Your First Hybrid WAN (Distributed) Deployment
Install Junos Software onto NFX from USB Port
This section details how to install Junos OS software version 15.1X53-D496.0 onto an NFX250 from a USB drive. Doing this sets the device to the factory default state. We also perform some confirmation steps and obtain the device’s serial number. This procedure is for an NFX250 device.
Before You Begin
In order for this procedure to succeed, you must have the following:
- Physical access to the USB port of the NFX device
- A USB drive of at least 4GB containing the Junos OS Software image, 15.1X53-D496.0, inserted into the USB port of the NFX
- Access to the console port of the NFX device (This can be physical access or access over a terminal server)
- A DHCP server that is reachable from the ge-0/0/11 interface of the NFX250. This DHCP server must be able to provide IP address, name server, and default gateway to the NFX upon request.
The following procedures contain comments that are added to clarify the steps that are discussed.
- Ensure that the USB drive containing the Junos OS software image is inserted in the USB port of the NFX device.
This allows you to boot the NFX from the USB drive.
- Access the NFX console either directly or using a terminal
You do not need to log in; just ensure that you are actively connected.
- Power off the NFX device.
- Power on the NFX device.
- Immediately return to the session that you have open to the console port of the nfx1 device.
From the console of the nfx1 device, press the ESC key every second until the following message appears: Esc is pressed. Go to boot options.
If you do not see this message in the console and the NFX appears to be booting normally, you need to wait for the boot to complete and then go back to step 1.
- A menu appears after a brief time. Use the down arrow key to select Boot Manager, then press Enter.
- When the Boot Manager menu appears, press Enter to boot from the USB00 drive.
- When the GNU GRUB menu appears, use the up or down arrow keys to select Install Juniper Linux with secure boot support and then press Enter.
At this point, the NFX will install the software contained on the USB drive. Installation takes some time. You can keep your console connection active to watch the installation process.
The NFX is made up of multiple components that load and boot in a specific order. See NFX 250 Overview for details. The PFE of the NFX may take a few minutes to complete the boot and allow the jsxe0 interface to obtain its address from DHCP.
You can log in to the console of the NFX as root and confirm that the jsxe0 interface has received its address using the following procedure:
- Press Enter to refresh the login prompt
- At the jdm login prompt, type root and press Enter.
There is no password assigned to the root user at this point. For the purposes of this deployment exercise, do not set a root password at this time.
- At the root@jdm:~# prompt, type cli and press Enter.
- Type show interfaces jsxe0 and press Enter.
The jsxe0 interface has a number of logical interfaces used internally by the NFX for different purposes. You are looking for the jsxe0.0 logical interface. Confirm that the DHCP server has provided an address in the proper range before continuing.
root@jdm:~# show interfaces jsxe0
Logical interface jsxe0.1 (Index 4)
    Flags: Up
    Input packets : 0
    Output packets: 252
    Protocol inet, MTU: 1500
Logical interface jsxe0.2 (Index 5)
    Flags: Up
    Input packets : 3
    Output packets: 274
    Protocol inet, MTU: 1500
Logical interface jsxe0.0 (Index 3)
    Flags: Up
    Input packets : 7097
    Output packets: 8722
    Protocol inet, MTU: 1500
        Destination: 172.26.133.0/24, Local: 172.26.133.106, Broadcast: 172.26.133.255
At this point, you can confirm that the DNS name server and default gateway are working by issuing the ping command to some host on the Internet.
root@jdm:~ # cli
root@jdm:~ > ping www.juniper.net count 1
PING e1824.dscb.akamaiedge.net (18.104.22.168) 56(84) bytes of data.
64 bytes from a23-223-165-73.deploy.static.akamaitechnologies.com (22.214.171.124): icmp_seq=1 ttl=56 time=2.67 ms
--- e1824.dscb.akamaiedge.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.670/2.670/2.670/0.000 ms
The last part of this procedure is to log in to the Junos Control Plane (jcp) in order to obtain the device serial number, which will be used later in the SD-WAN deployment.
root@jdm:~ > ssh vjunos0
Last login: Tue Jan 22 06:28:51 2019
--- JUNOS 15.1X53-D40.3 Kernel 32-bit FLEX JNPR-10.1-20160217.114153_fbsd-builder_stable_10
At least one package installed on this device has limited support.
Run 'file show /etc/notices/unsupported.txt' for details.
root> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                DXXXXXXXXXX3
Pseudo CB 0
Routing Engine 0          BUILTIN      BUILTIN           RE-NFX250-S2
FPC 0            REV 04   650-066113   DXXXXXXXXXX3
  CPU                     BUILTIN      BUILTIN           FPC CPU
  PIC 0          REV 04   BUILTIN      BUILTIN           10x10/100/1000 Base-T-2x1G SFP-
Power Supply 0
Fan Tray 0                                               fan-ctrl-0 0, Front to Back Airflow - AFO
Fan Tray 1                                               fan-ctrl-0 1, Front to Back Airflow - AFO
The device serial number is listed on the Chassis line of the output. In this example, it is partly obscured for security purposes. Make note of the serial number for later use.
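The two confirmation steps in this procedure (that jsxe0.0 holds an address in the proper range, and the chassis serial number) can be checked against a saved console capture. The Python below is an added example, not part of the original procedure: the function names and sample captures are constructed for illustration, the expected range is supplied by the caller, and the Chassis row is assumed to have blank Version and Part number columns as in the output above.

```python
import ipaddress
import re

# Constructed sample captures, in the shape of the output shown on this page
# (serial number obscured exactly as the page obscures it).
SAMPLE_INTERFACES = """\
Logical interface jsxe0.1 (Index 4)
    Protocol inet, MTU: 1500
Logical interface jsxe0.0 (Index 3)
    Protocol inet, MTU: 1500
        Destination: 172.26.133.0/24, Local: 172.26.133.106, Broadcast: 172.26.133.255
"""

SAMPLE_HARDWARE = """\
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                DXXXXXXXXXX3
Routing Engine 0          BUILTIN      BUILTIN           RE-NFX250-S2
FPC 0            REV 04   650-066113   DXXXXXXXXXX3
"""


def logical_interface_address(output, ifname):
    """Return the 'Local:' IPv4 address of one logical interface, or None."""
    current = None
    for line in output.splitlines():
        header = re.match(r"\s*Logical interface (\S+)", line)
        if header:
            current = header.group(1)  # following lines belong to this unit
            continue
        local = re.search(r"\bLocal: (\d+\.\d+\.\d+\.\d+)", line)
        if local and current == ifname:
            return ipaddress.ip_address(local.group(1))
    return None  # interface missing, or no address assigned yet


def address_in_expected_range(output, ifname, expected_cidr):
    """True only if ifname has an address inside expected_cidr."""
    addr = logical_interface_address(output, ifname)
    return addr is not None and addr in ipaddress.ip_network(expected_cidr)


def chassis_serial(output):
    """Return the serial number from the Chassis row, or None if absent."""
    for line in output.splitlines():
        fields = line.split()
        # Assumption: Version and Part number are blank on the Chassis row.
        if len(fields) >= 2 and fields[0] == "Chassis":
            return fields[1]
    return None
```

A `None` result from `logical_interface_address` covers the case the page describes where the PFE has not finished booting and jsxe0.0 has not yet obtained its DHCP lease.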
Modify Device Templates
From this point on in this deployment example, we assume that your CSO software is installed at 192.168.101.12 and that you know the login credentials for the cspadmin user of the Administration Portal.
In this section, we modify an existing device template so that it works for this example.
- Open your web browser and in the URL field, enter https://192.168.101.12
- Enter the login credentials for the Administration Portal.
By default, the username is cspadmin and the password is randomly generated during installation. If this is the first time logging into the Administration Portal, you must set a new password for the cspadmin user.
- Navigate to Resources > Device Templates
- Find the device template named NFX250 as Managed Internet CPE.
- Select the check-box next to the template and then select Template Settings from the Edit Device Template pull-down
A new window titled Template Settings appears
- In the Template Settings window, ensure that the following things are set:
By requiring an activation code, a CPE device will not be allowed to communicate with CSO until the tenant has activated a site using the activation code. The value of the activation code will be set later in the process.
Stage 2 configurations are configurations that can be added to a device after the initial, stage 1, provisioning of the device. This setting prevents the automatic deployment of a stage 2 configuration.
This setting ensures that the jmgmt0 interface is not enabled on the NFX device. Since this is a managed Internet service and the NFX device will be sitting on the customer’s premises, this might be a useful setting to prevent unwanted login by the tenant.
Do not change any other settings.
- Select Save when finished.
Create and Configure a New Tenant
In this section we use the Administrator Portal to add a tenant to CSO.
- Select Tenants from the left-nav panel
- Click the Add Tenant button
If there are no tenants created yet, Add Tenant will be a button. If there are tenants, click the “+” to create a new tenant.
- In the Add Tenant window that appears:
Enter a name for your tenant such as Tenant1
Fill in the Admin User information
Select the check-boxes next to all three Roles in the Available section and click the arrow link to move them to the Selected section
Set the User Password to never expire
If needed, you can configure password expiry rules here.
In the Deployment Type window, select the check-box next to Hybrid WAN Sites
The window advances to the Tenant Properties section. For this example, browse the Tenant properties but do not make any changes
The window advances to the Summary section. Review the summary.
A pop-up message appears that tells you that the Add Tenant job was started. After some time, your new tenant appears in the list of tenants.
Create and Configure a Site for the Tenant
In this section, we move to the Customer Portal for the newly configured tenant in order to create a site.
This procedure begins in the Tenants window of the Administration Portal, at the list of tenants.
- Click on the name of the tenant that you just created
This will take you to the Customer Portal for that tenant. The Dashboard is displayed
- Select Sites link from the left-nav bar
- In the Sites window that appears, click the Add Spoke Site - Hybrid
A new window titled Add Site for <Tenant> appears.
- Fill out the information in the Site Information section.
The only required information in this window is the site name. Enter a site name that makes sense, like: site1
If you fill in the address information, CSO will use it to display the site on maps in some of the monitoring windows.
- Click Next
This brings up the Connectivity Requirements section.
- Under Connection Plan, click the left (<) or right (>) arrow until you see the NFX250 as Managed Internet CPE box. Click on that box.
This activates the Connectivity Requirements for the Selected Plan section.
You cannot modify any settings for the WAN_0 interface because there are strict requirements for this device template that the WAN_0 must be an Internet-facing interface.
- Click Next when finished
The window advances to the Summary
- Review the Summary section
- Click OK when you’re finished reviewing
You will see pop-up messages appear for site-creation job start and site-creation job finished.
- Click the check-box next to the site you just created
- Click the Configure Site button
This brings up a new window titled Configure Site <site-name>.
- In the Configuration Section, click the Advanced
On this tab, fill in the following information:
Name Server IP List: <Click the pull-down menu, if no results are found, enter the IP address of a DNS name server>.
This is a required field.
You must press Enter when you have completed the IP address entry. If you don’t, the entry will be lost.
Ntp server IP List: <This is an optional field. However, it is a good idea to enable NTP whenever possible. Enter the IP address of an NTP server.>
Select timezone: <This is an optional field. However, it is a good idea to set this to the appropriate time zone. Select the appropriate time zone for this site.>
- Click the Devices tab
On this tab, fill in the following information:
Serial Number: <Enter the serial number of your NFX250 device>
This is a required field.
We create the spoke site first so that we can establish the departments (security zones) that will be used by the tenant. We cannot create a hub site until this is determined. If you attempt to create a hub site before creating a spoke site, CSO displays an error.
One of the steps in configuring the spoke site is to associate it with a hub. Therefore, we cannot configure the site until after the hub has been created.