SD-WAN Sites
A typical SD-WAN site topology includes an on-premise spoke site and a hub site. A hub site can be an enterprise hub site, which is an SD-WAN site that is used to carry site-to-site traffic between on-premise spoke sites and to break out backhaul (central breakout) traffic from on-premise spoke sites.
An on-premise spoke site represents an endpoint that is part of a customer premise equipment (CPE) at some physical location such as a branch office or a point-of-sale (PoS) location. Typically, these points are connected using overlay connections to hub sites.
CSO supports SD-WAN sites that contain an EX Series switch for the branch network along with the CPE device.
You can Add an Enterprise Hub Site for SD-WAN Deployments and one or more of the following on-premise spoke sites for SD-WAN:
Add an Enterprise Hub Site for SD-WAN Deployments
An enterprise hub is an SD-WAN site that is used to carry site-to-site traffic between on-premise spoke sites and to break out backhaul (central breakout) traffic from on-premise spoke sites.
To add an enterprise hub:
- On the Sites page (Resources > Site Management) of the CSO portal, click Add, and select Enterprise Hub.
The Add enterprise hub for Tenant-Name page appears.
- Complete the configuration settings according to the guidelines provided in Table 1.
- Click OK.
When the site is successfully created, the Site Status on the Sites page changes to Provisioned.
Table 1: Enterprise Hub Site Settings
Field | Description |
---|---|
General | |
Site Name | Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 10 characters. |
Site Capabilities | SD-WAN capability is selected by default. You cannot clear the selection. |
WAN | |
Device Series | Select the device series to which the CPE device belongs—SRX, NFX150, or NFX250. |
Device Template | Select a device template for the selected device series. The device template contains information for configuring a device. |
Serial Number | Enter the serial number of the CPE device. |
Auto Activate | If the selected device template supports auto authorization, Auto Activate is enabled. When Auto Activate is enabled, zero-touch provisioning of the device is automatically triggered when the site is added. The Activation Code field appears if the selected device template does not support auto authorization or if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device. Note: |
IP Prefix | Enter the IPv4 prefix to be used for the management network. This IP address must be unique across the entire management network. |
WAN Links | |
WAN_0 | This field is enabled by default. You can configure up to 4 WAN links as required. |
Link Type | Select whether the link would be an MPLS link or Internet link. Note: If the enterprise hub and the SD-WAN branch site are not in the same network, that is if these devices are not directly reachable, select one link as Internet and assign a public IP to the Internet-type link. |
Egress Bandwidth | Enter the maximum bandwidth, in Mbps, allowed on the WAN link. Range: 1 through 10,000. |
Address Assignment | Select the method of assigning an IP address to the WAN link—DHCP or STATIC. If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link. |
Static IP Prefix | If you configured the address assignment method as STATIC, enter the IP address prefix of the WAN link. Note: If the enterprise hub and the SD-WAN branch site are not in the same network, assign a public IP to the Internet-type link |
Gateway IP Address | If you configured the address assignment method as STATIC, enter the IP address of the gateway of the WAN service provider. |
Advanced Settings | |
Use For Fullmesh | Click the toggle button to specify whether the WAN link can be a part of a full mesh topology. A site can have a maximum of three links enabled for meshing. |
Add LAN Segment | |
Name | Enter a name for the LAN segment. The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length is 15 characters. |
Type | Select the type of LAN segment: |
Department | Select a department to which the LAN segment is to be assigned. Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Adding a Department for details. You group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department. |
Gateway Address/Mask | Enter a valid gateway IP address and mask for the LAN segment; for example, 192.0.2.8/24. |
CPE Ports | Select the ports from the Available column and click the right-arrow to move the ports to the Selected column. |
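The limits in Table 1 can be checked before a site definition is entered, which helps when many sites are prepared in bulk. The following Python is an added example, not Juniper code and not a CSO API schema; the dictionary key names and the sample values are constructed for illustration.

```python
import ipaddress
import re

# Limits come from Table 1; the dictionary key names are hypothetical.
SITE_NAME = re.compile(r"[A-Za-z0-9-]{1,10}")
LAN_NAME = re.compile(r"[A-Za-z0-9.-]{1,15}")
DEVICE_SERIES = {"SRX", "NFX150", "NFX250"}


def _bad(value, parser):
    """True when value is not a string that the given ipaddress parser accepts."""
    try:
        parser(value if isinstance(value, str) else "")
        return False
    except ValueError:
        return True


def validate_hub_site(site):
    """Return the Table 1 rules a site definition breaks (empty list = clean)."""
    errs = []
    if not SITE_NAME.fullmatch(str(site.get("site_name", ""))):
        errs.append("site_name: alphanumerics and hyphen, at most 10 characters")
    if site.get("device_series") not in DEVICE_SERIES:
        errs.append("device_series: SRX, NFX150 or NFX250")
    if _bad(site.get("ip_prefix"), ipaddress.IPv4Interface):
        errs.append("ip_prefix: not an IPv4 prefix")
    links = site.get("wan_links", [])
    if not 1 <= len(links) <= 4:
        errs.append("wan_links: 1 to 4 links")
    for i, link in enumerate(links):
        if link.get("link_type") not in ("MPLS", "Internet"):
            errs.append(f"WAN_{i}: link_type MPLS or Internet")
        bw = link.get("egress_mbps")
        if not isinstance(bw, int) or not 1 <= bw <= 10000:
            errs.append(f"WAN_{i}: egress_mbps 1 through 10000")
        mode = link.get("address_assignment")
        if mode == "STATIC":
            if _bad(link.get("static_ip_prefix"), ipaddress.ip_interface):
                errs.append(f"WAN_{i}: static_ip_prefix missing or invalid")
            if _bad(link.get("gateway_ip"), ipaddress.ip_address):
                errs.append(f"WAN_{i}: gateway_ip missing or invalid")
        elif mode != "DHCP":
            errs.append(f"WAN_{i}: address_assignment DHCP or STATIC")
    if sum(bool(link.get("use_for_fullmesh")) for link in links) > 3:
        errs.append("wan_links: at most 3 links enabled for full mesh")
    seen = set()
    for seg in site.get("lan_segments", []):
        name = str(seg.get("name", ""))
        if not LAN_NAME.fullmatch(name) or name in seen:
            errs.append(f"lan_segment {name!r}: unique, [A-Za-z0-9.-], at most 15")
        seen.add(name)
        if _bad(seg.get("gateway"), ipaddress.ip_interface):
            errs.append(f"lan_segment {name!r}: gateway address/mask invalid")
    return errs


# Constructed samples, not real sites. BAD breaks four different rules.
GOOD = {
    "site_name": "hub-east-1", "device_series": "SRX", "ip_prefix": "10.10.0.0/24",
    "wan_links": [
        {"link_type": "Internet", "egress_mbps": 1000, "use_for_fullmesh": True,
         "address_assignment": "STATIC", "static_ip_prefix": "198.51.100.2/30",
         "gateway_ip": "198.51.100.1"},
        {"link_type": "MPLS", "egress_mbps": 500, "address_assignment": "DHCP"},
    ],
    "lan_segments": [{"name": "lan.finance-01", "gateway": "192.0.2.8/24"}],
}
BAD = dict(GOOD, site_name="enterprise-hub-01", wan_links=[
    {"link_type": "Internet", "egress_mbps": 20000, "use_for_fullmesh": True,
     "address_assignment": "STATIC", "static_ip_prefix": "198.51.100.2/30"}] * 4)

if __name__ == "__main__":
    print(validate_hub_site(GOOD), validate_hub_site(BAD))
```

An empty result means the definition satisfies every rule encoded here; it does not replace the checks that CSO itself performs when the site is added.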
Add an Enterprise Hub Site with SD-WAN and LAN Capabilities
An enterprise hub is an SD-WAN site that is used to carry site-to-site traffic between on-premise spoke sites and to break out backhaul (central breakout) traffic from on-premise spoke sites. You can add an EX Series switch for the branch network as part of the enterprise hub site. The following illustration shows a simple topology that contains an enterprise hub and an EX Series switch.
To add an enterprise hub:
- On the Sites page (Resources > Site Management) of the CSO portal, click Add, and select Enterprise Hub.
The Add enterprise hub for Tenant-Name page appears.
- Complete the configuration settings according to the guidelines provided in Table 2.
- Click OK.
The site activation job is initiated and the Site Activation: Site-Name page appears displaying the progress of the steps executed for activating the devices in the site.
If the Zero Touch Provisioning (ZTP) toggle button is enabled (default), CSO pushes the stage-1 and stage-2 configurations and provisions the switch.
This process occurs immediately after the activation process, for which you entered the activation code or selected auto-activation.
Note: Stage-1 configuration is the initial configuration that is pushed to a device to allow basic connectivity.
The configuration that is pushed to the device after it has connected to CSO is called stage-2 configuration.
If you disabled the Zero Touch Provisioning (ZTP) toggle button, you must manually configure the stage-1 configuration (as provided by CSO) on the switch.
To manually configure the stage-1 configuration:
- On the Site Activation: Site-Name page, the Click to copy stage-1 configuration link appears after the Prestage Device step completes successfully.
- Click the Click to copy stage-1 configuration link.
The stage-1 configuration page appears displaying the stage-1 configuration to be copied to the EX Series device.
- Copy the stage-1 configuration and log in to the console of the EX Series switch.
- Enter the configuration mode, paste, and commit the configuration.
After the stage-1 configuration is committed, the switch has the outbound SSH configuration to connect with CSO.
CSO then provisions the switch.
When the site is successfully created, the Site Status on the Sites page changes to Provisioned.
Table 2: Enterprise Hub Site Settings
Field | Description |
---|---|
General | |
Site Name | Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 10 characters. |
Site Capabilities | SD-WAN capability is selected by default. You cannot clear the selection. If you want to include LAN capabilities in the enterprise hub site, select LAN. |
WAN | |
Device Series | Select the device series to which the CPE device belongs—SRX, NFX150, or NFX250. |
Device Template | Select a device template for the selected device series. The device template contains information for configuring a device. |
Serial Number | Enter the serial number of the CPE device. |
Auto Activate | If the selected device template supports auto authorization, Auto Activate is enabled. When Auto Activate is enabled, zero-touch provisioning of the device is automatically triggered when the site is added. The Activation Code field appears if the selected device template does not support auto authorization or if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device. Note: |
IP Prefix | Enter the IPv4 prefix to be used for the management network. This IP address must be unique across the entire management network. |
WAN Links | |
WAN_0 | This field is enabled by default. You can configure up to 4 WAN links as required. |
Link Type | Select whether the link would be an MPLS link or Internet link. |
Egress Bandwidth | Enter the maximum bandwidth, in Mbps, allowed on the WAN link. Range: 1 through 10,000. |
Address Assignment | Select the method of assigning an IP address to the WAN link—DHCP or STATIC. If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link. |
Static IP Prefix | If you configured the address assignment method as STATIC, enter the IP address prefix of the WAN link. |
Gateway IP Address | If you configured the address assignment method as STATIC, enter the IP address of the gateway of the WAN service provider. |
Advanced Settings | |
Use For Fullmesh | Click the toggle button to specify whether the WAN link can be a part of a full mesh topology. A site can have a maximum of three links enabled for meshing. |
LAN Note: This tab is enabled only if you select LAN from the Site Capabilities options in General Settings. | |
Switch Devices | Displays the switches that you have added to the site. To add a switch, click the + icon on the top right corner of the Switch Devices table. You can add multiple switches only to an SD-LAN site. The Add New Switch page appears. See Table 3 for details. |
Table 3 describes the fields on the Add New Switch Page.
Table 3: Fields on the Add New Switch Page
Field | Description |
---|---|
Device Profile | |
Device Name | Enter a name for the switch. You can use alphanumeric characters and hyphen (-). The maximum length allowed is 15 characters. |
Device Type | Select the type of switch—EX2300, EX3400, or EX4300. When you change the default device type, a carousel for device template appears. |
Device Model | Select the model for the switch you specified in the Device Type. The models vary in the number and type of ports the switch contains. For example, if you selected EX3400, select a model such as EX3400-24P, EX3400-48P, or EX3400-24T, among others. |
CPE Settings | |
Trunk Ports | Select at least two trunk ports on the CPE device to connect with the switch. The trunk ports are used for carrying the following: |
Switch Management Subnet | Specify the subnet that the DHCP can use to assign IP addresses to the switch and the access devices connected to the switch. |
Switch Details | |
Serial Number | Specify the serial number of the switch. |
Auto Activate | Auto Activate is enabled by default. When Auto Activate is enabled, the device activation is automatically triggered when the site is added. The Activation Code field appears if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device. Note: You must physically connect the switch to the CPE and power it on for the switch to be automatically activated when the auto activate option is enabled. |
Add an SD-WAN On-Premise Spoke Site
The following illustration shows a simple SD-WAN topology.

Before you add an on-premise spoke site:
- Add an enterprise hub site.
- Connect cables to the device according to your network design and power on the device.
Note: This task assumes that the device will get a DHCP IP address and will have Internet connectivity along with DNS resolution when connected according to the network design.
For more information about connecting the cables and connecting the device to a console, see the documentation for the CPE device as listed in Table 4.
- Ensure that ESP protocol traffic is allowed on the network.
- Ensure that the ports listed in Table 4 are open on the network.
Note: Ensure that the devices are running the recommended version of Junos OS. For information about the supported Junos OS versions, see the Release Notes for that release.
Table 4: CPE Devices, Port Information, and Documentation Links
Device Model | NAT/Firewall Ports | CPE WAN Link Ports | Hardware Documentation |
---|---|---|---|
SRX4x00 devices | 50, 51, 443, 500, 4500, 8060 | xe-0/0/0, xe-0/0/1, xe-0/0/2, xe-0/0/3 | SRX4100, SRX4200 |
SRX3xx devices, SRX550M, and vSRX devices | 50, 51, 443, 500, 4500, 8060 | ge-0/0/0, ge-0/0/1, ge-0/0/2, ge-0/0/3 | SRX300, SRX320, SRX340, SRX345, SRX550M |
NFX250 | 50, 51, 443, 500, 4500, 7804, 8060 | ge-0/0/10, ge-0/0/11, xe-0/0/12, xe-0/0/13 | NFX250 |
NFX150 | 50, 51, 443, 500, 4500, 8060 | heth4, heth5, heth2, heth3 | NFX150 |
If you are using a GRE-only overlay between an SRX CPE and a hub device, ensure that GRE traffic is enabled between the CPE and the hub device.
To add an on-premise spoke site for SD-WAN:
- From the Sites page (Resources > Site Management) of the CSO portal, click Add and select On-Premise Spoke Site.
The Add Site wizard appears.
- Complete the settings as explained in Table 5.
- Click OK to add the site.
When the site is successfully created, the Site Status in the Sites page changes to Provisioned.
Table 5: SD-WAN On-Premise Spoke Site Settings
Field | Description |
---|---|
General | |
Site Name | Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 10 characters. |
Site Capabilities | Select SD-WAN. |
Primary Hub | Select an enterprise hub site as the primary hub from the list of available hub sites. If there is only one hub site available, that one is selected by default. |
WAN | |
Device Series | Select the CPE device. |
Device Template | Select a device template for the CPE device. |
Serial Number | Enter the serial number of the CPE device. |
Auto Activate | If the selected device template supports ZTP, Auto Activate is enabled. When Auto Activate is enabled, zero-touch provisioning of the device is automatically triggered when the site is added. The Activation Code field appears if the selected device template does not support ZTP or if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device. |
Link Type | Specify whether the link is an Internet link or an MPLS link. If you select Internet as the Link Type, select the Access Type. The access type options available for Internet link are: Ethernet, LTE, ADSL, and VDSL. If you select Ethernet, ADSL or VDSL as the access type, you can enable Point-to-Point Protocol over Ethernet (PPPoE) for the SD-WAN link by clicking PPPoE toggle button. If you have enabled PPPoE, you must specify the PPPoE parameters (username, password, and authentication protocol) in the PPPoE Settings. |
Egress Bandwidth | Specify the maximum bandwidth allocated for the WAN link. |
Address Assignment | Specify whether to use DHCP or Static addresses. If you select Static, specify a Static IP Prefix and Gateway IP Prefix. |
Service Provider | Enter the name of the service provider. |
Cost per month | Enter the per month cost of the link. This information is used to identify the least expensive link when link switch occurs. |
LAN Segment | |
Add LAN Segment | Click to add a LAN segment. |
Name | Enter a unique name for the LAN segment. |
Gateway Address/Mask | Enter a valid gateway IP address and mask for the LAN segment; for example, 192.0.2.8/24. |
Department | Select a department from the list; if no department is available, click Create Department and add one. A department is a grouping of LAN segments within a site. You use departments to apply specific policies to LAN segments that are members of a department. |
CPE Port | Select at least one CPE port. |
After the site is provisioned, you can complete the following tasks as required:
- Upload and install licenses. For example, Administration > Licenses.
- Install signatures. For example, Administration > Signature Database.
- Add, edit, and deploy an SD-WAN policy. For example, Configuration > SD-WAN Policy.
- Create and generate reports. For example, Reports > Report Definitions > SD-WAN.
- Monitor alerts and alarms, SLA performance of tenants, and jobs. For example, Monitor > Jobs.
For more information about these tasks, see the Contrail Service Orchestration user guide at https://www.juniper.net/documentation/product/en_US/contrail-service-orchestration.
Add an SD-WAN On-Premise Spoke Site with LAN for Branch Networks
The following image illustrates a simple network topology that contains a CPE and an EX Switch. The CPE can be an SRX Series device or an NFX250 device.

After you connect the devices as shown in the topology diagrams and power on the devices, log into the CSO portal and add an SD-WAN site.
Before you add an on-premise spoke site:
- Add an enterprise hub site.
- Connect cables to the device according to your network design and power on the device.
Note: This task assumes that the CPE device will get a DHCP IP address and will have Internet connectivity along with DNS resolution when connected according to the network design.
For more information about connecting the cables and connecting to the device console, see the documentation for the CPE device. Table 6 lists, for each supported CPE device model, the WAN link ports, the NAT and firewall ports that need to be enabled, and links to the hardware documentation.
- Ensure that ESP protocol traffic is allowed on the network.
- Ensure that the ports listed in Table 6 are open.
Note: Ensure that the devices are running the recommended version of Junos OS. For information about the supported Junos OS versions, see the Release Notes for that Release 5.2.0...
Table 6: CPE Devices, Port Information, and Documentation Links
Device Model | NAT/Firewall Ports | CPE WAN Link Ports | Hardware Documentation |
---|---|---|---|
SRX4x00 devices | 50, 51, 443, 500, 4500, 8060 | xe-0/0/0, xe-0/0/1, xe-0/0/2, xe-0/0/3 | SRX4100, SRX4200 |
SRX3xx devices, SRX550M, and vSRX devices | 50, 51, 443, 500, 4500, 8060 | ge-0/0/0, ge-0/0/1, ge-0/0/2, ge-0/0/3 | SRX300, SRX320, SRX340, SRX345, SRX550M |
NFX250 | 50, 51, 443, 500, 4500, 7804, 8060 | ge-0/0/10, ge-0/0/11, xe-0/0/12, xe-0/0/13 | NFX250 |
LAN Switches: EX Series Devices (EX2300, EX3400, EX4300, EX4600, EX4650) | 443, 7804 | — | EX3400, EX4300 |
Note: Only EX Series devices running 18.4R2.7 firmware support ZTP.
EX4600 and EX4650 switches do not support the Phone-Home client. You must disable ZTP and manually configure the stage-1 configuration on the switches.
If you are using a GRE-only overlay between an SRX CPE and a hub device, ensure that GRE traffic is enabled between the CPE and the hub device.
To add an SD-WAN site with a CPE device and a LAN device:
- From the Sites page (Resources > Site Management) of the CSO portal, click Add and select Add On-Premise Spoke (Manual).
The Add On-premise Spoke Site for Tenant-Name page appears.
- Complete the configuration according to the guidelines provided in Table 7.
Note: Fields marked with an asterisk (*) are mandatory.
- Review the configuration from the Summary tab and click OK.
(Optional) Click the Edit links within the summary to go directly to a specific page of the wizard and modify the configured settings.
After you click OK, site activation is initiated and the Site Activation: Site-Name page appears.
If the Zero Touch Provisioning (ZTP) toggle button is enabled (default), CSO pushes the stage-1 and stage-2 configurations and provisions the switch.
This process occurs immediately after the activation process, for which you entered the activation code or selected auto-activation.
Note: Stage-1 configuration is the initial configuration that is pushed to a device to allow basic connectivity.
The configuration that is pushed to the device after it has connected to CSO is called stage-2 configuration.
If you disabled the Zero Touch Provisioning (ZTP) toggle button, you must manually configure the stage-1 configuration (as provided by CSO) on the switch.
To manually configure the stage-1 configuration:
- On the Site Activation: Site-Name page, the Click to copy stage-1 configuration link appears after the Prestage Device step completes successfully.
- Click the Click to copy stage-1 configuration link.
The stage-1 configuration page appears displaying the stage-1 configuration to be copied to the EX Series device.
- Copy the stage-1 configuration and log in to the console of the EX Series switch.
- Enter the configuration mode, paste, and commit the configuration.
After the stage-1 configuration is committed, the switch has the outbound SSH configuration to connect with CSO.
CSO then provisions the switch.
Table 7: SD-WAN On-Premise Spoke Site Settings
Field | Description |
---|---|
General | |
Site Name | Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 10 characters. |
Site Capabilities | Select SD-WAN and LAN. |
Primary Hub | Select an enterprise hub site as the primary hub from the list of available hub sites. If there is only one hub site available, that one is selected by default. |
WAN | |
Device Series | Select the CPE device. |
Device Template | Select a device template for the CPE device. |
Device Name | Enter a unique name for the CPE device. |
Serial Number | Enter the serial number of the CPE device. |
Auto Activate | If the selected device template supports ZTP, Auto Activate is enabled. When Auto Activate is enabled, zero-touch provisioning of the device is automatically triggered when the site is added. The Activation Code field appears if the selected device template does not support ZTP or if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device. |
Link Type | Specify whether the link is an Internet link or an MPLS link. If you select Internet as the Link Type, select the Access Type. The access type options available for Internet link are: Ethernet, LTE, ADSL, and VDSL. If you select Ethernet, ADSL or VDSL as the access type, you can enable Point-to-Point Protocol over Ethernet (PPPoE) for the SD-WAN link by clicking PPPoE toggle button. If you have enabled PPPoE, you must specify the PPPoE parameters (username, password, and authentication protocol) in the PPPoE Settings. |
Egress Bandwidth | Specify the maximum bandwidth allocated for the WAN link. |
Address Assignment | Specify whether to use DHCP or static addresses. |
Service Provider | Enter the name of the service provider. |
Cost per month | Enter the per month cost of the link. This information is used to identify the least expensive link when link switch occurs. |
LAN | |
Switch Devices | Displays the switches that you have added to the site. To add a switch, click the + icon on the top right corner of the Switch Devices table. You can add multiple switches only to an SD-LAN site. The Add New Switch page appears. See Table 8 for details. |
Table 8 describes the fields on the Add New Switch Page.
Table 8: Fields on the Add New Switch Page
Field | Description |
---|---|
Device Name | Enter a unique name for the device. |
Device Type | Select the type of the device. |
Serial Number | Specify the serial number of the switch. |
Auto Activate | Auto Activate is enabled by default. When Auto Activate is enabled, the device activation is automatically triggered when the site is added. The Activation Code field appears if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device. |
After you add the site, you can complete the following tasks as required:
- If Auto Activate is not enabled for the devices, ensure that the devices are activated before you install licenses or signatures, or deploy policies.
- If the EX Series switch has Mist access points associated with it, you can integrate the Mist access points with CSO. For more information about integrating Mist access points with CSO, see Enabling Integration with Mist Access Points.
- Upload and install licenses. For example, Administration > Licenses.
- Add, edit, and deploy an SD-WAN policy. For example, Configuration > SD-WAN Policy.
- Create and generate reports. For example, Reports > Report Definitions > SD-WAN.
- Monitor alerts and alarms, SLA performance of tenants, and jobs. For example, Monitor > Jobs.
For more information about these tasks, see the Contrail Service Orchestration documentation at https://www.juniper.net/documentation/product/en_US/contrail-service-orchestration.