
Contrail Service Orchestration Solutions Overview

 

The Juniper Networks Contrail Service Orchestration (CSO) provides a flexible and scalable micro-service architecture platform for deploying new service offerings. CSO is a multi-tenant platform that manages physical and virtual network devices, creates and manages Juniper Networks and third-party virtualized network functions (VNFs), and uses those elements to deploy network solutions for both enterprises and service providers and their customers.

CSO offers multiple deployment solutions that benefit both the service providers and their customers. The solutions are split into two overall groups: Cloud CPE solutions and SD-WAN solutions. The Juniper Networks Cloud Customer Premises Equipment (CPE) and the SD-WAN solutions both address the difficulties in traditional CPE deployments, such as the need for multiple hardware and software platforms to deploy multiple network services, long wait times for service instantiation, network disruption for service instantiation, and fixed service offerings.

CSO uses these deployment solutions to transform traditional branch networks, offering opportunities for highly flexible networks, rapid introduction of new services, automation of network administration, and cost savings. The solutions can be implemented by service providers for their customers or by Enterprise IT departments in a campus and branch environment. In this documentation, service providers and Enterprise IT departments are called service providers, the users of their network services are called customers, and solution and deployment are used interchangeably.

The intent of this deployment guide is to provide a comprehensive understanding of the available solutions. In order to do that, we will:

  • Briefly discuss each of the available solutions

  • Give an overview of the architectures involved in the solutions

  • Give an overview of the topologies involved in the solutions

  • List and discuss the tasks involved in all of the solutions

Finally, there will be an end-to-end walkthrough of each of the solutions that covers the specifics involved in deploying them.

Juniper Networks Cloud Customer Premises Equipment (CPE) and SD-WAN solutions offer automated service delivery to branch network environments, leading to cost savings over traditional branch networks, while improving network agility and reducing configuration errors.

Traditional branch networks use many dedicated network devices with proprietary software to provide services and require extensive equipment refreshes every 3-5 years to accommodate advances in technology. Both configuration of standard services for multiple sites and customization of services for specific sites are labor-intensive activities. As branch offices rarely employ experienced IT staff on site, companies must carefully plan network modifications and analyze the return on investment of changes to network services.

In contrast, the Cloud CPE solutions enable a branch site to access network services based on Juniper Networks and third-party virtualized network functions (VNFs) that run on commercial off-the-shelf (COTS) servers located in a central office (CO) or on a CPE device located at the site. This approach maximizes the flexibility of the network, enabling use of standard services and policies across sites and enabling dynamic updates to existing services. Customization of network services is fast and easy, offering opportunities for new revenue and quick time to market.

The following list briefly describes each of the available Cloud CPE deployments.

  • Cloud CPE Centralized Deployment Model (centralized deployment or vCPE)

    In the centralized deployment, customers access network services remotely from a service provider’s cloud. Sites that access network services in this way are called service edge sites in this documentation. Figure 1 illustrates a simplified centralized deployment.

    Figure 1: Centralized Deployment

    The only equipment that needs to be configured in this deployment resides at the service provider’s cloud. This deployment model is useful when few remote sites are accessing services and the cost of traffic back to the CO for service delivery is not an issue. The centralized deployment offers a fast migration route, and it is the recommended model for sites that can accommodate network services, particularly security services, in the cloud. There are no CPE devices deployed at customer sites in a centralized deployment. All network services are deployed in the service provider’s cloud.

  • Cloud CPE Distributed Deployment Model (distributed deployment, Hybrid WAN or uCPE)

    In the distributed deployment, customers access network services from a CPE device, located at the customer’s site. These sites are called on-premises sites in this documentation. In the deployment workflows used in the CSO GUI, this deployment is known as Hybrid WAN. Figure 2 illustrates a simplified distributed deployment.

    Figure 2: Distributed or Hybrid WAN Deployment

    Initial configuration of the CPE device at the site is automated through the use of zero touch provisioning (ZTP) that is orchestrated through CSO. CSO also monitors the CPE device and its services, and can push software and configuration updates to the devices remotely, reducing operating expenses. This deployment model is useful in environments where service delivery from the service provider’s cloud is costly.

    CSO has been designed to require only modest bandwidth, needing as little as 30 kbps for probe and OAM traffic over Hybrid WAN connections where there are only a few sessions active. When AppQoE is involved, the bandwidth requirement increases to somewhere between 105 kbps and 2 Mbps, depending on the number of sessions. During ZTP operations, if new device images are needed, they can be downloaded as part of the ZTP process or pre-staged on the device. The bandwidth requirement increases to a maximum of 5 Mbps only when a device image download is needed. This makes these solutions applicable even in cases where connection bandwidth is limited or noisy.

    The distributed CPE deployment uses a CPE device such as an NFX Series Network Services platform or SRX Series Services Gateway at the customer site and thus supports private hosting of network services at a site. The distributed deployment can be extended to offer software defined wide area networking (SD-WAN) capabilities.

    Note

    If an SRX Series device is used as the CPE device at the customer site, it cannot host VNFs.

  • A Combined Centralized and Distributed Deployment

    In this deployment, the network contains both service edge sites and on-premises sites. A customer can access network services from both service edge sites and on-premises sites. However, you cannot use the same network service at both locations. If you require the same network service at both the service edge and on-premises, you must create two identical network services with different names and deploy one at the service edge site and the other at the on-premises site. Figure 3 illustrates a simplified combined deployment.

    Figure 3: Combined Deployment

    Implementing a combination deployment in which some sites use the centralized deployment and some sites use the distributed deployment provides flexible access based on customer site capabilities and cost factors.

    Since the combined deployment is simply a combination of the centralized and distributed deployments, this guide does not provide an end-to-end walkthrough of this deployment option.

The SD-WAN solution offers a flexible and automated way to route traffic through the cloud using overlay networks. Similar to a distributed deployment, this solution uses CPE devices located at on-premises sites. At its most basic, an SD-WAN solution needs multiple sites, multiple connections between sites, and a controller as shown in Figure 4.

Figure 4: Basic SD-WAN Concept

The CPE devices, or spokes, have a WAN side and a LAN side. On the WAN side, hub-and-spoke and full mesh topologies are supported. The CPE devices use at least two and up to four interfaces as connection paths to cloud-based hubs, cloud-based spokes, other on-premises sites, or to the Internet. CSO allows you to give preference to one path over another for any given traffic. Thus, business-critical traffic could be routed through the service provider’s cloud-based hub using MPLS/GRE while non-critical traffic could be routed over the Internet connection through an IPsec tunnel. Each path can have a service level agreement (SLA) profile applied, which monitors the path for latency, congestion, and jitter and accounts for path preference. Should the path fail to meet one or more of the required parameters, traffic is re-routed to another path automatically.

The LAN side of the CPE devices connects to the customer’s LAN segments. Multiple departments at the customer site that occupy different LAN segments can have their traffic securely segregated with the use of dedicated IPsec tunnels. Starting with CSO Release 4.0.0, spoke devices can also provide service chains of network services in addition to the routing flexibility already available.

One CSO installation can support a combined centralized and distributed deployment and an SD-WAN solution simultaneously.

You can use the solutions as turnkey implementations or connect to other operational support and business support systems (OSS/BSS) through northbound Representational State Transfer (REST) APIs.