manual
Table Of Contents
- Introduction
- Scope
- Design Considerations—Connectivity at the Branch Office
- Branch-Office Connectivity over IPsec VPN
- Design Recommendations
- Routing Information Protocol
- Traffic Load Balancing for Type B and Type C Branch Deployments
- Using Border Gateway Protocol for Large Networks
- Using OSPF for Small Number of Branch Offices
- Using Auto Connect VPN to Create Branch-to-Branch IPsec Tunnels
- High Availability for the Branch Office
- High Availability Requirement Levels (Link, Device, Device, and Link Levels)
- High Availability Functionalities
- High Availability for Branch Office Type A
- VPN Security Zone Configuration for Type A
- High Availability for Branch Office Type B
- Using Secure Services Gateway for Type B
- High Availabilty for Branch Office Type C
- Connectivity at the Data Center
- Implementing a High Availability Enterprise Network at the Data Center
- Quality of Service Design Requirements
- WX Design Requirements
- Summary
- Appendix A Related Documents
- Appendix B Naming Conventions
- Appendix C Products
- About Juniper Networks
- Figure 1: Connecting branch offices, campus locations, and data centers over a single converged network
- Figure 2: Branch office reference architecture
- Figure 3: Multi-tiered/layered network architecture
- Figure 4: Two-tier network design for data centers
- Figure 5: Branch with dual internet connections (load balancing using ECMP)
- Figure 6: BGP routing design
- Figure 7: Star topology – connecting branches to central hub
- Figure 8: AC VPN provisioned tunnels between branches in the same region
- Figure 9: Multi-tier topology
- Figure 10: HA configuration for Type A
- Figure 11: VPN security zone configuration for Type A
- Figure 12: Type B optimized – HA configuration
- Figure 13: Type B – security zones
- Figure 14: Type C – HA configuration
- Figure 15: Intra-branch using OSPF
- Figure 16: Branch Type C – security zones
- Figure 17: Enterprise network for the data center
- Figure 18: M Series Multiservice Edge Routers
- Figure 19: Internet firewalls
- Figure 20: VPN firewalls
- Figure 21: VPN firewall IPS policy
- Figure 2: Branch office reference architecture
Copyright © 2010, Juniper Networks, Inc. 3
APPLICATION NOTE - Branch Office Connectivity Guide
Table 1: Functionality, Features, and Capabilities of the Branch Office Types
Functionality Feature Capability Type A Type B Type C
Security
Unified Threat
Management
(UTM)
Deep Inspection • • •
Antivirus • • •
Web Filtering • • •
Firewall • • •
Connectivity WAN T1/E1 – • •
MPLS – – •
Broadband • • •
LAN Wired • • •
Wireless Optional Optional •
High availability Device
Redundancy
– • • •
Link
Redundancy
Optional Optional Optional •
Performance
optimization
WAN Acceleratiion WAN Acceleration
and Optimization
– – •
Manageability Juniper Networks
Junos
®
operating
system
Single OS
Site-wide Visibility
and Control
• • •
Branch Office Connectivity over IPsec VPN
As a best practice, Juniper Networks recommends using an IPsec VPN implementation to provide branch office
connectivity for the following major reasons:
• Satisfies standards-based compliance requirements with real-time and historical forensics and reporting
• Ensures network security at the branch office by deploying the same security solution that is at headquarters,
optimized for the branch
• Offers data confidentiality and integrity via unparallel availability, agility, security, and manageability
The recommended solution for connecting large numbers of branch offices onto the enterprise network is employed
through an IPsec-based VPN as a tunneling mechanism.
Design Recommendations
The following list summarizes the major design recommendations and their relationship to the branch types. Unless
otherwise stated, these recommendations employ the following functionalities for the three branch office types:
• Scalability: The routing design should be scalable. A medium-sized number of sites (100 to 1,000 sites) must be
deployable without significantly impacting the CPU resources or memory of the VPN devices.
• Redundancy: When redundant links are used, no single point of failure should exist. As depicted in the reference
architecture, head and regional offices have more than one connection to the public and private networks. In the
case of Type B and Type C branch offices, redundant paths must be provided to use all branch links to extend to
the external networks.
• Route Summarization: Address summarization should be performed whenever possible, as a large number of
remote sites are needed. Route summarization is important to reduce both the routing traffic and the memory
consumed in the routers.
• Network Address Translation (NAT): Remote sites can be connected behind NAT devices. Some small branches
and remote users share the Internet connectivity with other users, and in such cases, the IP addresses assigned
to them can be private.
• Load Balancing: Load balancing of customer traffic should be achieved. Remote sites with dual-homing
connections to the Internet are common. In those cases, optimum usage of both links is desirable while still
providing a backup path whenever a link goes down.