Add an On-Premise Spoke Site with Next-Generation Firewall and LAN Capabilities
You can add a next-generation firewall site with LAN capabilities to manage an SRX Series device that is configured as the firewall (CPE) device, together with an EX Series switch that is configured for the LAN network.
The following image shows a simple network topology for an on-premise spoke site with next-generation firewall and LAN capabilities.
Complete the connections as shown in the topology diagram and power up the devices.
This task assumes that, when connected according to the network design, the firewall device obtains an IP address from DHCP and has Internet connectivity and DNS resolution.
When you configure the SRX device, ensure that you configure either the first port (ge-0/0/0) or the last port (for example, ge-0/0/15, depending on the SRX model) for Internet connectivity.
For more information about connecting the cables and connecting a console to the device, see the documentation for the firewall device. Links to the hardware documentation for the supported models are provided in Table 1.
Ensure that the devices are running the recommended version of Junos OS. For information about the supported Junos OS versions, see the Release Notes for Contrail Service Orchestration Release 5.0.0.
Table 1: Supported firewall devices (hardware documentation): SRX3xx devices and SRX550M
- From the Sites page (Resources > Site Management) of the CSO portal, click Add and select On-Premise Spoke Site.
The Add Site wizard appears.
- Complete the configuration as explained in Table 2.
- Click OK to add the site.
To activate the switch, you must manually configure the stage-1 configuration on the switch.
- On the Site Activation page, after the Prestage Device step completes successfully for the switch, the View Stage-1 Configuration link appears next to the Prestage Device step.
- Click the View Stage-1 Configuration link.
The Stage-1 Configuration page appears displaying the stage-1 configuration.
- Copy the stage-1 configuration and log in to the CLI of the EX Series switch.
- Enter configuration mode, paste the configuration, and commit it.
After the stage-1 configuration is committed, the switch has the outbound SSH configuration it needs to connect to CSO. CSO then executes the bootstrap and provisioning processes on the switch and completes provisioning the switch. Note that the stage-1 configuration carries the credentials the switch uses to authenticate to CSO, so handle the copied text as you would any other device credential.
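The following is an added illustration of the shape of the outbound SSH stanza that a stage-1 configuration contains, and of how to commit and verify it on the switch. It is not the configuration CSO generates for you: the client name cso-client, the device-id and secret placeholders, the CSO address 192.0.2.10 and port 7804 are all assumptions for the example. Always paste the exact text from the View Stage-1 Configuration page rather than hand-typing values, and leave out the comment lines (those starting with #), which are for the reader.

```junos
# Added example, not CSO's generated stage-1 configuration.
# Placeholders (assumptions): cso-client, <device-id>, <secret>, 192.0.2.10, 7804.
# Configuration mode: paste the stage-1 set commands, then check before committing.
set system services outbound-ssh client cso-client device-id <device-id>
set system services outbound-ssh client cso-client secret <secret>
set system services outbound-ssh client cso-client services netconf
set system services outbound-ssh client cso-client keep-alive retry 3 timeout 5
set system services outbound-ssh client cso-client 192.0.2.10 port 7804
set system services netconf ssh
# Validate syntax and constraints without applying anything.
commit check
# Apply and return to operational mode.
commit and-quit
# Operational mode: confirm the stanza landed and that the switch has opened
# an outbound session toward CSO (the switch initiates; CSO does not log in to it).
show configuration system services outbound-ssh
show system connections | match 7804
```

The outbound-ssh client is the part that matters for security review: the switch initiates the TCP session to the CSO address and port and authenticates with the device-id and secret, so no inbound SSH access from CSO to the switch is required. If the session does not appear in show system connections, check that the switch can reach the CSO address on that port through the firewall before re-pasting the configuration.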
When the site is successfully created, the Site Status in the Sites page changes to Provisioned.
Table 2: SD-WAN On-Premise Spoke Site Settings
Site and firewall (CPE) device settings:
- Site Name: Enter a unique name for the site. You can use alphanumeric characters and hyphens (-); the maximum length is 10 characters.
- Site Capability: Select Next Gen Firewall.
- Serial Number: Enter the serial number of the firewall device.
- Auto Activate: Enabled by default. When Auto Activate is enabled, device activation is triggered automatically when the site is added. The Activation Code field appears if you disable Auto Activate; in that case, specify the activation code of the device to activate it manually. For information about manually activating a device, see Activate a Device.
- Zero Touch Provisioning: Enabled by default. When Zero Touch Provisioning is enabled, zero-touch provisioning of the device is triggered automatically when the site is added. Note that the SRX device must support the phone-home client for ZTP to work. If the device does not support the phone-home client, disable Zero Touch Provisioning, copy the stage-1 configuration from CSO, and paste it into the device CLI manually.
- In Band Management: Use the same port that you configured for Internet connectivity for in-band management. Depending on the SRX device, this port is the first port (ge-0/0/0) or the last port (for example, ge-0/0/15, depending on the SRX model).
Switch settings:
- Device Name: Enter a unique name for the switch.
- Device Type: Select the type of the device.
- Trunk Ports: Select at least two trunk ports on the CPE device to connect with the switch.
- Switch Management Subnet: Specify the subnet from which DHCP assigns IP addresses to the switch.
- Serial Number: Enter the serial number of the switch.
- Auto Activate: If the selected device supports ZTP, Auto Activate is enabled. When Auto Activate is enabled, zero-touch provisioning of the device is triggered automatically when the site is added.
- Activation Code: This field appears if the selected device template does not support ZTP or if you disable Auto Activate. In that case, specify the activation code of the device to activate it manually. For information about manually activating a device, see Activate a Device.
After you add the site, you can complete the following tasks as required:
- Upload and install licenses (Administration > Licenses).
- Install signatures (Administration > Signature Database).
- Add, modify, and deploy firewall policies (Configuration > Firewall Policy).
- Create and generate reports (Reports > Report Definitions).
The device must be activated before you install licenses or signatures, or deploy policies.
If the EX Series switch has Mist access points associated with it, you can integrate the Mist access points with CSO. For more information, see Enabling Integration with Mist Access Points.
For more information about these tasks, see the Contrail Service Orchestration documentation at https://www.juniper.net/documentation/product/en_US/contrail-service-orchestration.