Adding and Provisioning Switches to Provide LAN Capability to a Site Overview

You can use Contrail Service Orchestration (CSO) to provision, deploy, and monitor EX Series switches in branch deployments of enterprise networks. You can deploy an EX Series switch by connecting to a Customer Premise Equipment (CPE) (SRX Series devices only) functioning as a secure SD-WAN router or next-generation firewall. You can also connect the EX Series switch to a third-party Internet gateway device.

CSO Release 5.1.0 supports only EX2300, EX3400, EX4300, EX4600, and EX4650 Series as physical switches and only EX2300, EX3400, and EX4300 as virtual chassis (VC).

You can provision a switch on a branch network by using CSO in one of the following ways:

Standalone Switch Overview

Figure 2 shows a site with LAN capability managed by CSO.

Figure 2: Site With LAN Capability (Standalone Switch)

Site With LAN Capability
(Standalone Switch)

In Figure 2, the EX Series switch is connected to CSO through an internet gateway. The gateway can be a device from a manufacturer other than Juniper Networks.

When provisioning a standalone switch (physical or VC), you can use either ZTP (if the EX Series switch supports Phone-Home client) or manually configure the stage-1 configuration on the switch. See Adding an On-Premise Spoke Site with LAN Capability for details.


Switch Behind a CPE or Next Generation Firewall Overview

Figure 3 shows a site with SD-WAN and LAN capabilities managed by CSO.

Figure 3: Site with LAN and SD-WAN Capabilities

Site with LAN and SD-WAN

Figure 3 shows an example of a switch configured behind a CPE where the switch is connected to two LAN segments (LAN1 and LAN2) and the CPE. The CPE is connected to a LAN segment (LAN3) and to the EX Series switch. The switch can also be connected to a next-generation firewall as shown in Figure 4.

Figure 4: Site with LAN and Next-Generation Firewall Capabilities

Site with LAN and Next-Generation
Firewall Capabilities

Note You cannot add a LAN segment to the next-generation firewall by using CSO.

The switch and the CPE or firewall can be connected through a trunk port. However, you can use two trunk ports to connect the CPE and the switch and combine them to form a Link Aggregation Group (LAG) for higher throughput and redundancy. Traffic from LAN segments connected to the switch are routed to the CPE or firewall through the trunk ports for further routing into WAN.

You can manage the switch by in-band management, where in, the trunk ports carry the management traffic in addition to data.

Note The ae0 port of the SRX Series device is configured as the trunk port for communication with the switch.

The DHCP server, configured on the CPE or firewall, runs on the trunk ports to:

During ZTP of a site with both WAN and LAN capabilities, the switch is provisioned after the CPE or firewall is provisioned.

When you add a switch to an already provisioned site, CSO redeploys the stage-2 configuration on the CPE or firewall to configure DHCP and LAG. The DHCP configuration enables management connectivity to the switch and allows CSO to discover and provision the switch.

Monitoring Switches Overview

You can monitor the following for an EX Series switch on the Device-Name page (Resources > Devices):