Table Of Contents
- Introduction
- Scope
- Design Considerations—Connectivity at the Branch Office
- Branch-Office Connectivity over IPsec VPN
- Design Recommendations
- Routing Information Protocol
- Traffic Load Balancing for Type B and Type C Branch Deployments
- Using Border Gateway Protocol for Large Networks
- Using OSPF for Small Number of Branch Offices
- Using Auto Connect VPN to Create Branch-to-Branch IPsec Tunnels
- High Availability for the Branch Office
- High Availability Requirement Levels (Link, Device, Device, and Link Levels)
- High Availability Functionalities
- High Availability for Branch Office Type A
- VPN Security Zone Configuration for Type A
- High Availability for Branch Office Type B
- Using Secure Services Gateway for Type B
- High Availability for Branch Office Type C
- Connectivity at the Data Center
- Implementing a High Availability Enterprise Network at the Data Center
- Quality of Service Design Requirements
- WX Design Requirements
- Summary
- Appendix A Related Documents
- Appendix B Naming Conventions
- Appendix C Products
- About Juniper Networks
- Figure 1: Connecting branch offices, campus locations, and data centers over a single converged network
- Figure 2: Branch office reference architecture
- Figure 3: Multi-tiered/layered network architecture
- Figure 4: Two-tier network design for data centers
- Figure 5: Branch with dual internet connections (load balancing using ECMP)
- Figure 6: BGP routing design
- Figure 7: Star topology – connecting branches to central hub
- Figure 8: AC VPN provisioned tunnels between branches in the same region
- Figure 9: Multi-tier topology
- Figure 10: HA configuration for Type A
- Figure 11: VPN security zone configuration for Type A
- Figure 12: Type B optimized – HA configuration
- Figure 13: Type B – security zones
- Figure 14: Type C – HA configuration
- Figure 15: Intra-branch using OSPF
- Figure 16: Branch Type C – security zones
- Figure 17: Enterprise network for the data center
- Figure 18: M Series Multiservice Edge Routers
- Figure 19: Internet firewalls
- Figure 20: VPN firewalls
- Figure 21: VPN firewall IPS policy

Copyright © 2010, Juniper Networks, Inc. 19
APPLICATION NOTE - Branch Office Connectivity Guide
Table 3: Data Center Key Design Considerations

Requirements / Description

Internet connectivity
• The design must employ a minimum of two Internet links.
• The edge-connecting routers must provide redundancy as well as ensure service accessibility.
• The active/active Internet connection requires two edge routers to provide resilient Internet connectivity.
• A BGP feed is required from each of the providers to enable failover.
• Rate limiting of traffic to the firewall is needed so that a flood of traffic from the Internet does not affect the network.
• Stateless inspection or packet filtering must be used.

Private WAN
• Private circuits must be either point-to-point connections or connect over a provider-provisioned MPLS network.
• All traffic that originates from the branch and is destined for the data center must be encrypted.
• The private WAN is deployed off of the VPN firewalls.

Firewalls
• Internet firewalls must host the network operations center (NOC).
• Firewalls must connect to the Internet and receive routing information from the Internet edge routers.
• IPsec VPN firewalls provide the connectivity hub for all remote sites; they terminate IPsec VPNs from the Internet as well as from private WANs.
• The IPsec firewalls must terminate VPN tunnels for all of the remote branches over the private WAN.
• The following must be employed: redundant hardware, dynamic routing protocols (DRP), and fully meshed links.
• The design must allow for a highly scalable VPN services infrastructure without being dependent on the availability of the Internet firewalls.

Shared services
• The Internet firewalls must have a default route (obtained from the Internet edge routers) into the shared services core.
• The connectivity to the firewalls must be in a mesh deployment.
• The routing on the shared services core must integrate with the firewalls.
High availability
• The design must use a meshed solution to provide redundant paths on each redundant device.
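The Internet connectivity requirements in Table 3 (two links, a BGP feed from each provider for failover, rate limiting of traffic toward the firewalls, and stateless packet filtering) as they might be expressed on one Internet edge router. This is an added Junos configuration example, not configuration from the application note; all addresses, AS numbers, interface names and filter names are placeholders, and the 100 Mbps policer value is an assumed figure, not a recommendation from the guide.

```junos
/* Added example, not from the application note: one Internet edge router
   with two upstream eBGP sessions, a policer limiting traffic toward the
   Internet firewalls, and a stateless filter. All values are placeholders. */
interfaces {
    ge-0/0/0 {
        description "Uplink to ISP-A (placeholder)";
        unit 0 { family inet { address 192.0.2.2/30; filter { input from-internet; } } }
    }
    ge-0/0/1 {
        description "Uplink to ISP-B (placeholder)";
        unit 0 { family inet { address 198.51.100.2/30; filter { input from-internet; } } }
    }
}
routing-options { autonomous-system 64500; }
policy-options {
    /* accept only a default route from each provider; keeps the routing table small */
    policy-statement default-only {
        term accept-default { from { route-filter 0.0.0.0/0 exact; } then accept; }
        then reject;
    }
}
protocols {
    bgp {
        /* one session per provider: if one default is withdrawn, the other remains */
        group isp-a { type external; peer-as 64496; import default-only; neighbor 192.0.2.1; }
        group isp-b { type external; peer-as 64497; import default-only; neighbor 198.51.100.1; }
    }
}
firewall {
    /* rate limit: excess traffic toward the firewall block is dropped on the edge router */
    policer to-firewalls {
        if-exceeding { bandwidth-limit 100m; burst-size-limit 1m; }
        then discard;
    }
    family inet {
        filter from-internet {
            /* stateless check: drop Internet packets claiming an internal source address */
            term drop-spoofed-internal {
                from { source-address { 10.0.0.0/8; } }
                then { count spoofed-internal; discard; }
            }
            term police-to-firewalls {
                from { destination-address { 203.0.113.0/24; } }
                then { policer to-firewalls; accept; }
            }
            term allow-rest { then accept; }
        }
    }
}
```

The same fragment, with the provider addresses swapped, would be applied to the second edge router so that the active/active pair required by the table survives the loss of either router or either link.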