
Add a Branch Site with SD-WAN Capability

An on-premises spoke (branch) represents an endpoint that is part of the customer premises equipment (CPE) at a physical location, such as a branch office or a point-of-sale location. Typically, these sites are connected to hub sites through overlay connections. You can add a branch site from the Site Management page.

The following device templates are supported for branch sites:

  • NFX150 as SD-WAN CPE

  • NFX250 as SD-WAN CPE

  • Dual NFX250 as SD-WAN CPEs

  • SRX as SD-WAN CPE

  • Dual SRX as SD-WAN CPEs

  • SRX4x00 as SD-WAN CPE

  • Dual SRX4x00 as SD-WAN CPEs

From CSO release 5.4.0 onward, the branch site creation and site activation workflows can be optionally separated, giving more flexibility for on-site installation of customer premises equipment (CPE).

In SD-WAN deployments comprising single or dual customer premises equipment (CPE), tenant administrators have the option to enter the serial number of the CPE device(s) after adding the branch site. The branch site can be added by a tenant administrator, and the CPE device associated with the site can be activated manually later by another authorized user. When manually activating the CPE device, the authorized user must enter either the serial number and the activation code, or only the serial number. The option to add branch sites without the serial number of a CPE device is applicable to both SRX and NFX (NFX150 and NFX250) device templates.

Note:

In dual CPE device templates, you cannot enter the serial number of one CPE device and omit the serial number of the other. You must either enter the serial numbers for both the primary and secondary devices while creating the site, or enter both serial numbers while activating the site.

Starting in Release 6.0.0, CSO supports the following SD-WAN services for a site:

  • Secure SD-WAN Essentials—Provides the basic SD-WAN services. This service is ideal for small enterprises that want to manage simple WAN connectivity with comprehensive NGFW security services at the branch sites, using link-based application steering. The SD-WAN Essentials service allows Internet traffic to break out locally, and thus avoids the need to backhaul web traffic over costly VPN or MPLS links. The sites support features such as intent-based firewall policies, WAN link management and control, CSO-controlled routing between sites connected through the static VPN, and site-to-site communication through MPLS or Internet links behind NAT. A tenant with the SD-WAN Essentials service level can create only SD-WAN Essentials sites.

    Note:

    You can upgrade a Secure SD-WAN Essentials site to a Secure SD-WAN Advanced site by editing the site information (allowed if the SD-WAN service level of the tenant is upgraded to Advanced).

  • Secure SD-WAN Advanced—Provides the complete SD-WAN service. This service is ideal for enterprises with one or more data centers that require flexible topologies and dynamic application steering. Site-to-site connectivity can be established by using a hub in a hub-and-spoke topology or through static or dynamic full-mesh VPN tunnels. Enterprise-wide intent-based SD-WAN policies and service-level agreement (SLA) measurements allow CSO to differentiate and dynamically route traffic for different applications.

    • SD-WAN sites on CSO Release 5.4.0 or earlier versions are treated as SD-WAN Advanced sites. You cannot downgrade the SD-WAN service level of a tenant from SD-WAN Advanced to SD-WAN Essentials.

Starting from CSO Release 6.0.0, the branch site creation workflow is simplified by making the provisioning of services optional during the onboarding process. You can configure the service during site creation or add the service later. To add a branch site without the SD-WAN service, see Add Branch or Enterprise Hub Sites Without Provisioning a Service.

To add a branch site with only SD-WAN capability:

  1. Select Resources > Site Management.

    The Sites page appears.

  2. Click Add and select Branch Site (Manual).

    The Add Branch Site page appears.

  3. Complete the configuration settings according to the guidelines provided in Table 1.
    Note:

    Fields marked with an asterisk (*) are mandatory.

  4. (Optional) You can review the configuration in the Summary tab and modify the settings, if required.
  5. Click OK.
    • If you entered a serial number during activation and automatic activation is enabled, the Site Activation Progress page appears. The site activation process proceeds through the tasks explained in Troubleshooting Site Activation Issues.

      Click OK to close the Site Activation Progress page.

    • If you did not enter a serial number and automatic activation is disabled, you are returned to the Site Management page. CSO triggers a job and displays a confirmation message with a job link. Click the link to view the status of the job. After the job finishes, the status of the site changes to CREATED.

      You must manually activate the device to finish the activation process.

    Note:

    The following procedure is applicable if zero touch provisioning (ZTP) is set to true in the device template. If ZTP is disabled in the device template, you must copy the stage-1 configuration and commit it on the device for CSO to proceed with the activation.

    To manually activate the CPE (branch site) device:

    1. Select the branch site CPE that has to be activated.
    2. Click the Activate Site link on the Site Management page.

      The Activate Site page appears.

    3. Enter the serial number(s) of the device and the activation code. Click OK.

      The Site Activation Progress page appears displaying the progress of steps executed for activating the CPE device. On successful activation of the device, the Site Status changes from Created to Provisioned.

  6. If you have enabled the Zero Touch Provisioning field, CSO applies the stage-1 configuration automatically.
    Note:

    The device is activated automatically if you have already provided the activation code and device serial number while creating the site.

    If you have disabled the Zero Touch Provisioning field for the device, you must manually configure the stage-1 configuration on the device.

    1. Click the Click to copy stage-1 config link next to the Prestage Device task on the Site Activation Progress page. If you close the Site Activation Progress page inadvertently, you can access the page from the Site Management page. Click the View link next to the status of the site, under the Site Status column.
      Note:

      You can also copy the configuration from the Devices page (Resources > Devices). Select the device and click Stage1 Config.

      The Stage-1 Configuration page appears displaying the stage-1 configuration.

    2. Copy the stage-1 configuration.
    3. Log in to the device and enter Junos OS configuration mode.
    4. Paste the configuration that you copied and commit the configuration.

      CSO applies the pre-script and stage-1 configuration (includes the device configuration). The status of the site changes to MANAGED on the Sites page.

    If you selected SD-WAN Services while adding the device, then CSO generates the service provisioning configuration and applies it on the device. The site status changes to PROVISIONED in the Site Management page.

    If you did not select SD-WAN Services while adding the device, then the device remains in the MANAGED state until you apply the service. You can edit the site and add the service. After you add the service, CSO applies the service provisioning configuration and the device is provisioned.

Table 1: Fields on the Add Site for Tenant-Name Page With only SD-WAN Capability

Field

Description

General

Site Information

Site Name

Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.

Device Host Name

The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.

Site Group

Select a site group to which you want to assign the site.

Site Capabilities

Note:

Device Management, enabled by default, allows you to create a site with only device management capability (without any services) and add services later.

To add an SD-WAN capability for this site, choose one of the following SD-WAN service types:

  • Secure SD-WAN Essentials—(Available for tenants with the SD-WAN Essentials or Advanced service level) Provides basic SD-WAN services. The sites support features such as intent-based firewall policies, WAN link management and control, CSO-controlled routing between sites connected through the static VPN, and site-to-site communication through MPLS-based or Internet-based links. The SD-WAN Essentials service does not support multihoming, dynamic mesh tunnels, cloud breakout profiles, SLA-based steering profiles, pool-based source NAT rules, IPv6, MAP-E, or underlay BGP.

  • Secure SD-WAN Advanced—(Available for tenants with the SD-WAN Advanced service level) Provides complete SD-WAN services. This service level is ideal for enterprises with one or more data centers that require flexible topologies and dynamic application steering. Site-to-site connectivity can be established by using a hub in a hub-and-spoke topology or through static or dynamic full-mesh VPN tunnels. Enterprise-wide intent-based SD-WAN policies and service-level agreement (SLA) measurements allow CSO to differentiate and dynamically route traffic for different applications.

Address and Contact Information

Street Address

Enter the street address of the site.

City

Enter the city where the site is located.

State/Province

Select the state or province where the site is located.

ZIP/Postal Code

Enter the postal code for the site.

Country

Select the country where the site is located.

Click the Validate button to verify the address.

  • The site address verification successful message is displayed if the address is verified.

    You can click the View location on a map link to see the address location.

  • If the address cannot be verified, the Site address could not be validated message is displayed.

Contact Name

Enter the name of the contact person for the site.

Email

Enter the e-mail address of the contact person for the site.

Phone

Enter the phone number of the contact person for the site.

Advanced Configuration

Domain Name Server

Specify one or more DNS server addresses; the addresses can be IPv4, IPv6, or a mix of both. To specify more than one DNS server address, type the address, press Enter, and then type the next address, and so on.

DNS servers are used to resolve hostnames into IP addresses.

NTP Server

Specify the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers.

Example: ntp.example.net

The site must have DNS reachability to resolve the FQDN during site configuration.

Select Timezone

Select the time zone of the site.

Device
Note:

Some fields in this section are displayed only if you enable the Device Redundancy option.

Device Redundancy

Disabled by default. Enable this option for dual CPEs.

The following prerequisites are necessary for enabling device redundancy:

  • Ensure that the control and fabric ports between both the nodes are connected.

  • Ensure that the device is preconfigured for management connectivity (factory-default or prestaged). Do not configure the control, fabric, and data (reth) ports as these ports will be reconfigured.

    To identify the control, fabric, management, and data ports for each SRX model, refer to the SRX High Availability Configurator tool.

    Note:

    Do not generate the configuration in the tool as CSO generates and applies the cluster configuration automatically.

  • If you are using ZTP on SRX300 and SRX320 devices, use ge-0/0/7 as the predefined DHCP port instead of ge-0/0/0.

  • Provide the fabric and data (reth) port information in the device template. The control and fxp0 ports are predefined. To change the control port, change it in the platform device template. To change the data (reth) port, change it in the SDWAN device template.

Device Series

Select the device series to which the CPE belongs—SRX, NFX150, or NFX250.

Based on the device series that you select, the supported device templates (containing information for configuring devices) are listed.

Select a device template for the selected device series.

Device Model

Select the device model number.

Device Root Password

The default root password is fetched from the ENC_ROOT_PASSWORD field in the device template. You can retain the password or change it by entering a password in plain-text format. The password is encrypted and stored on the device.

Zero Touch Provisioning

Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default.

Note:

By default, this button is disabled for vSRX Virtual Firewall. You can enable this button if the Junos OS version running on vSRX Virtual Firewall supports the phone-home client.

To use ZTP, ensure the following:

  • Device must have connectivity to CSO and Juniper phone-home server (https://redirect.juniper.net)

    Use telnet from the device to verify TCP connectivity on port 443 to both endpoints (Junos OS CLI syntax):

    telnet redirect.juniper.net port 443

    telnet <CSO-hostname-or-IP> port 443

    If both connections are established, the device has connectivity to the phone-home server and CSO.

  • Required certificates for phone-home server and CSO must be present on the device.

If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the firewall device is upgraded to the image that you select for the Boot Image.

If you disable ZTP, ensure that the device has connectivity to CSO. If the device is not prestaged/preconfigured, then you must provide the details under the Management Connectivity section so that CSO can generate the configuration as part of the stage-1 configuration. You can skip the Management Connectivity section if the device has connectivity to CSO.

If you disable ZTP, you must copy the stage-1 configuration from CSO and commit it on the device to start the onboarding process. Use any of the following options to copy the stage-1 configuration:

  • Click the Click to copy stage-1 config link next to Prestage Device task on the Site Activation Progress page.

    If you close the Site Activation Progress page inadvertently, you can access the page from the Site Management page. Click the View link next to the status of the site under the Site Status column.

  • On the Devices page (Resources > Devices), select the device and click Stage1 Config.

Serial Number

For a single CPE device, enter the serial number of the CPE device. Serial numbers are case-sensitive.

If you do not enter a serial number, the branch site is created but the CPE device associated with the site is not activated. See Step 5 for more information.

Node 0 Serial Number

For a dual CPE device, enter the serial number of the primary CPE device. The serial number is case sensitive.

If you do not enter a serial number, the branch site is created but the CPE device is not activated. See Step 5 for more information.

Node 1 Serial Number

For a dual CPE device, enter the serial number of the secondary CPE device. The serial number is case sensitive.

If you do not enter a serial number, the branch site is created but the CPE device is not activated. See Step 5 for more information.

Is Cluster Already Formed?

Note:

This field is available only for SRX dual CPE devices.

Click the toggle button to specify whether the SRX cluster has been manually formed (Yes) or not (No).

Cluster ID

Note:

This field is available only for SRX dual CPE devices.

If the SRX cluster hasn’t been formed manually, specify a unique ID for the cluster.

Range: 1 through 15

If you’ve enabled ZTP for the site, the cluster is automatically formed when the site is activated. If you’ve disabled ZTP, the following processes are displayed on the Site Activation Progress page (that appears after you’ve added the branch site):

  1. After CSO models the site (that is, after the Model Site process completes successfully), click the Click to copy pre script link, which appears next to the Pre Script process.

  2. Execute the commands as directed.

    After the Pre Script process completes successfully, the SRX cluster is formed and the recovery.conf file is saved on the cluster. In case you want to delete the site later, you’ll need this file to remove the stage-1 configuration and other configurations pushed to the device by CSO.

  3. Manually configure the stage-1 configuration on the primary device in the cluster. See Step 6.

After the cluster is detected, CSO executes the bootstrap and provisioning processes and completes provisioning the cluster.

Auto Activate

Click the toggle button to enable or disable automatic activation of the CPE device.

If you disable automatic activation, see the Activate a Device topic to manually activate the CPE.

Activation Code

If the automatic activation of the device is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site.

Node 0 Activation Code

If the automatic activation of dual CPEs is disabled, enter the activation code to manually activate the primary CPE device.

Node 1 Activation Code

If the automatic activation of dual CPEs is disabled, enter the activation code to manually activate the secondary CPE device.

Boot Image

Select the boot image from the drop-down list if you want to upgrade the image for the CPE device.

The boot image is the latest build image uploaded to the image management system. The boot image is used to upgrade the device when CSO starts the ZTP process.

If the boot image is not provided, then the device skips the procedure to upgrade the device image. The boot image (NFX or SRX) is populated based on the device template that you have selected while creating a site. See Uploading a Device Image.

(Device Template)

Select a device template, which contains information for configuring a device.

Management Connectivity

Note:

This section is displayed only when Zero Touch Provisioning is disabled. If you are adding a chassis cluster, then you must provide the interface details for both the nodes.

Address Family

Select IPv4 or IPv6.

Interface Name

This is the WAN interface that the device uses to connect to CSO.

Access Type

Select the access type for the underlay link. LTE, ADSL, and VDSL access types are supported only on Internet links.

Address assignment

DHCP is selected by default. If you want to provide a static IP address, select STATIC.

Management VLAN ID

Enter a VLAN ID for the WAN link.

Range: 0 through 4094

PPPoE

Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet).

ADSL/VDSL SFP Annex

Applicable only to MPLS or Internet links with ADSL or VDSL access types.

Click the toggle button to enable the Annex J support through an xDSL SFP module. Annex J is specified in ITU-T recommendations G.992.3 and G.992.5.

If you keep this option disabled, you must use a Mini-PIM module for connectivity.

Hub Configuration

Note:

Hub selection is optional for both SD-WAN Advanced and Essentials sites. SD-WAN Essentials sites do not support multihoming. However, you can edit an Essentials site (post activation) to upgrade it to an Advanced site and add a secondary hub later if required, provided that the tenant’s service level is upgraded to Advanced.

You can connect a Secure SD-WAN Advanced branch site only to Secure SD-WAN Advanced enterprise hubs.

Primary Provider Hub

Select the primary hub site to which this branch site must connect.

Secondary Provider Hub

Note:

Not applicable to sites with the Secure SD-WAN Essentials service.

Select the secondary hub site to which this site must connect.

This site connects to the secondary data hub site when the primary data hub is not reachable.

Primary Enterprise Hub

Select the enterprise hub with which you want to connect the branch site. If you specify an enterprise hub, then the initial site-to-site traffic as well as the central breakout (backhaul) traffic (if applicable) is sent through the enterprise hub instead of the hub site.

Secondary Enterprise Hub

Note:

Not applicable to sites with the Secure SD-WAN Essentials service.

Select the secondary enterprise hub for this branch site.

The branch site connects with secondary enterprise hub when the primary enterprise hub is not reachable.

Use Mesh Tags to connect EHub

This toggle button is enabled by default. If this button is enabled, CSO uses mesh tags to automatically form the overlay tunnel between the site and the enterprise hubs.

Disable this toggle button if you want to manually create static tunnels (one per WAN link) between the branch site and the enterprise hubs. If you disable this option, you must manually enable at least one WAN link to connect to the enterprise hub by using the Connects to Enterprise Hubs toggle button in the Advanced Settings of the WAN link.

WAN Links

Note:

In Release 6.1.0, CSO moves a site to the PROVISIONED state when at least one of the WAN links obtains the IP address and is activated. You can activate the remaining DHCP WAN links later. If the provisioned site establishes Dynamic VPN (DVPN) tunnels to other sites before the DHCP WAN links are activated, then these DHCP WAN links participate in DVPN only when the tunnels are deleted and added back (that is, traffic between a pair of sites falls below the delete threshold, and then crosses the create threshold again).

WAN_0 WAN-Interface-Name

This field is enabled by default.

Enter parameters related to WAN_0. Fields marked with an asterisk (*) must be configured to proceed.

Link Type

Select whether the link is an MPLS link or Internet link.

Access Type

Select the access type for the underlay link. Starting in CSO Release 6.3.0, you can select LTE for SRX300 Series dual CPE devices.

Note:
  • You can select the LTE access type only for one WAN link. You can select the ADSL or VDSL access type only for two WAN links.

  • You cannot configure:

    • LTE as the access type if you are using the dual NFX device templates.

    • ADSL or VDSL as the access type if you are using the dual SRX, or the single or dual NFX device templates.

    In these cases, Ethernet is configured as the access type for the underlay link.

  • SRX300 does not support LTE and ADSL access types.

  • On SRX300 line of Services Gateways (except SRX300 devices) and NFX150 devices, the LTE WAN link is supported through a SIM card that is inserted in the SIM slot of the Mini-Physical Interface Module (Mini-PIM). On NFX250 devices, the LTE WAN link is supported through a USB dongle (Vodafone K5160 dongle) that is plugged into the USB port of the CPE device.

  • LTE is supported on MPLS links only if there is no NAT in the end-to-end path.

  • CSO supports the following combination of MPLS tunnels (with ADSL or VDSL access types) for a branch device:

    • From the branch site (with an ADSL or VDSL access type) to an enterprise hub, provider hub, or a branch site (with Ethernet link).

    • From the branch site (with an ADSL or VDSL access type) to another branch site (with an ADSL or VDSL link).

  • CSO does not support site-to-site DVPN tunnels over LTE in dual CPE deployments. Tunnels are formed if the sites have matching mesh tags; however, the tunnels might not come up.

  • CSO does not support PPP over LTE in dual CPE deployments.

Link Redundancy

In SRX300 Series dual CPE deployments, the LTE Mini-PIM can be installed on either a single node (node 0 or node 1) or both nodes (represented as a single WAN link on CSO).

If the LTE Mini-PIM is installed in only one node, then this option is not applicable and must be disabled. Configure the corresponding WAN link (WAN_0 or WAN_2 for node 0 and WAN_1 or WAN_3 for node 1) as an LTE WAN link.

Enable the toggle button if the LTE Mini-PIM is installed in both the nodes. However, as the LTE link operates in active/backup mode in dual CPE deployments, only one link is active at a time. If you prefer to have the active link on node 0, then configure either the WAN_0 or WAN_2 link as an LTE WAN link. Similarly, if you prefer to have the active link on node 1, configure either the WAN_1 or WAN_3 link.

Note:

Before configuring an LTE WAN link, you must update the device template with the slots in which the LTE Mini-PIM is installed.

The following table summarizes the information provided above:

Node 0                     | Node 1                     | LTE Redundancy | WAN Link
LTE Mini-PIM installed     | LTE Mini-PIM installed     | Enable         | WAN_0 or WAN_2 (active LTE link on node 0), or WAN_1 or WAN_3 (active LTE link on node 1)
LTE Mini-PIM installed     | LTE Mini-PIM not installed | Disable        | WAN_0 or WAN_2
LTE Mini-PIM not installed | LTE Mini-PIM installed     | Disable        | WAN_1 or WAN_3

Note:

You cannot edit the Link Redundancy option for an existing LTE WAN link. To change the Link Redundancy setting, you must delete the WAN link and reconfigure it.
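The access-type restrictions in the Access Type note and the Link Redundancy table above can be checked before a site is submitted. The following is an added example, not CSO code: a pre-check of a planned WAN-link layout against those documented rules. The dict layout for a WAN link, the `nat_in_path` flag and the `lte_pim_nodes` argument (the page says the Mini-PIM slots live in the device template) are assumptions made for this illustration.

```python
"""Pre-check of a planned branch-site WAN-link layout against the access-type
rules and the LTE Link Redundancy table documented for CSO branch sites.
Added example, not part of CSO. The per-link dict keys and the lte_pim_nodes
argument are assumptions made for this illustration."""

# Device templates listed on the page, grouped by the rules that apply to them.
DUAL_NFX = {"Dual NFX250 as SD-WAN CPEs"}
DUAL_SRX = {"Dual SRX as SD-WAN CPEs", "Dual SRX4x00 as SD-WAN CPEs"}
SINGLE_NFX = {"NFX150 as SD-WAN CPE", "NFX250 as SD-WAN CPE"}
XDSL = {"ADSL", "VDSL"}
# WAN_0/WAN_2 belong to node 0 and WAN_1/WAN_3 to node 1 in dual CPE templates.
NODE_OF_LINK = {"WAN_0": 0, "WAN_2": 0, "WAN_1": 1, "WAN_3": 1}


def check_wan_links(template, model, links, lte_pim_nodes=()):
    """Return a list of rule violations; an empty list means the layout passes.

    links: list of dicts with keys
        name            'WAN_0' .. 'WAN_3'
        link_type       'MPLS' or 'Internet'
        access          'Ethernet', 'LTE', 'ADSL' or 'VDSL'
        nat_in_path     optional bool, NAT present on the end-to-end path
        link_redundancy optional bool, the Link Redundancy toggle
    lte_pim_nodes: nodes (0 and/or 1) in which an LTE Mini-PIM is installed
    (assumed input for this example).
    """
    problems = []
    lte = [l for l in links if l["access"] == "LTE"]
    xdsl = [l for l in links if l["access"] in XDSL]

    # Counts: LTE on one WAN link only, ADSL/VDSL on at most two.
    if len(lte) > 1:
        problems.append("LTE can be selected for only one WAN link")
    if len(xdsl) > 2:
        problems.append("ADSL/VDSL can be selected for at most two WAN links")

    # Template restrictions from the Access Type note.
    if lte and template in DUAL_NFX:
        problems.append("LTE is not supported with dual NFX device templates")
    if xdsl and template in (DUAL_SRX | SINGLE_NFX | DUAL_NFX):
        problems.append("ADSL/VDSL is not supported with dual SRX or NFX device templates")
    if model == "SRX300" and any(l["access"] in ("LTE", "ADSL") for l in links):
        problems.append("SRX300 does not support the LTE and ADSL access types")

    # LTE on an MPLS link is supported only without NAT in the end-to-end path.
    for l in lte:
        if l["link_type"] == "MPLS" and l.get("nat_in_path", False):
            problems.append(f"{l['name']}: LTE on an MPLS link needs a NAT-free end-to-end path")

    # Link Redundancy table for dual SRX: where the Mini-PIM sits decides the
    # toggle value and which WAN link may carry LTE.
    if lte and template in DUAL_SRX:
        link = lte[0]
        pim = set(lte_pim_nodes)
        node = NODE_OF_LINK.get(link["name"])
        wants_redundancy = link.get("link_redundancy", False)
        if not pim:
            problems.append(f"{link['name']}: no LTE Mini-PIM recorded for either node")
        elif pim == {0, 1}:
            if not wants_redundancy:
                problems.append(f"{link['name']}: Mini-PIM in both nodes, enable Link Redundancy")
        else:
            (only_node,) = pim
            if wants_redundancy:
                problems.append(f"{link['name']}: Mini-PIM in one node only, Link Redundancy must be disabled")
            if node != only_node:
                problems.append(f"{link['name']}: belongs to node {node} but the Mini-PIM is in node {only_node}")
    return problems


if __name__ == "__main__":
    # Constructed sample: single SRX with an Ethernet MPLS link and an LTE Internet link.
    sample = [
        {"name": "WAN_0", "link_type": "MPLS", "access": "Ethernet"},
        {"name": "WAN_1", "link_type": "Internet", "access": "LTE"},
    ]
    for problem in check_wan_links("SRX as SD-WAN CPE", "SRX345", sample) or ["layout passes"]:
        print(problem)
```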

WAN Link (Node 0 or Node 1)

Displays the node to which the WAN link belongs. WAN_0 and WAN_2 belong to node 0 whereas WAN_1 and WAN_3 belong to node 1.

PPPoE/PPP

Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet) or PPP (Point-to-Point Protocol). By default, this toggle button is disabled.

PPPoE works with Ethernet, ADSL, and VDSL access types while PPP works with the LTE access type.

Note:

This toggle button is not available for Internet links with LTE as the access type.

You can enable PPPoE or PPP per WAN link. If you’ve enabled this toggle button, you must specify the PPPoE or PPP parameters (username, password, and authentication protocol) for the PPPoE or PPP server, respectively. The PPPoE or PPP server assigns an IP address to the WAN link after successful authentication. For more information, see the PPPoE/PPP Settings section in this table. You can enable PPPoE or PPP on MPLS-based or internet-based WAN links.

If you’ve disabled this toggle button, select a method (DHCP or STATIC) to assign an IP address to the WAN link from the Address Assignment list.

ADSL/VDSL SFP Annex

Applicable only to MPLS or Internet links with ADSL or VDSL access types.

Click the toggle button to enable the Annex J support through an xDSL SFP module. Annex J is specified in ITU-T recommendations G.992.3 and G.992.5.

If you keep this option disabled, you must use a Mini-PIM module for connectivity.

You can enable or disable this option only on new WAN links being added to a site. You cannot enable or disable this option for the existing WAN links by using the site edit workflow.

You can enable this option along with other parameters such as PPPoE, static IP address (IPv4/IPv6), DHCP, and VLAN ID.

Access Point Name (APN)

The access point name (APN) determines the Packet Data Network Gateway (P-GW) that the CPE device must use to connect to the Packet Data Network (PDN) such as Internet. All CPE devices are shipped with default APN settings. However, if you choose to use a private APN with the current LTE service provider or to use a different LTE service provider, enter the APN for the CPE device (as specified by the service provider) in this field.

This field is displayed only if you have enabled PPPoE/PPP for MPLS links with LTE as the access type. If you have disabled PPPoE/PPP for these links, CSO uses the default APN settings.

Egress Bandwidth

Enter the maximum bandwidth, in Mbps, allowed on the WAN link.

Range: 1 through 10,000.

Note:

This option is not available for Internet and MPLS links with LTE access type.

Underlay Address Families

IPv4

Click the toggle button to enable or disable IPv4 address assignment for the WAN link. By default, IPv4 address assignment is enabled for the WAN link.

The WAN link requires an IPv4 address to connect to an IPv4 network.

Address Assignment Method

Select the method of assigning an IPv4 address to the WAN link—DHCP (Dynamic Host Configuration Protocol) or STATIC.

This field is displayed only if you have disabled the PPPoE/PPP toggle button.

If you select STATIC, you must provide the IPv4 address prefix and the gateway IPv4 address for the WAN link.

Note:

For Internet and MPLS links with LTE access type, you can select only DHCP for address assignment.

Static IP Prefix

If you’ve configured the address assignment method as STATIC, enter the IPv4 address prefix of the WAN link.

Gateway IP Address

If you’ve configured the address assignment method as STATIC, enter the IPv4 address of the gateway of the WAN service provider.

MTU

Applicable only to IPv4 addresses.

Enter the maximum transmission unit (MTU) size for the media or protocol. The supported MTU range can vary depending on the device, interface type, network topology, and other individual requirements. See also: MTU Default and Maximum Values and LTE Mini Physical Interface Modules (LTE Mini-PIM).

Editing the MTU values of all the OAM-enabled WAN links of a site at the same time might result in tunnel flapping. You must ensure that at least one OAM-enabled WAN link always remains undisrupted for a site. For example, if you have a site with four WAN links (including two links that support OAM traffic), you can edit the MTU values of all the WAN links except one OAM-enabled link at the same time. After the edit is complete and the changes are saved, you can edit the site again and update the remaining WAN link.

Note:
  • Editing the MTU value of a WAN link can affect the traffic flow on that link.

  • If you enable the PPPoE/PPP option under a WAN link, the MTU option is displayed under the PPPoE/PPP Settings section for that link.

IPv6

Click the toggle button to enable or disable IPv6 address assignment for the WAN link. By default, IPv6 address assignment is disabled for the WAN link.

The WAN link requires an IPv6 address to connect to an IPv6 network.

Note:
  • IPv6 address assignment is supported only for sites with Secure SD-WAN Advanced service.

  • You cannot enable IPv6 address assignment for NFX250 devices.

Address Assignment Method

Select the method of assigning an IPv6 address to the WAN link—DHCP (Dynamic Host Configuration Protocol - router advertisement only), STATIC, or SLAAC (Stateless Address Auto Configuration).

This field is displayed only if you’ve disabled the PPPoE/PPP toggle button.

If you select STATIC, you must provide the IPv6 address prefix and the gateway IPv6 address for the WAN link.

Note:

For Internet and MPLS links with LTE access type, you can select only DHCP for address assignment.

Static IP Prefix

If you’ve configured the address assignment method as STATIC, enter the IPv6 address prefix of the WAN link.

Gateway IP Address

If you’ve configured the address assignment method as STATIC, enter the IPv6 address of the gateway of the WAN service provider.

WAN Link (Primary or Secondary)

For dual CPE device templates, displays whether the WAN link is a primary link or a secondary link. You cannot modify this field.

Advanced Settings

Address Family (Tunnel Creation)

Select the underlay address family (IPv4 or IPv6) that is used to establish the overlay tunnel. The options on the list are populated based on the address family that you’ve configured for the underlay (either IPv4 or IPv6, or both).

Provider

Enter the name of the service provider (SP) providing the WAN service.

Only alphanumeric characters and '_', '@', '.', '/', '#', '&', '+' and '-' are allowed. The maximum number of characters allowed is 15.

Cost/Month

Enter the cost for using the WAN link per month and select the currency in which the cost is indicated from the adjacent drop-down list.

Range: 1 through 10,000.

In bandwidth-optimized SD-WAN, CSO uses this information to identify the least-expensive link to route traffic when multiple WAN links meet SLA profile parameters.

Link Priority

Enter a value in the range 1-255. A lower value indicates a more preferred link. A value of 1 indicates highest priority and a value of 255 indicates lowest priority. If you do not enter a value, the link priority is considered as 255.

Enable Local Breakout

Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled.

Note:
  • If you enable this option, the WAN link can be used for local breakout. The decision of whether traffic breaks out locally from the site depends on the breakout profile that is referenced in the SD-WAN policy intent.

  • If you do not enable local breakout on at least one WAN link for a single CPE connection plan and at least two WAN links for a dual CPE connection plan, then local breakout is disabled for the site.

Breakout Options

Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

MAP-E

Click the toggle button to enable or disable the Mapping of Address and Port with Encapsulation (MAP-E) functionality on the IPv6 WAN link. By default, MAP-E is disabled.

MAP-E supports transporting IPv4 packets across an IPv6 network by using IPv4-in-IPv6 encapsulation.

For more information on MAP-E, see Mapping of Address and Port with Encapsulation on NFX Series Devices.

Note:
  • MAP-E is compliant only with the Japan Network Enabler (JPNE) standards.

  • CSO supports MAP-E only on one WAN link of the branch site (Secure SD-WAN Advanced service only) with NFX150 as the CPE. IPV6 address assignment and local breakout must be enabled for the WAN link.

Autocreate Source NAT Rule

Note:

Sites with Secure SD-WAN Essentials service support interface-based source NAT rules only. If you enable this option for an SD-WAN Essentials site, interface-based source NAT rules are automatically applied. If you enable this option for an SD-WAN Advanced site, you must select a source NAT rule from the Translation field.

Click the toggle button to enable or disable the automatic creation of source NAT rules. By default, this field is enabled when IPv4 address assignment and local breakout are enabled for the WAN link.

Table 2 explains how source NAT rules are automatically created on the WAN link. The automatically created source NAT rules are implicitly defined and applied to the site, and are not visible on the NAT Policies page.

Note:

You can manually override automatically created NAT rules by creating a NAT rule within a particular rule-set. For example, to use a source NAT pool instead of an interface for translation, create a NAT rule within that rule-set that includes the relevant department zone and WAN interface as the source and destination. For example:

Dept-Zone1 --> W1 : Translation=Pool-2

The manually created NAT rule is placed at a higher priority than the corresponding automatically created NAT rule.

You can also add other fields (such as addresses, ports, protocols, and so on) as part of the source or destination endpoints. For example:

Dept-Zone1, Port 56578 --> W1: Translation=Pool-2

Translation

Note:

This field is displayed only if the automatic creation of source NAT rules is enabled for the WAN link, and the SD-WAN service used is Advanced. Sites with Secure SD-WAN Essentials service support interface-based source NAT rules only.

Select the type of NAT to use for the traffic on the WAN link:

  • Interface—Use interface-based NAT, which is the default.

  • Pool—Use pool-based NAT. If you select this option, you must specify the IP addresses that are to be used for the NAT pool.

    Note:

    No NAT is performed for tenant-owned public IP addresses.

IP Addresses

For pool-based NAT, enter one or more IP addresses, subnets, or an IP address range. Separate multiple IP addresses by using commas and use a hyphen to denote a range; for example, 192.0.2.1-192.0.2.50.

Preferred Breakout Link

Click the toggle button to enable the WAN link as the most preferred breakout link.

If you disable this option, then the breakout link is chosen using ECMP from the available breakout links.

BGP Underlay Options

Note:

Not applicable to sites with SD-WAN Essentials service.

Note:

This setting can be configured only if IPv4 address assignment (with STATIC as the address assignment method) and local breakout are enabled for the WAN link.

Click the toggle button to enable BGP underlay routing.

When you enable BGP underlay routing, route advertisements to the primary PE node and, if configured, the secondary PE node occur as follows:

  • CSO advertises the WAN interface subnet.

  • If you configured pool-based translation, CSO advertises the NAT address pool.

Note:

If underlay BGP is enabled for a WAN link, then the routes learnt from BGP are installed for local breakout; CSO does not generate the static default route.

Primary Neighbor

Displays the IP address that you entered for the gateway for the WAN link.

Secondary Neighbor

If you want to provide PE resiliency, you can configure a secondary PE node.

Enter the IP address of the secondary PE node.

Note:

If the primary PE node goes down, then the secondary PE is used as the next hop. When the primary PE comes back up, the route next hops are changed to the primary PE.

eBGP Peer-AS-Number

Enter the autonomous system (AS) number for the external (EBGP) peer.

Note:

If the peer AS number is not configured or the peer AS number that is configured is the same as that of the CPE site, then the BGP type is assumed to be internal BGP (IBGP).

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

Advertise Public LAN Prefixes

Click the toggle button to enable the advertisement of public LAN prefixes. This field is disabled by default.

If the tenant has a public IP address pool configured and you enable the advertisement of public LAN prefixes, then for LAN segments that are created with a subnet that falls under the tenant public IP address pool, CSO advertises the LAN subnet to the BGP underlay.

Note:

When public LAN advertisement is enabled for the WAN link, public LAN prefixes are advertised through the BGP underlay towards MPLS or the Internet. If a site has two versions of the route installed for the same LAN prefix in the overlay and underlay, the overlay routes are always preferred over underlay.

Use For Fullmesh

Click the toggle button to specify whether the WAN link can be a part of a fullmesh topology.

A site with a single-CPE device can have a maximum of three WAN links enabled for meshing and a site with dual-CPE devices can have a maximum of four WAN links enabled for meshing.

Note:

Even if you enable this field, sites with SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

Mesh Overlay Link Type

When the Use for Fullmesh field is enabled, select the type of mesh overlay link: GRE or GRE_IPSEC.

If the link type is Internet, by default, the value for mesh overlay link type is GRE_IPSEC.

If the link type is MPLS, select one of the following options:

  • GRE_IPSEC

  • GRE

Note:

If you’ve enabled IPv6 address assignment for the WAN links, you can select only GRE_IPSEC as the type of mesh overlay link.

Mesh Tag

When the Use for Fullmesh field is enabled, enter the tag to be associated with the WAN link for creating tunnels. You can assign only one tag to the link.

Matching mesh tags is one of the criteria used to form tunnels between sites that support meshing.

  • For a branch site, you can select one mesh tag.

  • For an enterprise hub, you can select one or more mesh tags.

For more information about mesh tags, see Mesh Tags Overview.

Connects to Enterprise Hubs

This field is not displayed if you have enabled the Use Mesh Tags to Connect EHub field in the Hub Configuration section.

Enable this toggle button if you want to manually connect the site to an enterprise hub, without using mesh tags.

Primary EHub Tunnel Type

This field is displayed only if you have enabled the Connects to Enterprise Hubs field.

Select the tunnel type to be used for the connection between the branch site and the primary enterprise hub.

Primary EHub Peer Device

This field is displayed only if you have enabled the Connects to Enterprise Hubs field.

Displays the name of the primary enterprise hub you have selected.

Primary Ehub Peer Interface

This field is displayed only if you have enabled the Connects to Enterprise Hubs field.

Select the primary enterprise hub WAN link that needs to be part of the tunnel. You can select multiple WAN links.

Secondary EHub Tunnel Type

This field is displayed only if you have enabled the Connects to Enterprise Hubs field.

Select the tunnel type to be used for the connection between the branch site and the secondary enterprise hub.

Secondary EHub Peer Device

This field is displayed only if you have enabled the Connects to Enterprise Hubs field.

Displays the name of the secondary enterprise hub you have selected.

Secondary Ehub Peer Interface

This field is displayed only if you have enabled the Connects to Enterprise Hubs field.

Select the secondary enterprise hub WAN link that needs to be part of the tunnel. You can select multiple WAN links.

Connects to Provider Hubs

Note:

The Connects to Provider Hubs field is available only if you have selected a provider hub.

Click the toggle button to specify that the WAN link of the site connects to a hub.

Note:
  • For sites with a single CPE, you must enable at least one WAN link to connect to the hub so that OAM traffic can be transmitted.

  • For sites with a dual CPE, you must enable at least one WAN link per device to connect to the hub so that OAM traffic can be transmitted.

Use for OAM Traffic

If you have specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link.

This WAN link is then used to establish the OAM tunnel.

Overlay Tunnel Type

This field is displayed when the Connects to Provider Hubs field is enabled and only one provider hub (primary) is specified.

Select the mesh overlay tunnel type (GRE or GRE_IPSEC) of the tunnel to the hub.

MPLS links can have both GRE and GRE_IPSEC as the overlay link type, whereas Internet links can have only GRE_IPSEC as the overlay link type.

Overlay Peer Device

This field is displayed when the Connects to Provider Hubs field is enabled and only one provider hub (primary) is specified.

Displays the peer hub device to which the site is connected.

Overlay Peer Interface

This field is displayed when the Connects to Provider Hubs field is enabled and only one provider hub (primary) is specified.

Select the interface name of the hub device to which the WAN link of the site is connected.

Overlay Tunnel Type 1

This field is displayed when the Connects to Provider Hubs field is enabled and both primary and secondary hubs are specified.

Select the mesh overlay tunnel type (GRE or GRE_IPSEC) for the tunnel to the primary hub.

MPLS links can have both GRE and GRE_IPSEC as the overlay link type, whereas Internet links can have only GRE_IPSEC as the overlay link type.

Overlay Peer Device 1

This field is displayed when the Connects to Provider Hubs field is enabled and both primary and secondary hubs are specified.

Displays the primary peer hub device to which the site is connected.

Overlay Peer Interface 1

This field is displayed when the Connects to Provider Hubs field is enabled and both primary and secondary hubs are specified.

Select the interface name of the primary hub device to which the WAN link of the site is connected.

Overlay Tunnel Type 2

This field is displayed when the Connects to Provider Hubs field is enabled and both primary and secondary hubs are specified.

Select the mesh overlay tunnel type (GRE or GRE_IPSEC) for the tunnel to the secondary hub.

MPLS links can have both GRE and GRE_IPSEC as the overlay link type, whereas Internet links can have only GRE_IPSEC as the overlay link type.

Overlay Peer Device 2

This field is displayed when the Connects to Provider Hubs field is enabled and both primary and secondary hubs are specified.

Displays the secondary peer hub device to which the site is connected.

Overlay Peer Interface 2

This field is displayed when the Connects to Provider Hubs field is enabled and both primary and secondary hubs are specified.

Select the interface name of the secondary hub device to which the WAN link of the site is connected.

Backup Link

Select a backup link through which traffic can be routed when the primary (other) links are unavailable. You can select any link other than the default links or links that are configured exclusively for local breakout traffic.

When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, SLA data is not monitored for the backup link.

Default Link

Select one or more links that will be used for routing traffic in the absence of matching SD-WAN policy intents. A site can have multiple default links to the hub site.

Default links are used primarily for overlay traffic but can also be used for local breakout traffic. However, a default link cannot be used exclusively for local breakout traffic. If you do not specify a default link, then equal-cost multipath (ECMP) is used to choose the link on which to route traffic.

VLAN ID

Enter a VLAN ID for the WAN link.

Range: 0 through 4049 (4050 to 4094 is reserved by CSO).

Note:
  • If you are configuring more than one WAN link on the same physical interface, only one WAN link can be untagged; for the remaining WAN links, you must configure a VLAN ID.

  • A combination of tagged and untagged on the same physical interface is supported only for single CPE devices.

  • You cannot have a combination of tagged and untagged WAN links on the same et interface. If you are configuring multiple WAN links on the same et interface, then you must specify a VLAN ID for all the links.

WAN_1 WAN-Interface-Name

Click the toggle button to enable or disable the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 WAN-Interface-Name for an explanation of the fields.

WAN_2 WAN-Interface-Name

Click the toggle button to enable or disable the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 WAN-Interface-Name for an explanation of the fields.

WAN_3 WAN-Interface-Name

Click the toggle button to enable or disable the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed. Refer to the fields described for WAN_0 WAN-Interface-Name for an explanation of the fields.

PPPoE/PPP Settings

Username

Enter the username for the PPPoE server or PPP server, as specified by the service provider. For example, ISP-ANetwork.

Password

Enter the password for the PPPoE server or PPP server, as specified by the service provider.

Authentication Protocol

Select Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) for authentication, as specified by the service provider.

Advanced Configuration

Note:

Sites with SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

OAM IP Prefix

Enter an IPv4 address prefix (such as 10.100.100.11/32) for the loopback interface on the CPE device. The IP address prefix should be a /32 IP address prefix and must be unique across the entire management network.

Note:

We recommend that you do not configure this setting (leave the IP Prefix field blank) because management connectivity is handled automatically by CSO.

Traffic Volume Metrics

Choose a method to compute the SD-WAN traffic volume on the WAN links of the site. CSO uses this data to provide a graphical representation of the WAN traffic volume on the Site Details page.

  • Session-Based—Computes and reports the session-based traffic volume on the site's WAN links, at the closure of each session. This is the default method.
  • Time-Based—Computes and reports the traffic volume at periodic intervals during a session.

DVPN Threshold for Tunnel Creation

Note:

Not applicable to sites with SD-WAN Essentials service.

Enter the number of sessions closed between two connected sites within a two-minute period above which full mesh is created between the two sites.

The default value is 5.

For example, if you specify the number of sessions as 5, dynamic mesh tunnels are created if the number of sessions closed between two branch sites in 2 minutes exceeds 5.

DVPN Threshold for Tunnel Deletion

Note:

Not applicable to sites with SD-WAN Essentials service.

Enter the number of sessions closed between the connected sites within a 15-minute period at or below which full mesh is deleted between the two sites.

The default value is 8.

For example, if you specify the number of sessions closed as 8, dynamic mesh tunnels are deleted if the number of sessions closed is less than or equal to 8.
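The two DVPN thresholds described above, worked through as an added Python example (this is not CSO code). The sliding-window bookkeeping, the choice to run the deletion check at the end of each 15-minute interval, and the site names and timestamps are assumptions made for the example.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

CREATE_WINDOW_S = 2 * 60    # creation threshold is judged over a two-minute window
DELETE_WINDOW_S = 15 * 60   # deletion threshold is judged over a 15-minute window

SitePair = Tuple[str, str]


class DvpnTunnelManager:
    """Tracks sessions closed between site pairs and applies the DVPN thresholds.

    Defaults follow the page: create above 5 closes in 2 minutes, delete at or
    below 8 closes in 15 minutes. Essentials sites never get dynamic tunnels.
    """

    def __init__(self, create_threshold: int = 5, delete_threshold: int = 8,
                 service: str = "Advanced"):
        self.create_threshold = create_threshold
        self.delete_threshold = delete_threshold
        self.service = service                      # "Advanced" or "Essentials"
        self.closes: Dict[SitePair, Deque[float]] = {}   # close timestamps per pair
        self.tunnels: set = set()                   # pairs with a dynamic tunnel

    @staticmethod
    def pair(a: str, b: str) -> SitePair:
        # direction does not matter: A->B and B->A count toward the same pair
        first, second = sorted((a, b))
        return (first, second)

    @staticmethod
    def _prune(closes: Deque[float], now: float) -> None:
        # keep only closes inside (now - 15 min, now]; older history is irrelevant
        while closes and closes[0] <= now - DELETE_WINDOW_S:
            closes.popleft()

    def has_tunnel(self, a: str, b: str) -> bool:
        return self.pair(a, b) in self.tunnels

    def session_closed(self, a: str, b: str, now: float) -> str:
        """Record one closed session between a and b at time `now` (seconds).

        Returns "created" when the two-minute count exceeds the creation threshold
        and no tunnel exists yet, otherwise "unchanged".
        """
        if self.service != "Advanced":
            return "unchanged"          # not applicable to SD-WAN Essentials sites
        p = self.pair(a, b)
        closes = self.closes.setdefault(p, deque())
        closes.append(now)
        self._prune(closes, now)
        in_two_minutes = sum(1 for t in closes if t > now - CREATE_WINDOW_S)
        if p not in self.tunnels and in_two_minutes > self.create_threshold:
            self.tunnels.add(p)
            return "created"
        return "unchanged"

    def deletion_check(self, now: float) -> List[SitePair]:
        """Assumed to run at the end of each 15-minute interval.

        Deletes tunnels whose pair closed delete_threshold sessions or fewer in the
        last 15 minutes and returns the deleted pairs.
        """
        deleted: List[SitePair] = []
        for p in sorted(self.tunnels):
            closes = self.closes.get(p, deque())
            self._prune(closes, now)
            if len(closes) <= self.delete_threshold:
                deleted.append(p)
        for p in deleted:
            self.tunnels.discard(p)
        return deleted


if __name__ == "__main__":
    # constructed timeline: six closes in 50 seconds, then silence
    m = DvpnTunnelManager()
    for t in (0, 10, 20, 30, 40, 50):
        print(t, m.session_closed("site-A", "site-B", t))
    print("after 15 min:", m.deletion_check(900))
    print("after 30 min:", m.deletion_check(1800))
```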

LAN Segment Configuration

Add LAN Segment

You must add at least one LAN segment for a branch site. To add a LAN segment:

  1. Click the + icon.

    The Add LAN Segment page appears.

  2. Complete the configuration settings according to the guidelines provided in Table 3.

  3. Click Save.

    The LAN segment is added and you are returned to the Add Site for Tenant-Name page.

Configuration Templates (Optional)

Configuration Templates List

Select one or more configuration templates from the list. This list is filtered based on the device that you select.

Configuration templates are stage-2 templates that are added by your OpCo administrators or SP administrators or Tenant administrators.

Note:

You must set the parameters of the configuration templates that you have selected before you move to the LAN section.

To set the parameters for the selected configuration templates:

  1. After you select one or more configuration templates, click Set Parameters.

    The Device Configurations page appears. This page consists of two tabs—Configure and Summary.

  2. In the Configure tab fill in the attributes for each of the configuration templates.

    (Optional) View the CLI commands in the Summary tab.

  3. Click Save.

    You have added and set the parameters for the configuration templates that are part of the site template that you are creating.

Table 2: Automatic Creation of Source NAT Rules

Autocreate Source NAT Rule: Disabled

Translation: Not applicable (No NAT)

NAT Rules Creation: None.

Autocreate Source NAT Rule: Enabled

Translation: Interface-Based (Default)—CSO creates interface-based NAT rules.

NAT Rules Creation: Source NAT rules are automatically created, with each rule from a department zone to the WAN interface, with a translation of type interface. Each [zone - interface] pair represents a rule-set.

For example, the following department zone to (WAN link) W1 interface rule-set might be created:

Dept-Zone1 --> W1: Translation=Interface
Dept-Zone2 --> W1: Translation=Interface
Dept-Zone3 --> W1: Translation=Interface

When traffic from a branch site breaks out at an enterprise hub, a source NAT rule is automatically created at the enterprise hub from the department routing group (also referred to as VRF group) to the WAN interface:

Dept-vrf-group --> W1: Translation=Interface

Autocreate Source NAT Rule: Enabled

Translation: Pool-Based—CSO automatically creates pool-based NAT rules (not applicable to sites with SD-WAN Essentials service).

NAT Rules Creation: Source NAT rules are automatically created, with each rule from a department zone to the WAN NAT pool, with a translation of type pool.

For example, the following source NAT rules from department zones to the NAT pool might be created:

Dept-Zone1 --> W1 : Translation=Pool-1
Dept-Zone2 --> W1 : Translation=Pool-1

When traffic from a branch site breaks out at an enterprise hub, a source NAT rule is automatically created at the enterprise hub from the department routing group to the WAN pool:

Dept-vrf-group --> W1: Translation=Pool
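The rule-set behaviour described in Table 2 and in the note under Autocreate Source NAT Rule (automatic per-[zone - interface] rules, a manual rule in the same rule-set taking priority, and no NAT for tenant-owned public addresses) modelled as an added Python example; this is not CSO code. The zone, interface and pool names, the port value, the tenant public pool, and the decision to check tenant public addresses before the rule lookup are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    zone: str                       # source endpoint: department zone (or VRF group at an EHub)
    wan_if: str                     # destination endpoint: WAN interface (W1, W2, ...)
    translation: str                # "Interface", "Pool-1", "Pool-2", ...
    src_port: Optional[int] = None  # optional extra match on the source endpoint
    manual: bool = False            # manually created rules sit above automatic ones


class SourceNatRuleSets:
    """Models the [zone - interface] rule-sets that CSO builds for a WAN link."""

    def __init__(self, tenant_public_pool=()):
        # key is the (zone, interface) pair; rules are kept in priority order
        self.rule_sets: Dict[Tuple[str, str], List[NatRule]] = {}
        self.tenant_public = [ip_network(p) for p in tenant_public_pool]

    def autocreate(self, zones, wan_if: str, translation: str = "Interface") -> None:
        """Autocreate Source NAT Rule enabled: one rule per department zone to the
        WAN interface, translation "Interface" (default) or a pool name."""
        for zone in zones:
            rule = NatRule(zone, wan_if, translation)
            self.rule_sets.setdefault((zone, wan_if), []).append(rule)

    def add_manual(self, zone: str, wan_if: str, translation: str,
                   src_port: Optional[int] = None) -> None:
        """A manually created rule is placed above the automatic rule of the same
        rule-set; earlier manual rules stay ahead of later ones (first match wins)."""
        rules = self.rule_sets.setdefault((zone, wan_if), [])
        manual_count = sum(1 for r in rules if r.manual)
        rules.insert(manual_count, NatRule(zone, wan_if, translation, src_port, True))

    def resolve(self, zone: str, wan_if: str, src_ip: str,
                src_port: Optional[int] = None) -> str:
        """Return the translation applied to a flow, or "None" when no NAT is done."""
        # Tenant-owned public addresses are not translated (assumption: checked first).
        if any(ip_address(src_ip) in net for net in self.tenant_public):
            return "None"
        for rule in self.rule_sets.get((zone, wan_if), []):
            if rule.src_port is None or rule.src_port == src_port:
                return rule.translation
        return "None"   # no rule-set for this zone/interface pair


def build_branch_example() -> SourceNatRuleSets:
    """Constructed branch: three department zones on W1, interface NAT autocreated,
    one manual override for Dept-Zone1 traffic from port 56578 to Pool-2."""
    rs = SourceNatRuleSets(tenant_public_pool=["203.0.113.0/24"])  # constructed
    rs.autocreate(["Dept-Zone1", "Dept-Zone2", "Dept-Zone3"], "W1")
    rs.add_manual("Dept-Zone1", "W1", "Pool-2", src_port=56578)
    return rs


if __name__ == "__main__":
    rs = build_branch_example()
    for key, rules in rs.rule_sets.items():
        for r in rules:
            print(f"{r.zone} --> {r.wan_if}: Translation={r.translation}"
                  f"{' (manual, port %d)' % r.src_port if r.manual else ''}")
```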

Table 3: Fields on the Add LAN Segment page

Field

Description

Use for Overlay VPN

Enable the Use for Overlay VPN field to associate the LAN segment with the selected department (VRF + ZONE) for overlay traffic to other sites.

Disable the Use for Overlay VPN field to associate the LAN segment with a security zone for underlay breakout. You must define zone-based security policies.

Note:

When adding a new site, this field is enabled by default and cannot be modified. However, when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page, you can enable or disable this option.

Name

Enter a name for the LAN segment.

The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length allowed is 15 characters.

CPE Port

Note:

Applicable to SRX Series Firewalls.

Select the CPE port to be added in the LAN segment.

When you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page, you can select (or create) a LAG interface or a redundant Ethernet (reth) interface (for dual CPE cluster) to connect the SRX Series CPE devices to an EX Series switch.

To use the et interface on SRX4600 devices, you must create a LAG interface and configure the et interface as a member of the LAG (aggregated Ethernet or ae) interface. See Create LAG Interface.

For an SRX4600 dual CPE cluster, you can use the et interface if it is configured as a member of the redundant Ethernet (reth) interface.

Add LAG Interface

Note:

This option is available when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page.

Click the link to create a LAG interface (ae interface) if you want to use it to connect the SRX Series CPE to the EX Series switch. See Create LAG Interface for details.

Create RETH Interface

Note:

This option is available when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page.

Click the link to create a reth interface for an SD-WAN site with a dual CPE cluster. See Create a RETH Interface for details.

Type

Note:

This field is displayed only for LAN segments associated with enterprise hub sites.

Select the type of LAN segment:

  • Directly Connected (default)—Indicates that the LAN segment is directly connected to the site.

  • Dynamic Routed—Indicates that the LAN segment is not directly connected to the site and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.

VLAN ID

Enter the VLAN ID for the LAN segment. By default, VLAN ID is set to 1 and native VLAN is enabled for untagged traffic.

You can use VLAN IDs in the following ranges to configure LAN segments:

  • SRX Series Firewalls (single and dual CPE) and vSRX Virtual Firewall: 1 – 4094 (in releases prior to CSO Release 6.2.0, the range is 1 – 4049)

  • NFX250 (single and dual CPE) and NFX150 devices: 1 – 4049

Use for Native VLAN

Enable this option to use the VLAN ID specified above for untagged traffic. The CPE interface is configured with a native-vlan-id, which has the same value as the VLAN ID.

Department

Note:

This field is available only if the Use for Overlay VPN field is enabled.

Select a department to which the LAN segment is assigned.

Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Add a Department for details.

You can group LAN segments as departments for ease of management and for applying policies at the department level. For LAN segments that are dynamically routed, you can assign only a data center department.

Gateway Address/Mask

Enter a valid gateway IP address and mask for the LAN segment. This address will be the default gateway for endpoints in this LAN segment.

For example: 192.0.2.8/24.

Zone

Note:

This field is available only if the Use for Overlay VPN field is disabled.

Select a security zone to be associated with this LAN segment. Alternatively, click Create Zone to create a new security zone and assign it to this LAN segment. See Adding a Security Zone for details.

DHCP

For directly connected LAN segments, click the toggle button to enable DHCP.

You can enable DHCP if you want to assign IP addresses by using a DHCP server or disable DHCP if you want to assign a static IP address to the LAN segment.

Note:

If you enable DHCP, additional fields appear on the page.

Additional fields related to DHCP

Address Range Low

Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Address Range High

Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Maximum Lease Time

Specify the maximum duration (in seconds) for which a client can request and hold a lease on the DHCP server.

Default: 1440

Range: 0 through 4,294,967,295 seconds.

Name Server

Specify the IPv4 addresses of one or more DNS servers.

To enter more than one DNS server address, type the address, press Enter, and then type the next address.

Note:

DNS servers are used to resolve hostnames into IP addresses.

CPE Ports

Note:

Applicable to NFX150 and NFX250 devices.

For sites with SD-WAN capability, the CPE Ports field is disabled and the CPE ports that you can include in the LAN segment are listed.

Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

Static Routing

Use this section to configure static routing on the LAN segment. Provide the IP addresses of all the LAN routers connected to the CPE device and the static subnets behind these routers.

Add LAN Router IP Prefix

LAN Router IP

Enter the IP address of the LAN router that is connected to the CPE device.

Prefix

Enter the subnets that are connected to the LAN router.

BFD

Enable Bidirectional Forwarding Detection (BFD) to detect any failures on the static route.

Dynamic Routing

Routing Protocol

Enable this toggle button to configure dynamic routing using the BGP or OSPF protocol.

BFD

Enable Bidirectional Forwarding Detection (BFD) to detect any failures in the LAN segment.

Protocol

Select either BGP or OSPF.

BGP Configuration

Note:

Starting in Release 6.1.0, CSO explicitly disables the long-lived graceful restart (LLGR) capability for BGP peering sessions with provider edge (PE) and data center or LAN routers. Disabling LLGR ensures that the CPE does not differentiate the route advertisements to the peering router irrespective of the peering router’s LLGR capability.

Prior to CSO Release 6.1.0, LLGR helper mode is enabled by default (implicit behavior of Junos OS) on the CPE for BGP peering towards PE router in IP VPN deployments, and data center or LAN routers in data center deployments.

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

BGP Options

You can select the following options based on your requirements:

  • AS-OVERRIDE: Replaces all occurrences of the peer AS number in the AS path with its own AS number before advertising the route to the peer.

  • AS-PATH-PREPEND: Prepends one or more autonomous system (AS) numbers at the beginning of an AS path. Prepending an AS path makes a shorter AS path look longer and therefore it becomes less preferable to BGP.

  • AS-LOOP: Allows the local device’s AS number to be added in the received AS paths. You can specify the number of times the detection of local AS is allowed in the AS path.

Loop Count

This field is displayed only if you select AS-LOOP.

Enter the maximum number of times the detection of local AS is allowed in the AS path.

Peer IP Address

Enter the IP address of the LAN BGP peer.

Peer AS Number

Enter the autonomous system (AS) number of the LAN BGP peer. By default, CSO uses the AS number 64512. You can enter a different AS number.

Local AS Number

Enter the local AS number. When you configure this parameter, the local AS number is used for BGP peering instead of the global AS number configured for the CPE.

OSPF Configuration

OSPF Area ID

Specify the OSPF area identifier to be used for the dynamic route.

Authentication

Select the OSPF route authentication method to be used:

  • Password—Indicates that password-based authentication should be used. If you choose this option, you must specify the password. (This is the default).

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

  • None—Indicates that no authentication should be used.

Password

Enter the password to be used to verify the authenticity of OSPF packets.

Confirm Password

Retype the password for confirmation purposes.

MD5 Auth Key ID

If you specified that MD5 should be used for authentication, enter the OSPF MD5 authentication key ID.

Range: 1 through 255.

Auth Key

If you specified that MD5 should be used for authentication, enter an MD5 authentication key, which is used to verify the authenticity of OSPF packets.

Route Advertisement Control

LAN Route(s) to Overlay

When this option is enabled, LAN routes are advertised to the SD-WAN overlay. By default, this option is enabled.

Export Policy

For more granular control over routes that are advertised to the overlay network, you can configure policies in conjunction with the LAN Route(s) to Overlay option. For example, when the LAN Route(s) to Overlay option is enabled, you can configure policies to prevent specific routes from being advertised. Similarly, when the LAN Route(s) to Overlay option is disabled, you can configure policies to allow only specific routes to be advertised.

To change the order of the policies, drag and drop the rows to move them up or down. To add a policy, click the + icon.

Add Export Policy

Name

Enter a name for the policy. The name can contain letters, numbers, and hyphens (-) and can be up to 255 characters long.

Match Conditions

A match condition defines the criteria that the route must match. You can define one or more of the following match conditions:

  • From: Protocol—Select one or more protocols to match.

  • From: Prefix—Enter the route prefixes to match.

  • Prefix Match—Select the match type for the prefix:

    • Exact: Routes must exactly match one of the prefixes.

    • Longer: Routes must be within the specified prefixes and the route's prefix length must be greater than the given prefix length.

    • orlonger: Routes must be within the specified prefixes and the route's prefix length must be greater than or equal to the given prefix length.

  • From: Tag—Enter a number to be associated with the routes.

    Range: 0 through 4,294,967,295

Then: Action

Select any of the following actions for the routes that meet the match conditions:

  • Accept—Advertise the matched routes to the SD-WAN overlay.
  • Reject—Reject the matched routes.
  • Next Term—Evaluate the next term in the policy.

Overlay Route(s) to LAN

This option is displayed only if you enable the Routing Protocol toggle button. By default, this option is disabled.

Enable this option to advertise the SD-WAN overlay routes to the LAN router. You can use import and export policies for granular control of the route advertisements.

Note:

In CSO Release 6.0.0 and earlier releases, this option is called Advertise LAN Prefix and is applicable only for data center departments.

BGP or OSPF Import Policy (This section is displayed if you enabled dynamic routing.)

You can add import policies for granular control of the routes that the CPE accepts from the LAN router.

To change the order of the policies, drag and drop the rows to move them up or down. To add a policy, click the + icon. See Table 4.

BGP or OSPF Export Policy (This section is displayed if you enabled dynamic routing.)

You can add export policies for granular control of the routes that the CPE advertises to the LAN router.

To change the order of the policies, drag and drop the rows to move them up or down. To add a policy, click the + icon. See Table 4.

Aggr/Static Routes to Overlay

Enable this option to allow advertisement of summarized routes as static or aggregate routes to the overlay network.

  • If a large number of LAN routes are present, then you can disable the LAN Route(s) to Overlay option and use this option to advertise aggregate routes.

  • If you want to advertise additional routes, then you can enable the LAN Route(s) to Overlay option and use this option to advertise additional static routes.

Table 4: BGP and OSPF Policies

BGP Import Policy

Match conditions (you can define one or more of the following):

  • From: Prefix—Enter the route prefixes to match.
  • Prefix Match—Select the match type for the prefix:
    • Exact: Routes must exactly match one of the prefixes.
    • Longer: Routes must be within the specified prefixes and the route's prefix length must be greater than the given prefix length.
    • orlonger: Routes must be within the specified prefixes and the route's prefix length must be greater than or equal to the given prefix length.
  • From: Neighbor—Enter the IP address of the LAN BGP peer.
  • From: Community—Enter the name of one or more communities. A match occurs if one name matches the community attribute of the received prefix.
  • From: AS Path—Enter the preconfigured autonomous systems (AS) path regular expression that must be matched.

Actions:

  • Then: AS Path Prepend—Enter the AS numbers that must be prepended to a route's AS path. Use a space to separate the numbers.
  • Then: AS Path Expand Count—Enter the number of times the last AS number in the existing AS path must be affixed to the beginning of the AS path. The AS numbers are added before the local AS number is added to the path.

    Range: 1 through 32

  • Then: Add Community—Add a new community.
  • Then: Local Preference—Enter a local preference value for the route.

    Range: 0 through 4,294,967,295

  • Then: Action—Select any of the following actions for the routes that meet the match conditions:
    • Accept—Accept the matched routes.
    • Reject—Reject the matched routes.
    • Next Term—Evaluate the next term in the policy.

BGP Export Policy

Match conditions (you can define one or more of the following):

  • From: Protocol—Enter the protocols to match.
  • From: Prefix—Enter the route prefixes to match. You can enter only IPv4 addresses.
  • Prefix Match—Select the match type for the prefix:
    • Exact: Routes must exactly match one of the prefixes.
    • Longer: Routes must be within the specified prefixes and the route's prefix length must be greater than the given prefix length.
    • orlonger: Routes must be within the specified prefixes and the route's prefix length must be greater than or equal to the given prefix length.
  • From: Prefix Length Range—Enter a range of prefix lengths to match.
  • From: Neighbor—Enter the IP address of the LAN BGP peer.
  • From: Community—Enter the name of one or more communities. A match occurs if one name matches the community attribute of the received prefix.
  • From: Tag—Enter the route tag value to match.

    Range: 0 through 4,294,967,295

  • From: AS Path—Enter the preconfigured autonomous systems (AS) path regular expression that must be matched.

Actions:

  • Then: AS Path Prepend—Enter the AS numbers that must be prepended to a route's AS path. Use a space to separate the numbers.
  • Then: AS Path Expand Count—Enter the number of times the last AS number in the existing AS path must be affixed to the beginning of the AS path. The AS numbers are added before the local AS number is added to the path.

    Range: 1 through 32

  • Then: Add Community—Add a new community.
  • Then: Nexthop Self—Enable this option to configure the loopback address of the CPE as the next hop.
  • Then: Local Preference—Enter a local preference value for the route.

    Range: 0 through 4,294,967,295

  • Then: Action—Select any of the following actions for the routes that meet the match conditions:
    • Accept—Advertise the matched routes to the LAN router.
    • Reject—Reject the matched routes.
    • Next Term—Evaluate the next term in the policy.

OSPF Import Policy

Match conditions (you can define one or more of the following):

  • From: Prefix—Enter the route prefixes to match.
  • Prefix Match—Select the match type for the prefix:
    • Exact: Routes must exactly match one of the prefixes.
    • Longer: Routes must be within the specified prefixes and the route's prefix length must be greater than the given prefix length.
    • orlonger: Routes must be within the specified prefixes and the route's prefix length must be greater than or equal to the given prefix length.
  • From: Tag—Enter the route tag value to match.

    Range: 0 through 4,294,967,295

Actions:

  • Then: Action—Select any of the following actions for the routes that meet the match conditions:
    • Accept—Accept the matched routes.
    • Reject—Reject the matched routes.
    • Next Term—Evaluate the next term in the policy.

OSPF Export Policy

Match conditions (you can define one or more of the following):

  • From: Protocol—Enter the protocols to match.
  • From: Prefix—Enter the route prefixes to match. You can enter only IPv4 addresses.
  • Prefix Match—Select the match type for the prefix:
    • Exact: Routes must exactly match one of the prefixes.
    • Longer: Routes must be within the specified prefixes and the route's prefix length must be greater than the given prefix length.
    • orlonger: Routes must be within the specified prefixes and the route's prefix length must be greater than or equal to the given prefix length.
  • From: Neighbor—Enter the IP addresses of one or more OSPF neighbors.
  • From: Community—Enter the name of one or more communities. A match occurs if one name matches the community attribute of the received prefix.
  • From: AS Path—Enter the preconfigured autonomous systems (AS) path regular expression that must be matched.

Actions:

  • Then: Tag—Enter the tag value to set on the matched routes.

    Range: 0 through 4,294,967,295

  • Then: Action—Select any of the following actions for the routes that meet the match conditions:
    • Accept—Advertise the matched routes to the LAN router.
    • Reject—Reject the matched routes.
    • Next Term—Evaluate the next term in the policy.
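The policy semantics described under Add Export Policy and in Table 4 (ordered terms, the three prefix match types, Accept, Reject and Next Term, and the Then modifiers) are easy to get wrong when a policy is built in the GUI, in particular how term order and the LAN Route(s) to Overlay toggle interact. The following is an added example, not CSO code: a small evaluator that models those semantics on constructed routes. The route and term field names, the `default_accept` parameter (standing in for the toggle) and the assumption that "last AS number" means the most recently added AS are this example's own choices.

```python
"""Ordered route-policy evaluation with the match conditions and actions
this page lists (constructed model, not CSO code)."""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str                              # e.g. "10.1.0.0/16"
    protocol: str = "direct"                 # direct, static, bgp, ospf, ...
    tag: int = 0
    neighbor: Optional[str] = None           # peer the route was learned from
    communities: List[str] = field(default_factory=list)
    as_path: List[int] = field(default_factory=list)  # most recently added AS first
    local_pref: int = 100


def prefix_matches(route_prefix: str, policy_prefix: str, mode: str) -> bool:
    """Implements the Exact / Longer / orlonger prefix-match types."""
    r = ipaddress.ip_network(route_prefix, strict=False)
    p = ipaddress.ip_network(policy_prefix, strict=False)
    if mode == "exact":
        return r == p
    if r.version != p.version or not r.subnet_of(p):
        return False
    if mode == "longer":
        return r.prefixlen > p.prefixlen
    if mode == "orlonger":
        return r.prefixlen >= p.prefixlen
    raise ValueError("unknown prefix match type: %s" % mode)


@dataclass
class Term:
    name: str
    # "From" conditions; an empty list or None is a wildcard
    protocols: List[str] = field(default_factory=list)
    prefixes: List[str] = field(default_factory=list)
    prefix_match: str = "exact"
    tag: Optional[int] = None
    neighbor: Optional[str] = None
    communities: List[str] = field(default_factory=list)
    # "Then" modifiers, applied before the final action
    as_path_prepend: List[int] = field(default_factory=list)
    as_path_expand_count: int = 0
    add_community: Optional[str] = None
    local_pref: Optional[int] = None
    set_tag: Optional[int] = None
    action: str = "accept"                   # accept | reject | next-term

    def matches(self, route: Route) -> bool:
        if self.protocols and route.protocol not in self.protocols:
            return False
        if self.prefixes and not any(
                prefix_matches(route.prefix, p, self.prefix_match) for p in self.prefixes):
            return False
        if self.tag is not None and route.tag != self.tag:
            return False
        if self.neighbor is not None and route.neighbor != self.neighbor:
            return False
        # Community: a match occurs if any listed name is present on the route.
        if self.communities and not any(c in route.communities for c in self.communities):
            return False
        return True

    def apply(self, route: Route) -> Route:
        r = replace(route, communities=list(route.communities), as_path=list(route.as_path))
        if self.as_path_expand_count and r.as_path:
            # Assumption: "last AS number in the existing AS path" is the most
            # recently added one (the peer's AS), which is first in our list.
            r.as_path = [r.as_path[0]] * self.as_path_expand_count + r.as_path
        if self.as_path_prepend:
            r.as_path = list(self.as_path_prepend) + r.as_path
        if self.add_community and self.add_community not in r.communities:
            r.communities.append(self.add_community)
        if self.local_pref is not None:
            r.local_pref = self.local_pref
        if self.set_tag is not None:
            r.tag = self.set_tag
        return r


def evaluate(policy: List[Term], route: Route, default_accept: bool) -> Tuple[bool, Route]:
    """Terms are tried in order; the first Accept or Reject decides. Next Term keeps
    that term's modifications and continues. default_accept is what happens when no
    term decides: for an export policy it mirrors the LAN Route(s) to Overlay toggle
    (True = unmatched routes are still advertised)."""
    current = route
    for term in policy:
        if not term.matches(current):
            continue
        current = term.apply(current)
        if term.action == "accept":
            return True, current
        if term.action == "reject":
            return False, current
        if term.action != "next-term":
            raise ValueError("unknown action: %s" % term.action)
    return default_accept, current


def demo() -> List[Tuple[bool, Route]]:
    """Constructed LAN routes and an export policy used with the toggle enabled:
    advertise everything except the management range and a tagged lab prefix,
    and pad the AS path of one site prefix without deciding on it."""
    routes = [
        Route("10.1.0.0/16", "ospf"),
        Route("10.1.20.0/24", "ospf"),
        Route("10.9.0.0/16", "static", tag=777),
        Route("10.2.0.0/16", "bgp", neighbor="10.0.0.2", as_path=[65002],
              communities=["65000:100"]),
        Route("192.168.99.0/24", "static"),
    ]
    policy = [
        Term("deny-mgmt", prefixes=["192.168.0.0/16"], prefix_match="orlonger", action="reject"),
        Term("deny-lab", tag=777, action="reject"),
        Term("pad-site", prefixes=["10.2.0.0/16"], as_path_prepend=[65001, 65001],
             local_pref=200, action="next-term"),
    ]
    return [evaluate(policy, r, default_accept=True) for r in routes]
```

With the toggle enabled, only routes that hit a Reject term are withheld and everything else goes to the overlay; with the toggle disabled (`default_accept=False`), a route is advertised only if some term explicitly accepts it, which is the "allow only specific routes" pattern the Export Policy text describes. Because the first deciding term wins, a broad Reject placed above a narrow Accept silently swallows the Accept, which is why the row order in the GUI matters.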