Add Enterprise Hub Sites

Unlike provider hubs, which can be shared by different tenants, an enterprise hub is available only to a single tenant. An enterprise hub is an SD-WAN site that is used to connect all the branch sites (spokes) in the hub and spoke topology and to break out backhaul (also called central breakout) traffic from branch sites. An enterprise hub typically has a data center department behind it; however, this is not enforced in CSO.

Note:

Starting in CSO Release 6.0.0, in SD-WAN deployments, using hubs to connect sites is optional.

For more information, see Enterprise Hubs Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Note:

Before you add the enterprise hub site, check the cable connections, review the NAT and firewall ports and protocols, and check the Junos OS version of the enterprise hub device, as explained in Supported Devices for SD-WAN and in Ports and Protocols to Open.

To add an enterprise hub site:

  1. Click Resources > Site Management in Customer Portal.

    The Sites page appears.

  2. Click Add, and select Add Enterprise Hub.

    The Add Enterprise Hub wizard appears, displaying the General settings to be configured.

  3. Configure the General settings as explained in Table 1, and click Next.

    You are taken to the WAN section of the workflow.

    Note:

    Fields marked with an asterisk (*) are mandatory.

  4. Configure the WAN settings as explained in Table 2, and click Next.

    Note:

    In Release 6.1.0, CSO moves a site to the PROVISIONED state when at least one of the WAN links obtains the IP address and is activated.

    You are taken to the LAN section of the workflow.

  5. Add a LAN segment:
    1. Click the Add (+) icon.

      The Add LAN Segment page appears.

    2. Configure the LAN segment settings as explained in Table 3.
    3. Click OK.

      You are returned to the LAN section of the workflow, and the LAN segment that you added is displayed.

  6. Click Next.

    You are taken to the Summary section of the workflow.

  7. (Optional) Review the configuration in the Summary section and, if required, modify the settings.
  8. Click Finish.
    • If you entered a serial number during activation and automatic activation is enabled, the Site Activation Progress page appears. The site activation process proceeds through the tasks explained in Table 4.

      Click OK to close the page.

      Note:

      If you don’t want to wait for the site activation to finish, you can close the page and monitor the status of the site activation from the Jobs page (Monitor > Jobs).

      The time taken for site activation varies depending on the device that CSO is activating.

    • If you did not enter a serial number or if automatic activation is disabled, you are returned to the Sites page. CSO triggers a job and displays a confirmation message with a job link. Click the link to view the status of the job.

      After the job is finished, CSO displays a confirmation message with a job link. The status of the site changes to CREATED and an Activate Site link is displayed. You must manually activate the site to finish the process. For more information, see Manually Activate a Site.

After the site is activated, CSO applies the service provisioning configuration if you selected a service when adding the site. If you did not select a service, then the status of the site remains as Managed. You can edit the site later to add the service and provision the device.

Tip:

After you provision a site, you can modify (depending on the site status) certain parameters of the site. For more information, see Edit Site Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Table 1: General Information (Add Enterprise Hub)

Field

Guideline

Site Information

 

Site Name

Enter a unique name for the site. The name can contain alphanumeric characters and hyphens (-), and cannot exceed 32 characters.

Device Host Name

The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.

Site Group

If you want the site to be part of a site group, select the site group. By default, None is selected, which means that the site doesn’t belong to any site group.

Site Capabilities

Note:

Device Management, enabled by default, allows you to create a site with only device management capability (without any services) and add services later.

To add an SD-WAN capability for this site, choose one of the following SD-WAN service types:

  • Secure SD-WAN Essentials—(Available for tenants with SD-WAN Essentials or Advanced service level) Provides basic SD-WAN services. This service is ideal for small enterprises that want to manage simple WAN connectivity with comprehensive NGFW security services at the branch sites, using link-based application steering. The SD-WAN Essentials service does not support multihoming, dynamic mesh tunnels, cloud breakout profiles, SLA-based steering profiles, pool-based source NAT rules, IPv6, MAP-E, or underlay BGP.

    Note:

    A tenant with the Advanced SD-WAN service level can create enterprise hubs only with the Advanced SD-WAN service. A Secure SD-WAN Advanced branch site connects only to secure SD-WAN Advanced enterprise hubs.

  • Secure SD-WAN Advanced—(Available for tenants with SD-WAN Advanced service level) Provides complete SD-WAN services. This service is ideal for enterprises with one or more data centers that require flexible topologies and dynamic application steering. You can establish site-to-site connectivity by using a hub in a hub-and-spoke topology or through static or dynamic full mesh VPN tunnels. Enterprise-wide, intent-based SD-WAN policies and service-level agreement (SLA) measurements allow you to differentiate and dynamically route traffic for different applications. This service includes the Secure SD-WAN Essentials service.

   

Address and Contact Information

Enter the address and contact information in the fields provided. Although it is not mandatory, providing an address lets you visualize where the site is located on a geographical map on the Monitor Overview page.

Advanced Configuration

For the DNS and NTP servers, you can either use the defaults or specify DNS and NTP servers.

Domain Name Server

If needed, specify the IPv4 or IPv6, or both IPv4 and IPv6 addresses of one or more DNS servers.

NTP Server

If needed, specify the IP addresses of one or more NTP servers.

Select Timezone

Select a time zone for the site.

Table 2: Device Settings (Add Enterprise Hub)

Field

Guideline

Device Redundancy

Disabled by default. Enable this option only for dual CPEs.

Device Series

Displays SRX as the device series (family). You cannot modify this field because only certain SRX Series devices can be configured as enterprise hubs.

Device Model

Select the SRX model.

[Device Template]

Ensure that you select the correct device template from the carousel; the template depends on the device that you are using as the enterprise hub.

For example, for an SRX4100 device, select SRX4x00 as SD-WAN CPE (or a modified version of that template) as the device template.

Device Information

Note:

If you enabled Device Redundancy, additional fields are displayed. For more information, see Add Enterprise Hubs with SD-WAN Capability in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Serial Number

If you want CSO to proceed with the site activation immediately after you complete the site addition workflow, enter the serial number. If the serial number that you entered is already present in the system, CSO displays an error message. If the serial number is not present, then CSO displays a green check mark.

If you want CSO to only model the site, leave this field blank. If you don’t enter a serial number, you must manually activate the site later.

Device Root Password

The default root password is fetched from the ENC_ROOT_PASSWORD field in the device template. You can retain the password or change it by entering a password in plain-text format. The password is encrypted and stored on the device.

Zero Touch Provisioning

By default, Zero Touch Provisioning is enabled. If you want to disable ZTP, click the toggle button.

Note:

By default, this button is disabled for vSRX. You can enable this button if the Junos OS version running on vSRX supports the phone-home client.

To use ZTP, ensure the following:

  • Device must have connectivity to CSO and the Juniper phone-home server (https://redirect.juniper.net).

    Use telnet from the device to verify connectivity (Junos CLI syntax; replace CSO-hostname-or-IP with the hostname or IP address of your CSO instance):

    telnet redirect.juniper.net port 443

    telnet CSO-hostname-or-IP port 443

    If the connection is established, the device has connectivity to the phone-home server and CSO.

  • Required certificates for phone-home server and CSO must be present on the device.
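The same reachability check, scripted, as an added example that is not part of the CSO documentation or product: it tests TCP port 443 on the phone-home server and on the CSO host from wherever the script runs (for example, a jump host on the same management network as the device, which is not identical to testing from the device itself), and additionally attempts a validated TLS handshake to the phone-home server, which fails if the required CA certificate is missing from the local trust store. The hostname redirect.juniper.net is taken from the page; the CSO hostname is an assumed placeholder.

```python
"""Pre-ZTP reachability check for an SRX enterprise hub (added example, not CSO code).

Verifies that TCP port 443 is reachable on the Juniper phone-home server and on
the CSO host (the check the page describes with telnet), and that a TLS
handshake to the phone-home server validates against the local CA store.
"""
import socket
import ssl

PHONE_HOME_HOST = "redirect.juniper.net"   # from the page
CSO_HOST = "cso.example.invalid"           # assumption: replace with your CSO hostname or IP
PORT = 443


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Covers DNS failure, connection refused, timeout and unreachable network.
        return False


def tls_handshake_ok(host: str, port: int, timeout: float = 5.0) -> bool:
    """Return True if a TLS handshake to host:port validates against the system
    CA store. False on the phone-home server usually means the required root
    certificate is missing from the local trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def ztp_precheck(cso_host: str = CSO_HOST,
                 phone_home: str = PHONE_HOME_HOST,
                 port: int = PORT) -> dict:
    """Run the checks for both endpoints and return a name -> bool result map."""
    return {
        "phone_home_tcp": tcp_reachable(phone_home, port),
        "cso_tcp": tcp_reachable(cso_host, port),
        "phone_home_tls": tls_handshake_ok(phone_home, port),
    }


if __name__ == "__main__":
    for name, ok in ztp_precheck().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

A failing `phone_home_tcp` or `cso_tcp` points at firewall or NAT rules on the path (see Ports and Protocols to Open); a passing TCP check with a failing `phone_home_tls` points at the certificate requirement in the second bullet rather than at connectivity.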

If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the firewall device is upgraded to the image that you select for the Boot Image.

If you disable ZTP, you must copy the stage-1 configuration from CSO and commit it on the device. Use any of the following options to copy the stage-1 configuration:

  • Click the Click to copy stage-1 config link next to Prestage Device task in the Site Activation Progress page.

    If you close the Site Activation Progress page inadvertently, you can access the page from the Site Management page. Click the View link next to the status of the site under the Site Status column.

  • On the Devices page (Resources > Devices), select the device and click Stage1 Config.

Is Cluster Already Formed?

Note:

This field is available only for SRX dual CPE devices.

Click the toggle button to specify whether the SRX cluster has been manually formed (Yes) or not (No).

Cluster ID

Note:

This field is available only for SRX dual CPE devices.

If the SRX cluster hasn’t been formed manually, specify a unique ID for the cluster.

Range: 1 through 15

If you’ve enabled ZTP for the site, the cluster is automatically formed when the site is activated. If you’ve disabled ZTP, the following processes are displayed on the Site Activation Progress page (that appears after you’ve added the branch site):

  1. After CSO models the site (that is, after the Model Site process completes successfully), click the Click to copy pre script link, which appears next to the Pre Script process.

  2. Execute the commands as directed.

    After the Pre Script process completes successfully, the SRX cluster is formed and the recovery.conf file is saved on the cluster. In case you want to delete the site later, you’ll need this file to remove the stage-1 configuration and other configurations pushed to the device by CSO.

  3. Manually copy the stage-1 configuration (generated automatically by CSO) to the primary device in the cluster, and commit the configuration on the device.

After the cluster is detected, CSO executes the bootstrap and provisioning processes and completes provisioning the cluster.

Auto Activate

Click the toggle button to specify whether the site activation requires an activation code or not:

  • Enabled—The site is activated automatically without an activation code. This is the default setting.

  • Disabled—The site activation proceeds only after you enter an activation code. If you choose this setting, enter the activation code (in the Activation Code field) that must be entered to activate the device.

Boot Image

If you want to upgrade the enterprise hub device with the latest supported Junos OS version, select the boot image from the list. The boot image is used to upgrade the device when CSO starts the zero touch provisioning (ZTP) process.

If you don't specify a boot image, which is the default option (Use Image on Device) in the list, then CSO skips the procedure to upgrade the device during ZTP.

Management Interface Family

Select the IP address type (IPv4 or IPv6) for the management interface. This field is displayed only if you have enabled Zero Touch Provisioning.

Management Connectivity

Note:

This section is displayed only if you disable Zero Touch Provisioning.

Address Family

Select the IP address type (IPv4 or IPv6).

Interface Name

Enter the management interface.

Access Type

Select the access type for the underlay link. LTE, ADSL, and VDSL access types are supported only on Internet links. You cannot add LTE, ADSL, and VDSL access types to the same WAN link.

Address assignment

DHCP is selected by default. If you want to provide a static IP address, select STATIC.

Management VLAN ID

Enter a VLAN ID for the WAN link.

PPPoE

Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet).

Hub Configuration

Note:

Hub selection is optional for both SD-WAN Advanced and Essentials sites. SD-WAN Essentials sites do not support multihoming.

Primary Provider Hub

If you previously added provider hub sites (DATA or OAM and DATA capability) for the tenant and want to have a backup for the enterprise hub, select a provider hub site as the primary provider hub.

Secondary Provider Hub

Note:

Not applicable to sites with SD-WAN Essentials service.

If you previously added provider hub sites (DATA or OAM and DATA capability) for the tenant and want provider hub redundancy, select another provider hub as the secondary provider hub.

WAN Links

You can configure a maximum of four WAN links and must configure at least one WAN link.

WAN_0 (WAN-Interface-Name)

The first WAN link is enabled by default.

Fields marked with an asterisk (*) must be configured to proceed.

Link Type

For the first WAN link, we use the default (Internet) for the underlay network type to ensure reachability to the redirect server.

Egress Bandwidth

Enter the maximum egress bandwidth (in megabits per second [Mbps]) that is allowed for the WAN link.

Underlay Address Families

IPv4

By default, IPv4 address assignment is enabled for the WAN link.

The WAN link requires an IPv4 address to connect to an IPv4 network.

Address Assignment Method

Displays the method of assigning an IPv4 address to the WAN link (STATIC). You cannot modify this field.

You must provide the IPv4 address prefix and the gateway IPv4 address for the WAN link.

Static IP Prefix

Enter the IPv4 address prefix of the WAN link.

Gateway IP Address

Enter the IPv4 address of the gateway of the WAN service provider.

MTU

Applicable only to IPv4 addresses.

Enter the maximum transmission unit (MTU) size for the media or protocol. The supported MTU range can vary depending on the device, interface type, network topology, and other individual requirements. See also: MTU Default and Maximum Values and LTE Mini Physical Interface Modules (LTE Mini-PIM).

Editing the MTU values of all the OAM-enabled WAN links of a site at the same time might result in tunnel flapping. You must ensure that at least one OAM-enabled WAN link always remains undisrupted for a site. For example, if you have a site with four WAN links (including two links that support OAM traffic), you can edit the MTU values of all the WAN links except one OAM-enabled link at the same time. After the edit is complete and the changes are saved, you can edit the site again and update the remaining WAN link.

Note:

If you enable the PPPoE/PPP option under a WAN link, the MTU option is displayed under the PPPoE/PPP Settings section for that link.

Public IP Address

Note:

You should provide a public IP address only if the static IP prefix is a private IP address and 1:1 NAT is configured.

Enter the public IPv4 address for the link, if needed.

Advanced Settings

Address Family (Tunnel Creation)

Displays the underlay address family (IPv4) that is used to establish the overlay tunnel.

Provider

Enter the name of the WAN link’s service provider.

Cost/Month

Leave this as the default because this field is currently not used in CSO.

Enable Local Breakout

Click the toggle button to enable the WAN link to be used for local breakout. The toggle button is disabled by default, which means that the WAN link cannot be used for local breakout.

Local breakout is an SD-WAN feature that enables Internet links to break out traffic directly from a site. For example, if you want to provide guests who visit your enterprise with Internet access, you can use local breakout to break out guest traffic locally from the site directly to the Internet.

Note:

If you enable local breakout, this only means that the WAN link can be used for local breakout. To enable traffic to break out from the site, you must also configure a breakout profile, reference that profile in an SD-WAN policy intent, and deploy the SD-WAN policy.

If you enable local breakout, additional fields appear.

Breakout Options

This field is displayed only if local breakout is enabled for the WAN link.

Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

Autocreate Source NAT Rule

Note:

Sites with Secure SD-WAN Essentials service support interface-based source NAT rules only. If you enable this option for an SD-WAN Essentials site, interface-based source NAT rules are automatically applied. If you enable this option for an SD-WAN Advanced site, you must select a source NAT rule from the Translation field.

This field is displayed only if local breakout is enabled for the WAN link.

When you enable local breakout on a link, this setting is enabled by default, which triggers automatic creation of source NAT rules for the site.

You can click the toggle button to disable the automatic creation of source NAT rules. If you disable this field, then you must manually add a source NAT rule for local breakout and deploy the NAT policy on the site.

Note:

If NAT is not enforced by a separate device in your network (for example, an Internet gateway firewall), then we recommend that you enable this setting because it allows CSO to automatically create a NAT policy for the site.

Table 5 explains how source NAT rules are automatically created on the WAN link. The automatically created source NAT rules are implicitly defined and applied to the site and are not visible on the NAT Policies page.

Note:

You can manually override automatically created NAT rules by creating a NAT rule, which is placed at a higher priority than the automatically created NAT rule.

Translation

This field is displayed only if the automatic creation of source NAT rules is enabled for the WAN link, and the SD-WAN service used is Advanced. Sites with Secure SD-WAN Essentials service support interface-based source NAT rules only.

Select the type of NAT to use for the traffic on the WAN link:

  • Interface—Use interface-based NAT, which is the default setting.

  • Pool—Use pool-based NAT. If you select this option, you must specify the IP addresses that are to be used for the NAT pool.

IP Addresses

For pool-based NAT, enter one or more IP addresses, subnets, or an IP address range. Separate multiple IP addresses by using commas and use a hyphen to denote a range; for example, 192.0.2.1-192.0.2.50.

Note:

No NAT is performed for tenant-owned public IP addresses that were added during the tenant addition workflow.

Preferred Breakout Link

If the WAN link is enabled for local breakout, click the toggle button to enable the WAN link as the most preferred breakout link.

If you disable this option, then the breakout link is chosen using ECMP (equal-cost multipath) from the available breakout links.

BGP Underlay Options

Note:

Not applicable to sites with SD-WAN Essentials service.

Note:

BGP underlay routing is typically used by service providers, and can be configured only if local breakout is enabled for the WAN link.

Click the toggle button to enable BGP underlay routing.

When you enable BGP underlay routing, route advertisements to the primary Provider Edge (PE) node and, if configured, the secondary PE node occur as follows:

  • CSO advertises the WAN interface subnet.

  • If you configured pool-based translation, CSO advertises the NAT address pool.

Note:

If underlay BGP is enabled for a WAN link, then the routes learnt from BGP are installed for local breakout; CSO does not generate the static default route.

Primary Neighbor

Displays the IP address that you entered for the gateway for the WAN link.

Secondary Neighbor

If you want to provide PE resiliency, you can configure a secondary PE node.

Enter the IP address of the secondary PE node.

Note:

If the primary PE node goes down, then the secondary PE is used as the next hop. When the primary PE comes back up, the route next hops are changed to the primary PE.

eBGP Peer-AS-Number

Enter the autonomous system (AS) number for the external BGP (eBGP) peer.

Note:

If the peer AS number is not configured or the peer AS number that is configured is the same as that of the CPE site, then the BGP type is assumed to be internal BGP (iBGP).

Local AS Number

Enter the local AS number for the WAN link. When you configure this parameter, the local AS number is used for eBGP peering instead of the global AS number configured for the device.

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

Advertise Public LAN Prefixes

Click the toggle button to enable the advertisement of public LAN prefixes. This field is disabled by default.

If the tenant has a public IP address pool configured and you enable the advertisement of public LAN prefixes, then for LAN segments that are created with a subnet that falls under the tenant public IP address pool, CSO advertises the LAN subnet to the BGP underlay.

Note:

When public LAN advertisement is enabled for the WAN link, public LAN prefixes are advertised through the BGP underlay towards MPLS or the Internet.

Use for Fullmesh

Click the toggle button to enable the WAN link to be part of a full mesh topology.

A site can have all WAN links enabled for meshing.

Note:
  • You must enable at least one WAN link for full mesh.

  • Even if you enable this option, sites with SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

Configure the two additional fields that appear:

Mesh Overlay Link Type

If the WAN link is enabled for full mesh, select the type of encapsulation to be used for the overlay tunnels in the full mesh topology:

Note:

For links with public IP addresses, we recommend that you use GRE over IPsec as the mesh overlay link type.

  • GRE_IPSEC—Use GRE over IPsec.

  • GRE—Use GRE. This option is available only for MPLS links.

Mesh Tag

Select one or more mesh tags for the WAN link.

Note:

The tunnels between the enterprise hub site and the branch site are added based on matching mesh tags. So, if you want meshing to take place between a WAN link on the enterprise hub and a WAN link on the branch site, the mesh tags must be the same for both sites.

For more information about mesh tags, see Mesh Tags Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Use for OAM traffic

Click the toggle button to enable the use of the WAN link for Operation, Administration, and Maintenance (OAM) traffic. The WAN link is then used to establish an OAM tunnel for communication between the enterprise hub site and CSO.

Note:

To ensure redundancy, we recommend that you configure at least two WAN links that can be used for OAM traffic. In addition, for added management redundancy, use two links with different transport paths.

Connects to Hubs

Note:

The Connects to Hubs field is available only if you have selected a provider hub.

Click the toggle button to specify that the WAN link of the site connects to a hub.

Note:
  • For sites with a single CPE, you must enable at least one WAN link to connect to the hub so that OAM traffic can be transmitted.

  • For sites with a dual CPE, you must enable at least one WAN link per device to connect to the hub so that OAM traffic can be transmitted.

VLAN ID

Enter a VLAN ID for the WAN link.

Range: 0 through 4049 (4050 to 4094 is reserved by CSO).

Note:
  • If you are configuring more than one WAN link on the same physical interface, only one WAN link can be untagged; for the remaining WAN links, you must configure a VLAN ID.

  • A combination of tagged and untagged on the same physical interface is supported only for single CPE devices.

To enable the configuration of WAN links as logical interfaces, you must modify the device template and configure the WAN ports as logical interfaces.

Backup Link

Select a backup link through which traffic can be routed when the primary (other) links are unavailable. You can select any link other than the default links or links that are configured exclusively for local breakout traffic.

When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, SLA data is not monitored for the backup link.

Default Link

Select one or more links that will be used for routing traffic in the absence of matching SD-WAN policy intents. A site can have multiple default links to the hub site.

Default links are used primarily for overlay traffic but can also be used for local breakout traffic. However, a default link cannot be used exclusively for local breakout traffic. If you do not specify a default link, then equal-cost multipath (ECMP) is used to choose the link on which to route traffic.

WAN_1 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields.

WAN_2 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields.

WAN_3 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields.

Advanced Configuration

Note:

Sites with SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

OAM IP Prefix

We recommend that you do not configure this setting (leave the IP Prefix field blank) because management connectivity is handled automatically by CSO.

Traffic Volume Metrics

Choose a method to compute the SD-WAN traffic volume on the WAN links of the site. CSO uses this data to provide a graphical representation of the WAN traffic volume on the Site Details page.

  • Session-Based—Computes and reports the session-based traffic volume on the site's WAN links, at the closure of each session. This is the default method.
  • Time-Based—Computes and reports the traffic volume at periodic intervals during a session.

DVPN Threshold for Tunnel Creation

Specify the threshold for the number of sessions (flows) closed (in a two-minute duration) between the enterprise hub site and a destination site. When the number of sessions closed exceeds the specified threshold, a tunnel is created between the enterprise hub site and the destination site.

For example, if you specify a threshold as 7, dynamic mesh tunnels are created if the number of sessions closed (in two minutes) between the enterprise hub site and destination site exceeds 7.

DVPN Threshold for Tunnel Deletion

Specify the threshold for the number of sessions closed (in a 15-minute duration) between the enterprise hub site and a destination site. When the number of sessions closed is lower than the specified threshold, the tunnel between the enterprise hub site and destination site is deleted.

For example, if you specify the number of sessions closed as 5, dynamic mesh tunnels between the enterprise hub site and destination site are deleted if the number of sessions closed (in a 15-minute duration) is less than or equal to 5.
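The creation and deletion thresholds above use different comparisons (strictly greater than for creation, less than or equal to for deletion) and different windows (2 minutes and 15 minutes). The following is an added example, not CSO code, that encodes that decision as a small state machine so the boundary cases can be checked; it assumes each sample already carries the sessions closed toward one destination site in both windows.

```python
"""Dynamic mesh (DVPN) tunnel decision logic (added example, not CSO code).

Models the two thresholds from the DVPN fields: a tunnel is created when the
sessions closed in the last 2 minutes EXCEED the creation threshold, and an
existing tunnel is deleted when the sessions closed in the last 15 minutes are
AT OR BELOW the deletion threshold. Assumed simplification: each sample holds
both window counts for a single (enterprise hub, destination site) pair.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DvpnThresholds:
    create: int   # DVPN Threshold for Tunnel Creation (2-minute window)
    delete: int   # DVPN Threshold for Tunnel Deletion (15-minute window)


def next_state(tunnel_up: bool, closed_2min: int, closed_15min: int,
               thr: DvpnThresholds) -> bool:
    """Return whether a dynamic tunnel should exist after this sample."""
    if not tunnel_up:
        # No tunnel yet: create only when the count strictly exceeds the threshold.
        return closed_2min > thr.create
    # Tunnel exists: keep it only while the count stays above the deletion threshold.
    return closed_15min > thr.delete


def simulate(samples, thr: DvpnThresholds, tunnel_up: bool = False) -> list:
    """Apply next_state over (closed_2min, closed_15min) samples and return the
    tunnel state after each one."""
    states = []
    for closed_2min, closed_15min in samples:
        tunnel_up = next_state(tunnel_up, closed_2min, closed_15min, thr)
        states.append(tunnel_up)
    return states


if __name__ == "__main__":
    # Constructed samples using the page's example values (create 7, delete 5).
    thr = DvpnThresholds(create=7, delete=5)
    print(simulate([(8, 30), (0, 6), (0, 5), (7, 40)], thr))
```

With the page's example values, a sample of exactly 7 closed sessions in two minutes does not create a tunnel, and exactly 5 closed sessions in 15 minutes does delete one, which is the asymmetry operators most often get wrong when tuning these fields.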

Additional Configuration

If you want to deploy additional configuration during the ZTP process, you can select one or more configuration templates and set the parameters for each template.

Configuration Templates List

For each configuration template that you select:

  1. Select one or more configuration templates from the list that you want to deploy on the device during ZTP.

  2. Click Set Parameters.

    The Device Configurations page appears. The names and configuration parameters of the configuration templates that you selected are displayed in the Configure tab.

  3. For each configuration template, enter values for the parameters.

  4. (Optional) Click the Summary tab to view the Junos OS configuration commands that will be deployed on the device for the different configuration templates.

  5. Click Save.

    You are returned to the WAN tab. The Junos OS configuration commands will be deployed on the device during the ZTP process.

Table 3: Fields on the Add LAN Segment page (Enterprise Hub)

Field

Description

Use for Overlay VPN

Enable the Use for Overlay VPN field to associate the LAN segment with the selected department (VRF + ZONE) for overlay traffic to other sites.

Disable the Use for Overlay VPN field to associate the LAN segment with a security zone for underlay breakout. You must define zone-based security policies.

Note:

When adding a new site, this field is enabled by default and cannot be modified. However, when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page, you can enable or disable this option.

Name

Enter a name for the LAN segment.

The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length allowed is 15 characters.

CPE Port

Note:

Applicable to SRX Series devices.

Select the CPE port to be added in the LAN segment.

When you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page, you can select (or create) a LAG interface or a redundant Ethernet (reth) interface (for a dual CPE cluster) to connect the SRX Series CPE devices to an EX Series switch.

To use the et interface on SRX4600 devices, you must create a LAG interface and configure the et interface as a member of the LAG (aggregated Ethernet or ae) interface. See Create LAG Interface.

For an SRX4600 dual CPE cluster, you can use the et interface if it is configured as a member of the redundant Ethernet (reth) interface.

Add LAG Interface

Note:

This option is available when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page.

Click the link to create a LAG interface (ae interface) if you want to use it to connect the SRX Series CPE to the EX Series switch. See Create LAG Interface for details.

Create RETH Interface

Note:

This option is available when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page.

Click the link to create a reth interface for an SD-WAN site with a dual CPE cluster. See Create a RETH Interface for details.

Type

Note:

This field is displayed only for LAN segments associated with enterprise hub sites.

Select the type of LAN segment:

  • Directly Connected (default)—Indicates that the LAN segment is directly connected to the site.

  • Dynamic Routed—Indicates that the LAN segment is not directly connected to the site and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.

VLAN ID

Enter the VLAN ID for the LAN segment. By default, VLAN ID is set to 1 and native VLAN is enabled for untagged traffic.

Range: 1 through 4049.

Use for Native VLAN

Enable this option to use the VLAN ID specified above for untagged traffic. The CPE interface is configured with a native-vlan-id, which has the same value as the VLAN ID.

Department

Note:

This field is available only if the Use for Overlay VPN field is enabled.

Select a department to which the LAN segment is assigned.

Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Add a Department for details.

You can group LAN segments into departments for ease of management and for applying policies at the department level. For LAN segments that are dynamically routed, you can assign only a data center department.

Gateway Address/Mask

Enter a valid gateway IP address and mask for the LAN segment. This address will be the default gateway for endpoints in this LAN segment.

For example: 192.0.2.8/24.

Zone

Note:

This field is available only if the Use for Overlay VPN field is disabled.

Select a security zone to be associated with this LAN segment. Alternatively, click the Create Zone link to create a new security zone and assign it to this LAN segment. See Adding a Security Zone for details.

DHCP

For directly connected LAN segments, click the toggle button to enable DHCP.

You can enable DHCP if you want to assign IP addresses by using a DHCP server or disable DHCP if you want to assign a static IP address to the LAN segment.

Note:

If you enable DHCP, additional fields appear on the page.

Additional fields related to DHCP

Address Range Low

Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Address Range High

Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Maximum Lease Time

Specify the maximum duration (in seconds) for which a client can request and hold a lease on the DHCP server.

Default: 1440

Range: 0 through 4,294,967,295 seconds.

Name Server

Specify one or more IPv4 addresses of the DNS server.

To enter more than one DNS server address, type the address, press Enter, and then type the next address.

Note:

DNS servers are used to resolve hostnames into IP addresses.
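The field constraints above (name format and length, VLAN ID range, gateway address/mask, DHCP address range, lease time range, IPv4 name servers) can be checked before the values are typed into the wizard. The following validator is an added example written for this page, not CSO code; the dict keys it reads are assumptions made for the example, and the two checks that tie the DHCP range to the gateway subnet are practitioner sanity checks that the page itself does not state.

```python
import ipaddress
import re

# Constraints taken from the Add LAN Segment field descriptions above.
NAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,15}$")   # alphanumerics plus . and -, no spaces, 15 max
VLAN_MIN, VLAN_MAX = 1, 4049
LEASE_MIN, LEASE_MAX = 0, 4_294_967_295           # seconds
DEFAULT_LEASE = 1440


def validate_lan_segment(seg: dict) -> list:
    """Return the list of problems found; an empty list means the segment looks consistent.

    `seg` mirrors the wizard fields as a plain dict. The key names are an
    assumption made for this example, not CSO field identifiers.
    """
    problems = []

    name = seg.get("name", "")
    if not NAME_RE.match(name):
        problems.append(f"name {name!r}: 1-15 characters from [A-Za-z0-9.-], no spaces")

    vlan = seg.get("vlan_id", 1)
    if not VLAN_MIN <= vlan <= VLAN_MAX:
        problems.append(f"vlan_id {vlan}: must be {VLAN_MIN} through {VLAN_MAX}")

    # Gateway address/mask, e.g. 192.0.2.8/24: the address must be a usable host address.
    try:
        gw = ipaddress.ip_interface(seg.get("gateway", ""))
    except ValueError:
        problems.append("gateway: must be an IPv4 address/mask such as 192.0.2.8/24")
        return problems
    if gw.version != 4:
        problems.append(f"gateway {gw}: only IPv4 is handled by this example")
        return problems
    subnet = gw.network
    if subnet.prefixlen < 31 and gw.ip in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"gateway {gw}: the network or broadcast address is not a usable gateway")

    if not seg.get("dhcp"):
        return problems

    lease = seg.get("max_lease", DEFAULT_LEASE)
    if not LEASE_MIN <= lease <= LEASE_MAX:
        problems.append(f"max_lease {lease}: must be {LEASE_MIN} through {LEASE_MAX} seconds")

    try:
        low = ipaddress.IPv4Address(seg.get("range_low", ""))
        high = ipaddress.IPv4Address(seg.get("range_high", ""))
    except ValueError:
        problems.append("dhcp: Address Range Low/High must both be IPv4 addresses")
        return problems
    if low > high:
        problems.append(f"dhcp range: low {low} is above high {high}")

    # Added sanity checks (not stated on the page): the pool must lie inside the
    # gateway subnet, and it must not hand out the gateway's own address.
    for label, addr in (("range_low", low), ("range_high", high)):
        if addr not in subnet:
            problems.append(f"{label} {addr}: outside the gateway subnet {subnet}")
    if low <= gw.ip <= high:
        problems.append(f"dhcp range {low}-{high} includes the gateway address {gw.ip}")

    for ns in seg.get("name_servers", []):
        try:
            ipaddress.IPv4Address(ns)
        except ValueError:
            problems.append(f"name server {ns!r}: must be an IPv4 address")

    return problems


if __name__ == "__main__":
    # Constructed sample input for a directly connected hub LAN segment with DHCP.
    sample = {"name": "hub-lan1", "vlan_id": 10, "gateway": "192.0.2.1/24", "dhcp": True,
              "range_low": "192.0.2.100", "range_high": "192.0.2.200",
              "name_servers": ["192.0.2.53"]}
    for problem in validate_lan_segment(sample) or ["ok"]:
        print(problem)
```

Run it on a dict per LAN segment before filling in the wizard; every returned string names the field and the constraint it violates, so a batch of segments can be checked in one pass.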

CPE Ports

Note:

Applicable to NFX150 and NFX250 devices.

For sites with SD-WAN capability, the CPE Ports field is disabled and the CPE ports that you can include in the LAN segment are listed.

Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

Static Routing

Use this section to configure static routing on the LAN segment. Provide the IP addresses of all the LAN routers connected to the CPE device and the static subnets behind these routers.

Add LAN Router IP Prefix

LAN Router IP

Enter the IP address of the LAN router that is connected to the CPE device.

Prefix

Enter the subnets that are connected to the LAN router.

BFD

Enable Bidirectional Forwarding Detection (BFD) to detect any failures on the static route.

Dynamic Routing

Routing Protocol

Enable this toggle button to configure dynamic routing using the BGP or OSPF protocol.

BFD

Enable Bidirectional Forwarding Detection (BFD) to detect any failures in the LAN segment.

Protocol

Select either BGP or OSPF.

BGP Configuration

Note:

Starting in Release 6.1.0, CSO explicitly disables the long-lived graceful restart (LLGR) capability for BGP peering sessions with provider edge (PE) and data center or LAN routers. Disabling LLGR ensures that the CPE does not differentiate the route advertisements to the peering router irrespective of the peering router’s LLGR capability.

Prior to CSO Release 6.1.0, LLGR helper mode is enabled by default (implicit behavior of Junos OS) on the CPE for BGP peering toward the PE router in IP VPN deployments, and toward data center or LAN routers in data center deployments.

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

BGP Options

You can select the following options based on your requirements:

  • AS-OVERRIDE: Replaces all occurrences of the peer AS number in the AS path with its own AS number before advertising the route to the peer.

  • AS-PATH-PREPEND: Prepends one or more autonomous system (AS) numbers at the beginning of an AS path. Prepending makes a shorter AS path look longer, so BGP prefers the route less.

  • AS-LOOP: Allows the local device’s AS number to appear in received AS paths. You can specify the number of times the local AS may be detected in the AS path.

Loop Count

This field is displayed only if you select AS-LOOP.

Enter the maximum number of times the detection of local AS is allowed in the AS path.

Peer IP Address

Enter the IP address of the LAN BGP peer.

Peer AS Number

Enter the autonomous system (AS) number of the LAN BGP peer. By default, CSO uses the AS number 64512. You can enter a different AS number.

Local AS Number

Enter the local AS number. When you configure this parameter, the local AS number is used for BGP peering instead of the global AS number configured for the CPE.
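The three BGP Options above change what the CPE advertises and what it accepts. The following simulation is an added example written for this page (not CSO or Junos OS code) that applies AS-OVERRIDE and AS-PATH-PREPEND to an outgoing path, applies the AS-LOOP count to an incoming path, and shows the shortest-AS-path comparison that prepending is meant to influence. The AS numbers in the scenario (hub CPE 64512, LAN router 65001, a router behind it 65010) are constructed for the example.

```python
from typing import Dict, List


def as_override(path: List[int], peer_as: int, local_as: int) -> List[int]:
    """AS-OVERRIDE: before advertising to the peer, replace every occurrence of the
    peer's AS with our own AS, so the peer's own loop check does not drop the route."""
    return [local_as if asn == peer_as else asn for asn in path]


def advertise(path: List[int], local_as: int, peer_as: int,
              override: bool = False, prepend: int = 0) -> List[int]:
    """AS path the peer receives: optional AS-OVERRIDE, then the normal insertion of
    the local AS, plus `prepend` extra copies of it for AS-PATH-PREPEND."""
    out = as_override(path, peer_as, local_as) if override else list(path)
    return [local_as] * (1 + prepend) + out


def accept_received(path: List[int], local_as: int, loop_count: int = 0) -> bool:
    """AS-LOOP: a received path that already contains the local AS is rejected,
    unless a loop count permits the local AS to appear up to that many times."""
    return path.count(local_as) <= loop_count


def best_by_as_path_length(candidates: Dict[str, List[int]]) -> str:
    """Among routes to the same prefix, pick the shortest AS path (the BGP tie-break
    that prepending influences); ties resolve to the first candidate given."""
    return min(candidates, key=lambda name: len(candidates[name]))


if __name__ == "__main__":
    HUB_AS, LAN_ROUTER_AS, DC_AS = 64512, 65001, 65010        # constructed scenario
    # A route learned from another LAN router in AS 65001, re-advertised to the LAN router:
    # without override it would carry 65001 and the LAN router would reject it as a loop.
    print(advertise([LAN_ROUTER_AS, DC_AS], HUB_AS, LAN_ROUTER_AS, override=True))
    # Prepending twice on the backup link makes that path longer than the primary.
    primary = advertise([DC_AS], HUB_AS, LAN_ROUTER_AS)
    backup = advertise([DC_AS], HUB_AS, LAN_ROUTER_AS, prepend=2)
    print(best_by_as_path_length({"primary": primary, "backup": backup}))
    # A path containing the hub's own AS once is accepted only with Loop Count >= 1.
    print(accept_received([LAN_ROUTER_AS, HUB_AS, DC_AS], HUB_AS, loop_count=1))
```

Loop Count is the only one of the three that relaxes a safety check: with AS-LOOP enabled, a path that has already passed through this CPE is no longer rejected outright, so keep the count at the minimum the topology actually needs.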

OSPF Configuration

OSPF Area ID

Specify the OSPF area identifier to be used for the dynamic route.

Authentication

Select the OSPF route authentication method to be used:

  • Password—Indicates that password-based authentication should be used. If you choose this option, you must specify the password. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

  • None—Indicates that no authentication should be used.

Password

Enter the password to be used to verify the authenticity of OSPF packets.

Confirm Password

Retype the password for confirmation purposes.

MD5 Auth Key ID

If you specified that MD5 should be used for authentication, enter the OSPF MD5 authentication key ID.

Range: 1 through 255.

Auth Key

If you specified that MD5 should be used for authentication, enter an MD5 authentication key, which is used to verify the authenticity of OSPF packets.

Route Advertisement Control

LAN Route(s) to Overlay

When this option is enabled, LAN routes are advertised to the remote CPEs. By default, this option is enabled.

Starting in CSO Release 6.2.0, you can configure export policies in conjunction with the LAN Route(s) to Overlay option for more granular control over routes that are advertised to the overlay network. For example, when the LAN Route(s) to Overlay option is enabled, you can configure policies to prevent specific routes from being advertised. Similarly, when the LAN Route(s) to Overlay option is disabled, you can configure policies to allow only specific routes to be advertised.

Overlay Route(s) to LAN

This option is displayed only if you enable the Routing Protocol toggle button. By default, this option is disabled.

Enable this option to advertise the remote CPE routes received in a department to the LAN router.

Note:

In CSO Release 6.0.0 and earlier releases, this option is called Advertise LAN Prefix and is applicable only for data center departments.

Starting in CSO Release 6.2.0, you can use the following policies for granular control of the route advertisements:

  • Import policies for granular control of the routes that a CPE device accepts from the list of routes advertised by the LAN router.

  • Export policies for granular control of the routes that a CPE device advertises to the LAN router.

Static/Aggr Routes to Overlay

Enable this option to allow advertisement of static or aggregate routes to the overlay network.

  • If a large number of LAN routes are present, then you can disable the LAN Route(s) to Overlay option and use this option to advertise aggregate routes.

  • If you want to advertise additional routes, then you can enable the LAN Route(s) to Overlay option and use this option to advertise additional static routes.

Table 4: Site Activation Tasks and Troubleshooting

Activation Task

Troubleshooting

Model Site—CSO first models the site to begin the activation process. If you didn’t enter a serial number or disabled automatic activation, you must manually activate the site as explained in Manually Activate a Site.


Prestage Device—Depending on the type of device used, you might need to copy the configuration that is generated by CSO and commit the configuration on the device. For such devices, CSO can move to the next step (detecting the device) only after the configuration is committed successfully on the device.

  1. On the Devices page (Resources > Devices), select the device and click Stage1 Config.

    The configuration to be copied appears in a separate page.

  2. Click Copy to copy the configuration to the clipboard.

  3. Log in to the device by using SSH and enter Junos OS configuration mode.

  4. Paste the configuration that you copied and commit the configuration.

This step typically goes through without problems. However, if you encounter a problem, log in to the device (using a console or a management interface), access the CLI, and verify that the stage-1 configuration was committed on the device.

Detect Device—The device reaches out to CSO, and communication with CSO is established.

This task typically takes a few minutes. If the status shows as Pending after about 10 minutes, try the troubleshooting steps.

If the device is not detected:

  1. Check that the correct interfaces on the device are connected.

  2. Log in to the device, and access the CLI.

  3. Check the system time that is configured on the device by executing the show system uptime command, and ensure that the system time is accurate. A mismatch in time might mean that the device is unable to connect to the redirect server.

  4. Execute the show interfaces terse command.

    Note:

    This step is applicable only for branch sites.

    In the command output, verify whether the device received a DHCP IP address. If the device did not receive an IP address, try to reconnect.

  5. If the device has a valid IP address, then verify that the device can reach the Internet by using the ping command. For example, ping www.juniper.net.

    If the ping command executes successfully, this means that the device can reach the Internet, and DNS resolution is working.

  6. Verify that outgoing connections on port 443 are permitted by executing the telnet redirect.juniper.net 443 command.

    If the connection is permitted, you should see output similar to the following:

    Trying 192.0.2.155...
    Connected to telnet-host.example.com.
    Escape character is '^]'.

Bootstrap Device—This task comprises the following sub-tasks:

  1. A secure OAM tunnel (using IPsec) from the device to the OAM hub is established.

  2. An outbound SSH connection from the device is established with CSO.

  3. An Internal BGP (iBGP) peering between the device and the virtual route reflector (VRR) is established.

  4. The device sends a Bootstrap Complete message to CSO, which CSO receives and marks the bootstrap as completed.

CSO applies the pre-script and the stage-1 configuration (which includes the device configuration).

This task typically takes a few minutes to finish. If the status shows as Pending after about 10 minutes, try the troubleshooting steps.

If the bootstrap device task does not finish successfully:

  1. Verify whether the stage-1 configuration was deployed on the device by executing the show configuration | display set | match outbound-ssh | match 7804 command.

    If the resulting output is similar to the following sample output, it means that the stage-1 configuration was deployed successfully.

    set system services outbound-ssh client CSO-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 192.0.2.100 port 7804

  2. Check if the secure OAM tunnels are up by executing the following commands:

    • show security ike sa command. If the State field in the output doesn't display UP, it means that port 500 is blocked. Ensure that port 500 is open, and retry the activation job (from the Jobs page).

    • show security ipsec sa command. If the State field in the output doesn't display UP, it means that port 4500 is blocked. Open port 4500, and retry the activation job (from the Jobs page).

  3. Verify whether the device has established BGP peering with the VRR by executing the show bgp summary command.

    If the State field in the output displays Establ, it means that BGP peering is established successfully.

  4. Verify whether the secure OAM session is established by executing the show security flow session destination-port 7804 command.

    If the resulting output is similar to the following output, it means that the secure OAM session was established successfully.

    Session ID: 430000098, Policy name: default-policy-00/2, Timeout: 1778, Valid
      In: 192.0.2.10/15190 --> 192.0.2.20/23;tcp, If: ge-7/1/0.0, Pkts: 109, Bytes: 5874, CP Session ID: 430000093
      Out: 192.0.2.20/23 --> 192.0.2.10/15190;tcp, If: ge-7/1/1.0, Pkts: 64, Bytes: 4015, CP Session ID: 430000093
    Total sessions: 1
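Steps 1 through 3 of the bootstrap troubleshooting above each reduce to reading one field of a show command and mapping its value to a port or peering problem. The following script is an added example written for this page, not Juniper code: it applies those three checks to saved command output and returns the findings in the page's own terms. The sample outputs are constructed and reduced to the columns the checks need (real output carries more columns, so adjust the column lookup if your device prints a different layout); the 7804 port and the 192.0.2.x addresses follow the page.

```python
import re

CSO_OUTBOUND_SSH_PORT = 7804


def stage1_deployed(set_output: str, port: int = CSO_OUTBOUND_SSH_PORT) -> bool:
    """Step 1: the 'display set | match outbound-ssh | match 7804' output must contain an
    outbound-ssh client line pointing at the CSO port."""
    return any("outbound-ssh client" in line and re.search(rf"\bport {port}\b", line)
               for line in set_output.splitlines())


def column_values(table: str, column: str) -> list:
    """Read one column of a header + rows table such as 'show security ike sa' prints.
    Header and rows are split on whitespace; rows shorter than the column index are skipped."""
    lines = [ln for ln in table.splitlines() if ln.strip()]
    if not lines or column not in lines[0].split():
        return []
    idx = lines[0].split().index(column)
    return [row.split()[idx] for row in lines[1:] if len(row.split()) > idx]


def bgp_peer_states(summary: str) -> dict:
    """Step 3, 'show bgp summary': peer rows start with the peer address and the eighth
    token is the State column (Establ when up; otherwise Active, Connect, Idle, ...)."""
    states = {}
    for line in summary.splitlines():
        tokens = line.split()
        if len(tokens) >= 8 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[0]):
            states[tokens[0]] = tokens[7]
    return states


def diagnose(set_output: str, ike_sa: str, ipsec_sa: str, bgp_summary: str) -> list:
    """Return one finding per failed check, phrased as the page's troubleshooting steps."""
    findings = []
    if not stage1_deployed(set_output):
        findings.append("stage-1 configuration missing: no outbound-ssh client on port 7804")
    ike = column_values(ike_sa, "State")
    if not ike or any(s != "UP" for s in ike):
        findings.append("IKE SA not UP: check that port 500 is open, then retry the activation job")
    ipsec = column_values(ipsec_sa, "State")
    if not ipsec or any(s != "UP" for s in ipsec):
        findings.append("IPsec SA not UP: check that port 4500 is open, then retry the activation job")
    peers = bgp_peer_states(bgp_summary)
    if not peers:
        findings.append("no BGP peers listed: VRR peering is not configured or not reachable")
    for peer, state in peers.items():
        if state != "Establ":
            findings.append(f"BGP peer {peer} is {state}, not Establ: VRR peering not established")
    return findings


# Constructed sample outputs (simplified column layouts; the UUID is a placeholder).
SAMPLE_SET = ("set system services outbound-ssh client "
              "CSO-00000000-0000-0000-0000-000000000000 192.0.2.100 port 7804\n")
SAMPLE_IKE_UP = """Index   State  Initiator cookie  Responder cookie  Mode   Remote Address
1234567 UP     0123456789abcdef  fedcba9876543210  IKEv2  192.0.2.60
"""
SAMPLE_IPSEC_UP = """ID      State  Port  Gateway
131073  UP     4500  192.0.2.60
"""
SAMPLE_IPSEC_DOWN = "ID      State  Port  Gateway\n"   # header only: no tunnel came up
SAMPLE_BGP_UP = """Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.0.2.20            64512        412        409       0       0     3:02:11 Establ
  inet.0: 5/5/5/0
"""
SAMPLE_BGP_DOWN = """Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.0.2.20            64512          0          0       0       3        1:10 Active
"""

if __name__ == "__main__":
    for finding in diagnose("", SAMPLE_IKE_UP, SAMPLE_IPSEC_DOWN, SAMPLE_BGP_DOWN) or ["all checks passed"]:
        print(finding)
```

Paste each command's output into a file and feed the four files to diagnose(); an empty result means the stage-1 configuration, both tunnel SAs and the VRR peering all look healthy, and the remaining suspect is step 4, the OAM flow session itself.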

Manage Device—After CSO applies the configuration on the device, the status of the device changes to Managed.

If the status shows Pending after about 10 minutes, try the troubleshooting steps.

Go to the Jobs page (Monitor > Jobs), search for the ZTP job, and check the status.

Click the job-name link to view the tasks associated with the job and their status. You can drill down further by clicking the task-name link. If the status of the job or task is In Progress, wait until the job or task finishes. If the job failed, you can retry the job by selecting the job, and clicking the Retry Job button.

Table 5: Automatic Creation of Source NAT Rules

Autocreate Source NAT Rule

Translation

NAT Rules Creation

Disabled

Not applicable (No NAT)

None.

Enabled

Interface-Based (Default)—CSO creates interface-based NAT rules.

Source NAT rules are automatically created, with each rule from a department zone to the WAN interface, with a translation of type interface. Each pair of [zone - interface] represents a rule-set.

For example, the following department zone to (WAN link) W1 interface rule-set might be created:

Dept-Zone1 --> W1: Translation=Interface
Dept-Zone2 --> W1: Translation=Interface
Dept-Zone3 --> W1: Translation=Interface

When traffic from a branch site breaks out at an enterprise hub, a source NAT rule is automatically created at the enterprise hub from the department routing group (also referred to as VRF group) to the WAN interface.

Dept-vrf-group --> W1: Translation=Interface

Enabled

Pool-Based—CSO automatically creates pool-based NAT rules (Not applicable to sites with SD-WAN Essentials service).

Source NAT rules are automatically created, with each rule from a department zone to the WAN NAT pool with a translation of type pool.

For example, the following source NAT rules from department zones to the NAT pool might be created:

Dept-Zone1 --> W1 : Translation=Pool-1
Dept-Zone2 --> W1 : Translation=Pool-1

When traffic from a branch site breaks out at an enterprise hub, a source NAT rule is automatically created at the enterprise hub from the department routing group to the WAN pool.

Dept-vrf-group --> W1: Translation=Pool
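Table 5 describes the rule-sets as a product of department zones (plus, at an enterprise hub, the breakout VRF groups) and WAN links, with the translation type chosen once. The following model is an added example written for this page, not CSO code: it enumerates the rule-sets for each Autocreate setting and renders them as Junos source NAT set commands so the difference between interface-based and pool-based translation is visible. The rendering is an illustration of standard Junos source NAT syntax, not a claim about the exact configuration CSO generates; the interface name, rule-set names and pool address are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SourceNatRule:
    source: str        # a department zone, or the department VRF group for hub breakout
    source_kind: str   # "zone" or "routing-instance"
    wan: str           # WAN link label as CSO shows it (W1, W2, ...)
    translation: str   # "Interface", or the NAT pool name


def autocreate_source_nat(zones: Iterable[str], wan_links: Iterable[str], mode: str = "interface",
                          pool: Optional[str] = None,
                          breakout_vrf_groups: Iterable[str] = ()) -> List[SourceNatRule]:
    """Model Table 5: one rule-set per [department zone, WAN link] pair and, at an
    enterprise hub, one more per department VRF group whose branch traffic breaks out here."""
    if mode == "disabled":
        return []                               # Autocreate Source NAT Rule disabled: no NAT
    if mode == "interface":
        translation = "Interface"
    elif mode == "pool":
        if not pool:
            raise ValueError("pool-based translation needs a pool name")
        translation = pool
    else:
        raise ValueError(f"unknown mode {mode!r}")
    rules = []
    for wan in wan_links:
        for zone in zones:
            rules.append(SourceNatRule(zone, "zone", wan, translation))
        for vrf_group in breakout_vrf_groups:
            rules.append(SourceNatRule(vrf_group, "routing-instance", wan, translation))
    return rules


def render_junos(rules: List[SourceNatRule], wan_ifaces: Dict[str, str],
                 pool_addr: Optional[str] = None) -> List[str]:
    """Render the rule-sets as Junos set commands (illustrative, not CSO's own output).
    `wan_ifaces` maps the WAN label to the CPE interface, e.g. W1 -> ge-0/0/1.0."""
    lines = []
    pools = sorted({r.translation for r in rules if r.translation != "Interface"})
    if pools and not pool_addr:
        raise ValueError("pool-based rules need the pool address")
    for name in pools:
        lines.append(f"set security nat source pool {name} address {pool_addr}")
    for r in rules:
        base = f"set security nat source rule-set rs-{r.source}-{r.wan}".lower()
        lines.append(f"{base} from {r.source_kind} {r.source}")
        lines.append(f"{base} to interface {wan_ifaces[r.wan]}")
        lines.append(f"{base} rule r1 match source-address 0.0.0.0/0")
        then = "interface" if r.translation == "Interface" else f"pool {r.translation}"
        lines.append(f"{base} rule r1 then source-nat {then}")
    return lines


if __name__ == "__main__":
    # The interface-based example from Table 5, including the hub breakout rule.
    rules = autocreate_source_nat(["Dept-Zone1", "Dept-Zone2", "Dept-Zone3"], ["W1"],
                                  breakout_vrf_groups=["Dept-vrf-group"])
    for r in rules:
        print(f"{r.source} --> {r.wan}: Translation={r.translation}")
    print("\n".join(render_junos(rules, {"W1": "ge-0/0/1.0"})))
```

Note that `.lower()` in the base string also lowercases the rule-set name but not the zone or routing-instance name that follows, which keeps the department identifiers exactly as CSO names them.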

After the site is provisioned, you must perform Post-Provisioning Tasks for Enterprise Hub and SD-WAN Spoke Sites.