Create the Campus Fabric

Choose the Campus Fabric Topology

Select the Campus Fabric IP Clos option as shown in Figure 4.

In the Topology Name field, provide a name following company standards.

Topology Settings

• BGP Local AS: represents the starting point of private BGP AS numbers that are automatically allocated per device. You can use whatever private BGP AS number range suits your deployment, routing policy is provisioned by Mist to ensure the AS numbers are never advertised outside of the fabric.
• Subnet: Represents the pool of IP addresses used for P2P links between devices. You can use whatever range suits your deployment. Mist breaks this subnet into /31 subnet addressing per link. This number can be modified to suit the specific deployment scale. For example, a /24 subnet provides up to 128 P2P /31 subnets.
• Auto Router ID Subnet: Represents the pool of IP addresses associated with each device’s loopback address. Each device will automatically get a loopback IP address /32 assigned from this pool. You can use whatever range suits your deployment. VXAN tunneling using a VTEP is associated with this address. The loopback IP addresses assigned here are only visible in the underlay transport network. The definition of these underlay loopback IP addresses is critical for the operation of the EVPN/VXLAN fabric.
• Loopback per-VRF-subnet: Represents a second pool of loopback IP addresses which are associated each with an L3-VRF and switch of the overlay fabric network. It is designed for scale-out services in the overlay network where some services, like DHCP relay, share a single IP address that is external to the fabric. This is the case for anycast fabrics like ERB and IP Clos. If those L3-VRF use a dedicated loopback IP address per VRF and switch it is easy to send back returning answers to an originating VRF or switch.

Note:

In previous versions of this document, you did not have the default configuration fields for Auto Router ID, Subnet, and loopback per-VRF subnet. Instead, you had a field for loopback prefix definition like shown in Figure 5 and then you had to assign the loopback addresses for each fabric node manually. This now changed towards automatic loopback address assignments via the configuration of the Prefix Pool.

Note:

We recommend default settings for all options unless it conflicts with other networks attached to the campus fabric. The P2P links between each layer utilize /31 addressing to conserve IP addresses.

Select Campus Fabric Nodes

Select devices to participate at each layer of the Campus Fabric IP Clos. We recommend that you validate each device’s presence in the Site switch inventory before the creation of the campus fabric.

The next step is to assign the switches to the layers. Since the switches are named relative to target layer functionality, they can be quickly assigned to their roles.

The Services Block Router is where the campus fabric interconnects external devices such as firewalls, routers, or other critical devices. For example, DHCP and RADIUS servers. Devices to which external services connect to the campus fabric are known as border leaf devices. If you want to connect these services or devices to the Campus Fabric IP Clos in a separate device or pair of devices, clear the Use Core as border option and select the Select Switches option to choose the devices.

Note:

Placing the Services Block Router on a dedicated pair of switches (or single switch) alleviates the encapsulation and de-encapsulation of VXLAN headers from the core layer. If you want to combine this capability within the core devices, you must select the Use Core as border option.

Once all layers have selected the appropriate devices, you must provide an underlay loopback IP address for each device. This loopback is associated with a logical construct called a VTEP and is used as the source address of the VXLAN tunnel. Campus Fabric IP Clos has VTEPs for VXLAN tunneling on the access switches and the core switches when you enable the Core Border option.

When you define an Auto Router ID Subnet prefix, the underlay loopback IP address and router ID assignment happen automatically. There is no need to manually assign them. You may still see warnings as shown in Figure 6 about an unassigned router ID. You can ignore those since the automatic assignments happen at a later phase.

Note:

If the Auto Router ID Subnet Field is not configured (empty), you can use the previous mode of operation and manually assign the underlay loopback IP addresses as router IDs on each device that needs one. Make sure that all IP addresses are in the same subnet as required by Mist Cloud Fabric configuration.

Configure Networks

Enter network information such as VLANs and VRF (routing instances for traffic isolation purposes) options. VLANs are mapped to virtual network identifiers (VNIs) and can optionally be mapped to VRFs to provide customers a way to logically separate traffic patterns such as IoT devices from Corp IT.

VRF

In campus fabric deployment, the use of EVPN VXLAN supports native traffic isolation using routing instances, commonly called VRFs, for macro-segmentation purposes.

For more information on routing instances, see https://www.juniper.net/documentation/us/en/software/junos/routing-overview/topics/concept/routing-instances-overview.html.

VLANs can be placed into a common VRF. Here, all VLANs within each VRF have full connectivity to each other and other external networking resources. A common use case includes most enterprise domains that isolate guest wireless traffic to save Internet connectivity.

By default, the campus fabric provides complete isolation between VRFs, thus forcing inter-VRF communications to traverse a firewall or other security device. This aligns with most enterprise security use cases and compliance and is represented in this document.

Networks

VLANs can be created or imported under this section including the IP subnet and Default Gateway for each VLAN.

The Shared Elements section of the campus fabric template includes the Networks section mentioned above where VLANs are created. This can be found under the Organization > Switch Templates section, then choose the appropriate template:

Back to the campus fabric build, select Add Existing Network that includes L2 VLAN information. All VLAN and IP information is inherited from the template.

You can edit existing networks, manually add new networks, or import from an existing template:

Other IP Configuration

Mist Wired Assurance provides automatic IP addressing of integrated routing and bridging (IRB) interfaces for each of the VLANs. Then, Port Profiles and Port Configuration associate the VLAN with specific ports.

This fabric type uses anycast addressing for all devices participating in the L3 subnet. In this case, Access1 and Access2 switches are configured with shared IP addresses for each L3 subnet.

For more information on anycast gateways, see https://www.juniper.net/documentation/us/en/software/junos/evpn-vxlan/topics/concept/evpn-mclag-irb-gateway-anycast-address.html.

By default, all VLANs are placed in the default VRF. The VRF option allows you to group common VLANs into the same VRF or separate VRFs depending on traffic isolation requirements. This example includes three VRFs or routing instances: corp-it, developers, and guest-wifi. Here, you build the first corp-it VRF and select the pre-defined VLAN, vlan1099.

By default, inter-VRF communications are not supported within the campus fabric. If inter-VRF communications are required, each VRF can include extra routes such as a default route that instructs the campus fabric to use an external router or firewall for further routing capabilities or security inspection. In this example, all traffic is trunked over the ESI-LAG and the Juniper MX router handles inter-VRF routing. See Figure 1.

Notice that the MX router participates in the VLANs defined within the campus fabric and is the gateway of last resort for all traffic leaving the subnet. Select the Add Extra Routes option to inform Mist to forward all traffic leaving 10.99.99.0/24 to use the next hop of the Juniper MX router: 10.99.99.254.

Create two additional VRFs:

• developers using vlan 1088 with 0.0.0.0/0 utilizing 10.88.88.254
• guest-wifi using vlan 1033 with 0.0.0.0/0 utilizing 10.33.33.254

Now that all VLANs are configured and assigned to each VRF, click Continue at the upper-right section of the Mist UI to move to the next step.

Configure Campus Fabric Ports

The final step is to select physical ports among core, distribution, and access switches.

Note:

We recommend that you have the output of the “show lldp neighbors” command from each switch. Juniper enables LLDP out of the box and provides additional LLDP attributes when the switch is added to a campus fabric. This output provides a source of truth for which ports should be selected at each layer.

Core Switches

Core1:

Starting with Core1, select xe-1/0/5 and xe-1/0/6 terminating on distribution switches 1 and 2 respectively.

Core2:

On Core2, select xe-1/0/4 and xe-1/0/5 terminating on distribution switches 1 and 2 respectively.

Distribution Switches

When configuring the distribution switches, Dist1 and Dist2, you’ll notice two interconnect options exist:

• Link to Core
• Link to Access

Dist1:

Select Link to Core and choose xe-0/0/5 and xe-0/0/4 terminating on core switches 1 and 2 respectively.

Select Link to Access and choose ge-0/0/36 and ge-0/0/37 terminating on access switches 1 and 2 respectively.

Next, select the following interconnects of Dist2:

• Link to Core:
  • xe-0/0/6 – Core1
  • xe-0/0/5 – Core2
• Link to Access:
  • ge-0/0/36 – Access2
  • ge-0/0/37 – Access1

Access Switches

Finally, select the following interface combinations for Access1 and Access2:

Note:

QFX 5120-48Y Switch is an example switch that is targeted for the distribution layer in a campus fabric. The device supports blocks of four ports per PHY; Ports0-3, 4-7, and so on. All ports within the same PHY must operate at the same speed.

Access1:

• ge-0/0/36 – Distribution Switch – Dist1
• ge-0/0/37 – Distribution Switch – Dist2

Access2:

• ge-0/0/36 – Distribution Switch – Dist1
• ge-0/0/37 – Distribution Switch – Dist2

Once you have completed selecting all requisite port combinations, click Continue at the upper right-hand corner of the Mist UI.

Campus Fabric Configuration Confirmation

This last section provides the ability to confirm each device’s configuration as shown in Figure 7:

Note:

Because we have configured the use of Auto Router ID Subnet, the underlay loopback IP addresses may still not be assigned in this page and warnings may appear as shown above. Please ignore this for now as the assignment happens when you apply the configuration for the first time.

Once you have completed verification, click the Apply Changes button at the upper right-hand corner of the Mist UI.

You must complete the second stage confirmation to create the fabric.

Mist displays the following banner including the estimated time for the campus fabric to be built. The process includes the following:

• Mist builds point-to-point interfaces between all devices with IP addresses chosen from the range presented at the onset of the build.
• Each device is configured with a loopback address from the range presented at the onset of the build.
• eBGP is provisioned at each device with unique BGP autonomous system numbers. The primary goal of the underlay is to leverage ECMP for load-balancing traffic on a per-packet level for device loopback reachability. The primary goal of the eBGP overlay is to support customer traffic using EVPN-VXLAN.
• IP addressing of each L3 gateway IRB assigned to the access layer.
• IP addressing of each underlay lo0.0 loopback. This happens automatically in this case.
• Configuration of routing policies for underlay and overlay connectivity.
• Optimized MTU settings for P2P underlay, L3 IRB, and ESI-LAG bundles.
• Mist creates VXLAN to VLAN mapping using Virtual Network Identifier (VNI) addresses that are automatically assigned.
• VRF creation of corp-it, developers, and guest-wifi instances, each with an associated VLAN.
• VXLAN tunnelling creation between access devices and access-core devices (in support of the northbound MX router that is configured in subsequent steps).
• Downloadable connection table (.csv format) that can be used by those involved in the physical buildout of the campus fabric.
• Graphical interface depicting all devices with BGP peering and physical link status.

Once you click Close Campus Fabric Configuration, you can view a summary of the newly created Campus Fabric IP Clos.

With Juniper Mist Wired Assurance, you can download a connection table (.csv format) representing the physical layout of the campus fabric. This can be used to validate all switch interconnects for those participating in the physical campus fabric build. Once the campus fabric is built or in the process of being built, you can download the connection table.

Connection Table spreadsheet:

Apply VLANs to Access Ports

As previously discussed, Mist provides the ability to templatize well-known services such as RADIUS, NTP, DNS, and others that can be used across all devices within a site. These templates can also include VLANs and port profiles that can be targeted at each device within a site. The last step before verification is to associate VLANs with the requisite ports on each access switch.

In this case, Desktop1 and Desktop2 are associated with different ports on each access switch which requires the configuration to be applied to Access1/2 respectively. See Figure 1.

Mist APs connect to the same port on Access1/2 allowing the Switch Template to be customized with this configuration. For example, the following (found under the Organization > Switch Template) is customized to associate each switch with its role: Core, Distribution, and Access. Additionally, all access switches (defined by EX4400 Switch in this example) associated the AP port profile named “myaccess” with ge-0/0/16 without the need to configure each switch.

Using Access1 as an example, we apply vlan1099 to port ge-0/0/11 under the Port Configuration section on the Access1 switch. In this example, vlan1099 (corp-it), vlan1088 (developers), and vlan1033 (guest-wifi) are defined in the Switch Template. These VLANs are defined under the Organization > Switch template section. Here, vlan1099 is selected under the configuration profile.

The Switch Template definition for vlan1099 is shown in Figure 8, representing attributes associated with VLANs such as dot1x authentication, Quality of Service (QoS), and power over Ethernet (PoE). Similarly, you can configure vlan1088 and vlan1033.