
Adding an On-Premise Spoke Site with SD-WAN and LAN Capabilities

You can add an on-premise spoke site in CSO by provisioning a CPE and a switch behind the CPE to provide SD-WAN and LAN capabilities to the site. See Switch Behind a CPE or Next Generation Firewall Overview for details.

To add a site with SD-WAN and LAN capabilities:

Procedure

  1. Select Resources > Site Management.

    The Sites page appears.

  2. Click Add and select Add On-Premise Spoke (Manual).

    The Add Site for Tenant-Name page appears.

  3. Complete the configuration according to the guidelines provided in Table 52.

    Note: Fields marked with an asterisk (*) are mandatory.

  4. Review the configuration and modify the settings, if needed, from the Summary tab.
  5. Click OK to add the site.

    The site activation job is initiated and the Site Activation: Site-Name page appears displaying the progress of the steps executed for activating the CPE and the switch. The CPE is activated first and then the process to activate the switch is initiated.

  6. Activate the switch. Because the switch is not activated by ZTP, you must manually configure the stage-1 configuration on the switch:

    1. On the Site Activation page, after the Prestage Device step completes successfully for the switch, the View Stage-1 Configuration link appears next to the Prestage Device step.
    2. Click the View Stage-1 Configuration link.

      The Stage-1 Configuration page appears displaying the stage-1 configuration.

    3. Copy the stage-1 configuration and log in to the CLI of the EX Series switch.
    4. Enter the configuration mode, paste, and commit the configuration.

      After the stage-1 configuration is committed, the switch has the outbound SSH configuration to connect with CSO. CSO then executes the bootstrap and provisioning processes on the switch and completes provisioning the switch.

Table 52: Fields on the Add Site for Tenant-Name Page (SD-WAN and LAN Capabilities)

Field

Description

General

Site Information

Site Name

Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 10 characters.

Site Group

Select a site group to which you want to assign the site.

Site Capabilities

WAN Capabilities

Select SD-WAN to include SD-WAN capabilities in the spoke site.

LAN Capabilities

Select LAN to include SD-LAN capability in the spoke site.

Configuration

Primary Provider Hub

Select the hub site (or primary hub site in case of multihoming) to which the spoke site must connect.

Secondary Provider Hub

Select the secondary hub site to which this site must connect.

This site connects to the secondary data hub site when the primary data hub is down.

Primary Enterprise Hub

Select the primary enterprise hub with which you want to connect the spoke site. If you specify an enterprise hub, then the initial site-to-site traffic as well as the central breakout (backhaul) traffic (if applicable) is sent through the enterprise hub instead of the hub site.

Secondary Enterprise Hub

Select the secondary enterprise hub for this spoke site.

The spoke site connects with secondary gateway hub when the primary gateway hub is down.

On-Demand VPN Threshold

Threshold for Tunnel Creation

Specify the threshold for the number of sessions (flows) closed (in a two-minute duration) between the on-premise spoke site and a destination site. When the number of sessions closed exceeds the specified threshold, a tunnel is created between the on-premise spoke site and the destination site.

The default value is 5.

For example, if you specify the number of sessions as 5, dynamic VPN tunnels are created if the number of sessions closed between two spoke sites in 2 minutes exceeds 5.

Threshold for Tunnel Deletion

Specify the threshold for the number of sessions closed (in a 15-minute duration) between the on-premise spoke site and a destination site. When the number of sessions closed is lower than the specified threshold, the tunnel between the on-premise spoke site and destination site is deleted.

The default value is 2.

For example, if you specify the number of sessions closed as 2, dynamic VPN tunnels are deleted if the number of sessions closed is less than or equal to 2.

Address and Contact Information

Street Address

Enter the street address of the site.

City

Enter the city where the site is located.

State/Province

Select the state or province where the site is located.

ZIP/Postal Code

Enter the postal code for the site.

Country

Select the country where the site is located.

Click the Validate button to verify the address.

  • The site address verification successful message is displayed if the address is verified.

    You can click the View location on a map link to see the address location.

  • If the address cannot be verified, the Site address could not be validated message is displayed.

Contact Name

Enter the name of the contact person for the site.

Email

Enter the e-mail address of the contact person for the site.

Phone

Enter the phone number of the contact person for the site.

Advanced Configuration

Name Server IP List

Specify one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address, and so on.

DNS servers are used to resolve hostnames into IP addresses.

NTP Server

Specify the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers.

Example: ntp.example.net

The site must have DNS reachability to resolve the FQDN during site configuration.

Select Timezone

Select the time zone of the site.

WAN

Device Profile

Device Series

Select the device series to which the CPE belongs (SRX or NFX250).

Device Template

Select a device template for the selected device series.

The device template contains information for configuring a device.

Device Information

Serial Number

Enter the serial number of the CPE device.

Auto Activate

Click the toggle button to enable or disable automatic activation of the CPE device.

When you enable this field, zero-touch provisioning (ZTP) of the CPE device is automatically triggered after the site is added to CSO.

The device template that you select determines whether this option is enabled or disabled by default.

Activation Code

If you disable the Auto Activate field, enter the activation code for the CPE or firewall device.

For information about activating a CPE or firewall device, see Activating a CPE Device.

Boot image

Select the boot image from the drop-down list if you want to upgrade the image for the CPE device.

The boot image is the latest build image uploaded to the image management system. The boot image is used to upgrade the device when the CSO starts the ZTP process.

If the boot image is not provided, then the device skips the procedure to upgrade the device image. The boot image is populated based on the device template that you have selected while creating a site. See Uploading a Device Image.

WAN Links

WAN_0

Click the toggle button to enable or disable this WAN link. By default, the WAN_0 link is enabled.

When you enable a WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Link Type

Select the underlay network type (MPLS or Internet) of the WAN link that is connected to the on-premise spoke site.

Access Type (NFX150, NFX250, SRX320, SRX340, and SRX345)

If you select Internet as the link type, select the access type for the underlay link—Ethernet, LTE, ADSL, or VDSL.

You can select the LTE, ADSL, or VDSL access type only for one WAN link.

Note: You cannot configure an access type (LTE, ADSL, or VDSL) if you are using the Dual SRX and Dual NFX device templates. By default, Ethernet is configured as the access type for the underlay link.

Egress Bandwidth

Enter the maximum bandwidth (in Mbps) that the CPE or firewall allows over the WAN link.

Range: 1 through 10,000.

Address Assignment

Select the method of assigning an IP address to the WAN link—DHCP or STATIC.

  • If you select DHCP, the IP address is provided by using the DHCP server of the service provider of the WAN link.

  • If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link.

Static IP Prefix

If you configured the address assignment method as STATIC, enter the IP address prefix of the WAN link.

Gateway IP Address

If you configured the address assignment method as STATIC, enter the IP address of the gateway of the WAN service provider.

Advanced Settings

Provider

Enter the name of the service provider who is responsible for providing the WAN link.

Cost/Month

Enter the cost per month (in a specified currency) for the WAN link. Specify the currency from the adjacent drop-down list.

Range: 1 through 10,000.

In bandwidth-optimized SD-WAN, CSO uses this information to identify the least-expensive link to route traffic when multiple WAN links meet SLA profile parameters.

Enable Local Breakout

Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled.

Note:

  • If you enable this option, the WAN link can be used for local breakout. The decision of whether traffic breaks out locally from the site depends on the breakout profile that is referenced in the SD-WAN policy intent.

  • If you do not enable local breakout on at least one WAN link for a single CPE connection plan and at least two WAN links for a dual CPE connection plan, then local breakout is disabled for the site.

Breakout Options

Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

Autocreate Source NAT Rule

If the WAN link is enabled for local breakout, you can click the toggle button to automatically create an interface-based source NAT rule on the WAN link. The automatically created source NAT rule is implicitly defined and applied to the site and is not visible on the NAT Policies page.

By default, this field is disabled.

Note: If this option is enabled for a WAN interface W1 during the site addition workflow, a series of NAT source rules are automatically created. Each automatically created NAT rule is from a zone to the WAN interface, with a translation of type interface. Each pair of [zone - interface] represents a rule-set.

For example, the following zone to W1 interface rule-set might be created:

Zone1 --> W1: Translation=Interface
Zone2 --> W1: Translation=Interface
Zone3 --> W1: Translation=Interface

To manually override any of these rules, you can create a NAT rule within a particular rule-set. For example, to use a source NAT pool instead of an interface for translation, create a NAT rule within this particular rule-set that includes the relevant zone and WAN interface as the source and destination. For example:

Zone1 --> W1 : Translation=Pool-2

The manually created NAT rule is placed at a higher priority than the corresponding automatically created NAT rule.

You can also add other fields (such as addresses, ports, protocols, and so on) as part of the source or destination endpoints. For example:

Zone1, Port 56578 --> W1: Translation=Pool-2

Preferred Breakout Link

Click the toggle button to enable the WAN link as the preferred breakout link.

If you disable this option, then the breakout link is chosen using ECMP from the available breakout links.

Use For Fullmesh

Click the toggle button to specify whether the WAN link can be a part of a full mesh topology.

A site can have a maximum of three links enabled for meshing.

Mesh Overlay Link Type

When the Use for Fullmesh field is enabled, select the type of mesh overlay link (GRE or GRE_IPSEC):

  • If the link type is Internet, the mesh overlay link type is GRE_IPSEC.

  • If the link type is MPLS, select one of the following options:

    • GRE_IPSEC

    • GRE

Mesh Tag

When the Use for Fullmesh field is enabled, enter the tag to be associated with the WAN link for creating tunnels. You can assign only one tag to the link.

Matching mesh tags is one of the criteria used to form tunnels between sites that support meshing.

For more information about mesh tags, see Mesh Tags Overview.

Connects to Hubs

Click the toggle button to specify that the WAN link of the site connects to a hub.

Note:

  • For sites with a single CPE, you must enable at least one WAN link to connect to the hub so that OAM traffic can be transmitted.

  • For sites with a dual CPE, you must enable at least one WAN link per device to connect to the hub so that OAM traffic can be transmitted.

Use for OAM Traffic

If you have specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link.

This WAN link is then used to establish the OAM tunnel.

Overlay Tunnel Type

Select the mesh overlay tunnel type (GRE or GRE_IPSEC).

MPLS links can have either GRE or GRE_IPSEC as the overlay link type, whereas Internet links can have only GRE_IPSEC as the overlay link type.

Overlay Peer Device

Displays the peer hub device to which the site is connected.

Overlay Peer Interface

Select the interface name of the hub device to which the WAN link of the site is connected.

Backup Link

Select a backup link through which traffic can be routed when the primary (other) links are unavailable. You can select any link other than the default links or links that are configured exclusively for local breakout traffic.

When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, SLA data is not monitored for the backup link.

Default Link

Select one or more links that will be used for routing traffic in the absence of matching SD-WAN policy intents. A site can have multiple default links to the hub site.

Default links are used primarily for overlay traffic but can also be used for local breakout traffic. However, a default link cannot be used exclusively for local breakout traffic. If you do not specify a default link, then equal-cost multipath (ECMP) is used to choose the link on which to route traffic.

Data VLAN ID

Enter a VLAN ID for the WAN link.

Range: 2 through 4093.

WAN_1

Click the toggle button to enable or disable this WAN link. By default, the WAN_1 link is disabled.

Refer to the fields described for WAN_0 for an explanation of the fields.

WAN_2

Click the toggle button to enable or disable this WAN link. By default, the WAN_2 link is disabled.

Refer to the fields described for WAN_0 for an explanation of the fields.

WAN_3

Click the toggle button to enable or disable this WAN link. By default, the WAN_3 link is disabled.

Refer to the fields described for WAN_0 for an explanation of the fields.

Management Connectivity

IP Prefix

Enter an IPv4 address prefix for the loopback interface on the CPE device. The IP address prefix must be a /32 IP address prefix and must be unique across the entire management network. If you do not specify an IPv4 address prefix, CSO automatically assigns the IP prefix from the reserved pool 100.124.0.0/14.

LAN

Device Profile

Device Name

Enter a name for the switch. You can use alphanumeric characters and hyphen (-). The maximum length allowed is 15 characters.

Device Type

Select the type of switch (EX2300, EX3400, or EX4300).

Device Model

Select the model for the switch you specified in the Device Type.

The models vary in the number and type of ports the switch contains. For example, if you selected EX3400, select a model such as EX3400-24P, EX3400-48P, or EX3400-24T, among others.

CPE Settings

Trunk Ports

Select at least two trunk ports on the CPE device to connect with the switch, which are used for the following:

  • LAN traffic between the switch and the CPE

  • Management traffic for in-band management of the switch.

Note: The ae0 LAG interface of the SRX Series devices is used as the trunk port for communication with the switch.

Switch Management Subnet

Specify the subnet that the DHCP server can use to assign IP addresses. The DHCP server runs on the following ports:

  • Trunk ports to provide DHCP information to all devices connected to the switch and to the in-band management port, switch management port, and LAN ports on the CPE.

  • Out-of-band management port on the CPE to provide DHCP information to the management port on the switch.

  • LAN ports on the CPE to provide information to the devices connected to the CPE LAN ports.

Switch Details

Serial Number

Specify the serial number of the switch.

Auto Activate

Click the toggle button to enable or disable automatic activation of the switch when the switch is detected by CSO (that is, management status of the device is Device_Detected).

When you enable this field, zero-touch provisioning (ZTP) of the switch is automatically triggered when the device communicates with CSO.

By default, auto activation for the switch is enabled if it is enabled for the CPE, and vice versa.

Note: You must physically connect the switch to the CPE and power it on for the switch to be automatically activated when you enable this option.

Activation code

When the Auto Activate field is disabled, enter the activation code to be used for manually activating the switch.

For information, see Manually Activating a Switch.

Zero Touch Provisioning

ZTP must be disabled for all EX Series switches for the CSO 5.0.0 release.

The Stage-1 configuration must be copied and pasted onto the CLI of the switch during site activation. See Step-by-Step Procedure for details.

LAN Segment

Displays the LAN segment that you configure on the switch.

To add a LAN segment, click the + icon in the top-right corner of the LAN table. The Add LAN Segment page appears. See Table 53.

Table 53: Fields on the Add LAN Segment Page when Adding a Switch along with CPE

Field

Description

Add LAN Segment

Name

Enter a name for the LAN segment.

The name for a LAN segment must be a unique string of alphanumeric characters and the special characters period (.) and hyphen (-). No spaces are allowed, and the maximum length is 15 characters.

VLAN ID

Enter the VLAN ID for the LAN segment.

Range: 2 through 4093.

Department

Select a department to which the LAN segment is to be assigned.

Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Adding a Department for details.

You group LAN segments as departments for ease of management and for applying policies at the department-level.

Gateway Address/Mask

Enter a valid gateway IP address and mask for the LAN segment; for example, 192.0.2.8/24.

DHCP

For directly connected LAN segments, click the toggle button to enable DHCP. DHCP is disabled by default.

You enable DHCP if you want to assign IP addresses by using a DHCP server. You disable DHCP if you want to assign a static IP address to the LAN segment.

Note: If you enable DHCP, the DHCP-related fields described below appear and must be configured.

DHCP-Related Fields

Address Range Low

Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Address Range High

Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Maximum Lease Time

Specify the maximum duration (in seconds) for which a client can request and hold a lease from the DHCP server.

Range: 0 through 4,294,967,295.

Name Server

Specify or select one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.

CPE Ports

Click the toggle button to include or exclude the CPE in the LAN segment. When you include the CPE in the LAN segment:

  • CPE ports that you can include in the LAN segment are listed.

    Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

  • The Switch Ports field is disabled. CSO automatically assigns LAN ports on the switch device and creates the same LAN segment on the switch.

If you exclude the CPE from the LAN segment, you must specify the switch ports that connect with the LAN in the Switch Ports field. CSO automatically assigns LAN ports on the CPE device and creates the same LAN segment on the CPE device.

Note: You can select only one port if the CPE is an SRX Series device.

Switch Ports

If you disable the CPE ports field, select ports on the switch that will be part of the LAN segment.

Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.
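As an added example, not code from the CSO documentation, the following Python models the rule-set priority described for the Autocreate Source NAT Rule field in Table 52: the automatically created zone-to-interface rules, a manually created override placed ahead of them within the same [zone - interface] rule-set, and a port-qualified manual rule. The NatRule class, the function names and the constructed scenario are assumptions for illustration, not CSO's API.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical model of the Autocreate Source NAT Rule behaviour and the
# manual override described in Table 52; names are assumptions.


@dataclass(frozen=True)
class NatRule:
    zone: str                       # source zone of the flow
    wan_if: str                     # WAN interface the flow egresses on
    translation: str                # "Interface" or a source NAT pool name
    src_port: Optional[int] = None  # optional extra match on the source port
    auto: bool = False              # True for the implicitly created rule


RuleSets = Dict[Tuple[str, str], List[NatRule]]


def autocreate_rules(zones: List[str], wan_if: str) -> List[NatRule]:
    """One zone -> WAN interface rule with interface translation per zone,
    as created when the toggle is enabled during site addition."""
    return [NatRule(z, wan_if, "Interface", auto=True) for z in zones]


def build_rule_sets(auto_rules: List[NatRule],
                    manual_rules: List[NatRule]) -> RuleSets:
    """Group rules into [zone - interface] rule-sets. Manual rules are
    appended first so they sit at a higher priority than the auto rule;
    among manual rules, the order the operator listed them is kept."""
    sets: RuleSets = {}
    for rule in list(manual_rules) + list(auto_rules):
        sets.setdefault((rule.zone, rule.wan_if), []).append(rule)
    return sets


def lookup(sets: RuleSets, zone: str, wan_if: str,
           src_port: Optional[int] = None) -> Optional[str]:
    """Return the translation the first matching rule applies to a flow,
    or None when no rule-set covers this zone/interface pair."""
    for rule in sets.get((zone, wan_if), []):
        if rule.src_port is not None and rule.src_port != src_port:
            continue  # port-qualified rule does not match this flow
        return rule.translation
    return None


def example() -> Dict[str, Optional[str]]:
    """Constructed scenario using the zones and interface from Table 52."""
    auto = autocreate_rules(["Zone1", "Zone2", "Zone3"], "W1")
    manual = [
        NatRule("Zone1", "W1", "Pool-2"),                  # Zone1 --> W1 : Pool-2
        NatRule("Zone2", "W1", "Pool-2", src_port=56578),  # Zone2, Port 56578 --> W1
    ]
    sets = build_rule_sets(auto, manual)
    return {
        "zone1": lookup(sets, "Zone1", "W1"),              # override wins: Pool-2
        "zone2_port": lookup(sets, "Zone2", "W1", 56578),  # port rule wins: Pool-2
        "zone2_other": lookup(sets, "Zone2", "W1", 443),   # auto rule: Interface
        "zone3": lookup(sets, "Zone3", "W1"),              # auto rule only: Interface
        "unknown": lookup(sets, "Zone9", "W1"),            # no rule-set: None
    }


if __name__ == "__main__":
    for flow, translation in example().items():
        print(f"{flow}: {translation}")
```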
