Table Of Contents
- Introduction
- Scope
- Design Considerations—Connectivity at the Branch Office
- Branch-Office Connectivity over IPsec VPN
- Design Recommendations
- Routing Information Protocol
- Traffic Load Balancing for Type B and Type C Branch Deployments
- Using Border Gateway Protocol for Large Networks
- Using OSPF for Small Number of Branch Offices
- Using Auto Connect VPN to Create Branch-to-Branch IPsec Tunnels
- High Availability for the Branch Office
- High Availability Requirement Levels (Link, Device, Device, and Link Levels)
- High Availability Functionalities
- High Availability for Branch Office Type A
- VPN Security Zone Configuration for Type A
- High Availability for Branch Office Type B
- Using Secure Services Gateway for Type B
- High Availability for Branch Office Type C
- Connectivity at the Data Center
- Implementing a High Availability Enterprise Network at the Data Center
- Quality of Service Design Requirements
- WX Design Requirements
- Summary
- Appendix A Related Documents
- Appendix B Naming Conventions
- Appendix C Products
- About Juniper Networks
- Figure 1: Connecting branch offices, campus locations, and data centers over a single converged network
- Figure 2: Branch office reference architecture
- Figure 3: Multi-tiered/layered network architecture
- Figure 4: Two-tier network design for data centers
- Figure 5: Branch with dual internet connections (load balancing using ECMP)
- Figure 6: BGP routing design
- Figure 7: Star topology – connecting branches to central hub
- Figure 8: AC VPN provisioned tunnels between branches in the same region
- Figure 9: Multi-tier topology
- Figure 10: HA configuration for Type A
- Figure 11: VPN security zone configuration for Type A
- Figure 12: Type B optimized – HA configuration
- Figure 13: Type B – security zones
- Figure 14: Type C – HA configuration
- Figure 15: Intra-branch using OSPF
- Figure 16: Branch Type C – security zones
- Figure 17: Enterprise network for the data center
- Figure 18: M Series Multiservice Edge Routers
- Figure 19: Internet firewalls
- Figure 20: VPN firewalls
- Figure 21: VPN firewall IPS policy

34 Copyright © 2010, Juniper Networks, Inc.
APPLICATION NOTE - Branch Office Connectivity Guide
Kaspersky
By integrating a best-in-class gateway antivirus offering from Kaspersky Lab, Juniper Networks integrated security
appliances can protect Web traffic, email, and webmail from file-based viruses, worms, backdoors, trojans, and
malware. Using policy-based management, inbound and outbound traffic can be scanned, thereby protecting
the network from attacks originating from outside the network, as well as those that originate from inside the
network. Unlike other integrated antivirus solutions that are packet or network signature-based, the Juniper and
Kaspersky solution deconstructs the payload and files of all types—evaluating them for potential viruses—and then
reconstructs them, sending them on their way.
The Juniper and Kaspersky solution detects and protects against over 100,000 viruses, worms, malicious backdoors,
dialers, keyboard loggers, password stealers, trojans, and other malicious code. Included in the joint solution is
a best-in-class detection of spyware, adware, and other malware-related programs. Unlike some solutions that
use multiple non-file-based scanners to detect different types of malware, this solution is based upon one unified,
comprehensive best-of-breed scanner, database, and update routine to protect against all malicious and malware-
related programs. Antivirus is available on the NetScreen-HSC, NetScreen-5GT Series, and the SSG Series as an
annually licensed feature.
SurfControl and Websense
All Internet content that is read, sent, or received carries inherent risks. Employee access to the Internet continues
to introduce new dangers and content that can negatively impact your company in four fundamental ways:
• Security Threats: Viruses, spyware, and other malware can all enter your network through web-based email, file
downloads, instant messaging, P2P applications, and other non-work-related sites.
• Legal Threats: Inappropriate content can lead to gender, minority, or religious harassment and discrimination.
Illegal downloading and distribution of copyrighted or illegal material over your network has legal liability issues
as well.
• Productivity Threats: The temptations of non-work-related Web destinations are endless. Just 20 minutes of
recreational surfing a day can cost a company with 500 employees over $8,000 per week (at $50/hour/employee).
• Network Threats: An employee can crash your network just by logging into the wrong website. Other activities,
such as recreational surfing and downloading MP3 files, can divert valuable bandwidth from critical business
needs.
To regulate inappropriate Web usage, Juniper Networks has teamed with both SurfControl and Websense to provide
either an integrated (on-box) or redirect (two boxes) web-filtering solution.
• Integrated Web filtering: This leverages an “in the cloud” architecture hosted by SurfControl’s certified hosting
partner. It allows enterprises to build Web access policies from the largest URL database (over 6 million pages)
spread across more than 40 categories. From the WebUI or Network and Security Manager, an administrator can
assemble firewall policies that incorporate and enforce Web access rights. Integrated Web filtering is available on
the NetScreen-HSC, NetScreen-5GT Series, NetScreen-25/50, and the SSG Series as an annually licensed feature.
• Redirect solution with SurfControl or Websense: Traffic is redirected from any of the firewall/VPN appliances to
a customer-hosted server running the web-filtering software where Web access grant/deny decisions are made
and executed. The customer is responsible for the server, the software, and the associated management of the
solution. Redirect Web filtering is supported across the entire product line.
Avaya IG550
The Avaya IG550 Integrated Gateway provides an additional choice in the Avaya line of Media Gateways. Enterprises
can now consolidate the number of devices that they deploy and manage in their branch offices. By embedding
Avaya Media Gateway functionality in Juniper Networks J4350 and J6350 Services Routers, Avaya and Juniper can
offer enterprises a one-box telephony, routing, and security solution. This solution provides high-sustained network
performance when under load, integrated voice and data security, and multilevel business continuity options. This
best-in-class solution is available through Avaya direct channel and certified Avaya and Juniper resellers.
The Avaya IG550 Integrated Gateway consists of two primary components: a Telephony Gateway Module (TGM) and
Telephony Interface Modules (TIMs).