Secure OAM Network Overview
The management and control plane traffic between a customer premises equipment (CPE) device associated with an SD-WAN branch site and Contrail Service Orchestration (CSO) consists of the following:
SSH and HTTPS sessions between the CPE device and CSO.
BGP session between the CPE device and a virtual route reflector (VRR).
System log traffic between the CPE device and CSO.
This traffic must be carried across the network through a secure and redundant communication channel. To provide such a secure and redundant communication channel, you must configure a secure Operation, Administration, and Maintenance (OAM) network between the SD-WAN branch sites and CSO.
This topic provides an overview of the secure OAM network, explains the workflow for configuring a secure OAM network, and describes the benefits of a secure OAM network in an SD-WAN deployment.
Topology of a Secure OAM Network
CSO uses the provider hub devices as SD-WAN hubs to set up IPsec tunnels and provision site-to-site or site-to-hub traffic. The provider hub acts as a concentrator for terminating the IPsec tunnels from SD-WAN branch sites. The provider hub device is located in the service provider’s point of presence (POP). A provider hub device can be an SRX Series Services Gateway or a vSRX instance. In CSO Release 5.0, provider hub devices are owned and managed by the Juniper Networks team that hosts the cloud-based CSO.
In CSO Release 5.0, the OAM hub is instantiated within CSO. You do not need a provider hub for the OAM network.
Figure 1 shows the connections between the SD-WAN branch site, provider hub, and CSO.

The secure OAM network is built using a dedicated IPsec tunnel (overlay connection) that is established between the CPE device associated with the SD-WAN branch site and a provider hub with OAM capability. The provider hub is connected to CSO through a secure private network (underlay connection) that is owned by the service provider.
The loopback IP address of the CPE device is used for OAM communication because it is fixed and unique across the entire deployment and is always reachable from CSO over the IPsec tunnel. Even if the WAN interfaces are behind NAT and are assigned private IP addresses (by using DHCP), the OAM connectivity between the SD-WAN branch site and the provider hub is not affected. The IPsec tunnel can still be established over the Internet WAN link, including the LTE access type.
The secure OAM network is supported on both hub-and-spoke and full-mesh topologies.
Workflow for Establishing a Secure OAM Network
Use the following workflow to establish a secure OAM network between the SD-WAN branch site and the provider hub. Because the provider hub is located in the service provider’s POP, it has private, secure connectivity to CSO.
To establish a secure OAM network between SD-WAN sites and the provider hub:
Log in to Customer Portal, and add a provider hub site. Associate the provider hub site with one of the available provider hub devices.
In Customer Portal, add a branch site for the CPE device in SD-WAN deployment.
When you create the site, specify the IP address prefix for the site and select at least one WAN link for OAM traffic. The WAN link with the Use for OAM traffic option enabled is used to set up the secure OAM tunnel to the provider hub device.
Note: For an NFX250 CPE device, specify at least one WAN link with the traffic type OAM and Data. If device redundancy is enabled, specify one WAN link for each CPE device with the traffic type OAM and Data.
The CPE device is detected and activated. The Zero Touch Provisioning (ZTP) process is triggered over the secure OAM tunnel and the device is moved to the Provisioned state. The management and control plane traffic is then carried across the secure OAM tunnel.
Benefits of Secure OAM Network
IPsec tunnel redundancy—The secure OAM network supports a maximum of two IPsec tunnels between each SD-WAN branch site and the provider hub, thus providing redundancy and ensuring that OAM traffic is not lost even in the case of a WAN link failure.
Hub device redundancy—In case of multihoming at the branch sites, each CPE device at the site is connected to two provider hubs, and the IPsec tunnels are established from the SD-WAN branch site to both the primary and secondary provider hub devices. This hub device redundancy ensures that the OAM traffic is not lost even if a hub fails.
Note: Sites with SD-WAN Essentials service do not support multihoming.
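The following added example (not part of the CSO documentation or product code) is a site-plan checker that encodes the OAM requirements stated in the workflow above (a WAN link with Use for OAM traffic enabled, the NFX250 OAM and Data rule per CPE, no multihoming on SD-WAN Essentials) and then counts the OAM tunnels that survive a WAN link or hub failure, illustrating the two redundancy benefits. The site, CPE, link and hub names are constructed, and the tunnel-count model (one tunnel per OAM-enabled link per hub, capped at two per hub) is an assumption of the example, not a statement from the page.

```python
from dataclasses import dataclass

@dataclass
class WanLink:
    name: str
    use_for_oam: bool = False      # the site's "Use for OAM traffic" option
    traffic_type: str = "Data"     # "Data" or "OAM and Data" (NFX250 rule)

@dataclass
class Cpe:
    model: str                     # constructed label, e.g. "NFX250"
    links: list                    # WanLink objects

@dataclass
class BranchSite:
    name: str
    service: str                   # "SD-WAN Essentials" or "SD-WAN Advanced"
    cpes: list                     # one CPE, or two when device redundancy is on
    hubs: list                     # provider hub names; two hubs = multihoming

def validate_site(site: BranchSite) -> list:
    """Return the rule violations for a site plan (empty list means valid)."""
    problems = []
    for cpe in site.cpes:
        if not any(l.use_for_oam for l in cpe.links):
            problems.append(f"{site.name}/{cpe.model}: no WAN link has 'Use for OAM traffic' enabled")
        # NFX250 needs a link of type 'OAM and Data'; checked per CPE, which
        # also covers the device-redundancy case (one such link per CPE).
        if cpe.model == "NFX250" and not any(l.traffic_type == "OAM and Data" for l in cpe.links):
            problems.append(f"{site.name}/{cpe.model}: needs a WAN link with traffic type 'OAM and Data'")
    if site.service == "SD-WAN Essentials" and len(site.hubs) > 1:
        problems.append(f"{site.name}: SD-WAN Essentials sites do not support multihoming")
    return problems

def surviving_oam_tunnels(site: BranchSite, failed_links=(), failed_hubs=()) -> int:
    """Count OAM IPsec tunnels still up after the given link and hub failures.
    Assumed model: one tunnel per OAM-enabled WAN link per reachable hub,
    capped at two tunnels per CPE and hub (the page's stated maximum)."""
    total = 0
    for hub in site.hubs:
        if hub in failed_hubs:
            continue
        for cpe in site.cpes:
            up = [l for l in cpe.links if l.use_for_oam and l.name not in failed_links]
            total += min(len(up), 2)
    return total

# Constructed sample: one NFX250 CPE, two OAM-capable WAN links, multihomed to two hubs.
SAMPLE_SITE = BranchSite("branch-1", "SD-WAN Advanced",
    [Cpe("NFX250", [WanLink("ge-0/0/0", True, "OAM and Data"), WanLink("ge-0/0/1", True)])],
    ["hub-a", "hub-b"])
```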