Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Hybrid WAN (Distributed) Deployment Architecture


In the distributed CPE deployment the Contrail Services Orchestration (CSO) software resides in the service provider’s cloud, and is operated by the service provider in order to provide network services at customer sites.

Figure 1 shows a simple diagram of the distributed CPE solution. The cloud represents the service provider network to which the customer site is connected.

Figure 1: Distributed CPE
Distributed CPE

As mentioned previously, the distributed Cloud CPE deployment makes use of on-premises CPE devices in order to localize the delivery of network services and provide gateway router (GWR) functionality. In this case, the Juniper Networks NFX Series or SRX Series devices act as the CPE devices. In the case of NFX as CPE, the GWR function is provided by a built-in vSRX VNF and network services are hosted and provided from within the NFX that is located at the customer site. This makes the network services extremely responsive from the point of view of the customer LAN, while negating the need for customer traffic to traverse the WAN in order to access the services. In the case of an SRX Series device as the managed CPE device, only services native to the SRX, firewall, NAT, and UTM, can be provisioned and managed at the customer site by CSO. Other services, such as WAN optimization must be provisioned and managed separately from the SRX and cannot be managed by CSO.

The distributed Cloud CPE deployment also makes use of a provider edge (PE) router in the service provider cloud. The PE router acts as a IPSec concentrator, terminating IPSec tunnels, and a PE router, providing policy-based access to the service provider’s MPLS network. The PE and CPE devices communicate over one or more WAN links and make use of MPLS/GRE or IPSec tunnels.

Table 1: Hardware and Software Matrix for CPE Devices in a Hybrid WAN Deployment



Models Supported

Junos OS Software Release Version

PE Router and IPsec Concentrator (Hybrid WAN deployment only)

MX Series 3D Universal Edge Router

  • MX960, MX480, or MX240 router with

    a Multiservices MPC line card

  • MX80 or MX104 router with Multiservices MIC line card

  • Other MX Series routers with a Multiservices MPC or Multiservices MIC line card

    See MPCs Supported by MX Series Routers Login required and MICs Supported by MX Series Routers Login required for information about MX Series routers that support Multiservices MPC and MIC line cards.

Junos OS Release 16.1R3.00

CPE device (Hybrid WAN deployment) or spoke device (SD-WAN implementation)

  • NFX Series Network Services Platforms

  • SRX Series Services Gateways

  • vSRX on an x86 server

  • NFX250-LS1 device

  • NFX250-S1 device

  • NFX250-S2 device

  • NFX150-S1 device

  • NFX150-S1E device

  • NFX150-C-S1 device

  • NFX150-C-S1-AE/AA device

  • NFX150-C-S1E-AE/AA device

  • SRX300 Services Gateway

  • SRX320 Services Gateway

  • SRX340 Services Gateway

  • SRX345 Services Gateway

  • SRX4100 Services Gateway

  • SRX4200 Services Gateway

  • vSRX

For NFX250: Junos OS Release 15.1X53-D496

For NFX150: Junos OS Release 18.2X85-D11

For SRX Series: Junos OS Release 15.1X49-D161

Selection of services, and some service management capabilities can be allocated to the customer by the service provider using the CSO Administrator Portal. The customer would then access whatever service selection and management capabilities allowed by using the Customer Portal.

CSO manages the lifecycle of the VNFs hosted on the NFX CPE devices from creation in Network Designer, through instantiation, deployment, and finally through replacement or retirement.