manual
Table Of Contents
- Introduction
- Scope
- Design Considerations—Connectivity at the Branch Office
- Branch-Office Connectivity over IPsec VPN
- Design Recommendations
- Routing Information Protocol
- Traffic Load Balancing for Type B and Type C Branch Deployments
- Using Border Gateway Protocol for Large Networks
- Using OSPF for Small Number of Branch Offices
- Using Auto Connect VPN to Create Branch-to-Branch IPsec Tunnels
- High Availability for the Branch Office
- High Availability Requirement Levels (Link, Device, Device, and Link Levels)
- High Availability Functionalities
- High Availability for Branch Office Type A
- VPN Security Zone Configuration for Type A
- High Availability for Branch Office Type B
- Using Secure Services Gateway for Type B
- High Availabilty for Branch Office Type C
- Connectivity at the Data Center
- Implementing a High Availability Enterprise Network at the Data Center
- Quality of Service Design Requirements
- WX Design Requirements
- Summary
- Appendix A Related Documents
- Appendix B Naming Conventions
- Appendix C Products
- About Juniper Networks
- Figure 1: Connecting branch offices, campus locations, and data centers over a single converged network
- Figure 2: Branch office reference architecture
- Figure 3: Multi-tiered/layered network architecture
- Figure 4: Two-tier network design for data centers
- Figure 5: Branch with dual internet connections (load balancing using ECMP)
- Figure 6: BGP routing design
- Figure 7: Star topology – connecting branches to central hub
- Figure 8: AC VPN provisioned tunnels between branches in the same region
- Figure 9: Multi-tier topology
- Figure 10: HA configuration for Type A
- Figure 11: VPN security zone configuration for Type A
- Figure 12: Type B optimized – HA configuration
- Figure 13: Type B – security zones
- Figure 14: Type C – HA configuration
- Figure 15: Intra-branch using OSPF
- Figure 16: Branch Type C – security zones
- Figure 17: Enterprise network for the data center
- Figure 18: M Series Multiservice Edge Routers
- Figure 19: Internet firewalls
- Figure 20: VPN firewalls
- Figure 21: VPN firewall IPS policy
- Figure 2: Branch office reference architecture
Copyright © 2010, Juniper Networks, Inc. 23
APPLICATION NOTE - Branch Office Connectivity Guide
Table 4: M Series Edge A and B Router Connectivity and Interfaces and Gigabit Ethernet Ratios
Function Interfaces M Series (A) Router M Series (B) Router
Internet provider interface Gigabit Ethernet (ge-0/1/0.0) SONET OC-12 (so-0/1/0.0)
Internet firewall SSG Series (A) Gigabit Ethernet (ge-0/0/0.0) Gigabit Ethernet (ge-0/0/0.0)
Internet firewall SSG Series (B) Gigabit Ethernet (ge-0/0/1.0) Gigabit Ethernet (ge-0/0/1.0)
IPsec VPN interface ISG Series (E) Gigabit Ethernet (ge-0/0/2.0) Gigabit Ethernet (ge-0/0/2.0)
IPsec VPN Interface ISG Series (F) Gigabit Ethernet (ge-0/0/3.0) Gigabit Ethernet (ge-0/0/3.0)
Router-router interface Gigabit Ethernet (ge-0/1/3.0) Gigabit Ethernet (ge-0/1/3.0)
Each router has a single connection to the Internet. The design uses a Gigabit Ethernet connection to connect the A
router to the Internet, while the B router link uses an OC-12 connection. Connectivity from the edge devices to each
of the four firewalls creates a fully meshed network. Each router employs a single connection to each of the four
firewalls. Both routers use a 4-port Gigabit Ethernet PIC to create the mesh. The PIC is oversubscribed by a 4:1 ratio
and should be adequate for this design, considering that a majority of the traffic is destined for the VPN firewalls. If
oversubscription occurs, a second Gigabit Ethernet PIC can be added if throughput performance is insufficient.
The edge routers are linked to each other through a single Gigabit Ethernet link that provides a transit path around
a less preferred or failed path. The Ethernet link also provides continuity to the Internet so both Internet connections
can be used for the best possible path to the remote networks and in case a packet is asymmetrically routed over
the Internet and returns over the less preferred link. Because the routers provide only a default route to all the
SSG Series firewalls, the SSG Series firewalls will only send traffic to the next best router. The routers then must
determine which of the two Internet links to use. If the router with the less acceptable path receives the traffic, it will
send the traffic to the router that contains the preferred path.
The link connecting the router to the Internet uses a passive interface. An OSPF passive interface allows its network
to be redistributed but no neighbor relationships can be established. The other five links are incorporated into OSPF
and are weighted to ensure that traffic flow occurs in a predetermined, predictable pattern. Doing so simplifies
troubleshooting and ensures that traffic reacts only as intended. Figure 19 shows the OSPF costing relationships
assigned to the links.
Each of the firewall clusters has a primary and a secondary firewall and the links favor the primary firewall. In the
event of a primary firewall failure, the secondary firewall takes over, even though the paths have higher costs. Higher
costs paths are chosen because they are the only paths available. This guarantees that traffic traverses the same
path in both directions. The advantage of using cross links is that traffic remains within the same firewall during a
single link failure.
The OSPF connection between the routers is monitored with Bidirectional Forwarding Detection (BFD). BFD is a draft
protocol that allows for subsecond detection of link failures. It integrates with the routing protocol and notifies the
routing protocol when the peer is unavailable, allowing for quick convergence. In this scenario, BFD removes this
path from the routing protocol within 900 ms. Without BFD, path removal typically takes a maximum of 40 seconds.
Juniper Networks recommends using BFD as best practice where available.
It is critical that the routers are properly configured to ensure correct routing throughout the design. The
configuration schema defines the A router as the preferred path so it is selected as the best path, and the B router
is designated as the less preferred path and is used only in the case of a failure. Refer to the Implementing a High
Availability Enterprise Network for the Data Center application note, which provides the edge router configuration
parameters for both edge routers.
Firewalls—Internet and IPsec
The firewalls in this solution consist of two separate firewall deployments that are configured for separate purposes.
One firewall provides secure access to the Internet. The second firewall exclusively provides a VPN termination point.
Both firewalls use the concept of a mixed mode high availability deployment, which offers a combination of virtual
security interfaces (VSI) and non-VSI interfaces to pass traffic.