Example: Mist Edge VM Deployment

This chapter describes how to deploy a Mist Edge VM.

Configure a VMware Port Group

This topic provides information about a Juniper Mist port group configuration, with examples.

OOBM Port Group

In this example, the VLAN ID is set to 0 on the VMware side, while the actual untagged VLAN on the switchport is set to 5.

Tunnel IP Port Group

In this example, incoming tunnel connections from the access point (AP) land in this tunnel IP port group.

Figure 1: Tunnel IP Port Group

Upstream Port Group

You can configure the upstream port as a trunk to tag all VLANs. The ESXi running a basic vSwitch has a 4095 VLAN ID that tags all VLANs automatically. The dvSwitch on a large-scale vCenter deployment enables you to configure a VLAN range.

Figure 2: Upstream Port Group

Multiple Uplinks and LAG Configuration

While VMware supports multiple uplinks with static or dynamic link aggregation, the default behavior for port groups in Promiscuous mode causes issues with any broadcast or Layer 2 (L2) multicast traffic.

By default, VMware vSwitch or dvSwitch copies any outgoing broadcast or multicast frame to all the uplinks, including the one it came in from. You must disable this behavior to allow client traffic to be tunneled without causing any loops on the network. This change is mandatory whenever using multiple uplinks with VMware (ESXi or vCenter).

For more information about disabling this behavior, see VMware KB article

Enabling ReversePathFwdCheckPromisc on VMware ESXi Portal

  1. From the Navigator window, select Manage > System > Advanced Settings.
  2. Scroll down or use the search bar to go to the Net.ReversePathFwdCheckPromisc option.
  3. Select Net.ReversePathFwdCheckPromisc and click Edit option.
  4. In the Edit option Net.ReversePathFwdCheckPromisc window, update the New value field to 1 and click Save.
    Note:

    For the settings to take effect, the guest OS must toggle the Promiscuous mode off and on. An operation such as a guest OS reboot or a vMotion to another ESXi host with the /Net/ReversePathFwdCheckPromisc setting enabled is sufficient. The setting does not require a reboot of the ESXi host to take effect.

Create a Juniper Mist Edge VM Using the VMWare ESXi Portal

This topic describes how to download the installation image from the Juniper Mist portal and create a Juniper Mist Edge VM.

To download the installation image and create a Juniper Mist Edge VM:

  1. From the left menu of the Juniper Mist portal, select Mist Edges > Mist Edge Inventory.
  2. On the Mist Edge Inventory pane, click Create Mist Edge.
  3. In the Create Mist Edge page, enter a name in the add Mist Edge Name field and select a model from the Model drop-down. For Virtual Mist Edge, select VM as the model.
  4. Download the Installation Image and SHA256 checksum from the links.
  5. Verify the checksum.
    On a Mac, you can use the inbuilt SHASUM to generate the SHA256 checksum of the downloaded installation image.

    You can match the generated checksum with the content in the downloaded checksum file.

    On a Windows PC, you can use the inbuilt tool, certutil, with the MD5 or SHA256 hash algorithms (amongst others) to establish the unique checksum of any file.

  6. In the VMWare ESXi Portal, upload the ISO to the VMware storage.
  7. Create a VM with the following settings:

    Ensure that you add all the network interfaces at this stage. Use the VMXNET3 adapter type and not E1000/E1000E, and add the network interfaces in the following order:

    1. Out of Band management (OOBM)

    2. Tunnel IP interface

    3. Upstream Port

    Set two IP addresses for Juniper Mist Edge, one for OOBM and the other for Tunnel IP, from different subnets. The OOBM IP address is different from the Tunnel IP that you enter in the Mist Edge details on the Juniper Mist portal. This is true whether the OOBM IP address comes from the Dynamic Host Configuration Protocol (DHCP) or is a static IP address that you assign while bringing up the Mist Edge VM.

  8. After the VM is created, click Finish and Start the VM.
  9. When the Mist Edge VM is powered on, select Install.

    Please note that the default selection on the Mist Edge VM installation screen is Graphical install. Change it to Install and press the Enter key.

    The Mist Edge VM is installed in a minute or two and prompts for a mxedge login.

    The VM installation is automated. You do not need to intervene after you select the Install option.

    Log in to the Mist Edge VM and claim it to the Juniper Mist™ cloud.

Deploy Juniper Mist Edge Using the Juniper Mist Portal

This chapter provides information about the various tasks that you perform to deploy the Juniper Mist™ Edge.

Create Juniper Mist Edge

When you want to implement a virtual Mist Edge architecture using a Juniper Mist Edge appliance as the virtual machine (VM), you have to create a Juniper Mist Edge from the Juniper Mist Portal.

To create a Juniper Mist Edge from the Juniper Mist portal:

  1. From the left menu of the Juniper Mist portal, select Mist Edges > Mist Edge Inventory.
  2. On the Mist Edge Inventory pane, click Create Mist Edge.
  3. In the Create Mist Edge page, enter a name in the add Mist Edge Name field and select a model from the Model drop-down. For Virtual Mist Edge, select VM as the model.
  4. Download the Installation Image and SHA256 checksum from the links.
  5. Verify the checksum.
    On a Mac, you can use the inbuilt SHASUM to generate the SHA256 checksum of the downloaded installation image.

    You can match the generated checksum with the content in the downloaded checksum file.

    On a Windows PC, you can use the inbuilt tool, certutil, with the MD5 or SHA256 hash algorithms (amongst others) to establish the unique checksum of any file.

  6. In the Mist Edge Inventory page, select the newly created Juniper Mist Edge. The page displays the configuration options available for the Juniper Mist Edge.

    Tunnel IP configuration is always a static IP address to which the Access Points try to set up tunnel connections (either L2TPv3 or IPSec).

    DHCP provides the Out of Band management (OOBM) IP address by default. You can also configure a static OOBM IP address in the portal, and it is different from the Tunnel IP.

  7. Copy and save the Registration Code.
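
The checksum verification in step 5 of both procedures above can be scripted. The following is an added example, not part of the Juniper documentation: a shell function that computes the SHA256 digest of the downloaded image and compares it with the downloaded checksum file. The image and checksum file names are passed in by the caller, and the layout of the checksum file (a bare digest, or a digest followed by a file name) is an assumption.

```shell
#!/bin/sh
# Added example, not Juniper's code. File names are supplied by the caller.
# Windows equivalent for the digest step: certutil -hashfile <file> SHA256

# Print the lowercase SHA-256 digest of a file with whichever tool is present
# (shasum ships with macOS, sha256sum with most Linux distributions).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print tolower($1)}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Return 0 on match, 1 on mismatch, 2 on unusable input.
# Accepts a bare digest or the "digest  filename" layout, any case, LF or CRLF.
verify_image() {
    image=$1
    sumfile=$2
    if [ ! -r "$image" ] || [ ! -r "$sumfile" ]; then
        echo "missing input file" >&2
        return 2
    fi
    expected=$(tr -d '\r' < "$sumfile" | awk 'NF {print tolower($1); exit}')
    # Anything other than 64 hex characters is not a SHA-256 digest, for
    # example an MD5 value or an error page saved in place of the checksum.
    case $expected in
        *[!0-9a-f]*) expected= ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "checksum file does not hold a SHA-256 digest" >&2
        return 2
    fi
    actual=$(sha256_of "$image") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $image"
        return 0
    fi
    echo "MISMATCH: $image (expected $expected, got $actual)" >&2
    return 1
}
```

Call it as verify_image IMAGE-FILE CHECKSUM-FILE and upload the ISO to VMware storage only when it returns 0.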

Create a Mist Cluster and Assign a Mist Edge

After you create a Juniper Mist Edge on the Juniper Mist portal, you must add the device to a Mist Cluster. A cluster can comprise a single edge device or multiple edge devices. You can skip this step for Mist Edges at Site level.

To create a cluster:

  1. From the left menu of the Juniper Mist portal, select Mist Edges.
    The Mist Edges Clusters page appears.
  2. In the Mist Edges Clusters page, click Create Cluster.
  3. On the Create Mist Cluster page, enter a name in the Cluster Name field and in the Select Mist Edges field, select the edge devices to add to the cluster.
  4. Click Create to create the cluster.

Provision the Virtual Mist Edge

After you configure the Juniper Mist Edge on the Juniper Mist portal, you can connect to the console interface on the physical appliance using terminal software and configure the OOBM IP address.

Once your Virtual Mist Edge boots up for the first time, log in to the device using the following credentials:

  1. Enter the username and password.

    The default username is mist, the password is Mist@1234, and the default root (su -) password is mist.

  2. Get the current management IP address by issuing the command ip a.
    The OOBM interface is ens192.
  3. Use SSH to connect to the Juniper Mist Edge with the username mist:
    ssh mist@OOBM-IP
    Enter Mist@1234 as the password.
  4. Switch to root by issuing the command su -. Enter mist as the password.
  5. To bootstrap the device and onboard it to the Mist Cloud, issue the following commands from the CLI:
    mist@mxedge:~$ su -
    Password: mist
    root@mxedge:~# apt-get update
  6. After the update, register the device. Enter the command mxagent-helper configure --claim-code REGISTRATION CODE.

    At the end of the process, you see the following message:

    After the process is complete, the Juniper Mist Edge reboots automatically. At this point, you do not need SSH to connect to the Juniper Mist Edge. The device pulls the configuration from the Juniper Mist cloud.

    After the reboot, the Juniper Mist Edge appears as connected on the Mist Edge Inventory page. An orange dot also indicates the connected status of the device.

Create Mist Tunnel (Organization Level)

After you create a cluster, you must configure a tunnel and bind the tunnel to the cluster. Typically, the tunnel is where you list all your user VLANs (client VLANs) that you want to extend from your corporate network to the APs.

To create a Mist Tunnel at the organization level:

  1. From the left menu of the Juniper Mist portal, select Mist Edges.
    The Mist Tunnels page appears.
  2. In the Mist Tunnels pane, click Create Tunnel.
    The Mist Tunnels page appears.
  3. On the Mist Tunnels pane, in the VLAN ID(s) field, specify all the user VLANs that you must tunnel back. Separate the VLANs in the list with commas.
  4. In the Cluster pane, assign the tunnel to a primary or a secondary Mist Edge Cluster that you have created earlier. In either the Primary Cluster or the Secondary Cluster field, select the required cluster from the drop-down list. You can retain the default entry or selection in the other fields on the page.
    After you create a tunnel, the tunnel termination service download is complete on the Mist Edge.

Create Mist Tunnel (Site Level)

You can configure Juniper Mist Edge as a Site edge:

  • For deployments where traffic must be tunneled at each site due to the underlying network constraints or security concerns.

  • When only APs from a single site need to be tunneled to a Juniper Mist Edge.

  • When you have many sites with site-specific Juniper Mist Edge appliances and you want to reuse a WLAN template for ease of operation.

After you claim the Juniper Mist Edge, you must assign it to a site, like an AP. You can manage the configuration of the edge from Site > Mist Edge in the Juniper Mist portal. Specify Mist tunnel properties and failover preferences from the specific site settings.

To create a Mist Tunnel at the site level:

  1. From the left menu of the Juniper Mist portal, select Organization > Site Configuration.
    The Sites page appears.
  2. On the Sites page, click Create Site.
  3. On the Site Configuration page, select a site in the Site Name field to add a tunnel for any desired site. Next, click Add Tunnel.
  4. On the Add Tunnels page, in the VLAN ID(s) field, enter all the user VLANs that you want to extend from your corporate network to the APs. Separate the VLANs in the list with commas.
  5. Select Enable Primary Cluster. In the Hostname IPs field, enter the IP address or the fully qualified domain name (FQDN) of the cluster with which the APs will communicate.
    This cluster IP address is the same as the tunnel IP address that you previously configured for the Juniper Mist Edge.
  6. Click Save.

Configure WLAN Template

A WLAN template is a collection of WLAN policies, tunneling policies and WxLAN policies. Instead of repeating a given configuration across multiple service set identifiers (SSIDs), with WLAN templates you can set it once and then attach APs to the template to automatically inherit the setting. Both the APs and WLAN must belong to the same site.

You must use the WLAN Templates to enable the corporate SSID. You can create a WLAN template and use the template assignment for:

  • Specific sites or a collection of individual sites that are mapped to a Site-Group.

  • Entire organization with actual office sites added as exceptions.

To configure a WLAN template:

  1. From the left menu of the Juniper Mist portal, select Organization > Wireless > WLAN Templates.
  2. On the WLAN Templates page, click Create Template.
  3. On the New Template page, enter a name and select Entire Org or Site and Site Groups to assign the template.
    Figure 3: WLAN Template Assigned to Site and Site Groups
    Figure 4: WLAN Template Assigned to Entire Organization with Some Exceptions
  4. In the WLAN templates page, select Add WLAN in the WLANs pane. In the Create WLAN page, you can specify the security settings.
  5. In the Create WLAN page, specify the number of VLANs to be tunneled through the Juniper Mist Edge in the VLAN ID field.
    Note that Juniper® Series of High-Performance Access Points do not tunnel any WLAN configured with an untagged VLAN. You can choose the APs that are tunneled as per the deployment type.
  6. For organization-level deployment, select Custom Forwarding to and then select Mist from the drop-down list. Next, select tunnel profile from the Tunnel drop-down list. Note that this Mist tunnel must be the same VLAN that you want to tunnel.