Chien-shun Chu
SPG Technical Marketing
November, 2006
Table of Contents
Scenario Topology: Single Point-to-Point WAN Connection - No VPN
Using QoS
Using QoS
Executive Summary
The Juniper Networks Secure Services Gateway (SSG) Family of purpose-built
security appliances delivers a perfect mix of performance, security and
LAN/WAN connectivity for branch office deployments of all sizes. Network traffic
is protected by proven ScreenOS functionality that includes a complete set of
Unified Threat Management (UTM) security features (Stateful firewall, IPSec
VPN, IPS, Antivirus, Anti-Spam, and Web Filtering).
Complementing the powerful UTM security features is a robust routing engine
that allows the SSG Family to be deployed as a traditional branch office router or
as a combination firewall and routing device to reduce capital and operational
expenses. The ScreenOS routing engine supports a wide range of routing
protocols (OSPF, BGP, RIPv1/2) and WAN encapsulations (PPP, MLPPP, FR,
MLFR, HDLC, ADSL and MLADSL).
This document outlines a series of routing deployment scenarios and
configuration examples, starting with a basic T1 connection using OSPF and
advancing to more elaborate configurations using MLPPP and MLFR. The
configuration commands required to implement each deployment scenario on
any one of the SSG Family platforms are included in that scenario.
[Figure: PC-2 and FW-1 on the HQ LAN (OSPF Area 55); router with T1 interface
on the HQ WAN (OSPF Area 0); T1 in various protocols (Cisco HDLC, PPP or Frame
Relay) to SSG-1 at the remote office (OSPF Area 56); PC-1 at the remote office.]
Using QoS
Like most traditional branch office routers, the SSG Family supports QoS,
allowing administrators to apply traffic shaping policies to traffic flowing in and
out of the branch office, thereby ensuring that key applications are not starved of
the bandwidth they require. There are four primary mechanisms for applying QoS
on the SSG Family.
Traffic shaping applies guaranteed bandwidth, policing bandwidth and maximum
bandwidth to all traffic crossing an interface, to specific applications, or to
both. When enabled at the policy level, QoS ensures that the application
receives its guaranteed bandwidth. There are three different traffic shaping
options available for each policy:
o Guaranteed bandwidth (gbw) means that the application within the policy is
assured this bandwidth.
o Policing bandwidth (pbw) means that the application within the policy
receives the allocated bandwidth.
o Maximum bandwidth (mbw) means that the matching traffic can never exceed
this rate.
Priority queuing is a feature that allows all users and applications to have
access to available bandwidth as they need it, while ensuring that important
traffic can get through, if necessary at the expense of less important traffic.
Priority queuing (eight levels) can be enabled in conjunction with guaranteed
bandwidth or on its own.
o Enforced via the QoS traffic hierarchy: the bandwidth requirement of the
highest-priority queue is satisfied before those of the lower-priority queues.
Ingress / egress policing is traffic control at the ingress and egress side of the
security device. By constraining the flow of traffic at the point of ingress, traffic
exceeding the configured bandwidth setting is treated with minimal processing,
conserving system resources.
o Drops packets if the rate exceeds the configured maximum bandwidth per
interface.
o Useful for classifying and marking different types of traffic (e.g., VoIP,
HTTP) so that a downstream device can perform QoS tasks.
In the example below, policy ID X is configured with gbw 128, meaning that
128 kbps of bandwidth is guaranteed for VoIP (SIP) traffic in the egress direction
(from the Trust zone to the Untrust zone). Policy Y is deployed to use the
leftover bandwidth from policy X.
set policy id X from "Trust" to "Untrust" "Subnet 1" "Subnet 2" "SIP" permit traffic gbw 128 priority 1
The sequence of the policies is important: policy X has to be the first policy,
followed by Y, because the SSG platform performs a first match on all ingress
packets. More specific policies should be placed at the top of the policy list so
that they are matched ahead of the broader policies.
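The first-match ordering described above can be checked before a policy list is pushed to a device. The following Python script is an added example, not code from the original document or from Juniper: it parses policies written in the page's set policy form, applies first match to a SIP flow, and flags any policy that an earlier, broader policy shadows. Policy Y's exact command is not on the page, so the catch-all form used for it here is an assumption.

```python
import re
from collections import namedtuple

# ScreenOS "set policy" form used on this page; "traffic gbw N" and "priority N" are optional.
POLICY_RE = re.compile(
    r'set policy id (?P<id>\S+) from "(?P<szone>[^"]+)" to "(?P<dzone>[^"]+)" '
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" (?P<action>permit|deny)(?P<rest>.*)$')

# gbw is the guaranteed bandwidth in kbps; priority is the queue 0..7 (0 is highest).
Policy = namedtuple("Policy", "id szone dzone src dst svc action gbw priority")

def parse_policy(line):
    m = POLICY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised policy line: {line!r}")
    gbw = re.search(r"\bgbw (\d+)", m["rest"])
    prio = re.search(r"\bpriority (\d+)", m["rest"])
    return Policy(m["id"], m["szone"], m["dzone"], m["src"], m["dst"], m["svc"], m["action"],
                  int(gbw[1]) if gbw else None, int(prio[1]) if prio else None)

def _covers(rule, value):
    return rule.lower() == "any" or rule == value

def matches(p, f):
    return (p.szone == f["szone"] and p.dzone == f["dzone"] and _covers(p.src, f["src"])
            and _covers(p.dst, f["dst"]) and _covers(p.svc, f["svc"]))

def first_match(policies, flow):
    # ScreenOS walks the policy list top-down and stops at the first match.
    return next((p for p in policies if matches(p, flow)), None)

def shadowed(policies):
    # A policy is unreachable when an earlier policy covers every field it could match.
    return [p.id for i, p in enumerate(policies)
            if any(q.szone == p.szone and q.dzone == p.dzone and _covers(q.src, p.src)
                   and _covers(q.dst, p.dst) and _covers(q.svc, p.svc) for q in policies[:i])]

# Constructed sample: X is the page's SIP policy; Y's command is not shown on the page,
# so it is assumed here to be a catch-all between the same subnets with no gbw.
CONFIG = [
    'set policy id X from "Trust" to "Untrust" "Subnet 1" "Subnet 2" "SIP" permit traffic gbw 128 priority 1',
    'set policy id Y from "Trust" to "Untrust" "Subnet 1" "Subnet 2" "ANY" permit',
]
SIP_FLOW = {"szone": "Trust", "dzone": "Untrust", "src": "Subnet 1", "dst": "Subnet 2", "svc": "SIP"}

def check(order):
    """Return (matching policy id, its gbw, shadowed policy ids) for the SIP flow."""
    pols = [parse_policy(line) for line in order]
    hit = first_match(pols, SIP_FLOW)
    return hit.id, hit.gbw, shadowed(pols)
```

With the page's order, check(CONFIG) reports that X matches with its 128 kbps guarantee and nothing is shadowed; with the order reversed, SIP traffic falls into Y with no guarantee and X is reported as unreachable.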
Note that QoS can be applied in the following WAN scenarios, on an interface or
per-policy basis:
o T1, E1, ISDN BRI S/T, DS3 or ADSL 2+ interfaces running PPP or HDLC
o T1, E1, ISDN BRI S/T, DS3 or ADSL 2+ interfaces running MLPPP
The variable nature of Frame Relay and Multilink Frame Relay dictates that
ScreenOS QoS cannot be applied when those encapsulations are in use.
[Figure: left, physical topology: headquarters (PC-2, FW-1, router with T1
interface) connected through the Internet to the branch offices (SSG-1, PC-1)
over a T1 running Cisco HDLC, PPP or Frame Relay; top right, logical topology:
OSPF Area 0 carried on the VPN tunnels between FW-1 and the branch office
SSG-1.]
A route-based VPN tunnel interface and the serial interface on SSG-1 are
placed in the Untrust zone, while the Ethernet interface at each branch office is
placed in the Trust zone. The system administrator can then build policies for
the different types of traffic flowing from the Trust zone to the Untrust zone.
Traffic that uses the tunnel interface is encrypted into the IPSec VPN, while
other traffic can be transmitted in plain text to a destination on the Internet.
The picture on the left shows how this solution is implemented. The picture on
the top right shows the logical topology of the solution: the VPN tunnels from
all branch offices are placed into OSPF Area 0, so FW-1 can map traffic to the
proper tunnel interface and reach the remote branch offices.
Using QoS
In this QoS example, three different types of traffic are used:
o Traffic that does not match either policy X or Y (web, ping, etc. to the
Internet) uses the remaining bandwidth on the WAN interface via policy Z.
[Figure: FW-1 on the HQ LAN (OSPF Area 55); 2 x routers with T1 interfaces on
the HQ WAN (OSPF Area 0) connected by 2 x T1s to SSG-1 at the remote office
(OSPF Area 56); PC-1 at the remote office.]
Please refer to the previous example for the appropriate OSPF, HDLC, PPP and
Frame Relay configuration commands.
OSPF and Static Route Configuration Commands:
[Figure: headquarters (PC-2, FW-1, 2 x routers with T1 interfaces) connected via
ISP networks / Internet to SSG-1 with 2 x T1s at the remote office; PC-1 at the
remote office.]
resiliency of the connection. Note that the PPP links in an MLPPP bundle cannot
be split across multiple devices: the whole bundle must terminate on the same
source and/or destination device.
In the event that interface failover (T1 primary to T1 secondary) occurs, sessions
and connections that were in progress during the failover are maintained when
using MLPPP.
[Figure: PC-2 and FW-1 on the HQ LAN (OSPF Area 55); Router-1 on the HQ WAN
(OSPF Area 0) connected to SSG-1 at the remote office (OSPF Area 56) by 2 x T1s
in an MLPPP bundle; PC-1 at the remote office.]
[Figure: left, physical topology: PC-2 and FW-1 on the HQ LAN (OSPF Area 55),
Router-1 on the HQ WAN (OSPF Area 0); SSG-1 at the remote office with an
Ethernet interface (VPN over Ethernet / xDSL) and a serial interface (VPN over
serial interface); PC-1 at the remote office. Right, logical topology: two VPN
tunnels between SSG-1 and FW-1, remote office in OSPF Area 55.]
The left-hand diagram illustrates the physical connection at the remote site.
SSG-1 employs a dual connection: one xDSL/Cable connection (via Ethernet to
SSG-1) and one point-to-point leased line to corporate headquarters. Under
normal conditions, all unencrypted traffic is transmitted via the xDSL/Cable
link, while the serial interface provides the IPSec tunnel back to headquarters.
Traffic is moved to the surviving link if either the xDSL/Cable connection or the
leased line goes down.
The right-hand diagram illustrates the logical connections: two VPN tunnels
between SSG-1 and FW-1. The VPN over the serial interface carries a manually
assigned lower cost and is therefore selected by OSPF as the preferred route
between PC-1 and PC-2. The VPN over xDSL/Cable is selected if the connection
over the serial interface is broken.
Unencrypted traffic uses xDSL/Cable as the primary connection. If the
xDSL/Cable connection is unavailable, a default route (Internet connection) from
headquarters is advertised via OSPF to SSG-1; in this scenario, SSG-1 can use
the serial interface to reach the Internet. The QoS commands are the same as
those used in the previous configuration examples.
Frame Relay
o Ensure that the Frame Relay LMI type and DLCI agree with the settings
provided by the service provider.
o Use debug frame all to see the Frame Relay messages. Pay special attention to
LMI-related messages.