Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Contrail Service Orchestration (CSO) Contrail Service Orchestration Customer Portal User Guide Managing Sites, Site Groups, and Site Templates Managing Sites

Contrail Service Orchestration Customer Portal User Guide

keyboard_arrow_up
close
keyboard_arrow_left
Contrail Service Orchestration Customer Portal User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
keyboard_arrow_right

Adding Cloud Spoke Sites for SD-WAN Deployment

Release: Contrail Service Orchestration 6.3.0
{}
Change Release
date_range 27-May-23
arrow_backward
arrow_forward

A cloud spoke represents an automation endpoint (virtual machine (VM) or an EC2 Instance) running a Juniper Networks vSRX Virtual Firewall image in the Amazon Web Services(AWS) virtual private cloud (VPC). The cloud spoke sites are connected to the hub sites using the overlay connections. You create a cloud spoke site from the Sites page. This topic describes how to add a cloud spoke site for a tenant.

Note:

  • You can add a cloud spoke site only in hub-and-spoke topology.

  • To ensure that only hub-and-spoke topology is created, we recommend you to disable the DVPN configuration while adding the tenant.

  • You cannot add a cloud spoke site in full mesh topology.

  • Only the tenants with SD-WAN Advanced service level can create a cloud spoke site.

To add a cloud spoke site:

  1. Select Resources > Site Management.

    The Sites page appears.

  2. Click Add and select Cloud Spoke.

    The Add Cloud Spoke Site page appears.

  3. Complete the configuration settings according to the guidelines provided in Table 1.
    Note:

    Fields marked with an asterisk (*) are mandatory.

  4. Review the configuration and modify the settings, if needed, from the Summary tab.
  5. Click OK.

    The newly added cloud spoke site is displayed on the Sites page.

Table 1: Fields on the Add Cloud Spoke Site Page

Field

Description
General

Site Information

Site Name

Enter a unique name for the site. Enter a unique string of alphanumeric characters and special character (-). The maximum length is 32 characters.

Example: aws-cloud-spoke

Device Host Name

The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.

Site Group

(Optional) Select a site group to which you want to assign the site.

Example: cloud-spoke

Site Capabilities
Note:

Only the tenants with SD-WAN Advanced service level can create a cloud spoke site.

The Secure SD-WAN Advanced option is selected automatically.

Address and Contact Information

Street Address

Enter the street address of the site.

City

Enter the name of the city where the site is located.

State/Province

Select the state or province where the site is located.

ZIP/Postal Code

Enter the postal code for the site.

Country

Select the country where the site is located.

You can click the Validate button to verify the address that you specified:

  • The Site address verification successful message is displayed if the address can be verified. You can click the View location on a map link to see the address location.

  • If the address cannot be verified, the Site address could not be validated message is displayed .

Contact Name

Enter the name of the contact person for the site.

Email

Enter the e-mail address of the contact person for the site.

Phone

Enter the phone number of the contact person for the site.

Advanced Configuration

  

Domain Name Server (DNS)

Enter one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.

NTP Server

Enter the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers. Example: ntp.example.net The site must have DNS reachability to resolve the FQDN during site configuration.

Select Timezone

Select the time zone for the site.

Click Next to continue.

Device  

Activation Code

If the automatic activation of the device is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site.

Device Root Password

The default root password is fetched from the ENC_ROOT_PASSWORD field in the device template. You can retain the password or change it by entering a password in plain-text format. The password is encrypted and stored on the device.

Management Interface Family

Select IPv4 or IPv6.

Device Template

Click a device template to select the plan for WAN connectivity.

A device template contains information such as device family, a list of SD-WAN features supported, and the number of links supported.

Note:

vSRX Virtual Firewall as SD-WAN spoke in AWS template supports cloud spoke site for AWS VPC.

Hub Configuration

Primary Provider Hub

Select the hub site to which the spoke site must connect.

Secondary Provider Hub

Select a secondary hub site.

Cloud Information

Region

Select the region to which the site belongs. The regions in CSO are mapped to the regions in the AWS account.

Example: Ohio

VPC ID

Enter the VPC ID from the AWS account.

To obtain VPC ID:

  1. Log in to your AWS account.

  2. Search for the VPC service.

  3. Click the VPC dashboard.

  4. Select a VPC ID.

Ensure that the VPC is connected to an Internet gateway.

To check whether VPC is attached:

  1. Log in to your AWS account.

  2. Search for the VPC service.

  3. Click the Internet Gateway dashboard.

  4. Check whether the VPC state is attached.

Example: vpc-6d810314

Management Subnet

Specify whether CSO must create a new subnet or use an existing subnet from the AWS account. The management subnet of vSRX Virtual Firewall is used to push the initial stage-1 configuration. The following options are available:

  • Use an existing subnet in AWS account

  • Create new

IP Prefix

Enter the management IP prefix. The first four IP addresses in the subnet are reserved by AWS. For example, IP addresses x.x.x.0/x through x.x.x.3/x are always reserved by AWS. Hence, provide an IP address prefix other than the reserved IP address prefix.

Example: 105.0.1.5/24

WAN Links

WAN_0 (ge-0/0/0)

WAN_1 (ge-0/0/1)

Select the check boxes to configure the WAN links. You can configure up to two WAN links per site that support SD-WAN.

Link Type

Displays the connection type for WAN underlays. Only Internet link is supported.

Egress Bandwidth

Enter the maximum bandwidth (in Mbps) to be allowed for a specific WAN link.

Address Assignment Method

Select the method of assigning an IP address to the WAN link—DHCP or STATIC.

  • If you select DHCP, the IP address is provided by using the DHCP server of the service provider of the WAN link.

  • If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link.

Static IP Prefix

If you configure the address assignment method as STATIC, enter the private IPv4 address of the WAN link from the subnet. For example, if the IPv4 CIDR address is 105.0.2.0/24 for a WAN interface in the AWS account, then enter any IP address within the subnet. The first four IP addresses in the subnet are reserved by AWS. Hence, provide an IP prefix other than the reserved IP prefix.

Example: 105.0.2.12/24

Gateway IP Address

If you configured the address assignment method as STATIC, enter the IPv4 address for the gateway of the WAN service provider. Typically, the first IP address in the subnet is selected for gateway IP address.

Example: 105.0.2.1

MTU

Applicable only to IPv4 addresses.

Enter the maximum transmission unit (MTU) size for the media or protocol. The supported MTU range can vary depending on the device, interface type, network topology, and other individual requirements. See also: MTU Default and Maximum Values and LTE Mini Physical Interface Modules (LTE Mini-PIM).

Editing the MTU values of all the OAM-enabled WAN links of a site at the same time might result in tunnel flapping. You must ensure that at least one OAM-enabled WAN link always remains undisrupted for a site. For example, if you have a site with four WAN links (including two links that support OAM traffic), you can edit the MTU values of all the WAN links except one OAM-enabled link at the same time. After the edit is complete and the changes are saved, you can edit the site again and update the remaining WAN link.

Note:

If you enable the PPPoE/PPP option under a WAN link, the MTU option is displayed under the PPPoE/PPP Settings section for that link.

Elastic IP

Elastic IP address is a public, static IPv4 address designed for dynamic cloud computing. The public IP address is mapped to the private subnet IP using one-to-one NAT. You must allocate the IP addresses based on the number of WAN links that are enabled. For example, If two WAN links are enabled, then you must allocate two elastic IP addresses.

Example: 34.213.255.184

Advanced Settings

Based on the connectivity requirement, the following fields are populated:

Provider

Enter the name of the service provider (SP).

Cost/Month

Enter the cost per month of the subscribed bandwidth in the specified currency. In bandwidth-optimized SD-WAN, this information is used to identify the least-expensive link to route traffic when multiple WAN links meet SLA profile parameters.

Link Priority

Enter a value in the range 1-255. A lower value indicates a more preferred link. A value of 1 indicates highest priority and a value of 255 indicates lowest priority. If you do not enter a value, the link priority is considered as 255.

Enable Local Breakout

Click the toggle button to enable or disable (default) local breakout on the WAN link.

  • If you enable this option, the WAN link can be used for local breakout. The decision of whether traffic breaks out locally from the site depends on the breakout profile that is referenced in the SD-WAN policy intent.

  • If you do not enable local breakout on at least one WAN link for a single CPE connection plan and at least two WAN links for a dual CPE connection plan, then local breakout is disabled for the site.

Breakout Options

Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

Autocreate Source NAT Rule

If the WAN link is enabled for local breakout, you can click the toggle button to automatically create an interface-based source NAT rule on the WAN link. The automatically-created source NAT rule is implicitly defined and applied to the site and is not visible on the NAT Policies page.

By default, this field is disabled.

Note:

If this option is enabled for a WAN interface W1 during the site addition workflow, a series of NAT source rules are automatically created. Each automatically created NAT rule is from a zone to the WAN interface, with a translation of type interface. Each pair of [zone - interface] represents a rule-set.

For example, the following zone to W1 interface rule-set might be created:

Zone1 --> W1: Translation=Interface
Zone2 --> W1: Translation=Interface
Zone3 --> W1: Translation=Interface

To manually override any of these rules, you can create a NAT rule within a particular rule-set. For example, to use a source NAT pool instead of an interface for translation, create a NAT rule within this particular rule-set, that includes the relevant zone and WAN interface as the source and destination. For example:

Zone1 --> W1 : Translation=Pool-2

The manually created NAT rule is placed at a higher priority than the corresponding automatically created NAT rule.

You can also add other fields (such as addresses, ports, protocols, and so on) as part of the source or destination endpoints. For example:

Zone1, Port 56578 --> W1: Translation=Pool-2

Preferred Breakout Link

Click the toggle button to enable the WAN link as the preferred breakout link.

If you disable this option, then the breakout link is chosen using ECMP from the available breakout links.

BGP Underlay Options
Note:

This setting can be configured only if IPv4 address assignment (with STATIC as the address assignment method) and local breakout are enabled for the WAN link.

Click the toggle button to enable BGP underlay routing.

When you enable BGP underlay routing, route advertisements to the primary PE node and, if configured, the secondary PE node occur as follows:

  • CSO advertises the WAN interface subnet.

  • If you configured pool-based translation, CSO advertises the NAT address pool.

Note:

If underlay BGP is enabled for a WAN link, then the routes learnt from BGP are installed for local breakout; CSO does not generate the static default route.

Primary Neighbor

Displays the IP address that you entered for the gateway for the WAN link.

Secondary Neighbor

If you want to provide PE resiliency, you can configure a secondary PE node.

Enter the IP address of the secondary PE node.

Note:

If the primary PE node goes down, then the secondary PE is used as the next hop. When the primary PE comes back up, the route next hops are changed to the primary PE.

eBGP Peer-AS-Number

Enter the autonomous system (AS) number for the external (EBGP) peer.

Note:

If the peer AS number is not configured or the peer AS number that is configured is the same as that of the CPE site, then the BGP type is assumed to be internal BGP (IBGP).

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

Advertise Public LAN Prefixes

Click the toggle button to enable the advertisement of public LAN prefixes. This field is disabled by default.

If the tenant has a public IP address pool configured and you enable the advertisement of public LAN prefixes, then for LAN segments that are created with a subnet that falls under the tenant public IP address pool, CSO advertises the LAN subnet to the BGP underlay.

Note:

When public LAN advertisement is enabled for the WAN link, public LAN prefixes are advertised through the BGP underlay towards MPLS or the Internet. If a site has two versions of the route installed for the same LAN prefix in the overlay and underlay, the overlay routes are always preferred over underlay.

Use for OAM Traffic

If you have specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link.

This WAN link is then used to establish the OAM tunnel.

Overlay Tunnel Type

Select the mesh overlay tunnel type—GRE and GRE_IPSEC.

MPLS links can have both GRE and GRE_IPSEC as the overlay link type where as Internet links can have only GRE_IPSEC as the overlay link type.

Overlay Peer Device

Displays the peer hub device to which the site is connected.

Overlay Peer Interface

Select the interface name of the hub device to which the WAN link of the site is connected.

Backup Link

Select a backup link through which traffic can be routed when the primary links are unavailable. You cannot select the default link as the backup link. Note that you cannot assign the backup link for exclusive breakout traffic (the Use only for breakout traffic option). If local breakout is enabled for the site, the breakout traffic is also routed through the backup link when the breakout link is not available.

When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, note that the SLA data is not monitored for the backup link.

Default Links

Select the default links that must be used for routing traffic. The site can have multiple default links to the hub site as well as to the Internet.

Default links are used primarily for overlay traffic but can be used for local breakout traffic as well. A default link cannot be used exclusively for local breakout traffic. The default link is optional and in case it is not chosen, all links are used through equal-cost multipath (ECMP).

Management Connectivity

  

OAM IP Prefix

Enter an IPv4 address prefix (such as 10.100.100.11/32) for the loopback interface on the CPE device. The IP address prefix should be a /32 IP address prefix and must be unique across the entire management network.

Note:

We recommend that you do not configure this setting (leave the IP Prefix field blank) because management connectivity is handled automatically by CSO.

DVPN Threshold for Tunnel Creation

Enter the maximum number of sessions closed between the connected sites in a duration of two minutes at which full mesh is created between the two sites.

The default value is 5.

For example, if you specify the number of sessions as 5, dynamic mesh tunnels are created if the number of sessions closed between two branch sites in 2 minutes exceeds 5.

DVPN Threshold for Tunnel Deletion

Enter the number of sessions closed between the connected sites in a duration of 15 minutes below which full mesh is deleted between the two sites.

The default value is 8.

For example, if you specify the number of sessions closed as 8, dynamic mesh tunnels are deleted if the number of sessions closed is lesser than or equal to 8.

LAN

Add at least one LAN segment.

LAN Segment

Displays the LAN segment that you configure on the switch.

To add a LAN segment, click the + icon on the top, right corner of the LAN table. The Add LAN Segment page appears. See Table 2.

Table 2: Fields on the Add LAN Segment Page

Field

Description

Add LAN Segment

Name

Enter a name for the LAN segment.

The name for a LAN segment should be a unique string of alphanumeric characters. No spaces are allowed and the maximum length is 15 characters.

Department

Select a department to which the LAN segment is to be assigned.

Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Add a Department for details.

You group LAN segments as departments for ease of management and for applying policies at the department-level.

Gateway Address/Mask

Enter a valid gateway IP address and mask for the LAN segment; for example, 192.0.2.8/24.

CPE Ports

Click the toggle button to include or exclude the CPE in the LAN segment. When you include the CPE in the LAN segment:

  • CPE ports that you can include in the LAN segment are listed.

    Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

Note:

You can select only one port if the CPE is an SRX Series Firewall.

Related Documentation

arrow_backward PREVIOUS Add Provider Hub Sites in SD-WAN Deployments
NEXT arrow_forward Provisioning a Cloud Spoke Site in AWS VPC
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top