Add an On-Premise Spoke Site with Next-Generation Firewall and LAN Capabilities
You can add a next-generation firewall site with LAN capabilities to manage an SRX device that is configured as a firewall device along with an EX series switch that is configured for the LAN network.
The following image shows a simple network topology for an on-premise spoke site with next-generation firewall and LAN capabilities.
Complete the connections as shown in the topology diagram and power up the devices.
This task assumes that the firewall device will get DHCP IP address and will have Internet connectivity along with DNS resolution when connected according to the network design.
When you configure the SRX device, ensure that you configure either the first port (ge-0/0/0) or the last port (ge-0/0/15, depending on the SRX model) for Internet connectivity.
For more information about connecting the cables and connecting a console to the device, see the documentation for the firewall device. Links to the hardware documentation for the supported models are provided in Table 1.
Ensure that the devices are running the recommended version of Junos OS. For information about the supported Junos OS versions in a release, see the Release Notes for that release.
SRX3xx devices and SRX550M
- From the Sites page (Resources > Site Management) of the CSO portal, click Add and select On-Premise Spoke Site.
The Add Site wizard appears.
- Complete the configuration as explained in Table 2.
- Click OK to add the site.
If the Zero Touch Provisioning (ZTP) toggle button is enabled (default), CSO pushes the stage-1 and stage-2 configurations and provisions the switch.
This process occurs immediately after the activation process, for which you entered the activation code or selected auto-activation.
Stage-1 configuration is the initial configuration pushed to a device to give it basic connectivity to CSO.
Stage-2 configuration is the configuration that CSO pushes to the device after the device has connected to CSO.
If you disabled the Zero Touch Provisioning (ZTP) toggle button, you must manually configure the stage-1 configuration (as provided by CSO) on the switch.
To manually configure the stage-1 configuration:
- On the Site Activation: Site-Name page, the Click to copy stage-1 configuration link appears after the Prestage Device step completes successfully.
- Click the Click to copy stage-1 configuration link.
The stage-1 configuration page appears displaying the stage-1 configuration to be copied to the EX Series device.
- Copy the stage-1 configuration and log in to the console of the EX Series switch.
- Enter the configuration mode, paste, and commit the configuration.
After the stage-1 configuration is committed, the switch has the outbound SSH configuration to connect with CSO.
CSO then provisions the switch.
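The paste-and-commit step above, shown as an added example of the Junos CLI session on the EX Series switch; this is not CSO's stage-1 configuration (that text is what you copy from the "Click to copy stage-1 configuration" link), the prompt name is a placeholder, and lines starting with "#" are commentary rather than CLI input. It assumes the copied configuration is in curly-brace (hierarchical) format; if CSO provides it as "set" commands, use "load set terminal" instead of "load merge terminal".

```junos
# Added example session, not CSO's stage-1 configuration.
user@ex-switch> configure
Entering configuration mode
[edit]
user@ex-switch# load merge terminal
[Type ^D at a new line to end input]
# Paste the stage-1 configuration copied from the CSO portal here,
# then press Ctrl-D on a new line to end the input.
^D
load complete
[edit]
# Validate syntax and commit-time checks before changing the running config.
user@ex-switch# commit check
configuration check succeeds
[edit]
user@ex-switch# commit
commit complete
[edit]
user@ex-switch# exit
# Confirm that the outbound SSH stanza the switch needs to reach CSO is present.
user@ex-switch> show configuration system services outbound-ssh
```

Running "commit check" first catches a truncated or mangled paste before it is committed; if the check fails, use "rollback 0" to discard the candidate configuration and paste again rather than committing a partial stage-1 configuration.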
When the site is successfully created, the Site Status in the Sites page changes to Provisioned.
Table 2: SD-WAN On-Premise Spoke Site Settings
Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 10 characters.
Select Next Gen Firewall.
Enter the serial number of the device.
Auto Activate is enabled by default. When Auto Activate is enabled, the device activation is automatically triggered when the site is added. The Activation Code field appears if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device.
Zero Touch Provisioning
Zero Touch Provisioning is enabled by default. When Zero Touch Provisioning is enabled, zero-touch provisioning of the device is automatically triggered when the site is added. Note that the SRX device must support the phone-home client for ZTP to work. If the device does not support the phone-home client, disable Zero Touch Provisioning and manually copy and paste the stage-1 configuration using the device CLI.
In Band Management
Use the same port that you have configured for Internet connectivity for in-band management. Based on the SRX device, the port can be the first port (
Enter a unique name for the device.
Select the type of the device.
Select at least two trunk ports on the CPE device to connect with the switch.
Switch Management Subnet
Specify the subnet that the DHCP can use to assign IP addresses.
Enter the serial number of the device.
If the selected device supports ZTP, Auto Activate is enabled. When Auto Activate is enabled, zero-touch provisioning of the device is automatically triggered when the site is added.
The Activation Code field appears if the selected device template does not support ZTP or if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device.
After you add the site, you can complete the following tasks as required:
The device must be activated before you install licenses or signatures, or deploy policies.
If the EX Series switch has Mist access points associated with it, you can integrate the Mist access points with CSO. For more information about integrating Mist access points with CSO, see Enabling Integration with Mist Access Points.
Upload and install licenses. For example, Administration > Licenses.
Install signatures. For example, Administration > Signature Database.
Add, modify, and deploy firewall policies. For example, Configuration > Firewall Policy.
Create and generate reports. For example, Reports > Report Definitions.
For more information about these tasks, see the Contrail Service Orchestration documentation at https://www.juniper.net/documentation/product/en_US/contrail-service-orchestration.