Understand SD-WAN Sites and Devices
In Contrail Service Orchestration (CSO), there are two categories of SD-WAN devices: spoke devices and hub devices. These are explained in the sections below.
Spoke Devices
The CPE device at an enterprise customer’s branch site acts as a spoke device in the SD-WAN model. The device also acts as a gateway router, providing connectivity from the branch site to other sites in the tenant network and to the Internet. There are two types of spoke devices: on-premises spoke and cloud spoke.
On-Premises Spoke Devices
On–premises spoke devices can be either NFX Series devices or specific SRX Series devices.
NFX Series Network Services Platform
The NFX Series Network Services Platform used as an on-premises spoke device differentiates from traditional CPE devices in that it can host a range of multivendor VNFs and support service chaining, managed by orchestration software in the cloud. NFX Series devices eliminate the operational complexities of deploying multiple physical network devices at a customer site.
A key VNF supported on the NFX Series platform is the vSRX Virtual Firewall. In the CSO SD–WAN solution, the vSRX instance performs the gateway router function, given its routing and switching capabilities. It also provides the same feature-rich security services found on a standard SRX series devices. Table 1 shows the supported NFX hardware models.
The NFX150 features a built–in SRX firewall in place of the vSRX functionality found on other NFX Series devices.
Platform |
Models Supported |
---|---|
NFX150 Network Services Platform |
NFX150–S1 NFX150–S1E NFX150–C–S1 NFX150–C–S1–AE/AA NFX150–C–S1E–AE/AA |
NFX250 Network Services Platform |
NFX250–LS1 NFX250–S1 NFX250–S2 |
SRX Series Devices and vSRX Virtual Firewalls
A physical SRX device can be used in place of the NFX platform to provide the gateway router function, as can a vSRX instance installed on a server. Table 2 shows the supported SRX hardware and vSRX virtual firewalls
Platform |
Models Supported |
---|---|
SRX Series |
SRX4600 (SD-WAN spoke) SRX4200 SRX4100 SRX550M SRX380 SRX345 SRX340 SRX320 SRX300 |
SRX1500 |
|
vSRX Virtual Firewalls |
vSRX (standalone) |
vSRX (installed in NFX250) |
|
vSRX 3.0 (standalone) |
Cloud Spoke Devices
A CSO SD–WAN cloud spoke device, in the form of a vSRX, can be located in an AWS virtual private cloud (VPC). The vSRX serves as a spoke device in the cloud; once the endpoint comes online, it acts like any other spoke device.
Spoke Redundancy
Two redundant CPE devices can be used at spoke sites to protect against device and link failures. For more detail, see the Resiliency and High Availability section of the CSO Design and Architecture Guide.
Provider Hub Devices
The CSO SD–WAN solution supports two deployment topologies: dynamic mesh and hub-and-spoke. In a dynamic mesh deployment, each site has a CPE device that connects to the other sites and the enterprise hub device. In a hub-and-spoke deployment, there is at least one provider hub device and one or more spoke devices.
The provider hub device terminates both MPLS/GRE and IPsec tunnels from spoke devices.
Provider Hubs
In a service provider (SP) environment, the service provider hosts a provider hub device in their network. The provider hub device acts as a point of presence (POP) or connection point. It is typically a shared device, providing hub functionality to multiple customers (tenants) through the use of virtual routing and forwarding instances (VRF). The SP administrator and the OpCo administrator can both manage the provider hub device.In CSO SaaS, the SP administrator role is performed by Juniper Networks as the cspadmin user (or equivalent). The OpCo administrator role can be assigned to a user by the SP administrator, but the OpCo administrator does not have SP administrator privileges.Table 3 lists the provider hub devices supported in a CSO SD-WAN environment.
Role |
Supported Device Types |
---|---|
Provider Hub |
SRX4600 SRX4200 SRX4100 SRX1500 |
vSRX |
|
vSRX 3.0 |
Provider Hub Redundancy
Two redundant provider hub devices can be used at one POP to protect against device and link failures, and to provide upstream multi-homing for spoke sites. For more detail, see the Resiliency and High Availability section of the CSO SD-WAN - Design and Architecture Guide.
Enterprise Hub Sites and Devices
A special type of spoke device, called an enterprise hub device, can be deployed as the CPE at an on-premises site. The spoke site that functions this way, must be configured as an enterprise hub site during site addition. Adding an enterprise hub site opens additional functionality for the site:
Can act as the anchor point for site–to–site communications on the customer’s network.
Can act as the central breakout node for the customer’s network.
Offers a specialized department called the data–center department.
Supports dynamic LAN segments with BGP and OSPF route imports, including default routes, from the LAN–side L3 device.
Allows for intent-based breakout profiles to create granular breakout behavior based on department, application, site, and so on.
In an enterprise environment, the enterprise hub is owned by the customer (tenant) and usually resides within an enterprise data center. Only the customer’s spoke sites can connect to the enterprise hub device. OpCo administrators and tenant administrators can manage the enterprise hub. Table 4 lists the enterprise hub devices supported in a CSO SD-WAN environment.
Role |
Supported Device Types |
---|---|
Enterprise Hub |
SRX380 SRX4600 SRX4200 SRX4100 |
SRX1500 |
|
vSRX |
|
vSRX 3.0 |