
Adding On-Premise Spoke Sites for SD-WAN Deployment

 

An on-premise spoke represents an endpoint that is part of customer premises equipment (CPE) at a physical location such as a branch office or point-of-sale location. Typically, these endpoints are connected to hub sites using overlay connections. You add an on-premise spoke site from the Sites page. The following device templates are supported for on-premise spoke sites:

  • NFX150 as SD-WAN CPE

  • NFX250 as SD-WAN CPE

  • Dual NFX250 as SD-WAN CPEs

  • SRX as SD-WAN CPE

  • Dual SRX as SD-WAN CPEs

  • SRX4x00 as SD-WAN CPE

  • Dual SRX4x00 as SD-WAN CPEs

To add an on-premise spoke site:

  1. Click Add and select On-Premise Spoke Site.

    The Add Site for Tenant-Name page appears.

  2. Complete the configuration settings according to the guidelines provided in Table 1.
  3. (Optional) You can review the configuration in the Summary tab and modify the settings, if required.
  4. Click OK.

    You are returned to the Sites page and a message indicating that the site creation job was triggered is displayed. You can click the job ID link to view the progress of the job. After the job is completed successfully, a confirmation message is displayed and the site that you added is displayed on the Sites page.

    After you add the site, you must configure the site parameters, and then activate the on-premise site.

Table 1: Add Site for <Tenant-Name> Settings

Field

Description

General

Site Information

 

Site Name

Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 15 characters.

Site Type

Displays the site type (hub or spoke). This field cannot be modified.

SDWAN Mode

Displays the SD-WAN mode for the tenant. This field cannot be modified.

Site Group

Select a site group to which you want to assign the site.

Address

 

Street Address

Enter the street address of the site.

City

Enter the name of the city where the site is located.

State/Province

Select the state or province where the site is located.

ZIP/Postal Code

Enter the postal code for the site.

Country

Select the country where the site is located.

You can click the Validate button to verify the address that you specified:

  • The site address verification successful message is displayed if the address can be verified. You can click the View location on a map link to see the address location.

  • If the address cannot be verified, the Site address could not be validated message is displayed.

Contact Information

 

Contact Name

Enter the name of the contact person for the site.

Email

Enter the e-mail address of the contact person for the site.

Phone

Enter the phone number of the contact person for the site.

Click Next to continue.

Connectivity Requirements

Connection Plan

The list of available connection plans is displayed in a carousel. You can use the left arrow and right arrow icons to view the different connection plans.

Click a connection plan to select the plan for the site.

Note: After you select a connection plan, the WAN links that can be configured are displayed:

  • For single CPE connection plans, you must enable at least one WAN link.

  • For dual CPE connection plans, you must enable one primary WAN link and one secondary WAN link.

Connectivity Requirements for the Selected Plan

 

WAN Underlay Links

 

WAN_0

Select the check box to enable this WAN link.

When you enable a WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Type

Select the underlay network type (MPLS or Internet) of the WAN link that is connected to the on-premise spoke site.

Access Type

Select the access type for the underlay link:

  • Ethernet—Supports WAN connectivity through Ethernet.

  • LTE—Supports LTE USB dongle for WAN connectivity.

  • ADSL—Supports asymmetric digital subscriber line (ADSL) for WAN connectivity.

  • VDSL—Supports very-high-bit-rate digital subscriber line (VDSL) for WAN connectivity.

Note:

  • LTE, ADSL, and VDSL access types are:

    • Applicable only to NFX150 and NFX250 device templates.

    • Supported only for Internet links.

    • Not supported when a dual CPE connection plan (device template) is used.

  • You can configure only one WAN link with either LTE, ADSL, or VDSL access type.

PPPoE

This field is displayed only if you specify ADSL or VDSL as the access type.

Click the toggle button to enable Point-to-Point Protocol over Ethernet (PPPoE) for a WAN link. By default, PPPoE is disabled.

PPPoE connects multiple hosts on an Ethernet LAN to a remote site through a single customer premises equipment (CPE) device.

Note:

  • If you enable PPPoE, you must specify the PPPoE parameters while configuring the site.

  • PPPoE is not supported when a dual CPE connection plan (device template) is used.

Subscribed Bandwidth

Enter the maximum bandwidth (in megabits per second [Mbps]) to be allowed for the WAN link.

Range: 1 through 10,000

Note: If you specify LTE as the access type, you cannot configure the subscribed bandwidth.

Provider

Enter the name of the service provider who is responsible for providing the WAN link.

Cost/Month

Enter the cost per month (in the specified currency) of the subscribed bandwidth.

Range: 1 through 10,000

In bandwidth-optimized SD-WAN, CSO uses this information to identify the least-expensive link to route traffic if multiple WAN links meet SLA profile parameters. For more information, see Cost-Based Link Switching.

Enable Local Breakout

Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled.

Note:

  • If you enable local breakout on a WAN link, the WAN link can be used for local breakout. The decision of whether traffic breaks out locally from the site depends on the breakout profile that is referenced in the SD-WAN policy intent.

  • If you do not enable local breakout on at least one WAN link for a single CPE connection plan and at least two WAN links for a dual CPE connection plan, then local breakout is disabled for the site.

Breakout Options

Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

WAN Link (Primary or Secondary)

For dual CPE connection plans, displays whether the WAN link is for the primary device or for the secondary device. This field cannot be modified.

WAN_1

Select the check box to enable this WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 for an explanation of the fields.

WAN_2

Select the check box to enable this WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 for an explanation of the fields.

WAN_3

Select the check box to enable this WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 for an explanation of the fields.

Click Next to continue.

Additional Requirements

Site Type

Displays the type of site being added (spoke or hub). This field cannot be modified.

Default Link

Select one or more links to be used for routing traffic in the absence of matching SD-WAN policy intents.

Default links are used primarily for overlay traffic but can also be used for local breakout traffic. However, a default link cannot be used exclusively for local breakout traffic. If you do not specify a default link, then equal-cost multipath (ECMP) is used to choose the link on which to route traffic.

Backup Link

Select a backup link through which traffic can be routed when the primary (other) links are unavailable.

You can select any link other than the default links or links that are configured exclusively for local breakout traffic as the backup link.

When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, SLA data is not monitored for the backup link.

Preferred Breakout Link

Select the preferred link for local breakout. If no link is selected, then the breakout link is chosen using ECMP from the available links.

Dynamic VPN Thresholds 

Threshold

Select the Set Custom Threshold check box to specify custom threshold values for the creation and deletion of dynamic VPN tunnels from the on-premise spoke site to a destination site.

Note: The threshold value that you specify overrides the threshold value specified for the tenant.

Threshold for Creating a Tunnel

 

Sessions Closed

Specify the threshold for the number of sessions (flows) closed (in a two-minute duration) between the on-premise spoke site and a destination site. When the number of sessions closed exceeds the specified threshold, a tunnel is created between the on-premise spoke site and the destination site.

Threshold for Deleting a Tunnel

 

Sessions Closed

Specify the threshold for the number of sessions closed (in a 15-minute duration) between the on-premise spoke site and a destination site. When the number of sessions closed is lower than the specified threshold, the tunnel between the on-premise spoke site and destination site is deleted.

Enable Hub Multihoming

Click the toggle button to enable multihoming on the site. Multihoming is the ability of a spoke site to connect to multiple hub sites, thereby providing redundancy.

Device Redundancy

For an SD-WAN site, displays whether device redundancy is enabled (true) or disabled (false) on the on-premise spoke site.

Device redundancy is enabled only when you select a dual CPE NFX or a dual CPE SRX connection plan. In device redundancy, two CPE devices (either NFX devices or SRX devices) are used to protect the site against device failures. If the primary device fails, the secondary device takes over the traffic processing. This field cannot be modified.

Click Next to continue.

LAN Segments

You must add at least one LAN segment for the on-premise site. To add a LAN segment:

  1. Click the + icon.

    The Add LAN Segment page appears.

  2. Complete the configuration settings according to the guidelines provided in Table 2.
  3. Click Save.

    The LAN segment is added and you are returned to the Add Site for Tenant-Name page.

Click Next to continue to the Summary tab.
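
The site name rule and the WAN link rules in the Connectivity Requirements rows of Table 1 can be checked against a planned site before the values are entered on the Add Site page. The following Python check is an added example and is not part of CSO; the dictionary layout, the key names, and the assumption that dual CPE plans are identified by a template name beginning with "Dual" are illustrative.

```python
import re

SITE_NAME = re.compile(r"[A-Za-z0-9-]{1,15}")    # alphanumerics and hyphen, max 15
DSL_LTE = {"LTE", "ADSL", "VDSL"}

def validate_site(site):
    """Return rule violations for a planned spoke site (hypothetical dict layout)."""
    errs = []
    if not SITE_NAME.fullmatch(site["name"]):
        errs.append("site name: alphanumerics and hyphen only, max 15 characters")
    template = site["template"]
    dual = template.startswith("Dual")            # assumption: dual plans are named "Dual ..."
    nfx = "NFX150" in template or "NFX250" in template
    links = [l for l in site["wan_links"] if l.get("enabled")]
    if dual and not {"primary", "secondary"} <= {l.get("role") for l in links}:
        errs.append("dual CPE plan: enable one primary and one secondary WAN link")
    if not dual and not links:
        errs.append("single CPE plan: enable at least one WAN link")
    if sum(l["access"] in DSL_LTE for l in links) > 1:
        errs.append("only one WAN link may use LTE, ADSL, or VDSL")
    for l in links:
        name, access = l["name"], l["access"]
        if access in DSL_LTE:
            if not nfx:
                errs.append(f"{name}: {access} applies only to NFX150 and NFX250 templates")
            if dual:
                errs.append(f"{name}: {access} is not supported with a dual CPE plan")
            if l["type"] != "Internet":
                errs.append(f"{name}: {access} is supported only for Internet links")
        if l.get("pppoe"):
            if access not in {"ADSL", "VDSL"}:
                errs.append(f"{name}: PPPoE is offered only for ADSL or VDSL access")
            if dual:
                errs.append(f"{name}: PPPoE is not supported with a dual CPE plan")
        bw = l.get("bandwidth_mbps")
        if access == "LTE" and bw is not None:
            errs.append(f"{name}: subscribed bandwidth cannot be set for LTE")
        elif access != "LTE" and bw is not None and not 1 <= bw <= 10000:
            errs.append(f"{name}: subscribed bandwidth must be 1 through 10,000 Mbps")
    return errs

# Constructed sample plans, not taken from a real deployment.
GOOD = {"name": "branch-042", "template": "NFX250 as SD-WAN CPE", "wan_links": [
    {"name": "WAN_0", "enabled": True, "type": "MPLS", "access": "Ethernet", "bandwidth_mbps": 100},
    {"name": "WAN_1", "enabled": True, "type": "Internet", "access": "LTE"}]}
BAD = {"name": "branch_office_east_01", "template": "Dual SRX as SD-WAN CPEs", "wan_links": [
    {"name": "WAN_0", "enabled": True, "role": "primary", "type": "MPLS",
     "access": "ADSL", "pppoe": True, "bandwidth_mbps": 20000}]}

if __name__ == "__main__":
    print(validate_site(GOOD) or "OK", validate_site(BAD), sep="\n")
```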

Table 2: Fields on the Add LAN Segment page

Field

Description

Name

Enter a unique string of alphanumeric characters. No spaces are allowed and the maximum length is 15 characters.

Type

Select the type of LAN segment:

  • Directly Connected—Indicates that the LAN segment is directly connected to the site. This is the default.

  • Dynamic Routed—Indicates that the LAN segment is not directly connected to the site and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.

    Note: You can configure dynamically routed LAN segments only for gateway sites.

Ports

Select one or more port numbers from the list depending on the connection plan that you previously specified.

VLAN ID

Enter the VLAN ID for the LAN segment.

Range: 1 through 4094.

IP Address Prefix

Enter the IP address prefix for the LAN segment; for example, 192.0.2.8/24.

Department

Select a department to which the LAN segment is to be assigned. You group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department.

Alternatively, click Create Department to create a new department and assign the LAN segment to it. See Adding a Department.

DHCP

For directly connected LAN segments, click the toggle button to enable DHCP. DHCP is disabled by default.

You enable DHCP if you want to assign IP addresses by using a DHCP server. You disable DHCP if you want to assign a static IP address to the LAN segment.

Note: If you enable DHCP, fields related to DHCP-related parameters appear and must be configured.

[DHCP-Related Fields]

IP Address Prefix (for DHCP)

Enter the IP prefix of the DHCP IP address pool. For example: 192.0.2.10/24.

Address Range Low

Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Address Range High

Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Maximum Lease Time

Specify the maximum duration (in seconds) for which a client can request and hold a lease on the DHCP server.

Range: 0 through 4,294,967,295 seconds.

Name Server

Specify one or more IPv4 addresses of DNS servers. To enter more than one DNS server address, type an address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.

Protocol

For dynamically routed LAN segments, select the routing protocol (BGP or OSPF) to be used by the data center department to learn routes from the data center.

BGP Configuration

 

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Peer IP Address

Enter the IP address of the BGP neighbor.

Peer AS Number

Enter the autonomous system (AS) number of the BGP neighbor.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

OSPF Configuration

 

OSPF Area ID

Specify the OSPF area identifier to be used for the dynamic route.

Authentication

Select the OSPF route authentication method to be used:

  • Password—Indicates that password-based authentication should be used. If you choose this option, you must specify the password. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

  • None—Indicates that no authentication should be used.

Password

Enter the password to be used to verify the authenticity of OSPF packets.

Confirm Password

Retype the password for confirmation purposes.

MD5 Auth Key ID

If you specified that MD5 should be used for authentication, enter the OSPF MD5 authentication key ID.

Range: 1 through 255.

Auth Key

If you specified that MD5 should be used for authentication, enter an MD5 authentication key, which is used to verify the authenticity of OSPF packets.
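
The ranges and dependencies in Table 2 lend themselves to a pre-entry check of a planned LAN segment, including whether a dynamically routed segment would be left on the BGP default of no authentication. The following Python check is an added example and is not part of CSO; the dictionary layout and key names are hypothetical, the requirement that the DHCP range lie inside the pool prefix is a sanity check added here, and reporting "None" authentication as a warning is a review policy assumed by this example.

```python
import ipaddress

AUTH_DEFAULT = {"BGP": "None", "OSPF": "Password"}   # defaults stated in Table 2

def validate_lan_segment(seg):
    """Return (errors, warnings) for a planned LAN segment (hypothetical dict layout)."""
    errors, warnings = [], []
    name = seg["name"]
    if not (name.isascii() and name.isalnum() and len(name) <= 15):
        errors.append("name: alphanumeric, no spaces, max 15 characters")
    if not 1 <= seg["vlan_id"] <= 4094:
        errors.append("VLAN ID must be 1 through 4094")
    # The page's example prefix (192.0.2.8/24) has host bits set: parse as an interface.
    ipaddress.ip_interface(seg["prefix"])            # raises ValueError if malformed
    dhcp = seg.get("dhcp")
    if dhcp:
        if seg["type"] != "Directly Connected":
            errors.append("DHCP is offered only for directly connected segments")
        pool = ipaddress.ip_interface(dhcp["prefix"]).network
        low, high = (ipaddress.ip_address(dhcp[k]) for k in ("low", "high"))
        if low > high or low not in pool or high not in pool:
            errors.append(f"DHCP range {low}-{high} must be ordered and inside {pool}")
        if not 0 <= dhcp["max_lease"] <= 4294967295:
            errors.append("maximum lease time must be 0 through 4,294,967,295 seconds")
        if any(ipaddress.ip_address(ns).version != 4 for ns in dhcp["name_servers"]):
            errors.append("name servers must be IPv4 addresses")
    if seg["type"] == "Dynamic Routed":
        rt = seg["routing"]
        auth = rt.get("auth", AUTH_DEFAULT[rt["protocol"]])
        if auth == "None":
            warnings.append(f"{rt['protocol']} session has no authentication configured")
        elif auth == "Use MD5":
            if not rt.get("auth_key"):
                errors.append("MD5 authentication requires an authentication key")
            if rt["protocol"] == "OSPF" and not 1 <= rt.get("key_id", 0) <= 255:
                errors.append("OSPF MD5 key ID must be 1 through 255")
        elif auth == "Password" and not rt.get("password"):
            errors.append("password authentication requires a password")
    return errors, warnings

# Constructed sample segments using documentation address ranges.
DHCP_SEG = {"name": "lan1", "type": "Directly Connected", "vlan_id": 100, "prefix": "192.0.2.8/24",
            "dhcp": {"prefix": "192.0.2.10/24", "low": "192.0.2.50", "high": "192.0.2.20",
                     "max_lease": 86400, "name_servers": ["192.0.2.53"]}}
ROUTED_SEG = {"name": "dcCore", "type": "Dynamic Routed", "vlan_id": 200, "prefix": "198.51.100.1/24",
              "routing": {"protocol": "BGP", "peer_ip": "198.51.100.2", "peer_as": 64512}}

if __name__ == "__main__":
    print(validate_lan_segment(DHCP_SEG))
    print(validate_lan_segment(ROUTED_SEG))
```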
