Add and Provision a Switch Overview
A user with tenant administrator privileges can onboard EX Series switches to and use Contrail Service Orchestration (CSO) to provision, deploy, and monitor EX Series switches in branch and campus deployments of enterprise networks.
You can use CSO to manage and configure the following EX Series Switches:
EX2300, EX2300 Virtual Chassis
EX3400, EX3400 Virtual Chassis
EX4300, EX4300 Virtual Chassis
EX4600, EX4600 Virtual Chassis
EX4650, EX4650 Virtual Chassis
You can onboard a switch to CSO in one of the following ways:
By adding a site with the switch and connecting it to an Internet gateway device (standalone switch).
By adding a site with a CPE and the switch connected to the CPE.
By adding a site with a next-generation firewall and the switch connected to the next-generation firewall.
By adding the switch to a site that already has one or more switches connected to an Internet gateway and connecting the switch to the Internet gateway.
By adding the switch to a CPE or next-generation firewall that is already provisioned and managed by CSO.
You can add multiple switches to a site that has a CPE or a next-generation firewall; However, in this implementation, you must manage the connectivity and configuration between the switches and the CPE or next-generation firewall either by using configuration templates in CSO or manually.
Switch Behind an Internet Gateway Overview
Figure 1 shows a site with a switch, managed by CSO, connected to an Internet gateway. The gateway can be a device from a manufacturer other than Juniper Networks. You can also add multiple switches behind the Internet gateway to be managed by CSO.
You can provision the switches by either using ZTP (if the EX Series switch supports Phone-Home client) or manually configure the stage-1 configuration on the switch. SeeAdd a Switch Behind an Internet Gateway for details.
Only EX Series switches running 18.4R2.7 or 18.4R3.3 Junos OS support ZTP.
EX4300 MP, EX4600, and EX4650 switches do not support Phone-Home client. You must disable ZTP and manually configure the stage-1 configuration on the switches.
Switch Behind a CPE or Next-Generation Firewall Overview
Figure 2 shows an example of a site with a CPE and a switch connected to the CPE.
In Figure 2, the switch is connected to two LAN segments (LAN1 and LAN2) and the CPE. The CPE is connected to a LAN segment (LAN3) and to the EX Series switch. The switch can also be connected to a next-generation firewall as shown in Figure 3.
CSO does not provide an option to configure LAN segments while configuring a site with a next-generation firewall. You can add a LAN segment to the next-generation firewall by using configuration templates.
The switch and the CPE or firewall can be connected through a trunk port. However, you can use two trunk ports to connect the CPE and the switch and combine them to form a Link Aggregation Group (LAG) for higher throughput and redundancy. Traffic from LAN segments connected to the switch are routed to the CPE or firewall through the trunk ports for further routing into WAN.
You can also use the trunk ports to carry the management traffic for the switch, in addition to data (in-band management).
The ae0 port of the SRX Series device is configured as the trunk port for communication with the switch.
The DHCP server, configured on the CPE or firewall:
Allocates unique IP addresses to the access devices connected to the switch.
Provides management connectivity to the switch.
During ZTP of a site with both WAN and LAN capabilities, the switch is provisioned after the CPE or firewall is provisioned.
When you add a switch to an already provisioned site, CSO redeploys the stage-2 configuration on the CPE or firewall to configure DHCP and LAG. The DHCP configuration enables management connectivity to the switch and allows CSO to discover and provision the switch.
For details about adding a switch behind a CPE, see Add a Switch Behind a CPE and for details about adding a switch behind a next-generation firewall, see Add a Switch Behind a Next-Generation Firewall.