Branch in a Box
About this Network Configuration Example
This Network Configuration Example (NCE) describes how to configure a primary wired connection and backup LTE connection on branch SRX Series Services Gateways using active/standby SD-WAN. You can use these connections to provide wired and Wi-Fi Internet and Intranet access to employees at the branch, as well as Wi-Fi Internet access to guests.
Customer Use Case Overview
The proliferation of 4G LTE cellular networks, together with the decreased form factor and cost of LTE-capable devices, is a springboard for rapid deployment of new branch offices. LTE networks enable broadband access to the Internet and circumvent the cost of building physical infrastructure to remote office sites. Connectivity through 4G cellular networks can be used either as the main line for Internet access in a mobile office or as a backup line for locations that are already equipped with primary wired connections.
Wi-Fi Internet and Intranet access has become a commodity. Many organizations have shifted from desktops and have provided their employees with laptops, tablets, and smartphones. Wireless connectivity is often the main, if not the only, means of connectivity for those devices.
Similarly, many organizations have made the jump to software-defined wide area networks (SD-WAN). They adopted the technology for its business agility and responsiveness to keep up with IT innovations. Other financial and operational benefits include lower WAN OpEx and CapEx and automated provisioning.
By combining the capabilities of an access point, firewall, and router with redundant access to the Internet, you can use the Juniper branch SRX Series to build cost-efficient, self-driving networking solutions for remote offices.
Figure 1 shows a typical setup.
A typical branch office has two independent connections to the Internet. One of them is often wired and the other one is wireless, using 2G, 3G, or 4G LTE. The connections terminate on a Juniper SRX Series in the role of a next-generation firewall (NGFW) security appliance, which provides a plethora of wireline or wireless services to employees on-site, including:
Access to the Internet through NAT
Intrusion detection and prevention services
Moreover, the SRX offers a wireless network that provides Internet access to employees’ personal mobile devices (smartphones and tablets), as well as to visitors’ smartphones and tablets. Additionally, some organizations impose a restriction on the maximum bandwidth allocated to non-critical services, such as Internet access for both corporate and guest users. This restriction enables planning and provisioning of cost-effective backup connectivity.
SD-WAN is an automated, programmatic approach to managing enterprise network connectivity and circuit costs. It extends software-defined networking (SDN) into an application that businesses can use to quickly create a smart hybrid WAN—a WAN that comprises business-grade IP VPN, broadband Internet, and wireless services. Hybrid WAN architectures enable companies to manage their growing number of applications, particularly when using the cloud. Traffic is dynamically forwarded across the most appropriate and efficient WAN path based on network conditions, the security and QoS requirements of the application traffic, and cost of the circuit. The enterprise customer sets the routing policies that determine how traffic is forwarded.
SRX300 Services Gateways Overview
The SRX300 line of services gateways delivers a next-generation security, networking, and SD-WAN solution that helps you support the changing needs of your cloud-enabled enterprise network. Whether you’re rolling out new services and applications across multiple locations, connecting to the cloud, or improving operational efficiency, SRX300 Services Gateways provide scalable, secure, and easy-to-manage connectivity. As your network traffic grows, high-density native Gigabit Ethernet ports available on the SRX300 line provide secure connectivity to help you keep pace. Next-generation firewall and unified threat management (UTM) capabilities also make it easier to detect and proactively mitigate threats to improve the user and application experience.
Wi-Fi Mini Physical Interface Module (PIM) Overview
The Wi-Fi Mini-PIM for SRX320, SRX340, SRX345, and SRX550M provides an integrated wireless access point (or wireless LAN) along with routing, switching, and security in a single device. The Mini-PIM supports the 802.11ac Wave 2 wireless standards and is backward compatible with 802.11a/b/g/n. The Wi-Fi Mini-PIM is available in three new models; choose one based on the regional wireless standard requirements:
SRX-MP-WAP-US—Based on USA’s wireless standard.
SRX-MP-WAP-IL—Based on Israel’s wireless standard.
SRX-MP-WAP-WW—Model for other countries.
You cannot change the country code for the SRX-MP-WLAN-US and SRX-MP-WLAN-IL models because it is fixed. The Wi-Fi Mini-PIM can coexist with other Mini-PIMs supported on the SRX Series device.
LTE Mini Physical Interface Module (MPIM) Overview
The LTE Mini-Physical Interface Module (Mini-PIM) provides wireless WAN support on the SRX320, SRX340, SRX345, and SRX550M (High Memory) Services Gateways. The LTE Mini-PIM operates on both 3G and 4G networks.