Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


SD-LAN Workflow


Before you start the SD-LAN workflow by using CSO, ensure that:

  • The tenant (logical entity representing a customer) to which you want to onboard the switch is configured in CSO.

  • The switch, the CPE or the next-generation firewall are running the correct versions of Junos OS supported by CSO. For information related to Junos OS supported on a switch for a particular CSO release, see the Release Notes for that CSO release at

  • The following ports and protocols are permitted through your network firewall:

    Table 1 lists the ports and protocols that you must enable in your network firewalls for communication of the devices with CSO.

    Table 1: Ports Used for Communication with CSO






    Phone-home client for zero-touch provisioning (ZTP)



    For provisioning the stage-2 configuration on the switch after committing the stage-1 configuration.

  • The devices should be in the factory default state and should be powered on.

  • The devices get DHCP IP address and have Internet connectivity along with DNS resolution when connected to the network.

Figure 1 illustrates the steps to implement Contrail SD-LAN by using CSO.

Figure 1: Contrail SD-LAN Workflow
Contrail SD-LAN Workflow

To implement Contrail SD-LAN solution by using CSO:

  1. Add the following profiles for authentication and access control to CSO.

    1. Authentication profile; see Add Authentication Profiles

    2. Firewall Filters; see Add Firewall Filters and Terms

    3. Port Profile; see Add Port Profiles

    4. RADIUS Server Profile; see Add RADIUS Server Profiles

    5. Access Profile; see Add Access Profiles

  2. Onboard an EX Series switch:

    You can onboard a switch and manage it after you have only a CPE, or a next-generation firewall onboarded to and provisioned by CSO. You can also onboard more than one switch behind an internet gateway; see:

  3. Configure the EX Series switch.

    You can configure the EX Series switch in one of the following ways:

  4. Enable the ports of a switch to allow traffic to flow through the switch; see Enable Ports

  5. Integrate CSO with Mist Portal to monitor access points connected to the switch; see Integrate CSO with Mist Portal .

  6. Discover access points connected to the switch; see Discover Mist Access Points .

  7. Monitor the switch and the connected access points. You can monitor the following components of the switch in CSO:

    • The EX device (number of ports that are up or down, alarms, system users and so on)

    • The device chassis (view details of individual ports, view CPU and memory utilized, view fan details, and so on)

    • The ports on the device (view port details such as port number, admin status, link mode and so on; % of CPU utilized by the port, packet loss, and so on)

    You can launch the Mist Portal from CSO by clicking an access point and monitor the access points in the Mist portal; see the Monitor an EX Series Switch and Connected Access Points chapter in this guide.