This article walks through the steps to onboard, configure, and manage Juniper Mist integration with the Elisity Platform. This integration requires Cloud Control Center 15.6 or later.
NOTE:
As of Cloud Control Center release 15.6, Juniper Mist support is in beta. Enhancements to Juniper Mist support will come in subsequent releases. Some important details and limitations exist and are noted below:
- The following Juniper Access switch models have been tested
- EX4400
- Cloud Control Center integrates with Juniper Mist via API
- A dedicated docker container is deployed on an Elisity Virtual Edge VM solely as a flow forwarder. Elisity supports running a Cisco VE container and a Flow Forwarder container on the same VM instance.
- For each VLAN where enforcement is desired, an IRB must be configured.
- Layer 4 policy is not supported; only the final policy action of Permit All or Deny All takes effect
- Policy Logging is not supported
- As of Cloud Control Center 15.6, Elisity only supports a single Token for all sites.
Prerequisites
- Licensed Juniper Mist Instance and Switches
- Juniper Mist Global Region
- Juniper Mist Org ID
- Juniper Mist API Key
The following chart describes the terminology used in this document:
Term | Description
Cloud Control Center | Elisity's cloud-native, cloud-delivered control, policy, and management plane
Juniper Mist | Juniper's cloud-hosted network management console
Juniper Mist Virtual Edge | The Elisity software hosted as a component of Cloud Control Center
Flow Forwarder | The Elisity software hosted on premise that collects flows from access switches and forwards them to the Juniper Mist Virtual Edge in the cloud
Virtual Edge Node | An access switch onboarded to a Virtual Edge to be used as an enforcement point in the network
Deploying Juniper Mist Virtual Edge in Cloud Control Center
The integration between Elisity and Juniper is a departure from our other method of onboarding Cisco and Arista switching infrastructure. Instead of deploying an Elisity Virtual Edge on premise for Identity and Policy, Elisity instantiates a cloud hosted Virtual Edge that integrates with Juniper Mist via API in order to onboard Juniper access switches, collect device identity data, and manage microsegmentation policies.
A lightweight flow collector is deployed on premise. It uses a standard Virtual Edge VM but instantiates a dedicated Juniper flow collector docker container instead of the usual Virtual Edge container.
This architecture is detailed in the following diagram.
Enabling Juniper Mist Integration
Creating an Elisity Switch Template
Step 1: Log into Juniper Mist and navigate to Organization > Switch Templates.
Step 2: Either edit an existing template or create a new one.
Step 3: In the CLI Configuration section, add the following commands. The loopback address, router ID, and route distinguisher shown (1.2.3.4) are example values; replace them with the values appropriate to your deployment:
set forwarding-options evpn-vxlan gbp ingress-enforcement
set chassis forwarding-options vxlan-gbp-l3-profile
set interfaces lo0 unit 0 family inet address 1.2.3.4/32
set routing-options router-id 1.2.3.4
set protocols evpn encapsulation vxlan
set protocols evpn extended-vni-list all
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 1.2.3.4:100
set switch-options vrf-target target:1:100
Step 4: If the template is not already assigned to a site, assign it to a site. Select Assign to Sites.
Select the site you wish to apply the template to and click Add and Apply.
Step 5: The next step is to override the template on a per switch basis in order to configure additional CLI commands that are specific to that switch. Navigate to Switches, select the site, and then select the switch you wish to configure. At the top of the screen, click the hostname of the switch to enter switching configuration mode.
Step 6: In the CLI Configuration section and under the Additional CLI Commands subsection add the following commands and select Save:
Note:
You must change the IP addresses, names, and IRB numbers to match your organization's requirements. Replace the Flow Source IP placeholder with the IP of the source interface for flow export and the Flow Forwarder IP placeholder with the IP address of the Elisity Flow Forwarder.
The following output is only an example.
set interfaces irb unit 601 family inet address <VLAN601 IP/Mask>
set vlans VLAN601 l3-interface irb.601
set interfaces irb unit 602 family inet address <VLAN602 IP/Mask>
set vlans VLAN602 l3-interface irb.602
set vlans VLAN601 vxlan vni 601
set vlans VLAN602 vxlan vni 602
set vlans VLAN601 vlan-id 601
set vlans VLAN602 vlan-id 602
set services inline-monitoring template template_1 template-refresh-rate 30
set services inline-monitoring template template_1 observation-domain-id 25
set services inline-monitoring template template_1 template-id 32768
set services inline-monitoring template template_1 flow-inactive-timeout 10
set services inline-monitoring template template_1 template-type ipv4-template
set services inline-monitoring instance i1 template-name template_1
set services inline-monitoring instance i1 collector c2 source-address <Flow Source IP>
set services inline-monitoring instance i1 collector c2 destination-address <Flow Forwarder IP>
set services inline-monitoring instance i1 collector c2 dscp 21
set services inline-monitoring instance i1 collector c2 destination-port 31739
set firewall family inet filter ipv4_ingress term rule1 then inline-monitoring-instance i1
set interfaces irb unit 601 family inet filter input ipv4_ingress
set interfaces irb unit 602 family inet filter input ipv4_ingress
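Once the inline-monitoring configuration above is committed, the switch exports IPFIX on UDP port 31739 to the Flow Forwarder. The following added example (not Elisity's or Juniper's code) is a small listener that decodes the IPFIX message and set headers (RFC 7011) so you can confirm, from the collector side, that flows arrive from the expected observation domain (25) and announce the expected template ID (32768), both taken from the configuration above. The element IDs 8 and 12 in the constructed sample are the IANA sourceIPv4Address and destinationIPv4Address fields; the sample datagram itself is constructed for the test, not captured from a switch.

```python
"""Added example (not Elisity's or Juniper's code): decode IPFIX headers arriving from
the EX switch's inline-monitoring export and check them against the configured
observation domain and template ID. Port 31739, observation-domain-id 25 and
template-id 32768 are the values used in the switch configuration above."""
import socket
import struct

IPFIX_VERSION = 10
# version, message length, export time, sequence number, observation domain ID
MESSAGE_HEADER = struct.Struct("!HHIII")
TEMPLATE_SET_ID = 2


def parse_message_header(datagram):
    """Decode the 16-byte IPFIX message header, rejecting non-IPFIX or truncated input."""
    if len(datagram) < MESSAGE_HEADER.size:
        raise ValueError("datagram shorter than an IPFIX message header")
    version, length, export_time, sequence, domain_id = MESSAGE_HEADER.unpack_from(datagram)
    if version != IPFIX_VERSION:
        raise ValueError("not IPFIX (version %d); NetFlow v9 would be 9" % version)
    if length > len(datagram) or length < MESSAGE_HEADER.size:
        raise ValueError("declared length %d does not fit a %d-byte datagram" % (length, len(datagram)))
    return {"length": length, "export_time": export_time,
            "sequence": sequence, "observation_domain_id": domain_id}


def iter_sets(datagram):
    """Yield (set_id, offset, length) for each set; set 2 carries templates,
    IDs >= 256 carry data records described by the template of that ID."""
    total = parse_message_header(datagram)["length"]
    offset = MESSAGE_HEADER.size
    while offset + 4 <= total:
        set_id, set_len = struct.unpack_from("!HH", datagram, offset)
        if set_len < 4 or offset + set_len > total:
            raise ValueError("malformed set header at offset %d" % offset)
        yield set_id, offset, set_len
        offset += set_len


def template_ids(datagram):
    """Collect template IDs announced in template sets. Enterprise-specific fields
    (high bit of the element ID set) carry an extra 4-byte enterprise number."""
    ids = []
    for set_id, offset, set_len in iter_sets(datagram):
        if set_id != TEMPLATE_SET_ID:
            continue
        pos, end = offset + 4, offset + set_len
        while pos + 4 <= end:
            tid, field_count = struct.unpack_from("!HH", datagram, pos)
            if tid < 256:            # trailing padding, not a template record
                break
            pos += 4
            for _ in range(field_count):
                element_id = struct.unpack_from("!H", datagram, pos)[0]
                pos += 8 if element_id & 0x8000 else 4
            ids.append(tid)
    return ids


def check_export(datagram, expected_domain=25, expected_template=32768):
    """True when the datagram is IPFIX from the expected observation domain and,
    if it carries templates, announces the expected template ID."""
    header = parse_message_header(datagram)
    if header["observation_domain_id"] != expected_domain:
        return False
    announced = template_ids(datagram)
    return not announced or expected_template in announced


def listen(port=31739, count=5):
    """Receive a few exported datagrams and report header fields and the check result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    for _ in range(count):
        datagram, (src, _) = sock.recvfrom(65535)
        try:
            verdict = "OK" if check_export(datagram) else "MISMATCH"
            print(src, parse_message_header(datagram), "templates:", template_ids(datagram), verdict)
        except ValueError as exc:
            print(src, "rejected:", exc)


# Constructed sample: header from observation domain 25 plus one template set that
# announces template 32768 with two fields (sourceIPv4Address=8, destinationIPv4Address=12).
SAMPLE_DATAGRAM = MESSAGE_HEADER.pack(IPFIX_VERSION, 32, 1700000000, 1, 25) + struct.pack(
    "!HHHHHHHH", TEMPLATE_SET_ID, 16, 32768, 2, 8, 4, 12, 4)

if __name__ == "__main__":
    listen()
```

Run it on a lab host and temporarily point the collector destination-address at that host; the Flow Forwarder container owns its own ipvlan address, so the listener cannot simply be run beside it. A "not IPFIX" rejection usually means the template-type or collector settings on the switch are not what this article shows.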
Generating Juniper Mist API Token
Step 1: Log into Juniper Mist and navigate to Organization > Settings.
Step 2: Copy Organization ID to a notepad as this information will be used later in the deployment guide.
Step 3: In the API Token section, select Create Token.
Give the token a name, set the Access Level to Super User and the Site Access to All Sites, and then select Generate. Copy the token as it will be used later in the integration guide. Treat this token as a privileged credential: it grants organization-wide administrative access, so store it securely and revoke and regenerate it if it is ever exposed.
Deploying a Juniper Mist Virtual Edge
Step 1: Navigate to Virtual Edges. Under Standalone Virtual Edges, select + Add Virtual Edge.
Step 2: Select type Cloud Hosted. Give the Virtual Edge a name, enter the Mist Global Region, Org ID, API Key and Description and select Add.
NOTE:
You can determine the correct Mist Global Region for your organization by looking in the address bar of the Juniper Mist portal.
- Log in to the Juniper Mist portal.
- In the address bar, notice the first part of the URL, starting with the word manage and ending with com.
Example: https://manage.ac2.mist.com/admin/?org_id=xxxxxxx-xxxx-xxx
Your Mist Global Region is similar but starts with api instead of manage.
In the above example, the resulting Mist Global Region is api.ac2.mist.com.
After some time, the status of the Juniper Mist Virtual Edge hosted in the cloud should show Online.
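Before entering the Mist Global Region, Org ID and API token into Cloud Control Center, it is worth confirming that the three values belong together. The following added example (not Elisity's or Juniper's code) derives the api host from the portal URL exactly as the NOTE above describes, pulls the org_id from the same URL, and checks the token by calling the Mist API's GET /api/v1/self with the Authorization: Token header. The response shape it assumes (a privileges list of entries with scope, org_id and role) is the one the Mist API documents; the SELF dictionary in the test is constructed. Only the pure helpers are exercised offline; check_token performs the live call.

```python
"""Added example (not Elisity's or Juniper's code): validate the Mist Global Region,
Org ID and API token from Step 2 before they go into Cloud Control Center. Assumes the
Mist API's GET /api/v1/self endpoint and its 'privileges' response list."""
import json
import urllib.request
from urllib.parse import parse_qs, urlparse


def derive_api_host(portal_url):
    """'https://manage.<region>.mist.com/...' -> 'api.<region>.mist.com'."""
    host = urlparse(portal_url).hostname or ""
    if not host.startswith("manage.") or not host.endswith(".mist.com"):
        raise ValueError("not a Juniper Mist portal URL: %r" % portal_url)
    return "api." + host[len("manage."):]


def org_id_from_portal_url(portal_url):
    """The org_id query parameter carried in the portal URL, or None."""
    values = parse_qs(urlparse(portal_url).query).get("org_id")
    return values[0] if values else None


def build_self_request(api_host, token):
    """GET /api/v1/self authenticated with the Mist token header."""
    return urllib.request.Request(
        "https://%s/api/v1/self" % api_host,
        headers={"Authorization": "Token %s" % token, "Accept": "application/json"},
    )


def org_privilege(self_info, org_id):
    """The privilege entry granting org-wide access to org_id, or None when the token
    only carries site-level access or access to a different org."""
    for priv in self_info.get("privileges", []):
        if priv.get("scope") == "org" and priv.get("org_id") == org_id:
            return priv
    return None


def check_token(portal_url, org_id, token):
    """Live check: return the matching org privilege entry, or raise."""
    api_host = derive_api_host(portal_url)
    with urllib.request.urlopen(build_self_request(api_host, token), timeout=15) as resp:
        self_info = json.load(resp)
    priv = org_privilege(self_info, org_id)
    if priv is None:
        raise RuntimeError("token has no org-scope privilege for %s on %s" % (org_id, api_host))
    return priv


if __name__ == "__main__":
    import getpass
    import sys
    url = sys.argv[1]                      # portal URL copied from the address bar
    oid = org_id_from_portal_url(url) or input("Org ID: ")
    print("region:", derive_api_host(url), "org:", oid)
    print("token role:", check_token(url, oid, getpass.getpass("API token: ")).get("role"))
```

The token is read with getpass rather than passed on the command line so it does not end up in shell history; the check reads only /self and stores nothing.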
Deploying a Flow Collector
To collect and analyze flows from the Juniper access switch infrastructure, a lightweight docker container based on the Virtual Edge VM is deployed on premise. To get familiar with Elisity's Virtual Edge VM please read the Virtual Edge Deployment Guide (Hypervisor-hosted) article. Just like in the standard Virtual Edge VM deployment, a virtual machine operating system is deployed and a docker container is launched. The YAML file generated by Cloud Control Center and executed on the VM determines the type of docker container launched. In this scenario we will launch a Flow Collector.
Step 1: Follow the previous steps to deploy a Virtual Edge, but this time select Virtual Edge Type Flow Forwarder. Provide an IP address for the Flow Forwarder (different from the Virtual Edge VM's address but in the same subnet), Gateway IP, DNS, Host Name and Description. Select Add.
Step 2: Download the provisioning YAML by selecting the newly deployed Flow Forwarder on the Virtual Edge page and select Download Files.
- VE_DOCKER_xxxxxxxxxxxxxxxx.yml
This YAML file contains all of the details the Virtual Edge VM needs to deploy the Flow Forwarder container on the host system. Each Virtual Edge VM receives a unique identifier which is embedded in the file name. Below is an example of the content in the YAML file generated by Cloud Control Center.
version: '2'
services:
  Netflow-Forwarder:
    networks:
      vlan1:
        ipv4_address: 10.60.60.60
    cap_add:
      - ALL
    environment:
      - EDGE_TYPE=VE
      - EDGE_TOKEN=<EDGE_TOKEN>
    entrypoint: /etc/init.d/forwarder-ve
    # Change the image tag version appropriately instead of <PREFERRED_NF_VERSION>
    image: elisity/forwarder_ve:<PREFERRED_NF_VERSION>
    restart: always
    hostname: Netflow-Forwarder
    container_name: Netflow-Forwarder
    stdin_open: true
    tty: true
    privileged: true
    volumes:
      - type: bind
        source: /etc/elisity/VE/Netflow-Forwarder/data/
        target: /iox_data/
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
networks:
  vlan1:
    driver: ipvlan
    driver_opts:
      parent: ens192
    ipam:
      config:
        - subnet: 10.60.60.0/24
          gateway: 10.60.60.1
Step 3: Edit line 14, which reads elisity/forwarder_ve:<PREFERRED_NF_VERSION>, to reflect the Flow Forwarder release you are deploying. If you do not know the correct version number, contact your Elisity technical contact. For example:
image: elisity/forwarder_ve:release-15.6.0
Step 4: Follow the Virtual Edge Deployment Guide (Hypervisor-hosted) to deploy a Virtual Edge VM. Stop after Step 10 right before the "Adding the Virtual Edge in Cloud Control Center" section.
Step 5: Transfer the YAML file to the Virtual Edge VM host system /home/elisity directory, and run the following command from the same directory to deploy the container. Make sure to use the appropriate YAML file name generated by Cloud Control Center, not the example one below.
When prompted for a password, use the same password you used to log into the Virtual Edge VM host system.
sudo upgrade-edge create VE_DOCKER_xxxxxxxxxxxxxxxx.yml
After a couple of seconds the container will be created and the following output will be displayed:
Creating VE ... done
VE successfully created !
Run the following command to make sure the container is running properly:
docker ps
An output similar to the one below should be displayed:
Step 6: Check Cloud Control Center to ensure that the Flow Forwarder registered successfully and shows a status of Online. If the Flow Forwarder status never changes to Online, there is an IP connectivity issue between the Flow Forwarder container and Cloud Control Center.
Now you can onboard your existing Juniper access switches as Elisity Virtual Edge Nodes for policy enforcement by following the Onboard Juniper EX4400 series switches article.
Deleting Juniper Mist Virtual Edge and Flow Forwarder
Step 1: Select the more options icon to the right of the Juniper Mist Virtual Edge and then select Delete Virtual Edge.
NOTE: Before you can delete a Juniper Mist Virtual Edge, all Virtual Edge Nodes onboarded with that Virtual Edge must first be deleted.
Step 2: Select the more options icon to the right of the Flow Forwarder and then select Delete Virtual Edge.