
Add SD-WAN On-Premise Spoke Sites

 

An on-premise spoke represents an endpoint, like the customer premises equipment (CPE) device at a physical location, such as a branch office. Typically, these sites are connected using overlay connections to hub sites.

Note

Before you add the SD-WAN spoke sites, check the cable connections, review the NAT and firewall ports and protocols, and check the Junos OS version of the SD-WAN CPE device. For details, see Supported Devices for SD-WAN, and Ports and Protocols to Open.

To add on-premise spoke sites with SD-WAN capability:

  1. Click Resources > Site Management.

    The Sites page appears.

  2. Click Add, and select Add On-Premise Spoke (Manual).

    The Add On-Premise Spoke Site wizard appears, displaying the General settings to be configured.

    Note

    Fields marked with an asterisk (*) are mandatory.

  3. Configure the General settings as explained in Table 1, and click Next.

    You are taken to the WAN section of the workflow.

  4. Configure the WAN settings as explained in Table 3, and click Next.

    You are taken to the LAN section of the workflow.

  5. You can add LAN segments when you’re adding the site or after a site is provisioned. To add a LAN segment during the site addition workflow:
    1. Click the add (+) icon.

      The Create LAN Segment page appears.

    2. Configure the LAN segment settings as explained in Table 4.
    3. Click OK.

      You are returned to the LAN section of the workflow and the LAN segment that you added is displayed.

  6. Click Next.

    You are taken to the Summary section of the workflow.

  7. Review the configuration in the Summary section and, if required, modify the settings.
  8. Click Finish.
    • If you entered a serial number during activation and automatic activation is enabled, the Site Activation Progress page appears. The site activation process proceeds through the tasks explained in Site Activation Tasks and Troubleshooting.

      Click OK to close the Site Activation Progress page.

      Note

      If you don’t want to wait for the site activation to finish, you can close the Site Activation Progress page and monitor the status of the site activation from the Jobs page (Monitor > Jobs).

      The time taken for site activation varies depending on the device that CSO is activating.

    • If you did not enter a serial number or if automatic activation is disabled, you are returned to the Sites page. CSO triggers a job and displays a confirmation message with a job link. Click the link to view the status of the job.

      After the job is finished, CSO displays a confirmation message with a job link. The status of the site changes to CREATED and an Activate Site link is displayed. You must manually activate the site to finish the process. For more information, see Manually Activate a Site.

Tip

After you add a site, you can modify (depending on the site status) certain parameters of the site. For more information, see Edit Site Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Table 1: General Information (Add [SD-WAN] On-Premise Spoke)

Field

Guideline

Site Information

 

Site Name

Enter a unique name for the site. The name can contain alphanumeric characters, and hyphens (-) and cannot exceed 32 characters.

Site Group

If you want the site to be part of a site group, select the site group. By default, None is selected, which means that the site doesn’t belong to any site group.

Site Capabilities

 

WAN Capabilities

Because we’re configuring an SD-WAN spoke site, click the SD-WAN card to select SD-WAN as the WAN capability.

Configuration

You must specify at least one hub to which the on-premise spoke site must connect (in the Primary Provider Hub, Secondary Provider Hub, Primary Enterprise Hub, and Secondary Enterprise Hub fields). The combinations supported are listed in Table 2.

On-Demand VPN Threshold

 

Threshold for Tunnel Creation

Specify the threshold for the number of sessions (flows) closed (in a two-minute duration) between the spoke site and a destination site. When the number of sessions closed exceeds the specified threshold, a tunnel is created between the spoke site and the destination site.

For example, if you specify a threshold of 7, dynamic mesh tunnels are created if the number of sessions closed (in two minutes) between the spoke site and destination site exceeds 7.

Threshold for Tunnel Deletion

Specify the threshold for the number of sessions closed (in a 15-minute duration) between the spoke site and a destination site. When the number of sessions closed is lower than the specified threshold, the tunnel between the spoke site and destination site is deleted.

For example, if you specify the number of sessions closed as 5, dynamic mesh tunnels between the spoke site and destination site are deleted if the number of sessions closed (in a 15-minute duration) is less than or equal to 5.

Address and Contact Information

Enter the address of the on-premise spoke site and contact information in the fields provided. Although it is not mandatory, providing an address lets you visualize where the site is located on the geographical map on the Monitor Overview page.

Advanced Configuration

For the DNS and NTP servers, you can either use the defaults or specify DNS and NTP servers.

Domain Name Server (DNS)

Specify the IPv4 addresses of one or more DNS servers.

NTP Server

If needed, specify the IP addresses of one or more NTP servers.

Select Timezone

Select a time zone for the site.
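The following is an added example (not CSO code) that models the dynamic-mesh decision described in the On-Demand VPN Threshold fields of Table 1: a tunnel is created when closed sessions in the last two minutes exceed the creation threshold and deleted when closed sessions in the last 15 minutes fall to the deletion threshold or below. The event format, the controller class, and the timeline are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

# Added example, not part of the CSO documentation. Window lengths follow the
# page; the class, method names and the sample timeline are assumptions.
CREATE_WINDOW_S = 2 * 60    # sessions closed in the last 2 minutes
DELETE_WINDOW_S = 15 * 60   # sessions closed in the last 15 minutes


@dataclass
class MeshTunnelController:
    create_threshold: int   # tunnel created when closed sessions > this value
    delete_threshold: int   # tunnel deleted when closed sessions <= this value
    tunnels: set = field(default_factory=set)
    _closed: dict = field(default_factory=dict)   # dest -> [close timestamps]

    def _count(self, dest, now, window):
        # Number of sessions to `dest` that closed within `window` seconds of `now`.
        return sum(1 for ts in self._closed.get(dest, []) if now - ts <= window)

    def session_closed(self, dest, ts):
        """Record that a flow between this spoke and `dest` closed at time `ts`."""
        self._closed.setdefault(dest, []).append(ts)

    def evaluate(self, now):
        """Apply the creation rule, then the deletion rule; return the actions."""
        actions = []
        for dest in self._closed:
            if dest not in self.tunnels and \
                    self._count(dest, now, CREATE_WINDOW_S) > self.create_threshold:
                self.tunnels.add(dest)
                actions.append(("create", dest))
            elif dest in self.tunnels and \
                    self._count(dest, now, DELETE_WINDOW_S) <= self.delete_threshold:
                # The 15-minute window contains the 2-minute window, so with
                # delete_threshold <= create_threshold a freshly created tunnel
                # cannot be torn down in the same evaluation.
                self.tunnels.discard(dest)
                actions.append(("delete", dest))
        return actions


def demo():
    """Constructed timeline using the page's example values (7 and 5)."""
    ctl = MeshTunnelController(create_threshold=7, delete_threshold=5)
    for i in range(8):            # 8 flows to site-B close within a few seconds
        ctl.session_closed("site-B", ts=i)
    for i in range(7):            # only 7 flows to site-C close: does not exceed 7
        ctl.session_closed("site-C", ts=i)
    log = []
    log += ctl.evaluate(now=10)     # site-B: 8 > 7 -> tunnel created
    log += ctl.evaluate(now=300)    # 8 closes still inside 15-min window -> kept
    log += ctl.evaluate(now=911)    # window now empty, 0 <= 5 -> tunnel deleted
    return log


if __name__ == "__main__":
    print(demo())
```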

Table 2: Supported Combinations of Provider and Enterprise Hubs

Provider Hubs Specified    Enterprise Hubs Specified
Primary                    None
Primary                    Primary
Primary                    Primary and Secondary
Primary and Secondary      None
Primary and Secondary      Primary
Primary and Secondary      Primary and Secondary
None                       Primary
None                       Primary and Secondary

Table 3: WAN Settings (Add On-Premise Spoke)

Field

Guideline

Device Series

Select the device series of the CPE device; for example, SRX.

Based on the device series that you selected, the supported device templates are displayed.

Ensure that you select the correct device template from the carousel.

For example, for an SRX300 device, select SRX as SD-WAN CPE (or a modified version of that template) as the device template.

Device Information

Note: If you selected a dual CPE template, additional fields are displayed. For more information, see Add an On-Premises Spoke Site with SD-WAN Capability in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Serial Number

If you want CSO to proceed with the site activation immediately after you complete the site addition workflow, enter the serial number. If the serial number that you entered is already present in the system, CSO displays an error message. If the serial number is not present, then CSO displays a green check mark.

If you want CSO to only model the site, leave this field blank. If you don’t enter a serial number, you must manually activate the site later.

Auto Activate

Click the toggle button to specify whether the site activation requires an activation code or not:

  • Enabled—The site is activated automatically without an activation code. This is the default setting.

  • Disabled—The site activation proceeds only after you enter an activation code. If you choose this setting, enter the activation code (in the Activation Code field) that must be entered to activate the device.

Boot Image

If you want to upgrade the on-premise spoke device with the latest supported Junos OS version, select the boot image from the list. The boot image is used to upgrade the device when CSO starts the ZTP process.

If you don't specify a boot image, which is the default selection (Use Image on Device) in the list, then CSO skips the procedure to upgrade the device during ZTP.

WAN Links

You can configure a maximum of four WAN links and must configure at least one WAN link.

WAN_0 (WAN-Interface-Name)

The first WAN link is enabled by default.

Note: Fields marked with an asterisk (*) must be configured to proceed.

Link Type

Select the type of link (MPLS or Internet) for the WAN link.

For the first WAN link, we recommend that you use the default (Internet) for the underlay network type to ensure reachability to the redirect server.

Access Type

Select the access type for the underlay link:

  • For Internet links, you can select Ethernet (default setting), LTE, ADSL, or VDSL as the access type.

  • For MPLS links, you can select Ethernet (default) or LTE as the access type.

Note:

  • You can select the LTE, ADSL, or VDSL access type only for one WAN link.

  • You cannot configure LTE, ADSL, or VDSL as the access type if you are using the Dual SRX and Dual NFX device templates; Ethernet is configured as the access type for the underlay link.

  • SRX300 does not support LTE and ADSL access types.

  • On SRX300 Series devices (except SRX300 devices) and NFX150 devices, the LTE WAN link is supported through a SIM card that is inserted in the SIM slot of the Mini-Physical Interface Module (Mini-PIM).

    On NFX250 devices, the LTE WAN link is supported through a USB dongle (Vodafone K5160 dongle) that is plugged into the USB port of the CPE device.

PPPoE/PPP

This field is displayed only for Internet links with Ethernet, ADSL, or VDSL access type, and for MPLS links with Ethernet or LTE access types.

Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol [PPP] over Ethernet) or PPP. By default, this toggle button is disabled.

PPPoE works with Ethernet, ADSL, and VDSL access types while PPP works with the LTE access type.

If you’ve enabled this toggle button, you must specify the authentication parameters in the PPPoE/PPP Settings section of the page.

Egress Bandwidth

This field is not available when you configure LTE as the access type.

Enter the maximum egress bandwidth (in Mbps) allowed for the WAN link.

Address Assignment

This field is not available if you’ve enabled PPPoE/PPP. For LTE access type, only DHCP is available as the address assignment method.

Select the method for assigning an IP address to the WAN link:

  • If you select DHCP, the IP address is provided by using the DHCP server of the WAN link’s service provider.

  • If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link.

    • Static IP Prefix—Enter the IPv4 address prefix of the WAN link; for example, 192.0.2.8/24.

    • Gateway IP Address—Enter the IP address of the gateway of the WAN link’s service provider.

Access Point Name (APN)

This field can be configured only for MPLS links with LTE access type and PPPoE/PPP enabled. For MPLS links with LTE as the access type and PPPoE/PPP disabled, CSO uses the default APN settings that the CPE device is shipped with.

The access point name (APN) determines the Packet Data Network Gateway (P-GW) that the CPE device must use to connect to the Packet Data Network (PDN) such as Internet. All CPE devices are shipped with default APN settings. However, if you choose to use a private APN with the current LTE service provider or to use a different LTE service provider, enter the APN for the CPE device (as specified by the service provider) in this field.

Advanced Settings

 

Provider

Enter the name of the WAN link’s service provider.

Cost/Month

Leave this as the default because this field is currently not used in CSO.

Enable Local Breakout

Click the toggle button to enable the WAN link to be used for local breakout. The toggle button is disabled by default, which means that the WAN link cannot be used for local breakout.

Local breakout is an SD-WAN feature that enables Internet links to break out traffic directly from a site. For example, if you want to provide guests who visit your enterprise with Internet access, you can use local breakout to break out guest traffic locally from the site directly to the Internet.

Note:

  • If you enable local breakout, this only means that the WAN link can be used for local breakout. To enable traffic to break out from the site, you must also configure a breakout profile, reference that profile in an SD-WAN policy intent, and deploy the SD-WAN policy.

  • If you do not enable local breakout on at least one WAN link for a single CPE site and at least two WAN links for a dual CPE site, then local breakout is disabled for the site.

If you enable local breakout, additional fields appear.

Breakout Options

This field is displayed only if local breakout is enabled for the WAN link.

Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

Autocreate Source NAT Rule

This field is displayed only if local breakout is enabled for the WAN link.

When you enable local breakout on a link, this setting is enabled by default, which triggers automatic creation of source NAT rules for the site.

You can click the toggle button to disable the automatic creation of source NAT rules. If you disable this field, then you must manually add a source NAT rule for local breakout and deploy the NAT policy on the site.

Note: If NAT is not enforced by a separate device in your network (for example, an Internet gateway firewall), then we recommend that you enable this setting because it allows CSO to automatically create a NAT policy for the site.

Translation

This field is displayed only if the automatic creation of source NAT rules is enabled for the WAN link.

Select the type of NAT to use for the traffic on the WAN link:

  • Interface—Use interface-based NAT, which is the default setting.

  • Pool—Use pool-based NAT. If you select this option, you must specify the IP addresses that are to be used for the NAT pool.

IP Addresses

For pool-based NAT, enter one or more IP addresses, subnets, or an IP address range. Separate multiple IP addresses by using commas and use a hyphen to denote a range; for example, 192.0.2.1-192.0.2.50.

Note: No NAT is performed for tenant-owned public IP addresses that were added during the tenant addition workflow.
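As an added example (not CSO code), the following parser validates a value for the pool-based NAT IP Addresses field in the format described above (single addresses, subnets in CIDR notation, and hyphenated ranges separated by commas) before it is turned into a NAT policy, and flags overlapping entries, which usually indicate a typo. The function names are assumptions.

```python
import ipaddress

# Added example, not part of the CSO documentation. Accepts the comma-separated
# pool syntax described for the "IP Addresses" field; names are assumptions.


def parse_nat_pool(text):
    """Return a list of (first, last) IPv4Address pairs, one per pool entry.

    Raises ValueError for empty or malformed entries, non-IPv4 values,
    and ranges whose end precedes their start.
    """
    entries = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty pool entry")
        if "-" in item:                              # range: start-end
            start_s, end_s = (p.strip() for p in item.split("-", 1))
            start = ipaddress.IPv4Address(start_s)
            end = ipaddress.IPv4Address(end_s)
            if end < start:
                raise ValueError(f"reversed range: {item}")
        elif "/" in item:                            # subnet in CIDR notation
            net = ipaddress.IPv4Network(item, strict=False)
            start, end = net.network_address, net.broadcast_address
        else:                                        # single address
            start = end = ipaddress.IPv4Address(item)
        entries.append((start, end))
    return entries


def pool_size(entries):
    """Total number of addresses the pool can translate to."""
    return sum(int(last) - int(first) + 1 for first, last in entries)


def overlapping(entries):
    """Return pairs of entries whose address spans overlap."""
    found = []
    for i, (a1, b1) in enumerate(entries):
        for a2, b2 in entries[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                found.append(((str(a1), str(b1)), (str(a2), str(b2))))
    return found


if __name__ == "__main__":
    # Constructed sample value using documentation address ranges.
    pool = parse_nat_pool("192.0.2.1-192.0.2.50, 198.51.100.0/30, 203.0.113.7")
    print(pool_size(pool), overlapping(pool))
```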

Preferred Breakout Link

If the WAN link is enabled for local breakout, click the toggle button to enable the WAN link as the most preferred breakout link.

If you disable this option, then the breakout link is chosen using ECMP (equal-cost multipath) from the available breakout links.

BGP Underlay Options

Note: BGP underlay routing is typically used by service providers, and can be configured only if local breakout is enabled for the WAN link.

Click the toggle button to enable BGP underlay routing.

When you enable BGP underlay routing, route advertisements to the primary Provider Edge (PE) node and, if configured, the secondary PE node occur as follows:

  • CSO advertises the WAN interface subnet.

  • If you configured pool-based translation, CSO advertises the NAT address pool.

Note: If underlay BGP is enabled for a WAN link, then the routes learnt from BGP are installed for local breakout; CSO does not generate the static default route.

Primary Neighbor

Displays the IP address that you entered for the gateway for the WAN link.

Secondary Neighbor

If you want to provide PE resiliency, you can configure a secondary PE node.

Enter the IP address of the secondary PE node.

Note: If the primary PE node goes down, then the secondary PE is used as the next hop. When the primary PE comes back up, the route next hops are changed to the primary PE.

eBGP Peer-AS-Number

Enter the autonomous system (AS) number for the external (EBGP) peer.

Note: If the peer AS number is not configured or the peer AS number that is configured is the same as that of the CPE site, then the BGP type is assumed to be internal BGP (IBGP).

Local AS Number

Enter the local AS number for the WAN link. When you configure this parameter, the local AS number is used for eBGP peering instead of the global AS number configured for the device.

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

Advertise Public LAN Prefixes

Click the toggle button to enable the advertisement of public LAN prefixes. This field is disabled by default.

If the tenant has a public IP address pool configured and you enable the advertisement of public LAN prefixes, then for LAN segments that are created with a subnet that falls under the tenant public IP address pool, CSO advertises the LAN subnet to the BGP underlay.

Note: When public LAN advertisement is enabled for the WAN link, public LAN prefixes are advertised through the BGP underlay towards MPLS or the Internet.

Use for Fullmesh

Click the toggle button to enable the WAN link to be part of a full mesh topology.

Configure the two additional fields that appear:

Mesh Overlay Link Type

If the WAN link is enabled for full mesh, select the type of encapsulation to be used for the overlay tunnels in the full mesh topology:

Note: For links with public IP addresses, we recommend that you use GRE over IPsec as the mesh overlay link type.

  • GRE_IPSEC—Use GRE over IPsec.

  • GRE—Use GRE. This option is available only for MPLS links.

Mesh Tag

If the WAN link is enabled for full mesh, select the mesh tag for the WAN link.

Note: The tunnels between two on-premise spoke sites or an on-premise spoke site and an enterprise hub site are added based on matching mesh tags. So, if you want meshing to take place between such sites, the mesh tags must be the same for both sites.

For more information about mesh tags, see Mesh Tags Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Use for OAM traffic

Click the toggle button to enable the use of the WAN link for OAM traffic. The WAN link is then used to establish an OAM tunnel for communication between the enterprise hub site and CSO.

You must configure at least one WAN link to be used for OAM traffic. To ensure redundancy, we recommend that you configure at least two WAN links that can be used for OAM traffic. In addition, for added management redundancy, use two links with different transport paths.

Backup Link

Select a backup link through which traffic can be routed when the primary (other) links are unavailable. You can select any link other than the default links or links that are configured exclusively for local breakout traffic.

When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, SLA data is not monitored for the backup link.

Default Link

Select one or more links that will be used for routing traffic in the absence of matching SD-WAN policy intents. A site can have multiple default links to the hub site.

Default links are used primarily for overlay traffic but can also be used for local breakout traffic. However, a default link cannot be used exclusively for local breakout traffic. If you do not specify a default link, then ECMP is used to choose the link on which to route traffic.

Data VLAN ID

Enter a VLAN ID for the WAN link.

Range: 0 through 4049 (4050 to 4094 is reserved by CSO).

Note:

  • If you are configuring more than one WAN link on the same physical interface, only one WAN link can be untagged; for the remaining WAN links, you must configure a VLAN ID.

  • A combination of tagged and untagged on the same physical interface is supported only for single CPE devices.

WAN_1 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields.

WAN_2 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields.

WAN_3 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields.

Management Connectivity

We recommend that you don’t configure this setting (leave the IP Prefix field blank) because management connectivity is handled automatically by CSO.

Additional Configuration

If you want to deploy additional configuration during the ZTP process, you can select one or more configuration templates and set the parameters for each template.

Configuration Templates List

To deploy configuration templates during ZTP:

  1. Select one or more configuration templates from the list that you want to deploy on the device during ZTP.
  2. Click Set Parameters.

    The Device Configurations page appears. The names and configuration parameters of the configuration templates that you selected are displayed in the Configure tab.

  3. For each configuration template, enter values for the parameters.
  4. (Optional) Click the Summary tab to view the Junos OS configuration commands that will be deployed on the device for the different configuration templates.
  5. Click Save.

    You are returned to the WAN tab. The Junos OS configuration commands will be deployed on the device during the ZTP process.

Table 4: LAN Segment Settings (Add On-Premise Spoke)

Field

Guideline

Name

Enter a unique name for the LAN segment, which can contain alphanumeric characters and underscores (_), and cannot exceed 15 characters.

VLAN ID

Enter the VLAN ID for the LAN segment.

Range: 2 through 4093.

Department

Select a department to which the LAN segment is assigned.

Alternatively, click Create Department to add a new department and configure the fields required to add a department.

You can group LAN segments as departments for ease of management and for applying policies at the department level. For LAN segments that are dynamically routed, you can assign only a data center department.

Gateway Address/Mask

Enter a valid gateway IP address and subnet mask for the LAN segment. This address will be the default gateway for the endpoints in this LAN segment.

For example: 192.0.2.8/24.

DHCP

Click the toggle button to enable the DHCP server running on the CPE device to assign IPv4 addresses to the LAN segment. When you enable DHCP, you must configure the additional fields that appear on the page:

  • Address Range Low—Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

  • Address Range High—Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

  • Maximum Lease Time—Specify the maximum duration (in seconds) for which a client can request and hold a lease on the DHCP server.

  • Name Server—Specify one or more IPv4 addresses of the DNS server.

CPE Ports

Select the ports (on the CPE device) that you want to include as part of the LAN segment.