Adding Cloud Spoke Sites for SD-WAN Deployment
A cloud spoke represents an automation endpoint (virtual machine (VM) or an EC2 Instance) running a Juniper Networks vSRX Virtual Firewall image in the Amazon Web Services(AWS) virtual private cloud (VPC). The cloud spoke sites are connected to the hub sites using the overlay connections. You create a cloud spoke site from the Sites page. This topic describes how to add a cloud spoke site for a tenant.
You can add a cloud spoke site only in hub-and-spoke topology.
To ensure that only hub-and-spoke topology is created, we recommend you to disable the DVPN configuration while adding the tenant.
You cannot add a cloud spoke site in full mesh topology.
Only the tenants with SD-WAN Advanced service level can create a cloud spoke site.
To add a cloud spoke site:
Field |
Description |
|---|---|
| General | |
|
Site Information |
|
|
Site Name |
Enter a unique name for the site. Enter a unique string of alphanumeric characters and special character (-). The maximum length is 32 characters. Example: aws-cloud-spoke |
|
Device Host Name |
The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters. |
|
Site Group |
(Optional) Select a site group to which you want to assign the site. Example: cloud-spoke |
|
Site Capabilities |
Note:
Only the tenants with SD-WAN Advanced service level can create a cloud spoke site. The Secure SD-WAN Advanced option is selected automatically. |
|
Address and Contact Information |
|
|
Street Address |
Enter the street address of the site. |
|
City |
Enter the name of the city where the site is located. |
|
State/Province |
Select the state or province where the site is located. |
|
ZIP/Postal Code |
Enter the postal code for the site. |
|
Country |
Select the country where the site is located. You can click the Validate button to verify the address that you specified:
|
|
Contact Name |
Enter the name of the contact person for the site. |
|
|
Enter the e-mail address of the contact person for the site. |
|
Phone |
Enter the phone number of the contact person for the site. |
|
Advanced Configuration |
|
|
Domain Name Server (DNS) |
Enter one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses. |
|
NTP Server |
Enter the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers. Example: ntp.example.net The site must have DNS reachability to resolve the FQDN during site configuration. |
|
Select Timezone |
Select the time zone for the site. Click Next to continue. |
| Device | |
|
Activation Code |
If the automatic activation of the device is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site. |
|
Device Root Password |
The default root password is fetched from the ENC_ROOT_PASSWORD field in the device template. You can retain the password or change it by entering a password in plain-text format. The password is encrypted and stored on the device. |
|
Management Interface Family |
Select IPv4 or IPv6. |
|
Device Template |
Click a device template to select the plan for WAN connectivity. A device template contains information such as device family, a list of SD-WAN features supported, and the number of links supported. Note:
vSRX Virtual Firewall as SD-WAN spoke in AWS template supports cloud spoke site for AWS VPC. |
|
Hub Configuration |
|
|
Primary Provider Hub |
Select the hub site to which the spoke site must connect. |
|
Secondary Provider Hub |
Select a secondary hub site. |
|
Cloud Information |
|
|
Region |
Select the region to which the site belongs. The regions in CSO are mapped to the regions in the AWS account. Example: Ohio |
|
VPC ID |
Enter the VPC ID from the AWS account. To obtain VPC ID:
Ensure that the VPC is connected to an Internet gateway. To check whether VPC is attached:
Example: vpc-6d810314 |
|
Management Subnet |
Specify whether CSO must create a new subnet or use an existing subnet from the AWS account. The management subnet of vSRX Virtual Firewall is used to push the initial stage-1 configuration. The following options are available:
|
|
IP Prefix |
Enter the management IP prefix. The first four IP addresses in the subnet are reserved by AWS. For example, IP addresses x.x.x.0/x through x.x.x.3/x are always reserved by AWS. Hence, provide an IP address prefix other than the reserved IP address prefix. Example: 105.0.1.5/24 |
|
WAN Links |
|
|
WAN_0 (ge-0/0/0) WAN_1 (ge-0/0/1) |
Select the check boxes to configure the WAN links. You can configure up to two WAN links per site that support SD-WAN. |
|
Link Type |
Displays the connection type for WAN underlays. Only Internet link is supported. |
|
Egress Bandwidth |
Enter the maximum bandwidth (in Mbps) to be allowed for a specific WAN link. |
|
Address Assignment Method |
Select the method of assigning an IP address to the WAN link—DHCP or STATIC.
|
|
Static IP Prefix |
If you configure the address assignment method as STATIC, enter the private IPv4 address of the WAN link from the subnet. For example, if the IPv4 CIDR address is 105.0.2.0/24 for a WAN interface in the AWS account, then enter any IP address within the subnet. The first four IP addresses in the subnet are reserved by AWS. Hence, provide an IP prefix other than the reserved IP prefix. Example: 105.0.2.12/24 |
|
Gateway IP Address |
If you configured the address assignment method as STATIC, enter the IPv4 address for the gateway of the WAN service provider. Typically, the first IP address in the subnet is selected for gateway IP address. Example: 105.0.2.1 |
| MTU | Applicable only to IPv4 addresses. Enter the maximum transmission unit (MTU) size for the media or protocol. The supported MTU range can vary depending on the device, interface type, network topology, and other individual requirements. See also: MTU Default and Maximum Values and LTE Mini Physical Interface Modules (LTE Mini-PIM).Editing the MTU values of all the OAM-enabled WAN links of a site at the same time might result in tunnel flapping. You must ensure that at least one OAM-enabled WAN link always remains undisrupted for a site. For example, if you have a site with four WAN links (including two links that support OAM traffic), you can edit the MTU values of all the WAN links except one OAM-enabled link at the same time. After the edit is complete and the changes are saved, you can edit the site again and update the remaining WAN link. Note:
If you enable the PPPoE/PPP option under a WAN link, the MTU option is displayed under the PPPoE/PPP Settings section for that link. |
|
Elastic IP |
Elastic IP address is a public, static IPv4 address designed for dynamic cloud computing. The public IP address is mapped to the private subnet IP using one-to-one NAT. You must allocate the IP addresses based on the number of WAN links that are enabled. For example, If two WAN links are enabled, then you must allocate two elastic IP addresses. Example: 34.213.255.184 |
|
Advanced Settings |
Based on the connectivity requirement, the following fields are populated: |
|
Provider |
Enter the name of the service provider (SP). |
|
Cost/Month |
Enter the cost per month of the subscribed bandwidth in the specified currency. In bandwidth-optimized SD-WAN, this information is used to identify the least-expensive link to route traffic when multiple WAN links meet SLA profile parameters. |
|
Link Priority |
Enter a value in the range 1-255. A lower value indicates a more preferred link. A value of 1 indicates highest priority and a value of 255 indicates lowest priority. If you do not enter a value, the link priority is considered as 255. |
|
Enable Local Breakout |
Click the toggle button to enable or disable (default) local breakout on the WAN link.
|
|
Breakout Options |
Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic. |
|
Autocreate Source NAT Rule |
If the WAN link is enabled for local breakout, you can click the toggle button to automatically create an interface-based source NAT rule on the WAN link. The automatically-created source NAT rule is implicitly defined and applied to the site and is not visible on the NAT Policies page. By default, this field is disabled. Note:
If this option is enabled for a WAN interface W1 during the site addition workflow, a series of NAT source rules are automatically created. Each automatically created NAT rule is from a zone to the WAN interface, with a translation of type interface. Each pair of [zone - interface] represents a rule-set. For example, the following zone to W1 interface rule-set might be created: Zone1 --> W1: Translation=Interface Zone2 --> W1: Translation=Interface Zone3 --> W1: Translation=Interface To manually override any of these rules, you can create a NAT rule within a particular rule-set. For example, to use a source NAT pool instead of an interface for translation, create a NAT rule within this particular rule-set, that includes the relevant zone and WAN interface as the source and destination. For example: Zone1 --> W1 : Translation=Pool-2 The manually created NAT rule is placed at a higher priority than the corresponding automatically created NAT rule. You can also add other fields (such as addresses, ports, protocols, and so on) as part of the source or destination endpoints. For example: Zone1, Port 56578 --> W1: Translation=Pool-2 |
|
Preferred Breakout Link |
Click the toggle button to enable the WAN link as the preferred breakout link. If you disable this option, then the breakout link is chosen using ECMP from the available breakout links. |
|
BGP Underlay Options |
Note:
This setting can be configured only if IPv4 address assignment (with STATIC as the address assignment method) and local breakout are enabled for the WAN link. Click the toggle button to enable BGP underlay routing. When you enable BGP underlay routing, route advertisements to the primary PE node and, if configured, the secondary PE node occur as follows:
Note:
If underlay BGP is enabled for a WAN link, then the routes learnt from BGP are installed for local breakout; CSO does not generate the static default route. |
|
Primary Neighbor |
Displays the IP address that you entered for the gateway for the WAN link. |
|
Secondary Neighbor |
If you want to provide PE resiliency, you can configure a secondary PE node. Enter the IP address of the secondary PE node. Note:
If the primary PE node goes down, then the secondary PE is used as the next hop. When the primary PE comes back up, the route next hops are changed to the primary PE. |
|
eBGP Peer-AS-Number |
Enter the autonomous system (AS) number for the external (EBGP) peer. Note:
If the peer AS number is not configured or the peer AS number that is configured is the same as that of the CPE site, then the BGP type is assumed to be internal BGP (IBGP). |
|
Authentication |
Select the BGP route authentication method to be used:
|
|
Auth Key |
If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets. |
|
Advertise Public LAN Prefixes |
Click the toggle button to enable the advertisement of public LAN prefixes. This field is disabled by default. If the tenant has a public IP address pool configured and you enable the advertisement of public LAN prefixes, then for LAN segments that are created with a subnet that falls under the tenant public IP address pool, CSO advertises the LAN subnet to the BGP underlay. Note:
When public LAN advertisement is enabled for the WAN link, public LAN prefixes are advertised through the BGP underlay towards MPLS or the Internet. If a site has two versions of the route installed for the same LAN prefix in the overlay and underlay, the overlay routes are always preferred over underlay. |
|
Use for OAM Traffic |
If you have specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link. This WAN link is then used to establish the OAM tunnel. |
|
Overlay Tunnel Type |
Select the mesh overlay tunnel type—GRE and GRE_IPSEC. MPLS links can have both GRE and GRE_IPSEC as the overlay link type where as Internet links can have only GRE_IPSEC as the overlay link type. |
|
Overlay Peer Device |
Displays the peer hub device to which the site is connected. |
|
Overlay Peer Interface |
Select the interface name of the hub device to which the WAN link of the site is connected. |
|
Backup Link |
Select a backup link through which traffic can be routed when the primary links are unavailable. You cannot select the default link as the backup link. Note that you cannot assign the backup link for exclusive breakout traffic (the Use only for breakout traffic option). If local breakout is enabled for the site, the breakout traffic is also routed through the backup link when the breakout link is not available. When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, note that the SLA data is not monitored for the backup link. |
|
Default Links |
Select the default links that must be used for routing traffic. The site can have multiple default links to the hub site as well as to the Internet. Default links are used primarily for overlay traffic but can be used for local breakout traffic as well. A default link cannot be used exclusively for local breakout traffic. The default link is optional and in case it is not chosen, all links are used through equal-cost multipath (ECMP). |
|
Management Connectivity |
|
|
OAM IP Prefix |
Enter an IPv4 address prefix (such as 10.100.100.11/32) for the loopback interface on the CPE device. The IP address prefix should be a /32 IP address prefix and must be unique across the entire management network. Note:
We recommend that you do not configure this setting (leave the IP Prefix field blank) because management connectivity is handled automatically by CSO. |
|
DVPN Threshold for Tunnel Creation |
Enter the maximum number of sessions closed between the connected sites in a duration of two minutes at which full mesh is created between the two sites. The default value is 5. For example, if you specify the number of sessions as 5, dynamic mesh tunnels are created if the number of sessions closed between two branch sites in 2 minutes exceeds 5. |
|
DVPN Threshold for Tunnel Deletion |
Enter the number of sessions closed between the connected sites in a duration of 15 minutes below which full mesh is deleted between the two sites. The default value is 8. For example, if you specify the number of sessions closed as 8, dynamic mesh tunnels are deleted if the number of sessions closed is lesser than or equal to 8. |
| LAN |
Add at least one LAN segment. |
|
LAN Segment |
Displays the LAN segment that you configure on the switch. To add a LAN segment, click the + icon on the top, right corner of the LAN table. The Add LAN Segment page appears. See Table 2. |
Field |
Description |
|---|---|
Add LAN Segment |
|
Name |
Enter a name for the LAN segment. The name for a LAN segment should be a unique string of alphanumeric characters. No spaces are allowed and the maximum length is 15 characters. |
Department |
Select a department to which the LAN segment is to be assigned. Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Add a Department for details. You group LAN segments as departments for ease of management and for applying policies at the department-level. |
Gateway Address/Mask |
Enter a valid gateway IP address and mask for the LAN segment; for example, 192.0.2.8/24. |
CPE Ports |
Click the toggle button to include or exclude the CPE in the LAN segment. When you include the CPE in the LAN segment:
Note:
You can select only one port if the CPE is an SRX Series Firewall. |