Paragon Automation System Requirements
Before you install the Paragon Automation software, ensure that your system meets the requirements that we describe in these sections.
Hardware Requirements
This section describes the minimum hardware resources that are required on each node VM in the Paragon Automation cluster, for evaluation purposes or for small deployments.
The compute, memory, and disk requirements of the cluster nodes can vary based on the intended capacity of the system. The intended capacity depends on the number of devices to be onboarded and monitored, types of sensors, and frequency of telemetry messages. If you increase the number of devices, you'll need higher CPU and memory capacities.
To get a scale and size estimate of a production deployment and to discuss detailed dimensioning requirements, contact your Juniper Partner or Juniper Sales Representative. Juniper Paragon Automation Release 2.2.0 supports a scale of a maximum of 800 devices.
Each of the four nodes in the cluster must have:
-
16-core vCPU
-
32-GB RAM
-
300-GB SSD
The VMs do not need to be on the same server, but need to be able to communicate over the same L2 network. You need one or more servers with enough CPU, memory, and disk space to accommodate the hardware resources listed in this section.
Software Requirements
Use VMware ESXi 8.0 to deploy Paragon Automation.
Network Requirements
The four nodes must be able to communicate with each other through SSH. The nodes must be able to sync to an NTP server. SSH is enabled automatically during the VM creation, and you will be asked to enter the NTP server address during the cluster creation. Ensure that there is no firewall blocking NTP or blocking SSH traffic between the nodes in case they are on different servers.
Figure 1 illustrates the IP addresses required to install Paragon Automation.
You need to have the following addresses available for the installation, all in the same subnet.
-
Four interface IP addresses, one for each of the four nodes
-
Internet gateway IP address
-
Three virtual IP (VIP) addresses for:
-
Generic ingress IP address shared between gNMI, OC-TERM (SSH connections from devices), and the Web GUI—This is a general-purpose VIP address that is shared between multiple services and used to access Paragon Automation from outside the cluster.
-
Paragon Active Assurance Test Agent gateway (TAGW)—This VIP address serves HTTP-based traffic to the Paragon Active Assurance Test Agent endpoint.
-
PCE server—This VIP address is used to establish Path Computational Element Protocol (PCEP) sessions between Paragon Automation and the devices. The PCE server VIP configuration is necessary to view live topology updates in your network.
The VIP addresses are added to the outbound SSH configuration that is required for a device to establish a connection with Paragon Automation. The outbound SSH commands for OC-TERM and gNMI both use VIP addresses.
-
-
Hostnames mapped to the VIP addresses—Along with VIP addresses, you can also enable devices to connect to Paragon Automation using hostnames. However, you must ensure that the hostnames and the VIP addresses are correctly mapped in the DNS and your device is able to connect to the DNS. If you configure Paragon Automation to use hostnames, the hostnames take precedence over VIP addresses and are added to the outbound SSH configuration used during onboarding devices.
Configure IPv6 Addresses
In this release, you can configure the Paragon Automation cluster using IPv6 addresses in addition to the existing IPv4 addresses. With IPv6 addressing configured, you can use IPv6 addresses for OC-TERM, gNMI, the Active Assurance TAGW,and access to the Web GUI. You must have the following additional addresses available at the time of installation:
-
Four interface IPv6 addresses, one for each of the four nodes
-
Internet gateway IPv6 address
-
Two IPv6 VIP addresses for generic ingress and Active Assurance TAGW
-
Hostnames mapped to the IPv6 VIP addresses—You can also use hostnames to connect to IPv6 addresses. You must ensure that the hostnames are mapped correctly in the DNS to resolve to the IPv6 addresses.
If hostnames are not configured and IPv6 addressing is enabled in the cluster, the IPv6 VIP addresses are added to the outbound SSH configuration, used for device onboarding, instead of IPv4 addresses.
We do not support configuring an IPv6 address for the PCE server.
Also, to use IPv6 addresses, you must install Paragon Automation with Release 2.2.0 afresh. You cannot configure IPv6 on a setup upgraded from Release 2.1.0.
In addition to the listed IP addresses and hostnames, you need to have the following information available with you at the time of installation:
-
Primary and secondary DNS server addresses for IPv4 and IPv6 (if needed)
-
NTP server information
Figure 1 illustrates the IP and VIP addresses required to install a Paragon Automation cluster.
Communication within and from outside of the cluster
You must allow intracluster communication between the nodes. In particular, you must keep the ports listed in Table 1 open for communication.
|
Port |
Usage |
From |
To |
Comments |
|---|---|---|---|---|
| Infrastructure Ports | ||||
|
22 |
SSH for management |
All cluster nodes |
All cluster nodes |
Require a password or SSH-key |
|
2222 TCP |
Paragon Shell configuration sync |
All cluster nodes |
All cluster nodes |
Require password or SSH-key |
|
443 TCP |
HTTPS for registry |
All cluster nodes |
Primary nodes |
Anonymous read access Write access is authenticated |
|
2379 TCP |
etcd client port |
Primary nodes |
Primary nodes |
Certificate-based authentication |
|
2380 TCP |
etcd peer port |
Primary nodes |
Primary nodes |
Certificate-based authentication |
|
5473
|
Calico CNI with Typha |
All cluster nodes |
All cluster nodes |
— |
|
6443 |
Kubernetes API |
All cluster nodes |
All cluster nodes |
Certificate-based authentication |
|
7472 TCP |
MetalLB metric port |
All cluster nodes |
All cluster nodes |
Anonymous read only, no write access |
|
7946 UDP |
MetalLB member election port |
All cluster nodes |
All cluster nodes |
— |
| 8443 |
HTTPS for registry data sync |
Primary nodes |
Primary nodes |
Anonymous read access Write access is authenticated |
|
9345 |
rke2-server |
All cluster nodes |
All cluster nodes |
Token based authentication |
|
10250 |
kubelet metrics |
All cluster nodes |
All cluster nodes |
Standard Kubernetes authentication |
|
10260 |
RKE2 cloud controller |
All cluster nodes |
All cluster nodes |
Standard Kubernetes authentication |
|
32766 TCP |
Kubernetes node check for PCE service local traffic policy |
All cluster nodes |
All cluster nodes |
Read access only |
|
Calico CNI Ports |
||||
|
4789 UDP |
Calico CNI with VXLAN |
All cluster nodes |
All cluster nodes |
— |
|
5473 TCP |
Calico CNI with Typha |
All cluster nodes |
All cluster nodes |
— |
|
51820 UDP |
Calico CNI with Wireguard |
All cluster nodes |
All cluster nodes |
— |
The following ports must be open for communication from outside the cluster.
|
Port |
Usage |
From |
To |
|---|---|---|---|
|
443 |
Web GUI + API |
External user computer/desktop |
Web GUI Ingress VIP address(es) |
|
443 |
Paragon Active Assurance Test Agent |
External network devices |
Paragon Active Assurance Test Agent VIP address |
|
2200 |
OC-TERM |
External network devices |
Web GUI Ingress VIP address(es) |
|
4189 |
PCE Server |
External network devices |
PCE Server VIP address |
|
6800 |
Paragon Active Assurance Test Agent |
External network devices |
Paragon Active Assurance Test Agent VIP address |
|
32767 |
gNMI |
External network devices |
Web GUI Ingress VIP address(es) |
Web Browser Requirements
The latest versions of Google Chrome, Mozilla Firefox, and Safari.
We recommend that you use Google Chrome.