
LAN Sites

 

You can add an on-premise spoke site to provision, manage, and monitor EX Series switches by using CSO. You can either add an on-premise spoke site to manage a standalone EX Series switch or add an EX Series switch along with a CPE, a next-generation firewall device, or an enterprise hub. The EX Series switch can be added when you create an on-premise spoke site or enterprise hub. Alternatively, you can add the switch to an existing SD-WAN site, a next-generation firewall site, or an enterprise hub.

You can create one or more of the following sites to manage EX Series switches:

Alternatively, you can also add an EX Series switch to one of the existing sites as explained in the Add LAN Capabilities to an Existing Site by Using a Switch topic.

If the EX Series switch has Mist access points associated with it, you can integrate the Mist access points with CSO. For more information about integrating Mist access points with CSO, see Enabling Integration with Mist Access Points.

Add an On-Premise Spoke Site for LAN

Adding an on-premise spoke site for LAN enables you to provision, manage, and monitor EX Series switches (physical and Virtual Chassis) by using CSO. The following image illustrates a simple topology of LAN for branch networks.

Connect the devices as shown in the topology diagram and power on the devices.

Note

This task assumes that the device gets a DHCP IP address and has Internet connectivity and DNS resolution when it is connected according to the network design.

Note

Ensure that the devices are running the recommended version of Junos OS. For information about the supported Junos OS versions, see Release Notes for that Release.

For information about connecting the device and connecting a console to the device, see the hardware documentation for your LAN device; refer to Table 1 for the hardware documentation.

Ensure that the ports listed in Table 1 are open.

| Device Model | NAT/Firewall | Hardware Documentation |
|---|---|---|
| EX Series Devices (EX2300, EX3400, EX4300, EX4600, EX4650) | 443, 7804 | EX2300, EX3400, EX4300, EX4600, EX4650 |

To add an on-premise spoke site for LAN:

  1. From the Sites page (Resources > Site Management) of the CSO portal, click Add and select On-Premise Spoke Site.

    The Add On-premise Spoke Site for Tenant-Name page appears.

  2. Complete the configuration as explained in Table 2.

    Note

    Fields marked with an asterisk (*) are mandatory.

  3. Review the configuration from the Summary tab.

    (Optional) Click the Edit links within the summary to go directly to a specific page of the wizard and modify the configured settings.

  4. Click OK to add the site.

    The site activation job is initiated and the Site Activation: Site-Name page appears displaying the progress of the steps executed for activating the switch.

    • If the Zero Touch Provisioning (ZTP) toggle button is enabled (default), CSO pushes the stage-1 and stage-2 configurations and provisions the switch.

      This process occurs immediately after the activation process, for which you entered the activation code or selected auto-activation.

      Note

      Stage-1 configuration is the initial configuration that is pushed to the device to allow basic connectivity.

      The configuration that is pushed to the device after it has connected to CSO is called stage-2 configuration.

    • If you disabled the Zero Touch Provisioning (ZTP) toggle button, you must manually configure the stage-1 configuration (as provided by CSO) on the switch.

      To manually configure the stage-1 configuration:

      1. On the Site Activation: Site-Name page, the Click to copy stage-1 configuration link appears after the Prestage Device step completes successfully.
      2. Click the Click to copy stage-1 configuration link.

        The stage-1 configuration page appears displaying the stage-1 configuration to be copied to the EX Series device.

      3. Copy the stage-1 configuration and log in to the console of the EX Series switch.
      4. Enter the configuration mode, paste, and commit the configuration.

        After the stage-1 configuration is committed, the switch has the outbound SSH configuration to connect with CSO.

        CSO then provisions the switch.

When the site is successfully created, the Site Status in the Sites page changes to Provisioned.

Table 2: Settings for an On-Premise Spoke Site with LAN Capabilities

Field

Description

General

Site Name

Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.

Site Capabilities

Select LAN.

LAN

Switch Devices

Displays the switches that you have added to the site.

To add a switch, click the + icon on the top right corner of the Switch Devices table. You can add multiple switches only to an SD-LAN site.

The Add New Switch page appears. See Table 3 for details.

Table 3 describes the fields on the Add New Switch Page.

Table 3: Fields on the Add New Switch Page

Field

Description

Device Name

Enter a unique name for the device.

Device Type

Select the type of switch—EX2300, EX3400, EX4300, EX4600, and EX4650.

Device Model

Select the model for the switch you specified in the Device Type field.

The models vary in the number and type of ports the switch contains. For example, if you selected EX3400, select a model such as EX3400-24P, EX3400-48P, or EX3400-24T, among others.

Virtual Chassis

Click the toggle button to enable or disable (default) adding the switch as a Virtual Chassis.

If you enable this toggle button, you must select the method of provisioning the Virtual Chassis.

  • Before you add a Virtual Chassis in CSO, ensure that the Virtual Chassis is set up. See Step-by-Step Procedure for details about setting up a Virtual Chassis. In addition, click the View Prerequisite Configurations link to view the requirements for adding a Virtual Chassis in CSO.

  • Currently, you cannot add a new member or change the roles assigned to the members after you onboard a Virtual Chassis. To change the roles, you must delete the Virtual Chassis, form a new Virtual Chassis, and then onboard the new Virtual Chassis.

Method

Select the method of provisioning the Virtual Chassis:

  • Auto Provisioning: The Virtual Chassis automatically determines the roles (master, backup, and line card) of the member devices.

    If you select this option, you must enter only the serial number of the master device in the Master Serial Number field that appears.

  • Pre Provisioning: You can determine the roles (master, backup, and line card) of the member devices in the Virtual Chassis.

    If you select this option, you must provide the serial number, device model, device type, and role of all the member devices of the Virtual Chassis in the fields that appear.

    Note: In the case of preprovisioning, the Master device must always be designated as Member 0.

For both these methods, ensure that:

  • The devices in the Virtual Chassis are fully installed and ready to be configured in the site. In addition, all members must be powered on.

    This means that the output of the show virtual-chassis status command must display all the member devices of the Virtual Chassis and the devices must be in Present (Prsnt) state.

    Note: If you do not have access to the serial console port for preprovisioning, only the master device must be powered on first.

  • The master and backup member devices have internet access to the Juniper redirect server and CSO.

  • All members in the Virtual Chassis are running the same firmware (either JUNOS 18.4R2.7 or 18.4R3.3).

  • For EX3400 and EX4300 devices to act as a Virtual Chassis, all the corresponding member devices are interconnected through Virtual Chassis ports (VCPs).

    For EX2300, EX4600, and EX4650 devices to act as a Virtual Chassis, the uplink Ethernet ports are configured as VCPs manually and the member devices are interconnected.

Master Serial Number

If you selected Auto Provisioning, enter the serial number of the Master (from the fully-formed Virtual Chassis).

To obtain the serial number, log in to the CLI of any device that is part of the fully-formed Virtual Chassis, in operational mode, and enter show virtual-chassis.

The list of the member devices in the Virtual Chassis appears, along with the serial number and role of each device. The master device is indicated as Master under Role.

Alternatively, you can view the serial number on the barcode sticker, which is on the rear panel of the switch.

Member <member-number>

If you selected Pre Provisioning, enter the serial numbers of all the devices (from the fully-formed Virtual Chassis or based on what roles you decide to assign each Virtual Chassis member), and also select the device type and model from the list.

Note:

  • If you enable ZTP, you must enter the serial number of the Master device only in the Member 0 field.

  • If you do not have access to the serial console port of the virtual chassis, the first member that is powered on is considered the master. Enter the serial number of this device in the Member 0 field.

Click the Add (+) icon to add a member or the Remove (-) icon to remove a member. For information on the number of devices that can be added, see Table 4.

Note: The Routing Engine check box corresponding to Member 0 is always selected, indicating that Member 0 always acts as the master.

To select a member as backup, click the Routing Engine check box corresponding to that member; the remaining members act as line cards.

Serial Number

If you disabled the Virtual Chassis toggle button, specify the serial number of the physical switch.

To obtain the serial number, log in to the CLI of the switch in operational mode and enter show chassis hardware. Alternatively, you can view the serial number on the barcode sticker, which is on the rear panel of the switch.

The serial number is a case-sensitive, alphanumeric string.

Zero Touch Provisioning

Click the toggle button to enable or disable zero-touch provisioning (ZTP) of the switch.

If you disable ZTP, you must manually copy and paste the Stage-1 configuration on the switch during site activation. See Step 4 for details.

Note:

  • Only EX Series switches running 18.4R2.7 or 18.4R3.3 firmware support ZTP.

  • EX4600 and EX4650 switches do not support Phone-Home client. You must disable ZTP and manually configure the stage-1 configuration on the switches.

Auto Activate

Auto Activate is enabled by default. When Auto Activate is enabled, the device activation is automatically triggered when the site is added. The Activation Code field appears if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device.

Table 4 lists the supported device types, combinations in the non-mixed mode, and the total number of members, supported by each device type, in a Virtual Chassis.

Table 4: Supported Device Types, Modes, and Number of Members Allowed in a Virtual Chassis

| Device Type | Non-mixed Virtual Chassis Support | Number of Members Allowed in the Virtual Chassis |
|---|---|---|
| EX2300 | Combination of the same or different models of EX2300 switches. | Up to 4 members. |
| EX3400 | Combination of the same or different models of EX3400 switches. | Up to 10 members. |
| EX4300 | Combination of the same or different models of EX4300 switches. | Up to 10 members. |
| EX4600 | Combination of the same or different models of EX4600 switches. | Up to 10 members. |
| EX4650 | Combination of the same or different models of EX4650 switches. | Up to 2 members. |

Before you autoprovision or preprovision a Virtual Chassis in CSO, ensure that the Virtual Chassis is set up.

  • To set up a Virtual Chassis for autoprovisioning:

    1. Decide the number of member devices in the Virtual Chassis.
    2. If you’ve added EX3400 or EX4300 devices as Virtual Chassis, interconnect all the corresponding member devices through Virtual Chassis ports (VCPs).

      If you’ve added EX2300, EX4600, or EX4650 devices as Virtual Chassis, configure the 10-Gbps Ethernet ports as VCPs manually (through CLI) and interconnect the member devices.

      Note

      At this point, do not power on any member devices in the Virtual Chassis.

    3. Decide which member device acts as the master and power on only this device first.

      Note
      • Remember the serial number of the master device in the Virtual Chassis. This serial number is required during the site activation workflow to add this Virtual Chassis in CSO.

      • For ZTP to be successful, the master device should always be designated as Member 0. You must specify the same serial number in the Member 0 field in CSO.

    4. Wait until the master device completes booting.

      After booting is complete, the LCD panel on this device displays a menu that includes the Junos OS version loaded on the device, status of VCPs, status of power supplies, and so on.

    5. Power on the remaining member devices one after the other.
    6. Wait until all the member devices complete booting.

      After booting is complete, you can confirm that the Virtual Chassis is fully formed when all the LEDs on the VCPs are ON.

    7. Connect the master and backup device to the Internet through the management port or uplink port.
    8. Verify the connectivity from the master device to CSO or to any host on the Internet by using ping or telnet to the Juniper redirect server on port 443.
  • To set up a Virtual Chassis for preprovisioning:

    1. Decide the number of member devices in the Virtual Chassis.
    2. If you’ve added EX3400 or EX4300 devices as Virtual Chassis, interconnect all the corresponding member devices through Virtual Chassis ports (VCPs).

      If you’ve added EX2300, EX4600, or EX4650 devices as Virtual Chassis, configure the uplink Ethernet ports as VCPs manually and interconnect the member devices.

      Note

      At this point, do not power on any member devices in the Virtual Chassis.

    3. Decide which member device acts as the master and which member device acts as the backup.
    4. Of the two devices, power on the device that you want to select as the master (Member 0), and wait until it completes booting.

      After booting is complete, the LCD panel on this device displays a menu that includes the Junos OS version loaded on the device, status of VCPs, status of power supplies, and so on.

      Note
      • Remember the serial numbers of all the devices in the Virtual Chassis. These serial numbers will be needed in the site activation workflow to add this Virtual Chassis in CSO.

      • For ZTP to be successful, the master should always be designated as Member 0. You must specify the same serial number in the Member 0 field in CSO.

    5. Power on the device that you want to select as the backup and wait until it completes booting.

      After booting is complete, the LCD panel on this device displays a menu that includes the Junos OS version loaded on the device, status of VCPs, status of power supplies, and so on.

    6. Power on the remaining member devices one after the other.
    7. Wait until all the member devices complete booting.

      After booting is complete, you can confirm that the Virtual Chassis is fully formed when all the LEDs on the VCPs are ON.

    8. Connect the master and backup device to the Internet through the management port or uplink port.
    9. Verify the connectivity from the master device to CSO or to any host on the Internet by using ping or telnet to the Juniper redirect server on port 443.

Now that the Virtual Chassis is set up, proceed to add the Virtual Chassis in CSO. See the LAN section in Table 2 for details.
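
The Virtual Chassis prerequisites described above (all members in the Prsnt state, the master designated as Member 0 with a matching serial number, the Table 4 member limits, and no ZTP on EX4600 and EX4650) can be checked before you onboard the Virtual Chassis. The following Python check is an added example, not part of the Juniper documentation or of CSO; the sample output is constructed, its column layout is an assumption about what show virtual-chassis status prints, and the function names are hypothetical.

```python
import re

# Member limits per device type, from Table 4 (non-mixed Virtual Chassis).
MAX_MEMBERS = {"EX2300": 4, "EX3400": 10, "EX4300": 10, "EX4600": 10, "EX4650": 2}
# EX4600/EX4650 have no phone-home client, so ZTP must be disabled for them.
NO_ZTP = {"EX4600", "EX4650"}

# Constructed sample; serials are made up and the column layout is an assumption.
SAMPLE_STATUS = """\
Virtual Chassis ID: 0000.1111.2222
Virtual Chassis Mode: Enabled
                                                Mstr           Mixed Route
Member ID  Status   Serial No    Model          prio  Role      Mode  Mode
0 (FPC 0)  Prsnt    XX0000000001 ex3400-24p     128   Master*      N  VC
1 (FPC 1)  Prsnt    XX0000000002 ex3400-48p     128   Backup       N  VC
2 (FPC 2)  NotPrsnt XX0000000003 ex3400-24t     128   Linecard     N  VC
"""

# Model and role are optional because an absent member may not report them.
MEMBER_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+\(FPC\s+\d+\)\s+(?P<status>\S+)\s+(?P<serial>\S+)"
    r"(?:\s+(?P<model>ex\d+\S*))?(?:\s+\d+\s+(?P<role>[A-Za-z]+)\*?)?",
    re.IGNORECASE,
)


def parse_members(status_text):
    """Return one dict per member row found in the command output."""
    members = []
    for line in status_text.splitlines():
        match = MEMBER_RE.match(line)
        if match:
            row = match.groupdict()
            row["id"] = int(row["id"])
            members.append(row)
    return members


def check_virtual_chassis(status_text, member0_serial, ztp=True):
    """Return a list of findings; an empty list means every check passed."""
    members = parse_members(status_text)
    if not members:
        return ["no member rows found in the command output"]
    findings = []
    for m in members:
        if m["status"] != "Prsnt":
            findings.append(f"member {m['id']} ({m['serial']}) is {m['status']}, not Prsnt")
    types = {m["model"].split("-")[0].upper() for m in members if m["model"]}
    if len(types) > 1:
        findings.append(f"mixed device types {sorted(types)}; Table 4 lists non-mixed only")
    for dev_type in sorted(types):
        limit = MAX_MEMBERS.get(dev_type)
        if limit is None:
            findings.append(f"{dev_type} is not a device type listed in Table 4")
        elif len(members) > limit:
            findings.append(f"{len(members)} members exceed the {dev_type} limit of {limit}")
    masters = [m for m in members if (m["role"] or "").lower() == "master"]
    if len(masters) != 1:
        findings.append(f"expected exactly one master, found {len(masters)}")
    elif masters[0]["id"] != 0:
        findings.append(f"master is member {masters[0]['id']}; it must be Member 0")
    elif masters[0]["serial"] != member0_serial:
        # Serial numbers are case-sensitive, so compare them exactly.
        findings.append("Member 0 serial entered in CSO does not match the master")
    if ztp and types & NO_ZTP:
        findings.append(f"{sorted(types & NO_ZTP)} need ZTP disabled and manual stage-1")
    return findings


if __name__ == "__main__":
    for finding in check_virtual_chassis(SAMPLE_STATUS, "XX0000000001"):
        print("FAIL:", finding)
```

The firmware-version prerequisite is not visible in this command's output and has to be confirmed separately on each member.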

After you add the site, you can complete the following tasks as required:

Note

The device must be activated before you install licenses or signatures, or deploy policies.

  • Monitor alerts, alarms, and jobs. For example, Monitor > Jobs.

For more information about these tasks, see the Contrail Service Orchestration documentation at https://www.juniper.net/documentation/product/en_US/contrail-service-orchestration.

Add an Enterprise Hub Site with SD-WAN and LAN Capabilities

An enterprise hub is an SD-WAN site that is used to carry site-to-site traffic between on-premise spoke sites and to break out backhaul (central breakout) traffic from on-premise spoke sites. You can add an EX Series switch for branch network as part of the enterprise hub site. The following illustration shows a simple topology that contains an enterprise hub and an EX Series switch.

To add an enterprise hub:

  1. On the Sites page (Resources > Site Management) of the CSO portal, click Add, and select Enterprise Hub.

    The Add enterprise hub for Tenant-Name page appears.

  2. Complete the configuration settings according to the guidelines provided in Table 5.
  3. Click OK.

    The site activation job is initiated and the Site Activation: Site-Name page appears displaying the progress of the steps executed for activating the devices in the site.

    • If the Zero Touch Provisioning (ZTP) toggle button is enabled (default), CSO pushes the stage-1 and stage-2 configurations and provisions the switch.

      This process occurs immediately after the activation process, for which you entered the activation code or selected auto-activation.

      Note

      Stage-1 configuration is the initial configuration that is pushed to the device to allow basic connectivity.

      The configuration that is pushed to the device after it has connected to CSO is called stage-2 configuration.

    • If you disabled the Zero Touch Provisioning (ZTP) toggle button, you must manually configure the stage-1 configuration (as provided by CSO) on the switch.

      To manually configure the stage-1 configuration:

      1. On the Site Activation: Site-Name page, the Click to copy stage-1 configuration link appears after the Prestage Device step completes successfully.
      2. Click the Click to copy stage-1 configuration link.

        The stage-1 configuration page appears displaying the stage-1 configuration to be copied to the EX Series device.

      3. Copy the stage-1 configuration and log in to the console of the EX Series switch.
      4. Enter the configuration mode, paste, and commit the configuration.

        After the stage-1 configuration is committed, the switch has the outbound SSH configuration to connect with CSO.

        CSO then provisions the switch.

When the site is successfully created, the Site Status on the Sites page changes to Provisioned.

Table 5: Enterprise Hub Site Settings

Field

Description

General

Site Name

Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.

Site Capabilities

SD-WAN capability is selected by default. You cannot clear the selection. If you want to include LAN capabilities in the enterprise hub site, select LAN.

WAN

Device Series

Select the device series to which the CPE device belongs—SRX, NFX150, or NFX250.

Device Template

Select a device template for the selected device series.

The device template contains information for configuring a device.

Serial Number

Enter the serial number of the CPE device.

Auto Activate

If the selected device template supports auto authorization, Auto Activate is enabled. When Auto Activate is enabled, zero-touch provisioning of the device is automatically triggered when the site is added.

The Activation Code field appears if the selected device template does not support auto authorization or if you disable the Auto Activate option.

In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device.

Note:

IP Prefix

Enter the IPv4 prefix to be used for the management network. This IP address must be unique across the entire management network.

  • For NFX150 and NFX250 devices, if the USE_SINGLE_SSH_TO_NFX parameter is disabled in the device template, then enter the IP address prefix as /29 or lower based on the number of VNFs.

  • For all other devices, enter the IP address prefix as /32.

WAN Links

WAN_0

This field is enabled by default.

You can configure up to 4 WAN links as required.

Link Type

Select whether the link would be an MPLS link or Internet link.

Egress Bandwidth

Enter the maximum bandwidth, in Mbps, allowed on the WAN link.

Range: 1 through 10,000.

Address Assignment

Select the method of assigning an IP address to the WAN link—DHCP or STATIC.

If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link.

Static IP Prefix

If you configured the address assignment method as STATIC, enter the IP address prefix of the WAN link.

Gateway IP Address

If you configured the address assignment method as STATIC, enter the IP address of the gateway of the WAN service provider.

Advanced Settings

Use For Fullmesh

Click the toggle button to specify whether the WAN link can be a part of a full mesh topology.

A site can have a maximum of three links enabled for meshing.

LAN

Note: This tab is enabled only if you select LAN from the Site Capabilities options in General Settings.

Switch Devices

Displays the switches that you have added to the site.

To add a switch, click the + icon on the top right corner of the Switch Devices table. You can add multiple switches only to an SD-LAN site.

The Add New Switch page appears. See Table 6 for details.

Table 6 describes the fields on the Add New Switch Page.

Table 6: Fields on the Add New Switch Page

Field

Description

Device Profile

Device Name

Enter a name for the switch. You can use alphanumeric characters and hyphen (-). The maximum length allowed is 15 characters.

Device Type

Select the type of switch—EX2300, EX3400, or EX4300.

When you change the default device type, a carousel for device template appears.

Device Model

Select the model for the switch you specified in the Device Type.

The models vary in the number and type of ports the switch contains. For example, if you selected EX3400, select a model such as EX3400-24P, EX3400-48P, or EX3400-24T, among others.

CPE Settings

Trunk Ports

Select at least two trunk ports on the CPE device to connect with the switch.

The trunk ports are used for carrying the following:

  • LAN traffic between the switch and the CPE

  • Management traffic for in-band management of the switch.

Switch Management Subnet

Specify the subnet that DHCP can use to assign IP addresses to the switch and the access devices connected to the switch.

Switch Details

Serial Number

Specify the serial number of the switch.

Auto Activate

Auto Activate is enabled by default. When Auto Activate is enabled, the device activation is automatically triggered when the site is added. The Activation Code field appears if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device.

Note: You must physically connect the switch to the CPE and power it on for the switch to be automatically activated when the auto activate option is enabled.

Add LAN Capabilities to an Existing Site by Using a Switch

You can add a switch to an existing SD-WAN site, next-generation firewall site, or an enterprise hub site.

Before you add a switch to an existing site, ensure that you connect the switch to the network as shown in the topology diagrams provided in the following topics. After you connect the switch to the network as required, power on the device.

To add a switch to an existing site, follow these steps:

  1. From the Sites page (Resources > Site Management) of the CSO portal, select the site to which you want to add the switch, click Add, and select Add Switch.

    The Add Switch page appears.

  2. Complete the following configuration:
    • Device Name - specify a unique name for the device.

    • Device Type - select the type of device from the Device Type drop-down list.

    • Device Model - select a device model for the switch.

    • Trunk Ports - specify the CPE trunk ports.

    • Switch Management Subnet - specify the subnet that DHCP can use to assign IP addresses to the switch and the access devices connected to the switch.

    • Serial Number - specify the serial number of the switch.

    Note

    Based on the device template you selected, the Auto Activate Switch toggle button is enabled or disabled by default. You can click to enable or disable this option. When Auto Activate Switch is enabled, zero-touch provisioning of the switch is automatically triggered when the site is created.

    If you choose to disable the Auto Activate Switch option, you must specify the activation code of the device to manually activate a device.

  3. Click Save.

    The site activation job is initiated and the Site Activation: Site-Name page appears displaying the progress of the steps executed for activating the devices in the site.

    • If the Zero Touch Provisioning (ZTP) toggle button is enabled (default), CSO pushes the stage-1 and stage-2 configurations and provisions the switch.

      This process occurs immediately after the activation process, for which you entered the activation code or selected auto-activation.

      Note

      Stage-1 configuration is the initial configuration that is pushed to the device to allow basic connectivity.

      The configuration that is pushed to the device after it has connected to CSO is called stage-2 configuration.

    • If you disabled the Zero Touch Provisioning (ZTP) toggle button, you must manually configure the stage-1 configuration (as provided by CSO) on the switch.

      To manually configure the stage-1 configuration:

      1. On the Site Activation: Site-Name page, the Click to copy stage-1 configuration link appears after the Prestage Device step completes successfully.
      2. Click the Click to copy stage-1 configuration link.

        The stage-1 configuration page appears displaying the stage-1 configuration to be copied to the EX Series device.

      3. Copy the stage-1 configuration and log in to the console of the EX Series switch.
      4. Enter the configuration mode, paste, and commit the configuration.

        After the stage-1 configuration is committed, the switch has the outbound SSH configuration to connect with CSO.

        CSO then provisions the switch.