An on-premise spoke represents an endpoint that is part of the customer premises equipment (CPE) at a physical location such as a branch office or a point-of-sale location. Typically, these sites are connected to hub sites using overlay connections. You add an on-premise spoke site from the Sites page. The following device templates are supported for on-premise spoke sites:
NFX150 as SD-WAN CPE
NFX250 as SD-WAN CPE
Dual NFX250 as SD-WAN CPEs
SRX as SD-WAN CPE
Dual SRX as SD-WAN CPEs
SRX4x00 as SD-WAN CPE
Dual SRX4x00 as SD-WAN CPEs
To add an on-premise spoke site with only SD-WAN capability:
The Sites page appears.
The Add On-Premise Spoke Site for Tenant-Name page appears.
Note: Fields marked with an asterisk (*) are mandatory.
You are returned to the Sites page and a message indicating that the site creation job was triggered is displayed. You can click the job ID link to view the progress of the job. After the job is completed successfully, a confirmation message is displayed and the site that you added is displayed on the Sites page.
Table 54: Fields on the Add Site for Tenant-Name Page With only SD-WAN Capability
Field | Description |
---|---|
General | |
Site Information | |
Site Name | Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 10 characters. |
Site Group | Select a site group to which you want to assign the site. |
Site Capabilities | |
WAN Capabilities | Select SD-WAN to include SD-WAN capability in the on-premise spoke site. |
LAN Capabilities | You need not select this option because you are creating an on-premise spoke site with only SD-WAN capability. |
Configuration | |
Primary Provider Hub | Select the primary hub site to which this spoke site must connect. |
Secondary Provider Hub | Select the secondary hub site to which this site must connect. This site connects to the secondary data hub site when the primary data hub is not reachable. |
Primary Enterprise Hub | Select the enterprise hub with which you want to connect the spoke site. If you specify an enterprise hub, then the initial site-to-site traffic as well as the central breakout (backhaul) traffic (if applicable) is sent through the enterprise hub instead of the hub site. |
Secondary Enterprise Hub | Select the secondary enterprise hub for this spoke site. The spoke site connects with secondary enterprise hub when the primary enterprise hub is not reachable. |
On-Demand Mesh Threshold | |
Threshold for Tunnel Creation | Enter the number of sessions closed between the connected sites in a duration of two minutes above which a full mesh is created between the two sites. The default value is 5. For example, if you specify the number of sessions as 5, dynamic mesh tunnels are created if the number of sessions closed between two spoke sites in 2 minutes exceeds 5. |
Threshold for Tunnel Deletion | Enter the number of sessions closed between the connected sites in a duration of 15 minutes at or below which the full mesh is deleted between the two sites. The default value is 8. For example, if you specify the number of sessions closed as 8, dynamic mesh tunnels are deleted if the number of sessions closed is less than or equal to 8. |
Address and Contact Information | |
Street Address | Enter the street address of the site. |
City | Enter the city where the site is located. |
State/Province | Select the state or province where the site is located. |
ZIP/Postal Code | Enter the postal code for the site. |
Country | Select the country where the site is located. Click the Validate button to verify the address. |
Contact Name | Enter the name of the contact person for the site. |
E-mail | Enter the e-mail address of the contact person for the site. |
Phone | Enter the phone number of the contact person for the site. |
Advanced Configuration | |
Name Server IP List | Specify one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses. |
NTP Server | Specify the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers; for example, ntp.example.net. The site must have DNS reachability to resolve the FQDN during site configuration. |
Select Timezone | Select the time zone of the site. |
WAN | |
Device Template | |
Device Series | Select the device series to which the CPE belongs—SRX, NFX150, or NFX250. Based on the device series that you select, the supported device templates (containing information for configuring devices) are listed. Select a device template for the selected device series. |
Device Information Note: Some fields in this section are displayed only if you select a dual CPE device template. | |
Device Model | For NFX150 devices, select the device model number. |
Serial Number | For a single CPE device, enter the serial number of the CPE device. Serial numbers are case-sensitive. |
Device Redundancy | For dual CPE device templates, displays Enabled indicating that redundancy is enabled. You cannot modify this field. |
Primary Serial Number | For a dual CPE device, enter the serial number of the primary CPE device. The serial number is case sensitive. |
Secondary Serial Number | For a dual CPE device, enter the serial number of the secondary CPE device. The serial number is case sensitive. |
Auto Activate | Click the toggle button to enable or disable automatic activation of the CPE device. When you enable this field, zero-touch provisioning (ZTP) of the CPE device is automatically triggered after the site is added to CSO. The device template that you select determines whether this option is enabled or disabled by default. |
Activation Code | If the automatic activation of the device is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site. |
Primary Activation Code | For a dual CPE device, if the automatic activation of the device is disabled, enter the activation code to manually activate the primary CPE device. |
Secondary Activation Code | For a dual CPE device, if the automatic activation of the device is disabled, enter the activation code to manually activate the secondary CPE device. |
Boot Image | Select the boot image from the drop-down list if you want to upgrade the image for the CPE device. The boot image is the latest build image uploaded to the image management system. The boot image is used to upgrade the device when the CSO starts the ZTP process. If the boot image is not provided, then the device skips the procedure to upgrade the device image. The boot image (NFX or SRX) is populated based on the device template that you have selected while creating a site. See Uploading a Device Image. |
WAN Links | |
WAN_0 WAN-Interface-Name | This field is enabled by default. Enter parameters related to WAN_0. Fields marked with an asterisk (*) must be configured to proceed. |
Link Type | Select whether the link would be an MPLS link or Internet link. |
Access Type (NFX150, NFX250, and SRX300 line of Services Gateways) | If you select Internet as the link type, select the access type for the underlay link—Ethernet, LTE, ADSL, or VDSL. You can select the LTE, ADSL, or VDSL access type only for one WAN link. |
Egress Bandwidth | Enter the maximum bandwidth, in Mbps, allowed on the WAN link. Range: 1 through 10,000. |
Address Assignment | Select the method of assigning an IP address to the WAN link—DHCP or STATIC. If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link. |
Static IP Prefix | If you configured the address assignment method as STATIC, enter the IP address prefix of the WAN link. |
Gateway IP | If you configured the address assignment method as STATIC, enter the IP address of the gateway of the WAN service provider. |
WAN Link (Primary or Secondary) | For dual CPE device templates, displays whether the WAN link is a primary link or a secondary link. You cannot modify this field. |
Advanced Settings | |
Provider | Enter the name of the service provider (SP) providing the WAN service. Only alphanumeric characters and '_', '@', '.', '/', '#', '&', '+' and '-' are allowed. The maximum number of characters allowed is 15. |
Cost/Month | Enter the cost for using the WAN link per month and select the currency in which the cost is indicated from the adjacent drop-down list. Range: 1 through 10,000. In bandwidth-optimized SD-WAN, CSO uses this information to identify the least-expensive link to route traffic when multiple WAN links meet SLA profile parameters. |
Enable Local Breakout | Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled. |
Breakout Options | Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic. |
Autocreate Source NAT Rule | Click the toggle button to enable or disable the automatic creation of source NAT rules. By default, this field is enabled when local breakout is enabled on the WAN link. Table 55 explains how source NAT rules are automatically created on the WAN link. The automatically created source NAT rules are implicitly defined and applied to the site and are not visible on the NAT Policies page. Note: You can manually override automatically created NAT rules by creating a NAT rule within a particular rule-set. For example, to use a source NAT pool instead of an interface for translation, create a NAT rule within that rule-set that includes the relevant department zone and WAN interface as the source and destination, for example: Dept-Zone1 --> W1 : Translation=Pool-2. The manually created NAT rule is placed at a higher priority than the corresponding automatically created NAT rule. You can also add other fields (such as addresses, ports, and protocols) as part of the source or destination endpoints, for example: Dept-Zone1, Port 56578 --> W1 : Translation=Pool-2. |
Translation | Select the type of NAT to use for the traffic on the WAN link. See Table 55 for the Interface-Based (default) and Pool-Based options. |
IP Addresses | For pool-based NAT, enter one or more IP addresses, subnets, or an IP address range. Separate multiple IP addresses by using commas and use a hyphen to denote a range; for example, 192.0.2.1-192.0.2.50. |
Preferred Breakout Link | Click the toggle button to enable the WAN link as the most preferred breakout link. If you disable this option, then the breakout link is chosen using ECMP from the available breakout links. |
BGP Underlay Options | Note: This setting can be configured only if the address assignment is static and local breakout is enabled. Click the toggle button to enable BGP underlay routing. When you enable BGP underlay routing, routes are advertised to the primary PE node and, if configured, the secondary PE node. Note: If underlay BGP is enabled for a WAN link, then the routes learned from BGP are installed for local breakout; CSO does not generate the static default route. |
Primary Neighbor | Displays the IP address that you entered for the gateway for the WAN link. |
Secondary Neighbor | If you want to provide PE resiliency, you can configure a secondary PE node. Enter the IP address of the secondary PE node. Note: If the primary PE node goes down, then the secondary PE is used as the next hop. When the primary PE comes back up, the route next hops are changed to the primary PE. |
eBGP Peer-AS-Number | Enter the autonomous system (AS) number for the external (EBGP) peer. Note: If the peer AS number is not configured or the peer AS number that is configured is the same as that of the CPE site, then the BGP type is assumed to be internal BGP (IBGP). |
Authentication | Select the BGP route authentication method to be used (for example, MD5; see the Auth Key field below). |
Auth Key | If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets. |
Advertise Public LAN Prefixes | Click the toggle button to enable the advertisement of public LAN prefixes. This field is disabled by default. If the tenant has a public IP address pool configured and you enable the advertisement of public LAN prefixes, then for LAN segments that are created with a subnet that falls under the tenant public IP address pool, CSO advertises the LAN subnet to the BGP underlay. Note: When public LAN advertisement is enabled for the WAN link, public LAN prefixes are advertised through the BGP underlay towards MPLS or the Internet. If a site has two versions of the route installed for the same LAN prefix, one in the overlay and one in the underlay, the overlay route is always preferred over the underlay route. |
Use For Fullmesh | Click the toggle button to specify whether the WAN link can be a part of a fullmesh topology. A site can have a maximum of three links enabled for meshing. |
Mesh Overlay Link Type | When the Use for Fullmesh field is enabled, select the type of mesh overlay link—GRE or GRE_IPSEC. If the link type is Internet, the mesh overlay link type is GRE_IPSEC by default. If the link type is MPLS, select either GRE or GRE_IPSEC. |
Mesh Tag | When the Use for Fullmesh field is enabled, enter the tag to be associated with the WAN link for creating tunnels. You can assign only one tag to the link. Matching mesh tags is one of the criteria used to form tunnels between sites that support meshing. For more information about mesh tags, see Mesh Tags Overview. |
Connects to Hubs | Click the toggle button to specify that the WAN link of the site connects to a hub. |
Use for OAM Traffic | If you have specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link. This WAN link is then used to establish the OAM tunnel. |
Overlay Tunnel Type | This field is displayed when the Connects to Hubs field is enabled and only one provider hub (primary) is specified. Select the mesh overlay tunnel type (GRE or GRE_IPSEC) of the tunnel to the hub. MPLS links can have either GRE or GRE_IPSEC as the overlay link type, whereas Internet links can have only GRE_IPSEC as the overlay link type. |
Overlay Peer Device | This field is displayed when the Connects to Hubs field is enabled and only one provider hub (primary) is specified. Displays the peer hub device to which the site is connected. |
Overlay Peer Interface | This field is displayed when the Connects to Hubs field is enabled and only one provider hub (primary) is specified. Select the interface name of the hub device to which the WAN link of the site is connected. |
Overlay Tunnel Type 1 | This field is displayed when the Connects to Hubs field is enabled and both primary and secondary hubs are specified. Select the mesh overlay tunnel type (GRE or GRE_IPSEC) for the tunnel to the primary hub. MPLS links can have either GRE or GRE_IPSEC as the overlay link type, whereas Internet links can have only GRE_IPSEC as the overlay link type. |
Overlay Peer Device 1 | This field is displayed when the Connects to Hubs field is enabled and both primary and secondary hubs are specified. Displays the primary peer hub device to which the site is connected. |
Overlay Peer Interface 1 | This field is displayed when the Connects to Hubs field is enabled and both primary and secondary hubs are specified. Select the interface name of the primary hub device to which the WAN link of the site is connected. |
Overlay Tunnel Type 2 | This field is displayed when the Connects to Hubs field is enabled and both primary and secondary hubs are specified. Select the mesh overlay tunnel type (GRE or GRE_IPSEC) for the tunnel to the secondary hub. MPLS links can have either GRE or GRE_IPSEC as the overlay link type, whereas Internet links can have only GRE_IPSEC as the overlay link type. |
Overlay Peer Device 2 | This field is displayed when the Connects to Hubs field is enabled and both primary and secondary hubs are specified. Displays the secondary peer hub device to which the site is connected. |
Overlay Peer Interface 2 | This field is displayed when the Connects to Hubs field is enabled and both primary and secondary hubs are specified. Select the interface name of the secondary hub device to which the WAN link of the site is connected. |
Backup Link | Select a backup link through which traffic can be routed when the primary (other) links are unavailable. You can select any link other than the default links or links that are configured exclusively for local breakout traffic. When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, SLA data is not monitored for the backup link. |
Default Link | Select one or more links that will be used for routing traffic in the absence of matching SD-WAN policy intents. A site can have multiple default links to the hub site. Default links are used primarily for overlay traffic but can also be used for local breakout traffic. However, a default link cannot be used exclusively for local breakout traffic. If you do not specify a default link, then equal-cost multipath (ECMP) is used to choose the link on which to route traffic. |
Data VLAN ID | Enter a VLAN ID for the WAN link. Range: 2 through 4093. |
WAN_1 WAN-Interface-Name | Click the toggle button to enable or disable the WAN link. When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 WAN-Interface-Name for an explanation of the fields. |
WAN_2 WAN-Interface-Name | Click the toggle button to enable or disable the WAN link. When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 WAN-Interface-Name for an explanation of the fields. |
WAN_3 WAN-Interface-Name | Click the toggle button to enable or disable the WAN link. When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 WAN-Interface-Name for an explanation of the fields. |
Management Connectivity | |
IP Prefix | Enter an IPv4 address prefix for the loopback interface on the CPE device. The IP address prefix must be a /32 IP address prefix and must be unique across the entire management network. If you do not specify an IPv4 address prefix, CSO automatically assigns the IP prefix from the reserved pool 100.124.0.0/14. |
LAN | |
Add LAN Segment | You must add at least one LAN segment for the on-premise site. To add a LAN segment, click Add LAN Segment and complete the fields on the Add LAN Segment page; see Table 56 for the fields. |
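The On-Demand Mesh Threshold fields above describe two windowed counters: a tunnel pair is created when the sessions closed in a 2-minute window exceed the creation threshold (default 5) and deleted when the sessions closed in a 15-minute window are at or below the deletion threshold (default 8). The following model is an added example, not CSO code; it assumes the deletion check runs only once the tunnel has been up for a full 15-minute window, which the page does not state.

```python
"""Added example: model of CSO's on-demand (dynamic) mesh thresholds.

Not CSO code. Windows and defaults follow the On-Demand Mesh Threshold
fields; the rule that the deletion check waits for a full 15-minute
window after tunnel creation is our assumption.
"""
from collections import deque

CREATE_WINDOW = 2 * 60    # seconds; page: "a duration of two minutes"
DELETE_WINDOW = 15 * 60   # seconds; page: "a duration of 15 minutes"


class DynamicMeshMonitor:
    """Tracks session-close events between one pair of spoke sites."""

    def __init__(self, create_threshold=5, delete_threshold=8):
        self.create_threshold = create_threshold
        self.delete_threshold = delete_threshold
        self.closed = deque()       # timestamps (seconds) of closed sessions
        self.tunnel_up = False
        self.tunnel_since = None
        self.events = []            # ("create" | "delete", timestamp)

    def _count_within(self, now, window):
        # Entries older than the longest window can never count again.
        while self.closed and now - self.closed[0] >= DELETE_WINDOW:
            self.closed.popleft()
        return sum(1 for t in self.closed if now - t < window)

    def session_closed(self, now):
        self.closed.append(now)
        self.evaluate(now)

    def evaluate(self, now):
        """Apply the creation rule (tunnel down) or deletion rule (tunnel up)."""
        if not self.tunnel_up:
            if self._count_within(now, CREATE_WINDOW) > self.create_threshold:
                self.tunnel_up = True
                self.tunnel_since = now
                self.events.append(("create", now))
        elif now - self.tunnel_since >= DELETE_WINDOW:   # assumption: full window observed
            if self._count_within(now, DELETE_WINDOW) <= self.delete_threshold:
                self.tunnel_up = False
                self.tunnel_since = None
                self.events.append(("delete", now))


def simulate(close_times, check_times, create_threshold=5, delete_threshold=8):
    """Replay session closes and periodic checks in time order; return the events."""
    mon = DynamicMeshMonitor(create_threshold, delete_threshold)
    timeline = sorted([(t, "close") for t in close_times] +
                      [(t, "check") for t in check_times])
    for t, kind in timeline:
        if kind == "close":
            mon.session_closed(t)
        else:
            mon.evaluate(t)
    return mon.events


if __name__ == "__main__":
    # Constructed sample: six closes within 50 s trigger creation; a quiet
    # quarter hour afterwards (3 closes) falls below the deletion threshold.
    print(simulate([0, 10, 20, 30, 40, 50, 100, 200, 300], [400, 950]))
```

With the defaults, five closes in the window are not enough (the count must exceed 5), and a site that keeps closing sessions every 15 seconds never drops below the deletion threshold.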
Table 55: Automatic Creation of Source NAT Rules
Autocreate Source NAT Rule | Translation | NAT Rules Creation |
---|---|---|
Disabled | Not applicable (No NAT) | None. |
Enabled | Interface-Based (Default)—CSO creates interface-based NAT rules. | Source NAT rules are automatically created, one from each department zone to the WAN interface, with a translation of type interface. Each [zone - interface] pair represents a rule-set. For example, the following rule-sets from department zones to the W1 (WAN link) interface might be created: Dept-Zone1 --> W1 : Translation=Interface; Dept-Zone2 --> W1 : Translation=Interface; Dept-Zone3 --> W1 : Translation=Interface. |
Enabled | Pool-Based—CSO automatically creates pool-based NAT rules. | Source NAT rules are automatically created, one from each department zone to the WAN NAT pool, with a translation of type pool. For example, the following source NAT rules from department zones to the NAT pool might be created: Dept-Zone1 --> W1 : Translation=Pool-1; Dept-Zone2 --> W1 : Translation=Pool-1. |
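Table 55 and the Autocreate Source NAT Rule field describe a small rule model: one implicit rule per department zone and WAN interface, hidden from the NAT Policies page, with a manually created rule in the same rule-set taking priority. The following is an added example that models that behaviour, not CSO code; the data classes, the first-match lookup and the Dept-Zone/W1/Pool names used as sample data are assumptions.

```python
"""Added example: model of CSO's auto-created source NAT rule-sets (Table 55)
and the manual override described for Autocreate Source NAT Rule. Not CSO
code; the data model and lookup order are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    src_zone: str                    # department zone, e.g. Dept-Zone1
    wan_if: str                      # WAN interface, e.g. W1
    translation: str                 # "Interface" or a pool name such as "Pool-1"
    dst_port: Optional[int] = None   # optional extra match on the destination port
    implicit: bool = True            # True: auto-created, not shown on NAT Policies page

    def matches(self, zone, wan_if, dst_port):
        return (self.src_zone == zone and self.wan_if == wan_if
                and (self.dst_port is None or self.dst_port == dst_port))


def autocreate_rules(zones, wan_if, autocreate, translation="Interface-Based", pool=None):
    """Build the implicit rule-set per Table 55 for one WAN link."""
    if not autocreate:
        return []                                   # Disabled: no NAT rules at all
    if translation == "Interface-Based":
        target = "Interface"
    elif translation == "Pool-Based":
        if pool is None:
            raise ValueError("pool-based NAT needs a pool name")
        target = pool
    else:
        raise ValueError(f"unknown translation type {translation!r}")
    return [NatRule(z, wan_if, target) for z in zones]


class SiteNat:
    """Ordered rule list; a manual rule sits above the implicit rule of its rule-set."""

    def __init__(self, implicit_rules):
        self.rules: List[NatRule] = list(implicit_rules)

    def add_manual_rule(self, rule):
        if rule.implicit:
            raise ValueError("manual rules must be created with implicit=False")
        # Insert just ahead of the first rule in the same [zone - interface] rule-set.
        idx = next((i for i, r in enumerate(self.rules)
                    if r.src_zone == rule.src_zone and r.wan_if == rule.wan_if),
                   len(self.rules))
        self.rules.insert(idx, rule)

    def translation_for(self, zone, wan_if, dst_port=None):
        """First-match lookup: the translation applied to a flow, or None (no NAT)."""
        for r in self.rules:
            if r.matches(zone, wan_if, dst_port):
                return r.translation
        return None

    def visible_rules(self):
        """What an operator sees on the NAT Policies page: manual rules only."""
        return [r for r in self.rules if not r.implicit]


if __name__ == "__main__":
    # Constructed sample matching the examples in the table and the note above.
    site = SiteNat(autocreate_rules(["Dept-Zone1", "Dept-Zone2", "Dept-Zone3"], "W1", True))
    site.add_manual_rule(NatRule("Dept-Zone1", "W1", "Pool-2", dst_port=56578, implicit=False))
    print(site.translation_for("Dept-Zone1", "W1", 56578), site.translation_for("Dept-Zone1", "W1", 443))
```

The point for an operator reviewing a site is that `visible_rules()` shows only the manual override, while `translation_for()` reflects what actually applies to each flow, including the hidden interface-based rules.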
Table 56: Fields on the Add LAN Segment page
Field | Description |
---|---|
Name | Enter a name for the LAN segment. The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length allowed is 15 characters. |
Type Note: This field is displayed only for LAN segments associated with enterprise hub sites. | Select the type of LAN segment. The fields that follow distinguish between directly connected LAN segments and dynamically routed LAN segments. |
VLAN ID | Enter the VLAN ID for the LAN segment. Range: 2 through 4093. |
Department | Select a department to which the LAN segment is assigned. Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Adding a Department for details. You can group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department. |
Protocol | For dynamically routed LAN segments, select the routing protocol (BGP or OSPF) to be used by the data center department to learn routes from the data center. |
Advertise LAN Prefix | For dynamically routed LAN segments, click the toggle button to advertise the LAN prefix of the SD-WAN spoke site to the data center through the data center department associated with the enterprise hub. By default, the Advertise LAN Prefix field is disabled. Note: You must avoid overlapping IP addresses between the SD-WAN LAN network and the data center network. |
Gateway Address/Mask | Enter a valid gateway IP address and mask for the LAN segment. This address will be the default gateway for endpoints in this LAN segment. For example: 192.0.2.8/24. |
DHCP | For directly connected LAN segments, click the toggle button to enable DHCP (default). Enable DHCP if you want to assign IP addresses by using a DHCP server, or disable DHCP if you want to assign static IP addresses on the LAN segment. Note: If you enable DHCP, additional fields appear on the page. |
Additional fields related to DHCP | |
Address Range Low | Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment. |
Address Range High | Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment. |
Maximum Lease Time | Specify the maximum duration (in seconds) for which a client can request and hold a lease on the DHCP server. Default: 1440. Range: 0 through 4,294,967,295 seconds. |
Name Server | Specify one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address. Note: DNS servers are used to resolve hostnames into IP addresses. |
CPE Ports | |
Switch Ports Note: This field is displayed only when LAN capability is selected for the enterprise hub. | If you disable the CPE ports field, select ports on the switch to be part of the LAN segment. The Switch ports and CPE ports are mutually exclusive. Select the ports from the Available column and click the right-arrow to move the ports to the Selected column. |
BGP Configuration Note: This section is displayed only for dynamically routed LAN segments with BGP specified as the protocol. | |
Authentication | Select the BGP route authentication method to be used (for example, MD5; see the Auth Key field below). |
Peer IP Address | Enter the IP address of the BGP neighbor. |
Peer AS Number | Enter the autonomous system (AS) number of the BGP neighbor. |
Auth Key | If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets. |
OSPF Configuration Note: This section is displayed only for dynamically routed LAN segments with OSPF specified as the protocol. | |
OSPF Area ID | Specify the OSPF area identifier to be used for the dynamic route. |
Authentication | Select the OSPF route authentication method to be used (for example, a password or MD5; see the Password and Auth Key fields below). |
Password | Enter the password to be used to verify the authenticity of OSPF packets. |
Confirm Password | Retype the password for confirmation purposes. |
MD5 Auth Key ID | If you specified that MD5 should be used for authentication, enter the OSPF MD5 authentication key ID. Range: 1 through 255. |
Auth Key | If you specified that MD5 should be used for authentication, enter an MD5 authentication key, which is used to verify the authenticity of OSPF packets. |