manual
Table Of Contents
- Introduction
- Scope
- Design Considerations—Connectivity at the Branch Office
- Branch-Office Connectivity over IPsec VPN
- Design Recommendations
- Routing Information Protocol
- Traffic Load Balancing for Type B and Type C Branch Deployments
- Using Border Gateway Protocol for Large Networks
- Using OSPF for Small Number of Branch Offices
- Using Auto Connect VPN to Create Branch-to-Branch IPsec Tunnels
- High Availability for the Branch Office
- High Availability Requirement Levels (Link, Device, Device, and Link Levels)
- High Availability Functionalities
- High Availability for Branch Office Type A
- VPN Security Zone Configuration for Type A
- High Availability for Branch Office Type B
- Using Secure Services Gateway for Type B
- High Availabilty for Branch Office Type C
- Connectivity at the Data Center
- Implementing a High Availability Enterprise Network at the Data Center
- Quality of Service Design Requirements
- WX Design Requirements
- Summary
- Appendix A Related Documents
- Appendix B Naming Conventions
- Appendix C Products
- About Juniper Networks
- Figure 1: Connecting branch offices, campus locations, and data centers over a single converged network
- Figure 2: Branch office reference architecture
- Figure 3: Multi-tiered/layered network architecture
- Figure 4: Two-tier network design for data centers
- Figure 5: Branch with dual internet connections (load balancing using ECMP)
- Figure 6: BGP routing design
- Figure 7: Star topology – connecting branches to central hub
- Figure 8: AC VPN provisioned tunnels between branches in the same region
- Figure 9: Multi-tier topology
- Figure 10: HA configuration for Type A
- Figure 11: VPN security zone configuration for Type A
- Figure 12: Type B optimized – HA configuration
- Figure 13: Type B – security zones
- Figure 14: Type C – HA configuration
- Figure 15: Intra-branch using OSPF
- Figure 16: Branch Type C – security zones
- Figure 17: Enterprise network for the data center
- Figure 18: M Series Multiservice Edge Routers
- Figure 19: Internet firewalls
- Figure 20: VPN firewalls
- Figure 21: VPN firewall IPS policy
- Figure 2: Branch office reference architecture
Copyright © 2010, Juniper Networks, Inc. 33
APPLICATION NOTE - Branch Office Connectivity Guide
Appendix C Products
Product Tables
Product/Technology Type A - Basic Type B - Optimized Type C – Critical
Firewall/VPN with full UTM
features (antivirus, anti-
phishing, anti-spyware, anti-
adware, anti-keylogger, anti-
spam, Web filtering)
Uses integrated
security functionality in
the SSG Series
Uses integrated
security functionality in
the SSG Series
Uses integrated
security functionality in
the SSG Series
Routing Uses integrated routing
functionality in the SSG
Series
Uses integrated routing
functionality in the SSG
Series
Uses J Series
Unified threat management Integrated into
SSG Series
Integrated into
SSG Series
Integrated into
SSG Series
Unified access control Policy enforcement is integrated into the SSG Series firewall. Juniper
Networks IC Series Unified Access Control Appliances are typically deployed
at the data center or headquarters location.
WAN application acceleration — — WX Series/WXC Series
Centralized management NSM for security
Juniper Networks WX Central Management System for WAN application
acceleration
Junos Scope Software for enterprise routers
Centralized reporting
& control
Junos OS
Product Recommendation Based On Branch Office Profile
Small Small-
Medium
Medium Medium-Large Large
10 Users/BB 50 Users/T1-E1 100 Users/
MLPPP-MLFR
250 Users/
MLPP-MLFR
500 Users/DS3
Type A - basic SSG5 SSG20 SSG140 SSG320/350 SSG520 or
ISG1000
Type B - optimized 2 x SSG5 2 x SSG20 2 x SSG140 2 x SSG320/350 2 x SSG520 or
2 x ISG1000
Type C - critical 2 x SSG140 and
2 x J2350
2 x SSG320/350
and 2 x J2350
2 x SSG520 or
2 x ISG1000 and
2 x J4350
Partner Products
Symantec
Juniper Networks has teamed with Symantec Corporation to leverage its market-leading anti-spam solution for
Juniper’s small to medium office platforms to help slow the flood of unwanted email and the potential attacks they
carry. Part of a complete set of UTM features available on Juniper Networks firewall/VPN gateway, the anti-spam
engine filters incoming email for known spam and phishing users to act as a first line of defense. When a known
malicious email arrives, it is blocked and/or flagged so that the email server can take an appropriate action. Anti-
spam is available on the SSG Series as an annually licensed feature.