Wireless

Good Afternoon,

I'm fairly new to Juniper so forgive any questions that may seem simple.

My organization currently utilizes the Juniper Mist platform for our site configurations.  Usually we'll have a FW, Switch, and AP's.  However, we have some Micro Sites where we need to be able to setup a PoE firewall and a single AP43.  No Switching.  We also have a wired printer for the wireless clients.

We typically create 3 VLANs to separate 'internal' wifi, 'guest' wifi, and the management traffic for the AP. 

Thus far, I've been unable to come up with a design that allows Wifi clients to communicate with our printer.  Initially, I attempted creating application policies within Mist to allow traffic over layer 3 between networks (created a network just for the printer), but could not get that to work.  Then I read up on options to turn the SRX interfaces into layer 2 switched ports.  I've been fighting with that for over a week thus far with various errors.  I also reached out to support and got nowhere after 90 minutes on a call.

Does anyone currently use a design like this that could offer some insight?

Good Afternoon,

I'm fairly new to Juniper so forgive any questions that may seem simple.

My organization currently utilizes the Juniper Mist platform for our site configurations.  Usually we'll have a FW, Switch, and AP's.  However, we have some Micro Sites where we need to be able to setup a PoE firewall and a single AP43.  No Switching.  We also have a wired printer for the wireless clients.

We typically create 3 VLANs to separate 'internal' wifi, 'guest' wifi, and the management traffic for the AP. 

Thus far, I've been unable to come up with a design that allows Wifi clients to communicate with our printer.  Initially, I attempted creating application policies within Mist to allow traffic over layer 3 between networks (created a network just for the printer), but could not get that to work.  Then I read up on options to turn the SRX interfaces into layer 2 switched ports.  I've been fighting with that for over a week thus far with various errors.  I also reached out to support and got nowhere after 90 minutes on a call.

Does anyone currently use a design like this that could offer some insight?

Hi,

Let me try to help you with an example. 

Let me explain first a bit how Mist is handling interfaces on a SRX device.  When you configure a "ge-X/X/X" interface mist is creating a "vlan and an IRB" interface where it will bind the IP onto the IRB interface and then adds the selected interface as "tagged/untagged" depending on what you select, towards the vlan.

In your case let me use your VLAN's. 

VLAN: WIFI

For example you have port ge-0/0/4 as the port the printer is connected on.  In the Mist interface you go to Lan and then use the "add lan" button, this will open the side panel to add interfaces/networks for your Lan.

Here you select form the Networks drop down menu the "wifi" network.

Next step:  Interface ( here you fill in the port your printer is connected on so in my example ge-0/0/4)

Next step:  look a bit down towards (Untagged VLAN (SRX Only)) here you select untagged (I am assuming your printer is by default not configured to do tagged vlans)

The rest of the already populated settings you do not "touch or change". 

Push the add button.  (after this you scroll to the top of the page) and push the save button. 

Now you need to wait a few "minutes" to let mist deploy the configuration onto the SRX and commit the config. 

Depending on the configuration of the printer (static / dhcp ip-address) you should be able to reach the printer from one of your wifi clients ( this if you allow traffic between clients in the same vlan (this can be configured in the accesspoint template or in the specific AP config itself within mist).

The other option you have is to deploy the interface config by pasting in the corresponding CLI commands in the "Cli configuration" pane within Mist for the specific SRX. (I would suggest doing this only for CLI commands that are not "supported" by the Mist interface (example IPv6 interface config / static dhcp assigned IP's) 

@spuluka did paste a link for the layer2 interface configs for the SRX. (The creation of the VLAN/IRB interface is already done by mist) so you only need to look at the "ge-x/x/x) config.

Hope this helps a bit.

Good Afternoon,

I'm fairly new to Juniper so forgive any questions that may seem simple.

My organization currently utilizes the Juniper Mist platform for our site configurations.  Usually we'll have a FW, Switch, and AP's.  However, we have some Micro Sites where we need to be able to setup a PoE firewall and a single AP43.  No Switching.  We also have a wired printer for the wireless clients.

We typically create 3 VLANs to separate 'internal' wifi, 'guest' wifi, and the management traffic for the AP. 

Thus far, I've been unable to come up with a design that allows Wifi clients to communicate with our printer.  Initially, I attempted creating application policies within Mist to allow traffic over layer 3 between networks (created a network just for the printer), but could not get that to work.  Then I read up on options to turn the SRX interfaces into layer 2 switched ports.  I've been fighting with that for over a week thus far with various errors.  I also reached out to support and got nowhere after 90 minutes on a call.

Does anyone currently use a design like this that could offer some insight?

Hi Marc, thanks for the reply.

If I'm understanding you correctly, you're saying that, as long as leaving my Wi-Fi network traffic untagged and leaving the printer untagged this should work.

In our current switched environments, our internal/LAN traffic is tagged for VLAN 10, as is our internal Wi-Fi.  Based on your description, are you saying that this would not be possible to replicate with Just a firewall and AP?  That the only way to accomplish layer 2 communication would be to leave our internal Wi-Fi network untagged?

Hi,

Let me try to help you with an example. 

Let me explain first a bit how Mist is handling interfaces on a SRX device.  When you configure a "ge-X/X/X" interface mist is creating a "vlan and an IRB" interface where it will bind the IP onto the IRB interface and then adds the selected interface as "tagged/untagged" depending on what you select, towards the vlan.

In your case let me use your VLAN's. 

VLAN: WIFI

For example you have port ge-0/0/4 as the port the printer is connected on.  In the Mist interface you go to Lan and then use the "add lan" button, this will open the side panel to add interfaces/networks for your Lan.

Here you select form the Networks drop down menu the "wifi" network.

Next step:  Interface ( here you fill in the port your printer is connected on so in my example ge-0/0/4)

Next step:  look a bit down towards (Untagged VLAN (SRX Only)) here you select untagged (I am assuming your printer is by default not configured to do tagged vlans)

The rest of the already populated settings you do not "touch or change". 

Push the add button.  (after this you scroll to the top of the page) and push the save button. 

Now you need to wait a few "minutes" to let mist deploy the configuration onto the SRX and commit the config. 

Depending on the configuration of the printer (static / dhcp ip-address) you should be able to reach the printer from one of your wifi clients ( this if you allow traffic between clients in the same vlan (this can be configured in the accesspoint template or in the specific AP config itself within mist).

The other option you have is to deploy the interface config by pasting in the corresponding CLI commands in the "Cli configuration" pane within Mist for the specific SRX. (I would suggest doing this only for CLI commands that are not "supported" by the Mist interface (example IPv6 interface config / static dhcp assigned IP's) 

@spuluka did paste a link for the layer2 interface configs for the SRX. (The creation of the VLAN/IRB interface is already done by mist) so you only need to look at the "ge-x/x/x) config.

Hope this helps a bit.

Good Afternoon,

I'm fairly new to Juniper so forgive any questions that may seem simple.

My organization currently utilizes the Juniper Mist platform for our site configurations.  Usually we'll have a FW, Switch, and AP's.  However, we have some Micro Sites where we need to be able to setup a PoE firewall and a single AP43.  No Switching.  We also have a wired printer for the wireless clients.

We typically create 3 VLANs to separate 'internal' wifi, 'guest' wifi, and the management traffic for the AP. 

Thus far, I've been unable to come up with a design that allows Wifi clients to communicate with our printer.  Initially, I attempted creating application policies within Mist to allow traffic over layer 3 between networks (created a network just for the printer), but could not get that to work.  Then I read up on options to turn the SRX interfaces into layer 2 switched ports.  I've been fighting with that for over a week thus far with various errors.  I also reached out to support and got nowhere after 90 minutes on a call.

Does anyone currently use a design like this that could offer some insight?

Hi,

You create the Wifi /management network as you always do (So tagged from the SRX towards the AP or AP's on this specific location). 

The only thing you do is connect your Printer to one of the available ports in the SRX. this port only you configure as untagged as I described above. 

For example you have port ge-0/0/4 as the port the printer is connected on.  In the Mist interface you go to Lan and then use the "add lan" button, this will open the side panel to add interfaces/networks for your Lan.

Here you select form the Networks drop down menu the "wifi" network.

Next step:  Interface ( here you fill in the port your printer is connected on so in my example ge-0/0/4)

Next step:  look a bit down towards (Untagged VLAN (SRX Only)) here you select untagged (I am assuming your printer is by default not configured to do tagged vlans)

The rest of the already populated settings you do not "touch or change".  (these are things like the shown Ip address / subnetmask etc etc) You leave those as they are filled in.

Once you commited the config, the printer should get an IP from the Wireless VLAN dhcp pool and all clients should be able to reach the printer.

Hi Marc, thanks for the reply.

If I'm understanding you correctly, you're saying that, as long as leaving my Wi-Fi network traffic untagged and leaving the printer untagged this should work.

In our current switched environments, our internal/LAN traffic is tagged for VLAN 10, as is our internal Wi-Fi.  Based on your description, are you saying that this would not be possible to replicate with Just a firewall and AP?  That the only way to accomplish layer 2 communication would be to leave our internal Wi-Fi network untagged?

Hi,

Let me try to help you with an example. 

Let me explain first a bit how Mist is handling interfaces on a SRX device.  When you configure a "ge-X/X/X" interface mist is creating a "vlan and an IRB" interface where it will bind the IP onto the IRB interface and then adds the selected interface as "tagged/untagged" depending on what you select, towards the vlan.

In your case let me use your VLAN's. 

VLAN: WIFI

For example you have port ge-0/0/4 as the port the printer is connected on.  In the Mist interface you go to Lan and then use the "add lan" button, this will open the side panel to add interfaces/networks for your Lan.

Here you select form the Networks drop down menu the "wifi" network.

Next step:  Interface ( here you fill in the port your printer is connected on so in my example ge-0/0/4)

Next step:  look a bit down towards (Untagged VLAN (SRX Only)) here you select untagged (I am assuming your printer is by default not configured to do tagged vlans)

The rest of the already populated settings you do not "touch or change". 

Push the add button.  (after this you scroll to the top of the page) and push the save button. 

Now you need to wait a few "minutes" to let mist deploy the configuration onto the SRX and commit the config. 

Depending on the configuration of the printer (static / dhcp ip-address) you should be able to reach the printer from one of your wifi clients ( this if you allow traffic between clients in the same vlan (this can be configured in the accesspoint template or in the specific AP config itself within mist).

The other option you have is to deploy the interface config by pasting in the corresponding CLI commands in the "Cli configuration" pane within Mist for the specific SRX. (I would suggest doing this only for CLI commands that are not "supported" by the Mist interface (example IPv6 interface config / static dhcp assigned IP's) 

@spuluka did paste a link for the layer2 interface configs for the SRX. (The creation of the VLAN/IRB interface is already done by mist) so you only need to look at the "ge-x/x/x) config.

Hope this helps a bit.

Good Afternoon,

I'm fairly new to Juniper so forgive any questions that may seem simple.

My organization currently utilizes the Juniper Mist platform for our site configurations.  Usually we'll have a FW, Switch, and AP's.  However, we have some Micro Sites where we need to be able to setup a PoE firewall and a single AP43.  No Switching.  We also have a wired printer for the wireless clients.

We typically create 3 VLANs to separate 'internal' wifi, 'guest' wifi, and the management traffic for the AP. 

Thus far, I've been unable to come up with a design that allows Wifi clients to communicate with our printer.  Initially, I attempted creating application policies within Mist to allow traffic over layer 3 between networks (created a network just for the printer), but could not get that to work.  Then I read up on options to turn the SRX interfaces into layer 2 switched ports.  I've been fighting with that for over a week thus far with various errors.  I also reached out to support and got nowhere after 90 minutes on a call.

Does anyone currently use a design like this that could offer some insight?

So in this case, since I would need wireless clients to also have access to the same network as the printer, VLAN 10 in this case, are you stating that I would configure the LAN network on both ge-0/0/4 and 5 to both include and tag the VLAN 10 network?  

Hi,

You create the Wifi /management network as you always do (So tagged from the SRX towards the AP or AP's on this specific location). 

The only thing you do is connect your Printer to one of the available ports in the SRX. this port only you configure as untagged as I described above. 

For example you have port ge-0/0/4 as the port the printer is connected on.  In the Mist interface you go to Lan and then use the "add lan" button, this will open the side panel to add interfaces/networks for your Lan.

Here you select form the Networks drop down menu the "wifi" network.

Next step:  Interface ( here you fill in the port your printer is connected on so in my example ge-0/0/4)

Next step:  look a bit down towards (Untagged VLAN (SRX Only)) here you select untagged (I am assuming your printer is by default not configured to do tagged vlans)

The rest of the already populated settings you do not "touch or change".  (these are things like the shown Ip address / subnetmask etc etc) You leave those as they are filled in.

Once you commited the config, the printer should get an IP from the Wireless VLAN dhcp pool and all clients should be able to reach the printer.

Hi Marc, thanks for the reply.

If I'm understanding you correctly, you're saying that, as long as leaving my Wi-Fi network traffic untagged and leaving the printer untagged this should work.

In our current switched environments, our internal/LAN traffic is tagged for VLAN 10, as is our internal Wi-Fi.  Based on your description, are you saying that this would not be possible to replicate with Just a firewall and AP?  That the only way to accomplish layer 2 communication would be to leave our internal Wi-Fi network untagged?

Hi,

Let me try to help you with an example. 

Let me explain first a bit how Mist is handling interfaces on a SRX device.  When you configure a "ge-X/X/X" interface mist is creating a "vlan and an IRB" interface where it will bind the IP onto the IRB interface and then adds the selected interface as "tagged/untagged" depending on what you select, towards the vlan.

In your case let me use your VLAN's. 

VLAN: WIFI

For example you have port ge-0/0/4 as the port the printer is connected on.  In the Mist interface you go to Lan and then use the "add lan" button, this will open the side panel to add interfaces/networks for your Lan.

Here you select form the Networks drop down menu the "wifi" network.

Next step:  Interface ( here you fill in the port your printer is connected on so in my example ge-0/0/4)

Next step:  look a bit down towards (Untagged VLAN (SRX Only)) here you select untagged (I am assuming your printer is by default not configured to do tagged vlans)

The rest of the already populated settings you do not "touch or change". 

Push the add button.  (after this you scroll to the top of the page) and push the save button. 

Now you need to wait a few "minutes" to let mist deploy the configuration onto the SRX and commit the config. 

Depending on the configuration of the printer (static / dhcp ip-address) you should be able to reach the printer from one of your wifi clients ( this if you allow traffic between clients in the same vlan (this can be configured in the accesspoint template or in the specific AP config itself within mist).

The other option you have is to deploy the interface config by pasting in the corresponding CLI commands in the "Cli configuration" pane within Mist for the specific SRX. (I would suggest doing this only for CLI commands that are not "supported" by the Mist interface (example IPv6 interface config / static dhcp assigned IP's) 

@spuluka did paste a link for the layer2 interface configs for the SRX. (The creation of the VLAN/IRB interface is already done by mist) so you only need to look at the "ge-x/x/x) config.

Hope this helps a bit.

Good Afternoon,

I'm fairly new to Juniper so forgive any questions that may seem simple.

My organization currently utilizes the Juniper Mist platform for our site configurations.  Usually we'll have a FW, Switch, and AP's.  However, we have some Micro Sites where we need to be able to setup a PoE firewall and a single AP43.  No Switching.  We also have a wired printer for the wireless clients.

We typically create 3 VLANs to separate 'internal' wifi, 'guest' wifi, and the management traffic for the AP. 

Thus far, I've been unable to come up with a design that allows Wifi clients to communicate with our printer.  Initially, I attempted creating application policies within Mist to allow traffic over layer 3 between networks (created a network just for the printer), but could not get that to work.  Then I read up on options to turn the SRX interfaces into layer 2 switched ports.  I've been fighting with that for over a week thus far with various errors.  I also reached out to support and got nowhere after 90 minutes on a call.

Does anyone currently use a design like this that could offer some insight?