Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


SD-LAN Deployment Architectures


This topic describes the SD-LAN deployment architectures. There are three basic SD-LAN architectures:

  1. LAN segment connected behind an SD-WAN hub—For this model, the LAN is in the data center and you need to provision CSO to use dynamic routing protocols for connectivity between the hub and LAN.

  2. LAN segment connected by switches or Virtual Chassis behind an SD-WAN spoke—For this model, EX Series switches or Virtual Chassis connect to an on-premises spoke device (NFX Series or SRX Series) at a remote site. You can also place Mist access points behind a switch.


    Juniper Networks recommends this model because it provides flexibility and the opportunity to expand your LAN with additional switches and WiFi access points over time.

  3. LAN segment connected directly to an SD-WAN spoke—For this model, the LAN connects directly to the on-premises spoke device.

Figure 1 shows a sample design of how you can deploy SD-LAN in a remote branch location and a data center, and then connect the sites together across an SD-WAN.

Figure 1: SD-LAN Topology
SD-LAN Topology

SD-LAN allows you to deploy, provision, manage, and monitor EX Series access switches, EX Series Virtual Chassis, and SRX Series Security Gateways deployed at your spoke sites. CSO can also recognize Mist access points behind an EX Series switch or Virtual Chassis. The LAN devices can be deployed either as standalone devices or behind existing SD-WAN CPE devices. In addition to device visibility, the SD-LAN solution allows CSO to learn the details of the on-premises spoke site’s LANs through the use of dynamic routing protocols such as BGP and OSPF.

SD-LAN Architectures

When you implement SD-LAN with an EX switch or Virtual Chassis as shown in Figure 2, the LAN device must be connected to a WAN router device. The WAN router device can be an existing CPE on-premises spoke device as part of an SD-WAN solution, a standalone NGFW device as described later, or a third-party router. The WAN router serves as the gateway to other spoke sites through enterprise hub devices and, ultimately, to CSO.

Figure 2: SD-LAN Using EX Switch
SD-LAN Using EX Switch

The EX switches can be provisioned using zero-touch provisioning (ZTP). a Virtual Chassis can be provisioned in CSO using ZTP, but the Virtual Chassis itself must be fully formed prior to provisioning. CSO can manage the following aspects of the deployed EX switch or Virtual Chassis:

  • Configure system-wide settings around DHCP, SNMP, Radius, and so on

  • Configure device specific LAN settings such as VLANs, interfaces, 802.1x, POE, port security, and so on through the use of stage 2 configuration.

The EX switch or Virtual Chassis gives visibility into the local LAN and allows for the inclusion of Mist access points into the CSO orchestration model. When deployed in any of these ways, any existing Mist access points that are connected to the EX switch, at that site, are automatically seen by CSO.

Usage Notes on SD-LAN Architecture

EX Series switches and Virtual Chassis are supported in CSO. Once a switch or Virtual Chassis has been provisioned, you can:

  • Configure and monitor the ports of the EX switch or Virtual Chassis–You can either configure the ports by accessing each port individually or by using a port profile, from the Ports tab of the Devices page in the Customer Portal UI. You can configure and deploy port authentication profiles to implement network access control (NAC), and firewall filters to enforce security on the switch ports. After you configure the switch ports, you can monitor the ports from the Devices page of the Customer Portal UI.

  • Perform an image upgrade for Virtual Chassis members—CSO supports the upgrade of images for an EX Series access switch or Virtual Chassis. Images for each member of the Virtual Chassis are upgraded one after the other in the order – Linecard, Backup, and Master.

  • Add firewall configurations for EX Series switches—You can configure firewall filters for EX Series switches and Virtual Chassis. A firewall filter defines the rules to permit or deny packets that are transiting a switch port. You can assign the firewall filter as an ingress filter or egress filter to a switch port either while manually configuring the port or through port profiles.

  • Set up RMA for defective EX Series switches—You can initiate the Return Material Authorization (RMA) workflow for a defective EX Series switch (physical standalone switch) when the switch is behind an SRX Series device acting as an SD-WAN CPE, next-generation firewall, or internet gateway.

    You can set up RMA for an EX Virtual Chassis member when the Virtual Chassis is deployed as a standalone switch (that is, behind an internet gateway) only.