Table Of Contents
- Introduction
- Scope
- Design Considerations—Connectivity at the Branch Office
- Branch-Office Connectivity over IPsec VPN
- Design Recommendations
- Routing Information Protocol
- Traffic Load Balancing for Type B and Type C Branch Deployments
- Using Border Gateway Protocol for Large Networks
- Using OSPF for Small Number of Branch Offices
- Using Auto Connect VPN to Create Branch-to-Branch IPsec Tunnels
- High Availability for the Branch Office
- High Availability Requirement Levels (Link, Device, Device, and Link Levels)
- High Availability Functionalities
- High Availability for Branch Office Type A
- VPN Security Zone Configuration for Type A
- High Availability for Branch Office Type B
- Using Secure Services Gateway for Type B
- High Availability for Branch Office Type C
- Connectivity at the Data Center
- Implementing a High Availability Enterprise Network at the Data Center
- Quality of Service Design Requirements
- WX Design Requirements
- Summary
- Appendix A Related Documents
- Appendix B Naming Conventions
- Appendix C Products
- About Juniper Networks
- Figure 1: Connecting branch offices, campus locations, and data centers over a single converged network
- Figure 2: Branch office reference architecture
- Figure 3: Multi-tiered/layered network architecture
- Figure 4: Two-tier network design for data centers
- Figure 5: Branch with dual internet connections (load balancing using ECMP)
- Figure 6: BGP routing design
- Figure 7: Star topology – connecting branches to central hub
- Figure 8: AC VPN provisioned tunnels between branches in the same region
- Figure 9: Multi-tier topology
- Figure 10: HA configuration for Type A
- Figure 11: VPN security zone configuration for Type A
- Figure 12: Type B optimized – HA configuration
- Figure 13: Type B – security zones
- Figure 14: Type C – HA configuration
- Figure 15: Intra-branch using OSPF
- Figure 16: Branch Type C – security zones
- Figure 17: Enterprise network for the data center
- Figure 18: M Series Multiservice Edge Routers
- Figure 19: Internet firewalls
- Figure 20: VPN firewalls
- Figure 21: VPN firewall IPS policy

30 Copyright © 2010, Juniper Networks, Inc.
APPLICATION NOTE - Branch Office Connectivity Guide
Shared Services Core
The shared services core is the section of the network where all of the network components converge. It consists of
two shared services core switches, each configured for both routing and switching. All of the interfaces connected to
the firewalls are routed interfaces that participate with the firewalls in OSPF area 0.
Several server networks exist on the shared services switches. The switches provide the default gateway for the servers
through a Hot Standby Router Protocol (HSRP) interface, so the gateway address remains reachable if one switch fails.
The server networks are advertised (redistributed) into OSPF so that every device in the network can reach the servers.
If one switch fails, the remaining switch continues to advertise the server networks, so the rest of the network still has
a route to the servers.
High Availability Design of Firewalls
The high availability design of the firewalls incorporates two important design elements:
• Strong integration with dynamic routing - This allows each firewall to act as a router wherever the design needs one.
Each firewall has its own uniquely addressed IP interfaces, on which it runs OSPF.
• The use of a VSI where needed - The virtual security interface (VSI) is a shared interface between the two firewalls,
allowing a single interface and IP address to represent the cluster. Because the clusters use a mix of VSI and non-VSI
interfaces, this is called a mixed-mode cluster.
Dynamic routing determines the traffic path in this solution, and the design provides a dynamically available
environment. Each tier is deployed fully meshed, which gives every redundant device redundant paths: a single link
failure does not take a device out of service, which increases uptime and avoids withdrawing a path that is still viable.
In case of a failure, the network requires at least one additional redundant path to route around it. While this design
offers HA, adding a second data center further enhances HA, because you could lose an entire data center and still
have network operability.
Quality of Service Design Requirements
The following are the quality-of-service (QoS) design requirements associated with this implementation:
• When more than one service provider is used, each provider may require a different Differentiated Services Code
Point (DSCP) value for the same class of service. In this case, the interfaces connecting to the different service
providers should be assigned to different zones (Untrust1 and Untrust2). You can then configure a separate policy for
traffic destined to each provider, so that a different DSCP value is set depending on the destination zone (and
therefore the destination provider).
• Virtual channels are supported only on J Series platforms. Regional offices or data centers using M Series or
T Series routers therefore cannot provide per-branch queuing or shaping.
• When using Juniper Networks WX Series Application Acceleration Platforms, QoS is enforced by WX OS. This
effectively replaces virtual channels at the regional offices, because the WAN accelerators enforce a maximum
bandwidth on a per-tunnel basis.
• Traffic marking is currently not supported on AC VPN tunnels.
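The following ScreenOS fragment is an added example of the first requirement above (one untrust zone per provider so that each provider's policy can set its own DSCP value); it is not configuration taken from this guide. It assumes ScreenOS 6.x `set` syntax, the interface names ethernet0/1 and ethernet0/2, the provider-facing addresses 203.0.113.2/30 and 198.51.100.2/30, the predefined SIP service as the marked class, and DSCP 46 (EF) for provider 1 versus DSCP 34 (AF41) for provider 2. The addresses and DSCP values are placeholders; use the values each provider specifies. The lines beginning with `#` are explanatory comments for the reader and are not ScreenOS commands, so remove them before pasting.

```screenos
# Added example, not from the guide. Syntax, interface names, addresses and
# DSCP values are assumptions for illustration.

# One untrust zone per provider, each bound to its own uplink interface.
set zone name Untrust1
set zone name Untrust2
set interface ethernet0/1 zone Untrust1
set interface ethernet0/1 ip 203.0.113.2/30
set interface ethernet0/2 zone Untrust2
set interface ethernet0/2 ip 198.51.100.2/30

# Provider 1 expects the voice class marked EF (DSCP 46).
set policy id 10 from Trust to Untrust1 any any SIP permit traffic priority 0 dscp enable value 46

# Provider 2 expects the same class marked AF41 (DSCP 34). Because the
# destination zone differs, a separate policy can carry a different value.
set policy id 11 from Trust to Untrust2 any any SIP permit traffic priority 0 dscp enable value 34

# Remaining traffic to each provider is permitted without remarking.
set policy id 12 from Trust to Untrust1 any any ANY permit
set policy id 13 from Trust to Untrust2 any any ANY permit
```

The zone split is what makes the per-provider marking possible: a single Untrust zone would force one policy, and therefore one DSCP value, for both uplinks. Keep the marked policies (ids 10 and 11) above the catch-all policies (ids 12 and 13), because ScreenOS evaluates policies in order and the first match wins.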