Managing LAN Segments on a Tenant Site

A network on a tenant site is divided into multiple LAN segments to improve traffic management and security. A LAN segment is a small portion of a LAN that is used by a work group. A grouping of multiple LAN segments form a department. LAN segments are separated by a bridge, router, or a switch.

You can view and manage LAN segments from the LAN tab of the Site Name page.

These topics describe how to manage LAN segments on a site.

Adding LAN Segments

You add LAN segments from the Site Name page.

Procedure

To add a LAN segment:

Click Resources > Site Management.
The Sites page appears.
Click the site for which you want to add the LAN segment.
The Site-Name page appears.
Click the add icon (+) on the LAN tab.
The Add LAN Segment page appears.
Complete the configuration settings according to the guidelines provided in Table 76.
Note Fields marked with an asterisk (*) are mandatory.
Click OK.
You are returned to the Site-Name page, where the LAN segment that you added is displayed.

Table 76: Add LAN Segment Settings

Field	Description
Name	Enter a name for the LAN segment. The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length is 15 characters.
Type Note: This field is displayed only for LAN segments associated with enterprise hub sites.	Select the type of LAN segment: Directly Connected (default)—Indicates that the LAN segment is directly connected to the site. Dynamic Routed—Indicates that the LAN segment is not directly connected to the site and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.
VLAN ID	Enter the VLAN ID for the LAN segment. Range: 2 through 4093.
Department	Select a department to which the LAN segment is assigned. Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Adding a Department for details. You can group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department.
Protocol	For dynamically routed LAN segments, select the routing protocol (BGP or OSPF) to be used by the data center department to learn routes from the data center.
Advertise LAN Prefix	For dynamically routed LAN segments, click the toggle button to advertise the LAN prefix of the SD-WAN spoke site to the data center through the data center department associated with the enterprise hub. By default, the advertise LAN prefix field is disabled. Note: You must avoid overlapping IP addresses between the SD-WAN LAN network and the datacenter network.
Gateway Address/Mask	Enter a valid gateway IP address and mask for the LAN segment. This address will be the default gateway for endpoints in this LAN segment. For example: 192.0.2.8/24.
DHCP	For directly connected LAN segments, click the toggle button to enable DHCP (default). You can enable DHCP if you want to assign IP addresses by using a DHCP server or disable DHCP if you want to assign a static IP address to the LAN segment. Note: If you enable DHCP, additional fields appear on the page.
Additional fields related to DHCP
Address Range Low	Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.
Address Range High	Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.
Maximum Lease Time	Specify the maximum duration (in seconds) for which a client can request for and hold a lease on the DHCP server. Default: 1440 Range: 0 through 4,294,967,295 seconds.
Name Server	Specify one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address. Note: DNS servers are used to resolve hostnames into IP addresses.
CPE Ports	For sites with LAN capability, click the toggle button to include or exclude the CPE in the LAN segment. When you include the CPE in the LAN segment: CPE ports that you can include in the LAN segment are listed. Select the ports from the Available column and click the right-arrow to move the ports to the Selected column. The Switch Ports field is disabled. CSO automatically assigns LAN ports on the Switch device and creates the same LAN segment on the Switch. If you click to exclude the CPE from the LAN segment, you must specify the switch ports that connect with the LAN in the Switch Ports field. CSO automatically assigns LAN ports on the CPE device and creates the same LAN segment on the CPE device. Note: You can select only one port if the CPE is a physical SRX Series device. For sites without LAN capability, the CPE Ports field is disabled and the CPE ports that you can include in the LAN segment are listed. Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.
Switch Ports Note: This field is displayed only when LAN capability is selected for the enterprise hub.	If you disable the CPE ports field, select ports on the switch to be part of the LAN segment. The Switch ports and CPE ports are mutually exclusive. Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.
BGP Configuration Note: This section is displayed only for dynamic routed LAN segments with BGP specified as the protocol.
Authentication	Select the BGP route authentication method to be used: None—Indicates that no authentication should be used. This is the default. Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.
Peer IP Address	Enter the IP address of the BGP neighbor.
Peer AS Number	Enter the autonomous system (AS) number BGP neighbor.
Auth Key	If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.
OSPF Configuration Note: This section is displayed only for dynamic routed LAN segments with OSPFspecified as the protocol.
OSPF Area ID	Specify the OSPF area identifier to be used for the dynamic route.
Authentication	Select the OSPF route authentication method to be used: Password—Indicates that password-based authentication should be used. If you choose this option, you must specify the password. (This is the default). Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key. None—Indicates that no authentication should be used.
Password	Enter the password to be used to verify the authenticity of OSPF packets.
Confirm Password	Retype the password for confirmation purposes.
MD5 Auth Key ID	If you specified that MD5 should be used for authentication, enter the OSPF MD5 authentication key ID. Range: 1 through 255.
Auth Key	If you specified that MD5 should be used for authentication, enter an MD5 authentication key, which is used to verify the authenticity of OSPF packets.

Deploying LAN Segments

After you create a LAN segment and assign it to a department, you must deploy the LAN segment. You can deploy LAN segments from the Site Name page.

Procedure

To deploy one or more LAN segments:

Click the LAN tab.
Select one or more LAN segments that you want to deploy and click Deploy.
A Deploy LAN Segment job is created.
Note If a Deploy LAN Segment job is in progress for a site, wait for the job to finish before triggering another Deploy LAN Segment job.
If you attempt to trigger a Deploy LAN segment job when another one is running, the job fails with a message indicating that the previous LAN segment deployment job is in progress.
Click More > Deploy History to view job status and deployment history of the LAN segment.
The Deploy LAN Segment History page displayed.
Alternatively, you can verify the status of the job from the Monitor > Jobs page.

Reassigning a Department to a LAN Segment

You can reassign the department assigned to a LAN segment from the Site Name page. .

Note Departments are not applicable for SD-LAN sites.

Procedure

To reassign a department:

Click the LAN tab.
Select a LAN segment and click Re-assign Department.
The Re-assign Department page appears.
Note You cannot reassign a LAN segment that is already assigned to a department and is deployed.
Select the department to which the LAN segment is to be assigned.
Click Deploy.
The success message Re-assign department succeeded. is displayed.
Click OK.
The LAN segment with the newly assigned department is displayed on the tenant site page.

Deleting LAN Segments

You can delete a LAN segments from the Site Name page.

Procedure

To delete a LAN segment:

Select a LAN segment and click the delete icon (X) icon on the LAN tab.
The Delete LAN Segment page appears.
Click OK to confirm deletion.
The LAN segment is deleted.

Help us to improve. Rate this article.

Feedback Received. Thank You!

Add Switches to an Existing SD-LAN Site

Activate a Device