Getting Started
This chapter provides information about the physical port connections and the initial setup.
Initial Setup
- Physical Port Connections—Overview
- OOBM Configuration
- Understanding Tunnel Interface Configuration
- Understanding Tunnel IP or Downstream Port
- Understanding Upstream Data Port
- Guidelines to follow while bringing the Mist Edge online
Physical Port Connections—Overview
The following port connections are necessary to set up the Juniper Mist Edge appliance.
Mist Port (Out-of-Band Management Port) —The OOBM interface communicates with the Juniper Mist cloud. The interface configures network components, sends statistics, and checks the status of the Juniper Mist Edge, the Mist Edge cluster, and the AP tunnels. The interface has a Dynamic Host Configuration Protocol (DHCP) IP address by default and you can configure the interface with a static IP address.
When used as an access assurance proxy, Mist Port establishes a RadSec connection to the Mist Access Assurance Cloud service.
Tunnel Port—You can configure the tunnel (data) ports on the Juniper Mist Edge as upstream or downstream ports. The upstream data port connects to the trusted side of the network. The downstream is an untagged port that is connected to the public untrusted side of the network.
You can configure the tunnel (data) ports on the Juniper Mist Edge in a single-arm or dual-arm (downstream and upstream) configuration. A single-arm configuration carries both upstream and downstream traffic. A dual-arm configuration carries upstream and downstream traffic on two different ports.
The Tunnel IP is used to establish a Layer 2 Tunneling Protocol version 3 (L2TPv3) or IPsec tunnel from the Juniper® Series of High-Performance Access Points. Tunnel IP is the static IP address that an AP uses to set up the L2TPv3 tunnel between the AP and the Juniper Mist Edge.
It is an interface to which access points (APs) form a tunnel. You can configure the tunnel IP address in the Tunnel IP Configuration pane of the Juniper Mist portal.
If a firewall exists between the AP management subnet and the Mist Edge Tunnel IP, you must allow the traffic destined to the Tunnel IP on port 1701 for L2TPv3 tunnels and allow the traffic destined to the Tunnel IP on port 500/4500 for IPsec tunnels.
You can use the tunnel (data) port as a combined upstream and downstream port, or you can divide it into separate upstream and downstream ports. You can use the data (tunnel) port to connect to the upstream router as a trunk port. The tunnel (data) port is connected to a trunk port that is configured with all the VLANs to which the WLAN maps.
Mist Edge operates on a microservices-based architecture, where services are instantiated from the cloud as needed. On the Mist Edge, for the tunnel ports to be up and for the tunnel service to be running, the device must first be configured with a tunnel IP and must be mapped to a cluster. Subsequently, that cluster must be mapped to a tunnel.
A Mist Edge device must be assigned to a tunnel before you can upgrade the tunnel services version. Once the tunnel service is up and running, you can upgrade the tunnel services version. If a tunnel is not assigned at either the organization level or the site level, the tunnel services upgrade will not be successful.
Ensure that the OOBM and the tunnel termination IP addresses are on different subnets.
OOBM Configuration
The Juniper Mist Edge passes information about configuration, telemetry, and lifecycle management through the OOBM port to the Juniper Mist cloud. The following images depict an OOBM port and data ports on the five models of the Juniper Mist Edge.

Figure callouts, image 1: OOBM port, Data port (ge0), Data port (ge1)
Figure callouts, image 2: Data port (xe0), Data port (xe1), OOBM port
Figure callouts, image 3: OOBM port, Data port (xe0), Data port (xe1), Data port (xe2), Data port (xe3)
Figure callouts, image 4: OOBM port, Data port (xge0), Data port (xge1), Data port (xge2), Data port (xge3)
The OOBM port on the Juniper Mist Edge device is marked as MIST. By default, the OOBM port is configured for Dynamic Host Configuration Protocol (DHCP).
Connect the OOBM port of the Juniper Mist Edge to an access-mode interface of a switch. Depending on your circumstances, you can configure a static IP address from the Juniper Mist portal or from the CLI.
If your network is DHCP enabled, you must first connect to the Juniper Mist cloud by using DHCP. You then use the Juniper Mist portal to configure the static IP address. Here's an example of a configured static IP address:

If your network is not DHCP enabled, use the Juniper Mist Edge CLI to configure the OOBM port. On the Juniper Mist Edge, you can use the management port labeled as IDRAC to access the BIOS, system status, and the Juniper Mist Edge CLI.
The Integrated Dell Remote Access Controller (iDRAC) uses DHCP when you connect the device to a network. You can view the IP address from the front panel through View > IPv4 > IDRAC IP. You can access the iDRAC user interface by using the URL https://iDRAC IP address.
The default IDRAC user is root. The password is available on the back of the pull-out tag of the Juniper Mist Edge.
These instructions apply to all models except the ME-X6, which lacks a front LCD panel. ME-X6 users should check their DHCP lease or use IP scanning tools to find the iDRAC IP address.

Figure callouts: 1 - Power button, 2 - Pull-out tag
You can specify the OOBM parameters in the CLI.
You can connect to the console interface on the physical appliance by using terminal software and configure the OOBM IP address. After the management IP address is set, you can connect to the Mist Edge using SSH and perform additional configurations. The user credentials are:
- mist—The default username.
- Claim-code—The default password and the password for the root (su -) user.
You can use the following command format to specify the OOBM parameters:
mxagent oob-ip configure --address ip-address --gateway gateway-ip-address --netmask netmask --nameservers nameservers
For example:
mxagent oob-ip configure --address 172.16.3.2 --gateway 172.16.3.1 --netmask 255.255.255.0 --nameservers 10.10.10.1
The following table lists the default OOBM Interface ID for the Juniper Mist Edge (ME) models.
Mist Edge Appliance Model | Interface ID |
---|---|
Mist Edge-X1 | eno1 |
Mist Edge-X1-M | eno8303 |
Mist Edge-X5 | eno3 |
Mist Edge X5-M/Mist Edge-X10 | ens1f0 |
Mist Edge-X6 | eno8303np0 |
To set up the Juniper Mist Edge on the Juniper Mist portal, you enter details about the device, including the Tunnel IP address. The Tunnel IP address is different from the OOBM IP address received through DHCP and the static IP address that you assign to bring up the device. Therefore, you must set aside two IP addresses for the Juniper Mist Edge—one for the OOBM interface and the other for the Tunnel IP interface. The addresses should be from different subnets. The Juniper Mist Edge can communicate with the Juniper Mist cloud only when the following fully qualified domain names (FQDNs) and ports are available for the OOBM interface. Refer to Juniper Mist Ports and IP Addresses for information.
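The addressing rules above can be checked before anything is typed on the console. The following is an added example, not Juniper code: it validates a planned OOBM address, netmask, and gateway, confirms that the Tunnel IP subnet does not overlap the OOBM subnet, and only then builds the mxagent command in the format shown earlier. The function names and the Tunnel IP value 10.20.0.5/24 are constructed for illustration, and IPv4 addressing with a single name server is assumed.

```python
import ipaddress

def check_address_plan(oobm_ip, netmask, gateway, tunnel_cidr, nameserver):
    """Return a list of problems in a planned Mist Edge address plan ([] means OK)."""
    try:
        oobm = ipaddress.ip_interface(f"{oobm_ip}/{netmask}")
        gw = ipaddress.ip_address(gateway)
        tunnel = ipaddress.ip_interface(tunnel_cidr)
        ipaddress.ip_address(nameserver)
    except ValueError as exc:
        return [f"invalid address or netmask: {exc}"]

    problems = []
    net = oobm.network
    # On ordinary subnets the first and last addresses are not usable host addresses.
    if net.prefixlen < 31 and oobm.ip in (net.network_address, net.broadcast_address):
        problems.append("OOBM address is the network or broadcast address")
    if gw not in net:
        problems.append("gateway is outside the OOBM subnet")
    elif gw == oobm.ip:
        problems.append("gateway equals the OOBM address")
    # The page requires the OOBM and tunnel termination addresses on different subnets.
    if net.overlaps(tunnel.network):
        problems.append("OOBM and Tunnel IP subnets overlap")
    return problems

def oob_ip_command(oobm_ip, netmask, gateway, tunnel_cidr, nameserver):
    """Build the mxagent command from the page, refusing an invalid plan."""
    problems = check_address_plan(oobm_ip, netmask, gateway, tunnel_cidr, nameserver)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"mxagent oob-ip configure --address {oobm_ip} --gateway {gateway} "
            f"--netmask {netmask} --nameservers {nameserver}")

if __name__ == "__main__":
    # OOBM values are the page's example; the Tunnel IP is a constructed sample.
    print(oob_ip_command("172.16.3.2", "255.255.255.0", "172.16.3.1",
                         "10.20.0.5/24", "10.10.10.1"))
    # A plan that puts the Tunnel IP in the management subnet is rejected.
    print(check_address_plan("172.16.3.2", "255.255.255.0", "172.16.3.1",
                             "172.16.3.50/24", "10.10.10.1"))
```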
Understanding Tunnel Interface Configuration
You can configure the tunnel (data) ports on the Juniper Mist Edge as a single arm or as dual arms (downstream and upstream).
- Single Arm—Carries both upstream and downstream traffic. You can configure and detect one or more ports as a single Link Aggregation Control Protocol (LACP).
- Dual Arm—Carries upstream and downstream traffic on two different ports. You can configure and detect dual arm port configuration as two LACPs.
Note: LACP is enabled only when more than one port is selected for downstream, upstream, or combined connections.
Understanding Tunnel IP or Downstream Port
Tunnel IP is the virtual interface used by an AP to establish the L2TPv3 tunnel between the AP and the Juniper Mist Edge. It is an untagged port that should be connected to the internal IP network.
Ensure that your router or firewall does port forwarding to the Tunnel Interface IP address (UDP port 1701). This is the interface to which APs from a site or multiple sites will communicate to establish a L2TPv3 tunnel.

The Tunnel IP switch virtual interface (SVI) on the Juniper Mist Edge is a protected interface. Therefore, even without firewall protection, the interface is accessible only on:
- UDP port 1701 for L2TPv3, and UDP ports 500 and 4500 for IPsec
- TCP port 2083 for RADIUS over TLS (RadSec)
For the remote worker use case alone, the Juniper Mist Edge uses UDP ports 500 and 4500 and TCP port 2083. For all the other campus and branch use cases, the Juniper Mist Edge uses UDP port 1701.
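The per-use-case port list above translates directly into a least-privilege review of the firewall in front of the Tunnel IP. The following is an added example, not part of the Juniper documentation: it compares a ruleset with the ports the page lists for a use case and reports required ports that are not allowed and allow rules that open more than the page lists. The rule format, rule names, and addresses are constructed for illustration, and rules are treated as independent allow entries (rule ordering and deny precedence are not modeled).

```python
import ipaddress

# Ports the page lists for traffic destined to the Tunnel IP, per use case.
REQUIRED = {
    "campus_branch": {("udp", 1701)},                                # L2TPv3
    "remote_worker": {("udp", 500), ("udp", 4500), ("tcp", 2083)},   # IPsec + RadSec
}

def audit_tunnel_rules(rules, tunnel_ip, use_case):
    """Compare allow rules that match the Tunnel IP with the ports the use case needs."""
    required = REQUIRED[use_case]
    ip = ipaddress.ip_address(tunnel_ip)
    covered, excess = set(), []
    for rule in rules:
        if rule["action"] != "allow" or ip not in ipaddress.ip_network(rule["dst"]):
            continue
        lo, hi = rule["ports"]  # inclusive port range
        hits = {(p, n) for (p, n) in required if p == rule["proto"] and lo <= n <= hi}
        covered |= hits
        # The rule opens more ports than the required ones it covers.
        if hi - lo + 1 > len(hits):
            excess.append(rule["name"])
    return {"missing": sorted(required - covered), "excess": excess}

# Constructed sample ruleset; addresses come from documentation ranges.
SAMPLE_RULES = [
    {"name": "ap-l2tp", "action": "allow", "proto": "udp",
     "dst": "203.0.113.10/32", "ports": (1701, 1701)},
    {"name": "ike", "action": "allow", "proto": "udp",
     "dst": "203.0.113.10/32", "ports": (500, 500)},
    {"name": "legacy-any-tcp", "action": "allow", "proto": "tcp",
     "dst": "203.0.113.0/24", "ports": (1, 65535)},
    {"name": "other-host-natt", "action": "allow", "proto": "udp",
     "dst": "198.51.100.7/32", "ports": (4500, 4500)},
]

if __name__ == "__main__":
    for use_case in REQUIRED:
        print(use_case, audit_tunnel_rules(SAMPLE_RULES, "203.0.113.10", use_case))
```

In the sample, the remote worker audit reports UDP 4500 as missing because the only rule that allows it points at a different host, and it flags the any-port TCP rule even though that rule happens to cover port 2083.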
Understanding Upstream Data Port
You can connect your upstream data port to the trusted side of the network. This interface would typically connect to your core or aggregate switch trunked with all the necessary user VLANs allowed. Juniper Mist Edge allows L2 tagged traffic from the tunnels to this port.

To create a dual-arm configuration, in the Juniper Mist portal, select Separate Upstream and Downstream Traffic on the Tunnel Interface Configuration page. You can assign the interfaces as needed.
For information on Single-Arm and Dual-Arm Configuration, see Tunnel Port—Single-Arm and Dual-Arm Configuration. The following figure illustrates two configuration examples. The example on the left depicts Mist Edge-X5-M or Mist Edge-X10, and the example on the right depicts Mist Edge-X1. The ge0 (or xe0 and xe1) interface is connected to the public untrusted side and the ge1 (or xe2 and xe3) interface is connected to the corporate network with all the user VLANs tagged.

You can use a single-arm configuration where either a single port or multiple ports are configured in the port channel. The following example depicts a single-arm configuration where you can select one or more port channels.

For information on onboarding the Mist Edge device and setting the initial configuration, see the Juniper Mist Edge Quick Start Guide.
Guidelines to follow while bringing the Mist Edge online
After onboarding a Mist Edge device, please follow these guidelines while bringing the device online:
- Power button indicator—When the Mist Edge device is powered on and the device is up and running, ensure that the power button is green. See Figure 5.
- Out-of-Band Management (OOBM)—Once the OOBM is configured and the firewall rules are set, the Mist Edge device should appear as Connected with an amber dot and Registered in the Mist Edge inventory. This indicates that the device is successfully connected to the cloud, but there is no active AP tunnel configured. If a Mist Edge device is not connected to the cloud, it appears as Disconnected with a red dot in the Mist Edge inventory.
- LACP configuration—When selecting single-arm or dual-arm configurations with more than one port chosen for downstream, upstream, or combined connections, LACP is enabled by default. Please ensure that the connected switch ports are configured correctly.
- Tunnel interfaces—The tunnel interfaces and tunnel IP remain down until the Mist Edge is added to a cluster with a tunnel.
- Networking considerations—Ensure that the OOBM and the tunnel IP addresses are on different subnets to isolate the management and tunnel networks.
- Proxy configuration—If your environment uses a proxy, ensure that the OOBM is configured to connect to the Mist cloud and other resources. This can be done either manually or automatically through DHCP. By default, OOBM is DHCP-enabled and will automatically retrieve the proxy URL using DHCP options. Make sure that the proxy is responding correctly.
- Firewall settings—Check if a firewall is blocking the traffic from the Mist Edge device to the Mist cloud. If there is a firewall in front of the OOBM or Tunnel IP, make sure that the relevant ports are enabled. Ensure that port 443 is open to allow traffic to ep-terminator.mistsys.net. For more information, see Firewall Configuration.
By following these guidelines, you can ensure a smooth setup process for the Mist Edge device.