
    Topology of the Cloud CPE Solution

    Topology of the Solution

    Figure 1 shows the topology of the Cloud CPE solution. One Contrail Service Orchestration installation can support both a centralized deployment and a distributed deployment, although service providers can also choose to implement only one of these deployments.

    Figure 1: Cloud CPE Solution Topology


    Service providers use the central server to set up the deployment through Administration Portal and create network services through Network Service Designer. Similarly, customers activate and manage network services through their own dedicated view of Customer Portal on the central server.

    Centralized Deployment

    Figure 2 illustrates the topology of a centralized deployment. Customers access network services in a regional cloud through a Layer 3 VPN.

    Figure 2: Centralized Deployment Topology


    The central and regional POPs contain one or more Contrail Cloud Platform installations. VNFs reside on Contrail compute nodes in the Contrail Cloud Platform and service chains are created in Contrail. You can choose whether to use a dedicated OpenStack Keystone on the central infrastructure server or the OpenStack Keystone on the Contrail controller node in the central POP to authenticate Contrail Service Orchestration operations. The Contrail Cloud Platform provides Contrail Analytics for this deployment.

    The MX Series router in the Contrail Cloud Platform is an SDN gateway and provides a Layer 3 routing service to customer sites through use of virtual routing and forwarding (VRF) instances, known in Junos OS as Layer 3 VPN routing instances. A unique routing table for each VRF instance separates each customer’s traffic from other customers’ traffic. The MX Series router is a PNE.

    Sites can access the Internet directly, through the central POP, or both. Data traveling from one site to another passes through the central POP.

    Distributed Deployment

    Figure 3 illustrates the topology of a distributed deployment.

    Figure 3: Distributed Deployment Topology


    Each site in a distributed deployment hosts a CPE device on which the vSRX application is installed to provide security and routing services. The Cloud CPE solution supports the following CPE devices:

    • NFX250 Network Services Platform
    • SRX Series Services Gateway
    • vSRX implementation on an x86 server

      The vSRX CPE device can reside at a customer site or in the service provider cloud. In both cases, you configure the site in Contrail Service Orchestration as an on-premise site. Authentication of the vSRX as a CPE device takes place through SSH.

    An MX Series router in each regional POP acts as an IPsec concentrator and provider edge (PE) router for the CPE device. An IPsec tunnel, with endpoints on the CPE device and MX Series router, enables Internet access from the CPE device. Data flows from one site to another through a GRE tunnel with endpoints on the PE routers for the sites. The distributed deployment also supports SD-WAN functionality for traffic steering, based on 5-tuple (source IP address, source TCP/UDP port, destination IP address, destination TCP/UDP port, and IP protocol) criteria.

    Network administrators can configure the MX Series router, the GRE tunnel, and the IPsec tunnel through Administration Portal. Similar to the centralized deployment, the MX Series router in the distributed deployment is a PNE.

    The CPE device provides the NFVI, which supports the VNFs and service chains. Customers can configure sites, CPE devices, and network services with Customer Portal.

    The OpenStack Keystone resides on the central infrastructure server and Contrail Analytics resides on a dedicated server.

    SD-WAN Edge Deployment

    You can extend a distributed deployment to provide SD-WAN Edge functionality. Figure 4 illustrates the topology of this deployment.

    Figure 4: SD-WAN Edge Topology


    An MX Series router in each regional POP acts as a PE router for the CPE devices. An SRX Series Services Gateway acts as an IPsec concentrator for the CPE device and as an SD-WAN gateway. The customer can configure application-based routing (APBR) and IP monitoring on the CPE device through Customer Portal. Traffic is then routed according to the rules the end user defines.

    In addition, you can configure connections from a CPE device to two PE routers and two IPsec tunnels to provide redundancy. If the end user does not configure APBR, Contrail Service Orchestration provides load balancing of traffic between the two IPsec tunnels.

    Modified: 2017-02-05