New and Changed Features in Contrail Service Orchestration Release 5.1.0

 

This section describes the new features or enhancements to existing features in Contrail Service Orchestration (CSO) Release 5.1.0.

SD-WAN

  • Support for full mesh on an LTE WAN link—From CSO Release 5.1.0 onward, you can use LTE WAN links on a spoke site to connect the spoke site to enterprise hubs by enabling full mesh on the LTE WAN link and configuring a matching mesh-tag with the WAN link on the enterprise hubs.

  • Support for multiple WAN links on the same physical interface—From CSO Release 5.1.0 onward, for on-premise SD-WAN spoke sites, you can configure more than one WAN link on the same physical interface. The WAN links are connected from the same physical interface to the provider edge (PE) nodes through logical subinterfaces with VLAN separation.

  • Support for OAM and data capability for OpCo provider hub—From CSO Release 5.1.0 onward, Operating Companies (OpCos) can add provider hubs with OAM (Operation, Administration, and Maintenance) and data capability. In CSO releases before Release 5.1.0, OpCos can add provider hubs with only data capability.

  • Enhancements to cloud breakout settings—From Release 5.1.0 onward, CSO supports the following:

    • Generic routing encapsulation (GRE) tunnels (with public IP addresses for the WAN links) for cloud breakout traffic.

    • IPsec phase 1 parameters, phase 2 parameters, and domain name while adding cloud breakout settings.

    • IP address or hostname validation for cloud breakout nodes.

    • Auto-populate FQDN, preshared key, WAN links, and an option to change the respective values.

    • High availability between the WAN links of an SD-WAN spoke site and the cloud breakout node.

    • WAN link modes as active/active or active/backup for creating the tunnels.

    Note

    • For cloud breakout with GRE tunnels, CSO does not support CPE devices behind NAT.

    • A maximum of two WAN links is supported between an SD-WAN spoke site and the cloud breakout node.

  • Support for pool-based NAT for local breakout—From CSO Release 5.1.0 onward, for on-premise SD-WAN spoke sites, on a WAN link with local breakout enabled, you can specify that pool-based NAT be used instead of interface-based NAT, which is the default.

  • Enhancements to certificate authority (CA) configuration—From Release 5.1.0 onward:

    • CSO supports the configuration of CA servers of up to five tiers.

    • As a tenant administrator, you can edit the CA server URL and password from Customer Portal.

  • SD-WAN support for CPE devices behind NAT in full mesh topology—From Release 5.1.0 onward, CSO supports site-to-site tunnels for WAN links of CPE devices behind NAT in full mesh topology. You can now provide private IP addresses for WAN links behind NAT and create the tunnels to enterprise hub or spoke sites. In releases before Release 5.1.0, CSO supports private IP addresses for WAN links behind NAT only for the WAN links that are not selected for meshing, and such WAN links can establish the tunnels only to provider hubs.

    The support for CPE devices behind NAT in full mesh topology is applicable only for spoke devices. The OAM hubs, data hubs, and enterprise hubs or on-premise gateways require static public IP addresses for their WAN interfaces.

    The supported NAT types are listed in Table 2.

    Table 2: CPE Behind NAT in Full Mesh Topology

    WAN IP Address        NAT Type          Spoke-to-Hub Tunnel   Spoke-to-Spoke Tunnel
    Public IP address     No NAT            Supported             Supported
    Private IP address    Full cone NAT     Supported             Supported
    Private IP address    Restricted NAT    Supported             Supported
    Private IP address    Symmetric NAT     Supported             Not supported

    Note

    This feature is present in the application but has not yet been fully qualified by Juniper Networks.
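The reason the last row of Table 2 differs from the others is the way each NAT type binds an outbound mapping. The following Python model is an added illustration and is not CSO or CPE code; it implements the RFC 3489 NAT behaviours, lets a spoke bring up a tunnel to a hub and to a peer spoke (the peer learns the spoke's public mapping through the hub and both sides initiate), and recomputes the Support / Not supported columns from that behaviour. All IP addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass, field
from enum import Enum

Endpoint = tuple[str, int]          # (IP address, UDP port)


class NatType(Enum):
    NONE = "No NAT"
    FULL_CONE = "Full cone NAT"
    RESTRICTED = "Restricted NAT"
    SYMMETRIC = "Symmetric NAT"


@dataclass
class Nat:
    """Minimal model of the NAT in front of a spoke, using the RFC 3489 taxonomy.

    Illustrative model only, not CSO's or any CPE's real NAT traversal code.
    """
    kind: NatType
    public_ip: str
    next_port: int = 40000
    # Cone NATs key the mapping on the inside endpoint only; a symmetric NAT
    # also keys it on the destination, so every peer sees a different port.
    mappings: dict = field(default_factory=dict)
    # external endpoint -> set of destination IPs the inside host has sent to
    contacted: dict = field(default_factory=dict)

    def outbound(self, inner: Endpoint, dest: Endpoint) -> Endpoint:
        """Inside host `inner` sends to `dest`; return the external endpoint the peer sees."""
        if self.kind is NatType.NONE:
            return inner
        key = (inner, dest) if self.kind is NatType.SYMMETRIC else (inner,)
        if key not in self.mappings:
            self.mappings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        ext = self.mappings[key]
        self.contacted.setdefault(ext, set()).add(dest[0])
        return ext

    def inbound_allowed(self, src: Endpoint, ext: Endpoint) -> bool:
        """Would a packet from `src` addressed to external endpoint `ext` reach the inside host?"""
        if self.kind is NatType.NONE:
            return True
        if ext not in self.contacted:
            return False                           # no mapping exists for that endpoint
        if self.kind is NatType.FULL_CONE:
            return True                            # any outside host may use the mapping
        if self.kind is NatType.RESTRICTED:
            return src[0] in self.contacted[ext]   # only hosts the inside host already sent to
        # Symmetric: the mapping is usable only by the exact destination that created it.
        return any(key[1] == src for key, mapped in self.mappings.items() if mapped == ext)


# Constructed sample endpoints (RFC 5737 documentation ranges).
SPOKE = ("10.0.0.2", 500)
HUB = ("198.51.100.1", 500)
PEER = ("203.0.113.7", 500)


def spoke_to_hub(nat: Nat) -> bool:
    """Spoke initiates the tunnel; the hub answers to the mapping it observed."""
    ext = nat.outbound(SPOKE, HUB)
    return nat.inbound_allowed(HUB, ext)


def spoke_to_spoke(nat: Nat) -> bool:
    """Peer learns the spoke's public mapping via the hub; both sides then initiate."""
    learned = nat.outbound(SPOKE, HUB)   # hub observes this mapping and relays it to the peer
    nat.outbound(SPOKE, PEER)            # spoke also sends toward the peer's public address
    return nat.inbound_allowed(PEER, learned)


def tunnel_matrix(public_ip: str = "192.0.2.10") -> dict:
    """Recompute Table 2 from the model: NAT type -> (spoke-to-hub, spoke-to-spoke)."""
    return {
        kind.value: (spoke_to_hub(Nat(kind, public_ip)), spoke_to_spoke(Nat(kind, public_ip)))
        for kind in NatType
    }


if __name__ == "__main__":
    for nat_type, (hub_ok, peer_ok) in tunnel_matrix().items():
        print(f"{nat_type:15} spoke-to-hub={hub_ok!s:5} spoke-to-spoke={peer_ok}")
```

With a symmetric NAT the mapping the hub observed was created for the hub's address and port, so the peer's packets to that mapping are dropped, while the spoke-to-hub tunnel still comes up because the spoke initiates it. This is why the hubs and on-premise gateways must keep static public addresses: at least one end of every tunnel has to be reachable without a mapping.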

  • Support for provider edge resiliency—From Release 5.1.0 onward, for on-premise SD-WAN spoke sites, you can connect a WAN link to primary and secondary PE nodes, thereby providing PE resiliency on the underlay. CSO establishes a BGP peering relationship between the customer premises equipment (CPE) device and the PE nodes. PE resiliency is supported only when local breakout is enabled.

  • Support for BGP underlay route advertisements—From CSO Release 5.1.0 onward, for on-premise SD-WAN spoke sites with local breakout enabled, you can enable BGP underlay routing. Route advertisements to the primary PE node and, if configured, the secondary PE node occur as follows:

    • CSO advertises the WAN interface subnet.

    • If you specify a tenant public IP address pool and enable the option to advertise public LAN prefixes, for LAN segments that are created with a subnet that falls under the tenant public IP address pool, CSO advertises the LAN segment subnet.

    • If you configure pool-based translation, CSO advertises the NAT address pool.
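The three advertisement rules above decide which prefixes leave the site toward the PE, which is exactly what a reviewer wants to check before enabling BGP underlay routing. The following Python is an added example, not CSO code: it models the underlay-relevant settings of one WAN link (the field names are assumptions), applies the rules, and shows that a LAN segment outside the tenant public IP address pool is never advertised even when the option is on. It also repeats the set toward a secondary PE, as PE resiliency requires. Addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network

# RFC 1918 space, listed explicitly so the leak check does not depend on
# the stdlib's broader notion of "private" (which includes documentation ranges).
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


@dataclass
class WanLinkUnderlay:
    """Underlay-relevant settings of one WAN link on an on-premise spoke (constructed model)."""
    wan_subnet: Net                           # subnet of the WAN interface toward the PE
    local_breakout: bool                      # BGP underlay routing requires local breakout
    bgp_underlay: bool
    advertise_public_lan_prefixes: bool
    tenant_public_pool: Optional[Net] = None  # tenant public IP address pool, if specified
    nat_pool: Optional[Net] = None            # pool-based NAT pool; None = interface-based NAT
    lan_segments: List[Net] = field(default_factory=list)
    pe_peers: List[str] = field(default_factory=lambda: ["pe-primary"])


def underlay_advertisements(link: WanLinkUnderlay) -> List[Net]:
    """Prefixes advertised to the PE, following the three rules in the release note."""
    if not (link.local_breakout and link.bgp_underlay):
        return []
    adv = [link.wan_subnet]                                   # rule 1: WAN interface subnet
    if link.advertise_public_lan_prefixes and link.tenant_public_pool is not None:
        adv += [seg for seg in link.lan_segments              # rule 2: only LAN segments
                if seg.subnet_of(link.tenant_public_pool)]    # that fall inside the pool
    if link.nat_pool is not None:
        adv.append(link.nat_pool)                             # rule 3: NAT address pool
    return adv


def advertisements_per_pe(link: WanLinkUnderlay) -> Dict[str, List[str]]:
    """The same prefix set goes to the primary PE and, when configured, the secondary PE."""
    prefixes = [str(n) for n in underlay_advertisements(link)]
    return {pe: list(prefixes) for pe in link.pe_peers}


def rfc1918_advertised(link: WanLinkUnderlay) -> List[str]:
    """Review check: RFC 1918 prefixes that would leak into the provider underlay."""
    return [str(n) for n in underlay_advertisements(link)
            if any(n.subnet_of(priv) for priv in RFC1918)]


def sample_link() -> WanLinkUnderlay:
    """Constructed example with PE resiliency (primary and secondary PE) enabled."""
    return WanLinkUnderlay(
        wan_subnet=Net("192.0.2.0/30"),
        local_breakout=True,
        bgp_underlay=True,
        advertise_public_lan_prefixes=True,
        tenant_public_pool=Net("198.51.100.0/24"),
        nat_pool=Net("198.51.100.128/28"),
        lan_segments=[Net("198.51.100.0/26"),    # inside the pool: advertised
                      Net("10.20.0.0/24"),       # private LAN: never advertised
                      Net("198.51.100.64/26")],  # inside the pool: advertised
        pe_peers=["pe-primary", "pe-secondary"],
    )


if __name__ == "__main__":
    link = sample_link()
    for pe, prefixes in advertisements_per_pe(link).items():
        print(pe, prefixes)
    print("RFC 1918 leaks:", rfc1918_advertised(link))
```

A tenant public IP address pool that is accidentally configured with private space would make `rfc1918_advertised` non-empty; that is the case to look for when reviewing a site's underlay settings.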

  • Support for flexible (mixed) VLAN tagging—From CSO Release 5.1.0 onward, when the same physical interface is used for multiple WAN links, CSO supports simultaneous tagged and untagged WAN links on a single CPE device, with the condition that only one WAN link on that interface can be untagged.

  • Support for class of service at the logical interface level—From CSO Release 5.1.0 onward, when the same physical interface is used for multiple WAN links, CSO supports class of service (CoS) provisioning of the shaping rate at the logical interface level. In CSO releases before Release 5.1.0, CSO supports CoS provisioning of the shaping rate only at the physical interface level.
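The three items above (several WAN links on one physical interface with VLAN separation, at most one untagged link, and per-logical-interface CoS shaping) amount to a set of rules that can be checked before a site is pushed. The following Python validator is an added example, not CSO's data model or validation code: the `WanLink` fields, the interface name, and the mapping of an untagged link to unit 0 and a tagged link to a unit numbered by its VLAN ID are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class WanLink:
    """One WAN link of an on-premise spoke (constructed model, not CSO's data model)."""
    name: str
    physical_interface: str                 # e.g. "ge-0/0/3"; interface names are assumed
    vlan_id: Optional[int]                  # None = untagged link
    shaping_rate_mbps: Optional[int] = None # CoS shaping rate for this logical interface


def validate_shared_interfaces(links: List[WanLink]) -> List[str]:
    """Return human-readable violations of the multi-WAN-link rules for one CPE."""
    errors: List[str] = []
    by_ifd: Dict[str, List[WanLink]] = defaultdict(list)
    for link in links:
        by_ifd[link.physical_interface].append(link)

    for ifd, group in sorted(by_ifd.items()):
        # Rule: mixed tagging is allowed, but only one link per interface may be untagged.
        untagged = [l.name for l in group if l.vlan_id is None]
        if len(untagged) > 1:
            errors.append(f"{ifd}: only one WAN link may be untagged, found {sorted(untagged)}")
        # Rule: tagged links are separated by VLAN, so VLAN IDs must be valid and unique.
        seen: Dict[int, str] = {}
        for link in group:
            if link.vlan_id is None:
                continue
            if not 1 <= link.vlan_id <= 4094:
                errors.append(f"{ifd}: {link.name} has invalid VLAN ID {link.vlan_id}")
            elif link.vlan_id in seen:
                errors.append(f"{ifd}: {link.name} reuses VLAN {link.vlan_id} of {seen[link.vlan_id]}")
            else:
                seen[link.vlan_id] = link.name
    return errors


def logical_interface_shaping(links: List[WanLink]) -> Dict[str, Optional[int]]:
    """Map each WAN link to its logical interface and the shaping rate applied there.

    Unit numbering is an assumption for illustration: untagged -> unit 0,
    tagged -> unit equal to the VLAN ID.
    """
    return {
        f"{l.physical_interface}.{0 if l.vlan_id is None else l.vlan_id}": l.shaping_rate_mbps
        for l in links
    }


# Constructed sample: one untagged and two tagged links on the same physical interface.
SAMPLE_LINKS = [
    WanLink("wan0", "ge-0/0/3", None, 50),
    WanLink("wan1", "ge-0/0/3", 100, 200),
    WanLink("wan2", "ge-0/0/3", 200, 100),
]
# Constructed sample that breaks both rules: a second untagged link and a reused VLAN.
BAD_LINKS = SAMPLE_LINKS + [WanLink("wan3", "ge-0/0/3", None), WanLink("wan4", "ge-0/0/3", 100)]


if __name__ == "__main__":
    print(validate_shared_interfaces(SAMPLE_LINKS))       # []
    for err in validate_shared_interfaces(BAD_LINKS):
        print("violation:", err)
    print(logical_interface_shaping(SAMPLE_LINKS))
```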

  • Edit support for site properties—From CSO Release 5.1.0 onward, you (as a tenant administrator) can edit the following properties configured for a site from the Sites page:

    • Address and Contact Information—Street Address, City, State/Province, ZIP/Postal Code, Country, Contact Name, Email, and Phone Number.

    • Advanced Configuration—Name Server IP List, NTP Server, and Time zone.

    • In-band Management Port (available only for sites with next-generation firewall capability).

  • Edit support for tenant properties—From CSO Release 5.1.0 onward, you can edit the following parameters configured for a tenant from Administration Portal and Customer Portal:

    • Common tenant parameters—Password Expiration Days, Services (applicable only for SP administrators or OpCo administrators).

    • Parameters for tenants with SD-WAN capability:

      • Parameters that you can modify only before sites are added for the tenant: SSL Settings, VPN Authentication, Network Segmentation, and Overlay Tunnel Encryption.

      • Parameters that you can modify before or after sites are added for the tenant: Threshold for Creating a Tunnel, Threshold for Deleting a Tunnel, Cloud Breakout Settings, Tenant-specific Attributes.

      • Parameters for tenants with Hybrid WAN, Next-generation Firewall, or LAN capabilities: Tenant-specific Attributes.

SD-LAN

  • Deploy SD-LAN using EX4600 and EX4650 switches—From CSO Release 5.1.0 onward, you can manage EX4600 and EX4650 devices for SD-LAN in enterprise networks.

    Note

    CSO Release 5.1.0 does not support EX4600 and EX4650 virtual chassis.

  • Support for EX Series Virtual Chassis—From Release 5.1.0 onward, you can add a Virtual Chassis with EX2300, EX3400, and EX4300 devices as members. However, you cannot add a Virtual Chassis with EX4600 and EX4650 devices as members.

    All the devices in the Virtual Chassis must be of the same device type and model.

    You can add the following number of devices in a Virtual Chassis, based on the device type:

    • EX2300: 4 member devices

    • EX3400: 10 member devices

    • EX4300: 10 member devices

    Note

    In Release 5.1.0, the Virtual Chassis is autoprovisioned; that is, CSO discovers the members from the fully formed Virtual Chassis during provisioning.

  • Image upgrade for Virtual Chassis members—From Release 5.1.0 onward, CSO supports the upgrade of images for an EX Series Virtual Chassis:

    Images for the members of the Virtual Chassis are upgraded one after the other, in the following order: Linecard, Backup, and Primary.

  • RMA support for EX Series switches—From CSO Release 5.1.0 onward, you can initiate the Return Material Authorization (RMA) workflow for a defective EX Series switch (physical standalone switch) when the switch is behind an SRX Series device acting as an SD-WAN CPE, next-generation firewall, or internet gateway.

    CSO Release 5.1.0 supports RMA for an EX Virtual Chassis member when the Virtual Chassis is deployed as a standalone switch (that is, behind an internet gateway).

    Note

    RMA support for an EX Series switch (physical standalone switch) behind a next-generation firewall is present in the application, but has not yet been fully qualified by Juniper Networks.

  • Configure and monitor the ports of an EX Series switch—From Release 5.1.0, you can use CSO to configure and monitor the ports of an EX Series switch. You can either configure the ports by accessing each port individually or by using a port profile, from the Ports tab of the Devices page in the Customer Portal UI.

    You can configure and deploy port authentication profiles to implement network access control (NAC), and firewall filters to enforce security on the switch ports. After you configure the switch ports, you can monitor the ports from the Devices page.

    Note

    You can add a port profile to CSO and configure one or more switch ports by using that port profile. However, adding a port profile to CSO and configuring a port by using a port profile has not yet been fully qualified by Juniper Networks.

  • Firewall configurations for EX Series switches—From CSO Release 5.1.0 onward, you can configure firewall filters for EX Series switches. A firewall filter defines the rules to permit or deny packets that are transiting a switch port. You can assign the firewall filter as an ingress filter or egress filter to a switch port either while manually configuring the port or through port profiles.

    Note

    • On EX2300 devices, the egress filters support only MAC addresses as source and destination endpoints.

    • This feature is present in the application but has not yet been fully qualified by Juniper Networks.

Next-Generation Firewall

  • Support for custom application signatures in firewall policies—From Release 5.1.0 onward, CSO supports custom application signatures in firewall policies, in addition to its existing support in SD-WAN policies.

  • Support for customized IPS signatures, static groups, and dynamic groups—From CSO Release 5.1.0 onward, you can create, modify, or delete customized intrusion prevention system (IPS) signatures, IPS signature static groups, and IPS signature dynamic groups. In addition, you can clone predefined or customized IPS signatures, static groups, and dynamic groups. You can then use the IPS signatures, static groups, and dynamic groups in an IPS profile that can contain one or more IPS or exempt rules.

  • Support for importing policy configurations—From Release 5.1.0 onward, CSO supports importing policy configurations from next-generation firewall devices. The following features are supported:

    • Manage next-generation firewall sites for enterprise customers with brownfield deployments.

    • Discover the existing policy configuration while onboarding a next-generation firewall device (without enabling ZTP).

    • Import policy configurations from Firewall and NAT policy pages.

    • Deploy policies after importing them to CSO.

Miscellaneous

  • Support for configuration templates—From CSO Release 5.1.0 onward, you can view, create, modify, clone, and delete configuration templates from Administration Portal and Customer Portal. In addition, you can assign a configuration template to one or more device templates and deploy configuration templates on one or more devices. You can use the preview and render workflow to validate a configuration template.

    Note

    In CSO releases before Release 5.1.0, configuration templates are called stage-2 configuration templates.

  • Predefined configuration templates—From CSO Release 5.1.0 onward, the following predefined configuration templates are added:

    • LACP—Use this template to bundle several physical interfaces into one logical interface and to enable link monitoring.

    • SNMP—Use this template to configure the minimum requirements for SNMP, including community, client list, trap group, and trap options.

    • COS/QoS—Use this template to divide traffic into classes and offer various levels of throughput and packet loss when congestion occurs.

    • IGMP Snooping—Use this template to configure Internet Group Management Protocol (IGMP) snooping.

    • RSTP—Use this template to configure Rapid Spanning Tree Protocol (RSTP) on switching ports.

  • Retry failed bootstrap jobs—From CSO Release 5.1.0 onward, you can retry the bootstrap jobs that did not complete successfully on your devices.

  • Enhancements to CSO licenses—From CSO Release 5.1.0 onward, users with the SP Administrator role can edit and delete CSO licenses in Administration Portal.

  • Introducing Quick Help in Administration Portal and Customer Portal—From CSO Release 5.1.0 onward, you can access the help documentation within Administration Portal and Customer Portal user interfaces.

    You can launch Quick Help from Help Menu (?) > Quick Help. Alternatively, you can use the More… hyperlinks on the user interface to access Quick Help. You no longer need to switch between windows to get help: Quick Help presents all topics, the most popular topics, and FAQs in a tabbed interface.