Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Adding a Single Tenant

 

You can use the Add Tenant page to add tenant data and other objects associated with a tenant, such as tenant user, network details, deployment scenario, service profiles, and custom properties. A single tenant supports SD-WAN deployment and hybrid WAN deployment scenarios.

Tip

A single tenant supports both full mesh or hub-and-spoke topologies.

To connect sites in hub-and-spoke topology,

  • Select the SD-WAN mode as bandwidth-optimized in the Add Tenant page, or

  • Select the SD-WAN mode as real-time optimized, and do not enable the Enable Meshing toggle button in the Configure Site page.

To connect sites in full mesh topology,

  • Select the SD-WAN mode as real-time optimized (or you must have selected both real-time optimized and bandwidth-optimized) in the Add Tenant page, and

  • Select the Enable Meshing toggle button for at least one WAN link in the Configure Site page.

Before you create a tenant you must create all the resources required for the network point of presence (POP).

To add a tenant:

  1. Select Tenants > All Tenants > +.

    The Add Tenant page appears.

  2. Update the tenant information. Complete the configuration according to the guidelines provided in Table 1.
  3. Click OK to add a tenant. If you want to discard your changes, click Cancel instead.

    If you click OK, the tenant that you configured appears on the Tenants page.

  4. If you use the tenant for a hybrid WAN centralized deployment, access Contrail and add the following rule to the default security group in the Contrail project.

    This rule allows the network to accept traffic from all subnets.

Table 1: Fields on the Add Tenant Page

Field

Description

Tenant Info

Name

Enter the name of the tenant. You can use an unlimited number of alphanumeric characters, including special characters.

The tenant name that you set must be between 6 and 21 characters long, and it must include at least one lowercase letter, one uppercase letter, one special character, and one number.

Example: test-tenant

Admin user

First Name

Enter the first name of the user.

Last Name

Enter the last name of the user.

Username (Email)

Enter the e-mail ID of the user. The e-mail ID is also the username for the user. This field is automatically populated after you enter the tenant name.

Example: test-tenant_admin@test-tenant.com

Roles

Select one or more roles (both predefined and custom roles) that you want to assign to the tenant user.

Note: In the Available column, all tenant scope roles are listed.

Click the right arrow(>) to move the selected role or roles from the Available column to the Selected column. Note that you can use the search icon on the top right of each column to search for role names.

To preview the access privileges assigned to a role, click the role name.

Password Policy

User Password Expires

Select one of the following options:

  • Never—If you select this option, the password never expires.

  • After specified number of days—If you select this option, you must specify a duration in the Password Expiration Days field.

Password Expiration Days

Specify the duration (in days) after which the password expires and must be changed.

The range is from 1 through 365. The default value is 180 days.

Deployment Info

Deployment Type

Select at least one deployment type for the tenant.

  • SD-WAN sites—Select this check box if you want the tenant to create SD-WAN sites only. SD-WAN sites can have up to 4 WAN links, and the tenant can define intent policies to intelligently route different applications through different WAN links.

  • Hybrid WAN sites—Select this check box if you want the tenant to create Hybrid WAN sites only. The Hybrid WAN sites can have a maximum of two WAN links. You cannot apply intent policies for Hybrid WAN sites.

Select both check boxes if you want the tenant to create both SD-WAN site and Hybrid WAN site.

Note: The options listed in Customer Portal > Sites > Add are filtered based on the deployment type that you have selected for a tenant. For example, if you have selected Hybrid WAN sites for a tenant, in Customer portal > Sites > Add, only the following options are listed:

  • Spoke Site

  • Local Service Edge

  • Regional Service Edge

SD-WAN Mode

Note: This field appears only if you selected the SD-WAN sites check box in the Deployment Type field.

Select the SD-WAN mode:

  • Bandwidth-optimized—CSO uses link-level probes to switch traffic from links that do not meet SLA criteria to links that meet SLA. This is selected by default.

    If you select the bandwidth-optimized option, all sites in the tenant are connected to the hub (hub-and-spoke topology).

  • Real time-optimized—CSO monitors application-level traffic and delegates the application-level probes and link switching to CPE. Select this mode if you want to implement AppQoE.

    If you select the real time-optimized option, all sites in the tenant are connected in full mesh or hub-and-spoke topology.

    Note: The Dynamic VPN page and Mesh Tags page appears in the Customer Portal only if you have selected the Real time-optimized option.

Tenant Properties

SSL Settings

Note: This setting is applicable only to the SD-WAN deployment scenario.

Default SSL Forward Proxy Profile

Click the toggle button to enable a default SSL proxy profile for the tenant.

If you enable this option, the following items are created when a tenant is added:

  • A default root certificate with the certificate content specified (in the Root Certificate field)

  • A default SSL proxy profile

  • A default SSL proxy profile intent that references the default profile

This option is disabled by default.

Note: You use this option to create a tenant-wide default profile; enabling or disabling this option does not mean that SSL is enabled or disabled.

If you enable this option, you must add a root certificate.

Root Certificate

You can add a root certificate (X.509 ASCII format) by importing the certificate content from a file or by pasting the certificate content:

  • To import the certificate content directly from a file:

    1. Click Browse.

      The File Upload dialog box appears.

    2. Select a file and click Open.

      The content of the certificate file is displayed in the Root Certificate field.

  • Copy the certificate content from a file and paste it in the text box.

After the tenant is successfully added, a default root certificate, a default SSL proxy profile, and a default SSL proxy profile intent are created.

Note:

  • The root certificate must contain both the certificate content and the private key.

  • For full-fledged certificate operations, such as certificates that need a passphrase, or that have RSA private keys, you must use the Certificates page (Administration > Certificates) to import the certificates and install on one or more sites.

VPN Authentication

Note: This setting is applicable only to the SD-WAN deployment scenario.

Authentication Type

Select the VPN authentication method to establish a secure IPsec tunnel:

  • Preshared Key—Select this option if you want CSO to establish IPsec tunnels using keys.

    Note: Preshared Key is the default VPN authentication method.

  • PKI Certificate—Select this option if you want CSO to establish IPsec tunnels using public key infrastructure (PKI) certificates. Specify the following:

    • CA Server URL—Specify the Certificate Authority (CA) Server URL. For example, http://CA-Server-IP-Address/certsrv/mscep/

      mscep.dll/pkiclient.exe.

      The CA server manages the life cycle of a certificate. The CA server also publishes revoked certificates to the certification revocation list (CRL) server. To obtain trusted CA certificates, CSO communicates with the CA server using the Simple Certificate Enrollment Protocol (SCEP).

    • Password—Specify the password for the CA server. This field is optional.

    • Revocation List Server URL—Specify the CRL server URL. For example, http://Revocation-List-Server-IP-Address/certservices/abc.crl. CSO retrieves the list of revoked certificates from the CRL server.

    • Auto Renew—Click the toggle button to enable automatic renewal of certificates.

      If you enable the Auto Renew toggle button, certificates are automatically renewed for all sites in the tenant.

      By default, the Auto Renew toggle button is disabled. If you disable the Auto Renew toggle button, certificates must be manually renewed.

      Note: If the certificate is expired before the renewal, CSO might not be able to reach the device.

    • Renew before expiry—This field appears only if you have enabled the Auto Renew toggle button.

      Select the number of days, weeks, or months before the expiration date when the certificates get automatically renewed.

      Select one of the following:

      • 3 Days

      • 1 Week

      • 2 Weeks

      • 1 Month

      Note: The default value is 2 weeks. You can also change the duration value in the Customer Portal > Administration > Certificate Management > VPN Authentication page.

Overlay Tunnel Encryption

Note: This is applicable only to the SD-WAN deployment scenario.

Encryption Type

For security reasons, all data that passes through the VPN tunnel must be encrypted. Select the encryption type:

  • 3DES-CBC—Triple Data Encryption Standard with Cipher-Block Chaining (CBC) algorithm.

  • AES-128-CBC—128-bit Advanced Encryption Standard with CBC algorithm.

  • AES-128-GCM—128-bit Advanced Encryption Standard with Galois/Counter Mode (GCM) algorithm.

  • AES-256-CBC— 256-bit Advanced Encryption Standard with CBC algorithm.

  • AES-256-GCM—256-bit Advanced Encryption Standard with GCM algorithm.

The default encryption type is AES-256-GCM.

Note: The MX Series routers do not support encryption types, AES-128-GCM and AES-256-GCM. The default encryption type for MX Series routers is, AES-256-CBC.

Network Segmentation

Network Segmentation

Enable network segmentation on the tenant.

Dynamic VPN Threshold

Note: This is applicable only to the SD-WAN deployment scenario in real-time optimized mode.

Threshold

Select this check box to customize the dynamic VPN threshold value that will override the tenant-level default threshold values.

For more informations about dynamic VPN, see Dynamic VPN Tunnels Overview.

Threshold for Creating a Tunnel

Set a threshold value, above which a tunnel is created between two sites.

Sessions closed

Specify the maximum number of sessions closed (for a time duration of 2 minutes) between two spoke sites.

The dynamic VPN tunnel is created between two spoke sites if the number of sessions closed (for a time duration of 2 minutes) is greater than or equal to the value that you specified.

The default threshold value (the number of sessions for 2 minutes) is 5.

For example, if you specify the number of sessions as 5, dynamic VPN tunnels are created if the number of sessions closed between two spoke sites in 2 minutes exceeds 5.

Threshold for Deleting a Tunnel

Set a threshold value, below which a tunnel is deleted between two sites.

Sessions closed

Specify the minimum number of sessions closed (for a time duration of 15 minutes) between two spoke sites.

The dynamic VPN tunnel is deleted between two spoke sites if the number of sessions closed (for a time duration of 15 minutes) is lesser than or equal to the value that you specified.

The default threshold value (the number of sessions for 15 minutes) is 2.

For example, if you specify the number of sessions as 2, the dynamic VPN tunnels are deleted if the number of sessions closed is lesser than or equal to 2.

Maximum DVPN Tunnels

Max tunnels allowed per CSO

Displays the maximum number of DVPN tunnels that can be created in CSO. The total number of DVPN tunnels that can be created by all tenants in CSO is limited to 125000.

A major alarm is raised if the number of DVPN tunnels created by all tenants reaches seventy percent of the maximum value.

A critical alarm is raised if the number of DVPN tunnels created by all tenants reaches ninety percent of the maximum value.

To view alarms, see Monitor > Alerts & Alarms > Alarms in the Administration Portal.

For more information about alarms, see About the Alarms Page.

Max tunnels allowed per tenant

Specify the maximum number of DVPN tunnels that the tenant can create.

Range: 0 through 125000.

A major alarm is raised if the number of DVPN tunnels created by all sites in a tenant reaches seventy percent of the maximum value.

A critical alarm is raised if the number of DVPN tunnels created by all sites in a tenant reaches ninety percent of the maximum value.

To view alarms, see Monitor > Alerts & Alarms > Alarms in the Customer Portal.

For more information about alarms, see About the Alarms Page.

Service Profiles

VIM Name

If you use a dedicated OpenStack Keystone for Contrail Service Orchestration in a centralized deployment, then select the virtualized infrastructure manager (VIM) for the tenant. A tenant can be associated with multiple VIMs.

Example: test-vim

Service Profile Name

If you use a dedicated OpenStack Keystone for Contrail Service Orchestration in a centralized deployment, then select the service profile that specifies the authentication information for the tenant. You configure the service profile when you create the VIM.

Example: service-profile-for-test-vim

Custom Properties

If you have set up a third-party provider edge (PE) device by using software other than Contrail Service Orchestration, then configure settings on that router by specifying custom parameters and its corresponding values.

Name

Specify any information about the site that you want to pass to a third-party router.

Example: Location

Value

Specify a value for the information about the site that you want to pass to a third-party device.

Example: Boston

Related Documentation