Add a Provider Hub Device

A provider hub device resides in a POP within the SP or OpCo network. Provider hub devices are shared amongst multiple tenants through the use of virtual routing and forwarding (VRF) instances configured on the provider hub itself. They allow site-to-site traffic to flow in hub-and-spoke deployments, serve as OAM gateway devices for management traffic between CSO and CPE devices, and can serve as backup data hubs when an enterprise hub device is used in a tenant.

Provider hubs come in three varieties: OAM_ONLY, DATA_ONLY, or OAM_AND_DATA.

OAM_ONLY and OAM_AND_DATA hubs pass OAM traffic between CSO and the CPE devices. CPE devices connect to these OAM-capable hubs over IPSec. In the CSO on-premises installation, the SP administrator adds the OAM-capable hubs. In CSO SaaS, the OAM-capable hubs are provided (by Juniper Networks) as part of the service.
DATA_ONLY and OAM_AND_DATA hubs route site-to-site user traffic in a hub-and-spoke topology. These data-capable provider hubs are optional. In the CSO on-premises installation, the SP or OpCo administrator creates the data-capable hubs. In CSO SaaS, the OpCo administrator creates the data-capable hubs.

Best Practice:

It is recommended that all provider hubs be clearly named for their data and OAM capabilities.

Note:

For SD-WAN Advanced service, we recommend that you configure two OAM-capable provider hubs to provide redundancy in the OAM network. In CSO SaaS, Juniper Networks provisions two OAM-capable hubs by default. In the CSO on-premises version, the SP Administrator must add the OAM-capable hubs.
Before you add the provider hub, check the cable connections, review the NAT and firewall ports and protocols, and check the Junos OS version of the enterprise hub device, as explained in Supported Devices for SD-WAN, and Ports and Protocols to Open.

To add a provider hub device:

Select Resources > Provider Hub Devices.

The Provider Hub Devices page appears.
Click the add (+) icon.

The Add Provider Hub page appears, displaying the General settings to configured.
Configure the General settings as explained in Table 1, and click Next.

You are taken to the WAN section of the wizard.

Note:
Fields marked with an asterisk (*) are mandatory.
Configure the WAN settings as explained in Table 2 and click Next.

You are taken to the Summary section of the wizard.
Review the configuration in the Summary tab, and modify the settings, if required.

You can also download the settings that you configure as a JavaScript Object Notation (JSON) file by clicking the Download as JSON link at the bottom of the page
Click OK.
- If you entered a serial number during activation and automatic activation is enabled, the Site Activation Progress page appears. The site activation process proceeds through the tasks explained in Table 4.
  
  Click OK to close the page.
  
  Note:
  If you don’t want to wait for the provider hub activation to finish, you can close the page and monitor the status of the activation from the Jobs page (Monitor > Jobs).
  
  The time taken for provider hub activation varies depending on the device that CSO is activating.
- If you did not enter a serial number or if automatic activation is disabled, you are returned to the Provider Hub Devices page. CSO triggers a job and displays a confirmation message with a job link. Click the link to view the status of the job.
  
  After the job is finished, CSO displays a confirmation message with a job link. The status of the site changes to CREATED. You must manually activate the device to finish the activation process. To manually activate the provider hub:
  1. Select the device and click Activate Device.
    
    The Activate Site page appears.
  2. If a serial number was not specified when the site was added, enter the serial number of the device in the Serial Number field. Serial numbers are case sensitive.
    
    If the serial number that you entered is already present in the system, CSO displays an error message. If the serial number is not present, then CSO displays a green check mark.
  3. If automatic activation was disabled when the site was added, enter the activation code of the device in the Activation Code field.
  4. Click OK.
    
    CSO triggers a job and the Site Activation Progress page appears after a few seconds. Because the site was previously modelled, the Ship Device task is the first task to be executed. The rest of the steps are as explained in Table 4.

Tip:

After you add a provider hub, you can modify certain parameters for DATA_ONLY provider hubs. For more information, see the Edit Provider Hub Site Parameters topic in the CSO Administration Portal User Guide (available on the CSO Documentation page).

Table 1: General Settings (Add Provider Hub [Device] Page)
Field	Guideline
Site Information
Site Name	Enter a name for the provider hub device. The name can contain alphanumeric characters and hyphens (-) and must not exceed 15 characters. For example, LA-PHub-OAM
Device Host Name	The device host name is auto-generated by default. You can change the name but not the prefix. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.
Management Region	Displays regional as the management region. You cannot modify this field.
Site Capability	Select the capability of the provider hub device: OAM_ONLY—Transmits only OAM traffic. Note: This option is available only for SP Administrator users in the on-premises version of CSO. DATA_ONLY—Transmits only data traffic. OAM_AND_DATA—Transmits both data traffic and OAM traffic. For provider hubs added with data only capability, CSO establishes a secure OAM tunnel between the provider hub with data capability and a provider hub with OAM_ONLY or OAM AND DATA capability).
POP	Select the POP to which you want to assign the provider hub device.
Authentication Type	Select the type of authentication to use for establishing secure IPsec tunnels: Pre-shared key, which is the default. Public Key Infrastructure
Advanced Configuration
Domain Name Server	Specify the IPv4 or IPv6, or both IPv4 and IPv6 addresses of one or more Domain Name System (DNS) servers.
NTP Server	Specify the IP address or fully-qualified domain name (FQDN) of the NTP server.
Select Timezone	Select the time zone to which the provider hub device belongs.

Table 2: WAN Settings (Add Provider Hub [Device] Page)
Field	Guideline
Device Series	Displays SRX as the device series because currently only SRX Series devices are supported as provider hubs.
[Device Template]	Ensure that you select the correct device template for the provider hub device from the carousel. For example, for an SRX1500 device, you can select SRX as SD-WAN Hub (or a modified version of that template) as the device template. Note: Check that the interface names in the device template match the ones on the device that you’re using.
Device Information
Serial Number	If you want CSO to proceed with the provider hub activation immediately after you complete the add provider hub workflow, enter the serial number. If the serial number that you entered is already present in the system, CSO displays an error message. If the serial number is not present, then CSO displays a green check mark. If you want CSO to only model the provider hub, leave this field blank. If you don’t enter a serial number, you must manually activate the provider hub later.
Auto Activate	Automatic activation is typically enabled by default (based on the setting in the device template). When automatic activation is enabled, zero-touch provisioning (ZTP) of the provider hub device is automatically triggered after the site is added to CSO. If you want the device to be activated manually, click the toggle button to disable automatic activation.
Activation Code	If you disabled automatic activation, enter the activation code that must be entered when the device is manually activated later. When you manually activate the device later, CSO checks the activation code entered against the activation code specified here and activates the device only if the activation codes match.
Device Root Password	The default root password is fetched from the ENC_ROOT_PASSWORD field in the services template. You can keep the password or change it by entering a password in plain-text format. The password is encrypted and stored.
Boot Image	If you want to upgrade the provider hub device with the latest supported Junos OS version, select the boot image from the list. The boot image is used to upgrade the device when CSO starts the zero touch provisioning (ZTP) process. If you don't specify a boot image, which is the default option (Use Image on Device) in the list, then the CSO skips the procedure to upgrade the device during ZTP.
Management Connectivity
Loopback IP Prefix	By default, CSO assigns the IPv4 address prefix for the loopback interface on the device.
OAM Interface	For provider hubs with OAM or OAM and data capabilities, select the interface on the provider hub device that you want to use to connect the provider hub device to CSO. This interface is used only for OAM connectivity. The interface names are listed are the names configured in device template.
OAM VLAN	For provider hubs with OAM or OAM and data capabilities, enter an OAM VLAN ID for in-band management of the hub device. If you specify an OAM VLAN ID, then in-band OAM traffic reaches the device through the selected OAM interface.
OAM IP Prefix	For provider hubs with OAM or OAM and data capabilities, enter an IPv4 address prefix for the OAM interface in the provider hub device. The prefix must be unique across the entire management network.
OAM Gateway	For provider hubs with OAM or OAM and data capabilities, enter the IP address of the next-hop through which the connectivity from the provider hub device to CSO is established.
EBGP Peer-AS	For provider hubs with OAM or OAM and data capabilities, enter the autonomous system (AS) number of the external BGP (EBGP) peer. The AS number is unique to the service provider and is needed to establish the EBGP peering session.
WAN Links
WAN_0 (`Interface-Name`)	This field is enabled by default. Enter parameters related to WAN_0. You must configure the fields marked with an asterisk (*) to proceed.
Local Interface	Displays the interface name configured in the device template. You cannot modify this field.
Link Type	Select the underlay network type (MPLS or Internet) of the WAN link.
Public IP Address	Enter the public IPv4 address for the WAN link. This IP address should be provided only if the static IP prefix is a private address and 1:1 NAT is configured.
Data VLAN ID	Enter the VLAN ID that is associated with the WAN link.
Underlay Address Families
IPv4	Click the toggle button to enable or disable IPv4 address assignment for the WAN link. By default, IPv4 address assignment is enabled for the WAN link. The WAN link requires an IPv4 address to connect to an IPv4 network.
Address Assignment Method	Displays the address assignment method used for the IPv4 WAN link (STATIC). You cannot modify this field.
Static IP Prefix	Enter the IPv4 address prefix of the WAN link.
Gateway IP Address	Enter the IPv4 address of the gateway of the WAN service provider.
MTU	Applicable only to IPv4 addresses. Enter the maximum transmission unit (MTU) size for the media or protocol. The supported MTU range can vary depending on the device, interface type, network topology, and other individual requirements. See also: MTU Default and Maximum Values and LTE Mini Physical Interface Modules (LTE Mini-PIM). Editing the MTU values of all the OAM-enabled WAN links of a site at the same time might result in tunnel flapping. You must ensure that at least one OAM-enabled WAN link always remains undisrupted for a site. For example, if you have a site with four WAN links (including two links that support OAM traffic), you can edit the MTU values of all the WAN links except one OAM-enabled link at the same time. After the edit is complete and the changes are saved, you can edit the site again and update the remaining WAN link. Note: If you enable the PPPoE/PPP option under a WAN link, the MTU option is displayed under the PPPoE/PPP Settings section for that link.
IPv6	Click the toggle button to enable or disable IPv6 address assignment for the WAN link. By default, IPv6 address assignment is disabled for the WAN link. The WAN link requires an IPv6 address to connect to an IPv6 network.
Address Assignment Method	Displays the address assignment method used for the IPv6 WAN link (STATIC). You cannot modify this field.
Static IP Prefix	Enter the IPv6 address prefix of the WAN link.
Gateway IP Address	Enter the IPv6 address of the gateway of the WAN service provider.
WAN_1 (`Interface-Name`)	Click the toggle button to enable or disable the WAN link. When you enable the WAN link, fields related to the WAN link appear. You must configure the fields marked with an asterisk (*) to proceed. Refer to the fields described for WAN_0 (`Interface-Name`) for an explanation of the fields
WAN_2 (`Interface-Name`)	Click the toggle button to enable or disable the WAN link. When you enable the WAN link, fields related to the WAN link appear. You must configure the fields marked with an asterisk (*) to proceed. Refer to the fields described for WAN_0 (`Interface-Name`) for an explanation of the fields
WAN_3 (`Interface-Name`)	Click the toggle button to enable or disable the WAN link. When you enable the WAN link, fields related to the WAN link appear. You must configure the fields marked with an asterisk (*) to proceed. Refer to the fields described for WAN_0 (`Interface-Name`) for an explanation of the fields
Additional Configuration	If you want to deploy additional configuration during the ZTP process, you can select one or more configuration templates and set the parameters for each template. The configuration templates for the device family are displayed.
Configuration Templates List	For each configuration template that you select: Select one or more configuration templates from the list that you want to deploy on the device during ZTP. Click Set Parameters. The Device Configurations page appears. The names and configuration parameters of the configuration templates that you selected are displayed in the Configure tab. For each configuration template, enter values for the parameters. (Optional) Click the Summary tab to view the Junos OS configuration commands that will be deployed on the device for the different configuration templates. Click Save. You are returned to the WAN tab. The Junos OS configuration commands will be deployed on the device during the ZTP process.

See Pre-Deployment Tasks for CSO SD-WAN and Next-Generation Firewall for the next task.