Adding and Provisioning Switches to Provide LAN Capability to a Site Overview
You can use Contrail Service Orchestration (CSO) to provision, deploy, and monitor EX Series switches in branch deployments of enterprise networks. You can deploy an EX Series switch by connecting it to a Customer Premise Equipment (CPE) device (SRX Series devices only) that functions as a secure SD-WAN router or next-generation firewall. You can also connect the EX Series switch to a third-party Internet gateway device.
CSO Release 5.0.0 supports only EX2300, EX3400, and EX4300 Series switches.
You can provision a switch on a branch network by using CSO in one of the following ways:
By adding a site with the switch and connecting it to an Internet gateway device.
By adding a site with an SD-WAN CPE and the switch.
By adding a site with a next-generation firewall and the switch.
By adding a site with an enterprise hub and the switch.
By adding the switch to an SD-WAN CPE that is already provisioned and managed by CSO.
By adding the switch to a next-generation firewall site that is already provisioned and managed by CSO.
By adding the switch to an enterprise hub site that is already provisioned and managed by CSO.
Standalone Switch Overview
Figure 1 shows a site with LAN capability managed by CSO.
In Figure 1, the EX Series switch is connected to CSO through an Internet gateway. The gateway can be a device from a manufacturer other than Juniper Networks.
The EX Series switch does not support the phone-home client in the CSO 5.0.0 release. When provisioning a standalone switch, you must manually copy the stage-1 configuration to the switch during site activation. CSO then deploys the stage-2 configuration on the switch. See Adding an On-Premise Spoke Site with LAN Capability for details.
Switch Behind a CPE or Next Generation Firewall Overview
Figure 2 shows a site with SD-WAN and LAN capabilities managed by CSO.
Figure 2 shows an example of a switch configured behind a CPE where the switch is connected to two LAN segments (LAN1 and LAN2) and the CPE. The CPE is connected to a LAN segment (LAN3) and to the EX Series switch. The switch can also be connected to a next-generation firewall as shown in Figure 3.
You cannot add a LAN segment to the next-generation firewall by using CSO.
The switch and the CPE or firewall can be connected through a single trunk port. Alternatively, you can use two trunk ports to connect the CPE and the switch and combine them to form a Link Aggregation Group (LAG) for higher throughput and redundancy. Traffic from the LAN segments connected to the switch is routed to the CPE or firewall through the trunk ports for further routing into the WAN.
You can manage the switch through in-band management, in which the trunk ports carry the management traffic in addition to data traffic.
The ae0 port of the SRX Series device is configured as the trunk port for communication with the switch.
The DHCP server, configured on the CPE or firewall, runs on the trunk ports to:
Allocate unique IP addresses to the access devices connected to the switch.
Provide management connectivity to the switch.
During zero-touch provisioning (ZTP) of a site with both WAN and LAN capabilities, the switch is provisioned after the CPE or firewall is provisioned.
When you add a switch to an already provisioned site, CSO redeploys the stage-2 configuration on the CPE or firewall to configure DHCP and LAG. The DHCP configuration enables management connectivity to the switch and allows CSO to discover and provision the switch.
Monitoring Switches Overview
You can monitor the following for an EX Series switch on the Device-Name page (Resources > Devices):
Resource utilization (memory and CPU) on the switch for the past one hour, past eight hours, past one day, past one week, and past one month.
Status of ports.
Alerts and alarms generated on the switch for the past one hour, past eight hours, past one day, past one week, and past one month.
Top Ports consuming the maximum bandwidth.
Top Ports with the maximum number of errors.
Top Ports with the maximum packet loss.