Contrail Service Orchestration
Contrail Service Orchestration (CSO) is an SD-WAN orchestration and management platform that uses automation and virtualization to connect sites together across the wide area, including local breakout where desired. CSO works with SRX Series and NFX Series devices to provide an agile, software-defined approach to site connectivity, supporting both hub-and-spoke and dynamic mesh architectures.
User traffic is routed across logical overlay networks that sit on the physical underlay infrastructure. As long as the remote WAN-facing devices have underlay connectivity, configuring or changing overlay WAN connectivity is as simple as pushing new configuration to the remote devices.
Managed service providers can use CSO to provide WAN connectivity solutions to their enterprise customers. Individual enterprises can use CSO to configure WAN connectivity for their own sites as well as manage and monitor application SLAs with intent-based policies.
CSO is available as a software-as-a-service (SaaS) and as a downloadable on-premises installation:
CSO-as-a-Service (CSOaaS) — A Juniper–provided SaaS installation in AWS. Juniper’s highly scalable CSO installation in AWS is available for customers to use by subscription. Juniper provides subscribers with access to a portal where they can log in to CSO to manage their own networks. Managed service providers and individual enterprises subscribe to this cloud-based service.
CSO On-Premises — A software package that you purchase once and install on your own compute infrastructure. Managed service providers and large enterprises who want complete control over their installation choose this option.
If you are a managed service provider who wants both the convenience of a CSOaaS solution and the control of a CSO on-premises installation (possibly due to regulatory or compliance requirements), contact Juniper Networks to learn more about a dedicated CSOaaS product.
CSOaaS reduces the complexity and overhead involved in managing the servers, virtual machines, and orchestration and management infrastructures needed to run CSO. As shown in Figure 1, Juniper Networks is responsible for the CSO installation and all of the back-end CSO infrastructure. Managed service providers subscribe to CSOaaS and provide their enterprise customers with an SD-WAN service. Individual enterprises subscribe to CSOaaS to use SD-WAN to manage their own network connectivity.
Figure 2 shows CSO in an on-premises deployment. The managed service provider who installs and deploys CSO has full control and responsibility for the entirety of the CSO deployment.
In both cases, managed service providers supply their own POP infrastructure including the provider data hub devices that break out customer traffic to the provider network. For the CSO on-premises installation, the managed service provider additionally supplies the provider OAM hub that terminates secure OAM connections from remote sites and forwards the tunneled OAM traffic to CSO. A single SRX series device can simultaneously support the provider data hub and provider OAM hub roles.
Here are the highlights of the CSO solution:
End-to-end management and orchestration – Feature rich, horizontally scalable, easy-to-use, microservices-based orchestration platform
Integrated Security – Full security suite with NGFW, UTM, and more, with all traffic in encrypted tunnels
Single Orchestrator – CPE zero touch provisioning, VNF and PNF deployment, managed security, SD-WAN services
Adherence to open standards – Not book-ended, easily interoperable with existing service provider and enterprise infrastructure and third-party CPEs through open APIs and protocols, with software deployable on public as well as private clouds
Full routing and MPLS stacks – Support for BGP/OSPF/IS-IS/MPLS/VRRP, etc. on WAN and LAN; scalable architecture with distributed SD-WAN hubs
Carrier grade appliance – Innovative branch device (NFX Series) with service chaining support for 3rd-party VNFs
CSO provides the automation of Layer 3 connectivity as well as distributed Layer 4 to Layer 7 services. This implementation uses intelligent CPE devices located at branch sites to connect to hub devices as well as other branch sites. Traffic can flow from a branch site to a hub site, between branch sites directly, and break out from a branch or hub site to the Internet.
Figure 3 shows a basic SD-WAN model with two sites connected through two different networks, and with the WAN access at both sites controlled by an SD-WAN controller.
The CSO SD–WAN solution brings SDN–like capabilities to managed service providers and enterprises, offering agility, automation, and rapid automated recovery from failed WAN links, while containing WAN service costs. You can add connectivity options such as broadband or cellular Internet connections to your existing IP/MPLS VPN services, allowing you to prioritize critical traffic across the connections, as well as move traffic proactively to a backup link if the primary link’s quality degrades enough to put a service–level agreement (SLA) at risk.
CSO Next Generation Firewall (NGFW)
You can use CSO to deploy a standalone next-generation firewall (NGFW) device at remote branch spoke sites. NGFW deployment provides remote network security through the use of SRX Series devices as customer-premises equipment (CPE) at a spoke site. This solution offers managed security and LAN visibility to a single location without providing CSO-managed site-to-site connectivity or VNFs, like the CSO SD-WAN solution provides. Figure 4 shows a simplified NGFW deployment.