Day 0: Add an EX Series Switch to the Juniper Mist Cloud
Requirements
We recommend that all switches in an organization be managed exclusively through the Juniper Mist cloud, and not from the device’s CLI.
The switch needs to connect to a DNS server (an NTP server is also recommended), and it needs to be able to connect to the Juniper Mist cloud architecture over the Internet. If there is a firewall between the cloud and the switch, you need to allow outbound access on TCP port 2200 to the management port of the switch. In addition, you need the following items:
- A Juniper Mist Wired Assurance Subscription, and logon credentials for the Juniper Mist portal
- Physical access to the switch to connect the cables
- A supported Juniper EX Series switch
- A user account on the switch to make CLI configurations (brownfield option)
This example shows how to connect an EX Series switch to the Juniper Mist cloud architecture, and how to bring it onboard to your organization in the Juniper Mist portal. Cloud-ready, or “greenfield,” switches can be added to the Juniper Mist cloud automatically using the ZTP option, or manually by entering an activation code for the switch in the Juniper Mist portal.

“Brownfield” switches, that is, switches being brought into the Juniper Mist cloud architecture from a previous deployment, can also be added to the Juniper Mist cloud. Both procedures are described in this example.
Overview of the ZTP Process
Once a cloud-ready switch is connected to the Internet and powered on for the first time, it triggers an onboard phone-home client (PHC) to get configuration updates from the phone-home server (PHS) as shown in Figure 2. The default behavior is for the PHC to connect to a redirect server, which then redirects it to a phone home server where the switch can get the configuration or software image. This enables the switch to securely and automatically obtain the most recent Junos OS configuration or software image, with no intervention other than physically connecting the switch to the network. Alternatively, you can configure the switch to use a Dynamic Host Configuration Protocol (DHCP) server configured with the necessary ZTP options to complete the ZTP process. To revert to the ZTP default, you need to boot from the factory-default state (or you can issue the Junos OS request system zeroize command to reset the configuration).
Topology

How to Activate a Greenfield Switch
To adopt a cloud-ready switch manually, you need an activation code for the switch. Activation codes are sent through e-mail to the address on record at the time of purchase, or they can be obtained by contacting the Juniper Mist Customer Engagement team. Using the activation code adopts the switch and any Juniper access points that are part of the purchase order, and claims any subscriptions that are included in your purchase.
Manually Add a Cloud-Ready Switch to the Juniper Mist Cloud:
Step-by-Step Procedure
- Start by unboxing your switch, connecting the management port to the Internet, and powering it on. As part of the ZTP process, the switch automatically accesses the PHC server (or the DHCP server if you have set this up instead) and then connects to the Juniper Mist cloud for configuration updates.
- Using a Web browser, log in to your Juniper Mist account. The Monitor page appears, showing an overview of the Juniper Mist cloud and any Juniper access points and clients that are already connected. In the menu on the left, click Organization > Inventory to open that page.
Figure 3: The Juniper Mist Inventory Page
- Select Switches at the top of the Inventory page, and then click the Claim Switches button and enter the activation code for the switch.
Figure 4: The Claim Switches Page
- Fill out the other fields on the page as you like. Select Manage configuration with Juniper Mist and then enter a root password for the switch. Note that this choice puts the switch under the management of the Juniper Mist portal, and as such, we recommend that local configuration using the CLI be restricted to prevent conflicts (for example, you might want to create a system login message on the switch to warn against making configuration changes locally, from the CLI).
Once the ZTP process resolves, the switch automatically appears in the Inventory page. If the switch doesn’t appear after a few minutes, despite refreshing the web page, log out and then log back in.
Activate a Brownfield Switch
It is important to back up your existing Junos OS configuration on the switch before activating a brownfield switch because when the switch is adopted for management from the Juniper Mist cloud, the old configuration is replaced. Back up your existing Junos OS configuration by running the request system software configuration-backup (path) command, which saves the currently active configuration and any installation-specific parameters.
To retain your existing Junos OS configuration after it is adopted, copy the configuration and append it below the switch adoption command (shown in Figure 5). Do this before you click the Copy to Clipboard button. You can run the show configuration command in the Junos OS CLI to display the existing configuration for copying.
Likewise, to prevent users from using the Junos CLI to configure the switch after it has been adopted into the Juniper Mist cloud, you may want to create a system login message on the switch to warn against making configuration changes, or to restrict their management access altogether by changing the password or placing restrictions on the Junos CLI user accounts.
How to Add a Brownfield Switch to the Juniper Mist Cloud
Step-by-Step Procedure
This procedure describes how to set up a secure connection between a supported EX Series switch running a supported version of Junos OS and the Juniper Mist cloud. In it, you will make a few configuration changes in the Juniper Mist portal, and some on the switch using the Junos OS CLI. Be sure you can log in to both systems.
- Log in to your organization on the Juniper Mist cloud and then click Organization > Inventory in the menu.
- Select Switches at the top of the page that appears, and then click the Adopt Switch button in the upper-right corner to generate the Junos OS CLI commands needed for the interoperability. The commands create a Juniper Mist user account, and an SSH connection to the Juniper Mist cloud over TCP port 2200 (the switch connection is from a management interface and is used for configuration settings and sending telemetry data).
Figure 5: The Switch Adoption Page
- In the page that appears, click Copy to Clipboard to get the commands from the Juniper Mist cloud.
- In the Junos OS CLI, type edit to start configuration mode, and then paste the commands you just copied (type top if you are not already at the base level of the hierarchy).
- If you want to add a system message, use the following command:
    user@host# set system login message "message text here"
- You can confirm your updates on the switch by running show commands at the [system services] level of the hierarchy, and again at the [system login user juniper-mist] level of the hierarchy.
show system services
    ssh {
        protocol-version v2;
    }
    netconf {
        ssh;
    }
    outbound-ssh {
        client juniper-mist {
            device-id 550604ec-12df-446c-b9b0-eada61808414;
            secret "trimmed"; ## SECRET-DATA
            keep-alive {
                retry 3;
                timeout 5;
            }
            services netconf;
            oc-term.mistsys.net {
                port 2200;
                retry 1000;
                timeout 60;
            }
        }
    }
    dhcp-local-server {
        group guest {
            interface irb.188;
        }
        group employee {
            interface irb.189;
        }
        group management {
            interface irb.180;
        }
    }
show system login user juniper-mist
    user@Switch-1# show system login user juniper-mist
    class super-user;
    authentication {
        encrypted-password "$trimmed ## SECRET-DATA
    }
- Run the commit command to save the configuration.
- Back in the Juniper Mist portal, click Organization > Inventory > Switches and select the switch you just added.
- Click the More drop-down list at the top of the page, and then click the Assign to Site button.
- In the page that appears, choose which site you want to assign the switch to, and then select Manage configuration with Mist.
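To review the pasted adoption commands before you commit, the following added example (not part of the Juniper documentation or Mist tooling) parses `show system services` output and reports where the juniper-mist outbound-ssh client differs from the stanza shown above. The expected host and port are taken from this page's sample output and are assumptions for your organization; `parse_junos` and `audit_adoption` are hypothetical helper names.

```python
import re

# Constructed sample modelled on the page's output; device-id and secret are placeholders.
SAMPLE = '''
outbound-ssh { client juniper-mist {
    device-id 00000000-0000-0000-0000-000000000000;
    secret "placeholder"; ## SECRET-DATA
    keep-alive { retry 3; timeout 5; }
    services netconf;
    oc-term.mistsys.net { port 2200; retry 1000; timeout 60; }
} }
'''

def parse_junos(text):
    """Parse brace-style Junos output into nested dicts (leaf: first word -> rest)."""
    tokens = re.findall(r'"[^"]*"|##[^\n]*|[{};]|[^\s{};]+', text)
    stack, words = [{}], []
    for tok in tokens:
        if tok.startswith('##'):        # annotation such as ## SECRET-DATA
            continue
        if tok == '{':                  # open a block named by the pending words
            stack.append(stack[-1].setdefault(' '.join(words), {}))
            words = []
        elif tok == '}':
            stack.pop()
        elif tok == ';':                # end of a leaf statement
            if words:
                stack[-1][words[0]] = ' '.join(words[1:])
            words = []
        else:
            words.append(tok)
    return stack[0]

def audit_adoption(cfg, host='oc-term.mistsys.net', port='2200'):
    """Findings for the juniper-mist client; defaults are the page's sample values (assumed)."""
    client = cfg.get('outbound-ssh', {}).get('client juniper-mist')
    if not isinstance(client, dict):
        return ['outbound-ssh client juniper-mist is missing']
    findings = []
    if client.get('services') != 'netconf':
        findings.append('services is not netconf only')
    servers = {k: v for k, v in client.items() if isinstance(v, dict) and k != 'keep-alive'}
    if host not in servers:
        findings.append(f'{host} is not configured')
    for name, opts in servers.items():
        if name != host:
            findings.append(f'unexpected server {name}')
        elif opts.get('port') != port:
            findings.append(f'{name} uses port {opts.get("port")}')
    return findings
```

Call `audit_adoption(parse_junos(output))` on the text captured from the switch; an empty list means the outbound-ssh client points only at the expected host and port and exposes only NETCONF.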
Add the Switch to the Juniper Mist Cloud Architecture and View Details
Now that the switch is able to register with the Juniper Mist portal, the next steps are to add the switch to the appropriate site and assign access points.

Step-by-Step Procedure
- To add the switch to a site, click Organization > Inventory in the Juniper Mist menu and then the Switches tab at the top of the page that appears.
- Select the switch you just added, and then click the More button. Click Assign to Site, and then choose a site from the drop-down list that appears in the Assign Switches page. Click the Assign to Site button to complete the action.
Figure 7: The Switches Page Shows the EX Series Switch
- Next, select Switches from the menu on the left and click a switch name to display the access points connected to that switch.
Hover your mouse cursor over a switch in the list to see summary details of the switch, or click it to expose attached devices.
Click the name of the switch (which appears above the list) to open a page where you can dig in to switch details, including various metrics and properties. Scroll down to see the Junos configuration for that specific switch.
Figure 8: Switch Details in The Switches Page
Troubleshooting
Confirm your connection from the switch to the Juniper Mist cloud by running the Junos OS command below.
user@host> show system connections | grep 2200
The command output shows the switch connection to the Juniper Mist cloud. It includes the IP address of the management interface on the switch, the destination IP address of the Juniper Mist cloud, and the connection result.
tcp4 0 0 10.10.70.89.63208 <ip-address>.2200 ESTABLISHED
If there is no ACK of the SYN packet, chances are that outbound packets over TCP port 2200 are being blocked by the firewall, and this issue needs to be resolved before the switch can appear in the Juniper Mist portal under Organization > Inventory > Switches.
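The check described above can be scripted. This added example (not from the Juniper documentation) reads `show system connections` output and classifies the session to the cloud, matching on the foreign port itself because `grep 2200` also matches unrelated rows such as a client port of 52200. The sample rows are constructed, 192.0.2.10 is a documentation-range placeholder for the cloud address, and the function names are hypothetical.

```python
# Constructed rows in the address.port layout the page shows.
CONNECTIONS = '''\
tcp4 0 0 10.10.70.89.63208 192.0.2.10.2200 ESTABLISHED
tcp4 0 0 10.10.70.89.63212 192.0.2.10.2200 SYN_SENT
tcp4 0 0 10.10.70.89.22 10.10.70.5.52200 ESTABLISHED
'''

def mist_sessions(output, port=2200):
    """Return (local, remote_ip, state) for TCP rows whose foreign port is `port`."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith('tcp'):
            continue
        # The port is the part after the last dot of "address.port".
        remote_ip, _, remote_port = fields[4].rpartition('.')
        if remote_port == str(port):
            rows.append((fields[3], remote_ip, fields[5]))
    return rows

def diagnose(output, port=2200):
    """Map the observed TCP states to the cases the troubleshooting text covers."""
    states = {state for _, _, state in mist_sessions(output, port)}
    if 'ESTABLISHED' in states:
        return 'established'
    if 'SYN_SENT' in states:
        # SYN went out and nothing came back: the firewall case described above.
        return 'syn-unanswered'
    if not states:
        return 'no-attempt'
    return 'other: ' + ', '.join(sorted(states))

if __name__ == '__main__':
    print(diagnose(CONNECTIONS))
```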