Traffic Steering Profiles and SD-WAN Policies Overview
Contrail Service Orchestration (CSO) enables you to create traffic steering profiles and map them to software-defined WAN (SD-WAN) policies for traffic management.
Traffic Steering Profiles
Traffic steering profiles are created for applications or groups of applications for all tenants. Traffic-based steering profiles are categorized as follows:
- SLA-Based Steering Profiles—An SLA-based steering profile consists of a set of configurable constraints such as SLA configuration, SLA threshold, SLA parameters, path selection criteria, Class of Service, and upstream and downstream data rates. SLA profiles are created for applications or groups of applications for all tenants.
  Note: The Secure SD-WAN Essentials service does not support SLA-based steering profiles.
- Path-Based Steering Profiles—A path-based steering profile consists of a set of configurable constraints such as path preference, traffic type profiles, and upstream and downstream data rates.
- Breakout Profiles—A breakout profile consists of a set of configurable constraints such as type of breakout, traffic type profiles, path preference, and upstream and downstream data rates. A cloud breakout profile is added by Contrail Service Orchestration (CSO) by default.

Table 1, Table 2, and Table 3 list the categories of configurable constraints that are defined in an SLA profile.
Category | Description |
---|---|
SLA profile parameters | You can define one or more of the following SLA profile parameters: |
Path preference and failover | Paths are the WAN links to be used for the SLA profile. You can select MPLS, Internet, or any link as the preferred path. MPLS is more latency-sensitive than Internet. You can trigger the path failover criteria when any of the SLA parameters is violated, or when all the SLA parameters are violated. |
Class of service | Class of service (CoS) provides different levels of service assurances to various forms of traffic. CoS enables you to divide traffic into classes and offer an assured service level for each class. The classes of service listed in increasing order of priority and sensitivity to latency are best effort, voice, interactive video, streaming audio or video, control, and business essential. The default CoS is voice. |
Rate limiters | Rate limiters are defined for traffic shaping and efficient bandwidth utilization. You can define the following rate limiters: |
You must define at least one of the SLA parameters or path preference. You cannot leave both path preference and SLA parameters fields blank at the same time.
Category | Description |
---|---|
Path preference | Paths are the WAN links to be used for the SLA profile. You can select an MPLS or Internet link as the preferred path. MPLS is more latency-sensitive than Internet. |
Class of service | Class of service (CoS) provides different levels of service assurances to various forms of traffic. CoS enables you to divide traffic into classes and offer an assured service level for each class. The classes of service listed in increasing order of priority and sensitivity to latency are best effort, voice, interactive video, streaming audio or video, control, and business essential. The default CoS is voice. |
Rate limiters | Rate limiters are defined for traffic shaping and efficient bandwidth utilization. You can define the following rate limiters: |
Category | Description |
---|---|
Type | The type of breakout profile that you want to add: |
Traffic Type Profile | The traffic type profile to apply class of service parameters to the breakout traffic. You can select only a traffic type profile that is enabled. |
Preferred Path | The preferred path (MPLS, Internet, or Any) to be used for breaking out the traffic. If a WAN link type that matches the preferred path is enabled for breakout, then that WAN link type is used for breakout traffic. If you specify that any path can be used, then there is no preference and all breakout-enabled links are used in a load-balancing mode. |
Rate Limiting | Rate limiting of breakout traffic for cacheable applications. By default, rate limiting is disabled. If you enable rate limiting, you must specify the upstream and downstream parameters, and the loss priority. |
Upstream Rate | The maximum upstream rate (in Kbps) for all cacheable applications associated with the breakout profile. |
Upstream Burst Size | The maximum size (in bytes) of a steady stream of traffic sent at average rates that exceed the upstream rate limit for short periods. |
Downstream Rate | The maximum downstream rate (in Kbps) for all cacheable applications associated with the breakout profile. |
Downstream Burst Size | The maximum size (in bytes) of a steady stream of traffic sent at average rates that exceed the downstream rate limit for short periods. |
Loss Priority | Loss priority based on which packets are dropped or retained when network congestion occurs. Packet drops are most likely when the loss priority is High and least likely when the loss priority is Low. |
SD-WAN Policies
SD-WAN policy intents help in optimum utilization of the WAN links and efficient load distribution of traffic. SD-WAN policy intents are applied to source endpoints (such as sites and departments) and destination endpoints (applications or application groups) and can be defined for site-to-site traffic (by using SLA profiles) or for breakout traffic (by using breakout profiles).
Policy intents consist of the following parameters:
- Source—A source endpoint that you can choose from a list of sites, site groups, and departments or a combination of all of these. The SD-WAN policy intent is applied to the selected source endpoint.
- Destination—A destination endpoint that you can choose from a list of applications and predefined or custom application groups. You can select a maximum of 32 applications or application groups as destination endpoints. The SD-WAN policy intent is applied to the selected destination endpoint.
  Applications are classified into the following categories:
  - Cacheable applications, which refer to applications or application groups that are stored in the application cache when they are recognized by the device. After they are stored in the application cache, subsequent sessions are routed directly through the correct WAN link.
  - Non-cacheable applications, which refer to applications or application groups that are not stored in the application cache. All sessions are first routed through the default path, and then routed to the correct WAN link based on the SD-WAN policy.
- Traffic Steering Profile—Depending on whether you want to apply the policy intent to site-to-site traffic or breakout traffic, you can associate the traffic steering profile with the policy intent. The following options are available:
  - SLA-based steering profile—Applicable for site-to-site traffic. (Not applicable to the Secure SD-WAN Essentials service.)
  - Path-based steering profile—Applicable for site-to-site traffic.
  - Breakout profile—Applicable for breakout traffic (local, central, or cloud).
- Intent name—A unique name for the SD-WAN policy intent.
SD-WAN supports advanced policy-based routing (APBR). APBR enables you to dynamically define the routing behavior of the SD-WAN network based on applications. Dynamic application-based routing makes it possible to define policies and to switch WAN links on the fly based on the application's defined SLA parameters. The APBR mechanism classifies sessions based on applications and application signatures and uses policy intents to identify the best possible route for the application. When the best possible route does not meet the application's defined SLA requirements, the SD-WAN network finds the next best possible route to meet SLA requirements.
For example, consider an application in a site. If you want the application group to use custom throughput, latency, or jitter, you can create an SLA profile with these custom values. You can then create an intent, configure the intent with the application, and apply the custom SLA profile. When the intent is deployed, CSO determines the best-suited WAN link to route traffic based on the application. If the WAN link fails to meet SLA requirements at runtime, the SD-WAN network switches WAN links to the next best-suited path.
On the basis of the configured traffic-based steering profile constraints, you can categorize SD-WAN policies into three types:
- Path-based steering policy—If only the path preference is defined and none of the SLA parameters are defined in the SLA profile, then the policy is called a path-based steering policy. In a path-based steering profile, you can define the path (MPLS or Internet) that must be used for a given traffic type profile. You cannot configure SLA parameters or path failover criteria for a path-based steering profile. The traffic type profile must be in the enabled state in order to be used in any profile.
- SLA-based steering policy—If one or more SLA parameters in the SLA profile are defined, then the policy is called an SLA-based steering policy. In an SLA-based steering profile, each profile is associated with a traffic type profile and tracks the SLA parameters such as packet loss, jitter, and RTT. The traffic type profile must be in the enabled state in order to be used in any profile. Based on your requirements, you can choose the recommended SLA threshold or enter a custom SLA threshold for the traffic type profile. You can even set the path preference (Any, MPLS, or Internet) to switch traffic from one WAN interface to another based on the path failover criteria.
  When an intent is deployed on a site, if the WAN link chosen by the SD-WAN network does not meet the SLA requirements and the network performance deteriorates, then the site switches WAN links to meet the SLA requirements. The link switching is recorded as an SD-WAN event and displayed in the SD-WAN Events page in the customer portal and the Tenant_name SLA Performance pages in the administration and customer portals.
- Breakout policy—If local breakout, central breakout, or cloud breakout parameters are defined, then the policy is called a breakout policy.
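The rules above can be checked before an intent is deployed. The following is an added example, not CSO code or its API schema: the `Profile` fields, dictionary keys, and function names are hypothetical, and SLA thresholds are assumed to be upper bounds on RTT, jitter, and packet loss.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_DESTINATIONS = 32  # page: at most 32 applications or application groups
RATE_KEYS = {"upstream_kbps", "upstream_burst_bytes", "downstream_kbps",
             "downstream_burst_bytes", "loss_priority"}  # hypothetical key names

@dataclass
class Profile:
    """Constructed model of a steering profile; field names are hypothetical."""
    sla: dict = field(default_factory=dict)  # e.g. {"rtt_ms": 150, "loss_pct": 1}
    path_preference: Optional[str] = None    # "MPLS", "Internet", "Any", or None
    breakout_type: Optional[str] = None      # "local", "central", "cloud", or None
    failover_on: str = "any"                 # fail over on "any" or "all" violations
    traffic_type_enabled: bool = True
    rate_limit: Optional[dict] = None        # None means rate limiting is disabled

def classify(p):
    """Map a profile to the policy type described in the text."""
    if p.breakout_type:
        return "breakout"
    if p.sla:
        return "sla-based"
    if p.path_preference:
        return "path-based"
    return None

def lint(p, destinations, essentials=False):
    """Return the rule violations for one policy intent (empty list if none)."""
    errors = []
    kind = classify(p)
    if kind is None:
        errors.append("define at least one SLA parameter or a path preference")
    if kind == "sla-based" and essentials:
        errors.append("SLA-based steering is not supported by Secure SD-WAN Essentials")
    if not p.traffic_type_enabled:
        errors.append("traffic type profile must be enabled")
    if len(destinations) > MAX_DESTINATIONS:
        errors.append(f"more than {MAX_DESTINATIONS} destinations selected")
    if kind == "breakout" and p.rate_limit is not None:
        missing = sorted(RATE_KEYS - set(p.rate_limit))
        if missing:
            errors.append("rate limiting enabled but missing: " + ", ".join(missing))
    return errors

def failover_triggered(p, measured):
    """Apply the any/all path failover criterion to measured link metrics."""
    # A metric with no measurement is treated as not violated.
    violated = [measured.get(k, 0) > limit for k, limit in p.sla.items()]
    check = any if p.failover_on == "any" else all
    return bool(violated) and check(violated)
```
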