Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Hybrid WAN Deployment Architecture


In the Hybrid WAN deployment, the Contrail Services Orchestration (CSO) software resides in the service provider’s cloud, and is operated by the service provider to provide network services to the CPE devices at customer sites.

Figure 1 shows a simple diagram of the Hybrid WAN solution. The cloud represents the service provider network to which the customer site is connected.

Figure 1: Hybrid WAN Solution
Hybrid WAN Solution

As mentioned previously, the Hybrid WAN deployment makes use of on-premises CPE devices in order to localize the delivery of network services and provide gateway router functionality. In this case, the Juniper Networks NFX Series or SRX Series devices act as the CPE devices.

In the case of an NFX Series device acting as the CPE, the gateway router function is provided by a built-in vSRX VNF and network services are hosted and provided from within an NFX device that is located at the customer site. This makes the network services extremely responsive from the point of view of the customer LAN, while negating the need for customer traffic to traverse the WAN in order to access the services.

In the case of an SRX Series device as the managed CPE device, only services native to the SRX (such as firewall, NAT, and UTM) can be provisioned and managed at the customer site by CSO. Other services(such as WAN optimization) must be provisioned and managed separately from the SRX and cannot be managed by CSO.

In addition to the CPE devices, the Hybrid WAN solution also makes use of a provider edge (PE) router in the service provider cloud. The PE router terminates IPSec tunnels and provides policy-based access to the service provider’s MPLS network. The PE and CPE devices communicate over one or more WAN links and make use of MPLS/GRE or IPSec tunnels for secure transport. Supported device types for a Hybrid WAN deployment and required software versions are shown in Table 1.

Table 1: Hardware and Software Matrix for CPE Devices in a Hybrid WAN Deployment



Models Supported

Junos OS Software Release Versions

CPE device

NFX250 Network Services Platforms

  • NFX250-LS1 device

  • NFX250-S1 device

  • NFX250-S2 device




NFX150 Network Services Platforms

  • NFX150-S1 device

  • NFX150-S1E device

  • NFX150-C-S1 device

  • NFX150-C-S1-AE/AA device

  • NFX150-C-S1E-AE/AA device



SRX Series Services Gateways

  • SRX300

  • SRX320

  • SRX340

  • SRX345

  • SRX4100

  • SRX4200





vSRX on an x86 server





For the most up to date information on hardware and software support for CSO, see the Contrail Service Orchestration Release Notes.

Selection of services, and some service management capabilities can be allocated to the customer by the service provider using the CSO Administration Portal. The customer would then access the allowed services and management capabilities by using the Customer Portal.

CSO manages the lifecycle of the VNFs hosted on the NFX CPE devices from creation in Network Designer, through instantiation, deployment, and finally through replacement or retirement.


Designer tools such as Network Designer are only available for on-premises deployments of CSO.