Table Of Contents
- Introduction
- Scope
- Design Considerations—Connectivity at the Branch Office
- Branch-Office Connectivity over IPsec VPN
- Design Recommendations
- Routing Information Protocol
- Traffic Load Balancing for Type B and Type C Branch Deployments
- Using Border Gateway Protocol for Large Networks
- Using OSPF for Small Number of Branch Offices
- Using Auto Connect VPN to Create Branch-to-Branch IPsec Tunnels
- High Availability for the Branch Office
- High Availability Requirement Levels (Link, Device, Device, and Link Levels)
- High Availability Functionalities
- High Availability for Branch Office Type A
- VPN Security Zone Configuration for Type A
- High Availability for Branch Office Type B
- Using Secure Services Gateway for Type B
- High Availability for Branch Office Type C
- Connectivity at the Data Center
- Implementing a High Availability Enterprise Network at the Data Center
- Quality of Service Design Requirements
- WX Design Requirements
- Summary
- Appendix A Related Documents
- Appendix B Naming Conventions
- Appendix C Products
- About Juniper Networks
- Figure 1: Connecting branch offices, campus locations, and data centers over a single converged network
- Figure 2: Branch office reference architecture
- Figure 3: Multi-tiered/layered network architecture
- Figure 4: Two-tier network design for data centers
- Figure 5: Branch with dual internet connections (load balancing using ECMP)
- Figure 6: BGP routing design
- Figure 7: Star topology – connecting branches to central hub
- Figure 8: AC VPN provisioned tunnels between branches in the same region
- Figure 9: Multi-tier topology
- Figure 10: HA configuration for Type A
- Figure 11: VPN security zone configuration for Type A
- Figure 12: Type B optimized – HA configuration
- Figure 13: Type B – security zones
- Figure 14: Type C – HA configuration
- Figure 15: Intra-branch using OSPF
- Figure 16: Branch Type C – security zones
- Figure 17: Enterprise network for the data center
- Figure 18: M Series Multiservice Edge Routers
- Figure 19: Internet firewalls
- Figure 20: VPN firewalls
- Figure 21: VPN firewall IPS policy

6 Copyright © 2010, Juniper Networks, Inc.
APPLICATION NOTE - Branch Office Connectivity Guide
Using RIP with On-Demand Circuits Extensions (Advantages and Disadvantages)
RIP is easier to provision and administer. When using RIP, each branch advertises the range of directly connected
networks to each data center, using different metrics. Data centers advertise an aggregate of the network together
with a more specific route to the networks that directly attach to the data center.
To reduce processing and traffic overhead, demand circuit extensions should be enabled. With these
extensions, route advertisements over a point-to-point connection (as in the case of the IPsec tunnels) are
acknowledged and do not need to be periodically retransmitted unless the network topology changes.
The main disadvantage of demand circuit extensions is that they are not commonly used, and therefore are not supported
by many routing vendors (including Junos OS-based routers). Integration with non-ScreenOS®-based devices might
be difficult. However, a hybrid approach can be employed where non-conformant devices connect using standard RIP.
The advantages for using RIP with demand circuit extensions for a medium-sized network include:
• Low protocol overhead - Routing information is only exchanged in the event of failures or topology changes.
• Relatively fast convergence - VPN monitoring provides efficient and quick detection of end-to-end connectivity
problems between two IPsec tunnel endpoints.
• Versatility - The routing path can be easily modified by using different metrics.
• Limited flooding of information - A link state database protocol, such as IS-IS or OSPF requires the flooding
of routing information to all the devices in a single area (or level). This results in the constant redistribution of
protocol information whenever a single device (or group of devices) fails. Because the network can have as many
as 1,000 devices, many situations can occur where some of the IPsec tunnels could flap due to poor network
conditions. In such cases, even when partitioning the network in several areas, the routing instabilities would be
propagated throughout the network.
• Protocol simplicity and ease of operation - Many enterprise networks already use RIP as their preferred IGP.
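The following is an added example, not configuration from the Juniper application note: a small Python model of the RIP design just described. A branch learns the corporate aggregate from two data centers with different metrics plus a more-specific route from the data center that owns each subnet; lookups use longest-prefix match and then lowest metric, and when VPN monitoring marks a tunnel down its routes are withdrawn. The demand-circuit behaviour is reduced to its essence: an update is only generated for routes that actually changed. Tunnel names, prefixes and metrics are constructed for illustration.

```python
"""Toy model of branch routing over IPsec tunnels using RIP-style metrics.
Added example, not code from the Juniper application note; all names,
prefixes and metrics below are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # tunnel interface name, e.g. "tun-dc1"
    metric: int     # RIP hop-count style metric; 16 means unreachable


@dataclass
class BranchRouter:
    routes: set = field(default_factory=set)
    # VPN monitor state per tunnel: True = end-to-end connectivity verified
    tunnels_up: dict = field(default_factory=dict)

    def learn(self, prefix, next_hop, metric):
        """Install a route advertised by a data center over a tunnel."""
        self.routes.add(Route(ipaddress.ip_network(prefix), next_hop, metric))
        self.tunnels_up.setdefault(next_hop, True)

    def set_tunnel(self, tunnel, up):
        """VPN monitoring reports a tunnel as up or down."""
        self.tunnels_up[tunnel] = up

    def active_routes(self):
        """Routes whose tunnel is up and whose metric is still reachable."""
        return [r for r in self.routes
                if self.tunnels_up.get(r.next_hop, False) and r.metric < 16]

    def lookup(self, addr):
        """Return the tunnel used to reach addr, or None if unreachable."""
        ip = ipaddress.ip_address(addr)
        candidates = [r for r in self.active_routes() if ip in r.prefix]
        if not candidates:
            return None
        # Longest prefix wins; among equal prefixes the lowest metric wins.
        best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
        return best.next_hop


def advertised_update(previous, current):
    """Demand-circuit style update: only the routes that changed need to be
    sent (and acknowledged); an empty set means nothing is retransmitted."""
    return set(current) ^ set(previous)


def build_branch():
    """Constructed branch: DC1 is the preferred data center for the aggregate,
    and each data center also advertises the subnets directly attached to it."""
    b = BranchRouter()
    b.learn("10.0.0.0/8", "tun-dc1", 2)    # aggregate, preferred path
    b.learn("10.0.0.0/8", "tun-dc2", 5)    # aggregate, backup path
    b.learn("10.1.0.0/16", "tun-dc1", 1)   # subnet attached to DC1
    b.learn("10.2.0.0/16", "tun-dc2", 1)   # subnet attached to DC2
    return b


if __name__ == "__main__":
    branch = build_branch()
    before = branch.active_routes()
    print("10.2.4.4 via", branch.lookup("10.2.4.4"))   # more-specific beats metric
    print("10.7.1.1 via", branch.lookup("10.7.1.1"))   # aggregate, lowest metric
    branch.set_tunnel("tun-dc1", False)                 # VPN monitor: DC1 tunnel down
    print("10.1.4.4 via", branch.lookup("10.1.4.4"))   # falls back to DC2 aggregate
    print("routes to re-advertise:", len(advertised_update(before, branch.active_routes())))
```

The point the model makes is the one the bullets above make in prose: a more-specific route pulls traffic to the data center that owns the subnet regardless of the aggregate's metric, metrics steer everything else, and a tunnel failure produces one bounded update rather than a periodic flood.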
Traffic Load Balancing for Type B and Type C Branch Deployments
Traffic should be balanced across more than one link when implementing Type B and Type C branch office
topologies. Except for special cases, one 10 Mbps link tends to be more expensive than ten 1 Mbps DSL lines. For
reliability reasons, it is common practice to provide redundant links. Even when the driving force is to install an extra
link because a backup connection is required—and because in North America customers generally pay a flat fee per
link, independently of the traffic carried—it is desirable to use the extra capacity efficiently.
Solving traffic balancing at the data center is different when compared to the remote branches. Due to the large
number of tunnels terminating at each data center, traffic can be balanced by splitting the tunnels and routing each
group through a different link. If the traffic pattern is relatively dispersed among the different tunnels, this strategy
provides excellent usage for every data center link.
However, at remote branches, it is not always possible to balance traffic in this manner. If the characteristics of the
customer traffic were such that traffic could be easily distributed across multiple data centers, then simply routing
the IPsec tunnels—going to the central offices through different links—would suffice.
When most of the traffic is directed to a single data center, traffic symmetry must be preserved. As with any traffic
inspection device, the firewalls inspecting traffic (located at each head-end of the tunnels) must inspect traffic in
both directions. Accordingly, for any particular connection, traffic going in and out of a particular data center must go
through the same firewall.
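As an added illustration (not from the Juniper application note) of the two data-center requirements above, the Python model below pins each IPsec tunnel to one data-center link and the firewall behind it by hashing the tunnel's branch identity. Because the pinning depends on the tunnel rather than on packet direction, both directions of any connection cross the same stateful firewall, and per-link load is simply the sum of the pinned tunnels' traffic. A naive per-direction hash is included for contrast. Firewall names, branch names and traffic volumes are constructed.

```python
"""Tunnel-to-link pinning at the data center with traffic symmetry preserved.
Added example, not code from the Juniper application note; all firewall
names, branch names and volumes are constructed."""
import hashlib
from collections import defaultdict

# Constructed: one firewall sits behind each data-center link.
FIREWALLS = ["fw-link1", "fw-link2"]


def _bucket(key, n):
    """Stable bucket for a string key (SHA-256, not Python's per-process
    salted hash()) so the pinning survives device restarts."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n


def firewall_for_tunnel(branch_id, firewalls=FIREWALLS):
    """Pin a whole IPsec tunnel, identified by its branch, to one firewall/link."""
    return firewalls[_bucket(branch_id, len(firewalls))]


def path_for_flow(src, dst, firewalls=FIREWALLS):
    """A branch<->data-center connection always rides the branch's tunnel, so the
    firewall depends only on which end is the branch, not on the direction."""
    branch = src if src != "dc" else dst
    return firewall_for_tunnel(branch, firewalls)


def naive_path_for_flow(src_ip, dst_ip, firewalls=FIREWALLS):
    """Contrast: choosing the link from the source address alone. The reply
    (src/dst swapped) can land on the other firewall, which holds no state
    for the connection and drops it."""
    return firewalls[_bucket(src_ip, len(firewalls))]


def is_symmetric(pick, a, b):
    """True when the forward and return directions use the same firewall."""
    return pick(a, b) == pick(b, a)


def link_load(tunnel_volumes, firewalls=FIREWALLS):
    """Sum the traffic of the tunnels pinned to each firewall/link."""
    load = defaultdict(int)
    for branch, mbps in tunnel_volumes.items():
        load[firewall_for_tunnel(branch, firewalls)] += mbps
    return dict(load)


# Constructed sample: eight branches with average tunnel throughput in Mbps.
SAMPLE_TUNNELS = {f"branch-{i:02d}": 10 + 5 * (i % 4) for i in range(1, 9)}


if __name__ == "__main__":
    for branch in SAMPLE_TUNNELS:
        print(branch, "->", firewall_for_tunnel(branch),
              "symmetric:", is_symmetric(path_for_flow, branch, "dc"))
    print("per-link load (Mbps):", link_load(SAMPLE_TUNNELS))
    asym = [i for i in range(20)
            if not is_symmetric(naive_path_for_flow, f"10.1.{i}.1", "10.0.0.1")]
    print("naive hash breaks symmetry for", len(asym), "of 20 sample flows")
```

Splitting by tunnel gives good link usage when traffic is dispersed across many tunnels, exactly as the text says; the model also shows why the per-direction alternative is unsafe with stateful inspection, since roughly half of the reply flows would reach a firewall that never saw the connection's first packet.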