ReferenceArchitecture
Midsize Campus Design Using Mist Wired
Assurance
Published
2021-02-08
ii
Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA
408-745-2000 www.juniper.net
JuniperNetworks,theJuniperNetworkslogo,Juniper,andJunosareregisteredtrademarksofJuniperNetworks,Inc. in theUnitedStatesandothercountries. Allothertrademarks,servicemarks,registeredmarks,orregisteredservicemarks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Reference Architecture Midsize Campus Design Using Mist Wired Assurance
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR2000NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
ENDUSERLICENSEAGREEMENT
TheJuniperNetworksproductthatisthesubjectofthistechnicaldocumentationconsistsof(orisintendedforusewith) JuniperNetworkssoftware.UseofsuchsoftwareissubjecttothetermsandconditionsoftheEndUserLicenseAgreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
iii
1ReferenceArchitectureforaMidsizeCampusUsingMistWiredAssurance
Overview:MidsizeCampusSolutionUsingMistWiredAssurance | 6
Introduction | 6
Framework | 6
MidsizeCampusSolutionReferenceArchitectureforMistWiredAssurance | 8
Access Module | 8
Wired Access | 8
Wireless Access | 9
Aggregation Module | 10
Edge Module | 11
Edge Firewall | 11
Edge Router | 12
DeployingMidsizeCampuswithMistWiredAssurance | 13
Policy Orchestration | 13
Security | 15
Quality of Service | 15
High Availability | 16
High Availability at Layer 2 | 17
Spanning Tree Protocol (STP) | 17
Virtual Chassis | 18
High availability at Layer 3 | 19
Configure the SRX Series Device | 20
Connecting the SRX and Juniper EX Series Switch | 23
Configure the EX Series Switch in the Juniper Mist Cloud | 27
How to Activate a Brownfield Switch | 29
Troubleshooting | 31
Day 1: Use a Template-Based Configuration with Device and Port Profile | 32
Wireless Configuration on the Juniper Mist Cloud | 43
Additional SSID Configuration | 48
iv
Conclusion | 52
1
CHAPTER
Overview: Midsize Campus Solution Using Mist Wired Assurance | 6
Midsize Campus Solution Reference Architecture for Mist Wired Assurance | 8
Deploying Midsize Campus with Mist Wired Assurance | 13
6
Overview:MidsizeCampusSolutionUsingMistWired
Assurance
INTHISSECTION
Introduction | 6
Framework | 6
Campus networks are constantly evolving and growing at a rapid rate. No longer merely comprised of homogenousdesktopsandprinters,acampusnowincludesanarrayofIPdevices:phones,JuniperAccess Points, tablets, and more. Knowledge workers can work anywhere, as their access permits. Providing a consistentexperience,regardlessofhoworwheretheuserconnects,canincreasetheoverallproductivity. Organizations must build a network that can provide flexibility while protecting critical data from unauthorized access.
The Juniper Networks Midsize Campus solution is built upon a standard solution architectural approach. Thebaselinearchitectureisbasedonaseriesofbuildingblocks,builtbyJuniperNetworks,thataremeant to address the entire network.
For the Midsize Campus Solution Reference Architecture using Mist Wired Assurance, the following modules are detailed:
•Access
•Aggregation
•Edge
Each of the modules take into consideration the following elements and design requirements:
•Policy orchestration
•Network management
7
•Security
•Quality of service (QoS)
•High availability (HA) and resiliency
Figure 1 on page 7 illustrates the solution modules and the design considerations described in this reference architecture.
Figure1:MidsizeCampusSolutionReferenceArchitectureFramework
SRX Series Router
Collapsed Core
|
L3 |
EX4650 |
L2 |
Access
EX2300/ EX3400 / EX4300
Mist AP
Employee
|
Employee |
Guest |
Guest |
IoT |
IoT |
<![endif]>g301232
8
MidsizeCampusSolutionReferenceArchitecturefor
MistWiredAssurance
INTHISSECTION
Aggregation Module | 10
Edge Module | 11
The solution reference architecture was designed using a modular approach. Each of the design modules are described in detail in the following sections.
AccessModule
The access module is comprised of:
•Wireless access
WiredAccess
Inacampusnetwork,accessswitchesprovidenetworkconnectivitytoendusersbyconnectingIP-enabled devicessuchasdesktops,phones,andprinters. Accesslayerswitchestypicallyresideinthewiringclosets of each floor in each physical campus facility.
Design recommendations for the access module are:
•Portdensity—Neededforclientconnection,aswellasanuplinktotheaggregation/corelayerstoreduce the client-to-uplink oversubscription ratio
•Scalability—On a need-to-grow basis to help reduce capital and operating expenditures
•Flexibility—Ability to enable port density and scalability regardless of where the physical infrastructure is located
•High availability (HA)—Redundant path, always-on power, and nonstop forwarding
9
•Power over Ethernet (PoE)—Ability to enable services to devices such as phones, video endpoints, and JuniperAccessPointswithoutextrapowercabling,reducingcapitalexpendituresandsimplifyingcabling infrastructure
•Quality of service (QoS)—Classification, marking, and prioritization of traffic flows
•Segmentation—Ability to maintain separation of traffic when needed
•Security infrastructure integration—Access control to prevent unauthorized users and devices
Theaccesslayerservesasthepathwaytoallnetworkservices. Thislayerbecomesaprimaryboundaryof access control for security requirements as well. Virtualization capabilities, such as virtual LANs (VLANs) andvirtualrouters,areimportantforsupportingrequiredsegmentationoftheaccesslayernetwork.Virtual chassisprovidestheflexibilityandscalabilitytosupportconnectivitythroughouttheclosetwhilesimplifying management. In addition, integrating network security with unified access control is another important aspect. As a first line of defense, security controls such as broadcast storm control, Dynamic Host Configuration Protocol (DHCP) snooping, and Address Resolution Protocol (ARP) spoofing protection should be enabled to prevent service disruption to authorized clients. With increasing use of multicast applications,itisalsoimportanttoconsiderenablingmulticastfeaturessuchasInternetGroupManagement Protocol (IGMP) snooping and Multicast Routing Protocol (MRP) support.
WirelessAccess
In a campus environment, Juniper Access Points provide network access to end-user devices like access switches. With increased wireless performance and proliferation of mobile devices, wireless connectivity isbecomingtheprimarymodeofaccessonthecampusnetwork.Bothreal-timeandbandwidth-demanding applications are running over wireless networks. However, the user expects the same level of network services(security,QoS,accessibility,andHA)aswithawiredconnection. Wirelessaccessmustberobust and reliable to deliver these demands.
In a Mist enabled wireless LAN (WLAN) design, only the Juniper Access Point is required for access. The Juniper Access Point transmits a radio frequency (RF) signal on a configured set of channels. Wireless clients then associate with the AP to establish a wireless connection. An 802.1Q trunk for the AP to the access switch is configured so that wireless traffic enters the wired network directly on access switches. This WLAN approach can provide comparable performance to a wired connection; however, it is not scalable because each individual Juniper Access Point must be configured manually.
Without a centralized component that can control and store critical information, several challenges can arise.Forinstance,asusersroamfromJuniperAccessPointtoJuniperAccessPoint,theymightexperience servicedisruptions. AsawirelessclientassociateswithaJuniperAccessPoint,thenearestJuniperAccess Point recognizes the client information and establishes a network connection. If the client roams outside the RF coverage of the associated Juniper Access Point, the client will experience a dropped connection and then attempt to re-associate with the next nearest Juniper Access Point. Managing RF spectrum on a per Juniper Access Point basis becomes cumbersome, where one Juniper Access Point might impede uponanotherJuniperAccessPoint’ssignal,orinothercasesnotcarryenoughsignalatall. Roguewireless
10
devices can also become an issue, since it becomes burdensome to locate when unauthorized wireless clients enter the network without a centralized authentication point.
AggregationModule
The aggregation layer aggregates connections and traffic flows from multiple access layer switches and wireless networks to provide high-density connectivity to the campus core.
Design recommendations for the aggregation module are:
•Scalability
•High-performance and throughput
•HA
•Network services integration
•QoS support
•Full N + 1 or N + N hardware redundancy
•Control plane redundancy
•Ability to upgrade the software while in-service
•Ability to combine physical chassis into a single, logical control plane
Aggregation layer switches must offer high-density ports to provide maximum scalability, along with wire-rateforwardingformaximumthroughput. Also,anon-blockingarchitectureattheaggregationlayer is important to minimize the oversubscription ratio, because a large number of client connections are supportedthroughthesedevices. Therefore,itiscriticaltohaveHAhardwareandsoftwarefeaturesthat deliverreliabilityandrobustness.Fordevice-levelredundancy,theaggregationhardwareshouldbedeployed in pairs. The primary function of the aggregation layer infrastructure is to provide high throughput and non-blocking switching/routing fabric. The dynamic routing protocol support, high-performance control plane, and high-capacity data plane are important features of aggregation layer devices.
Inamidsizeenterprisecampus,theaggregationlayerisnotasdistributedastheaccesslayer,whichmakes it easier to place your security defenses and introduce segmentation using virtual routers or VLANs to containthreats.TrafficcontrolwithQoScapabilities,suchasmultiplequeues,queuecapacity,andintegration help run real-time applications and prioritize critical applications appropriately. For multicast applications support, Multicast Routing Protocol (MRP) and efficient multicast replication techniques are important in aggregation layer devices.
The aggregation switch has the primary responsibility of multiplexing a large set of access ports into a smallersetofportsthatcanbeconsumedbythecoreswitch. Becausetheaggregationswitchmultiplexes ahighnumberofaccessports,thescalerequirementsincreaselinearlyforeveryaccessportitaggregates. Forexample,ifanaccessswitchsupports10,000MACaddressesandtheaggregationswitchconsolidated
11
100accessswitches,thetotalMACscalerequiredattheaggregationswitchis10,000x100=1,000,000 MAC addresses.
EdgeModule
The edge module is the gateway for remote access to the campus network. Also, the edge module aggregates, inspects, and encapsulates all traffic coming in and out of campus core to the Internet. The edge is viewed as the primary path for all campus network egress and ingress.
The edge module is comprised of:
•Edge router
EdgeFirewall
An edge firewall provides perimeter security services such as traffic inspection, access policies, network address translation (NAT), and IPSec. All traffic leaving out of and arriving into the campus must pass through the edge firewall. This is enforced through physically cabling the edge firewall between the edge routers and core switch as well as the capability to permit and deny certain types of traffic.
The edge firewall must address the following security and tunneling considerations:
•Ability to create granular firewall filters that can inspect Layer 2 through Layer 4 traffic
•Support unicast reverse path forwarding modes: loose, strict, and VRF
•Support SSH
•IPSec
•GRE
To resolve IP address conflicts and bridge IPv6 islands, the edge firewall must support a wide variety of Network Address Translation (NAT) protocols:
•Basic NAT44
•NAPT44
•NAPT66
•Twice NAT44
•NAPT-PT
To provide HA and reliable services, edge firewalls support clustering with active/passive failover. In active/passivefailoveronefirewallnoderemainsactiveandhandlesallcontrolplaneprocessinganddata
12
plane forwarding. In the event of a failure, the secondary node takes over and then becomes the primary node.
EdgeRouter
An edge router connects the campus network to the service provider for Internet access. HA must be a priority at the edge router, because the router serves as the primary connection between the campus networkandtheInternet.ItisalsoconsideredthefirstlineofdefenseforattackscomingfromtheInternet.
•Ability to limit what type of traffic can access the control plane
•Abilitytodeterminespecifictypesofingresscontrolplanetrafficandenforcepacketspersecond(PPS) limitations
•Ability to police traffic to a certain bandwidth and penalizing excess traffic by changing the forwarding class or simply discarding the traffic
•Ability to create granular firewall filters that can inspect Layer 2 through Layer 4 traffic
•Support unicast reverse path forwarding (URPF) modes: loose, strict, and VRF
•Full N + 1 or N + N hardware redundancy
•Control plane redundancy
•Ability to upgrade the software while still remaining in-service
•Link aggregation
•Loop-free alternates
•Default gateway redundancy
TherearevariousnetworkprotocolscomingfromtheInternettotheedgerouter. Thefollowingprotocol families must be supported on the edge router:
•IPv4
•IPv6
•ISO
•MPLS
The edge router must also support widely deployed routing protocols. The following routing protocols must be supported on the edge router:
•Static routes
•RIP
•OSPF
•OSPF-TE
13
•OSPFv3
•IS-IS
•BGP
DeployingMidsizeCampuswithMistWiredAssurance
INTHISSECTION
Security | 15
Quality of Service | 15
High Availability | 16
High Availability at Layer 2 | 17
Spanning Tree Protocol (STP) | 17
Virtual Chassis | 18
High availability at Layer 3 | 19
Configure the SRX Series Device | 20
Connecting the SRX and Juniper EX Series Switch | 23
Configure the EX Series Switch in the Juniper Mist Cloud | 27
How to Activate a Brownfield Switch | 29
Troubleshooting | 31
Day 1: Use a Template-Based Configuration with Device and Port Profile | 32
Wireless Configuration on the Juniper Mist Cloud | 43
Additional SSID Configuration | 48
Conclusion | 52
PolicyOrchestration
With the proliferation of mobiles devices and ubiquitous Internet availability, employees and guest users needtoconnecttothecampusnetwork,regardlessifwhethertheyareonthepremisesorworkingremotely. Users likewise need connect using corporate devices as well as their own (BYOD), all with the same level
14
of security and access experience. These requirements demand role-based policy orchestration. Indeed, policy orchestration and access control are two of the more critical elements in delivering a secure infrastructure for the midsize enterprise campus solution because they provide a comprehensive suite of featuresfordeviceconnectivityandsecurity.Whenusersconnecttothenetwork,thepolicyorchestration engine must:
•Identify the user and the role of the user.
•Authenticate and authorize the user.
•Identify whether or not the client device of the user is company-owned or BYOD.
•Identify the type of OS running on the client devices (MAC OSX, PC Windows, or other).
•Quarantine the device if necessary.
•Detect the location of the entry point.
•Detect traffic encryption requirements.
•Provide accountability of user access (for example, report the number of attempts and success rate).
Likewise, the access control must provide:
•Guest access control.
•Layer 2 access control (802.1X, MAC authentication).
•MAC authorization and device profiling.
•Protection against MAC spoofing.
•Monitoring and containment of unauthorized connections.
•Role-based access control.
•Identity-awarenetworking(NetworkAccessControl(NAC)andIdentityandAccessManagement(IAM)).
This Midsize Campus solution uses Mist Wired Assurance and supports both user parameters and device MACs for access control. Using a mix of user-based and MAC-based authentication methods provides scale, as does the use of a dedicated LDAP back-end server.
CreatingaWLAN(SSID)specificforguestusers(suchasvendorsorcontractors)allowsthemtobeseparated
fromcorporateusers,so,forexample,theycanenterthenetworkwithoutacorporatedeviceorsupplicant. DUA (Device/User/Application) Profiles determine the number of devices (with MAC association) and number of users including guests. In this example, we assumed guest access users will make up about 10 percent of total users.
UseInterfaceforMetadataAccessPoint(IF-MAP)protocolforsessioninformationtransferstothesecure access server in real time. (IF-MAP is an open standard protocol that communicates information about sessions, roles, access zones, and other elements between clients to the server as a federation.)
15
Whensettingupyourownnetworktoimplementthisexample,youincludesupportforactive/passiveor
active/activehighavailability(notethatactive/passivesetupcanlimitperformance,butyoucanuseload balancing to help scale nonclustered nodes and increase performance.)
You can also use additional services or service modules in the same chassis to support remote access servicesandnetworkaccesscontrol(NAC)policyservicesaspartofanoverallsecuritystrategymanaged by a security management server.
Robust security is important to the campus environment. This includes perimeter security, which must provide stateful firewall protection ingress and egress to the campus network as well as protect all traffic within the various silos of the campus network. Part of the security posture for the solution is also to providerole-basedaccesscontrol(RBAC)tothenetwork,includingAAAinconjunctionwith802.1x,which provides an endpoint access authentication model.
Additional device security should be associated to headless network devices, such as printers and video surveillancecameras,toprovidetheabilitytopreventMACspoofingattemptswiththesetypesofdevices which have the inability to provide traditional AAA credentials.
Access security posture for the Campus solution should allow authenticated endpoints to be dynamically allocated to different VLANs automatically. Activation and transmission of firewall filters and VLAN assignments should be supported on access switches with a policy provided by an authentication server. If the authentication server cannot be reached, switches will support an authorization failed policy, in whichdevicesaresettoanon-authenticatedstate. Authenticatedportswillremainauthenticatedforthe duration of the connected session until the device is disconnected (either physically or logically) or the policy has timed out. The switch ports will also provide a method to grant trusted access to resources, while denying non-authenticated devices or providing only limited access to a remediation service.
QualityofService
Quality of service (QoS) is an essential design category for maintaining application and user real-time performancemonitoring(RPM)andensuringconsistentperformanceofthenetwork.AlthoughtheMidsize Enterprise Campus solution reference architecture is designed for high bandwidth services with gigabit Ethernet or 10GE links, QoS should be considered mandatory for any campus deployment, regardless of bandwidth,foranyinterfaceoraccesspointwiththepotentialforcongestionorcontentionforresources.
QoSpoliciesareimplementedforper-hop-behavior(PHB),meaningthateachdeviceshouldbeconfigured toensureconsistentend-to-endpolicyenforcement.AlthoughQoSpoliciesareimplementedasPHB,QoS
16
should be considered end-to-end and flow through the entire campus in order to correctly adhere to the RPMs of the specific applications and campus policies.
Figure 2 on page 16 illustrates the QoS classification used in the validated reference architecture.
Figure2:QoSClassificationofTraffic
SRX Series Router
Collapsed Core |
L3 |
|
|
EX4650 |
L2 |
Access |
|
|
|
|
|
EX2300 |
|
|
|
EX3400 |
|
|
|
EX4300 |
|
Mist AP |
|
|
|
|
|
Multifield classifiers |
|
Employee |
Employee |
Rewrite Rules |
|
Guest |
Guest |
BA Classifiers |
|
IoT |
IoT |
Rate Limiting |
|
|
|
<![endif]>g301423
QoSpoliciesarefirstestablishedbysettingthetrustboundariesandtherelationshipsofmarkingthetraffic inthecampusnetwork.Forthisreferencearchitecture,trustedrelationships(trustedinter-switchpolicies) areestablishedattheaggregationandcorelayersofthenetwork.Inatrustedrelationship,theclassifications andmarkingsofthetrafficdonotrequirearewriteoraninspection.However,queuingandpolicingpolicies shouldbeconsideredattheingressandegressofallinter-switchlinks.WANpolicies(bothtothecorporate WANandtotheInternet)canbeconstrainedbylowerbandwidthaccesslinks(lessthan100MB)andthus requireaQoSpolicywithqueuingandpolicingappliedtomaintainRPMs . Dependingontheinboundand outbound QoS policy for the campus, WAN links can have different levels of trust associated with the interface.Theaccesslayershouldbeconsidereduntrusted.Attheaccesslayer,QoSaccesspoliciesinclude queuing,policing,classification,marking,andrewritingforingresstraffic.BasedonthecampusQoSpolicy, somedevicesmaybeconsideredtrusted,suchasanIPphone,whichwouldreceiveitsmarkingpolicyfrom the corporate IP PBX. WLAN QoS policies are configured at the WLAN controller, which provides the campus administrator the ability to trust the client DSCP through the wireless connection.
For more information on setting up QoS from the Juniper Mist portal, see: QoS for Switches
HighAvailability
Highavailability(HA)andresiliencyisessentialformaintainingconnectivityandavoidingservicedisruption. The expectation in this Midsize Enterprise Campus Solution Reference Architecture is to ensure uninterrupted (sub-second recovery) access, including during voice and video sessions, in the event of