Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Contrail Service Orchestration (CSO) Solutions Overview


Juniper Networks Contrail SD-WAN, SD-LAN, and NGFW management solutions offer automated branch connectivity while improving network service delivery and agility. CSO is a multi-tenant platform that manages physical and virtual network devices, creates and manages Juniper Networks and third-party virtualized network functions (VNFs), and uses those elements to deploy network solutions for both enterprises and service providers (SPs) and their customers. CSO multi-tenancy provides security and tenant isolation that keeps the objects and users belonging to one tenant or operating company (OpCo) from seeing or interacting with those of another tenant or OpCo.

The CSO platform itself can be deployed in one of two ways:

  • As a downloadable, on-premise platform in which you (or your company) become the SP administrator (cspadmin user). In an on-premise deployment, the cspadmin user has complete read-write management access and responsibility for the CSO micro-services platforms, orchestration and management infrastructure, and all underlay networks needed to allow access to CSO and its solutions.

  • As a software as a service (SaaS) platform, hosted in a public cloud, to which tenants and OpCos subscribe. In an SaaS deployment, Juniper Networks manages the necessary micro-services infrastructure, the secure orchestration and management (OAM) infrastructure, and underlay networks needed to allow access to CSO and its solutions.

CSO offers multiple network solutions that benefit enterprise customers and service providers and their customers. The solutions are split into two overall groups, WAN solutions and LAN solutions as shown in Figure 1.

Figure 1: WAN and LAN Solutions
WAN and LAN Solutions

These solutions allow CSO to provide lifecycle management for devices and services and to:

  • automate physical and virtual device provisioning

  • provide day-0, 1, and 2 configuration

  • monitor remote devices

  • provide full lifecycle management of firewall, NAT, and Internet breakout policies for user traffic

  • provide high-level reporting about devices and user traffic

The following list briefly describes each of the available CSO solutions, or use cases.

Contrail SD-WAN Solution

  • The Contrail SD-WAN solution offers a flexible and automated way to route traffic through the cloud using overlay networks. It is an overlay network solution that provides enhanced application user experience. It acts as both a data controller and a management orchestrator. At its most basic, an SD-WAN solution encompasses multiple sites, multiple connections between sites, and a WAN controller as shown in Figure 2.

    Figure 2: Basic SD-WAN Concept
    Basic SD-WAN Concept

    The CPE devices, or spokes used in a Contrail SD-WAN solution, have a WAN side and a LAN side. On the WAN side, hub-and-spoke and dynamic mesh topologies are supported. The CPE devices use at least one, and up to four, WAN interfaces as connection paths to provider hub devices, enterprise hub devices, other spoke devices, and the Internet. The supported hub devices are shown in Table 1:

    Table 1: Supported Hub Devices

    Hub Device

    Used as


    Enterprise Hub and Provider Hub


    Provider Hub


    Enterprise Hub and Provider Hub


    Enterprise Hub and Provider Hub

    MX Series Devices with Services Line Cards

    Provider Hub

    The hub devices help to provide the overlay networking needed for the Contrail SD-WAN solution.

    CSO allows you to give preference to one WAN path over another for any given traffic through the use of traffic steering and breakout profiles. Thus, business-critical traffic (data) can be routed through the provider hub using MPLS/GRE while non-critical traffic can be routed over the Internet connection through an IPsec tunnel. Each path can have a service level agreement (SLA) profile applied. The SLA profile monitors the path for latency, congestion, and jitter while also accounting for path preference. Should the path fail to meet one or more of the required parameters, traffic is re-routed to another path automatically.

    The LAN side of the CPE devices connect to the customer’s LAN segments. Multiple departments at the customer site that occupy different LAN segments can have their traffic securely segregated with the use of dedicated IPSec tunnels. Starting with CSO Release 4.0.0, NFX Series spoke devices can also provide service chains of network services in addition to the routing flexibility already available.

    You can use the solutions as turnkey implementations or connect to other operational support and business support systems (OSS/BSS) through northbound Representational State Transfer (REST) APIs.

    Contrail Managed LAN Solution (SD-LAN)

  • The SD-LAN solution allows CSO to manage and monitor remote LAN devices like certain EX Series LAN switches and Virtual Chassis (VCs), as well as Mist WiFi access points.. This extends the SD-WAN solution to provide visibility into the LANs of remote networks. At its most basic, a managed LAN implementation is as simple as connecting a supported EX switch or SRX firewall at the remote site through an Internet gateway device as shown in Figure 3.

    Figure 3: Simple SD-LAN Solution
    Simple SD-LAN Solution

    While Figure 3 shows a single switch connected behind an Internet gateway device, there are several other deployment options available within the solution. For example, an EX switch, or VC, can be attached to an existing managed CPE device, or it can be added to CSO as a standalone LAN switch. Similar deployment options are available for the NGFW solution. For more details about switch deployment in a managed LAN solution, see the CSO User Guide and the CSO Design and Architecture Guide.

  • Hybrid WAN (Distributed CPE) Deployment Model

    In a Hybrid WAN deployment, customers access network services from a CPE device, located at the customer’s site. These sites are called on-premise sites or spokes in this documentation. In the workflows used in the CSO GUI, this deployment is known as Hybrid WAN. Figure 4 illustrates a simplified Hybrid WAN deployment.

    Figure 4: Hybrid WAN Deployment
    Hybrid WAN Deployment

    Initial configuration of the CPE device at the site can be automated through the use of zero touch provisioning (ZTP) that is orchestrated through CSO. CSO also monitors the CPE device and its services, and can push software and configuration updates to the devices remotely, reducing operating expenses. This deployment model is useful in environments where service delivery from the service provider’s cloud is costly.

    In fact, CSO has been designed to require only modest bandwidth, needing as little as 30kbps for probe and secure OAM traffic over Hybrid WAN connections where there are only a few sessions active. When AppQoe is involved, the bandwidth requirement increases to somewhere between 105kbps and 2Mbps, depending on the number of sessions. During ZTP operations, if new device images are needed, they can be downloaded as part of the ZTP process, or pre-staged on the device. In those circumstances, the bandwidth requirement increases to a maximum of 5Mbps only when device image download is needed. This makes these solutions applicable even in cases where connection bandwidth is limited or noisy.

    The Hybrid WAN deployment uses a CPE device such as an NFX Series Network Services platform or SRX Series Services Gateway at the customer site and thus supports private hosting of network services at a site. The distributed deployment can be extended to offer SD-WAN capabilities.


    If an SRX Series device is used as the CPE device at the customer site, it can not host VNFs.