Configure an Anchor Tunnel

In specific deployments where traffic needs to be tunneled to a DMZ (Demilitarized Zone) within the data center, anchor tunnels can be used.

When configuring a Mist Edge in a DMZ, it is essential to set up the network interfaces to connect to both the untrusted external network (the Internet) on one port and the trusted internal network on another. You should also configure the Tunnel IP to specify the IP address that the access points (APs) use to establish a secure tunnel back to the corporate network, effectively isolating DMZ traffic from the internal network. If you have multiple Mist Edge devices, you must create a cluster to distribute the load of the AP tunnels. Additionally, you can establish an anchor tunnel to enable traffic flow between the Mist Edges.

In this setup, one Mist Edge sits in the DMZ facing the Internet and a core Mist Edge is located internally in the data center. The internal Mist Edge acts as the initiator and establishes the tunnel; the external (DMZ) Mist Edge terminates it. The result is a Mist Edge-to-Mist Edge tunnel, known as an anchor tunnel.

To enable traffic flow between Mist Edges in a DMZ configuration using an anchor tunnel:

  1. Onboard the Mist Edge device into the Juniper Mist cloud portal by claiming it with the provided claim code. Configure OOBM and tunnel ports for network access. See Onboard One or More Mist Edges Using a Web Browser.

  2. Enter the IP address or hostname of the internal network gateway in the Tunnel IP Configuration field.

  3. If you have multiple Mist Edge devices, create clusters and map the Mist Edge devices to the cluster.

    Within one of the clusters, the internal Mist Edge devices can be used to terminate access point (AP) tunnels. See Create a Mist Cluster.

  4. In the Mist Tunnel page, configure an Anchor Tunnel to enable traffic flow between the Mist Edge devices. Define the VLANs that need to be tunneled to the DMZ. See Create a Mist Tunnel.

  5. Map the Anchor Tunnel on the peer edge. Ensure that the same VLANs are configured on both Mist Edge devices.

  6. Configure the WLAN security settings and specify the VLANs to be tunneled. See Configure WLAN Template.

  7. Configure firewall rules to allow traffic to flow between the DMZ and the data center, as needed.
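The procedure above relies on three settings agreeing with each other: the VLAN set defined on the anchor tunnel (step 4), the same VLAN set on the peer edge (step 5), and the VLANs each WLAN tunnels (step 6). The following script is an added example, not Juniper's code or the Mist API; it models those settings as simple constructed data structures and reports any drift between them before you touch the firewall rules in step 7. The field names, device names and addresses are assumptions chosen for the example.

```python
"""Added example (not Juniper's code): a consistency check for the
anchor-tunnel procedure described above.

It encodes three conditions the procedure relies on:
  * the anchor tunnel carries a defined VLAN set (step 4),
  * the peer Mist Edge carries exactly the same VLANs (step 5),
  * every VLAN a WLAN tunnels is carried by the anchor tunnel (step 6).

The data classes and sample values are constructed for this example and do
not mirror the Mist cloud API schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EdgeConfig:
    """Hypothetical view of one Mist Edge's tunnel settings."""
    name: str
    tunnel_ip: str           # address peers use to build a tunnel to this edge
    anchor_vlans: frozenset  # VLAN IDs configured on the anchor tunnel


@dataclass(frozen=True)
class WlanConfig:
    """Hypothetical view of a WLAN template's tunneling settings."""
    ssid: str
    tunneled_vlans: frozenset


def check_anchor_tunnel(internal: EdgeConfig, dmz: EdgeConfig,
                        wlans: list) -> list:
    """Return human-readable findings; an empty list means the configs agree."""
    findings = []

    # Each edge needs its own tunnel endpoint address.
    if internal.tunnel_ip == dmz.tunnel_ip:
        findings.append(f"both edges use tunnel IP {internal.tunnel_ip}")

    # Step 4: the anchor tunnel must carry at least one VLAN.
    if not internal.anchor_vlans:
        findings.append(f"{internal.name}: anchor tunnel has no VLANs")

    # Step 5: the VLAN sets must match on both peers, in both directions.
    for vlan in sorted(internal.anchor_vlans - dmz.anchor_vlans):
        findings.append(f"VLAN {vlan} on {internal.name} but missing on {dmz.name}")
    for vlan in sorted(dmz.anchor_vlans - internal.anchor_vlans):
        findings.append(f"VLAN {vlan} on {dmz.name} but missing on {internal.name}")

    # Step 6: a WLAN may only tunnel VLANs that both edges actually carry;
    # anything else has no path across the anchor tunnel to the DMZ.
    carried = internal.anchor_vlans & dmz.anchor_vlans
    for wlan in wlans:
        for vlan in sorted(wlan.tunneled_vlans - carried):
            findings.append(
                f"WLAN {wlan.ssid}: VLAN {vlan} is tunneled but not carried "
                f"by the anchor tunnel")

    return findings


# Constructed sample data: a consistent pair and a DMZ edge that has drifted.
INTERNAL_OK = EdgeConfig("me-core-1", "10.20.0.5", frozenset({100, 200}))
DMZ_OK = EdgeConfig("me-dmz-1", "192.0.2.10", frozenset({100, 200}))
GUEST_WLAN = WlanConfig("Guest", frozenset({100}))

DMZ_DRIFT = EdgeConfig("me-dmz-1", "192.0.2.10", frozenset({100}))
PARTNER_WLAN = WlanConfig("Partner", frozenset({200}))


if __name__ == "__main__":
    cases = (("consistent", DMZ_OK, [GUEST_WLAN]),
             ("drifted", DMZ_DRIFT, [GUEST_WLAN, PARTNER_WLAN]))
    for label, dmz, wlans in cases:
        result = check_anchor_tunnel(INTERNAL_OK, dmz, wlans)
        print(f"{label}: {result or 'no findings'}")
```

Run it against your own inventory of edge and WLAN settings after steps 4 to 6 and before step 7; a non-empty findings list points at the exact VLAN or edge to correct, which is cheaper than discovering the mismatch from a client that cannot reach the DMZ.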