
Initial SD-WAN Deployment

 

This document describes the steps required to create a basic SD-WAN deployment. Figure 1 shows an overview of the steps that will be covered in this deployment example.

Figure 1: Basic SD-WAN Deployment Workflow

Before You Begin

This example uses hardware-based SRX devices in the roles of provider and enterprise hub and on-premises spoke devices. The vSRX Series of devices could be used in place of either the hub or spoke devices. NFX series devices could also be used for the spoke devices.

CSO makes use of advanced features of the devices used in SD-WAN deployments. In order to use features such as link switching based on application identification, or remote access IPsec VPNs on vSRX Series devices, you must purchase the required licenses. However, the underlay and overlay networks, and thus SD-WAN connectivity, can be established without special licensing.

Download Intrusion Protection System (IPS) and Application Signatures

This section details how to download the IPS and application firewall signature databases from Juniper Networks onto your CSO installation. Downloading the signature databases makes the IPS and application firewall signatures available to install on your hub and CPE devices after they have been activated.

From this point on in this deployment example, we assume that you are logged in to CSO as an OpCo administrator.

The user name part of your credentials is the e-mail address that was used when your CSO account was set up. When an account is initially set up, CSO sends an e-mail to that address with a link that includes a one-time activation code. Clicking the link takes you to the CSO login page, which then prompts you to set a password. This is a one-time activity. Subsequent logins to the Administration Portal use the e-mail address and your newly set password as your login credentials.

Note

If you are working with an on-premises installation of CSO, you can log in as the cspadmin user (or equivalent) to perform all of these steps.

  1. Enter the login credentials for the Administration Portal.
  2. Navigate to the Administration > Signature Database page.

    On this page, there is a list of available database versions, their publish dates, update summaries, and detector versions. The active database (if there is one) is in its own section at the top of the list. The list of available signature databases is in the section below, sorted from newest (at the top) to oldest.

  3. Click the Signature Download Settings button in the upper right corner of the window.

    The Signature Download Settings window appears as shown in Figure 2.

    Figure 2: Signature Download Settings

    The Download URL field is pre-populated with Juniper’s signature download URL. If you have previously downloaded the desired signature pack to another location (URL), enter that URL here.

  4. If you are downloading the signature database from a location other than https://signatures.juniper.net, then you must enter the signature version that you want to download. If you are downloading from https://signatures.juniper.net, then you can leave this field empty.
  5. Select whether to download the signatures now, or at a later time.
  6. Click OK.

    A notification will appear at the top of the screen indicating whether the job has been scheduled or is running immediately.

Once the download completes successfully, the new database version number appears in the Active Database portion of the page. The new signature database is available to all of your tenants and their sites. To see the application signatures included in the database, navigate to Configuration > Shared Objects > Application Signatures.

Starting with CSO Release 5.0.2, you can define your own custom application signatures for use in SD-WAN policy. For more information regarding this optional step, see the Contrail Service Orchestration Administration Portal User Guide.

Upload Licenses

The licenses that you upload to CSO using this procedure are available to be pushed to your tenant devices during the ZTP process or after they are provisioned. You need to install licenses on the hub and spoke SRX devices (physical and virtual) that you use in SD-WAN solutions. The licenses allow access to virtual network services such as application-based routing, application monitoring, and vSRX security features.

To upload the license for your devices:

  1. Navigate to the Administration > Licenses > Device Licenses page.

    On this page is a list of all available device licenses. Since you have not installed any licenses yet, the list is empty.

  2. Click the Add (+) icon at the top-right part of the list to add a license.

    The Add License window appears.

  3. Click the Browse button.

    This lets you locate the license file on your computer.

  4. Select a tenant or All Tenants from the Tenant pull-down menu.

    This associates the license file with a particular tenant or all tenants. If the license is associated with a particular tenant, then the licenses can only be applied to devices that belong to that tenant.

  5. (Optional) Enter a description of the license file.

You can repeat this procedure to upload as many licenses as you have.

Add a New Tenant

In this section we use the Administration Portal to add a tenant to CSO. OpCo administrators in on-premises or cloud-hosted CSO installations and SP administrators in an on-premises CSO installation can add tenants.

  1. Select Tenants from the left-navigation panel.
  2. If there are no existing tenants, the Add Tenant button is displayed on the center of the page.

    Click the Add Tenant button, if it is available, to add a new tenant.

    If there are existing tenants, click the Add icon (+) at the upper right portion of the window to add a new tenant.
  3. In the Add Tenant window that appears:
    • Enter a name for your tenant such as Tenant1.

    • Fill in the Admin User information.

      The e-mail address is used as the login name (username) for this user.

    • Select the checkbox next to the Tenant Admin role name in the Available list.

    • Click the Right Arrow button between the Available and Selected lists to move the Tenant Admin to the Selected list.

      If you want to see the access and permissions of the available roles, click the Tenant Admin or Tenant Operator names.

    • The password expiration default is 180 days.

      You can set any value between 1 and 365.

    • Click Next.

      The window advances to the Deployment Info tab.

    • In the Deployment Info window, select the SD-WAN card in the Services section.

      Depending on how your tenant was configured, you may see one or more of the following in addition to the SD-WAN card: Hybrid-WAN, Next Gen Firewall, and LAN. For this example, select only SD-WAN.

      This activates the SD-WAN Mode section of the window.

    • The Realtime Optimized radio button is selected by default with the SD-WAN service.

      You cannot change this selection.

    • Click Next.

      The window advances to the Tenant Properties tab. For this example, browse the tenant properties but do not make any changes.

      See the CSO Administration Portal User Guide for more information about the settings on the Tenant Properties tab.

    • Click Next.

      The window advances to the Summary section. Review the summary.

    • Click OK.

      A pop-up message appears that tells you that the Add Tenant job was started. After some time, your new tenant appears in the list of tenants.

Modify Device Templates

In this section, we examine device templates that we use for this example.

For the SRX in the Enterprise Hub Role

  1. Navigate to Resources > Device Templates.
  2. Find the device template named SRX as SDWAN Hub.
  3. Select the checkbox next to that template.
  4. Click the Clone button.
  5. Enter a Display Name and a Name for the cloned template.

    CSO shows the Display Name in various workflow locations but uses the Name behind the scenes.

    For this example, we name the template SRX_as_SD-WAN_Hub.

  6. Click OK.
  7. Select the checkbox next to the cloned template and then select Template Settings from the Edit Device Template pull-down menu.

    A new window titled Template Settings for <Display Name> appears as shown in Figure 3. You must scroll down to see these particular settings in the template.

    Figure 3: Partial Template Settings for SRX as SD-WAN Hub

    Note the device port names (ge-0/0/0, etc) for the WAN and OAM ports. If your hub device is not cabled to match, then adjust the port names in the template as needed.

  8. Select Save when finished.

For the SRX in the CPE Device Role

  9. Find the device template named SRX as SD-WAN CPE and select the checkbox next to its name.
  10. Click the Clone button.
  11. Enter a Display Name and a Name for the cloned template.

    The Display Name is what CSO shows when you select the template for use.

  12. From the Edit Device Template pull-down menu, select Template Settings.

    The Template Settings for <Display Name> window appears as shown in Figure 4. You must scroll down to see these particular settings in the template.

    Figure 4: Partial Template Settings for SRX as SD-WAN CPE

    Note the device port names (ge-0/0/0, etc) for the WAN and OAM ports. If your CPE device is not cabled to match, then adjust the port names in the template as needed.

  13. Click Save when finished.

The templates will be used later when you deploy the enterprise hub and CPE spoke devices.

Choose a Point of Presence (POP) for the Hub

A POP is a location within the service provider’s cloud in which PE routers and IPsec concentrators are located. It is a regionally located access point through which customer sites gain access to the provider hub devices placed within it. The hubs are either DATA_ONLY, OAM_ONLY, or OAM_AND_DATA hubs. SPs often place POPs in their network so that they are geographically close to customer sites.

Note

The SP administrator is the only administrator with the privileges to create POPs. In a cloud-hosted CSO deployment, tenants choose the appropriate POP from a list of available POPs created by the SP administrator. In an on-premises CSO deployment, you (as the cspadmin user) create the POP in which the hub device resides.

To choose or add a POP (for cloud-hosted CSO):

  1. Navigate to the Resources > POPs page.

    Here you can see a list of POPs available to you.

  2. Make note of the POP name(s) and location(s) so that you can choose the appropriate one when adding your devices.

To add a POP (for on-premises CSO):

  1. Navigate to the Resources > POPs page as the SP administrator.

    Here you can see a list of existing POPs.

  2. Click the Add (+) icon to add a POP and fill in the information in the Add POP window that appears.

    Currently, all POPs are regional.

    Give the POP a name and, optionally, address information so that its location can be displayed on CSO monitoring maps.

Add a Provider Hub Device to Your Tenant

A provider hub device resides in a regional POP within the service provider network. Provider hub devices are shared amongst multiple tenants through the use of virtual routing and forwarding (VRF) instances configured on the provider hub itself. They allow site-to-site traffic to flow in hub-and-spoke deployments, serve as OAM gateway devices for management traffic between CSO and CPE devices, and serve as backup data hubs when an enterprise hub device is used in a tenant.

Provider hubs come in three varieties: OAM_ONLY, DATA_ONLY, or OAM_AND_DATA. As their names imply, they have different capabilities. At least one of the provider hubs in each tenant must have OAM capabilities. Adding multiple OAM-capable provider hubs helps to balance OAM traffic loads in large CSO deployments. In cloud-hosted versions of CSO, the OAM-capable hubs are clearly labeled.

Best Practice

It is recommended that all provider hubs be clearly named for their data and OAM capabilities.

The following two procedures describe how to add provider hub devices to your CSO installation and tenant. The first procedure describes adding a provider hub device to an on-premises version of CSO. It can only be done by an SP administrator. In cloud-hosted CSO, the addition of the hub devices to the system is carried out by Juniper Networks.

The second procedure is carried out at the OpCo or tenant level in both on-premises and cloud-hosted CSO versions. It makes the provider hubs added in the first procedure available for use by tenants.

Add Provider Hubs for On-Premises CSO

  1. Navigate to the Resources > Provider Hub Devices page as the SP administrator user (cspadmin or equivalent).
  2. At the top-right part of the page, click the Add icon (+).

    A new window appears titled Add Provider Hub Device.

  3. Fill in the Site Information section as follows:
    • Name: Name the provider hub something that makes sense, like PH-OAM-DATA-1.

    • Management Region: Regional

      There is currently no other option for this.

    • Site Capability: DATA_AND_OAM

      This allows both operation, administration, and maintenance (OAM) and user data to traverse this device. It ensures that CSO can manage CPE devices through this provider hub device.

    • POP: Select the POP that you just created from the pull-down menu.

    • Authentication Type: Pre Shared Key

      You can choose Public Key Infrastructure if you have the proper certificates set up.

      CSO supports single and multi-level PKI certificates.

    • (Optional) Advanced Configuration: Change the information in this section as appropriate for your network.

  4. Click Next.

    The window advances to the WAN tab.

  5. In the Device Template Section, select SRX as the Device Series from the pull-down menu.
  6. Select SRX_as_SD-WAN_Hub (the template that you cloned earlier) from the carousel of available device templates (cards).
  7. In the Device Information section, enter the device serial number.
  8. Leave the Auto Activate button active (blue).
  9. (Optional) If you want to upgrade the device image for your SRX Series device, select the new boot image from the list. The boot image is the device image that was previously uploaded to the image management system in CSO. The boot image is used to upgrade the device during the ZTP process. If the boot image is not provided, then the device skips the automatic upgrade procedure and uses the image that is present on the device.
  10. In the Management Connectivity section fill in the form as follows:
    • Leave the Loopback IP Prefix blank.

      CSO automatically configures the proper loopback IP during the ZTP process, based on information contained in the device template and CSO databases.

    • OAM Interface: Enter the appropriate interface, such as ge-0/0/0, as the OAM Interface of the provider hub.

      The interface selected must match the device template and your network cabling.

    • OAM VLAN: Leave this field blank.

      Note

      You can enter a VLAN ID if one is needed in your network. If you specify an OAM VLAN ID, then all in-band OAM traffic reaches the site through the selected OAM interface. The range is 0 through 65535.

    • OAM IP Prefix: Enter an IP address prefix, such as 10.100.100.11/32.

      This is the IP address prefix for the OAM network. Secure OAM traffic is passed across this network in IPsec tunnels. The OAM IP Prefix must be unique across the entire management network.

      Note

      For SRX Series services gateways, such as the ones used in this example, always use a /32 prefix.

    • OAM Gateway: Enter an IP address, such as 10.100.100.1.

      This is the IP address of the next-hop on the management network through which CSO connectivity is established.

    • EBGP Peer-AS: Leave this field blank.

      This is the external BGP peer autonomous system number. It is used to peer with a PE router in the SP network (if any).

      Enter a value here if needed in your network.

  11. In the WAN Links section, fill in the information as follows:
    • Leave the WAN_0 (ge-0/0/0) slider button enabled.

      The physical device interface is already chosen from the value in the device template and cannot be altered here.

    • Link Type: Select MPLS.

    • Address Assignment: Enter Static.

    • Static IP Prefix: Enter an IP address prefix, such as 172.21.22.2/29.

      This represents the provider hub address of the hub-to-CPE network connection.

    • Gateway IP Address: Enter an IP address, such as 172.21.22.1.

      This is the IP address of the spoke (SRX or NFX CPE device) at the customer site.

    • Enable the WAN_1 (ge-0/0/1) slider button.

      The physical device interface is already chosen from the value in the device template and cannot be changed here.

    • Link Type: Select Internet.

    • Address Assignment: Enter Static.

    • Static IP Prefix: Enter an IP address prefix, such as 192.0.2.2/29.

      This represents the provider hub address of the hub-to-CPE network connection.

    • Gateway IP Address: Enter an IP address, such as 192.0.2.1.

      This is the IP address of the spoke (SRX or NFX CPE device) at the customer site.

      Note

      Enable the other WAN interfaces for your provider hub device as appropriate.

  12. Click OK when you’re finished.

    The Activate Device window pops up.

    The device shows up in the Provisioned state when this window shows that the operation completed successfully.

    You can dismiss this window by clicking OK before the operation is complete. To track the progress, navigate to Monitor > Jobs and click on the job name.

Add a Provider Hub to Your Tenant

  1. Navigate to the Resources > Provider Hub Devices page.

    Here you can see a list of all cloud hub devices, their assigned POP, site associations, status, model, serial number, and OS version.

  2. Make note of the names of the Provider Hub devices available to you.
  3. Navigate to the Resources > Site Management page.
  4. From the Add menu, select Add Provider Hub.

    The Add Provider Hub for Tenant Name window appears.

  5. Select a Service POP from the pull-down menu.
  6. Select a Hub Device Name from the pull-down menu.

    As mentioned previously, you must add at least one provider hub with OAM capabilities.

    You can repeat this process to add as many provider hubs as you want from this POP to your tenant.

  7. Click OK.

    The provider hub device is added to the list.

Add an Enterprise Hub to Your Tenant

Unlike a provider hub which is shared amongst multiple tenants, an enterprise hub acts as the primary hub device for spoke sites belonging to a single tenant. Tenants that have an enterprise hub installed can use it for site-to-site VPNs between spoke sites. In this case, the provider hub becomes a backup hub for the same VPNs. The site-to-site VPNs initially created through the enterprise hub can be dynamically switched to direct site-to-site VPNs based on the (user configurable) dynamic VPN threshold settings for the tenant.

An enterprise hub is added to a tenant by a tenant administrator using the Customer Portal in CSO.

To add an enterprise hub to your new tenant:

  1. Enter the Customer Portal for your tenant.

    SP and OpCo administrators access the Customer Portal by navigating to Tenants and clicking the tenant name from the list. This puts these administrators into the tenant administrator role for that tenant.

    Tenant administrators are automatically placed in their Customer Portal upon successful login.

  2. Navigate to Resources > Site Management.

    The Sites page appears.

  3. From the Add pull-down menu, select Enterprise Hub.

    The Add Enterprise Hub for Site Name window appears.

  4. In the Site Information section, enter a name that makes sense for your site.

    Choose site names carefully because they cannot be changed after the site is added.

  5. In the Site Capabilities section, select the SD-WAN card from the WAN Capabilities area.
  6. In the configuration section, the Primary Provider Hub pull-down menu should already be populated with the name of the provider hub added earlier.

    The On-demand VPN Threshold, Address and Contact Information, and Advanced Configuration sections are all optional.

    Note

    Most settings made while creating sites cannot be changed once the site is provisioned. The exceptions are: Address and Contact Information and the NTP settings available in the Advanced Configuration Settings section.

  7. Click Next.

    The page advances to the WAN tab.

  8. Click the left arrow (<) or right arrow (>) until you see the SRX as SD-WAN CPE card. Click on that card.
  9. In the Device Information section, enter the device serial number.
  10. Leave the Auto Activate button active (blue).
  11. (Optional) If you want to upgrade the device image for your SRX Series device, select the new boot image from the list. The boot image is the device image that was previously uploaded to the image management system in CSO. The boot image is used to upgrade the device during the ZTP process. If the boot image is not provided, then the device skips the automatic upgrade procedure and uses the image that is present on the device.
  12. In the Management Connectivity section fill in the form as follows:
    • Leave the Loopback IP Prefix blank.

      CSO automatically configures the proper loopback IP during the ZTP process, based on information contained in the device template and CSO databases.

    • OAM Interface: Enter the appropriate interface, such as ge-0/0/0, as the OAM Interface of this device.

      The interface selected must match the device template and your network cabling.

    • OAM VLAN: Leave this field blank.

      Note

      You can enter a VLAN ID if one is needed in your network. If you specify an OAM VLAN ID, then all in-band OAM traffic reaches the site through the selected OAM interface. The range is 0 through 65535.

    • OAM IP Prefix: Enter an IP address prefix, such as 10.100.100.11/32.

      This is the IP address prefix for the OAM network. Secure OAM traffic is passed across this network in IPsec tunnels. The OAM IP Prefix must be unique across the entire management network.

      Note

      For SRX Series services gateways, such as the ones used in this example, always use a /32 prefix.

    • OAM Gateway: Enter an IP address, such as 10.100.100.1.

      This is the IP address of the next-hop on the management network through which CSO connectivity is established.

    • EBGP Peer-AS: Leave this field blank.

      This is the external BGP peer autonomous system number. It is used to peer with a PE router in the SP network (if any).

      Enter a value here if needed in your network.

  13. In the WAN Links section, fill in the information as follows:
    • Leave the WAN_0 (ge-0/0/0) slider button enabled.

      The physical device interface is already chosen from the value in the device template and cannot be changed here.

    • Link Type: Select MPLS.

    • Address Assignment: Enter Static.

    • Static IP Prefix: Enter an IP address prefix.

      This represents the hub-side address of the hub-to-CPE network connection.

    • Gateway IP Address: Enter an IP address.

      This is the IP address of the spoke (SRX or NFX CPE device) at the customer site.

    • Enable the WAN_1 (ge-0/0/1) slider button.

      The physical device interface is already chosen from the value in the device template and cannot be changed here.

    • Link Type: Select Internet.

    • Address Assignment: Enter Static.

    • Static IP Prefix: Enter an IP address prefix.

      This represents the hub-side address of the hub-to-CPE network connection.

    • Gateway IP Address: Enter an IP address.

      This is the IP address of the spoke (SRX or NFX CPE device) at the customer site.

      Note

      Enable the other WAN interfaces for this device as appropriate.

  14. Expand the Advanced Settings section by clicking on the right arrow > icon.
  15. Enable the Use for Full Mesh slider button (set to blue).
  16. Select the Internet mesh tag from the Mesh Tag pull-down menu.
  17. Ensure that the proper Overlay Peer Interface is selected.

    This is the interface on the provider hub that this enterprise hub will use as a BGP peer interface.

  18. Click Next.

    The page advances to the LAN tab.

  19. Click the Add LAN Segment button.

    The Add LAN Segment window appears.

  20. Enter a Name for the LAN segment.
  21. Ensure that the Department pull-down menu has Default selected.
  22. Enter a valid Gateway Address/Mask.

    This value is used as the gateway address for devices deployed on this LAN segment.

  23. Select and move the appropriate port(s) from the Available list to the Selected list.

    Click the blue arrow to the right of a port name to move it from one list to the other.

  24. Click Save.

    The new LAN segment is listed in the LAN tab of the Add Enterprise Hub for Site Name window.

  25. Click Next.

    The page advances to the Summary tab.

  26. Click OK when you’re finished reviewing the summary tab information.

The Activate Device window pops up.

The device shows up in the Provisioned state when this window shows that the operation completed successfully.

You can dismiss this window by clicking OK before the operation is complete. To track the progress, navigate to Monitor > Jobs and click on the job name.
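As an added pre-flight check (not part of this deployment guide and not CSO code), the script below validates a planned address plan against the rules stated for the Management Connectivity and WAN Links fields in the provider hub, enterprise hub and spoke procedures: the OAM IP Prefix is a /32 on SRX Series devices and unique across the management network, and each WAN link's Gateway IP Address lies inside the Static IP Prefix's subnet. The provider hub entry reuses the sample values from the text; the spoke site, its addresses and all function names are constructed for this example.

```python
from __future__ import annotations

import ipaddress

# Constructed address plan for this example. The provider hub entry reuses
# the sample values shown in the deployment text; the spoke entry and its
# addresses are made up for illustration.
PLAN = [
    {
        "site": "PH-OAM-DATA-1",
        "platform": "SRX",
        "oam_ip_prefix": "10.100.100.11/32",
        "oam_gateway": "10.100.100.1",
        "wan_links": [
            {"name": "WAN_0", "link_type": "MPLS",
             "static_ip_prefix": "172.21.22.2/29", "gateway": "172.21.22.1"},
            {"name": "WAN_1", "link_type": "Internet",
             "static_ip_prefix": "192.0.2.2/29", "gateway": "192.0.2.1"},
        ],
    },
    {
        "site": "Spoke-1",  # constructed spoke site
        "platform": "SRX",
        "oam_ip_prefix": "10.100.100.12/32",
        "oam_gateway": "10.100.100.1",
        "wan_links": [
            {"name": "WAN_0", "link_type": "MPLS",
             "static_ip_prefix": "172.21.22.1/29", "gateway": "172.21.22.2"},
            {"name": "WAN_1", "link_type": "Internet",
             "static_ip_prefix": "192.0.2.1/29", "gateway": "192.0.2.2"},
        ],
    },
]

LINK_TYPES = {"MPLS", "Internet"}


def check_wan_link(link: dict) -> list[str]:
    """Return the problems found in one WAN Links entry (empty list if none)."""
    problems = []
    if link["link_type"] not in LINK_TYPES:
        problems.append(f"{link['name']}: unknown link type {link['link_type']!r}")
    try:
        iface = ipaddress.ip_interface(link["static_ip_prefix"])
        gw = ipaddress.ip_address(link["gateway"])
    except ValueError as exc:
        return problems + [f"{link['name']}: unparsable address ({exc})"]
    net = iface.network
    # Plain IP rule, not a CSO-specific one: the gateway is a directly
    # connected next hop, so it must be inside the link's subnet and must
    # not be the link's own address.
    if gw not in net:
        problems.append(f"{link['name']}: gateway {gw} is outside {net}")
    elif gw == iface.ip:
        problems.append(f"{link['name']}: gateway equals the link address {gw}")
    # On prefixes shorter than /31 the network and broadcast addresses are
    # not assignable to the interface.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{link['name']}: {iface.ip} is not a usable host address in {net}")
    return problems


def check_site(site: dict, seen_oam: list) -> list[str]:
    """Check one site's Management Connectivity and WAN Links values.

    seen_oam accumulates (site name, OAM network) pairs across calls so
    that OAM prefixes can be checked for uniqueness across the whole plan.
    """
    problems = []
    try:
        oam = ipaddress.ip_interface(site["oam_ip_prefix"])
        oam_gw = ipaddress.ip_address(site["oam_gateway"])
    except ValueError as exc:
        problems.append(f"OAM: unparsable address ({exc})")
    else:
        # The text: SRX Series gateways always use a /32 OAM IP Prefix.
        if site["platform"] == "SRX" and oam.network.prefixlen != 32:
            problems.append(f"OAM: {oam} must be a /32 on SRX Series devices")
        if oam_gw == oam.ip:
            problems.append(f"OAM: gateway {oam_gw} equals the OAM address")
        # The text: the OAM IP Prefix must be unique across the entire
        # management network, so flag any overlap with an earlier site.
        for other_site, other_net in seen_oam:
            if oam.network.overlaps(other_net):
                problems.append(f"OAM: prefix {oam} already used by {other_site}")
        seen_oam.append((site["site"], oam.network))
    for link in site["wan_links"]:
        problems.extend(check_wan_link(link))
    return problems


def validate_plan(plan: list[dict]) -> dict[str, list[str]]:
    """Map each site name to the list of problems found for it."""
    seen_oam: list = []
    return {site["site"]: check_site(site, seen_oam) for site in plan}


if __name__ == "__main__":
    for name, problems in validate_plan(PLAN).items():
        print(name, "OK" if not problems else "; ".join(problems))
```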

Add an On-Premises Spoke for the Tenant

In this section, we continue in the Customer Portal for the newly configured tenant to create an on-premises spoke with an SRX CPE device.

This procedure begins in the Tenants window of the Administration Portal at the list of tenants.

  1. Click on the name of the tenant that you created.

    This will take you to the Customer Portal for that tenant.

  2. Navigate to the Resources > Site Management page.
  3. In the Site Management window that appears, select Add On-Premise Spoke Site (Manual) from the Add pull-down menu.

    The Add On-Premise Spoke Site for Tenant page appears.

  4. In the Site Information section, enter a name that makes sense for your site.

    Choose site names carefully because they cannot be changed after the site is added.

  5. In the Site Capabilities section, select the type of WAN and LAN capabilities you want for this site.

    The available site capabilities are based on the tenant capabilities defined during tenant creation. You can choose one WAN capability in addition to one optional LAN capability.

    For this example, choose only SD-WAN.

  6. In the Configuration section, the Provider Hub and Enterprise Hub pull-down menus are already populated with the previously added hub devices.

    The On-demand VPN Threshold, Address and Contact Information, and Advanced Configuration Settings sections are all optional.

    Note

    Most settings made while creating sites cannot be changed once the site is provisioned. The exceptions are: Address and Contact Information and the NTP settings available in the Advanced Configuration section.

  7. Click Next.

    The page advances to the WAN tab.

  8. Next to Device Series, select SRX from the pull-down menu.

    A horizontal list of device template cards applicable to SRX Series devices is shown.

  9. Click the left arrow (<) or right arrow (>) until you see the SRX as SD-WAN CPE card. Click on that card.
  10. In the Device Information section, enter the device serial number.
  11. Leave the Auto Activate button active (blue).
  12. (Optional) If you want to upgrade the device image for your SRX Series device, select the new boot image from the list. The boot image is the device image that was previously uploaded to the image management system in CSO. The boot image is used to upgrade the device during the ZTP process. If the boot image is not provided, then the device skips the automatic upgrade procedure and uses the image that is present on the device.
  13. In the WAN Links section, fill in the information as follows:
    • Leave the WAN_0 (ge-0/0/0) slider button enabled.

      The physical device interface is already chosen from the value in the device template and cannot be changed here.

    • Link Type: Select MPLS.

    • Address Assignment: Enter Static.

    • Static IP Prefix: Enter an IP address prefix.

      This represents the hub-side address of the hub-to-CPE network connection.

    • Gateway IP Address: Enter an IP address.

      This is the IP address of the spoke (SRX or NFX CPE device) at the customer site.

    • Enable the WAN_1 (ge-0/0/1) slider button.

      The physical device interface is already chosen from the value in the device template and cannot be changed here.

    • Link Type: Select MPLS.

    • Address Assignment: Enter Static.

    • Static IP Prefix: Enter an IP address prefix.

      This represents the hub-side address of the hub-to-CPE network connection.

    • Gateway IP Address: Enter an IP address.

      This is the IP address of the spoke (SRX or NFX CPE device) at the customer site.

      Note

      Enable the other WAN interfaces for this device as appropriate.

  14. Expand the Advanced Settings section by clicking on the right arrow > icon.
  15. Enable the Use for Full Mesh slider button (set to blue).
  16. Select the MPLS mesh tag from the Mesh Tag pull-down menu.
  17. Enable the Use for OAM Traffic slider button (set to blue).

    Figure 5 below shows an example of the settings described above.

    Figure 5: WAN_0 Configuration Example
  18. Select the Enable button next to WAN_1.

    The physical device interface is already chosen from the value in the device template and cannot be changed here.

    • Link Type: Select Internet.

    • Address Assignment: Enter Static.

    • Static IP Prefix: Enter an IP address prefix.

      This represents the hub-side address of the hub-to-CPE network connection.

      Note

      Enable the other WAN interfaces for this device as appropriate.

  19. Expand the Advanced Settings section by clicking on the right arrow > icon.
  20. Enable the Enable Local Breakout button (set to blue).

    Leave the Breakout Options pull-down menu set to Use for breakout and WAN traffic.

  21. Enable the Autocreate Source NAT Rule button (set to blue).

    Leave the Translation pull-down menu set to Interface.

  22. Enable the Use for Full Mesh slider button (set to blue).
  23. Select the Internet mesh tag from the Mesh Tag pull-down menu.
  24. Enable the Use For OAM Traffic slider button (set to blue).
  25. The Overlay Peer Device is automatically set to the provider hub device.

    Ensure that the Overlay Peer Interface pull-down menu is set to the proper interface.

    Figure 6 below shows an example of the WAN_1 configuration as described above.

    Figure 6: WAN_1 Configuration Example
  26. Click Next when finished.

    The window advances to the LAN section.

  27. Click the Add LAN Segment button.

    A new window appears titled Add LAN Segment.

    Fill in the following information in this window:

    • Name: LAN2

      Note

      This can be any name that makes sense in your deployment.

    • VLAN ID: Leave this field blank.

      Note

      Enter a VLAN ID if required at the remote site.

    • Department: Leave this field as Default.

      In CSO, spoke site departments equate to security zones on the CPE device. In this example, the Default security zone will be used later when we create security policies. Creating multiple departments for the spoke site creates multiple security zones with the same names on the CPE device.

      If you have departments set up already and the proper department is not shown, you can create one by clicking on the Create Department link.

    • Gateway Address/Mask: Enter an IP address and mask.

      Specify a unique and valid IPv4 address with subnet mask. This address is the default gateway for endpoints in this LAN segment.

    • DHCP: Off

      An SRX Series device can provide DHCP server services for the remote LAN. For this example, leave DHCP set to off.

    • CPE Ports: Select LAN_2 (ge-0/0/2) by clicking the checkbox next to it.

    • Click the right arrow > icon to move LAN_2 (ge-0/0/2) from the available list to the selected list.

  28. Click Save when finished.

    The Add LAN Segment window closes.

  29. Click Next.

    The window advances to the Summary section.

  30. Review the Summary section.
  31. Click OK when you’re finished reviewing this section.

    A device activation window pops up and displays the progress of your site deployment.

Install a License on a Device

To install a license on a device, use the Administration Portal.

  1. Navigate to Administration > Licenses > Device Licenses.

    The list of uploaded license files appears.

  2. Click the checkbox next to the license file that you uploaded in Step 3.
  3. Click the Push License button at the upper-right part of the list and select Push.

    The Push License window appears.

  4. Select the name of the tenant that you created previously from the Tenant pull-down menu.

    Your sites and devices appear under Sites and Devices.

  5. Select the checkbox next to your tenant site to push the license to the CPE device at that site.

Install an Application Signature on a Device

This step allows the CPE device to obtain the signature database needed for application identification.

To install an application signature:

  1. Navigate to Administration > Signature Database.

    Because you downloaded the signature database earlier, the Active Database section now lists the version number of the downloaded database.

  2. Click the Install on Device link under the Actions column.

    In the new window that appears, you can elect to push the signatures to any device listed.

  3. Select the checkbox next to the CPE device (the NFX250 in this example).
  4. Click OK.

Add Firewall and NAT Policies to the Topology

In this section, we use the Customer Portal to add and deploy an intent-based firewall policy that allows the CPE-side LAN segments to pass traffic between each other and to the Internet. This requires two intents in the policy: one for department-to-department traffic and one for department-to-any address. Note that the second intent permits all outbound traffic from the Default department; in a production deployment you would normally narrow it by application or destination address objects and log the resulting denies.

  1. In the Customer Portal for your tenant, navigate to Configuration > Firewall > Firewall Policy.

    This brings up the Firewall Policy page with a list of existing policies.

  2. Click the Add icon (+) to add a new policy.

    The Add Firewall Policy page appears.

  3. Give the policy a name that makes sense, like FirstFirewallPolicy.

  4. Click the checkbox to enable the policy for all sites.

    The new policy is added to the list.

  5. Click on the policy name in the list to bring up the Intents for that policy.

    It shows that there are no Enterprise Intents or Zone-based Intents for this policy.

    Allow Site-to-Site Traffic

  6. Click the Add icon (+) to add a new intent.

    The window changes to reveal the intent editor page.

  7. Click the Add icon (+) in the Select Source field.

    A list of possible sources appears.

  8. Select Default from the Departments [DEPT] section of the list.

    Your choice is added to the source section.

  9. Click the Add icon (+) labeled Select Action.

    A list containing available actions is shown. Select Allow from that list.

  10. Your action choice is added between the source and destination sections.
  11. Click the Add icon (+) in the Destination section.

    A list of possible destinations appears.

  12. Select Default from the Departments [DEPT] section of the list.

    Your choice is added to the destination section.

  13. (Optional) Enable the Logging slider switch (turns blue).

    We recommend that you log all deny or drop actions within firewall intents. Turning logging on for an allow action generates a large volume of logs.

  14. Click the Save button.

    The new intent is shown under the policy.

    Allow Outgoing Site Traffic

  15. Click the Add icon (+) to add a second intent to the policy.

    The window changes to reveal the intent editor page.

  16. Click the Add icon (+) in the Select Source field.

    A list of possible sources appears.

  17. Select Default from the Departments [DEPT] section of the list.

    Your choice is added to the source section.

  18. Click the Add icon (+) labeled Select Action.

    A list containing available actions is shown. Select Allow from that list.

  19. Your action choice is added between the source and destination sections.
  20. Click the Add icon (+) in the Destination section.

    A list of possible destinations appears.

  21. Select Any from the Addresses [ADDR] section of the list.

    Your choice is added to the destination section.

  22. (Optional) Enable the Logging slider switch (turns blue).

    We recommend that you log all deny or drop actions within firewall intents. Turning logging on for an allow action generates a large volume of logs.

  23. Click the Save button.
  24. Click the Deploy button.

    This brings up a Deploy window. Here you can select to run the policy deployment now or schedule it to run later.

  25. Click Deploy.

    Deployment progress bars appear as CSO deploys the policy.
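The two intents above, together with the Enable Local Breakout and Autocreate Source NAT Rule settings from the WAN_1 step, end up on the CPE as ordinary Junos zone-based security policy and source NAT. The fragment below is an added illustration of that end state written for this page; it is not configuration generated by or copied from CSO, and the names CSO actually pushes will differ. The zone name Default follows the department-to-zone mapping described under Add LAN Segment; the zone name untrust, the interface assignments (ge-0/0/2.0 for LAN_2, ge-0/0/1.0 for WAN_1) and all policy and rule-set names are assumptions. The explicit deny-and-log policy and the default-policy deny-all are the check a practitioner would add so that rejected sessions show up in syslog.

```junos
security {
    zones {
        /* CSO department "Default" becomes a zone of the same name on the CPE */
        security-zone Default {
            interfaces {
                ge-0/0/2.0;            /* LAN_2 segment (assumed interface) */
            }
        }
        /* zone name and interface for the WAN_1 breakout link are assumed */
        security-zone untrust {
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
    policies {
        /* intent 1: Default department to Default department, Allow */
        from-zone Default to-zone Default {
            policy allow-intra-department {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* intent 2: Default department to Any address, Allow */
        from-zone Default to-zone untrust {
            policy allow-outbound {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* explicit deny with logging so refused sessions are visible */
            policy deny-and-log {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        /* anything not matched by a policy above is dropped */
        default-policy {
            deny-all;
        }
    }
    nat {
        source {
            /* Autocreate Source NAT Rule with Translation set to Interface */
            rule-set breakout-snat {
                from zone Default;
                to zone untrust;
                rule snat-interface {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}
```

On the CPE, show security policies and show security nat source summary confirm what was actually pushed. As long as allow-outbound matches application any, deny-and-log never sees a session; it only takes effect once the outbound intent is narrowed, for example to specific applications or destination address objects, which is the recommended end state for an Internet-facing breakout rather than a permit to Any.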

Add SD-WAN SLA-Based Steering Profiles and Policy

In this section, we use the Customer Portal to create a path-based steering profile and apply it in an SD-WAN policy so that YouTube traffic is steered over the WAN_1 overlay link rather than the default link, WAN_0.

  1. Navigate to Configuration > SD-WAN > Path-Based Steering Profiles.
  2. Click the Add icon (+) to create a new profile.

    This brings up an Add PathProfile window.

    In the new window, fill in the following information.

    • Name: Enter a name for the profile, such as Internet-Path.

    • Traffic Type Profile: Select INTERNET.

    • Path Preference: Enter Internet.

      Priority value 1 is the highest priority. Higher priority profiles (lower numbers) take precedence over lower priority ones during SD-WAN events.

  3. Click OK.

    The window closes and the new profile appears in the list.

  4. Navigate to Configuration > SD-WAN > SD-WAN Policy.

    This brings up the SD-WAN Policy page, which lists all SD-WAN policies.

  5. Click the Add icon (+) at the upper right part of the list to create a new policy.

    The policy builder screen appears with the Source section activated.

    The default value for Source is All Sites.

    The default value for Application is Any.

    Use the default values for these fields.

  6. Click the + Select Destination field.
  7. Type YouTube at the text-insertion point.

    This brings up a list of available applications.

  8. Select YouTube from the list.
  9. Click + Select Profile.

    This brings up a list of available profiles.

  10. Select Internet-Path from the Path-Based Profiles [SLA] section of the list.
  11. Click Save.

    This closes the builder window and shows the list of SD-WAN Policies.

  12. Click the Deploy button.

    This brings up a Deploy window. Here you can select to run the policy deployment now or schedule it to run later.

  13. Click Deploy.

    Deployment progress bars appear as CSO deploys the policy. When it finishes, the Total Intents count increases from 0 to 1.
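On an SRX-based CPE, steering a single application over a specific overlay link relies on advanced policy-based routing (APBR), which in turn needs the application signature package installed earlier and an application identification license. The fragment below is an added Junos illustration of that mechanism written for this page, not configuration generated by CSO. The routing-instance name wan1-ri, the rib-group wan1-rg, the profile name youtube-over-wan1 and the overlay tunnel interface st0.1 standing in for WAN_1 are all assumptions; junos:YOUTUBE is the predefined application name from the signature database.

```junos
routing-instances {
    /* forwarding instance whose default route points at the WAN_1 overlay */
    wan1-ri {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop st0.1;    /* assumed overlay tunnel for WAN_1 */
            }
        }
    }
}
routing-options {
    /* copy interface routes into the forwarding instance so LAN and
       return paths remain reachable from wan1-ri */
    interface-routes {
        rib-group inet wan1-rg;
    }
    rib-groups {
        wan1-rg {
            import-rib [ inet.0 wan1-ri.inet.0 ];
        }
    }
}
security {
    advance-policy-based-routing {
        /* steer sessions identified as YouTube into the WAN_1 instance;
           everything else keeps the default route via WAN_0 */
        profile youtube-over-wan1 {
            rule r1 {
                match {
                    dynamic-application junos:YOUTUBE;
                }
                then {
                    routing-instance wan1-ri;
                }
            }
        }
    }
    zones {
        /* the profile is attached to the zone the traffic arrives from */
        security-zone Default {
            advance-policy-based-routing-profile youtube-over-wan1;
        }
    }
}
```

Use show security advance-policy-based-routing statistics on the CPE to confirm that sessions are hitting the rule. Two caveats matter when interpreting the result: the application can only be classified after the first packets of a session have been inspected, so a session starts on the default path and is moved to wan1-ri once identified, and traffic that is never identified as YouTube stays on WAN_0 regardless of the SD-WAN policy.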