Networking and Automation


Juniper SD-WAN: Basic overview of CSO (Contrail Service Orchestration)

At the time of writing this post, Juniper has released CSO version 5.3.

The Juniper SD-WAN solution runs on:

  • NFX Series Network Services Platforms
  • MX Series Routers
  • SRX Series Services Gateways, along with the vSRX Virtual Firewall

[Figure: Basic Concept (source: juniper.net)]

The end devices that participate in the solution are called sites. Do not confuse this with a site as a collection of multiple devices: in CSO, a site is a single device.

The main types are:

  • Provider Hub
  • Enterprise Hub
  • Spoke Site

The WAN side of the end devices is built as hub-and-spoke by default and can also operate as a dynamic mesh. In the hub-and-spoke topology each end device builds overlay IPsec tunnels to the Enterprise/Provider Hubs for management and data traffic. There are also Dynamic VPN Tunnels, which are built directly between two spokes once a minimum threshold of sessions between them is met. The CPE devices use at least one, and up to four, WAN interfaces as connection paths. CSO lets you give preference to one WAN path over another through Traffic Steering or Breakout Profiles. Each path can have a service level agreement (SLA) profile applied, which monitors jitter, latency and congestion and is evaluated together with the path preference. For example, if one of the paths fails, traffic is automatically re-routed through another path.

The LAN side of the spoke sites can host multiple separate departments (VRFs) on multiple LAN ports. Their traffic is securely segregated across the IPsec tunnels.

What is the difference between Provider and Enterprise Hubs?

First we must understand how CSO segregates the devices. It uses scopes:

  • Global. It can hold Provider Hubs and end devices. Provider Hubs defined here can serve all of the scopes.
  • Operating Company (OpCo), contained within the Global scope. It can hold Provider Hubs and end devices. Provider Hubs defined here can serve the OpCo they are defined in and its Tenants.
  • Tenant, contained within an OpCo, which in turn is part of the Global scope. It can hold Enterprise/Provider Hubs and end devices. Provider Hubs are only linked here; they are defined in the previous two scopes. Enterprise Hubs are defined within the Tenant and serve that Tenant only.

All of the above depends on the solution type you have purchased: CSO can be set up on-prem or hosted in Juniper's cloud. On-prem has all three scopes and you are in charge of the whole solution. The cloud version, however, does not expose the Global scope, as it is under the management of Juniper. Each OpCo is built by Juniper, initiated by the license activation per OpCo. Your own Provider Hubs can then no longer be shared between OpCos; they are contained within an OpCo/Tenant.
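The scope rules above decide which hubs may ever carry a Tenant's traffic, so they are worth checking before a deployment is designed. The following is an added example (not Juniper or CSO code) that models the Global/OpCo/Tenant hierarchy as described here and answers two questions: which hubs can serve a given Tenant, and which hub definitions are invalid for a deployment type; the OpCo, Tenant and hub names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Tenant:
    name: str
    opco: str            # the OpCo this Tenant belongs to

@dataclass(frozen=True)
class Hub:
    name: str
    kind: str            # "provider" or "enterprise"
    scope: str           # scope the hub is defined in: "global", "opco" or "tenant"
    owner: Optional[str] # OpCo name for opco scope, Tenant name for tenant scope

def hub_can_serve(hub: Hub, tenant: Tenant) -> bool:
    """Apply the scope rules: may this hub serve the given Tenant's sites?"""
    if hub.kind == "enterprise":
        # Enterprise Hubs are defined within a Tenant and serve that Tenant only.
        return hub.scope == "tenant" and hub.owner == tenant.name
    if hub.scope == "global":
        return True                        # Global Provider Hubs serve every scope
    if hub.scope == "opco":
        return hub.owner == tenant.opco    # serves its own OpCo and that OpCo's Tenants
    return False                           # Provider Hubs are only linked, never defined, in a Tenant

def invalid_hub_definitions(hubs: List[Hub], cloud_hosted: bool) -> List[str]:
    """Hubs a customer may not define: wrong scope for the type, or Global in the cloud variant."""
    bad = []
    for h in hubs:
        if h.kind == "provider" and h.scope == "tenant":
            bad.append(h.name)             # Provider Hubs belong to Global or OpCo scope
        elif h.kind == "enterprise" and h.scope != "tenant":
            bad.append(h.name)             # Enterprise Hubs belong to a Tenant
        elif cloud_hosted and h.scope == "global":
            bad.append(h.name)             # Global scope is managed by Juniper in the cloud
    return bad

# Constructed sample inventory; OpCo, Tenant and hub names are placeholders.
TENANT_A = Tenant("tenant-a", opco="opco-1")
TENANT_B = Tenant("tenant-b", opco="opco-2")
HUBS = [
    Hub("global-ph", "provider", "global", None),
    Hub("opco1-ph", "provider", "opco", "opco-1"),
    Hub("opco2-ph", "provider", "opco", "opco-2"),
    Hub("ent-a", "enterprise", "tenant", "tenant-a"),
    Hub("ent-b", "enterprise", "tenant", "tenant-b"),
]
def serving_hubs(tenant: Tenant) -> List[str]:
    """Sorted names of the hubs in HUBS that may serve this Tenant."""
    return sorted(h.name for h in HUBS if hub_can_serve(h, tenant))
```

Running `invalid_hub_definitions(HUBS, cloud_hosted=True)` flags only the Global Provider Hub, which is exactly the sharing that the cloud-hosted variant removes.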
