Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

How to Configure a Virtual Mist Edge Appliance

This chapter provides information about the overview and various tasks that you perform to configure a virtual Mist edge appliance.

Virtual Mist Edge Overview

You can run Juniper Mist Edge as a hypervisor on VMware to implement a virtual Mist Edge architecture using a Juniper Mist Edge appliance as the virtual machine (VM).

Hardware Specifications for a Mist Edge Virtual Machine

The following are the minimum hardware requirements to implement a Mist Edge VM.

Table 1: Hardware Specifications for a Mist Edge VM
Hardware Component Quantity or Capacity
CPU

4 vCPUs
RAM

32 GB
Hard disk

100 GB (thick provisioned)
NIC

Three virtual NICs

  • Supported VMware hypervisor—VMware ESXi, tested versions - 6.7.0, 7.0

  • CPU support—Juniper Mist Edge requires 1G HugePages support from the CPU. Hence, the minimum supported CPU is Intel Haswell family and above. Juniper Mist Edge does not work on older Intel CPUs or on AMD CPUs.

  • NIC Support—Juniper Mist Edge requires Data Plane Development Kit (DPDK) support. Please refer to https://core.dpdk.org/supported/nics/intel/ to see if your NIC is supported.

  • Preferred NICs—Intel x520 Dual Port 10GbE SFP+, Intel i350 Dual Port 1GbE, rNDC Qlogic Quad Port 10GbE SFP+, and rNDC Intel i350

Note:

Contact Juniper Mist Sales team to obtain a link to Mist Edge ISO file for installation.

Virtual Network Interfaces

Juniper Mist Edge requires the following three virtual NIC interfaces:

  • Out-of-Band Management (OOBM) Port Group—To connect Juniper Mist Edge to the Juniper Mist™ cloud and Radius Proxy service.

  • Downstream (Tunnel IP) Port Group—To allow Mist Tunnel (L2TPv3 or IPSEC) establishment from a Mist access point (AP).

  • Upstream Port Group—To uplink to the wired network with all the VLANs that need to be extended for clients.

The following image illustrates virtual NIC interfaces:

Virtual Network Interfaces

Firewall Port Requirements

Configure the firewall to allow the following connections:

  • The OOBM interface must have outbound access to ep-terminator.mistsys.net or ep-terminator.eu.mistsys.net (for the EU AWS environment) on TCP port 443.

  • The tunnel IP interface must allow incoming traffic on UDP Port 1701 (either the non IPsec campus or the branch use case).

  • For remote teleworker use cases with IPsec encryption, the tunnel IP interface must allow incoming traffic on UDP port 500 and UDP port 4500. Also, the firewall needs to execute port translation from outside to the tunnel IP address.

  • For a remote user in a Dot1x RadSec Proxy implementation, the OOBM interface should be able to access the RADIUS server. Also, the firewall must execute port translation on TCP port 2083 toward the tunnel IP address.

VMware Port Groups

You can configure three port groups for Juniper Mist Edge on VMware. Actual binding of port groups to individual vSwitches or dvSwitches or to physical NICs does not matter. You can adapt the binding of port groups to individual vSwitches or dvSwitches or to physical NICs based on customer and network requirements.

The following image depicts the port groups for virtual Mist Edge:

Figure 1: VMware Port Groups VMware Port Groups

Example: Mist Edge VM Deployment

This chapter describes how to deploy a Mist Edge VM.

Configure a VMware Port Group

This topic provides information about a Juniper Mist port group configuration, with examples.

OOBM Port Group

In this example VLAN ID is set to 0 on the VMware  side, while the actual untagged VLAN on the switchport is set to 5. .

OOBM Port Group

Tunnel IP Port Group

In this example, incoming tunnel connections from the access point (AP) land in this tunnel IP port group.

Figure 2: Tunnel IP Port Group Tunnel IP Port Group

Upstream Port Group

You can configure the upstream port as trunk to tag all VLANs. The ESXi running a basic vSwitch has a 4095 VLAN ID that tags all VLANs automatically. The dvSwitch on a large-scale vCenter deployment enables you to configure VLAN range.

Figure 3: Upstream Port Group Upstream Port Group

Multiple Uplinks and LAG Configuration

While VMware supports multiple uplinks with static or dynamic link aggregation, the default behavior for port groups in Promiscuous mode causes issues with any broadcast or Layer 2 (L2) multicast traffic.

By default, VMware vSwitch or dvSwitch copies any outgoing broadcast or multicast frame to all the uplinks, including the one it came in from. You must disable this behavior to allow client traffic to be tunneled without causing any loops on the network. This change is mandatory whenever using multiple uplinks with VMware (ESXi or vCenter).

For more information about disabling this behavior, see VMware KB article

Enabling ReversePathFwdCheckPromisc on VMware ESXi Portal
  1. From the Navigator window, select Manage > System > Advanced Settings.
  2. Scroll down or use the search bar to go to the Net.ReversePathFwdCheckPromis option.
  3. Select Net.ReversePathFwdCheckPromisc and click Edit option.
  4. In the Edit option Net.ReversePathFwdCheckPromisc window, update the New value field to 1 and click Save.
    Note:

    For the settings to take effect, the guest OS must toggle the Promiscuous mode off and on. An operation such as a guest OS reboot or a vMotion to another ESXi host with the /Net/ReversePathFwdCheckPromisc setting enabled is sufficient. The setting does not require a reboot of the ESXi host to take effect.

Create a Juniper Mist Edge VM Using the VMWare ESXi Portal

This topic describes how to download installation image from Juniper Mist portal and create a Juniper Mist Edge VM.

To download installation image and to create a Juniper Mist Edge VM:

  1. From the left menu of the Juniper Mist portal, select Mist Edges > Mist Edge Inventory.
  2. On the Mist Edge Inventory pane, click Create Mist Edge.
  3. In the Create Mist Edge page, enter a name in the add Mist Edge Name field and select a model from the Model drop-down. For Virtual Mist Edge, select VM as the model.
  4. Download the Installation Image and SHA256 checksum from the links.
  5. Verify the checksum.
    On a Mac, you can use the inbuilt SHASUM to generate the SHA256 checksum of the downloaded installation image.

    You can match the generated checksum with the content in the downloaded checksum file.

    On a Windows PC, you can use the inbuilt tool, certutil with the MD5 or SHA256 hash algorithms (amongst others) to establish the unique checksum of any file.

  6. In the VMWare ESXi Portal, upload the ISO to the VMware storage, as the following screenshot shows:
  7. Create a VM with the following settings:

    Ensure that you add all the network interfaces at this stage. Use the VMXNET3 adapter type and not E1000/E1000E, and add the network interfaces in the following order:

    1. Out of Band management (OOBM)

    2. Tunnel IP interface

    3. Upstream Port

    Set two IP addresses for Juniper Mist Edge—one for OOBM and other for Tunnel IP, from different subnets. The OOBM IP address is different from Tunnel IP that you enter in the Mist Edge details on Juniper Mist portal. This is true whether you receive the OOBM IP address through the Dynamic Host Control Protocol (DHCP) or the static IP address you assign while bringing up the Mist Edge VM.

  8. After the VM is created, click Finish and Start the VM.
  9. When the Mist Edge VM is powered on, select Install.
    Note: The default selection on the Mist Edge VM installation screen is Graphical install. If you want to install a Mist Edge VM, change the selection to Install and press the Enter key.

    The Mist Edge VM is installed in a minute or two and prompts for a mxedge login.

    The VM installation is automated. You do not need to intervene after you select the Install option.

    Log in to the Mist Edge VM and claim it to the Juniper Mist™ cloud.

Deploy Juniper Mist Edge Using the Juniper Mist Portal

This chapter provides information about the various tasks that you perform to deploy the Juniper Mist™ Edge.

Create Juniper Mist Edge

When you want to implement a virtual Mist Edge architecture using a Juniper Mist Edge appliance as the virtual machine (VM), you have to create a Juniper Mist Edge from the Juniper Mist Portal.

To create a Juniper Mist Edge from the Juniper Mist portal:

  1. From the left menu of the Juniper Mist portal, select Mist Edges > Mist Edge Inventory.
  2. On the Mist Edge Inventory pane, click Create Mist Edge.
  3. In the Create Mist Edge page, enter a name in the add Mist Edge Name field and select a model from the Model drop-down. For Virtual Mist Edge, select VM as the model.
  4. Download the Installation Image and SHA256 checksum from the links.
  5. Verify the checksum.
    On a Mac, you can use the inbuilt SHASUM to generate the SHA256 checksum of the downloaded installation image.

    You can match the generated checksum with the content in the downloaded checksum file.

    On a Windows PC, you can use the inbuilt tool, certutil with the MD5 or SHA256 hash algorithms (amongst others) to establish the unique checksum of any file.

  6. In the Mist Edge Inventory page, select the newly created Juniper Mist Edge. The page displays the configuration options available for the Juniper Mist Edge.

    Tunnel IP configuration is always a static IP address to which the Access Points try to set up tunnel connections (either L2TPv3 or IPSec).

    DHCP provides the Out of Band management (OOBM) IP by default. You can also configure static OOBM IP in the portal and it is different from the Tunnel IP.

  7. Copy and save the Registration Code.

Provision the Virtual Mist Edge

After you configure the Juniper Mist Edge on the Juniper Mist portal, you can connect to the console interface on the physical appliance using a terminal software and configure the OOBM IP address.

Once your Virtual Mist Edge boots up for the first time, login to the device using the following credentials:

  1. Enter the username and password.

    The default username is mist, the password is Mist@1234 and the default root (su-) password is mist.

  2. Configure the DHCP address. If DHCP is not available, configure the static IP address.
  3. Configure the proxy URL.
  4. Get the current management IP address by issuing the command ip a .
    The OOBM interface is ens192.
  5. Use SSH to connect to the Juniper Mist Edge with the username mist
    ssh mist@OOBM-IP. Enter Mist@1234 as the password.
  6. Switch to root by issuing the command su-. Enter mist as the password.
  7. To register the device and onboard it to the Mist Cloud, issue the following commands from CLI:
    mist@mxedge:~$ su –
    Password: mist
    root@mxedge:~#
  8. After the update, register the device. .
    Enter the following command:

    At the end of the process, you see the following message:

    After the process is complete, the Juniper Mist Edge reboots automatically. At this point, you do not need SSH to connect to the Juniper Mist Edge. The device pulls the configuration from the Juniper Mist cloud.

    After the reboot, the Juniper Mist Edge appears as connected on the Mist Edge Inventory page. An orange dot also indicates the connected status of the device.

Create a Mist Cluster and Assign a Mist Edge

After you create a Juniper Mist Edge on the Juniper Mist portal, you must add the device to a Mist Cluster. A cluster can comprise a single edge device or multiple edge devices. You can skip this step for Mist Edges at Site level.

To create a cluster:

  1. From the left menu of the Juniper Mist portal, select Mist Edges.
    Mist Edges Clusters page appears.
  2. In the Mist Edges Clusters page, click Create Cluster.
  3. On the Create Mist Cluster page, enter a name in the Cluster Name field and in the Select Mist Edges field, select the edge devices to add to the cluster.
  4. Click Create to create the cluster.

Create Mist Tunnel (Organization Level)

After you create a cluster, you must configure a tunnel and bind the tunnel to the cluster. Typically, the tunnel is where you list all your user VLANs (client VLANs) that you want to extend from your corporate network to the APs.

To create a Mist Tunnel at the organization level:

  1. From the left menu of the Juniper Mist portal, select Mist Edges.
  2. In the Mist Tunnels pane, click Create Tunnel.
    Mist Tunnels page appears.
  3. On the Mist Tunnels page, in the VLAN ID(s) field, specify all the user VLANs that you must tunnel back. Separate the VLAN IDs in the list with commas.
  4. In the Cluster pane, assign the tunnel to a primary or a secondary Mist Edge Cluster created using the steps described in Create a Mist Cluster earlier. In either the Primary Cluster or the Secondary Cluster field, select the required cluster from the drop-down list. You can retain the default entry or selection in the other fields on the page.
    After you map the Mist Edge and tunnel to a cluster, the tunnel termination service is instantiated from the cloud on the Mist Edge.

Create Mist Tunnel (Site Level)

After you claim the Juniper Mist Edge, you can assign it to a site.

To create a Mist Tunnel at the site level:

  1. From the left menu of the Juniper Mist portal, select Organization > Site Configuration and select your desired site.
  2. On the Site Configuration page, to add a tunnel for the desired site, click Add Tunnel.
  3. On the Add Tunnels page, in the VLAN ID(s) field, enter all the user VLANs that you want to extend from your corporate network to the APs. Separate the VLAN IDs in the list with commas.
  4. Select Enable Primary Cluster. In the Hostname IPs field, enter the IP address or the fully qualified domain name (FQDN) of the cluster with which the APs will communicate.
    This cluster IP address is the same as the tunnel IP address that you configured on the Juniper Mist Edge.
  5. Click Save.

Configure WLAN Template

A WLAN template is a collection of WLAN policies, tunneling policies and WxLAN policies. Instead of repeating a given configuration across multiple service set identifiers (SSIDs), with WLAN templates you can set it once and then attach APs to the template to automatically inherit the setting. Both the APs and WLAN must belong to the same site.

You must use the WLAN Templates to enable the corporate SSID. You can create a WLAN template and use the template assignment for:

  • Specific sites or a collection of individual sites that are mapped to a Site-Group.

  • Entire organization with actual office sites added as exceptions.

To configure a WLAN template:

  1. From the left menu of the Juniper Mist portal, select Organization > Wireless > WLAN Templates.
  2. On the WLAN Templates page, click Create Template.
  3. Enter a name for the template in the Template Name field. Click Create. The name will appear in the WLAN Template list.
  4. On the new template page, select Entire Org or Sites and Site Groups to assign the template to an organization or to Sites and Site groups.
    Figure 4: WLAN Template Assigned to Sites and Site Groups WLAN Template Assigned to Sites and Site Groups
    Figure 5: WLAN Template Assigned to Entire Organization with Some Exceptions WLAN Template Assigned to Entire Organization with Some Exceptions
  5. On the WLAN templates page, in the WLANs pane, select Add WLAN .
    The Create WLAN page appears.
    1. In the Create WLAN page, you can specify the security settings.
    2. Enter other settings, as needed. For tips about the various WLAN settings, see WLAN Options.
    3. In the Create WLAN page, specify the number of VLANs to be tunneled through the Juniper Mist Edge in the VLAN ID field.
      Note that Juniper® Series of High-Performance Access Points do not tunnel any WLAN configured with an untagged VLAN. You can choose the APs that are tunneled as per the deployment type.
    4. In the Create WLAN page, for organization-level deployment, select Custom Forwarding to and then select Mist from the drop-down list. Next, select tunnel profile from the Tunnel drop-down list. Note that this Mist tunnel must be the same VLAN that you want to tunnel.
    5. In the Create WLAN page, for site-level deployment, select Custom Forwarding to and then select Site Edge from the drop-down list.
    6. Click Create.