
Your First SD-WAN Deployment


This document describes the steps required in order to create your first SD-WAN deployment. Figure 1 shows an overview of the steps that will be covered in this deployment example.

Figure 1: SD-WAN Deployment Workflow

Before You Begin

  • Purchase an Advanced Policy-based Routing license for a vSRX. You must purchase a license that includes the appid-sig feature.

  • Download the required vSRX KVM appliance software image to your workstation. You can find the URLs for CSO-related software downloads in the Contrail Service Orchestration Release Notes. For CSO Release 5.0.0, the required version for vSRX is 15.1X49-D172 and you can download the image here: vSRX Software for KVM - Junos OS 15.1X49-D172. You’ll need this software image to bring up a vSRX VNF on the NFX device later in the deployment.

Note

Make note of the physical interfaces that you select for use throughout this deployment example. These interfaces need to be connected to form the underlay networks over which the data and management traffic will travel.

Download Application Signatures

This section details how to download application signatures from Juniper onto your CSO installation. Downloading the signature database makes the application signatures available to install on your CPE device after it has been activated in a later step. These signatures are used for application identification within CSO.

From this point on in this deployment example, we assume that you are logged in to CSO as an OpCo administrator. The user name part of your credentials is the e-mail address that was used when your CSO account was set up. When an account is initially set up, CSO sends an e-mail to that address with a link that includes a one-time activation code. Clicking the link takes you to the CSO login page, which then prompts you to set a password. This is a one-time activity. Subsequent logins to the Administration Portal use the e-mail address as the user name and your newly set password.

  1. Enter the login credentials for the Administration Portal.
  2. Navigate to the Administration > Signature Database page.

    On this page, there is a list of available database versions, their publish dates, update summaries, and detector versions. The newest database is at the top of the list.

  3. Click the Full Download link under the Actions column.

    A pop-up window appears that shows the progress of the download. You can watch the progress here or dismiss the window by clicking OK. If you dismiss the progress window before the job completes, you can still access the job information by looking in Monitor > Jobs. The download job appears at the top of the list.

Once the download completes successfully, the new database version number appears in the Active Database portion of the page. The new signature database is available to all of your tenants and their sites. To see the signatures included in the database, navigate to Configuration > Shared Objects > Application Signatures.

Starting with CSO Release 5.0.2, you can define your own custom application signatures for use in SD-WAN policy. For more information regarding this optional step see Contrail Service Orchestration Administration Portal User Guide.

Upload Licenses

The licenses that you upload using this procedure are available to be pushed to your tenant devices during the ZTP process.

To upload the license for your vSRX gateway router (GWR) device:

  1. Navigate to the Administration > Licenses > Device Licenses page.

    On this page is a list of all available device licenses. Since you have not installed any licenses yet, the list is empty.

  2. Click the + button at the top-right part of the list to add a license.

    The Add License window appears.

  3. Click the Browse button.

    This lets you locate the license file on your computer.

  4. Select a tenant or All Tenants from the Tenant pull-down menu.

    This associates the license file with a particular tenant or all tenants. If the license is associated with a particular tenant, then it can only be applied to devices that belong to that tenant.

  5. (Optional) Enter a description of the license file if desired.

You can repeat this procedure to upload as many licenses as you have.

Create and Configure a New Tenant

In this section we use the Administrator Portal to add a tenant to CSO.

  1. Select Tenants from the left-nav panel
  2. Click the Add Tenant button

    If no tenants have been created yet, an Add Tenant button is displayed in the center of the page. If there are existing tenants, click the “+” to create a new tenant.

  3. In the Add Tenant window that appears:
    • Enter a name for your tenant such as Tenant1

    • Fill in the Admin User information

      The e-mail address you enter here becomes the tenant administrator's user name, as described above.

    • Select the check-boxes next to both Roles in the Available section and click the arrow link to move them to the Selected section

    • The password expiration defaults to 180 days.

      You can set any value between 1 and 365.

    • Click Next

    • In the Deployment Info window, select the SD-WAN icon.

      Depending on how your tenant was configured, you may see one or more of the following in addition to the SD-WAN icon: Hybrid WAN, Next Gen Firewall, and LAN. For this example, select only SD-WAN.

      This activates the SD-WAN Mode section of the window.

    • Select the Real-time Optimized radio button

      Selecting Bandwidth Optimized allows for hub-and-spoke deployments. Selecting Real-time Optimized allows for dynamic mesh deployments as well as hub-and-spoke.

    • Click Next

      The window advances to the Tenant Properties section. For this example, browse the Tenant properties but do not make any changes.

    • Click Next

      The window advances to the Summary section. Review the summary.

    • Click OK

      A pop-up message appears that tells you that the Add Tenant job was started. After some time, your new tenant appears in the list of tenants.

    The preceding steps show only one of many possible settings that can be used to create an SD-WAN tenant.

View Application Traffic Type Profile

You can customize class-of-service and probe parameters with traffic type profiles. Only profiles with the enabled status can be used in policy intents. The CSO SP administrator can enable and disable existing profiles. They can also create new profiles upon request.

Modify Device Templates

In this section, we modify an existing device template so that it works for this example.

  1. Navigate to Resources > Device Templates
  2. Find the device template named NFX250 as SD-WAN CPE.
  3. Select the check-box next to that template
  4. Click the Clone button

    Since an OpCo administrator cannot

  5. Enter a display name and a name for the cloned template

    CSO shows the display name in various workflow locations but uses the entered name behind the scenes.

  6. Select the check-box next to the cloned template and then select Template Settings from the Edit Device Template pull-down menu.

    A new window titled Template Settings appears.

  7. In the Template Settings window, ensure that the following things are set:
    • ACTIVATION_CODE_ENABLED: ON

      By requiring an activation code, a CPE device will not be allowed to communicate with CSO until the tenant has activated a site using the activation code. The value of the activation code will be set later in the process.

    • AUTO_DEPLOY_STAGE2_CONFIG: OFF

      Stage 2 configurations are configurations that can be added to a device after the initial, stage 1, provisioning of the device. This setting prevents the automatic deployment of a stage 2 configuration.

    • OOB_MGMT_ENABLED: OFF

      This setting ensures that the jmgmt0 interface is not enabled on the NFX device. Since this is a managed Internet service and the NFX device will be sitting on the customer’s premises, this setting helps prevent unwanted logins by the tenant.

    • USE_SINGLE_SSH_TO_NFX: ON

    Do not change any other settings.

  8. Select Save when finished.
  9. Find the device template named SRX as SDWAN Hub and select the check-box next to its name.
  10. Click the Clone button
  11. Enter a display name and a name for the cloned template

    The template name is what is used in CSO when selecting the template for use.

  12. From the Edit Device Template pull-down menu, select Template Settings
  13. In the Template Settings window that appears, make sure the following options are set:
    • ACTIVATION_CODE_ENABLED: Off

    • ZTP_ENABLED: Off

    • WAN_0: ge-0/0/3

    • WAN_1: ge-0/0/1

    • WAN_2: ge-0/0/0

    • WAN_3: ge-0/0/2

    Leave all the other settings at their default.

  14. Click Save when finished.

Upload Software Image for vSRX

The NFX appliance that you are using as a CPE will be in factory-default state. Therefore it will not have any vSRX images to instantiate. During the zero touch provisioning (ZTP) process, the NFX downloads the GWR (vSRX) image from CSO.

To upload a software image:

  1. Navigate to the Resources > Images page.

    Here you can see the software images that have been uploaded to CSO.

  2. Click the + button to create a new image.

    The Upload Image page that pops up requires that you fill in all of the fields except Description and Supported Platform.

  3. Name the image vsrx-vmdisk-15.1.qcow2
  4. Select VNF Image as the image type.
  5. Click Browse and select the .qcow2 software image that you downloaded previously.
  6. Select Juniper as the Vendor.
  7. Select juniper-vsrx as the Family.
  8. Fill in the Major Version Number, Minor Version Number, and Build Number as 15, 1, and X49-D161, respectively.
  9. Click Upload. CSO displays a progress window as the file is uploaded.

Choose a Point of Presence (POP) for the Hub Site

A POP is a location within the service provider’s cloud in which PE routers and IPsec concentrators are located. It is a regionally located access point through which customer sites reach the hub devices placed within it. The hubs are either data hubs, OAM hubs, or both. SPs often place POPs in their network so that they are geographically close to customer sites.

Note

The SP Administrator is the only one with the privileges to create POPs. In a cloud-hosted CSO deployment, the SP Administrator links your tenant with an appropriate POP.

  1. Navigate to the Resources > POPs page.

    Here you can see a list of POPs available to you.

  2. Make note of the POP name(s) and location(s) so that you can choose the appropriate one when onboarding CPE devices.

Note Your Provider Hub Device

A provider hub device resides in a regional POP within the service provider’s network or cloud. Provider hub devices can be shared amongst multiple tenants through the use of virtual routing and forwarding (VRF) instances configured on the hub itself.

  1. Navigate to the Resources > Cloud Hub Devices page.

    Here you can see a list of all cloud hub devices with their POP and site associations, status, model, serial number, and OS version.

  2. Make note of the names of the Provider Hub devices available to you.

Create and Configure the Tenant’s Hub Site

In this section, we continue in the Customer Portal for your new tenant to create a provider hub site that will connect with the spoke site created in the next section.

A provider hub site is the site on the SP’s network at which the provider hub device resides. The provider hub site is associated with a POP.

Ensure that you are on the Resources > Site Management page in the Customer Portal of your new tenant.

  1. From the Add pull-down menu on the Sites page, select Provider Hub Site

    A new window, titled Add Provider Hub for <tenant-name>, appears.

  2. Fill in the information requested in this window as follows:
    • In the Configuration section, select the POP and Hub Device Name

      The POP must exist and the hub device must be activated for it to show up in the list. The POP and Hub device are provided by the SP Administrator. In the case of cloud-hosted CSO, this is Juniper Networks.

  3. Click OK when finished

Create and Configure a Spoke Site for the Tenant

In this section, we continue in the Customer Portal for the newly configured tenant in order to create an On-Premise Spoke site.

This procedure begins in the Tenants window of the Administration Portal at the list of tenants.

  1. Click on the name of the tenant that you just created

    This will take you to the Customer Portal for that tenant. The Dashboard is displayed.

  2. Select Resources > Site Management link from the left-nav bar
  3. In the Site Management window that appears, click Add On-premise Spoke Site

    A new window titled Add On-Premise Spoke Site for Tenant appears.

  4. Fill out the information in the Site Information section.
  5. In the Site Capabilities section, select the type of WAN and LAN capabilities you want for this site.

    The available site capabilities are based on the tenant capabilities defined during tenant creation. You can choose one WAN capability in addition to one optional LAN capability.

    For this example, choose only SD-WAN.

  6. In the Configuration section, choose the appropriate Provider Hub from the pull-down menu.
  7. Click Next

    This brings up the WAN section.

  8. Next to Device Series, select NFX 250 from the pull-down menu.

    A horizontal list of device template boxes applicable to the NFX250 series devices appears.

  9. Click the left (<) or right (>) arrow until you see the NFX250 as SD-WAN CPE box. Click on that box.
  10. In the Device Information section:
    • Fill in the Serial Number for the NFX250 device

    • Leave Auto Activate selected

    • For the Boot Image, select the NFX series software image that you previously uploaded to CSO.

      The Boot Image tells CSO whether to update the device with a software image from the image management system or to use the image that exists on the device.

  11. In the WAN Links section, select the Enable button next to Wan_0

    Fill in the following

    • Link Type: MPLS

    • Access Type: Ethernet

    • Egress Bandwidth: 1000 Mbps

    • Click the > button next to Advanced Settings and fill in the following information:

    • Provider: MPLS-Service-Provider

      This can be any provider name, but it is a required field.

    • Cost/Month: 1000

      Use a realistic value for this cost per month. This number is used in SD-WAN link-switch calculations.

    • Local Breakout: Off

    For this example, leave the other settings at their default.

  12. Select the Enable button next to Wan_1

    Fill in the following

    • Type: Internet

    • Access Type: Ethernet

    • Egress Bandwidth: 25 Mbps

      Use the appropriate bandwidth number for your network. 25 is simply an example.

    • Click the > button next to Advanced Settings and fill in the following information:

    • Provider: Internet-Service-ProviderA

      This can be any provider name, but is a required field.

    • Cost/Month: 100

      Use a realistic value for this cost per month. This number is used in SD-WAN link-switch calculations.

    • Local Breakout: Off

    For this example, leave the other settings at their default.

  13. Click Next when finished

    The window advances to the LAN section.

  14. (Optional) Click the Add LAN Segment button

    A new window appears titled Add LAN Segment.

    Fill in the following information in this window:

    • Name: LAN2

      This can be any name that makes sense in your deployment.

    • VLAN ID: <Leave blank>

      Enter a VLAN ID if required at the remote site. For this example, leave VLAN ID blank.

    • Department: <Leave as Default>

      In CSO, spoke site departments equate to security zones on the GWR. In this example, the Default security zone will be used later when we create security policies. Creating multiple departments for the spoke site creates multiple security zones with the same names on the GWR.

      If you have departments set up already and the proper department is not shown, you can create one by clicking on the Create Department link.

    • Gateway Address/Mask: 10.0.2.1/24

      Specify a unique and valid IPv4 address with subnet mask. This address will be the default gateway for endpoints in this LAN segment.

    • DHCP: Off

      The NFX250 can provide DHCP server services for the remote LAN. For this example, leave DHCP set to off.

    • CPE Ports: Select LAN_2 (ge-0/0/2) by clicking the check-box next to it.

    • Click the -> button to move LAN_2 (ge-0/0/2) from the available list to the selected list

  15. Click Save when finished

    The Add LAN Segment window closes.

  16. Click Next

    The window advances to the Summary section.

  17. Review the Summary section
  18. Click OK when you’re finished reviewing

    A device activation window pops up and displays the progress of your site deployment.

    Note

    In the event of an error or delay, you can open a read-only SSH session to the device from CSO. This will allow you to troubleshoot connection or other issues.
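As an added example (not part of the Juniper documentation), the following Python check validates the Gateway Address/Mask values for the Add LAN Segment step above before you type them in: it rejects entries that are not a usable host address and entries whose subnet collides with a segment already defined. The function names and the sample segment plan are constructed for this example.

```python
# Added example, not CSO code: pre-check LAN segment gateway/mask entries.
# The Add LAN Segment window asks for "a unique and valid IPv4 address with
# subnet mask" (e.g. 10.0.2.1/24). Catching mistakes here avoids a failed
# site deployment later.
import ipaddress


def check_gateway(candidate, existing):
    """Return a list of problems with `candidate` ("a.b.c.d/prefix") given the
    gateway/mask strings already used by other LAN segments.
    An empty list means the entry is usable."""
    try:
        iface = ipaddress.IPv4Interface(candidate)
    except ValueError as exc:
        return [f"not a valid IPv4 address/mask: {exc}"]
    problems = []
    net = iface.network
    # The gateway is the default gateway for endpoints, so it must be a host
    # address, not the network or broadcast address of the segment.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if net.prefixlen >= 31:
        problems.append(f"/{net.prefixlen} leaves no host addresses for endpoints")
    for other in existing:
        other_if = ipaddress.IPv4Interface(other)
        if other_if.ip == iface.ip:
            problems.append(f"gateway {iface.ip} is already used by another segment")
        elif net.overlaps(other_if.network):
            problems.append(f"{net} overlaps existing segment {other_if.network}")
    return problems


def check_plan(segments):
    """Check a list of (name, gateway/mask) pairs in order, each against the
    entries accepted before it. Returns {name: problems} for bad entries."""
    report = {}
    accepted = []
    for name, gateway in segments:
        problems = check_gateway(gateway, accepted)
        if problems:
            report[name] = problems
        else:
            accepted.append(gateway)
    return report


# Constructed sample plan; LAN2 uses the value from the step above.
SAMPLE_PLAN = [
    ("LAN2", "10.0.2.1/24"),
    ("LAN3", "10.0.3.1/24"),
    ("LAN4", "10.0.2.129/25"),  # overlaps LAN2
    ("LAN5", "10.0.4.0/24"),    # network address, not a host address
]

if __name__ == "__main__":
    for name, probs in check_plan(SAMPLE_PLAN).items():
        print(f"{name}: " + "; ".join(probs))
```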

Install License on Device

To install a license on a device, you use the Administration Portal.

  1. Navigate to Administration > Licenses > Device Licenses.

    In the pop-up window that appears,

  2. Click the check box next to the license file that you uploaded in step 3.
  3. Click the Push License button at the upper-right part of the list and select Push.

    The Push License window appears.

  4. Select the name of the tenant that you created previously from the Tenant pull-down menu.

    Your sites and devices appear under Sites and Devices.

  5. Select the check box next to your tenant site to push the license to the CPE device at that site.

Install Application Signature

This step allows the CPE device to obtain the signature database needed for application identification.

To install an application signature:

  1. Navigate to Administration > Signature Database

    From the signature download you completed previously, you can now see the Active Database section has the number of the downloaded database listed.

  2. Click the Install on Device link under the Actions column.

    In the new window that appears, you can elect to push the signatures to any device listed.

  3. Select the check box next to the NFX250 device
  4. Click OK

Add Firewall and NAT Policies to the Topology

In this section, we use the Customer Portal for your new tenant and create an intent-based firewall policy that blocks icmp-ping traffic.

  1. In the Customer Portal for your tenant, navigate to Configuration > Firewall > Firewall Policy.

    This brings up the Firewall Policy page. Here you can see a list of policies. You will see the Default_FW_Policy which has 1 intent associated with it.

  2. (Optional) Click the Default_FW_Policy link.

    The page changes to show the intents associated with this firewall policy. You can see that the policy allows any traffic originating from any address in the trust zone to any address in the untrust zone. To get back to the list of firewall policies, navigate to Configuration > Firewall > Firewall Policy

  3. Click the Check-box next to Default_FW_Policy
  4. Click the Deploy button

    This brings up a Deploy window. Here you can select to run the policy deployment now or schedule it to run later.

  5. Click Deploy

    Deployment progress bars appear as CSO deploys the policy. When it finishes, the Total Intents count increases from 0 to 1.

The policy can be implemented at any time for any device within this tenant that works with zone-based firewall policies.

Add SD-WAN SLA-Based Steering Profiles and Policy

In this section, we use the Customer Portal to select a Path-Based Steering Profile and apply it to the SD-WAN Policy to specify that Microsoft Outlook traffic should pass over the WAN_0 overlay link rather than the default link, WAN_1.

  1. Navigate to Configuration > SD-WAN > Path-Based Steering Profiles
  2. Click the + to create a new profile

    This brings up an Add PathProfile window.

    In the new window, fill in the following information

    • Name: <Enter a name for the profile, such as Internet-Path>

    • Traffic Type Profile: INTERNET

    • Path Preference: Internet

      Priority value 1 is the highest priority. Higher priority profiles (lower numbers) take precedence over lower priority ones during SD-WAN events.

  3. Click OK

    This causes the window to close. The new policy shows in the list.

  4. Navigate to Configuration > SD-WAN > SD-WAN Policy

    This brings up the SD-WAN policy page which includes a list of all SD-WAN policies.

  5. Click the + at the upper right part of the list to create a new policy

    This brings up a policy builder with the Source section activated.

    The Source defaults to All Sites.

    The Application section defaults to Any.

    Leave the source field at its default.

  6. Click the + Select Destination
  7. Type YouTube at the text-insertion point

    This brings up a list of available applications.

  8. Select YouTube from the list.
  9. Click + Select Profile

    This brings up a list of available profiles.

  10. Select Internet-Path from the Path-Based Profiles [SLA] section of the list.
  11. Click Save

    This closes the builder window and shows the list of SD-WAN Policies.

  12. Click the Deploy button

    This brings up a Deploy window. Here you can select to run the policy deployment now or schedule it to run later.

  13. Click Deploy

    Deployment progress bars appear as CSO deploys the policy. When it finishes, the Total Intents count increases from 0 to 1.

Release History Table

Release   Description
5.0.2     Starting with CSO Release 5.0.2, you can define your own custom application signatures for use in SD-WAN policy. For more information regarding this optional step see Contrail Service Orchestration Administration Portal User Guide.