Getting Started

Specifications for Physical Appliances

The following table lists the physical appliances with models and specifications:

Table 1: Juniper Mist Edge Models with Specifications

Model	Maximum APs	Maximum Clients	Maximum Throughput	Data and Management Interfaces	Power Supply
ME-X1	500	5000	2 Gbps	Dual-Port 1GbE (Data) Dual-Port 1GbE (Mgmt)	Single, Cabled Power Supply, 250W
ME –X1-M	500	5000	4 Gbps	Dual Port 1GbE (Data) and Dual Port 1Gbe (Mgmt)	Single, cabled, 250W
ME–X5	5000	50,000	20 Gbps	Dual Port 10GbE SFP+ (Data) and Dual Port 1GbE (Mgmt)	Dual, Hot plug, Redundant (1+1), 750W
ME– X5-M	5000	100,000	40 Gbps	Quad Port 10GbE SFP+ (Data) and Dual Port 10GbE SFP+ (Mgmt)	Dual, Hot plug, Redundant (1+1), 750W
ME– X6	5000	100,000	100 Gbps	Quad-Port 25GbE SFP28 (Data) and Quad-Port 25GbE SFP28 (Mgmt)	Dual, Hot-plug, Redundant (1+1), 800W
ME– X10	10,000	100,000	40 Gbps	Quad Port 10GbE SFP+ (Data) and Dual Port 10GbE SFP+ (Mgmt)	Dual, Hot plug, Redundant (1+1), 750W

Contact your Juniper account team to identify which Juniper Mist Edge option is right for you.

For specifications for a virtual appliance, see Table 1

Physical Port Connections—Overview

The following port connections are necessary to setup the Juniper Mist Edge appliance.

• Out-of-Band Management (OOBM)—To connect to the Juniper Mist cloud and RADIUS over TLS (RadSec) Proxy service. The OOBM interface communicates with the Juniper Mist cloud. The interface configures network components, sends statistics, and checks the status of the Juniper Mist Edge, the Mist Edge cluster, and the AP tunnels. The interface has a Dynamic Host Configuration Protocol (DHCP) IP address by default and you can configure the interface with a static IP address.

• Tunnel IP—To establish a Layer 2 Tunneling Protocol version 3 (L2TPv3) or IPsec tunnel from the Juniper® Series of High-Performance Access Points. Tunnel IP is the static IP address that an AP uses to set up the L2TPv3 tunnel between the AP and the Juniper Mist Edge.

  It is an interface to which access points (APs) form a tunnel. You can configure the tunnel IP address in the Tunnel IP Configuration pane of the Juniper Mist portal.

  If a firewall exists between the AP management subnet and the Mist Edge Tunnel IP, you must allow the traffic destined to the Tunnel IP on port 1701 for L2TPv3 tunnels and allow the traffic destined to the Tunnel IP on port 500/4500 for IPSec tunnels.

  You can use the Tunnel (data) port for both upstream or downstream port or you can divide it into separate upstream and downstream ports. You can use the data (tunnel) port to connect to the upstream router as a trunk port. Tunnel (data) port is connected to a trunk port that has all the VLANs configured to which the WLAN maps.

Note:

Ensure that the OOBM and the tunnel termination IP addresses are on different subnets.

OOBM Configuration

The Juniper Mist Edge passes information about configuration, telemetry, and lifecycle management through the OOBM port to the Juniper Mist cloud. The following images depict an OOBM port and data ports on three models of the Juniper Mist Edge.

1. OOBM port

2. Data port (ge0)

3. Data port (ge1)

1. Data port (xe0)

2. Data port (xe1)

3. OOBM port

1. OOBM port

2. Data port (xe0)

3. Data port (xe1)

4. Data port (xe2)

5. Data port (xe3)

1. OOBM port

2. Data port (xge1)

3. Data port (xge0)

Note:

The OOBM port on the Juniper Mist Edge device is marked as MIST. By default, the OOBM port is configured for Dynamic Host Configuration Protocol (DHCP).

You must connect the OOBM port of the Juniper Mist Edge to an access-mode interface of a switch. Depending on your circumstances, you can configure a static IP address from the Juniper Mist portal or from the CLI.

If your network is DHCP enabled, you must first connect to the Juniper Mist cloud by using DHCP. You then use the Juniper Mist portal to configure the static IP address. Here's an example of a configured static IP address:

If your network is not DHCP enabled, use the Juniper Mist Edge CLI to configure the OOBM port. On the Juniper Mist Edge, you can use the management port labeled as IDRAC to access the BIOS, system status, and the Juniper Mist Edge CLI.

The Integrated Dell Remote Access Controller (iDRAC) uses DHCP when you connect the device to a network. You can view the IP address from the front panel through View > IPv4 > IDRAC IP. You can access the iDRAC user interface by using the URL https://iDRAC IP address.

The default IDRAC user is root. The password is available on the back of the pull-out tag of the Juniper Mist Edge.

• 1- Power button

• 2- Pull-out tag

You can specify the OOBM parameters on the CLI.

You can connect to the console interface on the physical appliance by using a terminal software and configure the OOBM IP address. After the management IP address is set, you can SSH to the Mist Edge and perform additional configurations. The user credentials are:

• mist —The default username.

• Claim-code—The default password and the password for the root (su -) user.

You can use the following command format to specify the OOBM parameters:

For example,

The following table lists the default OOBM Interface ID for the Juniper Mist Edge (ME) models.

Table 2: Default OOBM for the Juniper Mist Edge (ME) Models

Mist Edge Appliance Model	Interface ID
Mist Edge-X1	eno1
Mist Edge-X1-M	eno8303
Mist Edge-X5	eno3
Mist Edge X5-M/Mist Edge-X10	ens1f0
Mist Edge-X6	eno8303np0

To set up the Juniper Mist Edge on the Juniper Mist portal, you enter details about the device, including the Tunnel IP address. The Tunnel IP address is different from the OOBM IP address received through DHCP and the static IP address that you assign to bring up the device. Therefore, you must set aside two IP addresses for the Juniper Mist Edge—one for the OOBM interface and the other for the Tunnel IP interface. The addresses should be from the different subnets. The Juniper Mist Edge can communicate to the Juniper Mist cloud only when the following fully qualified domain names (FQDNs) and ports are available for the OOBM interface. Refer Juniper Mist Ports and IP Addresses for information.

Understanding Tunnel Interface Configuration

You can configure the tunnel (data) ports on the Juniper Mist Edge as a single arm or as dual arms (downstream and upstream).

• Single Arm—Carries both upstream and downstream traffic. You can configure and detect one or more ports as a single Link Aggregation Control Protocol (LACP).

• Dual Arm—Carries upstream and downstream traffic on two different ports. You can configure and detect dual arm port configuration as two LACPs.

Understanding Tunnel IP or Downstream Port

Tunnel IP is the virtual interface that an AP uses to set up the L2TPv3 tunnel between the AP and the Juniper Mist Edge.

You must connect your downstream port to the untrusted side of your network that typically connects to your firewall. The downstream port is untagged and you must connect the port to the tunnel IP network.

Ensure that your router or firewall either does port forwarding to the Tunnel Interface IP address (UDP port 1701). This is the interface to which APs from a site or multiple site will communicate to in order to establish a L2TPv3 tunnel.

Note:

The Tunnel IP switch virtual interface (SVI) on the Juniper Mist Edge is a protected interface. Therefore, even without firewall protection, the interface is only accessible to:

• UDP port 1701 for L2TPv3, and UDP ports 500 and 4500 for IPsec

• TCP port 2083 for RADIUS over TLS (RadSec)

For the remote worker use case alone, the Juniper Mist Edge uses UDP ports 500 and 4500 and TCP port 2083. For all the other campus and branch use cases, the Juniper Mist Edge uses UDP port 1701.

Understanding Upstream Data Port

You can connect your upstream data port to the trusted side of the network. This interface would typically connect to your core or aggregate switch trunked with all the necessary user VLANs allowed. Juniper Mist Edge allows L2 tagged traffic from the tunnels to this port.

To create a dual-arm configuration, in the Juniper Mist portal, select Separate Upstream and Downstream Traffic on the Tunnel Interface Configuration page. You can assign the interfaces as needed.

The following figure illustrates two configuration examples. The example on the left depicts Mist Edge-X5-M or Mist Edge-X10, and the example on the right depicts Mist Edge-X1. The ge0 (or xe0 and xe1) interface is connected to the public untrusted side and the ge1 (or xe2 and xe3) interface is connected to the corporate network with all the user VLANs tagged.

You can use a single-arm configuration where either a single port or multiple ports are configured in the port channel. The following example depicts a single-arm configuration where you can select one or more port channels.

Juniper Mist Edge Deployment Types

Depending on your networking needs, you may want an organization-level Juniper Mist Edge or a site-level Juniper Mist Edge.

• Organization-level—In this deployment, you have to configure a Mist cluster and a Mist tunnel. Here, all APs with service set identifier (SSID) configuration for tunneling to a Juniper Mist Edge forms a Layer 2 Tunneling Protocol (L2TP) tunnel to that device. Note that APs belonging to any site can form this tunnel. See Create Mist Cluster and Create Mist Tunnel (Organization Level) .

• Site-level—In this deployment, you have to configure a site tunnel under site configuration. The APs with SSID configuration for tunneling to a site forms tunnels only to the Juniper Mist Edges that are in the same site. You can configure Juniper Mist Edge as a Site edge for deployments where traffic must be tunneled at each site due to the underlying network constraints or security concerns.

  See Create Mist Tunnel (Site level).