manual
Table Of Contents
- Introduction
- Scope
- Design Considerations—Connectivity at the Branch Office
- Branch-Office Connectivity over IPsec VPN
- Design Recommendations
- Routing Information Protocol
- Traffic Load Balancing for Type B and Type C Branch Deployments
- Using Border Gateway Protocol for Large Networks
- Using OSPF for Small Number of Branch Offices
- Using Auto Connect VPN to Create Branch-to-Branch IPsec Tunnels
- High Availability for the Branch Office
- High Availability Requirement Levels (Link, Device, Device, and Link Levels)
- High Availability Functionalities
- High Availability for Branch Office Type A
- VPN Security Zone Configuration for Type A
- High Availability for Branch Office Type B
- Using Secure Services Gateway for Type B
- High Availabilty for Branch Office Type C
- Connectivity at the Data Center
- Implementing a High Availability Enterprise Network at the Data Center
- Quality of Service Design Requirements
- WX Design Requirements
- Summary
- Appendix A Related Documents
- Appendix B Naming Conventions
- Appendix C Products
- About Juniper Networks
- Figure 1: Connecting branch offices, campus locations, and data centers over a single converged network
- Figure 2: Branch office reference architecture
- Figure 3: Multi-tiered/layered network architecture
- Figure 4: Two-tier network design for data centers
- Figure 5: Branch with dual internet connections (load balancing using ECMP)
- Figure 6: BGP routing design
- Figure 7: Star topology – connecting branches to central hub
- Figure 8: AC VPN provisioned tunnels between branches in the same region
- Figure 9: Multi-tier topology
- Figure 10: HA configuration for Type A
- Figure 11: VPN security zone configuration for Type A
- Figure 12: Type B optimized – HA configuration
- Figure 13: Type B – security zones
- Figure 14: Type C – HA configuration
- Figure 15: Intra-branch using OSPF
- Figure 16: Branch Type C – security zones
- Figure 17: Enterprise network for the data center
- Figure 18: M Series Multiservice Edge Routers
- Figure 19: Internet firewalls
- Figure 20: VPN firewalls
- Figure 21: VPN firewall IPS policy
- Figure 2: Branch office reference architecture
Copyright © 2010, Juniper Networks, Inc. 27
APPLICATION NOTE - Branch Office Connectivity Guide
The firewall policy that is deployed on the firewalls allows for minimal amount of access through the firewall. The
firewall is configured to secure monitoring traffic as it enters and exits the NOC. It allows traffic from the Internet
to access the two configured MIPs. These MIPs support the remote branch firewalls and allow them to be managed
via NSM. The firewall also allows traffic to exit the data center for a minimal amount of services. MIPs are primarily
for update services for the servers in the data center. This outbound traffic is NATed through a Dynamic Internet
Protocol (DIP) located on the loopback VSI.
The Internet firewalls are configured with screening to reduce the threat from network-based floods. In testing the
screen configuration, it was able to easily ward off a 100 pps SYN flood attack with minimal performance impact. For
a listing of the firewall policy configuration parameters, see Implementing HA at the Enterprise Data Center to Connect
to a Large Number of Branch Offices.
VPN Firewalls
The VPN firewalls need to provide many different high-end tasks for this solution. They must do the following:
• Support a minimum of 2,000 IPsec VPNs
• Redistribute at least one route from up to 1,000 branches
• Run both RIP and OSPF
• Secure traffic by providing IPS-level scanning
The ISG Series firewall is the best firewall to do this because it can easily handle all of the aforementioned tasks.
Figure 20 provides a detailed view of the ISG Series VPN firewalls.
The NSRP configuration is similar to the Internet firewalls. The VPN firewalls also are a mix of active/active and
active/passive. In this case, the firewalls need to have several different terminating interfaces for VPNs instead of
just NAT, or as a default gateway. We use a total of seven VSI loopbacks in this design. For the VPN firewalls, VSD
0 was unset, as the firewalls needed to maintain their own OSPF neighbor relationships. Two different VSDs were
created to allow each of the firewalls to handle some of the VPN traffic, effectively load-balancing the traffic. It is
possible to load-balance traffic because of dynamic routing.
The distribution of the seven VSIs provides load balancing in two different ways—across firewalls and across the
two ISP. Each of the two ISPs used allocated several small eight-host networks. These networks were divided into
individual IP addresses by creating a single host subnet. This approach uses 10 full IP addresses because the subnet
IP and broadcast IPs can be used as individual host subnets. For VSD-1, which is designed to be primary on the ISG
Series (E) firewall, it contains four interfaces. The second VSD, VSD-2, has three interfaces and ISG Series (F) is
primary for them. Table 6 illustrates the significance of the IP addresses that are deployed.
Table 6: IP Address Deployment
Interface Name IP Address IP Owner Use Primary Firewall
Loopback.1:1 1.2.0.6 ISP B IP VPN Termination ISG Series (E)
Loopback.2:1 1.3.0.6 ISP C IP VPN Termination ISG Series (E)
Loopback.32 1.2.0.7 ISP B IP VPN Termination ISG Series (F)
Loopback.42 1.3.0.7 ISP C IP VPN Termination ISG Series (F)
Loopback.5:1 172.18.8.162 Private WAN VPN Termination ISG Series (E)
Loopback.6:2 172.18.8.164 Private WAN VPN Termination ISG Series (F)
Loopback.8:1 172.18.8.169 Private WAN NAT for NSM ISG Series (E)
Having multiple VSIs on the same firewall with different ISP IPs balances the traffic across both of the ISPs
automatically. First, the remote sites simply need to be configured in a pattern to ensure that each of the loopbacks
receives the same amount of remote sites bound to them. Second, each VPN firewall has the same ISP address
deployment. Therefore, the second VSD on the second firewall also can have VPNs terminated to it as well, allowing
traffic to be balanced across both ISPs and both firewalls.
If a failover occurs, a VSD from a failed firewall will be passed to the remaining firewall cluster member, with
seamless failover similar to an active/passive cluster. The private WAN loopback interfaces are deployed for
VPN termination as are the Internet VPNs. The difference is that there is one VSI per VSD for the private WAN