Table Of Contents
- Introduction
- Scope
- Design Considerations—Connectivity at the Branch Office
- Branch-Office Connectivity over IPsec VPN
- Design Recommendations
- Routing Information Protocol
- Traffic Load Balancing for Type B and Type C Branch Deployments
- Using Border Gateway Protocol for Large Networks
- Using OSPF for Small Number of Branch Offices
- Using Auto Connect VPN to Create Branch-to-Branch IPsec Tunnels
- High Availability for the Branch Office
- High Availability Requirement Levels (Link, Device, Device, and Link Levels)
- High Availability Functionalities
- High Availability for Branch Office Type A
- VPN Security Zone Configuration for Type A
- High Availability for Branch Office Type B
- Using Secure Services Gateway for Type B
- High Availability for Branch Office Type C
- Connectivity at the Data Center
- Implementing a High Availability Enterprise Network at the Data Center
- Quality of Service Design Requirements
- WX Design Requirements
- Summary
- Appendix A Related Documents
- Appendix B Naming Conventions
- Appendix C Products
- About Juniper Networks
- Figure 1: Connecting branch offices, campus locations, and data centers over a single converged network
- Figure 2: Branch office reference architecture
- Figure 3: Multi-tiered/layered network architecture
- Figure 4: Two-tier network design for data centers
- Figure 5: Branch with dual internet connections (load balancing using ECMP)
- Figure 6: BGP routing design
- Figure 7: Star topology – connecting branches to central hub
- Figure 8: AC VPN provisioned tunnels between branches in the same region
- Figure 9: Multi-tier topology
- Figure 10: HA configuration for Type A
- Figure 11: VPN security zone configuration for Type A
- Figure 12: Type B optimized – HA configuration
- Figure 13: Type B – security zones
- Figure 14: Type C – HA configuration
- Figure 15: Intra-branch using OSPF
- Figure 16: Branch Type C – security zones
- Figure 17: Enterprise network for the data center
- Figure 18: M Series Multiservice Edge Routers
- Figure 19: Internet firewalls
- Figure 20: VPN firewalls
- Figure 21: VPN firewall IPS policy

20 Copyright © 2010, Juniper Networks, Inc.
APPLICATION NOTE - Branch Office Connectivity Guide
Data Center Network Architecture
Figure 17 illustrates the data center network architecture. The design employs a redundant network topology
so that user traffic continues to be forwarded despite failures of one or more links or nodes in the network. This
implementation includes the following key features:
• Dynamic routing protocols
• A fully meshed interface deployment
• Stateful failover
The architecture is derived from a working and tested example of the configuration and provides the basis for the
design practices and information presented in this guide.
At the WAN edge, network architects have often used L2 switches to form a hierarchical mesh so that the multitude
of links provides fault protection in case of failure. The design presented in this section employs Juniper Networks M
Series Multiservice Edge Routers and SSG Series firewalls, and leverages the routing functionality of the SSG Series
to provide a routed connectivity solution instead of a traditional switched mesh. Using this design places failure
detection and correction into a domain that is solely routed, providing more effective and intelligent uses of network
resources. The direct protocol interaction between the routers (without intervening switches) eliminates the typical
layer of Ethernet switches commonly used at the edge.
The design uses OSPF as the interior gateway protocol between the security gateways and the edge routers, and uses
mixed-mode NSRP to ensure that hosts can always reach the routers. The firewalls are seamlessly integrated into
the routing domain: when the topology changes, OSPF dynamically moves the forwarding path from the
primary to the secondary firewall. OSPF link costs control routing paths in a deterministic manner, which eliminates
the possibility of asymmetric routing. OSPF manages path calculation across the network topology and advertises
routes between the WAN routers and the internal network.
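The paragraph above relies on two properties of OSPF shortest-path-first (SPF) computation: with unequal link costs the forward and reverse paths through the firewall tier are identical (so a stateful firewall sees both directions of every flow), and a failed node simply disappears from the next SPF run. The following Python script is an added illustration, not code or configuration from the Juniper application note; the topology, node names (wan1, wan2, fw-primary, fw-secondary, core) and link costs are constructed for the example.

```python
"""Deterministic OSPF-style path selection over a small data center topology.

Added example, not part of the Juniper application note. The topology and
link costs are constructed: two WAN edge routers, a primary and a secondary
firewall, and a core router. OSPF runs Dijkstra's SPF; the point shown is
that with unequal link costs the forward and reverse paths agree (no
asymmetric routing through the stateful firewalls) and that a failed
firewall drops out of the next SPF run without any static reconfiguration.
"""
import heapq

# Constructed topology: each link is bidirectional with one cost per direction.
# Lower cost on the primary firewall's links makes it the preferred path.
LINKS = [
    ("wan1", "fw-primary", 10),
    ("wan2", "fw-primary", 10),
    ("wan1", "fw-secondary", 20),
    ("wan2", "fw-secondary", 20),
    ("fw-primary", "core", 10),
    ("fw-secondary", "core", 20),
    ("wan1", "wan2", 5),
]


def build_graph(links, down=frozenset()):
    """Adjacency map; nodes in `down` are omitted, as OSPF does once a neighbor's dead timer expires."""
    graph = {}
    for a, b, cost in links:
        if a in down or b in down:
            continue
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, source):
    """Dijkstra from `source`; returns (distance, previous-hop) maps.
    Neighbors are visited in name order so equal-cost ties resolve deterministically."""
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    visited = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in visited:
            continue
        visited.add(node)
        for nbr, cost in sorted(graph.get(node, {}).items()):
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    return dist, prev


def path(graph, src, dst):
    """Ordered hop list from src to dst, or None when dst is unreachable."""
    dist, prev = spf(graph, src)
    if dst not in dist:
        return None
    hops = [dst]
    while hops[-1] != src:
        hops.append(prev[hops[-1]])
    return list(reversed(hops))


def is_symmetric(graph, a, b):
    """True when the b->a path is the exact reverse of a->b."""
    fwd = path(graph, a, b)
    rev = path(graph, b, a)
    return fwd is not None and rev is not None and fwd == list(reversed(rev))


def firewall_on_path(graph, a, b):
    """Which firewall (if any) carries the a->b flow; the stateful session lives there."""
    return next((h for h in (path(graph, a, b) or []) if h.startswith("fw-")), None)


if __name__ == "__main__":
    g = build_graph(LINKS)
    print("normal      :", path(g, "wan1", "core"), "symmetric:", is_symmetric(g, "wan1", "core"))
    g2 = build_graph(LINKS, down={"fw-primary"})
    print("primary down:", path(g2, "wan1", "core"), "symmetric:", is_symmetric(g2, "wan1", "core"))
```

In the normal topology every WAN-to-core path crosses fw-primary in both directions; when fw-primary is marked down, the next SPF run routes through fw-secondary, again symmetrically. Had the two firewalls been given equal costs, OSPF equal-cost multipath could place the forward and reverse directions of one flow on different firewalls, which is exactly the asymmetric-routing outcome the design avoids by assigning unequal costs.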
Because the design uses fewer nodes, it reduces troubleshooting errors and the number of potential failure points.
It also moves the security devices closer to the provider edge, which decreases the number of devices exposed to
compromise by an attacker.
The following sections discuss the details of the design:
• Internet Connectivity
• Firewalls (Internet and VPN)
• Shared Services (Core)
• High Availability