Contrail Service Orchestration

Data Sheet

Product Overview

Contrail Service Orchestration is a comprehensive software management and orchestration software product that provides multisite and multicloud secure network services like VPNs, SD-WAN, and SD-Branch for secure CPE, universal CPE, virtual CPE, and virtual cloud endpoints. Contrail Service Orchestration’s intuitive user interface allows both service providers and enterprises to simultaneously select centralized and distributed virtual network functions for simple, seamless service deployment. Service management and troubleshooting are streamlined; tenants use self-service portals to select the services that best meet their business requirements.

Product Description

Multicloud has fundamentally altered the traffic patterns and security postures of the enterprise network, making it increasingly difficult to manage. Whether you manage your company’s WAN, use WAN services, or provide them to enterprise customers, it’s time to rethink your approach to network architecture and service management. You need a solution that’s secure, flexible, and one that can simplify growing network complexity.

As service providers look to help enterprise organizations address their needs for multicloud connectivity to support cloud-based business tools and resources, increased security, an increasing number of devices in the workplace, and a growing mobile workforce, they face a number of network and operational challenges. At the same time, competition is increasing, as competitive providers are now able to deliver services over-the-top of their network using virtualization technology. Service providers need to be able to address the rapidly changing needs of their enterprise business customers. They need to respond quickly, reducing service design, deployment, and delivery time windows, and place greater ownership of service customization and management in customers’ hands. Yet their legacy static networks and rigid service delivery infrastructures hinder their ability to react quickly and deliver new responsive services on demand.

Juniper® Contrail® Service Orchestration empowers enterprises and service providers to drastically reduce delivery times for managed services, transforming a multi-month experience into a near real-time point-and-click operation by automating the entire service delivery life cycle. As a component of Juniper Contrail SD-WAN, CSO reduces and optimizes the operational costs by dynamically and efficiently routing traffic based on user and application policies and analytics, significantly enhancing the user experience and allowing service providers to grow revenue.

As a component of Juniper Cloud CPE, Contrail Service Orchestration seamlessly integrates with Contrail Provider Cloud for turnkey cloud orchestration, creating a vertically integrated Network Functions Virtualization (NFV) management and orchestration stack that delivers and manages virtual and physical network services. It also integrates with the NFX Series Network Services Platform, controlling these universal CPE devices. Juniper and third-party virtual network functions (VNFs) running on the NFX Series or Contrail Provider Cloud are easily integrated into consumable, higher-level managed services.



Architecture and Key Components

Contrail Service Orchestration consists of the following key components:

Network Service Designer: The Network Service Designer provides product managers and network architects with an intuitive point-and-click solution for performing the service definition process of Juniper and third-party VNFs that is part of service life cycle management. An easy step-by-step service design implementation wizard walks you through the complete service definition process, specifying the VNF onboarding process, VNF version control, VNF description, and more. The Network Service Designer also assists with service configuration parameters, service chaining templates, and customer-specific service catalogs that get exposed through the customer portal. The entire service definition is saved in a database via standard YANG data models, providing easy integration with third-party operations support systems (OSS) and business support systems (BSS).

Figure 1: Contrail Service Orchestration Network Service Designer

Administration Portal: The Administration Portal gives network administrators simultaneous visibility into customers’ on-premises and hybrid cloud-based services, enabling them to easily monitor and troubleshoot service health and status. Detailed service information is readily accessible for monitoring virtual or physical customer premises equipment (CPE), service level agreements (SLAs), CPE resource diagnostic reports, service catalog resources, and other administrative functions. The Administration Portal supports role-based access control (RBAC), as well as both local authentication and SAML-based authentication for single sign-on (SSO). Administrators can also create more users with specific roles and access privileges.

Figure 2: Contrail Service Orchestration Administration Portal

Multitenant Customer Portal: The Customer Portal is provided through a unified portal with access to functions governed by an RBAC to provide a per tenant admin and tenant operator role (read-only access). Tenants, such as service provider customers, have the freedom to self-select the services that best fit their business needs. They also have the ability to select the appropriate service deployment model on-premises or in the cloud, with the flexibility to determine when to deploy, change, or delete a service in near real time. Service providers can choose to develop their own customer portal GUI using REST APIs.

Figure 3: Contrail Service Orchestration Customer Portal

Security Management: Contrail Service Orchestration includes the ability through the same management platform to orchestrate managed security services as part of the suite of network services. You can manage Network Address Translation (NAT) policy or intent-based firewall policy to ensure security across Layer 4 transport rules through Layer 7 application rules. Automation of the policies allows for consistent and easy deployment across the network. With integrated security dashboards and alerts, you always have visibility that sites are secure. With security management built in, pervasive and always-on security is part of every deployment.

Figure 4: Integrated Secure SD-WAN


Contrail Service Orchestration Features and Benefits

| Features | Benefits |
| --- | --- |
| Service creation workflow portal | Service managers and administrators can intuitively define a customized service catalog through a simple wizard. |
| Resource management schemas | Eliminates error-prone provisioning processes by recommending the most efficient service creation model based on defined VNFs that best meet tenant needs. The intelligent service design portal establishes a workflow that reduces the time required to define and deliver new services to market, increasing productivity and lowering operational expenses. |
| Automated service delivery | The entire service life cycle is automated and orchestrated. When a tenant selects a service they want, regardless of the deployment model required—centralized, distributed, or hybrid—the service is automatically delivered to the customer. |
| Dynamic application traffic routing | Improve application performance and avoid negative impacts caused by packet loss, jitter, delay, and poor throughput. |
| Junos Space® Security Director: comprehensive, fully integrated security management | Full-stack security is included for simple, automated, and consistent security visibility, policy management, and enforcement. |
| Open-standard BGP protocols for routing | Easily works with existing WAN and service provider routing environments and additional SD-WAN controllers. |
| Open YANG data models and open APIs | Integrates with other systems like BSS/OSS and IT service management (ITSM), or extends the platform with custom automation to accelerate workflow. |
| Multitenant service onboarding with tenant-customized profiles | Every tenant has a personalized experience, allowing for the creation of services that best fit their business needs. |
| Unified management of composable and distributed VNFs | Functions—based on universal CPEs or NFV cloud infrastructures—can be seamlessly interconnected to speed and ease secure network service creation. |
| Built-in physical network element management for Juniper systems | Automatically connects the access layer of the provider edge gateway in a central office to the virtual service instance. |
| Zero-Touch Provisioning (ZTP) and configuration for universal CPE devices | The NFX Series platform is automatically provided configuration, element management, and VNF life cycle management. |
| Any deployment model over any network implementation | Supports any WAN architecture, including full or partial mesh, over any transport network. Auto-provisions the underlay WAN network transport with various VPN technologies such as IPsec, GRE tunneling, L2/L3 VPN, and more. |
| Integrates with Contrail Provider Cloud | Cloud-delivered NFV is easily integrated with Contrail Service Orchestration or higher-level existing OSS/BSS environments. |

CSO SD-WAN Features and Benefits

| Features | Benefits |
| --- | --- |
| NFX Series Network Services Platform integration | Fully integrated with the NFX Series Network Services Platform, CSO delivers a fully automated deployment experience for Contrail SD-WAN customers. Simply take the NFX Series device out of the box, connect it to the network, and apply power. |
| SRX Series Services Gateways integration | Fully integrated with the SRX Series Services Gateways, CSO delivers a fully automated deployment experience for Contrail SD-WAN customers. Simply take the SRX Series device out of the box, connect it to the network, and apply power. |
| Multihoming with traffic failover support | NFX Series and SRX Series platforms are able to connect with two different hub devices in a hub and spoke topology. Traffic automatically switches from the primary hub to the secondary hub if the primary hub, its connection, or all of its overlay tunnels are down. When the primary and/or its tunnels become available, traffic is automatically reverted back. |
| MX Series and SRX Series hub gateway support | Contrail SD-WAN supports the use of both the Juniper Networks MX Series 3D Universal Edge Routers and SRX Series Services Gateways to be used as cloud-based hub devices. This provides service providers and enterprise organizations with the ability to leverage the same Juniper infrastructure already in their network. |
| On-premises hub gateway support | Supports the use of the SRX Series Services Gateways as premises-based hub devices, providing enterprise organizations the ability to leverage the same Juniper infrastructure already in their network. |
| Advanced policy-based routing (APBR) | Lets you classify traffic flows based on application attributes and apply filters based on these attributes to redirect the traffic. |
| Local breakout | Lets you break out Internet (all non-VPN) traffic at the local site. The enterprise IT manager is able to define which links at the site can be used for local breakout, and also enable automatic interface-based source NAT policy for the local breakout links. |
| Full mesh support | While full mesh networks are expensive to set up and maintain, because every site on the network is connected to every other site, they provide a high degree of reliability through the multiple data paths created. |
| Security features: Unified threat management (UTM) support | Provides integrated security: antivirus, antispam, Web filtering, and content filtering. Because it is fully integrated and based on the SRX Series high-performance next-generation firewall (NGFW) solution, customers have peace of mind that the solution is fully integrated, works out of the box, and provides industry-leading security performance. |
| Security features: NAT and SSL | Integrated NAT and SSL support ensures that traffic is protected whether flowing across MPLS tunnels, VPNs, or the Internet. |
| Threat map support | Provides you with the ability to visualize your network geographically. Users are able to monitor incoming and outgoing traffic, blocked and allowed threat events from IPS, antivirus and antispam engine feeds, and unsuccessful login attempts. This is all provided via a simple to use GUI. |
| Remote device reboot | In the event that an on-premises device might need to be rebooted, CSO can reboot the device from a remote location. This minimizes the need for local IT staff or service provider truck rolls. |


Specifications

System recommendations and operating environment depend on the intended use. There are four recommended Contrail Service Orchestration deployment configurations that support varying scale and redundancy:

1. Demonstration mode without high availability

2. Trial mode with high availability

3. Production mode without high availability

4. Production mode with high availability

Recommended Operating Environment

• Network: 1GbE or 10GbE interface card (one or more)

• OS: Linux OS (Ubuntu 14.04.5 LTS)

• Storage: Greater than 1 TB Serial Advanced Technology Attachment (SATA), Serial Attached SCSI (SAS), or solid-state drive (SSD)

• Servers: Quanta (QuantaPlex T41S-U), Supermicro (SYS-2028TPHC1TR-OTO-4), or Dell (R420) (Intel E5-2670v3 or better) using 2.4GHz 64-bit dual x86 processor

Table 1 below reflects the server requirements per configuration. Detailed configurations of virtual machines and memory allocations to the Contrail Service Orchestration functions can be found in the Contrail Service Orchestration deployment guide.

Table 1: Server Requirements per Configuration

| Configuration | Number of Servers | vCPUs per Server | Memory per Server (GB RAM) |
| --- | --- | --- | --- |
| Demo non-HA configuration | 1 | 48 | 256 |
| Production non-HA configuration | 3 | 48 | 256 |
| Production HA configuration | 9 | 48 | 256 |
| Trial HA configuration | 3 | 48 | 256 |

Juniper Networks Services and Support

Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services.

Ordering Information

This product adheres to the Juniper Software Advantage pricing model.

The Contrail SD-WAN solution provides annual and multi-year subscriptions that include Contrail Service Orchestration. They are available in simple bundles of software and hardware platforms, but you may also choose to purchase Contrail Service Orchestration and other systems individually.

As this is a virtual appliance/software product, you would not buy any hardware license from Juniper, but instead, procure the hardware and additional required support for this hardware from an additional third-party vendor. For additional information on supported hypervisor(s) and VM requirements and recommended hardware configuration, please refer to the technical documentation for this product on our website under the Support section.

Juniper Networks products are sold directly as well as through Juniper partners and resellers.

For more information on the Juniper Software Advantage business model, please visit www.juniper.net/us/en/products-services/sdn/contrail/. For information on how to buy, please visit www.juniper.net/us/en/how-to-buy.

CSO Cloud CPE Features and Benefits

| Features | Benefits |
| --- | --- |
| Distributed model with NFX Series platforms | Fully integrated with the NFX Series Network Services Platform, which allows service providers to design, develop, and deliver a portfolio of managed services from one orchestration solution. CSO and the NFX Series can support a number of Juniper and third-party VNF solutions, and Juniper Professional Services can support customers in integrating additional VNFs as needed. |
| Distributed model with SRX Series platforms | Fully integrated with the SRX Series Services Gateways, which allows service providers to easily deploy a high-performance NGFW-based managed security solution that is fully automated and orchestrated from a centralized management platform. |
| Centralized model with Contrail Provider Cloud and Contrail Networking | CSO can be deployed with Contrail Provider Cloud and Contrail Networking to deliver a cloud-based virtual managed service delivery solution. In this model, service providers can host and manage their services-focused VNFs in their data centers, leveraging service chaining to map customers to the services they order. This solution can be used with the SRX Series or NFX Series on-premises CPE devices or other third-party network interface devices (NIDs). |
| Hybrid model | CSO supports a hybrid model, which allows service providers to distribute some services to the customer premises, while hosting other services in their data centers. This provides service providers with greater flexibility to best support their operational and business model requirements. In some cases, users may choose to start small, deploying a service from the cloud and then, as the demand for the service increases, eventually distribute it out to the end customer premises. |


Corporate and Sales Headquarters

Juniper Networks, Inc.

1133 Innovation Way

Sunnyvale, CA 94089 USA

Phone: 888.JUNIPER (888.586.4737)

or +1.408.745.2000

Fax: +1.408.745.2100

www.juniper.net

Copyright 2018 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

APAC and EMEA Headquarters

Juniper Networks International B.V.

Boeing Avenue 240

1119 PZ Schiphol-Rijk

Amsterdam, The Netherlands

Phone: +31.0.207.125.700

Fax: +31.0.207.125.701


1000559-008-EN Feb 2018


About Juniper Networks

Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. Our team co-innovates with customers and partners to deliver automated, scalable and secure networks with agility, performance and value. Additional information can be found at Juniper Networks or connect with Juniper on Twitter and Facebook.