
Configure SD-WAN Branch Sites

 

Explanation of Procedure

The high-level workflow for configuring the SD-WAN branch sites is as follows:

  1. Add two SD-WAN branch sites.
  2. After the two SD-WAN branch sites are provisioned successfully, perform the post-provisioning tasks as explained in Post-Provisioning Tasks for the Branch Sites.

Add Branch (SD-WAN CPE) Sites

An on-premises spoke (branch) site represents an endpoint, such as the customer premises equipment (CPE) device at a physical location like a branch office. Typically, branch sites connect to hub sites over overlay tunnels.

Note

Before you add the SD-WAN branch sites, check the cable connections, review the NAT and firewall ports and protocols, and check the Junos OS version of the SD-WAN CPE device. For details, see Supported Devices, and Ports and Protocols to Open.

In this use case, we have two branches in our topology. So, you need to add two branch sites.

To add branch sites with SD-WAN capability:

  1. Click Resources > Site Management.

    The Sites page appears.

  2. Click Add, and select Branch Site (Manual).

    The Add Branch Site wizard appears, displaying the General settings to be configured.

    Note

    Fields marked with an asterisk (*) are mandatory.

  3. Configure the General settings as explained in Table 12, and click Next.

    You are taken to the WAN section of the workflow.

  4. Configure the WAN settings as explained in Table 14, and click Next.

    You are taken to the LAN section of the workflow.

  5. Add a LAN segment:
    1. Click the Add (+) icon.

      The Add LAN Segment page appears.

    2. Configure the LAN segment settings as explained in Table 15.
    3. Click OK.

      You are returned to the LAN section of the workflow and the LAN segment that you added is displayed.

  6. Click Next.

    You are taken to the Summary section of the workflow.

  7. Review the configuration in the Summary section and, if required, modify the settings.
  8. Click Finish.

    The Site Activation: Branch-Site-Name page appears. The activation of the site proceeds through the tasks as previously explained in Table 7.

    Note

    The time taken for site activation varies depending on the device that CSO is activating.

  9. Click OK to close the Site Activation page.

    Note

    If you don’t want to wait for the site activation tasks to finish, you can close the Site Activation page and monitor the status of the site activation from the Jobs page.

  10. Repeat the steps starting from Step 2 for the second branch site.

Table 12: General Information (Add Branch Site)

Field

Guideline

Site Information

Site Name

Enter a unique name for the site. The name can contain alphanumeric characters, and hyphens (-) and cannot exceed 10 characters.

Site Group

Use the default setting (None), which indicates that you’re not using site groups.

Site Capabilities

 

Site Capabilities

For this deployment, choose Secure SD-WAN Advanced. The following SD-WAN service types are available:

  • Secure SD-WAN Essentials—(Available for tenants with SD-WAN Essentials service level) Provides basic SD-WAN services. This service is ideal for small enterprises that want to manage simple WAN connectivity with comprehensive NGFW security services at the branch sites, using link-based application steering. The SD-WAN Essentials service allows Internet traffic to break out locally, and thus avoids the need to backhaul web traffic over costly VPN or MPLS links. The SD-WAN Essentials service does not support multihoming, dynamic mesh tunnels, cloud breakout profiles, SLA-based steering profiles, pool-based source NAT rules, IPv6, MAP-E, or underlay BGP.

  • Secure SD-WAN Advanced—(Available for tenants with SD-WAN Advanced service level) Provides complete SD-WAN services. This service is ideal for enterprises with one or more data centers that require flexible topologies and dynamic application steering. Site-to-site connectivity can be established through a hub in a hub-and-spoke topology or through static or dynamic full mesh VPN tunnels.

Configuration

You must configure at least one hub to which the branch site connects. The supported combinations are listed in Table 13.

Primary Enterprise Hub

Select the enterprise hub site that you previously configured.

Note: Because the SD-WAN enterprise topology includes only one enterprise hub, we’re configuring only the primary enterprise hub for the branch site.

Address and Contact Information

Enter the address of the branch site and contact information in the fields provided. Although it is not mandatory, providing an address lets you visualize where the site is located on the geographical map on the Monitor Overview page.

Advanced Configuration

For the DNS and NTP servers, you can either use the defaults or specify DNS and NTP servers.

Domain Name Server

Specify the IPv4 addresses of one or more DNS servers.

NTP Server

If needed, specify the IP addresses of one or more NTP servers.

Select Timezone

Select a time zone for the site.

Table 13: Supported Combinations of Provider and Enterprise Hubs

Provider Hubs Specified    Enterprise Hubs Specified
Primary                    None
Primary                    Primary
Primary                    Primary and Secondary
Primary and Secondary      None
Primary and Secondary      Primary
Primary and Secondary      Primary and Secondary
None                       Primary
None                       Primary and Secondary

Note

Secure SD-WAN Essentials service does not support secondary hubs.
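The following Python script is an added example, not part of the CSO documentation or product. It encodes the General settings constraints stated in Table 12 and Table 13 (site name length and character set, the supported provider/enterprise hub combinations, no secondary hub for SD-WAN Essentials, IPv4 DNS and NTP servers) as a pre-flight check you can run on a planned site entry before typing it into the wizard. The dictionary keys (name, capability, provider_hub_primary, and so on) are hypothetical names chosen for this example, not CSO field identifiers.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Supported (provider hubs, enterprise hubs) combinations from Table 13.
# "none" means no hub of that kind was specified.
SUPPORTED_HUB_COMBINATIONS = {
    ("primary", "none"),
    ("primary", "primary"),
    ("primary", "primary+secondary"),
    ("primary+secondary", "none"),
    ("primary+secondary", "primary"),
    ("primary+secondary", "primary+secondary"),
    ("none", "primary"),
    ("none", "primary+secondary"),
}

# Table 12: alphanumeric characters and hyphens, at most 10 characters.
SITE_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,10}$")


def hub_selection(primary, secondary):
    """Collapse a primary/secondary hub pair into the Table 13 vocabulary."""
    if secondary and not primary:
        return "invalid"  # a secondary hub without a primary appears in no row of Table 13
    if primary and secondary:
        return "primary+secondary"
    if primary:
        return "primary"
    return "none"


def validate_general_settings(site):
    """Return a list of problems with a planned General settings entry.

    `site` is a dict with hypothetical keys: name, capability ("essentials" or
    "advanced"), provider_hub_primary, provider_hub_secondary,
    enterprise_hub_primary, enterprise_hub_secondary, dns_servers, ntp_servers.
    An empty list means the entry satisfies the constraints in Tables 12 and 13.
    """
    problems = []

    if not SITE_NAME_RE.match(site.get("name", "")):
        problems.append("site name must be 1-10 alphanumeric characters or hyphens")

    provider = hub_selection(site.get("provider_hub_primary"),
                             site.get("provider_hub_secondary"))
    enterprise = hub_selection(site.get("enterprise_hub_primary"),
                               site.get("enterprise_hub_secondary"))
    if (provider, enterprise) not in SUPPORTED_HUB_COMBINATIONS:
        problems.append(f"hub combination provider={provider}, "
                        f"enterprise={enterprise} is not listed in Table 13")

    # Note under Table 13: Secure SD-WAN Essentials does not support secondary hubs.
    if site.get("capability") == "essentials" and (
        site.get("provider_hub_secondary") or site.get("enterprise_hub_secondary")
    ):
        problems.append("SD-WAN Essentials sites cannot use a secondary hub")

    # DNS and NTP servers are given as IPv4 addresses.
    for field in ("dns_servers", "ntp_servers"):
        for addr in site.get(field, []):
            try:
                IPv4Address(addr)
            except AddressValueError:
                problems.append(f"{field}: {addr!r} is not an IPv4 address")

    return problems


if __name__ == "__main__":
    # Constructed entry matching this use case: one enterprise hub, Advanced service.
    planned = {"name": "Branch-1", "capability": "advanced",
               "enterprise_hub_primary": "Ent-Hub", "dns_servers": ["192.0.2.53"]}
    print(validate_general_settings(planned) or "General settings OK")
```

Run the script on each planned site before opening the wizard; a non-empty list tells you which field the wizard will reject or which hub selection Table 13 does not allow.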

Table 14: WAN Settings (Add Branch Site)

Field

Guideline

Device Template

 

Device Series

Select the device series of the CPE device; for example, SRX.

Based on the device series that you selected, the supported device templates are displayed.

Ensure that you select the correct device template from the carousel.

For example, for an SRX300 device, select SRX as SD-WAN CPE (or a modified version of that template) as the device template.

Device Information

 

Serial Number

Enter the serial number of the device.

Auto Activate

This setting is enabled by default in device templates, so verify that automatic activation is enabled.

Boot Image

If you want to upgrade the branch CPE device to the latest supported Junos OS version, select the boot image from the list. The boot image is used to upgrade the device when CSO starts the ZTP process.

If you don't specify a boot image, which is the default selection (Use Image on Device) in the list, then CSO skips the procedure to upgrade the device during ZTP.

WAN Links

You can configure a maximum of four WAN links. In this use case, we’ll configure two WAN links: one Internet and one MPLS.

WAN_0 (WAN-Interface-Name)

The first WAN link is enabled by default.

Note: Fields marked with an asterisk (*) must be configured to proceed.

Only the fields relevant to this use case are documented here; use the default settings for the rest of the fields.

Link Type

Like we did for the enterprise hub site, for the first WAN link, we use the default (Internet) for the underlay network type to ensure reachability to the redirect server.

Access Type

Select Ethernet as the access type.

PPPoE

Use the default setting, which is to disable PPPoE for the WAN link.

Egress Bandwidth

Enter the maximum egress bandwidth (in Mbps) allowed for the WAN link.

Underlay Address Families

IPv4

By default, IPv4 address assignment is enabled for the WAN link.

The WAN link requires an IPv4 address to connect to an IPv4 network.

Address Assignment Method

Select the method for assigning an IP address to the WAN link:

  • If you select DHCP, the IP address is provided by using the DHCP server of the WAN link’s service provider.

  • If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link.

    • Static IP Prefix—Enter the IPv4 address prefix of the WAN link; for example, 192.0.2.8/24.

    • Gateway IP Address—Enter the IP address of the gateway of the WAN link’s service provider.

IPv6

Use the default setting, which is to disable IPv6 address assignment for the WAN link.

Advanced Settings

Only the settings that need to be configured for this WAN link are included here.

Address Family (Tunnel Creation)

Displays the underlay address family (IPv4) that is used to establish the overlay tunnel.

Provider

Enter the name of the WAN link’s service provider.

Cost/Month

Leave this as the default because this field is currently not used in CSO.

Enable Local Breakout

Click the toggle button to enable the WAN link to be used for local breakout. Local breakout is an SD-WAN feature that enables Internet links to break out traffic directly from a site. For example, if you want to provide guests who visit your enterprise with Internet access, you can use local breakout to break out guest traffic locally from the site directly to the Internet.

Note: If you enable local breakout, the WAN link can be used for local breakout. To enable traffic to break out from the site, you must also configure a breakout profile, reference that profile in an SD-WAN policy intent, and deploy the SD-WAN policy. Because traffic that breaks out locally leaves the site directly and does not traverse the hub, the firewall policy that you deploy to the branch site during post-provisioning is what controls that traffic.

If you enable local breakout, additional fields appear:

  • Breakout Options: Retain the default setting of using the WAN link for both breakout and WAN traffic.

  • Autocreate Source NAT Rule: When you enable local breakout on a link, this setting is enabled. Retain the default setting.

    Enabling this setting triggers automatic creation of source NAT rules for the site.

    If NAT is not enforced by a separate device in your network (for example, an Internet gateway firewall), then we recommend that you enable this setting because it allows CSO to automatically create a NAT policy for the site.

  • Translation: Select the type of NAT to be used on the traffic on the WAN link. For this use case, retain the default setting (Interface).

  • Preferred Breakout Link: Retain the default setting (Disabled).

  • Retain the default settings for the rest of the local breakout parameters.

Use for Fullmesh

Click the toggle button to enable the WAN link to be part of a full mesh topology.

Configure the two additional fields that appear:

  • Mesh Overlay Link Type: Retain the default selection (GRE over IPsec) as the type of encapsulation to be used for the overlay tunnels in the full mesh topology.

    Note: For links with public IP addresses, we recommend that you use GRE over IPsec as the mesh overlay link type.

  • Mesh Tags: Select a mesh tag for the WAN link.

Note: For branch sites, you can select only one mesh tag, so ensure that you select the correct mesh tag.

The tunnels between the enterprise hub and the branch site or between two branch sites are added based on matching mesh tags.

Even if you enable this option, sites with SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

Use for OAM traffic

Click the toggle button to enable the use of the WAN link for OAM traffic. The WAN link is then used to establish an OAM tunnel for communication between the branch site and CSO.

Like we did with the enterprise hub site, to ensure redundancy, we recommend that you configure at least two WAN links that can be used for OAM traffic.

WAN_1 (WAN-Interface-Name)

Click the toggle button to configure a second WAN link. Fields related to the WAN link appear.

Note: Only the fields for which the settings are different from the first WAN link are listed here. For the rest of the fields, see the explanations for the first WAN link.

Link Type

For the second WAN link, select MPLS as the link type.

Egress Bandwidth

Configure this field similar to the way that you did for the first WAN link.

Address Assignment Method

Similar to what you configured for the first WAN link, select a method for assigning an IP address to the WAN link.

Advanced Settings

 

Provider

Enter the name of the WAN link’s service provider.

Cost/Month

Leave this as the default because this field is currently not used in CSO.

Enable Local Breakout

Because local breakout is already enabled on the first WAN link, make sure that the toggle is disabled for the second WAN link so that it is not used for local breakout.

Use for Fullmesh

Click the toggle button to enable the WAN link to be part of a full mesh topology.

Configure the fields that appear, as explained for the first WAN link.

Use for OAM Traffic

To ensure redundancy for OAM tunnels, click the toggle button to enable the WAN link to be used for sending OAM traffic.

DVPN Threshold for Tunnel Creation

Use the defaults for the on-demand VPN thresholds.

Note: Sites with Secure SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

DVPN Threshold for Tunnel Deletion

Use the defaults for the on-demand VPN thresholds.

Note: Sites with Secure SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

OAM IP Prefix

We recommend that you don’t configure this setting (leave the IP Prefix field blank) because management connectivity is handled automatically by CSO.
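The following Python script is an added example, not part of the CSO documentation or product. It checks a planned set of WAN links against the constraints in Table 14 (at most four links, an Internet underlay on the first link for redirect-server reachability, a static gateway that lies in the static prefix, a positive egress bandwidth, exactly one mesh tag per branch link, and at least two OAM-capable links for redundancy) and then works out which overlay tunnels the matching mesh tags would produce between sites. The link dictionary keys and the mesh tag names ("Internet", "MPLS") are hypothetical choices for this example, not CSO identifiers.

```python
from ipaddress import IPv4Interface, IPv4Address, AddressValueError

MAX_WAN_LINKS = 4  # Table 14: a maximum of four WAN links per site


def validate_wan_links(links):
    """Check a branch site's WAN link plan; return a list of problems (empty = OK).

    Each link is a dict with hypothetical keys: name, link_type ("Internet" or
    "MPLS"), assignment ("DHCP" or "STATIC"), static_prefix and gateway (STATIC
    only), egress_mbps, local_breakout, fullmesh, mesh_tags (list) and oam.
    """
    problems = []
    if not 1 <= len(links) <= MAX_WAN_LINKS:
        problems.append(f"a site needs 1 to {MAX_WAN_LINKS} WAN links, got {len(links)}")

    for link in links:
        name = link["name"]
        if link.get("assignment") == "STATIC":
            try:
                iface = IPv4Interface(link["static_prefix"])
                gw = IPv4Address(link["gateway"])
            except (KeyError, ValueError) as exc:  # AddressValueError is a ValueError
                problems.append(f"{name}: static prefix/gateway unusable ({exc})")
                continue
            # The provider gateway must be another address inside the link's prefix.
            if gw not in iface.network or gw == iface.ip:
                problems.append(f"{name}: gateway {gw} is not a distinct address in {iface.network}")
        if not link.get("egress_mbps", 0) > 0:
            problems.append(f"{name}: egress bandwidth must be a positive Mbps value")
        # Branch sites can select only one mesh tag per WAN link.
        if link.get("fullmesh") and len(link.get("mesh_tags", [])) != 1:
            problems.append(f"{name}: a branch WAN link carries exactly one mesh tag")

    # The first link keeps the Internet underlay so the CPE can reach the redirect server.
    if links and links[0].get("link_type") != "Internet":
        problems.append(f"{links[0]['name']}: first WAN link should use the Internet underlay")
    # OAM tunnel redundancy: at least two links should carry OAM traffic.
    if sum(1 for link in links if link.get("oam")) < 2:
        problems.append("fewer than two WAN links carry OAM traffic; the OAM tunnel has no redundancy")
    return problems


def mesh_peers(sites):
    """Return (site_a, link_a, site_b, link_b) tuples whose mesh tags match.

    Tunnels between the hub and a branch, or between two branches, are added
    based on matching mesh tags on links enabled for full mesh. `sites` maps a
    site name to its list of WAN link dicts.
    """
    pairs = []
    names = sorted(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for la in sites[a]:
                for lb in sites[b]:
                    if (la.get("fullmesh") and lb.get("fullmesh")
                            and set(la["mesh_tags"]) & set(lb["mesh_tags"])):
                        pairs.append((a, la["name"], b, lb["name"]))
    return pairs


if __name__ == "__main__":
    # Constructed plan matching this use case: WAN_0 Internet/DHCP, WAN_1 MPLS/static.
    wan0 = {"name": "WAN_0", "link_type": "Internet", "assignment": "DHCP", "egress_mbps": 100,
            "local_breakout": True, "fullmesh": True, "mesh_tags": ["Internet"], "oam": True}
    wan1 = {"name": "WAN_1", "link_type": "MPLS", "assignment": "STATIC",
            "static_prefix": "192.0.2.8/24", "gateway": "192.0.2.1", "egress_mbps": 50,
            "local_breakout": False, "fullmesh": True, "mesh_tags": ["MPLS"], "oam": True}
    print(validate_wan_links([wan0, wan1]) or "WAN plan OK")
    hub = [{"name": "WAN_0", "fullmesh": True, "mesh_tags": ["Internet"]},
           {"name": "WAN_1", "fullmesh": True, "mesh_tags": ["MPLS"]}]
    for pair in mesh_peers({"Branch-1": [wan0, wan1], "Branch-2": [wan0, wan1], "Ent-Hub": hub}):
        print("tunnel:", pair)
```

The mesh_peers output is the practical check for the mesh tag note above: if a branch link's single tag matches nothing on the hub, no tunnel is listed for it, which is the symptom you would otherwise only discover after activation.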

Table 15: LAN Segment Settings (Add Branch Site)

Field

Guideline

Name

Enter a unique name for the LAN segment, which can contain alphanumeric characters and underscores (_), and cannot exceed 15 characters.

CPE Port

Note: Applicable to SRX Series devices.

Select the CPE port to be added in the LAN segment.

Department

Select a department to which the LAN segment is assigned.

Alternatively, click Create Department to add a new department.

On the Add Department page that appears, enter a name for the department (for example, IT-Dept), and click OK to add the department.

The department is added and the department name is displayed in the Department field.

Gateway Address/Mask

Enter a valid gateway IP address and subnet mask for the LAN segment. This address will be the default gateway for the endpoints in this LAN segment.

For example: 192.0.2.8/24.

DHCP

Click the toggle button to enable the DHCP server running on the CPE device to assign IPv4 addresses to the LAN segment. When you enable DHCP, you must configure the additional fields that appear on the page:

  • Address Range Low—Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

  • Address Range High—Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

  • Maximum Lease Time—Specify the maximum duration (in seconds) for which a client can request and hold a lease on the DHCP server.

  • Name Server—Specify one or more IPv4 addresses of the DNS server.

CPE Ports

Note: Applicable to NFX150 and NFX250 devices.

Select the ports (on the CPE device) that you want to include as part of the LAN segment.
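The following Python script is an added example, not part of the CSO documentation or product. It validates a planned LAN segment against the constraints in Table 15: the name length and character set, a department being set, a usable gateway address/mask, and, when DHCP is enabled, an address range that lies inside the gateway's subnet, excludes the network and broadcast addresses, and does not contain the gateway itself (so the CPE never leases its own default-gateway address to a client). The dictionary keys are hypothetical names chosen for this example, not CSO field identifiers.

```python
import re
from ipaddress import IPv4Interface, IPv4Address, AddressValueError

# Table 15: alphanumeric characters and underscores, at most 15 characters.
LAN_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,15}$")


def validate_lan_segment(seg):
    """Validate a planned Add LAN Segment entry; return a list of problems (empty = OK).

    `seg` is a dict with hypothetical keys: name, department, gateway
    ("address/prefixlen"), dhcp (bool) and, when dhcp is true, range_low,
    range_high, max_lease_seconds and name_servers (list of IPv4 strings).
    """
    problems = []
    if not LAN_NAME_RE.match(seg.get("name", "")):
        problems.append("LAN segment name must be 1-15 alphanumeric characters or underscores")
    if not seg.get("department"):
        problems.append("a department must be selected or created")

    try:
        gw = IPv4Interface(seg["gateway"])
    except (KeyError, ValueError) as exc:  # AddressValueError is a ValueError
        problems.append(f"gateway address/mask unusable ({exc})")
        return problems
    net = gw.network
    if gw.ip in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw.ip} is the network or broadcast address of {net}")

    if seg.get("dhcp"):
        try:
            low = IPv4Address(seg["range_low"])
            high = IPv4Address(seg["range_high"])
        except (KeyError, AddressValueError) as exc:
            problems.append(f"DHCP range unusable ({exc})")
            return problems
        if low > high:
            problems.append("DHCP address range low is above address range high")
        for bound in (low, high):
            if bound not in net or bound in (net.network_address, net.broadcast_address):
                problems.append(f"DHCP range bound {bound} is not a host address in {net}")
        if low <= gw.ip <= high:
            problems.append(f"DHCP range includes the gateway {gw.ip}; "
                            "clients could be leased the gateway address")
        lease = seg.get("max_lease_seconds")
        if not isinstance(lease, int) or lease <= 0:
            problems.append("maximum lease time must be a positive number of seconds")
        for ns in seg.get("name_servers", []):
            try:
                IPv4Address(ns)
            except AddressValueError:
                problems.append(f"name server {ns!r} is not an IPv4 address")
    return problems


if __name__ == "__main__":
    # Constructed entry using the gateway example from Table 15.
    planned = {"name": "LAN_Users", "department": "IT-Dept", "gateway": "192.0.2.8/24",
               "dhcp": True, "range_low": "192.0.2.100", "range_high": "192.0.2.200",
               "max_lease_seconds": 86400, "name_servers": ["192.0.2.53"]}
    print(validate_lan_segment(planned) or "LAN segment OK")
```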

WHAT'S NEXT

After the SD-WAN branch sites are successfully provisioned, you must perform the post-provisioning tasks.

Post-Provisioning Tasks for the Branch Sites

After the two SD-WAN branch sites are successfully provisioned, perform the following post-provisioning tasks:

  1. Upload and install device licenses. See Upload and Install Device Licenses.
  2. Install the signature database. See Install the Signature Database.
  3. Add and deploy a firewall policy. See Add and Deploy Firewall Policy.
  4. Add an SD-WAN breakout profile for local Internet breakout. See Add SD-WAN Breakout Profile.

    Note

    As explained previously, adding breakout profiles is optional. If you choose not to break out traffic, you don’t need to add a breakout profile. In this use case, we add breakout profiles to show how you can configure local breakout.

  5. Add and deploy an SD-WAN policy intent. See Add and Deploy SD-WAN Policy Intent.

WHAT'S NEXT

After completing the post-provisioning tasks for the two SD-WAN sites, you can monitor the sites and devices; see Monitor Sites and Devices.