One of the key features of the Contrail SD-WAN solution is the ability to “plug-and-play” new spoke devices using ZTP (autoinstallation). The redirect server is a Juniper-owned, public-facing web server that plays a role in any new device’s initial setup, as follows:
1. Before performing ZTP, add the appropriate CSO SSL certificate to the redirect server.
2. When a spoke device first comes online, it uses a local DHCP server to obtain an IP address and name server information.
3. The spoke device then contacts the redirect server, which provides the spoke with the DNS name and SSL certificate of the CSO server.
4. The spoke device then contacts the CSO server to obtain its initial configuration.
Usage Notes for the Redirect Server:
- At least one of the device's WAN interfaces must obtain its IP address from a DHCP server, so that it is also assigned a name server and a default route.
- Both CSO and the redirect server must be reachable over the same WAN interface.
Design Considerations for CSO and Redirect Server
The redirect server is located on the Internet, and cannot be moved. However, there are multiple options for the placement of CSO to enable ZTP for new spoke devices.
In Figure 1, both the redirect server and CSO are located on the Internet. In this case, the spoke device obtains and uses IP addressing and other information provided through its Internet-facing interface, and can then reach both the redirect server (first) and CSO (second) through that same interface.
In Figure 2, CSO is located on an OAM network attached to the MPLS VPN, while the redirect server is reachable on the Internet. In this case, two scenarios are possible:
1. The spoke device obtains IP addressing and other information through its MPLS-facing interface. Since the redirect server is located on the Internet, the MPLS service provider must make the Internet reachable from the MPLS network. With this connection in place, the spoke device can reach both servers through the same interface (in this case, WAN_0).
2. The spoke device obtains IP addressing and other information through its Internet-facing interface. Since the CSO server is connected to the MPLS network, the service provider must allow the CSO server to be reachable from the Internet (typically using a NAT gateway). With this connection in place, the spoke device can reach both servers through the same interface (in this case, WAN_1).
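The following is an added example, not Juniper code, that models the three-step ZTP flow and the two usage notes above, and plays through the Figure 1 and Figure 2 placements. A spoke is represented by its WAN interfaces, each with (or without) a DHCP lease and the set of hosts it can reach; the redirect server is a lookup from device serial to the CSO DNS name plus the fingerprint of the CSO certificate registered for it, and the spoke pins that fingerprint when it contacts CSO. Every hostname, address, serial number and certificate byte string is a constructed placeholder; `redirect.example` and `cso.example` are not the real server names, and the DHCP, DNS and TLS exchanges are modelled in memory rather than performed on the network.

```python
"""Model of the ZTP path: DHCP lease -> redirect server -> CSO.
Added example, not Juniper code. All names, addresses and cert bytes are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
import hashlib

REDIRECT_HOST = "redirect.example"                  # constructed stand-in for the redirect server
CSO_HOST = "cso.example"                            # constructed CSO FQDN returned by the redirect server
CSO_CERT_DER = b"constructed-cso-certificate-der"   # stands in for the DER-encoded CSO SSL certificate
SERIAL = "SN-CONSTRUCTED-0001"                      # constructed spoke serial number


@dataclass
class Lease:
    """DHCP lease as the spoke sees it on one WAN interface."""
    address: str
    name_servers: List[str] = field(default_factory=list)
    default_route: Optional[str] = None      # None: the lease offered no default route


@dataclass
class WanInterface:
    name: str                 # e.g. WAN_0 (MPLS-facing) or WAN_1 (Internet-facing)
    lease: Optional[Lease]    # None when the interface obtained no lease
    reachable: Set[str]       # hostnames this interface can actually reach


def eligible_for_ztp(iface: WanInterface) -> Optional[str]:
    """None if the interface satisfies both usage notes, else the reason it does not."""
    if iface.lease is None:
        return f"{iface.name}: no DHCP lease"
    if not iface.lease.name_servers:
        return f"{iface.name}: lease carries no name server"
    if iface.lease.default_route is None:
        return f"{iface.name}: lease carries no default route"
    missing = {REDIRECT_HOST, CSO_HOST} - iface.reachable
    if missing:
        return f"{iface.name}: cannot reach {sorted(missing)} over this interface"
    return None


def select_ztp_interface(interfaces: List[WanInterface]) -> Optional[WanInterface]:
    """First WAN interface over which both the redirect server and CSO are reachable."""
    return next((i for i in interfaces if eligible_for_ztp(i) is None), None)


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate; the spoke pins this rather than the whole cert."""
    return hashlib.sha256(cert_der).hexdigest()


class RedirectServer:
    """Serial -> (CSO FQDN, pinned CSO cert fingerprint); populated by step 1 above."""
    def __init__(self) -> None:
        self._registry: Dict[str, tuple] = {}

    def register(self, serial: str, cso_fqdn: str, cso_cert_der: bytes) -> None:
        self._registry[serial] = (cso_fqdn, fingerprint(cso_cert_der))

    def lookup(self, serial: str) -> tuple:
        return self._registry[serial]


class CsoServer:
    """CSO endpoint: presents a certificate on connect, then hands out initial config."""
    def __init__(self, cert_der: bytes, configs: Dict[str, dict]) -> None:
        self.cert_der, self.configs = cert_der, configs

    def connect(self) -> bytes:             # certificate presented during the TLS handshake
        return self.cert_der

    def initial_config(self, serial: str) -> dict:
        return self.configs[serial]


def bootstrap(serial: str, interfaces: List[WanInterface], redirect: RedirectServer,
              dns: Dict[str, CsoServer]):
    """Run the flow. Returns (status, detail) with status 'ok', 'no-interface' or 'cert-mismatch'."""
    iface = select_ztp_interface(interfaces)
    if iface is None:
        return "no-interface", [eligible_for_ztp(i) for i in interfaces]
    cso_fqdn, pinned = redirect.lookup(serial)          # step 3: ask the redirect server
    cso = dns[cso_fqdn]                                 # name resolved via the lease's name server
    if fingerprint(cso.connect()) != pinned:            # step 4: contact CSO, enforce the pin
        return "cert-mismatch", cso_fqdn
    return "ok", {"interface": iface.name, "config": cso.initial_config(serial)}


def _lease(net: str) -> Lease:
    return Lease(f"{net}.10", name_servers=[f"{net}.1"], default_route=f"{net}.1")


def figure1() -> List[WanInterface]:
    """Figure 1: redirect server and CSO both on the Internet, reached via WAN_1."""
    return [WanInterface("WAN_1", _lease("198.51.100"), {REDIRECT_HOST, CSO_HOST})]


def figure2_no_crossconnect() -> List[WanInterface]:
    """Figure 2 with neither provider connection in place: WAN_0 (MPLS) sees CSO only,
    WAN_1 (Internet) sees the redirect server only, so no interface qualifies."""
    return [WanInterface("WAN_0", _lease("10.0.0"), {CSO_HOST}),
            WanInterface("WAN_1", _lease("198.51.100"), {REDIRECT_HOST})]


def figure2_cso_nat() -> List[WanInterface]:
    """Figure 2, scenario 2: the provider exposes CSO from the Internet, so WAN_1 qualifies."""
    return [WanInterface("WAN_0", _lease("10.0.0"), {CSO_HOST}),
            WanInterface("WAN_1", _lease("198.51.100"), {REDIRECT_HOST, CSO_HOST})]


def run(interfaces: List[WanInterface], presented_cert: bytes = CSO_CERT_DER):
    """Wire up a constructed redirect server and CSO, then bootstrap one spoke."""
    redirect = RedirectServer()
    redirect.register(SERIAL, CSO_HOST, CSO_CERT_DER)
    cso = CsoServer(presented_cert, {SERIAL: {"hostname": "spoke-1", "site": "constructed"}})
    return bootstrap(SERIAL, interfaces, redirect, {CSO_HOST: cso})


if __name__ == "__main__":
    print("figure 1:", run(figure1()))
    print("figure 2, no cross-connect:", run(figure2_no_crossconnect()))
    print("figure 2, CSO via NAT:", run(figure2_cso_nat()))
    print("CSO with wrong certificate:", run(figure1(), presented_cert=b"some-other-certificate"))
```

The `no-interface` result carries the per-interface reasons, which is the state Figure 2 is in until the provider adds one of the two connections; the `cert-mismatch` result is what the pin buys you when the spoke is steered to a CSO endpoint that does not hold the certificate registered on the redirect server.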
Bypassing the Redirect Server
In some cases, it may not be desirable or practical to use the Juniper redirect server. In these cases, a spoke device can be pre-staged to include reachability information for the CSO server before being shipped to the customer location.