Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1
High-Availability Designs
for Juniper NetScreen
Firewalls
Dan Backman
Senior Systems Engineer
dbackman@juniper.net
Routing and Firewall Functions Merging
New JUNOS Routing platforms (J / M) and AS PIC
• Stateful firewall, IPsec and NAT services in JUNOS
Expanded Routing functionality in NetScreen platforms
New solutions possible:
• Stateful Firewall, NAT, IPsec VPN termination and
Dynamic Routing
Routing and Firewall Functions Merging
Traditional uses of dynamic routing in firewalls:
• Dynamically advertise reachability of connected services
• Statically routed VPNs advertised into IGP/iBGP
• Dynamic path calculation
• Firewalls participate in routing (usually RIP)
• Limited control plane impacts
• Relatively few prefixes
• Limited policy/redistribution
Today:
• Deployments require:
• Interchangeable routing / firewall features
• Juniper delivering integrated feature sets
• AS PIC / J Series SFW/IPsec
• Increasing routing functionality in ScreenOS
JUNOS / ScreenOS Routing Strengths
Virtualization
• Native support for multiple routing tables
• Multiple VRF and Logical routers in JUNOS
• At least two Virtual Routers in all ScreenOS platforms
– Allows simple split tunneling at edge
• Hundreds of VRs in NetScreen Systems
• Multiple instances of routing protocols in JUNOS and ScreenOS
Scalable, standards-based routing protocols (OSPF/BGP/RIPv2)
PIM-SM and IGMP Proxy for dynamic multicast forwarding
Dynamic route-based VPNs
• Support for policy and route-based VPNs in ScreenOS and JUNOS
ScreenOS Dynamic Routing
ScreenOS is designed for integrated Firewall / Routing
• Security platform from the ground-up
• Integrated static and dynamic routing support
• Multiple virtual IPv4 routing tables / Multiple routing instances
Security Features
• Screen function
• DoS, IP spoofing, L3/L4 protocol anomaly detection
• Flexible security zone model for all policy
• Network interfaces bound to security zones
• Sessions / flows bound to zones, not interfaces
• Allows real-time next-hop changes to existing flows
• Critical to support dynamic routing in a firewall
High Availability Scenarios
Firewalls are an integral part of the routing topology and need redundancy solutions
• Border protection (Screen/Policy)
• Inline to forwarding path at network border
• Logical progression for integrated IDP
– Add IDP into forwarding path with fewer headaches
VPN Routing Edge
• Redundant VPN termination at site
• Stateful failover without dynamic routing impact
Stateful Failover
True security boundaries require stateful inspection
• Firewalls track individual network flows
• Provide stateful enforcement of policies and DoS protection
Redundancy requires stateful awareness
• Firewall Cluster must support state synchronization
Failover without state sync:
• Results in loss of existing TCP/UDP sessions
• Users must restart existing protocol connections
Traditional firewall state sync does not account for dynamic routing
Classic Firewall HA Scenario
“Ten-Pack” of routers, switches, firewalls, switches and routers
• HSRP/VRRP/NSRP virtual addresses for next-hop
• Static routing
Pros:
• Simple. No dynamic routing
• No asymmetric state
• Supports all firewall features/functions
Cons:
• May require redundant interfaces
• No dynamic routing through firewalls
• Requires additional devices (L2 switches)
[Figure: two NetScreen-5200 chassis, Master and Backup, joined by an HA Link and sitting between the UNTRUST and TRUST networks]
Dynamic Routing / Firewall HA Scenario
Firewalls in a Dynamic Routing Topology: Why?
Customer desire to integrate firewalls into existing network topology
• Must support dynamic failover based on OSPF
• Contiguous OSPF area
• Full Link State in network edge
• Advertise prefixes between internal network and external routers
• Must support PIM-SM for multicast routing (ScreenOS 5.1)
Interop eNet Design
• NSRP VSD-less clusters originally designed for this topology 2 years ago
NetScreen Redundancy Protocol
Originally designed to support stateful failover
• Never intended to support asymmetric state
VSD – Virtual Security Device
• Logical failover domain within firewall
• Master / Backup state machine per VSD
VSI – Virtual Security Interface
• Shared interface (Virtual IP/MAC pair)
• Maps traffic into VSD
RTO Mirror – Real Time Object Mirroring
• State sync in NSRP cluster
NSRP: Traditional (L3) Design
Virtual addressing
• NSRP VSI and VRRP or HSRP on routers
• All virtual MAC addresses as next-hop between routers and firewall cluster
• Static routes throughout topology
Single VSD for all traffic
All firewall interfaces are virtual interfaces (VIP/MAC)
• Easy to add additional zones/interfaces (DMZ)
• No asymmetric state
[Figure: NSRP Master and NSRP Backup firewalls joined by an HA Link between UNTRUST and TRUST; a VRRP Master / VRRP Backup router pair on each side; the routers on each side point their static routes and default route at the cluster's Virtual Address]
NSRP: Traditional (L2) Design
Firewall operates as logical L2 learning bridge
• Backup is in L2 blocking state
• Must permit IGP adjacencies through firewall
• No asymmetric state
Topologies
• Support for proprietary IGPs
• “drop-in” / transparent firewalls
Transparent Mode NSRP (L2) Operation
Operate as logical L2 bridge
• MAC learning and forwarding
• Policy engine and forwarding still based on 5-tuple
Must carefully engineer DMZ topology
• ICMP redirect cannot force traffic across zone boundary
Limited support for VLANs
• VLAN tags preserved, but single inspection domain
• No current support for VLAN tag rewrite
• Enhancement coming in next major ScreenOS release
NSRP Real-Time Object Sync
What is synchronized?
• Sessions / IPsec SA / Crypto and VSD Configs
• Master to Backup replication in VSD
• Bi-Directional replication in VSD-less cluster
What is not synchronized?
• Screens (pre-flow processing counters)
• Application Level Gateways
• TCP Setup / Inspection
[Figure: NSRP Master and NSRP Backup joined by HA Link(s) between UNTRUST and TRUST; RTO Mirror runs from Master to Backup; normal traffic flows through the Master, traffic on failover through the Backup]
NSRP Operation
Master/Backup state machine run per VSD
• Priority and tracking (weight-based) determine master eligibility
• Tracking: interface / IP reachability (ping) / Zone
Master assumes virtual IP/MAC addresses for VSI
• Physical interfaces in VSD 0
• Additional VSI (e.g. eth2/1:1)
Master synchronizes state to Backup device
Backup blocks ports in L2/Transparent mode
NSRP State Control: Tracking
NSRP can track various factors to determine master eligibility
• Applies per VSD
• Administrative weight per tracked object
• Failover threshold per VSD
Track:
• Multiple IP addresses
• Weight per address
• Interfaces
• Zones
• Behaves like a VLAN on an L3 switch
• Any one interface with link up means the zone is up
OSPF and NSRP (The Wrong Way)
VERY slow failover (40-60 sec) when using OSPF and NSRP
Does support NSRP RTO mirror for session sync
• NSRP backup has “down” interfaces in VSD id 0
• OSPF adjacency is “down” when in backup state
• On failover:
1. Interface up
2. Reestablish OSPF adj. (must wait OSPF Dead Interval)
3. Database exchange
4. SPF calc
5. Populate routes
• THEN, can begin forwarding traffic
Dynamic Routing Clusters (1): Justification
Desire to integrate firewall into IGP
• Multiple egress paths, integrate into IGP routing
• Control advertisement of default or external routes into IGP based on exterior connectivity
• Continuity of IGP routing across firewalls
• OSPF-based dynamic route selection
• Simplified topology (no L2 switching required)
ScreenOS modified (early 5.0x) to abstract sessions from interface to zone.
• Allows route update to new next-hop without invalidating existing sessions
New NSRP mode needed to keep routing adjacencies up
Dynamic Routing Clusters (2): Operation
Dual Masters in VSD id 0
Bi-directional RTO mirroring between cluster members
• All physical interfaces remain active and can support active routing protocol adjacencies
• All devices in cluster can actively forward traffic
Same as running OSPF on non-clustered devices, but adds session sync
Config:
• Must manually “unset vsd id 0”
• “set nsrp rto-mirror session non-vsi”
Dynamic Routing Clusters (3): Caveats
Primary limitations:
• VERY susceptible to asymmetric state issues
• Require more complex config (mixed mode) for NAT support
• Policy-based VPNs also require mixed mode
• In both cases, traffic must return to a single address which may be resident on both devices
Cannot use Data-Path Forwarding as a band-aid
• Both nodes are Master: only a backup node can perform data-path forwarding
Must use “Mixed-mode” NSRP to address these issues
• Unset VSD id 0
• Virtual interfaces in VSD id 1 (loopback for VPN, NAT Pool)
HA Considerations: Stateful forwarding
Real Stateful Inspection requires bidirectional forwarding
• Traditional routing protocols do not guarantee symmetric bidirectional traffic flows
• ECMP nearly guarantees asymmetric state
• True stateful load balancing requires reverse hash for returning microflows
• NetScreen firewalls use session/flow state for all forwarding paths
• Required for stateful policy inspection
• J/M/T/E series use stateless forwarding
• LPM / J-Tree lookup per-packet on forwarding and firewall filters
ScreenOS – Session State
All forwarded traffic must have a session
• Contains bidirectional flow information
• Route lookup determines egress zone
• Policy lookup from ingress to egress zone
• NetScreen Systems forward traffic like L3/L4 switches
5200-17(M)-> get session
slot 1: sw alloc 3/max 1000064, alloc failed 0, mcast alloc 0, di alloc failed 0
slot 2: hw0 alloc 1/max 1048576
slot 2: hw1 alloc 1/max 1048576
id 7267/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
11(0601):10.2.4.2/1->224.0.0.5/1,89,000000000000,15,vlan 0,tun 0,vsd 0,route 0
3(0010):10.2.4.2/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 7268/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
7(0601):10.1.4.1/1->224.0.0.5/1,89,000000000000,14,vlan 0,tun 0,vsd 0,route 0
3(0010):10.1.4.1/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 7269/s01,vsys 0,flag 10200440/0000/03,policy 1,time 1440, dip 0
11(0801):10.2.2.2/11033->10.1.255.1/23,6,00a0c96cce14,15,vlan 0,tun 0,vsd 0,route 74
7(4800):10.2.2.2/11033<-10.1.255.1/23,6,00a0c92490e4,14,vlan 0,tun 0,vsd 0,route 44
Total 3 sessions shown
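An added parser for the `get session` format shown above (example code, not from the deck or from ScreenOS): it reads the session header and the two wing lines of each session, checks the `Total N sessions shown` trailer against what it parsed, and summarises which interface and route entry each direction of a session uses. The reading that the leading number on a wing line is that direction's interface, and the field names `fwd_if`/`rev_if`, are this example's assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Input: the session lines from the slide's `get session` output, re-typed
# verbatim (the 'slot ...' preamble lines are left out; they are not parsed).
SAMPLE_OUTPUT = """\
5200-17(M)-> get session
id 7267/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
11(0601):10.2.4.2/1->224.0.0.5/1,89,000000000000,15,vlan 0,tun 0,vsd 0,route 0
3(0010):10.2.4.2/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 7268/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
7(0601):10.1.4.1/1->224.0.0.5/1,89,000000000000,14,vlan 0,tun 0,vsd 0,route 0
3(0010):10.1.4.1/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 7269/s01,vsys 0,flag 10200440/0000/03,policy 1,time 1440, dip 0
11(0801):10.2.2.2/11033->10.1.255.1/23,6,00a0c96cce14,15,vlan 0,tun 0,vsd 0,route 74
7(4800):10.2.2.2/11033<-10.1.255.1/23,6,00a0c92490e4,14,vlan 0,tun 0,vsd 0,route 44
Total 3 sessions shown
"""

# Session header: id <n>/<state>,vsys <n>,flag <a>/<b>/<c>,policy <n>,time <n>, dip <n>
HEADER_RE = re.compile(
    r"^id (?P<sid>\d+)/(?P<state>[^,]+),vsys \d+,flag [0-9a-f/]+,"
    r"policy (?P<policy>\d+),time (?P<time>\d+), dip \d+$"
)
# Wing line, one per direction: <if>(<flags>):<src>/<sport> -> <dst>/<dport>,
# <proto>,<mac>,<n>,vlan <n>,tun <n>,vsd <n>,route <n>   ('<-' marks the reply wing)
WING_RE = re.compile(
    r"^(?P<ifnum>\d+)\([0-9a-f]+\):(?P<src>[\d.]+)/(?P<sport>\d+)(?P<arrow>->|<-)"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+),[0-9a-f]+,\d+,vlan \d+,tun \d+,"
    r"vsd (?P<vsd>\d+),route (?P<route>\d+)$"
)
TOTAL_RE = re.compile(r"^Total (?P<n>\d+) sessions? shown$")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 89: "ospf"}


@dataclass
class Wing:
    """One direction of a session. ifnum is the leading number on the wing line,
    assumed here to be the interface that direction's packets arrive on."""
    ifnum: int
    reverse: bool      # True for the '<-' (reply) wing
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    vsd: int           # 0 = non-VSI session, the set "rto-mirror session non-vsi" syncs
    route: int         # route entry used by this direction; 0 = none (the OSPF hellos)


@dataclass
class Session:
    sid: int
    state: str
    policy: int
    timeout: int
    wings: List[Wing] = field(default_factory=list)

    def wing(self, reverse: bool) -> Optional[Wing]:
        return next((w for w in self.wings if w.reverse == reverse), None)


def parse_sessions(text: str) -> List[Session]:
    """Parse `get session` output into sessions, each with its two wings."""
    sessions: List[Session] = []
    total: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            sessions.append(Session(int(m["sid"]), m["state"], int(m["policy"]), int(m["time"])))
        elif m := WING_RE.match(line):
            if not sessions:
                raise ValueError("wing line before any session header: " + line)
            sessions[-1].wings.append(Wing(
                int(m["ifnum"]), m["arrow"] == "<-", m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]), int(m["proto"]), int(m["vsd"]), int(m["route"])))
        elif m := TOTAL_RE.match(line):
            total = int(m["n"])
    # The trailer is the device's own count: a mismatch means the capture was
    # truncated or a line did not match the format above.
    if total is not None and total != len(sessions):
        raise ValueError(f"trailer says {total} sessions, parsed {len(sessions)}")
    return sessions


def summarize(sessions: List[Session]) -> List[Dict]:
    """One row per session: the bidirectional 5-tuple plus, per direction, the
    interface and the route entry the firewall resolved for it."""
    rows = []
    for s in sessions:
        f, r = s.wing(reverse=False), s.wing(reverse=True)
        rows.append({
            "id": s.sid, "proto": PROTO_NAMES.get(f.proto, str(f.proto)),
            "src": f"{f.src}:{f.sport}", "dst": f"{f.dst}:{f.dport}",
            "fwd_if": f.ifnum, "rev_if": r.ifnum if r else None,
            "fwd_route": f.route, "rev_route": r.route if r else None,
            "vsd": f.vsd, "timeout": s.timeout,
        })
    return rows
```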
Asymmetric State: Symptoms
“Split-state” environment may appear to work in the lab
• BUT: TCP handshake never completed through same device
• Half-open sessions: User sees TCP sessions establish but freeze (short-lived TCP sessions)
• Can “disable syn checking” but lose effective TCP inspection and protection
• ALG cannot fully inspect control channels
• Deep Inspection will fail
• Integrated IDP will fail
• “pinholes” may not open correctly
• Some screening functions may depend on bidirectional traffic
IGP Costing Exercise (1)
Predictable forwarding path
• Ensure bidirectional path through firewalls
• Must not allow transit through multiple firewalls
• If ABRs directly connected to firewalls, make sure there is a valid Intra-Area route between ABRs in firewall area
IGP costing is unidirectional
• Must be careful to set IGP costing bidirectionally (must configure both sides of a link to the same cost)
• Do NOT rely on automatic costing (varies between vendors and equipment types)
IGP Costing Exercise (2)
Predictable failover
• Control traffic paths in the event of a link-down event
• This design preserves state through a firewall in a single link-break
Fast IGP failover:
• No split link
• Can use aggregated interfaces between devices
• Use /30 p2p links to skip dead timer / DR election on link-up
IGP Costing Exercise (3)
IGP Costing Dangers:
• Routed DMZ Network
• Do not allow transit between firewalls
• Carefully control costs within the OSPF area
• Watch out for asymmetric costs
• Use separate VR for DMZ network if necessary
• Carefully test all iterations in a failover topology
[Figure: External Router-A and External Router-B, Internal Router-A and Internal Router-B, a DMZ Router and the two firewalls]
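As an added illustration of the costing rules on the three IGP Costing Exercise slides (example code, not part of the original deck), a small path audit over a constructed two-firewall topology: it runs Dijkstra once per direction, since IGP cost is set per interface, and reports ECMP ties, transit through more than one firewall, and reply paths that cross a different firewall than the forward path. The node names, costs and the `audit` helper are constructed for the example.

```python
import heapq
from typing import Dict, List, Optional, Set, Tuple

Graph = Dict[str, Dict[str, int]]   # node -> {neighbour: cost of the edge leaving node}
FIREWALLS: Set[str] = {"fwA", "fwB"}


def add_link(g: Graph, a: str, b: str, cost: int, reverse_cost: Optional[int] = None) -> None:
    """IGP cost is set per interface, so each direction of a link carries its own cost.
    A one-sided change (reverse_cost != cost) is exactly the mistake the slide warns about."""
    g.setdefault(a, {})[b] = cost
    g.setdefault(b, {})[a] = cost if reverse_cost is None else reverse_cost


def shortest_path(g: Graph, src: str, dst: str) -> Tuple[int, List[str], int]:
    """Dijkstra: (cost, one shortest path, number of equal-cost shortest paths)."""
    dist, prev, order, done = {src: 0}, {}, [], set()
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        order.append(u)
        for v, w in g.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return -1, [], 0
    # Count equal-cost paths over the "tight" edges (dist[u] + w == dist[v]),
    # visiting nodes in distance order so every predecessor is already counted.
    count = {src: 1}
    for v in order[1:]:
        count[v] = sum(count.get(u, 0) for u, nb in g.items()
                       if v in nb and u in dist and dist[u] + nb[v] == dist[v])
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1], count[dst]


def audit_pair(g: Graph, a: str, b: str, firewalls: Set[str] = FIREWALLS) -> List[str]:
    """Apply the slide's rules to traffic between a and b: no ECMP ties, no transit
    through more than one firewall, and the reply path must cross the same firewall."""
    _, fwd, n_f = shortest_path(g, a, b)
    _, rev, n_r = shortest_path(g, b, a)
    fw_f = [n for n in fwd if n in firewalls]
    fw_r = [n for n in rev if n in firewalls]
    findings = []
    if n_f > 1 or n_r > 1:
        findings.append(f"{a}<->{b}: ECMP ({n_f} fwd / {n_r} rev equal-cost paths)")
    if len(fw_f) > 1 or len(fw_r) > 1:
        findings.append(f"{a}<->{b}: transit through multiple firewalls {fw_f or fw_r}")
    elif fw_f != fw_r[::-1]:
        findings.append(f"{a}<->{b}: asymmetric, fwd via {fw_f} but reverse via {fw_r}")
    return findings


def audit(g: Graph, pairs: List[Tuple[str, str]]) -> List[str]:
    return [f for a, b in pairs for f in audit_pair(g, a, b)]


def build_topology(intB_to_fwB_cost: int = 12, ext_link: bool = True) -> Graph:
    """Constructed topology: extA/extB are the external routers, intA/intB the internal
    ones, fwA/fwB the firewall pair; the A path (cost 10) is preferred over B (cost 12).
    intB_to_fwB_cost changes only intB's interface cost toward fwB (fwB's side stays 12);
    ext_link=False removes the direct link between the external routers."""
    g: Graph = {}
    add_link(g, "extA", "fwA", 10)
    add_link(g, "fwA", "intA", 10)
    add_link(g, "extB", "fwB", 12)
    add_link(g, "fwB", "intB", 12, reverse_cost=intB_to_fwB_cost)
    add_link(g, "intA", "intB", 5)
    if ext_link:
        add_link(g, "extA", "extB", 5)
    return g


if __name__ == "__main__":
    pairs = [("extA", "intB"), ("extB", "intB"), ("extA", "intA"), ("extB", "intA")]
    print("symmetric costs:", audit(build_topology(), pairs) or "no findings")
    print("one-sided cost change:", audit(build_topology(intB_to_fwB_cost=1), pairs))
    print("external link lost:", audit(build_topology(ext_link=False), [("extA", "extB")]))
```

With symmetric costs the audit is clean; lowering only intB's interface cost toward fwB flips the reply path for two of the pairs onto fwB, and losing the external link makes extA-extB traffic transit both firewalls, the ABR case the first costing slide calls out.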
NSRP: Data-Path Forwarding
NSRP can correct asymmetric state in some situations
• 2) BACKUP device receives packet that matches session from master
• 3) Packet is exception-forwarded (CPU forwarded) to master over HA link
• 4) MASTER forwards packet to end node
Do not rely on this behavior
• Serious performance impact for large amounts of forwarded traffic
Mixed-Mode NSRP (Simple)
Medium-sized enterprise
• Upstream OSPF to routers
• Downstream (Trust)
• Firewall cluster is first-hop router for internal network
• Virtual IP/MAC in Trust VSI
• VSI exported to OSPF
Pros:
• Simple integration of OSPF and Firewalls
• No Asymmetric State
Cons:
• Requires both VSD-less (untrust) and VSD/VSI (trust)
[Figure: firewall pair joined by an HA Link; the UNTRUST side runs OSPF (VSD-less) in OSPF Area X; the TRUST side is an L2 segment served by a VSI: Shared Address]
Mixed-Mode NSRP (VSD-less + DMZ)
Add DMZ network to existing VSD-less NSRP cluster
Pros:
• Allows for DMZ network connected to OSPF meshed network
Cons:
• Must control asymmetric state with OSPF costing
• Requires both VSD-less and VSD/VSI support
[Figure: firewall pair joined by an HA Link; UNTRUST and TRUST are both in OSPF Area X; the DMZ is attached through a VSI advertised as OSPF Passive]
Mixed-mode NSRP Complications
Must link NSRP and OSPF failover in mixed mode
• OSPF makes path calculations based on link state information from routers
• NSRP elects master based on tracking information and priority
• Unidirectional feedback
• Add VSI as OSPF passive interface
• Recommend adding NSRP zone tracking or IP ping tracking to control NSRP failover
[Figure: same topology, UNTRUST and TRUST in OSPF Area X with the DMZ VSI as OSPF Passive; the OSPF Trust-Untrust Transit Path runs through one firewall and the OSPF Untrust-DMZ Transit Path through the other (marked X); VSD 1 Master and VSD 1 Backup each hold lo0, with NAT from loopback1:1]
Questions?
Thank You

 
LayerZero Series 70: eRPP-FS Front/Side Access Remote Power Panel
LayerZero Series 70: eRPP-FS Front/Side Access Remote Power PanelLayerZero Series 70: eRPP-FS Front/Side Access Remote Power Panel
LayerZero Series 70: eRPP-FS Front/Side Access Remote Power PanelLayerZero Power Systems, Inc.
 
IPv6 and IP Multicast… better together?
IPv6 and IP Multicast… better together?IPv6 and IP Multicast… better together?
IPv6 and IP Multicast… better together?Steve Simlo
 

Ähnlich wie Highavailability designs-for-juniper-netscreen-firewalls3740 (20)

Service Chaining - Cloud Network Services at Scale
Service Chaining - Cloud Network Services at ScaleService Chaining - Cloud Network Services at Scale
Service Chaining - Cloud Network Services at Scale
 
Routing to SDN Era
Routing to SDN Era Routing to SDN Era
Routing to SDN Era
 
LTEcloudSecurityIssuesTakeaways-GP
LTEcloudSecurityIssuesTakeaways-GPLTEcloudSecurityIssuesTakeaways-GP
LTEcloudSecurityIssuesTakeaways-GP
 
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USASegment Routing Advanced Use Cases - Cisco Live 2016 USA
Segment Routing Advanced Use Cases - Cisco Live 2016 USA
 
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment OverviewCISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
 
PLNOG 13: Nicolai van der Smagt: SDN
PLNOG 13: Nicolai van der Smagt: SDNPLNOG 13: Nicolai van der Smagt: SDN
PLNOG 13: Nicolai van der Smagt: SDN
 
Opencontrail network virtualization
Opencontrail network virtualizationOpencontrail network virtualization
Opencontrail network virtualization
 
Introduction to Segment Routing
Introduction to Segment RoutingIntroduction to Segment Routing
Introduction to Segment Routing
 
Contrail Deep-dive - Cloud Network Services at Scale
Contrail Deep-dive - Cloud Network Services at ScaleContrail Deep-dive - Cloud Network Services at Scale
Contrail Deep-dive - Cloud Network Services at Scale
 
VXLAN Design and Deployment.pdf
VXLAN Design and Deployment.pdfVXLAN Design and Deployment.pdf
VXLAN Design and Deployment.pdf
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
18-20180514_SRv6_RIPE.pdf
18-20180514_SRv6_RIPE.pdf18-20180514_SRv6_RIPE.pdf
18-20180514_SRv6_RIPE.pdf
 
Logical_Routing_NSX_T_2.4.pptx.pptx
Logical_Routing_NSX_T_2.4.pptx.pptxLogical_Routing_NSX_T_2.4.pptx.pptx
Logical_Routing_NSX_T_2.4.pptx.pptx
 
Gilat accent presentation_2012
Gilat accent presentation_2012Gilat accent presentation_2012
Gilat accent presentation_2012
 
NFD9 - Dinesh Dutt, Data Center Architectures
NFD9 - Dinesh Dutt, Data Center ArchitecturesNFD9 - Dinesh Dutt, Data Center Architectures
NFD9 - Dinesh Dutt, Data Center Architectures
 
Technical introduction to MidoNet
Technical introduction to MidoNetTechnical introduction to MidoNet
Technical introduction to MidoNet
 
Summit 16: Open-O Mini-Summit - Architecture & Technology
Summit 16: Open-O Mini-Summit - Architecture & TechnologySummit 16: Open-O Mini-Summit - Architecture & Technology
Summit 16: Open-O Mini-Summit - Architecture & Technology
 
Обеспечение сетевой безопасности с помощью многоцелевого адаптируемого межсет...
Обеспечение сетевой безопасности с помощью многоцелевого адаптируемого межсет...Обеспечение сетевой безопасности с помощью многоцелевого адаптируемого межсет...
Обеспечение сетевой безопасности с помощью многоцелевого адаптируемого межсет...
 
LayerZero Series 70: eRPP-FS Front/Side Access Remote Power Panel
LayerZero Series 70: eRPP-FS Front/Side Access Remote Power PanelLayerZero Series 70: eRPP-FS Front/Side Access Remote Power Panel
LayerZero Series 70: eRPP-FS Front/Side Access Remote Power Panel
 
IPv6 and IP Multicast… better together?
IPv6 and IP Multicast… better together?IPv6 and IP Multicast… better together?
IPv6 and IP Multicast… better together?
 

Kürzlich hochgeladen

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Kürzlich hochgeladen (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

High-Availability Designs for Juniper NetScreen Firewalls (slide transcript)

Slide 5: ScreenOS Dynamic Routing
ScreenOS is designed for integrated firewall / routing
• Security platform from the ground up
• Integrated static and dynamic routing support
• Multiple virtual IPv4 routing tables / multiple routing instances
Security features
• Screen functions: DoS, IP spoofing and L3/L4 protocol anomaly detection
• Flexible security zone model for all policy
  • Network interfaces are bound to security zones
  • Sessions / flows are bound to zones, not interfaces
    – Allows real-time next-hop changes to existing flows
    – Critical to support dynamic routing in a firewall
Slide 6: High Availability Scenarios
Firewalls are an integral part of the routing topology and need redundancy solutions
• Border protection (Screen/Policy)
  • Inline to the forwarding path at the network border
  • Logical progression for integrated IDP
    – Add IDP into the forwarding path with fewer headaches
• VPN routing edge
  • Redundant VPN termination at a site
  • Stateful failover without dynamic routing impact
Slide 7: Stateful Failover
True security boundaries require stateful inspection
• Firewalls track individual network flows
• They provide stateful enforcement of policies and DoS protection
Redundancy requires stateful awareness
• The firewall cluster must support state synchronization
Failover without state sync:
• Results in loss of existing TCP/UDP sessions
• Users must restart existing protocol connections
Traditional firewall state sync does not account for dynamic routing
Slide 8: Classic Firewall HA Scenario
"Ten-pack" of routers, switches, firewalls, switches and routers
• HSRP/VRRP/NSRP virtual addresses as the next-hop
• Static routing
Pros:
• Simple: no dynamic routing
• No asymmetric state
• Supports all firewall features/functions
Cons:
• May require redundant interfaces
• No dynamic routing through the firewalls
• Requires additional devices (L2 switches)
[Figure: two NetScreen-5200 chassis, Master and Backup, joined by an HA link between the UNTRUST and TRUST sides]
Slide 9: Dynamic Routing / Firewall HA Scenario
[Figure-only slide]
Slide 10: Firewalls in a Dynamic Routing Topology: Why?
Customer desire to integrate firewalls into the existing network topology
• Must support dynamic failover based on OSPF
  • Contiguous OSPF area
  • Full link state in the network edge
  • Advertise prefixes between the internal network and the external routers
• Must support PIM-SM for multicast routing (ScreenOS 5.1)
Interop eNet design
• NSRP VSD-less clusters were originally designed for this topology two years ago
Slide 11: NetScreen Redundancy Protocol
Originally designed to support stateful failover
• Never intended to support asymmetric state
VSD – Virtual Security Device
• Logical failover domain within the firewall
• Master / Backup state machine per VSD
VSI – Virtual Security Interface
• Shared interface (virtual IP/MAC pair)
• Maps traffic into a VSD
RTO Mirror – Real-Time Object Mirroring
• State sync within an NSRP cluster
Slide 12: NSRP: Traditional (L3) Design
Virtual addressing
• NSRP VSI on the firewalls, VRRP or HSRP on the routers
• Virtual MAC addresses are the next-hop in both directions between the routers and the firewall cluster
• Static routes throughout the topology
Single VSD for all traffic
All firewall interfaces are virtual interfaces (VIP/MAC)
• Easy to add additional zones/interfaces (DMZ)
• No asymmetric state
[Figure: NSRP Master and NSRP Backup joined by an HA link; a VRRP Master/Backup router pair on the UNTRUST side and another on the TRUST side; each side uses a virtual address, with static routes on the routers and a default route on the firewalls pointing at it]
Slide 13: NSRP: Traditional (L2) Design
The firewall operates as a logical L2 learning bridge
• The Backup is in L2 blocking state
• Must permit IGP adjacencies through the firewall
• No asymmetric state
Topologies
• Support for proprietary IGPs
• "Drop-in" / transparent firewalls
Slide 14: Transparent Mode NSRP (L2) Operation
Operates as a logical L2 bridge
• MAC learning and forwarding
• Policy engine and forwarding are still based on the 5-tuple
Must carefully engineer the DMZ topology
• An ICMP redirect cannot force traffic across a zone boundary
Limited support for VLANs
• VLAN tags are preserved, but there is a single inspection domain
• No current support for VLAN tag rewrite
• Enhancement coming in the next major ScreenOS release
Slide 15: NSRP Real-Time Object Sync
What is synchronized?
• Sessions / IPsec SAs / crypto and VSD configs
• Master-to-Backup replication in a VSD
• Bidirectional replication in a VSD-less cluster
What is not synchronized?
• Screens (pre-flow processing counters)
• Application Level Gateways
• TCP setup / inspection
[Figure: NSRP Master and NSRP Backup joined by HA link(s) carrying the RTO Mirror; normal traffic flows through the Master, traffic on failover through the Backup]
Slide 16: NSRP Operation
The Master/Backup state machine runs per VSD
• Priority and tracking (weight-based) determine master eligibility
• Tracking: interface / IP reachability (ping) / zone
The Master assumes the virtual IP/MAC addresses of the VSI
• Physical interfaces are in VSD 0
• Additional VSIs (e.g. eth2/1:1)
The Master synchronizes state to the Backup device
The Backup blocks its ports in L2/transparent mode
Slide 17: NSRP State Control: Tracking
NSRP can track various factors to determine master eligibility
• Applies per VSD
• Administrative weight per tracked object
• Failover threshold per VSD
Track:
• Multiple IP addresses
  • Weight per address
• Interfaces
• Zones
  • Behaves like a VLAN on an L3 switch: any one interface with link up == zone up
Slide 18: OSPF and NSRP (The Wrong Way)
VERY slow failover (40-60 s) when OSPF runs on a conventional NSRP VSD
It does support NSRP RTO mirror for session sync
• The NSRP Backup has "down" interfaces in VSD id 0
• The OSPF adjacency is "down" while in the Backup state
• On failover:
  1. Interface comes up
  2. Re-establish the OSPF adjacency (must wait for the OSPF dead interval)
  3. Database exchange
  4. SPF calculation
  5. Populate routes
• Only THEN can it begin forwarding traffic
Slide 19: Dynamic Routing Clusters (1): Justification
Desire to integrate the firewall into the IGP
• Multiple egress paths, integrated into IGP routing
• Control advertisement of default or external routes into the IGP based on exterior connectivity
• Continuity of IGP routing across the firewalls
• OSPF-based dynamic route selection
• Simplified topology (no L2 switching required)
ScreenOS was modified (early 5.0x) to abstract sessions from the interface to the zone
• Allows a route update to a new next-hop without invalidating existing sessions
A new NSRP mode was needed to keep routing adjacencies up
Slide 20: Dynamic Routing Clusters (2): Operation
Dual Masters in VSD id 0
Bidirectional RTO mirroring between cluster members
• All physical interfaces remain active and can support active routing protocol adjacencies
• All devices in the cluster can actively forward traffic
Same as running OSPF on non-clustered devices, but adds session sync
Config:
• Must manually "unset vsd id 0"
• "set nsrp rto-mirror session non-vsi"
Slide 21: Dynamic Routing Clusters (3): Caveats
Primary limitations:
• VERY susceptible to asymmetric state issues
• NAT support requires a more complex config (mixed mode)
• Policy-based VPNs also require it
• In both cases, traffic must return to a single address which may be resident on both devices
Cannot use data-path forwarding as a band-aid
• Both nodes are Master: only a Backup node can perform data-path forwarding
Must use "mixed-mode" NSRP to address these issues
• Unset VSD id 0
• Virtual interfaces in VSD id 1 (loopback for VPN, NAT pool)
Slide 22: HA Considerations: Stateful Forwarding
Real stateful inspection requires bidirectional forwarding
• Traditional routing protocols do not guarantee symmetric bidirectional traffic flows
• ECMP nearly guarantees asymmetric state
• True stateful load balancing requires a reverse hash for the returning microflows
• NetScreen firewalls use session/flow state for all forwarding paths
  • Required for stateful policy inspection
• J/M/T/E series use stateless forwarding
  • LPM / J-Tree lookup per packet for forwarding and firewall filters
Slide 23: ScreenOS – Session State
All forwarded traffic must have a session
• Contains bidirectional flow information
• Route lookup determines the egress zone
• Policy lookup from ingress to egress zone
• NetScreen Systems forward traffic like L3/L4 switches

Example "get session" output from a NetScreen-5200: two OSPF hello sessions (IP protocol 89 to 224.0.0.5) and one telnet session (TCP port 23), each listed with its forward ("->") and reverse ("<-") wing:

  5200-17(M)-> get session
  slot 1: sw alloc 3/max 1000064, alloc failed 0, mcast alloc 0, di alloc failed 0
  slot 2: hw0 alloc 1/max 1048576
  slot 2: hw1 alloc 1/max 1048576
  id 7267/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
  11(0601):10.2.4.2/1->224.0.0.5/1,89,000000000000,15,vlan 0,tun 0,vsd 0,route 0
  3(0010):10.2.4.2/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
  id 7268/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
  7(0601):10.1.4.1/1->224.0.0.5/1,89,000000000000,14,vlan 0,tun 0,vsd 0,route 0
  3(0010):10.1.4.1/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
  id 7269/s01,vsys 0,flag 10200440/0000/03,policy 1,time 1440, dip 0
  11(0801):10.2.2.2/11033->10.1.255.1/23,6,00a0c96cce14,15,vlan 0,tun 0,vsd 0,route 74
  7(4800):10.2.2.2/11033<-10.1.255.1/23,6,00a0c92490e4,14,vlan 0,tun 0,vsd 0,route 44
  Total 3 sessions shown
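The session table is also the quickest way to verify that RTO mirroring (slide 15) is actually delivering state to the other member. The following is an added Python example of mine, not code from the deck or from Juniper: it parses "get session" output into a header and its two wings, keys each session by the forward-wing 5-tuple, and lists flows that the master holds but the backup does not, which are exactly the flows that would drop at failover. The master table is the output shown on this slide; the backup table is constructed for the example. OSPF hello sessions are skipped because every cluster member runs its own adjacencies and never mirrors them.

```python
import re
from dataclasses import dataclass, field

# Session header, e.g.
#   id 7269/s01,vsys 0,flag 10200440/0000/03,policy 1,time 1440, dip 0
_HDR = re.compile(
    r"^id (?P<id>\d+)/(?P<state>\S+?),vsys (?P<vsys>\d+),flag (?P<flag>\S+?),"
    r"policy (?P<policy>\d+),time (?P<time>\d+), dip \d+$"
)
# One wing of a session ("->" forward flow, "<-" reverse flow), e.g.
#   11(0801):10.2.2.2/11033->10.1.255.1/23,6,00a0c96cce14,15,vlan 0,tun 0,vsd 0,route 74
_WING = re.compile(
    r"^(?P<ifidx>\d+)\([0-9a-f]+\):(?P<src>[\d.]+)/(?P<sport>\d+)"
    r"(?P<dir>->|<-)(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+),"
    r"(?P<mac>[0-9a-f]+),\d+,vlan \d+,tun \d+,vsd (?P<vsd>\d+),route (?P<route>\d+)$"
)
OSPF = 89  # IP protocol number; OSPF sessions are local to each member


@dataclass
class Wing:
    ifidx: int        # interface index this wing enters on
    direction: str    # "->" forward, "<-" reverse
    src: str; sport: int; dst: str; dport: int; proto: int
    mac: str          # next-hop MAC resolved for the wing
    vsd: int          # VSD the wing belongs to (0 = physical interfaces)
    route: int        # route entry the wing was built from


@dataclass
class Session:
    id: int; state: str; vsys: int; policy: int; timeout: int
    wings: list = field(default_factory=list)

    @property
    def key(self):
        """Forward-wing 5-tuple; the same flow has the same key on both members."""
        w = self.wings[0]
        return (w.src, w.sport, w.dst, w.dport, w.proto)

    @property
    def control_plane(self):
        return self.wings[0].proto == OSPF


def parse_sessions(text):
    """Turn 'get session' output into Session records; unrelated lines are skipped."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if m := _HDR.match(line):
            sessions.append(Session(int(m["id"]), m["state"], int(m["vsys"]),
                                    int(m["policy"]), int(m["time"])))
        elif (m := _WING.match(line)) and sessions:
            sessions[-1].wings.append(Wing(
                int(m["ifidx"]), m["dir"], m["src"], int(m["sport"]), m["dst"],
                int(m["dport"]), int(m["proto"]), m["mac"], int(m["vsd"]),
                int(m["route"])))
    return sessions


def unsynced_sessions(master_text, backup_text):
    """Flows the master holds that the backup does not: each drops at failover."""
    backup = {s.key for s in parse_sessions(backup_text)}
    return sorted(s.key for s in parse_sessions(master_text)
                  if not s.control_plane and s.key not in backup)


# Master table: the output shown on slide 23.
MASTER_GET_SESSION = """\
5200-17(M)-> get session
slot 1: sw alloc 3/max 1000064, alloc failed 0, mcast alloc 0, di alloc failed 0
slot 2: hw0 alloc 1/max 1048576
slot 2: hw1 alloc 1/max 1048576
id 7267/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
11(0601):10.2.4.2/1->224.0.0.5/1,89,000000000000,15,vlan 0,tun 0,vsd 0,route 0
3(0010):10.2.4.2/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 7268/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
7(0601):10.1.4.1/1->224.0.0.5/1,89,000000000000,14,vlan 0,tun 0,vsd 0,route 0
3(0010):10.1.4.1/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 7269/s01,vsys 0,flag 10200440/0000/03,policy 1,time 1440, dip 0
11(0801):10.2.2.2/11033->10.1.255.1/23,6,00a0c96cce14,15,vlan 0,tun 0,vsd 0,route 74
7(4800):10.2.2.2/11033<-10.1.255.1/23,6,00a0c92490e4,14,vlan 0,tun 0,vsd 0,route 44
Total 3 sessions shown
"""

# Backup table: constructed for this example. It has its own OSPF hello session,
# but the telnet session never arrived over the HA link.
BACKUP_GET_SESSION = """\
5200-18(B)-> get session
id 4101/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
11(0601):10.2.4.3/1->224.0.0.5/1,89,000000000000,15,vlan 0,tun 0,vsd 0,route 0
3(0010):10.2.4.3/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
Total 1 sessions shown
"""
```

Feed it "get session" captures taken from both members within a few seconds of each other; a non-empty result for flows older than a couple of seconds points at the HA link or at RTO mirror configuration rather than at normal replication lag. The regexes match the 5.x output format shown on the slide; other releases may print additional fields and need the patterns adjusted.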
Slide 24: Asymmetric State: Symptoms
A "split-state" environment may appear to work in the lab
• BUT: the TCP handshake is never completed through the same device
  • Half-open sessions: the user sees TCP sessions establish but then freeze (short-lived TCP sessions)
  • You can "disable syn checking", but you lose effective TCP inspection and protection
• ALGs cannot fully inspect control channels
  • Deep Inspection will fail
  • Integrated IDP will fail
  • "Pinholes" may not open correctly
• Some screening functions depend on bidirectional traffic
Slide 25: IGP Costing Exercise (1)
Predictable forwarding path
• Ensure a bidirectional path through the same firewall
• Must not allow transit through multiple firewalls
• If the ABRs are directly connected to the firewalls, make sure there is a valid intra-area route between the ABRs in the firewall area
IGP costing is unidirectional
• Be careful to set IGP costs bidirectionally (both ends of a link must be configured with the same cost)
• Do NOT rely on automatic costing (it varies between vendors and equipment types)
Slide 26: IGP Costing Exercise (2)
Predictable failover
• Control traffic paths in the event of a link-down event
• This design preserves state through a firewall on a single link break
Fast IGP failover:
• No split link
• Can use aggregated interfaces between devices
• Use /30 point-to-point links to skip the dead timer / DR election on link-up
27. IGP Costing Exercise (3)
IGP Costing Dangers:
• Routed DMZ network
• Do not allow transit between firewalls
• Carefully control costs within the OSPF area
• Watch out for asymmetric costs
• Use a separate VR for the DMZ network if necessary
• Carefully test all iterations in a failover topology
(Diagram labels: External Router-A, External Router-B, Internal Router-A, Internal Router-B, DMZ Router)
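A path-symmetry audit for the three costing slides above, written here as an added example and not taken from the presentation. It uses a constructed six-node topology (two external routers, a two-firewall cluster, two internal routers, no link between the firewalls) with directed OSPF costs, checks that the forward and reverse shortest paths of every external/internal pair transit exactly one and the same firewall, and repeats the check under every single link failure; the one_sided_costs() variant is the "configured only one end of the link" mistake the slides warn about.

```python
# Constructed topology, not from the slides. Costs are directed, as OSPF applies
# them: each entry is the cost configured on the egress interface of that link.
FIREWALLS = {"FW1", "FW2"}
LINKS = [("ExtA", "ExtB", 5), ("IntA", "IntB", 5), ("ExtA", "FW1", 8),
         ("FW1", "IntA", 8), ("ExtB", "FW2", 30), ("FW2", "IntB", 30)]
PAIRS = [("ExtA", "IntA"), ("ExtA", "IntB"), ("ExtB", "IntA"), ("ExtB", "IntB")]

def symmetric_costs():
    """Both ends of every link configured to the same cost (FW1 preferred)."""
    return {d: c for a, b, c in LINKS for d in ((a, b), (b, a))}

def one_sided_costs():
    """Cost 30 set on one interface of each FW2 link only; other end left at 10."""
    costs = symmetric_costs()
    costs[("ExtB", "FW2")] = costs[("FW2", "IntB")] = 10
    return costs

def shortest_path(costs, src, dst):
    """Bellman-Ford over directed costs; returns [src, ..., dst] or [] if unreachable."""
    dist, prev = {src: 0}, {}
    for _ in range(len(costs)):
        for (a, b), c in costs.items():
            if a in dist and dist[a] + c < dist.get(b, float("inf")):
                dist[b], prev[b] = dist[a] + c, a
    if dst not in dist:
        return []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]

def check_pair(costs, ext, inner):
    """None if both directions cross exactly one, identical firewall; else a finding."""
    fw_out = [n for n in shortest_path(costs, ext, inner) if n in FIREWALLS]
    fw_back = [n for n in shortest_path(costs, inner, ext) if n in FIREWALLS]
    if fw_out != fw_back or len(fw_out) != 1:
        return "forward via %s, reverse via %s" % (fw_out, fw_back)
    return None

def audit(costs):
    """Check every pair with all links up and again after each single link failure."""
    findings = {}
    for failed in [None] + [(a, b) for a, b, _ in LINKS]:
        trial = {d: c for d, c in costs.items() if failed not in (d, d[::-1])}
        for ext, inner in PAIRS:
            problem = check_pair(trial, ext, inner)
            if problem:
                findings[(failed, ext, inner)] = problem
    return findings
```

audit(symmetric_costs()) returns no findings even with any one link down, while audit(one_sided_costs()) reports ExtB→IntB leaving through FW2 and returning through FW1, the split-state condition described on slide 24.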
28. NSRP: Data-Path Forwarding
NSRP can correct asymmetric state in some situations
• 2) BACKUP device receives packet that matches session from master
• 3) Packet is exception-forwarded (CPU forwarded) to master over HA link
• 4) MASTER forwards packet to end node
Do not rely on this behavior
• Serious performance impact for large amounts of forwarded traffic
29. Mixed-Mode NSRP (Simple)
Medium-sized enterprise
• Upstream OSPF to routers
• Downstream (Trust)
• Firewall cluster is first-hop router for internal network
• Virtual IP/MAC in Trust VSI
• VSI exported to OSPF
Pros:
• Simple integration of OSPF and firewalls
• No asymmetric state
Cons:
• Requires both VSD-less (untrust) and VSD/VSI (trust)
(Diagram labels: HA Link, VSI: Shared Address, OSPF (VSD-less), UNTRUST OSPF Area X, TRUST (L2))
30. Mixed-Mode NSRP (VSD-less + DMZ)
Add DMZ network to existing VSD-less NSRP cluster
Pros:
• Allows for DMZ network connected to OSPF meshed network
Cons:
• Must control asymmetric state with OSPF costing
• Requires both VSD-less and VSD/VSI support
(Diagram labels: HA Link, UNTRUST OSPF Area X, TRUST OSPF Area X, DMZ VSI OSPF Passive)
31. Mixed-Mode NSRP Complications
Must link NSRP and OSPF failover in mixed mode
• OSPF makes path calculations based on link state information from routers
• NSRP elects master based on tracking information and priority
• Unidirectional feedback
• Add VSI as OSPF passive interface
• Recommend adding NSRP zone tracking or IP ping tracking to control NSRP failover
(Diagram labels: HA Link, UNTRUST OSPF Area X, TRUST OSPF Area X, DMZ VSI OSPF Passive, OSPF Trust-Untrust Transit Path, VSD 1 Backup lo0, VSD 1 Master lo0, OSPF Untrust-DMZ Transit Path, NAT from loopback1:1)
32. Questions?
33. Thank You