26 Copyright © 2010, Juniper Networks, Inc.
APPLICATION NOTE - Branch Office Connectivity Guide
The NSRP design uses a mix of VSI and non-VSI interfaces. NSRP is a master/backup protocol that makes a firewall pair (or cluster) appear to operate as a single device by allowing the two devices to synchronize their configurations and operations. In the event of a failover, the backup device seamlessly picks up where the master device left off, without disrupting transit traffic or the VPN services terminating on the device.
This flexibility allows the cluster to offer terminating interfaces only where they are needed and to integrate with OSPF at the same time. It is possible to form OSPF neighbor relationships on VSI interfaces. However, if a failover occurs, excessive traffic loss results because the OSPF neighbor relationship must be re-established. In this solution, four of the interfaces have OSPF neighbors established, including the Internet and shared services interfaces. As with the edge routers, these links are weighted so that one is preferred over the other. Using the routing information learned over OSPF, the firewalls learn how to reach remote networks.
Figure 20 shows the OSPF costs and relationships assigned to each of the links.
The Internet interfaces are in the untrust zone, which is contained in the untrust virtual router. This arrangement ensures that the edge routers do not learn the routes from the shared services core. All of these interfaces and the untrust virtual router participate in OSPF area 1 only; there is no OSPF area 0 inside the routing domain of the untrust virtual router. OSPF can run in this way even though the single area in use is not the backbone area (area 0). Because area 0 does exist inside the shared services core, this solution uses a different area number to eliminate any confusion.
The untrust virtual router is configured to export some of the routes it learns to the trust virtual router. First, if the firewalls receive a default route from the edge routers, that default route is passed to the trust virtual router so the firewalls know where to send their traffic. Second, the loopback IP addresses of the routers and of the Internet firewalls are passed to the trust virtual router. This is done for monitoring purposes, because the loopback IP addresses are used only for monitoring. The router loopbacks are exported via a route map that matches those routes in OSPF. The firewall loopbacks are exported via a route map that matches connected routes only. This approach prevents the firewalls from exporting each other's loopback IP address for monitoring.
If the loopbacks were instead redistributed from OSPF, a firewall would export only the loopback of the other firewall, because its own loopback is a connected route rather than an OSPF route. This results in asymmetric routing: each firewall sees only the other cluster member's route and exports it. Monitoring traffic would enter the opposite cluster member and then reach the proper cluster member on the wrong interface. As a result, monitoring fails because the firewall routes the traffic to the wrong interface.
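As an added illustration that is not part of the application note, the following Python model applies the three export rules described above to constructed untrust-vr routing tables for the two cluster members, and shows why matching the firewall loopbacks as connected routes (rather than OSPF routes) keeps each firewall exporting only its own loopback. The device names, the addresses and the `Route` type are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str  # "ospf" (learned from a neighbor) or "connected" (local interface)

# Constructed addresses from RFC 5737 documentation ranges; not taken from the page.
DEFAULT = "0.0.0.0/0"
ROUTER_LOOPBACKS = {"192.0.2.1/32", "192.0.2.2/32"}                 # edge router loopbacks
FW_LOOPBACKS = {"fw-a": "198.51.100.1/32", "fw-b": "198.51.100.2/32"}  # firewall loopbacks

def peer_of(fw):
    return "fw-b" if fw == "fw-a" else "fw-a"

def untrust_table(fw):
    """Constructed untrust-vr table as seen on firewall `fw`: the default route and the
    router loopbacks arrive via OSPF, its own loopback is connected, and the peer's
    loopback is learned via OSPF from the other cluster member."""
    return ([Route(DEFAULT, "ospf")]
            + [Route(p, "ospf") for p in sorted(ROUTER_LOOPBACKS)]
            + [Route(FW_LOOPBACKS[fw], "connected"), Route(FW_LOOPBACKS[peer_of(fw)], "ospf")])

def export_to_trust(fw, table, fw_loopbacks_from="connected"):
    """Apply the export rules from the text and return the prefixes sent to trust-vr.
    `fw_loopbacks_from` is the protocol the firewall-loopback route map matches:
    "connected" (the design on the page) or "ospf" (the mistake the page warns about)."""
    exported = set()
    for r in table:
        if r.prefix == DEFAULT and r.protocol == "ospf":                # rule 1: default route
            exported.add(r.prefix)
        elif r.prefix in ROUTER_LOOPBACKS and r.protocol == "ospf":     # rule 2: router loopbacks
            exported.add(r.prefix)
        elif r.prefix in FW_LOOPBACKS.values() and r.protocol == fw_loopbacks_from:
            exported.add(r.prefix)                                      # rule 3: firewall loopbacks
    return exported

def exports_are_symmetric(fw_loopbacks_from="connected"):
    """True when every firewall exports its own loopback and not its peer's, so monitoring
    traffic for a loopback always enters the cluster member that owns it."""
    for fw in FW_LOOPBACKS:
        exported = export_to_trust(fw, untrust_table(fw), fw_loopbacks_from)
        if FW_LOOPBACKS[fw] not in exported or FW_LOOPBACKS[peer_of(fw)] in exported:
            return False
    return True

if __name__ == "__main__":
    print("connected-only route map symmetric:", exports_are_symmetric("connected"))  # True
    print("OSPF route map symmetric:", exports_are_symmetric("ospf"))                  # False
```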
In this deployment, the IP addresses used on all of the physical interfaces are private, non-Internet-routable IP addresses. This means that nothing beyond the edge routers can reach these interfaces. However, interface loopback 2:1, a virtual security interface, carries a small subnet of public, Internet-routable IP addresses. This interface uses Mapped IPs (MIPs) as static NAT mappings for the Juniper Networks Network and Security Manager (NSM) servers and the SSL VPN NOC gateway. This interface participates in OSPF as a passive interface and belongs to virtual security device (VSD) number 1.
This VSI is active on only one device at a time; in this design, it is active primarily on the A firewall. Only the firewall that has the active loopback interface sends the link-state advertisement (LSA) containing the route to the network on the loopback interface. If a failover occurs, the secondary firewall activates the loopback interface and then advertises the LSA for that network. This makes failover quick and limits traffic loss to only a few seconds.
The shared services core interfaces are in the data center zone, which represents everything within the data center and exists in the trust virtual router. This zone participates in a separate OSPF instance, in OSPF area 0 only. This configuration separates the routing in the untrust zone from the trust zone and prevents the private routes from being sent to the edge routers. Each of the interfaces is assigned a cost in a tiered fashion to ensure predictable traffic flow. When the untrust virtual router learns the default route and the loopback routes, they are redistributed through OSPF to all of the firewalls' neighbors as Type 2 external routes. Type 2 external routes are used because they take the cost of network links into account when calculating distance; Type 1 external routes do not take metrics into account and might send traffic along undesirable paths.
The shared services core interfaces connect directly to the shared services switches. Each firewall interface is directly connected to a routed interface on the switches, with a 30-bit (/30) subnet on the link. This creates a point-to-point network for the OSPF neighbor relationship. The interfaces are all configured as OSPF point-to-point links, so no designated router needs to be elected on the interface, which speeds up adjacency formation. The Internet firewalls learn all of their routing information from the shared services core.