Enterprise Cloud and Transformation
Demo of Juniper’s SD-WAN Solution
Nov 2, 2017

You’ve been hearing about SD-WAN for years and probably have a pretty good idea about what it is, so I won’t bore you with historical details that are easily found with a quick Internet search. Instead, let’s get right to the point of this blog: Juniper’s SD-WAN solution.


Juniper has built a rock-solid multi-tenant SD-WAN solution that supports features such as Deep Packet Inspection (DPI), dynamic path selection, analytics, centralized policy management, and a rich user interface. At the heart of Juniper’s SD-WAN lies Contrail Services Orchestration (CSO), which you have probably come across in customer win stories, 3rd-party technical evaluation reports, or industry interoperability testing articles.


For the universal CPE (uCPE), Juniper’s SD-WAN solution offers the carrier-grade NFX250 Network Services Platform, which runs the vSRX Virtual Firewall with all of its advanced security and routing features. The NFX250 supports multiple Juniper and 3rd-party VNFs.


SRX Services Gateways can also be used as physical on-premises CPEs. With DPI support, Juniper’s SD-WAN recognizes thousands of applications with easy-to-create policies for dynamically selecting traffic paths and managing switchover between links.


Now that we’ve described Juniper’s SD-WAN solution, let’s take a closer look at a demo setup (using the CSO 3.1 release on a single x86 server) that offers detailed insight into how it all works.


Running an End-to-End SD-WAN Demo


This simulation features a customer called Prime, headquartered in Sunnyvale, CA, with branch offices in Westford, MA and Dallas, TX. We created a hub using an SRX345 Services Gateway in the main office with two spokes: an SRX340 in Westford and an NFX250 in Dallas. The sites are connected through both Internet and MPLS links (the MPLS cloud was created using MX routers).



Figure 1: CSO Snapshot of Prime Inc. Network


Deployment of the equipment was painless using zero-touch provisioning (ZTP); the rollout was easy to monitor using real-time logs found under the Monitor tab.  The next step was to define and deploy some firewall and NAT security policies via CSO’s easy-to-use interface and real-time monitoring capabilities.  A NAT policy allowed traffic from the two branch sites to travel over the Internet.  A firewall policy was also created to allow certain traffic types to reach the sites.



Figure 2: Creating Firewall Policy in CSO.


SD-WAN Policies and SLA Profiles


Once reachability was confirmed, I created SD-WAN policies that allowed me to control and monitor applications, define application priorities, choose the WAN links to use, and set other options that gave me complete control over and visibility into the network. SLAs were configured and assigned based on application priority and traffic type (for instance, voice vs. best-effort Internet traffic). As shown in Figure 3, customers can define performance thresholds as part of an SLA profile; metrics include throughput, latency, packet loss, jitter, and delay.



Figure 3: Creating SLA Profile in CSO.


Once the SD-WAN policies are deployed, CSO offers a comprehensive overview of applications running in the network. I started three Internet sessions on one site and was amazed to see activity from various applications, all silently running in the background, start to appear.



Figure 4: Monitoring Applications using CSO.


Link Switchover as Per SLA Definition


One of the main benefits of SD-WAN is the ability to seamlessly move traffic to available WAN links if the primary link is not meeting SLA thresholds.  By creating an SLA with a strict latency target, I was able to see traffic move from one link to another without disrupting the impacted application’s performance.  Figure 5 shows the switchover event in the site traffic diagram, with details explaining why the event occurred and where the traffic was redirected.



Figure 5: Link Switchover event in CSO.


Running Juniper’s SD-WAN demo in the lab will reinforce anyone’s understanding of the technology and help them recognize the various features available. The solution is agile and fully automated, which facilitates rapid installation and deployment, provides real-time monitoring with centralized troubleshooting tools, and supports smooth integration of various equipment and software components. Additionally, full-featured and robust Junos routing and switching capabilities, along with a complete security suite (SRX/vSRX on carrier-grade x86 NFX250) combined with support for true multitenancy, make Juniper’s SD-WAN offering a standout among the industry’s offerings.




Juniper's SD-WAN Solution

Juniper's SD-WAN Solution Brief



Nov 2, 2017
Thank you for putting this together. This provides a really good overview of the basic functionalities of the demo. I do have a few questions. 1. As you take the NFX250 out of the box, what level of configuration is required to have it connect to the hub? 2. What does spoke-to-spoke traffic look like, while simultaneously allowing spoke-to-hub? Thanks again, I have been very interested in the SD-WAN solution, looking at it more from an Enterprise environment that would need multi-tenancy.
Nov 3, 2017
Juniper Employee

Thank you for the comments. Usually, when you plug the NFX250 into your network, the management interface (in JDM) will get an IP assigned through DHCP. In my case, I assigned the management IP statically to use certain IPs in my lab. Also, to get the box activated through the redirect-server (requires the box to be registered with Juniper's support) you don't need to do anything on the NFX250, but as it's a lab environment, I copied the certificate from csp-regional-msvm to the NFX250 and changed the authentication server from Juniper's public redirect-server to my lab environment. As for the hub and spoke traffic, in this case, traffic has to pass through the hub.


I would love to answer any further questions and assist with your demo setup ☺. You can email me at osaafein@juniper.net


Best regards,


Ous Saafein

Nov 3, 2017
Juniper Employee

Very well explained and a well written blog. I am sure this would be of great help to our field. Kudos to you.

Nov 24, 2017
Sukhjit Hayre

Is there any ADVPN support that would allow spoke to spoke direct comms?