Your First SD-WAN Deployment

This document describes the steps required in order to create your first SD-WAN deployment. Figure 1 shows an overview of the steps that will be covered in this deployment example.

Figure 1: SD-WAN Deployment Workflow

Before You Begin

  • Provision your VMs and complete CSO installation according to the steps discussed in Contrail Service Orchestration Install and Upgrade Guide and

    Note

    If you are provisioning your VMs on a KVM-based hypervisor, you must complete the steps in Creating a Data Interface for a Distributed Deployment prior to provisioning. This step creates a required bridge interface for the VMs to communicate with the CPE devices.

  • Purchase an Advanced Policy-based Routing license for a vSRX. You must purchase a license that includes the appid-sig feature.

  • Download the required vSRX KVM appliance software image from the Juniper Networks Software Download site. For CSO Release 4.1.0, the required version is 15.1X49-D160.

  • Download the vSRX 15.1X49-D161 qcow2 software image from www.juniper.net/support/downloads to your computer. This software image is needed in order to instantiate the vSRX VNF on the NFX device later in the deployment.

Note

Make note of the physical interfaces that you select for use throughout this deployment example. These interfaces need to be connected to form the underlay networks over which the data and management traffic will travel.

Download Application Signatures

This section details how to download application signatures from Juniper onto your CSO installation. Downloading the signature database makes the application signatures available to install on your CPE device after it has been activated in a later step. These signatures are used for application identification within CSO.

From this point on in this deployment example, we assume that your CSO software is installed at 192.168.101.12 and that you know the login credentials for the cspadmin user of the Administration Portal.

  1. Open your web browser and in the URL field, enter https://192.168.101.12
  2. Enter the login credentials for the Administration Portal.

    By default, the username is cspadmin and the password is randomly generated during installation. If this is the first time logging into the Administration Portal, you must set a new password for the cspadmin user.

  3. Navigate to the Administration > Signature Database page.

    On this page, there is a list of available database versions, their publish dates, update summaries, and detector versions. The newest database is at the top of the list.

  4. Click the Full Download link under the Actions column.

    A pop-up window appears that shows the progress of the download. You can watch the progress here or dismiss the window by clicking OK. If you dismiss the progress window before the job completes, you can still access the job information by looking in Monitor > Jobs. The download job appears at the top of the list.

Once the download completes successfully, the new database version number appears in the Active Database portion of the page.

Upload Licenses

The licenses that you upload using this procedure are available to be pushed to your tenant devices during the ZTP process.

To upload the license for your vSRX gateway router (GWR) device:

  1. Navigate to the Administration > Licenses page.

    On this page is a list of all available device licenses. Since you have not installed any licenses yet, the list is empty.

  2. Click the + button at the top-right part of the list to add a license.

    The Add License window appears.

  3. Click the Browse button.

    This lets you locate the license file on your computer.

  4. Select a tenant or All Tenants from the Tenant pull-down menu.

    This associates the license file with a particular tenant or all tenants. If the license is associated with a particular tenant, then it can only be applied to devices that belong to that tenant.

  5. (Optional) Enter a description of the license file if desired.

You can repeat this procedure to upload as many licenses as you have.

Create and Configure a New Tenant

In this section we use the Administrator Portal to add a tenant to CSO.

  1. Select Tenants from the left-nav panel
  2. Click the Add Tenant button

    If there are no tenants created yet, Add Tenant will be a button. If there are tenants, click the “+” to create a new tenant.

  3. In the Add Tenant window that appears:
    • Enter a name for your tenant such as Tenant1

    • Fill in the Admin User information

    • Select the check-boxes next to all three Roles in the Available section and click the arrow link to move them to the Selected section

    • Set the User Password to never expire

    • Click Next

    • In the Deployment Type window, select the check-box next to SD-WAN Sites

      This activates the SD-WAN Mode section of the window.

    • Select the Bandwidth Optimized radio button

    • Click Next

      The window advances to the Tenant Properties section. For this example, browse the Tenant properties but do not make any changes.

    • Click Next

      The window advances to the Summary section. Review the summary.

    • Click OK

      A pop-up message appears that tells you that the Add Tenant job was started. After some time, your new tenant appears in the list of tenants.

    The preceding steps show only one of many possible combinations of settings that can be used to create an SD-WAN tenant.

Enable Application Traffic Type Profile

You can customize class-of-service and probe parameters with traffic type profiles. All traffic type profiles are disabled by default. A maximum of six traffic type profiles can be enabled at one time.

To enable application traffic type profiles:

  1. Navigate to the Configuration > Application Traffic Type Profiles page.

    Here you can see the built-in application traffic type profiles.

    Click OK.

  2. Click the check box next to Internet.
  3. Click the Pencil icon at the upper right part of the list.

    In the new window that appears, you can see the parameters that make up this profile.

  4. Click the Enable Toggle Switch next to Status.
  5. Click OK

This enables the profile for use in an Application SLA Profile that you create later.

Modify Device Templates

In this section, we modify an existing device template so that it works for this example.

  1. Navigate to Resources > Device Templates
  2. Find the device template named NFX250 as SD-WAN CPE.
  3. Select the check-box next to the template and then select Template Settings from the Edit Device Template pull-down menu.

    A new window titled Template Settings appears

  4. In the Template Settings window, ensure that the following things are set:
    • ACTIVATION_CODE_ENABLED: ON

      By requiring an activation code, a CPE device will not be allowed to communicate with CSO until the tenant has activated a site using the activation code. The value of the activation code will be set later in the process.

    • AUTO_DEPLOY_STAGE2_CONFIG: OFF

      Stage 2 configurations are configurations that can be added to a device after the initial, stage 1, provisioning of the device. This setting prevents the automatic deployment of a stage 2 configuration.

    • OOB_MGMT_ENABLED: OFF

      This setting ensures that the jmgmt0 interface is not enabled on the NFX device. Since this is a managed Internet service and the NFX device will be sitting on the customer’s premises, this setting is useful to prevent unwanted logins by the tenant.

    • USE_SINGLE_SSH_TO_NFX: ON

    Do not change any other settings.

  5. Select Save when finished.
  6. Find the device template named SRX as SDWAN Hub and select the check-box next to its name.
  7. From the Edit Device Template pull-down menu, select Template Settings
  8. In the Template Settings window that appears, make sure the following options are set:
    • ACTIVATION_CODE_ENABLED: OFF

    • ZTP_ENABLED: OFF

    • WAN_0: ge-0/0/3

    • WAN_1: ge-0/0/1

    • WAN_2: ge-0/0/0

    • WAN_3: ge-0/0/2

    Leave all the other settings at their default.

  9. Click Save when finished.

Upload Software Image for vSRX

The NFX appliance that you are using as a CPE will be in factory-default state. Therefore it will not have any vSRX images to instantiate. During the zero touch provisioning (ZTP) process, the NFX downloads the GWR (vSRX) image from CSO.

To upload a software image:

  1. Navigate to the Resources > Images page.

    Here you can see the software images that have been uploaded to CSO.

  2. Click the + button to create a new image.

    The Upload Image page that pops up requires that you fill in all of the fields except Description and Supported Platform.

  3. Name the image vsrx-vmdisk-15.1.qcow2
  4. Select VNF Image as the image type.
  5. Click Browse and select the .qcow2 software image that you downloaded previously.
  6. Select Juniper as the Vendor.
  7. Select juniper-vsrx as the Family.
  8. Fill in the Major Version Number, Minor Version Number, and Build Number as 15, 1, and X49-D161, respectively.
  9. Click Upload. CSO displays a progress window as the file is uploaded.

Create a Point of Presence (POP) for the Hub Site

A POP is a location within the service provider’s cloud in which PE routers and IPsec concentrators are located. It is a regionally located access point through which customers reach the CSO Portals and the cloud hub devices placed within it. SPs often place POPs in their network so that they are geographically close to customer sites.

  1. Navigate to the Resources > POPs page.

    Here you can see a list of POPs. If you have not created any POPs, the list is empty.

  2. At the top-right part of the list, click the + icon to create a new POP.

    A pop-up window appears that requires you to enter basic information about the POP such as POP name and Address Information.

  3. Give the POP a name that makes sense, like bay-area-pop, and enter the appropriate address information. CSO uses this information to place the POP on a map in certain monitoring screens.
  4. Click Next 4 times to advance through the next 4 screens.

    Since we will not be adding devices, virtual infrastructure managers (VIMs), or element management systems (EMS) to this POP, we can advance through these pages until we arrive at the summary page.

Create Cloud Hub Device

A cloud hub device resides in a regional POP within the service provider’s network or cloud. Cloud hub devices can be shared amongst multiple tenants through the use of virtual routing and forwarding (VRF) instances configured on the hub itself.

  1. Navigate to the Resources > Cloud Hub Devices page.

    Here you can see a list of all cloud hub devices, their POP, and site associations, status, model, serial number, and OS version.

  2. At the top-right part of the list, click the + icon to add a cloud hub device.

    A new window appears titled Add Cloud Hub Device.

  3. Fill in the following information in this window:
    • Name the hub something that makes sense, like Cloud-Hub-1

    • Management Region: Regional

      There is currently no other option for this.

    • POP: <Select the POP that you just created from the pull-down menu>

    • Capability: DATA_AND_OAM

      This allows both operation, administration, and maintenance (OAM) and user data to traverse this device. It ensures that CSO can manage on-premises CPE devices through this hub device.

    • Device Template: SRX_as_SDWAN_Hub

      Other options for the hub device template also populate the list. The list is built from the Device Templates on the Resources > Device Templates page. Multiple tenants can share this hub. There is usually one hub per POP.

  4. In the Configuration section, select the Connectivity tab, and fill in the form as follows:
    • Authentication: Pre-shared Key

      You can choose Public Key Infrastructure if you have the proper certificates set up.

    • Loopback IP Prefix: Enter a /32 IP address prefix, such as 10.10.10.123/32, as the loopback address for the CPE device.

      Be sure to use an address that works within your network. This address is used for BGP peering. The IP address prefix must be a /32 IP address prefix and must be unique across the entire management network.

    • OAM Interface: Enter ge-0/0/3 as the OAM Interface of the Cloud Hub device.

      Note

      The device template that was modified earlier contained interface assignments for WAN_0 and WAN_1 interfaces. You must choose an unused interface.

    • OAM VLAN ID: <Leave blank>

      Note

      You can enter a VLAN ID if one is needed in your network. If you specify an OAM VLAN ID, then all in-band OAM traffic reaches the site through the selected OAM interface. The range is 0 through 65535

    • OAM IP Prefix: Enter an IP address prefix, such as 10.100.100.11/32

      The OAM IP Prefix must be unique across the entire management network.

      Note

      For SRX Series services gateways like we are using in this example, always use a /32 prefix.

    • OAM Gateway: <Enter an IP address, such as 10.100.100.1>.

      This is the IP address of the next-hop on the management network through which CSO connectivity must be established.

    • Click the check box under the WAN_0 section to enable the WAN_0 interface of the Hub device.

      The physical device interface is already chosen from the value in the device template and cannot be altered here.

    • Link Type: <Leave as MPLS>

      Note

      Internet is the other available link type. Since there is usually only one MPLS connection to any given service provider, any other WAN connections that you set up will likely have the link type set to Internet.

    • Address Assignment: Static

    • Static IP Prefix: <Enter an IP address prefix, such as 172.21.22.1/29>

      This represents the hub-side address of the hub-to-cpe network connection.

    • Gateway IP Address: Enter an IP address, such as 172.21.22.2

      This is the IP address of the GWR on the NFX250 at the customer site.

      Note

      Enable the other WAN interfaces for your Cloud Hub device as appropriate.

    • Select the Devices tab

    • Under Device Details, Enter the serial number of the hub device.

  5. Click OK when you’re finished.

    A pop-up message tells you that the device is being added. When the add completes, the list refreshes and shows the new cloud hub device in EXPECTED state under Management Status.

  6. Select the check-box next to the new cloud hub device
  7. Click the Activate Cloud Hub Device button at the top right of the list

    A new window appears that shows the stages of activation. The stages should flow from EXPECTED to DEVICE_DETECTED to Stage-one configuration applied to Bootstrap successful to Device Active.

  8. Click OK.

    The Activate Device window closes and your device is listed as PROVISIONED in the Management Status column. Once your cloud hub device is in the PROVISIONED state, you can proceed to the next step.
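The connectivity form above carries several rules that are easy to get wrong by hand: the loopback and OAM prefixes must be /32 and unique across the management network, the OAM interface must not be one the device template already assigns to a WAN_n slot, and the WAN static prefix and its gateway must be on the same subnet. The following pre-flight validator is an added example, not code from the CSO documentation or product; the field names, the constructed sample form, and the check structure are assumptions that mirror the form fields in this procedure, and the template interface mapping is taken from the SRX as SDWAN Hub template settings earlier on this page. Run against the values in this procedure, it flags ge-0/0/3 because that template assigns the interface to WAN_0, which is exactly the rule the note under OAM Interface states; substitute an interface the template leaves unused.

```python
import ipaddress

# Constructed sample of the Cloud Hub connectivity form (not exported from CSO).
SAMPLE_FORM = {
    "loopback_ip_prefix": "10.10.10.123/32",
    "oam_interface": "ge-0/0/3",
    "oam_ip_prefix": "10.100.100.11/32",
    "oam_gateway": "10.100.100.1",
    "wan": {
        "WAN_0": {"static_ip_prefix": "172.21.22.1/29", "gateway": "172.21.22.2"},
    },
}

# Interface assignments from the "SRX as SDWAN Hub" template settings on this page.
HUB_TEMPLATE_WAN_INTERFACES = {
    "WAN_0": "ge-0/0/3",
    "WAN_1": "ge-0/0/1",
    "WAN_2": "ge-0/0/0",
    "WAN_3": "ge-0/0/2",
}


def _host_prefix(value, field, problems):
    """Parse a /32 prefix; record a problem and return None if it is not one."""
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError as exc:
        problems.append(f"{field}: not a valid IP prefix ({exc})")
        return None
    if iface.network.prefixlen != 32:
        problems.append(f"{field}: must be a /32 prefix, got /{iface.network.prefixlen}")
        return None
    return iface.ip


def check_hub_connectivity(form, existing_mgmt_addresses, template_wan_interfaces):
    """Return a list of problems with the form; an empty list means it passes.

    existing_mgmt_addresses: loopback/OAM addresses already in use on the
    management network, for the uniqueness rule the procedure states.
    """
    problems = []
    in_use = {ipaddress.ip_address(a) for a in existing_mgmt_addresses}

    # Loopback and OAM prefixes: host routes, unique, and different from each other.
    loopback = _host_prefix(form["loopback_ip_prefix"], "Loopback IP Prefix", problems)
    oam = _host_prefix(form["oam_ip_prefix"], "OAM IP Prefix", problems)
    for name, addr in (("Loopback IP Prefix", loopback), ("OAM IP Prefix", oam)):
        if addr is not None and addr in in_use:
            problems.append(f"{name}: {addr} is already used on the management network")
    if loopback is not None and loopback == oam:
        problems.append("Loopback and OAM prefixes must be different addresses")

    # OAM gateway is the next hop toward CSO, so it must at least be a valid address.
    try:
        ipaddress.ip_address(form["oam_gateway"])
    except ValueError as exc:
        problems.append(f"OAM Gateway: {exc}")

    # The OAM interface must be one the template has not already given to a WAN slot.
    taken = {intf: slot for slot, intf in template_wan_interfaces.items()}
    if form["oam_interface"] in taken:
        problems.append(
            f"OAM Interface: {form['oam_interface']} is already assigned to "
            f"{taken[form['oam_interface']]} by the device template")

    # Each enabled WAN link: hub-side prefix and CPE-side gateway share a subnet and differ.
    for slot, wan in form["wan"].items():
        try:
            hub_side = ipaddress.ip_interface(wan["static_ip_prefix"])
            gateway = ipaddress.ip_address(wan["gateway"])
        except ValueError as exc:
            problems.append(f"{slot}: {exc}")
            continue
        if gateway not in hub_side.network:
            problems.append(f"{slot}: gateway {gateway} is outside {hub_side.network}")
        elif gateway == hub_side.ip:
            problems.append(f"{slot}: gateway must differ from the hub address {hub_side.ip}")
    return problems


if __name__ == "__main__":
    for problem in check_hub_connectivity(SAMPLE_FORM, ["10.10.10.1"],
                                          HUB_TEMPLATE_WAN_INTERFACES):
        print("PROBLEM:", problem)
```

Feed it the addresses already allocated to other hubs as `existing_mgmt_addresses` before clicking OK; CSO will reject a duplicate later, but catching it here saves an activation cycle.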

Create and Configure the Tenant’s Hub Site

In this section, we continue in the Customer Portal for your new tenant to create a cloud hub site that will connect with the spoke site that we created in the previous section.

A cloud hub site is the site on the SP’s network at which the cloud hub device resides. The cloud hub site is associated with a POP.

Ensure that you are on the Sites page in the Customer Portal of your new tenant.

  1. From the Add pull-down menu on the Sites page, select Cloud Hub Site

    A new window, titled Add Cloud Site, appears.

  2. Fill in the information requested in this window as follows:
    • Site Name: <Enter a site name that makes sense for your deployment, such as cloud-hub-site1>.

      Note

      Site name must match hub device name.

    • Cloud Hub Type: Cloud Hub

    • In the Address Section, fill in appropriate address information.

      The fields in this section are optional.

    • In the Contact Information, fill in appropriate contact information.

      The fields in this section are optional.

    • In the Configuration section, select the POP and Hub Device Name

      The POP must exist and the hub device must be activated for it to show up in the list.

  3. Click OK when finished

Create and Configure a Spoke Site for the Tenant

In this section, we move to the Customer Portal for the newly configured tenant in order to create a site.

This procedure begins in the Tenants window of the Administration Portal at the list of tenants.

  1. Click on the name of the tenant that you just created

    This will take you to the Customer Portal for that tenant. The Dashboard is displayed.

  2. Select Sites link from the left-nav bar
  3. In the Sites window that appears, click the Add On-premise Spoke Site

    A new window titled Add Site for <Tenant> appears.

  4. Fill out the information in the Site Information section.

    The only required information in this window is the site name.

  5. Click Next

    This brings up the Connectivity Requirements section.

  6. Under Connection Plan, click the left (<) or right (>) arrow until you see the NFX250 as SD-WAN CPE box. Click on that box.

    This activates the Connectivity Requirements for the Selected Plan section.

  7. Select the Enable check-box next to Wan_0

    Fill in the following connectivity requirements

    • Type: MPLS

    • Access Type: Ethernet

    • Subscribed Bandwidth: 2Mbps

    • Provider: MPLS-Service-Provider

    • Cost/Month: 1000

      This number is used in SD-WAN link-switch calculations.

    • Local Breakout: Off

  8. Select the Enable check-box next to Wan_1

    Fill in the following connectivity requirements

    • Type: MPLS

    • Access Type: Ethernet

    • Subscribed Bandwidth: 25Mbps

    • Provider: Internet-Service-ProviderA

    • Cost/Month: 100

      This number is used in SD-WAN link-switch calculations.

    • Local Breakout: Off

  9. Click Next when finished

    The window advances to the Additional Requirements Section

  10. Select Wan_1 in the Default Links field

    This setting determines the default forwarding path for all traffic. All traffic leaving the spoke will traverse the WAN_1 link. WAN_0 should go mostly unused until SD-WAN policies are created that cause mission-critical data to be sent over the WAN_0 link.

    Note

    If you accidentally select the wrong link as the default, you can remove it from the list by clicking the small ’x’ on the left of the link name in the field. You can add the proper link before or after removing the improper one.

  11. Click Next when finished

    The window advances to the LAN Segments section

    A notification appears in this section indicating that you must create at least one LAN segment.

  12. Click the Add LAN Segment button

    A new window appears titled Add LAN Segment

    Fill in the following information in this window:

    • Name: LAN2

    • Type: Directly Connected

    • Ports: LAN_2 (ge-0/0/2)

    • VLAN ID: <Leave blank>

    • IP Address Prefix: 172.40.1.2/24

      The address shown is just an example. When deploying, use an address prefix that makes sense for the site you are creating.

    • Department: <Leave as Default>

      In CSO, spoke site departments equate to security zones on the GWR. In this example, the Default security zone will be used later when we create security policies. Creating multiple departments for the spoke site creates multiple security zones with the same names on the GWR.

    • DHCP: Off

  13. Click Save when finished

    The Add LAN Segment window closes

  14. Click Next

    The window advances to the Summary section.

  15. Review the Summary section
  16. Click OK when you’re finished reviewing

    You will see pop-up messages appear for site creation job start and site creation job finished.

We create the spoke site first so that we can establish the departments (security zones) that will be used by the tenant. We cannot create a hub site until this is determined. If you attempt to create a hub site before creating a spoke site, CSO displays an error.

Likewise, one of the steps in configuring the spoke site is to associate it with a hub. Therefore, we cannot configure the site until after the hub has been created.

Install License on Device

To install a license on a device, you use the Administration Portal.

  1. Navigate to Administration > Licenses.

    The Licenses page appears, listing the license files that you uploaded.

  2. Click the check box next to the license file that you uploaded in step 3.
  3. Click the Push License button at the upper-right part of the list and select Push.

    The Push License window appears.

  4. Select the name of the tenant that you created previously from the Tenant pull-down menu.

    Your sites and devices appear under Sites and Devices.

  5. Select the check box next to your tenant site to push the license to the CPE device at that site.

Install Application Signature

This step allows the CPE device to obtain the signature database needed for application identification.

To install an application signature:

  1. Navigate to Administration > Signature Database

    Because you completed the signature download previously, the Active Database section now shows the version number of the downloaded database.

  2. Click the Install on Device link under the Actions column.

    In the new window that appears, you can elect to push the signatures to any device listed.

  3. Select the check box next to the NFX250 device
  4. Click OK

Add Firewall and NAT Policies to the Topology

In this section, we use the Customer Portal for your new tenant and create an intent-based firewall policy that blocks icmp-ping traffic.

  1. In the Customer Portal for your tenant, navigate to Configuration > Firewall > Firewall Policy.

    This brings up the Firewall Policy page. Here you can see a list of policies. If this is the first time looking at the page, the list is empty.

  2. Click the + to create a new firewall policy.

    This brings up a policy builder window with the Select Source area active.

  3. Select Any from the ADDR section of the list.
  4. Click the Action circle

    This brings up a list of actions: Allow, Deny, and Reject.

  5. Select Deny from the list

    This changes the action circle to match the icon for the Deny action.

  6. Click the + in the Select Destination section

    This brings up a list of destinations.

  7. Click the View More Results link at the bottom of the list

    This causes a slide-out panel to appear on the right side of the screen.

  8. Enter icmp-ping in the field at the top of the panel

    This filters all of the list sections below the field. The numbers to the right of each collapsed section adjust to show how many entries matching icmp-ping each section contains.

  9. Click the > next to the Services [SVCS] section

    This shows the icmp-ping item within the services section.

  10. Click the check-box next to icmp-ping

    This activates the Check Mark button at the top of the panel.

  11. Click the Check Mark

    This adds the icmp-ping service to the destination list.

  12. Click Save

    This closes the policy builder and shows the new policy in the list.

  13. Click the Deploy button

    This brings up a Deploy window. Here you can select to run the policy deployment now or schedule it to run later.

  14. Click Deploy

    Deployment progress bars appear as CSO deploys the policy. When it finishes, the Total Intents count increases from 0 to 1.

The policy can be implemented at any time for any site within this tenant.

Create SD-WAN SLA Profiles and Policies

In this section, we use the Customer Portal to configure an SD-WAN Application SLA Profile and SD-WAN Policy to specify that Microsoft Outlook traffic should pass over the WAN_0 overlay link rather than the default link, WAN_1.

  1. Navigate to Configuration > SD-WAN > Application SLA Profile
  2. Click the + to create a new profile

    This brings up a Create SLA Profile window.

    In the new window, fill in the following information

    • Name: <Enter a name for the profile, such as Internet-SLA>

    • Priority: 5

      Priority value 1 is the highest priority. Higher priority profiles (lower numbers) take precedence over lower priority ones during SD-WAN events.

    • Traffic Type Profile: INTERNET

    • Path Preference: Internet

    • Packet Loss: Drag the slider to 20%

    • RTT: 20

    • Jitter: 10

    • Throughput: 5

  3. Click OK

    This causes the window to close. The new profile appears in the list.

  4. Navigate to Configuration > SD-WAN > SD-WAN Policy

    This brings up the SD-WAN policy page which includes a list of all SD-WAN policies.

  5. Click the + at the upper right part of the list to create a new policy

    This brings up a policy builder with the Source section activated.

    The Source defaults to All Sites. The Application section defaults to Any.

    Leave these at their default.

  6. Click + Select SLA Profile

    This brings up a list of available profiles.

  7. Select Internet-SLA from the list.
  8. Click Save

    This closes the builder window and shows the list of SD-WAN Policies.

  9. Click the Deploy button

    This brings up a Deploy window. Here you can select to run the policy deployment now or schedule it to run later.

  10. Click Deploy

    Deployment progress bars appear as CSO deploys the policy. When it finishes, the Total Intents count increases from 0 to 1.
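To make concrete how an Application SLA Profile, its path preference, and the per-link Cost/Month entered on the spoke site combine in a link-switch decision, here is an added example of that evaluation. It is not CSO's or Junos's own algorithm; it is a simplified model written for this page. Units for RTT and jitter (milliseconds) and throughput (Mbps) are assumptions, since the form does not state them, and the probe results are constructed sample data. It uses the profile values and the two spoke WAN links from the procedures above, and generalizes them to any number of links and profiles: compliant links are preferred, the profile's path preference decides among them, cost breaks ties, and if no link meets the SLA the traffic stays on the site's default link rather than being dropped.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SlaProfile:
    name: str
    priority: int           # 1 is the highest priority
    path_preference: str    # "Internet" or "MPLS"
    max_packet_loss: float  # percent, as on the slider
    max_rtt: float          # milliseconds (assumed unit)
    max_jitter: float       # milliseconds (assumed unit)
    min_throughput: float   # Mbps (assumed unit)


@dataclass(frozen=True)
class WanLink:
    name: str
    link_type: str          # "MPLS" or "Internet"
    cost_per_month: int     # the Cost/Month value from the spoke site form
    is_default: bool        # selected under Default Links on the spoke site


@dataclass(frozen=True)
class Probe:
    """One round of probe measurements for a link (constructed sample data)."""
    packet_loss: float
    rtt: float
    jitter: float
    throughput: float


# Values from the Create SLA Profile step above.
INTERNET_SLA = SlaProfile("Internet-SLA", priority=5, path_preference="Internet",
                          max_packet_loss=20, max_rtt=20, max_jitter=10, min_throughput=5)

# The two WAN links configured on the spoke site above.
SPOKE_LINKS = [
    WanLink("WAN_0", "MPLS", cost_per_month=1000, is_default=False),
    WanLink("WAN_1", "Internet", cost_per_month=100, is_default=True),
]

# Constructed probe results: one healthy round, one where WAN_1 degrades.
HEALTHY = {"WAN_0": Probe(0.1, 15, 2, 8), "WAN_1": Probe(1.0, 12, 3, 20)}
WAN1_DEGRADED = {"WAN_0": Probe(0.1, 15, 2, 8), "WAN_1": Probe(35.0, 90, 25, 20)}


def sla_violations(profile, probe):
    """Return the threshold names the probe violates; an empty list means compliant."""
    violations = []
    if probe.packet_loss > profile.max_packet_loss:
        violations.append("packet_loss")
    if probe.rtt > profile.max_rtt:
        violations.append("rtt")
    if probe.jitter > profile.max_jitter:
        violations.append("jitter")
    if probe.throughput < profile.min_throughput:
        violations.append("throughput")
    return violations


def select_link(profile, links, probes):
    """Choose the link for traffic matched to `profile`.

    Among SLA-compliant links, a link whose type matches the profile's path
    preference wins, then the cheaper one. With no compliant link, fall back to
    the default link so the traffic is never blackholed.
    """
    compliant = [link for link in links if not sla_violations(profile, probes[link.name])]
    if not compliant:
        return next(link for link in links if link.is_default)
    return min(compliant, key=lambda link: (link.link_type != profile.path_preference,
                                            link.cost_per_month))


def order_profiles(profiles):
    """Evaluation order for competing profiles: priority 1 first, as the page states."""
    return sorted(profiles, key=lambda profile: profile.priority)


if __name__ == "__main__":
    for label, probes in (("healthy", HEALTHY), ("WAN_1 degraded", WAN1_DEGRADED)):
        chosen = select_link(INTERNET_SLA, SPOKE_LINKS, probes)
        print(f"{label}: send {INTERNET_SLA.name} traffic over {chosen.name}")
```

With the healthy probes the Internet path preference keeps the traffic on WAN_1; when WAN_1 exceeds the loss, RTT and jitter thresholds, the traffic moves to WAN_0 despite its higher cost, and it returns once WAN_1 is compliant again.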