
[CSO] How to allow an internet connection for LAN segments deployed in spoke



Article ID: KB35087   KB Last Updated: 14 Oct 2019   Version: 1.0

This article explains the configuration needed in CSO to provide internet connectivity for LAN segments deployed in a spoke.

The content in this article applies to CSO 5.0.1.


There are two ways to achieve this goal:

  1. Via Local Breakout in spoke

    When creating sites, local breakout must be enabled and the WAN links that are used for local breakout traffic on the site must be configured. You also need to specify whether the WAN links are used exclusively for local breakout traffic or for both local breakout and non-Internet traffic. If a specific WAN link is used exclusively for local breakout, then overlay tunnels for that WAN link are not created.

    Note: Local breakout must be enabled when creating the site, which takes care of automatic rule provisioning. This cannot be done after the site has been provisioned.

    A firewall policy must be provisioned from the selected Department (which contains the LAN segment) to Any, in order to handle outgoing traffic.

  2. Routing traffic via hub, including NAT config in hub (No Local breakout)

    This can be achieved by including the NAT configuration in the Stage-2 template of the hub.

    Configuration Designer must be used to build custom stage-2 templates, which are then available at Resources > Device Template.

    To add a stage-2 configuration template:

    1. Select Resources > Device Template.

      The Device Templates page appears.

    2. Select a device template for which you want to add the stage-2 configuration and select Edit Device Template > Stage-2 Config Templates.

    Note: In 5.0.3, Config Designer is integrated into the admin portal. If you are running 5.0.1/5.0.1, please contact your Juniper Support Representative to create custom stage-2 templates. (Global admin and SP admin have the privilege to access the designer tool; OpCo/tenant admin is unauthorized.)
