28 Copyright © 2010, Juniper Networks, Inc.
APPLICATION NOTE - Branch Office Connectivity Guide
because there is only one private WAN provider. The last loopback interface, Loopback 8:1, is used for NAT in the
same manner as the Internet firewalls. Juniper configures NAT for both NSM device servers to allow for direct
communication over the private WAN.
NSRP ensures stateful failover (for active user traffic, and services between VPNs) by continuously synchronizing
Real-Time Objects (RTOs) and configuration information between firewalls in a cluster. This information is sent
across the HA links between firewalls.
NSRP failover monitoring is simple, and because there is no DMZ, complex monitoring scenarios do not exist. All
of the interfaces participate in OSPF. The only terminating interfaces are loopbacks that exist inside the firewall,
and they are not bound to a specific physical interface. Device monitoring is accomplished by ensuring that all three
of the needed zones are available. If all of the interfaces bound to a specific zone fail, then the device will fail over.
Because the firewall does not pass a default route from the Internet edge routers to the shared services core, the
firewalls will not fail in alignment with the routing protocols. If a VSI is not available, then the remote site’s tunnels
fail and the backup tunnel for another VSI takes over.
The VPN firewalls use a total of eight physical interfaces. Table 7 lists the VPN firewall connectivity and interfaces.
Because of the design of the ISG firewall, all but one of the interfaces is card-based. The Management Interface
is an onboard interface that connects to the out-of-band management network using a 10/100 Ethernet interface.
Two interfaces in slot four are dedicated as HA ports for NSRP. Slot four contains a four-port 10/100 card. A 10/100
interface has sufficient bandwidth to support state synchronization for NSRP. For a description of the conventions
used for Juniper Networks devices and links, see Appendix B.
The two Gigabit Ethernet ports provide the connection to the Internet edge routers. Both of these ports are on the
same card in slot one. Each port connects to a separate router and is assigned an OSPF cost, so that one link is
preferred over the other and traffic flows as expected. The WAN links operate the same way as the Internet links
on the Internet firewalls: they are in OSPF area 1, which is a standalone OSPF area.
The VPN firewalls block traffic from the shared services core to the untrust network. The only routes that are
imported from the untrust virtual router to the trust virtual router are the individual loopback interfaces used for
network monitoring. These routes are distributed via OSPF to the shared services core so that the NOC systems can
determine how to access the loopbacks. There are no firewall policies in place that otherwise allow traffic to leave
the data center through the VPN firewalls.
Table 7: VPN Firewall Connectivity and Interfaces
Function                                  SSG Series (A)                  SSG Series (B)
Edge router connectivity, M Series (A)    Gigabit Ethernet ethernet1/1    Gigabit Ethernet ethernet1/2
Edge router connectivity, M Series (B)    Gigabit Ethernet ethernet1/1    Gigabit Ethernet ethernet1/2
Shared services connectivity, Switch (A)  10/100 ethernet2/1              10/100 ethernet2/2
Shared services connectivity, Switch (B)  10/100 ethernet2/1              10/100 ethernet2/2
WAN router connectivity, J Series (A)     10/100 ethernet3/1              10/100 ethernet3/1
Router-router HA interfaces               10/100 ethernet2/2 – HA         10/100 ethernet2/2 – HA
                                          10/100 ethernet2/3 – HA         10/100 ethernet2/3 – HA
A second card is deployed in slot two using two Gigabit Ethernet ports. These two ports are configured as individual
Ethernet ports in a full mesh to the two switches in the shared services core. As with the Internet interfaces, the
two links are assigned different OSPF costs so that one link is preferred over the other. These interfaces participate
in OSPF area 0 inside of the shared services core. Figure 20 illustrates the port configuration as well as the OSPF
cost relationships assigned to the links.
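The three design rules stated above (paired links into a zone carry different OSPF costs, NSRP monitors every zone the cluster depends on, and only the monitoring loopbacks leak from the untrust virtual router to the trust virtual router) are easy to drift from over time. The following audit script is an added example, not part of the Juniper guide: it reads a ScreenOS-style "set ..." configuration and reports violations of those rules. The sample configuration, the command forms, and the zone name "wan" for the private WAN are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in ScreenOS-style "set ..." form; the command forms and zone
# names are assumptions for illustration, not a dump of the guide's firewalls.
SAMPLE_CONFIG = """\
set interface ethernet1/1 zone untrust
set interface ethernet1/1 protocol ospf cost 10
set interface ethernet1/2 zone untrust
set interface ethernet1/2 protocol ospf cost 20
set interface ethernet2/1 zone trust
set interface ethernet2/1 protocol ospf cost 10
set interface ethernet2/2 zone trust
set interface ethernet2/2 protocol ospf cost 10
set nsrp monitor zone untrust
set nsrp monitor zone trust
set access-list 10 permit ip 10.255.0.8/32 1
set access-list 10 permit ip 10.10.0.0/16 2
"""

# Zones that must all stay reachable for the cluster to remain active
# (assumption: the private WAN zone is named "wan").
REQUIRED_MONITORED_ZONES = {"untrust", "trust", "wan"}

def audit(config: str) -> list[str]:
    """Return the design-rule violations found in a ScreenOS-style config."""
    zone_of, cost_of, monitored, acl_entries = {}, {}, set(), []
    for line in config.splitlines():
        if m := re.match(r"set interface (\S+) zone (\S+)", line):
            zone_of[m[1]] = m[2]
        elif m := re.match(r"set interface (\S+) protocol ospf cost (\d+)", line):
            cost_of[m[1]] = int(m[2])
        elif m := re.match(r"set nsrp monitor zone (\S+)", line):
            monitored.add(m[1])
        elif m := re.match(r"set access-list \d+ permit ip (\S+)/(\d+)", line):
            acl_entries.append((m[1], int(m[2])))
    findings = []
    # Rule 1: paired links into one zone need distinct costs so one is preferred.
    by_zone = defaultdict(list)
    for ifname, cost in cost_of.items():
        by_zone[zone_of.get(ifname, "?")].append(cost)
    for zone, costs in by_zone.items():
        if len(costs) > 1 and len(set(costs)) < len(costs):
            findings.append(f"zone {zone}: equal OSPF costs {costs}, no preferred link")
    # Rule 2: NSRP must monitor every zone the design depends on.
    for zone in sorted(REQUIRED_MONITORED_ZONES - monitored):
        findings.append(f"nsrp: zone {zone} is not monitored")
    # Rule 3: only /32 loopback routes may be exported from untrust-vr to trust-vr.
    for prefix, length in acl_entries:
        if length != 32:
            findings.append(f"export: {prefix}/{length} is not a /32 loopback route")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports three findings: the equal-cost trust links, the unmonitored WAN zone, and the /16 that would leak a whole subnet into the shared services core.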
The private WAN is deployed from the VPN firewalls to ensure that any traffic from the private WAN terminates
only to these firewalls, thereby securing the traffic. Besides using VPN, the firewalls also have integrated IPS to
secure traffic inside of the VPN. This approach reduces the possibility of any threats entering the data center or from