Configure Hub Profiles for SRX Series Firewalls

Each hub device in a Juniper Mist™ cloud topology must have its own profile. Hub profiles are a convenient way to create an overlay and assign a path for each WAN link on that overlay in Juniper WAN Assurance.

The difference between a hub profile and a WAN edge template is that you apply the hub profile to an individual device that’s at a hub site. And the WAN edge templates are bound to spoke sites that have multiple devices and bound with the same template across multiple sites. Every Hub WAN interface creates an overlay endpoint for spokes. Spoke WAN interfaces map the appropriate Hub WAN interfaces, defining the topology. Hub profiles drive the addition, removal of paths on your overlay.

When you create a hub profile for the Juniper Networks® SRX Series Firewall, the Mist cloud generates and installs the SSL certificates automatically. It also sets up WAN uplink probes for failover detection.

In this task, you create a hub profile and then clone the same profile to create a second hub profile in the Juniper Mist cloud portal.

Configure a Hub Profile

A hub profile comprises the set of attributes that associate with a particular hub device. Hub profiles include name, LAN,WAN, traffic steering, application policies, and routing options. You can assign the hub profile to a hub device and after a hub profile is loaded onto the site, the device assigned to the site picks up the attributes of that hub profile.

To configure a hub profile:

In the Juniper Mist cloud portal, click Organization > WAN > Hub Profiles.
A list of existing profiles, if any, appears.
Click Create Profile in the upper right corner.

Note:
You can also create a hub profile by importing a JavaScript Object Notation (JSON file) using the Import Profile option.

Enter the name of the profile and click Create.

Table 1 summarizes the options you can set in a hub profile.

Table 1: Hub Profile Options
Field	Description
Name	The profile name. Enter a unique name for the profile. The profile name can include up to 64 characters. Example: hub1.
NTP	IP address or hostname of the Network Time Protocol (NTP) server. NTP allows network devices to synchronize their clocks with a central source clock on the Internet.
Applies to Device	Site to associate the hub profile. The drop-down menu shows a list of the WAN edge devices available in the inventory of the current site.
Hub Group	Configure a hub group by specifying a hub group identifier (number). Hub groups are used to group hub devices logically. Hub groups help you scale your hub architecture horizontally. By assigning a set of devices to a hub group, spokes can form overlay paths to hub endpoints within the group. Each hub group is limited to 31 hub endpoints.
DNS Settings	IP address or host name of Domain Name System (DNS) servers. Network devices use the DNS name servers to resolve hostnames to IP addresses.
Secure Edge Connectors	Secure Edge connector details. Secure Edge performs traffic inspection for the WAN edge devices that the Juniper Mist cloud portal manages.
WAN	WAN interface details. The hub profile uses these details to create an overlay endpoint for spokes. For each of the WAN links, you can define the physical interface, the type of WAN (Ethernet or DSL), the IP configuration, and the overlay hub endpoints for the interfaces. See Add WAN Interfaces to the Hub Profile.
LAN	LAN interface details. This section lists the hub side of the LAN interfaces that connect the hub to the LAN segment. You assign the networks, create VLANs, and set up IP addresses and DHCP options (none, relay, or server). See Add a LAN Interface to the Hub Profile.
Traffic Steering	Steering paths. Define the different paths the traffic can take to reach its destination. For any traffic steering policy, you can include paths for traffic to traverse, as well as the strategies for utilizing those paths. See Configure Traffic-Steering Policies.
Application Policies	Policies to enforce rules for traffic. Define network (source), application (destination), traffic steering policies, and policy action. See Configure an Application Policy.
Routing	Routing options for routing traffic between the hub and spokes. You can s enable Border Gateway Protocol (BGP) underlay routing, where routes are learned dynamically or use static routing to define routes manually. See
CLI Configuration	CLI configuration commands. If you want to configure settings that are not available in the template's GUI, you can configure them using CLI commands in the set format.

Click Save.

Add WAN Interfaces to the Hub Profile

Create WAN interfaces for the hub profile. WAN interfaces become the connection across the SD-WAN. The hub profile automatically creates an overlay endpoints for each WAN interface. Note that the overlay Hub Endpoints is where you tell the spoke (branch) about the hub endpoints.

To add WAN interfaces to the hub profile:

Scroll down to the WAN section and click Add WAN to open the Add WAN Configuration pane.

Complete the configurations according to the details provided in Table 2.

Table 2: WAN Interface Configuration
Field	WAN Interface 1	WAN Interface 2
Name (a label and not a technology)	INET	MPLS
Overlay Hub Endpoint (generated automatically)	hub1-INET	hub1-MPLS
WAN Type	Ethernet	Ethernet
Interface	ge-0/0/0	ge-0/0/1
VLAN ID	-	-
IP Address	{{WAN0_PFX}}.254	{{WAN1_PFX}}.254
Prefix Length	24	24
Gateway	{{WAN0_PFX}}.1	{{WAN1_PFX}}.1
Source NAT	Check Interface.	Check Interface.
Override for Public IP	Check Override for Public IP. Provide Public IP={{WAN0_PUBIP} }	Check Override for Public IP. Provide Public IP={{WAN1_PUBIP} }
Public IP	{{WAN0_PUBIP}}	{{WAN1_PUBIP}}

Note:

Use Network Address Translation (NAT) along with advertising the public IP address unless the WAN address is a publicly routable address.

Click Save

Figure 1 shows the list of WAN interfaces you created.

Figure 1: Configured WAN Interfaces

Add a LAN Interface to the Hub Profile

Hub-side of LAN interfaces connect a hub device to the LAN segment.

To add a LAN interface to the hub profile:

Scroll down to the LAN section, click the Add LAN button to open the Add LAN Configuration pane.

Complete the configuration according to the details provided in Table 3.

Table 3: LAN Interface Configuration
Field	LAN Interface
Network	HUB1-LAN1 (existing network selected from drop-down list)
Interface	ge-0/0/4
IP Address	{{HUB1_LAN1_PFX}}.1
Prefix Length	24
Untagged VLAN	No
DHCP	No

Click Save.
Figure 2 shows the LAN interface you created.
Figure 2: Configured LAN Interfaces

Configure Traffic-Steering Policies

Traffic steering is where you define the different paths that application traffic can take to traverse the network. The paths that you configure within traffic steering determine the destination zone. For any traffic steering policy, you need to define the paths for traffic to traverse and strategies for utilizing those paths. Strategies include:

Ordered—Starts with a specified path and failover to backup path(s) when needed
Weighted—Distributes traffic across links according to a weighted bias, as determined by a cost that you input
Equal-cost multipath—Load balances traffic equally across multiple paths

When you apply a hub profile to a device, the traffic-steering policy determines the overlay, WAN and LAN interfaces, order of policies, and usage of Equal Cost Multi-Path (ECMP). The policy also determines how interfaces or a combination of interfaces interact to steer the traffic.

To configure traffic-steering policies:

Scroll down to the Traffic Steering section, and click Add Traffic Steering to display the Traffic Steering configuration pane.

Configure three traffic-steering policies: one for the overlay, one for the underlay, and one for the central breakout, according to the details provided in Table 4.

Table 4: Traffic-Steering Policy Configuration
Field	Traffic-Steering Policy 1	Traffic-Steering Policy 2	Traffic-Steering Policy 3
Name	Underlay (HUB-LAN)	Overlay	Central Breakout
Strategy	Ordered	ECMP	Ordered
PATHS For path types, existing LAN and WAN networks are made available for selection as endpoints.	Type—LAN Network —HUB1-LAN1	Type—WAN Network —hub1-INET and hub1-MPLS	Type—WAN Network —WAN: INET and WAN: MPLS

Figure 3 shows the list of the traffic-steering policies that you created.

Figure 3: Traffic-Steering Policies

Configure an Application Policy

Application policies are where you define which network and users can access which applications, and according to which traffic-steering policy. The settings in Networks/Users determine the source zone. The Applications and Traffic Steering path settings determine the destination zone. Additionally, you can assign a policy action— permit or deny to allow or block traffic. Mist evaluates and applies application policies in the order in which you list them in the portal. You can use Up Arrow and Down arrows to change the order of policies.

Figure 4 shows different traffic-direction requirements in this task. The image depicts a basic initial traffic model for a corporate VPN setup (third spoke device and second hub device are not shown).

Figure 4: Traffic-Direction Topology

In this task, you create the following application rules to allow traffic:

Rule 1—Allows traffic from spoke sites to reach the hub (and to a server in the DMZ attached to the hub device).
Rule 2—Allows traffic from servers in the DMZ attached to the hub to reach spoke devices.
Rule 3—Allows traffic from spoke devices to reach spoke device hair-pinning through a hub device
Rule 4—Allows Internet-bound traffic from the hub device to the Internet (local breakout). In this rule, define the destination as "Any" with IP address 0.0.0.0/0. The traffic uses the WAN underlay interface with SNAT applied to reach IP addresses on the Internet as a local breakout.
Note:
Avoid creating rules with same destination name and IP address 0.0.0.0/0. If required, create destinations with different names using IP address 0.0.0.0/0.
From the spoke devices to the Internet directly (not passing through the hub device). In this rule, define the destination as "Any" with IP address 0.0.0.0/0. The traffic uses the WAN underlay interface with SNAT applied to reach IP addresses on the Internet as a local breakout. This method implements a central breakout at the hub for all spoke devices.

To configure an application policy:

Scroll down to the Application Policy section, click Add Policy to create a new rule in the policy list.
Note:
- For SRX Series Firewalls, you must associate a traffic-steering policy to the application policy.
- The order of application policies in the policies list is very important for SRX Series Firewalls.
Click the Name column and give the policy a name, and then click the blue checkmark to apply your changes.

Figure 5: Adding a New Application Policy

Create application rules according to the details provided in Table 5.

Table 5: Application Policy Rule Configuration
No. (Policy Order)	Rule Name	Network	Action	Destination	Steering
1	Spoke-to-Hub-DMZ	ALL.SPOKE-LAN1	Pass	HUB1-LAN1	HUB-LAN
2	Hub-DMZ-to-Spokes	HUB1-LAN1	Pass	SPOKE-LAN1	Overlay
3	Spoke-to-Spoke-on-Hub-Hairpin	ALL.SPOKE-LAN1	Pass	SPOKE-LAN1	Overlay
4	Hub-DMZ-to-Internet	HUB1-LAN1	Pass	ANY	LBO
5	Spokes-Traffic-CBO-on-Hub	ALL.SPOKE-LAN1	Pass	ANY	LBO

Figure 6 shows a list of the application policies that you created.

Figure 6: Application Policy Summary

In the above illustration, the green counter marks indicates the policies you have created for the traffic requirements in Figure 4.

Allow ICMP pings for debugging and for checking device connectivity.
The default security configuration for SRX Series Firewalls does not allow ICMP pings from LAN device to the local interface of the WAN edge router. You might need to test connectivity before devices attempt to connect to the outside network. You allow ICMP pings for debugging and for checking device connectivity.

On an SRX Series Firewall, you can use the following CLI configuration statement to allow pings to the local LAN interface for debugging.

Create a Second Hub Profile by Cloning the Existing Hub Profile

Hub devices are unique throughout your network. You have to create an individual profile for each hub device. Juniper Mist™ enables you to create a hub profile by cloning the existing profile and applying modifications wherever required.

To create a second hub profile by cloning an existing hub profile:

In the Juniper Mist cloud portal, click Organization > WAN > Hub Profiles.
A list of existing hub profiles, if any, appears.
Click the hub profile (example: hub1) that you want to clone. The profile page of the selected hub profile opens.
In the upper right corner of the screen, click More and select Clone.

Figure 7: Create a New Hub Profile By Using the Clone Option
Name the new profile (example: hub2) and click Clone.

If you see any errors while naming the profile, refresh your browser.
Start configuring the profile. Since you've used variables when creating the original hub profile, you don't need to configure all options from the beginning. You need to change only the required configurations to reflect HUB2 details. For example, change Network to HUB2-LAN1 and change IP Address to {{HUB2_LAN1_PFX}}.1.

Figure 8: Edit a Cloned Profile
Change the LAN interface to include HUB2. Example: HUB2-LAN1 and {{HUB2_LAN1_PFX}}.1
Confirm that the variables in the configuration have changed to reflect hub2 profile details. Example: Overlay definitions have changed to hub2-INET and hub2-MPLS.

Figure 9: Updated Traffic-Steering Policy
Scroll down to the TRAFFIC STEERING pane and edit the entry to change the Paths to LAN: HUB2-LAN1.

Figure 10: Update Paths in a Traffic-Steering Policy

Update the application rules according to the details provided in Table 6. For example, wherever applicable, change HUB1-LAN to HUB2-LAN.

Table 6: Application Rules Configuration
S.No.	Rule Name	Network	Action	Destination	Steering
1	Spoke-to-Hub-DMZ	ALL.SPOKE-LAN1	Pass	HUB2-LAN1	HUB-LAN
2	Hub-DMZ-to-Spokes	HUB2-LAN1	Pass	SPOKE-LAN1	Overlay
3	Spoke-to-Spoke-on-Hub-Hairpin	ALL.SPOKE-LAN1	Pass	SPOKE-LAN1	Overlay
4	Hub-DMZ-to-Internet	HUB2-LAN1	Pass	ANY	LBO
5	Spokes-Traffic-CBO-on-Hub	ALL.SPOKE-LAN1	Pass	ANY	LBO

Figure 11 shows the details of the updated application policies after you save your changes.

Figure 11: Updated Application Policy Summary

Hub-to-Hub Overlay

The Hub-to-hub overlay feature allows a you to form a peer path between two hub devices. You can utilize the hub-to-hub overlay path as a preferred route for data center traffic originating from sites. Additionally, these hub-to-hub overlays can serve as failover paths in scenarios involving hub-to-spoke connections.

Configure Hub-to-Hub Overlay
Verification

Configure Hub-to-Hub Overlay

To create Hub-to-Hub overlay, the WAN interfaces of one hub map to the WAN interfaces of another hub, thus forming an overlay and designating a traffic pathway.

Note:

Hub-to-Hub overlay can utilize different WAN interfaces on both hub devices. It is not mandatory for the overlay to form between identical WAN interfaces on the two hubs.

Consider you have two hubs, Hub device A and Hub device B, and you wish to establish an overlay between them.

Hub device A is equipped with two WAN interfaces: WAN-1-A and WAN-2-A. You must pair these WAN interfaces with the WAN interfaces of Hub device B, which are WAN-1-B and WAN-2-B, marking them as hub endpoints.

Similarly, for Hub device B:

It features two WAN Interfaces: WAN-1-B and WAN-2-B. These should be linked to the WAN Interfaces of Hub Device A (WAN-1-A and WAN-2-A) to complete the setup as hub endpoints.

Use the following steps to create hub endpoints:

On Juniper Mist portal, select WAN Edges and click the hub device. Ensure that the hub device you select must be part of hub topology.
Figure 12: Hub Device in Hub Topology
On the WAN Edge > Device-Name page, go to Properties section and scroll down to Hub Profile.
Click the hub profile link to open the Hub Profile page.
Scroll-down to WAN section and click a WAN interface which you want to use for overlay.
In the Edit WAN Configuration window, scroll down to Hub-to-Hub Endpoints and click Add Hub-to-Hub Endpoints option.
Figure 13: Adding Hub-to-Hub Endpoints
1. Select a hub endpoint point (WAN interface) from the drop-down menu. Choose the WAN interface of the other hub device to establish an overlay connection.
  Figure 14: Select WAN Interface for Overlay
2. Click Save. The selected hub endpoint appears under Hub to Hub Endpoints columns in WAN pane.
Select another WAN interface and repeat the same procedure to add another endpoint.
Now, both endpoints appear under Hub to Hub Endpoints columns in WAN pane.
Figure 15: Configured Hub to Hub Endpoints of First Hub Device
Click Save.

Now, lets configure WAN interfaces of other hub device to complete the setup as hub endpoints.

On Juniper Mist portal, select WAN Edges and click the hub device. This is the hub device from which you earlier chose the WAN interface for establishing the overlay.
On the WAN Edge > Device-Name page, go to Properties section and scroll down to Hub Profile.
Click the hub profile link to open the Hub Profile page.
Scroll-down to WAN section and click a WAN interface which you want to use for overlay.
In the Edit WAN Configuration window, scroll down to Hub-to-Hub Endpoints and click Add Hub-to-Hub Endpoints option.
1. Select a hub endpoint point from the drop-down menu. Select the WAN interface of the same hub device that was configured in the prior procedure
2. Click Save. The selected hub endpoint appears under Hub to Hub Endpoints columns in WAN pane.
Select another WAN interface and repeat the same procedure to add another endpoint.
Now, both endpoints appear under Hub yo Hub Endpoints columns in WAN pane.
Figure 16: Configured Hub to Hub Endpoints of Second Hub Device
Click Save.

Verification

On Juniper Mist portal, you can verify the established hub-to-hub overlays by checking the topology of the WAN Edge device:

On the WAN Edge page, the Topology column displays Hub/Mesh.

Figure 17: Topology Displaying as Hub/Mesh

Go to WAN Edge page of the device and check Topology Details section. The portal displays peer details and also connection status.

Figure 18: Hub-to-Hub Overlay Topology Details

ON THIS PAGE