Table 1 provides definitions for the terminology used throughout this guide.
Table 1: CSO Terminology
A tenant site, connected to other sites in either a full mesh or hub-and-spoke topology. Also known as a spoke site.
Customer-premises equipment—A device placed at a remote customer spoke site that provides services (such as WAN routing or firewall filtering) for the remote site. The CPE allows the remote site to connect with a hub or other spoke sites. Legacy CPE devices provide single services, newer CPE devices (such as the NFX Series and SRX Series devices) provide multiple services to enable the SD-WAN and NGFW solutions. See also on-premises spoke device.
Contrail Service Orchestration—A Juniper Networks software product that facilitates the Contrail SD-WAN and NGFW solutions. You access CSO through a graphical user interface (GUI) to harness its built-in automation capabilities, which enable you to provision, manage, and monitor your WAN, campus, and branch networks.
A resource conserving method for implementing full-mesh topologies. All of the sites in the full mesh are included in the topology; but the site-to-site VPNs are not brought up until traffic crosses a user-defined threshold called the Dynamic VPN threshold.
A single-tenant on-premises spoke device deployed as a hub at an enterprise hub site. The enterprise hub can serve as the hub portion of a hub-and-spoke topology. When deployed like this, the provider hub (if any) serves as a backup hub to the enterprise hub for site-to-site communications.
Enterprise Hub Site
A special type of spoke site with enhanced capabilities that approximate those of a provider hub site.
A site that acts as a hub for traffic from multiple spokes in a hub-and-spoke topology. In the absence of an enterprise hub, all spoke-to-spoke traffic flows through the provider hub. See also Provider Hub and Enterprise Hub.
Management and Orchestration
A text-based label for WAN interfaces on CPE devices. Mesh tags enable SLA-based dynamic VPN creation between customer sites. Only interfaces with matching mesh tags can form a VPN.
Lightweight, modular building blocks that implement a specific function and communicate with other functions using well defined interfaces (e.g. RESTFul APIs). Can be scaled independently.
Multiprotocol BGP—A routing protocol used for large-scale, multi-tenancy deployments
Next-generation firewall—An SRX Series Services Gateway placed at a remote customer site that acts as a CPE and provides WAN and advanced security services.
Network Service Controller—The SD-WAN controller layer of CSO, provides topology and CPE lifecycle management functionality, as well as site-to-site routing and reachability.
On-premises spoke device
Operating Company—Typically a service provider who has multiple large tenants. A single instance of CSO can have multiple OpCos, each with multiple tenants.
Note: An OpCo administrator is the highest level of administrator available for CSOaaS.
Physical Network Function—Network service provided by a physical device, such as firewall services provided by an SRX Series Services Gateway.
Point of Presence—Typically a physical location where the provider has assets used to deploy one or more of the available solutions. Assets are network devices such as edge routers, provider hubs, and server resources. The POP can also be a data center where the provider can deploy CSO.
A multitenant hub device located in a POP on the service provider’s network. A provider hub can terminate IPsec tunnels for both overlay and secure OAM networks. Provider hub devices can also terminate MPLSoGRE and MPLSoGREoIPsec tunnels. Only an SP administrator or OpCo administrator can add, modify, or delete provider hub devices.
Note: For CSOaaS, an OpCo administrator can add only DATA_ONLY hubs.
Software-defined wide area network—Uses CSO to provision, manage, and monitor on-premises spoke devices, provider hubs, and enterprise hubs located across a WAN environment. Typically includes the use of NFX Series Network Services Platforms and SRX Series Services Gateways.
Juniper Networks security-focused implementation of operations, administration, and management (OAM) functions within CSO.
Any customer location, such as an on-premises spoke, an enterprise hub, or cloud spoke.
A tenant branch site in a hub-and-spoke topology.
Typically an enterprise customer with many branches (sites) who subscribes to the offerings provided by the service provider. Sites are provisioned within a tenant. One tenant cannot see the sites or assets of another.
Virtualized Network Function—Network service provided by software running in a virtual environment, such as the vSRX virtual firewall.
Zero touch provisioning, also known as autoinstallation.