This article walks through the steps to onboard, configure, and manage access switches managed by Juniper Mist as Virtual Edge Nodes in the Elisity Platform.
NOTE:
- The following Juniper access switch models have been tested:
  - EX4400
- For each VLAN where enforcement is desired, an IRB must be configured.
- Layer 4 policy is not supported; only the final policy action of Permit All or Deny All will take effect.
Prerequisites
- Licensed Juniper Mist Instance and Switches
- Juniper Mist Global Region
- Juniper Mist Org ID
- Juniper Mist API Key
The following chart describes the terminology used in this document:
Term | Description
Cloud Control Center | Elisity's cloud-native and cloud-delivered control, policy and management plane.
Juniper Mist | Juniper's cloud-hosted network management console.
Virtual Edge Node | An access switch onboarded to a Virtual Edge to be leveraged as an enforcement point in the network.
Deploying Juniper Mist Virtual Edge in Cloud Control Center
The integration between Elisity and Juniper is a departure from our other method of onboarding Cisco and Arista switching infrastructure. Instead of deploying an Elisity Virtual Edge on premise for Identity and Policy, Elisity instantiates a cloud hosted Virtual Edge that integrates with Juniper Mist via API in order to onboard Juniper access switches, collect device identity data, and manage microsegmentation policies.
A lightweight flow collector is deployed on premises; it uses a standard Virtual Edge VM but instantiates a dedicated Juniper flow collector Docker container.
This architecture is detailed in the following diagram.
Enabling Juniper Mist Integration
Creating an Elisity Switch Template
Step 1: Log into Juniper Mist and navigate to Organization > Switch Templates.
Step 2: Either edit an existing template or create a new one.
Step 3: In the CLI Configuration section, add the following commands:
Note:
The following commands enable Group-Based Policy (GBP) in the EVPN-VXLAN fabric. All IP addresses and interface names shown are examples only. You must update them to match your environment and review the configuration carefully before applying.
set forwarding-options evpn-vxlan gbp ingress-enforcement
set chassis forwarding-options vxlan-gbp-l3-profile
set interfaces lo0 unit 0 family inet address 1.2.3.4/32
set routing-options router-id 1.2.3.4
set protocols evpn encapsulation vxlan
set protocols evpn extended-vni-list all
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 1.2.3.4:100
set switch-options vrf-target target:1:100
Step 4: If the template is not already assigned to a site, assign it to a site. Select Assign to Sites.
Select the site you wish to apply the template to and click Add and Apply.
Step 5: The next step is to override the template on a per switch basis in order to configure additional CLI commands that are specific to that switch. Navigate to Switches, select the site, and then select the switch you wish to configure. At the top of the screen, click the hostname of the switch to enter switching configuration mode.
Step 6: In the CLI Configuration section, under the Additional CLI Commands subsection, add the following commands and select Save:
Note:
You must change the IP addresses, names, and IRB numbers to match your organization's requirements. Replace the Flow Source IP placeholder with the IP of the source interface for flow export and the Virtual Edge IP placeholder with the IP address of the parent Virtual Edge. In the example below, VLAN601 is a Data VLAN and VLAN602 is a Voice VLAN.
The following is only an example.
set interfaces irb unit 601 family inet address <VLAN601 IP/Mask>
set vlans VLAN601 l3-interface irb.601
set interfaces irb unit 602 family inet address <VLAN602 IP/Mask>
set vlans VLAN602 l3-interface irb.602
set vlans VLAN601 vxlan vni 601
set vlans VLAN602 vxlan vni 602
set vlans VLAN601 vlan-id 601
set vlans VLAN602 vlan-id 602
set services inline-monitoring template template_1 template-refresh-rate 30
set services inline-monitoring template template_1 observation-domain-id 25
set services inline-monitoring template template_1 template-id 32768
set services inline-monitoring template template_1 flow-inactive-timeout 10
set services inline-monitoring template template_1 template-type ipv4-template
set services inline-monitoring instance i1 template-name template_1
set services inline-monitoring instance i1 collector c2 source-address <Flow Source IP>
set services inline-monitoring instance i1 collector c2 destination-address <Virtual Edge IP>
set services inline-monitoring instance i1 collector c2 dscp 21
set services inline-monitoring instance i1 collector c2 destination-port 31739
set firewall family inet filter ipv4_ingress term rule1 then inline-monitoring-instance i1
set interfaces irb unit 601 family inet filter input ipv4_ingress
set interfaces irb unit 602 family inet filter input ipv4_ingress
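The per-switch block above has to be repeated for every enforcement VLAN, and the note at the top of this article makes the point that a VLAN without an IRB (and, here, without the ingress filter on that IRB) is not an enforcement point. The following is an added example, not Elisity's or Juniper's code: it renders the Additional CLI Commands from a VLAN list with the same template, instance and collector values as the example above, refuses unfilled `<...>` placeholders, and audits a rendered (or hand-written) block for VLANs that lack the filter. The VLAN ids, IRB addresses and the VNI-equals-VLAN-id convention are assumptions taken from the example; `render_switch_override` and `vlans_missing_enforcement` are hypothetical names.

```python
# Added example (not Elisity's or Juniper's code): render the per-switch
# "Additional CLI Commands" block from a list of enforcement VLANs and check
# that every declared VLAN ends up with an IRB carrying the ingress filter.
import ipaddress
from typing import Dict, List

FILTER_NAME = "ipv4_ingress"        # names taken from the example block above
MONITORING_INSTANCE = "i1"
MONITORING_TEMPLATE = "template_1"


def render_switch_override(vlans: Dict[int, str], flow_source_ip: str, virtual_edge_ip: str) -> List[str]:
    """vlans maps VLAN id -> IRB address in CIDR form, e.g. {601: "10.60.1.1/24"} (constructed)."""
    # ip_address() raises on anything that is not an address, which catches an
    # unfilled "<Flow Source IP>" placeholder before it is pushed to the switch.
    for label, value in (("Flow Source IP", flow_source_ip), ("Virtual Edge IP", virtual_edge_ip)):
        try:
            ipaddress.ip_address(value)
        except ValueError as exc:
            raise ValueError(f"{label} is not a valid address: {value!r}") from exc

    lines: List[str] = []
    for vid in sorted(vlans):
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN id {vid}")
        cidr = str(ipaddress.ip_interface(vlans[vid]))  # validates "address/mask"
        lines += [
            f"set interfaces irb unit {vid} family inet address {cidr}",
            f"set vlans VLAN{vid} l3-interface irb.{vid}",
            f"set vlans VLAN{vid} vxlan vni {vid}",       # VNI = VLAN id, as in the example
            f"set vlans VLAN{vid} vlan-id {vid}",
        ]

    t = f"set services inline-monitoring template {MONITORING_TEMPLATE}"
    c = f"set services inline-monitoring instance {MONITORING_INSTANCE} collector c2"
    lines += [
        f"{t} template-refresh-rate 30",
        f"{t} observation-domain-id 25",
        f"{t} template-id 32768",
        f"{t} flow-inactive-timeout 10",
        f"{t} template-type ipv4-template",
        f"set services inline-monitoring instance {MONITORING_INSTANCE} template-name {MONITORING_TEMPLATE}",
        f"{c} source-address {flow_source_ip}",
        f"{c} destination-address {virtual_edge_ip}",
        f"{c} dscp 21",
        f"{c} destination-port 31739",
        f"set firewall family inet filter {FILTER_NAME} term rule1 then inline-monitoring-instance {MONITORING_INSTANCE}",
    ]
    # The filter must be attached to every IRB, otherwise that VLAN exports no flows.
    lines += [f"set interfaces irb unit {vid} family inet filter input {FILTER_NAME}" for vid in sorted(vlans)]
    return lines


def vlans_missing_enforcement(lines: List[str]) -> List[int]:
    """VLAN ids declared with 'set vlans VLAN<n> vlan-id <n>' whose IRB has no input filter."""
    declared, filtered = set(), set()
    for line in lines:
        words = line.split()
        if words[:2] == ["set", "vlans"] and "vlan-id" in words:
            declared.add(int(words[words.index("vlan-id") + 1]))
        if words[:3] == ["set", "interfaces", "irb"] and "filter" in words and "input" in words:
            filtered.add(int(words[words.index("unit") + 1]))
    return sorted(declared - filtered)


if __name__ == "__main__":
    # Constructed addresses; replace with your own.
    for cmd in render_switch_override({601: "10.60.1.1/24", 602: "10.60.2.1/24"}, "10.0.0.2", "10.0.0.1"):
        print(cmd)
```

Paste the rendered lines into the Additional CLI Commands subsection; run `vlans_missing_enforcement` over any block you edited by hand before saving it.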
Generating Juniper Mist API Token
Step 1: Log into Juniper Mist and navigate to Organization > Settings.
Step 2: Copy the Organization ID to a notepad; it will be needed later in this deployment guide.
Step 3: In the API Token section, select Create Token.
Give the token a name, set the Access Level to Super User and the Site Access to All Sites, and then select Generate.
Step 4: After generating the token, copy the Key, as it will be used in the next section of the integration guide.
Configuring a Juniper Mist Cloud Controller
Step 1: Navigate to Virtual Edges > Settings.
Step 2: Select Cloud Controllers > Add Controller.
Step 3: Add the following details for the cloud controller and click Add.
- Name - Enter a name for the cloud controller.
- URL - Enter the URL for the Juniper Mist portal as follows:
  - Log in to the Juniper Mist portal.
  - Copy the URL from the address bar.
  - Change https://manage.ac2.mist.com/... to https://api.ac2.mist.com/...
- Org ID - Enter the Organization ID, which is available in Juniper Mist under Organization > Settings > Organization Settings > Organization ID.
- API Key - Enter the key generated during token creation.
- Description - Enter a description for the cloud controller.
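The three values that matter here (the API URL derived from the portal URL, the Org ID, and the API Key) are easy to get subtly wrong, and a mistake only surfaces once Cloud Control Center tries to reach Mist. The following is an added example, not Elisity's or Juniper's code, that checks them offline: it derives the API host from any regional portal URL (the `manage.` to `api.` rewrite above, generalized to the Global region host as well), builds the authenticated Mist inventory request that would be sent, and picks the switch serials the VEN wizard will later ask for out of an inventory response. The inventory response here is a constructed sample, and the Org ID and key are placeholders; `api_base_from_portal_url`, `inventory_request` and `switch_serials` are hypothetical names.

```python
# Added example (not Elisity's or Juniper's code): validate the Cloud
# Controller inputs and build (without sending) the Mist API request that
# Cloud Control Center will be making with them. Sample data is constructed.
import re
import urllib.request
from typing import Dict, List
from urllib.parse import urlsplit

# Mist organization IDs are UUIDs.
ORG_ID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def api_base_from_portal_url(portal_url: str) -> str:
    """Turn the portal URL copied from the address bar into the API base URL.

    https://manage.ac2.mist.com/admin/?org_id=...  ->  https://api.ac2.mist.com
    https://manage.mist.com/                       ->  https://api.mist.com
    Only the regional host matters; path, query and fragment are dropped.
    """
    parts = urlsplit(portal_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host.startswith("manage.") or not host.endswith("mist.com"):
        raise ValueError(f"not a Juniper Mist portal URL: {portal_url!r}")
    return "https://api." + host[len("manage."):]


def inventory_request(api_base: str, org_id: str, api_key: str) -> urllib.request.Request:
    """Build the org inventory request. Mist API tokens go in 'Authorization: Token <key>'."""
    if not ORG_ID_RE.match(org_id):
        raise ValueError("Org ID must be the UUID shown under Organization > Settings")
    if not api_key or "<" in api_key:
        raise ValueError("API Key looks like an unfilled placeholder")
    url = f"{api_base}/api/v1/orgs/{org_id}/inventory"
    return urllib.request.Request(
        url, headers={"Authorization": f"Token {api_key}", "Accept": "application/json"}
    )


def switch_serials(inventory: List[Dict]) -> Dict[str, str]:
    """Map switch hostname -> serial, skipping APs and gateways (the wizard wants the switch serial)."""
    return {
        item["hostname"]: item["serial"]
        for item in inventory
        if item.get("type") == "switch" and item.get("hostname") and item.get("serial")
    }


# Constructed sample shaped like an inventory response; not real devices.
SAMPLE_INVENTORY = [
    {"type": "switch", "model": "EX4400-48P", "hostname": "ex4400-floor1", "serial": "PLACEHOLDERSERIAL01"},
    {"type": "switch", "model": "EX4400-24P", "hostname": "ex4400-floor2", "serial": "PLACEHOLDERSERIAL02"},
    {"type": "ap", "model": "AP45", "hostname": "ap-lobby", "serial": "PLACEHOLDERSERIALAP"},
]
PLACEHOLDER_ORG_ID = "00000000-0000-4000-8000-000000000000"   # replace with your Org ID
PLACEHOLDER_API_KEY = "replace-with-generated-key"            # replace with the generated key

if __name__ == "__main__":
    base = api_base_from_portal_url("https://manage.ac2.mist.com/admin/?org_id=" + PLACEHOLDER_ORG_ID)
    req = inventory_request(base, PLACEHOLDER_ORG_ID, PLACEHOLDER_API_KEY)
    print(req.full_url)
    # Live call (needs network and a real key):
    # import json; inventory = json.load(urllib.request.urlopen(req))
    print(switch_serials(SAMPLE_INVENTORY))
```

A token created with Super User and All Sites, as the previous section requires, is what lets this request succeed; a token scoped narrower returns an authorization error on the same URL, which is the quickest way to tell a scoping mistake from a wrong URL or Org ID.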
Adding Virtual Edge Nodes in Cloud Control Center
Step 1 - Launch the Virtual Edge Node Deployment Wizard
Select the Virtual Edge Node tab in the bottom menu, and select + Add Virtual Edge Node then select Add Single Virtual Edge Node. This will launch the Virtual Edge Node Deployment Wizard.
Step 2 - Choose a Virtual Edge Group
First, a selection pane will appear with options for selecting a VE Group, Standalone VE, Switch-hosted VE, or Cloud-hosted VE (i.e. Juniper VE) to manage the VEN or VENs you are deploying.
Note: Standalone Virtual Edges are not supported when onboarding multiple VENs.
Step 3 - Choose the Virtual Edge Node Type
After selecting your VE or VE Group and clicking save, you will be directed to select the Virtual Edge Type. Select Cloud Controller as the Virtual Edge Node type.
Step 4 - Virtual Edge Node Configuration
Next, provide some basic information about the switch and make a few configuration selections. The following chart provides details about each field in this step.
Field | Description
Switch Management IP | The management IP of the switch you wish to onboard as a Virtual Edge Node for policy enforcement.
Serial Number | The serial number of the switch you wish to onboard as a Virtual Edge Node. This can be found in Organization > Inventory > Switches.
Cloud Controller | Select the previously created Cloud Controller configuration.
Description | A user-defined description for the VEN. This field is optional.
Find the Serial Number of your switch here:
Step 5 - Site Label and Distribution Zone
In this step, you can choose to inherit Site Label and Distribution Zones from the parent Virtual Edge, or you can choose to manually assign a Site Label and Distribution Zone directly to the Virtual Edge Node.
Field | Description
Site Label | Site labels can be applied to Virtual Edge Nodes for policy distribution and for analytics purposes. Site labels are used to assign Virtual Edges and Virtual Edge Nodes to Policy Sets. Read more about Site Labels and Policy Sets here.
Distribution Zone | Here you can choose to inherit the Distribution Zone from the parent Virtual Edge, assign an Access Distribution Zone, or create an Isolated Distribution Zone. If you are unfamiliar with the concept of Distribution Zones, read here.
Step 6 - Review the Summary and Click Finish
After filling out all the required fields, click Next to go to the summary page. Here you can review and edit all configurations made in the wizard. Clicking Edit on any section will take you back to that section, where you can then modify the configuration. Once you have reviewed the configuration summary, click Finish. The Virtual Edge Node onboarding process will begin immediately.
Checking the Status of a VEN Onboarding
In the top right of your Cloud Control Center dashboard, you will see a notification icon. After beginning the VEN onboarding, a blue dot will indicate that the status of your VEN onboarding has an update.
Clicking on this icon will reveal the status of your VEN onboarding. As each step of the onboarding is completed successfully, that item is marked with a green check mark and a "Success" status.
Once the onboarding is complete, your VEN will show green in Cloud Control Center and information about the switch is now visible such as hostname, switch model, number of discovered devices, and more.
Port Configurations on Virtual Edge Nodes
Port configurations for endpoint discovery and analytics can be manually configured or automated based on the following logic.
Elisity offers the ability to automate the configuration process for switch ports to selectively enable or disable the collection of device and analytics data. This automation is enabled during Virtual Edge Node onboarding, where administrators have the option to enable Enhanced Endpoint Discovery, Flow Telemetry, and Passive Endpoint Discovery upon onboarding. This automation is designed to enhance network security and operational efficiency by focusing on relevant data collection and minimizing unnecessary endpoint discovery and telemetry on specific ports. This prevents discovery and analytics of devices that are not in the scope of an organization's microsegmentation efforts, such as upstream networking equipment or daisy-chained access switch designs.
Endpoint Discovery and Telemetry Mechanisms
Endpoint Discovery
Endpoint Discovery leverages embedded switch functionality to learn and track devices connected to the switch directly or through a trunk to a downstream switch. With automatic configuration, Endpoint Discovery will be disabled on the specified port types but can still be enabled or disabled manually per switchport, or globally on a per-VEN basis as required.
Flow Telemetry
Flow Telemetry, Elisity's equivalent of NetFlow, provides valuable insights into your network's traffic patterns. With automatic configuration, Flow Telemetry will be disabled on the specified port types but can still be enabled or disabled manually per switchport, or globally on a per-VEN basis as required.
Criteria for Automatic Port Configuration
Elisity leverages Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP), along with a set of rules based on interface types and network topology, to classify switch ports as either User Network Interfaces (UNI) or Network-to-Network Interfaces (NNI). This classification determines where Endpoint Discovery and Flow Telemetry are enabled, ensuring accurate network visibility while preventing redundant data collection.
UNI and NNI Port Detection and Endpoint Discovery Configuration
By default, all ports are classified as UNI unless they meet NNI criteria. Elisity evaluates multiple factors, including CDP/LLDP neighbor data, VRF configurations, port descriptions, and interface types, to make this determination.
A port is classified as NNI if:
- It has a CDP/LLDP neighbor that is identified as a router, switch (bridge for LLDP), or IGMP device. Exceptions include WLANs and Hosts, which remain classified as UNI.
- Its interface name contains keywords such as Router, Firewall, or NNI.
- It is listed as an interface in any VRF instance.
- It is administratively down.
- It is not a switchport.
- It is a Stackwise Virtual Link.
- For Port-Channel interfaces: If any of its member interfaces meet NNI criteria, the Port-Channel itself is classified as NNI. However, member interfaces are ignored for Endpoint Discovery.
Ports that do not meet any of the above conditions remain classified as UNI, meaning Endpoint Discovery is enabled to track directly connected devices.
Flow Telemetry Configuration
Flow Telemetry is configured differently from Endpoint Discovery. Unlike Endpoint Discovery, which is disabled on Port-Channel interfaces and their members, Flow Telemetry is enabled on individual Port-Channel members for more granular traffic visibility.
Flow Telemetry is disabled on:
- VLAN, AP, LOOP, TUNNEL, and CHANNEL interfaces.
- Management interfaces such as GigabitEthernet0/0 (most models) and TenGigabitEthernet0/1 (Cisco 9600).
- Stackwise Virtual Links.
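The two rule lists above (NNI criteria for Endpoint Discovery, and the interface types excluded from Flow Telemetry) are the logic that automatic port configuration applies, and it is worth being able to predict its result for a given port before enabling it. The following is an added example, not Elisity's code: a reference implementation of those rules over a constructed interface inventory, returning the UNI/NNI role and the Endpoint Discovery and Flow Telemetry state per port. The `Interface` record, the CDP/LLDP capability strings, the reading that a WLAN or host capability overrides a bridge capability on the same neighbor (an access point advertises both), and the choice to withhold Flow Telemetry from every NNI port (the classification "determines where Endpoint Discovery and Flow Telemetry are enabled") are assumptions; `classify` and `port_settings` are hypothetical names.

```python
# Added example (not Elisity's code): reference implementation of the UNI/NNI
# classification rules and the Endpoint Discovery / Flow Telemetry settings
# that follow from them. Interface record and sample inventory are constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

NNI_NAME_KEYWORDS = ("router", "firewall", "nni")
NNI_NEIGHBOR_CAPS = {"router", "switch", "bridge", "igmp"}   # "bridge" is LLDP's name for a switch
UNI_NEIGHBOR_CAPS = {"wlan", "host"}                         # neighbors that keep the port UNI
NO_FLOW_TELEMETRY_TYPES = {"vlan", "ap", "loop", "loopback", "tunnel", "port-channel"}
MANAGEMENT_INTERFACES = {"gigabitethernet0/0", "tengigabitethernet0/1"}


@dataclass
class Interface:
    name: str
    description: str = ""
    neighbor_caps: FrozenSet[str] = frozenset()        # CDP/LLDP capabilities of the neighbor
    in_vrf: bool = False
    admin_down: bool = False
    switchport: bool = True
    svl: bool = False                                  # Stackwise Virtual Link
    members: List[str] = field(default_factory=list)   # Port-Channel member interface names


def interface_type(name: str) -> str:
    """'Port-channel1' -> 'port-channel', 'Vlan10' -> 'vlan', 'GigabitEthernet1/0/1' -> 'gigabitethernet'."""
    return re.match(r"[A-Za-z-]*", name).group(0).lower()


def uplink_neighbor(intf: Interface) -> bool:
    """True when CDP/LLDP shows a router, switch/bridge or IGMP device; WLAN and host win (assumption)."""
    caps = {c.lower() for c in intf.neighbor_caps}
    if caps & UNI_NEIGHBOR_CAPS:
        return False
    return bool(caps & NNI_NEIGHBOR_CAPS)


def classify(intf: Interface, inventory: Dict[str, Interface]) -> str:
    """Apply the NNI criteria in order; anything that matches none of them is UNI."""
    text = f"{intf.name} {intf.description}".lower()
    if uplink_neighbor(intf):
        return "NNI"
    if any(keyword in text for keyword in NNI_NAME_KEYWORDS):
        return "NNI"
    if intf.in_vrf or intf.admin_down or not intf.switchport or intf.svl:
        return "NNI"
    if interface_type(intf.name) == "port-channel":
        # A Port-Channel inherits NNI from any member that meets the criteria.
        if any(classify(inventory[m], inventory) == "NNI" for m in intf.members if m in inventory):
            return "NNI"
    return "UNI"


def port_settings(inventory: Dict[str, Interface]) -> Dict[str, dict]:
    members = {m for intf in inventory.values() for m in intf.members}
    result = {}
    for name, intf in inventory.items():
        role = classify(intf, inventory)
        itype = interface_type(name)
        # Endpoint Discovery: UNI ports only, and never on Port-Channels or their members.
        endpoint_discovery = role == "UNI" and itype != "port-channel" and name not in members
        # Flow Telemetry: off on NNI ports and on the listed interface types, management
        # ports and SVLs; a UNI Port-Channel member keeps it (the member is classified itself).
        flow_telemetry = (
            role == "UNI"
            and itype not in NO_FLOW_TELEMETRY_TYPES
            and name.lower() not in MANAGEMENT_INTERFACES
            and not intf.svl
        )
        result[name] = {"role": role, "endpoint_discovery": endpoint_discovery, "flow_telemetry": flow_telemetry}
    return result


def sample_inventory() -> Dict[str, Interface]:
    """Constructed sample, not a real switch."""
    intfs = [
        Interface("GigabitEthernet1/0/1", neighbor_caps=frozenset({"host"})),
        Interface("GigabitEthernet1/0/2", neighbor_caps=frozenset({"bridge", "wlan"})),   # access point
        Interface("GigabitEthernet1/0/3", description="Downstream closet switch", neighbor_caps=frozenset({"bridge"})),
        Interface("GigabitEthernet1/0/24", description="Uplink to core Router"),          # keyword rule
        Interface("TenGigabitEthernet1/1/1", neighbor_caps=frozenset({"switch"})),
        Interface("TenGigabitEthernet1/1/2"),
        Interface("Port-channel1", members=["TenGigabitEthernet1/1/1", "TenGigabitEthernet1/1/2"]),
        Interface("GigabitEthernet0/0", switchport=False),                                # management
        Interface("Vlan10", switchport=False),
    ]
    return {intf.name: intf for intf in intfs}


if __name__ == "__main__":
    for name, settings in port_settings(sample_inventory()).items():
        print(f"{name:26} {settings}")
```

Running it shows why the ordering of the rules matters: the access point on GigabitEthernet1/0/2 advertises a bridge capability but stays UNI because of the WLAN exception, while the closet switch on GigabitEthernet1/0/3 is NNI and loses both Endpoint Discovery and Flow Telemetry.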
CDP/LLDP for Uplink Detection
Elisity periodically scans CDP/LLDP neighbor tables to detect topology changes. If a port connects to another switch or router, Endpoint Discovery and Flow Telemetry are automatically disabled to prevent redundant infrastructure visibility. These updates occur every five minutes, ensuring configurations remain accurate as the network evolves.
Modifying Port Configurations for a VEN
After onboarding, you can review the port configurations in Cloud Control Center for each port and modify them according to your network design and the scope of your microsegmentation efforts. If you chose to leave these options disabled during onboarding, now is the time to either enable autoconfiguration or manually configure each switchport for each setting.
To do this, select your VEN, navigate to Port Configurations, and click Edit Port Configuration. This will take you to the port configuration editor for all three settings, regardless of which port configuration setting you are currently viewing.
If you have not yet configured any port configurations, simply click on Add Port Configuration as seen below.
The port configuration editor is very straightforward. For each setting, you can globally enable or disable for the selected VEN. Just below the global setting, you can choose automatic or manual port configurations for the selected setting. For manual configuration, you can select specific ports or select all ports by clicking the top check box. After selecting ports, use the arrows between the two columns to move ports into the Disabled Ports or Enabled Ports tables.
Selecting Automatic Configuration will overwrite any manually configured ports, and will disable the ability to select switchports for each table as this process will be handled according to the logic defined earlier in this article.
After reviewing these port configurations and making any adjustments, click Submit and your configurations will be immediately pushed to the VEN. Within 24 hours you should begin to see discovery data and analytics.
Decommissioning and Deleting a Virtual Edge Node
Decommissioning a VEN takes the enforcement point out of service by removing the configurations from the switch, but retains the configuration in Cloud Control Center so that you can easily put the VEN back in service with a single click.
Open the details view of your Virtual Edge Node and then select Decommission in the top right. The Virtual Edge Node status will say Decommissioned.
You can also decommission from the main VEN dashboard by clicking the three dots to the right and selecting Decommission Virtual Edge Node.
If you want to decommission multiple VENs simultaneously, select the VENs using the check boxes on the left and click Bulk Actions. Here you can perform various bulk actions such as Restart RESTCONF, Decommission, and Delete.
In any case, you will be presented with a confirmation request to finalize the decommission action with warnings or errors where applicable.
After decommissioning, the Activity Panel will show the status of the decommission process. The Activity Panel is accessible through the notification icon in the top right corner of Cloud Control Center.
After completing the decommission process for the VENs, you can then delete them from Cloud Control Center, or leave them decommissioned for easy recommissioning at a later time. Clicking the more options button under the actions panel to the right of the VENs will show the delete or recommission options for each VEN. These options are also available in the bulk actions menu as seen earlier. Deleting a VEN requires no further action.
Virtual Edge Nodes can be recommissioned in the same way that they are decommissioned. Recommissioning a VEN will also provide status feedback in the Activity Panel for tracking the step-by-step recommissioning process.