
Application Note

Using Dynamic Routing with JUNOS and ScreenOS for Active/Active High Availability A Juniper Networks Best Practices Paper

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408.745.2000 1.888 JUNIPER www.juniper.net

Part Number: 350099-001 January 2007


Using Dynamic Routing with JUNOS and ScreenOS for Active/Active High Availability

Table of Contents

Executive Overview ..... 3
Introduction ..... 3
Design Layers ..... 3
    Internet Layer ..... 3
    Firewall Layer ..... 4
    Core Connection Layer ..... 5
Active/Active Design ..... 6
    Internet Connectivity ..... 6
    Edge Routers ..... 7
    Edge Firewalls ..... 13
    Core Connecting Routers ..... 15
Failure Cases ..... 16
    Internet Connectivity Failover ..... 16
    Six-Pack Failover ..... 19
    Backup Path Monitoring ..... 21
Summary ..... 22
Appendix 1: STOAN Hardware Parts List ..... 23
    Edge Routers ..... 23
    Edge Firewalls ..... 23
    Core Connecting Routers ..... 23
Appendix 2: Glossary ..... 24



Copyright ©2007, Juniper Networks, Inc



Executive Overview

The goal of the active/active high availability (HA) network design is to provide the robust security and features that are needed by many enterprises, universities, and large organizations. This document reviews those requirements and then shows a specific high availability design to give administrators a better idea of what high availability means in real-world terms. It is best not to make assumptions, as this is a complex topic to take on. By the end of this application note, the process that was used to create the active/active network design will be clear, along with the significant business benefits it provides.

Introduction

Active/active high availability can be defined as a solution in which all devices are active and capable of passing network traffic. Designing a highly available network presents many challenges to administrators and organizations alike, and its creation can be a difficult task. The construction of such a network requires a symphony of collaboration and synchronization, with a successful plan as the most critical component during the design phase. The focus of this design is twofold. First is a level of availability that goes beyond just redundancy in links and hardware. Second is the assurance that the network will continue to pass traffic in the case of an overwhelming network flood. Whether the flood is intentional or not, it must be controlled to ensure that it does not overtake all of the devices in the network. The active/active design needs to meet many different criteria to be successful. This application note reviews these criteria and the choices that are behind them.

Design Layers

When designing a robust solution to connect the core of an organization's network to the Internet, there are three distinct layers to take into consideration. These layers are the Internet layer, the firewall or security layer, and the core connection layer. Each layer works together with the others to provide a symbiotic network design. This section reviews each of the layers at an abstract level to provide some of the requirements that are needed in the construction of such a design.

Internet Layer

The Internet layer is a services layer that provides Internet access to the rest of the network. This layer consists of two components: the Internet connectivity and the edge routers. The Internet connectivity is the service that will be provided to the rest of the network via this solution. Because the solution is one where high availability is a key design goal, the best suggestion is to use a minimum of two links. This will provide redundancy in case of a link loss. Since this solution is designed to provide Internet connectivity as a service, ensuring its accessibility is key. The edge connecting routers need to provide redundancy as well as ensure service accessibility. The active/active Internet connection requires two edge routers to again provide resilient Internet connectivity. To provide failover for the solution, a BGP feed is required from each of the providers. This allows the Internet to know the best path to the local network in the event of a failure. Routing information is passed back into the core of the network via an interior gateway protocol. The Internet layer also overlaps with the firewall layer by providing some security functions. Where the Internet connection is larger than the network's firewalls can handle, the routers rate limit traffic to the firewalls so that a flood from the Internet does not overwhelm them, preventing a denial of service against both the firewalls and the core network itself. Routers typically provide stateless inspection of traffic.





When a policy enforcement device evaluates traffic on a per-packet basis, it is using stateless inspection. Stateless inspection, or packet filtering, is the oldest form of network policy enforcement. It works by making simple matches on a per-packet basis. As long as the policy statement matches the specific packet, the action will be performed. This type of traffic enforcement is fairly unintelligent and is not as sophisticated as stateful inspection. However, it should still be used in the active/active design because it allows traffic that is not wanted on the network to be filtered out, and it saves the precious resources of the stateful devices for valid traffic. Stateless inspection allows traffic to be filtered asymmetrically. This means that ingress and egress traffic does not need to follow a specific path. This flexibility is required in places like the Internet where there is no guarantee of routing symmetry. Today routers can provide very advanced inspection at a stateless level. In the past, routers could match only source or destination IP addressing. As the technology has evolved, the matching can now be much more specific, right down to options set within specific protocols. If an administrator wants to drop TCP packets with both the FIN and SYN flags set, this is possible. In Juniper's routers, all of this processing is done on dedicated ASICs. This allows an enormous number of Access Control Lists (ACLs) to operate at line rate. Today the focus of any sort of firewall filtering is typically stateful inspection. However, stateful inspection is extremely resource intensive, and in high speed networks where the goal is to remove unwanted traffic types, a router can do this extremely well.
Secondly, the Internet routers are also able to provide counting functions to give an administrator visibility into the network. This empowers the staff to identify any irregular traffic flows on the network. To do this, however, the administrator must first ensure that a solid baseline is established. The delta between the baseline and the current counts will give visibility into any possible trouble on the network.
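The two router functions just described, ordered stateless matching and per-term counting, can be shown in a few dozen lines. The following is an added example and is not code from the application note or from Juniper: a minimal packet filter in the style of a router ACL, with first-match semantics, an implicit discard at the end of the term list, the SYN+FIN match the text mentions, and per-term counters compared against a baseline. The local prefix 198.19.0.0/16 is the one used in the note's configurations; the allowed services, the addresses and the packets are constructed sample data.

```python
# Added example, not from the Juniper application note: a small stateless
# packet filter in the style of a router ACL. Each term matches on header
# fields only (no session state), terms are evaluated in order, the first
# match wins, and a packet no term matches is discarded, as a router filter
# with no final accept term does. Per-term counters give the visibility the
# note describes; compare_counters() reports the change from a baseline.
# All prefixes, ports and packets below are constructed sample data.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as they appear in the TCP header flags byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    tcp_flags: int = 0  # only meaningful when proto == "tcp"


@dataclass
class Term:
    name: str
    action: str                       # "accept" or "discard"
    proto: Optional[str] = None
    src_prefix: Optional[str] = None
    dst_prefix: Optional[str] = None
    dport: Optional[int] = None
    flags_set: int = 0                # every bit here must be set in the packet
    hits: int = 0

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src_prefix and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_prefix):
            return False
        if self.dst_prefix and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_prefix):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.flags_set and (p.proto != "tcp" or (p.tcp_flags & self.flags_set) != self.flags_set):
            return False
        return True


class StatelessFilter:
    def __init__(self, terms):
        self.terms = list(terms)
        self.unmatched = 0

    def evaluate(self, p: Packet) -> str:
        for term in self.terms:           # first matching term decides
            if term.matches(p):
                term.hits += 1
                return term.action
        self.unmatched += 1               # implicit discard at the end of the filter
        return "discard"

    def counters(self) -> dict:
        counts = {term.name: term.hits for term in self.terms}
        counts["implicit-discard"] = self.unmatched
        return counts


def compare_counters(baseline: dict, current: dict) -> dict:
    """Per-term change since the baseline; a term that jumps well above its
    normal rate is the irregular flow the note says the counters reveal."""
    return {k: current.get(k, 0) - baseline.get(k, 0) for k in set(baseline) | set(current)}


def build_edge_filter(local_net: str = "198.19.0.0/16") -> StatelessFilter:
    """Ingress filter for the Internet-facing interface. local_net is the
    note's local prefix; the services allowed through are an assumption."""
    return StatelessFilter([
        Term("anti-spoof", "discard", src_prefix=local_net),            # our own range cannot arrive from outside
        Term("syn-fin", "discard", proto="tcp", flags_set=SYN | FIN),   # the SYN+FIN combination the note cites
        Term("https-in", "accept", proto="tcp", dst_prefix=local_net, dport=443),
        Term("dns-in", "accept", proto="udp", dst_prefix=local_net, dport=53),
    ])


def run_sample():
    """Evaluate constructed packets and return (verdicts, counters)."""
    flt = build_edge_filter()
    packets = [
        Packet("203.0.113.5", "198.19.1.10", "tcp", 443, SYN),        # normal HTTPS open
        Packet("203.0.113.5", "198.19.1.10", "tcp", 443, SYN | FIN),  # invalid flag combination
        Packet("198.19.7.7", "198.19.1.10", "tcp", 443, SYN),         # spoofed inside source
        Packet("203.0.113.9", "198.19.1.10", "udp", 53),              # DNS query
        Packet("203.0.113.9", "198.19.1.10", "tcp", 23, SYN),         # telnet, no term allows it
    ]
    verdicts = [flt.evaluate(p) for p in packets]
    return verdicts, flt.counters()


if __name__ == "__main__":
    verdicts, counts = run_sample()
    print(verdicts)
    print(compare_counters({name: 0 for name in counts}, counts))
```

Term order matters in the same way it does on a router: the anti-spoof term sits first so that a spoofed packet is counted there rather than under a service term, and the trailing implicit discard is what catches everything the administrator did not explicitly allow.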

Firewall Layer

The primary task of the firewall layer is to provide security functions between the core network and the Internet. The firewalls provide stateful inspection of the traffic going through the network. Stateful inspection allows a firewall to follow the state of a session's communications. A session consists of two separate flows. Each flow is made up of one host talking in a unidirectional fashion to another host. Stateful inspection allows the state of the entire communication to be monitored, rather than just determining on a packet-by-packet basis whether the traffic should be allowed. Many protocols do not function in ways that enable a stateless device to work effectively. One example of this is the File Transfer Protocol (FTP), which chooses a return port at random on which to talk back to the client. In a stateless environment, it is nearly impossible to write an effective ACL that ensures the return traffic will be allowed back to the host securely. A stateful firewall watches the state of the communications, notices which port is negotiated, and allows that connectivity to occur back to the original host. The challenge with a stateful firewall versus a stateless firewall is that communication through the stateful firewall needs to be symmetrical. All data must come back through the same firewall in the expected order, and the packets sent and received must match. If, in the middle of a conversation, several packets are not seen by the stateful firewall, the communication can be considered broken, and this will break the connection. This is the problem that arises as we begin to look at stateful high availability. The high availability (HA) design must allow for symmetrical flows to occur through a single firewall. If it doesn't, communications could break and all active sessions could be killed.





To ensure symmetrical flows through the firewall layer, the edge routers, firewalls, and core connecting routers all need to work together using an IGP for path selection. A single path is chosen through the IGP's algorithm, which allows for symmetrical flows through the solution. This is another example of the three layers working in concert as one. Beyond the traditional inspection done in a firewall, there is a way to look into the actual state inside the application data transfer. Specialized firewall devices have the capability to run full Intrusion Prevention System (IPS) capabilities. These devices can look for attacks inside the data stream, going beyond just looking at state and port/protocol information. The ability to do this extends the firewall's capability greatly. It can prevent attacks before they come into the network, at the locations where the firewalls sit, or before they leave the network.
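The symmetry requirement in the two paragraphs above is easiest to see with two independent session tables side by side. The following is an added example, not code from the application note or from Juniper's firewalls: two stateful firewalls that each create a session on the first allowed packet, accept the reply flow only against an existing session, and drop a reply that returns through the other firewall; an FTP-style expect() shows how a negotiated data port is tracked from the control session, which a stateless ACL cannot express. The inside prefix 198.19.0.0/16 is the note's; the policy (inside hosts may initiate outbound), the addresses and the ports are constructed.

```python
# Added example, not from the Juniper application note: two stateful
# firewalls with independent session tables, to show why the note requires
# symmetric flows through a single firewall. A firewall creates a session
# when policy allows the first packet of a flow, accepts the reply flow only
# if a matching session exists, and drops a reply that arrives without one.
# The FTP-style data connection uses expect() to record the port negotiated
# on the control session, which is what a stateless ACL cannot express.
# Addresses, ports and policy are constructed sample data.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow; a session is this flow plus its reverse."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


class StatefulFirewall:
    def __init__(self, name: str, inside_net: str):
        self.name = name
        self.inside = ipaddress.ip_network(inside_net)
        self.sessions = set()    # keyed by the initiating flow
        self.expected = set()    # inbound flows negotiated by an ALG

    def _policy_allows(self, flow: Flow) -> bool:
        # hypothetical policy: hosts on the inside network may initiate anything outbound
        return ipaddress.ip_address(flow.src) in self.inside

    def handle(self, flow: Flow) -> str:
        if flow in self.sessions or flow.reverse() in self.sessions:
            return "accept"                      # belongs to an established session
        if flow in self.expected:
            self.expected.discard(flow)          # negotiated data connection, opened once
            self.sessions.add(flow)
            return "accept"
        if self._policy_allows(flow):
            self.sessions.add(flow)              # policy hit: create the session
            return "accept"
        return "drop"                            # neither policy nor state allows it

    def expect(self, control: Flow, data: Flow) -> bool:
        """An FTP-style ALG: only an established control session may open a
        pinhole for the server-initiated data connection."""
        if control in self.sessions:
            self.expected.add(data)
            return True
        return False


def symmetric_exchange(fw: StatefulFirewall, flow: Flow) -> list:
    """Request and reply both traverse the same firewall."""
    return [fw.handle(flow), fw.handle(flow.reverse())]


def asymmetric_exchange(fw_out: StatefulFirewall, fw_back: StatefulFirewall, flow: Flow) -> list:
    """Request leaves through one firewall, reply returns through the other."""
    return [fw_out.handle(flow), fw_back.handle(flow.reverse())]


def ftp_data_demo(fw: StatefulFirewall) -> list:
    control = Flow("198.19.5.20", 40000, "203.0.113.21", 21)
    data = Flow("203.0.113.21", 20, "198.19.5.20", 41000)   # server opens this (active FTP)
    verdicts = [fw.handle(control)]
    fw.expect(control, data)                                 # port learned from the control channel
    verdicts.append(fw.handle(data))
    return verdicts


def run_sample() -> dict:
    isg_a = StatefulFirewall("ISG-A", "198.19.0.0/16")
    isg_b = StatefulFirewall("ISG-B", "198.19.0.0/16")
    web = Flow("198.19.5.20", 50000, "203.0.113.80", 443)
    return {
        "symmetric": symmetric_exchange(isg_a, web),
        "asymmetric": asymmetric_exchange(isg_a, isg_b, web),
        "ftp_with_state": ftp_data_demo(isg_a),
        "ftp_no_state": StatefulFirewall("ISG-B", "198.19.0.0/16").handle(
            Flow("203.0.113.21", 20, "198.19.5.20", 41000)),
    }


if __name__ == "__main__":
    for case, verdict in run_sample().items():
        print(case, verdict)
```

The asymmetric case is the failure the note is designing around: the reply is legitimate, but the firewall it reaches has never seen the session and has no policy allowing an Internet host to initiate, so it drops the packet and the connection stalls.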

Core Connection Layer

Connecting the network to the core infrastructure requires solid connectivity. This is the point where the existing infrastructure will be connected into the new solution. The important task is to provide separation between the core and the edge, yet still provide connectivity between the two. This is the location where a border with the existing IGP is provided and where the default route of the network needs to point to Internet access. The core connecting layer may, however, have more connection points than the Internet edge routers. The core connection routers may provide termination for both WAN and LAN connections alike. Using an IGP, the network reachability information from the core can be passed up into the active/active solution and shared. The task of the core connecting router is also to prevent the firewalls from being overwhelmed with useless traffic floods. However, the job here will be more difficult, as the connection into the core will most likely be faster than the Internet connection. Understanding the typical traffic pattern is crucial to being able to determine an anomalous pattern. This again can be done if a baseline is established on the network first.






Active/Active Design

The core network design for this solution is called the six-pack design. It represents a very typical design for both the educational institution and enterprise alike. The network is depicted below in Figure 1.

[Figure 1 (image not reproduced): the six-pack topology in AS 65000. Lane A consists of Internet A, M7i-A, ISG2000-A and M10i-A; Lane B consists of Internet B, M7i-B, ISG2000-B and M10i-B. The edge routers and firewalls sit in OSPF Area 1 and the core connecting routers also join OSPF Area 0. Interfaces labeled: M7i ge-0/1/0; ISG2000 eth1/7, eth1/8, eth2/1 and eth2/2; M10i ge-0/3/0, ge-1/2/0 and ge-0/2/0.]

Figure 1 Active/Active Design

There are three tiers to this design: Internet edge routers, edge firewalls, and core connecting routers. Each tier is designed to complement the others and complete a specific task. The core connecting routers are the first tier and connect into both the core and the edge. This tier is designed as the routing gateway from the core to the Internet. The second tier is the firewall tier. This tier is designed to provide both traditional stateful firewall functions and attack protection via an integrated IPS function. It is also integrated into the routing design in a very limited way. The last tier is the edge routing tier. This tier directly connects to the Internet providers and provides the routing edge between them and the core. When looking at this design, it is possible to quickly identify a few components that are part of the high availability design. Each component was chosen for a specific reason, to meet a specific need, in order to provide the best design for availability. The different architectural components selected are requirements of any network needing to provide access. The level of redundancy of each of the components is the critical decision factor. In this section, we will look at the redundant systems and the design chosen for each of them.

Internet Connectivity

The connectivity to the Internet is a critical decision, as this is the service that is being provided through the solution to the rest of the network. For the solution being discussed, it is best to use two different Internet Service Providers (ISPs) and a Dynamic Routing Protocol (DRP). This gives the design two distinct provider networks for redundancy. Secondly, the choice of a dynamic routing protocol gives the network the dynamic path selection needed to make the two providers automatically fail over between each other. In this design for the Internet, load balancing or load sharing was not a design consideration. This topic will be covered in a future revision of this paper.





This design uses connections to two separate providers, which gives access to two completely separate networks. Each is diverse and provides a different peering design on the Internet. This provides a fairly redundant connectivity base on the Internet. It is possible to use more than two providers, and this decision is up to the organization when choosing this part of the design. The more connections that are provided, the greater the potential availability. However, the second part of the equation is the required capacity. The requirement for the network was to provide one Gigabit per second of throughput. The connectivity chosen was two gigabit fiber Ethernet drops in order to provide the N+1 redundancy needed in this component of the design. Because load sharing was not a requirement, this met the capacity component of the design as well. However, if an organization wants to create an Internet connectivity design that increases capacity and still provides redundancy, it will need to increase the speed of the links or increase the number of links to share the load.

Edge Routers

In the STOAN solution, the edge routers deployed were Juniper Networks M7i routers. These were selected for two primary reasons: interface capacity and throughput. The STOAN network is comprised of Gigabit fiber connections. As you can see in Figure 2 below, each router uses three links in total. This allows the solution to add additional interface cards if needed. This could be an additional Internet link or an additional cross connection to create a full mesh solution. Secondly, the M7i is capable of up to 7Gbps half duplex or 3.5Gbps full duplex, which is much more than what is required for the solution here. A possible upgrade would be to choose the M10i router. The benefit gained would be intra-chassis redundancy by having two routing engines.

[Figure 2 (image not reproduced): the Internet layer of Figure 1. Internet A and Internet B connect to M7i-A (Lane A) and M7i-B (Lane B) in AS 65000; the ge-0/1/0 interface is labeled on the edge routers.]

Figure 2 M7i Edge Routers

So far the connectivity to the Internet for this design has been reviewed. However, there are two other links represented in Figure 2. Before these links are discussed, it is important to understand the concept of the lanes. The active/active six-pack is broken up into two different lanes or paths. These are labeled as Lane A and Lane B. Lane A is the preferred path and Lane B is the secondary or backup path. Each of the two edge routers is linked to the other via a single gigabit Ethernet link. This link provides a transit path around the less preferred or failed path. It provides continuity to the Internet so both Internet connections can be used for the best possible path to the remote networks, and it also covers the case where a packet is asymmetrically routed over the Internet and returns over the less preferred link. If this link is lost, the network could enter a state where packets exit via the primary lane's Internet link and then return via the secondary, less preferred link. The firewalls will be able to compensate for this if it is an occasional packet. However, this is not the desired solution. The best option would be to have a fully meshed design. This design is scheduled to be tested for future releases of this paper.





The link between these two routers is monitored with Bidirectional Forwarding Detection, or BFD. BFD is a draft protocol that allows for sub-second detection of link failure. It integrates with the routing protocol and tells it when the peer is down, allowing for extremely quick convergence on a network where it is used. In this scenario, it will remove this path from the routing protocol within 900ms. Without BFD, this typically takes up to forty seconds. It is considered best practice to use BFD where available. Each one of the edge routers has a single connection to the firewall below it, as seen in Figure 2. This connection is weighted differently in the routing protocol Open Shortest Path First (OSPF) based upon the lane used. In the primary Lane A, the link is weighted as 10. On Lane B, the weight is 1000. This ensures that this path will always be the highest cost path out of the network. The weight 1000 will be more than the combined sum of the costs of the other links in the HA solution, and this is why such a high metric is used. Below in Figure 3, the weight of the interfaces is outlined.

[Figure 3 (image not reproduced): the Figure 1 topology annotated with OSPF interface costs. The Lane A links between M7i-A, ISG2000-A and M10i-A and the inter-router links are cost 10; the ISG2000-B and M7i-B links on Lane B are cost 1000; a cost 25 label appears next to a ge-0/2/0 interface. The edge routers and firewalls are in OSPF Area 1 and the M10i routers also join OSPF Area 0.]

Figure 3 OSPF weights

The configuration of the routing protocols is particularly important on the routers. It is critical that they are properly configured to ensure that the correct routing occurs throughout the solution. Below is the configuration of the routing protocols for both of the edge routers. In Example 1, the routing configuration for M7i-A is displayed. With the M7i-A router being the preferred path, the metrics are configured so that it is selected as the best path.






admin@M7iA> show configuration protocols
bgp {
    group internal {
        type internal;
        local-address 198.19.0.15;
        peer-as 65000;
        neighbor 198.19.0.17;
    }
    group external {
        type external;
        export localetwork;
        neighbor 192.168.129.1 {
            local-address 192.168.129.2;
            peer-as 65001;
        }
    }
}
ospf {
    export [ defaultAggregate exportLocal ];
    area 0.0.0.1 {
        interface ge-0/1/0.0 {
            interface-type p2p;
            metric 10;
            authentication {
                simple-password "$9$VXsgJikP36AGD6Ap0hcbs2"; ## SECRET-DATA
            }
        }
        interface ge-0/2/0.0 {
            interface-type p2p;
            passive;
            metric 10;
        }
        interface ge-1/3/0.0 {
            interface-type p2p;
            metric 10;
            bfd-liveness-detection {
                version 1;
                minimum-interval 300;
                multiplier 3;
            }
        }
    }
}

admin@M7iA> show configuration policy-options
policy-statement EbgpNeigh {
    term neighborAccept {
        from {
            protocol bgp;
            neighbor 192.168.129.1;
            route-filter 198.18.0.0/16 orlonger;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}
policy-statement defaultAggregate {
    term defaultRoute {
        from {
            protocol aggregate;
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
}
policy-statement exportLocal {
    term export-l0 {
        from {
            route-filter 198.19.0.15/32 exact;
        }
        then accept;
    }
    term exportLocalExtern {
        from {
            protocol direct;
            route-filter 192.168.129.0/29 exact;
        }
        then accept;
    }
}
policy-statement fromOspf {
    term accepOspf {
        from protocol ospf;
        then accept;
    }
    term rejectAll {
        then reject;
    }
}
policy-statement localetwork {
    term localNet {
        from {
            route-filter 198.19.0.0/16 exact;
        }
        then accept;
    }
    term rejectAll {
        then reject;
    }
}
admin@M7iA>

Example 1 M7i-A Routing Configuration

The M7i-B is the less preferred path through the solution. In Example 2 shown below, the routing metrics are configured to ensure that Lane B is used only in case of a failure.




admin@M7iB> show configuration protocols
bgp {
    group internal {
        type internal;
        local-address 198.19.0.17;
        family inet {
            unicast;
        }
        peer-as 65000;
        neighbor 198.19.0.15;
    }
    group external {
        type external;
        multihop;
        export localetwork;
        neighbor 192.168.130.1 {
            local-address 192.168.130.2;
            peer-as 65002;
        }
    }
}
ospf {
    export [ defaultAggregate exportLocal ];
    area 0.0.0.1 {
        interface ge-0/1/0.0 {
            interface-type p2p;
            metric 1000;
            authentication {
                simple-password "$9$F0vf6CuRhr8X-O1X-VwaJ369"; ## SECRET-DATA
            }
        }
        interface ge-0/2/0.0 {
            interface-type p2p;
            passive;
            metric 25;
        }
        interface ge-1/3/0.0 {
            interface-type p2p;
            metric 10;
            bfd-liveness-detection {
                version 1;
                minimum-interval 300;
                multiplier 3;
            }
        }
    }
}

admin@M7iB> show configuration policy-options
policy-statement EbgpNeigh {
    term neighborAccept {
        from {
            protocol bgp;
            neighbor 192.168.130.1;
            route-filter 198.18.0.0/16 orlonger;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}
policy-statement defaultAggregate {
    term defaultRoute {
        from {
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
}
policy-statement exportLocal {
    term export-l0 {
        from {
            route-filter 198.19.0.17/32 exact;
        }
        then accept;
    }
    term exportLocalExtern {
        from {
            protocol direct;
            route-filter 192.168.130.0/29 exact;
        }
        then accept;
    }
}
policy-statement fromOspf {
    term accepOspf {
        from protocol ospf;
        then accept;
    }
    term rejectAll {
        then reject;
    }
}
policy-statement localetwork {
    term localNet {
        from {
            route-filter 198.19.0.0/16 exact;
        }
        then {
            as-path-prepend 65000;
            accept;
        }
    }
    term rejectAll {
        then reject;
    }
}
admin@M7iB>

Example 2 M7i-B Routing Configuration





Edge Firewalls

The two edge firewalls are ISG 2000s, each containing three security modules. The ISG 2000s were chosen for their capability to provide both traditional stateful firewall connectivity and network attack prevention with the integrated IPS modules. Each firewall contains four gigabit Ethernet interfaces. Two of the interfaces are dedicated as HA links. The other two are designated as transit interfaces. Each transit interface is directly connected to a separate router: one to an edge router and the other to the core connecting router. This provides a simple ingress/egress design for the network.

[Figure 4 (image not reproduced): ISG2000-A and ISG2000-B in OSPF Area 1, with interfaces eth1/7, eth1/8, eth2/1 and eth2/2 labeled on each firewall.]

Figure 4 Edge Firewalls

The firewalls operate in what is considered an active/active NSRP cluster. An active/passive NSRP cluster only allows one firewall at a time to maintain routing adjacencies. In the event of a failover, the newly active firewall must create its adjacencies and install the newly learned routes in its route table on demand. In this design, each firewall is required to operate as an integrated routing device. To do this, each firewall has to have its own unique IP addresses on each interface. This requires the creation of an active/active cluster and the deletion of any existing virtual security devices, or VSDs. A VSD gives each device a shared IP address amongst the cluster. In this case, each device has its own individual IP address. Routing is handled with OSPF, so there is no need to share an IP address amongst the firewalls. Below in Example 3 are the commands used to create the NSRP cluster for firewall ISG 2000-A.

isg2000a(M)-> get config | inc nsrp
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp rto-mirror session non-vsi
unset nsrp vsd-group id 0
set nsrp encrypt password netscreen
set nsrp auth password netscreen
set nsrp monitor interface ethernet2/2
set nsrp monitor interface ethernet2/1
isg2000a(M)->

Example 3 ISG 2000-A NSRP Configuration

The configuration of ISG 2000-B is identical. This is a requirement for the cluster to operate correctly. This is shown below in Example 4.

isg2000b(M)-> get config | inc nsrp
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp rto-mirror session non-vsi
unset nsrp vsd-group id 0
set nsrp encrypt password netscreen
set nsrp auth password netscreen
set nsrp monitor interface ethernet2/2
set nsrp monitor interface ethernet2/1
isg2000b(M)->

Example 4 ISG 2000-B NSRP Configuration




This design takes much of the routing burden off of the firewalls. The firewalls and the edge routers reside exclusively in a separate OSPF area, with the core connecting routers acting as area border routers. In this design, they are in OSPF Area 1, and this reduces the number of link state acknowledgements (LSAs) that are sent to the firewalls and the edge routers. Below in Example 5, the OSPF configuration for ISG 2000-A is shown. As this is the preferred path, the configured metrics on the interfaces are lower. Authentication for OSPF is used between the routers and firewalls. This ensures that the firewalls do not receive spoofed OSPF packets. Because the links between the firewalls and the routers are directly connected, they cannot be sniffed, and this protects the passwords from being cracked.

isg2000a(M)-> get config
--snip--
set vrouter "trust-vr"
unset auto-route-export
set ignore-subnet-conflict
set protocol ospf
set enable
set area 0.0.0.1
exit
--snip--
set interface ethernet2/1 protocol ospf area 0.0.0.1
set interface ethernet2/1 protocol ospf link-type p2p
set interface ethernet2/1 protocol ospf enable
set interface ethernet2/1 protocol ospf cost 10
set interface ethernet2/1 protocol ospf authentication password "juniper"
set interface ethernet2/2 protocol ospf area 0.0.0.1
set interface ethernet2/2 protocol ospf link-type p2p
set interface ethernet2/2 protocol ospf enable
set interface ethernet2/2 protocol ospf cost 10
set interface ethernet2/2 protocol ospf authentication password "juniper"
set interface loopback.1 protocol ospf area 0.0.0.1
set interface loopback.1 protocol ospf passive
set interface loopback.1 protocol ospf enable
--snip--
isg2000a(M)->

Example 5 ISG 2000-A OSPF Configuration

Because the firewall ISG 2000-B is the less preferred path, it has higher metrics configured on each interface. This can be seen below in Example 6.

isg2000b(M)-> get config
--snip--
set vrouter "trust-vr"
unset auto-route-export
set ignore-subnet-conflict
set protocol ospf
set enable
set area 0.0.0.1
exit
--snip--
set interface ethernet2/1 protocol ospf area 0.0.0.1
set interface ethernet2/1 protocol ospf link-type p2p
set interface ethernet2/1 protocol ospf enable
set interface ethernet2/1 protocol ospf cost 1000
set interface ethernet2/1 protocol ospf authentication password "juniper"
set interface ethernet2/2 protocol ospf area 0.0.0.1
set interface ethernet2/2 protocol ospf link-type p2p
set interface ethernet2/2 protocol ospf enable
set interface ethernet2/2 protocol ospf cost 1000
set interface ethernet2/2 protocol ospf authentication password "juniper"
set interface loopback.1 protocol ospf area 0.0.0.1
set interface loopback.1 protocol ospf passive
set interface loopback.1 protocol ospf enable
isg2000b(M)->

Example 6 ISG 2000-B OSPF Configuration



Each of the Ethernet links is monitored on the firewall. If one of the links fails, the firewall moves into a failed state, which stops it from passing any traffic. The firewalls in this design do not support BFD, so in this case it is not configured. The monitored interfaces are shown above in Example 3 for ISG 2000-A and Example 4 for ISG 2000-B.

Core Connecting Routers

The two bottom routers are connected to the core network. They represent the beginning of the edge network. These routers are designed to provide symmetrical routing and connectivity between the core and the edge network. Two Juniper Networks M10i routers are used as the core connecting routers to provide additional connectivity interfaces to the core network. The M10i is capable of using up to eight Physical Interface Cards (PICs), and in addition the M10i routers have intra-chassis redundancy. They contain two routing engines, which allows for redundancy inside of the unit. It is an additional level of fault tolerance. M7i routers can replace the M10i routers in situations where routing engine redundancy and interface capacity aren't needed.

[Figure 5 (image not reproduced): M10i-A and M10i-B with interfaces ge-0/3/0, ge-1/2/0 and ge-0/2/0 labeled, connecting into OSPF Area 0.]

Figure 5 Core Connecting Routers

The core network in this design uses OSPF Area 0. The edge network is set up as a separate area, in this case Area 1. This separation reduces the stress on the control plane of the firewall by limiting the number of Link State Acknowledgements (LSAs) in the OSPF database. With this implementation, the administrator can easily add this design to the existing OSPF network. The OSPF configuration for M10i-A is shown below in Example 6.

admin@M10i-A> show configuration protocols
ospf {
    export export-lo0;
    area 0.0.0.1 {
        interface ge-0/3/0.0 {
            interface-type p2p;
            metric 10;
            authentication {
                simple-password "$9$p0glOIcKMXbs4yls4aZkquO1"; ## SECRET-DATA
            }
        }
        interface fe-1/3/0.0 {
            interface-type p2p;
        }
        interface ge-1/2/0.0 {
            interface-type p2p;
            metric 10;
            bfd-liveness-detection {
                version 1;
                minimum-interval 300;
                multiplier 3;
            }
        }
    }
    area 0.0.0.0 {
        area-range 10.100.0.0/16;
        area-range 10.200.0.0/16;
        interface ge-0/2/0.0 {
            metric 10;
        }
    }
}
admin@M10i-A>

Example 6 ISG 2000-B OSPF Configuration Each router utilizes three gigabit Ethernet links for connectivity within the network. The first gigabit Ethernet link connects the core connecting router to a single firewall. The second link interconnects each of the two routers together and the last link connects directly back into the core. The link connecting into the core network is configured into OSPF Area 0 with the other two links in OSPF area 1. BFD has been configured between both of the routers to ensure quick dead-peer detection.

Failure Cases
The active/active design offers some excellent advantages over the active/passive NSRP solution. It allows the firewalls to maintain active routing adjacencies with all of their peers, and it allows all of the devices to be in an active state. An active/passive design cannot do this: the passive device is unable to pass traffic until it becomes active, so a potential problem can only be identified when the device is relied upon to run the network. With the active/active design described here, only one path is used to pass traffic, while monitoring traffic is passed over the backup link to ensure that the path can carry traffic. This is called the active/backup design. In the active/backup design, the backup path carries monitoring traffic while the primary path passes the active traffic, which ensures that the secondary path works in the event of a failure.

Internet Connectivity Failover
For failover between the two providers, this design implements the dynamic routing protocol (DRP) BGP, the Border Gateway Protocol. This allows the network to advertise its routes to both of the ISPs and also gives the solution some path preference. On the Internet, path selection is a complex process, and one of the most important factors is autonomous system path selection. Figure 6 below is a diagram of the Internet design in the test solution lab.



[Figure 6: Testing Lab. ISP routers M7R-A, M7R-B and M7R-C (AS65001 to AS65003, eBGP full routing, 198.18.0.0/16); edge routers M7i-A (198.19.0.15) and M7i-B (198.19.0.17) in AS65000 with eBGP sessions to the ISPs; ISG2000-A (198.19.0.11) and ISG2000-B (198.19.0.13) in OSPF Area 1; M10i-A (198.19.0.10) and M10i-B (198.19.0.12) toward OSPF Area 0 and VRF 101 (198.19.0.1/16). Edge router annotation: receives full routing from J6300-B and J6300-A, receives 198.18/16 from VRF109, injects 0/0 into OSPF. M10i-A annotation: receives 198.19/16 from Area 0 and 0/0 from Area 1.]
Figure 6 Testing Lab

The lab uses an Internet reference design and an active BGP feed from the Internet. This subjects the lab to the stresses that actually occur on the Internet, with constant route flapping and path calculation. The subnets used are propagated to both of the service providers, each over a different path. The service provider labeled M7R-A receives an unchanged AS path from the M7i-A router. Toward the less preferred path (M7R-B), however, M7i-B sends the core network's routing information out with a modified path: an additional AS hop is prepended to all of the routes leaving that side. When BGP performs path selection, it takes into account how many autonomous systems must be traversed to reach the specified network. When routes are sent to the upstream peer, we prepend an additional hop carrying our own AS. Instead of sending "route 65000", we send "route 65000 65000", so that when the calculation is done this link is less preferred than the connection to ISP A. The key word here is LESS preferred: the sheer size of the Internet makes it impossible to control exactly how traffic flows once it leaves a particular network.



As seen again in Figure 6, each ISP is directly connected to a distinct, separate router. Each router has one external BGP (eBGP) session to the directly connected provider. To give the design routing continuity to the Internet, each of these routers then has an internal BGP (iBGP) session to the other. Internal BGP is a session that occurs within an autonomous system, whereas eBGP runs between two autonomous systems. This allows the network to choose the best possible path to the remote network. The goal here is not load sharing but providing the most efficient path to the remote network. It is also possible for a packet to exit one Internet link and return via the other because of the remote network's routing policy. This is accounted for in the design by controlling return traffic using the IGP; the active preferred path is symmetrical due to the IGP costing. Failover between the links is automatic because of the use of BGP. Once a link goes away, the propagation of the core network's routes over it stops as well. That path is then removed from the Internet, and the other path is left to route all traffic. While this process is very straightforward due to the solid design, it is not instantaneous: it may take several minutes for the change to propagate through the Internet. The failover inside of the design, however, takes just a few minutes; in the testing done, it occurred in about two minutes. Traffic flowed using the default route provided by the Interior Gateway Protocol. Once the BGP session has failed, the path of the default route changes. In Example 1 above, the aggregate routing information can be seen. The default route is generated when a router has an active BGP connection; it is generated locally as an aggregate and as a reject route.
Because the edge routers have a complete routing table to the Internet, the reject route drops any other traffic that is not destined to an active BGP route. This preserves bandwidth on the links: if the route does not exist in BGP, there is no reason to forward the traffic. If the eBGP peering connection is lost, the router no longer distributes the default route into the IGP. Figure 7 below shows the default route being generated.
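The mechanisms described above, as an added Python model with constructed data (it is not the note's Example 1 or any Juniper configuration): AS-path prepending makes the remote best path run through ISP A, the default route each edge router injects into OSPF disappears when its eBGP session drops so the core follows the other router, and destinations with no BGP route hit the reject default. The metrics, prefixes and router labels are assumptions.

```python
# Added example with constructed data; not the application note's
# configuration. It models the three mechanisms the note's Internet failover
# relies on: AS-path prepending toward the less-preferred ISP, a default route
# that exists only while eBGP is up, and a reject default for unrouted traffic.
from ipaddress import ip_address, ip_network

LOCAL_AS = 65000


def as_path_via(isp_as, prepend=0):
    """AS path a remote network sees for AS65000 through one ISP: the ISP's AS,
    ours once, plus `prepend` extra copies ("65000" -> "65000 65000")."""
    return [isp_as] + [LOCAL_AS] * (1 + prepend)


def remote_best(paths):
    """Best path as a remote AS picks it: shortest AS path, label as tie-break."""
    return min(paths, key=lambda isp: (len(paths[isp]), isp))


class EdgeRouter:
    """One M7i edge router: eBGP to its ISP, default route exported to OSPF."""

    def __init__(self, name, ospf_metric):
        self.name = name
        self.ospf_metric = ospf_metric  # constructed external metric for 0/0
        self.ebgp_up = False
        self.bgp_table = {}             # prefix -> AS path learned via eBGP

    def default_route(self):
        """Aggregate 0/0 is active only while eBGP contributes routes."""
        if self.ebgp_up and self.bgp_table:
            return {"via": self.name, "metric": self.ospf_metric}
        return None

    def forward(self, dst):
        """Longest match in the BGP table; anything else hits the reject route."""
        addr = ip_address(dst)
        hits = [p for p in self.bgp_table if addr in ip_network(p)]
        if not hits:
            return "reject"
        return max(hits, key=lambda p: ip_network(p).prefixlen)


def core_default_via(edge_routers):
    """Edge router the core's default points at: lowest metric among active 0/0s."""
    active = [d for d in (r.default_route() for r in edge_routers) if d]
    return min(active, key=lambda d: d["metric"])["via"] if active else None


def failover_demo():
    """Both eBGP sessions up, then ISP A's session lost; returns (before, after)."""
    a, b = EdgeRouter("M7i-A", 10), EdgeRouter("M7i-B", 1000)
    for r in (a, b):
        r.ebgp_up = True
        r.bgp_table["198.18.0.0/16"] = [65003]  # constructed route from AS65003
    before = core_default_via([a, b])
    a.ebgp_up = False                            # eBGP to ISP A fails
    return before, core_default_via([a, b])
```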



[Figure 7: Default Route. The same lab topology as Figure 6, annotated at the edge routers: "Default route generated because eBGP adjacency is up".]
Figure 7 Default Route

Six-Pack Failover
The high availability solution is tested to tolerate device failure while still maintaining an active path between the Internet and the core routing. Each layer of the design has a redundant component, so it is possible to lose one device from each layer and continue to pass traffic. However, the design is linear, which means that if one device in Lane A and one device in Lane B are lost in successive layers, the design will fail. This will be addressed by using a fully meshed design in a future release of this document; however, the probability of this type of failure from a hardware perspective is very small. Figure 8 below shows the typical OSPF route selection.



[Figure 8: OSPF Path Selection. Lane A (Internet A, M7i-A, ISG2000-A, M10i-A) and Lane B (Internet B, M7i-B, ISG2000-B, M10i-B) in AS 65000, spanning OSPF Area 1 and Area 0. Lane A links carry cost 10 and Lane B links cost 1000, with further costs of 20, 25, 30 and 2000 shown; the chosen path is marked.]
Figure 8 OSPF Path Selection

Inside the six-pack design, the most critical requirement is to control traffic flow and keep it symmetrical. This is done with OSPF weighting; Figure 8 above illustrates how the interfaces are weighted. The design enforces Lane A as the preferred path through the network whenever that path is up, because it has the lower metric. To fail over to the secondary path, one of the devices or links in Lane A must fail. Failover inside the six-pack typically recovers within a second with this design. This failure scenario is shown in Figure 9 below.

[Figure 9: The Figure 8 topology with a failed device in Lane A marked X; the chosen path moves to Lane B, with cost 2000 shown.]
Figure 9 OSPF Path Selection with failed device



The IGP can easily correct for a failure of these routers. If the link to the firewall above the router fails, the route received from upstream is no longer propagated to its neighbors, nor are the routes to the core propagated upstream. If the connection between the two routers is severed, that path is no longer available; the IGP in the core handles this and routes traffic out the appropriate lower-cost core connecting router. Lastly, if the core connection is severed, the router only sends the core routes it learns from the second core connecting router.

Backup Path Monitoring
In this design the secondary path is monitored to ensure that it is capable of passing traffic. This requires a second loopback interface on each device: each device has two loopback IP addresses, the first being its router ID and the second used for monitoring only. The first loopback is injected into the routing protocol as one would typically do for a network; the second loopback address is not. It is used for monitoring only and allows the organization to confirm that the path can successfully pass traffic. To do this, static routes are employed, which force the monitoring traffic down the specified path. Figure 10 below shows an example of the backup monitoring path.

[Figure 10: The Figure 8 topology with the Active Traffic Path along Lane A (cost 10 links) and the Backup Monitor Path along Lane B (cost 1000 links).]
Figure 10 Backup Monitoring Path

The testing lab also uses additional tools to pass actual data streams through the solution. This ensures that, besides ping, other traffic protocols can be passed. It is accomplished by setting up a host on each side of the solution and then statically routing access to this host through the solution.
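The OSPF weighting of the six-pack (Figures 8 and 9) and the static-routed backup monitoring path (Figure 10), as an added Python model that is not the note's configuration: SPF over constructed link costs keeps active traffic on Lane A in both directions, moves it to Lane B when a Lane A device fails, leaves no path when devices in successive layers of different lanes fail (the linear-design limitation), and follows per-hop static routes for a monitor-only loopback that OSPF never carries. The device names come from the figures; the costs, loopback address and static routes are assumptions.

```python
# Added example (constructed topology, costs and addresses; not the note's
# figures or configuration). SPF over the six-pack shows per-interface OSPF
# costs keeping active traffic on Lane A symmetrically, moving it to Lane B
# on a Lane A failure, and static routes pinning monitor traffic to Lane B.
import heapq

# Constructed costs: Lane A links 10, Lane B links 1000, cross-links 1000.
LINKS = [
    ("M7i-A", "ISG2000-A", 10), ("ISG2000-A", "M10i-A", 10), ("M10i-A", "Core", 10),
    ("M7i-B", "ISG2000-B", 1000), ("ISG2000-B", "M10i-B", 1000), ("M10i-B", "Core", 10),
    ("M7i-A", "M7i-B", 1000), ("M10i-A", "M10i-B", 1000),
]
# Constructed monitor-only loopback on M10i-A and per-hop statics toward it via Lane B.
MONITOR_LO = "10.255.0.10/32"
MONITOR_STATICS = {"M7i-A": "M7i-B", "M7i-B": "ISG2000-B",
                   "ISG2000-B": "M10i-B", "M10i-B": "M10i-A"}


def build_graph(links, failed=()):
    """Adjacency map; devices named in `failed` and their links are removed."""
    g = {}
    for a, b, cost in links:
        if a in failed or b in failed:
            continue
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    return g


def spf(graph, src, dst):
    """Dijkstra shortest path; returns (cost, [hops]) or (None, []) if cut off."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def is_symmetric(graph, a, b):
    """Forward and return SPF paths mirror each other (equal per-link costs)."""
    return spf(graph, a, b)[1] == spf(graph, b, a)[1][::-1]


def monitor_trace(src, owner="M10i-A"):
    """Hops taken by traffic for MONITOR_LO: static routes only, never OSPF."""
    hops, here = [src], src
    while here != owner:
        here = MONITOR_STATICS[here]  # a KeyError here means a missing static
        hops.append(here)
    return hops
```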




Summary
The active/active solution is designed as a highly available, secure network edge. The design is robust and provides any organization with a highly available Internet service point. While this application note has focused on Juniper Networks routers and firewalls, other network components can be used. In this specific instance, beyond the high availability design, Juniper Networks routers provide many other benefits, including the counters and rate-limiting access control lists discussed in this document. While networks are often very different from one another, many of the concepts presented here can be broken out and used individually to achieve a more robust network under differing circumstances. Each individual concept can provide additional reliability to a network, and together they create an extremely strong design that any organization would benefit from using. In the future release of this document, several points will be expanded upon. The first will be the specifics of moving this solution to a fully meshed environment, which will increase the number of failure scenarios the HA solution can recover from. Secondly, the concept of load sharing across the two firewalls will be explored; implementing load sharing will allow both paths to be used as active traffic-passing lanes.




Appendix 1: STOAN Hardware Parts List

Edge Routers
Part Number            Qty  Description
M7i-AC-2GE-ASM-US-B    2    Edge Router Chassis, Services Module, and 2 Gigabit modules
PE-1GE-SFP             2    Third Gigabit fiber module
CF-ADAP-256M-S         2    Compact Flash cards
MEM-RE-256-S           2    Memory upgrade for the routing engine

Edge Firewalls
Part Number            Qty  Description
NS-ISG2000             2    ISG 2000 Chassis
NS-ISG-SX2             4    Four Gigabit fiber ports per chassis
NS-ISG-2000-IKT        2    IDP Upgrade Kit
NS-ISG-SEC             6    Three IDP security modules per chassis

Core Connecting Routers
Part Number            Qty  Description
M10i-AC-US-B           2    Core connecting router
PE-1GE-SFP             6    Three Gigabit fiber ports per chassis
PE-AS2                 2    Adaptive Services PIC
S-ACCT                 2    Adaptive Services Licensing
MEM-RE-256-S           2    Memory upgrade for the routing engine


Appendix 2: Glossary
• Active/active: Multiple available paths are able to pass traffic at any given time.
• Active/backup: An active/active design in which one path is designed to pass traffic at a time. The second path is monitored to ensure that it is up while the primary path passes all of the traffic. In the event of a failure condition, the backup path becomes the primary path.
• Active/passive: A firewall high availability design where one firewall is in an active traffic-passing state and the second firewall is in a passive, non-passing state. The passive firewall does not take over until the primary device has failed.
• Load Balancing: Balancing traffic across two or more devices where the load is equally shared among all of the available devices.
• Load Sharing: Balancing traffic across one or more devices where the traffic is shared unequally across all of the available devices.
• VSD: Virtual Security Device. A logical firewall that exists and is shared between all of the members of an NSRP cluster. The VSD can only be active on one firewall at a time.
• VSD 0: VSD 0 is a special type of Virtual Security Device. It shares the IP address that is configured on the physical or logical interface.
• VSI: Virtual Security Interface.
• OSPF: Open Shortest Path First. An Interior Gateway Protocol designed to calculate the shortest path to a network. Based upon Dijkstra's algorithm.
• IGP: Interior Gateway Protocol. A type of routing protocol that is used inside an autonomous system.
• BGP: Border Gateway Protocol. The routing protocol that is used on the Internet to share routing information among autonomous systems.
• Autonomous System or AS: An autonomous system is a network that is under a single administrative control.
• DRP: Dynamic Routing Protocol. A protocol that shares routing information with its peers dynamically.

Copyright 2007, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
