Overview of the Cloud Managed Midsize Branch Office

About This Network Configuration Example

This Network Configuration Example (NCE) describes how to set up the networking and security infrastructure for a midsize branch office. Our solution combines a security gateway, switches, and access points to meet all the requirements for resilient WAN, LAN, and Wireless LAN (WLAN). The solution includes connectivity, network security, and other services in the branch office.

This NCE provides step-by-step configuration for initial onboarding and for provisioning basic services such as DHCP and traffic isolation based on virtual local area networks (VLANs).

The NCE shows you how to configure and manage an EX Series switch and a Mist AP through the Juniper Mist cloud. The NCE concludes with coverage of advanced SD-WAN features that provide advanced policy-based routing (APBR) and Application Quality of Experience (AppQoE).

Use Case Overview

The proliferation of 4G LTE cellular networks along with the decreased form factor and affordability of LTE-capable devices are contributing to the rapid deployment of new branch offices. LTE networks provide broadband access to the Internet and help you to avoid the cost of building redundant physical infrastructure at remote office sites. You can also leverage the connectivity of 4G cellular networks as a backup connection for locations that already have wired Internet connectivity.

Enterprise networks respond to IT innovations and show their business agility by quickly adopting software-defined WAN (SD-WAN) technology. The financial benefits of SD-WAN include automated provisioning to improve operational efficiency, lower WAN operational expenditures (OpEx), and lower capital expenditures (CapEx). You can use SD-WAN to optimize application experiences and network performance by prioritizing business-critical applications on the network links that guarantee quality of service (QoS).

Juniper Networks solutions satisfy the following business needs for branch site deployments:

  • A solid and cost-effective business continuity plan ensures continuous business operations even when WAN connectivity is interrupted.

  • Protection of data integrity and confidentiality.

  • Segregated networks for guest and for internal users.

  • Basic wireless: with a site survey, you can determine the quantity and placement of wireless access points throughout the office to ensure adequate wireless coverage.

  • PoE+ support for desk phones, smart cameras, and wireless access points.

  • Support for up to 50 active client devices (guests and employees) at any given time.

  • Managed connectivity for guest and for employee devices. Employees can have multiple devices, i.e., a desk phone, laptop, and smartphone.

Benefits for a Midsize Branch Office Solution

The midsize branch office solution from Juniper Networks offers a low-cost, low-maintenance, and secure solution using an SRX Series device to provide security, EX switches to provide versatility, and Mist access points to provide a stellar wireless experience.

Technical Overview

The EX family of switches offers a versatile platform that satisfies the demands of an enterprise's campus or branch locations. EX switches support IEEE 802.3af Power over Ethernet (PoE) and IEEE 802.3af PoE+ ports up to 30W. You can interconnect switches as a single logical device in a virtual chassis to add Ethernet ports as needed, while keeping the simplicity of managing a single switch. The platform delivers a cost-effective solution for 1GbE or mixed 1GbE/10GbE/40GbE environments to fit the specific demands of each location.

Mist access points provide the wireless network of tomorrow today. The built-in AI capabilities enable a self-driving wireless network, which continuously evaluates the state of the network and proactively resolves issues that might jeopardize the user experience.

The SRX Series device brings next-generation firewall capabilities, 4G LTE, and advanced SD-WAN capabilities. With Junos OS, you can manage all the wired networking equipment using one CLI. Furthermore, Junos OS supports AppQoE, the industry-leading application that monitors primary and secondary wired links on an SRX Series Services Gateway in the branch. If traffic performance for the primary link falls below the acceptable SLA levels, the traffic automatically switches to the secondary link. For added reliability, you can also configure an additional backup cellular wireless LTE connection to the Internet. The resulting on-demand connectivity ensures business continuity if both the primary and secondary links fail.

Figure 1 shows a typical branch office setup with connections to corporate headquarters starting from an SRX Series Services Gateway and going over the internet to the headquarters.

Figure 1: Branch Office with Redundant Internet Connectivity

A typical branch office has three independent connections to the Internet.

  • Wired connection to the corporate headquarters, typically with stringent QoS parameters for loss and delay. The WAN link can take many forms, such as a private line, MPLS, or a Layer 2/3 VPN service.

  • Local broadband Internet access.

  • Wireless connection with 2G, 3G, or 4G LTE.

The connections to the branch terminate on an SRX Series Services Gateway. The SRX Series Services Gateways provide next-generation firewall capability that includes:

  • SD-WAN driven access to the Internet

  • Next-generation firewall protection

  • Antivirus protection

  • Enhanced web filtering

  • Intrusion prevention

  • Advanced application visibility and control

The throughput capacity of the three Internet links is not equal. The private WAN link provides a lower throughput, but with a guaranteed quality of service (QoS) compared to the broadband Internet link. The LTE link delivers lower throughput when compared to the broadband Internet connection, and it does not have the guaranteed QoS of the private WAN link.

Business-critical applications have priority over all other traffic. These applications should use the WAN link when it's available because of its higher QoS guarantees. The noncritical applications use the secondary link when it's operational. You configure LTE as a backup link that becomes active only when both primary and secondary links are down.