Secure OAM Network Overview
The management and control plane traffic between a customer premises equipment (CPE) device in an SD-WAN on-premise spoke site or enterprise hub and Contrail Service Orchestration (CSO) consists of SSH and HTTPS sessions between the CPE device and CSO, the BGP session between the CPE device and a virtual route reflector (VRR), and system log traffic between the CPE device and CSO. This traffic must be carried across the network through a secure and redundant communication channel. To provide such a secure and redundant communication channel, you must configure a secure Operation, Administration, and Maintenance (OAM) network between the SD-WAN on-premise spoke sites or enterprise hubs and CSO.
This topic provides an overview of the secure OAM network, explains the workflow for configuring a secure OAM network, and benefits of a secure OAM network in an SD-WAN deployment.
Topology of a Secure OAM Network
CSO uses the cloud hub devices as SD-WAN hubs to set up IPsec tunnels and provision site-to-site or site-to-hub traffic. The cloud hub acts as a concentrator for terminating the IPsec tunnels from SD-WAN on-premise spoke sites or enterprise hubs. The cloud hub device is located in the service provider’s point of presence (POP). You can add an SRX Series services gateway, or a vSRX instance as a cloud hub device.
You can add a high-end SRX Series services gateway as an SD-WAN cloud-hub device in a greenfield deployment only.
You can configure a cloud hub with the following capabilities:
Data capability—Used for carrying only data traffic.
OAM capability—Used for carrying only OAM traffic.
Data and OAM capability—Used for carrying both data and OAM traffic.
Figure 1 shows the connections between the SD-WAN on-premise spoke site or enterprise hub, cloud hub, and CSO.
The secure OAM network is built using the dedicated IPsec tunnel (overlay connection) that is established between the CPE device associated with the SD-WAN on-premise spoke site or enterprise hub and a cloud hub with OAM capability. The cloud hub is connected to CSO through a secure private network (underlay connection) that is owned by the service provider.
Because the loopback IP address of the CPE device is used for OAM communication, it is fixed and unique across the entire deployment, and is always reachable from CSO over the IPsec tunnel. Even if the WAN interfaces are behind NAT and are assigned private IP addresses (using DHCP), the OAM connectivity between the SD-WAN on-premise spoke site or enterprise hub and the cloud hub is not impacted. The IPsec tunnel can still be established over the Internet interface including the LTE access type.
The secure OAM network is supported on both hub-and-spoke topology and full-mesh topology. In a hub-and-spoke topology, you must configure each cloud hub with OAM capability. In a full-mesh topology, you must configure at least one cloud hub with OAM capability.
Workflow for Establishing a Secure OAM Network
Use the following workflow to establish a secure OAM network between the SD-WAN on-premise spoke site or enterprise hub and the cloud hub. As the cloud hub is located in the service provider’s POP, it has a private and secure connectivity to CSO. The workflow has the following prerequisites:
The CSO installation is managed by the service provider.
The cloud hub is connected to CSO through the service provider’s private network.
To establish a secure OAM network between SD-WAN on-premise spoke sites or enterprise hubs and the cloud hub:
- Log in to Administration Portal, and
add a cloud hub device with data, OAM, or data and OAM capability.
The first cloud hub device added to the network must be of Data and OAM capability. If you select a cloud hub device with data capability in this step, then you must specify a proxy OAM hub device for OAM traffic. Also, specify the management configuration settings such as loopback IP address prefix, OAM interface, OAM interface IP address prefix, OAM interface VLAN ID, and OAM gateway IP address.
- Log in to Customer Portal, and add a cloud hub site. Associate the cloud hub site with cloud hub device that you created in Step 1 and configure the cloud site.
- In Customer Portal, add an on-premise spoke site or enterprise hub for the CPE device in SD-WAN deployment.
- Configure the site that you created in Step 3. Specify the IP address prefix for the
site and select at least one WAN link for OAM traffic. The WAN link
with the Use for OAM traffic option enabled is used to
set up the secure OAM tunnel to the cloud hub device.
For an NFX250 CPE device, specify at least one WAN link with traffic type as OAM and Data. If device redundancy is enabled, then specify one WAN link for each CPE device with the traffic type as OAM and Data.
If no activation code is needed to activate the device, then the Zero Touch Provisioning (ZTP) workflow is started as soon as device communicates with Contrail Service Orchestration (CSO). If an activation code is needed to activate the device, you must enter an activation code to start the ZTP workflow. For more information, see Activating a CPE Device.
Benefits of Secure OAM Network
IPsec tunnel redundancy—The secure OAM network supports a maximum of two IPsec tunnels between each SD-WAN on-premise spoke site or enterprise hub and the cloud hub, thus providing redundancy and ensuring that OAM traffic is not lost even in the case of WAN link failures.
Hub device redundancy—In case of multihoming at the spoke sites, each CPE device at the site is connected to two cloud hubs, and the IPsec tunnels are established from the SD-WAN on-premise spoke site or enterprise hub to both primary and secondary cloud hub devices. This hub device redundancy ensures that the OAM traffic is not lost even if a hub fails.