An enterprise hub is an SD-WAN site that is used to carry site-to-site traffic between on-premise spoke sites and to break out backhaul (central breakout) traffic from on-premise spoke sites. An enterprise hub typically has a data center department behind it; however, this is not enforced in Contrail Service Orchestration (CSO). The following device templates are supported for enterprise hubs:
SRX as SD-WAN CPE (vSRX only)
Dual SRX as SD-WAN CPEs
SRX4x00 as SD-WAN CPE
Dual SRX4x00 as SD-WAN CPEs
To add an enterprise hub:
Note: You can add enterprise hubs only for tenants with real-time optimized SD-WAN mode.
The Sites page appears.
The Add Enterprise Hub for Tenant-Name page appears.
Note: Fields marked with an asterisk (*) are mandatory.
To create an enterprise hub with only SD-WAN capability, complete configuration settings according to guidelines provided in Table 56.
To create an enterprise hub with both SD-WAN and LAN capabilities, complete configuration settings according to guidelines provided in Table 56 for the WAN capability and Table 57 for LAN capability.
The site activation job is initiated and the Site Activation: Site-Name page appears, displaying the progress of the steps executed for activating the enterprise hub and the switch (when LAN capability is selected). The enterprise hub is activated first, and then the process to activate the switch is initiated.
Go to the next step if you have selected LAN capability for the site.
To activate the switch, you must manually configure the stage-1 configuration on the switch.
The Stage-1 Configuration page appears displaying the stage-1 configuration.
After the stage-1 configuration is committed, the switch has the outbound SSH configuration to connect with CSO. CSO then executes the bootstrap and provisioning processes on the switch and completes provisioning the switch.
Table 56: Add Enterprise Hub for <Tenant-Name> Settings (WAN Capability)
Field | Description |
---|---|
General | |
Site Information | |
Site Name | Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 10 characters. |
Site Group | Select a site group to which you want to assign the site. |
Site Capabilities | |
WAN Capabilities | SD-WAN capability is selected by default. You cannot clear the selection. |
LAN Capabilities | Select LAN if you want to include LAN capability in the enterprise hub site. |
Configuration | |
Primary Provider Hub | Select the provider hub site (or primary provider hub site in case of multihoming) to which you want to connect the enterprise hub site. If you do not specify a provider hub site, then the enterprise hub site can connect only to the on-premise spoke sites that are associated with the enterprise hub site. If you specify a provider hub site, then the enterprise hub site can also connect to the on-premise spoke sites to which that provider hub site is associated. |
Secondary Provider Hub | Select the secondary provider hub site (in case of multihoming) to which you want to connect the enterprise hub site. When the primary provider hub is down, the enterprise hub connects to the secondary provider hub and the on-premise spoke sites to which that provider hub site is associated. |
On-Demand VPN Threshold | |
Threshold for Tunnel Creation | Specify the threshold for the number of sessions (flows) closed (in a two-minute duration) between the enterprise hub and a destination site. When the number of sessions closed exceeds the specified threshold, a tunnel is created between the enterprise hub and the destination site. The default value is 5. For example, if you specify the Create Threshold as 5, dynamic VPN tunnels are created if the number of sessions closed between the enterprise hub and destination site exceeds 5 in 2 minutes. |
Threshold for Tunnel Deletion | Specify the threshold for the number of sessions closed (in a 15-minute duration) between the enterprise hub and a destination site. When the number of sessions closed is lower than the specified threshold, the tunnel between the enterprise hub and destination site is deleted. The default value is 2. For example, if you specify the number of sessions closed as 2, dynamic VPN tunnels between the enterprise hub and destination site are deleted if the number of sessions closed is less than or equal to 2. |
Address and Contact Information | |
Street Address | Enter the street address of the site. |
City | Enter the name of the city where the site is located. |
State/Province | Select the state or province where the site is located. |
ZIP/Postal Code | Enter the postal code for the site. |
Country | Select the country where the site is located. You can click the Validate button to verify the address that you specified. |
Contact Name | Enter the name of the contact person for the site. |
E-mail | Enter the e-mail address of the contact person for the site. |
Phone | Enter the phone number of the contact person for the site. Click Next to continue. |
Advanced Configuration | |
Name Server IP List | Specify one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses. |
NTP Server | Specify the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers. Example: ntp.example.net. The site must have DNS reachability to resolve the FQDN during site configuration. |
Select Timezone | Select the time zone of the site. |
WAN | |
Device Profile | |
Device Series | Select the device series to which the CPE belongs. |
Device Template | Select a device template for the selected device series. The device template contains information for configuring a device. |
Device Information | |
Serial Number | Enter the serial number of the CPE device. Note: Primary Serial Number and Secondary Serial Number fields appear when a template for dual CPE is selected. |
Auto Activate | Click the toggle button to enable (default) or disable automatic activation of the CPE device. When you enable this field, zero-touch provisioning (ZTP) of the CPE device is automatically triggered after the site is added to CSO. The device template that you select determines whether this option is enabled or disabled by default. |
Boot image | Select the boot image from the drop-down list if you want to upgrade the image for the CPE device. The boot image is the latest build image uploaded to the image management system. The boot image is used to upgrade the device when CSO starts the ZTP process. If the boot image is not provided, the device skips the image upgrade procedure. The boot image list is populated based on the device template that you selected while creating the site. See Uploading a Device Image. |
Firewall Policies | Select a firewall policy to be applied on the site. |
WAN Links | |
WAN_0 | This field is enabled by default. Enter parameters related to WAN_0. Fields marked with an asterisk (*) must be configured to proceed. |
Link Type | Select whether the link would be an MPLS link or Internet link. |
Egress Bandwidth | Enter the maximum bandwidth (in Mbps) that the CPE allows towards the WAN link. Range: 1 through 10,000. |
Address Assignment | Select the method of assigning an IP address to the WAN link—DHCP or STATIC. If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link. |
Static IP Prefix | If you configured the address assignment method as STATIC, enter the IP address prefix of the WAN link. |
Gateway IP Address | If you configured the address assignment method as STATIC, enter the IP address of the gateway of the WAN service provider. |
Advanced Settings | |
Provider | Enter the name of the service provider providing the WAN service. |
Cost/Month | Enter the cost for using the WAN link per month and select the currency in which the cost is indicated from the adjacent drop-down list. Range: 1 through 10,000. In bandwidth-optimized SD-WAN, CSO uses this information to identify the least-expensive link to route traffic when multiple WAN links meet SLA profile parameters. |
Enable Local Breakout | Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled. |
Breakout Options | When the Enable Local Breakout field is enabled, select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic. |
Autocreate Source NAT Rule | If the WAN link is enabled for local breakout, you can click the toggle button to automatically create an interface-based source NAT rule on the WAN link. The automatically created source NAT rule is implicitly defined and applied to the site and is not visible on the NAT Policies page. By default, this field is disabled. Note: If this option is enabled for a WAN interface W1 during the site addition workflow, a series of NAT source rules are automatically created. Each automatically created NAT rule is from a zone to the WAN interface, with a translation of type interface. Each [zone - interface] pair represents a rule-set. For example, the following zone-to-W1 rule-sets might be created: Zone1 --> W1: Translation=Interface; Zone2 --> W1: Translation=Interface; Zone3 --> W1: Translation=Interface. To manually override any of these rules, create a NAT rule within the particular rule-set. For example, to use a source NAT pool instead of an interface for translation, create a NAT rule within that rule-set that includes the relevant zone and WAN interface as the source and destination, for example: Zone1 --> W1: Translation=Pool-2. The manually created NAT rule is placed at a higher priority than the corresponding automatically created NAT rule. You can also add other fields (such as addresses, ports, protocols, and so on) as part of the source or destination endpoints, for example: Zone1, Port 56578 --> W1: Translation=Pool-2. |
Preferred Breakout Link | Click the toggle button to enable the WAN link as the most preferred breakout link. If you disable this option, then the breakout link is chosen using ECMP from the available breakout links. |
Use For Fullmesh | Click the toggle button to specify whether the WAN link can be a part of a full mesh topology. A site can have a maximum of three links enabled for meshing. |
Mesh Overlay Link Type | When the Use for Fullmesh field is enabled, select the type of mesh overlay link: GRE or GRE_IPSEC. |
Mesh Tag | When the Use for Fullmesh field is enabled, enter the tag to be associated with the WAN link for creating tunnels. You can assign only one tag to the link. Matching mesh tags is one of the criteria used to form tunnels between sites that support meshing. For more information about mesh tags, see Mesh Tags Overview. |
Connects to Hubs | Click the toggle button to specify that the WAN link of the site connects to a hub. |
Use for OAM Traffic | If you have specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link. This WAN link is then used to establish the OAM tunnel. |
Overlay Tunnel Type | Select the mesh overlay tunnel type: GRE or GRE_IPSEC. MPLS links can have either GRE or GRE_IPSEC as the overlay link type, whereas Internet links can have only GRE_IPSEC as the overlay link type. |
Overlay Peer Device | Displays the peer hub device to which the site is connected. |
Overlay Peer Interface | Select the interface name of the hub device to which the WAN link of the site is connected. |
Backup Link | Select a backup link through which traffic can be routed when the primary (other) links are unavailable. You can select any link other than the default links or links that are configured exclusively for local breakout traffic. When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, SLA data is not monitored for the backup link. |
Default Link | Select one or more links that will be used for routing traffic in the absence of matching SD-WAN policy intents. A site can have multiple default links to the hub site. Default links are used primarily for overlay traffic but can also be used for local breakout traffic. However, a default link cannot be used exclusively for local breakout traffic. If you do not specify a default link, then equal-cost multipath (ECMP) is used to choose the link on which to route traffic. |
Data VLAN ID | Enter a VLAN ID for the WAN link. Range: 2 through 4093. |
WAN_1 | Click the toggle button to enable or disable (default) the WAN link. When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 for an explanation of the fields. |
WAN_2 | Click the toggle button to enable or disable (default) the WAN link. When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 for an explanation of the fields. |
WAN_3 | Click the toggle button to enable or disable (default) the WAN link. When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 for an explanation of the fields. |
Management Connectivity | |
IP Prefix | Enter an IPv4 address prefix for the loopback interface on the CPE device. The IP address prefix must be a /32 IP address prefix and must be unique across the entire management network. If you do not specify an IPv4 address prefix, CSO automatically assigns the IP prefix from the reserved pool 100.124.0.0/14. |
Refer to Table 58 for configuring LAN segments.
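The two On-Demand VPN Threshold rows in Table 56 describe a hysteresis rule: a tunnel is created when more than the creation threshold of sessions close within 2 minutes, and deleted once the 15-minute count falls to the deletion threshold or below (the page's own example uses "less than or equal to"). The following Python model is an added example, not CSO code or anything from this page; the class and function names, and the session-close events it feeds in, are constructed for illustration, with timestamps in seconds.

```python
"""Added example (not CSO code): a model of the on-demand VPN threshold
rules from Table 56. Session-close events are constructed; timestamps are
seconds. Class and function names are assumptions for this example."""
from collections import deque

CREATE_WINDOW = 120   # tunnel creation is judged over a 2-minute window
DELETE_WINDOW = 900   # tunnel deletion is judged over a 15-minute window


class OnDemandTunnelPolicy:
    """Tracks session closes per destination site and decides when a dynamic
    tunnel from the enterprise hub should be created or torn down."""

    def __init__(self, create_threshold=5, delete_threshold=2):
        self.create_threshold = create_threshold   # page default: 5
        self.delete_threshold = delete_threshold   # page default: 2
        self.closes = {}       # destination site -> deque of close timestamps
        self.tunnels = set()   # destination sites that currently have a tunnel
        self.actions = []      # (timestamp, "create" | "delete", destination)

    def session_closed(self, dest, ts):
        """Record one closed session (flow) towards dest and re-evaluate."""
        self.closes.setdefault(dest, deque()).append(ts)
        self._evaluate(dest, ts)

    def tick(self, ts):
        """Periodic re-evaluation so idle tunnels are deleted without new events."""
        for dest in list(self.closes):
            self._evaluate(dest, ts)

    def _recent(self, dest, ts, window):
        """Number of closes towards dest in the last `window` seconds."""
        q = self.closes.setdefault(dest, deque())
        # closes older than the longest window can never matter again
        while q and q[0] <= ts - DELETE_WINDOW:
            q.popleft()
        return sum(1 for t in q if t > ts - window)

    def _evaluate(self, dest, ts):
        if dest not in self.tunnels:
            # more than create_threshold closes in 2 minutes -> build the tunnel
            if self._recent(dest, ts, CREATE_WINDOW) > self.create_threshold:
                self.tunnels.add(dest)
                self.actions.append((ts, "create", dest))
        elif self._recent(dest, ts, DELETE_WINDOW) <= self.delete_threshold:
            # at most delete_threshold closes in 15 minutes -> tear the tunnel down
            self.tunnels.discard(dest)
            self.actions.append((ts, "delete", dest))


def run_burst_then_idle():
    """Constructed scenario: six closes in one minute, then silence."""
    p = OnDemandTunnelPolicy()
    for ts in range(0, 60, 10):   # closes at 0, 10, ..., 50
        p.session_closed("site-B", ts)
    p.tick(500)                   # still inside the 15-minute window: keep
    p.tick(950)                   # burst has aged out: delete
    return p.actions


def run_steady_trickle():
    """Constructed scenario: a burst creates the tunnel, then one close per
    minute (never >5 in 2 minutes) is enough to keep it up."""
    p = OnDemandTunnelPolicy()
    for ts in range(0, 60, 10):
        p.session_closed("site-B", ts)
    for ts in range(60, 1800, 60):
        p.session_closed("site-B", ts)
    p.tick(1800)
    return p.actions


if __name__ == "__main__":
    print(run_burst_then_idle())   # [(50, 'create', 'site-B'), (950, 'delete', 'site-B')]
    print(run_steady_trickle())    # [(50, 'create', 'site-B')]
```

The two scenarios show why the windows differ: the short creation window demands a genuine burst before a tunnel is built, while the long deletion window prevents a tunnel from flapping when traffic merely thins out.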
Table 57: Add Enterprise Hub for <Tenant-Name> Settings (LAN Capability)
Field | Description |
---|---|
LAN Note: This tab is enabled only if you select LAN under LAN Capabilities in General Settings. | |
Device Profile | |
Device Name | Enter a name for the switch. You can use alphanumeric characters and hyphen (-). The maximum length allowed is 15 characters. |
Device Type | Select the type of switch: EX2300, EX3400, or EX4300. |
Device Model | Select the model for the switch type you specified in the Device Type field. The models vary in the number and type of ports the switch contains. For example, if you selected EX3400, select a model such as EX3400-24P, EX3400-48P, or EX3400-24T. |
CPE Settings | |
Trunk Ports | Select at least two trunk ports on the CPE device to connect with the switch. The trunk ports are used for carrying the following: |
Switch Management Subnet | Specify the subnet that the DHCP can use to assign IP addresses. The DHCP server runs on the following ports: |
Switch Details | |
Serial Number | Specify the serial number of the switch. |
Auto Activate | Click the toggle button to enable or disable automatic activation of the switch when the switch is detected by CSO (that is, the management status of the device is Device_Detected). When you enable this field, zero-touch provisioning (ZTP) of the switch is automatically triggered when the device communicates with CSO. By default, auto activation for the switch follows the Auto Activate setting of the CPE. Note: You must physically connect the switch to the CPE and power it on for the switch to be automatically activated when you enable this option. |
Activation code | When the Auto Activate field is disabled, enter the activation code to be used for manually activating the switch. For information about manually activating a switch, see Manually Activating a Switch. |
Zero Touch Provisioning | ZTP must be disabled for all EX Series switches for the CSO 5.0.0 release. The Stage-1 configuration must be copied and pasted onto the CLI of the switch during site activation. See Step-by-Step Procedure for details. |
LAN Segments | Displays the LAN segments that you configure on the switch. To add a LAN segment, click the + icon in the top-right corner of the LAN table. The Add LAN Segment page appears. See Table 58. |
Table 58: Add LAN Segment Settings
Field | Description |
---|---|
Name | Enter a name for the LAN segment. The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length is 15 characters. |
Type | Select the type of LAN segment: directly connected or dynamically routed. |
VLAN ID | Enter the VLAN ID for the LAN segment. Range: 2 through 4093. |
Department | Select a department to which the LAN segment is assigned. Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Adding a Department for details. You can group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department. |
Protocol | For dynamically routed LAN segments, select the routing protocol (BGP or OSPF) to be used by the data center department to learn routes from the data center. |
Gateway Address/Mask | Enter a valid gateway IP address and mask for the LAN segment. This address will be the default gateway for endpoints in this LAN segment. For example: 192.0.2.8/24. |
DHCP | For directly connected LAN segments, click the toggle button to enable DHCP (default). Enable DHCP if you want to assign IP addresses by using a DHCP server, or disable DHCP if you want to assign a static IP address to the LAN segment. Note: If you enable DHCP, additional fields appear on the page. |
Additional Fields | |
Address Range Low | Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment. |
Address Range High | Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment. |
Maximum Lease Time | Specify the maximum duration (in seconds) for which a client can request and hold a lease on the DHCP server. Default: 1440. Range: 0 through 4,294,967,295 seconds. |
Name Server | Specify one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address. Note: DNS servers are used to resolve hostnames into IP addresses. |
CPE Ports | Click the toggle button to include or exclude the CPE in the LAN segment. If you exclude the CPE from the LAN segment, you must specify the switch ports that connect with the LAN in the Switch Ports field. CSO automatically assigns LAN ports on the CPE device and creates the same LAN segment on the CPE device. Note: You can select only one port if the CPE is a physical SRX Series device. |
Switch Ports Note: This field is displayed only when LAN capability is selected for the enterprise hub. | If you disable the CPE ports field, select ports on the switch to be part of the LAN segment. The Switch ports and CPE ports are mutually exclusive. Select the ports from the Available column and click the right-arrow to move the ports to the Selected column. |
BGP Configuration | |
Authentication | Select the BGP route authentication method to be used. If you select MD5, you must also specify an Auth Key. |
Peer IP Address | Enter the IP address of the BGP neighbor. |
Peer AS Number | Enter the autonomous system (AS) number of the BGP neighbor. |
Auth Key | If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets. |
OSPF Configuration | |
OSPF Area ID | Specify the OSPF area identifier to be used for the dynamic route. |
Authentication | Select the OSPF route authentication method to be used. Depending on the method, specify a Password or an MD5 Auth Key ID and Auth Key in the fields that follow. |
Password | Enter the password to be used to verify the authenticity of OSPF packets. |
Confirm Password | Retype the password for confirmation purposes. |
MD5 Auth Key ID | If you specified that MD5 should be used for authentication, enter the OSPF MD5 authentication key ID. Range: 1 through 255. |
Auth Key | If you specified that MD5 should be used for authentication, enter an MD5 authentication key, which is used to verify the authenticity of OSPF packets. |
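Several rows in Table 58 (Name, VLAN ID, Gateway Address/Mask, and the DHCP address range and name servers) and the Management Connectivity row of Table 56 (a unique /32 loopback prefix, otherwise auto-assigned from 100.124.0.0/14) state constraints that are worth checking before a site definition is submitted. The following Python validator is an added example, not CSO code or anything from this page; the dictionary keys, function names, and sample segments are constructed for the example. It applies the page's rules using only the standard library.

```python
"""Added example (not CSO code): input checks mirroring the LAN segment rules
in Table 58 and the Management Connectivity loopback rule in Table 56.
Dictionary keys and function names are assumptions for this example."""
import ipaddress
import re

LAN_NAME_RE = re.compile(r"^[A-Za-z0-9.\-]{1,15}$")   # alphanumeric, '.' and '-', no spaces
VLAN_RANGE = range(2, 4094)                            # 2 through 4093
MAX_LEASE = 4_294_967_295                              # seconds
MGMT_POOL = ipaddress.ip_network("100.124.0.0/14")     # reserved loopback pool


def validate_lan_segment(seg):
    """Return a list of error strings; an empty list means the segment passes."""
    errors = []
    if not LAN_NAME_RE.match(seg.get("name", "")):
        errors.append("name: alphanumeric, '.' or '-', 1-15 characters, no spaces")
    if seg.get("vlan_id") not in VLAN_RANGE:
        errors.append("vlan_id: must be 2 through 4093")
    try:
        gw = ipaddress.ip_interface(seg["gateway"])      # e.g. 192.0.2.8/24
    except (KeyError, ValueError):
        errors.append("gateway: expected address/mask such as 192.0.2.8/24")
        return errors
    subnet = gw.network
    if seg.get("dhcp"):
        try:
            low = ipaddress.ip_address(seg["range_low"])
            high = ipaddress.ip_address(seg["range_high"])
        except (KeyError, ValueError):
            errors.append("dhcp: range_low and range_high are required")
            return errors
        if low not in subnet or high not in subnet:
            errors.append("dhcp: address range must lie inside the gateway subnet")
        else:
            if low > high:
                errors.append("dhcp: range_low must not exceed range_high")
            if low <= gw.ip <= high:
                errors.append("dhcp: address range must not include the gateway")
        lease = seg.get("max_lease", 1440)               # page default: 1440
        if not 0 <= lease <= MAX_LEASE:
            errors.append("dhcp: max_lease must be 0 through 4,294,967,295")
        for ns in seg.get("name_servers", []):
            try:
                if ipaddress.ip_address(ns).version != 4:
                    raise ValueError
            except ValueError:
                errors.append(f"dhcp: name server {ns!r} is not an IPv4 address")
    return errors


def management_loopback(requested, in_use):
    """Apply the Management Connectivity rule: an explicit prefix must be a
    unique IPv4 /32; with none given, take the first free /32 from MGMT_POOL."""
    used = {ipaddress.ip_network(p) for p in in_use}
    if requested:
        net = ipaddress.ip_network(requested)            # ValueError if host bits set
        if net.version != 4 or net.prefixlen != 32:
            raise ValueError("loopback prefix must be an IPv4 /32")
        if net in used:
            raise ValueError(f"{net} is already used in the management network")
        return str(net)
    for host in MGMT_POOL.hosts():                       # lazily walks the /14
        candidate = ipaddress.ip_network(f"{host}/32")
        if candidate not in used:
            return str(candidate)
    raise RuntimeError("management loopback pool exhausted")


# Constructed sample input for the example.
GOOD_SEGMENT = {
    "name": "lan-1", "vlan_id": 100, "gateway": "192.0.2.8/24", "dhcp": True,
    "range_low": "192.0.2.100", "range_high": "192.0.2.200",
    "name_servers": ["192.0.2.53"],
}
BAD_SEGMENT = {
    "name": "lan 1", "vlan_id": 1, "gateway": "192.0.2.8/24", "dhcp": True,
    "range_low": "192.0.2.1", "range_high": "192.0.2.50",
}

if __name__ == "__main__":
    print(validate_lan_segment(GOOD_SEGMENT))            # []
    print(validate_lan_segment(BAD_SEGMENT))             # three errors
    print(management_loopback(None, ["100.124.0.1/32"])) # 100.124.0.2/32
```

Running the checks client-side does not replace the validation CSO performs, but it turns the table's prose rules into something a provisioning script can test before a site activation job is started.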