SD-WAN Sites

A typical SD-WAN site topology includes an on-premises spoke site and a hub site. A hub site can be an enterprise hub site, which is an SD-WAN site that is used to carry site-to-site traffic between on-premises spoke sites and to break out backhaul (central breakout) traffic from on-premises spoke sites.

An on-premises spoke site represents an endpoint that is part of a customer premises equipment (CPE) at some physical location such as a branch office or a point-of-sale (PoS) location. Typically, these points are connected using overlay connections to hub sites.

You can Add an Enterprise Hub Site for SD-WAN Deployments and one or more of the following on-premise spoke sites for SD-WAN:

SD-WAN On-Premise Spoke Site

Add an Enterprise Hub Site for SD-WAN Deployments

An enterprise hub is an SD-WAN site that is used to carry site-to-site traffic between on-premise spoke sites and to break out backhaul (central breakout) traffic from on-premise spoke sites.

To add an enterprise hub:

On the Sites page (Resources > Site Management) of the CSO portal, click Add, and select Enterprise Hub.
The Add enterprise hub for Tenant-Name page appears.
Complete the configuration settings according to the guidelines provided in Table 1.
Click OK.
When the site is successfully created, the Site Status on the Sites page changes to Provisioned.

If you did not enter serial number while creating the enterprise hub site, you must manually enter the serial number after adding the enterprise hub site, in order to activate the site. See Add Enterprise Hubs with SD-WAN Capability for more information.

Table 1: Enterprise Hub Site Settings

Field	Description
General
Site Name	Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.
Site Capabilities	SD-WAN capability is selected by default. You cannot clear the selection.
WAN
Device Series	Select the device series to which the CPE device belongs—SRX, NFX150, or NFX250.
Device Template	Select a device template for the selected device series. The device template contains information for configuring a device.
Serial Number	Enter the serial number of the CPE device. You can also add the enterprise hub site but activate the site later. If you do not enter the serial number of the CPE device when creating the enterprise hub site, you must enter it while activating the site, using the Activate Site link. See Add Enterprise Hubs with SD-WAN Capability for more information.
Auto Activate	If the selected device template supports auto authorization, Auto Activate is enabled. When Auto Activate is enabled, zero-touch provisioning of the device is automatically triggered when the site is added. The Activation Code field appears if the selected device template does not support auto authorization or if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device.
IP Prefix	Enter the IPv4 prefix to be used for the management network. This IP address must be unique across the entire management network. For NFX150 and NFX250 devices, if the `USE_SINGLE_SSH_TO_NFX` parameter is disabled in the device template, then enter the IP address prefix as /29 or lower based on the number of VNFs. For all other devices, enter the IP address prefix as /32.
WAN Links
WAN_0	This field is enabled by default. You can configure up to 4 WAN links as required.
Link Type	Select whether the link would be an MPLS link or Internet link. Note: If the enterprise hub and the SD-WAN branch site are not in the same network, that is if these devices are not directly reachable, select one link as Internet and assign a public IP to the Internet-type link.
Egress Bandwidth	Enter the maximum bandwidth, in Mbps, allowed on the WAN link. Range: 1 through 10,000.
Address Assignment	Select the method of assigning an IP address to the WAN link—DHCP or STATIC. If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link.
Static IP Prefix	If you configured the address assignment method as STATIC, enter the IP address prefix of the WAN link. Note: If the enterprise hub and the SD-WAN branch site are not in the same network, assign a public IP to the Internet-type link
Gateway IP Address	If you configured the address assignment method as STATIC, enter the IP address of the gateway of the WAN service provider.
Advanced Settings
Use For Fullmesh	Click the toggle button to specify whether the WAN link can be a part of a full mesh topology. A site can have a maximum of three links enabled for meshing.
Add LAN Segment
Name	Enter a name for the LAN segment. The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length is 15 characters.
Type	Select the type of LAN segment: Directly Connected—Indicates that the LAN segment is directly connected to the site. This is the default. Dynamic Routed—Indicates that the LAN segment is not directly connected to the site and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.
Department	Select a department to which the LAN segment is to be assigned. Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Add a Department for details. You group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department.
Gateway Address/Mask	Enter a valid gateway IP address and mask for the LAN segment; for example, 192.0.2.8/24.
CPE Ports	Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

Add an SD-WAN On-Premises Spoke Site

The following illustration shows a simple SD-WAN topology.

Before you add an on-premise spoke site:

Add an enterprise hub site.
Connect cables to the device according to your network design and power on the device.
Note
This task assumes that the device will get DHCP IP address and will have Internet connectivity along with DNS resolution when connected according to the network design.
For more information about connecting the cables and connecting the device to a console, see the documentation for the CPE device as listed in Table 2.
Ensure that ESP protocol traffic is allowed on the network.

Ensure that the ports listed in Table 2 are open on the network.

Note

Ensure that the devices are running the recommended version of Junos OS. For information about the supported Junos OS versions, see the Release Notes for that release.

Table 2: CPE Devices, Port Information, and Documentation Links

Device Model	NAT/Firewall Ports	CPE WAN Link Ports	Hardware Documentation
SRX4x000 devices	50 51 53 123 443 500 4500	`xe-0/0/0` `xe-0/0/1` `xe-0/0/2` `xe-0/0/3`	SRX4100 SRX4100 SRX4200 SRX4200
SRX3xx devices, SRX550M, and vSRX devices	50 51 53 123 443 500 4500	`ge-0/0/0` `ge-0/0/1` `ge-0/0/2` `ge-0/0/3`	SRX300 https://www.juniper.net/documentation/en_US/release-independent/junos/topics/topic-map/srx300-chassis.html SRX320 https://www.juniper.net/documentation/en_US/release-independent/junos/topics/topic-map/srx320-chassis.html SRX340 https://www.juniper.net/documentation/en_US/release-independent/junos/topics/topic-map/srx340-chassis.html SRX345 https://www.juniper.net/documentation/en_US/release-independent/junos/topics/topic-map/srx345-chassis.html SRX550M https://www.juniper.net/documentation/en_US/release-independent/junos/topics/topic-map/srx550-hm-chassis.html
NFX250	50 51 443 500 514 2216 3514 4500 7804	`ge-0/0/10` `ge-0/0/11` `xe-0/0/12` `xe-0/0/13`	NFX250 https://www.juniper.net/documentation/en_US/release-independent/junos/topics/topic-map/nfx250-chassis.html
NFX150	50 51 443 500 4500	`heth4` `heth5` `heth2` `heth3`	NFX150 https://www.juniper.net/documentation/en_US/release-independent/junos/topics/reference/specifications/chassis-nfx150-physical.html

If you are using a GRE-only overlay between an SRX CPE and a hub device, ensure that GRE Traffic is enabled between CPE and the hub device.

To add an on-premises spoke site for SD-WAN:

From the Sites page (Resources > Site Management) of the CSO portal, click Add and select On-Premises Spoke Site.
The Add Site wizard appears.
Complete the settings as explained in Table 3.

Click OK to add the site.

When the site is successfully created, the Site Status in the Sites page changes to Provisioned.

If you did not enter serial number while creating the on-premises spoke site, you must manually enter the serial number after adding the spoke site, in order to activate the site. See Add an On-Premises Spoke Site with SD-WAN Capability for more information.

Table 3: SD-WAN On-Premises Spoke Site Settings

Field	Description
General
Site Name	Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.
Site Capabilities	Select SD-WAN.
Primary Hub	Select an enterprise hub site as the primary hub from the list of available hub sites. If there is only one hub site available, that one is selected by default.
WAN
Device Series	Select the CPE device.
Device Template	Select a device template for the CPE device.
Serial Number	Enter the serial number of the CPE device. You can also add the on-premises spoke site but activate the site later. If you do not enter the serial number of the CPE device when creating the on-premises spoke site, you must enter it while activating the site, using the Activate Site link. See Add an On-Premises Spoke Site with SD-WAN Capability for more information.
Auto Activate	If the selected device template supports ZTP, Auto Activate is enabled. When Auto Activate is enabled, zero-touch provisioning of the device is automatically triggered when the site is added. The Activation Code field appears if the selected device template does not support ZTP or if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device.
Link Type	Select whether the link is an MPLS link or Internet link.
Access Type	Select the access type for the underlay link: If you’ve selected Internet as the link type, you can select Ethernet (default), LTE, ADSL, or VDSL as the access type. If you’ve selected MPLS as the link type, you can select Ethernet (default) or LTE as the access type. You can select the LTE, ADSL, or VDSL access type only for one WAN link. Note: You cannot configure LTE, ADSL, or VDSL as the access type if you are using the Dual SRX and Dual NFX device templates; Ethernet is configured as the access type for the underlay link. SRX300 does not support LTE and ADSL access types. On SRX300 line of Services Gateways (except SRX300 devices) and NFX150 devices, the LTE WAN link is supported through a SIM card that is inserted in the SIM slot of the Mini-Physical Interface Module (Mini-PIM). On NFX250 devices, the LTE WAN link is supported through a USB dongle (Vodafone K5160 dongle) that is plugged into the USB port of the CPE device.
PPPoE/PPP	Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet) or PPP (Point-to-Point Protocol). By default, this toggle button is disabled. PPPoE works with Ethernet, ADSL, and VDSL access types while PPP works with the LTE access type. Note: This toggle button is not available for Internet links with LTE as the access type. If you’ve enabled this toggle button, you must specify the PPPoE or PPP parameters (username, password, and authentication protocol) for the PPPoE or PPP server, respectively. The PPPoE or PPP server assigns an IP address to the WAN link after successful authentication. If you’ve disabled this toggle button, select a method (DHCP or STATIC) to assign an IP address to the WAN link from the Address Assignment list.
Access Point Name (APN)	If you choose to use a private APN with the current LTE service provider or to use a different LTE service provider, enter the APN for the CPE device (as specified by the service provider). This field is displayed only if you have enabled PPPoE/PPP for MPLS links with LTE as the access type. If you have disabled PPPoE/PPP for these links, CSO uses the default APN settings.
Egress Bandwidth	Specify the maximum bandwidth allocated for the WAN link. Note: This option is not available for Internet and MPLS links with LTE access type.
Address Assignment	Specify whether to use DHCP or Static addresses. If you select Static, specify a Static IP Prefix and Gateway IP Prefix. This field is displayed only if you have disabled the PPPoE/PPP toggle button.
Service Provider	Enter the name of the service provider.
Cost per month	Enter the per month cost of the link. This information is used to identify the least expensive link when link switch occurs.
LAN Segment
Add LAN Segment	Click to add a LAN segment.
Name	Enter a unique name for the LAN segment.
Gateway Address/Mask	Enter a valid gateway IP address andmask for the LAN segment; for example, 192.0.2.8/24.
Department	Select a department from the list; if no department is available, click Create Department and add one. A department is a grouping of LAN segments within a site. You use departments to apply specific policies to LAN segments that are members of a department.
CPE Port	Select at least one CPE port.

After the site is provisioned, you can complete the following tasks as required:

Upload and install licenses. For example, Administration > Licenses.
Install signatures. For example, Administration > Signature Database.
Add, edit, and deploy an SD-WAN policy. For example, Configuration > SD-WAN Policy .
Create and generate reports. For example, Reports > Report Definitions > SD-WAN.
Monitor alerts and alarms, SLA performance of tenants, and jobs. For example, Monitor > Jobs.

For more information about these tasks, see the Contrail Service Orchestration user guide at https://www.juniper.net/ documentation/product/en_US/contrail-service-orchestration.

SD-WAN Sites

Add an Enterprise Hub Site for SD-WAN Deployments

See also

Add an SD-WAN On-Premises Spoke Site