Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Contrail Service Orchestration (CSO) Solutions Overview

 

Juniper Networks Contrail SD-WAN, SD-LAN, and NGFW management solutions offer automated branch connectivity while improving network service delivery and agility. CSO is a multi-tenant platform that manages physical and virtual network devices, creates and manages Juniper Networks and third-party virtualized network functions (VNFs), and uses those elements to deploy network solutions for both enterprises and service providers (SPs) and their customers. CSO multi-tenancy provides security and tenant isolation that keeps the objects and users belonging to one tenant or operating company (OpCo) from seeing or interacting with those of another tenant or OpCo.

The CSO platform itself can be deployed in one of two ways:

  • As a downloadable, on-premises platform in which you (or your company) become the SP administrator (cspadmin user). In an on-premises deployment, the cspadmin user has complete read-write management access and responsibility for the CSO micro-services platforms, orchestration and management infrastructure, and all underlay networks needed to allow access to CSO and its solutions.

  • As a software-as-a-service (SaaS) platform, hosted in a public cloud, to which tenants and OpCos subscribe. In an SaaS deployment, Juniper Networks manages the necessary microservices infrastructure, the secure orchestration and management (OAM) infrastructure, and underlay networks needed to allow access to CSO and its solutions.

CSO offers multiple network solutions that benefit enterprise customers and service providers and their customers. The solutions are split into two overall groups, WAN solutions and LAN solutions as shown in Figure 1.

Figure 1: WAN and LAN Solutions
WAN and LAN Solutions

These solutions allow CSO to do the following:

  • Provide lifecycle management for devices and services

  • Automate physical and virtual device provisioning

  • Provide Day 0, Day 1, and Day 2 configuration

  • Monitor remote devices

  • Provide full lifecycle management of firewall, NAT, and Internet breakout policies for user traffic

  • Provide high-level reporting about devices and user traffic

Contrail SD-WAN Solution

The Contrail SD-WAN solution offers a flexible and automated way to route traffic through the cloud using overlay networks. It is an overlay network solution that provides enhanced application user experience. It acts as both a data controller and a management orchestrator. At its most basic, an SD-WAN solution encompasses multiple sites, multiple connections between sites, and a WAN controller as shown in Figure 2.

Figure 2: Basic SD-WAN Concept
Basic SD-WAN Concept

The CPE devices in a Contrail SD-WAN solution (also known as on-premises spoke devices) have a WAN side and a LAN side. On the WAN side, hub-and-spoke and dynamic mesh topologies are supported. The CPE devices use at least one, and up to four, WAN interfaces as connection paths to provider hub devices, enterprise hub devices, other spoke devices, and the Internet. The supported hub devices are shown in Table 1:

Table 1: Supported Hub Devices

Hub Device

Used as

vSRX

Enterprise Hub and Provider Hub

SRX1500

Enterprise Hub and Provider Hub

SRX4100

Enterprise Hub and Provider Hub

SRX4200

Enterprise Hub and Provider Hub

The hub devices help to provide the overlay networking needed for the Contrail SD-WAN solution.

CSO allows you to give preference to one WAN path over another for any given traffic through the use of traffic steering and breakout profiles. Thus, business-critical traffic and data can be routed through the provider hub using MPLS/GRE while non-critical traffic can be routed over the Internet connection through an IPsec tunnel. Each path can have a service level agreement (SLA) profile applied. The SLA profile monitors the path for latency, congestion, and jitter while also accounting for path preference. Should the path fail to meet one or more of the required parameters, traffic is re-routed to another path automatically.

The LAN side of the CPE devices connect to the customer’s LAN segments. Multiple departments at the customer site that occupy different LAN segments can have their traffic securely segregated with the use of dedicated IPSec tunnels. NFX Series spoke devices can also provide service chains of network services in addition to the routing flexibility already available.

You can use the solutions as turnkey implementations or connect to other operational support and business support systems (OSS/BSS) through northbound Representational State Transfer (REST) APIs.

Contrail Managed LAN Solution (SD-LAN)

The SD-LAN solution allows CSO to manage and monitor remote LAN devices like certain EX Series LAN switches, Mist WiFi access points, and certain SRX Series next generation firewall (NGFW) devices. This extends the SD-WAN solution to provide visibility into the LANs of remote networks. At its most basic, a managed LAN implementation is as simple as connecting a supported EX switch or SRX firewall at the remote site through an Internet gateway device as shown in Figure 3.

Figure 3: Simple SD-LAN Solution
Simple SD-LAN Solution

While Figure 3 shows a single switch connected behind an Internet gateway device, there are several other deployment options available within the solution. For example, an EX switch can be attached to an existing managed CPE device, or it can be added to CSO as a standalone LAN switch. Similar deployment options are available for the NGFW solution. For more details about switch deployment in a managed LAN solution, see the Adding and Provisioning Switches to Provide LAN Capability to a Site Overview and the CSO Design and Architecture Guide.

Next Generation Firewall (NGFW) Deployment Model

The NGFW deployment focuses on providing remote network security through the use of SRX Series NGFW devices as CPE at the spoke site; unlike the SD-WAN and Hybrid WAN deployments which focus on secure site-to-site connectivity and remote VNF deployment. A high-level view of the spoke site with NGFW is shown in Figure 4.

Figure 4: NGFW Spoke Site
NGFW Spoke Site

An NGFW deployment is carried out in the Customer Portal of CSO as a site deployment. The tenant under which the site is deployed must have the NGFW service available. This service is included in the tenant configuration by the tenant administrator during tenant onboarding. The remainder of this document provides a brief discussion of the architecture, and the steps that you need to perform in order to complete a NGFW deployment in CSO.

Hybrid WAN (Distributed CPE) Deployment Model

In a Hybrid WAN deployment, customers access network services from a CPE device located at the customer’s site. These sites are called on-premises sites or spokes. In the workflows used in the CSO GUI, this deployment style is known as Hybrid WAN. Figure 5 illustrates a simplified Hybrid WAN deployment.

Figure 5: Hybrid WAN Deployment
Hybrid WAN Deployment

Initial configuration of the CPE device at the site can be automated through the use of zero touch provisioning (ZTP) that is orchestrated through CSO. CSO also monitors the CPE device and its services, and can push software and configuration updates to the devices remotely, reducing operating expenses. This deployment model is useful in environments where service delivery from the service provider’s cloud is costly.

In fact, CSO has been designed to require only modest bandwidth, needing as little as 30 kbps for probe and secure OAM traffic over Hybrid WAN connections where there are only a few sessions active. When AppQoE is involved, the bandwidth requirement increases to somewhere between 105 kbps and 2 Mbps, depending on the number of sessions. During ZTP operations, if new device images are needed, they can be downloaded as part of the ZTP process, or pre-staged on the device. In those circumstances, the bandwidth requirement increases to a maximum of 5 Mbps only when device image download is needed. This makes these solutions applicable even in cases where connection bandwidth is limited or noisy.

The Hybrid WAN deployment uses a CPE device such as an NFX Series Network Services platform or SRX Series Services Gateway at the customer site and thus supports private hosting of network services at a site. The distributed deployment can be extended to offer SD-WAN capabilities.

Note

If an SRX Series device is used as the CPE device at the customer site, it cannot host VNFs.