Deploying Midsize Campus with Mist Wired Assurance | 13
Overview: Midsize Campus Solution Using Mist Wired
Assurance
IN THIS SECTION
Introduction | 6
Framework | 6
Introduction
Campus networks are constantly evolving and growing at a rapid rate. No longer merely comprised of
homogenous desktops and printers, a campus now includes an array of IP devices: phones, Juniper Access
Points, tablets, and more. Knowledge workers can work anywhere their access permits. Providing a
consistent experience, regardless of how or where the user connects, can increase overall productivity.
Organizations must build a network that provides flexibility while protecting critical data from
unauthorized access.
Framework
The Juniper Networks Midsize Campus solution is built upon a standard solution architectural approach.
The baseline architecture is based on a series of building blocks, built by Juniper Networks, that are meant
to address the entire network.
For the Midsize Campus Solution Reference Architecture using Mist Wired Assurance, the following
modules are detailed:
• Access
• Aggregation
• Edge
Each of the modules takes into consideration the following elements and design requirements:
• Policy orchestration
• Network management
• Security
• Quality of service (QoS)
• High availability (HA) and resiliency
Figure 1 on page 7 illustrates the solution modules and the design considerations described in this
[Figure 1: Midsize Campus solution modules. Labels recoverable from the figure: Mist AP; Access (EX2300/EX3400/EX4300); Collapsed Core (EX4650, L2/L3); SRX Series Router; Employee, Guest, and IoT segments.]
Midsize Campus Solution Reference Architecture for
Mist Wired Assurance
IN THIS SECTION
Access Module | 8
Aggregation Module | 10
Edge Module | 11
The solution reference architecture was designed using a modular approach. Each design module is
described in detail in the following sections.
Access Module
The access module is comprised of:
• Wired access
• Wireless access
Wired Access
In a campus network, access switches provide network connectivity to end users by connecting IP-enabled
devices such as desktops, phones, and printers. Access layer switches typically reside in the wiring closets
of each floor in each physical campus facility.
Design recommendations for the access module are:
• Port density—Needed for client connection, as well as an uplink to the aggregation/core layers to reduce the client-to-uplink oversubscription ratio
• Scalability—On a need-to-grow basis to help reduce capital and operating expenditures
• Flexibility—Ability to enable port density and scalability regardless of where the physical infrastructure is located
• High availability (HA)—Redundant path, always-on power, and nonstop forwarding
• Power over Ethernet (PoE)—Ability to enable services to devices such as phones, video endpoints, and Juniper Access Points without extra power cabling, reducing capital expenditures and simplifying cabling infrastructure
• Quality of service (QoS)—Classification, marking, and prioritization of traffic flows
• Segmentation—Ability to maintain separation of traffic when needed
• Security infrastructure integration—Access control to prevent unauthorized users and devices
The access layer serves as the pathway to all network services. This layer becomes a primary boundary of
access control for security requirements as well. Virtualization capabilities, such as virtual LANs (VLANs)
and virtual routers, are important for supporting required segmentation of the access layer network. Virtual
chassis provides the flexibility and scalability to support connectivity throughout the closet while simplifying
management. In addition, integrating network security with unified access control is another important
aspect. As a first line of defense, security controls such as broadcast storm control, Dynamic Host
Configuration Protocol (DHCP) snooping, and Address Resolution Protocol (ARP) spoofing protection
should be enabled to prevent service disruption to authorized clients. With increasing use of multicast
applications, it is also important to consider enabling multicast features such as Internet Group Management
Protocol (IGMP) snooping and Multicast Routing Protocol (MRP) support.
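The first-line-of-defense controls named above, as an added configuration example for an EX Series access switch running the ELS CLI (this is constructed for illustration and is not configuration from the Juniper document). Assumed names: VLAN "employee" (ID 10), client port ge-0/0/0, and uplink ae0 toward the aggregation layer, which is the only interface that should see DHCP server replies. The storm-control percentage and recovery timer are illustrative values.

```junos
## Constructed example: access-layer protections on an EX switch (ELS). Names and values
## are assumptions, not taken from the reference architecture document.

## Storm control: cap broadcast, multicast and unknown-unicast at 10% of port bandwidth,
## shut the port on a storm, and bring it back automatically after 300 seconds.
set forwarding-options storm-control-profiles sc-access all bandwidth-percentage 10
set forwarding-options storm-control-profiles sc-access action-shutdown
set interfaces ge-0/0/0 unit 0 family ethernet-switching storm-control sc-access
set interfaces ge-0/0/0 unit 0 family ethernet-switching recovery-timeout 300

## DHCP snooping builds the IP/MAC/port binding table for the VLAN; ARP inspection and
## IP source guard drop ARP replies and IP packets that do not match a binding, which is
## what stops ARP-spoofing and rogue-DHCP disruption of authorised clients.
set vlans employee vlan-id 10
set vlans employee forwarding-options dhcp-security arp-inspection
set vlans employee forwarding-options dhcp-security ip-source-guard
## Trust only the uplink toward the aggregation layer; every client port stays untrusted,
## so DHCP OFFER/ACK from a client-facing port is discarded.
set vlans employee forwarding-options dhcp-security group uplinks overrides trusted
set vlans employee forwarding-options dhcp-security group uplinks interface ae0.0

## IGMP snooping so multicast is forwarded only to ports that have joined the group.
set protocols igmp-snooping vlan employee

## Operational checks after commit:
## show dhcp-security binding            -- snooped IP/MAC/port bindings per VLAN
## show igmp snooping membership         -- receivers per group
## show interfaces ge-0/0/0 extensive    -- storm-control shutdown state
```

The important design point is the trust assignment: the binding table is only as good as the set of interfaces allowed to answer DHCP, so only the uplink that leads to the real DHCP server is marked trusted.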
Wireless Access
In a campus environment, Juniper Access Points provide network access to end-user devices, just as access
switches do for wired devices. With increased wireless performance and the proliferation of mobile devices,
wireless connectivity is becoming the primary mode of access on the campus network. Both real-time and
bandwidth-demanding applications run over wireless networks, and users expect the same level of network
services (security, QoS, accessibility, and HA) as with a wired connection. Wireless access must be robust
and reliable to meet these demands.
In a Mist-enabled wireless LAN (WLAN) design, only the Juniper Access Point is required for access. The
Juniper Access Point transmits a radio frequency (RF) signal on a configured set of channels. Wireless
clients then associate with the AP to establish a wireless connection. An 802.1Q trunk for the AP to the
access switch is configured so that wireless traffic enters the wired network directly on access switches.
This WLAN approach can provide comparable performance to a wired connection; however, it is not
scalable because each individual Juniper Access Point must be configured manually.
Without a centralized component that can control and store critical information, several challenges can
arise. For instance, as users roam from one Juniper Access Point to another, they might experience
service disruptions. As a wireless client associates with a Juniper Access Point, the nearest Juniper Access
Point recognizes the client information and establishes a network connection. If the client roams outside
the RF coverage of the associated Juniper Access Point, the client experiences a dropped connection
and then attempts to re-associate with the next nearest Juniper Access Point. Managing RF spectrum on
a per-Juniper-Access-Point basis becomes cumbersome, because one Juniper Access Point might impinge
on another Juniper Access Point's signal, or in other cases not provide enough signal at all. Rogue wireless
devices can also become an issue, since it is burdensome to locate unauthorized wireless clients when
they enter the network without a centralized authentication point.
Aggregation Module
The aggregation layer aggregates connections and traffic flows from multiple access layer switches and
wireless networks to provide high-density connectivity to the campus core.
Design recommendations for the aggregation module are:
• Scalability
• High performance and throughput
• HA
• Network services integration
• QoS support
• Full N + 1 or N + N hardware redundancy
• Control plane redundancy
• Ability to upgrade the software while in-service
• Ability to combine physical chassis into a single, logical control plane
Aggregation layer switches must offer high-density ports to provide maximum scalability, along with
wire-rate forwarding for maximum throughput. Also, a non-blocking architecture at the aggregation layer
is important to minimize the oversubscription ratio, because a large number of client connections are
supported through these devices. Therefore, it is critical to have HA hardware and software features that
deliver reliability and robustness. For device-level redundancy, the aggregation hardware should be deployed
in pairs. The primary function of the aggregation layer infrastructure is to provide high throughput and
non-blocking switching/routing fabric. The dynamic routing protocol support, high-performance control
plane, and high-capacity data plane are important features of aggregation layer devices.
In a midsize enterprise campus, the aggregation layer is not as distributed as the access layer, which makes
it easier to place your security defenses and introduce segmentation using virtual routers or VLANs to
contain threats. Traffic control with QoS capabilities, such as multiple queues, queue capacity, and integration,
helps run real-time applications and prioritize critical applications appropriately. For multicast applications
support, Multicast Routing Protocol (MRP) and efficient multicast replication techniques are important in
aggregation layer devices.
The aggregation switch has the primary responsibility of multiplexing a large set of access ports into a
smaller set of ports that can be consumed by the core switch. Because the aggregation switch multiplexes
a high number of access ports, the scale requirements increase linearly for every access port it aggregates.
For example, if an access switch supports 10,000 MAC addresses and the aggregation switch consolidated
100 access switches, the total MAC scale required at the aggregation switch is 10,000 x 100 = 1,000,000
MAC addresses.
Edge Module
The edge module is the gateway for remote access to the campus network. Also, the edge module
aggregates, inspects, and encapsulates all traffic coming in and out of campus core to the Internet. The
edge is viewed as the primary path for all campus network egress and ingress.
The edge module is comprised of:
• Edge firewall
• Edge router
Edge Firewall
An edge firewall provides perimeter security services such as traffic inspection, access policies, network
address translation (NAT), and IPSec. All traffic leaving out of and arriving into the campus must pass
through the edge firewall. This is enforced through physically cabling the edge firewall between the edge
routers and core switch as well as the capability to permit and deny certain types of traffic.
The edge firewall must address the following security and tunneling considerations:
• Ability to create granular firewall filters that can inspect Layer 2 through Layer 4 traffic
• Support unicast reverse path forwarding modes: loose, strict, and VRF
• Support SSH
• IPSec
• GRE
To resolve IP address conflicts and bridge IPv6 islands, the edge firewall must support a wide variety of
Network Address Translation (NAT) protocols:
• Basic NAT44
• NAPT44
• NAPT66
• Twice NAT44
• NAPT-PT
To provide HA and reliable services, edge firewalls support clustering with active/passive failover. In
active/passive failover one firewall node remains active and handles all control plane processing and data
plane forwarding. In the event of a failure, the secondary node takes over and then becomes the primary
node.
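The edge firewall behaviour described in this section (traffic inspection with zone policies, NAPT44 for campus egress, and an active/passive cluster in which the secondary node takes over on failure), as an added configuration example for an SRX Series device. This is constructed for illustration and is not configuration from the Juniper document. Assumed values: node 0 interfaces ge-0/0/1 (toward the edge router) and ge-0/0/2 (toward the core), their node 1 counterparts ge-5/0/1 and ge-5/0/2, public address 203.0.113.2/30 with next hop 203.0.113.1, and campus space 10.0.0.0/8.

```junos
## Constructed example: SRX edge firewall, active/passive chassis cluster with NAPT44.
## Interface names, addresses and thresholds are assumptions for this example.

## Active/passive: RG0 (control plane) and RG1 (data plane) both prefer node 0; node 1
## becomes primary if node 0 fails or if its monitored Internet-facing link goes down.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/1 weight 255
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-5/0/1 gigether-options redundant-parent reth0
set interfaces ge-0/0/2 gigether-options redundant-parent reth1
set interfaces ge-5/0/2 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.2/30
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.255.0.1/30
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## Zones: the firewall sits between the core (trust) and the edge router (untrust), so
## every packet in or out of the campus crosses this boundary.
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0
set security zones security-zone trust host-inbound-traffic system-services ping

## NAPT44: campus private addresses are translated to the untrust interface address,
## with source ports rewritten so many hosts share one public address.
set security nat source rule-set campus-egress from zone trust
set security nat source rule-set campus-egress to zone untrust
set security nat source rule-set campus-egress rule napt44 match source-address 10.0.0.0/8
set security nat source rule-set campus-egress rule napt44 then source-nat interface

## Policies: permit campus egress; deny and log anything unsolicited from the Internet.
set security policies from-zone trust to-zone untrust policy campus-out match source-address any
set security policies from-zone trust to-zone untrust policy campus-out match destination-address any
set security policies from-zone trust to-zone untrust policy campus-out match application any
set security policies from-zone trust to-zone untrust policy campus-out then permit
set security policies from-zone untrust to-zone trust policy deny-inbound match source-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match destination-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match application any
set security policies from-zone untrust to-zone trust policy deny-inbound then deny
set security policies from-zone untrust to-zone trust policy deny-inbound then log session-init

## Screen options on the untrust zone for basic flood protection (thresholds illustrative).
set security screen ids-option untrust-screen icmp flood threshold 1000
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 1000
set security zones security-zone untrust screen untrust-screen

## Operational checks after commit:
## show chassis cluster status            -- which node is primary for RG0/RG1
## show security nat source summary       -- NAT rule hits
## show security flow session             -- active sessions and their translation
```

Return traffic for established sessions is allowed by the stateful flow table rather than by the untrust-to-trust policy, which is why that policy can deny everything; the `log session-init` action gives the security operations team a record of blocked inbound attempts without permitting them.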
Edge Router
An edge router connects the campus network to the service provider for Internet access. HA must be a
priority at the edge router, because the router serves as the primary connection between the campus
network and the Internet. It is also considered the first line of defense for attacks coming from the Internet.
The edge router should provide:
• Ability to limit what type of traffic can access the control plane
• Ability to identify specific types of ingress control plane traffic and enforce packets per second (PPS) limitations
• Ability to police traffic to a certain bandwidth and penalize excess traffic by changing the forwarding class or simply discarding the traffic
• Ability to create granular firewall filters that can inspect Layer 2 through Layer 4 traffic
• Support unicast reverse path forwarding (URPF) modes: loose, strict, and VRF
• Full N + 1 or N + N hardware redundancy
• Control plane redundancy
• Ability to upgrade the software while still remaining in-service
• Link aggregation
• Loop-free alternates
• Default gateway redundancy
There are various network protocols coming from the Internet to the edge router. The following protocol
families must be supported on the edge router:
• IPv4
• IPv6
• ISO
• MPLS
The edge router must also support widely deployed routing protocols. The following routing protocols
must be supported on the edge router:
• Static routes
• RIP
• OSPF
• OSPF-TE
• OSPFv3
• IS-IS
• BGP
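The control-plane protection and URPF requirements listed for the edge router, as an added Junos configuration example (constructed for illustration; it is not configuration from the Juniper document). Assumed values: a BGP peer at 203.0.113.1, a management prefix 10.10.0.0/24, OSPF on the inside, and Internet-facing interface xe-0/0/0. The policer rates are illustrative; on platforms that support it, a packet-rate policer would express the PPS limits the text mentions, but bandwidth-based policers are used here because they are available everywhere.

```junos
## Constructed example: loopback (routing-engine) filter with policers, and uRPF on the
## Internet-facing interface. Prefixes, rates and interface names are assumptions.

set policy-options prefix-list bgp-peers 203.0.113.1/32
set policy-options prefix-list mgmt-hosts 10.10.0.0/24

## Policers: traffic to a control-plane service above the limit is discarded in the
## forwarding plane, so a flood never reaches the routing engine.
set firewall policer limit-ssh if-exceeding bandwidth-limit 1m
set firewall policer limit-ssh if-exceeding burst-size-limit 15k
set firewall policer limit-ssh then discard
set firewall policer limit-icmp if-exceeding bandwidth-limit 500k
set firewall policer limit-icmp if-exceeding burst-size-limit 15k
set firewall policer limit-icmp then discard

## Loopback filter: only the configured peers and management hosts may reach each
## control-plane service; everything else is counted, logged and dropped.
set firewall family inet filter protect-re term bgp from source-prefix-list bgp-peers
set firewall family inet filter protect-re term bgp from protocol tcp
set firewall family inet filter protect-re term bgp from port bgp
set firewall family inet filter protect-re term bgp then accept
set firewall family inet filter protect-re term ospf from protocol ospf
set firewall family inet filter protect-re term ospf then accept
set firewall family inet filter protect-re term ssh from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term ssh from protocol tcp
set firewall family inet filter protect-re term ssh from destination-port ssh
set firewall family inet filter protect-re term ssh then policer limit-ssh
set firewall family inet filter protect-re term ssh then accept
set firewall family inet filter protect-re term icmp from protocol icmp
set firewall family inet filter protect-re term icmp then policer limit-icmp
set firewall family inet filter protect-re term icmp then accept
set firewall family inet filter protect-re term deny-rest then count re-denied
set firewall family inet filter protect-re term deny-rest then log
set firewall family inet filter protect-re term deny-rest then discard
## Applying the filter to lo0 protects traffic addressed to the router itself on any
## interface, without touching transit traffic.
set interfaces lo0 unit 0 family inet filter input protect-re

## uRPF: loose mode drops packets whose source address has no route at all (spoofed
## bogons) while tolerating the asymmetric return paths common on multihomed edges;
## strict mode (the default when no mode is given) would also drop legitimate asymmetry.
set interfaces xe-0/0/0 unit 0 family inet rpf-check mode loose

## Operational checks after commit:
## show firewall filter protect-re        -- re-denied counter shows what is being dropped
## show interfaces xe-0/0/0 extensive     -- RPF failure counters
```

The `count re-denied` term is deliberately placed last: its counter is the cheapest signal an operations team has that something is probing or flooding control-plane services, and a sudden rise there is worth an alert.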
Deploying Midsize Campus with Mist Wired Assurance
IN THIS SECTION
Policy Orchestration | 13
Security | 15
Quality of Service | 15
High Availability | 16
High Availability at Layer 2 | 17
Spanning Tree Protocol (STP) | 17
Virtual Chassis | 18
High availability at Layer 3 | 19
Configure the SRX Series Device | 20
Connecting the SRX and Juniper EX Series Switch | 23
Configure the EX Series Switch in the Juniper Mist Cloud | 27
How to Activate a Brownfield Switch | 29
Troubleshooting | 31
Day 1: Use a Template-Based Configuration with Device and Port Profile | 32
Wireless Configuration on the Juniper Mist Cloud | 43
Additional SSID Configuration | 48
Conclusion | 52
Policy Orchestration
With the proliferation of mobile devices and ubiquitous Internet availability, employees and guest users
need to connect to the campus network, regardless of whether they are on the premises or working remotely.
Users likewise need to connect using corporate devices as well as their own (BYOD), all with the same level
of security and access experience. These requirements demand role-based policy orchestration. Indeed,
policy orchestration and access control are two of the more critical elements in delivering a secure
infrastructure for the midsize enterprise campus solution because they provide a comprehensive suite of
features for device connectivity and security. When users connect to the network, the policy orchestration
engine must:
• Identify the user and the role of the user.
• Authenticate and authorize the user.
• Identify whether the client device of the user is company-owned or BYOD.
• Identify the type of OS running on the client device (Mac OS X, Windows, or other).
• Quarantine the device if necessary.
• Detect the location of the entry point.
• Detect traffic encryption requirements.
• Provide accountability of user access (for example, report the number of attempts and success rate).
Likewise, the access control must provide:
• Guest access control.
• Layer 2 access control (802.1X, MAC authentication).
• MAC authorization and device profiling.
• Protection against MAC spoofing.
• Monitoring and containment of unauthorized connections.
• Role-based access control.
• Identity-aware networking (Network Access Control (NAC) and Identity and Access Management (IAM)).
This Midsize Campus solution uses Mist Wired Assurance and supports both user parameters and device
MACs for access control. Using a mix of user-based and MAC-based authentication methods provides
scale, as does the use of a dedicated LDAP back-end server.
Creating a WLAN (SSID) specific for guest users (such as vendors or contractors) allows them to be separated
from corporate users, so, for example, they can enter the network without a corporate device or supplicant.
DUA (Device/User/Application) Profiles determine the number of devices (with MAC association) and
number of users including guests. In this example, we assumed guest access users will make up about 10
percent of total users.
Use the Interface for Metadata Access Points (IF-MAP) protocol for session information transfers to the secure
access server in real time. (IF-MAP is an open standard protocol that communicates information about
sessions, roles, access zones, and other elements between clients and the server as a federation.)
When setting up your own network to implement this example, you include support for active/passive or
active/active high availability (note that an active/passive setup can limit performance, but you can use load
balancing to help scale nonclustered nodes and increase performance).
You can also use additional services or service modules in the same chassis to support remote access
services and network access control (NAC) policy services as part of an overall security strategy managed
by a security management server.
Security
Robust security is important to the campus environment. This includes perimeter security, which must
provide stateful firewall protection ingress and egress to the campus network as well as protect all traffic
within the various silos of the campus network. Part of the security posture for the solution is also to
provide role-based access control (RBAC) to the network, including AAA in conjunction with 802.1X, which
provides an endpoint access authentication model.
Additional device security should be applied to headless network devices, such as printers and video
surveillance cameras, to prevent MAC spoofing attempts with these types of devices, which cannot
provide traditional AAA credentials.
Access security posture for the Campus solution should allow authenticated endpoints to be dynamically
allocated to different VLANs automatically. Activation and transmission of firewall filters and VLAN
assignments should be supported on access switches with a policy provided by an authentication server.
If the authentication server cannot be reached, switches will support an authorization failed policy, in
which devices are set to a non-authenticated state. Authenticated ports will remain authenticated for the
duration of the connected session until the device is disconnected (either physically or logically) or the
policy has timed out. The switch ports will also provide a method to grant trusted access to resources,
while denying non-authenticated devices or providing only limited access to a remediation service.
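The access security posture described here (802.1X with dynamic VLAN assignment, a fallback for headless devices that have no supplicant, an authorization-failed state when the RADIUS server is unreachable, periodic re-authentication, and limited access to a remediation service for rejected devices), as an added EX Series configuration example. This is constructed for illustration and is not configuration from the Juniper document. Assumed values: RADIUS server 10.10.0.5, VLANs employee (10), guest (20) and remediation (99), client port ge-0/0/0, and a placeholder shared secret.

```junos
## Constructed example: 802.1X access control on an EX access port. Server address,
## VLAN names/IDs and timers are assumptions; the secret is a placeholder to replace.

set access radius-server 10.10.0.5 secret "REPLACE-WITH-SHARED-SECRET"
set access profile campus-dot1x authentication-order radius
set access profile campus-dot1x radius authentication-server 10.10.0.5
set access profile campus-dot1x radius accounting-server 10.10.0.5
set access profile campus-dot1x accounting order radius

set vlans employee vlan-id 10
set vlans guest vlan-id 20
set vlans remediation vlan-id 99

set protocols dot1x authenticator authentication-profile-name campus-dot1x
## Each supplicant on the port (for example a PC behind an IP phone) is authenticated
## individually; one authenticated device does not open the port for the others.
set protocols dot1x authenticator interface ge-0/0/0.0 supplicant multiple
## Headless devices with no supplicant fall back to MAC RADIUS: the switch sends the MAC
## address as the username, so the RADIUS server must authorise each such MAC explicitly.
## This is the control the text describes for printers and cameras.
set protocols dot1x authenticator interface ge-0/0/0.0 mac-radius
## No supplicant and no MAC RADIUS match: limited guest VLAN only.
set protocols dot1x authenticator interface ge-0/0/0.0 guest-vlan guest
## Credentials rejected by RADIUS: remediation VLAN only.
set protocols dot1x authenticator interface ge-0/0/0.0 server-reject-vlan remediation
## RADIUS unreachable: deny leaves the port in the unauthenticated state (the
## authorization-failed policy the text describes), rather than opening it.
set protocols dot1x authenticator interface ge-0/0/0.0 server-fail deny
## Re-authenticate every hour so a policy change or a timed-out session is re-evaluated;
## a session otherwise stays authenticated until the device disconnects.
set protocols dot1x authenticator interface ge-0/0/0.0 reauthentication 3600

## Dynamic VLAN assignment needs nothing further on the switch beyond the VLAN existing:
## the RADIUS Access-Accept carries Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and
## Tunnel-Private-Group-Id=<VLAN name or ID>, and the port is moved into that VLAN.

## Operational checks after commit:
## show dot1x interface ge-0/0/0.0 detail     -- per-supplicant state and assigned VLAN
## show dot1x authentication-failed-users     -- who was rejected and why
```

The choice of `server-fail deny` versus `server-fail permit` or `use-cache` is the policy decision the text alludes to: `deny` is the safe default for an access closet, while `use-cache` keeps already-authenticated sessions alive through a short RADIUS outage without admitting new devices.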
Quality of Service
Quality of service (QoS) is an essential design category for maintaining application and user real-time
performance monitoring (RPM) and ensuring consistent performance of the network. Although the Midsize
Enterprise Campus solution reference architecture is designed for high bandwidth services with gigabit
Ethernet or 10GE links, QoS should be considered mandatory for any campus deployment, regardless of
bandwidth, for any interface or access point with the potential for congestion or contention for resources.
QoS policies are implemented as per-hop behavior (PHB), meaning that each device should be configured
to ensure consistent end-to-end policy enforcement. Although QoS policies are implemented as PHB, QoS
should be considered end-to-end and flow through the entire campus in order to correctly adhere to the
RPMs of the specific applications and campus policies.
Figure 2 on page 16 illustrates the QoS classification used in the validated reference architecture.
Figure 2: QoS Classification of Traffic
[Figure 2 placeholder. Labels recoverable from the figure: Mist AP; Access (EX2300/EX3400/EX4300); Collapsed Core (EX4650, L2/L3); SRX Series Router; Employee, Guest, and IoT segments; QoS functions shown: multifield classifiers, rewrite rules, BA classifiers, rate limiting.]
QoS policies are first established by setting the trust boundaries and the relationships for marking traffic
in the campus network. For this reference architecture, trusted relationships (trusted inter-switch policies)
are established at the aggregation and core layers of the network. In a trusted relationship, the classifications
and markings of the traffic do not require a rewrite or an inspection. However, queuing and policing policies
should be considered at the ingress and egress of all inter-switch links. WAN policies (both to the corporate
WAN and to the Internet) can be constrained by lower-bandwidth access links (less than 100 MB) and thus
require a QoS policy with queuing and policing applied to maintain RPMs. Depending on the inbound and
outbound QoS policy for the campus, WAN links can have different levels of trust associated with the
interface. The access layer should be considered untrusted. At the access layer, QoS access policies include
queuing, policing, classification, marking, and rewriting for ingress traffic. Based on the campus QoS policy,
some devices may be considered trusted, such as an IP phone, which would receive its marking policy from
the corporate IP PBX. WLAN QoS policies are configured at the WLAN controller, which provides the
campus administrator the ability to trust the client DSCP through the wireless connection.
For more information on setting up QoS from the Juniper Mist portal, see: QoS for Switches
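The trust-boundary model described above (untrusted access ports classified by a multifield filter and rate limited, trusted inter-switch links classified by DSCP and rewritten on egress), as an added EX Series configuration example. This is constructed for illustration and is not configuration from the Juniper document; the forwarding classes, the RTP and video port ranges, the policer rate and the scheduler percentages are assumptions, and a Mist-managed switch would receive the equivalent settings from the cloud template rather than the CLI.

```junos
## Constructed example: per-hop QoS on an EX access switch (ELS). Class names, ports,
## rates and interface names are assumptions for this example.

## Forwarding classes and their queues.
set class-of-service forwarding-classes class voice queue-num 5
set class-of-service forwarding-classes class video queue-num 4
set class-of-service forwarding-classes class best-effort queue-num 0

## BA classifier for the trusted uplink: honour DSCP set by the aggregation/core layer.
set class-of-service classifiers dscp trusted-core forwarding-class voice loss-priority low code-points ef
set class-of-service classifiers dscp trusted-core forwarding-class video loss-priority low code-points af41
set class-of-service classifiers dscp trusted-core forwarding-class best-effort loss-priority low code-points be

## Rewrite rule: re-mark on egress so the next hop can trust what it receives.
set class-of-service rewrite-rules dscp campus-rw forwarding-class voice loss-priority low code-point ef
set class-of-service rewrite-rules dscp campus-rw forwarding-class video loss-priority low code-point af41
set class-of-service rewrite-rules dscp campus-rw forwarding-class best-effort loss-priority low code-point be

## Multifield classifier for the untrusted access port: classify on protocol and port and
## ignore whatever DSCP the client wrote; police voice so one client cannot starve the
## strict-priority queue; everything unmatched goes to best effort at high loss priority.
set firewall policer voice-limit if-exceeding bandwidth-limit 2m
set firewall policer voice-limit if-exceeding burst-size-limit 50k
set firewall policer voice-limit then discard
set firewall family ethernet-switching filter mf-access term rtp from ip-protocol udp
set firewall family ethernet-switching filter mf-access term rtp from destination-port 16384-32767
set firewall family ethernet-switching filter mf-access term rtp then policer voice-limit
set firewall family ethernet-switching filter mf-access term rtp then forwarding-class voice
set firewall family ethernet-switching filter mf-access term rtp then loss-priority low
set firewall family ethernet-switching filter mf-access term rtp then accept
set firewall family ethernet-switching filter mf-access term video from ip-protocol udp
set firewall family ethernet-switching filter mf-access term video from destination-port 5004
set firewall family ethernet-switching filter mf-access term video then forwarding-class video
set firewall family ethernet-switching filter mf-access term video then loss-priority low
set firewall family ethernet-switching filter mf-access term video then accept
set firewall family ethernet-switching filter mf-access term rest then forwarding-class best-effort
set firewall family ethernet-switching filter mf-access term rest then loss-priority high
set firewall family ethernet-switching filter mf-access term rest then accept
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input mf-access

## Queuing: strict priority for voice, weighted shares for the remaining classes.
set class-of-service schedulers voice-sch priority strict-high
set class-of-service schedulers video-sch transmit-rate percent 30
set class-of-service schedulers be-sch transmit-rate percent 60
set class-of-service scheduler-maps campus-map forwarding-class voice scheduler voice-sch
set class-of-service scheduler-maps campus-map forwarding-class video scheduler video-sch
set class-of-service scheduler-maps campus-map forwarding-class best-effort scheduler be-sch

## Trust boundary: the uplink (ae0, member xe-0/1/0) gets the BA classifier and rewrite;
## the access port gets no DSCP classifier (the filter classifies it) but still rewrites.
set class-of-service interfaces ae0 unit 0 classifiers dscp trusted-core
set class-of-service interfaces ae0 unit 0 rewrite-rules dscp campus-rw
set class-of-service interfaces xe-0/1/0 scheduler-map campus-map
set class-of-service interfaces ge-0/0/0 unit 0 rewrite-rules dscp campus-rw
set class-of-service interfaces ge-0/0/0 scheduler-map campus-map

## Operational checks after commit:
## show class-of-service interface ge-0/0/0    -- classifier/rewrite bindings
## show interfaces queue ge-0/0/0              -- per-queue drops, confirming the policer
```

Deliberately not trusting client DSCP at the access port is the security-relevant part of this design: a host that marks its own traffic EF cannot jump the voice queue, because the filter re-classifies on port and protocol and the policer bounds what it can claim.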
High Availability
High availability (HA) and resiliency are essential for maintaining connectivity and avoiding service disruption.
The expectation in this Midsize Enterprise Campus Solution Reference Architecture is to ensure
uninterrupted (sub-second recovery) access, including during voice and video sessions, in the event of