Test Objectives

The objective of the testing was to ensure that the features work as designed in the context of a Juniper Mist-managed IP Clos fabric. All configuration of the fabric itself, the GBP tag assignment, and the SGT policy (with a few exceptions) had to be performed through the Juniper Mist portal, because this matches the end-user experience. Dynamic GBP tag assignments were performed using a local, third-party RADIUS server and the Juniper Mist Access Assurance solution. Scale testing was also conducted.

Test Goals

The testing for this JVD was intended to achieve the following goals. Review the separate Test Report Brief for more information.

Goals for the tests performed:

  • Test everything using ingress GBP enforcement. This is the default configuration of a Juniper Mist-managed fabric. No other options are available.
  • Test all Juniper Mist portal static and dynamic GBP tag assignments:
    • IPv4 prefix-based, static GBP tag assignments called Subnets.
    • MAC address host-based, static GBP tag assignments called MAC Address.
    • VLAN ID-based, static GBP tag assignments called Network.
    • Dynamic GBP tag assignments for RADIUS authorization information.
  • Limited testing using additional Junos OS CLI configuration was performed to test the following GBP tag assignments:
    • Switch port-based (interface-based) static GBP tag assignments.
  • Dynamic GBP tag assignments for RADIUS authorization information utilizing different RADIUS servers:
    • A third-party RADIUS server local to the test bed.
    • Juniper Mist Access Assurance solution as a cloud-based authentication service.
    • MAC-based GBP tag assignments based on RADIUS authentication for both of the above servers.
    • 802.1X EAP-based GBP tag assignments based on RADIUS authentication for both of the above servers.
  • Testing the hierarchy of static GBP tag assignments was performed within Layer 2 classifiers.
  • Testing that a dynamic GBP tag assignment overrides a static GBP tag assignment was performed.
  • Testing of wired clients towards wireless clients was performed for the case where the APs break out wireless client traffic directly at the AP. That traffic can then be identified at the trunk port of the access switch where the AP is attached, via static assignments such as VLAN or IP address.
  • Scale testing was performed, and the details are shared in the test report.
  • A minimum of 3 GBP tags were used, which allowed us to test different permutations of allowed and blocked traffic through SGT policy.
  • Table 1 shows the matrix that was used with respect to the location of a wired client on an access switch.
Table 1: Wired Client Testing (Wired Client to Wired Client testing)

|                           | Wired Client1          | Wired Client2                                | Wired Client3                    | Wired Client4                 |
|---------------------------|------------------------|----------------------------------------------|----------------------------------|-------------------------------|
| Location on access switch | Located on a VC member | Same VC member as Client1 but different port | Different VC member than Client1 | Different switch than Client1 |
| Same VLAN for all clients | GBP tag1               | GBP tag1                                     | GBP tag1                         | GBP tag1                      |
| Same VLAN for all clients | GBP tag1               | GBP tag2                                     | GBP tag2                         | GBP tag2                      |
| Same VLAN for all clients | GBP tag1               | GBP tag3                                     | GBP tag3                         | GBP tag3                      |

Note: Review the separate Test Report for detailed information.

Test Non-Goals

The following tests were not performed for this JVD for various reasons:

  • Testing without a fabric managed by Juniper Mist cloud was not a goal of this JVD. Even though it’s possible to build a fabric based on Junos CLI commands without it being managed by the Juniper Mist cloud, the goal was to utilize the Juniper Mist portal to manage the fabric and configure GBP tag assignments and SGT through the Juniper Mist portal.
  • Testing with Juniper Apstra configuration management was not performed.
  • Testing any other Juniper switches supporting VXLAN GBP such as EX4650, QFX5120-48Y, and QFX5120-32C was not performed since these switches are not supported in a Juniper Mist-managed fabric as access switches.
  • Testing egress enforcement was not performed. The test cases focus on ingress enforcement since the Juniper Mist cloud uses this configuration as the default.
  • Juniper Mist™ Edge integration testing was not performed. It will be added later.
  • Testing with the new GBP Layer 4 static assignment features introduced in Junos OS Release 23.2R1 was not performed:
    • The current version of the Juniper Mist portal does not allow configuring the Layer 4 static GBP tag assignments, so this test would have required us to use the additional CLI function.
  • Testing with more than one third-party RADIUS server vendor was not performed. It was assumed that if one third-party RADIUS server worked, all others should work as well. If a third-party RADIUS server does not ship a definition for the Juniper RADIUS dictionary, add a vendor-specific dictionary that uses the Juniper vendor ID 2636. You must also define the RADIUS authorization attribute “Juniper-switching-filter” in that dictionary as attribute number 48 with type string. Support for custom RADIUS dictionaries is common to all production-grade RADIUS servers.
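
The vendor ID and attribute number above determine how the attribute is laid out inside a RADIUS Vendor-Specific attribute (type 26, RFC 2865). The following Python code is an added example, not part of the Juniper document: it encodes that layout and walks an attribute list to confirm that an Access-Accept carries “Juniper-switching-filter”. The function names, the sample attribute list, and the filter string `apply action gbp-tag 100` are assumptions made for illustration.

```python
import struct

JUNIPER_VENDOR_ID = 2636      # vendor ID given on this page
SWITCHING_FILTER_TYPE = 48    # Juniper-switching-filter, type string (this page)
VSA = 26                      # RFC 2865 Vendor-Specific attribute type


def encode_switching_filter(value: str) -> bytes:
    """Build one Vendor-Specific attribute carrying Juniper-switching-filter."""
    data = value.encode("ascii")
    sub = bytes([SWITCHING_FILTER_TYPE, len(data) + 2]) + data
    total = 2 + 4 + len(sub)              # header + vendor ID + sub-attribute
    if total > 255:
        raise ValueError("filter string too long for a single attribute")
    return bytes([VSA, total]) + struct.pack("!I", JUNIPER_VENDOR_ID) + sub


def find_switching_filters(attrs: bytes) -> list[str]:
    """Walk a RADIUS attribute list; return every Juniper-switching-filter string."""
    found, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VSA or len(body) < 4:
            continue                      # not a vendor-specific attribute
        if struct.unpack("!I", body[:4])[0] != JUNIPER_VENDOR_ID:
            continue                      # another vendor's attribute
        sub, spos = body[4:], 0
        while spos + 2 <= len(sub):
            stype, slen = sub[spos], sub[spos + 1]
            if slen < 2 or spos + slen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if stype == SWITCHING_FILTER_TYPE:
                found.append(sub[spos + 2:spos + slen].decode("ascii"))
            spos += slen
    return found


# Constructed sample: the attribute list of an Access-Accept, packet header stripped.
SAMPLE_FILTER = "apply action gbp-tag 100"   # assumed filter string, not from this page
SAMPLE_ATTRS = (
    bytes([1, 7]) + b"alice"                                             # User-Name
    + bytes([VSA, 12]) + struct.pack("!I", 9) + bytes([1, 6]) + b"x=1y"  # other vendor
    + encode_switching_filter(SAMPLE_FILTER)
)
```

Running `find_switching_filters` over the attribute bytes taken from a packet capture shows whether the server's dictionary really emits vendor 2636, attribute 48, before troubleshooting moves to the switch.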