Within our SD-WAN tech blog, we have generally introduced the benefits of the software-defined wide-area network (SD-WAN) technology, which enables service providers to evolve their WAN connectivity offerings through a high degree of flexibility, visibility and control. But how can we implement this approach to gain these benefits? Which solutions exist on the market that can meet these expectations? In this tech blog, we take a closer look at the details of the Contrail SD-WAN from Juniper Networks.

 

Contrail SD-WAN – a comprehensive solution for the branch transformation

The branch transformation towards the software-defined branch (SD-Branch) and Multicloud starts with the connectivity enabled through SD-WAN, and Juniper Networks offers with their Contrail SD-WAN a comprehensive solution built on their secure and universal customer premise equipment (CPE), layered with software-defined networking for controller-based policy and management.

 

 

In the SD-WAN field, Juniper Networks takes advantage of their large technology portfolio, and experiences gained in the area of data centres and campus networks. With Contrail SD-WAN offers Juniper Networks high-efficient end-to-end security and automation capabilities satisfying the need for multi-cloud access.

 

The Contrail Service Orchestration (CSO) software platform builds the basis

The key element of the Contrail SD-WAN solution is the Juniper Networks Contrail Service Orchestration (CSO) software platform, delivering automation, simplicity and openness to the design. Operating within a multi-vendor, multi-tenant environment, it ensures secure implementation, analysis and management of each unique network. CSO can be used to oversee parts of the SD-WAN services infrastructure for enterprise customers, and it provides a customised, easy-to-use self-serve portal. The current version of this platform is CSO 4.1.0 released in March 2019.

Source: Software-Defined Branch as a Key Part of Multicloud (J-Net Forum)

The Contrail SD-WAN controller – which comes with CSO – is the “SD-WAN brain” of the solution and manages the devices, topology and CPE lifecycle management functionality. The SD-WAN orchestrator provides a global view of all resources and tenant management, end-to-end traffic orchestration, visibility, and monitoring. In addition to this, offers Contrail SD-WAN integrated Security with Intent-based policy management and a full security suite with NGFW, UTM, Sky ATP, etc.

 

CSO’s easy-to-use user interface

The web-based user interface of the CSO platform abstracts the complexity involved in creating and managing network services and uses Intent-based policies and SLA parameters to differentiate and direct traffic flows across the available paths as desired.

Contrail CSO – user interface

The demo videos below give good insight into the structure and functionality of the user interface. The video on the left side shows how easy it is to check applications, SLA performance or to generate SD-WAN performance reports within seconds. The video on the right introduces the simplicity of the provisioning process of new branches through Zero Touch Provisioning (ZTP) and how to create and push new Intent-based policies.

 

Contrail SD-WAN 4.0.2 Demo Video

Juniper SD-WAN Demonstration

 

On-premise and cloud spoke devices

One of the Questions that arises is what CPEs can be deployed with Contrail SD-WAN? In the image below you can see the supported on-premise spoke devices by the CSO platform with version CSO 4.1.0: the physical NFX250 or NFX150 platform, one of the physical SRX devices (SRX300, SRX550M, SRX4100, SRX4200) or the virtual vSRX running on an x86 server.

Source: Juniper Networks TechLibrary – SD-WAN Deployment Architectures

The NFX250 is Juniper’s primary CPE device capable of hosting a range of multivendor Virtualised Network Functions (VNFs) while within the Contrail SD-WAN solution a vSRX instance is orchestrated, providing the Gateway routing functionality.

 

Each device can have multiple WAN links to forward and receive data, and one of the WAN interfaces is used for OAM traffic to manage the on-premise device. In addition to those on-premise variants, you can also deploy the vSRX as a cloud spoke device in the Amazon Virtual Private Cloud (Amazon VPC).

Contrail SD-WAN architecture – putting all together

We have learned that Juniper Networks Contrail SD-WAN is mainly built on the CSO software platform and the deployed CPEs. The figure below shows the common SD-WAN architecture, which includes multiple sites, multiple connections between those sites, an SD-WAN controller and multiple overlay tunnels.

The Contrail SD-WAN solution supports hub-and-spoke and dynamic mesh topologies. What does that mean? In the dynamic mesh deployment, each site has a CPE device like the NFX250 that connects to the other sites so that all sites are interconnected. In the hub-and-spoke implementation, a spoke device like the NFX250 is installed at the customer’s branch site connected to the customer LAN segments on the one hand and to the cloud hub device via the WAN interfaces on the other. The spoke device acts as a gateway and provides connectivity to other sites in the tenant network and the Internet.

Source: Juniper Networks TechLibrary – SD-WAN Deployment Architectures

There is at least one hub device which is owned by the service provider and resides within the provider’s point of presence (POP) and shared by multiple customers acting as SD-WAN Gateway and terminating tunnels from one or more spoke devices. In an enterprise environment, the cloud hub is owned by the customer and resides in the enterprise data centre. As Juniper Networks SD-WAN solution is based on standards like IPSec, the solution can also be integrated into existing gateways, which removes the need to deploy additional infrastructure. The hub devices supported by the Contrail Service Orchestration (CSO) platform with CSO Release 4.1 are shown in the image below.

Source: Juniper Networks TechLibrary – SD-WAN Deployment Architectures

Test Report by EANTC in 2018

In September 2018 the European Advanced Networking Test Centre (EANTC) completed an independent test report about the Contrail SD-WAN Solution from Juniper Networks. EANTC stated that test cases successfully verified Juniper’s claims of the Contrail SD-WAN being a secure, scalable and customizable solution with many add-on features corresponding to today’s and future service provider requirements.

Download:

 

 

Contrail SD-WAN – implemented in the XT3Lab

To give customers an insight into the functionality and benefits of Contrail SD-WAN, Xantaro operates a test installation in the XT3Lab. If you are interested in more details, please use the contact form below for a live demo of Contrail SD-WAN or even a practical approach via the Xantaro SD-WAN Accelerator pilot.

 

Link to Juniper’s official Contrail Service Orchestration (CSO) Documentation

 

Useful links for further information

 


MrMrsMs

 

 

Please find here further information regarding data protection.