Configure Junos Node Unifier for CSDS

Use this configuration example to configure Junos Node Unifier (JNU) for unified management of network devices in your Connected Security Distributed Services (CSDS) topology.

Junos Node Unifier (JNU) provides a unified command-line interface (CLI) view of all the nodes present in a Connected Security Distributed Services (CSDS) topology. The JNU controller and the JNU satellites communicate over the management network. This configuration example shows how to configure JNU with dual controllers. Steps that you can skip if you have one JNU controller in your JNU topology are indicated. Note that the controllers have dual Routing Engines (REs), re0 and re1, to continue forwarding packets even if one RE fails.

Tip:
Table 1: Time Estimates

  • Reading Time - Less than an hour

  • Configuration Time - Less than an hour

Example Prerequisites

Table 2: Requirements

Hardware requirements

  • Juniper Networks® MX304 for JNU controllers

  • Juniper Networks® SRX4600 for JNU satellites

Software requirements

  • Junos OS Release 24.4R1

Ensure you’ve completed basic configuration of MX Series and SRX Series Firewalls, and the nodes can communicate with each other over the management network.

Before You Begin

Table 3: Resources, and Additional Information

Understand JNU for CSDS

Configure JNU to manage the network devices in the Connected Security Distributed Services (CSDS) architecture using a single touchpoint management solution. You can perform the following tasks using JNU:

  • Configure and manage the nodes using the Junos OS configuration commands.

  • Run the Junos OS operational mode commands.

Functional Overview

Table 4: Junos Node Unifier Functional Overview

JNU controller

The JNU controller node presents the unified CLI view of multiple network devices as a centralized entity, adding the devices as JNU satellites. This node runs the jnud process to present a unified user experience and uses remote procedure calls (RPCs) to communicate with JNU satellites.

JNU satellites

JNU satellites operate under the control of the JNU controller. These nodes run security services. The jnud process also runs in the satellites.

Primary verification tasks

Verify the following:

  1. JNU controller lists the JNU satellites present in the JNU topology.

Topology Overview

Table 5: Devices, Role, and Functionality used in this Configuration

Hostname: MX1
Role: JNU controller
Function: Serves as a CLI touchpoint for all network devices in the JNU topology.

  • re0 IP address - 10.52.136.131/8

  • re1 IP address - 10.52.136.132/8

  • master-only IP address - 10.52.131.130/8

    The master-only IP address is an additional IP address configured on the management interface of both REs. This address is active only on the primary RE and moves to the new primary RE during a graceful Routing Engine switchover (GRES).

Hostname: MX2
Role: JNU controller (second controller)
Function: Serves as a second controller for high availability.

  • re0 IP address - 10.52.136.112/8

  • re1 IP address - 10.52.136.113/8

  • master-only IP address - 10.52.136.111/8

Hostname: SRX1
Role: JNU satellite
Function: Node in JNU topology that you can manage using the JNU controller.

  • IP address - 10.52.130.203/8

For every new satellite, use a unique IP address.

The nodes use the fxp0 management interface for communication between the controller and the satellites.

Topology Illustration

Figure 1: JNU Topology for CSDS

Step-By-Step Prerequisite Configuration on MX1, MX2, and SRX1

  1. Enable SSH and NETCONF services on MX1, MX2, and SRX1.

  2. Ensure SSH keys are available on MX1, MX2, and SRX1 before configuring the JNU controller. You can generate SSH keys manually or use the auto-generated ones.

    Follow steps a to d to manually generate SSH keys on the MX Series routers and the SRX Series Firewalls. On MX Series, generate these custom SSH keys separately for re0 and re1. Run these steps on every MX Series RE and every SRX Series Firewall.

    Note that when you use the command request jnu role controller invoke-on all-routing-engines on the controller and request jnu role satellite on the satellite during JNU configuration, Junos actively checks for custom SSH keys in /var/db/jnu/.ssh. If keys are missing, these commands generate new ones. If keys exist, the commands do not overwrite them.

    Run the following steps on each of the controller REs and satellites.

    In this example topology, run the following steps on MX1 re0, MX1 re1, MX2 re0, MX2 re1, and SRX1. If you have a single controller, run these steps for MX1 re0, MX1 re1, and SRX1:

    a. At the shell prompt, create a directory to store the SSH key pair.

    b. Create the authentication key pair for SSH.

      In this configuration, we created the keys with RSA 2048-bit encryption. We support only RSA-based encryption.

    c. Get the public key.

    d. (Only for controllers) On the controller, to generate SSH keys on the other RE, run the following command in operational mode to log in to the other RE, and repeat steps a and b. Ignore this step for the satellite:

Note the public keys that you generate; you need them to configure the JNU nodes. In the example topology, the following are the public keys for MX1 re0, MX1 re1, MX2 re0, MX2 re1, and SRX1.

  • $ABC123c1r0 is the public key of MX1 re0.

  • $ABC123c1r1 is the public key of MX1 re1.

  • $ABC123c2r0 is the public key of MX2 re0.

  • $ABC123c2r1 is the public key of MX2 re1.

  • $ABC123 is the public key of SRX1.
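
A check worth running on the noted public keys before they go into the system login configuration, as an added example that is not Juniper's code: it parses each OpenSSH public key line, flags keys that are not RSA or are shorter than the 2048 bits used in this example, and flags two nodes that share one key (for instance, re0's key copied to re1). The function names, the use of 2048 bits as a minimum, and the sample keys (constructed, not usable) are assumptions; only the node names come from this example.

```python
import base64, hashlib

def field(data):  # RFC 4253 string: 4-byte big-endian length, then the bytes
    return len(data).to_bytes(4, "big") + data

def read_field(blob, off):
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def inspect_pubkey(line):  # -> (type, RSA modulus bits, SHA256 fingerprint)
    label, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    ktype, off = read_field(blob, 0)
    if ktype.decode() != label:
        raise ValueError("type label does not match key blob")
    bits = 0
    if label == "ssh-rsa":  # blob layout: type, public exponent e, modulus n
        _e, off = read_field(blob, off)
        bits = int.from_bytes(read_field(blob, off)[0], "big").bit_length()
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return label, bits, "SHA256:" + digest

def audit(keys, min_bits=2048):  # keys: node name -> OpenSSH public key line
    findings, seen = [], {}
    for node, line in keys.items():
        try:
            ktype, bits, fp = inspect_pubkey(line)
        except ValueError as exc:  # also covers base64 decoding errors
            findings.append(f"{node}: unreadable key ({exc})")
            continue
        if ktype != "ssh-rsa":
            findings.append(f"{node}: {ktype} is not RSA")
        elif bits < min_bits:
            findings.append(f"{node}: RSA modulus is {bits} bits, below {min_bits}")
        if seen.setdefault(fp, node) != node:  # fingerprint already noted for another node
            findings.append(f"{node}: same key as {seen[fp]}")
    return findings

def rsa_line(bits, tweak):  # constructed sample: made-up modulus, not a usable key
    n = ((1 << (bits - 1)) | tweak | 1).to_bytes(bits // 8 + 1, "big")
    return "ssh-rsa " + base64.b64encode(field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(n)).decode()

ED = "ssh-ed25519 " + base64.b64encode(field(b"ssh-ed25519") + field(bytes(32))).decode()
SAMPLE = {  # constructed inventory keyed by this example's node names
    "MX1 re0": rsa_line(2048, 0x10), "MX1 re1": rsa_line(2048, 0x10),
    "MX2 re0": rsa_line(1024, 0x20), "MX2 re1": rsa_line(2048, 0x30), "SRX1": ED,
}
```

Calling audit(SAMPLE) reports the duplicated MX1 key, the 1024-bit key on MX2 re0, and the non-RSA key on SRX1; an empty list means every noted key passed.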

Step-By-Step Controller Configuration on MX1

Ensure that the SSH key pairs on MX1 re0, MX1 re1, MX2 re0, MX2 re1, and SRX1 are available and that you've noted their public keys.

Configure JNU controller on MX1. Run the following steps.

Note:

For complete sample configurations on the DUT, see:

  1. Configure the JNU controller role on all REs. Run this command on re0. Later, Junos synchronizes the configuration with re1.
  2. Configure controller auto-login into the other JNU nodes for the jnuadmin user. Repeat this step for every satellite that the controller manages.
    a. Set system login on MX1 for SRX1 using SRX1's public key.
    b. Set system login on MX1 for MX2 using MX2 re0's public key.

      Ignore this step if you have a single controller in your JNU topology.

    c. Set system login on MX1 for MX2 using MX2 re1's public key.

      Make sure that you commit the configuration at this step.

      Ignore this step if you have a single controller in your JNU topology. If you have a single controller, make sure that you commit the configuration at step a.

    d. At the shell prompt, run the following command to log in to SRX1 using SSH as the jnuadmin user for the first time. This step adds the SSH keys to the list of known hosts.

      The command prompts for Yes/No. Press Yes, press Enter, and quit (press Ctrl+C). You don't need to provide the password.

    e. At the shell prompt, run the following command to log in to MX2 re0 using SSH as the jnuadmin user for the first time. This step adds the SSH keys to the list of known hosts.

      The command prompts for Yes/No. Press Yes, press Enter, and quit (press Ctrl+C). You don't need to provide the password.

      Ignore this step if you have a single controller in your JNU topology.

    f. At the shell prompt, run the following command to log in to MX2 re1 using SSH as the jnuadmin user for the first time. This step adds the SSH keys to the list of known hosts.

      The command prompts for Yes/No. Press Yes, press Enter, and quit (press Ctrl+C). You don't need to provide the password.

      Ignore this step if you have a single controller in your JNU topology.

  3. Configure JNU management features on the JNU controller.
    a. Enable feature-rich mode.
    b. Associate the jnuadmin user for JNU management tasks.
    c. Associate the other controller for JNU management tasks using its master-only IP address.

      Ignore this step if you have a single controller in your JNU topology.

  4. Configure dual RE settings.
    a. Configure commit synchronization on the REs by default, enable graceful switchover to the other RE if the active RE fails, and enable non-stop routing (NSR).
    b. Configure master-only settings for re0 and re1.

      Make sure that you commit the configuration at this step.

Step-By-Step Controller Configuration on MX2

Ensure that the SSH key pairs on MX1 re0, MX1 re1, MX2 re0, MX2 re1, and SRX1 are available and that you've noted their public keys.

Configure JNU controller on MX2. Run the following steps.

Note:

For complete sample configurations on the DUT, see:

  1. Configure the JNU controller role on all REs. Run this command on re0.
  2. Configure controller auto-login into the other JNU nodes for the jnuadmin user. Repeat this step for every satellite that the controller manages.
    a. Set system login on MX2 for SRX1 using SRX1's public key.
    b. Set system login on MX2 for MX1 using MX1 re0's public key.

      Ignore this step if you have a single controller in your JNU topology.

    c. Set system login on MX2 for MX1 using MX1 re1's public key.

      Make sure that you commit the configuration at this step.

      Ignore this step if you have a single controller in your JNU topology. If you have a single controller, make sure that you commit the configuration at step a.

    d. At the shell prompt, run the following command to log in to SRX1 using SSH as the jnuadmin user for the first time. This step adds the SSH keys to the list of known hosts.

      The command prompts for Yes/No. Press Yes, press Enter, and quit (press Ctrl+C). You don't need to provide the password.

    e. At the shell prompt, run the following command to log in to MX1 re0 using SSH as the jnuadmin user for the first time. This step adds the SSH keys to the list of known hosts.

      The command prompts for Yes/No. Press Yes, press Enter, and quit (press Ctrl+C). You don't need to provide the password.

      Ignore this step if you have a single controller in your JNU topology.

    f. At the shell prompt, run the following command to log in to MX1 re1 using SSH as the jnuadmin user for the first time. This step adds the SSH keys to the list of known hosts.

      The command prompts for Yes/No. Press Yes, press Enter, and quit (press Ctrl+C). You don't need to provide the password.

      Ignore this step if you have a single controller in your JNU topology.

  3. Configure JNU management features on the JNU controller.
    a. Enable feature-rich mode.
    b. Associate the jnuadmin user for JNU management tasks.
    c. Associate the other controller for JNU management tasks using its master-only IP address.

      Ignore this step if you have a single controller in your JNU topology.

  4. Configure dual RE settings.
    a. Configure commit synchronization on the REs by default, enable graceful switchover to the other RE if the active RE fails, and enable NSR.
    b. Configure master-only settings for re0 and re1.

      Make sure that you commit the configuration at this step.

Step-By-Step Satellite Configuration on SRX1

Before configuring the satellites, ensure that you've configured the controllers. Ensure that the SSH key pair on SRX1 is available and that you've noted its public key.

Configure JNU satellite on SRX1. Run the following steps. Repeat these steps for every satellite in your topology and adjust the configuration as per your topology.

Note:

For complete sample configurations on the DUT, see:

  1. Configure the JNU satellite role.
  2. Configure satellite auto-login into the controllers for the jnuadmin user.
    a. Set system login on SRX1 for MX1 using MX1 re0's public key.
    b. Set system login on SRX1 for MX1 using MX1 re1's public key.
    c. Set system login on SRX1 for MX2 using MX2 re0's public key.

      Ignore this step if you have a single controller in your JNU topology.

    d. Set system login on SRX1 for MX2 using MX2 re1's public key.

      Make sure that you commit the configuration at this step.

      Ignore this step if you have a single controller in your JNU topology. If you have a single controller, make sure that you commit the configuration at step b.

    e. At the shell prompt, run the following command to log in to MX1 re0 using SSH as the jnuadmin user for the first time. This step adds the SSH keys to the list of known hosts.

      The command prompts for Yes/No. Press Yes, press Enter, and quit (press Ctrl+C). You don't need to provide the password.

    f. At the shell prompt, run the following command to log in to MX1 re1 using SSH as the jnuadmin user for the first time. This step adds the SSH keys to the list of known hosts.

      The command prompts for Yes/No. Press Yes, press Enter, and quit (press Ctrl+C). You don't need to provide the password.

    g. At the shell prompt, run the following command to log in to MX2 re0 using SSH as the jnuadmin user for the first time. This step adds the SSH keys to the list of known hosts.

      The command prompts for Yes/No. Press Yes, press Enter, and quit (press Ctrl+C). You don't need to provide the password.

      Ignore this step if you have a single controller in your JNU topology.

    h. At the shell prompt, run the following command to log in to MX2 re1 using SSH as the jnuadmin user for the first time. This step adds the SSH keys to the list of known hosts.

      The command prompts for Yes/No. Press Yes, press Enter, and quit (press Ctrl+C). You don't need to provide the password.

      Ignore this step if you have a single controller in your JNU topology.

  3. Configure JNU management features on the JNU satellite.
    a. Enable feature-rich mode.
    b. Associate the satellite for JNU management tasks.
    c. Associate the jnuadmin user for JNU management tasks.
    d. Associate the controller, MX1, for JNU management tasks.
    e. Associate the controller, MX2, for JNU management tasks.

      Make sure that you commit the configuration in this step.

      Ignore this step if you have a single controller in your JNU topology and commit the configuration in step e.

Verification

This section provides a list of show commands that you can use to verify the feature in this example.

Command - Verification Task

  • show chassis jnu satellites - Verify JNU nodes synchronization.

  • show configuration chassis jnu-management - Verify nodes in JNU topology.

Verify JNU Nodes Synchronization

Purpose

Run the command to verify that SRX1 is synchronized. The command also shows the JDM and vSRX Virtual Firewalls if they are present in your JNU topology. Both controllers, MX1 and MX2, list the satellite that you add. Satellites push their schema to the controller during the initial synchronization.

Action

From operational mode, run the show chassis jnu satellites command on the MX1 and MX2 controllers to verify that the satellites are added to the controllers.

Meaning

The controller lists the satellite's name, status, model, and Junos OS version. Synchronization takes approximately 5-6 minutes per controller per satellite.

Verify Nodes in JNU Topology

Purpose

Run the command on the controllers and the satellite to see the details of the nodes in the JNU topology.

Action

From operational mode, run the show configuration chassis jnu-management command on MX1, MX2, and SRX1 to verify the nodes in the JNU topology.

Meaning

The command shows the details of the controller and the satellite nodes.

Appendix 1: Set Commands on All Devices

Set command output on all devices.

Set Commands on MX1

Set Commands on MX2

Set Commands on SRX1

Appendix 2: Show Configuration Output on All Devices

Show command output on all devices.

Show Command on MX1

Show Command on MX2

Show Command on SRX1