Add Enterprise Hub Sites

An enterprise hub is an SD-WAN site that is used to carry site-to-site traffic between on-premise spoke sites and to break out backhaul (also called central breakout) traffic from on-premise spoke sites. An enterprise hub typically has a data center department behind it; however, this is not enforced in CSO. Unlike provider hubs, which can be shared by different tenants, an enterprise hub is available only to a single tenant.

For more information, see Enterprise Hubs Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Note

Before you add the enterprise hub site, check the cable connections, review the NAT and firewall ports and protocols, and check the Junos OS version of the enterprise hub device, as explained in Supported Devices for SD-WAN, and Ports and Protocols to Open.

To add an enterprise hub site:

Click Resources > Site Management in Customer Portal.
The Sites page appears.
Click Add, and select Add Enterprise Hub.
The Add Enterprise Hub wizard appears, displaying the General settings to be configured.
Configure the General settings as explained in Table 1, and click Next.
You are taken to the WAN section of the workflow.
Note
Fields marked with an asterisk (*) are mandatory.
Configure the WAN settings as explained in Table 2, and click Next.
You are taken to the LAN section of the workflow.
Add a LAN segment:
1. Click the Add (+) icon.
  The Create LAN Segment page appears.
2. Configure the LAN segment settings as explained in Table 3
3. Click OK.
  You are returned to the LAN section of the workflow, and the LAN segment that you added is displayed.
Click Next.
You are taken to the Summary section of the workflow.
(Optional) Review the configuration in the Summary section and, if required, modify the settings.
Click Finish.
- If you entered a serial number during activation and automatic activation is enabled, the Site Activation Progress page appears. The site activation process proceeds through the tasks explained in Table 4.
  Click OK to close the page.
  Note
  If you don’t want to wait for the site activation to finish, you can close the page and monitor the status of the site activation from the Jobs page (Monitor > Jobs).
  The time taken for site activation varies depending on the device that CSO is activating.
- If you did not enter a serial number or if automatic activation is disabled, you are returned to the Sites page. CSO triggers a job and displays a confirmation message with a job link. Click the link to view the status of the job.
  After the job is finished, CSO displays a confirmation message with a job link. The status of the site changes to CREATED and an Activate Site link is displayed. You must manually activate the site to finish the process. For more information, see Manually Activate a Site.

Tip

After you provision a site, you can modify (depending on the site status) certain parameters of the site. For more information, see Edit Site Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Table 1: General Information (Add Enterprise Hub)

Field	Guideline
Site Information
Site Name	Enter a unique name for the site. The name can contain alphanumeric characters and hyphens (-), and cannot exceed 32 characters.
Site Group	If you want the site to be part of a site group, select the site group. By default, None is selected, which means that the site doesn’t belong to any site group.
Site Capabilities
WAN Capabilities	Click the SD-WAN card to select SD-WAN as the WAN capability for the enterprise hub site. Because we’re adding an enterprise hub site, which is required only for SD-WAN deployments, only SD-WAN is displayed.
Configuration
Primary Provider Hub	If you previously added provider hub sites (DATA or OAM and DATA capability) for the tenant and want to have a backup for the enterprise hub, select a provider hub site as the primary provider hub.
Secondary Provider Hub	If you previously added provider hub sites (DATA or OAM and DATA capability) for the tenant and want provider hub redundancy, select another provider hub as the secondary provider hub.
On-Demand VPN Threshold
Threshold for Tunnel Creation	Specify the threshold for the number of sessions (flows) closed (in a two-minute duration) between the enterprise hub site and a destination site. When the number of sessions closed exceeds the specified threshold, a tunnel is created between the enterprise hub site and the destination site. For example, if you specify a threshold as 7, dynamic mesh tunnels are created if the number of sessions closed (in two minutes) between the enterprise hub site and destination site exceeds 7.
Threshold for Tunnel Deletion	Specify the threshold for the number of sessions closed (in a 15-minute duration) between the enterprise hub site and a destination site. When the number of sessions closed is lower than the specified threshold, the tunnel between the enterprise hub site and destination site is deleted. For example, if you specify the number of sessions closed as 5, dynamic mesh tunnels between the enterprise hub site and destination site are deleted if the number of sessions closed (in a 15-minute duration) is lesser than or equal to 5.
Address and Contact Information	Enter the address and contact information in the fields provided. Although it is not mandatory, providing an address lets you visualize where the site is located on a geographical map on the Monitor Overview page.
Advanced Configuration	For the DNS and NTP servers, you can either use the defaults or specify DNS and NTP servers.
Name Server IP List	If needed, specify the IPv4 addresses of one or more DNS servers.
NTP Server	If needed, specify the IP addresses of one or more NTP servers.
Select Timezone	Select a time zone for the site.

Table 2: WAN Settings (Add Enterprise Hub)

Field	Guideline
Device Series	Displays SRX as the device series (family). You cannot modify this field because only certain SRX Series devices can be configured as enterprise hubs.
[Device Template]	Ensure that you select the correct device template from the carousel; the template depends on the device that you are using as the enterprise hub. For example, for an SRX4100 device, select SRX4x00 as SD-WAN CPE (or a modified version of that template) as the device template.
Device Information	Note: If you selected a dual CPE template, additional fields are displayed. For more information, see Add Enterprise Hubs with SD-WAN Capability in the CSO Customer Portal User Guide (available on the CSO Documentation page).
Serial Number	If you want CSO to proceed with the site activation immediately after you complete the site addition workflow, enter the serial number. If the serial number that you entered is already present in the system, CSO displays an error message. If the serial number is not present, then CSO displays a green check mark. If you want CSO to only model the site, leave this field blank. If you don’t enter a serial number, you must manually activate the site later.
Auto Activate	Click the toggle button to specify whether the site activation requires an activation code or not: Enabled—The site is activated automatically without an activation code. This is the default setting. Disabled—The site activation proceeds only after you enter an activation code. If you choose this setting, enter the activation code (in the Activation Code field) that must be entered to activate the device.
Boot Image	If you want to upgrade the enterprise hub device with the latest supported Junos OS version, select the boot image from the list. The boot image is used to upgrade the device when CSO starts the zero touch provisioning (ZTP) process. If you don't specify a boot image, which is the default option (Use Image on Device) in the list, then the CSO skips the procedure to upgrade the device during ZTP.
WAN Links	You can configure a maximum of four WAN links and must configure at least one WAN link.
WAN_0 (`WAN-Interface-Name`)	The first WAN link is enabled by default. Fields marked with an asterisk (*) must be configured to proceed.
Link Type	For the first WAN link, we use the default (Internet) for the underlay network type to ensure reachability to the redirect server.
Egress Bandwidth	Enter the maximum egress bandwidth (in megabits per second [Mbps]) that is allowed for the WAN link.
Address Assignment	Displays the method of assigning an IP address to the WAN link (STATIC). You cannot modify this field. You must provide an IP address prefix and the gateway address for the WAN link.
Static IP Prefix	Enter the IPv4 address prefix of the WAN link; for example, 192.0.2.8/24.
Gateway IP Address	Enter the IP address of the gateway of the WAN link’s service provider.
Public IP Address	Note: You should provide a public IP address only if the static IP prefix is a private IP address and 1:1 NAT is configured. Enter the public IPv4 address for the link, if needed.
Advanced Settings
Provider	Enter the name of the WAN link’s service provider.
Cost/Month	Leave this as the default because this field is currently not used in CSO.
Enable Local Breakout	Click the toggle button to enable the WAN link to be used for local breakout. The toggle button is disabled by default, which means that the WAN link cannot be used for local breakout. Local breakout is an SD-WAN feature that enables Internet links to break out traffic directly from a site. For example, if you want to provide guests who visit your enterprise with Internet access, you can use local breakout to break out guest traffic locally from the site directly to the Internet. Note: If you enable local breakout, this only means that the WAN link can be used for local breakout. To enable traffic to break out from the site, you must also configure a breakout profile, reference that profile in an SD-WAN policy intent, and deploy the SD-WAN policy. If you enable local breakout, additional fields appear.
Breakout Options	This field is displayed only if local breakout is enabled for the WAN link. Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.
Autocreate Source NAT Rule	This field is displayed only if local breakout is enabled for the WAN link. When you enable local breakout on a link, this setting is enabled by default, which triggers automatic creation of source NAT rules for the site. You can click the toggle button to disable the automatic creation of source NAT rules. If you disable this field, then you must manually add a source NAT rule for local breakout and deploy the NAT policy on the site. Note: If NAT is not enforced by a separate device in your network (for example, an Internet gateway firewall), then we recommend that you enable this setting because it allows CSO to automatically create a NAT policy for the site. Table 5 explains how source NAT rules are automatically created on the WAN link. The automatically-created source NAT rules are implicitly defined and applied to the site and is not visible on the NAT Policies page. Note: You can manually override automatically created NAT rules, by creating a NAT rule, which is placed at a higher priority than the automatically created NAT rule
Translation	This field is displayed only if the automatic creation of source NAT rules is enabled for the WAN link. Select the type of NAT to use for the traffic on the WAN link: Interface—Use interface-based NAT, which is the default setting. Pool—Use pool-based NAT. If you select this option, you must specify the IP addresses that are to be used for the NAT pool.
IP Addresses	For pool-based NAT, enter one or more IP addresses, subnets, or an IP address range. Separate multiple IP addresses by using commas and use a hyphen to denote a range; for example, 192.0.2.1-192.0.2.50. Note: No NAT is performed for tenant-owned public IP addresses that were added during the tenant addition workflow.
Preferred Breakout Link	if the WAN link is enabled for local breakout, click the toggle button to enable the WAN link as the most preferred breakout link. If you disable this option, then the breakout link is chosen using ECMP (equal-cost multipath) from the available breakout links.
BGP Underlay Options	Note: BGP underlay routing is typically used by service providers, and can be configured only if local breakout is enabled for the WAN link. Click the toggle button to enable BGP underlay routing. When you enable BGP underlay routing, route advertisements to the primary Provider Edge (PE) node and, if configured, the secondary PE node occur as follows: CSO advertises the WAN interface subnet. If you configured pool-based translation, CSO advertises the NAT address pool. Note: If underlay BGP is enabled for a WAN link, then the routes learnt from BGP are installed for local breakout; CSO does not generate the static default route.
Primary Neighbor	Displays the IP address that you entered for the gateway for the WAN link.
Secondary Neighbor	If you want to provide PE resiliency, you can configure a secondary PE node. Enter the IP address of the secondary PE node. Note: If the primary PE node goes down, then the secondary PE is used as the next hop. When the primary PE comes back up, the route next hops are changed to the primary PE.
eBGP Peer-AS-Number	Enter the autonomous system (AS) number for the external (EBGP) peer. Note: If the peer AS number is not configured or the peer AS number that is configured is the same as that of the CPE site, then the BGP type is assumed to be internal BGP (IBGP).
Local AS Number	Enter the local AS number for the WAN link. When you configure this parameter, the local AS number is used for eBGP peering instead of the global AS number configured for the device.
Authentication	Select the BGP route authentication method to be used: None—Indicates that no authentication should be used. This is the default. Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.
Auth Key	If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.
Advertise Public LAN Prefixes	Click the toggle button to enable the advertisement of public LAN prefixes. This field is disabled by default. If the tenant has a public IP address pool configured and you enable the advertisement of public LAN prefixes, then for LAN segments that are created with a subnet that falls under the tenant public IP address pool, CSO advertises the LAN subnet to the BGP underlay. Note: When public LAN advertisement is enabled for the WAN link, public LAN prefixes are advertised through the BGP underlay towards MPLS or the Internet.
Use for Fullmesh	Click the toggle button to enable the WAN link to be part of a full mesh topology. A site can have all WAN links enabled for meshing. Note: You must enable at least one WAN link for full mesh. Configure the two additional fields that appear:
Mesh Overlay Link Type	If the WAN link is enabled for full mesh, select the type of encapsulation to be used for the overlay tunnels in the full mesh topology: Note: For links with public IP addresses, we recommend that you use GRE over IPsec as the mesh overlay link type. GRE_IPSEC—Use GRE over IPsec. GRE—Use GRE. This option is available only for MPLS links.
Mesh Tag	Select one or more mesh tags for the WAN link. Note: The tunnels between the enterprise hub site and the on-premise spoke site are added based on matching mesh tags. So, if you want meshing to take place between a WAN link on the enterprise hub and a WAN link on the on-premise spoke site, the mesh tags must be the same for both sites. For more information about mesh tags, see Mesh Tags Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).
Use for OAM traffic	Click the toggle button to enable the use of the WAN link for Operation, Administration, and Maintenance (OAM) traffic. The WAN link is then used to establish an OAM tunnel for communication between the enterprise hub site and CSO. Note: To ensure redundancy, we recommend that you configure at least two WAN links that can be used for OAM traffic. In addition, for added management redundancy, use two links with different transport paths.
Connects to Hubs	Click the toggle button to specify that the WAN link of the site connects to a hub. Note: For sites with a single CPE, you must enable at least one WAN link to connect to the hub so that OAM traffic can be transmitted. For sites with a dual CPE, you must enable at least one WAN link per device to connect to the hub so that OAM traffic can be transmitted.
VLAN ID	Enter a VLAN ID for the WAN link. Range: 0 through 4049 (4050 to 4094 is reserved by CSO). Note: If you are configuring more than one WAN link on the same physical interface, only one WAN link can be untagged; for the remaining WAN links, you must configure a VLAN ID. A combination of tagged and untagged on the same physical interface is supported only for single CPE devices. To enable the configuration of WAN links as logical interfaces, you must modify the device template and configure the WAN ports as logical interfaces.
Backup Link	Select a backup link through which traffic can be routed when the primary (other) links are unavailable. You can select any link other than the default links or links that are configured exclusively for local breakout traffic. When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, SLA data is not monitored for the backup link.
Default Link	Select one or more links that will be used for routing traffic in the absence of matching SD-WAN policy intents. A site can have multiple default links to the hub site. Default links are used primarily for overlay traffic but can also be used for local breakout traffic. However, a default link cannot be used exclusively for local breakout traffic. If you do not specify a default link, then equal-cost multipath (ECMP) is used to choose the link on which to route traffic.
WAN_1 (`WAN-Interface-Name`)	Click the toggle button to enable or disable (default) the WAN link. When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 (`WAN-Interface-Name`) for an explanation of the fields
WAN_2 (`WAN-Interface-Name`)	Click the toggle button to enable or disable (default) the WAN link. When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 (`WAN-Interface-Name`) for an explanation of the fields
WAN_3 (`WAN-Interface-Name`)	Click the toggle button to enable or disable (default) the WAN link. When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 (`WAN-Interface-Name`) for an explanation of the fields
Management Connectivity	We recommend that you do not configure this setting (leave the IP Prefix field blank) because management connectivity is handled automatically by CSO.
Additional Configuration	If you want to deploy additional configuration during the ZTP process, you can select one or more configuration templates and set the parameters for each template.
Configuration Templates List	For each configuration template that you select Select one or more configuration templates from the list that you want to deploy on the device during ZTP. Click Set Parameters. The Device Configurations page appears. The names and configuration parameters of the configuration templates that you selected are displayed in the Configure tab. For each configuration template, enter values for the parameters. (Optional) Click the Summary tab to view the Junos OS configuration commands that will be deployed on the device for the different configuration templates. Click Save. You are returned to the WAN tab. The Junos OS configuration commands will be deployed on the device during the ZTP process.

Table 3: LAN Segment Settings (Enterprise Hub)

Field	Description
Name	Enter a name for the LAN segment. The name can contain alphanumeric characters and underscores. No spaces are allowed and the maximum length is 15 characters.
Type Note: This field is displayed only for LAN segments associated with enterprise hub sites.	Select the type of LAN segment: Directly Connected—Indicates that the LAN segment is directly connected to the site. This is the default setting. Dynamic Routed—Indicates that the LAN segment is not directly connected to the site and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.
VLAN ID	Enter the VLAN ID for the LAN segment. Range: 2 through 4093.
Department	Select a department to which the LAN segment is assigned. Alternatively, click Create Department to add a new department and configure the fields required to add a department. You can group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department.
Protocol	For dynamically routed LAN segments, select the routing protocol (BGP or OSPF) to be used by the data center department to learn routes from the data center. Depending on your selection, additional fields related to the protocol appear in the BGP Configuration and OSPF Configuration sections of the page respectively.
Advertise LAN Prefix	For dynamically routed LAN segments, click the toggle button to advertise the LAN prefix of the SD-WAN spoke sites to the data center through the data center department associated with the enterprise hub. By default, this field is disabled. Note: Route advertisements from the data center to SD-WAN spoke sites take place irrespective of whether this field is enabled or disabled. You must avoid overlapping IP addresses between the LAN network of the SD-WAN spoke sites and the data center network.
Gateway Address/Mask	Enter a valid gateway IP address and mask for the LAN segment. This address will be the default gateway for endpoints in this LAN segment. For example: 192.0.2.8/24.
DHCP	For directly connected LAN segments, click the toggle button to enable DHCP (default). You can enable DHCP if you want to assign IP addresses by using a DHCP server or disable DHCP if you want to assign a static IP address to the LAN segment. Note: If you enable DHCP, additional fields appear on the page.
[Additional fields related to DHCP]
Address Range Low	Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.
Address Range High	Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.
Maximum Lease Time	Specify the maximum duration (in seconds) for which a client can request for and hold a lease on the DHCP server. Default: 1440 Range: 0 through 4,294,967,295 seconds.
Name Server	Specify one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address. Note: DNS servers are used to resolve hostnames into IP addresses.
CPE Ports	Select the ports (on the CPE device) that you want to include as part of the LAN segment.
BGP Configuration	This section is displayed only for dynamic routed LAN segments with BGP specified as the protocol.
Authentication	Select the BGP route authentication method to be used: None—Indicates that no authentication should be used. This is the default. Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.
Peer IP Address	Enter the IP address of the BGP neighbor.
Peer AS Number	Enter the autonomous system (AS) number of the BGP neighbor. By default, CSO uses the AS number 64512; the AS number can be modified during the installation of the CSO on-premises version. If the AS number of the data center’s router is different from CSO’s AS number, an external BGP (eBGP) peering session is established. If the AS number is the same, an internal BGP (iBGP) peering session is established.
Auth Key	If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.
OSPF Configuration	This section is displayed only for dynamic routed LAN segments with OSPF specified as the protocol.
OSPF Area ID	Specify the OSPF area identifier to be used for the dynamic route.
Authentication	Select the OSPF route authentication method to be used: Password—Indicates that password-based authentication should be used. If you choose this option, you must specify the password. (This is the default). Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key. None—Indicates that no authentication should be used.
Password	Enter the password to be used to verify the authenticity of OSPF packets.
Confirm Password	Retype the password for confirmation purposes.
MD5 Auth Key ID	If you specified that MD5 should be used for authentication, enter the OSPF MD5 authentication key ID. Range: 1 through 255.
Auth Key	If you specified that MD5 should be used for authentication, enter an MD5 authentication key, which is used to verify the authenticity of OSPF packets.

Table 4: Site Activation Tasks and Troubleshooting

Activation Task	Troubleshooting
`Model Site`—CSO first models the site to begin the activation process. If you didn’t enter a serial number or disabled automatic activation, you must manually activate the site as explained in Manually Activate a Site.
`Prestage Device`—Depending on the type of device used, you might need to copy the configuration that is generated by CSO and commit the configuration on the device. For such devices, CSO can move to the next step (detecting the device) only after the configuration is committed successfully on the device. On the Devices page (Resources > Devices), select the device and click Stage1 Config. The configuration to be copied appears in a separate page. Click Copy to copy the configuration to the clipboard Log in to the device by using SSH and enter Junos OS configuration mode. Paste the configuration that you copied and commit the configuration.	This step typically goes through without problems. However, if you encounter a problem, log in to the device (using a console or a management interface), access the CLI, and verify that the stage-1 configuration was committed on the device.
`Detect Device`—The device reaches out to CSO, and communication with CSO is established. This task typically takes a few minutes. If the status shows as Pending after about 10 minutes, try the troubleshooting steps.	If the device is not detected: Check that the correct interfaces on the device are connected. Log in to the device, and access the CLI. Check the system time that is configured on the device by executing the show system uptime command, and ensure that the system time is accurate. A mismatch in time might mean that the device is unable to connect to the redirect server. Note: This step is applicable only for on-premise spoke sites. Execute the show interfaces terse command. In the command output, verify whether the device received a DHCP IP address. If the device did not receive an IP address, try to reconnect. If the device has a valid IP address, then verify that the device can reach the Internet by using the ping command. For example, ping www.juniper.net. If the ping command executes successfully, this means that the device can reach the Internet, and DNS resolution is working. Verify whether the device has the permissions required for outgoing connections on port 443 by executing the telnet redirect.juniper.net 443 command. If the device has the required permissions, you should see an output similar to the following: Trying 192.0.2.155... Connected to telnet-host.example.com. Escape character is '^]'.
`Bootstrap Device`—This task comprises the following sub-tasks: A secure OAM tunnel (using IPsec) from the device to the OAM hub is established. An outbound SSH connection from the device is established with CSO. An Internal BGP (iBGP) peering between the device and the virtual route reflector (VRR) is established. The device sends a Bootstrap Complete message to CSO, which CSO receives and marks the bootstrap as completed. The device is now managed by CSO. This task typically takes a few minutes to finish. If the status shows as Pending after about 10 minutes, try the troubleshooting steps.	If the bootstrap device task does not finish successfully: Verify whether the stage-1 configuration was deployed on the device by executing the show configuration \| display set \| match outbound-ssh \| match 7804 command. If the resulting output is similar to the following sample output, it means that the stage-1 configuration was deployed successfully. set system services outbound-ssh client CSO-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 192.0.2.100 port 7804 Check if the secure OAM tunnels are up by executing the following commands: show security ike sa command. If the State field in the output doesn't display UP, it means that port 500 is blocked. Ensure that you open 500 and retry the activation job (from the Jobs page). show security ipsec sa command. If the State field in the output doesn't display UP, it means that port 4500 is blocked. Open port 4500, and retry the activation job (from the Jobs page). Verify whether the device has established BGP peering with the VRR by executing the show bgp summary command. If the State field in the output displays Establ, it means that BGP peering is established successfully. Verify whether the secure OAM session is established by executing the show security flow session destination-port 7804 command. If the resulting output is similar to the following output, it means that the secure OAM session was established successfully. Session ID: 430000098, Policy name: default-policy-00/2, Timeout: 1778, Valid In: 192.0.2.10/15190 --> 192.0.2.20/23;tcp, If: ge-7/1/0.0, Pkts: 109, Bytes: 5874, CP Session ID: 430000093 Out: 192.0.2.20/23 --> 192.0.2.10/15190;tcp, If: ge-7/1/1.0, Pkts: 64, Bytes: 4015, CP Session ID: 430000093 Total sessions: 1
`Provision Device`—The final task in the site activation process is that CSO applies the provisioning configuration on the device. After this task is completed, the device is ready for use. The time taken for this task depends on the type of device. If the status is showing Pending after about 20 minutes, try the troubleshooting steps.	Go to the Jobs page (Monitor > Jobs), search for the ZTP job, and check the status. Click the `job-name` link to view the tasks associated with the job and their status. You can drill down further by clicking the `task-name` link. If the status of the job or task is In Progress, wait until the job or task finishes. If the job failed, you can retry the job by selecting the job, and clicking the Retry Job button.

Table 5: Automatic Creation of Source NAT Rules

Autocreate Source NAT Rule	Translation	NAT Rules Creation
Disabled	Not applicable (No NAT)	None.
Enabled	Interface-Based (Default)—CSO creates interface-based NAT rules.	Source NAT rules are automatically created, with each rule from a department zone to the WAN interface, with a translation of type interface. Each pair of [zone - interface] represents a rule-set. For example, the following department zone to (WAN link) W1 interface rule-set might be created: Dept-Zone1 --> W1: Translation=Interface Dept-Zone2 --> W1: Translation=Interface Dept-Zone3 --> W1: Translation=Interface When traffic from a spoke site breaks out at an enterprise hub, a source NAT rule is automatically created at the enterprise hub from the department routing group (also referred to as VRF group) to the WAN interface. Dept-vrf-group --> W1: Translation=Interface
Enabled	Pool-Based—CSO automatically creates pool-based NAT rules.	Source NAT rules are automatically created, with each rule from a department zone to the WAN NAT pool with a translation of type pool. For example, a source NAT rule from department zone to NAT pool might be created: Dept-Zone1 --> W1 : Translation=Pool-1 Dept-Zone2 --> W1 : Translation=Pool-1 When traffic from a spoke site breaks out at an enterprise hub, a source NAT rule is automatically created at the enterprise hub from the department routing group to the WAN pool. Dept-vrf-group --> W1: Translation=Pool

Autocreate Source NAT Rule

Translation

NAT Rules Creation

Disabled

Not applicable (No NAT)

None.

Enabled

Interface-Based (Default)—CSO creates interface-based NAT rules.

Source NAT rules are automatically created, with each rule from a department zone to the WAN interface, with a translation of type interface. Each pair of [zone - interface] represents a rule-set.

For example, the following department zone to (WAN link) W1 interface rule-set might be created:

Dept-Zone1 --> W1: Translation=Interface

Dept-Zone2 --> W1: Translation=Interface

Dept-Zone3 --> W1: Translation=Interface

When traffic from a spoke site breaks out at an enterprise hub, a source NAT rule is automatically created at the enterprise hub from the department routing group (also referred to as VRF group) to the WAN interface.

Dept-vrf-group --> W1: Translation=Interface

Enabled

Pool-Based—CSO automatically creates pool-based NAT rules.

Source NAT rules are automatically created, with each rule from a department zone to the WAN NAT pool with a translation of type pool.

For example, a source NAT rule from department zone to NAT pool might be created:

Dept-Zone1 --> W1 : Translation=Pool-1

Dept-Zone2 --> W1 : Translation=Pool-1

When traffic from a spoke site breaks out at an enterprise hub, a source NAT rule is automatically created at the enterprise hub from the department routing group to the WAN pool.

Dept-vrf-group --> W1: Translation=Pool

WHAT'S NEXT

After the site is provisioned, you must perform Post-Provisioning Tasks for Enterprise Hub and SD-WAN Spoke Sites.