CSO jclab demo


https://services.jlabs.juniper.net/kb?id=kb_article_view&sysparm_article=KB0010824&sys_kb_id=d73d510213f6c05034fbd7028144b0f2&spa=1


Demo instructions

https://services.jlabs.juniper.net/sys_attachment.do?sys_id=133d510213f6c05034fbd7028144b0f7


Pre-work (onboard 2 out of 3 vSRX)

My document:   Demo Procedure and serial number.txt
Enable the console port on the vSRX (spoke and hub)

Get the serial number of the vSRX (spoke and hub)

E-Hub : 8A9AEC392D29
Spoke-1: CD208CE65C4E
Spoke-2: D50C01BD6620

E-Hub : B98660690BA7
Spoke-1: C232DEDE45B4
Spoke-2: A35151948B56

E-Hub : D318879C3874
Spoke-1: 7DC5A31FE5D5
Spoke-2: 9EFF58CEDC4E


Access through the console port

default credential:   root / Juniper!1


Log into CSO to onboard the vSRX

1- Hub

2- the vSRX ( only one, to 

https://contrail-juniper.net/


Credential in the template:  ????


Device template

1- Hub

Log in using the console port

Get the serial number


1- Clone the "Device Template":   CSOaaS vSRX E-HUB  >>> jlk_CSOaaS vSRX E-HUB

2- Change the password to Juniper!1

2- Spoke

Log in using the console port

Get the serial number


1- Clone the "Device Template":   CSOaaS vSRX CPE >>>  jlk_CSOaaS vSRX CPE

2- Change the password to Juniper!1

On-boarding Enterprise Hub and Spoke

3- Onboarding Enterprise Hub

2b- Onboard vSRX onto CSOaaS
Signature Database

Administration > Signature Database

>>> Click on "Install on Device" and select all the devices.

Src-NAT Policy @E-HUB

Because local breakout + NAT is not enabled at the spoke in this demo, a policy must be added so that spoke traffic is NATed at the hub.
Configuration > NAT > NAT Policies

Name: ehubNATPolicy
Manage Auto-Proxy ARP: TRUE [DEFAULT]
Site Applied on: E-HUB

"Add Rule" to Src-NAT Policy Rules:
Configuration > NAT > NAT Policies > "Policy name" > "Add rule" > "Add Source NAT Rule"
Rule Name: ehubNATPolicy-rule1
Src: Any-IPv4 AND Zone: trust
Dst: Any-IPv4 AND Zone: untrust or untrust_WAN_0 AND Services: any
Translation: Interface
DEPLOY (the NAT policy defined above)
Firewall Policy:
1- site-to-site traffic and site-to-internet traffic flow
LAN Site to Internet
name: site2internet_ALLOWED
Src: Department: Default
Select Action: Allow
Dst: Address Any
Advanced Security ( UTM or IPS ): none
>> SAVE

default department site x to def dept site Y

( or LAN Site to LAN Site )

name: site2site_ALLOWED
Src: Department: Default
Select Action: Allow
Dst: Department: Default
Advanced Security ( UTM or IPS ): none
>> SAVE
2- allow traffic from trust zone to the untrust zone
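The NAT policy and the site-to-internet firewall policy above are entered in the CSO GUI and pushed to the E-HUB vSRX on DEPLOY. The Junos configuration below is an added illustration of what the hub should end up with, written for these notes; it is not output captured from CSO or from the lab devices. The zone names trust and untrust and the policy and rule names are taken from the steps above; the exact structure CSO generates may differ (for example the WAN zone may appear as untrust_WAN_0 rather than untrust, and the rule-set may be split per WAN interface). The site2site_ALLOWED policy is not shown because its zone mapping depends on how CSO models the overlay between sites.

```junos
security {
    nat {
        source {
            /* ehubNATPolicy-rule1 from the notes: trust -> untrust, any IPv4 source and
               destination, translate to the address of the egress interface */
            rule-set ehubNATPolicy {
                from zone trust;
                to zone untrust;
                rule ehubNATPolicy-rule1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* site2internet_ALLOWED: trust zone to untrust zone, any source, any
           destination, any application; no UTM or IPS, so a plain permit */
        from-zone trust to-zone untrust {
            policy site2internet_ALLOWED {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After DEPLOY, check the result from the E-HUB console rather than trusting the GUI job status: `show configuration security nat source` and `show configuration security policies` should contain the rule-set and policy above, `show security nat source rule all` shows per-rule translation hit counters once a spoke LAN host sends traffic to the internet, and `show security flow session` shows those sessions with the hub's interface address as the translated source.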




SD-WAN local breakout policy: