Adding a Site Template
You can add a site template for an on-premise spoke site. A site template can be added with one WAN capability (SD-WAN, or Hybrid WAN, or Next Gen Firewall), LAN capability, or both WAN and LAN capabilities.
If you select the WAN capability as Hybrid WAN you cannot select the LAN capability.
To add a site template:
- Select Resources > Templates > Site Templates.
The Site Templates page appears.
- Click the plus icon (+).
The Add Site Template page appears.
- Complete the configuration according to the guidelines
in Table 1.
The fields that are displayed in the Add Site Template page are based on the LAN and WAN capabilities that you choose. The last column of Table 1 indicates the capabilities for which a field is applicable.
Fields marked with * are mandatory.
- Click OK.
The site template is added and listed in the Site Templates page. You can use the site template to add multiple on-premise spoke sites.
Table 1: Fields on the Add Site Template Page
Specify a unique name for the site template that can contain alphanumeric characters and hyphens (-); the maximum length is 32 characters.
Enter a description for the site template; the maximum length is 512 characters.
Select a site group to which you want to assign the template. Example: sdwan-spoke
Select one of the following WAN capabilities to include LAN capabilities for the site template:
Select LAN to include LAN capabilities for the site template.
This field is disabled if the WAN capability is Hybrid WAN.
Primary Provider Hub
Select the provide hub site (or primary provider hub site in case of multihoming) to which the spoke site must connect.
Secondary Provider Hub
Select the secondary provider hub site to which this site must connect.
This site connects to the secondary provider hub site when the primary provider hub is down.
Primary Enterprise Hub
Select the primary enterprise hub with which you want to connect the spoke site. If you specify a enterprise hub, then the initial site-to-site traffic as well as the central breakout (backhaul) traffic (if applicable) is sent through the enterprise hub instead of the hub site.
Secondary Enterprise Hub
Select the secondary enterprise hub for this spoke site.
The spoke site connects with secondary enterprise hub when the primary enterprise hub is down.
Enter the maximum number of sessions closed between the connected sites in a duration of two minutes at which full mesh is created between the two sites.
The default value is 5.
For example, if you specify the number of sessions as 5, dynamic mesh tunnels are created if the number of sessions closed between two spoke sites in 2 minutes exceeds 5.
Enter the number of sessions closed between the connected sites in a duration of 15 minutes below which full mesh is deleted between the two sites.
The default value is 2.
For example, if you specify the number of sessions closed as 2, dynamic mesh tunnels are deleted if the number of sessions closed is lesser than or equal to 2.
Address and Contact Information
Enter the street address of the site.
Enter the city where the site is located.
Select the state or province where the site is located.
Enter the postal code for the site.
Select the country where the site is located. Click the Validate button to verify the address. The site address verification successful message is displayed if the address is correct. You can click the View location on a map link to see the address location.
If you enter the wrong address and click the Validate button to verify the address, the Site address could not be validated message is displayed .
Enter the name of the contact person at the site.
Enter the e-mail address of the contact person at the site.
Enter the phone number for the site.
Name Server IP List
Specify one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address, and so on..
DNS servers are used to resolve hostnames into IP addresses.
Specify the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers.
The site must have DNS reachability to resolve the FQDN during site configuration.
Select the time zone in which the site is located from the drop-down list.
Select the device series to which the CPE belongs (SRX, NFX150, or NFX250) and select a device template for the selected device series.
The device template contains information for configuring a device.
For NFX150 devices, select a device model from the list. Device models are listed based on the connection plan that you select.
Click the toggle button to enable or disable automatic activation of the CPE when the CPE is detected by CSO ( management status of the device is Device_Detected).
When you enable this field, zero-touch provisioning of the device is automatically triggered after the site with the CPE is added to CSO.
Click the toggle button to use the preconfigured settings for the firewall device. The preconfigured settings are as follows:
Next Gen Firewall
Select the boot image from the drop-down list if you want to upgrade the image for the CPE device.
The boot image is the latest build image uploaded to the image management system. The boot image is used to upgrade the device when the CSO starts the ZTP process.
If the boot image is not provided, then the device skips the procedure to upgrade the device image. The boot image (NFX or SRX) is populated based on the device template that you have selected while adding a site. See Uploading a Device Image.
In-band Management Port
Select the port that you want to configure as management interface and connect it to the management device. You can configure any of the ge-0/0/x ports, where x ranges from 0 to 14, as in-band management interfaces.
Next Gen Firewall
Select the firewall policy that you want to deploy. The firewall policy list is populated from the Configuration > Firewall > Firewall Policy page.
Select the NAT policy that you want to deploy to the standalone firewall site. The NAT policy list is populated from the Configuration > NAT > NAT Policies page.
CPE AS Number
Specify the autonomous system (AS) number for the CPE device on the site.
Specify the router name.
Router AS Number
Specify the AS number for the router in the point of presence (POP).
Click the toggle button to enable or disable this WAN link. By default, the WAN_0 link is enabled.
When you enable a WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.
Select the underlay network type (MPLS or Internet) of the WAN link that is connected to the on-premise spoke site.
Enter the maximum bandwidth (in mega bits per second [Mbps]) to be allowed for the WAN link. Range: 1 through 10,000
Select the method for IP address assignment. The options available are:
Enter the name of the service provider who is responsible for providing the WAN link.
Enter the cost per month (in the specified currency) of the subscribed bandwidth.
Range: 1 through 10,000
Enable Local Breakout
Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled.
Use For Fullmesh
Click the toggle button to specify that the WAN link is part of a fullmesh topology.
Connects To Hubs
Click the toggle button to specify that the WAN link of the site connects to a hub.
Select a backup link through which traffic can be routed when the primary (other) links are unavailable.
Select one or more links to be used for routing traffic in the absence of matching SD-WAN policy intents.
Data VLAN Id
Enter the VLAN ID that is associated with the data link. A data VLAN identifier is an integer.
Range: 0 through 65,535
Specify the identifier for the Layer 2 VLAN for the CPE device.
Click the toggle button to enable or disable this WAN link. By default, the WAN 1 link is disabled.
Refer to the fields described for WAN 0 for an explanation of the fields.
Click the toggle button to enable or disable this WAN link. By default, the WAN 2 link is disabled.
Refer to the fields described for WAN 0 for an explanation of the fields
Click the toggle button to enable or disable this WAN link. By default, the WAN 3 link is disabled.
Refer to the fields described for WAN 0 for an explanation of the fields
Select the type of switch—EX2300, EX3400, EX4300, EX4600, and EX4650.
Select the model for the switch that you chose in the Device Type.
Displays the LAN segment on the switch.
To add a LAN segment, click the + icon on the top, right corner of the grid. The Add LAN Segment page appears. See Table 2.
Auto Activate Switch
Click the toggle button to enable or disable automatic activation of the switch when the switch is detected by CSO (that is, management status of the device is Device_Detected).
When you enable this field, zero-touch provisioning of the switch is automatically triggered after the site with the switch is added to CSO.
Note: The device template that you select determines whether this option is enabled or disabled by default.
Table 2: Fields on the Add LAN Segment Page
Add LAN Segment
Enter a name for the LAN segment.
The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length is 15 characters.
Enter the VLAN ID for the LAN segment.
Range: 2 through 4093.
Select a department to which the LAN segment is to be assigned.
Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Adding a Department for details.
You group LAN segments as departments for ease of management and for applying policies at the department-level.
Enter a valid gateway IP address and mask for the LAN segment; for example, 192.0.2.8/24.
For directly connected LAN segments, click the toggle button to enable DHCP. DHCP is disabled by default.
You enable DHCP if you want to assign IP addresses by using a DHCP sever. You disable DHCP if you want to assign a static IP address to the LAN segment.
Note: If you enable DHCP, fields related to DHCP-related parameters appear and must be configured.
Address Range Low
Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.
Address Range High
Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.
Maximum Lease Time
Specify the maximum duration (in seconds) for which a client can request for and hold a lease on a DHCP server.
Range: 0 through 4,294,967,295.
Specify or select one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.
Click the toggle button to include or exclude the CPE in the LAN segment. When you include the CPE in the LAN segment:
If you exclude the CPE from the LAN segment, you must specify the switch ports that connect with the LAN in the Switch Ports field. CSO automatically assigns LAN ports on the CPE device and creates the same LAN segment on the CPE device.
Note: You can select only one port if the CPE is an SRX Series device.
If you disable the CPE ports field, select ports on the switch that will be part of the LAN segment.
Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.