Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Add SD-WAN Branch Sites

An on-premise spoke (or a branch) represents an endpoint, like the customer premises equipment (CPE) device at a physical location, such as a branch office. Typically, these sites are connected using overlay connections to hub sites. Starting in CSO Release 6.0.0, in SD-WAN deployments, using hubs to connect sites is optional.

Note:

Before you add the SD-WAN branch sites, check the cable connections, review the NAT and firewall ports and protocols, and check the Junos OS version of the SD-WAN CPE device. For details, see Supported Devices for SD-WAN, and Ports and Protocols to Open.

To add branch sites with SD-WAN capability:

  1. Click Resources > Site Management.

    The Sites page appears.

  2. Click Add, and select Branch Site (Manual).

    The Add Branch Site wizard appears, displaying the General settings to be configured.

    Note:

    Fields marked with an asterisk (*) are mandatory.
  3. Configure the General settings as explained in Table 1, and click Next.

    You are taken to the WAN section of the workflow.

  4. Configure the WAN settings as explained in Table 2, and click Next.
    Note:

    In Release 6.1.0, CSO moves a site to the PROVISIONED state when at least one of the WAN links obtains the IP address and is activated.

    You are taken to the LAN section of the workflow.

  5. You can add LAN segments when you’re adding the site or after a site is provisioned. To add a LAN segment during the site addition workflow:
    1. Click the add (+) icon.

      The Create LAN Segment page appears.

    2. Configure the LAN segment settings as explained in Table 4.
    3. Click OK.

      You are returned to the LAN section of the workflow and the LAN segment that you added is displayed.

  6. Click Next.

    You are taken to the Summary section of the workflow.

  7. Review the configuration in the Summary section and, if required, modify the settings.
  8. Click Finish.

    • If you entered a serial number during activation and automatic activation is enabled, the Site Activation Progress page appears. The site activation process proceeds through the tasks explained in Table 4.

      Click OK to close the Site Activation Progress page.

      Note:

      If you don’t want to wait for the site activation to finish, you can close the Site Activation Progress page and monitor the status of the site activation from the Jobs page (Monitor > Jobs).

      The time taken for site activation varies depending on the device that CSO is activating.

    • If you did not enter a serial number or if automatic activation is disabled, you are returned to the Sites page. CSO triggers a job and displays a confirmation message with a job link. Click the link to view the status of the job.

      After the job is finished, CSO displays a confirmation message with a job link. The status of the site changes to CREATED and an Activate Site link is displayed. You must manually activate the site to finish the process. For more information, see Manually Activate a Site.

Tip:

After you add a site, you can modify (depending on the site status) certain parameters of the site. For more information, see Edit Site Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).
Table 1: General Information (Add [SD-WAN] Branch)

Field

Guideline

Site Information

  

Site Name

Enter a unique name for the site. The name can contain alphanumeric characters, and hyphens (-) and cannot exceed 32 characters.

Site Group

If you want the site to be part of a site group, select the site group. By default, None is selected, which means that the site doesn’t belong to any site group.

Site Capabilities

  

WAN Capabilities
Note:

Device Management, enabled by default, allows you to create a site with only device management capability (without any services) and add services later.

To add an SD-WAN capability for this site, choose one of the following SD-WAN service types:

  • Secure SD-WAN Essentials—(Available for tenants with SD-WAN Essentials or Advanced service level) Provides basic SD-WAN services. This service is ideal for small enterprises looking for managing simple WAN connectivity with comprehensive NGFW security services at the branch sites, using link-based application steering. This service supports features such as intent-based firewall policies, WAN link management and control, and site to site communication through MPLS or internet links. The SD-WAN Essentials service does not support multihoming, dynamic mesh tunnels, cloud breakout profiles, SLA-based steering profiles, pool based source NAT rules, IPv6, MAP-E, or underlay BGP.

  • Secure SD-WAN Advanced—(Available for tenants with SD-WAN Advanced service level) Provides complete SD-WAN services. This service is ideal for enterprises with one or more data centers, requiring flexible topologies and dynamic application steering. You can establish site-to-site connectivity by using a hub in a hub-and-spoke topology or through static or dynamic full mesh VPN tunnels. Enterprise wide intent based SD-WAN policies and service-level agreement (SLA) measurements allow to differentiate and dynamically route traffic for different applications.

Address and Contact Information

Enter the address of the branch site and contact information in the fields provided. Although it is not mandatory, providing an address lets you visualize where the site is located on the geographical map on the Monitor Overview page.

Advanced Configuration

For the DNS and NTP servers, you can either use the defaults or specify DNS and NTP servers.

Domain Name Server

Specify one or more IPv4 or IPv6, or both IPv4 and IPv6 addresses of the DNS server. To specify more than one DNS server address, type the address, press Enter, and then type the next address, and so on.

NTP Server

If needed, specify the IP addresses of one or more NTP servers.

Select Timezone

Select a time zone for the site.
Table 2: Device (Add Branch Site)

Field

Guideline

Device Series

Select the device series of the CPE device; for example, SRX.

Based on the device series that you selected, the supported device templates are displayed.

Ensure that you select the correct device template from the carousel.

For example, for an SRX300 device, select SRX as SD-WAN CPE (or a modified version of that template) as the device template.

Device Information
Note:

If you selected a dual CPE template, additional fields are displayed. For more information, see Creating On-Premise Sites in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Serial Number

If you want CSO to proceed with the site activation immediately after you complete the site addition workflow, enter the serial number. If the serial number that you entered is already present in the system, CSO displays an error message. If the serial number is not present, then CSO displays a green check mark.

If you want CSO to only model the site, leave this field blank. If you don’t enter a serial number, you must manually activate the site later.

Device Root Password

The default root password is fetched from the ENC _ROOT_PASSWORD field in the device template. You can retain the password or change it by entering a password in plain-text format. The password is encrypted and stored on the device

Zero Touch Provisioning

Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default.

Note:

By default, this button is disabled for vSRX. You can enable this button, if the Junos OS version running on vSRX supports phone-home client.

If ZTP is disabled, you must manually copy the stage-1 configuration (generated automatically by CSO) to the device and commit the configuration on the device.

If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the device is upgraded to the image that you select for the Boot Image.

Is Cluster Already Formed?
Note:

This field is available only for SRX dual CPE devices.

Click the toggle button to specify whether the SRX cluster has been manually formed (Yes) or not (No).

Cluster ID
Note:

This field is available only for SRX dual CPE devices.

If the SRX cluster hasn’t been formed manually, specify a unique ID for the cluster.

Range: 1 through 15

If you’ve enabled ZTP for the site, the cluster is automatically formed when the site is activated. If you’ve disabled ZTP, the following processes are displayed on the Site Activation Progress page (that appears after you’ve added the branch site):

  1. After CSO models the site (that is, after the Model Site process completes successfully), click the Click to copy pre script link, which appears next to the Pre Script process.

  2. Execute the commands as directed.

    After the Pre Script process completes successfully, the SRX cluster is formed and the recovery.conf file is saved on the cluster. In case you want to delete the site later, you’ll need this file to remove the stage-1 configuration and other configurations pushed to the device by CSO.

  3. Manually configure the stage-1 configuration (generated automatically by CSO) to the primary device in the cluster and commit the configuration on the device.

After the cluster is detected, CSO executes the bootstrap and provisioning processes and completes provisioning the cluster.

Auto Activate

Click the toggle button to specify whether the site activation requires an activation code or not:

  • Enabled—The site is activated automatically without an activation code. This is the default setting.

  • Disabled—The site activation proceeds only after you enter an activation code. If you choose this setting, enter the activation code (in the Activation Code field) that must be entered to activate the device.

Boot Image

If you want to upgrade the branch device with the latest supported Junos OS version, select the boot image from the list. The boot image is used to upgrade the device when CSO starts the ZTP process.

If you don't specify a boot image, which is the default selection (Use Image on Device) in the list, then CSO skips the procedure to upgrade the device during ZTP.

Hub Configuration
Note:

Hub selection is optional for both SD-WAN Advanced and Essentials sites. SD-WAN Essentials sites do not support multihoming, that is, you cannot select a secondary hub for SD-WAN Essentials branch sites.

For sites with SD-WAN Advanced service, you must specify at least one hub to which the branch site must connect (in the Primary Provider Hub, Secondary Provider Hub,Primary Enterprise Hub, and Secondary Enterprise Hub fields). The combinations supported are listed in Table 3.

Use Mesh Tags to connect EHub

This toggle button is enabled by default. If this button is enabled, CSO uses mesh tags to automatically form the overlay tunnel between the site and the enterprise hubs.

Disable this toggle button if you want to manually create static tunnel (per WAN link) between the branch site and the enterprise hubs. If you disable this option, you must manually enable at least one WAN link to connect to the enterprise hub by using the Connects to Enterprise Hubs toggle button in the Advanced Settings of the WAN link.

WAN Links

You can configure a maximum of four WAN links and must configure at least one WAN link.

WAN_0 (WAN-Interface-Name)

The first WAN link is enabled by default.

Note:

Fields marked with an asterisk (*) must be configured to proceed.

Link Type

Select the type of link (MPLS or Internet) for the WAN link.

For the first WAN link, we recommend that you use the default (Internet) for the underlay network type to ensure reachability to the redirect server.

Access Type

Select the access type for the underlay link. Starting in CSO Release 6.3.0, you can select LTE for SRX300 Series dual CPE devices.

You can select LTE access type only for one WAN link.

You can select ADSL or VDSL access type only for two WAN links.

Note:

  • You can select the LTE, ADSL, or VDSL access type only for one WAN link.

  • You cannot configure:

    • LTE as the access type if you are using the dual NFX device templates.

    • ADSL or VDSL as the access type if you are using the dual SRX, or the single or dual NFX device templates.

    Ethernet is configured as the access type for the underlay link.

  • SRX300 does not support LTE and ADSL access types.

  • On SRX300 Series devices (except SRX300 devices) and NFX150 devices, the LTE WAN link is supported through a SIM card that is inserted in the SIM slot of the Mini-Physical Interface Module (Mini-PIM).

    On NFX250 devices, the LTE WAN link is supported through a USB dongle (Vodafone K5160 dongle) that is plugged into the USB port of the CPE device.

  • LTE is supported on MPLS links only if there is no NAT in the end-to-end path.

CSO supports the following combination of MPLS tunnels (with ADSL or VDSL access types) for a branch device:

  • From the branch site (with an ADSL or VDSL access type) to an enterprise hub, provider hub, or a branch site (with Ethernet link).

  • From the branch site (with an ADSL or VDSL access type) to another branch site (with an ADSL or VDSL link).

CSO does not support site-to-site DVPN tunnels over LTE in dual CPE deployments. Tunnels are formed if the sites have matching mesh tags; however, the tunnels might not come up.

CSO does not support PPP over LTE in dual CPE deployments.
Link Redundancy

In SRX300 Series dual CPE deployments, the LTE Mini-PIM can be installed on either a single node (node 0 or node1) or both nodes (represented as a single WAN link on CSO).

If the LTE Mini-PIM is installed in only one node, then this option is not applicable and must be disabled. Configure the corresponding WAN link (WAN_0 or WAN_2 for node 0 and WAN_1 or WAN_3 for node 1) as an LTE WAN link.

Enable the toggle button if the LTE Mini-PIM is installed in both the nodes. However, as the LTE link operates in active/backup mode in dual CPE deployments, only one link is active at a time. If you prefer to have the active link on node 0, then configure either the WAN_0 or WAN_2 link as an LTE WAN link. Similarly, to have the active link on node 1, configure either the WAN_1 or WAN_3 link.

Note:

Before configuring an LTE WAN link, you must update the device template with the slots in which the LTE Mini-PIM is installed.

The following table summarizes the information provided above:

Node 0 Node 1 LTE Redundancy WAN Link
LTE Mini-PIM installed LTE Mini-PIM installed Enable
  • WAN_0 or WAN_2 (if you prefer to have the active LTE link on node 0)
  • WAN_1 or WAN_3 (if you prefer to have the active LTE link on node 1)
LTE Mini-PIM installed LTE Mini-PIM not installed Disable WAN_0 or WAN_2
LTE Mini-PIM not installed LTE Mini-PIM installed Disable WAN_1 or WAN_3
Note:

You cannot edit the Link Redundancy option for an existing LTE WAN link. To change the Link Redundancy setting, you must delete the WAN link and reconfigure it.

WAN Link (Node 0 or Node 1)

Displays the node to which the WAN link belongs. WAN_0 and WAN_2 belong to node 0 whereas WAN_1 and WAN_3 belong to node 1.

PPPoE/PPP

This field is displayed only for Internet links with Ethernet, ADSL, or VDSL access type, and for MPLS links with Ethernet or LTE access types.

Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol [PPP] over Ethernet) or PPP. By default, this toggle button is disabled.

PPPoE works with Ethernet, ADSL, and VDSL access types while PPP works with the LTE access type.

If you’ve enabled this toggle button, you must specify the authentication parameters in the PPPoE/PPP Settings section of the page.You can enable PPPoE or PPP per WAN link.

ADSL/VDSL SFP Annex

Applicable only to MPLS or Internet links with ADSL or VDSL access types.

Click the toggle button to enable the Annex J support through an xDSL SFP module. Annex J is specified in ITU-T recommendations G.992.3 and G.992.5.

If you keep this option disabled, you must use a Mini-PIM module for connectivity.

You can enable or disable this option only on new WAN links being added to a site. You cannot enable or disable this option for the existing WAN links by using the site edit workflow.

You can enable this option along with other parameters such as PPoE, static IP address (IPv4/IPv6), DHCP, and VLAN ID.

Egress Bandwidth

This field is not available when you configure LTE as the access type.

Enter the maximum egress bandwidth (in Mbps) allowed for the WAN link.

Underlay Address Families

IPv4

Click the toggle button to enable or disable IPv4 address assignment for the WAN link. By default, IPv4 address assignment is enabled for the WAN link.

The WAN link requires an IPv4 address to connect to an IPv4 network.

Address Assignment Method

This field is not available if you’ve enabled PPPoE/PPP. For LTE access type, only DHCP is available as the address assignment method.

Select the method of assigning an IPv4 address to the WAN link—DHCP (Dynamic Host Configuration Protocol) or STATIC.

  • If you select DHCP, the IP address is provided by using the DHCP server of the WAN link’s service provider.

  • If you select STATIC, you must provide the IPv4 address prefix and the gateway IPv4 address for the WAN link.

Static IP Prefix

If you’ve configured the address assignment method as STATIC, enter the IPv4 address prefix of the WAN link.

Gateway IP Address

If you’ve configured the address assignment method as STATIC, enter the IPv4 address of the gateway of the WAN service provider.
MTU

Applicable only to IPv4 addresses.

Enter the maximum transmission unit (MTU) size for the media or protocol. The supported MTU range can vary depending on the device, interface type, network topology, and other individual requirements. See also: MTU Default and Maximum Values and LTE Mini Physical Interface Modules (LTE Mini-PIM).

Editing the MTU values of all the OAM-enabled WAN links of a site at the same time might result in tunnel flapping. You must ensure that at least one OAM-enabled WAN link always remains undisrupted for a site. For example, if you have a site with four WAN links (including two links that support OAM traffic), you can edit the MTU values of all the WAN links except one OAM-enabled link at the same time. After the edit is complete and the changes are saved, you can edit the site again and update the remaining WAN link.

Note:

If you enable the PPPoE/PPP option under a WAN link, the MTU option is displayed under the PPPoE/PPP Settings section for that link.

IPv6

Click the toggle button to enable or disable IPv6 address assignment for the WAN link. By default, IPv6 address assignment is disabled for the WAN link.

The WAN link requires an IPv6 address to connect to an IPv6 network.

Note:

  • IPv6 address assignment is supported only for sites with Secure SD-WAN Advanced service.

  • You cannot enable IPv6 address assignment for NFX250 devices.

Address Assignment Method

Select the method of assigning an IPv6 address to the WAN link—DHCP (Dynamic Host Configuration Protocol), STATIC, or SLAAC (Stateless Address Auto Configuration).

If you select STATIC, you must provide the IPv6 address prefix and the gateway IPv6 address for the WAN link.

Static IP Prefix

If you’ve configured the address assignment method as STATIC, enter the IPv6 address prefix of the WAN link.

Gateway IP Address

If you’ve configured the address assignment method as STATIC, enter the IPv6 address of the gateway of the WAN service provider.

Access Point Name (APN)

This field can be configured only for MPLS links with LTE access type and PPPoE/PPP enabled. For MPLS links with LTE as the access type and PPPoE/PPP disabled, CSO uses the default APN settings that the CPE device is shipped with.

The access point name (APN) determines the Packet Data Network Gateway (P-GW) that the CPE device must use to connect to the Packet Data Network (PDN) such as Internet. All CPE devices are shipped with default APN settings. However, if you choose to use a private APN with the current LTE service provider or to use a different LTE service provider, enter the APN for the CPE device (as specified by the service provider) in this field.

Advanced Settings

  

Address Family (Tunnel Creation)

Select the underlay address family (IPv4 or IPv6) that is used to establish the overlay tunnel. The options on the list are populated based on the address family that you’ve configured for the underlay (either IPv4 or IPv6, or both).

Provider

Enter the name of the WAN link’s service provider.

Cost/Month

Leave this as the default because this field is currently not used in CSO.

Enable Local Breakout

Click the toggle button to enable the WAN link to be used for local breakout. The toggle button is disabled by default, which means that the WAN link cannot be used for local breakout.

Local breakout is an SD-WAN feature that enables Internet links to break out traffic directly from a site. For example, if you want to provide guests who visit your enterprise with Internet access, you can use local breakout to break out guest traffic locally from the site directly to the Internet.

Note:

  • If you enable local breakout, this only means that the WAN link can be used for local breakout. To enable traffic to break out from the site, you must also configure a breakout profile, reference that profile in an SD-WAN policy intent, and deploy the SD-WAN policy.

  • If you do not enable local breakout on at least one WAN link for a single CPE site and at least two WAN links for a dual CPE site, then local breakout is disabled for the site.

If you enable local breakout, additional fields appear.

Breakout Options

This field is displayed only if local breakout is enabled for the WAN link.

Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

MAP-E

Click the toggle button to enable or disable the Mapping of Address and Port with Encapsulation (MAP-E) functionality on the IPv6 WAN link. By default, MAP-E is disabled.

MAP-E supports transporting IPv4 packets across an IPv6 network by using IPv4-in-IPv6 encapsulation.

For more information on MAP-E, see Mapping of Address and Port with Encapsulation on NFX Series Devices.

Note:

  • MAP-E is compliant only with the Japan Network Enabler (JPNE) standards.

  • CSO supports MAP-E only on one WAN link of the branch site (Secure SD-WAN Advanced service only) with NFX150 as the CPE. IPV6 address assignment and local breakout must be enabled for the WAN link.

Autocreate Source NAT Rule
Note:

Sites with Secure SD-WAN Essentials service support interface-based source NAT rules only. If you enable this options for an SD-WAN Essentials site, interface-based source NAT rules are automatically applied. If you enable this options for an SD-WAN Advanced site, you must select a source NAT rule from the Translation field.

This field is displayed only if IPv4 address assignment and local breakout are enabled for the WAN link.

When you enable local breakout on a link, this setting is enabled by default, which triggers automatic creation of source NAT rules for the site.

You can click the toggle button to disable the automatic creation of source NAT rules. If you disable this field, then you must manually add a source NAT rule for local breakout and deploy the NAT policy on the site.

Note:

If NAT is not enforced by a separate device in your network (for example, an Internet gateway firewall), then we recommend that you enable this setting because it allows CSO to automatically create a NAT policy for the site.

Translation

This field is displayed only if the automatic creation of source NAT rules is enabled for the WAN link, and the SD-WAN service used is Advanced. Sites with Secure SD-WAN Essentials service support interface-based source NAT rules only.

Select the type of NAT to use for the traffic on the WAN link:

  • Interface—Use interface-based NAT, which is the default setting.

  • Pool—Use pool-based NAT. If you select this option, you must specify the IP addresses that are to be used for the NAT pool.

IP Addresses

For pool-based NAT, enter one or more IP addresses, subnets, or an IP address range. Separate multiple IP addresses by using commas and use a hyphen to denote a range; for example, 192.0.2.1-192.0.2.50.

Note:

No NAT is performed for tenant-owned public IP addresses that were added during the tenant addition workflow.

Preferred Breakout Link

if the WAN link is enabled for local breakout, click the toggle button to enable the WAN link as the most preferred breakout link.

If you disable this option, then the breakout link is chosen using ECMP (equal-cost multipath) from the available breakout links.

BGP Underlay Options
Note:

Not applicable to sites with SD-WAN Essentials service.
Note:

BGP underlay routing is typically used by service providers, and can be configured only if IPv4 address assignment (with STATIC as the address assignment method) and local breakout are enabled for the WAN link.

Click the toggle button to enable BGP underlay routing.

When you enable BGP underlay routing, route advertisements to the primary Provider Edge (PE) node and, if configured, the secondary PE node occur as follows:

  • CSO advertises the WAN interface subnet.

  • If you configured pool-based translation, CSO advertises the NAT address pool.

Note:

If underlay BGP is enabled for a WAN link, then the routes learnt from BGP are installed for local breakout; CSO does not generate the static default route.

Primary Neighbor

Displays the IP address that you entered for the gateway for the WAN link.

Secondary Neighbor

If you want to provide PE resiliency, you can configure a secondary PE node.

Enter the IP address of the secondary PE node.

Note:

If the primary PE node goes down, then the secondary PE is used as the next hop. When the primary PE comes back up, the route next hops are changed to the primary PE.

eBGP Peer-AS-Number

Enter the autonomous system (AS) number for the external (EBGP) peer.

Note:

If the peer AS number is not configured or the peer AS number that is configured is the same as that of the CPE site, then the BGP type is assumed to be internal BGP (IBGP).

Local AS Number

Enter the local AS number for the WAN link. When you configure this parameter, the local AS number is used for eBGP peering instead of the global AS number configured for the device.

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

Advertise Public LAN Prefixes

Click the toggle button to enable the advertisement of public LAN prefixes. This field is disabled by default.

If the tenant has a public IP address pool configured and you enable the advertisement of public LAN prefixes, then for LAN segments that are created with a subnet that falls under the tenant public IP address pool, CSO advertises the LAN subnet to the BGP underlay.

Note:

When public LAN advertisement is enabled for the WAN link, public LAN prefixes are advertised through the BGP underlay towards MPLS or the Internet.

Use for Fullmesh

Click the toggle button to enable the WAN link to be part of a full mesh topology.

Note:

Sites with SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or the Tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

Configure the two additional fields that appear:

Mesh Overlay Link Type

If the WAN link is enabled for full mesh, select the type of encapsulation to be used for the overlay tunnels in the full mesh topology:

Note:

For links with public IP addresses, we recommend that you use GRE over IPsec as the mesh overlay link type.

  • GRE_IPSEC—Use GRE over IPsec.

  • GRE—Use GRE. This option is available only for MPLS links.

Note:

If you’ve enabled IPv6 address assignment for the WAN links, you can select only GRE-IPSEC as the type of mesh overlay link.

Mesh Tag

If the WAN link is enabled for full mesh, select the mesh tag for the WAN link.

Note:

The tunnels between two branch sites or an branch site and an enterprise hub site are added based on matching mesh tags. So, if you want meshing to take place between such sites, the mesh tags must be the same for both sites.

For more information about mesh tags, see Mesh Tags Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Connects to Enterprise Hubs

This field is displayed only if you have enabled the Use Mesh Tags to Connect EHub field in the Hub Configuration section.

Enable this toggle button if you want to manually connect the site to an enterprise hub, without using mesh tags.

Primary EHub Tunnel Type

This field is displayed only if you have enabled the Connects to Enterprise Hubs field.

Select the tunnel type to be used for the connection between the branch site and the primary enterprise hub.

Primary EHub Peer Device

This field is displayed only if you have enabled the Connects to Enterprise Hubs field.

Displays the name of the primary enterprise hub you have selected.

Primary Ehub Peer Interface

This field is displayed only if you have enabled the Connects to Enterprise Hubs field.

Select the primary enterprise hub WAN link that needs to be part of the tunnel. You can select multiple WAN links.

Secondary EHub Tunnel Type

This field is displayed only if you have enabled the Connects to Enterprise Hubs field.

Select the tunnel type to be used for the connection between the branch site and the secondary enterprise hub.

Secondary EHub Peer Device

This field is displayed only if you have enabled the Connects to Enterprise Hubs field.

Displays the name of the secondary enterprise hub you have selected.

Secondary Ehub Peer Interface

This field is displayed only if you have enabled the Connects to Enterprise Hubs field.

Select the secondary enterprise hub WAN link that needs to be part of the tunnel. You can select multiple WAN links.

Use for OAM traffic
Note:

The Connects to Hubs field is available only if you have selected a provider hub.

Click the toggle button to enable the use of the WAN link for OAM traffic. The WAN link is then used to establish an OAM tunnel for communication between the enterprise hub site and CSO.

You must configure at least one WAN link to be used for OAM traffic. To ensure redundancy, we recommend that you configure at least two WAN links that can be used for OAM traffic. In addition, for added management redundancy, use two links with different transport paths.

Backup Link

Select a backup link through which traffic can be routed when the primary (other) links are unavailable. You can select any link other than the default links or links that are configured exclusively for local breakout traffic.

When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, SLA data is not monitored for the backup link.

Default Link

Select one or more links that will be used for routing traffic in the absence of matching SD-WAN policy intents. A site can have multiple default links to the hub site.

Default links are used primarily for overlay traffic but can also be used for local breakout traffic. However, a default link cannot be used exclusively for local breakout traffic. If you do not specify a default link, then ECMP is used to choose the link on which to route traffic.

Data VLAN ID

Enter a VLAN ID for the WAN link.

Range: 0 through 4049 (4050 to 4094 is reserved by CSO).

Note:

  • If you are configuring more than one WAN link on the same physical interface, only one WAN link can be untagged; for the remaining WAN links, you must configure a VLAN ID.

  • A combination of tagged and untagged on the same physical interface is supported only for single CPE devices.

WAN_1 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields

WAN_2 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields

WAN_3 (WAN-Interface-Name)

Click the toggle button to enable or disable (default) the WAN link.

When you enable the WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured to proceed.

Refer to the fields described for WAN_0 (WAN-Interface-Name) for an explanation of the fields

Advanced Configuration

Note:

Sites with SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

OAM IP Prefix

We recommend that you do not configure this setting (leave the IP Prefix field blank) because management connectivity is handled automatically by CSO.

Traffic Volume Metrics

Choose a method to compute the SD-WAN traffic volume on the WAN links of the site. CSO uses this data to provide a graphical representation of the WAN traffic volume on the Site Details page.

  • Session-Based—Computes and reports the session-based traffic volume on the site's WAN links, at the closure of each session. This is the default method.
  • Time-Based—Computes and reports the traffic volume at periodic intervals during a session.

DVPN Threshold for Tunnel Creation

Specify the threshold for the number of sessions (flows) closed (in a two-minute duration) between the branch site and a destination site. When the number of sessions closed exceeds the specified threshold, a tunnel is created between the branch site and the destination site.

For example, if you specify a threshold of as 7, dynamic mesh tunnels are created if the number of sessions closed (in two minutes) between the branch site and destination site exceeds 7.

DVPN Threshold for Tunnel Deletion

Specify the threshold for the number of sessions closed (in a 15-minute duration) between the branch site and a destination site. When the number of sessions closed is lower than the specified threshold, the tunnel between the branch site and destination site is deleted.

For example, if you specify the number of sessions closed as 5, dynamic mesh tunnels between the branch site and destination site are deleted if the number of sessions closed (in a 15-minute duration) is lesser than or equal to 5.

Configuration Templates (Optional)

If you want to deploy additional configuration during the ZTP process, you can select one or more configuration templates and set the parameters for each template.

Configuration Templates List

For each configuration template that you select

  1. Select one or more configuration templates from the list that you want to deploy on the device during ZTP.

  2. Click Set Parameters.

    The Device Configurations page appears. The names and configuration parameters of the configuration templates that you selected are displayed in the Configure tab.

  3. For each configuration template, enter values for the parameters.

  4. (Optional) Click the Summary tab to view the Junos OS configuration commands that will be deployed on the device for the different configuration templates.

  5. Click Save.

    You are returned to the WAN tab. The Junos OS configuration commands will be deployed on the device during the ZTP process.
Table 3: Supported Combinations of Provider and Enterprise Hubs

Provider Hubs Specified

Enterprise Hubs Specified

Primary

None

Primary

Primary

Primary

Primary and Secondary

Primary and Secondary

None

Primary and Secondary

Primary

Primary and Secondary

Primary and Secondary

None

Primary

None

Primary and Secondary
Table 4: Fields on the Add LAN Segment page (Add Branch Spoke)

Field

Description

Use for Overlay VPN

Enable the Use for Overlay VPN field to associate the LAN segment with the selected department (VRF + ZONE) for overlay traffic to other sites.

Disable the Use for Overlay VPN field to associate the LAN segment with a security zone for underlay breakout. You must define zone-based security policies.

Note:

When adding a new site, this field is enabled by default and cannot be modified. However, when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page, you can enable or disable this option.

Name

Enter a name for the LAN segment.

The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length allowed is 15 characters.

CPE Port
Note:

Applicable to SRX Series devices.

Select the CPE port to be added in the LAN segment.

When you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page, you can select (or create) a LAG interface or a redundant Ethernet (reth) interface (for dual CPE cluster) to connect the SRX Series CPE devices to an EX series switch.

To use the et interface on SRX4600 devices, you must create a LAG interface and configure the et interface as a member of the LAG (aggregated Ethernet or ae) interface. See Create LAG Interface.

For an SRX4600 dual CPE cluster, you can use the et interface if it is configured as a member of the redundant Ethernet (reth) interface.

Add LAG Interface
Note:

This option is available when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page.

Click the link to create a LAG interface (ae interface) if you want to use it to connect the SRX Series CPE to the EX Series switch. See Create LAG Interface for details.

Create RETH Interface
Note:

This option is available when you add a new LAN Segment to a provisioned site from the LAN tab of the Site-Name page.

Click the link to create a reth interface for an SD-WAN site with a dual CPE cluster. See Create a RETH Interface for details.

Type

Note:

This field is displayed only for LAN segments associated with enterprise hub sites.

Select the type of LAN segment:

  • Directly Connected (default)—Indicates that the LAN segment is directly connected to the site.

  • Dynamic Routed—Indicates that the LAN segment is not directly connected to the site and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.

VLAN ID

Enter the VLAN ID for the LAN segment. By default, VLAN ID is set to 1 and native VLAN is enabled for untagged traffic.

Range: 1 to 4049 .

Use for Native VLAN

Enable this option to use the VLAN ID specified above for untagged traffic. The CPE interface is configured with a native-vlan-id, which has the same value as the VLAN ID.

Department
Note:

This field is available only if the Use for Overlay VPN field is enabled.

Select a department to which the LAN segment is assigned.

Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Add a Department for details.

You can group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department.

Gateway Address/Mask

Enter a valid gateway IP address and mask for the LAN segment. This address will be the default gateway for endpoints in this LAN segment.

For example: 192.0.2.8/24.

Zone
Note:

This field is available only if the Use for Overlay VPN field is disabled.

Select a security zone to be associated with this LAN segment. Alternatively click Create Zone to create a new security zone and assign that to this LAN segment. See Adding a Security Zone for details.

DHCP

For directly connected LAN segments, click the toggle button to enable DHCP.

You can enable DHCP if you want to assign IP addresses by using a DHCP server or disable DHCP if you want to assign a static IP address to the LAN segment.

Note:

If you enable DHCP, additional fields appear on the page.

Additional fields related to DHCP

Address Range Low

Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Address Range High

Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment.

Maximum Lease Time

Specify the maximum duration (in seconds) for which a client can request for and hold a lease on the DHCP server.

Default: 1440

Range: 0 through 4,294,967,295 seconds.

Name Server

Specify one or more IPv4 addresses of the DNS server.

To enter more than one DNS server address, type the address, press Enter, and then type the next address.

Note:

DNS servers are used to resolve hostnames into IP addresses.

CPE Ports
Note:

Applicable to NFX150 and NFX250 devices.

For sites with SD-WAN capability, the CPE Ports field is disabled and the CPE ports that you can include in the LAN segment are listed.

Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

Static Routing

Use this section to configure static routing on the LAN segment. Provide the IP addresses of all the LAN routers connected to the CPE device and the static subnets behind these routers.

Add LAN Router IP Prefix

LAN Router IP

Enter the IP address of the LAN router that is connected to the CPE device.

Prefix

Enter the subnets that are connected to the LAN router.

BFD

Enable Bidirectional Forwarding Detection (BFD) to detect any failures on the static route.

Dynamic Routing

Routing Protocol

Enable this toggle button to configure dynamic routing using the BGP or OSPF protocol.

BFD

Enable Bidirectional Forwarding Detection (BFD) to detect any failures in the LAN segment.

Protocol

Select either BGP or OSPF.

BGP Configuration

Note:

Starting in Release 6.1.0, CSO explicitly disables the long-lived graceful restart (LLGR) capability for BGP peering sessions with provider edge (PE) and data center or LAN routers. Disabling LLGR ensures that the CPE does not differentiate the route advertisements to the peering router irrespective of the peering router’s LLGR capability.

Prior to CSO Release 6.1.0, LLGR helper mode is enabled by default (implicit behavior of Junos OS) on the CPE for BGP peering towards PE router in IP VPN deployments, and data center or LAN routers in data center deployments.

Authentication

Select the BGP route authentication method to be used:

  • None—Indicates that no authentication should be used. This is the default.

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.

BGP Options

You can select the following options based on your requirements:

  • AS-OVERRIDE: Replaces all occurrences of the peer AS number in the AS path with its own AS number before advertising the route to the peer.

  • AS-PATH-PREPEND: Prepends one or more autonomous system (AS) numbers at the beginning of an AS path. Prepending an AS path makes a shorter AS path look longer and therefore it becomes less preferable to BGP.

  • AS-LOOP: Allows the local device’s AS number to be added in the received AS paths. You can specify the number of times the detection of local AS is allowed in the AS path.

Loop Count

This field is displayed only if you select AS-LOOP.

Enter the maximum number of times the detection of local AS is allowed in the AS path.

Peer IP Address

Enter the IP address of the LAN BGP peer.

Peer AS Number

Enter the autonomous system (AS) number of the LAN BGP peer. By default, CSO uses the AS number 64512. You can enter a different AS number.

Local AS Number

Enter the local AS number. When you configure this parameter, the local AS number is used for BGP peering instead of the global AS number configured for the CPE.

OSPF Configuration

OSPF Area ID

Specify the OSPF area identifier to be used for the dynamic route.

Authentication

Select the OSPF route authentication method to be used:

  • Password—Indicates that password-based authentication should be used. If you choose this option, you must specify the password. (This is the default).

  • Use MD5—Indicates that MD5 is to be used for authentication. If you choose this option, you must specify an authentication key.

  • None—Indicates that no authentication should be used.

Password

Enter the password to be used to verify the authenticity of OSPF packets.

Confirm Password

Retype the password for confirmation purposes.

MD5 Auth Key ID

If you specified that MD5 should be used for authentication, enter the OSPF MD5 authentication key ID.

Range: 1 through 255.

Auth Key

If you specified that MD5 should be used for authentication, enter an MD5 authentication key, which is used to verify the authenticity of OSPF packets.

Route Advertisement Control

LAN Route(s) to Overlay

When this option is enabled, LAN routes are advertised to the remote CPEs. By default, this option is enabled.

Starting in CSO Release 6.2.0, you can configure export policies in conjunction with the LAN Route(s) to Overlay option for more granular control over routes that are advertised to the overlay network. For example, when the LAN Route(s) to Overlay option is enabled, you can configure policies to prevent specific routes from being advertised. Similarly, when the LAN Route(s) to Overlay option is disabled, you can configure policies to allow only specific routes to be advertised.

Overlay Route(s) to LAN

This option is displayed only if you enable the Routing Protocol toggle button. By default, this option is disabled.

Enable this option to advertise the remote CPE routes received in a department to the LAN router.

Note:

In CSO Release 6.0.0 and earlier releases, this option is called Advertise LAN Prefix and is applicable only for data center departments.

Starting in CSO Release 6.2.0, you can use the following policies for granular control of the route advertisements:
  • Import policies for granular control of the routes that a CPE device accepts from the list of routes advertised by the LAN router.
  • Export policies for granular control of the routes that a CPE device advertises to the LAN router.

Static/Aggr Routes to Overlay

Enable this option to allow advertisement of static or aggregate routes to the overlay network.

  • If a large number of LAN routes are present, then you can disable the LAN Route(s) to Overlay option and use this option to advertise aggregate routes.

  • If you want to advertise additional routes, then you can enable the LAN Route(s) to Overlay option and use this option to advertise additional static routes.

See Post-Provisioning Tasks for Enterprise Hub and SD-WAN Spoke Sites.