Add an On-Premise Spoke Site with Next Generation Firewall and LAN Capabilities

Before You Begin

You can add an on-premise spoke site with both next generation firewall and LAN capabilities in a single workflow. Before you start, have the serial numbers of the firewall device and of each switch at hand (serial numbers are case-sensitive), and make sure that each switch is physically connected to the firewall (CPE) device and powered on; otherwise the switch cannot be activated after the firewall.

Procedure

To add a site with both next generation firewall and LAN capabilities at the same time:

  1. Select Resources > Site Management.

    The Sites page appears.

  2. Click Add and select Add On-Premise Spoke (Manual).

    The Add On-Premise Spoke Site for Tenant-Name page appears.

  3. Complete the configuration settings according to the guidelines provided in Table 90.

    Note Fields marked with an asterisk (*) are mandatory.

  4. Click Next.

    A summary page is displayed.

  5. Review the configuration and modify the settings, if needed, from the Summary tab.
  6. Click OK to add the site.

    The site activation job is initiated and the Site Activation: Site-Name page appears displaying the progress of the steps executed for activating the firewall device and the switch (when LAN capability is selected). The firewall device is activated first and then the process to activate the switch is initiated.

    • If the Zero Touch Provisioning (ZTP) toggle button is enabled (default), CSO pushes the stage-1 and stage-2 configurations and provisions the switch.

      This process occurs immediately after the activation process, for which you entered the activation code or selected auto-activation.

      Note The stage-1 configuration is the initial configuration that gives the device basic connectivity, including the outbound SSH connection to CSO. The stage-2 configuration is the configuration that CSO pushes to the device after the device has connected to CSO.

    • If you disabled the Zero Touch Provisioning (ZTP) toggle button, you must manually configure the stage-1 configuration (as provided by CSO) on the switch.

      Procedure

      To manually configure the stage-1 configuration:

      1. On the Site Activation: Site-Name page, the Click to copy stage-1 configuration link appears after the Prestage Device step completes successfully.
      2. Click the Click to copy stage-1 configuration link.

        The stage-1 configuration page appears displaying the stage-1 configuration to be copied to the EX Series device.

      3. Copy the stage-1 configuration and log in to the console of the EX Series switch.
      4. Enter the configuration mode, paste, and commit the configuration.

        After the stage-1 configuration is committed, the switch has the outbound SSH configuration to connect with CSO.

        CSO then provisions the switch.

Note You can also add a site with LAN and next generation firewall capabilities using the site templates. For more information, see Add On-Premise Spoke Sites by Using a Site Template.
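When ZTP is disabled you paste a configuration into a switch console with whatever privileges that console session has, so it is worth reading the stage-1 configuration before committing it. The following Python script is an added example, not code from this page or from CSO: it flattens a configuration in Junos curly-brace form into set-style statement paths and checks that the only outbound SSH target is your CSO address and port, that NETCONF over SSH is enabled, and that no plaintext management service (Telnet, FTP, HTTP web management) or plaintext root password has been introduced. The sample configuration, the CSO endpoint 198.51.100.10 port 7804, and the forbidden-statement list are constructed assumptions; substitute the values that CSO actually shows you on the stage-1 configuration page.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of a stage-1 configuration in Junos curly-brace form.
# It is NOT the configuration that CSO generates; it only uses the standard
# Junos outbound-ssh and netconf stanzas so the parser has realistic input.
SAMPLE_STAGE1 = """\
system {
    host-name ex-site1;
    services {
        ssh {
            protocol-version v2;
        }
        netconf {
            ssh;
        }
        outbound-ssh {
            client cso {
                device-id AB1234567890;
                secret "$9$redacted"; ## SECRET-DATA
                services netconf;
                198.51.100.10 port 7804;
            }
        }
    }
}
"""

# Assumption: the address and port of your CSO instance. The switch must not
# dial out to anything else from a stage-1 configuration.
ALLOWED_ENDPOINTS = {("198.51.100.10", 7804)}

# Statement prefixes that have no business in a bootstrap configuration.
FORBIDDEN_PREFIXES = (
    "system services telnet",
    "system services ftp",
    "system services web-management http",
    "system root-authentication plain-text-password",
)


def to_set_paths(config: str) -> List[str]:
    """Flatten Junos curly-brace configuration into 'set'-style statement paths."""
    paths, stack = [], []
    for raw in config.splitlines():
        line = raw.split("##", 1)[0].strip()     # drop trailing ## SECRET-DATA style comments
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):                    # open a stanza
            stack.append(line[:-1].strip())
        elif line == "}":                         # close the innermost stanza
            stack.pop()
        elif line.endswith(";"):                  # leaf statement
            paths.append(" ".join(stack + [line[:-1].strip()]))
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    if stack:
        raise ValueError("unbalanced braces in configuration")
    return paths


def audit_stage1(config: str, allowed: Set[Tuple[str, int]]) -> List[str]:
    """Return a list of findings; an empty list means the config is safe to paste."""
    paths = to_set_paths(config)
    findings = [f"forbidden statement: {p}" for p in paths if p.startswith(FORBIDDEN_PREFIXES)]
    if "system services netconf ssh" not in paths:
        findings.append("netconf over ssh is not enabled; CSO cannot manage the switch")
    endpoint_re = re.compile(r"^system services outbound-ssh client \S+ (\S+) port (\d+)$")
    endpoints = [(m.group(1), int(m.group(2))) for m in map(endpoint_re.match, paths) if m]
    if not endpoints:
        findings.append("no outbound-ssh endpoint configured")
    for host, port in endpoints:
        if (host, port) not in allowed:
            findings.append(f"outbound-ssh to unexpected endpoint {host}:{port}")
    return findings


if __name__ == "__main__":
    for finding in audit_stage1(SAMPLE_STAGE1, ALLOWED_ENDPOINTS) or ["stage-1 configuration looks clean"]:
        print(finding)
```

The parser handles well-formed configuration as displayed by `show configuration`; it is deliberately strict and raises on any line it does not understand rather than silently skipping it, so a statement it cannot classify is itself a reason to look closer.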

Table 90: Fields on the Add On-Premise Spoke Site for Tenant-Name Page (Firewall and LAN)

Field

Description

General

Site Information

 

Site Name

Enter a unique name for the firewall site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.

Site Group

Select a site group to which you want to assign the site.

Site Capabilities

 

WAN Capabilities

Select the WAN capabilities as Next Gen Firewall for the site.

LAN Capabilities

Select the LAN capability as LAN for the site.

Address and Contact Information

 

Street Address

Enter the street address of the site.

City

Enter the name of the city where the site is located.

State/Province

Select the state or province where the site is located.

ZIP/Postal Code

Enter the postal code for the site.

Country

Select the country where the site is located.

You can click the Validate button to verify the address that you specified:

  • The site address verification successful message is displayed if the address can be verified. You can click the View location on a map link to see the address location.

  • If the address cannot be verified, the Site address could not be validated message is displayed.

Contact Name

Enter the name of the contact person for the site.

Email

Enter the e-mail address of the contact person for the site.

Phone

Enter the phone number of the contact person for the site.

Click Next to continue.

Advanced Configuration

 

Name Server IP List

Enter one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.

NTP Server

Enter the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers. Example: ntp.example.net. If you enter an FQDN, the site must have DNS reachability to resolve it during site configuration.

Select Timezone

Select the time zone for the site.

WAN

Device Information

 

Serial Number

Enter the serial number of the firewall device. Note that the serial numbers are case-sensitive.

Auto Activate

Click the toggle button to enable or disable automatic activation of the device. This option is enabled by default.

Activation Code

If the Auto Activate feature is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site.

Zero Touch Provisioning

Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default.

If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the firewall device is upgraded to the image that you select for the Boot Image.

If ZTP is disabled, you must manually copy the stage-1 configuration to the firewall device by using the CLI.

Boot Image

When the Zero Touch Provisioning field is enabled, select the boot image from the drop-down list to upgrade the image on the firewall device to a version that supports Phone-Home client.

The boot image is the device image that was previously uploaded to the image management system. The boot image is used to upgrade the device when the CSO starts the ZTP process. If the boot image is not provided, then the device skips the automatic upgrade procedure. The boot image is populated based on the device template that you have selected while creating a site.

By default, the Use Image on Device option is selected.

In-band Management Port

Select the port that you want to configure as management interface and connect it to the management device. You can configure any of the ge-0/0/x ports, where x ranges from 0 to 14, as in-band management interfaces. This field is applicable only when a switch is behind a CPE (SD-WAN or a next generation firewall device).

Firewall Policies

Select the firewall policy that you want to deploy to the standalone firewall site. The firewall policy list is populated from the Configuration > Firewall > Firewall Policy page.

Default: Factory_Default_Fw_Policy

NAT Policies

Select the NAT policy that you want to deploy to the standalone firewall site. The NAT policy list is populated from the Configuration > NAT > NAT Policies page.

Default: Factory_Default_NAT_Policy

Import Configuration

Click the toggle button to automatically import firewall policies and NAT policies from a next generation firewall device to CSO. By default, this field is disabled.

Note: This field is available only when Zero Touch Provisioning is disabled.

Additional Configuration

Configuration Templates List

Select one or more configuration templates from the list. This list is filtered based on the device that you select.

Configuration templates are stage-2 templates that are added by your OpCo administrators or SP administrators or Tenant administrators.

Note: You must set the parameters of the configuration templates that you have selected before you move to the LAN section.

Procedure

To set the parameters for the selected configuration templates:

  1. After you select one or more configuration templates, click Set Parameters.

    The Device Configurations page appears. This page consists of two tabs: Configure and Summary.

  2. In the Configure tab fill in the attributes for each of the configuration templates.

    (Optional) View the CLI commands in the Summary tab.

  3. Click OK.

    You have added and set the parameters for the configuration templates for the site that you are adding.

LAN 

Switch Devices

Displays the switches that you have added to the site.

  • To add a switch, click the + icon on the top right corner of the Switch Devices table. You can add multiple switches only to an SD-LAN site.

    The Add New Switch page appears. See Table 91 for details.

  • To edit details of a switch, select the switch and click the Edit icon on the top right corner of the Switch Devices table. The Edit Switch Details page appears, displaying the same parameters that you configured while adding a switch.

    Modify the parameters as needed and Click OK. The changes that you made for the switch are saved and the updated parameters appear on the Switch Devices table.

  • To delete one or more switches, select the switches and click the Delete icon on the top right corner of the Switch Devices table.

  • To manage the configuration of one or more switches added to the site, select the switches from the list and click Configuration.

    The Switch Configuration page appears. See Table 92 for details.

LAN Segments

Displays the VLANs and their IDs that you configured on the switch.

  • Optional: To add a VLAN, click the + icon on the top, right corner of the LAN Segments table. The Create LAN Segment page appears. See Table 93 for details.

    Fields marked * are mandatory.

    Note: The same LAN segment is created on the CPE device (firewall) if the switch is connected to the CPE device (firewall) that is managed by CSO.

  • To edit details of a VLAN, select the LAN segment and click the Edit icon (pencil) on the top right corner of the LAN Segments table. The Edit LAN Segment page appears, displaying the same fields that are presented when you add a VLAN.

    Modify the parameters as needed and click OK. The changes that you made for the LAN segment are saved and the updated parameters appear on the LAN Segments table.

  • To delete one or more VLANs, select the VLANs and click the Delete icon (trash can) on the top right corner of the LAN Segments table.

Table 91 describes the fields on the Add New Switch page.

Table 91: Fields on the Add New Switch Page

Field

Description

Device Profile

Device Name

Enter a unique name for the switch.

You can use alphanumeric characters and hyphen (-). The maximum length allowed is 15 characters.

Device Type

Select the type of switch—EX2300, EX3400, EX4300, EX4600, and EX4650.

Device Model

Select the model for the switch you specified in the Device Type field.

The models vary in the number and type of ports the switch contains. For example, if you selected EX3400, select a model such as EX3400-24P, EX3400-48P, or EX3400-24T.

CPE Settings

 

Trunk Ports

Select at least two trunk ports on the CPE device to connect with the switch. The trunk ports are used for the following:

  • LAN traffic between the switch and the CPE

  • Management traffic for in-band management of the switch.

Switch Management Subnet

Specify the subnet from which the DHCP server on the CPE assigns IP addresses. The DHCP server runs on the following ports:

  • Trunk ports to provide DHCP information to all devices connected to the switch and to the in-band management port, switch management port, and LAN ports on the CPE.

  • Out-of-band management port on the CPE to provide DHCP information to the management port on the switch.

  • LAN ports on the CPE to provide information to the devices connected to the CPE LAN ports.

Example: 192.0.2.0/24

Switch Details

Virtual Chassis

This toggle button is disabled for a site with NGFW and LAN capabilities.

You can add a Virtual Chassis only to an SD-LAN site.

Serial Number

Specify the serial number of the switch.

The serial number is a 12-digit number present on the rear panel of the switch.

Auto Activate

Click the toggle button to enable or disable automatic activation of the switch. When you enable this field, zero-touch provisioning of the switch is automatically triggered when the device communicates with CSO.

Note: You must physically connect the switch to the CPE device (firewall) and power it on for the switch to be automatically activated when you enable this option.

Activation code

When the Auto activate field is disabled, enter the activation code to be used for manually activating the switch.

For information, see Manually Activating a Switch.

Zero Touch Provisioning

Click the toggle button to enable or disable zero-touch provisioning (ZTP) of the switch.

If you disable ZTP, you must manually copy and paste the Stage-1 configuration on the switch during site activation. See Step-by-Step Procedure for details.

Note:

  • Only EX Series switches running 18.4R2.7 or 18.4R3.3 firmware support ZTP.

  • EX4600 and EX4650 switches do not support Phone-Home client. You must disable ZTP and manually configure the stage-1 configuration on the switches.

Table 92 describes the tabs on the Switch Configuration page.

The Access Profiles and Port Profiles tabs are available only if you have added a physical switch or a preprovisioned Virtual Chassis, and the selected switches are of the same device type and model. If you have added an autoprovisioned Virtual Chassis, only the Configuration Templates tab is available: port profiles can be configured only after the Virtual Chassis has been provisioned, and an access profile requires a RADIUS authentication server, whose communication parameters with the supplicant are defined in the authentication profile that the port profile in turn references.

Table 92: Tabs on the Switch Configuration page

Tab

Description

Access Profiles

Displays the list of access profiles available in CSO. The list is populated from the Access Profiles page (Configuration > SD-LAN > Access Profiles).

You can also click the Search icon to search for a specific access profile in the list.

For details of the fields displayed on the Access Profiles table, see About the Access Profiles Page.

Optional: You can select an access profile from the list to assign it to the switch.

Port Profiles

Displays the list of interfaces (ports) available in CSO.

You can also click the Search icon to search for a specific port in the list.

Optional: To assign port profiles and VLAN IDs to the ports:

Procedure

  1. Select one or more ports and click Edit Configuration on the top right corner, above the Interface List table.

    The Edit Port Configuration page appears.

  2. From the Port Profile list, select a port profile to be assigned to the port.

    Note: The port profile must already be created from the Port Profiles page (Configuration > SD-LAN > Port Profiles) for it to be listed here.

  3. In the VLAN field, if the port is configured as a trunk port in the port profile, assign multiple VLANs by selecting the VLANs in the Available column and clicking the right-arrow to move them to the Selected column.

    If the port is configured as an access port in the port profile, you can assign only one VLAN.

  4. From the Native VLAN list, select a VLAN that you want to configure as native. This option appears only if you select a Trunk port profile from the Port Profile list.
  5. Click OK to complete the configuration. You are returned to the Add On-Premise Spoke Site page.

Configuration Templates

Displays the list of configuration templates. This list is filtered based on the device that you select.

Configuration templates are predefined stage-2 templates that are added by your OpCo administrators or SP administrators.

Procedure

To add configuration templates and set the parameters for the selected configuration templates:

  1. After you select one or more configuration templates, click Set Parameters.

    The Device Configurations page appears. This page consists of two tabs: Configure and Summary.

  2. In the Configure tab fill in the attributes for each of the configuration templates.
  3. (Optional) View the CLI commands in the Summary tab.
  4. Click OK.

    You have added and set the parameters for the configuration templates.

Table 93: Fields on the Add LAN Segment Page when Adding a Switch along with Next-Generation Firewall

Field

Description

Add LAN Segment

Name

Enter a name for the LAN segment.

The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length is 15 characters.

VLAN ID

Enter the VLAN ID for the LAN segment.

Range: 2 through 4093

Gateway Address/Mask

Enter a valid gateway IP address and mask for the LAN segment; for example, 192.0.2.8/24.

DHCP

For directly connected LAN segments, click the toggle button to enable DHCP. DHCP is disabled by default.

You enable DHCP if you want to assign IP addresses by using a DHCP server. You disable DHCP if you want to assign a static IP address to the LAN segment.

Note: If you enable DHCP, the DHCP-related fields described below appear and must be configured.

[DHCP-Related Fields]

Address Range Low

Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Address Range High

Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Maximum Lease Time

Specify the maximum duration (in seconds) for which a client can request and hold a lease from the DHCP server.

Range: 0 through 4,294,967,295.

Name Server

Specify or select one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.
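The site form validates fields one at a time, but the mistakes that cost time at activation are the ones between fields: a DHCP range that includes the gateway or falls outside the gateway's subnet, a LAN segment that overlaps the Switch Management Subnet from Table 91, two segments sharing a VLAN ID, or an access port assigned several VLANs in Table 92. The following Python script is an added example, not code from this page or from CSO; it encodes the rules stated in Table 90 (Site Name), Table 91 (Switch Management Subnet), Table 92 (trunk versus access port VLAN assignment) and Table 93 (LAN segment fields) so that a batch of site definitions can be checked before anyone clicks OK. The dictionary keys, function names and the sample segment are this example's own constructions and are not CSO field identifiers.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Sequence

# Field rules taken from the tables on this page.
SITE_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")       # Site Name: alphanumerics and '-', max 32
SEGMENT_NAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,15}$")   # LAN segment Name: alphanumerics, '.', '-', max 15
VLAN_MIN, VLAN_MAX = 2, 4093                             # VLAN ID range
LEASE_MAX = 4_294_967_295                                # Maximum Lease Time upper bound (seconds)

# Constructed sample of one Create LAN Segment form (keys are this example's own names).
EXAMPLE_SEGMENT = {
    "name": "corp-data", "vlan_id": 100, "gateway": "192.0.2.1/24", "dhcp": True,
    "range_low": "192.0.2.100", "range_high": "192.0.2.200",
    "lease_time": 86400, "name_servers": ["192.0.2.53"],
}


def validate_lan_segment(seg: Dict) -> List[str]:
    """Return the problems found in one LAN segment form; an empty list means it passes."""
    problems = []
    if not SEGMENT_NAME_RE.match(seg.get("name") or ""):
        problems.append(f"name {seg.get('name')!r}: alphanumerics, '.', '-' only, 1-15 chars, no spaces")
    vlan = seg.get("vlan_id")
    if not isinstance(vlan, int) or not VLAN_MIN <= vlan <= VLAN_MAX:
        problems.append(f"vlan_id {vlan!r}: must be {VLAN_MIN}-{VLAN_MAX}")
    try:
        gw = ipaddress.IPv4Interface(seg["gateway"])
    except (KeyError, ValueError) as err:
        problems.append(f"gateway: invalid address/mask ({err})")
        return problems
    net = gw.network
    unusable = (net.network_address, net.broadcast_address)
    if gw.ip in unusable:
        problems.append(f"gateway {gw}: must be a host address, not the network or broadcast address")
    if seg.get("dhcp"):
        try:
            low = ipaddress.IPv4Address(seg["range_low"])
            high = ipaddress.IPv4Address(seg["range_high"])
        except (KeyError, ValueError) as err:
            problems.append(f"DHCP range: invalid address ({err})")
        else:
            if low > high:
                problems.append("DHCP range: Address Range Low is above Address Range High")
            for label, addr in (("low", low), ("high", high)):
                if addr not in net or addr in unusable:
                    problems.append(f"DHCP range {label} {addr}: not a usable host address in {net}")
            if low <= gw.ip <= high:
                problems.append(f"DHCP range includes the gateway address {gw.ip}")
        lease = seg.get("lease_time")
        if not isinstance(lease, int) or not 0 <= lease <= LEASE_MAX:
            problems.append(f"lease_time {lease!r}: must be 0-{LEASE_MAX} seconds")
        for ns in seg.get("name_servers", []):
            try:
                ipaddress.IPv4Address(ns)
            except ValueError:
                problems.append(f"name server {ns!r}: not an IPv4 address")
    return problems


def validate_site(site_name: str, switch_mgmt_subnet: str, segments: List[Dict]) -> List[str]:
    """Cross-check site-level fields against every LAN segment (overlaps, duplicate VLANs/names)."""
    problems = []
    if not SITE_NAME_RE.match(site_name or ""):
        problems.append(f"site name {site_name!r}: alphanumerics and '-' only, 1-32 chars")
    try:
        mgmt = ipaddress.IPv4Network(switch_mgmt_subnet)   # strict: host bits set is an error
    except ValueError as err:
        problems.append(f"switch management subnet: {err}")
        mgmt = None
    seen_vlans, seen_names, nets = {}, set(), []
    for seg in segments:
        name, vlan = seg.get("name"), seg.get("vlan_id")
        problems += [f"segment {name!r}: {p}" for p in validate_lan_segment(seg)]
        try:
            net = ipaddress.IPv4Interface(seg["gateway"]).network
        except (KeyError, ValueError):
            continue                                        # already reported above
        if vlan in seen_vlans:
            problems.append(f"VLAN ID {vlan} used by both {seen_vlans[vlan]!r} and {name!r}")
        seen_vlans.setdefault(vlan, name)
        if name in seen_names:
            problems.append(f"duplicate LAN segment name {name!r}")
        seen_names.add(name)
        if mgmt is not None and net.overlaps(mgmt):
            problems.append(f"segment {name!r} {net} overlaps switch management subnet {mgmt}")
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"segment {name!r} {net} overlaps segment {other_name!r} {other}")
        nets.append((name, net))
    return problems


def validate_port_assignment(mode: str, vlans: Sequence[int], native: Optional[int],
                             site_vlans: Sequence[int]) -> List[str]:
    """Check one Edit Port Configuration entry: access ports take one VLAN, trunks many plus a native."""
    problems = []
    unknown = [v for v in vlans if v not in site_vlans]
    if unknown:
        problems.append(f"VLANs {unknown} are not LAN segments of this site")
    if mode == "access":
        if len(vlans) != 1:
            problems.append("an access port takes exactly one VLAN")
        if native is not None:
            problems.append("native VLAN applies only to trunk ports")
    elif mode == "trunk":
        if not vlans:
            problems.append("a trunk port needs at least one VLAN")
        if native is not None and native not in vlans:
            problems.append(f"native VLAN {native} is not among the trunk's VLANs")
    else:
        problems.append(f"unknown port profile mode {mode!r}")
    return problems
```

Run `validate_site` once per site with every segment you intend to create, and `validate_port_assignment` once per edited port with the VLAN IDs of that site's segments; anything returned is something the site activation job would otherwise surface only after the firewall has been activated.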
