{"id":236,"date":"2017-08-13T16:47:01","date_gmt":"2017-08-13T20:47:01","guid":{"rendered":"http:\/\/puluka.com\/home\/?p=236"},"modified":"2017-08-13T16:47:01","modified_gmt":"2017-08-13T20:47:01","slug":"branch-office-vpn-with-wan-accelerator","status":"publish","type":"post","link":"http:\/\/puluka.com\/home\/networking\/screenos\/branch-office-vpn-with-wan-accelerator\/","title":{"rendered":"Branch Office VPN with WAN Accelerator"},"content":{"rendered":"

Products<\/strong>: WXC WAN Accelerator any model & SSG Firewall any Model
\nVersion<\/strong>:\u00a0 Tested with ScreenOS 6.1 & 6.2 & WXC 5.7<\/p>\n

Network Topology:<\/h2>\n

Network diagram:<\/strong>
\n\"\"<\/a>
\nSSG5 is the sample design<\/p>\n

eth0\/0 – WAN
\neth0\/1 – WXC Remote
\neth0\/2 – WXC Local
\nbgroup0 – layer 2 local LAN ports eth0\/2-0\/6<\/p><\/blockquote>\n

Description:<\/h2>\n

The WXC WAN Accelerator product can operate in-line or off-path mode.\u00a0 The in-line mode is simplest to setup where all traffic from the site passes through the device.\u00a0 Acceleration tunnels are created between the branch office device and the data center device.<\/p>\n

This in-line deploy on a branch firewall requires that all ports for the branch LAN be on the local port side of the WXC device.\u00a0 Generally this means only one port on the firewall will be used for the remote connection of the WXC and all local devices are then connected to switch(es) on the local interface side of the WXC.<\/p>\n

This design uses the ScreenOS ability to create layer2 groups of interfaces in order to isolate all available ports on the firewall and keep them on the local connection of the WXC.\u00a0 Thus all firewall ports are usable again.\u00a0 This also prevents the accidental connection of local computers or network devices on the incorrect side of the WXC and excluding them from the WXC acceleration tunnel.<\/p>\n

This configuration allows an IPSEC VPN site then to participate in the WXC mesh while preserving the use of all available ethernet ports on the firewall.<\/p>\n

When configuring interfaces on a WXC mesh be sure to select fixed speed and duplex whenever possible.\u00a0 For the SSG series this will be 100 full on the interfaces connected.\u00a0 This will avoid potential throughput problems that can occur when auto-negociation falls back to half-duplex.<\/p>\n

SSG configuration steps<\/strong>
\n\u2022 \u00a0\u00a0\u00a0 Remove ip address and convert bgroup0 to layer 2 mode
\nunset interface bgroup0 ip
\n\u2022 \u00a0\u00a0\u00a0 Set fixed link speed and duplex to 100 full on local port eth0\/2
\nset interface eth0\/2 phy full 100mb
\n\u2022 \u00a0\u00a0\u00a0 Configure eth0\/1 with LAN ip address
\nset interface eth0\/1 ip 192.168.1.1\/24
\n\u2022 \u00a0\u00a0\u00a0 Configure trust zone on eth0\/1
\nset interface eth0\/1 zone trust
\n\u2022 \u00a0\u00a0 Configure management options for eth0\/1
\nset interface eth0\/1 manage ssl
\nset interface eth0\/1 manage ssh
\nset interface eth0\/1 manage telnet
\nset interface eth0\/1 manage web
\n\u2022 \u00a0\u00a0 Set fixed link speed and duplex to 100 full on remote port eth0\/2
\nset interface eth0\/1 phy full 100mb
\n\u2022 \u00a0\u00a0\u00a0 Configure normal WAN & VPN settings on firewall for the site<\/p>\n

WXC Configuration steps<\/strong>
\n\u2022 \u00a0\u00a0\u00a0 Configure link speed and duplex to 100 full on remote & local ports
\nconfig interface set speed-duplex local 100-full
\nconfig interface set speed-duplex remote 100-full
\n\u2022 \u00a0\u00a0 Configure ip information for local LAN
\nconfig ip set ip-address 192.168.1.254
\nconfig ip set default-gateway 192.168.1.1
\nconfig ip set subnet-mask 255.255.255.0
\n\u2022 \u00a0\u00a0 Configure matching policy load for the WXC mesh for your network<\/p>\n

Verification:<\/h2>\n

SSG Interface checks<\/strong>
\nVerify the speed\/duplex, ip address and zone assignment of the interface.<\/p>\n

get interface eth0\/1
\nInterface ethernet0\/1:
\ndescription ethernet0\/1
\nnumber 5, if_info 440, if_index 0, mode nat
\nlink up, phy-link up\/full-duplex
\nstatus change:3, last change:10\/24\/2001 21:00:20
\nvsys Root, zone Trust, vr trust-vr <\/p><\/blockquote>\n

WXC Interface checks<\/strong>
\nOn the CLI:<\/p>\n

show interface
\nSettings for local interface
\nLink state: up
\nSpeed\/duplex: 100-full
\nHardware address: 00:30:48:9c:56:28
\nMedia type: copper
\nSettings for remote interface
\nLink state: up
\nSpeed\/duplex: 100-full
\nHardware address: 00:30:48:9c:56:29
\nMedia type: copper<\/p><\/blockquote>\n

Log into the web interface on the WXC<\/p>\n

Menu: Device Setup – Interfaces
\n“Test Settings” button
\nSelect “remote” and the ip address of SSG eth0\/1 (192.168.1.1)
\nsubmit
\nThe interface test will confirm the remote port is correctly connected to eth0\/1 on the firewall
\nRepeat with an ip address active on the LAN for the “local” port.<\/p><\/blockquote>\n

References:<\/h2>\n

ScreenOS Concepts & Examples Guides<\/strong>
\nhttp:\/\/www.juniper.net\/techpubs\/software\/screenos\/screenos6.2.0\/index.html<\/a>
\nVolume 2: Fundamentals – Chapter 3 Interfaces<\/p>\n

WXOS 5.7 Operator’s Guide<\/strong>
\nhttp:\/\/www.juniper.net\/techpubs\/hardware\/wx\/<\/a>
\nChapter 3 – Configuring Interface Settings<\/p>\n

Originally Posted October 16, 2010
\nLast Revised on November 27, 2010<\/p>\n","protected":false},"excerpt":{"rendered":"

Products: WXC WAN Accelerator any model & SSG Firewall any Model Version:\u00a0 Tested with ScreenOS 6.1 & 6.2 & WXC 5.7 Network Topology: Network diagram: SSG5 is the sample design eth0\/0 – WAN eth0\/1 – […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-236","post","type-post","status-publish","format-standard","hentry","category-screenos"],"_links":{"self":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/236","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/comments?post=236"}],"version-history":[{"count":1,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/236\/revisions"}],"predecessor-version":[{"id":238,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/236\/revisions\/238"}],"wp:attachment":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/media?parent=236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/categories?post=236"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/tags?post=236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}