# Mist Multihoming Fabric Lab

## Overview

This is a Mist-managed EVPN-VXLAN Campus Fabric lab setup. The core and access layer switches are configured, managed and monitored using Mist Cloud. This lab focuses on the **Multihoming** fabric type. The setup also has Linux VMs as end-host clients to verify communication between hosts in different VRFs, followed by a Mist NAC use case.

### Topology

![](./images/image1.png)

### Known Limitations of Demos of this Physical Sandbox Lab

- No support for ZTP/Claim Method. Use the Adopt Method on those devices for now.
- No support for Virtual Chassis (vEX limit).
- No support for GBP (vEX limit).
Note: The instructions are not DAY-0, DAY-1 and DAY-2 compliant. Please refer to the official Mist guide for the DAY-0, DAY-1 and DAY-2 operation information used in an actual deployment!
## Starting Lab

### Access to Lab

If you have not already signed up for the lab, please sign up to get access. You'll receive an email with the lab URL and credentials.

### Access Devices

1. Open a browser and navigate to the URL provided to you.
2. Once you log in, you will see a screen like the one below. Right-click and **Open in a new tab**.

   ![](./images/image2.png)

### Mist Org Access

1. Sign up to create a Mist account at this URL: [https://manage.mist.com/signin.html#!signup/register](https://manage.mist.com/signin.html#!signup/register)
   - If you do not have a Global01 account, please sign up.
   - If you have a Global01 Mist account, skip to the Sign-in step.
2. Fill in all the details:

   ![](./images/image3.png)
3. Click **Create Account**.
4. You'll receive an email invite from [no-reply@mist.com](mailto:no-reply@mist.com) to a Mist Org to validate your account.
5. Click **Validate Me!**

   ![](./images/image4.png)
6. Sign in to your Mist account: [https://manage.mist.com/#/](https://manage.mist.com/#/)
7. IMPORTANT: Open the **MIST ORG access** on the URL provided to you and use the following command to get access to the Mist org assigned to you for this lab:
Note: Alternatively, press the UP-arrow key on your laptop to recall the command on your CLI and edit the email-id part.
```
add mist -e "email=YOUR_EMAIL_ID"
```

![](./images/image5.png)
Note: Copy-paste option: normal copy-paste may not work with the Guacamole server. On a Windows device with an external keyboard, the Guacamole menu is displayed by pressing Ctrl+Alt+Shift. On a Mac device with an external keyboard, the Guacamole menu is displayed by pressing Ctrl+Command+Shift. Paste the command into the clipboard box.

![](./images/image6.png)

To dismiss the clipboard, use the same keys (Ctrl+Alt+Shift / Ctrl+Command+Shift). You should now be able to paste the text that you entered in the box.
8. After running the command, you'll receive an email from
Note: If you have not received the email, please contact the Lab Proctor.
9. Click on the link in the email.

   ![](./images/image7.png)
10. Accept the invitation.

    ![](./images/image8.png)
11. You should now be able to access the Mist org.

## Adding Switches to a Site

The switches are adopted into the Mist org by automation during setup. We need to assign the adopted switches to the site. On the Mist Org:

1. Click on **Organization > Inventory**.

   ![](./images/image9.png)
2. Select the **Switches** tab, and the **Entire Org** view.
3. Select all **Switches**, and click **Assign to Site**.

   ![](./images/image10.png)
4. Assign them to **main_site**.

   ![](./images/image11.png)

## Create a Switch Template

Here, we define configurations that are common to the devices across the site. This helps to minimize reconfiguration and errors, and helps with scaling. We will define VLANs and port profiles that apply to all the switches in the site.

1. Navigate to the Switch Template section: **Organization > Wired > Switch Templates**
2. Click **Create Template**, and name it **switch_template**.

   ![](./images/image12.png)

### Import Switch Template

1. Download [this Switch template](switchtemplate-multihoming.json).
2. Import the template JSON into your Mist org.

   ![](./images/image13.png)
3. Skip to [Assign switch_template to site](#assign-switch_template-to-site) if your import was successful.
4. If your import of the switch template failed, please proceed with the next instructions.

### Manual Switch Configuration

1. Define the following **VLANs**:
   - vlan1099
     - **Name** - vlan1099
     - **ID** - 1099
   - vlan1088
     - **Name** - vlan1088
     - **ID** - 1088
   - vlan1033
     - **Name** - vlan1033
     - **ID** - 1033

   ![](./images/image14.png)
   ![](./images/image15.png)
2. Define the following **Port Profiles**:
   - vlan1099
     - **Name** - vlan1099
     - **Port Network** - vlan1099
   - vlan1088
     - **Name** - vlan1088
     - **Port Network** - vlan1088
   - vlan1033
     - **Name** - vlan1033
     - **Port Network** - vlan1088

   ![](./images/image16.png)
   ![](./images/image17.png)

### Assign switch_template to site

1. Click **Assign to Site**.

   ![](./images/image18.png)
2. Select **main_site**, then click **Add**.

   ![](./images/image19.png)

## Manage the Devices via Mist

Before we proceed, let's manage all the devices via Mist.

1. Click **Enable Switch Configuration**.

   ![](./images/image20.png)
2. Acknowledge this message and proceed.

   ![](./images/image21.png)

## MULTIHOMING FABRIC with L2 Exit

### Configure the Fabric

1. Navigate to **Organization > Wired > Campus Fabric**.

   ![](./images/image22.png)
2. Enter the following under **Topology**:
   - **Topology Type** - EVPN Multihoming
   - **Name** - Multi-Homing
   - **Virtual Gateway v4 MAC address** - Enabled

   ![](./images/image23.png)
3. Add the following to **Collapsed Core** under **Nodes**:
   - Core1
   - Core2

   ![](./images/image24.png)
4. Add the following to **Access** under **Nodes**:
   - Access1
   - Access2

   ![](./images/image25.png)
5. Add the following **Networks** under **Network Settings**:
   - vlan1099
     - **Name** - vlan1099
     - **ID** - 1099
     - **IPv4 Subnet** - 10.99.99.0/24
     - **IPv4 Gateway** - 10.99.99.1
   - vlan1088
     - **Name** - vlan1088
     - **ID** - 1088
     - **IPv4 Subnet** - 10.88.88.0/24
     - **IPv4 Gateway** - 10.88.88.1
   - vlan1033
     - **Name** - vlan1033
     - **ID** - 1033
     - **IPv4 Subnet** - 10.33.33.0/24
     - **IPv4 Gateway** - 10.33.33.1

   ![](./images/image26.png)
6. For L2 exit, we must define a default route towards the gateway on the attached external WAN router (the MX in this lab). Add the following VRF Instances:
   - customera
     - **Networks** - vlan1099
     - **Extra Routes** - 0.0.0.0/0 via 10.99.99.254
   - customerb
     - **Networks** - vlan1088
     - **Extra Routes** - 0.0.0.0/0 via 10.88.88.254
   - devices
     - **Networks** - vlan1033
     - **Extra Routes** - 0.0.0.0/0 via 10.33.33.254

   ![](./images/image27.png)
   ![](./images/image28.png)
   ![](./images/image29.png)
Note: 10.99.99.254, 10.88.88.254 and 10.33.33.254 are the IPs on the vSRX, which acts as the gateway that routes traffic out of the fabric and also routes traffic between the VRFs.
7. Give a name to the links between core and access:
   - **Name** - core-access
   - **Trunk Network** - vlan1099, vlan1088, vlan1033

   ![](./images/image30.png)
8. Review the summary:

   ![](./images/image31.png)
9. Now let's connect the port links.

   ![](./images/image32.png)
10. Example:

    ![](./images/image33.png)
11. Core1

    ![](./images/image34.png)
12. Core2

    ![](./images/image34.png)
13. Access switches

    ![](./images/image35.png)
    ![](./images/image36.png)
14. Confirm the configurations:

    ![](./images/image37.png)
15. Once you have completed verification, select **Apply Changes**.

    ![](./images/image38.png)
16. Campus Fabric configuration ends here.

### WAN-Router (MX) Layer 2 VLAN Attached to Core

![](./images/image39.png)

1. On Mist, configure the port on both of the core switches.
2. Select **Core1 > Interface ge-0/0/0**, and click **Modify Port Configuration**.
3. Configure the port with the following:
   - **Port ID** - ge-0/0/0
   - **Interface** - L2
   - **Configuration Profile** - core-access
   - **Port Aggregation** - Enabled
   - **AE Index** - 0
   - **ESI-LAG** - Yes

   ![](./images/image40.png)
   ![](./images/image41.png)
4. Repeat for **Core2 > Interface ge-0/0/0**.

### Verification

1. Access the switches from Mist, using the Shell option.

   ![](./images/image42.png)
2. Check the BGP summary and the LACP state on all the switches:

   ```
   show bgp summary
   ```

   ![](./images/image43.png)

   ```
   show lacp interfaces
   ```

   ![](./images/image44.png)
3. The two clients are in different VLANs and VRFs. We need to assign an IP to Client-1 and add the port config on the corresponding switch.

   ![](./images/image45.png)
4. On Access-1, configure port ge-0/0/3 with the vlan1099 port profile.

   ![](./images/image46.png)
   ![](./images/image47.png)
5. On Access-2, configure port ge-0/0/3 with the vlan1088 port profile.

   ![](./images/image46.png)
   ![](./images/image48.png)
6. Set a static IP address.

   ![](./images/image45.png)
7. Access Client-1, and add the IP address and default route:

   ![](./images/image49.png)

   ```
   ip addr add 10.99.99.99/24 dev eth1
   ip link set dev eth1 up
   ip route del default
   ip route add default via 10.99.99.1
   ip route
   ```

   Output:

   ```
   default via 10.99.99.1 dev eth1
   10.99.99.0/24 dev eth1 proto kernel scope link src 10.99.99.99
   100.123.0.0/16 dev eth0 proto kernel scope link src 100.123.20.1
   ```
8. On Client-2, add the IP address and default route:

   ```
   ip addr add 10.88.88.88/24 dev eth1
   ip link set dev eth1 up
   ip route del default
   ip route add default via 10.88.88.1
   ip route
   ```

   Output:

   ```
   default via 10.88.88.1 dev eth1
   10.88.88.0/24 dev eth1 proto kernel scope link src 10.88.88.88
   100.123.0.0/16 dev eth0 proto kernel scope link src 100.123.20.2
   ```
9. Now you need to configure the end hosts (wired clients).
10. On Client-1, ping the virtual GW of this subnet:

    ```
    ping -c3 10.99.99.1
    PING 10.99.99.1 (10.99.99.1) 56(84) bytes of data.
    64 bytes from 10.99.99.1: icmp_seq=1 ttl=64 time=0.765 ms
    64 bytes from 10.99.99.1: icmp_seq=2 ttl=64 time=0.781 ms
    64 bytes from 10.99.99.1: icmp_seq=3 ttl=64 time=0.642 ms

    --- 10.99.99.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 65ms
    rtt min/avg/max/mdev = 0.642/0.729/0.781/0.065 ms
    ```
11. On Client-1, ping the static GW address of the Core1 switch:

    ```
    ping -c3 10.99.99.2
    PING 10.99.99.2 (10.99.99.2) 56(84) bytes of data.
    64 bytes from 10.99.99.2: icmp_seq=1 ttl=64 time=13.3 ms
    64 bytes from 10.99.99.2: icmp_seq=2 ttl=64 time=4.31 ms
    64 bytes from 10.99.99.2: icmp_seq=3 ttl=64 time=4.83 ms
    ```
12. On Client-1, ping the static GW address of the Core2 (collapsed core) switch:

    ```
    ping -c3 10.99.99.3
    PING 10.99.99.3 (10.99.99.3) 56(84) bytes of data.
    64 bytes from 10.99.99.3: icmp_seq=1 ttl=64 time=7.02 ms
    64 bytes from 10.99.99.3: icmp_seq=2 ttl=64 time=3.69 ms
    64 bytes from 10.99.99.3: icmp_seq=3 ttl=64 time=7.16 ms
    ```
13. On Client-1, ping the vSRX WAN router:

    ```
    ping -c3 10.99.99.254
    PING 10.99.99.254 (10.99.99.254) 56(84) bytes of data.
    64 bytes from 10.99.99.254: icmp_seq=1 ttl=64 time=19.4 ms
    64 bytes from 10.99.99.254: icmp_seq=2 ttl=64 time=4.71 ms
    64 bytes from 10.99.99.254: icmp_seq=3 ttl=64 time=5.17 ms
    ```
14. On Client-1, ping something on the internet:

    ```
    ping -c3 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=20.1 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=15.1 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=113 time=13.2 ms
    ```
15. On Client-1, inspect the ARP table:

    ```
    ip neigh show | grep "10.99"
    10.99.99.2 dev eth1 lladdr 2c:6b:f5:39:83:f0 STALE
    10.99.99.254 dev eth1 lladdr 4c:96:14:1a:01:80 REACHABLE
    10.99.99.3 dev eth1 lladdr 2c:6b:f5:a2:ad:f0 STALE
    10.99.99.1 dev eth1 lladdr 00:00:5e:00:01:01 REACHABLE
    ```
16. On Client-2, ping the virtual GW of this subnet:

    ```
    ping -c3 10.88.88.1
    PING 10.88.88.1 (10.88.88.1) 56(84) bytes of data.
    64 bytes from 10.88.88.1: icmp_seq=1 ttl=64 time=2.51 ms
    64 bytes from 10.88.88.1: icmp_seq=2 ttl=64 time=2.75 ms
    64 bytes from 10.88.88.1: icmp_seq=3 ttl=64 time=3.45 ms
    ```
17. On Client-2, ping the static GW address of the Core1 (collapsed core) switch:

    ```
    ping -c3 10.88.88.2
    PING 10.88.88.2 (10.88.88.2) 56(84) bytes of data.
    64 bytes from 10.88.88.2: icmp_seq=1 ttl=64 time=5.99 ms
    64 bytes from 10.88.88.2: icmp_seq=2 ttl=64 time=3.68 ms
    64 bytes from 10.88.88.2: icmp_seq=3 ttl=64 time=3.12 ms
    ```
18. On Client-2, ping the static GW address of the Core2 (collapsed core) switch:

    ```
    ping -c3 10.88.88.3
    PING 10.88.88.3 (10.88.88.3) 56(84) bytes of data.
    64 bytes from 10.88.88.3: icmp_seq=1 ttl=64 time=5.64 ms
    64 bytes from 10.88.88.3: icmp_seq=2 ttl=64 time=3.67 ms
    64 bytes from 10.88.88.3: icmp_seq=3 ttl=64 time=3.18 ms
    ```
19. On Client-2, ping the vSRX WAN router:

    ```
    ping -c3 10.88.88.254
    PING 10.88.88.254 (10.88.88.254) 56(84) bytes of data.
    64 bytes from 10.88.88.254: icmp_seq=1 ttl=64 time=4.16 ms
    64 bytes from 10.88.88.254: icmp_seq=2 ttl=64 time=4.63 ms
    64 bytes from 10.88.88.254: icmp_seq=3 ttl=64 time=4.49 ms
    ```
20. On Client-2, ping something on the internet:

    ```
    ping -c3 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=14.9 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=18.5 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=113 time=13.1 ms
    ```
21. On Client-2, ping Client-1 in the other VRF (note that this traffic flows over the WAN router, which is why the TTL drops to 62):

    ```
    ping -c3 10.99.99.99
    PING 10.99.99.99 (10.99.99.99) 56(84) bytes of data.
    64 bytes from 10.99.99.99: icmp_seq=1 ttl=62 time=10.2 ms
    64 bytes from 10.99.99.99: icmp_seq=2 ttl=62 time=8.73 ms
    64 bytes from 10.99.99.99: icmp_seq=3 ttl=62 time=9.11 ms
    ```
22. On Client-2, inspect the ARP table:

    ```
    ip neigh show | grep "10.88"
    10.88.88.2 dev eth1 lladdr 2c:6b:f5:39:83:f0 STALE
    10.88.88.254 dev eth1 lladdr 4c:96:14:1a:01:80 STALE
    10.88.88.1 dev eth1 lladdr 00:00:5e:00:01:01 REACHABLE
    10.88.88.3 dev eth1 lladdr 2c:6b:f5:a2:ad:f0 STALE
    ```
23. Pings are successful across the VRFs. This verifies our fabric configuration and the WAN router attachment.
Note: If you are not able to ping, please check the config on the MX, the BGP summary, the LACP statuses and the end-host port profiles.
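The two ARP tables above are worth checking mechanically rather than by eye: every expected gateway should be resolved on eth1, and the virtual gateway IP should map to the fabric's anycast MAC `00:00:5e:00:01:01` shown in the output, not to some other host. The following Python check is an added example, not part of the lab material; the neighbour lines are constructed from the Client-1 output above (plus one eth0 entry), and the function names are my own.

```python
import re

# Anycast gateway MAC the fabric uses once "Virtual Gateway v4 MAC address"
# is enabled; both core switches answer for the VLAN gateway IP with it.
VIRTUAL_GW_MAC = "00:00:5e:00:01:01"

# Constructed sample: the `ip neigh show` lines captured on Client-1 in the
# lab, plus one unrelated eth0 entry to show that other interfaces are ignored.
SAMPLE_NEIGH = """\
10.99.99.2 dev eth1 lladdr 2c:6b:f5:39:83:f0 STALE
10.99.99.254 dev eth1 lladdr 4c:96:14:1a:01:80 REACHABLE
10.99.99.3 dev eth1 lladdr 2c:6b:f5:a2:ad:f0 STALE
10.99.99.1 dev eth1 lladdr 00:00:5e:00:01:01 REACHABLE
100.123.0.254 dev eth0 lladdr 52:54:00:aa:bb:cc REACHABLE
"""

# One resolved neighbour per line. FAILED/INCOMPLETE entries carry no lladdr,
# so they do not match and are reported as unresolved by check_gateways().
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17})"
    r"(?: router)? (?P<state>\S+)$", re.IGNORECASE)


def parse_neigh(text):
    """Map IP -> (device, mac, state) for every resolved neighbour."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = (m["dev"], m["mac"].lower(), m["state"])
    return table


def check_gateways(table, dev, virtual_gw, static_gws, wan_router):
    """Return a list of findings; an empty list means the table matches the lab."""
    findings = []
    for ip in (virtual_gw, *static_gws, wan_router):
        entry = table.get(ip)
        if entry is None:
            findings.append(f"{ip} is not resolved; ping it and re-check")
        elif entry[0] != dev:
            findings.append(f"{ip} was learned on {entry[0]}, expected {dev}")
    vgw = table.get(virtual_gw)
    if vgw and vgw[1] != VIRTUAL_GW_MAC:
        findings.append(f"virtual gateway {virtual_gw} resolves to {vgw[1]}, "
                        f"expected {VIRTUAL_GW_MAC}")
    # The anycast MAC belongs to the virtual gateway IP only; any other IP on
    # the client VLAN claiming it is a misconfiguration worth a closer look.
    for ip, (d, mac, _) in table.items():
        if d == dev and mac == VIRTUAL_GW_MAC and ip != virtual_gw:
            findings.append(f"{ip} also answers with the virtual gateway MAC")
    return findings
```

Run it against `ip neigh show` output from Client-2 with the 10.88.88.x addresses to repeat the check for the second VRF.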
## EVPN Insights

Mist Wired Assurance provides the user with real-time status related to the health of the Campus Fabric EVPN Multihoming deployment, using telemetry such as BGP neighbor status and TX/RX port statistics. The following screenshots are taken from the Campus Fabric EVPN Multihoming build by accessing the Campus Fabric option under **Organization > Wired** of the Mist Portal:

![](./images/image50.png)
![](./images/image51.png)

From this view, Mist also provides remote access to each device's console through the Remote Shell option, as well as rich telemetry through the Switch Insights option. Remote Shell has been used throughout this document to display the real-time operational status of each device during the verification stage.

## Use Case: Mist NAC

The Mist NAC option allows users to configure authentication policies and authentication labels to allow/deny traffic.

- Client-1 will be authenticated using its client certificate (EAP-TLS)
- Client-2 will be authenticated using its MAC address (MAB)

1. On Mist, navigate to **Organization > Switch Templates**.

   ![](./images/image52.png)
2. Edit your existing Switch Template.

   ![](./images/image53.png)
3. Under **Port Profiles**, edit the existing **vlan1099** and configure:
   - **Use dot1x authentication** - Checked

   ![](./images/image54.png)
4. Under **Port Profiles**, edit the existing **vlan1088** and configure:
   - **Use dot1x authentication** - Checked
   - **Mac authentication** - Checked
   - **Mac authentication only** - Checked
   - **Authentication Protocol** - eap-md5

   ![](./images/image55.png)
5. Define the Mist **Authentication Server**:
   - **Authentication Server** - Mist Auth

   ![](./images/image56.png)
6. Save the changes.
7. Navigate to **Organization > Access > Certificates**.

   ![](./images/image57.png)
8. Download the [CA certificate here](lab-ca-crt.txt).
9. Copy the content and add it as shown below:

   ![](./images/image58.png)
   ![](./images/image59.png)
10. Click **Save**.
11. We will define two auth labels, one for each client.
12. Navigate to **Organization > Access > Auth Policy Labels**.

    ![](./images/image60.png)
13. Add labels:
    - **Name** - Client-1
    - **Label Type** - Certificate Attribute
    - **Label Value** - Common Name
    - **Common Name Value** -

      ![](./images/image61.png)
    - **Name** - client-2-mac
    - **Label Type** - Client List
    - **Label Value** - *Client-2's eth1 MAC address (example: 00:50:56:be:9b:99)*
14. To get Client-2's MAC address, SSH to Client-2 and run the following command (copy eth1's MAC):

    ```
    ip link show eth1
    ```

    ![](./images/image62.png)
15. Paste the MAC as the label value on Mist.

    ![](./images/image63.png)
16. Navigate to **Organization > Access > Auth Policies**.

    ![](./images/image64.png)
17. Click **Add Rule**:
    - **Name** - Client-1-allow
    - **Match Criteria** - Client-1, EAP-TLS, wired
    - **Policy** - Allow
18. Click **Add Rule** to add the second rule:
    - **Name** - Client-2-allow
    - **Match Criteria** - Client-2, MAB, wired
    - **Policy** - Allow

    ![](./images/image65.png)
19. Click **Save**.
20. Remote Shell to Access-1, and check the dot1x status:

    ```
    show dot1x interface
    ```

    ![](./images/image66.png)
21. Start a ping from Client-1.
22. Let's configure the wpa_supplicant config file on Client-1:

    ```
    vi /etc/wpa_supplicant/wpa_supplicant.conf
    ```

    ```
    ctrl_interface=/var/run/wpa_supplicant
    eapol_version=2
    ap_scan=0
    network={
        key_mgmt=IEEE8021X
        eap=TLS
        identity="user01@test.net"
        private_key="/home/jcluser/DEMO-CERTIFICATES/lab-client-1.pfx"
        private_key_passwd="Juniper!1"
        eapol_flags=0
    }
    ```
23. Press Escape, then type `:wq` to save the file.
24. Initiate a request towards Access-1 via eth1:

    ```
    wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -i eth1
    ```

    Output:

    ![](./images/image67.png)
25. Remote Shell to Access-1 and check the dot1x status:

    ```
    show dot1x interface
    ```

    ![](./images/image68.png)
26. Ping from Client-1.

    ![](./images/image69.png)
27. Ping from Client-2.

    ![](./images/image70.png)
28. Wait a minute and check the dot1x status on Access-2 using Remote Shell.

    ![](./images/image71.png)
29. Check the pings from Client-2.

    ![](./images/image72.png)
30. To see all the NAC events, navigate to **Auth Policies > Show NAC Events**.

    ![](./images/image73.png)
    ![](./images/image74.png)

**You have successfully completed this Hands-On Lab!**

## Lab Survey

Please take 2 minutes and complete the [Mist Multihoming Fabric Hands-On Lab Survey](https://www.surveymonkey.com/r/PZYVY9W).

![Mist-Multihoming-hol-Survey-qr-code](./images/Mist-Multihoming-hol-Survey-qr-code.png)