Managing LAN Segments on a Tenant Site

A network on a tenant site is divided into multiple LAN segments to improve traffic management and security. A LAN segment is a small portion of a LAN that is used by a work group. A grouping of multiple LAN segments forms a department. LAN segments are separated by a bridge or router.

Starting from Release 6.1.0, CSO supports automatic discovery of subnets behind LAN routers, which are connected to a Customer Premise Equipment (CPE) such as NFX or SRX Series Firewalls. Administrators can announce additional subnets on a LAN segment by using static and dynamic routing.

In addition, CSO enables you to control the route advertisements per LAN segment.

You can view and manage LAN segments from the LAN tab of the Site Name page.

These topics describe how to manage LAN segments on a site.

Adding LAN Segments

You add LAN segments from the Site Name page.

To add a LAN segment:

  1. Click Resources > Site Management.

    The Sites page appears.

  2. Click the site for which you want to add the LAN segment.

    The Site-Name page appears.

  3. Click the add icon (+) on the LAN tab.

    The Add LAN Segment page appears.

  4. Complete the configuration settings according to the guidelines provided in Table 1.
    Note:

    Fields marked with an asterisk (*) are mandatory.

  5. Click OK.

    You are returned to the Site-Name page, where the LAN segment that you added is displayed.

Table 1: Add LAN Segment Settings

Field

Description

Use for Overlay VPN

Enable the Use for Overlay VPN field to associate the LAN segment with the selected department (VRF + ZONE) for overlay traffic to other sites.

Disable the Use for Overlay VPN field to associate the LAN segment with a security zone for underlay breakout. You must define zone-based security policies.

Note:

When adding a new site, this field is enabled by default and cannot be modified. However, when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page, you can enable or disable this option.

Name

Enter a name for the LAN segment.

The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length allowed is 15 characters.

CPE Port

Note:

Applicable to SRX Series Firewalls.

Select the CPE port to be added in the LAN segment.

When you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page, you can select (or create) a LAG interface or a redundant Ethernet (reth) interface (for dual CPE cluster) to connect the SRX Series CPE devices to an EX series switch.

To use the et interface on SRX4600 devices, you must create a LAG interface and configure the et interface as a member of the LAG (aggregated Ethernet or ae) interface. See Create LAG Interface.

For an SRX4600 dual CPE cluster, you can use the et interface if it is configured as a member of the redundant Ethernet (reth) interface.

Add LAG Interface

Note:

This option is available when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page.

Click the link to create a LAG interface (ae interface) if you want to use it to connect the SRX Series CPE to the EX Series switch. See Create LAG Interface for details.

Create RETH Interface

Note:

This option is available when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page.

Click the link to create a reth interface for an SD-WAN site with a dual CPE cluster. See Create a RETH Interface for details.

Type

Note:

This field is displayed only for LAN segments associated with enterprise hub sites.

Select the type of LAN segment:

  • Directly Connected (default)—Indicates that the LAN segment is directly connected to the site.

  • Dynamic Routed—Indicates that the LAN segment is not directly connected to the site and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.

VLAN ID

Enter the VLAN ID for the LAN segment. By default, VLAN ID is set to 1 and native VLAN is enabled for untagged traffic.

You can use VLAN IDs in the following ranges to configure LAN segments:

  • SRX Series Firewalls (single and dual CPE) and vSRX Virtual Firewall: 1 – 4094 (in releases prior to CSO Release 6.2.0, the range is 1 – 4049)

  • NFX250 (single and dual CPE) and NFX150 devices: 1 – 4049

Use for Native VLAN

Enable this option to use the VLAN ID specified above for untagged traffic. The CPE interface is configured with a native-vlan-id, which has the same value as the VLAN ID.

Department

Note:

This field is available only if the Use for Overlay VPN field is enabled.

Select a department to which the LAN segment is assigned.

Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Add a Department for details.

You can group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department.

Gateway Address/Mask

Enter a valid gateway IP address and mask for the LAN segment. This address will be the default gateway for endpoints in this LAN segment.

For example: 192.0.2.8/24.

Zone

Note:

This field is available only if the Use for Overlay VPN field is disabled.

Select a security zone to be associated with this LAN segment. Alternatively, click Create Zone to create a new security zone and assign it to this LAN segment. See Adding a Security Zone for details.

DHCP

For directly connected LAN segments, click the toggle button to enable DHCP.

You can enable DHCP if you want to assign IP addresses by using a DHCP server or disable DHCP if you want to assign a static IP address to the LAN segment.

Note:

If you enable DHCP, additional fields appear on the page.

Additional fields related to DHCP

Address Range Low

Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Address Range High

Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Maximum Lease Time

Specify the maximum duration (in seconds) for which a client can request and hold a lease from the DHCP server.

Default: 1440

Range: 0 through 4,294,967,295 seconds.

Name Server

Specify one or more IPv4 addresses of the DNS server.

To enter more than one DNS server address, type the address, press Enter, and then type the next address.

Note:

DNS servers are used to resolve hostnames into IP addresses.

CPE Ports

Note:

Applicable to NFX150 and NFX250 devices.

For sites with SD-WAN capability, the CPE Ports field is disabled and the CPE ports that you can include in the LAN segment are listed.

Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

Static Routing

Use this section to configure static routing on the LAN segment. Provide the IP addresses of all the LAN routers connected to the CPE device and the static subnets behind these routers.

Add LAN Router IP Prefix

LAN Router IP

Enter the IP address of the LAN router that is connected to the CPE device.

Prefix

Enter the subnets that are connected to the LAN router.

BFD

Enable Bidirectional Forwarding Detection (BFD) to detect any failures on the static route.

Dynamic Routing

Routing Protocol

Enable this toggle button to configure dynamic routing using the BGP or OSPF protocol.

BFD

Enable Bidirectional Forwarding Detection (BFD) to detect any failures in the LAN segment.

Protocol

Select either BGP or OSPF.

BGP Configuration

Note:

Starting in Release 6.1.0, CSO explicitly disables the long-lived graceful restart (LLGR) capability for BGP peering sessions with provider edge (PE) and data center or LAN routers. Disabling LLGR ensures that the CPE does not differentiate the route advertisements to the peering router irrespective of the peering router’s LLGR capability.

Prior to CSO Release 6.1.0, LLGR helper mode is enabled by default (implicit behavior of Junos OS) on the CPE for BGP peering toward the PE router in IP VPN deployments, and toward data center or LAN routers in data center deployments.

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

BGP Options

You can select the following options based on your requirements:

  • AS-OVERRIDE: Replaces all occurrences of the peer AS number in the AS path with its own AS number before advertising the route to the peer.

  • AS-PATH-PREPEND: Prepends one or more autonomous system (AS) numbers at the beginning of an AS path. Prepending makes a shorter AS path look longer, so BGP prefers the route less.

  • AS-LOOP: Allows the local device’s AS number to be added in the received AS paths. You can specify the number of times the detection of local AS is allowed in the AS path.

Loop Count

This field is displayed only if you select AS-LOOP.

Enter the maximum number of times the detection of local AS is allowed in the AS path.

Peer IP Address

Enter the IP address of the LAN BGP peer.

Peer AS Number

Enter the autonomous system (AS) number of the LAN BGP peer. By default, CSO uses the AS number 64512. You can enter a different AS number.

Local AS Number

Enter the local AS number. When you configure this parameter, the local AS number is used for BGP peering instead of the global AS number configured for the CPE.

OSPF Configuration

OSPF Area ID

Specify the OSPF area identifier to be used for the dynamic route.

Authentication

Select the OSPF route authentication method to be used:

  • Password—Indicates that password-based authentication should be used. This is the default. If you choose this option, you must specify the password.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

  • None—Indicates that no authentication should be used.

Password

Enter the password to be used to verify the authenticity of OSPF packets.

Confirm Password

Retype the password for confirmation purposes.

MD5 Auth Key ID

If you specified that MD5 should be used for authentication, enter the OSPF MD5 authentication key ID.

Range: 1 through 255.

Auth Key

If you specified that MD5 should be used for authentication, enter an MD5 authentication key, which is used to verify the authenticity of OSPF packets.

Route Advertisement Control

LAN Route(s) to Overlay

When this option is enabled, LAN routes are advertised to the remote CPEs. By default, this option is enabled.

Overlay Route(s) to LAN

This option is displayed only if you enable the Routing Protocol toggle button. By default, this option is disabled.

Enable this option to advertise the remote CPE routes received in a department to the LAN router.

Note:

In CSO Release 6.0.0 and earlier releases, this option is called Advertise LAN Prefix and is applicable only for data center departments.

Aggr/Static Routes to Overlay

Enable this option to allow advertisement of summarized routes as static or aggregate routes to the overlay network.

  • If a large number of LAN routes are present, then you can disable the LAN Route(s) to Overlay option and use this option to advertise aggregate routes.

  • If you want to advertise additional routes, then you can enable the LAN Route(s) to Overlay option and use this option to advertise additional static routes.
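The following is an added pre-deployment check, not CSO code, that validates a LAN segment definition against the constraints given in Table 1 (name format and length, VLAN ID range per platform and CSO release, gateway address/mask, DHCP range and lease time, IPv4 name servers). The field names in the `seg` dictionary and the platform keys are assumptions made for this example; the checks that the DHCP range lies inside the gateway subnet and excludes the gateway address are added sanity checks the table does not state.

```python
import ipaddress
import re

# Constraints taken from the Add LAN Segment settings table on this page.
NAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,15}$")      # alphanumeric, '.' and '-', no spaces, max 15
VLAN_MAX = {"srx": 4094, "vsrx": 4094, "nfx150": 4049, "nfx250": 4049}
LEASE_MAX = 4_294_967_295                          # Maximum Lease Time upper bound, in seconds


def validate_lan_segment(seg: dict, platform: str, cso_release: str = "6.2.0") -> list[str]:
    """Return a list of problems found; an empty list means the segment passes all checks."""
    problems = []
    if not NAME_RE.match(seg.get("name", "")):
        problems.append("name must be 1-15 characters from [A-Za-z0-9.-] with no spaces")

    # SRX platforms got the 1-4094 range in CSO 6.2.0; earlier releases cap at 4049.
    vlan_max = VLAN_MAX[platform]
    if platform in ("srx", "vsrx") and tuple(map(int, cso_release.split("."))) < (6, 2, 0):
        vlan_max = 4049
    vlan = seg.get("vlan_id", 1)                    # VLAN ID defaults to 1
    if not 1 <= vlan <= vlan_max:
        problems.append(f"vlan_id {vlan} outside 1-{vlan_max} for {platform}")

    try:
        gateway = ipaddress.ip_interface(seg["gateway"])   # e.g. 192.0.2.8/24
    except (KeyError, ValueError):
        problems.append("gateway must be an IPv4 address with mask, e.g. 192.0.2.8/24")
        return problems
    subnet = gateway.network

    if seg.get("dhcp"):
        try:
            low = ipaddress.ip_address(seg["range_low"])
            high = ipaddress.ip_address(seg["range_high"])
        except (KeyError, ValueError):
            problems.append("DHCP requires valid range_low and range_high addresses")
            return problems
        if low > high:
            problems.append("DHCP address range low is above range high")
        # Added sanity checks (not stated in the table): the pool must fit the gateway subnet
        # and must not hand out the gateway's own address.
        if low not in subnet or high not in subnet:
            problems.append(f"DHCP range must lie inside the gateway subnet {subnet}")
        if low <= gateway.ip <= high:
            problems.append("DHCP range must not include the gateway address")
        lease = seg.get("lease_time", 1440)         # default shown in the table
        if not 0 <= lease <= LEASE_MAX:
            problems.append(f"lease_time must be 0-{LEASE_MAX} seconds")
        for ns in seg.get("name_servers", []):
            if ipaddress.ip_address(ns).version != 4:
                problems.append(f"name server {ns} is not an IPv4 address")
    return problems
```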
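As an added illustration of the three BGP Options described above (not CSO or Junos code), the functions below apply AS-OVERRIDE, AS-PATH-PREPEND and AS-LOOP to AS paths represented as Python lists. The AS numbers, the scenario of a LAN peer whose AS already appears in the received path, and the loop-count semantics (local AS accepted up to the configured count, rejected otherwise) are constructed from the table's wording.

```python
LOCAL_AS = 64512   # CPE's AS; 64512 is the default AS number quoted in the table
PEER_AS = 65001    # constructed AS number of the LAN BGP peer


def as_override(path, peer_as, local_as):
    """AS-OVERRIDE: before advertising to the peer, replace every occurrence of the peer's AS with ours."""
    return [local_as if asn == peer_as else asn for asn in path]


def as_path_prepend(path, local_as, times):
    """AS-PATH-PREPEND: add the local AS `times` extra hops so the path looks longer (less preferred)."""
    return [local_as] * times + path


def loop_ok(path, local_as, loop_count=0):
    """AS-LOOP: accept a received path if the local AS appears at most `loop_count` times.

    Plain BGP loop detection (loop_count=0) rejects any path containing the local AS.
    """
    return path.count(local_as) <= loop_count


def advertise(path, peer_as, local_as, override=False, prepend=0):
    """Build the AS path the CPE sends to the LAN peer: add our AS, then apply the selected options."""
    new_path = [local_as] + path
    if override:
        new_path = as_override(new_path, peer_as, local_as)
    return as_path_prepend(new_path, local_as, prepend)


def peer_accepts(path, peer_as, loop_count=0):
    """The peer's view of the advertisement: standard loop detection on its own AS number."""
    return loop_ok(path, peer_as, loop_count)
```

Without AS-OVERRIDE, a route whose path already carries the peer's own AS is dropped by the peer; with it, the peer sees only the CPE's AS and accepts the route.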

Edit a LAN segment

You can edit LAN segments associated with a site from the LAN tab in the Site Management page.

To edit a LAN segment:

  1. Click Resources > Site Management.

    The Site Management page appears.

  2. Click the Site-Name link for which you want to edit the associated LAN segment.

    The Site-Name page appears.

  3. Select the LAN tab.

    The associated LAN segments are displayed.

  4. Select the LAN segment you want to edit and click the edit (pencil) icon.

    The Edit LAN segment page appears.

  5. Complete the configuration settings according to the guidelines provided in Adding LAN Segments.
    Note:

    You cannot edit the Name and Use for Overlay VPN fields.

  6. Click OK.

    An Edit LAN segment job is triggered and you are returned to the LAN tab of the Site Management page.

    A confirmation message appears (with the job link) at the top of the page indicating that the job was created. You can click the job link to view details of the job (including job status, start date and time, and end date and time). Alternatively, you can view the status of the job on the Jobs (Monitor > Jobs) page.

    After the Edit LAN segment job completes successfully, the edited LAN segment is listed on the LAN tab of the Site Management page with the status Modified.

  7. Deploy the modified LAN segment to apply the changes on the site. See Deploying LAN Segments.

Deploying LAN Segments

After you create a LAN segment and assign it to a department, you must deploy the LAN segment. You can deploy LAN segments from the Site Name page.

To deploy one or more LAN segments:

  1. Click the LAN tab.

  2. Select one or more LAN segments that you want to deploy and click Deploy.

    A Deploy LAN Segment job is created.

    Note:

    If a Deploy LAN Segment job is in progress for a site, wait for the job to finish before triggering another Deploy LAN Segment job.

    If you attempt to trigger a Deploy LAN segment job when another one is running, the job fails with a message indicating that the previous LAN segment deployment job is in progress.

  3. Click More > Deploy History to view job status and deployment history of the LAN segment.

    The Deploy LAN Segment History page is displayed.

    Alternatively, you can verify the status of the job from the Monitor > Jobs page.

Deleting LAN Segments

You can delete LAN segments from the Site Name page.

To delete a LAN segment:

  1. Select a LAN segment and click the delete (X) icon on the LAN tab.

    The Delete LAN Segment page appears.

  2. Click OK to confirm deletion.

    The LAN segment is deleted.