Adding and Provisioning Switches to Provide LAN Capability to a Site Overview
You can use Contrail Service Orchestration (CSO) to provision, deploy, and monitor EX Series switches in branch deployments of enterprise networks. You can deploy an EX Series switch by connecting it to a Customer Premise Equipment (CPE) device (SRX Series devices only) that functions as a secure SD-WAN router or next-generation firewall. You can also connect the EX Series switch to a third-party Internet gateway device.
CSO Release 5.1.1 supports only EX2300, EX3400, EX4300, EX4600, and EX4650 switches, as both physical switches and Virtual Chassis.
You can provision a switch on a branch network by using CSO in one of the following ways:
By adding a site with the switch and connecting it to an Internet gateway device.
By adding a site with an SD-WAN CPE and the switch.
By adding a site with a next-generation firewall site and the switch.
By adding a site with an enterprise hub and the switch.
By adding the switch to an SD-WAN CPE that is already provisioned and managed by CSO.
By adding the switch to a next-generation firewall site that is already provisioned and managed by CSO.
By adding the switch to an enterprise hub site that is already provisioned and managed by CSO.
By adding one or more switches to an SD-LAN site that is already provisioned and managed by CSO.
Standalone Switch Overview
Figure 1 shows a site with LAN capability managed by CSO.
In Figure 1, the EX Series switch is connected to CSO through an internet gateway. The gateway can be a device from a manufacturer other than Juniper Networks.
When provisioning a standalone switch (physical or Virtual Chassis), you can either use ZTP (if the EX Series switch supports the Phone-Home client) or manually configure the stage-1 configuration on the switch. See Add an On-Premise Spoke Site with LAN Capability for details.
Only EX Series switches running 18.4R2.7 or 18.4R3.3 firmware support ZTP.
EX4600 and EX4650 switches do not support the Phone-Home client. For these switches, you must disable ZTP and manually configure the stage-1 configuration.
Switch Behind a CPE or Next Generation Firewall Overview
Figure 2 shows a site with SD-WAN and LAN capabilities managed by CSO.
Figure 2 shows an example of a switch configured behind a CPE where the switch is connected to two LAN segments (LAN1 and LAN2) and the CPE. The CPE is connected to a LAN segment (LAN3) and to the EX Series switch. The switch can also be connected to a next-generation firewall as shown in Figure 3.
You cannot add a LAN segment to the next-generation firewall by using CSO.
The switch and the CPE or firewall can be connected through a single trunk port. Alternatively, you can connect the CPE and the switch through two trunk ports and combine them into a Link Aggregation Group (LAG) for higher throughput and redundancy. Traffic from the LAN segments connected to the switch is routed to the CPE or firewall through the trunk ports for further routing into the WAN.
You manage the switch through in-band management, wherein the trunk ports carry the management traffic in addition to data.
The ae0 port of the SRX Series device is configured as the trunk port for communication with the switch.
The DHCP server, configured on the CPE or firewall, runs on the trunk ports to:
Allocate unique IP addresses to the access devices connected to the switch.
Provide management connectivity to the switch.
During ZTP of a site with both WAN and LAN capabilities, the switch is provisioned after the CPE or firewall is provisioned.
When you add a switch to an already provisioned site, CSO redeploys the stage-2 configuration on the CPE or firewall to configure DHCP and LAG. The DHCP configuration enables management connectivity to the switch and allows CSO to discover and provision the switch.
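The following is an added illustration of the CPE-side settings described above, written in Junos set syntax. It is not the stage-2 configuration that CSO generates; it only shows the shape of what that configuration has to provide: two physical ports bundled into ae0 as a LAG trunk, the LAN and management VLANs carried on that trunk, and a DHCP server on the CPE that hands addresses to access devices and to the switch itself. Interface names (ge-0/0/1, ge-0/0/2), VLAN IDs, zone names, and the addresses from the 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24 documentation ranges are assumptions chosen for the example.

```junos
## Added example (assumed values), not CSO-generated configuration.
## SRX-side settings for an EX Series switch attached over a two-port LAG
## trunk (ae0), with a DHCP server on the trunk VLANs for LAN hosts and
## for in-band management of the switch.

## One aggregated Ethernet device with two physical members, LACP active.
set chassis aggregated-devices ethernet device-count 1
set interfaces ge-0/0/1 ether-options 802.3ad ae0
set interfaces ge-0/0/2 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active

## ae0 is the trunk toward the switch; it carries the LAN1 and LAN2 data
## VLANs plus a separate VLAN for the switch's management traffic.
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [ lan1 lan2 mgmt ]

## VLANs with Layer 3 IRB interfaces on the CPE (default gateway for hosts).
set vlans lan1 vlan-id 10
set vlans lan1 l3-interface irb.10
set vlans lan2 vlan-id 20
set vlans lan2 l3-interface irb.20
set vlans mgmt vlan-id 100
set vlans mgmt l3-interface irb.100
set interfaces irb unit 10 family inet address 192.0.2.1/24
set interfaces irb unit 20 family inet address 198.51.100.1/24
set interfaces irb unit 100 family inet address 203.0.113.1/24

## DHCP local server on the IRB interfaces: allocates unique addresses to
## access devices on LAN1/LAN2 and gives the switch its management address.
set system services dhcp-local-server group lan interface irb.10
set system services dhcp-local-server group lan interface irb.20
set system services dhcp-local-server group mgmt interface irb.100
set access address-assignment pool lan1-pool family inet network 192.0.2.0/24
set access address-assignment pool lan1-pool family inet range r1 low 192.0.2.10
set access address-assignment pool lan1-pool family inet range r1 high 192.0.2.200
set access address-assignment pool lan1-pool family inet dhcp-attributes router 192.0.2.1
set access address-assignment pool lan2-pool family inet network 198.51.100.0/24
set access address-assignment pool lan2-pool family inet range r1 low 198.51.100.10
set access address-assignment pool lan2-pool family inet range r1 high 198.51.100.200
set access address-assignment pool lan2-pool family inet dhcp-attributes router 198.51.100.1
set access address-assignment pool mgmt-pool family inet network 203.0.113.0/24
set access address-assignment pool mgmt-pool family inet range r1 low 203.0.113.10
set access address-assignment pool mgmt-pool family inet range r1 high 203.0.113.20
set access address-assignment pool mgmt-pool family inet dhcp-attributes router 203.0.113.1

## The CPE must accept DHCP on the IRB interfaces (assumed zone "trust") and
## permit the switch's management traffic onward to the WAN (assumed zone
## "untrust") so that CSO can discover and provision it.
set security zones security-zone trust interfaces irb.10 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces irb.20 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces irb.100 host-inbound-traffic system-services dhcp
set security policies from-zone trust to-zone untrust policy lan-to-wan match source-address any
set security policies from-zone trust to-zone untrust policy lan-to-wan match destination-address any
set security policies from-zone trust to-zone untrust policy lan-to-wan match application any
set security policies from-zone trust to-zone untrust policy lan-to-wan then permit
```

The example keeps the switch's management traffic on its own VLAN (vlan 100, an assumption) even though it shares the same physical trunk as LAN1 and LAN2 data; that is what in-band management means here, and separating the VLAN keeps the management pool and its security policy distinct from the access-device pools. The lan-to-wan policy is deliberately broad for illustration; in a real deployment it would be narrowed to the destinations the switch and LAN hosts actually need.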
Monitoring Switches Overview
You can monitor the following for an EX Series switch on the Device-Name page (Resources > Devices):
Resource utilization (memory and CPU) on the switch for the past one hour, past eight hours, past one day, past one week, and past one month.
Status of ports.
Alerts and alarms generated on the switch for the past one hour, past eight hours, past one day, past one week, and past one month.
Top ports consuming the most bandwidth.
Top ports with the most errors.
Top ports with the most packet loss.