
Add Enterprise Hubs with SD-WAN Capability or SD-WAN and LAN Capabilities

An enterprise hub site is an SD-WAN site that is used to carry site-to-site traffic between on-premise spoke sites and to break out backhaul (central breakout) traffic from on-premise spoke sites. An enterprise hub typically has a data center department behind it; however, this is not enforced in Contrail Service Orchestration (CSO). The following device templates are supported for enterprise hubs:

Procedure

To add an enterprise hub site:

Note: You can add enterprise hub sites only for tenants with real-time optimized SD-WAN mode.

  1. Click Resources > Site Management.

    The Sites page appears.

  2. Click Add and select Add Enterprise Hub.

    The Add Enterprise Hub for Tenant-Name page appears.

  3. Do one of the following:
    • To add an enterprise hub with only SD-WAN capability, complete configuration settings according to guidelines provided in Table 20.

    • To add an enterprise hub with both SD-WAN and LAN capabilities, complete configuration settings according to guidelines provided in Table 20 for the SD-WAN capability and Table 22 for LAN capability.

    Note: Fields marked with an asterisk (*) are mandatory.

  4. (Optional) You can review the configuration in the Summary tab and modify the settings, if required.
  5. Click OK.

    The site activation job is initiated and the Site Activation: Site-Name page appears displaying the progress of the steps executed for activating the enterprise hub and the switch (when LAN capability is selected). The enterprise hub is activated first and then the process to activate the switch is initiated.

    If you selected LAN capability for the enterprise hub site, go to step 6.

    • If the Zero Touch Provisioning (ZTP) toggle button is enabled (default), CSO pushes the stage-1 and stage-2 configurations and provisions the switch.

      This process occurs immediately after the activation process, for which you entered the activation code or selected auto-activation.

      Note: Stage-1 configuration is the initial configuration that allows basic connectivity to a device, which is pushed to the device.

      The configuration that is pushed to the device after it has connected to CSO is called stage-2 configuration.

    • If you disabled the Zero Touch Provisioning (ZTP) toggle button, you must manually configure the stage-1 configuration (as provided by CSO) on the switch.

      Procedure

      To manually configure the stage-1 configuration:

      1. On the Site Activation: Site-Name page, the Click to copy stage-1 configuration link appears after the Prestage Device step completes successfully.
      2. Click the Click to copy stage-1 configuration link.

        The stage-1 configuration page appears displaying the stage-1 configuration to be copied to the EX Series device.

      3. Copy the stage-1 configuration and log in to the console of the EX Series switch.
      4. Enter the configuration mode, paste, and commit the configuration.

        After the stage-1 configuration is committed, the switch has the outbound SSH configuration to connect with CSO.

        CSO then provisions the switch.

Table 20: Add Enterprise Hub for <Tenant-Name> Settings (WAN Capability)

Field

Description

General

Site Information

Site Name

Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.

Site Group

Select a site group to which you want to assign the site.

Site Capabilities

WAN Capabilities

SD-WAN capability is selected by default. You cannot clear the selection.

LAN Capabilities

Select LAN if you want to include LAN capability in the enterprise hub site.

Configuration

Primary Provider Hub

Select the provider hub site (or primary provider hub site in case of multihoming) to which you want to connect the enterprise hub site.

If you do not specify a provider hub site, then the enterprise hub site can connect only to the on-premise spoke sites that are associated with the enterprise hub site.

If you specify a provider hub site, then the enterprise hub site can also connect to the on-premise spoke sites to which that provider hub site is associated.

Secondary Provider Hub

Select the secondary provider hub site (in case of multihoming) to which you want to connect the enterprise hub site.

When the primary provider hub is down, the enterprise hub connects to the secondary provider hub and the on-premise spoke sites to which that provider hub site is associated.

On-Demand Mesh Threshold

Threshold for Tunnel Creation

Specify the threshold for the number of sessions (flows) closed (in a two-minute duration) between the enterprise hub and a destination site. When the number of sessions closed exceeds the specified threshold, a tunnel is created between the enterprise hub and the destination site.

The default value is 5.

For example, if you specify the Create Threshold as 5, dynamic mesh tunnels are created if the number of sessions closed between the enterprise hub and destination site exceeds 5 in 2 minutes.

Threshold for Tunnel Deletion

Specify the threshold for the number of sessions closed (in a 15-minute duration) between the enterprise hub and a destination site. When the number of sessions closed is lower than the specified threshold, the tunnel between the enterprise hub and destination site is deleted.

The default value is 2.

For example, if you specify the number of sessions closed as 2, dynamic mesh tunnels between the enterprise hub and destination site are deleted if the number of sessions closed is less than or equal to 2.

Address and Contact Information

Street Address

Enter the street address of the site.

City

Enter the name of the city where the site is located.

State/Province

Select the state or province where the site is located.

ZIP/Postal Code

Enter the postal code for the site.

Country

Select the country where the site is located.

You can click the Validate button to verify the address that you specified:

  • The site address verification successful message is displayed if the address can be verified. You can click the View location on a map link to see the address location.

  • If the address cannot be verified, the Site address could not be validated message is displayed.

Contact Name

Enter the name of the contact person for the site.

Email

Enter the e-mail address of the contact person for the site.

Phone

Enter the phone number of the contact person for the site.

Click Next to continue.

Advanced Configuration

Name Server IP List

Specify one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address, and so on.

DNS servers are used to resolve hostnames into IP addresses.

NTP Server

Specify the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers.

Example: ntp.example.net

The site must have DNS reachability to resolve the FQDN during site configuration.

Select Timezone

Select the time zone of the site.

WAN

Device Template

Device Template

Select a device template, which contains information for configuring a device.

Device Information

Note: Some fields in this section are displayed only if you select a dual CPE device template.

Serial Number

For a single CPE device, enter the serial number of the CPE device. Serial numbers are case-sensitive.

Device Redundancy

For dual CPE device templates, displays Enabled indicating that redundancy is enabled. You cannot modify this field.

Primary Serial Number

For a dual CPE device, enter the serial number of the primary CPE device. The serial number is case sensitive.

Secondary Serial Number

For a dual CPE device, enter the serial number of the secondary CPE device. The serial number is case sensitive.

Auto Activate

Click the toggle button to enable (default) or disable automatic activation of the CPE device.

When you enable this field, zero-touch provisioning (ZTP) of the CPE device is automatically triggered after the site is added to CSO.

The device template that you select determines whether this option is enabled or disabled by default.

Activation Code

For a single CPE device, if the automatic activation of the device is disabled, enter the activation code to manually activate the device.

Primary Activation Code

For a dual CPE device, if the automatic activation of the device is disabled, enter the activation code to manually activate the primary CPE device.

Secondary Activation Code

For a dual CPE device, if the automatic activation of the device is disabled, enter the activation code to manually activate the secondary CPE device.

Boot image

Select the boot image from the drop-down list if you want to upgrade the image for the CPE device.

The boot image is the latest build image uploaded to the image management system. The boot image is used to upgrade the device when the CSO starts the ZTP process.

If the boot image is not provided, then the device skips the procedure to upgrade the device image. The boot image is populated based on the device template that you have selected while creating a site. See Uploading a Device Image.

WAN Links

WAN_0 (WAN-Interface-Name)

This field is enabled by default.

Enter parameters related to the WAN_0 (WAN-Interface-Name) link. Fields marked with an asterisk (*) must be configured to proceed.

Link Type

Select whether the link would be an MPLS link or Internet link.

Egress Bandwidth

Enter the maximum bandwidth (in Mbps) that the CPE allows towards the WAN link.

Range: 1 through 10,000.

Address Assignment

Displays the method of assigning an IP address to the WAN link (STATIC).

You must provide the IP address prefix and the gateway address for the WAN link.

Static IP Prefix

Enter the IP address prefix of the WAN link.

Gateway IP Address

Enter the IP address of the gateway of the WAN service provider.

Public IP Address

Enter the public IPv4 address for the link.

Note: This IP address should be provided only if the static IP prefix is a private IP address and 1:1 NAT is configured.

WAN Link (Primary or Secondary)

For dual CPE device templates, displays whether the WAN link is a primary link or a secondary link. You cannot modify this field.

Advanced Settings

Provider

Enter the name of the service provider providing the WAN service.

Cost/Month

Enter the cost for using the WAN link per month and select the currency in which the cost is indicated from the adjacent drop-down list.

Range: 1 through 10,000.

In bandwidth-optimized SD-WAN, CSO uses this information to identify the least-expensive link to route traffic when multiple WAN links meet SLA profile parameters.

Enable Local Breakout

Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled.

Note:

  • If you enable this option, the WAN link can be used for local breakout. The decision of whether traffic breaks out locally from the site depends on the breakout profile that is referenced in the SD-WAN policy intent.

  • If you do not enable local breakout on at least one WAN link for a single CPE connection plan and at least two WAN links for a dual CPE connection plan, then local breakout is disabled for the site.

Breakout Options

When the Enable Local Breakout field is enabled, select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

Autocreate Source NAT Rule

Click the toggle button to enable or disable the automatic creation of source NAT rules. By default, this field is enabled when local breakout is enabled on the WAN link.

Table 21 explains how source NAT rules are automatically created on the WAN link. The automatically created source NAT rules are implicitly defined and applied to the site and are not visible on the NAT Policies page.

Note: You can manually override automatically created NAT rules, by creating a NAT rule within a particular rule-set. For example, to use a source NAT pool instead of an interface for translation, create a NAT rule within this particular rule-set, that includes the relevant department zone and WAN interface as the source and destination. For example:

Dept-Zone1 --> W1 : Translation=Pool-2

The manually created NAT rule is placed at a higher priority than the corresponding automatically created NAT rule.

You can also add other fields (such as addresses, ports, protocols, and so on) as part of the source or destination endpoints. For example:

Dept-Zone1, Port 56578 --> W1: Translation=Pool-2

Translation

Select the type of NAT to use for the traffic on the WAN link:

  • Interface—Use interface-based NAT, which is the default.

  • Pool—Use pool-based NAT. If you select this option, you must specify the IP addresses that are to be used for the NAT pool.

    Note: No NAT is performed for tenant-owned public IP addresses that were added during the tenant addition workflow.

IP Addresses

For pool-based NAT, enter one or more IP addresses, subnets, or an IP address range. Separate multiple IP addresses by using commas and use a hyphen to denote a range; for example, 192.0.2.1-192.0.2.50.

Preferred Breakout Link

Click the toggle button to enable the WAN link as the most preferred breakout link.

If you disable this option, then the breakout link is chosen using ECMP from the available breakout links.

BGP Underlay Options

Note: This setting can be configured only if the address assignment is static and local breakout is enabled.

Click the toggle button to enable BGP underlay routing.

When you enable BGP underlay routing, route advertisements to the primary PE node and, if configured, the secondary PE node occur as follows:

  • CSO advertises the WAN interface subnet.

  • If you configured pool-based translation, CSO advertises the NAT address pool.

Note: If underlay BGP is enabled for a WAN link, then the routes learnt from BGP are installed for local breakout; CSO does not generate the static default route.

Primary Neighbor

Displays the IP address that you entered for the gateway for the WAN link.

Secondary Neighbor

If you want to provide PE resiliency, you can configure a secondary PE node.

Enter the IP address of the secondary PE node.

Note: If the primary PE node goes down, then the secondary PE is used as the next hop. When the primary PE comes back up, the route next hops are changed to the primary PE.

eBGP Peer-AS-Number

Enter the autonomous system (AS) number for the external (EBGP) peer.

Note: If the peer AS number is not configured or the peer AS number that is configured is the same as that of the CPE site, then the BGP type is assumed to be internal BGP (IBGP).

Local AS Number

Enter the local AS number for the WAN link. When you configure this parameter, the local AS number is used for eBGP peering instead of the global AS number configured for the device.

Note: The local AS number must be different from the global AS and eBGP peer AS numbers.

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

Advertise Public LAN Prefixes

Click the toggle button to enable the advertisement of public LAN prefixes. This field is disabled by default.

If the tenant has a public IP address pool configured and you enable the advertisement of public LAN prefixes, then for LAN segments that are created with a subnet that falls under the tenant public IP address pool, CSO advertises the LAN subnet to the BGP underlay.

Note: When public LAN advertisement is enabled for the WAN link, public LAN prefixes are advertised through the BGP underlay towards MPLS or the Internet. If a site has two versions of the route installed for the same LAN prefix in the overlay and underlay, the overlay routes are always preferred over underlay.

Use For Fullmesh

Click the toggle button to specify whether the WAN link can be a part of a full mesh topology.

A site can have all WAN links enabled for meshing.

Note: You must enable at least one WAN link for full mesh.

Mesh Overlay Link Type

When the Use for Fullmesh field is enabled, select the type of mesh overlay link—GRE or GRE_IPSEC.

  • If the link type is Internet, the value for mesh overlay link type is GRE_IPSEC.

  • If the link type is MPLS, select one of the following options:

    • GRE-IPSEC

    • GRE

Mesh Tag

When the Use for Fullmesh field is enabled, select one or more mesh tags to be associated with the WAN link for creating tunnels.

Matching mesh tags is one of the criteria used to form tunnels between sites that support meshing.

For more information about mesh tags, see Mesh Tags Overview.

Connects to Hubs

Click the toggle button to specify that the WAN link of the site connects to a hub.

Note:

  • For sites with a single CPE, you must enable at least one WAN link to connect to the hub so that OAM traffic can be transmitted.

  • For sites with a dual CPE, you must enable at least one WAN link per device to connect to the hub so that OAM traffic can be transmitted.

Use for OAM Traffic

If you have specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link.

This WAN link is then used to establish the OAM tunnel.

Overlay Peer Device

This field is displayed when the Connects to Hubs field is enabled and only one provider hub (primary) is specified.

Displays the peer hub device to which the site is connected.

Overlay Peer Interface

This field is displayed when the Connects to Hubs field is enabled and only one provider hub (primary) is specified.

Select the interface name of the hub device to which the WAN link of the site is connected.

Overlay Tunnel Type 1

This field is displayed when the Connects to Hubs field is enabled and both primary and secondary hubs are specified.

Select the mesh overlay tunnel type (GRE and GRE_IPSEC) for the tunnel to the primary hub.

MPLS links can have both GRE and GRE_IPSEC as the overlay link type, whereas Internet links can have only GRE_IPSEC as the overlay link type.

Overlay Peer Device 1

This field is displayed when the Connects to Hubs field is enabled and both primary and secondary hubs are specified.

Displays the primary peer hub device to which the site is connected.

Overlay Peer Interface 1

This field is displayed when the Connects to Hubs field is enabled and both primary and secondary hubs are specified.

Select the interface name of the primary hub device to which the WAN link of the site is connected.

Overlay Tunnel Type 2

This field is displayed when the Connects to Hubs field is enabled and both primary and secondary hubs are specified.

Select the mesh overlay tunnel type (GRE and GRE_IPSEC) for the tunnel to the secondary hub.

MPLS links can have both GRE and GRE_IPSEC as the overlay link type, whereas Internet links can have only GRE_IPSEC as the overlay link type.

Overlay Peer Device 2

This field is displayed when the Connects to Hubs field is enabled and both primary and secondary hubs are specified.

Displays the secondary peer hub device to which the site is connected.

Overlay Peer Interface 2

This field is displayed when the Connects to Hubs field is enabled and both primary and secondary hubs are specified.

Select the interface name of the secondary hub device to which the WAN link of the site is connected.

Backup Link

Select a backup link through which traffic can be routed when the primary (other) links are unavailable. You can select any link other than the default links or links that are configured exclusively for local breakout traffic.

When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, SLA data is not monitored for the backup link.

Default Link

Select one or more links that will be used for routing traffic in the absence of matching SD-WAN policy intents. A site can have multiple default links to the hub site.

Default links are used primarily for overlay traffic but can also be used for local breakout traffic. However, a default link cannot be used exclusively for local breakout traffic. If you do not specify a default link, then equal-cost multipath (ECMP) is used to choose the link on which to route traffic.

Data VLAN ID

Enter a VLAN ID for the WAN link.

Range: 0 through 4049 (4050 to 4094 is reserved by CSO).

Note:

  • If you are configuring more than one WAN link on the same physical interface, only one WAN link can be untagged; for the remaining WAN links, you must configure a VLAN ID.

  • A combination of tagged and untagged on the same physical interface is supported only for single CPE devices.

To enable the configuration of WAN links as logical interfaces in on-premise SD-WAN spoke sites, the SP Administrator user must modify the device template and configure the WAN ports as logical interfaces.

WAN_1 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields.

WAN_2 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields.

WAN_3 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields.

Management Connectivity

 

IP Prefix

Enter an IPv4 address prefix for the loopback interface on the CPE device. The IP address prefix must be a /32 IP address prefix and must be unique across the entire management network. If you do not specify an IPv4 address prefix, CSO automatically assigns the IP prefix from the reserved pool 100.124.0.0/14.

Additional Configuration

Configuration Templates List

Select one or more configuration templates from the list. This list is filtered based on the device that you select.

Configuration templates are stage-2 templates that are added by your OpCo administrators or SP administrators or Tenant administrators.

Note: You must set the parameters of the configuration templates that you have selected before you move to the LAN section.

Procedure

To set the parameters for the selected configuration templates:

  1. After you select one or more configuration templates, click Set Parameters.

    The Device Configurations page appears. This page consists of two tabs—Configure and Summary.

  2. In the Configure tab, fill in the attributes for each of the configuration templates.

    (Optional) View the CLI commands in the Summary tab.

  3. Click OK.

    You have added and set the parameters for the configuration templates that are part of the site template that you are creating.

Refer to Table 25 for configuring LAN segments.
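
The following is an added example, not part of the CSO documentation and not CSO code: a pre-submission check that applies the constraints stated in the Table 20 field descriptions (name format, VLAN and bandwidth ranges, /32 management prefix, public IP only with a private static prefix, overlay type per link type, BGP underlay prerequisites, AS number and MD5 key rules). The dictionary schema, function names and sample values are assumptions made for illustration; "private" is read as RFC 1918 space, and the `warn` findings are hardening notes rather than rules from the table.

```python
import ipaddress
import re
from collections import Counter

SITE_NAME_RE = re.compile(r"[A-Za-z0-9-]{1,32}")             # Site Name rule
RESERVED_MGMT_POOL = ipaddress.ip_network("100.124.0.0/14")  # CSO auto-assign pool
# Assumption: "private IP address" is read as RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_wan_link(link, global_as):
    """Return findings for one WAN link (dict keys are hypothetical)."""
    out = []
    if not 1 <= link["egress_mbps"] <= 10000:
        out.append("error: egress bandwidth outside 1-10,000 Mbps")
    vlan = link.get("vlan_id")                       # None means untagged
    if vlan is not None and not 0 <= vlan <= 4049:
        out.append("error: VLAN ID outside 0-4049 (4050-4094 reserved by CSO)")
    static_ip = ipaddress.ip_interface(link["static_prefix"]).ip
    if link.get("public_ip") and not any(static_ip in n for n in RFC1918):
        out.append("error: public IP set but static prefix is not private")
    overlay = link.get("mesh_overlay")
    if link["link_type"] == "Internet" and overlay == "GRE":
        out.append("error: Internet links must use GRE_IPSEC")
    elif overlay == "GRE":
        out.append("warn: plain GRE overlay carries traffic unencrypted")
    bgp = link.get("bgp")
    if bgp:
        if not link.get("local_breakout"):
            out.append("error: BGP underlay requires local breakout")
        local_as = bgp.get("local_as")
        if local_as is not None and local_as in (global_as, bgp.get("peer_as")):
            out.append("error: local AS must differ from global and peer AS")
        auth = bgp.get("auth", "None")
        if auth == "MD5" and not bgp.get("auth_key"):
            out.append("error: MD5 authentication selected without a key")
        elif auth == "None":
            out.append("warn: BGP underlay session is unauthenticated")
    return out


def check_site(site, used_loopbacks=()):
    """Return findings for a whole enterprise hub site definition."""
    out = []
    if not SITE_NAME_RE.fullmatch(site["name"]):
        out.append("error: site name must be 1-32 alphanumerics or hyphens")
    loopback = site.get("mgmt_prefix")               # optional; CSO auto-assigns
    if loopback:
        net = ipaddress.ip_network(loopback, strict=False)
        if net.version != 4 or net.prefixlen != 32:
            out.append("error: management prefix must be an IPv4 /32")
        elif str(net) in used_loopbacks:
            out.append("error: management prefix already in use")
        elif net.subnet_of(RESERVED_MGMT_POOL):
            out.append("warn: manual prefix inside CSO auto-assign pool")
    links = site["wan_links"]
    if not any(l.get("use_for_fullmesh") for l in links.values()):
        out.append("error: no WAN link enabled for full mesh")
    # Only one WAN link per physical interface may be untagged.
    untagged = Counter(l["interface"] for l in links.values()
                       if l.get("vlan_id") is None)
    for ifname, count in untagged.items():
        if count > 1:
            out.append(f"error: {count} untagged WAN links on {ifname}")
    for name, link in links.items():
        out += [f"{name}: {m}" for m in check_wan_link(link, site["global_as"])]
    return out


# Constructed sample input; every value is made up for this example.
SAMPLE_SITE = {
    "name": "ent-hub-dc1",
    "global_as": 64512,
    "mgmt_prefix": "100.125.3.7/32",
    "wan_links": {
        "WAN_0": {"interface": "ge-0/0/0", "link_type": "MPLS",
                  "egress_mbps": 1000, "static_prefix": "10.10.0.2/30",
                  "public_ip": "192.0.2.10", "use_for_fullmesh": True,
                  "mesh_overlay": "GRE", "local_breakout": True,
                  "bgp": {"peer_as": 64496, "local_as": 64512, "auth": "None"}},
        "WAN_1": {"interface": "ge-0/0/1", "link_type": "Internet",
                  "egress_mbps": 500, "vlan_id": 4060,
                  "static_prefix": "192.0.2.2/30", "public_ip": "192.0.2.99",
                  "use_for_fullmesh": True, "mesh_overlay": "GRE",
                  "local_breakout": False,
                  "bgp": {"peer_as": 64497, "auth": "MD5", "auth_key": ""}},
    },
}

if __name__ == "__main__":
    for finding in check_site(SAMPLE_SITE):
        print(finding)
```
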

Table 21: Automatic Creation of Source NAT Rules

Autocreate Source NAT Rule

Translation

NAT Rules Creation

Disabled

Not applicable (No NAT)

None.

Enabled

Interface-Based (Default)—CSO creates interface-based NAT rules.

Source NAT rules are automatically created, with each rule from a department zone to the WAN interface, with a translation of type interface. Each pair of [zone - interface] represents a rule-set.

For example, the following department zone to (WAN link) W1 interface rule-set might be created:

Dept-Zone1 --> W1: Translation=Interface
Dept-Zone2 --> W1: Translation=Interface
Dept-Zone3 --> W1: Translation=Interface

Enabled

Pool-Based—CSO automatically creates pool-based NAT rules.

NAT source rules are automatically created, with each rule from a department zone to the WAN NAT pool with a translation of type pool.

For example, a source NAT rule from department zone to NAT pool might be created:

Dept-Zone1 --> W1 : Translation=Pool-1
Dept-Zone2 --> W1 : Translation=Pool-1

Table 22: Add Enterprise Hub for <Tenant-Name> Settings (LAN Capability)

Field

Description

LAN

Note: This tab is enabled only if you select LAN under LAN Capabilities in General Settings.

Switch Devices

Displays the switches that you have added to the site.

  • To add a switch, click the + icon on the top right corner of the Switch Devices table.

    The Add New Switch page appears. See Table 23 for details.

  • To edit details of a switch, select the switch and click the Edit icon on the top right corner of the Switch Devices table. The Edit Switch Details page appears, displaying the same parameters that you configured while adding a switch.

    Modify the parameters as needed and click OK. The changes that you made for the switch are saved and the updated parameters appear on the Switch Devices table.

  • To delete one or more switches, select the switches and click the Delete icon on the top right corner of the Switch Devices table.

  • To manage the configuration of one or more switches added to the site, select the switches from the list and click Configuration.

    The Switch Configuration page appears. See Table 24 for details.

LAN Segments

Displays the VLANs and their IDs that you configured on the switch.

  • Optional: To add a VLAN, click the + icon on the top, right corner of the LAN Segments table. The Create LAN Segment page appears. See Table 25 for details.

  • To edit details of a VLAN, select the LAN segment and click the Edit icon (pencil) on the top right corner of the LAN Segments table. The Edit LAN Segment page appears, displaying the same fields that are presented when you add a VLAN.

    Modify the parameters as needed and click OK. The changes that you made for the LAN segment are saved and the updated parameters appear on the LAN Segments table.

  • To delete one or more VLANs, select the VLANs and click the Delete icon (trash can) on the top right corner of the LAN Segments table.

Table 23 displays the fields on the Add New Switch Page.

Table 23: Fields on the Add New Switch Page

Field

Description

Device Profile

Device Name

Enter a unique name for the switch.

You can use alphanumeric characters and hyphen (-). The maximum length allowed is 15 characters.

Device Type

Select the type of switch—EX2300, EX3400, EX4300, EX4600, and EX4650.

Device Model

Select the model for the switch you specified in the Device Type field.

The models vary in the number and type of ports the switch contains. For example, if you selected EX3400, select a model such as EX3400-24P, EX3400-48P, EX3400-24T among others.

CPE Settings

Trunk Ports

Select at least two trunk ports on the CPE device to connect with the switch.

The trunk ports are used for carrying the following:

  • LAN traffic between the switch and the CPE.

  • Management traffic for in-band management of the switch.

Switch Management Subnet

Specify the subnet that the DHCP can use to assign IP addresses. The DHCP server runs on the following ports:

  • Trunk ports to provide DHCP information to all devices connected to the switch and to the in-band management port, switch management port, and LAN ports on the CPE.

  • Out-of-band management port on the CPE to provide DHCP information to the management port on the switch.

  • LAN ports on the CPE to provide information to the devices connected to the CPE LAN ports.

Switch Details

Virtual Chassis

This toggle button is disabled for an enterprise hub site with SD-WAN and LAN capability. You can add a Virtual Chassis to a site with only LAN capability.

Serial Number

If you disabled the Virtual Chassis toggle button, specify the serial number of the physical switch.

To obtain the serial number, log in to the CLI of the switch in operational mode and enter show chassis hardware. Alternatively, you can view the serial number on the barcode sticker, which is on the rear-panel of the switch.

The serial number is a case-sensitive, alphanumeric string.

Zero Touch Provisioning

Click the toggle button to enable or disable zero-touch provisioning (ZTP) of the switch.

If you disable ZTP, you must manually copy and paste the Stage-1 configuration on the switch during site activation. See Step 5 for details.

Note:

  • Only EX Series switches running 18.4R2.7 or 18.4R3.3 firmware support ZTP.

  • EX4600 and EX4650 switches do not support Phone-Home client. You must disable ZTP and manually configure the stage-1 configuration on the switches.

Boot Image

Select the boot image from the list if you want to upgrade the image for the switch.

The boot image is the latest device image that is uploaded to the image management system. The boot image is used to upgrade the device when the CSO starts the ZTP process.

If the boot image is not provided, then the device skips the automatic upgrade procedure. The boot image is populated based on the device template that you have selected while creating a site.

Note: This option is not available for a Virtual Chassis.

To provision a Virtual Chassis in CSO, you must manually upgrade the image to either JUNOS 18.4R2.7 or 18.4R3.3.

Auto activate

Click the toggle button to enable or disable automatic activation of the switch when the switch is detected by CSO (that is, management status of the device is Device_Detected).

When you enable this field, zero-touch provisioning (ZTP) of the switch is automatically triggered when the device communicates with CSO.

By default, auto activation for the switch is enabled or disabled if it is enabled or disabled for the CPE.

Note: You must physically connect the switch to the CPE and power it on for the switch to be automatically activated when you enable this option.

Activation code

If you disabled the Auto activate field, enter the activation code to be used for manually activating the switch.

For information on manually activating a switch, see Manually Activating a Switch.

Table 24 describes the tabs on the Switch Configuration page.

The Access Profiles tab and Port Profiles tab are available only if you have added a physical switch or a preprovisioned Virtual Chassis, and the selected switches are of the same device type and model. If you have added an autoprovisioned Virtual Chassis, only the Configuration Templates tab is available. The Port Profiles tab is unavailable because, in the case of autoprovisioning, port profiles can be configured only after provisioning the Virtual Chassis. The Access Profiles tab is unavailable because the access profile requires a RADIUS authentication server to be added to it. The parameters related to communication between the RADIUS server and the supplicant are defined in the authentication profile, which is, in turn, referenced by the port profile.

Table 24: Tabs on the Switch Configuration page

Tab

Description

Access Profiles

Displays the list of access profiles available in CSO. The list is populated from the Access Profiles page (Configuration > SD-LAN > Access Profiles).

You can also click the Search icon to search for a specific access profile in the list.

For details of the fields displayed on the Access Profiles table, see About the Access Profiles Page.

Optional: You can select an access profile from the list to assign it to the switch.

Port Profiles

Displays the list of interfaces (ports) available in CSO.

You can also click the Search icon to search for a specific port in the list.

Optional: To assign port profiles and VLAN IDs to the ports:

Procedure

  1. Select one or more ports and click Edit Configuration on the top right corner, above the Interface List table.

    The Edit Port Configuration page appears.

  2. From the Port Profile list, select a port profile to be assigned to the port.

    Note: The port profile must already be created from the Port Profiles page (Configuration > SD-LAN > Port Profiles) for it to be listed here.

  3. In the VLAN field, if the port is configured as a trunk port in the port profile, assign multiple VLANs by selecting the VLANs in the Available column and clicking the right-arrow to move them to the Selected column.

    If the port is configured as an access port in the port profile, you can assign only one VLAN.

  4. From the Native VLAN list, select a VLAN that you want to configure as native. This option appears only if you select a Trunk port profile from the Port Profile list.
  5. Click OK to complete the configuration. You are returned to the Add On-Premise Spoke Site page.

Configuration Templates

Displays the list of configuration templates. This list is filtered based on the device that you select.

Configuration templates are predefined stage-2 templates that are added by your OpCo administrators or SP administrators.

Procedure

To add configuration templates and set the parameters for the selected configuration templates:

  1. After you select one or more configuration templates, click Set Parameters.

    The Device Configurations page appears. This page consists of two tabs: Configure and Summary.

  2. In the Configure tab, fill in the attributes for each of the configuration templates.
  3. (Optional) View the CLI commands in the Summary tab.
  4. Click OK.

    You have added and set the parameters for the configuration templates.

Table 25: Add LAN Segment Settings

Field

Description

Name

Enter a name for the LAN segment.

The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length allowed is 15 characters.

Type

Note: This field is displayed only for LAN segments associated with enterprise hub sites.

Select the type of LAN segment:

  • Directly Connected (default)—Indicates that the LAN segment is directly connected to the site.

  • Dynamic Routed—Indicates that the LAN segment is not directly connected to the site and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.

VLAN ID

Enter the VLAN ID for the LAN segment.

Range: 2 through 4093.

Department

Select a department to which the LAN segment is assigned.

Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Adding a Department for details.

You can group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department.

Protocol

For dynamically routed LAN segments, select the routing protocol (BGP or OSPF) to be used by the data center department to learn routes from the data center.

Advertise LAN Prefix

For dynamically routed LAN segments, click the toggle button to advertise the LAN prefix of the SD-WAN spoke site to the data center through the data center department associated with the enterprise hub.

By default, the Advertise LAN Prefix field is disabled.

Note: You must avoid overlapping IP addresses between the SD-WAN LAN network and the data center network.

Gateway Address/Mask

Enter a valid gateway IP address and mask for the LAN segment. This address will be the default gateway for endpoints in this LAN segment.

For example: 192.0.2.8/24.

DHCP

For directly connected LAN segments, click the toggle button to enable DHCP (default).

You can enable DHCP if you want to assign IP addresses by using a DHCP server or disable DHCP if you want to assign a static IP address to the LAN segment.

Note: If you enable DHCP, additional fields appear on the page.

Additional fields related to DHCP

Address Range Low

Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Address Range High

Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Maximum Lease Time

Specify the maximum duration (in seconds) for which a client can request and hold a lease on the DHCP server.

Default: 1440

Range: 0 through 4,294,967,295 seconds.

Name Server

Specify one or more IPv4 addresses of the DNS server.

To enter more than one DNS server address, type the address, press Enter, and then type the next address.

Note: DNS servers are used to resolve hostnames into IP addresses.

CPE Ports

  • For sites with LAN capability, click the toggle button to include or exclude the CPE in the LAN segment.

    • When you include the CPE in the LAN segment:

      • CPE ports that you can include in the LAN segment are listed.

        Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

      • The Switch Ports field is disabled. CSO automatically assigns LAN ports on the Switch device and creates the same LAN segment on the Switch.

    • If you click to exclude the CPE from the LAN segment, you must specify the switch ports that connect with the LAN in the Switch Ports field.

      CSO automatically assigns LAN ports on the CPE device and creates the same LAN segment on the CPE device.

      Note: You can select only one port if the CPE is a physical SRX Series device.

  • For sites without LAN capability, the CPE Ports field is disabled and the CPE ports that you can include in the LAN segment are listed.

    Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

Switch Ports

Note: This field is displayed only when LAN capability is selected for the enterprise hub.

If you disable the CPE Ports field, select ports on the switch to be part of the LAN segment. The switch ports and CPE ports are mutually exclusive.

Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

BGP Configuration

Note: This section is displayed only for dynamic routed LAN segments with BGP specified as the protocol.

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Peer IP Address

Enter the IP address of the BGP neighbor.

Peer AS Number

Enter the autonomous system (AS) number of the BGP neighbor.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

OSPF Configuration

Note: This section is displayed only for dynamic routed LAN segments with OSPF specified as the protocol.

OSPF Area ID

Specify the OSPF area identifier to be used for the dynamic route.

Authentication

Select the OSPF route authentication method to be used:

  • Password—Indicates that password-based authentication should be used. If you choose this option, you must specify the password. (This is the default).

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

  • None—Indicates that no authentication should be used.

Password

Enter the password to be used to verify the authenticity of OSPF packets.

Confirm Password

Retype the password for confirmation purposes.

MD5 Auth Key ID

If you specified that MD5 should be used for authentication, enter the OSPF MD5 authentication key ID.

Range: 1 through 255.

Auth Key

If you specified that MD5 should be used for authentication, enter an MD5 authentication key, which is used to verify the authenticity of OSPF packets.
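The constraints in Table 25 can be checked offline before a LAN segment is entered in the portal. The following is an added example, not part of the CSO documentation or product code; the function name, the dictionary keys, and the rule that the DHCP range must lie inside the gateway subnet are assumptions made for illustration. It also reports dynamically routed segments whose routing authentication is left at None.

```python
import ipaddress
import re

# Name rule from Table 25: alphanumerics plus '.' and '-', no spaces, max 15 chars.
NAME_RE = re.compile(r"[A-Za-z0-9.-]{1,15}")

def check_lan_segment(seg, dc_prefixes=()):
    """Return findings for one planned LAN segment (dict keys are hypothetical)."""
    findings = []
    if not NAME_RE.fullmatch(seg.get("name", "")):
        findings.append("name: must be 1-15 chars of [A-Za-z0-9.-]")
    if not 2 <= seg.get("vlan_id", 0) <= 4093:
        findings.append("vlan_id: outside 2-4093")
    try:
        gw = ipaddress.ip_interface(seg["gateway"])
    except (KeyError, ValueError):
        return findings + ["gateway: not a valid address/mask"]
    # Table 25 note: the SD-WAN LAN must not overlap the data center network.
    for dc in dc_prefixes:
        if gw.network.overlaps(ipaddress.ip_network(dc, strict=False)):
            findings.append(f"gateway: {gw.network} overlaps data center prefix {dc}")
    dhcp = seg.get("dhcp")
    if dhcp:
        low = ipaddress.ip_address(dhcp["low"])
        high = ipaddress.ip_address(dhcp["high"])
        # Assumption (not stated on the page): the pool lies inside the gateway subnet.
        if low > high or low not in gw.network or high not in gw.network:
            findings.append("dhcp: range is inverted or outside the gateway subnet")
        if not 0 <= dhcp.get("max_lease", 1440) <= 4294967295:
            findings.append("dhcp: max_lease outside 0-4294967295")
    if seg.get("type") == "dynamic":
        proto, auth = seg.get("protocol"), seg.get("auth", {})
        # Defaults per Table 25: BGP defaults to None, OSPF to Password.
        method = auth.get("method", "none" if proto == "bgp" else "password")
        if method == "none":
            findings.append(f"{proto}: routing authentication is None")
        elif method == "md5":
            if not auth.get("key"):
                findings.append(f"{proto}: MD5 selected without an auth key")
            if proto == "ospf" and not 1 <= auth.get("key_id", 0) <= 255:
                findings.append("ospf: MD5 key ID outside 1-255")
        elif method == "password" and not auth.get("password"):
            findings.append("ospf: password authentication without a password")
    return findings

# Constructed sample: a BGP-routed segment left at the default authentication.
SAMPLE = {"name": "dc-lan.01", "vlan_id": 120, "gateway": "192.0.2.8/24",
          "type": "dynamic", "protocol": "bgp"}
```

An empty list means the segment passed every check; each string names the field to correct before submitting the form.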
