This section describes the new features or enhancements to existing features in Contrail Service Orchestration (CSO) Release 4.0.0.
Optimized resource footprint for CSO—From Release 4.0.0 onward, CSO offers additional deployment modes (small and medium) where regional and central components are colocated, thus reducing the required server resources.
CSO installation using GUI—From CSO Release 4.0.0 onward, you can install CSO by using a new GUI installer as well as through the traditional CLI. This feature simplifies the CSO installation process and automatically provisions the VMs. It consists of two components—the downloader and the CSO installer.
Currently, upgrades are not supported through the GUI.
New nomenclature for CSO environments—From CSO Release 4.0.0 onward, the deployment types are referred to as small, medium, and large.
A small deployment is not configured for high availability and is recommended if you need to manage up to 450 sites.
A medium deployment is configured with high availability and is recommended if you need to manage up to 3500 sites.
A large deployment is configured with high availability and is recommended if you need to manage up to 5000 sites.
Support for applying security patches for microservices without needing to reboot—From CSO Release 4.0.0 onward, you can apply in-service patches to CSO microservices without needing to reboot. This feature is applicable to only microservices and is not supported for infrastructure components.
Support for NFX150 as a CPE device—From CSO Release 4.0.0 onward, you can add the following NFX150 device models as CPE devices in SD-WAN and Hybrid WAN deployments:
NFX150-C-S1
NFX150-C-S1-AE/AA
NFX150-C-S1E-AE/AA
NFX150-S1
NFX150-S1E
The following display names (device templates) are supported:
NFX150 as Managed Internet CPE
NFX150 as Hybrid WAN CPE
NFX150 as Secure Internet CPE
NFX150 as SD-WAN CPE
Software features supported on the NFX150 device—From CSO Release 4.0.0 onward, the NFX150 device supports the following features:
Hybrid WAN deployment
NFX150 device as managed Internet CPE device, secured Internet CPE device, and hybrid WAN CPE device.
Stage-2 configuration templates.
Service chaining with third-party VNFs such as Riverbed and Ubuntu.
SD-WAN deployment
NFX150 device as SD-WAN CPE.
Multihoming to MX Series and SRX Series hub devices with Application Quality of Experience (AppQoE), advanced policy-based routing (APBR), application visibility, and real-time performance monitoring (RPM).
Service chaining with third-party VNFs such as Fortinet (VNF in Layer 2 virtual-wire-pair mode) and Ubuntu (single-legged VNF).
Service chaining support without WAN optimization, AppQoE, and APBR.
NFX150 device as a CPE device in hub-and-spoke and full-mesh topologies.
LTE, ADSL, and VDSL access link types for WAN connectivity.
LTE support with RPM and AppQoE.
SD-WAN, firewall, SSL proxy, network address translation (NAT), and unified threat management (UTM) policies.
Application path selection with dynamic service-level agreement (SLA) profile, RPM, and APBR.
Secure Operation, Administration, and Maintenance (OAM) network.
Note: The NFX150 device is not supported in device redundancy mode.
Support for pushing licenses to NFX150 devices—From CSO Release 4.0.0 onward, you can push licenses to NFX150 devices.
Support for monitoring threats on NFX150 devices—From CSO Release 4.0.0 onward, on NFX150 devices, you can monitor incoming and outgoing threats between geographic regions on the threats map.
Support for enabling stage-2 configuration templates—From CSO Release 4.0.0 onward, you can enable the stage-2 configuration template for all tenants, specific tenants, an SP administrator, or an OpCo administrator.
Change in device template names—From CSO Release 4.0.0 onward, the device template names and descriptions are modified to provide information about the device family and the deployment model.
To view the changed device template names and descriptions, log in to Administration Portal and select Resources > Device Templates.
Support for bootstrap logs—From CSO Release 4.0.0 onward, bootstrap logs (stage-1 configuration and device availability) are included in Zero Touch Provisioning (ZTP) job logs. You can use the bootstrap logs to monitor the progress of device activation during stage-1 configuration.
Support for secure OAM network—From CSO Release 4.0.0 onward, you can configure a secure Operation, Administration, and Maintenance (OAM) network between SD-WAN sites and CSO. The secure OAM network is built using dedicated IPsec tunnels that are established between each CPE device associated with the SD-WAN site and a cloud hub with OAM capability.
You specify the capability of the cloud hub device as either data, OAM, or data and OAM while adding the cloud hub device.
Support for ADSL and VDSL access types on NFX Series devices—CSO Release 4.0.0 supports asymmetric digital subscriber line (ADSL) and very-high-bit-rate digital subscriber line (VDSL) access links on NFX150 and NFX250 devices. You configure ADSL or VDSL access types while creating an on-premise spoke site in an SD-WAN deployment.
Support for service chaining—CSO Release 4.0.0 supports service chaining in SD-WAN deployments for the following third-party VNFs:
Fortinet VNF in Layer 2 virtual wire-pair mode
Ubuntu single-legged VNF
Enhanced support for LTE interface—From CSO Release 4.0.0 onward, you can configure the LTE interface on NFX250 devices as a backup link, a default link, an OAM link, or exclusively for breakout traffic. In CSO Release 3.3.x, the LTE link is selected as the backup link by default.
Note: The LTE link is supported only in the hub-and-spoke topology and in the full-mesh topology with a hub.
Support for real-time-optimized SD-WAN on NFX250 dual CPE devices—From Release 4.0.0 onward, CSO supports NFX250 dual CPE devices for real-time-optimized SD-WAN deployments. You can select dual CPE connection plans for sites of tenants that have the SD-WAN mode set to real-time-optimized.
Support for dual CPE devices ensures high availability for SD-WAN in real-time-optimized mode.
Support for multihoming in real-time-optimized SD-WAN—From Release 4.0.0 onward, CSO supports multihoming in real-time-optimized SD-WAN deployments, which enhances the redundancy for AppQoE.
Enhancements to SLA profile-based link switching—From Release 4.0.0 onward, when two or more links meet the SLA profile parameters, CSO chooses the least-expensive link to route the traffic. CSO uses the cost per month (Cost/month) parameter specified for the WAN link to identify the most cost-effective link to route traffic. If a less expensive link comes online and meets the specified SLA parameters, the traffic is switched to the less expensive link.
Note: In real-time-optimized SD-WAN deployments, CSO does not consider the cost per month parameter while switching links.
Support for vSRX as SD-WAN hub gateway—From Release 4.0 onward, CSO supports the use of vSRX as an SD-WAN hub gateway in two modes. The first mode is fully orchestrated, where CSO manages the entire life cycle of the vSRX VM. The second mode is partially orchestrated, where a third-party orchestrator starts the vSRX VM, and then hands over the ZTP and service definition tasks to CSO.
Note: CSO does not start the vSRX VM in either mode.
Object-based custom roles—From Release 4.0.0 onward, CSO enables you to create object-based custom roles. When you create custom roles, you can select objects (for example, devices, device templates, and images) in the CSO application and assign access privileges (read, create, update, delete, and other actions) for those objects. You can assign one or more roles (both predefined and custom) to a user when you create or edit a user account. If you assign more than one role to a user, then the user will have combined capabilities of those roles.
Support for operating companies—CSO Release 4.0.0 supports operating companies in a service provider environment. A global service provider can create one or more operating companies and share resources (cloud hub devices, device templates, and so on) with operating companies. An operating company (OpCo) is a region-specific service provider that can manage its tenants and provide services to them. Tenants managed by one OpCo are isolated from tenants of another OpCo.
Mapping between CSO-defined and SSO-defined roles—From CSO Release 4.0.0 onward, for the SSO authentication and authorization method, a list of permitted roles (both predefined and custom) must be provided to the SSO server. Only users with permitted roles in the Security Assertion Markup Language (SAML) attribute of the SSO server are allowed to log in to CSO. Roles used in the SSO server (Identity Provider) are different from the roles used in CSO. Therefore, you must map the roles that are defined in CSO with the roles defined in the SSO server.
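The following sketch models the two authorization behaviours described above: roles asserted by the SSO server are mapped to CSO roles and checked against a permitted list, and a user holding several roles receives the combined privileges of those roles. It is an added example, not CSO code; every role name, object name and mapping in it is constructed for illustration.

```python
# Added example: role names, objects and privileges are constructed and do
# not reflect CSO's actual identifiers or data model.

# Predefined and custom roles: object -> allowed actions (hypothetical).
CSO_ROLES = {
    "device-operator": {"devices": {"read", "update"}, "images": {"read"}},
    "template-editor": {"device_templates": {"read", "create", "update"},
                        "devices": {"read"}},
    "auditor": {"audit_logs": {"read"}},
}

# Mapping from role values asserted by the identity provider to CSO roles.
IDP_TO_CSO = {
    "netops": "device-operator",
    "net-design": "template-editor",
    "compliance": "auditor",
    "contractor": "guest",  # maps to a role that is not on the permitted list
}

# CSO roles permitted to log in through SSO.
PERMITTED_ROLES = {"device-operator", "template-editor", "auditor"}


def resolve_roles(saml_roles):
    """Map IdP role values to permitted CSO roles; unmapped values are dropped."""
    mapped = {IDP_TO_CSO[r] for r in saml_roles if r in IDP_TO_CSO}
    return mapped & PERMITTED_ROLES & set(CSO_ROLES)


def effective_privileges(roles):
    """Union of object privileges across all roles assigned to the user."""
    combined = {}
    for role in roles:
        for obj, actions in CSO_ROLES[role].items():
            combined.setdefault(obj, set()).update(actions)
    return combined


def authorize(saml_roles, obj, action):
    """Fail closed: no permitted role means no login, otherwise check the union."""
    roles = resolve_roles(saml_roles)
    if not roles:
        return False
    return action in effective_privileges(roles).get(obj, set())
```

Because privileges are additive, reviewing a user's access means reviewing the union of every role the identity provider can assert for that user, not each role in isolation.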
Support for audit logs—From Release 4.0.0 onward, CSO supports audit logs that contain information about tasks initiated by using the CSO GUI or APIs. In addition to providing information about the resources that were accessed, audit log entries include details about user-initiated tasks, such as the name, role, and IP address of the user who initiated a task, the status of the task, and the date and time of execution. You can export audit logs (up to 30 days) in comma-separated values (CSV) format. Log in to Administration Portal or Customer Portal and select Administration > Audit Logs to view the logs.
Enhancements in license management—From CSO Release 4.0.0 onward, you can push licenses to multiple devices from the Devices page. You can also view the number of devices to which a license is pushed on the License Files page.
Additional options to customize the unified portal—From CSO Release 4.0.0 onward, you have more options to customize the unified Administration and Customer Portal. Customization options include background color of UI elements, change in background color of UI elements, custom color palette for login page, and so on.
Support for SD-WAN and Hybrid WAN sites for the same tenant—From CSO Release 4.0.0 onward, a single tenant can have both SD-WAN and Hybrid WAN sites. While creating a tenant, an SP administrator can specify whether a tenant can create:
Only SD-WAN sites
Only Hybrid WAN sites
Both SD-WAN and Hybrid WAN sites
Support for site upgrade—From CSO Release 4.0.0 onward, you can upgrade one or more sites from the Sites page. The Sites page provides information about sites that must be upgraded and sites for which the upgrade is optional.
Upgrading sites that are created in Release 3.3.0 and Release 3.3.1 is optional. You must upgrade sites that are created in releases earlier than Release 3.3.0.
The CSO Release 4.0.0 documentation describes some features that are present in the application but that have not yet been fully qualified by Juniper Networks. If you use any of these features before they have been fully qualified, it is your responsibility to ensure that the feature operates correctly in your targeted configuration.
The following features are present but unsupported in this release:
IPsec tunnel encryption—From CSO Release 4.0.0 onward, the following IPsec tunnel encryption types are supported for SD-WAN deployments:
3DES-CBC
AES-128-CBC
AES-128-GCM
AES-256-CBC
AES-256-GCM
The default encryption type is AES-256-GCM.
PKI certificates—From CSO Release 4.0.0 onward, CSO supports public key infrastructure (PKI) certificates for IPsec tunneling on NFX250, NFX150, and SRX Series devices for SD-WAN deployments.
OAM-only hub
Data-only hub
ZTP over ADSL or VDSL links
PPPoE over ADSL or VDSL links (because of limitations on NFX150 and NFX250 devices).
Note: You can use static IP addresses or DHCP-based IP addresses for link configuration.