Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Hybrid WAN (Distributed) Deployment Architecture


In the Hybrid WAN deployment the Contrail Services Orchestration (CSO) software resides in the service provider’s cloud, and is operated by the service provider in order to provide network services, hosted on CPE devices, at customer sites.

Figure 1 shows a simple diagram of the Hybrid WAN solution. The cloud represents the service provider network to which the customer site is connected.

Figure 1: Hybrid WAN Solution
Hybrid WAN Solution

As mentioned previously, the Hybrid WAN deployment makes use of on-premise CPE devices in order to localize the delivery of network services and provide gateway router (GWR) functionality. In this case, the Juniper Networks NFX Series or SRX Series devices act as the CPE devices.

In the case of NFX as CPE, the GWR function is provided by a built-in vSRX VNF and network services are hosted and provided from within the NFX that is located at the customer site. This makes the network services extremely responsive from the point of view of the customer LAN, while negating the need for customer traffic to traverse the WAN in order to access the services.

In the case of an SRX Series device as the managed CPE device, only services native to the SRX– firewall, NAT, and UTM, can be provisioned and managed at the customer site by CSO. Other services, such as WAN optimization must be provisioned and managed separately from the SRX and cannot be managed by CSO.

In addition to the CPE devices, the Hybrid WAN solution also makes use of a provider edge (PE) router in the service provider cloud. The PE router terminates IPSec tunnels and provides policy-based access to the service provider’s MPLS network. The PE and CPE devices communicate over one or more WAN links and make use of MPLS/GRE or IPSec tunnels for secure transport. Supported device types for a Hybrid WAN deployment are shown in while the device roles and required software versions are shown in Table 1.

Table 1: Hardware and Software Matrix for CPE Devices in a Hybrid WAN Deployment



Models Supported

Junos OS Software Release Version

PE Router and IPsec Concentrator (Hybrid WAN deployment only)

MX Series 3D Universal Edge Router

  • MX960, MX480, or MX240 router with

    a Multiservices MPC line card

  • MX80 or MX104 router with Multiservices MIC line card

  • Other MX Series routers with a Multiservices MPC or Multiservices MIC line card

    See MPCs Supported by MX Series Routers Login required and MICs Supported by MX Series Routers Login required for information about MX Series routers that support Multiservices MPC and MIC line cards.

Junos OS Release 16.1R3.00

CPE device

  • NFX Series Network Services Platforms

  • SRX Series devices

  • vSRX on an x86 server

  • NFX250-LS1 device

  • NFX250-S1 device

  • NFX250-S2 device

  • NFX150-S1 device

  • NFX150-S1E device

  • NFX150-C-S1 device

  • NFX150-C-S1-AE/AA device

  • NFX150-C-S1E-AE/AA device

  • SRX300

  • SRX320

  • SRX340

  • SRX345

  • SRX4100

  • SRX4200

  • vSRX

For NFX250: Junos OS Release 15.1X53-D496

For NFX150: Junos OS Release 18.3X85-D11

For SRX Series: Junos OS Release 15.1X49-D172

For vSRX: Junos OS Release 15.1X49-D172

Selection of services, and some service management capabilities can be allocated to the customer by the service provider using the CSO Administration Portal. The customer would then access the allowed services and management capabilities by using the Customer Portal.

CSO manages the lifecycle of the VNFs hosted on the NFX CPE devices from creation in Network Designer, through instantiation, deployment, and finally through replacement or retirement.


Designer tools such as Network Designer are only available for on-premise deployments of CSO.