WAN Routing Configuration Examples for the Secure Services Gateway Family


Application Note

WAN Routing Configuration Examples for the Secure Services Gateway Family

Chien-shun Chu
SPG Technical Marketing
November, 2006

Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA or 888 JUNIPER
Part number:

Table of Contents

Scenario Topology: Single Point-to-Point WAN Connection - No VPN
  Using QoS
  Using Cisco HDLC WAN encapsulation
  Using PPP WAN encapsulation
  Using Frame Relay WAN encapsulation
  Configuration Commands: HDLC, MLPPP, MLFR
    Cisco HDLC Configuration Commands
    PPP Configuration Commands
    Frame Relay Configuration Commands
    OSPF Configuration Commands
    QoS Configuration Commands
Scenario Topology: Single point-to-point WAN Connection -- VPN
  Using QoS
  Using HDLC, PPP, or Frame Relay WAN encapsulations
    HDLC, PPP and Frame Relay Configuration Commands
    VPN Tunnel Interface Configuration Commands
    OSPF and Static Route Configuration Commands
    QoS Configuration Commands
Scenario Topology: Dual T1 Interfaces Across Private Lines
  Using QoS in the Configuration
  Configuration Commands: Dual T1 With Private Lines
    HDLC, PPP and Frame Relay Configuration Commands
    OSPF and Static Route Configuration Commands
    QoS configuration commands
Scenario Topology: Dual T1 With ISP Redundancy
    HDLC, PPP and Frame Relay Configuration Commands
    OSPF and Static Route Configuration Commands
    QoS configuration commands
  Using MLPPP (RFC1990) in a Dual T1 Configuration
  Using MLFR in a Dual T1 Configuration
  Configuration Commands: Dual T1 With ISP Redundancy
    MLPPP Configuration Commands
    MLFR Configuration Commands
    VPN Configuration Commands
    OSPF Configuration Commands
    QoS Configuration Commands
Scenario Topology: Mix-and-match WAN interfaces
  Configuration Commands: Mix and Match WAN Interfaces
    Interface Configuration Commands
    VPN Configuration Commands
    OSPF Configuration Commands
    QoS Configuration Commands
Appendix 1: Troubleshooting and Debug commands

Copyright 2006, Juniper Networks, Inc

Executive Summary

The Juniper Networks Secure Services Gateway (SSG) Family of purpose-built security appliances delivers a perfect mix of performance, security and LAN/WAN connectivity for branch office deployments of all sizes. Network traffic is protected by proven ScreenOS functionality that includes a complete set of Unified Threat Management (UTM) security features (Stateful firewall, IPSec VPN, IPS, Antivirus, Anti-Spam, and Web Filtering). Complementing the powerful UTM security features is a robust routing engine that allows the SSG Family to be deployed as a traditional branch office router or as a combination firewall and routing device to reduce capital and operational expenses. The ScreenOS routing engine supports a wide range of routing protocols (OSPF, BGP, RIPv1/2) and WAN encapsulations (PPP, MLPPP, FR, MLFR, HDLC, ADSL and MLADSL).

This document outlines a series of routing deployment scenarios and configuration examples, starting with a basic T1 connection using OSPF and advancing to more elaborate configurations using MLPPP and MLFR. The configuration commands required to implement the deployment scenarios on any one of the SSG Family platforms are included in each scenario.

Scenario Topology: Single Point-to-Point WAN Connection - No VPN

In this scenario, a single WAN interface is used to establish a clear text (no VPN) point-to-point connection over a T1 interface. Any one of the three WAN encapsulations can be used: HDLC, PPP or Frame Relay. The WAN interfaces are configured in the untrust zone while the LAN / Ethernet interfaces are configured in the trust zone.

[Figure: PC-2 and FW-1 on the HQ LAN (OSPF Area 55); router with T1 interface on the HQ WAN (OSPF Area 0); T1 in various protocols (Cisco HDLC, PPP or Frame Relay); SSG-1 and PC-1 at the Remote Office (OSPF area)]

Using QoS

Like most traditional branch office routers, the SSG Family supports QoS, allowing administrators to apply traffic shaping policies to traffic flowing in and out of the branch office, thereby ensuring that key applications are not starved of required bandwidth. There are four primary mechanisms for applying QoS on the SSG family.

Traffic Shaping applies guaranteed bandwidth, policied bandwidth and maximum bandwidth to all traffic crossing an interface, to specific applications or to both. When enabled at the policy level, QoS ensures that the application receives its guaranteed bandwidth. There are three different traffic shaping options available for each policy:
- Guaranteed bandwidth (gbw) means that regardless of what else happens in the device, this rate is guaranteed to the appropriate traffic.
- Policied bandwidth (pbw) means that the application within the policy receives the allocated bandwidth.
- Maximum bandwidth (mbw) means that the appropriate traffic can never exceed this rate.

Priority queuing is a feature that allows all your users and applications to have access to available bandwidth as they need it, while ensuring that important traffic can get through, if necessary at the expense of less important traffic. Priority queuing (eight levels) can be enabled in conjunction with guaranteed bandwidth or in a stand-alone manner.
- Up to 8 separate traffic queues for traffic of different priorities.
- Enforced via the QoS traffic hierarchy; that is, the bandwidth requirement of the highest priority queue is satisfied before lower priority queues.

Ingress / egress policing is traffic control at the ingress and egress side of the security device. By constraining the flow of traffic at the point of ingress, traffic exceeding your bandwidth setting is treated with minimal processing, conserving system resources.
- Packets are dropped if the rate exceeds the configured maximum bandwidth per interface.
- Useful to prevent attacks or floods, as well as to budget bandwidth among interfaces.

DSCP (DiffServ Codepoint Marking), also known as DiffServ marking/stamping, governs how traffic is processed by downstream devices (routers). DSCP can be enabled in conjunction with traffic shaping or independently.
- By default, the IP Precedence bits are overwritten based on priority and the rest of the bits are left intact.
- Useful in classifying and marking different types of traffic (e.g., VoIP, http) so that the downstream device can perform QoS tasks.

In the example below, policy ID X has a configuration of gbw 128, meaning that 128KBs bandwidth is guaranteed for VoIP (SIP) traffic in the egress direction (from trust zone to untrust zone). Policy Y is deployed to use leftover bandwidth from policy X.

set policy id X from "Trust" to "Untrust" "Subnet 1" "Subnet 2" "SIP" permit traffic gbw 128 priority 1
set policy id Y from "Trust" to "Untrust" "Any" "Any" "ANY" permit

The sequence of the policies is important. That is, policy X has to be the first policy, followed by Y, because the SSG platform performs a first match on all ingress packets. Specific policies should be placed at the top of the policy list so that they are matched ahead of the other policies.

Note that QoS can be applied in the following WAN scenarios on an interface or per policy basis:
- T1, E1, ISDN BRI S/T, DS3 or ADSL 2+ interface running PPP or HDLC
- T1, E1, ISDN BRI S/T, DS3 or ADSL 2+ interfaces running MLPPP
- Serial running PPP (assuming fixed bandwidth)

The variable nature of Frame Relay and Multilink Frame Relay dictates that ScreenOS QoS cannot be applied when those encapsulations are in use.

Using Cisco HDLC WAN encapsulation

HDLC is the default WAN interface encapsulation protocol on Cisco routers. Through its HDLC support, the SSG Family can fully interoperate with Cisco routers. In this scenario, OSPF is running on the WAN interface as well as the Ethernet interface of the SSG.

Using PPP WAN encapsulation

Whereas Cisco HDLC is a proprietary extension of the ISO standard HDLC and is not universally supported when interfacing with a non-Cisco router, PPP (Point-to-Point Protocol) is a standard defined by IETF RFC. It is supported by all vendors (including Cisco) and as such can interoperate with a wider range of 3rd party network appliances. The configuration on the SSG to support PPP is fairly straightforward. A PPP profile is defined (via the set ppp profile command) to outline key PPP related parameters (e.g., authentication and addressing method). Other configuration tasks such as QoS and OSPF (if needed) are identical to the HDLC configuration.

Using Frame Relay WAN encapsulation

Frame Relay, like PPP, is a common and widely supported WAN protocol. There is very little difference between Frame Relay and PPP in terms of configuration. See the configuration commands below.

Configuration Commands: HDLC, MLPPP, MLFR

Cisco HDLC Configuration Commands:

set interface "ethernet0/0" zone "Trust"
set interface "serial1/0" zone "Trust"

set interface "serial1/1" zone "Untrust"
set interface "serial1/0" encap cisco-hdlc
set interface serial1/0 ip /24

PPP Configuration Commands:

set interface "ethernet0/0" zone "Trust"
set interface "serial1/0" zone "Untrust"
set interface "serial1/0" encap ppp
set interface serial1/0 ip /24
set ppp profile "PPP1"
set ppp profile "PPP1" netmask
set ppp profile "PPP1" static-ip
set interface "serial1/0" ppp profile PPP1

Frame Relay Configuration Commands

set interface "serial1/0" zone "Untrust"
set interface "serial1/0.10" zone "Untrust"
set interface "serial1/0" encap frame-relay
set interface serial1/0.10 ip /24
set interface "serial1/0.10" frame-relay dlci 100
set interface "serial1/0.10" frame-relay inverse-arp

OSPF Configuration Commands:

set interface serial1/0 protocol ospf area
set interface serial1/0 protocol ospf enable
set interface serial1/0 protocol ospf retransmit-interval 5
set interface serial1/0 protocol ospf cost 64
set interface ethernet0/1 protocol ospf area
set interface ethernet0/1 protocol ospf enable
set interface ethernet0/1 protocol ospf retransmit-interval 5
set interface ethernet0/1 protocol ospf cost 10

QoS Configuration Commands:

set policy id 1 name "SIP" from "Trust" to "Untrust" "Any" "Any" "SIP" permit traffic gbw 128 priority 7
set policy id 1
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2

Scenario Topology: Single point-to-point WAN Connection -- VPN

Adding a VPN tunnel to the previous example is a simple matter of inserting the necessary VPN tunnel configuration commands. The protocol used can be Cisco HDLC, PPP or Frame Relay. The SSG-1 will have a static route to the ISP router (default gateway) for all the traffic generated from the branch office: IPsec VPN, web, ftp, etc. The IPSec VPN traffic will be transported via the Internet and reach FW-1 at headquarters.

ScreenOS provides two different mechanisms for building an IPSec VPN: route-based VPN or policy-based VPN. A route-based VPN allows tunnel interfaces to act as IPSec VPN tunnels, while a policy-based VPN utilizes other policies within ScreenOS to trigger IPSec VPN connections. In cases where there are many branch offices, scalability can be addressed by using route-based VPNs with routing protocols, for example OSPF on all of the VPN tunnels. OSPF leverages the dynamic routing function while minimizing operational and administrative tasks.

A route-based VPN tunnel interface as well as the serial interface on SSG-1 are placed in the untrust zone, while the Ethernet interfaces at branch offices are defined in the trust zone. The system administrator can build policies for different types of traffic between the trust and untrust zones. Traffic that uses the tunnel interface will be encrypted into the IPSec VPN, while other traffic can be transmitted in plain text to a destination on the Internet.

[Figure, left: Headquarter with PC-2, FW-1 and a router with T1 interface; Internet; T1 in various protocols (Cisco HDLC, PPP or Frame Relay); SSG-1 and PC-1 at the Branch Office]
[Figure, top right: logical topology with FW-1 and PC-2 at Headquarter, OSPF Area 0 on the VPN tunnels, and PC-1 at each of the Branch Offices]

The picture on the left shows how this solution is implemented. The picture on the top right shows the logical topology of this solution -- VPN tunnels from all branch offices are placed into OSPF area 0. Thus, FW-1 will be able to map the traffic to the proper tunnel interface and reach the remote branch offices.

Using QoS

In this QoS example, three different types of traffic are used:

Voice: Reserve 128Kbs for SIP over VPN on SSG-1 via
set policy id X from "Trust" to "Untrust" "PC-1 Subnet" "PC-2 Subnet" "SIP" permit traffic gbw 128 priority 1

VPN: Assign priority to VPN traffic over plain-text traffic via
set policy id Y from "Trust" to "Untrust" "PC1 Subnet" "PC1 Subnet" "ANY" permit priority 2

Non-VPN Traffic: leftover from previous policies via
set policy id Z from "Trust" to "Untrust" "Any" "Any" "ANY" permit

The key difference between policies X, Y and Z is the source and destination of packets. Packets matching the PC-1 subnet as source and the PC-2 subnet as destination will use the tunnel interface as defined via static route. All packets that are routed over the tunnel interface will be encrypted. VoIP calls will match policy X and have 128KBs reserved on the IPSec VPN tunnel. No bandwidth is guaranteed via policy Y; however, all packets that match policy Y will be placed into the queue with priority 2. Those packets will have a lower priority than VoIP packets (defined in policy X) but a higher priority than packets in policy Z (non-encrypted packets). Packets that do not match either policy X or Y (web, ping, etc. to the Internet) will utilize the remaining bandwidth on the WAN interface via policy Z.

Using HDLC, PPP, or Frame Relay WAN encapsulations

As in the previous example, the SSG Family can support Cisco HDLC, PPP and Frame Relay, thereby ensuring interoperability with other networking components. Please refer to the previous example for appropriate HDLC, PPP and Frame Relay configuration commands.

HDLC, PPP and Frame Relay Configuration Commands:

Please refer to the previous example for appropriate OSPF, HDLC, PPP and Frame Relay configuration commands.

VPN Tunnel Interface Configuration Commands:

set ike gateway "VPN to HQ" address x.x.x.x Main outgoing-interface "serial1/0.10" preshare "xxx" sec-level standard
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip /24
set vpn "VPN to SSG-550" gateway "VPN to HQ" no-replay tunnel idletime 0 sec-level standard
set vpn "VPN to SSG-550" id 1 bind interface tunnel.1

OSPF and Static Route Configuration Commands

set route PC-2_subnet interface tunnel.1 preference 20
set route /0 interface serial1/0 gateway preference 20
set interface tunnel.1 protocol ospf area
set interface tunnel.1 protocol ospf enable
set interface tunnel.1 protocol ospf cost 10

QoS Configuration Commands:

set policy id 1 name "SIP via VPN" from "Trust" to "Untrust" "Any" "Any" "SIP" permit traffic gbw 128 priority 1
set policy id 1
set policy id 2 from "Trust" to "Untrust" "PC1 Subnet" "PC1 Subnet" "ANY" permit gbw 0 priority 2
set policy id 2
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 3
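
The first-match behaviour described for policies X, Y and Z can be checked offline before a configuration is loaded. The following Python sketch is an added example, not part of the original application note or of ScreenOS: it parses `set policy` lines in the order they appear, reports policies that can never match because an earlier policy already covers them, and shows which policy a given flow would hit. It assumes that line order equals evaluation order and compares address and service names by name only, with "Any"/"ANY" treated as wildcards; the numeric policy ids and the sample configurations are constructed.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

WILDCARDS = {"any"}  # "Any" (address) and "ANY" (service), compared case-insensitively


@dataclass
class Policy:
    pid: str
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str
    action: str
    gbw: Optional[int]       # guaranteed bandwidth, if configured
    priority: Optional[int]  # priority queue, if configured


def _opt(opts: List[str], key: str) -> Optional[int]:
    """Return the integer that follows `key` in the option list, if present."""
    if key in opts[:-1]:
        value = opts[opts.index(key) + 1]
        return int(value) if value.isdigit() else None
    return None


def parse_policies(config_text: str) -> List[Policy]:
    """Parse 'set policy id N ... from Z to Z src dst svc action' lines, in order."""
    policies = []
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:      # unbalanced quote: skip the line rather than guess
            continue
        if tok[:3] != ["set", "policy", "id"] or "from" not in tok:
            continue            # also skips the bare 'set policy id N' context lines
        i = tok.index("from")
        if len(tok) < i + 8 or tok[i + 2] != "to":
            continue
        src, dst, service, action = tok[i + 4:i + 8]
        opts = tok[i + 8:]
        policies.append(Policy(tok[3], tok[i + 1], tok[i + 3], src, dst, service,
                               action, _opt(opts, "gbw"), _opt(opts, "priority")))
    return policies


def _covers(broad: str, narrow: str) -> bool:
    """True if the field `broad` matches everything the field `narrow` matches."""
    return broad.lower() in WILDCARDS or broad.lower() == narrow.lower()


def first_match(policies: List[Policy], from_zone: str, to_zone: str,
                src: str, dst: str, service: str) -> Optional[Policy]:
    """Return the first policy in list order that matches the flow, else None."""
    for p in policies:
        if (p.from_zone.lower() == from_zone.lower()
                and p.to_zone.lower() == to_zone.lower()
                and _covers(p.src, src) and _covers(p.dst, dst)
                and _covers(p.service, service)):
            return p
    return None


def shadowed(policies: List[Policy]) -> List[Tuple[str, str]]:
    """List (shadowed_id, shadowing_id) for policies fully covered by an earlier one."""
    hits = []
    for j, later in enumerate(policies):
        earlier = first_match(policies[:j], later.from_zone, later.to_zone,
                              later.src, later.dst, later.service)
        if earlier is not None:
            hits.append((later.pid, earlier.pid))
    return hits


# Constructed sample: policies X, Y, Z from the text, most specific first.
GOOD_ORDER = '''
set policy id 1 name "SIP via VPN" from "Trust" to "Untrust" "PC-1 Subnet" "PC-2 Subnet" "SIP" permit traffic gbw 128 priority 1
set policy id 1
set policy id 2 from "Trust" to "Untrust" "PC-1 Subnet" "PC-2 Subnet" "ANY" permit priority 2
set policy id 2
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 3
'''

# Constructed sample: the same policies with the catch-all listed first.
BAD_ORDER = '''
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1 name "SIP via VPN" from "Trust" to "Untrust" "PC-1 Subnet" "PC-2 Subnet" "SIP" permit traffic gbw 128 priority 1
set policy id 2 from "Trust" to "Untrust" "PC-1 Subnet" "PC-2 Subnet" "ANY" permit priority 2
'''

if __name__ == "__main__":
    for label, text in (("specific first", GOOD_ORDER), ("catch-all first", BAD_ORDER)):
        pols = parse_policies(text)
        hit = first_match(pols, "Trust", "Untrust", "PC-1 Subnet", "PC-2 Subnet", "SIP")
        print(f"{label}: SIP flow hits policy {hit.pid} (gbw={hit.gbw}); "
              f"shadowed={shadowed(pols)}")
```

With the catch-all policy listed first, the SIP flow never reaches the policy carrying gbw 128, so the guaranteed bandwidth and priority settings are silently unused.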

Scenario Topology: Dual T1 Interfaces Across Private Lines

In this scenario, two T1 interfaces are configured to provide redundancy at the WAN interface level using the OSPF routing protocol over private lines. Both T1s from SSG-1 are active, with SSG-1 making traffic decisions over the T1s via OSPF in order to make best use of both links. ECMP should be enabled (set max-ecmp-routes) in order to use both T1s as valid OSPF routes and perform load balancing across the interfaces.

[Figure: PC-2 and FW-1 on the HQ LAN (OSPF Area 55); 2 x routers with T1 interface on the HQ WAN (OSPF Area 0); 2 x T1s; SSG-1 and PC-1 at the Remote Office (OSPF area)]

Using QoS in the Configuration

The policies are defined with the Ethernet interface of SSG-1 in the trust zone and both T1 interfaces in the untrust zone. Two types of traffic are defined in the policy settings of SSG-1:

Voice: reserve 128Kb/s on SSG-1 for SIP packets via
set policy id X from "Trust" to "Untrust" "PC-1 Subnet" "PC-2 Subnet" "SIP" permit traffic gbw 128 priority 1

Data (other packets): leftover from VoIP via
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit

Please refer to previous examples of QoS configurations for detailed explanations of these two policies.

Configuration Commands: Dual T1 With Private Lines

Listed below are the key configuration components that can be added to the SSG Family configurations when using dual T1 interfaces over private lines. As in the previous example, the SSG Family can support Cisco HDLC, PPP and Frame Relay, thereby ensuring interoperability with other networking components. Please refer to the previous example for appropriate HDLC, PPP and Frame Relay configuration commands.

HDLC, PPP and Frame Relay Configuration Commands:

Please refer to the previous example for appropriate OSPF, HDLC, PPP and Frame Relay configuration commands.

OSPF and Static Route Configuration Commands:

set route /0 interface serial1/0 gateway
set route /0 interface serial1/1 gateway
set interface serial1/0 protocol ospf area
set interface serial1/0 protocol ospf enable
set interface serial1/0 protocol ospf retransmit-interval 5
set interface serial1/0 protocol ospf cost 64
set interface serial1/1 protocol ospf area
set interface serial1/1 protocol ospf enable
set interface serial1/1 protocol ospf retransmit-interval 5
set interface serial1/1 protocol ospf cost 64
set interface ethernet0/1 protocol ospf area
set interface ethernet0/1 protocol ospf enable
set interface ethernet0/1 protocol ospf retransmit-interval 5
set interface ethernet0/1 protocol ospf cost 1

QoS configuration commands:

set policy id 1 name "SIP " from "Trust" to "Untrust" "Any" "Any" "SIP" permit traffic gbw 128 priority 1
set policy id 1
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 3

Scenario Topology: Dual T1 With ISP Redundancy

This scenario expands upon the previous example, using VPN tunnels across dual T1s, each of which connects to a separate ISP. Utilizing the ISP infrastructure as opposed to private lines allows enterprise customers to use inexpensive WAN links to establish a secure and low-cost connectivity solution.

The T1 interfaces in SSG-1 are classified into the untrust zone. Two static routes are defined on SSG-1 pointing to routers owned by the ISPs as default gateways to reach hosts on the Internet (e.g., google.com) as well as headquarters. ECMP is used in order for the SSG to take advantage of both T1 links.

Using the Internet provides fully meshed connectivity between both SSGs, since there are cases where one T1 on an SSG is down but the SSG is still reachable via the 2nd T1. A loopback interface serves as the anchor for the VPN so that the VPN can be routed over either one of the T1 connections. OSPF is the recommended protocol on the IPSec VPN (tunnel) interfaces, as stated in the single T1 scenario. This eases the management of a large-scale IPSec VPN tunnel roll-out because OSPF will discover redundant VPN routes automatically in the event that one ISP connection fails.

[Figure: PC-2 and FW-1 at Headquarter; 2 x routers with T1 interface; ISP Networks / Internet; SSG-1 with 2 x T1s and PC-1 at the Remote Office]

A route-based VPN is used in this application because a policy-based VPN does not allow multiple policies (VoIP over VPN and regular VPN) to be built between the same source and destination. Tunnels are required for a route-based VPN, with tunnel interfaces assigned to the untrust zone. QoS commands from the previous section can be applied if QoS is desired.

HDLC, PPP and Frame Relay Configuration Commands:

Please refer to the previous example for appropriate OSPF, HDLC, PPP and Frame Relay configuration commands.

OSPF and Static Route Configuration Commands:

set route /24 interface serial1/0 gateway
set route /24 interface serial1/1 gateway
set route /24 interface tunnel.1
set interface tunnel.1 protocol ospf area
set interface tunnel.1 protocol ospf enable
set interface tunnel.1 protocol ospf retransmit-interval 5
set interface tunnel.1 protocol ospf cost 10

QoS configuration commands:

set policy id 1 name "SIP " from "Trust" to "Untrust" "Any" "Any" "SIP" permit traffic gbw 128 priority 1
set policy id 1
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 3

Using MLPPP (RFC1990) in a Dual T1 Configuration

Multilink PPP (MLPPP) is a method of enabling one or more physical (PPP) interfaces to be aggregated into a bundle. Packet sessions can be split, recombined and re-sequenced across the MLPPP bundle, thereby improving resiliency of the connection. Note that the PPP links in an MLPPP bundle cannot be split across multiple devices; the MLPPP bundle must be on the same source and/or destination device. In the event that interface failover (T1 primary to T1 secondary) occurs, sessions and connections that were in process during the failover are maintained when using MLPPP.

[Figure: PC-2 and FW-1 on the HQ LAN (OSPF Area 55); Router-1 on the HQ WAN (OSPF Area 0); 2 x T1s in MLPPP bundle; SSG-1 and PC-1 at the Remote Office (OSPF area)]

In cases where the SSG is connecting to a non-SSG platform, it is important to note that ScreenOS on the SSG Family does not support PPP, TCP or UDP compression over MLPPP. To ensure interoperability, MLPPP compression will need to be disabled on those (non-SSG Family) devices that support compression.

Route-based VPNs were used for the VPN application of MLPPP in order to provide QoS via policies for different traffic: SIP or regular data packets. ip unnumbered was used on the tunnel interfaces in order to conserve IP addresses. QoS commands are the same as those used in the previous configuration example.

Using MLFR in a Dual T1 Configuration

Multilink Frame Relay (MLFR) in ScreenOS is based on the Frame Relay Forum FRF.16, Multilink Frame Relay UNI/Network-to-Network Interface (NNI) Implementation Agreement. Like MLPPP, this feature provides a cost-effective way to increase bandwidth and resiliency for particular applications by enabling multiple serial links to be aggregated into a single bundle of bandwidth. Like MLPPP, MLFR requires PVCs to be sourced and terminated on the same chassis.

Configuration Commands: Dual T1 With ISP Redundancy

MLPPP Configuration Commands:

set interface "ethernet0/1" zone "Trust"
set interface "serial1/0" zone "Untrust"
set interface "serial1/1" zone "Untrust"
set interface "ml1" zone "Untrust"
set interface "tunnel.1" zone "Trust"

set interface "ml1" encap mlppp
set interface ethernet0/1 ip /24
set interface ml1 ip /24
set interface tunnel.1 ip /24
set ppp profile "MLPPP1"
set ppp profile "MLPPP1" netmask
set ppp profile "MLPPP1" static-ip
set interface "ml1" ppp profile MLPPP1
set interface serial1/0 bundle ml1
set interface serial1/1 bundle ml1

MLFR Configuration Commands:

set interface "ethernet0/1" zone "Trust"
set interface "serial1/0" zone "Untrust"
set interface "serial1/1" zone "Untrust"
set interface "ml2" zone "Untrust"
set interface "ml2.1" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface "ml2" encap mlfr-uni-nni
set interface ethernet0/1 ip /24
set interface ml2.1 ip /24
set interface tunnel.1 ip unnumbered interface ethernet0/1
set interface serial1/0 bundle ml2
set interface serial1/1 bundle ml2
set interface "ml2.1" frame-relay dlci 100
set interface "ml2.1" frame-relay inverse-arp

VPN Configuration Commands:

set ike gateway "VPN to 56" address Main outgoing-interface "ml1" preshare "bxp4jazbnmajresxw6cn6earhqnoft8tdq==" sec-level standard
set vpn "VPN to 56" gateway "VPN to 56" no-replay tunnel idletime 0 sec-level standard
set vpn "VPN to 56" id 4 bind interface tunnel.1

OSPF Configuration Commands:

set interface ethernet0/1 protocol ospf area
set interface ethernet0/1 protocol ospf enable
set interface ethernet0/1 protocol ospf retransmit-interval 5
set interface ethernet0/1 protocol ospf cost 1
set interface ml1 protocol ospf area
set interface ml1 protocol ospf enable
set interface ml1 protocol ospf retransmit-interval 5
set interface ml1 protocol ospf cost 10

QoS Configuration Commands:

Please refer to the previous example for appropriate QoS configuration commands.

Scenario Topology: Mix-and-match WAN interfaces

In this final scenario, the SSG device uses an Ethernet interface connected to an external cable or xDSL modem as the primary WAN interface and a leased line (fractional T1/E1) as the backup. The SSG is configured to utilize bandwidth across both the cable/xDSL modem and the leased line under normal operations.

[Figure, left: physical connection, with PC-2, FW-1 and Router-1 at Headquarter; Ethernet interface and serial interface on SSG-1; PC-1 at the Remote Office]
[Figure, right: logical connection, with HQ LAN (OSPF Area 55), HQ WAN (OSPF Area 0), VPN over Ethernet / xDSL, VPN over serial interface, Remote Office (OSPF Area 55) with SSG-1 and PC-1]

The left-hand diagram illustrates the physical connection at the remote site. SSG-1 employs a dual connection: one xDSL/cable connection (via Ethernet to SSG-1) and one point-to-point leased line to corporate headquarters. Under normal conditions, all unencrypted traffic is transmitted via the xDSL/cable connection, and the serial interface provides the IPSec tunnel back to headquarters. Traffic will be moved to the surviving link if either the xDSL/cable connection or the leased line is down.

The right-hand diagram illustrates the logical connections, with two VPN tunnels between SSG-1 and FW-1. The VPN over the serial interface carries a manually assigned lower cost and will be selected by OSPF as the preferred route between PC-1 and PC-2. The VPN over xDSL/cable will be selected if the connection over the serial interface is broken.

Unencrypted traffic will use xDSL/cable as the primary connection. If xDSL/cable is unavailable, a default route / Internet connection from headquarters is advertised via OSPF to SSG-1. In this scenario, SSG-1 can use the serial interface to reach the Internet.

QoS commands are the same as those used in the previous configuration examples.

Configuration Commands: Mix and Match WAN Interfaces

Interface Configuration Commands:

set interface "ethernet0/1" zone "Trust"
set interface "serial1/0" zone "Untrust"
set interface "serial1/1" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.2" zone "Untrust"
set interface "serial1/0" encap ppp
set interface ethernet0/1 ip /24
set interface serial1/0 ip /24

set interface tunnel.1 ip /24
set interface tunnel.2 ip /24
set ppp profile "PPP1"
set ppp profile "PPP1" netmask
set ppp profile "PPP1" static-ip
set interface "serial1/0" ppp profile PPP1

VPN Configuration Commands:

set ike gateway "gw56" address Main outgoing-interface "serial1/0" preshare "9OE1rfbwNP00C2soGcCy7MskJ0nn6Vf6Bw==" sec-level standard
set ike gateway "gw56-1" address Main outgoing-interface "ethernet0/2" preshare "lktbhdo4nwnjfosaxtc7nvlcxrn96exfra==" sec-level standard
set ike respond-bad-spi 1
set vpn "vpn56" gateway "gw56" no-replay tunnel idletime 0 sec-level standard
set vpn "vpn56" monitor
set vpn "vpn56" id 1 bind interface tunnel.1
set vpn "vpn56-1" gateway "gw56-1" no-replay tunnel idletime 0 sec-level standard
set vpn "vpn56-1" monitor
set vpn "vpn56-1" id 2 bind interface tunnel.2

OSPF Configuration Commands:

set route /0 interface ethernet0/2 gateway preference 20
set interface ethernet0/1 protocol ospf area
set interface ethernet0/1 protocol ospf enable
set interface tunnel.1 protocol ospf area
set interface tunnel.1 protocol ospf enable
set interface tunnel.2 protocol ospf area
set interface tunnel.2 protocol ospf enable
set interface tunnel.2 protocol ospf cost 20

QoS Configuration Commands:

Please refer to the previous example for appropriate QoS configuration commands.

Appendix 1: Troubleshooting and Debug commands

Single Point-to-Point WAN Connection, No VPN

All WAN connection protocols
o Use get interface serial a/b to obtain the link, link protocol and physical status of the serial interface.
o Check T1/E1 related configuration, e.g., framing, encoding and number of time slots, from get interface serial a/b.

Cisco HDLC
o Ensure the HDLC keep-alive setting is identical on both SSG-1 and the other device.
o Use debug hdlc all to see the HDLC handshake status.

PPP
o Ensure the PPP keep-alive setting is identical on both SSG-1 and the other device.
o Use debug ppp all to see the HDLC handshake status.

Frame Relay
o Ensure the Frame Relay LMI / DLCI agrees with the setting provided by the service provider.
o Use debug frame all to see the Frame Relay messages. Pay special attention to LMI related messages.

Single Point-to-Point WAN Connection, VPN
o Use WAN interface related commands to establish WAN connectivity.
o Use get event include 536 to observe VPN related messages.
o Use get sa active and get ike cookies to observe VPN Phase 1 & 2 related information.
o Use set ffilter ip-proto 1 and debug flow basic, fire a ping packet between the source and destination of the VPN tunnel, then use get db stream to review how the packet was processed.

Multi-link (MLPPP and MLFR) WAN Connections
o Break the multi-link bundle to make sure each physical T1/E1 interface can properly establish link.
o Perform WAN protocol (PPP or Frame Relay) related commands to troubleshoot any connectivity related problems, if necessary.
o Use debug ml ppp or debug ml fr to troubleshoot MLPPP or MLFR related problems.


More information

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Product Overview Cisco Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software-based security solution for building scalable

More information

! encor en etworks TM

! encor en etworks TM ! encor en etworks TM Version A, March 2010 2013 Encore Networks, Inc. All rights reserved. Configuring the BANDIT III s T1 E1 Card for a PCM Voice Network The T1 E1 card fits into the expansion slot on

More information

Remote Connectivity for mysap.com Solutions over the Internet Technical Specification

Remote Connectivity for mysap.com Solutions over the Internet Technical Specification Remote Connectivity for mysap.com Solutions over the Technical Specification June 2009 Remote Connectivity for mysap.com Solutions over the page 2 1 Introduction SAP has embarked on a project to enable

More information

Firewall Defaults and Some Basic Rules

Firewall Defaults and Some Basic Rules Firewall Defaults and Some Basic Rules ProSecure UTM Quick Start Guide This quick start guide provides the firewall defaults and explains how to configure some basic firewall rules for the ProSecure Unified

More information

About Firewall Protection

About Firewall Protection 1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote

More information

NetVanta Series (with T1/FT1 or T1/FT1 + DSX-1 Network Interface Module)

NetVanta Series (with T1/FT1 or T1/FT1 + DSX-1 Network Interface Module) VPN WAN LAN PWR STAT TD RD TD RD TD RD VPN WAN LAN PWR STAT TD RD TD RD TD RD NetVanta 3200 NetVanta 3200 NetVanta Series (with T1/FT1 or T1/FT1 + DSX-1 Network Interface Module) Quick Configuration Guide

More information

Cisco Router and Security Device Manager (SDM)

Cisco Router and Security Device Manager (SDM) Cisco Router and Security Device Manager (SDM) Session Number 1 Cisco SDM: Combining Ease Of Use & Application Intelligence Cisco SDM is an intuitive, web-based tool for Easy and Reliable Deployment and

More information

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions Find your network example: 1. Basic network with and 2 WAN lines - click here 2. Add a web server to the LAN - click here 3. Add a web,

More information

640-816: Interconnecting Cisco Networking Devices Part 2 v1.1

640-816: Interconnecting Cisco Networking Devices Part 2 v1.1 640-816: Interconnecting Cisco Networking Devices Part 2 v1.1 Course Introduction Course Introduction Chapter 01 - Small Network Implementation Introducing the Review Lab Cisco IOS User Interface Functions

More information

Multi-Homing Security Gateway

Multi-Homing Security Gateway Multi-Homing Security Gateway MH-5000 Quick Installation Guide 1 Before You Begin It s best to use a computer with an Ethernet adapter for configuring the MH-5000. The default IP address for the MH-5000

More information

Internet Router. Enhance your Internet surfing experience with various connection types

Internet Router. Enhance your Internet surfing experience with various connection types Router Enhance your surfing experience with various connection types Bene ted by the growth of technology, combining cutting-edge router with switch technology, PLANET broadband router series (XRT, VRT),

More information

This chapter covers four comprehensive scenarios that draw on several design topics covered in this book:

This chapter covers four comprehensive scenarios that draw on several design topics covered in this book: This chapter covers four comprehensive scenarios that draw on several design topics covered in this book: Scenario One: Pearland Hospital Scenario Two: Big Oil and Gas Scenario Three: Beauty Things Store

More information

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering Introduction Digi Connect Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering The Digi Connect supports five features which provide security and IP traffic forwarding when using incoming

More information

Enterprise Edge Communications Manager. Data Capabilities

Enterprise Edge Communications Manager. Data Capabilities Enterprise Edge Communications Manager Data Capabilities Data Module Objectives After the completion of this module you will be able to describe the following Data components of the Enterprise Edge Communications

More information

Configuring a Lan-to-Lan VPN with SSG5 and Check Point Appliance Safe@Office 500

Configuring a Lan-to-Lan VPN with SSG5 and Check Point Appliance Safe@Office 500 Application Note Configuring a Lan-to-Lan VPN with SSG5 and Check Point Appliance Safe@Office 500 Version 1.0 January 2008 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408

More information

Solutions Guide. Secure Remote Access. Allied Telesis provides comprehensive solutions for secure remote access.

Solutions Guide. Secure Remote Access. Allied Telesis provides comprehensive solutions for secure remote access. Solutions Guide Secure Remote Access Allied Telesis provides comprehensive solutions for secure remote access. Introduction The world is generating electronic data at an astonishing rate, and that data

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.2 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.2-110503-01-0503

More information

Evaluating Bandwidth Optimization Technologies: Bonded Internet

Evaluating Bandwidth Optimization Technologies: Bonded Internet Evaluating Bandwidth Optimization Technologies: Bonded Internet Contents Channel Bonding and MLPPP Load Balancing and BGP Configuring Tunnels Traditional Bonding MetTel s Bonded Internet Service 3 4 5

More information

Interconnecting Cisco Networking Devices: Accelerated Course CCNAX v2.0; 5 Days, Instructor-led

Interconnecting Cisco Networking Devices: Accelerated Course CCNAX v2.0; 5 Days, Instructor-led Interconnecting Cisco Networking Devices: Accelerated Course CCNAX v2.0; 5 Days, Instructor-led Course Description Interconnecting Cisco Networking Devices: Accelerated (CCNAX) v2.0 is a 60-hour instructor-led

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring a Single SRX Series Device in a Branch Office Published: 2014-01-10 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000

More information

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0 Avaya Solution & Interoperability Test Lab Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0 Abstract These Application Notes describe the steps for

More information

Chapter 2 - The TCP/IP and OSI Networking Models

Chapter 2 - The TCP/IP and OSI Networking Models Chapter 2 - The TCP/IP and OSI Networking Models TCP/IP : Transmission Control Protocol/Internet Protocol OSI : Open System Interconnection RFC Request for Comments TCP/IP Architecture Layers Application

More information

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router print email Article ID: 4938 Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router Objective Virtual Private

More information

UIP1868P User Interface Guide

UIP1868P User Interface Guide UIP1868P User Interface Guide (Firmware version 0.13.4 and later) V1.1 Monday, July 8, 2005 Table of Contents Opening the UIP1868P's Configuration Utility... 3 Connecting to Your Broadband Modem... 4 Setting

More information

Table of Contents. Introduction

Table of Contents. Introduction viii Table of Contents Introduction xvii Chapter 1 All About the Cisco Certified Security Professional 3 How This Book Can Help You Pass the CCSP Cisco Secure VPN Exam 5 Overview of CCSP Certification

More information

IPv6 over IPv4/MPLS Networks: The 6PE approach

IPv6 over IPv4/MPLS Networks: The 6PE approach IPv6 over IPv4/MPLS Networks: The 6PE approach Athanassios Liakopoulos Network Operation & Support Manager (aliako@grnet.gr) Greek Research & Technology Network (GRNET) III Global IPv6 Summit Moscow, 25

More information

ewon-vpn - User Guide Virtual Private Network by ewons

ewon-vpn - User Guide Virtual Private Network by ewons VPN : what is it? A virtual private network (VPN) is a private communications network usually used within a company, or by several different companies or organizations, to communicate over a public network

More information

"Charting the Course...

Charting the Course... Description "Charting the Course... Course Summary Interconnecting Cisco Networking Devices: Accelerated (CCNAX), is a course consisting of ICND1 and ICND2 content in its entirety, but with the content

More information

Cisco Which VPN Solution is Right for You?

Cisco Which VPN Solution is Right for You? Table of Contents Which VPN Solution is Right for You?...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1 Components Used...1 NAT...2 Generic Routing Encapsulation Tunneling...2

More information

Quick Note 20. Configuring a GRE tunnel over an IPSec tunnel and using BGP to propagate routing information. (GRE over IPSec with BGP)

Quick Note 20. Configuring a GRE tunnel over an IPSec tunnel and using BGP to propagate routing information. (GRE over IPSec with BGP) Quick Note 20 Configuring a GRE tunnel over an IPSec tunnel and using BGP to propagate routing information. (GRE over IPSec with BGP) Appendix A GRE over IPSec with Static routes UK Support August 2012

More information

AT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0

AT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0 AT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0 Introduction...2 Overview...2 1. Technology Background...2 2. MPLS PNT Offer Models...3

More information

Connecting Remote Offices by Setting Up VPN Tunnels

Connecting Remote Offices by Setting Up VPN Tunnels Connecting Remote Offices by Setting Up VPN Tunnels Cisco RV0xx Series Routers Overview As your business expands to additional sites, you need to ensure that all employees have access to the network resources

More information

VPN. VPN For BIPAC 741/743GE

VPN. VPN For BIPAC 741/743GE VPN For BIPAC 741/743GE August, 2003 1 The router supports VPN to establish secure, end-to-end private network connections over a public networking infrastructure. There are two types of VPN connections,

More information

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview Configuration Guide How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall Overview This document describes how to implement IPSec with pre-shared secrets establishing

More information

Verizon Wireless White Paper. Verizon Wireless Broadband Network Connectivity and Data Transport Solutions

Verizon Wireless White Paper. Verizon Wireless Broadband Network Connectivity and Data Transport Solutions Verizon Wireless White Paper Verizon Wireless Broadband Network Connectivity and Data Transport Solutions Verizon Wireless White Paper Verizon Wireless Broadband Network Connectivity and Data Transport

More information

PREPARED FOR ABC CORPORATION

PREPARED FOR ABC CORPORATION NETWORK DESIGN PROPOSAL PREPARED FOR ABC CORPORATION Prepared by Crystal Technologies PROPRIETARY AND CO NF IDE NTIAL Network Design Proposal PREPARED FOR ABC CORPORATION INC. ARTICLE I. OVERVIEW/HISTORY

More information

MPLS in Private Networks Is It a Good Idea?

MPLS in Private Networks Is It a Good Idea? MPLS in Private Networks Is It a Good Idea? Jim Metzler Vice President Ashton, Metzler & Associates March 2005 Introduction The wide area network (WAN) brings indisputable value to organizations of all

More information

Case Studies. Static p2p GRE over IPsec with a Branch Dynamic Public IP Address Case Study. Overview CHAPTER

Case Studies. Static p2p GRE over IPsec with a Branch Dynamic Public IP Address Case Study. Overview CHAPTER CHAPTER 5 The following two case studies are provided as reference material for implementing p2p GRE over IPsec designs. Static p2p GRE over IPsec with a Branch Dynamic Public IP Address Case Study This

More information

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0 COURSE OVERVIEW Implementing Secure Converged Wide Area Networks (ISCW) v1.0 is an advanced instructor-led course that introduces techniques and features that enable or enhance WAN and remote access solutions.

More information

Network Management for Common Topologies How best to use LiveAction for managing WAN and campus networks

Network Management for Common Topologies How best to use LiveAction for managing WAN and campus networks Network Management for Common Topologies How best to use LiveAction for managing WAN and campus networks April 2014 www.liveaction.com Contents 1. Introduction... 1 2. WAN Networks... 2 3. Using LiveAction

More information

Cisco Configuring Basic MPLS Using OSPF

Cisco Configuring Basic MPLS Using OSPF Table of Contents Configuring Basic MPLS Using OSPF...1 Introduction...1 Mechanism...1 Hardware and Software Versions...2 Network Diagram...2 Configurations...2 Quick Configuration Guide...2 Configuration

More information

PRODUCT CATEGORY BROCHURE. Juniper Networks Integrated

PRODUCT CATEGORY BROCHURE. Juniper Networks Integrated PRODUCT CATEGORY BROCHURE Juniper Networks Integrated Firewall/VPN Platforms Strong Security for Access Control, User Authentication, and Attack Protection at the Network and Application Level As threats

More information

MLPPP Deployment Using the PA-MC-T3-EC and PA-MC-2T3-EC

MLPPP Deployment Using the PA-MC-T3-EC and PA-MC-2T3-EC MLPPP Deployment Using the PA-MC-T3-EC and PA-MC-2T3-EC Overview Summary The new enhanced-capability port adapters are targeted to replace the following Cisco port adapters: 1-port T3 Serial Port Adapter

More information

Nationwide WAN + VoIP connectivity

Nationwide WAN + VoIP connectivity Nationwide WAN + VoIP connectivity Client: Multi-state network of universities based in a Southern state. Customer's requirement: The customer wanted to establish WAN connectivity between the Head office

More information

PRODUCT CATEGORY BROCHURE INTEGRATED FIREWALL/ VPN PLATFORMS

PRODUCT CATEGORY BROCHURE INTEGRATED FIREWALL/ VPN PLATFORMS PRODUCT CATEGORY BROCHURE INTEGRATED FIREWALL/ VPN PLATFORMS Strong Security for Access Control, User Authentication, and Attack Protection at the Network and Application Level As threats to the network

More information

Configuring an efficient QoS Map

Configuring an efficient QoS Map Configuring an efficient QoS Map This document assumes the reader has experience configuring quality of service (QoS) maps and working with traffic prioritization. Before reading this document, it is advisable

More information

PRODUCT CATEGORY BROCHURE. Juniper Networks Integrated

PRODUCT CATEGORY BROCHURE. Juniper Networks Integrated PRODUCT CATEGORY BROCHURE Juniper Networks Integrated Firewall/VPN Platforms Strong Security for Access Control, User Authentication, and Attack Protection at the Network and Application Level As threats

More information

November 2013. Defining the Value of MPLS VPNs

November 2013. Defining the Value of MPLS VPNs November 2013 S P E C I A L R E P O R T Defining the Value of MPLS VPNs Table of Contents Introduction... 3 What Are VPNs?... 4 What Are MPLS VPNs?... 5 What Are the Benefits of MPLS VPNs?... 8 How Do

More information

VoIP Bandwidth Considerations - design decisions

VoIP Bandwidth Considerations - design decisions VoIP Bandwidth Considerations - design decisions When calculating the bandwidth requirements for a VoIP implementation the two main protocols are: a signalling protocol such as SIP, H.323, SCCP, IAX or

More information

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers SOLUTION BRIEF Enterprise Data Center Interconnectivity Increase Simplicity and Improve Reliability with VPLS on the Routers Challenge As enterprises improve business continuity by enabling resource allocation

More information

Voice over IP Basics for IT Technicians

Voice over IP Basics for IT Technicians Voice over IP Basics for IT Technicians White Paper Executive summary The IP phone is coming or has arrived on desk near you. The IP phone is not a PC, but does have a number of hardware and software elements

More information

IP Router QUICK START GUIDE

IP Router QUICK START GUIDE IP Router QUICK START GUIDE Part Number: 002-0118-0210 Product Release: 2.97 August 2009 Copyright 2009 Force10 Networks Inc. All rights reserved. Force10 Networks reserves the right to change, modify,

More information

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials. Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials. CHAPTER 5 OBJECTIVES Configure a router with an initial configuration. Use the

More information

Industry s First QoS- Enhanced MPLS TE Solution

Industry s First QoS- Enhanced MPLS TE Solution Industry s First QoS- Enhanced MPLS TE Solution Azhar Sayeed Manager, IOS Product Management, asayeed@cisco.com Contact Info: Kim Gibbons, kgibbons@cisco.com,, 408-525 525-4909 1 Agenda MPLS Traffic Engineering

More information

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining

More information

Configuring Bonder for Load Balancing and Aggregation

Configuring Bonder for Load Balancing and Aggregation Configuring Bonder for Load Balancing and Aggregation Version: 2587 Copyright 2007-2010 ImageStream Internet Solutions, Inc., All rights Reserved. Table of Contents Router Installation and Configuration

More information

NetVanta Series (with Octal T1/E1 Wide Module)

NetVanta Series (with Octal T1/E1 Wide Module) NET 1 LAN 1 NET 2 LAN 2 WIDE SLOT 1 ACTIVITY TEST NET 1 NET 1 LAN 1 LAN 2 WIDE SLOT 1 NET 2 ACTIVITY TEST LAN 1 NET 2 LAN 2 NET 1 WIDE SLOT 1 ACTIVITY TEST LAN 1 NET 2 LAN 2 WIDE SLOT 1 ACTIVITY TEST NetVanta

More information

CS419: Computer Networks. Lecture 9: Mar 30, 2005 VPNs

CS419: Computer Networks. Lecture 9: Mar 30, 2005 VPNs : Computer Networks Lecture 9: Mar 30, 2005 VPNs VPN Taxonomy VPN Client Network Provider-based Customer-based Provider-based Customer-based Compulsory Voluntary L2 L3 Secure Non-secure ATM Frame Relay

More information

IOS NAT Load Balancing for Two ISP Connections

IOS NAT Load Balancing for Two ISP Connections IOS NAT Load Balancing for Two ISP Connections Document ID: 100658 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations Verify Troubleshoot

More information

White Paper. McAfee Multi-Link. Always-on connectivity with significant savings

White Paper. McAfee Multi-Link. Always-on connectivity with significant savings McAfee Multi-Link Always-on connectivity with significant savings Table of Contents Executive Summary...3 How McAfee Multi-Link Works...4 Outbound traffic...4 Load balancing...4 Standby links for high

More information

IP Routing Configuring RIP, OSPF, BGP, and PBR

IP Routing Configuring RIP, OSPF, BGP, and PBR 13 IP Routing Configuring RIP, OSPF, BGP, and PBR Contents Overview..................................................... 13-6 Routing Protocols.......................................... 13-6 Dynamic Routing

More information

BroadCloud Adtran Total Access Quick Start Guide

BroadCloud Adtran Total Access Quick Start Guide BroadCloud Adtran Total Access Quick Start Guide Specification Document Version 2.0 1009 Pruitt Road The Woodlands, TX 77380 Tel +1 281.465.3320 WWW.BROADSOFT.COM BroadCloud Adtran NetVanta QSG Copyright

More information

RFC 2547bis: BGP/MPLS VPN Fundamentals

RFC 2547bis: BGP/MPLS VPN Fundamentals White Paper RFC 2547bis: BGP/MPLS VPN Fundamentals Chuck Semeria Marketing Engineer Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408 745 2001 or 888 JUNIPER www.juniper.net

More information

This chapter describes how to set up and manage VPN service in Mac OS X Server.

This chapter describes how to set up and manage VPN service in Mac OS X Server. 6 Working with VPN Service 6 This chapter describes how to set up and manage VPN service in Mac OS X Server. By configuring a Virtual Private Network (VPN) on your server you can give users a more secure

More information

Route Based Virtual Private Network

Route Based Virtual Private Network Route Based Virtual Private Network Document Scope This solutions document provides details about Route Based Virtual Private Network (VPN) Technology, its advantages, and procedures to configure a Route

More information

Secure Network Foundation 1.1 Design Guide for Single Site Deployments

Secure Network Foundation 1.1 Design Guide for Single Site Deployments Secure Network Foundation 1.1 Design Guide for Single Site Deployments This document provides a simple vision for a smart and secure business where everyday communications are made easier, faster, and

More information

Benefit from our Hard-Learned Lessons: Evaluating Bandwidth Optimization Technologies

Benefit from our Hard-Learned Lessons: Evaluating Bandwidth Optimization Technologies Benefit from our Hard-Learned Lessons: Evaluating Bandwidth Optimization Technologies This whitepaper outlines the existing technologies we examined before we developed our BONDED INTERNET service. We

More information

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1 Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1 This document describes how to configure an IPSec tunnel between a WatchGuard Firebox Vclass appliance (Vcontroller version

More information

ISG50 Application Note Version 1.0 June, 2011

ISG50 Application Note Version 1.0 June, 2011 ISG50 Application Note Version 1.0 June, 2011 Scenario 1 - ISG50 is placed behind an existing ZyWALL 1.1 Application Scenario For companies with existing network infrastructures and demanding VoIP requirements,

More information

SonicOS Enhanced 5.7.0.2 Release Notes

SonicOS Enhanced 5.7.0.2 Release Notes SonicOS Contents Platform Compatibility... 1 Key Features... 2 Known Issues... 3 Resolved Issues... 4 Upgrading SonicOS Enhanced Image Procedures... 6 Related Technical Documentation... 11 Platform Compatibility

More information

Technology Overview. Class of Service Overview. Published: 2014-01-10. Copyright 2014, Juniper Networks, Inc.

Technology Overview. Class of Service Overview. Published: 2014-01-10. Copyright 2014, Juniper Networks, Inc. Technology Overview Class of Service Overview Published: 2014-01-10 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks, Junos,

More information

LAB TESTING SUMMARY REPORT

LAB TESTING SUMMARY REPORT Key findings and conclusions: Cisco Nonstop Forwarding with Stateful Switchover drastically reduces mean time to repair (MTTR) Delivered zero route flaps with BGP, OSPF, IS-IS and static routes during

More information

Juniper Solutions for Managed Security Services

Juniper Solutions for Managed Security Services SOLUTION BROCHURE Juniper Solutions for Managed Security Services Best Practices for Managed Service Providers Enterprise Security Solution Overview In today s operating business environment, barely a

More information

Configuring a BANDIT Product for Virtual Private Networks

Configuring a BANDIT Product for Virtual Private Networks encor! enetworks TM Version A, March 2008 2013 Encore Networks, Inc. All rights reserved. Configuring a BANDIT Product for Virtual Private Networks O ne of the principal features in the BANDIT family of

More information

Magnum Network Software DX

Magnum Network Software DX Magnum Network Software DX Software Release Notes Software Revision 3.0.1 RC5, Inc. www..com www..com/techsupport email: support@.com This document contains Confidential information or Trade Secrets, or

More information

End-to-End QoS Network Design

End-to-End QoS Network Design End-to-End QoS Network Design Tim Szigeti, CCIE No. 9794, and Christina Hattingh Cisco Press Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA Table of Contents Introduction xxii Part I Introduction

More information

M!DGE/MG102i. Application notes. www.racom.eu

M!DGE/MG102i. Application notes. www.racom.eu Application notes. M!DGE/MG102i. version 2.1 4/11/2014 RACOM s.r.o. Mirova1283 59231 Nove MestonaMorave CzechRepublic Tel.: +420565659 511 Fax: +420565659 512 E-mail: racom@racom.eu www.racom.eu Table

More information

Demonstrating the high performance and feature richness of the compact MX Series

Demonstrating the high performance and feature richness of the compact MX Series WHITE PAPER Midrange MX Series 3D Universal Edge Routers Evaluation Report Demonstrating the high performance and feature richness of the compact MX Series Copyright 2011, Juniper Networks, Inc. 1 Table

More information

SSVP SIP School VoIP Professional Certification

SSVP SIP School VoIP Professional Certification SSVP SIP School VoIP Professional Certification Exam Objectives The SSVP exam is designed to test your skills and knowledge on the basics of Networking and Voice over IP. Everything that you need to cover

More information

Managed Services: Taking Advantage of Managed Services in the High-End Enterprise

Managed Services: Taking Advantage of Managed Services in the High-End Enterprise Managed Services: Taking Advantage of Managed Services in the High-End Enterprise What You Will Learn This document explores the challenges and solutions for high-end enterprises using managed services.

More information

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols

More information

Security Solutions Portfolio

Security Solutions Portfolio Fixed Telecommuter or Small Medium Office Regional Office SSG 520M SSG 550M Security Solutions Portfolio Integrated Firewall/VPN Solutions SSG 140 Branch Office... SSG 320M... SSG 350M... SSG 5 SSG 20...

More information

UAG715 Support Note. Revision 1.00. August, 2012. Written by CSO

UAG715 Support Note. Revision 1.00. August, 2012. Written by CSO UAG715 Support Note Revision 1.00 August, 2012 Written by CSO Scenario 1 - Trunk Interface (Dual WAN) Application Scenario The Internet has become an integral part of our lives; therefore, a smooth Internet

More information

Virtual Leased Line (VLL) for Enterprise to Branch Office Communications

Virtual Leased Line (VLL) for Enterprise to Branch Office Communications Virtual Leased Line (VLL) for Enterprise to Branch Office Communications Reliable high throughput data connections with low-cost & diverse transport technologies Executive Summary: The Truffle Broadband

More information

Security Solutions Portfolio

Security Solutions Portfolio Fixed Telecommuter or Small Medium Office Regional Office SSG 520M SSG 550M Branch Office Security Solutions Portfolio Integrated Firewall/VPN Solutions SSG 140 SSG 350M... SSG 320M... 5GT SSG 5 SSG 20.........

More information