Setting Up an SD-WAN Deployment
About This SD-WAN Deployment
This walkthrough highlights the steps, or workflows, that you need to complete in order to deploy an SD-WAN solution using the hub-and-spoke topology with the hub device located in the service provider’s cloud. We use an NFX Series device as the CPE. We indicate where, in the CSO GUI, you need to go to complete each step. The document also provides some explanation of the choices that you need to make at each step. It assumes that this is the first deployment you are attempting.
Additional information about using the GUI for any of the steps below can be found in the Contrail Service Orchestration User Guide.
Setting Up an SD-WAN Deployment
Provision your VMs according to the steps in the Contrail Service Orchestration Install and Upgrade Guide.
If you are provisioning your VMs on a KVM-based hypervisor, you must complete the steps in Creating a Data Interface for a Distributed Deployment prior to provisioning. This step creates a required bridge interface for the VMs to communicate with the CPE devices.
Complete the CSO installation as per the CSO Install and Upgrade Guide.
Purchase an Advanced Policy-based Routing license for a vSRX. You must purchase a license that includes the
Download the required vSRX KVM appliance software image from the Juniper Networks Software Download site. For CSO Release 4.0.0, the required version is 15.1X49-D143. Other hardware and software versions can be found in Hardware and Software Used in Contrail Service Orchestration Solution Deployments.
To set up an SD-WAN deployment:
- Access the Administration Portal by logging into Contrail Service Orchestration (CSO) with the Administrator login. See Accessing the Contrail Services Orchestration GUIs for details.
- Download Application Signatures
To download the application signatures, navigate to the Administration > Signature Database page.
On this page, there is a list of available database versions, their publish dates, update summaries, and detector versions. The newest database is at the top of the list. Downloading the signature database makes the application signatures available to install on your CPE device after it has been activated in a later step.
Click the Full Download link under the Actions column. A pop-up window appears that shows the progress of the download. You can watch the progress here or dismiss the window by clicking OK. If you dismiss the progress window before the job completes, you can still access the job information by looking in Monitor > Jobs. The download job appears at the top of the list.
- Upload License
To upload the license for your vSRX gateway router (GWR) device, navigate to the Administration > Licenses page.
On this page is a list of all available device licenses. Since you have not installed any licenses yet, the list is empty. Click the + icon at the top-right part of the list to add a license. This brings up a window in which you click the Browse button to locate the license file that you purchased for the vSRX.
License files are associated with specific tenants because the devices that they install on are exclusive to the tenant. If you had already created tenants, you could specify to which tenant this license file belonged. Since you don’t have any, leave the tenant field blank. You assign the tenant in a later step when you push the license to the device.
(Optional) Enter a description of the license file if desired.
- Create Tenant
To create a CSO tenant, or customer, navigate to the Tenants page.
On this page, you can view a list of information about all installed tenants. Since you don’t have any tenants yet, the list is empty. Click the + icon at the top-right part of the list to add a tenant. This brings up a window in which you fill out information about the new tenant, including its name, information about the tenant administrator, and the roles that the administrator will have. All of the information is required. Service providers (SPs) in an enterprise environment may want to name the tenants after branch office locations or retail store locations. Name the tenant something that makes sense for your deployment. Assign roles to the tenant admin as needed by selecting the check box next to the role and then clicking the > button to move the role from Available to Selected. For this example, select all of the roles. Detailed information about the different roles can be found in the Contrail Service Orchestration User Guide.
Click Next. This changes the window to display the available topologies for deployment. The tenant can have a Hybrid WAN deployment, an SD-WAN deployment, or both. Leaving either box unchecked prevents this tenant from ever building a deployment of the unchecked type. Clear the box next to Hybrid WAN, since you are only deploying SD-WAN in this example. With an SD-WAN deployment, you have two topology options: Full Mesh and Hub-and-Spoke. You can select only one topology per deployment. For this example, click the Hub-and-Spoke topology.
Click Next. This changes the window to display available tenant properties, each with a brief description of what they do. Clicking the > icon to the left of each property expands it to show what information is needed for that property. For this example, click the > next to SD-WAN Mode. This shows two radio buttons that allow the SD-WAN mode to be set as Bandwidth Optimized or Real-time Optimized. The Compare link below the radio buttons brings up information regarding what can and cannot be done with each mode.
For this example, select the Bandwidth Optimized radio button.
Click Next. This changes the window to the summary page. Review what you have entered and click OK. A pop-up message indicates that a job has been created, and another pop-up appears when the job completes. The list of tenants then refreshes.
When the tenant is created, an email is sent to the tenant administrator’s email address that you entered. This email contains the username (email address) and password (auto-generated) for the tenant.
- Enable Application Traffic Type Profile
You can customize class-of-service and probe parameters with traffic type profiles. All traffic type profiles are disabled by default. A maximum of six traffic type profiles can be enabled at one time.
To enable application traffic type profiles, navigate to the Configuration > Application Traffic Type Profiles page. Here you can see the built-in application traffic type profiles.
Click the check box next to Internet, then click the Pencil icon at the upper right part of the list to edit the profile.
In the new window that appears, you can see the parameters that make up this profile. Click the Toggle Switch next to Status. This enables the profile for use in an Application SLA Profile that you create later.
- Choose a Device Template for the CPE Device
To choose the proper device template, navigate to the Resources > Device Templates page. Here you can see the pre-installed device templates in CSO. Scroll through the list and click the check box next to the appropriate template for your CPE device. For example, if you are using an NFX250 as the CPE device in your SD-WAN deployment, you would click NFX250 as SD-WAN CPE. At the top-right part of the list, select the drop-down menu Edit Device Template and select Template Settings.
A pop-up window appears in which all of the settings for the selected template are pre-populated. Make note of the exact name in the field GWR_VSRX_IMAGE_CNAME_IN_CSO. This is the name of the software image that the CPE device needs in order to instantiate the vSRX GWR. In the case of the vSRX GWR in an NFX250, it is vsrx-vmdisk-15.1.qcow2. Feel free to look at the other available settings, but for this example, do not make any changes. Click Cancel.
- Upload Software image for vSRX
To upload a software image, navigate to the Resources > Images page. Here you can see the software images that have been uploaded to CSO.
The NFX appliance that you are using as a CPE will be in factory-default state, so it will not have any vSRX image to instantiate. During the zero touch provisioning (ZTP) process, the NFX downloads the GWR (vSRX) image from CSO.
In the top-right part of the list, click the + icon to create a new image. The page that pops up requires that you fill in all of the fields except Description and Supported Platform.
Name the image
Select VNF Image as the image type.
Click Browse and select the .qcow2 software image that you downloaded previously.
Select Juniper as the Vendor.
Select juniper-vsrx as the Family.
Fill in the Major Version Number, Minor Version Number, and Build Number as
Click Upload. CSO displays a progress window as the file is uploaded.
- Create Point of Presence (POP) for Cloud
A POP is a location within the service provider’s cloud in which PE routers and IPSec Concentrators are located. It is a regionally located access point through which customers gain access to the CSO Portals and cloud hub devices that are placed within. SPs often place POPs in their network so that they are geographically close to customer sites.
To create a POP, navigate to the Resources > POPs page. Here you can see a list of POPs. Since you have not created any POPs, the list is empty.
At the top-right part of the list, click the + icon to create a new POP.
A pop-up window appears that requires you to enter basic information about the POP such as POP name and Address Information.
In CSO Release 4.0.0, all POPs are regional.
Give the POP a name that makes sense, like bay-area-pop, and enter the appropriate address information. CSO uses this information to place the POP on a map in certain monitoring screens.
Click Next. The workflow window changes to allow you to add optional device information. The lower portion of the window allows you to create a device to put in the POP during this workflow, but for this example just click Next on this and the next two pages. At the summary page, click Enter.
- Create Cloud Hub Device
A cloud hub device resides in a regional POP within the service provider’s network or cloud. To create a cloud hub, navigate to the Resources > Cloud Hub Devices page. Here you can see a list of all cloud hub devices with their POP and site associations, status, model, serial number, and OS version.
At the top-right part of the list, click the + icon to add a cloud hub device. A pop-up workflow window appears in which you define the cloud hub device.
Name the hub something that makes sense, like srx-1500-1. Cloud hub devices can be shared among multiple tenants through the use of virtual routing and forwarding (VRF) instances configured on the hub itself.
Select regional as the Management Region; it is the only choice.
Pull down the list of POPs and select the POP that you just created.
Select DATA_AND_OAM for Capability. This allows both operation, administration, and maintenance (OAM) traffic and user data to traverse this device. It ensures that CSO can manage on-premises CPE devices through this hub device.
Select SRX as SDWAN Hub for Device Template. Other options for the hub device also populate the list. The list is built from the Device Templates list that you looked at in step 6. Multiple tenants can share this hub. There is usually one hub per POP.
In the Configuration section on the Connectivity tab, fill in the Management Connectivity section.
Enter a /32 IP address prefix, such as 10.10.10.123/32, as the Loopback IP Prefix for the CPE device. Be sure to use an address that works within your network. This address is used for BGP peering. The IP address prefix must be a /32 prefix and must be unique across the entire management network.
Select an appropriate interface, such as ge-0/0/3, as the OAM Interface of the CPE device.
The device template that was selected in step 6 contains interface assignments for the WAN_0 and WAN_1 interfaces. You must choose an unused
Leave the OAM VLAN ID blank.
You can enter a VLAN ID if one is needed in your network. If you specify an OAM VLAN ID, then all in-band OAM traffic reaches the site through the selected OAM interface. The range is 0 through 65535.
Enter an IP address prefix, such as 10.100.100.11/32, for the OAM IP Prefix. The OAM IP Prefix must be unique across the entire management network.
For NFX Series services gateways, such as the one used in this example, specify the IP address prefix as /32 if USE_SINGLE_SSH is set on the NFX. If USE_SINGLE_SSH is not set, then use a /29 or higher prefix. For SRX Series CPE devices, always use a
Enter an IP address, such as 10.100.100.1, for the OAM Gateway. This is the IP address of the next hop on the management network through which CSO connectivity must be established.
Click the check box under the WAN_0 section to enable the WAN_0 interface of the CPE device. The physical device interface is already chosen from the value in the device template and cannot be altered here.
Leave the Link Type as MPLS.
Internet is the other available link type. Since there is usually only one MPLS connection to any given service provider, any other WAN connections that you set up will likely have the link type set to Internet.
Select Static for the Address Assignment.
Enter an IP address prefix, such as 172.21.22.1/29, for the Static IP Prefix. This represents the hub-side address of the hub-to-CPE network connection.
Enter an IP address, such as 172.21.22.2, for the Gateway IP Address. This is the IP address of the GWR on the NFX250 at the customer site.
Select the Devices tab. Under Device Details, enter the serial number of the hub device and the name of the boot image that you uploaded previously.
When you have finished, click OK. A pop-up message tells you that the device is being added. When the add completes, the list refreshes and shows the new cloud hub device in the EXPECTED state under Management Status.
Enable the other WAN interfaces for your CPE device as appropriate.
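The addressing rules this step states (a /32 loopback, OAM prefix length depending on the CPE type and USE_SINGLE_SSH, uniqueness across the management network, and a WAN_0 gateway inside the hub-side static prefix) are easy to get wrong in a form and only surface later as a failed activation. The following added example, which is not part of the CSO product or this guide, checks a planned hub configuration against those rules before anything is pushed; the inventory of prefixes already in use is constructed, and "/29 or higher" is read as a /29 or larger block (assumption).

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class HubConnectivity:
    """Values from the Management Connectivity and WAN_0 sections of the
    Create Cloud Hub Device workflow (field names as on the page)."""
    loopback_ip_prefix: str      # used for BGP peering, must be /32
    oam_ip_prefix: str           # in-band OAM address of the hub
    oam_gateway: str             # next hop on the management network toward CSO
    wan0_static_ip_prefix: str   # hub side of the hub-to-CPE link
    wan0_gateway_ip: str         # GWR (vSRX) address at the customer site
    cpe_is_nfx: bool = True      # NFX Series CPE (False for an SRX CPE)
    use_single_ssh: bool = True  # NFX USE_SINGLE_SSH setting


def check_hub_connectivity(cfg: HubConnectivity,
                           management_prefixes: Iterable[str]) -> List[str]:
    """Return the list of rule violations; an empty list means the values are
    consistent with the walkthrough. management_prefixes holds the loopback
    and OAM prefixes already assigned on the management network."""
    problems: List[str] = []
    loop = ipaddress.ip_interface(cfg.loopback_ip_prefix)
    oam = ipaddress.ip_interface(cfg.oam_ip_prefix)

    # Loopback IP Prefix: a /32 used for BGP peering.
    if loop.network.prefixlen != 32:
        problems.append(f"Loopback IP Prefix {loop} must be a /32")

    # OAM IP Prefix: /32 for SRX CPEs and for NFX with USE_SINGLE_SSH set;
    # otherwise a /29 or larger block (assumed reading: prefixlen <= 29).
    if cfg.cpe_is_nfx and not cfg.use_single_ssh:
        if oam.network.prefixlen > 29:
            problems.append(f"OAM IP Prefix {oam} must be /29 or larger "
                            "when USE_SINGLE_SSH is not set")
    elif oam.network.prefixlen != 32:
        problems.append(f"OAM IP Prefix {oam} must be a /32 for this CPE type")

    # OAM Gateway: the next hop must not be the hub's own OAM address.
    if ipaddress.ip_address(cfg.oam_gateway) == oam.ip:
        problems.append("OAM Gateway must not equal the OAM IP Prefix address")

    # Uniqueness across the entire management network.
    inventory = [ipaddress.ip_interface(p).network for p in management_prefixes]
    for label, new in (("Loopback IP Prefix", loop), ("OAM IP Prefix", oam)):
        for used in inventory:
            if new.network.overlaps(used):
                problems.append(f"{label} {new} overlaps {used} already in use")
    if loop.network.overlaps(oam.network):
        problems.append("Loopback IP Prefix and OAM IP Prefix overlap")

    # WAN_0: the CPE-side gateway must be a usable host address in the same
    # subnet as the hub-side static prefix and must differ from the hub address.
    wan = ipaddress.ip_interface(cfg.wan0_static_ip_prefix)
    gw = ipaddress.ip_address(cfg.wan0_gateway_ip)
    if gw not in wan.network:
        problems.append(f"WAN_0 Gateway {gw} is outside {wan.network}")
    elif gw in (wan.network.network_address, wan.network.broadcast_address):
        problems.append(f"WAN_0 Gateway {gw} is not a usable host address")
    elif gw == wan.ip:
        problems.append("WAN_0 Gateway must differ from the hub-side address")
    return problems


# Constructed inventory: loopback and OAM addresses of another hub already deployed.
MANAGEMENT_INVENTORY = ["10.10.10.100/32", "10.100.100.10/32"]

# The values used in this walkthrough, which should pass every check.
PAGE_EXAMPLE = HubConnectivity("10.10.10.123/32", "10.100.100.11/32",
                               "10.100.100.1", "172.21.22.1/29", "172.21.22.2")

if __name__ == "__main__":
    for problem in check_hub_connectivity(PAGE_EXAMPLE, MANAGEMENT_INVENTORY):
        print("problem:", problem)
```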
- Activate Cloud Hub Device
To activate the cloud hub device, navigate to the Resources > Cloud Hub Devices page. Click the Activate Device button at the top-right of the list. A new window appears that shows the stages of activation. The stages should flow from EXPECTED to DEVICE_DETECTED to Stage-one configuration applied to Bootstrap successful to Device Active.
Click Ok. The Activate Device window closes and your device is listed as PROVISIONED in the Management Status column. Once your cloud hub device is in the PROVISIONED state, you can proceed to the next step.
- Create Site for Cloud Hub
To add a site for the cloud hub you assume the role of the tenant administrator. To do this, navigate to the Global menu and select the tenant that you created in step 5.
Navigate to the Sites > Site Management page. Here you see an empty list of sites.
Click the Add button at the top-right of the list. Select Cloud Hub from the list.
The only required fields in the new window that pops up are Site Name, Service POP, and Hub Device Name. You can fill in the other fields as appropriate.
Give the site a name that makes sense, such as naming it after the POP that it is in, like
Select your previously created POP from the Service POP list.
Select your previously created hub device from the Hub Device Name list.
Click OK. A pop-up message tells you that the add site job has been created. When it finishes, the list refreshes and shows the new site.
- Configure Spoke Site
A CSO spoke site is needed to contain the CPE device that gets shipped to the customer site. To create one, click the Add button and select
In the workflow window that appears, fill in the name of the on-premises site, such as Site1, and click Next.
In Connectivity Requirements, select the appropriate connection plan for your CPE device, such as NFX250 as SD-WAN CPE for an NFX250. The WAN Underlay Links appear below the Connection Plan.
Click the check box next to WAN_0 to enable this link.
Leave the Connection Type as MPLS.
Leave the Access Type as Ethernet for an MPLS connection. You can select ADSL, Ethernet, LTE, or VDSL as appropriate when using an Internet Connection Type.
Set the Subscribed Bandwidth to the appropriate setting for this link, such as
Enter the Provider name as the name of the service provider, like
Enter the Cost/Month as the cost per month for using this link. This number is used in SD-WAN link-switch calculations.
Click the check box next to WAN_1 to enable this link.
Set the Connection Type as Internet.
Set the Access Type to the appropriate type: ADSL, Ethernet, LTE, or VDSL.
Set the Subscribed Bandwidth to the appropriate value for this link.
Enter the Provider name as the name of the service provider, like
Enter the Cost/Month as
Click Next. The workflow proceeds to Additional Requirements. Here you select the default and backup links for the connection.
Set Default Link to whichever link
Set Backup Link to
Click Next. The workflow proceeds to LAN Segments. Here you must add at least one LAN segment for the on-premises site.
Additional LAN segments can be added. CSO provides the ability to set up multiple LAN segments for the customer based on departments. In this case, each department gets its own IPSec VPN in order to keep traffic separated.
Name the LAN segment to something that makes sense, like
Assign one or more Ports to be used on the CPE device for this LAN segment, like
Set the IP Address Prefix to something that meets the requirements of the customer LAN, such as 172.20.13.0/24, or whatever is required at the site.
Leave the Department as Default. If you set up multiple departments during the tenant creation phase, you can choose the appropriate
If you toggle the DHCP switch, you can have the NFX provide DHCP Services for the site on that LAN segment.
Click Save, then click Next.
The workflow proceeds to Summary. Review the summary and click OK. A pop-up message appears telling you that the Create Site job was created.
- Activate Spoke Site Device
The activate spoke site operation allows you to control when the ZTP of a device can proceed to completion. If a CPE device is powered on at a customer site, and you have not performed this activation procedure, the device continuously tries to start the ZTP process.
To activate your spoke site device, click the check box next to the site name then click the Activate Device button at the top-right part of the list. This brings up a window in which you enter the activation code for the device.
- Install License on Device
To install a license on a device, you switch back to the Global Administrator role. Navigate to the pull-down menu Tenant1 on the left side of the grey bar at the top of the GUI, next to CSO Customer Portal, and select Global.
Once back in the Administration Portal, navigate to Administration > Licenses.
Click the check box next to the license file that you uploaded in step 3.
Click the Push License button at the upper-right part of the list and select Push.
In the pop-up window that appears, select the name of the tenant that you created in step 4 from the Tenant pull-down menu. Your sites and devices appear under Sites and Devices.
Select the check box next to your tenant site to push the license to the CPE device at that site.
- Install Application Signature
This step allows the CPE device to obtain the signature database needed for application identification.
To install an application signature, navigate to Administration > Signature Database in the Administration Portal. Because of the signature download you completed in step 2, the Active Database section now lists the number of the downloaded database.
Click the Install on Device link under the Actions column.
In the new window that pops up, you can elect to push the signatures to any device listed.
Select the check box next to the NFX250 device, then click OK.
- Configure Firewall Policy
To configure a firewall policy, you switch again to the tenant administrator role. To do this, navigate to the Global pull-down menu and select Tenant1, the tenant that you created in step 4.
Once in the Customer Portal, navigate to Configuration > Firewall > Firewall Policy.
Click the + icon on the right side of the window to add an intent-based firewall policy.
The window changes to reveal a policy builder with the Source area selected. You can select a source address, department, users, or a combination as Source.
Select Any and click the icon for Action.
Select Deny from the list of actions, then click in the Destination field.
Click the View More Results link in the list of destinations. A slide-out appears on the right of the screen where you can select from many destinations.
Click the > next to Services [SVCS] to expand the list of services. Click the check box next to icmp-ping. Then hover over the ... icon and click Add. This adds the icmp-ping service to the Destination field. Click Save.
The intent policy is listed. Click the Deploy button.
Pop-up messages indicate that the deployment is in progress. When it is finished, the Total Intents counter changes from 0 to 1. This indicates successful deployment of a firewall policy to block the ICMP-PING service. This policy can be implemented at any site.
- Configure SD-WAN Application SLA Profile
To configure an SD-WAN Application SLA Profile, navigate to the Configuration > SD-WAN > Application SLA Profiles page. Here you see a blank list of profiles. Click the + icon at the upper-right part of the list.
The Create SLA Profile workflow window appears.
Name the profile as
In the Priority field, enter 5 for fairly high priority.
From the Traffic Type Profile pull-down menu, select
From the Path Preference pull-down menu, select
Set the Packet Loss slider to
Set the RTT, Jitter, and Throughput fields to
Leave all other settings at their default, and click OK. The profile is listed on the page and is available for use in an SD-WAN policy.
- Configure SD-WAN Policy
To configure an SD-WAN Policy, switch again to the Tenant Administrator role in the Customer Portal. To do this, navigate to the Global pull-down menu and select the tenant that you created in step 4.
Once in the Customer Portal, navigate to the Configuration > SD-WAN > SD-WAN Policy page.
Once your SD-WAN deployment is up and running, a logical next step might be to look into the Contrail Service Orchestration Monitoring and Troubleshooting Guide.
This walkthrough has examined the major workflows involved in deploying an SD-WAN solution using a hub-and-spoke topology. As you can see from going through it, there are many other modes of deployment and options available when deploying an SD-WAN solution. A good resource for proceeding with other SD-WAN solutions is the SD-WAN Design and Architecture Guide.