# Campus and Branch Fullstack Lab

## Lab Summary

The switch and MistAP in this lab are managed, configured and monitored using Mist. This is an introductory lab that walks you through navigating the Mist portal to configure interfaces and the hostname, and to define switch templates, port profiles, the RADIUS server and authentication methods.

### Topology

![screenshot](./images/Image1.png)

### Access Devices

Open a browser and navigate to the URL provided to you.

Use the credentials provided to you to log in.

Once logged in, you should be able to see the device list as below:

Right click on the devices listed and 'open in a new tab' to access the resources.

![screenshot](./images/Image2.png)

Use Juniper!1 as the password:

![screenshot](./images/Image3.png)

## Mist Org Access

### Sign up to create a Mist account.

> URL:
>
> Fill in all the details:
>
> ![screenshot](./images/Image4.png)
>
> Click on 'Create Account'

### Validate your account

> You'll receive an email invite from to a Mist Org
> to validate your account:
>
> ![screenshot](./images/Image5.png)

### Sign-in

> Sign in to your Mist account:

### Get access to your Mist Org:

> To get access to the Mist org assigned to you for this lab, provide
> the on-site Lab representative with your email address.
>
> As soon as they add you, you'll receive another email from
>
> Click on the link
>
> ![screenshot](./images/Image6.png)

### Accept the invitation

> ![screenshot](./images/Image7.png)
>
> You should now be able to access the Mist org.

## Lab instructions:

### Initial Configuration on Switch

> On Mist portal, **navigate to the Switch section** and select the
> onboarded switch.

1. **Give it a name: EX4300**

    > ![screenshot](./images/Image8.png)

2. **Add management IP config in Additional CLI:**

    ```
    delete interfaces em0
    delete interfaces vme
    delete interfaces me0
    set interfaces me0 unit 0 family inet address 100.123.105.1/16
    ```

    > ![screenshot](./images/Image9.png)

3. **Manage the Switch via Mist:**

    > ![screenshot](./images/Image10.png)

4. **Save the changes** and wait for it to push the config to the device.

    > ![screenshot](./images/Image11.png)

### Create and configure a switch template for the site

> A switch template makes scaling easier.
>
> On Mist:

1. **Create Switch template**

    > Navigate to Organization → Switch templates
    >
    > ![screenshot](./images/Image12.png)
    >
    > Click on the create option and give a name to it.
    >
    > ![screenshot](./images/Image13.png)
    >
    > ![screenshot](./images/Image14.png)

2. **Configure Radius Server**

    > ![screenshot](./images/Image15.png)
    >
    > **10.0.0.10** is an external radius server in the lab.
    >
    > Use password: **Juniper!1**

3. **Configure VLANs**

    > VLAN 1 is defined by default. We are defining another vlan with name
    > lan and vlan-id as 2.
    >
    > ![screenshot](./images/Image16.png)

4. **Configure Port Profiles**

    > We define port profiles for wired and wireless networks so we can
    > assign them to the interfaces based on our topology connecting to AP
    > and a wired client.
    >
    > ![screenshot](./images/Image17.png)
    >
    > ![screenshot](./images/Image18.png)

5. **Assign the switch template to the site.**

    > ![screenshot](./images/Image19.png)
    >
    > ![screenshot](./images/Image20.png)

6. **Save the changes.**

### Configure the Switch

> On Mist:

1. **Assign a new Static IP to the switch.**

    > The switch does get an IP lease on irb.0 interface from the DHCP
    > server.
    >
    > We will see how we can add a static IP to the switch.

    1. **Navigate to Switch → EX4300**

        > You can see the DHCP lease IP as below:
        >
        > ![screenshot](./images/Image21.png)

    2. **Add static IP as below:**

        > IP: 10.0.0.5
        >
        > Subnet: /16
        >
        > Default Gateway: 10.0.0.1
        >
        > Primary DNS: 8.8.8.8
        >
        > Secondary DNS: 8.8.4.4
        >
        > ![screenshot](./images/Image22.png)

    3. **Save the changes** and wait for it to reflect on the switch.

2. **Verify the changes**

    > Use the remote shell option to SSH into the switch.
    >
    > The changes expected in the switch after the last push should be as
    > below:
    >
    > ![screenshot](./images/Image23.png)
    >
    > ![screenshot](./images/Image24.png)

3. **Configure Interfaces on Switch**

    > We configure ge-0/0/1 with vlan-1 (default) port profile -- lan. This
    > interface is connected to AP.
    >
    > We configure ge-0/0/2 with vlan-2 port profile -- lan. This interface
    > is connected to a wired client (windowsPC).

    1. **ge-0/0/0 is a trunk port connecting to WAN.**

        > ![screenshot](./images/Image25.png)

    2. **ge-0/0/1 is an access port, connected to the AP in default vlan**

        > ![screenshot](./images/Image26.png)

    3. **ge-0/0/2 is also an access port, connected to the wired client (windows PC)**

        > ![screenshot](./images/Image27.png)

4. **Let's configure DHCP server**

    > On the Mist → Switch, configure DHCP server to hand out lease for
    > devices in vlan-id 2 network.

    1. **Configure irb.2 with L3 network**

        > ![screenshot](./images/Image28.png)
        >
        > ![screenshot](./images/Image29.png)

    2. **Configure the DHCP server:**

        > ![screenshot](./images/Image30.png)
        >
        > ![screenshot](./images/Image31.png)

5. **Save the changes.**

    > We have now configured our required network (vlan 2), port
    > profiles (wlan and wan profiles), configured interfaces with port
    > profiles and configured a DHCP server for handing out lease to devices
    > in vlan-2.

### Create WLAN on Mist

> **Navigate to Site -> WLAN**
>
> ![screenshot](./images/Image32.png)

1. **Create WLAN:**

    > Provide a custom SSID: WLAN-xyz

2. **Define the Security type**

    > In the security section, use the PSK option to define the type of
    > security and provide a password. We have used "Juniper!1" as the
    > password. It can be any value you prefer.
    >
    > ![screenshot](./images/Image33.png)

3. **Click on create to finish setting up the WLAN.**

### Connect PC to MistAP Wi-Fi

> Let's try to connect to WLAN using the PC in the setup.
>
> The Wi-Fi adapter will list the WLAN SSID that you created.

1. **Access PC**

    > ![screenshot](./images/Image34.png)
    >
    > Open in a new window

2. **Connect to SSID**

    > Look for the SSID to connect to the Wi-Fi.
    >
    > Go to Wi-Fi settings and connect to WLAN.
    >
    > We are using Juniper!1 as password. It was set during the WLAN
    > creation on Mist org.
    >
    > ![screenshot](./images/Image35.png)

3. **Check Wi-Fi Client Insights**

    > On Mist:
    >
    > ![screenshot](./images/Image36.png)
    >
    > ![screenshot](./images/Image37.png)
    >
    > Click on the client-insights to get more information
    >
    > ![screenshot](./images/Image38.png)

### Wired Assurance

> Windows PC is our wired client for this section.
>
> We want this WindowsPC to be able to access our network based on mac
> authentication criteria. So, we configure the file on the radius
> server.
>
> ![screenshot](./images/Image39.png)

1. **Configure Radius Server file to allow authentication for WindowsPC**

    1. **Get mac address of Ethernet1 on Windows-PC**

        1. **Access WindowsPC and open command prompt.**

            > ![screenshot](./images/Image40.png)

        2. **Copy the mac on Eth1**

            > Use command **ipconfig /all**. Note the mac on Ethernet1 adapter.
            >
            > ![screenshot](./images/Image41.png)

    2. **Configure radius server**

        1. **Access the radius server**

            > ![screenshot](./images/Image42.png)

        2. **Edit the file on radius server**

            > Add the mac in the **wired** section of the preconfigured file.

            ```
            jcluser@Template-LinuxJumpStation:~$ sudo -i
            [sudo] password for jcluser: Juniper!1
            root@Template-LinuxJumpStation:~# vi /root/freeradius/raddb/mods-config/files/authorize
            ```

        3. **Edit the mac in the file.**

            > Make sure it's all lower-case; otherwise the authentication will fail.
            >
            > ![screenshot](./images/Image43.png)

        4. **Save the file and restart the radius docker container using the commands below.**

            ```
            docker rm -f radius
            cd freeradius
            docker build -t freeradius/freeradius-server .
            docker run --restart=always --name=radius -t -d -p 1812-1813:1812-1813/udp freeradius/freeradius-server -X
            ```

2. **Verify:**

    1. **Access WindowsPC and open network connections.**

        > Disable and then enable Ethernet1 interface.
        >
        > ![screenshot](./images/Image44.png)
        >
        > The ethernet1 on windows PC will receive a new IP, once it gets
        > authenticated by the server.
        >
        > ![screenshot](./images/Image45.png)

    2. **Check the authentication status on the switch.**

        > Use the remote shell option for Switch
        >
        > ![screenshot](./images/Image23.png)

        ```
        mist@EX4300> show dot1x interface detail
        ```

        > ![screenshot](./images/Image46.png)

    3. **On Mist, check the wired client insights**

        > ![screenshot](./images/Image47.png)

### Wireless Client Assurance

> This use case shows the mac-based authentication for wireless clients.
>
> Modify the existing WLAN configuration to include mac authentication option and the radius server configuration.
>
> First, we configure and then we verify.

1. **Configure**

    > On Mist:

    1. **Edit WLAN**

        > **Navigate to Site → WLAN → edit the existing one**
        >
        > ![screenshot](./images/Image33.png)
        >
        > ![screenshot](./images/Image48.png)
        >
        > **Save the configs.**

    2. **Configure radius server file**

        > Add PC's Wi-Fi adapter's mac address to the radius server.

        1. **Access PC**

            > Retrieve the mac from the command prompt on PC
            >
            > ![screenshot](./images/Image49.png)

        2. **Access the radius server**

            > Modify the 'authorize' file as shown below.

        3. **Add the mac address in the wireless section of the preconfigured file.**

            ```
            labuser@Template-LinuxJumpStation:~$ sudo -i
            [sudo] password for labuser: Juniper!1
            root@Template-LinuxJumpStation:~# vi /root/freeradius/raddb/mods-config/files/authorize
            ```

            > ![screenshot](./images/Image50.png)

        4. **Save the file and restart the radius docker container using the below commands**

            ```
            docker rm -f radius
            cd freeradius
            docker build -t freeradius/freeradius-server .
            docker run --restart=always --name=radius -t -d -p 1812-1813:1812-1813/udp freeradius/freeradius-server -X
            ```

2. **Verify**

    1. **Connect to the wireless network again on PC.**

        > Once connected, you can check the dhcp leased IP on the Wi-Fi adapter
        > and also check the wireless client insights.
        >
        > ![screenshot](./images/Image51.png)

    2. **Check Client Insights on Mist**

        > On Mist: navigate to Clients → Wireless Clients → Client Insights
        >
        > ![screenshot](./images/Image52.png)
        >
        > ![screenshot](./images/Image53.png)

### WAN Assurance

> Let's check junos CLI of the device and check that the autogenerated
> Certificates are in bound
>
> SSH to vSRX or get access to it via Remote shell

2. **Check pki local certificate information**

    > Access vSRX

    ```
    mist@SRX> show security pki local-certificate
    ```

    > ![screenshot](./images/Image54.png)

3. **We need to check if Application IDs are loaded, the Tracking is enabled and that there is now a TLS connection via destination-port 6514 to the Mist Portal.**

    ```
    mist@SRX> show services application-identification status
    ```

    > ![screenshot](./images/Image55.png)

4. **Open another SSH session for vSRX**

    ```
    telnet signatures.juniper.net port 443
    ```

    > Check if there are already Applications detected
    >
    > ![screenshot](./images/Image56.png)

## Monitoring, Reporting and Debugging

### EX-Switch Port Statistics and Debugging (basic)

This is an overview of how to use Mist for monitoring.

![screenshot](./images/Image57.png)

Here you see a summary of the items available in the overview.

![screenshot](./images/Image58.png)

Let's focus on the Ports status first to find out what information it provides.

![screenshot](./images/Image59.png)

Hover with the mouse over some Ports. In this example you see a wired Port:

![screenshot](./images/Image60.png)

Next is a Port where an AP is connected (we have no PoE in this Switch).

![screenshot](./images/Image61.png)

Next is the overview of the measured assurance compliance.

![screenshot](./images/Image62.png)

Check the Switch properties, such as the Junos Version that is on it and the Model.

![screenshot](./images/Image63.png)

Review the Switch statistics next:

![screenshot](./images/Image64.png)

Now check out the Testing Tools that are available to you.

![screenshot](./images/Image65.png)

You see a couple of those Testing Tools available to you, so let's try some.

![screenshot](./images/Image66.png)

If those Testing Tools do not give you the information you are looking for, the alternative offered here is a remote **SSH-Shell to the Device**, where you can **use the local CLI** on the Device as you can see in the example below.

![screenshot](./images/Image67.png)

### Switch Insights

You can now go and explore Switch Insights by clicking here:

![screenshot](./images/Image68.png)

![screenshot](./images/Image69.png)

Then you see the Timeline of Switch events and when something has happened.

![screenshot](./images/Image70.png)

Using the mouse, you can mark a field within the timeline to zoom in, which will give you more details. (Note: these graphs are added for information purposes only. They may or may not show up during your lab.)

![screenshot](./images/Image71.png)

If there are Events in the currently selected Event Timeline, they will appear below with more details on what was reported.

![screenshot](./images/Image72.png)

Now review all the possible events that the System has configured and will report. You see this is quite an extensive list.

![screenshot](./images/Image73.png)

The next Widgets you see in this view contain more details about:

- CPU Utilization
- Memory Usage
- Transferred Bytes (TX/RX)
- Port Errors
- PoE Power Utilization

![screenshot](./images/Image74.png)

Then again you have the Port view on the Front Panel. The Port List here may be of interest.

![screenshot](./images/Image75.png)

It is important to notice that when you click on a Port in the Front Panel View or in the Port List, you go a level deeper and get an insight view for a single Port of the Switch.

![screenshot](./images/Image76.png)

The last fields are Switch Properties and Status.

![screenshot](./images/Image77.png)

### Wired Clients and Insights

Information about connected Wired Clients is available via **Clients \> Wired Clients**.

![screenshot](./images/Image78.png)

This is then the overview page for a Site with attached Clients.

![screenshot](./images/Image79.png)

When you click on **a single Client link** indicated above, a specific Client view opens telling you where exactly it is attached. This view also gives you the ability to go a level deeper and get insight information.

![screenshot](./images/Image80.png)

![screenshot](./images/Image81.png)

Congratulations, you have completed the lab!

## Lab Survey

Please take 2 minutes and complete the [Mist Fullstack Hands-On Lab Survey](https://www.surveymonkey.com/r/ZP5PBV2)

![Mist-HOL-Survey-qr-code](./images/Mist-HOL-Survey-qr-code.png)
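
For the `authorize` file edits in the Wired Assurance and Wireless Client Assurance sections above, this added example (not part of the original lab) checks the file for MAC entries that are not all lower-case before the radius container is rebuilt. The entry layout (`<mac> Cleartext-Password := "<mac>"`, 12 hex digits without separators), the function names and the sample file are assumptions, since the lab shows the file only in a screenshot.

```shell
#!/bin/sh
# Added example: lint MAC-auth entries in a FreeRADIUS "authorize" file.
# ASSUMPTION: one entry per line, first field is the MAC as 12 lower-case
# hex digits with no separators.

# Convert a MAC in any common notation (ipconfig /all prints
# 00-50-56-AB-CD-EF) to the assumed lower-case, separator-free form.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    if [ "${#mac}" -ne 12 ] || printf '%s' "$mac" | grep -q '[^0-9a-f]'; then
        echo "not a MAC address: $1" >&2
        return 1
    fi
    printf '%s\n' "$mac"
}

# Print "<line>: <found> -> <expected>" for every MAC entry that is not
# normalized. Exit status is 1 if at least one entry needs fixing.
lint_authorize() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]/ { next }                   # indented reply-item lines
        {
            bare = $1
            gsub(/[-:.]/, "", bare)
            # skip entries that are not MACs (DEFAULT, named users)
            if (length(bare) != 12 || bare ~ /[^0-9A-Fa-f]/) next
            want = tolower(bare)
            if ($1 != want) { printf "%d: %s -> %s\n", NR, $1, want; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample file (all MACs are made up for illustration).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# wired
005056abcdef Cleartext-Password := "005056abcdef"
00-50-56-AB-CD-01 Cleartext-Password := "00-50-56-AB-CD-01"
# wireless
A4B1C2D3E4F5 Cleartext-Password := "A4B1C2D3E4F5"
DEFAULT Auth-Type := Reject
EOF

lint_authorize "$SAMPLE" || echo "fix the entries above before rebuilding the radius container"
```

On the jump station the check would be run against `/root/freeradius/raddb/mods-config/files/authorize` after editing and before `docker rm -f radius`.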