Secure OAM Network Overview

The management and control plane traffic between a customer premises equipment (CPE) device associated with an SD-WAN on-premise spoke site and Contrail Service Orchestration (CSO) consists of the following:

This traffic must be carried across the network through a secure and redundant communication channel. To provide such a secure and redundant communication channel, you must configure a secure Operation, Administration, and Maintenance (OAM) network between the SD-WAN on-premise spoke sites and CSO.

This topic provides an overview of the secure OAM network, explains the workflow for configuring a secure OAM network, and benefits of a secure OAM network in an SD-WAN deployment.

Topology of a Secure OAM Network

CSO uses the provider hub devices as SD-WAN hubs to set up IPsec tunnels and provision site-to-site or site-to-hub traffic. The provider hub acts as a concentrator for terminating the IPsec tunnels from SD-WAN on-premise spoke sites. The provider hub device is located in the service provider’s point of presence (POP). A provider hub device can be an SRX Series services gateway or a vSRX instance. In CSO Release 5.0, provider hub devices are owned and managed by the Juniper Networks team that hosts the cloud-based CSO.

Note In CSO Release 5.0, the OAM hub is instantiated within CSO. You do not need a provider hub for the OAM network.

Figure 3 shows the connections between the SD-WAN on-premise spoke site, provider hub, and CSO.

Figure 3: Secure OAM Network


The secure OAM network is built using a dedicated IPsec tunnel (overlay connection) that is established between the CPE device associated with the SD-WAN on-premise spoke site and a provider hub with OAM capability. The provider hub is connected to CSO through a secure private network (underlay connection) that is owned by the service provider.

The loopback IP address of the CPE device is used for OAM communication because it is fixed, unique across the entire deployment, and always reachable from CSO over the IPsec tunnel. Even if the WAN interfaces are behind NAT and are assigned private IP addresses (by using DHCP), the OAM connectivity between the SD-WAN on-premise spoke site and the provider hub is not impacted. The IPsec tunnel can still be established over the Internet WAN link, including LTE access links.

The secure OAM network is supported on both hub-and-spoke and full-mesh topologies.

Workflow for Establishing a Secure OAM Network

Use the following workflow to establish a secure OAM network between the SD-WAN on-premise spoke site and the provider hub. Because the provider hub is located in the service provider’s POP, it has private and secure connectivity to CSO.

Procedure

To establish a secure OAM network between SD-WAN sites and the provider hub:

  1. Log in to Customer Portal, and add a provider hub site. Associate the provider hub site with one of the available provider hub devices.
  2. In Customer Portal, add an on-premise spoke site for the CPE device in SD-WAN deployment.
  3. When you create the site, specify the IP address prefix for the site and select at least one WAN link for OAM traffic. The WAN link with the Use for OAM traffic option enabled is used to set up the secure OAM tunnel to the provider hub device.

    Note For an NFX250 CPE device, specify at least one WAN link with the traffic type OAM and Data. If device redundancy is enabled, specify one WAN link for each CPE device with the traffic type OAM and Data.

    The CPE device is detected and activated. The Zero Touch Provisioning (ZTP) process is triggered over the secure OAM tunnel and the device is moved to the provisioned state. From this point on, the management and control plane traffic is carried across the secure OAM tunnel.
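The WAN-link rules from step 3 and its note are easy to get wrong when sites are defined in bulk. The following pre-flight check is an added example, not CSO code or its API: it models a spoke site as plain Python objects (the field names, the traffic-type strings, and the device names cpe0/cpe1 are assumptions) and reports every site whose link selection would leave it without an OAM tunnel.

```python
from dataclasses import dataclass, field


@dataclass
class WanLink:
    name: str
    device: str            # owning CPE device; "cpe0"/"cpe1" are constructed names
    use_for_oam: bool      # the "Use for OAM traffic" option from step 3
    traffic_type: str      # constructed values: "OAM", "Data", "OAM and Data"


@dataclass
class SpokeSite:
    name: str
    cpe_model: str         # e.g. "NFX250"; any other value gets only the generic rule
    device_redundancy: bool
    links: list = field(default_factory=list)


def oam_link_problems(site: SpokeSite) -> list:
    """Return the rule violations for one site; an empty list means it passes."""
    problems = []
    # Generic rule: at least one WAN link must carry OAM traffic.
    if not any(link.use_for_oam for link in site.links):
        problems.append("no WAN link has 'Use for OAM traffic' enabled")
    # NFX250 rule: each CPE device (two when redundancy is on) needs an
    # "OAM and Data" link.
    if site.cpe_model == "NFX250":
        devices = ["cpe0", "cpe1"] if site.device_redundancy else ["cpe0"]
        for dev in devices:
            if not any(link.device == dev and link.traffic_type == "OAM and Data"
                       for link in site.links):
                problems.append(f"{dev}: no WAN link with traffic type 'OAM and Data'")
    return problems


# Constructed sample sites: one valid, one with a redundant CPE missing its OAM link.
GOOD_SITE = SpokeSite("branch-1", "NFX250", True, [
    WanLink("wan0", "cpe0", True, "OAM and Data"),
    WanLink("wan0", "cpe1", True, "OAM and Data"),
])
BAD_SITE = SpokeSite("branch-2", "NFX250", True, [
    WanLink("wan0", "cpe0", True, "OAM and Data"),
    WanLink("wan1", "cpe1", False, "Data"),
])


def check_sites(sites) -> dict:
    """Map each site name to its list of problems (only sites that fail)."""
    return {s.name: p for s in sites if (p := oam_link_problems(s))}
```

Running `check_sites([GOOD_SITE, BAD_SITE])` flags only branch-2, whose second CPE would come up without an OAM tunnel and therefore never complete ZTP.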

Benefits of Secure OAM Network
