Contrail Service Orchestration (CSO) Solutions Overview
Juniper Networks CSO SD-WAN and NGFW management solutions offer automated branch connectivity while improving network service delivery and agility. CSO is a multi-tenant platform that manages physical and virtual network devices, creates and manages Juniper Networks and third-party virtualized network functions (VNFs), and uses those elements to deploy network solutions for both enterprises and service providers (SPs) and their customers. CSO multi-tenancy provides security and tenant isolation that keeps the objects and users belonging to one tenant or operating company (OpCo) from seeing or interacting with those of another tenant or OpCo.
CSO is available as an on-premises version (CSO on-premises) or a Software as a Service (CSO SaaS). For more information, see Understand CSO Versions (On-Premises and Software as a Service).
CSO offers multiple network solutions that benefit enterprise customers and service providers and their customers:
Provide lifecycle management for devices and services
Automate physical and virtual device provisioning
Provide Day 0, Day 1, and Day 2 configuration
Monitor remote devices
Provide full lifecycle management of firewall, NAT, and Internet breakout policies for user traffic
Provide high-level reporting about devices and user traffic
Contrail Software-Defined WAN Solution (SD-WAN)
The Contrail SD-WAN solution offers a flexible and automated way to route traffic through the cloud using overlay networks. It is an overlay network solution that provides an enhanced application user experience. It acts as both a data controller and a management orchestrator. At its most basic, an SD-WAN solution encompasses multiple sites, multiple connections between sites, and a WAN controller as shown in Figure 1.
The CPE devices in a Contrail SD-WAN solution (also known as on-premises spoke devices) have a WAN side and a LAN side. On the WAN side, hub-and-spoke and dynamic mesh topologies are supported. The CPE devices use at least one, and up to four, WAN interfaces as connection paths to provider hub devices, enterprise hub devices, other spoke devices, and the Internet. The supported hub devices are shown in Table 1:
Hub Device |
Used as |
|---|---|
vSRX |
Enterprise Hub and Provider Hub |
SRX380 |
Enterprise Hub |
SRX1500 |
Enterprise Hub and Provider Hub |
SRX4100 |
Enterprise Hub and Provider Hub |
SRX4200 |
Enterprise Hub and Provider Hub |
SRX4600 |
Enterprise Hub and Provider Hub |
The hub devices help to provide the overlay networking needed for the Contrail SD-WAN solution.
CSO allows you to give preference to one WAN path over another for any given traffic through the use of traffic steering and breakout profiles. Thus, business-critical traffic and data can be routed through the provider hub using MPLS/GRE while non-critical traffic can be routed over the Internet connection through an IPsec tunnel. Each path can have a service level agreement (SLA) profile applied. The SLA profile monitors the path for latency, congestion, and jitter while also accounting for path preference. Should the path fail to meet one or more of the required parameters, traffic is re-routed to another path automatically.
The LAN side of the CPE devices connect to the customer’s LAN segments. Multiple departments at the customer site that occupy different LAN segments can have their traffic securely segregated. NFX Series spoke devices can also provide service chains of network services in addition to the routing flexibility already available.
You can use the solutions as turnkey implementations or connect to other operational support and business support systems (OSS/BSS) through northbound Representational State Transfer (REST) APIs.
Next Generation Firewall (NGFW) Deployment Model
The NGFW deployment focuses on providing remote network security through the use of SRX Series NGFW devices as CPE at the spoke site; unlike the SD-WAN deployments which focus on secure site-to-site connectivity. A high-level view of the spoke site with NGFW is shown in Figure 2.
An NGFW deployment is carried out in the Customer Portal of CSO as a site deployment. The tenant under which the site is deployed must have the NGFW service available. This service is included in the tenant configuration by the tenant administrator during tenant onboarding.