Day One+

Juniper AI-Driven Enterprise

IN THIS GUIDE

Step 1: Begin | 1

Step 2: Up and Running | 10

Step 3: Keep Going | 23

Step 1: Begin

IN THIS SECTION

Before You Begin | 2

Connect to the Juniper Mist Cloud Architecture | 3

Connect a Greenfield Switch | 3

Connect a Brownfield Switch | 5

Problems? | 9

The goal of this Day One+ guide is to get you up and running with the Juniper AI-driven network and see what it can do
for you. As you’ll see, both the onboarding and provisioning of the physical devices (your switches and access points) are
highly automated. There’s nothing to install on your workstation, and for the most part, nothing to configure in the Junos
OS CLI. All the features are available through the portal on the cloud.

We’ll start by connecting a Juniper switch to the Juniper Mist cloud architecture, and then we’ll look at some key features
in the cloud-hosted Juniper Mist portal. There are more than 100 types of service-level expectations (SLEs) that are
available, in real time, through the dashboards on the portal. These SLEs measure key compliance metrics for your wired
network and result in vastly simpler operations, streamlined troubleshooting, and better visibility into your users’ network
experience.
 2

The following illustration gives a quick overview of the Juniper AI-driven network. It shows how Juniper Mist cloud services
use telemetry from the physical infrastructure to develop AI-powered automation that is delivered through the cloud and
accessible from the portal.

One thing to mention: Juniper Mist cloud architecture supports location services and contact tracing, but we’re not going
to get into those things here. For more information on these and a bunch of other features, you can check out our website.

Before You Begin

The switch you’re connecting needs to be able to reach to the Juniper Mist cloud architecture over the Internet. So, if
there’s a firewall between the cloud and the switch, you need to allow outbound access on TCP port 2200. Once the
switch connects to the Juniper Mist cloud, it automatically downloads the necessary commands to the Junos OS and
completes the provisioning. If you don’t want to use this automated procedure, or if the switch you’re connecting isn’t
set up for it, then connect the switch to an DNS server (you'll still need to allow outbound access through the firewall).

You’ll also need:

• Physical access to the switch to connect the cables

• Login credentials for the Juniper Mist portal

 3

• An activation code to adopt the switch and any Juniper access points that are part of your order

• A user account on the switch to make CLI configurations (only applies to the brownfield option, which is described later)

• A supported Juniper EX Series switch running a supported version of Junos OS

Here’s a summary of supported Juniper EX Series switches driven by Mist AI:

Connect to the Juniper Mist Cloud Architecture

There are two kinds of switches when it comes to connecting to the Juniper Mist cloud architecture: greenfield and
brownfield. Greenfield switches are typically new and come cloud-ready, which means you can add them to the Juniper
Mist cloud automatically using the zero touch provisioning (ZTP) option. As the name implies, this is fast and simple—connect
the switch to the network, open a path to the Internet, and let the cloud architecture make the remaining configurations.
As part of the ZTP process, the switch automatically accesses what’s known as a phone-home server, which brokers a
connection to the Juniper Mist cloud architecture and coordinates the necessary Junos OS configuration updates. If you
don’t want to use the phone-home server, you can configure the switch to use a DHCP server instead. The point is, the
switch needs to be able to resolve the Juniper Mist cloud address, and either method will do.

Brownfield switches are typically those that are already in use somewhere on the network, and now you want to connect
them to the Juniper Mist cloud. Connecting brownfield switches to the cloud is also pretty straightforward, but you need
to do the configurations by hand using the Junos OS CLI. We’ll cover both cases.

Connect a Greenfield Switch

1. Start by unboxing your switch, if you haven’t already, and then connect the management port to the Internet and
power on the switch.

2. Open a Web browser and log in to your Juniper Mist account. The Monitor page appears, showing an overview of the
Juniper Mist cloud architecture and any Juniper access points and clients that are already connected.

3. In the menu on the left, click Organization > Inventory to open that page.
 4

Here’s a picture of the Inventory page we’re talking about:

4. Select Switches at the top of the Inventory page, and then click the Claim Switches button and enter the activation
code for the switch.

Here’s a picture of the Claim Switches page:

5. Fill in the other fields as appropriate for your network. Select Manage configuration with Juniper Mist and then enter
a root password for the switch.

Note that this choice puts the switch under the management of the Juniper Mist portal, and as such, we recommend
that local configuration using the CLI be restricted to prevent conflicts (for example, you might want to create a system
login message on the switch to warn against making configuration changes locally, from the CLI).

Once the ZTP process is finished, the switch automatically appears in the Inventory page. If the switch doesn’t appear
after a few minutes, despite refreshing the webpage, log out and then log back in.
 5

Connect a Brownfield Switch

Back Up Your Configuration

It is important to back up your existing Junos OS configuration because when once you adopt the switch into the Juniper
Mist cloud architecture, the old configuration is completely replaced.

• In Junos OS, run the request system software configuration-backup path command to save the currently active
configuration and any installation-specific parameters.

Once the switch is adopted, you should manage it exclusively from the Juniper Mist portal and not the local CLI. As such,
consider taking the following actions:

• Create a system login message on the switch to warn users against making configuration changes locally, from the Junos
OS

• Restrict management access by changing account passwords

• Place restrictions on existing user accounts

To connect a brownfield switch, you'll need to use the Junos OS CLI to make some configuration changes to the Juniper
Mist portal and to the switch. Be sure you can log in to both.

1. Log in to your organization on the Juniper Mist portal and then click Organization > Inventory in the menu.

2. Select Switches at the top of the page that appears, and then click the Adopt Switch button in the upper-right corner
to generate the Junos OS CLI commands needed for the interoperability (these commands create a Juniper Mist user
account and an SSH connection to the Juniper Mist cloud architecture over TCP port 2200).

Here’s what the Switch Adoption page looks like:

 6

3. From the Switch Adoption page, click Copy to Clipboard to get the commands.

4. In the Junos OS CLI, type edit to start configuration mode, and then paste the commands you just copied (type top if
you are not already at the base level of the hierarchy).

5. Back in the Juniper Mist portal, click Organization > Inventory > Switches and select the switch you just added.

6. Click the More drop-down list at the top of the page, and then click the Assign to Site button to continue making your
selections as prompted.

7. Confirm your updates on the switch by running show commands at the [system services] hierarchy level, and again at
the [system login user juniper-mist] hierarchy level.

show system services

ssh {
protocol-version v2;
}
netconf {
ssh;
}
outbound-ssh {
client juniper-mist {
device-id 550604ec-12df-446c-b9b0-eada61808414;
secret "trimmed"; ## SECRET-DATA
keep-alive {
retry 3;
timeout 5;
}
services netconf;
oc-term.mistsys.net {
port 2200;
retry 1000;
timeout 60;
}
}
}
dhcp-local-server {
group guest {
interface irb.188;
}
group employee {
interface irb.189;
}
group management {
interface irb.180;
 7

}
}

show system login user mist

user@Switch-1# show system login user mist

class super-user;
authentication {
encrypted-password "$trimmed ## SECRET-DATA
}

Now that the switch can register with the Juniper Mist portal, the next thing to do is to add the switch to a site and assign
access points. You do this from the portal.

Here’s what the Juniper Access Points page looks like:

1. To add the switch to a site, click Organization > Inventory in the Juniper Mist menu and then the Switches tab at the
top of the next page.

2. Select the switch you just added, and click the More button.

• Click Assign to Site, and then choose a site from the drop-down list that appears in the Assign Switches page.

• Click the Assign to Site button to complete the action.

3. Click Access Points to see a list of any unassigned access points.

4. Click Switches to see a list of switches, and choose a switch from the list to confirm that it and the Juniper Mist portal
are correctly provisioned.
 8

Here’s what the Switches page looks like, with EX Series switches:

5. From the Switches page, click a switch name to drill down into a detailed view of that switch, including connected
access points and clients. For each switch on the list, you can view various properties, including the version, model
number, CPU and memory utilization, bytes transferred, power drawn by the PoE devices, and port errors.

TIP: Hover your mouse cursor over the image of the switch port at the top of the page to see details such
as the connection speed, PoE status, and throughput.
 9

Here’s what the Wired Insights page looks like:

Problems?

You can confirm your connection from the switch to the Juniper Mist cloud architecture by running the following Junos
OS command:

user@host> show system connections | grep 2200

The command output shows the switch connection to the cloud . It includes the IP address of the management interface
on the switch, the destination IP address, and the connection result.

tcp4 0 0 10.10.70.89.63208 <ip-address>.2200 ESTABLISHED

If there is no ACK of the SYN packet, chances are that outbound packets over TCP port 2200 are being blocked by the
firewall. This issue needs to be resolved before the switch can appear in the Juniper Mist portal under Organization >
Inventory > Switches.
 10

Step 2: Up and Running

IN THIS SECTION

Look Around the Juniper Mist Portal | 10

Network Visibility | 12

Service-Level Expectations | 15

Switch Health | 18

Access Points | 19

Marvis Actions | 21

Look Around the Juniper Mist Portal

The Juniper Mist platform you’re setting up includes Wired Assurance Service for automated operations and service levels,
Health Statistics for detailed visibility into EX Series switches, and a plethora of device and network details that you can
drill down to from most of the dashboard pages.
 11

The image below illustrates how Juniper Mist cloud services use telemetry from the physical infrastructure to provide you
with AI-driven health insights through the Juniper Mist cloud.

Our Virtual Network Assistant, which we call Marvis, uses natural language processing (NLP) for troubleshooting and
applies continuous learning through supervised machine learning self-driving capabilities. Marvis Actions come in both
self-driving and driver assist modes. As you’ll see, you can use Marvis to list wired clients connected to the network and
troubleshoot any corresponding issues that it identifies (such as speed mismatches, missing VLANs, switch health, and
anomaly detection). Marvis helps identify the root cause of issues across various IT domains (WLAN, LAN, WAN, and
security), and automatically resolves issues within its purview. In addition you can use the Juniper Mist portal to do the
following:

• Streamline troubleshooting (SLEs, root cause, anomaly detection, Marvis Actions).

• Automatically apply a Junos OS configuration setting to new switches based on common templates that cover most
enterprise features. For corner cases, you can always access the switch and use its CLI from the portal.

• Enable dynamic port configurations to work with any RADIUS server based on user group, MAC OUI, or LLDP name
match.

• Set up flexible port assignments with manual or dynamic configurations, using port profiles and templates that are based
on connected endpoint type.

• Measures pre-connection and post-connection metrics with SLEs.

OK. Let’s see how all this works.

 12

Network Visibility
 13

The main Monitor page in the Juniper Mist portal shows an overview of the network. From here, you can you drill down
into specific events and connected devices, see the pre-connection and post-connection experience on the wired network,
and identify switches that are seeing anomalies on the same site.

1. Log in to your organization, or to the public Live Demo (if you have an account). The Live Demo, which we use in these
screen shots, has a variety of connected devices and live analytics that you can explore.

Here’s what the Monitor page looks like:

2. From the Monitor page, scroll down and start exploring on your own. The depth and breadth of what you can do from
this page is too much to describe here, so take some time to click around. Use the online help to learn about whatever
interests you.

3. Let’s look at an example based on another view of the network, this time, Wi-Fi coverage mapped in the context of a
building floor plan. Click Switches in the menu, and then select the Location tab to show the distribution of switches
across the floor plan of an office building.

In this view, you can see all the switches and access points, where they are situated, and the respective health status
of each. Furthermore, you can click any device to show its status, including which devices are connected to it.

4. To see whether there are any Wi-Fi dead spots, click 2.4 GHz and the 5 GHz in the Wi-Fi Coverage box on the right
side of the page. You’ll see visual representation of the coverage. This makes it easy to understand users' Wi-Fi
experience in the area.
 14

5. Click any device name on the map to drill-down to its configuration and health details. When you do, an AP Details
link becomes available in the Summary box that appears about half-way down the page.
 15

Here’s an example showing 2.4 GHz Wi-Fi Coverage when it’s mapped across a floor plan:

Service-Level Expectations
 16

Now let’s see how you can track service-level expectations (SLEs) for wired, wireless, and WAN connections using the
dashboards. Juniper Mist lets you set service level thresholds for all the major things that impact wireless performance,
including time to connect, coverage, capacity, roaming, and network uptime. If any of your parameters are violated, you
can have the system alert you about the reasons why the parameter is not being met, the top mobile devices affected,
the top wireless networks affected, and so on. For example, you might have a goal of 2 seconds for the minimum time it
takes mobile users to connect to the Wi-Fi. With one quick look, you can see that this SLE is only being met 72 percent
of the time. Something is wrong. Let’s find out what.

Here’s what the Monitor page looks like after drilling down to Wireless SLEs:

1. Click Monitor in the menu, then Service Levels, and select the Wireless tab.

2. Since we’re interested in Time to Connect, click that to drill down and see the Juniper Mist insights about what factors
are causing the delays.

Here’s what the Monitor page looks like after drilling down for a root cause analysis of the poor time to connect
statistic:
17
 18

3. As you can see in the break out classifiers that are listed alongside the Time to Connect service level metric, the cause
is clearly “Association.” This is responsible for 100 percent of the delays. Without getting too far into the weeds, let’s
just say the Association statistic calculates the time it takes from the start of the mobile client’s association packet to
the time when the client successfully moves data. Anything longer than two seconds is flagged.

In the chart at the bottom of the page, you can jump to the Correlation chart to see which devices are implicated—or
better yet, let’s just jump to the Summary chart to see what Mavis has to say about it:

Time to Connect
The client was slow to connect on 100% of attempts primarily due to slow association.

This problem is widespread at site "Live Demo", correlating most strongly with the
"Live_demo_SLOW_demo" WLAN.
Most of the client failures occurred on the "Live_demo_SLOW_demo" WLAN and "LD_GPS_AP" access
point.

If you were curious about the deeper cause, from this same page, you could click Networks > WLAN and then
Live_temo_SLOW_demo to dig into the configuration settings of that particular WLAN, and resolving the issue.

Switch Health
 19

Now let’s take a quick look at the Switch Health page, where you can get a root-cause analysis of any of the following
service level metrics: throughput, successful connections, and switch health.

1. Click Monitor in the menu on the left, and then Service Levels. Choose the Wired tab at the top of the page and then
click the chart that says Switch Health.

Here’s what the Switch Health page looks like after drilling down for a root cause analysis of the poor Switch Health
statistic:

As you can see, Switch Health is at 30 percent, and a quick glance at the break-out classifiers shows the reason why:
CPU usage is at 97 percent, which means the CPU is implicated in 97 percent of the issues associated with this switch.

2. In the chart that appears below the CPU breakout details, click Distribution to identify the switch by name, and then,
if you want, click the name to drill further down and see what is going on.

Access Points
 20

Juniper Mist access points provide a Wi-Fi connection to users (and devices) within the target area, using a wired connection
to an EX Series switch. Juniper Mist access points are also purpose-built to collect metadata for over 150 states that the
cloud-hosted AI engine uses to perform analytics, machine learning, location service, and event correlation. They incorporate
a third radio for always-on security monitoring, troubleshooting, and synthetic client tests.

In the Juniper Mist portal, you can view all the access points in a given network or site from the Access Points page. From
there, you can quickly assess the number of clients attached, the devices capabilities (such as Wi-Fi or Bluetooth or both),
device uptime, and other details.

Let’s explore this page now.

1. Click Access Points in the menu on the left to open the page.

• If you have any unassigned access points in the network, they’ll appear at the bottom of the page. You can claim
them by clicking the Inventory button at the top of the page and then the Claim APs button that appears in the
upper-right corner of the resulting page.

• If you want to troubleshoot access point issues, select an access point from the list and click the AP Insights link in
the Access Point details page. The Access Point Insights page appears.

Here’s what the Access Points Overview page looks like:

 21

Marvis Actions
 22

Bad cables can be a nasty bit of business in the networking world. Cables rarely ever fail, so when they do, no one ever
thinks to look for a bad cable as the root cause of the ensuing issues. Marvis can detect bad cables easily by inferring the
cause from the network symptoms that surround it. Note that on your newly deployed switch, chances are you won’t
have any issues to find right now. The same is true for the Live Demo site, which might or might not currently have this
exact issue to show. Nevertheless, you can see the issue illustrated in the Marvis Actions dashboard, and that is what the
following steps describe. By the way, bad cables are just one of the many, many things Marvis detects—we’re looking at
it only because it provides a quick and clear illustration of Marvis’ scope.

1. Click Marvis in the menu on the left, and then click the Actions button in the upper right-hand corner of the page that
appears.

Here’s what the Marvis page looks like after drilling down into a Bad Cable:

2. “Switch” appears in the chart with a 3 next it, indicating that Marvis has detected three issues with the device. To drill
down and see what they are, click Switch and expose the three issues. One of them is “Bad Cable.”

3. Scroll down to see the Marvis Actions report, which says the following:

Test & Replace Cable

Based on errors seen, the below ports have a bad cable connected to them. Please test and
replace the cable if needed.
 23

From this same page, we can see that Marvis is also reporting a Negotiation Mismatch, and an issue detected in one of
the access points connected to the switch. Upon further examination, the issue turns out to be an “EAP/802.1X Failure”,
which means the RADIUS server cannot be reached. Marvis identifies the probable cause, and suggests the solution as
follows: These APs are missing as NAS client on the Radius server. Please add them in order to resolve the issue.

The analytics truly are rich.

Step 3: Keep Going

At this point, you’re up and running with your Juniper switch and the Juniper Mist portal. First, we connected your switch
to the Juniper Mist cloud architecture, then we poked around a bit in the portal to get a general sense of the kinds of
things that are possible.

And now that you have experienced some of the key features in the Mist portal, here’s how you can continue to learn as
you go:

If you want to Then

See all documentation available for Juniper Mist Visit the Juniper Mist documentation or our page in the
Juniper TechLibrary Juniper Mist documentation

See EX Series documentation for supported switches Visit the product pages for the following switches

• EX3200
• EX3400
• EX4300

See hardware documentation for various access points Visit the access point page

• Juniper Wireless Access Points

• AP21, AP41, AP43, AP61 BT11

Use templates, virtual chassis, or both to simplify switch See Juniper Mist account
configuration

Find more information about Juniper Mist location services See Juniper Mist account to log in to the Juniper Mist
and contract tracing, or other advanced Juniper Mist portal and explore advanced features
features

Manually add a brownfield switch to the Juniper Mist portal See Manual EX Series Switch Configurations for the
Juniper Mist Cloud

Stay up-to-date on new and changed features and known See the Juniper Mist Wireless LAN Documentation
and resolved issues
 24

If you want to Then

Learn about Juniper Mist Premium Analytics including See mist.com

configuration details for Juniper access points

Learn about troubleshooting clients with Marvis Actions See Marvis and General Troubleshooting

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the
United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the
property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Copyright © 2020
Juniper Networks, Inc. All rights reserved. Rev. 01, Sept 2020.