Contrail SD-WAN Hardware and Software Requirements

 

This topic gives a high-level view of the SD-WAN architecture, and then provides specific hardware and software requirements for SD-WAN devices. For more details on the architecture, see the Contrail SD-WAN Deployment Architectures section of the CSO SD-WAN and SD-LAN - Design and Architecture Guide.

Contrail SD-WAN Reference Architecture

The Juniper Networks Contrail SD-WAN solution architecture, shown in Figure 1, uses a hub-and-spoke topology, with on-premises spoke devices located at customer branch sites. On the local side of the site, the on-premises spoke devices connect to LAN segments and participate in dynamic routing protocols with other LAN devices. On the WAN side, the on-premises spoke devices connect across two or more links to a provider hub device. Because the SD-WAN model uses a hub-and-spoke topology, traffic travels from site to site through the provider hub. By default, traffic going to the Internet also flows through the provider hub device.

Figure 1: Contrail SD-WAN Reference Architecture

You can also deploy an enterprise hub device, a special type of spoke device with hub-like properties that can offer Internet breakout services and connect spoke sites to each other over dynamic tunnels.

The SD-WAN orchestrator and controller functions are implemented through Juniper Networks Contrail Service Orchestration (CSO) software. The CSO platform uses policies and SLA parameters to differentiate and direct traffic flows across the available paths as desired.

The following sections describe the hardware and software requirements for devices used in an SD-WAN environment.

Spoke Devices

The CPE device at an enterprise customer’s branch site acts as a spoke device in the SD-WAN model. The device also acts as a gateway router, providing connectivity from the branch site to other sites in the tenant network and to the Internet. There are two types of spoke devices: on-premises spoke and cloud spoke.

On-Premises Spoke Devices

On-premises spoke devices can be either NFX Series devices or specific SRX Series devices, as shown in Figure 2.

Figure 2: On-Premises Spoke Devices

NFX Series Network Services Platform

The NFX Series Network Services Platform used as an on-premises spoke device differs from traditional CPE devices in that it can host a range of multivendor VNFs and support service chaining, managed by orchestration software in the cloud. NFX Series devices eliminate the operational complexities of deploying multiple physical network devices at a customer site.

A key VNF supported on the NFX Series platform is the vSRX Virtual Firewall. In the Contrail SD-WAN solution, the vSRX instance performs the gateway router function, given its routing and switching capabilities. It also provides the same feature-rich security services found on standard SRX Series devices. Table 1 shows the supported NFX hardware and required Junos OS software release version for each supported model.

Note

The NFX150 features a built-in SRX firewall in place of the vSRX functionality found on other NFX Series devices.

Table 1: NFX Hardware and Software Matrix for On-Premises Spoke Devices

| Platform | Models Supported | Junos OS Software Release Versions |
| --- | --- | --- |
| NFX150 Network Services Platform | NFX150-S1, NFX150-S1E, NFX150-C-S1, NFX150-C-S1-AE/AA, NFX150-C-S1E-AE/AA | 18.2X85-D12, 19.3R2-S3, 19.3R2-S4 |
| NFX250 Network Services Platform | NFX250-LS1, NFX250-S1, NFX250-S2 | 15.1X53-D497, 18.4R3-S3 |

Note: When onboarding a new site, ensure your devices at the new site are running the latest specified release version from the above lists. The older release versions listed above are supported for existing devices at existing sites only.

SRX Series Devices and vSRX Virtual Firewalls

A physical SRX device can be used in place of the NFX platform to provide the gateway router function, as can a vSRX instance installed on a server. Table 2 shows the supported SRX hardware, vSRX virtual firewalls, and required Junos OS software release versions.

Table 2: SRX Hardware and Software Matrix for On-Premises Spoke Devices

| Platform | Models Supported | Junos OS Software Release Versions |
| --- | --- | --- |
| SRX Series | SRX4200, SRX4100, SRX550M, SRX345, SRX340, SRX320, SRX300 | 15.1X49-D172, 19.3R2-S3, 19.3R2-S4 |
| SRX Series | SRX1500 | 19.3R2-S3, 19.3R2-S4 |
| vSRX Virtual Firewalls | vSRX (standalone) | 15.1X49-D172, 19.3R2-S3, 19.3R2-S4 |
| vSRX Virtual Firewalls | vSRX (installed in NFX250) | 15.1X49-D172 with NFX running 15.1X53-D497; 19.3R2-S3 with NFX running 18.4R3-S3; 19.3R2-S4 with NFX running 18.4R3-S3 |
| vSRX Virtual Firewalls | vSRX 3.0 (standalone) | 19.3R2-S3, 19.3R2-S4 |

Note: When onboarding a new site, ensure your devices at the new site are running the latest specified release version from the above lists. The older release versions listed above are supported for existing devices at existing sites only.

Note

For the most up-to-date information on hardware and software support for CSO, see the Contrail Service Orchestration Release Notes.

Cloud Spoke Devices

A Contrail SD-WAN cloud spoke device, in the form of a vSRX, can be located in an AWS VPC. The vSRX serves as a spoke device in the cloud; once the endpoint comes online, it acts like any other spoke device.

Spoke Redundancy

Two redundant CPE devices can be used at spoke sites to protect against device and link failures. For more detail, see the Resiliency and High Availability section of the CSO Design and Architecture Guide.

Provider Hub Devices

The Contrail SD-WAN solution supports two deployment topologies: dynamic mesh and hub-and-spoke. In a dynamic mesh deployment, each site has a CPE device that connects to the other sites and the enterprise hub device. In a hub-and-spoke deployment, there is at least one provider hub device and one or more spoke devices.

The provider hub device terminates both MPLS/GRE and IPsec tunnels from spoke devices.

Provider Hubs

In a service provider (SP) environment, the service provider hosts a provider hub device in their network. The provider hub device acts as a point of presence (POP) or connection point. It is typically a shared device, providing hub functionality to multiple customers (tenants) through the use of virtual routing and forwarding instances (VRF). The SP administrator and the OpCo administrator can both manage the provider hub device.

In the cloud-hosted deployment of CSO, the SP administrator role is performed by Juniper Networks as the cspadmin user (or equivalent). The OpCo administrator role can be assigned to a user by the SP administrator, but the OpCo administrator does not have SP administrator privileges.

Figure 3 and Table 3 show the provider hub devices supported in a CSO SD-WAN environment.

Figure 3: SD-WAN Provider Hub Devices

Table 3: Provider Hub Devices and Supported Software

| Role | Supported Device Types | Required Junos OS Software Version |
| --- | --- | --- |
| Provider Hub | SRX4200, SRX4100, SRX1500 | 15.1X49-D172, 19.3R2-S3, 19.3R2-S4 |
| Provider Hub | vSRX | 15.1X49-D172, 19.3R2-S3, 19.3R2-S4 |
| Provider Hub | vSRX 3.0 | 19.3R2-S3, 19.3R2-S4 |

Note: When onboarding a new site, ensure your devices at the new site are running the latest specified release version from the above lists. The older release versions listed above are supported for existing devices at existing sites only.

Note

For the most up-to-date information on hardware and software support for CSO, see the Contrail Service Orchestration Release Notes.

Provider Hub Redundancy

Two redundant provider hub devices can be used at one POP to protect against device and link failures, and to provide upstream multi-homing for spoke sites. For more detail, see the Resiliency and High Availability section of the CSO SD-WAN and SD-LAN - Design and Architecture Guide.

Enterprise Hub Sites and Devices

A special type of spoke device, called an enterprise hub device, can be deployed as the CPE at an on-premises spoke site. SRX1500, SRX4100, and SRX4200 devices can serve this function. A spoke site that functions this way must be configured as an enterprise hub site during site creation. Creating an enterprise hub site opens additional functionality for the site:

  • Can act as the anchor point for site-to-site communications on the customer’s network.

  • Can act as the central breakout node for the customer’s network.

  • Offers a specialized department called the data-center department.

  • Supports dynamic LAN segments with BGP and OSPF route imports, including default routes, from the LAN-side L3 device.

  • Allows for intent-based breakout profiles to create granular breakout behavior based on department, application, site, and so on.

In an enterprise environment, the enterprise hub is owned by the customer (tenant) and usually resides within an enterprise data center. Only the customer’s spoke sites can connect to the enterprise hub device. OpCo administrators and tenant administrators can manage the enterprise hub. Figure 4 and Table 4 show the enterprise hub devices supported in a CSO SD-WAN environment.

Figure 4: SD-WAN Enterprise Hub Devices

Table 4: Enterprise Hub Devices and Supported Software

| Role | Supported Device Types | Required Junos OS Software Versions |
| --- | --- | --- |
| Enterprise Hub | SRX4200, SRX4100 | 15.1X49-D172, 19.3R2-S3, 19.3R2-S4 |
| Enterprise Hub | SRX1500 | 19.3R2-S3, 19.3R2-S4 |
| Enterprise Hub | vSRX | 15.1X49-D172, 19.3R2-S3, 19.3R2-S4 |
| Enterprise Hub | vSRX 3.0 | 19.3R2-S3, 19.3R2-S4 |

Note: When onboarding a new site, ensure your devices at the new site are running the latest specified release version from the above lists. The older release versions listed above are supported for existing devices at existing sites only.

Note

For the most up-to-date information on hardware and software support for CSO, see the Contrail Service Orchestration Release Notes.