Table Of Contents
- Introduction
- Scope
- Design Considerations—Connectivity at the Branch Office
- Branch-Office Connectivity over IPsec VPN
- Design Recommendations
- Routing Information Protocol
- Traffic Load Balancing for Type B and Type C Branch Deployments
- Using Border Gateway Protocol for Large Networks
- Using OSPF for Small Number of Branch Offices
- Using Auto Connect VPN to Create Branch-to-Branch IPsec Tunnels
- High Availability for the Branch Office
- High Availability Requirement Levels (Link, Device, Device, and Link Levels)
- High Availability Functionalities
- High Availability for Branch Office Type A
- VPN Security Zone Configuration for Type A
- High Availability for Branch Office Type B
- Using Secure Services Gateway for Type B
- High Availability for Branch Office Type C
- Connectivity at the Data Center
- Implementing a High Availability Enterprise Network at the Data Center
- Quality of Service Design Requirements
- WX Design Requirements
- Summary
- Appendix A Related Documents
- Appendix B Naming Conventions
- Appendix C Products
- About Juniper Networks
- Figure 1: Connecting branch offices, campus locations, and data centers over a single converged network
- Figure 2: Branch office reference architecture
- Figure 3: Multi-tiered/layered network architecture
- Figure 4: Two-tier network design for data centers
- Figure 5: Branch with dual internet connections (load balancing using ECMP)
- Figure 6: BGP routing design
- Figure 7: Star topology – connecting branches to central hub
- Figure 8: AC VPN provisioned tunnels between branches in the same region
- Figure 9: Multi-tier topology
- Figure 10: HA configuration for Type A
- Figure 11: VPN security zone configuration for Type A
- Figure 12: Type B optimized – HA configuration
- Figure 13: Type B – security zones
- Figure 14: Type C – HA configuration
- Figure 15: Intra-branch using OSPF
- Figure 16: Branch Type C – security zones
- Figure 17: Enterprise network for the data center
- Figure 18: M Series Multiservice Edge Routers
- Figure 19: Internet firewalls
- Figure 20: VPN firewalls
- Figure 21: VPN firewall IPS policy

Copyright © 2010, Juniper Networks, Inc. 31
APPLICATION NOTE - Branch Office Connectivity Guide
WX Design Requirements
Table 8 summarizes the WX Series design requirements. For detailed information pertaining to the WX Series Application Acceleration Platforms, refer to the WX Series/WXC Series WAN Acceleration: Implementing WAN Acceleration at the Branch Office application note.

Table 8: WX Series Design Requirements

| Requirements | Description |
| --- | --- |
| IPsec termination | Branch offices will encrypt all traffic sent to and received from the data centers/regional offices. |
| IPsec split tunneling | IPsec split tunneling splits the tunnel into two paths. One goes directly to the Internet or as clear text; the other goes over an encrypted link to the data center or the regional office. |
| UTM services | Traffic originated and terminated at a particular branch office must be inspected and processed by the firewall, Deep Inspection, antivirus, and content filtering modules. |
| Branch-to-branch communication | Branch-to-branch communication uses IPsec tunnels (using either manual configuration or Auto-Connect VPN). However, it is assumed that most of the branch-to-branch traffic will be used for voice communications and therefore does not need to be optimized. |
| Traffic classification and prioritization | Traffic must be classified and prioritized before being sent out to the WAN. See Quality of Service Implementation Guide for more details. |
| HA | It must be possible to integrate the WX Series devices in environments where high availability (HA) is required. Refer to Implementing HA at the branch for more information. |

Summary
This guide provides Juniper Networks design guidance and recommendations for creating a dynamically and highly
available network extending from the data center to branch locations. It provides direction in designing and deploying
an enterprise network that supports a maximum of 1,000 branch office locations and offers a dynamically available
network solution. For practical application of these concepts, see Implementing a High Availability Enterprise Network
for the Data Center.
Appendix C lists the product tables for the various Juniper Networks and Juniper partner product solutions that
support the design and deployment of high-performance enterprise networks.
Appendix A Related Documents
The following table provides a consolidated list of documents relevant to this design.

| Document Title |
| --- |
| Juniper Networks Enterprise Framework |
| Branch Office Reference Architecture |
| Implementing IPsec VPN for Branch Office Connectivity Using RIP |
| Implementing HA at the Branch Office |
| Implementing HA at the Enterprise Data Center to Connect to a Large Number of Branch Offices |
| WX Series/WXC Series WAN Acceleration: Implementing WAN Acceleration at the Branch Office |