High-Availability Designs for Juniper NetScreen Firewalls

    High-Availability Designs for Juniper NetScreen Firewalls: Presentation Transcript

    • High-Availability Designs for Juniper NetScreen Firewalls
      Dan Backman, Senior Systems Engineer, dbackman@juniper.net
      Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
    • Routing and Firewall Functions Merging
      New JUNOS Routing platforms (J / M) and AS PIC
        • Stateful firewall, IPsec and NAT services in JUNOS
      Expanded Routing functionality in NetScreen platforms
      New solutions possible:
        • Stateful Firewall, NAT, IPsec VPN termination and Dynamic Routing
    • Routing and Firewall Functions Merging
      Traditional uses of dynamic routing in firewalls:
        • Dynamically advertise reachability of connected services
        • Statically routed VPNs advertised into IGP/iBGP
        • Dynamic path calculation
        • Firewalls participate in routing (usually RIP)
        • Limited control plane impacts
        • Relatively few prefixes
        • Limited policy/redistribution
      Today:
        • Deployments require:
            • Interchangeable routing / firewall features
        • Juniper delivering integrated feature sets
        • AS PIC / J Series SFW/IPsec
        • Increasing routing functionality in ScreenOS
    • JUNOS / ScreenOS Routing Strengths
      Virtualization
        • Native support for multiple routing tables
        • Multiple VRF and Logical routers in JUNOS
        • At least two Virtual Routers in all ScreenOS platforms
            – Allows simple split tunneling at edge
        • Hundreds of VRs in NetScreen Systems
        • Multiple instances of routing protocols in JUNOS and ScreenOS
      Scalable, standards-based routing protocols (OSPF/BGP/RIPv2)
      PIM-SM and IGMP Proxy for dynamic multicast forwarding
      Dynamic route-based VPNs
        • Support for policy and route-based VPNs in ScreenOS and JUNOS
    • ScreenOS Dynamic Routing
      ScreenOS is designed for integrated Firewall / Routing
        • Security platform from the ground-up
        • Integrated static and dynamic routing support
        • Multiple virtual IPv4 routing tables / Multiple routing instances
      Security Features
        • Screen function
        • DoS, IP spoofing, L3/L4 protocol anomaly detection
        • Flexible security zone model for all policy
        • Network interfaces bound to security zones
        • Sessions / flows bound to zones, not interfaces
        • Allows real-time next-hop changes to existing flows
        • Critical to support dynamic routing in a firewall
    • High Availability Scenarios
      Firewalls integral part of routing topology – need redundancy solutions
        • Border protection (Screen/Policy)
        • Inline to forwarding path at network border
        • Logical progression for integrated IDP
            – Add IDP into forwarding path with fewer headaches
      VPN Routing Edge
        • Redundant VPN termination at site
        • Stateful failover without dynamic routing impact
    • Stateful Failover
      True security boundaries require stateful inspection
        • Firewalls track individual network flows
        • Provide stateful enforcement of policies and DoS protection
      Redundancy requires stateful awareness
        • Firewall Cluster must support state synchronization
      Failover without state sync:
        • Results in loss of existing TCP/UDP sessions
        • Users must restart existing protocol connections
      Traditional firewall state sync does not account for dynamic routing
    • Classic Firewall HA Scenario
      “Ten-Pack” of routers, switches, firewalls, switches and routers
        • HSRP/VRRP/NSRP virtual addresses for next-hop
        • Static routing
      Pros:
        • Simple. No dynamic routing
        • No asymmetric state
        • Supports all firewall features/functions
      Cons:
        • May require redundant interfaces
        • No dynamic routing through firewalls
        • Requires additional devices (L2 switches)
      [Diagram labels: UNTRUST, Master, HA Link, Backup, TRUST]
    • Dynamic Routing / Firewall HA Scenario
    • Firewalls in a Dynamic Routing Topology: Why?
      Customer desire to integrate firewalls into existing network topology
        • Must support dynamic failover based on OSPF
        • Contiguous OSPF area
        • Full Link State in network edge
        • Advertise prefixes between internal network and external routers
        • Must support PIM-SM for multicast routing (ScreenOS 5.1)
      Interop eNet Design
        • NSRP VSD-less clusters originally designed for this topology 2 years ago
    • NetScreen Redundancy Protocol
      Originally designed to support stateful failover
        • Never intended to support asymmetric state
      VSD – Virtual Security Device
        • Logical failover domain within firewall
        • Master / Backup state machine per VSD
      VSI – Virtual Security Interface
        • Shared interface (Virtual IP/MAC pair)
        • Maps traffic into VSD
      RTO Mirror – Real Time Object Mirroring
        • State sync in NSRP cluster
    • NSRP: Traditional (L3) Design
      Virtual addressing
        • NSRP VSI and VRRP or HSRP on UNTRUST routers
        • All virtual MAC addresses as next-hop between routers and firewall cluster
      Static Routes
        • Static routes throughout topology
      Single VSD for all traffic
      All firewall interfaces are virtual interfaces (VIP/MAC)
        • Easy to add additional zones/interfaces (DMZ)
        • No asymmetric state
      [Diagram labels: Virtual Address, VRRP Master, VRRP Backup, Default Route, Static Routes, NSRP Master, NSRP Backup, HA Link, TRUST]
    • NSRP: Traditional (L2) Design
      Firewall operates as logical L2 learning bridge
        • Backup is in L2 blocking state
        • Must permit IGP adjacencies through firewall
        • No asymmetric state
      Topologies
        • Support for proprietary IGPs
        • “drop-in” / transparent firewalls
    • Transparent Mode NSRP (L2) Operation
      Operate as logical L2 bridge
        • MAC learning and forwarding
        • Policy engine and forwarding still based on 5-tuple
      Must carefully engineer DMZ topology
        • ICMP redirect cannot force traffic across zone boundary
      Limited support for VLANs
        • VLAN tags preserved, but single inspection domain
        • No current support for VLAN tag rewrite
        • Enhancement coming in next major ScreenOS release
    • NSRP Real-Time Object Sync
      What is synchronized?
        • Sessions / IPsec SA / Crypto and VSD Configs
        • Master → Backup replication in VSD
        • Bi-Directional replication in VSD-less cluster
      What is not synchronized?
        • Screens (pre-flow processing counters)
        • Application Level Gateways
        • TCP Setup / Inspection
      [Diagram labels: UNTRUST, NSRP Master, NSRP Backup, HA Link(s), RTO Mirror, TRUST, Normal Traffic, Traffic on Failover]
    • NSRP Operation
      Master/Backup state machine run per VSD
        • Priority and tracking (weight-based) determines master eligibility
        • Tracking: interface / IP reachability (ping) / Zone
      Master assumes virtual IP/MAC addresses for VSI
        • Physical interfaces in VSD 0
        • Additional VSI (eg: eth2/1:1)
      Master synchronizes state to Backup device
      Backup blocks ports in L2/Transparent mode
    • NSRP State Control: Tracking
      NSRP can track various factors to determine master eligibility
        • Applies per VSD
        • Administrative weight per tracked object
        • Failover threshold per VSD
      Track:
        • Multiple IP addresses
            • Weight per address
        • Interfaces
        • Zones
            • Behaves like VLAN on L3 switch
            • any one interface with link == zone up
    • OSPF and NSRP (The Wrong Way)
      VERY slow failover (40-60 sec) when using OSPF and NSRP
      Does support NSRP RTO mirror for session sync
        • NSRP backup has “down” interfaces in VSD id 0
        • OSPF adjacency is “down” when in backup state
        • On failover:
            1. Interface up
            2. Reestablish OSPF adj. (must wait OSPF Dead Interval)
            3. Database exchange
            4. SPF calc
            5. Populate routes
        • THEN, can begin forwarding traffic
    • Dynamic Routing Clusters (1): Justification
      Desire to integrate firewall into IGP
        • Multiple egress paths, integrate into IGP routing
        • Control advertisement of default or external routes into IGP based on exterior connectivity
        • Continuity of IGP routing across firewalls
        • OSPF-based dynamic route selection
        • Simplified topology (no L2 switching required)
      ScreenOS modified (early 5.0x) to abstract sessions from interface to zone.
        • Allows route update to new next-hop without invalidating existing sessions
      New NSRP mode needed to keep routing adjacencies up
    • Dynamic Routing Clusters (2): Operation
      Dual Masters in VSD id 0
      Bi-directional RTO mirroring between cluster members
        • All physical interfaces remain active and can support active routing protocol adjacencies
        • All devices in cluster can actively forward traffic
      Same as running OSPF on non-clustered devices, but adds session sync
      Config:
        • Must manually “unset vsd id 0”
        • “set nsrp rto-mirror session non-vsi”
    • Dynamic Routing Clusters (3): Caveats
      Primary limitations:
        • VERY susceptible to asymmetric state issues
        • Require more complex config (mixed mode) for NAT support
        • Policy-based VPNs also require
        • In both cases, traffic must return to a single address which may be resident on both devices
      Cannot use Data-Path Forwarding as a band-aid
        • Both nodes are Master: only backup node can perform data-path forwarding
      Must use “Mixed-mode” NSRP to address these issues
        • Unset VSD id 0
        • Virtual interfaces in VSD id 1 (loopback for VPN, NAT Pool)
    • HA Considerations: Stateful forwarding
      Real Stateful Inspection requires bidirectional forwarding
        • Traditional routing protocols do not guarantee symmetric bidirectional traffic flows
        • ECMP nearly guarantees asymmetric state
        • True stateful load balancing requires reverse hash for returning microflows
        • NetScreen firewalls use session/flow state for all forwarding paths
        • Required for stateful policy inspection
        • J/M/T/E series use stateless forwarding
        • LPM / J-Tree lookup per-packet on forwarding and firewall filters
    • ScreenOS – Session State
      All forwarded traffic must have a session
        • Contains bidirectional flow information
        • Route lookup determines egress zone
        • Policy lookup from ingress to egress zone
        • NetScreen Systems forward traffic like L3/L4 switches

      5200-17(M)-> get session
      slot 1: sw alloc 3/max 1000064, alloc failed 0, mcast alloc 0, di alloc failed 0
      slot 2: hw0 alloc 1/max 1048576
      slot 2: hw1 alloc 1/max 1048576
      id 7267/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
       11(0601):10.2.4.2/1->224.0.0.5/1,89,000000000000,15,vlan 0,tun 0,vsd 0,route 0
       3(0010):10.2.4.2/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
      id 7268/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
       7(0601):10.1.4.1/1->224.0.0.5/1,89,000000000000,14,vlan 0,tun 0,vsd 0,route 0
       3(0010):10.1.4.1/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
      id 7269/s01,vsys 0,flag 10200440/0000/03,policy 1,time 1440, dip 0
       11(0801):10.2.2.2/11033->10.1.255.1/23,6,00a0c96cce14,15,vlan 0,tun 0,vsd 0,route 74
       7(4800):10.2.2.2/11033<-10.1.255.1/23,6,00a0c92490e4,14,vlan 0,tun 0,vsd 0,route 44
      Total 3 sessions shown
    • Asymmetric State: Symptoms
      “Split-state” environment may appear to work in the lab
        • BUT: TCP handshake never completed through same device
        • Half-open sessions: User sees TCP sessions establish but freeze (short-lived TCP sessions)
        • Can “disable syn checking” but lose effective TCP inspection and protection
        • ALG cannot fully inspect control channels
        • Deep Inspection will fail
        • Integrated IDP will fail
        • “pinholes” may not open correctly
        • Some screening functions may depend on bidirectional traffic
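Added example, not part of the original presentation, covering the "reverse hash" point on the Stateful forwarding slide and the handshake symptom on the Asymmetric State slide: a per-direction ECMP hash sends the SYN and the SYN-ACK to different firewalls, while a direction-independent hash keeps both on one device. The hash functions, the `Firewall` class and the flows are constructed for illustration; the model assumes SYN checking is on and no session sync between the two devices.

```python
import hashlib
from ipaddress import ip_address


def _bucket(key: str, n: int) -> int:
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n


def ecmp_hash(src, sport, dst, dport, proto, n=2):
    # Per-direction 5-tuple hash: the key changes when src and dst swap.
    return _bucket(f"{src}:{sport}>{dst}:{dport}/{proto}", n)


def symmetric_hash(src, sport, dst, dport, proto, n=2):
    # Sort the two endpoints first, so A->B and B->A build the same key.
    lo, hi = sorted([(int(ip_address(src)), sport),
                     (int(ip_address(dst)), dport)])
    return _bucket(f"{lo}|{hi}|{proto}", n)


class Firewall:
    """Minimal stateful device: SYN checking on, no state sync (assumption)."""

    def __init__(self):
        self.sessions = set()

    def accept(self, src, sport, dst, dport, proto, is_syn):
        fwd = (src, sport, dst, dport, proto)
        rev = (dst, dport, src, sport, proto)
        if fwd in self.sessions or rev in self.sessions:
            return True           # packet matches an existing session
        if is_syn:
            self.sessions.add(fwd)
            return True           # initial SYN creates the session
        return False              # no session and not a SYN: dropped


def handshakes_completed(flows, hash_fn, n=2):
    """Count flows whose SYN and SYN-ACK are both accepted."""
    nodes = [Firewall() for _ in range(n)]
    done = 0
    for src, sport, dst, dport, proto in flows:
        syn_node = nodes[hash_fn(src, sport, dst, dport, proto, n)]
        ack_node = nodes[hash_fn(dst, dport, src, sport, proto, n)]
        syn_ok = syn_node.accept(src, sport, dst, dport, proto, True)
        synack_ok = ack_node.accept(dst, dport, src, sport, proto, False)
        done += syn_ok and synack_ok
    return done


# Constructed flows: 200 clients opening TCP (protocol 6) sessions to port 23.
FLOWS = [(f"10.2.2.{h}", 11000 + h, "10.1.255.1", 23, 6) for h in range(1, 201)]

if __name__ == "__main__":
    print("per-direction hash:", handshakes_completed(FLOWS, ecmp_hash))
    print("symmetric hash:    ", handshakes_completed(FLOWS, symmetric_hash))
```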
    • IGP Costing Exercise (1)
      Predictable forwarding path
        • Ensure bidirectional path through firewalls
        • Must not allow transit through multiple firewalls
        • If ABRs directly connected to firewalls, make sure there is a valid Intra-Area route between ABRs in firewall area
      IGP costing is unidirectional
        • Must be careful to set IGP costing bidirectionally (must configure both sides of a link to the same cost)
        • Do NOT rely on automatic costing (varies between vendors and equipment types)
    • IGP Costing Exercise (2)
      Predictable failover
        • Control traffic paths in the event of a link-down event
        • This design preserves state through a firewall in a single link-break
      Fast IGP failover:
        • No split link
        • Can use aggregated interfaces between devices
        • Use /30 p2p links to skip dead timer / DR election on link-up
    • IGP Costing Exercise (3)
      IGP Costing Dangers:
        • Routed DMZ Network
        • Do not allow transit between firewalls
        • Carefully control costs within the OSPF area
        • Watch out for asymmetric costs
        • Use separate VR for DMZ network if necessary
        • Carefully test all iterations in a failover topology
      [Diagram labels: External Router-A, External Router-B, DMZ Router, Internal Router-A, Internal Router-B]
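The costing rules from the three IGP Costing Exercise slides, as an added example that is not part of the original presentation: it runs Dijkstra over per-direction OSPF costs and reports links costed differently on each side, forward and return paths that cross different firewalls, and paths that transit both firewalls. The node names, costs and topology are constructed for illustration, and equal-cost (ECMP) ties are not modelled.

```python
import heapq


def bidir(links):
    """Expand {(a, b): cost} so both interfaces of a link carry the same cost."""
    costs = {}
    for (a, b), c in links.items():
        costs[(a, b)] = costs[(b, a)] = c
    return costs


def shortest_path(costs, src, dst):
    """Dijkstra over directed costs {(from, to): cost}; returns the node list."""
    adj = {}
    for (a, b), c in costs.items():
        adj.setdefault(a, []).append((b, c))
    best, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > best[u]:
            continue  # stale heap entry
        for v, c in adj.get(u, []):
            if d + c < best.get(v, float("inf")):
                best[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    if dst not in best:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def asymmetric_links(costs):
    """Links whose two directions are configured with different costs."""
    return sorted({tuple(sorted(k)) for k, c in costs.items()
                   if costs.get(k[::-1]) != c})


def audit_pair(costs, a, b, firewalls):
    """Compare firewalls crossed from a to b with those crossed from b to a."""
    fwd = [n for n in (shortest_path(costs, a, b) or []) if n in firewalls]
    rev = [n for n in (shortest_path(costs, b, a) or []) if n in firewalls]
    return {"forward": fwd, "return": rev,
            "symmetric": fwd == rev[::-1],
            "multi_firewall_transit": len(fwd) > 1 or len(rev) > 1}


# Constructed topology: two external routers, two firewalls, two internal routers.
FIREWALLS = {"fw-a", "fw-b"}
LINKS = {("ext-a", "fw-a"): 10, ("ext-b", "fw-b"): 10,
         ("fw-a", "int-a"): 10, ("fw-b", "int-b"): 10,
         ("ext-a", "ext-b"): 5, ("int-a", "int-b"): 5}
GOOD = bidir(LINKS)
# One side of a link left at a different cost: only ext-a -> fw-a is changed.
ONE_SIDED = dict(GOOD)
ONE_SIDED[("ext-a", "fw-a")] = 100
# Routed DMZ with cheap links to both firewalls, plus a raised ext-a/fw-a cost.
DMZ_TRANSIT = bidir({**LINKS, ("ext-a", "fw-a"): 50,
                     ("fw-a", "dmz"): 1, ("fw-b", "dmz"): 1})

if __name__ == "__main__":
    for name, costs in [("good", GOOD), ("one-sided", ONE_SIDED),
                        ("dmz-transit", DMZ_TRANSIT)]:
        print(name, asymmetric_links(costs),
              audit_pair(costs, "int-a", "ext-a", FIREWALLS))
```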
    • NSRP: Data-Path Forwarding
      NSRP can correct asymmetric state in some situations
        • 2) BACKUP device receives packet that matches session from master
        • 3) packet is exception-forwarded (CPU forwarded) to master over HA link
        • 4) MASTER forwards packet to end node
      Do not rely on this behavior
        • Serious performance impact for large amounts of forwarded traffic
    • Mixed-Mode NSRP (Simple)
      Medium-sized enterprise
        • Upstream OSPF to routers
        • Downstream (Trust)
        • Firewall cluster is first-hop router for internal network
        • Virtual IP/MAC in Trust VSI
        • VSI exported to OSPF
      Pro:
        • Simple integration of OSPF and Firewalls
        • No Asymmetric State
      Cons:
        • Requires both VSD-less (untrust) and VSD/VSI (trust)
      [Diagram labels: UNTRUST, OSPF Area X, OSPF (VSD-less), HA Link, VSI: Shared Address, TRUST (L2)]
    • Mixed-Mode NSRP (VSD-less + DMZ)
      Add DMZ network to existing VSD-less NSRP cluster
      Pros:
        • Allows for DMZ network connected to OSPF meshed network
      Cons:
        • Must control asymmetric state with OSPF costing
        • Requires both VSD-less and VSD/VSI support
      [Diagram labels: UNTRUST, OSPF Area X, HA Link, DMZ, VSI, OSPF Passive, TRUST, OSPF Area X]
    • Mixed-mode NSRP Complications
      Must link NSRP and OSPF failover in mixed mode
        • OSPF makes path calculations based on link state information from routers
        • NSRP elects master based on tracking information and priority
        • Unidirectional feedback
        • Add VSI as OSPF passive interface
        • Recommend adding NSRP zone tracking or IP ping tracking to control NSRP failover
      [Diagram labels: OSPF Untrust-DMZ Transit Path, UNTRUST, OSPF Area X, NAT from loopback1:1, VSD 1 Master, VSD 1 Backup, lo0, HA Link, DMZ, VSI, OSPF Passive, TRUST, OSPF Trust-Untrust Transit Path]
    • Questions?
    • Thank You