Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Add Enterprise Hubs with SD-WAN Capability

An enterprise hub site is an SD-WAN site that is used to carry site-to-site traffic between on-premise spoke sites (branch sites) and to break out backhaul (central breakout) traffic from branch sites. An enterprise hub typically has a data center department behind it; however, this is not enforced in Contrail Service Orchestration (CSO). The following device templates are supported for enterprise hubs:

  • SRX as SD-WAN CPE (vSRX Virtual Firewall only)

  • Dual SRX as SD-WAN CPEs (vSRX Virtual Firewall only)

  • SRX-1500 as SD-WAN CPE

  • Dual SRX1500 as SD-WAN CPEs

  • SRX4x00 as SD-WAN CPE

  • Dual SRX4x00 as SD-WAN CPEs

Note:

Starting in CSO Release 6.0.0, in SD-WAN deployments, using hubs to connect sites is optional.

In SD-WAN deployments comprising single or dual customer premises equipment (CPE), tenant administrators have an option to enter the serial number of the CPE device(s) after adding the enterprise hub sites. The enterprise hub can be added by a tenant administrator and activated manually by another authorized user. The authorized user must enter either the serial number and the activation code, or only the serial number when manually activating the device later.

Note:

In Dual CPE device templates, you cannot add serial number for one CPE and skip entering serial number for the other CPE device. You can either enter serial numbers for both primary and secondary devices while creating the site or enter both serial numbers while activating the site.

Starting in Release 6.0.0, CSO supports the following SD-WAN services for a site:

  • Secure SD-WAN Essentials—Provides the basic SD-WAN services, ideal for small enterprises. See Add a Branch Site with SD-WAN Capability for details.

    Note:

    A tenant with the Advanced SD-WAN service level can create enterprise hubs only with the Advanced SD-WAN service. A Secure SD-WAN Advanced branch site connects only to secure SD-WAN Advanced enterprise hubs.

  • Secure SD-WAN Advanced—Provides the complete SD-WAN service. All sites of the tenant with Secure SD-WAN Advanced service are connected in full mesh or hub-and-spoke topology.

    Note:

    The SD-WAN sites on CSO Release 5.4 or earlier versions are treated as SD-WAN Advanced sites.

Starting from CSO Release 6.0.0, the enterprise hub site creation workflow is simplified by making the provisioning of services optional during the onboarding process. You can configure the service during the site creation or add the service later. To add an enterprise site without the SD-WAN service, see Add Branch or Enterprise Hub Sites Without Provisioning a Service.

To add an enterprise hub site:

Note:

You can add enterprise hub sites only for tenants with real-time optimized SD-WAN mode.

  1. Click Resources > Site Management.

    The Sites page appears.

  2. Click Add and select Enterprise Hub.

    The Add Enterprise Hub page appears.

  3. Complete configuration settings according to guidelines provided in Table 1.
    Note:

    Fields marked with an asterisk (*) are mandatory.

  4. (Optional) You can review the configuration in the Summary tab and modify the settings, if required.
  5. Click OK.
    • If you entered a serial number during activation and automatic activation is enabled, the Site Activation Progress page appears. The site activation process proceeds through the tasks explained in Troubleshooting Site Activation Issues.

      Click OK to close the Site Activation Progress page.

    • If you did not enter a serial number and the automatic activation is disabled, you are returned to the Site Management page. CSO triggers a job and displays a confirmation message with a job link. Click the link to view the status of the job. After the job is finished, CSO displays a confirmation message with a job link. The status of the site changes to CREATED.

      You must manually activate the device to finish the activation process.

    Note:

    The following procedure is applicable if zero touch provisioning (ZTP) is set true in the device template. If ZTP is disabled in the device template, you must copy the stage-1 configuration and commit it on the device for CSO to proceed with the activation.

    To manually activate the CPE (enterprise hub) device:

    1. Select the enterprise hub that has to be activated.
    2. Click Activate Site link in the Site Management page.

      The Activate Site page appears.

    3. Enter the serial number(s) of the device and the activation code. Click OK.

      The Site Activation Progress page appears displaying the progress of steps executed for activating the enterprise hub. On successful activation of the device, the Site Status changes from Created to Provisioned.

Table 1: Add Enterprise Hub for <Tenant-Name> Settings (WAN Capability)

Field

Description

General

Site Information

Site Name

Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.

Device Host Name

The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.

Site Group

Select a site group to which you want to assign the site.

Site Capabilities

Note:

Device Management, enabled by default, allows you to create a site with only device management capability (without any services) and add services later.

To add an SD-WAN capability for this site, choose one of the following SD-WAN service types:

  • Secure SD-WAN Essentials—(Available for tenants with SD-WAN Essentials service level) Provides basic SD-WAN services. This service is ideal for small enterprises looking for managing simple WAN connectivity with comprehensive NGFW security services at the branch sites, using link-based application steering. The SD-WAN Essentials service does not support multihoming, dynamic mesh tunnels, cloud breakout profiles, SLA-based steering profiles, pool based source NAT rules, IPv6, MAP-E, or underlay BGP.

  • Secure SD-WAN Advanced—(Available for tenants with SD-WAN Advanced service level) Provides complete SD-WAN services. This service is ideal for enterprises with one or more data centers, requiring flexible topologies and dynamic application steering. You can establish site-to-site connectivity by using a hub in a hub-and-spoke topology or through static or dynamic full mesh VPN tunnels. Enterprise wide intent based SD-WAN policies and service-level agreement (SLA) measurements allow to differentiate and dynamically route traffic for different applications.

    Note:

    A Secure SD-WAN Advanced branch site connects only to secure SD-WAN Advanced enterprise hubs.

Address and Contact Information

Street Address

Enter the street address of the site.

City

Enter the name of the city where the site is located.

State/Province

Select the state or province where the site is located.

ZIP/Postal Code

Enter the postal code for the site.

Country

Select the country where the site is located.

You can click the Validate button to verify the address that you specified:

  • The Site address verification successful message is displayed if the address can be verified. You can click the View location on a map link to see the address location.

  • If the address cannot be verified, the Site address could not be validated message is displayed .

Contact Name

Enter the name of the contact person for the site.

Email

Enter the e-mail address of the contact person for the site.

Phone

Enter the phone number of the contact person for the site.

Click Next to continue.

Advanced Configuration

Domain Name Server

Specify one or more IPv4 or IPv6, or both IPv4 and IPv6 addresses of the DNS server. To specify more than one DNS server address, type the address, press Enter, and then type the next address, and so on.

DNS servers are used to resolve hostnames into IP addresses.

NTP Server

Specify the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers.

Example: ntp.example.net

The site must have DNS reachability to resolve the FQDN during site configuration.

Select Timezone

Select the time zone of the site.

Device
Note:

Some fields in this section are displayed only if you enable the Device Redundancy option.

Device Redundancy

Disabled by default. Enable this option for dual CPEs.

The following prerequisites are necessary for enabling device redundancy:

  • Ensure that the control and fabric ports between both the nodes are connected.

  • Ensure that the device is preconfigured for management connectivity (factory-default or prestaged). Do not configure the control, fabric, and data (reth) ports as these ports will be reconfigured.

    To identify the control, fabric, management, and data ports for each SRX model, refer to the SRX High Availability Configurator tool.

    Note:

    Do not generate the configuration in the tool as CSO generates and applies the cluster configuration automatically.

  • If you are using ZTP on SRX300 and SRX320 devices, use ge-0/0/7 as the predefined DHCP port instead of ge-0/0/0.

  • Provide the fabric and data (reth) port information in the device template. The control and fxp0 ports are predefined. To change the control port, change it in the platform device template. To change the data (reth) port, change it in the SDWAN device template.

Device Series

Select the device series to which the CPE belongs.

Based on the device series that you select, the supported device templates (containing information for configuring devices) are listed.

Device Model

Select the device model number.

Device Root Password

The default root password is fetched from the ENC_ROOT_PASSWORD field in the device template. You can retain the password or change it by entering a password in plain-text format. The password is encrypted and stored on the device.

Serial Number

For a single CPE device, enter the serial number of the CPE device. Serial numbers are case-sensitive.

If you do not enter serial number, the enterprise hub is added but not activated. See Step 4 to enter serial number and activate the enterprise hub site later.

   

Node 0 Serial Number

For dual CPEs, enter the serial number of the primary CPE device. The serial number is case sensitive.

If you do not enter serial number, the enterprise hub site is added but not activated. See Step 4 to enter serial number and activate the enterprise hub site later.

Node 1 Serial Number

For dual CPEs, enter the serial number of the secondary CPE device. The serial number is case sensitive.

If you do not enter serial number, the enterprise hub site is added but not activated. See Step 4 to enter serial number and activate the enterprise hub site later.

Zero Touch Provisioning

Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default.

Note:

By default, this button is disabled for vSRX Virtual Firewall. You can enable this button, if the Junos OS version running on vSRX Virtual Firewall supports phone-home client.

To use ZTP, ensure the following:

  • Device must have connectivity to CSO and Juniper phone-home server (https://redirect.juniper.net)

    Use telnet to verify connectivity:

    telnet redirect.juniper.net:443

    telnet CSO Hostname/IP:443

    If the connection is established, the device has connectivity to the phone-home server and CSO.

  • Required certificates for phone-home server and CSO must be present on the device.

If you enable ZTP, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the firewall device is upgraded to the image that you select for the Boot Image.

If you disable ZTP, ensure that the device has connectivity to CSO. If the device is not prestaged or preconfigured, then you must provide the details under the Management Connectivity section so that CSO can generate the configuration as part of the stage-1 configuration. You can skip the Management Connectivity section if the device has connectivity to CSO.

If you disable ZTP, you must copy the stage-1 configuration from CSO and commit it on the device to start the onboarding process. Use any of the following options to copy the stage-1 configuration:

  • Click the Click to copy stage-1 config link next to Prestage Device task on the Site Activation Progress page.

    If you close the Site Activation Progress page inadvertently, you can access the page from the Site Management page. Click the View link next to the status of the site under the Site Status column.

  • On the Devices page (Resources > Devices), select the device and click Stage1 Config.

Is Cluster Already Formed?

Note:

This field is available only for SRX dual CPE devices.

Click the toggle button to specify whether the SRX cluster has been manually formed (Yes) or not (No).

Cluster ID

Note:

This field is available only for SRX dual CPE devices.

If the SRX cluster hasn’t been formed manually, specify a unique ID for the cluster.

Range: 1 through 15

If you’ve enabled ZTP for the site, the cluster is automatically formed when the site is activated. If you’ve disabled ZTP, the following processes are displayed on the Site Activation Progress page (that appears after you’ve added the branch site):

  1. After CSO models the site (that is, after the Model Site process completes successfully), click the Click to copy pre script link, which appears next to the Pre Script process.

  2. Execute the commands as directed.

    After the Pre Script process completes successfully, the SRX cluster is formed and the recovery.conf file is saved on the cluster. In case you want to delete the site later, you’ll need this file to remove the stage-1 configuration and other configurations pushed to the device by CSO.

  3. Manually copy the stage-1 configuration (generated automatically by CSO) to the primary device in the cluster and commit the configuration on the device.

After the cluster is detected, CSO executes the bootstrap and provisioning processes and completes provisioning the cluster.

Auto Activate

Click the toggle button to enable (default) or disable automatic activation of the CPE device.

Activation Code

If the automatic activation of the device is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site.

Node 0 Activation Code

If the automatic activation of dual CPEs is disabled, enter the activation code to manually activate the primary CPE device.

Node 1 Activation Code

If the automatic activation of dual CPEs is disabled, enter the activation code to manually activate the secondary CPE device.

Management Interface Family

Select the IP address type (IPv4 or IPv6) for the management interface. This field is displayed only if you have enabled Zero Touch Provisioning.

Boot image

Select the boot image from the drop-down list if you want to upgrade the image for the CPE device.

The boot image is the latest build image uploaded to the image management system. The boot image is used to upgrade the device when the CSO starts the ZTP process.

If the boot image is not provided, then the device skips the procedure to upgrade the device image. The boot image is populated based on the device template that you have selected while creating a site. See Uploading a Device Image.

(Device Template)

Select a device template, which contains information for configuring a device.

Management Connectivity

Note:

This section is displayed only when Zero Touch Provisioning is disabled. If you are adding a chassis cluster, then you must provide the interface details for both the nodes.

Address Family

Select the IP address type (IPv4 or IPv6).

Interface Name

This is the WAN interface that the device uses to connect to CSO.

Access Type

Select the access type for the underlay link. LTE, ADSL, and VDSL access types are supported only on Internet links. You cannot add LTE, ADSL, and VDSL access types to the same WAN link.

Address Assignment

DHCP is selected by default. If you want to provide a static IP address, select STATIC.

Management VLAN ID

Enter a VLAN ID for the WAN link.

Range: 0 through 4094

PPPoE

Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet).

Hub Configuration

Note:

Hub selection is optional for both SD-WAN Advanced and Essentials sites. SD-WAN Essentials sites do not support multihoming. However, you can edit an Essentials site (post activation) to upgrade it to an Advanced site and add a secondary hub later if required, provided that the tenant’s service level is upgraded to Advanced.

Primary Provider Hub

Select the provider hub site (or primary provider hub site in case of multihoming) to which you want to connect the enterprise hub site.

If you do not specify a provider hub site, then the enterprise hub site can connect only to the branch sites that are associated with the enterprise hub site.

If you specify a provider hub site, then the enterprise hub site can also connect to the branch sites to which that provider hub site is associated.

Secondary Provider Hub

Note:

Not applicable to sites with SD-WAN Essentials service.

Select the secondary provider hub site (in case of multihoming) to which you want to connect the enterprise hub site.

When the primary provider hub is down, the enterprise hub connects to the secondary provider hub and the branch sites to which that provider hub site is associated.

WAN Links

Note:

In Release 6.1.0, CSO moves a site to the PROVISIONED state when at least one of the WAN links obtains the IP address and is activated. You can activate the remaining DHCP WAN links later. If the provisioned site establishes Dynamic VPN (DVPN) tunnels to other sites before the DHCP WAN links are activated, then these DHCP WAN links participate in DVPN only when the tunnels are deleted and added back (that is, traffic between a pair of sites falls below the delete threshold, and then crosses the create threshold again).

WAN_0 (WAN-Interface-Name)

This field is enabled by default.

Enter parameters related to the WAN_0 (WAN-Interface-Name) link. Fields marked with an asterisk (*) must be configured to proceed.

Link Type

Select whether the link would be an MPLS link or Internet link.

Note:

By default, CSO monitors the MPLS WAN gateway, whereas it does not monitor the Internet WAN gateway. To change this default behavior, add the appropriate nameserver when you configure a new site. For existing sites, you can edit the site to add the nameserver.

  • To enable monitoring of the WAN gateway for an Internet WAN link, add the nameserver 0.0.0.0.

  • To disable monitoring of the WAN gateway for an MPLS WAN link, add the nameserver 255.255.255.255.

Egress Bandwidth

Enter the maximum bandwidth (in Mbps) that the CPE allows towards the WAN link.

Range: 1 through 10,000.

Public IP Address

Enter the public IPv4 address for the link.

Note:

This IP address should be provided only if the static IP prefix is a private IP address and 1:1 NAT is configured.

Underlay Address Families

IPv4

By default, IPv4 address assignment is enabled for the WAN link.

The WAN link requires an IPv4 address to connect to an IPv4 network.

Address Assignment Method

Displays the method of assigning an IPv4 address to the WAN link (STATIC). You cannot modify this field.

You must provide the IPv4 address prefix and the gateway IPv4 address for the WAN link.

Static IP Prefix

Enter the IPv4 address prefix of the WAN link.

Gateway IP Address

Enter the IPv4 address of the gateway of the WAN service provider.

MTU

Applicable only to IPv4 addresses.

Enter the maximum transmission unit (MTU) size for the media or protocol. The supported MTU range can vary depending on the device, interface type, network topology, and other individual requirements. See also: MTU Default and Maximum Values and LTE Mini Physical Interface Modules (LTE Mini-PIM).

Editing the MTU values of all the OAM-enabled WAN links of a site at the same time might result in tunnel flapping. You must ensure that at least one OAM-enabled WAN link always remains undisrupted for a site. For example, if you have a site with four WAN links (including two links that support OAM traffic), you can edit the MTU values of all the WAN links except one OAM-enabled link at the same time. After the edit is complete and the changes are saved, you can edit the site again and update the remaining WAN link.

Note:

If you enable the PPPoE/PPP option under a WAN link, the MTU option is displayed under the PPPoE/PPP Settings section for that link.

WAN Link (Primary or Secondary)

For dual CPE device templates, displays whether the WAN link is a primary link or a secondary link. You cannot modify this field.

Advanced Settings

Address Family (Tunnel Creation)

Displays the underlay address family (IPv4) that is used to establish the overlay tunnel.

Provider

Enter the name of the service provider providing the WAN service.

Cost/Month

Enter the cost for using the WAN link per month and select the currency in which the cost is indicated from the adjacent drop-down list.

Range: 1 through 10,000.

In bandwidth-optimized SD-WAN, CSO uses this information to identify the least-expensive link to route traffic when multiple WAN links meet SLA profile parameters.

Link Priority

Enter a value in the range 1-255. A lower value indicates a more preferred link. A value of 1 indicates highest priority and a value of 255 indicates lowest priority. If you do not enter a value, the link priority is considered as 255.

Enable Local Breakout

Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled.

Note:
  • If you enable this option, the WAN link can be used for local breakout. The decision of whether traffic breaks out locally from the site depends on the breakout profile that is referenced in the SD-WAN policy intent.

  • If you do not enable local breakout on at least one WAN link for a single CPE connection plan and at least two WAN links for a dual CPE connection plan, then local breakout is disabled for the site.

Breakout Options

When the Enable Local Breakout field is enabled, select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

Autocreate Source NAT Rule

Note:

Sites with Secure SD-WAN Essentials service support interface-based source NAT rules only. If you enable this options for an SD-WAN Essentials site, interface-based source NAT rules are automatically applied. If you enable this options for an SD-WAN Advanced site, you must select a source NAT rule from the Translation field.

Click the toggle button to enable or disable the automatic creation of source NAT rules. By default, this field is enabled when local breakout is enabled on the WAN link.

Table 2 explains how source NAT rules are automatically created on the WAN link. The automatically-created source NAT rules are implicitly defined and applied to the site and is not visible on the NAT Policies page.

Note:

You can manually override automatically created NAT rules, by creating a NAT rule within a particular rule-set. For example, to use a source NAT pool instead of an interface for translation, create a NAT rule within this particular rule-set, that includes the relevant department zone and WAN interface as the source and destination. For example:

Dept-Zone1 --> W1 : Translation=Pool-2

The manually created NAT rule is placed at a higher priority than the corresponding automatically created NAT rule.

You can also add other fields (such as addresses, ports, protocols, and so on) as part of the source or destination endpoints. For example:

Dept-Zone1, Port 56578 --> W1: Translation=Pool-2

Translation

This field is displayed only if the automatic creation of source NAT rules is enabled for the WAN link, and the SD-WAN service used is Advanced. Sites with Secure SD-WAN Essentials service support interface-based source NAT rules only.

Select the type of NAT to use for the traffic on the WAN link:

  • Interface—Use interface-based NAT, which is the default.

  • Pool—Use pool-based NAT. If you select this option, you must specify the IP addresses that are to be used for the NAT pool.

    Note:

    No NAT is performed for tenant-owned public IP addresses that were added during the tenant addition workflow.

IP Addresses

For pool-based NAT, enter one or more IP addresses, subnets, or an IP address range. Separate multiple IP addresses by using commas and use a hyphen to denote a range; for example, 192.0.2.1-192.0.2.50.

Preferred Breakout Link

Click the toggle button to enable a WAN link as the most preferred breakout link.

If you disable this option, then the breakout link is chosen using ECMP from the available breakout links.

BGP Underlay Options

Note:

Not applicable to sites with the SD-WAN Essentials service.

Note:

This setting can be configured only if the address assignment is static and local breakout is enabled.

Click the toggle button to enable BGP underlay routing.

When you enable BGP underlay routing, route advertisements to the primary PE node and, if configured, the secondary PE node occur as follows:

  • CSO advertises the WAN interface subnet.

  • If you configured pool-based translation, CSO advertises the NAT address pool.

Note:

If underlay BGP is enabled for a WAN link, then the routes learnt from BGP are installed for local breakout; CSO does not generate the static default route.

Primary Neighbor

Displays the IP address that you entered for the gateway for the WAN link.

Secondary Neighbor

If you want to provide PE resiliency, you can configure a secondary PE node.

Enter the IP address of the secondary PE node.

Note:

If the primary PE node goes down, then the secondary PE is used as the next hop. When the primary PE comes back up, the route next hops are changed to the primary PE.

eBGP Peer-AS-Number

Enter the autonomous system (AS) number for the external (EBGP) peer.

Note:

If the peer AS number is not configured or the peer AS number that is configured is the same as that of the CPE site, then the BGP type is assumed to be internal BGP (IBGP).

Local AS Number

Enter the local AS number for the WAN link. When you configure this parameter, the local AS number is used for eBGP peering instead of the global AS number configured for the device.

Note:

The local AS number must be different from the global AS and eBGP peer AS numbers.

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

Advertise Public LAN Prefixes

Click the toggle button to enable the advertisement of public LAN prefixes. This field is disabled by default.

If the tenant has a public IP address pool configured and you enable the advertisement of public LAN prefixes, then for LAN segments that are created with a subnet that falls under the tenant public IP address pool, CSO advertises the LAN subnet to the BGP underlay.

Note:

When public LAN advertisement is enabled for the WAN link, public LAN prefixes are advertised through the BGP underlay towards MPLS or the Internet. If a site has two versions of the route installed for the same LAN prefix in the overlay and underlay, the overlay routes are always preferred over underlay.

Use For Fullmesh

Click the toggle button to specify whether the WAN link can be a part of a full mesh topology.

A site can have all WAN links enabled for meshing.

Note:
  • For link redundancy, you must enable at least two WAN links for full mesh.

  • Even if you enable this option, sites with SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

Mesh Overlay Link Type

When Use for Fullmesh field is enabled, select the type of mesh overlay link—GRE and GRE_IPSEC.

  • If the link type is Internet, the value for mesh overlay link type is GRE_IPSEC.

  • If the link type is MPLS, select one of the following options:

    • GRE-IPSEC

    • GRE

Mesh Tag

When the Use for Fullmesh field is enabled, select one or more mesh tags to be associated with the WAN link for creating tunnels.

Matching mesh tags is one of the criteria used to form tunnels between sites that support meshing.

For more information about mesh tags, see Mesh Tags Overview“.

Connects to Provider Hubs

Note:

The Connects to Provider Hubs field is available only if you have selected a provider hub.

Click the toggle button to specify that the WAN link of the site connects to a provider hub.

Note:
  • For sites with a single CPE, you must enable at least one WAN link to connect to the hub so that OAM traffic can be transmitted.

  • For sites with a dual CPE, you must enable at least one WAN link per device to connect to the hub so that OAM traffic can be transmitted.

Use for OAM Traffic

If you have specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link.

This WAN link is then used to establish the OAM tunnel.

Overlay Tunnel Type

This field is displayed when the Connects to Provider Hubs field is enabled and only one provider hub (primary) is specified.

Select the mesh overlay tunnel type (GRE and GRE_IPSEC) for the tunnel to the primary hub.

MPLS links can have both GRE and GRE_IPSEC as the overlay link type where as Internet links can have only GRE_IPSEC as the overlay link type.

Overlay Peer Device

This field is displayed when the Connects to Provider Hubs field is enabled and only one provider hub (primary) is specified.

Displays the peer hub device to which the site is connected.

Overlay Peer Interface

This field is displayed when the Connects to Provider Hubs field is enabled and only one provider hub (primary) is specified.

Select the interface name of the hub device to which the WAN link of the site is connected.

Overlay Tunnel Type 1

This field is displayed when the Connects to Provider Hubs field is enabled and both primary and secondary hubs are specified.

Select the mesh overlay tunnel type (GRE and GRE_IPSEC) for the tunnel to the primary hub.

MPLS links can have both GRE and GRE_IPSEC as the overlay link type where as Internet links can have only GRE_IPSEC as the overlay link type.

Overlay Peer Device 1

This field is displayed when the Connects to Provider Hubs field is enabled and both primary and secondary hubs are specified.

Displays the primary peer hub device to which the site is connected.

Overlay Peer Interface 1

This field is displayed when the Connects to Provider Hubs field is enabled and both primary and secondary hubs are specified.

Select the interface name of the primary hub device to which the WAN link of the site is connected.

Overlay Tunnel Type 2

This field is displayed when the Connects to Provider Hubs field is enabled and both primary and secondary hubs are specified.

Select the mesh overlay tunnel type (GRE and GRE_IPSEC) for the tunnel to the secondary hub.

MPLS links can have both GRE and GRE_IPSEC as the overlay link type where as Internet links can have only GRE_IPSEC as the overlay link type.

Overlay Peer Device 2

This field is displayed when the Connects to Provider Hubs field is enabled and both primary and secondary hubs are specified.

Displays the secondary peer hub device to which the site is connected.

Overlay Peer Interface 2

This field is displayed when the Connects to Provider Hubs field is enabled and both primary and secondary hubs are specified.

Select the interface name of the secondary hub device to which the WAN link of the site is connected.

Backup Link

Select a backup link through which traffic can be routed when the primary (other) links are unavailable. You can select any link other than the default links or links that are configured exclusively for local breakout traffic.

When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, SLA data is not monitored for the backup link.

Default Link

Select one or more links that will be used for routing traffic in the absence of matching SD-WAN policy intents. A site can have multiple default links to the hub site.

Default links are used primarily for overlay traffic but can also be used for local breakout traffic. However, a default link cannot be used exclusively for local breakout traffic. If you do not specify a default link, then equal-cost multipath (ECMP) is used to choose the link on which to route traffic.

VLAN ID

Enter a VLAN ID for the WAN link.

Range: 0 through 4049 (4050 to 4094 is reserved by CSO).

Note:
  • If you are configuring more than one WAN link on the same physical interface, only one WAN link can be untagged; for the remaining WAN links, you must configure a VLAN ID.

  • A combination of tagged and untagged on the same physical interface is supported only for single CPE devices.

  • You cannot have a combination of tagged and untagged WAN links on the same et interface. If you are configuring multiple WAN links on the same et interface, then you must specify a VLAN ID for all the links.

To enable the configuration of WAN links as logical interfaces in SD-WAN branch sites, the SP Administrator user must modify the device template and configure the WAN ports as logical interfaces.

WAN_1 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields

WAN_2 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields

WAN_3 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields

Advanced Configuration

Note:

Sites with Secure SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

OAM IP Prefix

Enter an IPv4 address prefix (such as 10.100.100.11/32) for the loopback interface on the CPE device. The IP address prefix should be a /32 IP address prefix and must be unique across the entire management network.

Note:

We recommend that you do not configure this setting (leave the IP Prefix field blank) because management connectivity is handled automatically by CSO.

Traffic Volume Metrics

Choose a method to compute the SD-WAN traffic volume on the WAN links of the site. CSO uses this data to provide a graphical representation of the WAN traffic volume on the Site Details page.

  • Session-Based—Computes and reports the session-based traffic volume on the site's WAN links, at the closure of each session. This is the default method.
  • Time-Based—Computes and reports the traffic volume at periodic intervals during a session.

DVPN Threshold for Tunnel Creation

Note:

Not applicable to sites with SD-WAN Essentials service.

Specify the threshold for the number of sessions (flows) closed (in a two-minute duration) between the enterprise hub and a destination site. When the number of sessions closed exceeds the specified threshold, a tunnel is created between the enterprise hub and the destination site.

The default value is 5.

For example, if you specify the Create Threshold as 5, dynamic mesh tunnels are created if the number of sessions closed between the enterprise hub and destination site exceeds 5 in 2 minutes.

DVPN Threshold for Tunnel Deletion

Note:

Not applicable to sites with SD-WAN Essentials service.

Specify the threshold for the number of sessions closed (in a 15-minute duration) between the enterprise hub and a destination site. When the number of sessions closed is lower than the specified threshold, the tunnel between the enterprise hub and destination site is deleted.

The default value is 2.

For example, if you specify the number of sessions closed as 2, dynamic mesh tunnels between the enterprise hub and destination site are deleted if the number of sessions closed is lesser than or equal to 2.

LAN Segment Configuration

Refer to Table 3 for configuring LAN segments.

Configuration Templates (Optional)

Configuration Templates List

Select one or more configuration templates from the list. This list is filtered based on the device that you select.

Configuration templates are stage-2 templates that are added by your OpCo administrators or SP administrators or Tenant administrators.

Note:

You must set the parameters of the configuration templates that you have selected before you move to the LAN section.

To set the parameters for the selected configuration templates:

  1. After you select one or more configuration templates, click Set Parameters.

    The Device Configurations page appears. This page consists of two tabs—Configure and Summary

  2. In the Configure tab fill in the attributes for each of the configuration templates.

    (Optional) View the CLI commands in the Summary tab.

  3. Click Save.

    You have added and set the parameters for the configuration templates that are part of the site template that you are creating.

Refer to Table 3 for configuring LAN segments.

Table 2: Automatic Creation of Source NAT Rules

Autocreate Source NAT Rule

Translation

NAT Rules Creation

Disabled

Not applicable (No NAT)

None.

Enabled

Interface-Based (Default)—CSO creates interface-based NAT rules.

Source NAT rules are automatically created, with each rule from a department zone to the WAN interface, with a translation of type interface. Each pair of [zone - interface] represents a rule-set.

For example, the following department zone to (WAN link) W1 interface rule-set might be created:

Dept-Zone1 --> W1: Translation=Interface
Dept-Zone2 --> W1: Translation=Interface
Dept-Zone3 --> W1: Translation=Interface

When traffic from a branch site breaks out at an enterprise hub, a source NAT rule is automatically created at the enterprise hub from the department routing group (also referred to as VRF group) to the WAN interface.

Dept-vrf-group --> W1: Translation=Interface

Enabled

Pool-Based—CSO automatically creates pool-based NAT rules (Not applicable to sites with SD-WAN Essentials service).

Source NAT rules are automatically created, with each rule from a department zone to the WAN NAT pool with a translation of type pool.

For example, a source NAT rule from department zone to NAT pool might be created:

Dept-Zone1 --> W1 : Translation=Pool-1
Dept-Zone2 --> W1 : Translation=Pool-1

When traffic from a branch site breaks out at an enterprise hub, a source NAT rule is automatically created at the enterprise hub from the department routing group to the WAN pool.

Dept-vrf-group --> W1: Translation=Pool
Table 3: Add LAN Segment Settings

Field

Description

Use for Overlay VPN

Enable the Use for Overlay VPN field to associate the LAN segment with the selected department (VRF + ZONE) for overlay traffic to other sites.

Disable the Use for Overlay VPN field to associate the LAN segment with a security zone for underlay breakout. You must define zone-based security policies.

Note:

When adding a new site, this field is enabled by default and cannot be modified. However, when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page, you can enable or disable this option.

Name

Enter a name for the LAN segment.

The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length allowed is 15 characters.

CPE Port

Note:

Applicable to SRX Series Firewalls.

Select the CPE port to be added in the LAN segment.

When you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page, you can select (or create) a LAG interface or a redundant Ethernet (reth) interface (for dual CPE cluster) to connect the SRX Series CPE devices to an EX series switch.

To use the et interface on SRX4600 devices, you must create a LAG interface and configure the et interface as a member of the LAG (aggregated Ethernet or ae) interface. See Create LAG Interface.

For an SRX4600 dual CPE cluster, you can use the et interface if it is configured as a member of the redundant Ethernet (reth) interface.

Add LAG Interface

Note:

This option is available when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page.

Click the link to create a LAG interface (ae interface) if you want to use it to connect the SRX Series CPE to the EX Series switch. See Create LAG Interface for details.

Create RETH Interface

Note:

This option is available when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page.

Click the link to create a reth interface for an SD-WAN site with a dual CPE cluster. See Create a RETH Interface for details.

Type

Note:

This field is displayed only for LAN segments associated with enterprise hub sites.

Select the type of LAN segment:

  • Directly Connected (default)—Indicates that the LAN segment is directly connected to the site.

  • Dynamic Routed—Indicates that the LAN segment is not directly connected to the site and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.

VLAN ID

Enter the VLAN ID for the LAN segment. By default, VLAN ID is set to 1 and native VLAN is enabled for untagged traffic.

Range: 1 to 4094 for SRX Series Firewalls (single and dual CPE) and vSRX Virtual Firewall. In releases prior to CSO Release 6.2.0, the range is 1 – 4049.

Use for Native VLAN

Enable this option to use the VLAN ID specified above for untagged traffic. The CPE interface is configured with a native-vlan-id, which has the same value as the VLAN ID.

Department

Note:

This field is available only if the Use for Overlay VPN field is enabled.

Select a department to which the LAN segment is assigned.

Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Add a Department for details.

You can group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department.

Gateway Address/Mask

Enter a valid gateway IP address and mask for the LAN segment. This address will be the default gateway for endpoints in this LAN segment.

For example: 192.0.2.8/24.

Zone

Note:

This field is available only if the Use for Overlay VPN field is disabled.

Select a security zone to be associated with this LAN segment. Alternatively click Create Zone to create a new security zone and assign that to this LAN segment. See Adding a Security Zone for details.

DHCP

For directly connected LAN segments, click the toggle button to enable DHCP.

You can enable DHCP if you want to assign IP addresses by using a DHCP server or disable DHCP if you want to assign a static IP address to the LAN segment.

Note:

If you enable DHCP, additional fields appear on the page.

Additional fields related to DHCP

Address Range Low

Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Address Range High

Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Maximum Lease Time

Specify the maximum duration (in seconds) for which a client can request for and hold a lease on the DHCP server.

Default: 1440

Range: 0 through 4,294,967,295 seconds.

Name Server

Specify one or more IPv4 addresses of the DNS server.

To enter more than one DNS server address, type the address, press Enter, and then type the next address.

Note:

DNS servers are used to resolve hostnames into IP addresses.

CPE Ports

Note:

Applicable to NFX150 and NFX250 devices.

For sites with SD-WAN capability, the CPE Ports field is disabled and the CPE ports that you can include in the LAN segment are listed.

Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

Static Routing

Use this section to configure static routing on the LAN segment. Provide the IP addresses of all the LAN routers connected to the CPE device and the static subnets behind these routers.

Add LAN Router IP Prefix

LAN Router IP

Enter the IP address of the LAN router that is connected to the CPE device.

Prefix

Enter the subnets that are connected to the LAN router.

BFD

Enable Bidirectional Forwarding Detection (BFD) to detect any failures on the static route.

Dynamic Routing

Routing Protocol

Enable this toggle button to configure dynamic routing using the BGP or OSPF protocol.

BFD

Enable Bidirectional Forwarding Detection (BFD) to detect any failures in the LAN segment.

Protocol

Select either BGP or OSPF.

BGP Configuration

Note:

Starting in Release 6.1.0, CSO explicitly disables the long-lived graceful restart (LLGR) capability for BGP peering sessions with provider edge (PE) and data center or LAN routers. Disabling LLGR ensures that the CPE does not differentiate the route advertisements to the peering router irrespective of the peering router’s LLGR capability.

Prior to CSO Release 6.1.0, LLGR helper mode is enabled by default (implicit behavior of Junos OS) on the CPE for BGP peering towards PE router in IP VPN deployments, and data center or LAN routers in data center deployments.

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

BGP Options

You can select the following options based on your requirements:

  • AS-OVERRIDE: Replaces all occurrences of the peer AS number in the AS path with its own AS number before advertising the route to the peer.

  • AS-PATH-PREPEND: Prepends one or more autonomous system (AS) numbers at the beginning of an AS path. Prepending an AS path makes a shorter AS path look longer and therefore it becomes less preferable to BGP.

  • AS-LOOP: Allows the local device’s AS number to be added in the received AS paths. You can specify the number of times the detection of local AS is allowed in the AS path.

Loop Count

This field is displayed only if you select AS-LOOP.

Enter the maximum number of times the detection of local AS is allowed in the AS path.

Peer IP Address

Enter the IP address of the LAN BGP peer.

Peer AS Number

Enter the autonomous system (AS) number of the LAN BGP peer. By default, CSO uses the AS number 64512. You can enter a different AS number.

Local AS Number

Enter the local AS number. When you configure this parameter, the local AS number is used for BGP peering instead of the global AS number configured for the CPE.

OSPF Configuration

OSPF Area ID

Specify the OSPF area identifier to be used for the dynamic route.

Authentication

Select the OSPF route authentication method to be used:

  • Password—Indicates that password-based authentication should be used. If you choose this option, you must specify the password. (This is the default).

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

  • None—Indicates that no authentication should be used.

Password

Enter the password to be used to verify the authenticity of OSPF packets.

Confirm Password

Retype the password for confirmation purposes.

MD5 Auth Key ID

If you specified that MD5 should be used for authentication, enter the OSPF MD5 authentication key ID.

Range: 1 through 255.

Auth Key

If you specified that MD5 should be used for authentication, enter an MD5 authentication key, which is used to verify the authenticity of OSPF packets.

Route Advertisement Control

LAN Route(s) to Overlay

When this option is enabled, LAN routes are advertised to the SD-WAN overlay. By default, this option is enabled.

Export Policy

For more granular control over routes that are advertised to the overlay network, you can configure policies in conjunction with the LAN Route(s) to Overlay option. For example, when the LAN Route(s) to Overlay option is enabled, you can configure policies to prevent specific routes from being advertised. Similarly, when the LAN Route(s) to Overlay option is disabled, you can configure policies to allow only specific routes to be advertised.

To change the order of the policies, drag and drop the rows to move them up or down. To add a policy, click the + icon.

Add Export Policy

Name Enter a name for the policy. The name can contain letters, numbers, and hyphens (-) and can be up to 255 characters long.
Match Conditions A match condition defines the criteria that the route must match. You can define one or more of the following match conditions:
  • From: Protocol—Select one or more protocols to match.
  • From: Prefix—Enter the route prefixes to match.
  • Prefix Match—Select the match type for the prefix:
    • Exact: Routes must exactly match one of the prefixes.
    • Longer: Routes must be within the specified prefixes and the route's prefix length must be greater than the given prefix length.
    • orlonger: Routes must be within the specified prefixes and the route's prefix length must be greater than or equal to the given prefix length.
  • From: Tag—Enter a number to be associated with the routes.

    Range: 0 through 4,294,967,295

Then: Action

Select any of the following actions for the routes that meet the match conditions:

  • Accept—Advertise the matched routes to the SD-WAN overlay.
  • Reject—Reject the matched routes.
  • Next Term—Evaluate the next term in the policy.

Overlay Route(s) to LAN

This option is displayed only if you enable the Routing Protocol toggle button. By default, this option is disabled.

Enable this option to advertise the SD-WAN overlay routes to the LAN router. You can use import and export policies for granular control of the route advertisements.

Note:

In CSO Release 6.0.0 and earlier releases, this option is called Advertise LAN Prefix and is applicable only for data center departments.

BGP or OSPF Import Policy (This section is displayed if you enabled dynamic routing.)

You can use import policies for granular control of the routes that CPE devices accept from the list of routes advertised by the LAN router.

To change the order of the policies, drag and drop the rows to move them up or down. To add a policy, click the + icon. See Table 4

BGP or OSPF Export Policy (This section is displayed if you enabled dynamic routing.)

You can add export policies for granular control of the routes that the CPE advertises to the LAN router.

To change the order of the policies, drag and drop the rows to move them up or down. To add a policy, click the + icon. See Table 4

Aggr/Static Routes to Overlay

Enable this option to allow advertisement of summarized routes as static or aggregate routes to the overlay network.

  • If a large number of LAN routes are present, then you can disable the LAN Route(s) to Overlay option and use this option to advertise aggregate routes.

  • If you want to advertise additional routes, then you can enable the LAN Route(s) to Overlay option and use this option to advertise additional static routes.

Table 4: BGP and OSPF Policies
Policy Type Match Conditions Actions
BGP Import Policy You can define one or more of the following match conditions:
  • From: Prefix—Enter the route prefixes to match.
  • Prefix Match—Select the match type for the prefix:
    • Exact: Routes must exactly match one of the prefixes.
    • Longer: Routes must be within the specified prefixes and the route's prefix length must be greater than the given prefix length.
    • orlonger: Routes must be within the specified prefixes and the route's prefix length must be greater than or equal to the given prefix length.
  • From: Neighbor—Enter the IP address of the LAN BGP peer.
  • From: Community—Enter the name of one or more communities. A match occurs if one name matches the community attribute of the received prefix.
  • From: AS Path—Enter the preconfigured autonomous systems (AS) path regular expression that must be matched.
  • Then: AS Path Prepend—Enter the AS numbers that must be prepended to a route’s AS Path. Use a space to separate the numbers.
  • Then: AS Path Expand Count—Enter the number of times the last AS number in the existing AS path must be affixed to the beginning of the AS path. The AS numbers are added before the local AS number is added to the path.

    Range: 1 through 32

  • Then: Add Community—Add a new community.
  • Then: Local Preference—Enter a local preference value for the route.

    Range: 0 through 4,294,967,295

  • Then: Action—Select any of the following actions for the routes that meet the match conditions:
    • Accept—Accept the matched routes.
    • Reject—Reject the matched routes.
    • Next Term—Evaluate the next term in the policy.
BGP Export Policy You can define one or more of the following match conditions:
  • From: Protocol—Enter the protocols to match.
  • From: Prefix—Enter the route prefixes to match. You can enter only IPv4 addresses.
  • Prefix Match—Select the match type for the prefix:
    • Exact: Routes must exactly match one of the prefixes.
    • Longer: Routes must be within the specified prefixes and the route's prefix length must be greater than the given prefix length.
    • orlonger: Routes must be within the specified prefixes and the route's prefix length must be greater than or equal to the given prefix length.
  • From: Prefix Length Range—Enter a range of prefix lengths to match.
  • From: Neighbor—Enter the IP address of the LAN BGP peer.
  • From: Community—Enter the name of one or more communities. A match occurs if one name matches the community attribute of the received prefix.
  • From: Tag—Enter a number to be associated with the routes.

    Range: 0 through 4,294,967,295

  • AS Path—Enter the preconfigured autonomous systems (AS) path regular expression that must be matched.
  • Then: AS Path Prepend—Enter the AS numbers that must be prepended to a route’s AS Path. Use a space to separate the numbers.
  • Then: AS Path Expand Count—Enter the number of times the last AS number in the existing AS path must be affixed to the beginning of the AS path. The AS numbers are added before the local AS number is added to the path.

    Range: 1 through 32

  • Then: Add Community—Add a new community.
  • Then: Nexthop Self—Enable this option to configure the loopback address of the CPE as the next hop.
  • Then: Local Preference—Enter a local preference value for the route.

    Range: 0 through 4,294,967,295

  • Then: Action—Select any of the following actions for the routes that meet the match conditions:

    • Accept—Advertise the matched routes to the LAN router.
    • Reject—Reject the matched routes.
    • Next Term—Evaluate the next term in the policy.
OSPF Import Policy You can define one or more of the following match conditions:
  • From: Prefix—Enter the route prefixes to match.
  • Prefix Match—Select the match type for the prefix:
    • Exact: Routes must exactly match one of the prefixes.
    • Longer: Routes must be within the specified prefixes and the route's prefix length must be greater than the given prefix length.
    • orlonger: Routes must be within the specified prefixes and the route's prefix length must be greater than or equal to the given prefix length.
  • From: Tag—Enter a number to be associated with the routes.

    Range: 0 through 4,294,967,295

Then: Action—Select any of the following actions for the routes that meet the match conditions:

  • Accept—Accept the matched routes.
  • Reject—Reject the matched routes.
  • Next Term—Evaluate the next term in the policy.
OSPF Export Policy You can define one or more of the following match conditions:
  • From: Protocol—Enter the protocols to match.
  • From: Prefix—Enter the route prefixes to match. You can enter only IPv4 addresses.
  • Prefix Match—Select the match type for the prefix:
    • Exact: Routes must exactly match one of the prefixes.
    • Longer: Routes must be within the specified prefixes and the route's prefix length must be greater than the given prefix length.
    • orlonger: Routes must be within the specified prefixes and the route's prefix length must be greater than or equal to the given prefix length.
  • From: Neighbor—Enter the IP addresses of one or more OSPF neighbors.
  • From: Community—Enter the name of one or more communities. A match occurs if one name matches the community attribute of the received prefix.
  • AS Path—Enter the preconfigured autonomous systems (AS) path regular expression that must be matched.
  • Then: Tag—Enter a string or number to be associated with the routes.

    Range: 0 through 4,294,967,295

  • Then: Action—Select any of the following actions for the routes that meet the match conditions:
    • Accept—Advertise the matched routes to the LAN router.
    • Reject—Reject the matched routes.
    • Next Term—Evaluate the next term in the policy.