the network.
[Figure 17: Data center network architecture. Diagram residue removed; the figure shows the Internet (ISP B, ISP C) and provider WAN connections, Data Center A in OSPF area 1 with the M Series (A) and (B) edge routers, J Series (A), the SSG Series (A) and (B) Internet firewalls with their HA links, the ISG Series (E), and the NOC-OBM network (192.168.3.0/24, OSPF passive), with loopback addresses and OSPF link costs.]
Internet Connections

Because HA is an integral part of the design, the solution uses two provider links. The active/active Internet connection uses two edge routers, which provides device redundancy and ensures service accessibility. BGP feeds from each of the providers provide failover protection, allowing the Internet to use the best path to the local network in the event of a failure. Routing information is passed back to the network core using the IGP.
Table 4: M Series Edge A and B Router Connectivity and Interfaces and Gigabit Ethernet Ratios

Function                             M Series (A) Router               M Series (B) Router
Internet provider interface          Gigabit Ethernet (ge-0/1/0.0)     SONET OC-12 (so-0/1/0.0)
Internet firewall SSG Series (A)     Gigabit Ethernet (ge-0/0/0.0)     Gigabit Ethernet (ge-0/0/0.0)
Internet firewall SSG Series (B)     Gigabit Ethernet (ge-0/0/1.0)     Gigabit Ethernet (ge-0/0/1.
The first set of firewalls, specifically the Internet firewalls, needs to provide a few specific functions. The Internet firewalls must host the NOC. The NOC is deployed off the firewalls like a traditional DMZ, to ensure that the data it collects is secured and cannot be altered by attackers. The Internet firewalls also must connect to the Internet and receive routing information from the edge routers.
from accepting upstream routing information, namely the default route. If the firewall were still accepting the default route, it would take that route and pass it to the shared services core. This would force all of the traffic through the firewall even though the required VSD is not active on the device. To accomplish this, interface monitoring is enabled.
The NSRP design uses a mix of VSI and non-VSI interfaces. NSRP is designed to make a firewall pair (or cluster) appear to operate as a single device. As a master/backup protocol, NSRP allows two devices to synchronize their configurations and operations. In the event of a failover, the backup device seamlessly picks up where the master device left off, without disrupting transit traffic or VPN services terminating on the device.
The firewall policy deployed on the firewalls allows a minimal amount of access through the firewall. The firewall is configured to secure monitoring traffic as it enters and exits the NOC. It allows traffic from the Internet to reach the two configured MIPs. These MIPs support the remote branch firewalls and allow them to be managed via NSM. The firewall also allows traffic to exit the data center for a minimal set of services.
because there is only one private WAN provider. The last loopback interface, Loopback 8:1, is used for NAT in the same manner as on the Internet firewalls. Juniper configures NAT for both NSM device servers to allow direct communication over the private WAN.
access between branches. Many organizations terminate the private WAN into the shared services core or core network. This method potentially allows attacks, or unsecured traffic, to migrate from the branch offices onto the private WAN. Even though the private WAN provides a different type of connectivity than an Internet-based VPN, its traffic should still be treated the same as Internet traffic.
Shared Services Core

The shared services core is the section of the network where all of the network components converge. It consists of two shared services core switches, which are configured for both routing and switching. All of the interfaces connected to the firewalls are routed interfaces that participate with the firewalls in OSPF area 0. Several networks exist on the shared services switches.
WX Design Requirements

Table 8 summarizes the WX Series design requirements. For detailed information pertaining to the WX Series Application Acceleration Platforms, refer to the application note WX Series/WXC Series WAN Acceleration: Implementing WAN Acceleration at the Branch Office.
Appendix B: Naming Conventions

M Series and J Series Interface Naming Conventions
The following provides the naming conventions used for all of the interfaces on the M Series and J Series routers.
Appendix C: Products

Product Tables

Product/Technology: Firewall/VPN with full UTM features (antivirus, antiphishing, anti-spyware, antiadware, anti-keylogger, antispam, Web filtering)
  Type A - Basic: Uses integrated security functionality in the SSG Series
  Type B - Optimized: Uses integrated security functionality in the SSG Series
  Type C - Critical: Uses integrated security functionality in the SSG Series
Product/Technology: Routing
  Type A - Basic: Uses integrated routing functionalit
Kaspersky

By integrating a best-in-class gateway antivirus offering from Kaspersky Lab, Juniper Networks integrated security appliances can protect Web traffic, email, and webmail from file-based viruses, worms, backdoors, trojans, and other malware. Using policy-based management, inbound and outbound traffic can be scanned, protecting the network from attacks originating outside the network as well as those that originate inside it.
The TGM550 module inserts into any slot in the J4350 or J6350 router and delivers a rich telephony feature set to the branch office.