diff --git a/docs/_aws_account_setup.md b/docs/_aws_account_setup.md new file mode 100644 index 0000000000..258e5cfca7 --- /dev/null +++ b/docs/_aws_account_setup.md 
@@ -0,0 +1,53 @@ + + +### Create an AWS Account + +If you already have an AWS account, skip to [Set Up IAM Access](#set-up-iam-access). + +1. Open a web browser and navigate to [https://aws.amazon.com/](https://aws.amazon.com/). +2. Click **Create an AWS Account**. +3. Enter your email address and choose an AWS account name, then click **Verify email address**. Check your inbox for the verification code and enter it when prompted. +4. Set a strong password for the root user and click **Continue**. +5. On the **Contact Information** page, select **Personal** or **Business** as appropriate, fill in all required fields, and click **Continue**. +6. On the **Billing Information** page, enter a valid payment method. AWS requires a credit or debit card to verify identity. Click **Verify and Continue**. +7. On the **Identity Verification** page, choose your verification method (SMS or voice call), enter your phone number, and complete the verification. +8. Select a **Support Plan**. The **Basic** plan is free and suitable for evaluation. Click **Complete sign up**. +9. Click **Go to the AWS Management Console** and sign in with your root account credentials. + +:::important +AWS best practice is to avoid using the root account for day-to-day operations. Perform the IAM setup in the next section before proceeding. +::: + +### Set Up IAM Access + +Create a dedicated IAM user with the permissions required to deploy SSR infrastructure. + +1. In the AWS Console, search for **IAM** in the top search bar and select it. +2. In the left navigation, select **Users**, then click **Create user**. +3. Enter a username (for example, `ssr-deploy-admin`) and click **Next**. +4. On the **Set permissions** page, select **Attach policies directly**. +5. Attach the following AWS managed policies: + - `AmazonEC2FullAccess` + - `AmazonVPCFullAccess` + - `AWSCloudFormationFullAccess` + - `IAMReadOnlyAccess` +6. Click **Next**, review the summary, then click **Create user**. +7. 
Select the newly created user and navigate to the **Security credentials** tab. +8. Under **Access keys**, click **Create access key**. Choose **Command Line Interface (CLI)** as the use case, acknowledge the recommendation, and click **Next**. +9. Click **Create access key**, then **Download .csv file** to save your credentials securely. Click **Done**. + +:::note +Store your access keys in a secure location. They cannot be retrieved after the initial creation. If lost, deactivate the old key and create a new one. +::: + +10. To use the AWS CLI, configure it with your new credentials: + +```bash +aws configure +``` + +When prompted, enter: +- **AWS Access Key ID**: from the downloaded CSV +- **AWS Secret Access Key**: from the downloaded CSV +- **Default region name**: your target deployment region (for example, `us-east-1`) +- **Default output format**: `json` diff --git a/docs/_aws_keypair.md b/docs/_aws_keypair.md new file mode 100644 index 0000000000..1ef485fb8d --- /dev/null +++ b/docs/_aws_keypair.md 
@@ -0,0 +1,33 @@ + + +#### Create an EC2 Key Pair + +An EC2 key pair is required to authenticate SSH access to your SSR instances. + +1. In the AWS Console, navigate to **EC2**. +2. In the left navigation pane, under **Network & Security**, click **Key Pairs**. +3. Click **Create key pair**. +4. Enter the following values: + + | Field | Value | + | ----- | ----- | + | Name | A descriptive name, for example `ssr-keypair` | + | Key pair type | RSA | + | Private key file format | `.pem` (for Linux/macOS/AWS CLI) or `.ppk` (for PuTTY on Windows) | + +5. Click **Create key pair**. The private key file downloads automatically. +6. Move the downloaded key file to a secure location, for example `~/.ssh/`, and set restrictive permissions: + +```bash +chmod 400 ~/.ssh/ssr-keypair.pem +``` + +:::important +This is the only time you can download the private key. If you lose it, you must create a new key pair. Store your key file securely and do not share it. +::: + +To connect to an instance using this key pair: + +```bash +ssh -i ~/.ssh/ssr-keypair.pem t128@ +``` diff --git a/docs/_aws_security_groups.md b/docs/_aws_security_groups.md new file mode 100644 index 0000000000..57fb975914 --- /dev/null +++ b/docs/_aws_security_groups.md 
@@ -0,0 +1,68 @@ + + +#### Create the Conductor Security Group + +The Conductor security group controls inbound access to the Conductor instance. + +1. In the AWS Console, navigate to **EC2**. +2. In the left navigation pane, under **Network & Security**, click **Security Groups**. +3. Click **Create security group**. +4. Enter the following: + + | Field | Value | + | ----- | ----- | + | Security group name | `ssr-conductor-sg` | + | Description | `Security group for SSR Conductor` | + | VPC | Select your `ssr-vpc` | + +5. Under **Inbound rules**, click **Add rule** and add the following rules: + + | Type | Protocol | Port range | Source | Description | + | ---- | -------- | ---------- | ------ | ----------- | + | SSH | TCP | 22 | Your admin CIDR (e.g. `203.0.113.0/24`) | Admin SSH access | + | HTTPS | TCP | 443 | Your admin CIDR | Conductor GUI access | + | Custom TCP | TCP | 930 | `10.0.0.0/16` (VPC CIDR) | SSR to Conductor control | + | Custom TCP | TCP | 4505 | `10.0.0.0/16` | Salt master (router mgmt) | + | Custom TCP | TCP | 4506 | `10.0.0.0/16` | Salt master (router mgmt) | + +6. Leave **Outbound rules** as the default (all traffic allowed). +7. Click **Create security group**. + +:::note +Replace `Your admin CIDR` with the specific IP range of your management workstations. Using `0.0.0.0/0` is not recommended for production deployments. +::: + +#### Create the Router Security Group + +The Router security group controls inbound access to the SSR Router instance. + +1. Click **Create security group** again. +2. Enter the following: + + | Field | Value | + | ----- | ----- | + | Security group name | `ssr-router-sg` | + | Description | `Security group for SSR Router` | + | VPC | Select your `ssr-vpc` | + +3. 
Under **Inbound rules**, add the following: + + | Type | Protocol | Port range | Source | Description | + | ---- | -------- | ---------- | ------ | ----------- | + | SSH | TCP | 22 | Your admin CIDR | Admin SSH access | + | HTTPS | TCP | 443 | Your admin CIDR | Router GUI access | + | Custom UDP | UDP | 1280 | `0.0.0.0/0` | SVR peer communication | + | Custom TCP | TCP | 1280 | `0.0.0.0/0` | SVR peer communication | + | Custom TCP | TCP | 1283 | `0.0.0.0/0` | SVR peer communication | + | Custom TCP | TCP | 16385-65533 | `0.0.0.0/0` | SVR dynamic ports | + | Custom UDP | UDP | 16385-65533 | `0.0.0.0/0` | SVR dynamic ports | + +4. Click **Create security group**. + +:::note +For a detailed reference of all ports required for SSR operation, see [Enable Ports on the Firewall](config_firewall_ports.md). +::: + +:::important +Do **not** enable the CloudFormation templates' default security group if you have created custom security groups as described above. You will specify your custom security groups during template deployment. +::: diff --git a/docs/_aws_vpc_setup.md b/docs/_aws_vpc_setup.md new file mode 100644 index 0000000000..79d40e3b7a --- /dev/null +++ b/docs/_aws_vpc_setup.md 
@@ -0,0 +1,99 @@ + + +#### Create the VPC + +A dedicated VPC isolates your SSR deployment and gives you full control over routing and network segmentation. + +1. In the AWS Console, search for **VPC** and select it. +2. Click **Create VPC**, and select **VPC only**. +3. Enter the following values: + + | Field | Value | + | ----- | ----- | + | Name tag | A descriptive name, for example `ssr-vpc` | + | IPv4 CIDR block | A private address range, for example `10.0.0.0/16` | + | IPv6 CIDR block | No IPv6 CIDR block | + | Tenancy | Default | + +4. Click **Create VPC**. + +### Create Subnets + +SSR requires three subnets for a conductor-managed router deployment. Create each subnet within the VPC you just created. + +:::note +Subnet CIDR examples below are based on the `10.0.0.0/16` VPC range. Adjust to fit your environment. +::: + +#### Management Subnet + +Used by the Conductor and for out-of-band administration of the Router. + +1. In the VPC Dashboard, click **Subnets**, then **Create subnet**. +2. Select your VPC from the **VPC ID** dropdown. +3. Enter the following: + + | Field | Value | + | ----- | ----- | + | Subnet name | `ssr-mgmt-subnet` | + | Availability Zone | Choose your preferred AZ | + | IPv4 CIDR block | `10.0.1.0/24` | + +4. Click **Create subnet**. +5. Select the new subnet, click **Actions**, and choose **Edit subnet settings**. +6. Enable **Auto-assign public IPv4 address** and save. + +#### Public (WAN) Subnet + +Used for external connectivity and peer SSR communication. + +1. Click **Create subnet**, select your VPC, and enter: + + | Field | Value | + | ----- | ----- | + | Subnet name | `ssr-public-subnet` | + | Availability Zone | Same AZ as the management subnet | + | IPv4 CIDR block | `10.0.2.0/24` | + +2. Click **Create subnet**. +3. Enable **Auto-assign public IPv4 address** on this subnet. + +#### Private (LAN) Subnet + +Used for internal workloads and application traffic. + +1. 
Click **Create subnet**, select your VPC, and enter: + + | Field | Value | + | ----- | ----- | + | Subnet name | `ssr-private-subnet` | + | Availability Zone | Same AZ as the other subnets | + | IPv4 CIDR block | `10.0.3.0/24` | + +2. Click **Create subnet**. +3. Do **not** enable Auto-assign public IPv4 for this subnet. + +### Create and Attach an Internet Gateway + +The Internet Gateway provides outbound internet connectivity to the management and public subnets. + +1. In the VPC Dashboard, click **Internet gateways**, then **Create internet gateway**. +2. Enter a name (for example, `ssr-igw`) and click **Create internet gateway**. +3. Select the new Internet Gateway, click **Actions**, then **Attach to VPC**. +4. Select your `ssr-vpc` and click **Attach internet gateway**. + +### Configure Route Tables + +Create a route table for the public-facing subnets and associate the management and public subnets with it. + +1. In the VPC Dashboard, click **Route tables**, then **Create route table**. +2. Enter a name (for example, `ssr-public-rt`) and select your `ssr-vpc`. +3. Click **Create route table**. +4. Select the new route table, click the **Routes** tab, then **Edit routes**. +5. Click **Add route**, enter `0.0.0.0/0` for the destination, and set the target to your `ssr-igw` Internet Gateway. Click **Save changes**. +6. Click the **Subnet associations** tab, then **Edit subnet associations**. +7. Select `ssr-mgmt-subnet` and `ssr-public-subnet`, then click **Save associations**. + +:::note +The private subnet intentionally uses the **main (default) route table** which has no internet gateway route, ensuring internal traffic does not have a direct path to the internet. +::: diff --git a/docs/_conductor_to_authority.md b/docs/_conductor_to_authority.md index 3d7cfe720d..d707d73070 100644 --- a/docs/_conductor_to_authority.md +++ b/docs/_conductor_to_authority.md 
@@ -1,10 +1,10 @@ -Take this opportunity to log into the Conductor GUI to complete the following operations. This will provide validation that the installation was successful, and familiarize you with GUI operations. +Take this opportunity to log into the Conductor GUI to complete the following operations. This provides validation that the installation was successful, and familiarizes you with GUI operations. #### Connecting the Conductor to the Network -To make sure the conductor is on a network and accessible via GUI, the IP address on the interface must be in the same subnet as the VLAN on the switch port. Use `https://` for GUI login. +To make sure the conductor is on a network and accessible via GUI, the IP address on the interface must be in the same subnet as the VLAN on the switch port. Use `https://192.168.128.1` for GUI login. 1. Select the **Conductor** from the Authority menu on the left side of the GUI. @@ -14,7 +14,7 @@ To make sure the conductor is on a network and accessible via GUI, the IP addres ![Conductor Configuration Icon](/img/conductor_config_icon.png) -3. Select the node for the conductor - in this example it is `node1`. +3. Select the node for the conductor - in this example it is `node0`. ![Conductor Node](/img/conductor_node.png) diff --git a/docs/_deploy_network_design.md b/docs/_deploy_network_design.md new file mode 100644 index 0000000000..0edb9119bd --- /dev/null +++ b/docs/_deploy_network_design.md 
@@ -0,0 +1,21 @@ + + +The following IP addressing and naming scheme is used consistently throughout this guide. Substitute your own values when configuring your network. + +| Parameter | Example Value | Description | +|-----------|--------------|-------------| +| Authority Name | `Authority128` | Organizational authority name | +| Conductor Router Name | `conductor1` | Conductor system name | +| Conductor Node Name | `node0` | Conductor node name | +| Conductor IP Address | `192.168.100.10` | Static management IP on the conductor | +| Conductor Subnet Mask | `/24` | Management network prefix | +| Conductor Gateway | `192.168.100.1` | Management network gateway | +| Router Name | `branch1` | Branch router system name | +| Router Node Name | `node0` | Router node name | +| Router WAN Interface | `wan1` (`ge-0-0`) | WAN port — uses DHCP | +| Router LAN Interface | `lan1` (`ge-0-3`) | LAN port | +| Router LAN IP Address | `192.168.1.1/24` | LAN gateway address | +| Tenant Name | `corp` | LAN-side user tenant | +| Service Name | `internet` | Internet breakout service | +| Service Address | `0.0.0.0/0` | All internet-bound traffic | +| Neighborhood | `internet` | SVR neighborhood name | diff --git a/docs/_deploy_ssr1200_port_map.md b/docs/_deploy_ssr1200_port_map.md new file mode 100644 index 0000000000..5876e26dab --- /dev/null +++ b/docs/_deploy_ssr1200_port_map.md 
@@ -0,0 +1,20 @@ + + +![SSR1200 Front Panel](/img/hdwr_ssr1200_faceplate.png) + +### Port Mapping + +| Name | Port | Description | PCI Address | Speed | Type | +| --- | --- | --- | --- | --- | --- | +| mgmt-0-0 | MGMT | Management interface | 0000:03:00.0 | 1000 | MGMT | +| ge-0-0 | Port 0/0 | WAN 1 network interface | 0000:03:00.1 | 1000 | WAN | +| ge-0-1 | Port 0/1 | WAN 2 network interface | 0000:03:00.2 | 1000 | WAN | +| ge-0-2 | Port 0/2 | WAN 3 network interface | 0000:03:00.3 | 1000 | WAN | +| ge-0-3 | Port 0/3 | LAN 1 network interface | 0000:01:00.0 | 1000 | LAN | +| ge-0-4 | Port 0/4 | LAN 2 network interface | 0000:01:00.1 | 1000 | LAN | +| ge-0-5 | Port 0/5 | HA Fabric network interface | 0000:01:00.2 | 1000 | HA Fabric | +| ge-0-6 | Port 0/6 | HA Sync network interface | 0000:01:00.3 | 1000 | HASync | +| xe-1-0 | Port 1/0 | LAN 3 network interface | 0000:07:00.3 | 10000 | LAN | +| xe-1-1 | Port 1/1 | LAN 4 network interface | 0000:07:00.2 | 10000 | LAN | +| xe-1-2 | Port 1/2 | LAN 5 network interface | 0000:07:00.1 | 10000 | LAN | +| xe-1-3 | Port 1/3 | LAN 6 network interface | 0000:07:00.0 | 10000 | LAN | diff --git a/docs/_deploy_ssr130_port_map.md b/docs/_deploy_ssr130_port_map.md new file mode 100644 index 0000000000..66d09770ea --- /dev/null +++ b/docs/_deploy_ssr130_port_map.md 
@@ -0,0 +1,18 @@ + + +The following image of the SSR130 includes Cellular and TAA subvariants. + +![SSR130 Front Panel](/img/hdwr_ssr130_faceplate.png) + +### Port Mapping + +| Name | Port | Description | PCI Address | Speed | Type | +| --- | --- | --- | --- | --- | --- | +| ge-0-0 | Port 0 | WAN 1 network interface | 0000:04:00.3 | 1000 | WAN | +| ge-0-1 | Port 1 | WAN 2 network interface | 0000:04:00.2 | 1000 | WAN | +| ge-0-2 | Port 2 | WAN 3 network interface | 0000:04:00.1 | 1000 | WAN | +| ge-0-3 | Port 3 | LAN 1 network interface | 0000:04:00.0 | 1000 | LAN | +| ge-0-4 | Port 4 | LAN 2 network interface | 0000:03:00.1 | 1000 | LAN | +| ge-0-5 | Port 5 | LAN 3 network interface | 0000:03:00.0 | 1000 | LAN | +| ge-0-6 | Port 6 | HA Fabric network interface | 0000:02:00.1 | 1000 | HA Fabric | +| ge-0-7 | Port 7 | HA Sync network interface | 0000:02:00.0 | 1000 | HASync | diff --git a/docs/_set_authority_name.md b/docs/_set_authority_name.md index ab4d48c2f0..7119e0cc90 100644 --- a/docs/_set_authority_name.md +++ b/docs/_set_authority_name.md @@ -7,6 +7,6 @@ The authority represents the complete set of all SSRs managed under a single org ![Authority Settings](/img/conductor_authority_name.png) -3. Under Basic Information, enter the new Authority name. For example, a good name for the Authority would be the name of the business, e.g., Acme Corp. +3. Under Basic Information, enter the new Authority name. ![Basic Information](/img/conductor_authority_name2.png) \ No newline at end of file diff --git a/docs/_vmware_conductor_find_pci.md b/docs/_vmware_conductor_find_pci.md new file mode 100644 index 0000000000..069e5093b6 --- /dev/null +++ b/docs/_vmware_conductor_find_pci.md 
@@ -0,0 +1,49 @@ + + +The SSR conductor configuration requires the PCI address of the VMXNet3 management NIC. Because VMware assigns PCI addresses dynamically based on VM slot assignment, you must discover the address from the running VM rather than assuming a fixed value. + +### Identify the Interface Name + +1. Log in to the conductor CLI or SSH session: + + ``` + ssh admin@192.168.100.10 + ``` + +2. Enter the Linux shell from the PCLI: + + ``` + admin@node0.conductor1# shell + ``` + +3. List the network interfaces: + + ```bash + ip link show + ``` + + The output shows the Linux interface names for each NIC. A VMXNet3 NIC on VMware is commonly named `ens192`, `ens160`, or `eth0`. Identify the interface that corresponds to the management network. + +### Find the PCI Address + +4. Use `ethtool` to retrieve the PCI bus info for that interface. Replace `ens192` with your actual interface name: + + ```bash + ethtool -i ens192 | grep bus-info + ``` + + Example output: + + ``` + bus-info: 0000:0b:00.0 + ``` + + The value after `bus-info:` (for example `0000:0b:00.0`) is the PCI address to use in the SSR conductor configuration. + +:::tip +If `ethtool` is not available, you can find the PCI address using: +```bash +ls -la /sys/class/net/ens192/device +``` +The symlink target contains the PCI address in the path, for example `../../../0000:0b:00.0`. +::: diff --git a/docs/_vmware_vm_create.md b/docs/_vmware_vm_create.md new file mode 100644 index 0000000000..214bfcdade --- /dev/null +++ b/docs/_vmware_vm_create.md 
@@ -0,0 +1,107 @@ + + +## Log In to VMware ESXi + +1. Open a web browser and navigate to your ESXi host. Log in with administrative credentials. + + ![VMware ESXi Login](/img/vmware_login.png) + +## Upload the SSR ISO to the Datastore + +1. From the ESXi Navigator, select **Storage**. + + ![Navigator Storage](/img/vmware_storage.png) + +2. Click the **Datastore Browser** button. + + ![Datastore Browser Button](/img/vmware_datastore_browser_button.png) + +3. Click **Upload**, navigate to the SSR 7.1.4 Universal ISO on your local workstation, and click **Open**. The ISO appears in the datastore. + + ![SSR ISO in Datastore](/img/vmware_ssr-iso.png) + +4. Click **Close**. + +## Create the Virtual Machine + +1. From the ESXi Navigator, select **Virtual Machines**, then click **Create / Register VM**. + + ![Register VM](/img/vmware_registervm.png) + +2. Select **Create a new virtual machine** and click **Next**. + +### Name and Guest OS + +3. Configure the following: + + | Field | Value | + |-------|-------| + | Name | A descriptive name, for example `ssr-conductor` | + | Compatibility | `ESXi 7.0 U2 virtual machine` | + | Guest OS family | `Linux` | + | Guest OS version | `CentOS 7 (64-bit)` | + + Click **Next**. + + ![Name the VM](/img/vmware_name-os.png) + +### Storage + +4. Select the datastore and storage type for the VM, then click **Next**. + + ![Storage Type](/img/vmware_storage_type.png) + +### Virtual Hardware + +5. Click **Virtual Hardware** and configure the following settings. These values meet the minimum conductor requirements; scale up for larger deployments (see [Conductor Scaling Recommendations](intro_system_reqs.md#conductor-scaling-recommendations)). 
+ + | Setting | Value | Notes | + |---------|-------|-------| + | CPUs | `4` | Minimum; expand for >25 managed routers | + | Scheduling Affinity | `0-3` | Set under CPU → expand | + | Memory | `8 GB` | Minimum | + | Hard Disk 1 | `60 GB` | Minimum | + | SCSI Controller 0 | `VMware Paravirtual` | | + + ![Virtual Hardware Settings](/img/vmware_virt_hdwr.png) + +### Network Adapters + +6. By default, one network adapter is created. For a standalone conductor, one adapter is sufficient. Click the adapter to expand it and set the **Adapter Type** to **VMXNET3**. Set the **Network** to the management network portgroup connected to your conductor management subnet. + + :::note + If you plan to connect additional networks (for example, a dedicated conductor-to-router WAN), click **Add network adapter** to add additional VMXNet3 adapters now. For most deployments, one adapter is sufficient. + ::: + + ![Network Adapter Type](/img/vmware_net_adapter.png) + +### CD/DVD Media + +7. Expand **CD/DVD Drive 1**. In the dropdown, select **Datastore ISO file** and check **Connect**. The Datastore Browser opens. + +8. Select the SSR 7.1.4 ISO you uploaded earlier and click **Select**. + + ![CD ISO Selected](/img/vmware_cd-iso2.png) + +### VM Options (Boot Settings) + +9. Click the **VM Options** tab. + + ![VM Options](/img/vmware_vmoptions1.png) + +10. Expand **Boot Options** and configure: + + | Setting | Value | + |---------|-------| + | Firmware | `EFI` | + | Enable UEFI secure boot | **Disabled** (no check mark) | + + :::important + Secure Boot **must be disabled**. The SSR kernel modules are not signed, and Secure Boot will prevent the NIC drivers from loading, causing installation to fail. + ::: + + ![Boot Options](/img/vmware_vmoptions2.png) + +11. Click **Next**, review the summary, then click **Finish**. + + ![VM Complete](/img/vmware_finish.png) 
diff --git a/docs/deploy_appendix_conductor.mdx b/docs/deploy_appendix_conductor.mdx new file mode 100644 index 0000000000..4feac7393d --- /dev/null +++ b/docs/deploy_appendix_conductor.mdx 
@@ -0,0 +1,171 @@ +--- +title: "Appendix - Conductor Configuration" +sidebar_label: "Appendix - Conductor Configuration" +--- +import NetworkDesign from './_deploy_network_design.md'; + +This appendix contains the complete conductor configuration in SSR PCLI format for the `conductor1` system described in this guide. This configuration reflects the state after completing [Step 2 — Configure the Conductor](deploy_conductor_config.mdx) and [Step 3 — Configure the Router on the Conductor](deploy_router_config.mdx). + +## Network Design Reference + + + +## Applying This Configuration + +This configuration can be applied to a fresh conductor using the **import** function: + +1. Save the configuration below to a file, for example `acmecorp-conductor.cfg`. +2. Copy the file to the conductor at `/etc/128technology/config-exports/`. +3. From the conductor PCLI, run: + + ```bash + import config acmecorp-conductor.cfg + ``` + +4. Review any validation warnings, then commit: + + ```bash + commit + ``` + +Alternatively, copy and paste each configuration block into the PCLI in configuration mode (`configure` → `edit`). 
+ +## Complete Conductor Configuration + +``` +config + authority + name Authority128 + + conductor-address 192.168.100.10 + + tenant corp + name corp + exit + + service Internet-Traffic + name Internet-Traffic + scope public + security internal + + access-policy + source corp + exit + + address 0.0.0.0/0 + exit + + router conductor1 + name conductor1 + inter-node-security internal + + node node0 + name node0 + role conductor + + device-interface mgmt-dev + name mgmt-dev + type ethernet + pci-address 0000:03:00.0 + + network-interface mgmt-intf + name mgmt-intf + type management + + address 192.168.100.10 + ip-address 192.168.100.10 + prefix-length 24 + gateway 192.168.100.1 + exit + exit + exit + exit + exit + + router branch1 + name branch1 + inter-node-security internal + + dns-config automatic + mode automatic + exit + + node node0 + name node0 + role combo + asset-id SSR130-ABC1234567 + + device-interface wan-dev + name wan-dev + type ethernet + pci-address 0000:04:00.3 + forwarding true + + network-interface wan1 + name wan1 + type external + conductor true + default-route true + source-nat true + management true + dhcp v4 + + management-vector mgmt-vec-wan + name mgmt-vec-wan + priority 10 + exit + + neighborhood internet + name internet + topology spoke + exit + exit + exit + + device-interface lan-dev + name lan-dev + type ethernet + pci-address 0000:04:00.0 + forwarding true + + network-interface lan1 + name lan1 + type external + tenant corp + + address 192.168.1.1 + ip-address 192.168.1.1 + prefix-length 24 + exit + exit + exit + exit + + service-route internet-route + name internet-route + service-name Internet-Traffic + type service-agent + + next-hop node0 wan1 + node-name node0 + interface wan1 + exit + exit + exit + exit +exit +``` + +## Configuration Notes + +| Item | Note | +|------|------| +| `asset-id` | Replace `SSR130-ABC1234567` with the actual serial number from the SSR130 device label | +| `conductor-address` | Replace `192.168.100.10` 
with the actual static IP assigned to the conductor's MGMT port | +| `gateway` | Replace `192.168.100.1` with your management network gateway | +| LAN address | Replace `192.168.1.1/24` with the LAN subnet for each branch site | +| Coordinates | The `location` field is not shown here; add ISO 6709 coordinates for your conductor and each branch site | + +## Adding Additional Routers + +To add a second SSR130 router (`branch2`), copy the `router branch1` block, change the router name to `branch2`, update the `asset-id` to the second device's serial number, and change the LAN IP to a different subnet (for example, `192.168.2.1/24`). All other authority-level objects (`tenant`, `service`) are shared. diff --git a/docs/deploy_appendix_router.mdx b/docs/deploy_appendix_router.mdx new file mode 100644 index 0000000000..b9ff55d433 --- /dev/null +++ b/docs/deploy_appendix_router.mdx 
@@ -0,0 +1,142 @@ +--- +title: "Appendix - Router Configuration" +sidebar_label: "Appendix - Router Configuration" +--- +import NetworkDesign from './_deploy_network_design.md'; + +This appendix contains the SSR130 branch router configuration in SSR PCLI format. This is the router-scoped portion of the configuration staged on the conductor for `branch1`. It reflects the final state after completing [Configure the Router on the Conductor](deploy_router_config.mdx) and [Upgrade Routers to 7.1.5](deploy_router_upgrade.mdx). + +The complete authority-level configuration (including the service and tenant objects that the router depends on) is in [Appendix - Conductor Configuration](deploy_appendix_conductor.mdx). + +## Network Design Reference + + + +## Router Configuration + +The following block shows the `branch1` router section in isolation, as it would appear within the authority configuration. + +``` +config + authority + + router branch1 + name branch1 + inter-node-security internal + + dns-config automatic + mode automatic + exit + + node node0 + name node0 + role combo + asset-id SSR130-ABC1234567 + + device-interface wan-dev + name wan-dev + type ethernet + pci-address 0000:04:00.3 + forwarding true + + network-interface wan1 + name wan1 + type external + conductor true + default-route true + source-nat true + management true + dhcp v4 + + management-vector mgmt-vec-wan + name mgmt-vec-wan + priority 10 + exit + + neighborhood internet + name internet + topology spoke + exit + exit + exit + + device-interface lan-dev + name lan-dev + type ethernet + pci-address 0000:04:00.0 + forwarding true + + network-interface lan1 + name lan1 + type external + tenant corp + + address 192.168.1.1 + ip-address 192.168.1.1 + prefix-length 24 + exit + exit + exit + exit + + service-route internet-route + name internet-route + service-name Internet-Traffic + type service-agent + + next-hop node0 wan1 + node-name node0 + interface wan1 + exit + exit + exit + + exit +exit +``` + 
+## Interface Summary + +| Interface | Device | PCI Address | Type | Configuration | +|-----------|--------|-------------|------|--------------| +| `wan1` | `wan-dev` (`ge-0-0`, Port 0) | `0000:04:00.3` | External | DHCP; conductor=true; management over forwarding; neighborhood `internet` | +| `lan1` | `lan-dev` (`ge-0-3`, Port 3) | `0000:04:00.0` | External | Static `192.168.1.1/24`; tenant `corp` | + +## Service Forwarding Summary + +| Service | Route | Type | Egress Interface | +|---------|-------|------|-----------------| +| `Internet-Traffic` (0.0.0.0/0) | `internet-route` | `service-agent` | `wan1` (direct breakout) | + +## Configuration Notes + +| Item | Note | +|------|------| +| `asset-id` | Replace `SSR130-ABC1234567` with the device serial number | +| LAN address | Replace `192.168.1.1/24` with the actual LAN subnet for this branch | +| `source-nat` | Must be `true` on the management interface; management traffic originates from `169.254.x.x` | +| `default-route` | Must be `true`; causes Linux to forward all OS-originated traffic through the SSR engine | +| `conductor` | Must be `true` on the WAN interface for the router to reach the conductor over the forwarding plane | +| Neighborhood | The `internet` neighborhood on the WAN interface allows this router to peer with hub routers via SVR if added later | + +## Verifying the Running Configuration + +To view the running configuration for this router from the conductor PCLI: + +```bash +show config running authority router branch1 +``` + +To compare the running configuration against the candidate (uncommitted changes): + +```bash +show config candidate authority router branch1 +``` + +To export the entire authority configuration to a file: + +```bash +export config running filename acmecorp-export.cfg +``` + +The exported file is saved to `/etc/128technology/config-exports/` on the conductor. 
diff --git a/docs/deploy_appendix_vmware_conductor.mdx b/docs/deploy_appendix_vmware_conductor.mdx new file mode 100644 index 0000000000..a341883de3 --- /dev/null +++ b/docs/deploy_appendix_vmware_conductor.mdx 
@@ -0,0 +1,282 @@ +--- +title: "Appendix - VMware Conductor Configuration" +sidebar_label: "Appendix - VMware Conductor Configuration" +--- + +This appendix contains the complete SSR PCLI configuration for the `conductor1` VMware ESXi deployment described in this guide. This configuration reflects the state after completing all steps through [Step 9 — Configure the Router on the Conductor](deploy_vmware_conductor.mdx#step-9-configure-the-router-on-the-conductor). + +## Network Design Reference + +The following values are used in this configuration. Substitute your own values where noted. + +| Parameter | Example Value | Description | +|-----------|--------------|-------------| +| Authority Name | `Authority128` | Organizational authority name | +| Conductor Router Name | `conductor1` | | +| Conductor Node Name | `node0` | | +| Conductor Management IP | `192.168.100.10` | Static IP on VMware management network | +| Conductor Subnet Mask | `/24` | | +| Conductor Gateway | `192.168.100.1` | Management network gateway | +| Conductor NIC PCI Address | `0000:0b:00.0` | **Example only** — must be replaced with the actual value from [Step 7](deploy_vmware_conductor.mdx#step-7-find-the-vm-nic-pci-address) | +| Router Name | `branch1` | Branch router system name | +| Router Asset ID | `SSR130-ABC1234567` | **Replace** with the actual SSR130 serial number | +| Router LAN IP | `192.168.1.1/24` | LAN gateway address for the branch | + +## Applying This Configuration + +This configuration can be applied to a freshly initialized conductor using the PCLI import function. + +1. Save the configuration below to a file — for example `vmware-conductor.cfg`. + +2. Copy the file to the conductor: + + ```bash + scp vmware-conductor.cfg admin@192.168.100.10:/tmp/ + ``` + +3. Log in to the conductor PCLI: + + ```bash + ssh admin@192.168.100.10 + ``` + +4. Enter configuration mode and import: + + ``` + admin@node0.conductor1# import config /tmp/vmware-conductor.cfg + ``` + +5. 
Review any validation warnings, then commit: + + ``` + admin@node0.conductor1 (config)# commit + Are you sure you want to commit the candidate config? [y/N]: y + ``` + +Alternatively, you may copy and paste each block into the PCLI while in `configure` → `edit` mode. + +## Complete Conductor Configuration + +``` +config + authority + name Authority128 + + conductor-address 192.168.100.10 + + tenant corp + name corp + exit + + service Internet-Traffic + name Internet-Traffic + scope public + security internal + + access-policy + source corp + exit + + address 0.0.0.0/0 + exit + + router conductor1 + name conductor1 + inter-node-security internal + + node node0 + name node0 + role conductor + + device-interface mgmt-dev + name mgmt-dev + type ethernet + pci-address 0000:0b:00.0 + forwarding false + + network-interface mgmt-intf + name mgmt-intf + type management + + address 192.168.100.10 + ip-address 192.168.100.10 + prefix-length 24 + gateway 192.168.100.1 + exit + exit + exit + exit + exit + + router branch1 + name branch1 + inter-node-security internal + + dns-config automatic + mode automatic + exit + + node node0 + name node0 + role combo + asset-id SSR130-ABC1234567 + + device-interface wan-dev + name wan-dev + type ethernet + pci-address 0000:04:00.3 + forwarding true + + network-interface wan1 + name wan1 + type external + conductor true + default-route true + source-nat true + management true + dhcp v4 + + management-vector mgmt-vec-wan + name mgmt-vec-wan + priority 10 + exit + + neighborhood internet + name internet + topology spoke + exit + exit + exit + + device-interface lan-dev + name lan-dev + type ethernet + pci-address 0000:04:00.0 + forwarding true + + network-interface lan1 + name lan1 + type external + tenant corp + + address 192.168.1.1 + ip-address 192.168.1.1 + prefix-length 24 + exit + exit + exit + exit + + service-route internet-route + name internet-route + service-name Internet-Traffic + type service-agent + + next-hop node0 wan1 + 
node-name node0 + interface wan1 + exit + exit + exit + exit +exit +``` + +## Configuration Notes + +| Item | Note | +|------|------| +| `pci-address` (conductor) | **Must be replaced** with the actual VMXNet3 NIC PCI address discovered in [Step 7](deploy_vmware_conductor.mdx#step-7-find-the-vm-nic-pci-address). The value `0000:0b:00.0` is a common example but is not universal. | +| `asset-id` | Replace `SSR130-ABC1234567` with the actual serial number from the SSR130 device label. | +| `conductor-address` | Replace `192.168.100.10` with the actual static IP assigned to the conductor VM if different. | +| `gateway` | Replace `192.168.100.1` with your management network gateway. | +| LAN address | Replace `192.168.1.1/24` with the correct LAN subnet for the branch site. | +| `forwarding` on conductor NIC | Set to `false` — the conductor management NIC is not a forwarding interface. This differs from the router WAN and LAN interfaces, which have `forwarding true`. | + +## Key Differences from Hardware Conductor Configuration + +The VMware conductor configuration is functionally identical to the SSR1200 hardware conductor configuration with two notable differences: + +| Field | SSR1200 Hardware | VMware VM | +|-------|-----------------|-----------| +| `pci-address` (conductor NIC) | Fixed (`0000:03:00.0` on SSR1200) | Discovered at install time; typically `0000:0b:00.0` but varies by VM slot assignment | +| `forwarding` (conductor NIC) | `false` | `false` | + +The branch router (`branch1`) configuration is **identical** in both guides. PCI addresses in the SSR130 (`0000:04:00.3`, `0000:04:00.0`) are fixed hardware values and do not change. + +## Adding Additional Routers + +To add a second SSR130 router (`branch2`), copy the `router branch1` block, change the router name to `branch2`, update the `asset-id` to the second device's serial number, and change the LAN IP to a different subnet (for example `192.168.2.1/24`). 
All authority-level objects (`tenant`, `service`) are shared across all routers. + +``` + router branch2 + name branch2 + inter-node-security internal + + dns-config automatic + mode automatic + exit + + node node0 + name node0 + role combo + asset-id SSR130-XXXXXXXXXXX + + device-interface wan-dev + name wan-dev + type ethernet + pci-address 0000:04:00.3 + forwarding true + + network-interface wan1 + name wan1 + type external + conductor true + default-route true + source-nat true + management true + dhcp v4 + + management-vector mgmt-vec-wan + name mgmt-vec-wan + priority 10 + exit + + neighborhood internet + name internet + topology spoke + exit + exit + exit + + device-interface lan-dev + name lan-dev + type ethernet + pci-address 0000:04:00.0 + forwarding true + + network-interface lan1 + name lan1 + type external + tenant corp + + address 192.168.2.1 + ip-address 192.168.2.1 + prefix-length 24 + exit + exit + exit + exit + + service-route internet-route + name internet-route + service-name Internet-Traffic + type service-agent + + next-hop node0 wan1 + node-name node0 + interface wan1 + exit + exit + exit +``` diff --git a/docs/deploy_aws.md b/docs/deploy_aws.md new file mode 100644 index 0000000000..8c982462b1 --- /dev/null +++ b/docs/deploy_aws.md 
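Review bot: the "Key Differences from Hardware Conductor Configuration" table near the end of this hunk announces "two notable differences", but its second row, `forwarding` (conductor NIC), shows `false` for both SSR1200 and VMware, so only `pci-address` actually differs; either drop that row and say there is one difference, or state the real second difference. Two smaller points in the same hunk: step 4 of "Applying This Configuration" says "Enter configuration mode and import" but shows the prompt `admin@node0.conductor1#` without `(config)`, while step 5's commit is shown at `admin@node0.conductor1 (config)#`; make the prompts reflect where `import config` actually runs. And step 2 copies the file with `scp vmware-conductor.cfg admin@192.168.100.10:/tmp/` while the AWS guide in this same change opens the Linux shell as `t128@` and enters `pcli` from there; confirm that the `admin` account accepts scp, otherwise point the reader at the shell user.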
@@ -0,0 +1,61 @@ +--- +title: Deploying SSR in Amazon Web Services +sidebar_label: AWS Deployment Overview +--- + +This section provides end-to-end deployment guides for running the Juniper Session Smart Router (SSR) in Amazon Web Services (AWS). The guides cover the full journey: from creating an AWS account and setting up the required cloud infrastructure through to a running, configured SSR deployment. + +## Deployment Models + +SSR supports two management models and two licensing models in AWS. Review the options below to choose the right guide for your deployment. + +### Management Model + +| Management Model | Description | Best For | +| ---------------- | ----------- | -------- | +| **Conductor-managed** | A Session Smart Conductor (also deployed in AWS or on-premises) centrally manages one or more SSR routers. Supports full SSR feature set including advanced routing policies, HA, and CLI/GUI administration. | Enterprise deployments requiring full control over routing policy and configuration | +| **Mist-managed** | SSR routers are managed through the Juniper Mist cloud portal using Zero Touch Provisioning (ZTP). Requires an active Mist organization and registration code. | WAN Assurance deployments integrated with the Mist AI platform | + +:::important +SSR Version 6.x installed from an AWS Marketplace image supports **Mist-managed** routers only. For a conductor-managed deployment running SSR 6.x, install SSR 5.x first and upgrade through the Conductor, or use the BYOL image with explicit version selection. +::: + +### Licensing Model + +| License Model | Description | +| ------------- | ----------- | +| **PAYG (Pay As You Go)** | Hourly billing through the AWS Marketplace. Includes a 30-day free trial. Best for proof-of-concept and evaluation. Software upgrades and on-premises deployments require a separate token. | +| **BYOL (Bring Your Own License)** | Install your own licensed copy of SSR software. 
Requires Artifactory credentials or a Mist registration code. Supports image-based installations. Requires Conductor version 6.3.0-R1 or newer for BYOL router management. | + +## Available Guides + +| Guide | Management | Licensing | Notes | +| ----- | ---------- | --------- | ----- | +| [AWS: Conductor-Managed Deployment](deploy_aws_conductor.mdx) | Conductor | BYOL | **Recommended starting point.** Complete end-to-end guide from AWS account to running router | +| [AWS: PAYG Conductor-Managed Router](intro_installation_quickstart_aws.md) | Conductor | PAYG | Evaluation / PoC deployments using marketplace hourly billing | +| [AWS: PAYG Mist-Managed Router](intro_installation_quickstart_mist_aws.md) | Mist | PAYG | Mist WAN Assurance with marketplace hourly billing | +| [AWS: BYOL Mist-Managed Router](intro_installation_quickstart_byol_mist_aws.md) | Mist | BYOL | Mist WAN Assurance with your own license | + +## Supported AWS Instance Types + +The following EC2 instance sizes are supported for SSR deployments. Choose the size that best meets your throughput and interface requirements. + +| AWS Instance Size | Max vNICs | vCPU | Memory | +| ----------------- | --------- | ---- | ------ | +| c5.xlarge | 4 | 4 | 8 GB | +| c5.2xlarge | 4 | 8 | 16 GB | +| c5.4xlarge | 8 | 16 | 32 GB | +| c5.9xlarge | 8 | 36 | 72 GB | +| c5n.xlarge | 4 | 4 | 10.5 GB | +| c5n.2xlarge | 4 | 8 | 21 GB | +| c5n.4xlarge | 8 | 16 | 42 GB | +| c5n.9xlarge | 8 | 36 | 96 GB | + +For Conductor sizing guidance when managing multiple routers, see [System Requirements](intro_system_reqs.md#conductor-scaling-recommendations). + +## Additional Resources + +- [Cloud Platform Support](supported_cloud_platforms.md) +- [System Requirements](intro_system_reqs.md) +- [Firewall Port Reference](config_firewall_ports.md) +- [BYOL Cloud Images Release Notes](release_notes_byol.md) diff --git a/docs/deploy_aws_conductor.mdx b/docs/deploy_aws_conductor.mdx new file mode 100644 index 0000000000..2449158fcd 
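Review bot: the important callout says an SSR 6.x installed from an AWS Marketplace image supports Mist-managed routers only, yet the Available Guides table lists "AWS: PAYG Conductor-Managed Router" (Conductor management on PAYG, which is the Marketplace-billed image); a reader cannot tell whether that guide is limited to SSR 5.x or whether the callout is out of date. Add the applicable SSR version to that row, or reference the callout from it, so the two agree. Also, the PAYG row says "Software upgrades and on-premises deployments require a separate token" without saying what token or where it is obtained; the BYOL row mentions Artifactory credentials, so name the software access token here and link the step that configures it.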
--- /dev/null +++ b/docs/deploy_aws_conductor.mdx 
@@ -0,0 +1,534 @@ +--- +title: "AWS: Conductor-Managed Deployment Guide" +sidebar_label: Conductor-Managed Deployment +--- + +import AwsAccountSetup from './_aws_account_setup.md'; +import AwsVpcSetup from './_aws_vpc_setup.md'; +import AwsKeypair from './_aws_keypair.md'; +import AwsSecurityGroups from './_aws_security_groups.md'; +import AuthorityName from './_set_authority_name.md'; +import SetConductorIP from './_set_conductor_ip.md'; +import ChangeDefaultPasswords from './_change_def_passwords.md'; +import NextStepsConfig from './_conductor_install_nextsteps.md'; + +This guide walks through deploying a complete Juniper Session Smart Router (SSR) solution in AWS using the **BYOL (Bring Your Own License)** model with a **Conductor-managed** architecture. When you complete this guide, you will have: + +- An AWS account and VPC configured for SSR +- A Session Smart Conductor deployed and configured +- A Session Smart Router deployed and onboarded to the Conductor +- A baseline working configuration verified end-to-end + +## Prerequisites + +Before you begin, confirm you have: + +- A Juniper account with Artifactory credentials (username and token) for accessing SSR software repositories. Contact your Juniper Sales representative if you do not have these. +- The SSR software version you want to deploy. Your Juniper Sales representative can advise if you are unsure. +- AWS CLI installed on your local workstation (optional, for CLI-based deployment). See the [AWS CLI installation guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). 
+ +--- + +## Step 1: Set Up Your AWS Account + + + +--- + +## Step 2: Plan Your Deployment + +The following diagram illustrates the AWS infrastructure deployed by this guide: + +```mermaid +graph TB + subgraph AWS VPC ["AWS VPC (10.0.0.0/16)"] + subgraph mgmt ["Management Subnet (10.0.1.0/24)"] + COND[Session Smart Conductor\nEC2 Instance] + end + subgraph pub ["Public Subnet (10.0.2.0/24)"] + RTR_WAN[Router WAN Interface\nge-0-1] + end + subgraph priv ["Private Subnet (10.0.3.0/24)"] + RTR_LAN[Router LAN Interface\nge-0-2] + end + subgraph rtr_mgmt ["Router Mgmt Subnet (10.0.1.0/24)"] + RTR_MGMT[Router Mgmt Interface\nge-0-0] + end + end + IGW[Internet Gateway] --> mgmt + IGW --> pub + RTR_MGMT -->|Port 930, 4505, 4506| COND +``` + +### Deployment Summary + +| Component | AWS Resource | Subnet | Notes | +| --------- | ------------ | ------ | ----- | +| Conductor | EC2 instance | Management | Single NIC; SSH + HTTPS inbound | +| Router management interface | EC2 NIC | Management | Connects back to Conductor | +| Router WAN interface | EC2 NIC | Public | External/peer connectivity | +| Router LAN interface | EC2 NIC | Private | Internal workload connectivity | + +--- + +## Step 3: Create AWS Infrastructure + +### 3.1 Create VPC, Subnets, and Routing + + + +### 3.2 Create an EC2 Key Pair + + + +### 3.3 Create Security Groups + + + +--- + +## Step 4: Subscribe to the SSR BYOL Marketplace Offering + +1. Open the [Session Smart Networking Platform BYOL](https://aws.amazon.com/marketplace/pp/prodview-lz6cjd43qgw3c?sr=0-2&ref_=beagle&applicationId=AWSMPContessa) listing in the AWS Marketplace. +2. Click **Continue to Subscribe**. +3. Review and accept the terms and conditions. +4. Click **Continue to Configuration**. + +:::note +There is no software cost associated with the BYOL image. You pay only for the AWS EC2 compute resources. Software licensing is handled through your Artifactory credentials. 
+::: + +### Requesting a Private Offer + +If your environment has no outbound internet access to the SSR repositories, you can request a Private Offer instead: + +1. Locate your AWS Account ID: + - Open the [AWS Console](https://console.aws.amazon.com). + - Click the dropdown next to your username at the top right; the Account ID is displayed. + - Make a note of the Account ID. +2. Contact your Juniper Networks Sales representative and provide: + - Your AWS Account ID + - The SSR software version required for your deployment +3. Your Juniper Sales representative will email you the private offer. +4. Open the email and accept the terms and conditions to activate the offer. + +--- + +## Step 5: Deploy the Session Smart Conductor + +A Conductor must be deployed before any managed routers. The Conductor is a single EC2 instance with one network interface connected to the management subnet. + +### 5.1 Launch via AWS Console (CloudFormation) + +1. From the BYOL offering, click **Continue to Configuration**. +2. In the **Fulfillment Option** dropdown, select **CloudFormation Template**. +3. Select the **Juniper Session Smart Conductor** template. +4. Select your target region and click **Continue to Launch**. +5. In the **Choose Action** dropdown, select **Launch CloudFormation**, then click **Launch**. +6. The CloudFormation stack creation wizard opens. Fill in the stack parameters: + + | Parameter | Value | + | --------- | ----- | + | Stack name | A descriptive name, for example `ssr-conductor` | + | Name | Instance name, for example `conductor` | + | Instance Type | Select from the [supported instance sizes](deploy_aws.md#supported-aws-instance-types). 
`c5.xlarge` is recommended for small deployments | + | SSR Version | The SSR software version to install (for example `6.3.5-1`) | + | Artifactory Username | Your Artifactory username | + | Artifactory Token | Your Artifactory token | + | VPC ID | Select your `ssr-vpc` | + | Control Subnet ID | Select `ssr-mgmt-subnet` | + | Control Subnet Allowed CIDR | The CIDR of the management subnet (`10.0.1.0/24`) | + | Admin Allowed CIDR | Your admin workstation CIDR | + | Key Name | Select `ssr-keypair` | + +7. Click **Next** through the options pages, then click **Create stack**. + +![CloudFormation deployment complete](/img/platforms_aws_deployment_complete.png) + +8. Monitor the stack creation under the **Events** tab. When the status shows `CREATE_COMPLETE`, proceed to the **Outputs** tab. +9. Note the following values from the **Outputs** tab: + - **HTTPSLogin** — the URL to access the Conductor GUI + - **PublicEIP** — the public IP address of the Conductor instance + +:::note +After the CloudFormation stack reports `CREATE_COMPLETE`, allow an additional **10–15 minutes** for the BYOL SSR software installation to complete before attempting to log in. +::: + +### 5.2 Launch via AWS CLI (CloudFormation) + +If you prefer to deploy programmatically, follow the CloudFormation console steps 1–7 above to reach the template URL, then copy the **Amazon S3 URL** of the template. 
+ +Create a parameters file `conductor.parameters.json`: + +```bash +vi conductor.parameters.json +``` + +Paste and adjust the following JSON: + +```json +{ + "Name": "", + "Version": "", + "InstanceType": "c5n.xlarge", + "ArtifactoryUsername": "", + "ArtifactoryPassword": "", + "VpcId": "", + "ControlSubnet": "", + "ControlAllowedCidr": "10.0.1.0/24", + "AdminAllowedCidr": "", + "KeyName": "ssr-keypair" +} +``` + +Deploy the stack: + +```bash +aws cloudformation create-stack \ + --stack-name ssr-conductor \ + --template-url \ + --parameters file://conductor.parameters.json \ + --capabilities CAPABILITY_IAM +``` + +Monitor deployment status: + +```bash +aws cloudformation describe-stacks \ + --stack-name ssr-conductor \ + --query 'Stacks[0].StackStatus' +``` + +### 5.3 Manual Deployment (Without CloudFormation) + +If you prefer not to use CloudFormation templates, you can launch the EC2 instance directly: + +1. In the AWS Console, navigate to **EC2** and click **Launch Instance**. +2. Under **Application and OS Images**, click **Browse more AMIs**, search for `Session Smart Networking Platform BYOL`, and select the image. +3. Choose an instance type (see [supported sizes](deploy_aws.md#supported-aws-instance-types)). +4. Under **Key pair**, select `ssr-keypair`. +5. Under **Network settings**, click **Edit**: + - Select your `ssr-vpc` + - Select `ssr-mgmt-subnet` + - Select `ssr-conductor-sg` as the security group +6. Under **Configure storage**, ensure at least **128 GB** is allocated. +7. 
Expand **Advanced details** and populate the **User data** field with the cloud-init configuration below to automate onboarding: + +```yaml +#cloud-config +write_files: + - path: /etc/128T-hardware-bootstrapper/onboarding-config.json + content: | + { + "name": "", + "ssr-version": "", + "mode": "conductor", + "artifactory-user": "", + "artifactory-password": "", + "node-name": "node0", + "cloud-provider": "aws" + } +``` + +| Field | Description | +| ----- | ----------- | +| `name` | The name to assign to this Conductor | +| `ssr-version` | SSR software version to install (for example `6.3.5-1`) | +| `artifactory-user` | Your Artifactory username | +| `artifactory-password` | Your Artifactory token/password | +| `node-name` | For a standalone Conductor, use `node0` | + +8. Click **Launch instance**. + +If you do not provide user data, run onboarding manually after the instance starts: + +```bash +ssh -i ~/.ssh/ssr-keypair.pem ec2-user@ +sudo /usr/libexec/hardwareBootstrapper128t config-generator +``` + +Follow the prompts. The instance will reboot once when onboarding completes. + +--- + +## Step 6: Log In to the Conductor + +1. Navigate to the HTTPS URL from the CloudFormation Outputs tab (or `https://`). + + :::note + The Conductor uses a self-signed certificate by default. If your browser warns about an unsafe connection, you can safely proceed for initial setup. See [Configure Custom TLS Certificates](config_custom_certs.md) to install a trusted certificate. + ::: + +2. Log in with the default credentials: + - **Username:** `admin` + - **Password:** `128Tadmin` + +### Change Default Passwords + + + +--- + +## Step 7: Configure the Conductor + +### 7.1 Set the Authority Name + + + +Complete the authority name change by clicking **VALIDATE** and then **COMMIT**. + +### 7.2 Set the Conductor IP Address + + + +The Conductor's public IP address (from the CloudFormation Outputs or the EC2 console) is the address managed routers will use to connect. 
This must be set before deploying any routers. + +### 7.3 Add a Software Access Token (optional, for on-premises upgrades) + +If you require the ability to upgrade SSR software or deploy on-premises routers, add your Artifactory token to the Conductor. This propagates to all managed routers. + +SSH to the Conductor and run: + +```bash +ssh -i ~/.ssh/ssr-keypair.pem t128@ +``` + +Then from the PCLI: + +```bash +pcli +set software access-token +``` + +### 7.4 Create a Basic Configuration + +Before deploying routers, create the minimum required configuration on the Conductor: an Authority, at least one Service, and a Tenant. + +For a step-by-step walkthrough, see [Configure the Conductor](intro_basic_conductor_config.md). + +A default configuration template is also available on the Conductor: + +1. Log in to the Conductor GUI and navigate to **Configuration**. +2. Select **Templates** and browse the available default templates. +3. Apply a template as the starting point for your deployment. See [Configuration Templates](config_templates.md#default-templates) for details. + +--- + +## Step 8: Deploy the Session Smart Router + +With the Conductor running and configured, deploy the router. The router uses three network interfaces (management, WAN, and LAN) attached to the corresponding subnets. + +### 8.1 Enable Enhanced Networking (ENA) + +Before launching the router instance, enable ENA support on the AMI to achieve maximum throughput. Run the following from your local workstation: + +```bash +aws ec2 modify-instance-attribute \ + --instance-id \ + --ena-support +``` + +:::note +If you are using the CloudFormation template, ENA is configured automatically. +::: + +### 8.2 Launch via AWS Console (CloudFormation) + +1. Return to the BYOL marketplace offering and click **Continue to Configuration**. +2. In the **Fulfillment Option** dropdown, select **CloudFormation Template**. +3. Select the **Juniper Session Smart Conductor Managed Router** template. +4. 
Select your target region and click **Continue to Launch**. +5. In the **Choose Action** dropdown, select **Launch CloudFormation**, then click **Launch**. +6. Fill in the stack parameters: + + | Parameter | Value | + | --------- | ----- | + | Stack name | For example `ssr-router-1` | + | Router Name | For example `branch-router-1` | + | Instance Type | Select from [supported sizes](deploy_aws.md#supported-aws-instance-types) | + | SSR Version | Must match or be lower than the Conductor version | + | Artifactory Username | Your Artifactory username | + | Artifactory Token | Your Artifactory token | + | VPC ID | Select your `ssr-vpc` | + | Management Subnet ID | Select `ssr-mgmt-subnet` | + | Public Subnet ID | Select `ssr-public-subnet` | + | Private Subnet ID | Select `ssr-private-subnet` | + | Conductor Primary IP | The private IP of your Conductor from Step 5 | + | Key Name | Select `ssr-keypair` | + +7. Click **Next**, then **Create stack**. + +![Router deployment](/img/platforms_aws_router_deployment.png) + +8. Wait for `CREATE_COMPLETE`. Allow an additional **10–15 minutes** for BYOL installation to complete. + +### 8.3 Launch via AWS CLI (CloudFormation) + +Create `router.parameters.json`: + +```json +{ + "RouterName": "", + "Version": "", + "InstanceType": "c5n.xlarge", + "ArtifactoryUsername": "", + "ArtifactoryPassword": "", + "VpcId": "", + "ManagementSubnet": "", + "PublicSubnet": "", + "PrivateSubnet": "", + "ConductorPrimaryIp": "", + "AdminAllowedCidr": "", + "KeyName": "ssr-keypair" +} +``` + +Deploy: + +```bash +aws cloudformation create-stack \ + --stack-name ssr-router-1 \ + --template-url \ + --parameters file://router.parameters.json \ + --capabilities CAPABILITY_IAM +``` + +### 8.4 Manual Deployment (Without CloudFormation) + +1. In the AWS Console, navigate to **EC2** → **Launch Instance**. +2. Search for and select the **Session Smart Networking Platform BYOL** AMI. +3. Choose an instance type. +4. 
Under **Network settings**, click **Edit** and configure **three** network interfaces: + + | Interface | Subnet | Security Group | + | --------- | ------ | -------------- | + | eth0 (primary) | `ssr-mgmt-subnet` | `ssr-router-sg` | + | eth1 | `ssr-public-subnet` | `ssr-router-sg` | + | eth2 | `ssr-private-subnet` | `ssr-router-sg` | + +5. Expand **Advanced details** and populate **User data** for automatic onboarding: + +```yaml +#cloud-config +write_files: + - path: /etc/128T-hardware-bootstrapper/onboarding-config.json + content: | + { + "name": "", + "ssr-version": "", + "mode": "conductor-managed", + "artifactory-user": "", + "artifactory-password": "", + "conductor-hosts": [""], + "cloud-provider": "aws" + } +``` + +| Field | Description | +| ----- | ----------- | +| `name` | The router name (must match the configured router in the Conductor) | +| `ssr-version` | SSR software version to install | +| `conductor-hosts` | List of Conductor IP addresses (use the private IP) | + +6. Click **Launch instance**. + +### 8.5 Network Interface Layout + +The router template deploys the EC2 instance with network interfaces attached in the following order. Use these names in your Conductor or Mist configuration: + +**With management interface (recommended):** + +| SSR Interface Name | EC2 Interface | Subnet | +| ------------------ | ------------- | ------ | +| `ge-0-0` | eth0 | Management | +| `ge-0-1` | eth1 | Public (WAN) | +| `ge-0-2` | eth2 | Private (LAN) | + +**Without management interface:** + +| SSR Interface Name | EC2 Interface | Subnet | +| ------------------ | ------------- | ------ | +| `ge-0-0` | eth0 | Public (WAN) | +| `ge-0-1` | eth1 | Private (LAN) | + +--- + +## Step 9: Disable Source/Destination Check + +By default, AWS drops traffic on a network interface where the instance is not the source or destination. Since the SSR forwards traffic on behalf of other hosts, this check must be disabled on the router's network interfaces. + +1. 
In the **EC2 Console**, select the router instance. +2. Click the **Actions** dropdown, then select **Networking** → **Change source/destination check**. + + ![AWS Networking menu](/img/AWS-bootstrap1.png) + +3. In the **Change Source/Destination Check** dialog, select **Stop** and click **Save**. + + ![Source/Destination Check](/img/AWS-bootstrap2.png) + +:::note +Repeat this step for each network interface on the router instance if the dialog applies per-interface. +::: + +--- + +## Step 10: Create Router Configuration on the Conductor + +Before the router can pass traffic, it must have a configuration that matches the router name and interface layout you deployed. + +For a complete walkthrough of creating a basic router configuration (router object, WAN interface, LAN interface, service route), see [Basic Router Configuration](intro_basic_router_config.md). + +Key points for an AWS deployment: + +- The **router name** in the Conductor configuration must exactly match the `name` field used in the cloud-init user data or the CloudFormation template. +- Use the interface names from the [Network Interface Layout](#85-network-interface-layout) table above. +- The **Conductor Address** set in Step 7.2 must be reachable from the router's management subnet. + +--- + +## Step 11: Verify the Deployment + +### Verify the Conductor is Running + +1. SSH to the Conductor: + ```bash + ssh -i ~/.ssh/ssr-keypair.pem t128@ + ``` +2. Check the service status: + ```bash + sudo systemctl status 128T + ``` +3. Confirm the service shows **Active (running)**. +4. Log in to the Conductor GUI at `https://` with the `admin` user. + +### Verify the Router has Connected + +1. In the Conductor GUI, navigate to **Routers**. +2. Confirm your router appears and shows a **Connected** state. +3. Check that the routing table and Session table are populated as expected. 
+ +### Verify Traffic Forwarding + +From the Conductor PCLI, confirm sessions are being established: + +```bash +show sessions router +``` + +From the Conductor or Router GUI, use the **Topology** view to confirm adjacency and SVR path establishment. + +--- + +## Step 12: Next Steps + + + +### Additional Configuration Topics + +With SSR deployed and running in AWS, explore the following to complete your deployment: + +- **High Availability:** See [Conductor-managed HA Concepts](concepts_ha_options.md) for HA Conductor and Router configurations. +- **BGP with AWS TGW:** See [BGP Configuration](config_bgp.md) for connecting SSR to AWS Transit Gateway using BGP. +- **Security Hardening:** See [Security Hardening Guidelines](sec_hardening_guidelines.md). +- **Upgrading:** See [Upgrading the SSR](intro_upgrading.md) for the upgrade process on AWS instances. +- **Monitoring:** See [Monitoring the SSR](concepts_monitoring.md) for metrics and alerting configuration. diff --git a/docs/deploy_conductor_config.mdx b/docs/deploy_conductor_config.mdx new file mode 100644 index 0000000000..ec4f00cd5c --- /dev/null +++ b/docs/deploy_conductor_config.mdx 
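Review bot: the parameter files in 5.2 and 8.3 will not work as written with `aws cloudformation create-stack --parameters file://conductor.parameters.json`: that option expects a JSON array of objects with `ParameterKey` and `ParameterValue` fields, not a flat object such as `"InstanceType": "c5n.xlarge"`. Rewrite both files as `[{"ParameterKey": "InstanceType", "ParameterValue": "c5n.xlarge"}, ...]`, or say that the flat form only applies to `--parameter-overrides` with `aws cloudformation deploy`. Further points in this hunk: (1) Step 7.2 says the Conductor's public IP "is the address managed routers will use to connect", but Step 8.2's `Conductor Primary IP` and Step 8.4's `conductor-hosts` both say to use the private IP, and Step 10 says the address from 7.2 must be reachable from the router's management subnet; pick one and state when the other applies (routers outside the VPC versus inside it). (2) Step 8.1 says to enable ENA "on the AMI" "before launching the router instance", but `aws ec2 modify-instance-attribute --instance-id ... --ena-support` acts on an existing instance, which also has to be stopped; move the step after launch or state that the BYOL AMI already has ENA enabled, and the instance ID value is missing from the command. (3) The Artifactory token goes in clear text into `conductor.parameters.json`, into the stack parameters and into cloud-init user data as `"artifactory-password"`; instance user data is readable from the instance metadata service by any process on the instance and through `ec2:DescribeInstanceAttribute`, so add a warning to protect the parameters file, confirm the template declares the token parameter as `NoEcho`, and recommend clearing the user data after onboarding completes. (4) Step 9's note hedges with "if the dialog applies per-interface"; source/destination check is an attribute of each network interface, so tell the reader to verify it is disabled on eth0, eth1 and eth2 under EC2 → Network Interfaces rather than leaving it conditional. (5) The SSH and PCLI examples (`ssh ... t128@`, `show sessions router`) are missing their host and router-name placeholder values.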
@@ -0,0 +1,84 @@ +--- +title: Configure the Conductor +sidebar_label: Configure the Conductor +--- +import NetworkDesign from './_deploy_network_design.md'; +import AuthorityName from './_set_authority_name.md'; +import SetConductorIP from './_set_conductor_ip.md'; +import ConductorAuthority from './_conductor_to_authority.md'; + +This section configures the authority-level settings on the conductor: the authority name, conductor address, internet service, and corporate tenant. These objects are global to all routers in the authority. + +All steps are performed from the **Conductor GUI** at `https://192.168.100.10` unless otherwise noted. + +## Network Design Reference + + + +## 1. Set the Authority Name + + + +:::note +Use your organization's name as the authority name (for example, `Authority128`). The authority name cannot be changed after routers have been provisioned without re-onboarding them. +::: + +## 2. Set the Conductor Address + +The conductor address is the IP address that managed routers use to connect to this conductor. It must be reachable from each branch router's WAN interface. + + + +For this guide, enter `192.168.100.10` as the conductor address. + +## 3. Create the Corporate Tenant + +Tenants logically partition the network. The `corp` tenant represents corporate LAN users in this deployment and is referenced by the LAN interface configuration on each branch router. + +1. In the Conductor GUI, select **Configuration**. +2. Select **Authority**. +3. Scroll to **Tenants** and select **ADD**. +4. Enter the name `corp` and select **SAVE**. +5. At the top of the screen, select **VALIDATE** and then **COMMIT**. + +:::info +Tenants are authority-wide. A single `corp` tenant definition applies to all routers that assign it to a LAN interface. +::: + +## 4. Create an `Internet-Traffic` Service + +The *service* configuration element defines the IP destinations that the SSR will route. 
This process creates a single service representing all internet-bound traffic. + +1. Log in to the Conductor GUI. +2. Select **Configuration**. +3. Select **Authority** from the left panel. +4. Scroll down to **Services** and select **ADD**. +5. Enter the name `Internet-Traffic` and select **SAVE**. +6. On the Service screen, verify **Enabled** is set to `true`. +7. Scroll down to **Service Addresses** and select **ADD**. +8. Enter `0.0.0.0/0` and select **SAVE**. +9. Scroll down to **Access Policy** and select **ADD**. + - Set **Source** to `corp` (the tenant you will create in the next step). + - Select **SAVE**. +10. At the top of the screen, select **VALIDATE** and then **COMMIT**. + +## 5. Assign the Conductor Asset ID + + + +## What Was Configured + +At the end of this step your authority contains: + +| Object | Name | Value | +|--------|------|-------| +| Authority | `Authority128` | | +| Conductor Address | | `192.168.100.10` | +| Service | `Internet-Traffic` | `0.0.0.0/0` | +| Tenant | `corp` | LAN-side user population | + +## Next Step - Configure the Router on the Conductor + +The conductor must have the branch router's configuration staged **before** the router (hardware or virtual device) is powered on. When the router comes online and contacts the conductor, it downloads this configuration automatically. + +Proceed to [Configure the Router on the Conductor](deploy_router_config.mdx). diff --git a/docs/deploy_conductor_install.mdx b/docs/deploy_conductor_install.mdx new file mode 100644 index 0000000000..a34989e564 --- /dev/null +++ b/docs/deploy_conductor_install.mdx 
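Review bot: in section 4 step 9, "Set Source to `corp` (the tenant you will create in the next step)" contradicts the ordering of this hunk; the `corp` tenant is created in section 3, before the service, so the parenthetical should read "the tenant created in step 3" (or the sections were reordered without updating it). Also, section 2 says the conductor address "must be reachable from each branch router's WAN interface" and then sets it to `192.168.100.10`, a private address on the management network; say how a branch router whose WAN address comes from DHCP reaches that address (same site, VPN, or a routed path), otherwise the reader commits a conductor address the routers cannot reach.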
@@ -0,0 +1,165 @@ +--- +title: Install the Conductor +sidebar_label: Install the Conductor +--- +import SSR1200Ports from './_deploy_ssr1200_port_map.md'; +import VerifyConductorInstall from './_install_verify_conductor_install.md'; +import ChangeDefaultPasswords from './_change_def_passwords.md'; +import ConfigureToken from './_configure_token.md'; + +This section covers the physical hardware setup and software installation for the SSR1200 being used as the conductor. The SSR1200 conductor provides centralized management for all branch routers in the network. + +SSR 7.1.5 uses the **Universal ISO** installation process. If your SSR1200 shipped with SSR 6.3.0 or later pre-installed, skip the [Install the Software](#install-the-software) section and proceed directly to [Initialize the Conductor](#initialize-the-conductor). + +If your device has an SSR software version lower than SSR 6.3.0, there are specific requirements for upgrading to the latest SSR version. Please use the detailed instructions in [Upgrading the Conductor](upgrade_ibu_conductor#upgrade-using-the-gui) before proceeding. + +To help you identify the number of managed routers your SSR device can support, refer to the [Conductor Scaling Recommendations](intro_system_reqs.md#conductor-scaling-recommendations) in the System Requirements documentation. + +## SSR1200 Port Reference + + + +## Physical Setup + +Connect the SSR1200 before powering it on: + +1. **Connect the MGMT port** (`mgmt-0-0`, PCI `0000:03:00.0`) to a management network switch port that provides: + - A static IP assignment + - Connectivity to the internet (required for software downloads) + +2. **Connect a laptop** to any LAN port (Port 0/3 through Port 0/5) using a standard Ethernet cable. The laptop will be used to access the device initialization web interface at `https://192.168.128.1` during setup. + +3. Do **not** power on the device yet. 
+ +## Install the Software + +:::note +Skip this section if your SSR1200 already has SSR 6.3.0 or later installed. +::: + +### Download the ISO + +Download the SSR 7.1.5 ISO from the Juniper software repository: + +- URL: [https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local/](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local/) +- You will be prompted for your Artifactory username and software access token. +- Select the `SSR-7.1.5-7.r2.el9.x86_64.ibu-v1.iso` ISO file. + +For instructions on creating a bootable USB from the ISO, see [Creating a Bootable USB](intro_creating_bootable_usb.md). + +### Boot from USB + +1. Connect the bootable USB to a USB port on the SSR1200. +2. Connect a console cable (RJ-45 rollover) to the **CONSOLE** port on the SSR1200 and to your laptop or console server. Set the baud rate to **115200 bps**. +3. Power on the SSR1200. +4. When the prompt `Press ESC for boot menu` appears, press **ESC**. +5. From the boot menu, select the USB device number and press **Enter**. +6. From the boot menu, press **TAB** or **DEL** to enter Setup if required. + +### Run the Installer + +1. At the boot image selection screen, select the SSR 7.1.5 image and press **Enter**. + + ![Choose Image](/img/u-iso2_choose_image.png) + +2. At the Install menu, select **Serial Console**. + + ![Install Type](/img/u-iso3_choose_install_type.png) + + :::note + Select **Serial** when using a console cable (recommended for data-center installations), and be sure the baud rate is set to 115200 bps. Select **VGA** only if you have a keyboard and monitor connected directly to the device. If no selection is made within 30 seconds, the system defaults to the **Serial Console** boot option. + ::: + +3. If you are installing a FIPS enabled system, select Install Option 1, then press **Enter**. 
+ + If you are installing a physical device and do not require FIPS, skip the options and select **Enter**. The download and installation begins. + + :::note + IDP is not currently compatible with systems running in FIPS 140-3 mode, including Common Criteria or JITC deployments. + + If after installation you require IDP, FIPS mode must be disabled on the target system if IDP is to be enabled. Refer to [IDP Troubleshooting](ts_idp.md#fips-mode-and-idp) for information to disable FIPS mode. + ::: + + + ![Install Options](/img/u-iso4_install_options.png) + +4. The installation runs to completion automatically. This may take approximately 15–20 minutes. + + ![Install Progress](/img/u-iso5_begin_install.png) + +5. When prompted to reboot, allow the device to restart. Remove the USB drive before the next boot. + + ![Install Complete](/img/u-iso6_unpacker_complete.png) + +## Initialize the Conductor + +The SSR1200 exposes a web-based initialization interface on its LAN ports after the first boot. Use this interface to configure the conductor role, management IP address, and admin credentials. + +1. Ensure your laptop is connected to a LAN port on the SSR1200 and has a static IP in the `192.168.128.0/24` subnet. + + :::note + Assign your laptop a static IP address in the range `192.168.128.2`–`192.168.128.254` with a subnet mask of `255.255.255.0` before connecting. The initialization web interface is only accessible on the LAN-side ports prior to initialization. + ::: + +2. Open a web browser and navigate to: + + ``` + https://192.168.128.1 + ``` + + Accept the self-signed certificate warning. + + ![Initialization UI](/img/u-iso8_launch_gui.png) + +3. Under **SSR Managed**, select **SSR Conductor**. + + ![SSR Conductor Selection](/img/u-iso8a_initialize_conductor.png) + +4. Select **STANDALONE** for a single-conductor deployment. 
Select the **STATIC** address type, the **Provide Artifactory Credentials** checkbox, and enter the following information: + + | Field | Example Value | Notes | + |-------|--------------|-------| + | Conductor Name | `conductor1` | Used as the router name in the authority | + | Node IP Address | `192.168.100.10` | Static management IP | + | Node Gateway | `192.168.100.1` | Management network gateway | + | Interface Name | `mgmt-0-0` | Management interface | + | DNS Server | `8.8.8.8` | Optional; required for software downloads | + | Admin Password | _(your choice)_ | Minimum 8 chars, 1 upper, 1 lower, 1 number | + | Artifactory Username | _(your username)_ | Juniper software access | + | Artifactory Password | _(your token)_ | Juniper software access token | + + ![Conductor Configuration](/img/deploy_u-iso9_define_conductor.png) + + :::note + The admin, root, and t128 accounts are all set to the password you enter here. + ::: + + :::important + Record this password securely. It cannot be recovered if lost — only reset, which requires root access. + ::: + +5. Click **ASSOCIATE**. + +6. The SSR1200 reboots and comes online as a conductor. This process takes approximately 5–10 minutes. + +## Verify the Installation + +After the device restarts, connect your laptop to the management network and verify the conductor is running: + +:::note +At this point, it is good practice to remove the static IP previously set from your laptop. +::: + +Access the conductor GUI from the management network using: + +``` +https://192.168.100.10 +``` + +![Login to the Conductor](/img/dep-1200-cond-login.png) + +Log in with username `admin` and the password set during initialization. + +## Next Step + +Proceed to [Configure the Conductor](deploy_conductor_config.mdx). diff --git a/docs/deploy_guides_overview.md b/docs/deploy_guides_overview.md new file mode 100644 index 0000000000..46bb75abfc --- /dev/null +++ b/docs/deploy_guides_overview.md 
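Review bot: In the Initialize the Conductor table the DNS Server row reads "Optional; required for software downloads", which contradicts itself; state whether the field is required (the Physical Setup section says the MGMT port needs internet connectivity for software downloads, so it reads as required). Also, `[Upgrading the Conductor](upgrade_ibu_conductor#upgrade-using-the-gui)` is the only link on the page without a file extension; the router upgrade page links `upgrade_ibu_conductor.mdx`, so use the same form here.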
@@ -0,0 +1,12 @@ +--- +title: Deployment Guides Overview +sidebar_label: Overview +--- + +Conductor and Router Deployment Guides are provided to help walk a network engineer through the steps required to stand up a conductor-managed SSR network. + +Conductor deployments currently include an SSR1200, and VMWare ESX. In each case, the conductor will have a configuration ready for a branch router to onboard and come online, managed by the conductor, forwarding internet traffic for LAN users, and reachable by the conductor over the same WAN interface used for internet breakout. + +Router deployments currently include an SSR130. + +The deployment guides are intended to be used independently of one another, allowing you to mix and match deployment platforms. \ No newline at end of file diff --git a/docs/deploy_overview.mdx b/docs/deploy_overview.mdx new file mode 100644 index 0000000000..a1dfcd0d52 --- /dev/null +++ b/docs/deploy_overview.mdx 
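Review bot: "VMWare ESX" in the Conductor deployments paragraph does not match the product name used in the VMware page title ("VMware ESXi"); use "VMware ESXi" consistently. The file also ends without a trailing newline (`\ No newline at end of file`); add one for consistency with the other new files.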
@@ -0,0 +1,77 @@ +--- +title: Conductor-Managed Network Deployment Guide +sidebar_label: Overview +--- +import Mermaid from '@theme/Mermaid'; +import NetworkDesign from './_deploy_network_design.md'; + +This guide walks a network engineer through the steps required to stand up a conductor-managed SSR network using an **SSR1200 as the Conductor** and ready to onboard branch routers. By the end of the guide, the conductor will have a configuration ready for each branch router to bring it online, managed by the conductor, forwarding internet traffic for LAN users, and reachable by the conductor over the same WAN interface used for internet breakout. + +## Guide Sections + +| Step | Topic | Description | +|------|-------|-------------| +| 1 | [Install the Conductor](deploy_conductor_install.mdx) | Install SSR 7.1.5 on an SSR1200 and initialize it as a standalone conductor | +| 2 | [Configure the Conductor](deploy_conductor_config.mdx) | Set the authority name, conductor address, internet service, and corporate tenant | +| 3 | [Configure the Router on the Conductor](deploy_router_config.mdx) | Pre-stage each SSR130 router's configuration on the conductor before onboarding | +| — | [Appendix — Conductor Configuration](deploy_appendix_conductor.mdx) | Complete conductor PCLI configuration | + +## Network Topology + +The diagram below shows the logical network this guide builds. 
+ +|"Management over\nForwarding (WAN)"| ISP + ISP <-->|"DHCP / Internet Breakout\n(service: Internet-Traffic)"| Router + LAN <-->|"LAN"| Router +`}/> + +## Roles + +| Device | Model | Role | +|--------|-------|------| +| `conductor1` | SSR1200 | Standalone SSR Conductor — centralized management and provisioning | +| `branch1` | SSR130 | Conductor-managed branch router — internet breakout and LAN services | + +## Network Design Reference + + + +## Prerequisites + +Before beginning, ensure the following are available: + +- **Juniper software access credentials** — Artifactory username and password for software downloads. +- **SSR 7.1.5 ISO image** — downloaded from [software.128technology.com](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local/) using your Juniper software access credentials. +- **Bootable USB drive** — minimum 8 GB, prepared from the ISO. See [Creating a Bootable USB](intro_creating_bootable_usb.md). +- **Console access** — RJ-45 rollover cable or VGA/keyboard access to the SSR1200 for the initial installation. +- **Management network** — a network switch port providing DHCP or a known static IP for the SSR1200 MGMT port. +- **Static IP assignment for the conductor** — the IP address assigned to the conductor must be reachable from branch WAN links. +- **Mist portal account** — required for SSR130 Zero Touch Provisioning (ZTP). A free account suffices; WAN Assurance subscription is **not** required. +- **ISP WAN links** — each SSR130 branch requires an Ethernet WAN link providing DHCP. + +## Software Version Requirements + +This guide targets **SSR 7.1.5** on both conductor and routers. + +:::note +The router software version cannot be higher than the conductor software version. SSR130 routers that ship with an earlier software version are upgraded to 7.1.5 from the conductor after onboarding. See [Upgrading the Conductor](intro_upgrading.md) for general upgrade information. 
+::: + +## Related Documentation + +- [SSR Installation Overview](intro_installation.md) +- [Conductor Deployment Best Practices](bcp_conductor_deployment.md) +- [Service and Service Policy Design](bcp_service_and_service_policy_design.md) +- [Management Traffic over Forwarding Interfaces](config_management_over_forwarding.md) +- [Onboard an SSR Device to a Conductor](onboard_ssr_to_conductor.md) diff --git a/docs/deploy_router_config.mdx b/docs/deploy_router_config.mdx new file mode 100644 index 0000000000..18dcc6d2f8 --- /dev/null +++ b/docs/deploy_router_config.mdx 
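Review bot: The Guide Sections table stops at step 3, yet the pages it chains through continue via their Next Step links to Onboard SSR130 Routers (`deploy_router_onboard.mdx`), Upgrade Routers (`deploy_router_upgrade.mdx`) and Verify the Deployment (`deploy_verify.md`); add those rows as the VMware overview does (its table runs through step 12). Two consistency points in Prerequisites: the ISO item links `generic-128t-isos-release-local` while the install page downloads from `generic-128t-install-images-release-local`, and the Management network item allows "DHCP or a known static IP" while the install page requires a static IP on the MGMT port.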
@@ -0,0 +1,183 @@ +--- +title: Configure the Router on the Conductor +sidebar_label: Configure the Router +--- +import NetworkDesign from './_deploy_network_design.md'; + +It is a best practice to have a valid configuration staged on the conductor for this router — including a matching asset ID — before the router is powered on. When the SSR130 comes online and contacts the conductor, it downloads this configuration and applies it automatically. + +This section walks through creating the router configuration for `branch1` from the Conductor GUI. Repeat these steps for each additional SSR130 router in your network, substituting the appropriate router name, node name, asset ID, and addressing values. + +All steps are performed from the **Conductor GUI** at `https://192.168.100.10`. It is important that all steps be completed before committing the configuration. + +## Network Design Reference + + + +## 1. Create the Router + +1. Log in to the Conductor GUI. +2. Select **Configuration**. +3. Under **Authority**, scroll to **Routers** and select **ADD**. +4. Enter the router name `branch1` and select **SAVE**. +5. Set the following fields on the Router screen: + + | Field | Value | Notes | + |-------|-------|-------| + | Location | `+32.7767-096.7970/` | ISO 6709 coordinates; update for your site | + | Inter-node Security | `internal` | Required for SVR between nodes | + +6. Select **VALIDATE** and **COMMIT** to save. + +## 2. Create the Node + +1. Scroll down to **Nodes** and select **ADD**. +2. Enter the node name `node0` and select **SAVE**. +3. Set the following fields: + + | Field | Value | + |-------|-------| + | Role | `combo` | + | Asset ID | _(SSR130 serial number, e.g., `SSR130-ABC1234567`)_ | + +:::important +The asset-id must match the router-name that will be entered during the SSR130's initialization. The asset-id is how the device will be identified when it contacts the conductor. +::: + +4. Select **SAVE**. + +## 3. 
Configure the WAN Interface + +The WAN interface (`ge-0-0`, Port 0) connects to the ISP, obtains a DHCP address, and provides both internet forwarding and conductor management traffic via [Management over Forwarding](config_management_over_forwarding). + +### 3a. Create the WAN Device Interface + +1. Under the Node, scroll to **Device Interfaces** and select **ADD**. +2. Enter the name `wan-dev` and select **SAVE**. +3. Set the following fields: + + | Field | Value | + |-------|-------| + | Type | `ethernet` | + | PCI Address | `0000:04:00.3` | + | Forwarding | `true` | + +4. Select **SAVE**. + +### 3b. Create the WAN Network Interface + +1. Under the Device Interface, scroll to **Network Interfaces** and select **ADD**. +2. Enter the name `wan1` and select **SAVE**. +3. Set the following fields: + + | Field | Value | Notes | + |-------|-------|-------| + | Type | `external` | | + | DHCP | `v4` | WAN IP is assigned by ISP DHCP | + | Conductor | `true` | Marks this interface for conductor connectivity | + | Default Route | `true` | Linux uses this interface as its default route | + | Source NAT | `true` | Required for management over forwarding | + | Management | `true` | Enables management over forwarding on this interface | + +4. Scroll down to **Management Vector** and select **ADD**. + - Enter name `mgmt-vec-wan` and priority `10`. + - Select **SAVE**. + +5. Scroll down to **Neighborhoods** and select **ADD**. + - Select `internet` as the neighborhood name. + - Verify **Topology** is set to `spoke`. + - Select **SAVE**. + +6. Select **VALIDATE** and **COMMIT**. + +:::important +`Source NAT` and `Default Route` must both be set to `true` on the management interface. Management traffic originates from the `169.254.x.x` range and must be source-NAT'd to a routable address before leaving the interface. The default route ensures Linux sends non-SVR traffic through the SSR forwarding engine. +::: + +## 4. 
Configure the LAN Interface + +The LAN interface (`ge-0-3`, Port 3) connects to the branch LAN and assigns the `corp` tenant to traffic arriving from that direction. + +### 4a. Create the LAN Device Interface + +1. Return to the **Node** level and scroll to **Device Interfaces**, then select **ADD**. +2. Enter the name `lan-dev` and select **SAVE**. +3. Set the following fields: + + | Field | Value | + |-------|-------| + | Type | `ethernet` | + | PCI Address | `0000:04:00.0` | + | Forwarding | `true` | + +4. Select **SAVE**. + +### 4b. Create the LAN Network Interface + +1. Under the LAN Device Interface, scroll to **Network Interfaces** and select **ADD**. +2. Enter the name `lan1` and select **SAVE**. +3. Set the following fields: + + | Field | Value | Notes | + |-------|-------|-------| + | Type | `external` | | + | Tenant | `corp` | Assigns all LAN traffic to the corp tenant | + +4. Scroll down to **Interface Addresses** and select **ADD**. + - IP Address: `192.168.1.1` + - Prefix Length: `24` + - Select **SAVE**. + +5. Select **VALIDATE** and **COMMIT**. + +## 5. Configure DNS + +To enable the router to resolve FQDNs (for conductor connectivity and software downloads), configure DNS in automatic mode so that DNS servers are learned from the WAN DHCP lease. + +1. Return to the **Router** level. +2. Scroll to **DNS Config** and select **ADD**. +3. Set **Mode** to `manual` and enter DNS IP addresses such as `1.1.1.1` or `8.8.8.8`. +4. Select **SAVE**. +5. Select **VALIDATE** and **COMMIT**. + +## 6. Create the Internet Service Route + +The service route tells the router how to forward traffic matched by the `Internet-Traffic` service. In this deployment, internet-bound traffic is forwarded as a **service agent** (direct internet breakout) through the WAN interface. + +1. Return to the **Router** level. +2. Scroll to **Service Routes** and select **ADD**. +3. Enter the name `internet-route` and select **SAVE**. +4. 
Set the following fields: + + | Field | Value | + |-------|-------| + | Service Name | `Internet-Traffic` | + | Service Route Type | `service-agent` | + +5. Scroll to **Next Hop** and select **ADD**. + - Node: `node0` + - Network Interface: `wan1` + - Select **SAVE**. + +6. Select **VALIDATE** and **COMMIT**. + +## Configuration Summary + +The following objects have been created for `branch1`: + +| Object | Name | Key Settings | +|--------|------|-------------| +| Router | `branch1` | combo node, asset ID linked | +| WAN Device Interface | `wan-dev` | PCI `0000:04:00.3`, forwarding | +| WAN Network Interface | `wan1` | DHCP, conductor, default-route, source-nat, management, neighborhood `internet` | +| LAN Device Interface | `lan-dev` | PCI `0000:04:00.0`, forwarding | +| LAN Network Interface | `lan1` | tenant `corp`, address `192.168.1.1/24` | +| Service Route | `internet-route` | service `Internet-Traffic`, type `service-agent`, next-hop `node0/wan1` | + +:::tip +To add additional SSR130 routers to this deployment, repeat this entire section with a new router name (e.g., `branch2`), a new LAN subnet (e.g., `192.168.2.1/24`), and the corresponding device asset ID. +::: + +## Next Step + +Proceed to [Onboard SSR130 Routers](deploy_router_onboard.mdx). diff --git a/docs/deploy_router_onboard.mdx b/docs/deploy_router_onboard.mdx new file mode 100644 index 0000000000..5c439bd198 --- /dev/null +++ b/docs/deploy_router_onboard.mdx 
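Review bot: The :::important box in section 2 says "The asset-id must match the router-name that will be entered during the SSR130's initialization", but the table directly above sets Asset ID to the SSR130 serial number (e.g., `SSR130-ABC1234567`) and the onboarding page enters Router Name `branch1` as a separate field; rewrite the box to say the asset ID must match the device serial number, since that is the value the conductor uses to identify the device when it connects. Section 5 also contradicts itself: the intro says to "configure DNS in automatic mode so that DNS servers are learned from the WAN DHCP lease" while step 3 sets **Mode** to `manual` with `1.1.1.1` or `8.8.8.8`; pick one. Two smaller points: the intro's "It is important that all steps be completed before committing the configuration" conflicts with the VALIDATE and COMMIT instructions at the end of sections 1, 3, 4 and 6, and the :::important box placed at column 0 between items 3 and 4 of the section 2 list will restart the numbering in Markdown; indent it under item 3.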
@@ -0,0 +1,177 @@ +--- +title: Onboard SSR130 Routers +sidebar_label: Onboard SSR130 Routers +--- +import SSR130Ports from './_deploy_ssr130_port_map.md'; + +This section covers the physical setup and initialization of each SSR130 branch router. Before beginning, confirm that the router configuration has been staged on the conductor as described in [Step 3 — Configure the Router on the Conductor](deploy_router_config.mdx). + +Repeat this section for each SSR130 in your deployment. + +:::important +It is a best practice to have a valid configuration staged on the conductor for this router — including a matching asset ID — before the router is powered on. +::: + +## SSR130 Port Reference + + + +## Onboarding Methods + +SSR130 routers running SSR 6.3.0 or later support two onboarding methods. Choose the method appropriate for your deployment: + +| Method | Best For | Requirements | +|--------|----------|-------------| +| [Web Workflow (Recommended)](#method-1-web-workflow) | Direct physical access at the branch | Laptop with Ethernet port | +| [Mist ZTP](#method-2-mist-ztp-zero-touch-provisioning) | Remote/zero-touch deployment | Mist portal account; conductor IP must be internet-reachable | + +--- + +## Method 1: Web Workflow + +Use this method when you have physical access to the SSR130 at the branch site. The device's initialization web interface guides you through the conductor association. + +### Physical Setup + +1. Connect **Port 0** (`ge-0-0`) to the ISP WAN Ethernet link. +2. Connect a laptop to **Port 3** (`ge-0-3`) using a standard Ethernet cable. + + :::note + Assign the laptop a static IP address in the range `192.168.128.2`–`192.168.128.254` with a subnet mask of `255.255.255.0`. + ::: + +3. **Power on the device**. + +### Initialize the Router + +1. Open a web browser and navigate to: + + ``` + https://192.168.128.1 + ``` + + Accept the self-signed certificate warning. + +2. Under **SSR Managed**, select **SSR Router Managed via Conductor**. 
+ + ![SSR Conductor-managed router](/img/u-iso10_cond-mngd_router.png) + +3. Enter the following information: + + | Field | Value | + |-------|-------| + | Router Name | `branch1` _(must match the name configured on the conductor)_ | + | Conductor IP Address | `192.168.100.10` | + | Admin Password | _(the password set during conductor initialization)_ | + + ![Conductor Managed Association](/img/deploy_u-iso11_cond-mngd-assoc-new.png) + +4. Click **ASSOCIATE**. + +5. The SSR130 reboots, contacts the conductor at `192.168.100.10`, and downloads its configuration. This process takes approximately 5–10 minutes. + +6. Disconnect the laptop from Port 3 and connect your LAN switch to **Port 3** (`ge-0-3`). + +--- + +## Method 2: Mist ZTP (Zero Touch Provisioning) + +Use this method for remote or zero-touch deployments where the device must self-onboard without any physical laptop connection. + +### Prerequisites + +- A Mist portal account is required (free). WAN Assurance subscription is **not** required. +- The conductor IP address (`192.168.100.10`) must be reachable from the branch WAN link. + +### Step 1 — Create a Mist Account and Organization + +If you do not have a Mist account, create one at [https://manage.mist.com](https://manage.mist.com). + +Once logged in, create an Organization: + +1. Select **Organization** → **Settings** from the left menu. +2. Enter an organization name and save. + +### Step 2 — Create a Site with the Conductor IP + +Each physical location where an SSR130 will be deployed needs a Mist site. The conductor IP address is added to the site so that SSR devices can receive their conductor address via ZTP. + +1. Select **Organization** → **Site Configuration** from the left menu. +2. Click **Create Site**. +3. Enter a site name (for example, `Branch-Dallas`). +4. Scroll to the **Session Smart Conductor Address** field and enter `192.168.100.10`. + + ![Session Smart Conductor Address](/img/wanas_conductor_ip_mist.png) + +5. Save the site. 
+ +### Step 3 — Physical Setup + +1. Connect **Port 0** (`ge-0-0`) to the ISP WAN Ethernet link providing: + - DHCP address assignment + - Internet connectivity (required to reach Mist) + +2. Connect your LAN devices to **Port 3** (`ge-0-3`). + +3. **Power on the device**. + +### Step 4 — Claim the Device + +Add the SSR130 to your Mist organization using the claim code on the device label: + +1. Locate the QR code / claim code label on the SSR130. + + ![Claim Code](/img/intro_wa_ssr130_quickstart_2.png) + +2. From the Mist portal, navigate to **Organization** → **Inventory**. +3. Click **Claim** and enter the claim code, or scan the QR code with the Mist mobile app. +4. Assign the device to the site created in Step 2. + +### Step 5 — Automatic Onboarding + +Once claimed and assigned to the site, the SSR130: + +1. Connects to Mist via Port 0 using the DHCP-assigned address. +2. Receives the conductor IP address from Mist. +3. Contacts the conductor at `192.168.100.10`. +4. Downloads and applies its staged configuration. + +No further interaction is required. Monitor onboarding progress from the Conductor GUI (see [Verify Onboarding](#verify-onboarding) below). + +--- + +## Verify Onboarding + +After the SSR130 connects to the conductor, verify the onboarding was successful from the **Conductor GUI**: + +1. Navigate to the **Routers** page. +2. The router (`branch1`) statuses may be **Re-Initializing**, **Synchronizing**, or **Running**. +3. Once fully synchronized, the status shows **Synchronized** and the router's asset ID appears under the router entry. 
+ +From the conductor **PCLI**, verify using: + +```bash +show assets +``` + +The output should show the router in a **Synchronized** or **Running** state: + +``` +admin@node0.conductor1# show assets +===================== ============== =========== + Asset ID Router Status +===================== ============== =========== + SSR130-ABC1234567 branch1 Synchronized +``` + +From the router, verify the SSR service is active: + +```bash +sudo systemctl status 128T +``` + +The service should be listed as `Active (running)`. + +## Next Step + +Proceed to [Upgrade Routers to 7.1.5](deploy_router_upgrade.mdx). diff --git a/docs/deploy_router_upgrade.mdx b/docs/deploy_router_upgrade.mdx new file mode 100644 index 0000000000..5d50b88def --- /dev/null +++ b/docs/deploy_router_upgrade.mdx 
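Review bot: Method 2 lists "The conductor IP address (`192.168.100.10`) must be reachable from the branch WAN link" and the methods table says the "conductor IP must be internet-reachable", but `192.168.100.10` is a private (RFC 1918) address that a remote branch reaching the conductor over an ISP link cannot route to; state that the Mist site's Session Smart Conductor Address must be a public or otherwise routable address for remote ZTP, and that the private address only works when the branch WAN and the management network share routing. Also, in Verify Onboarding the `sudo systemctl status 128T` check is described as run "From the router", which the zero-touch flow cannot do without console access; and systemctl reports the state as `active (running)` in lowercase, not `Active (running)`.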
@@ -0,0 +1,132 @@ +--- +title: Upgrade Routers to SSR 7.1.5 +sidebar_label: Upgrade Routers +--- +import UpgradeNote701 from './_upgrade_701_conductor_note.md'; + +Once an SSR130 router is onboarded and synchronized with the conductor, upgrade it to SSR 7.1.5. Upgrades are initiated from the conductor and executed without requiring physical access to the router. + +:::note +The conductor must be running **SSR 7.1.5 or later** before upgrading any router to 7.1.5. The router software version cannot be higher than the conductor version. If you have not already upgraded the conductor to 7.1.5, do so first using the procedure in [Upgrading the Conductor](upgrade_ibu_conductor.mdx). +::: + + + +## Software Availability + +The conductor downloads the router software image from the Juniper software repository. The conductor must have: +- Valid Artifactory credentials configured +- Internet connectivity on the management network + +## Upgrade Using the Conductor GUI + +This is the recommended method for upgrading one or more routers. + +### Download the Software + +1. In the Conductor GUI, navigate to the **Routers** page. +2. Select **Software Lifecycle** at the top of the page. +3. Select **Initiate Upgrade** → **Download**. +4. Choose version `7.1.5` from the dropdown. +5. Select the router(s) to download to from the router list (for example, `branch1`). +6. Click **Start**. + +Monitor the download progress on the **Software Lifecycle** panel. Wait until the download status shows **Complete** before proceeding to the upgrade. + +### Run the Upgrade + +1. Return to **Software Lifecycle** and select **Upgrade**. +2. Select version `7.1.5`. +3. Select the router(s) to upgrade. +4. Click **Start**. + +The upgrade runs to completion with no interaction required. The router restarts automatically at the end of the process. + +To view installation history, select **Lifecycle History** on the Software Lifecycle panel. 
+ +## Upgrade Using the Conductor PCLI + +Use this method to upgrade routers from the command line. + +Log in to the conductor PCLI: + +```bash +ssh admin@192.168.100.10 +``` + +### Step 1 — View Assets + +Confirm the router is connected and show its current software version: + +```bash +show assets +``` + +Example output: +``` +===================== ============== =========== + Asset ID Router Status +===================== ============== =========== + SSR130-ABC1234567 branch1 Synchronized +``` + +### Step 2 — Check Available Versions + +```bash +show system software available router branch1 node node0 +``` + +Confirm version `7.1.5` appears in the output. + +### Step 3 — Download the Software + +```bash +request system software download router branch1 node node0 version 7.1.5 +``` + +Monitor download progress: + +```bash +show system software download router branch1 node node0 +``` + +Wait until the status shows `completed`. + +### Step 4 — Upgrade the Router + +```bash +request system software upgrade router branch1 node node0 version 7.1.5 +``` + +Monitor upgrade progress: + +```bash +show system software upgrade router branch1 node node0 +``` + +The router restarts when the upgrade completes. Allow 5–10 minutes for the router to come back online and re-synchronize with the conductor. + +### Step 5 — Verify the Upgrade + +After the router restarts: + +```bash +show assets +``` + +Confirm the router shows version `7.1.5` and a status of **Synchronized**. + +## Upgrading Multiple Routers + +To upgrade multiple routers efficiently: + +- From the GUI: select all target routers in the Software Lifecycle panel before clicking Start. +- From the PCLI: run separate `request system software download` commands per router, then upgrade each router after its download completes. + +:::tip +It is recommended to upgrade routers during a maintenance window. Internet traffic forwarding is briefly interrupted when the router restarts during the upgrade. 
+::: + +## Next Step + +Proceed to [Verify the Deployment](deploy_verify.md). diff --git a/docs/deploy_verify.md b/docs/deploy_verify.md new file mode 100644 index 0000000000..4969c11f4f --- /dev/null +++ b/docs/deploy_verify.md 
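Review bot: Step 1 says `show assets` shows the router's "current software version" and Step 5 says to "Confirm the router shows version `7.1.5`" from the same command, but the example output has only Asset ID, Router and Status columns and no version; either show a version column in the example or use `show system version router branch1` as the Verify the Deployment page does. The conductor-upgrade link also differs across pages (`upgrade_ibu_conductor.mdx` here, `upgrade_ibu_conductor#upgrade-using-the-gui` on the install page, `intro_upgrading.md` on the overview); pick one target.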
@@ -0,0 +1,132 @@ +--- +title: Verify the Deployment +sidebar_label: Verify the Deployment +--- + +This section confirms that the deployment is fully operational. Run each check in sequence to validate every layer of the stack. + +## 1. Verify Router-to-Conductor Connectivity + +From the **Conductor PCLI**, confirm all routers are synchronized: + +```bash +show assets +``` + +Expected output for a healthy deployment: + +``` +===================== ============== =========== + Asset ID Router Status +===================== ============== =========== + SSR130-ABC1234567 branch1 Synchronized +``` + +If a router shows **Disconnected** or remains in **Synchronizing** for more than 15 minutes, see [Troubleshooting Conductor Connectivity](ts_connecting_to_routers.md). + +## 2. Verify Router Software Version + +Confirm each router is running SSR 7.1.5: + +```bash +show system version router branch1 +``` + +Expected output: +``` +Fri 2026-04-17 10:00:00 UTC +=========== ============================== ============ + Router Version Status +=========== ============================== ============ + branch1 7.1.5-7.el7.x86_64 Running +``` + +## 3. Verify WAN Interface + +From the Conductor PCLI, confirm the WAN interface has received a DHCP address: + +```bash +show network-interface router branch1 node node0 name wan1 +``` + +Verify that: +- **Operational State** is `up` +- **Address** shows a DHCP-assigned IP address from the ISP + +Alternatively, from the Conductor GUI: +1. Navigate to **Routers** → `branch1`. +2. Select the **Interfaces** tab. +3. Verify `wan1` shows an IP address and is operationally `up`. + +## 4. Verify LAN Interface + +```bash +show network-interface router branch1 node node0 name lan1 +``` + +Verify that: +- **Operational State** is `up` +- **Address** shows `192.168.1.1/24` + +## 5. 
Verify Internet Service Forwarding + +From a LAN device in the `192.168.1.0/24` subnet, confirm internet connectivity: + +```bash +ping 8.8.8.8 +``` + +Or from the router's PCLI, trace a path for a LAN user to the internet: + +```bash +admin@node0.branch1# show fib router branch1 +``` + +Look for an entry matching `0.0.0.0/0` (the `Internet-Traffic` service) with a next-hop pointing to `wan1`. + +To confirm active session forwarding, from the Conductor PCLI: + +```bash +show sessions router branch1 +``` + +Traffic from LAN hosts (`192.168.1.0/24`, tenant `corp`) destined for the internet should appear as active sessions egressing `wan1`. + +## 6. Verify Internet Breakout with Source NAT + +From a LAN device, confirm that outbound traffic is source-NAT'd to the WAN IP: + +```bash +curl -s https://api.ipify.org +``` + +The returned IP address should match the WAN DHCP address assigned to `wan1` — not the LAN address. + +Alternatively, verify source NAT is applied from the PCLI: + +```bash +show nat entries router branch1 +``` + +Entries for LAN source addresses (`192.168.1.x`) translated to the WAN IP confirm internet breakout with NAT is working. + +## Summary Checklist + +| Check | Expected Result | +|-------|----------------| +| Router asset status | `Synchronized` | +| Router software version | `7.1.5` | +| WAN interface (`wan1`) | Operationally `up`, DHCP IP assigned | +| LAN interface (`lan1`) | Operationally `up`, address `192.168.1.1/24` | +| Management over forwarding | Default route via `kni254`; conductor SSH accessible | +| Internet service | FIB entry for `0.0.0.0/0` present, sessions forwarding | +| Source NAT | LAN traffic egresses with WAN IP as source | + +## Congratulations + +Your conductor-managed SSR network is fully operational. The SSR1200 conductor is managing the SSR130 branch router, which is forwarding internet traffic for LAN users and maintaining its management connection to the conductor over the WAN interface. 
+ +## Appendices + +- [Appendix Full Conductor Configuration](deploy_appendix_conductor.mdx) +- [Appendix Full Router Configuration](deploy_appendix_router.mdx) diff --git a/docs/deploy_vmware_conductor.mdx b/docs/deploy_vmware_conductor.mdx new file mode 100644 index 0000000000..16918d30c9 --- /dev/null +++ b/docs/deploy_vmware_conductor.mdx 
@@ -0,0 +1,400 @@ +--- +title: "VMware ESXi: Conductor-Managed Deployment Guide" +sidebar_label: "VMware ESXi Conductor" +--- +import Mermaid from '@theme/Mermaid'; +import CreateVM from './_vmware_vm_create.md'; +import FindPCI from './_vmware_conductor_find_pci.md'; +import ConductorIP from './_install_nmtui_conductor.md'; +import InitialBoot from './_install_nmtui_router.md'; +import VerifyConductorInstall from './_install_verify_conductor_install.md'; +import ChangeDefaultPasswords from './_change_def_passwords.md'; +import ConfigureToken from './_configure_token.md'; +import ConductorAuthority from './_conductor_to_authority.md'; +import AuthorityName from './_set_authority_name.md'; +import SetConductorIP from './_set_conductor_ip.md'; + +This guide walks a network engineer through every step required to stand up a conductor-managed SSR network using a **VMware ESXi virtual machine as the Conductor** and one or more **SSR130 branch routers**. By the end of the guide, the conductor VM will be running SSR 7.1.5, each branch router will be online and managed by the conductor, and internet traffic from LAN users will be forwarded through each router with management traffic returning to the conductor over the same WAN interface. 
+ +## Guide Sections + +| Step | Topic | Description | +|------|-------|-------------| +| 1 | [Create the VMware VM](#step-1-create-the-vmware-vm) | Create and configure a VMware ESXi VM to host the conductor | +| 2 | [Install SSR 7.1.5](#step-2-install-ssr-714) | Boot the ISO and install the SSR software | +| 3 | [Configure Linux Networking](#step-3-configure-linux-networking) | Set the conductor's management IP using NMTUI | +| 4 | [Initialize the Conductor](#step-4-initialize-the-conductor) | Run the SSR Initializer to configure the conductor role | +| 5 | [Verify and Secure the Installation](#step-5-verify-and-secure-the-installation) | Confirm the conductor is running and change default passwords | +| 6 | [Configure the Conductor](#step-6-configure-the-conductor) | Set the authority name, conductor address, internet service, and corporate tenant | +| 7 | [Find the VM NIC PCI Address](#step-7-find-the-vm-nic-pci-address) | Identify the VMware NIC PCI address required for the conductor PCLI configuration | +| 8 | [Configure the Management Interface on the Conductor](#step-8-configure-the-management-interface) | Bind the conductor's management NIC in the SSR PCLI config | +| 9 | [Configure the Router on the Conductor](#step-9-configure-the-router-on-the-conductor) | Pre-stage each SSR130 router's configuration before onboarding | +| 10 | [Onboard SSR130 Routers](deploy_router_onboard.mdx) | Connect and initialize each SSR130 router so it joins the conductor | +| 11 | [Upgrade Routers to 7.1.5](deploy_router_upgrade.mdx) | Upgrade each onboarded router to SSR 7.1.5 from the conductor | +| 12 | [Verify the Deployment](deploy_verify.md) | Confirm connectivity, management, and internet forwarding | +| — | [Appendix A — Conductor Configuration](deploy_appendix_vmware_conductor.mdx) | Complete VMware conductor PCLI configuration | + +## Network Topology + +The diagram below shows the logical network this guide builds. 
+ +|"Internet"| ISP + ISP <-->|"DHCP"| Router + Router <-->|"Internet Breakout\n(service: Internet-Traffic)"| Internet + LAN <-->|"LAN"| Router + Router <-->|"Management over\nForwarding (WAN)\nPort 930 / 4505 / 4506"| Gateway + ConductorVM <-->|"Management"| Gateway +`}/> + +## Roles + +| Device | Type | Role | +|--------|------|------| +| `conductor1` | VMware ESXi VM | Standalone SSR Conductor — centralized management and provisioning | +| `branch1` | vSSR or SSR130 | Conductor-managed branch router — internet breakout and LAN services | + +## Network Design Reference + +The following IP addressing and naming scheme is used consistently throughout this guide. Substitute your own values when configuring your network. + +| Parameter | Example Value | Description | +|-----------|--------------|-------------| +| Authority Name | `Authority128` | Organizational authority name | +| Conductor Router Name | `conductor1` | Conductor system name | +| Conductor Node Name | `node0` | Conductor node name | +| Conductor Management IP | `192.168.100.10` | Static IP on the VMware management network | +| Conductor Subnet Mask | `/24` | Management network prefix | +| Conductor Gateway | `192.168.100.1` | Management network gateway | +| Conductor NIC PCI Address | _(discovered at install)_ | VMXNet3 NIC PCI address; see [Step 7](#step-7-find-the-vm-nic-pci-address) | +| Router Name | `branch1` | Branch router system name | +| Router Node Name | `node0` | Router node name | +| Router WAN Interface | `wan1` (`ge-0-0`) | WAN port — uses DHCP | +| Router WAN PCI Address | `0000:04:00.3` | SSR130 Port 0 PCI address | +| Router LAN Interface | `lan1` (`ge-0-3`) | LAN port | +| Router LAN PCI Address | `0000:04:00.0` | SSR130 Port 3 PCI address | +| Router LAN IP Address | `192.168.1.1/24` | LAN gateway address | +| Tenant Name | `corp` | LAN-side user tenant | +| Service Name | `Internet-Traffic` | Internet breakout service | +| Service Address | `0.0.0.0/0` | All internet-bound traffic 
| +| Neighborhood | `internet` | SVR neighborhood name | + +## Prerequisites + +Before beginning, ensure the following are available: + +- **VMware ESXi 7.0 or later** — administrative access to an ESXi host. +- **SSR 7.1.5 Universal ISO** — downloaded from [software.128technology.com](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local/) using your Juniper software access credentials. +- **Juniper software access credentials** — Artifactory username and password for software downloads and token provisioning. +- **Management network** — a VMware portgroup providing a DHCP lease or static IP for the conductor VM's management NIC, with internet access for software downloads. +- **Static IP assignment for the conductor** — the IP address assigned to the conductor must be reachable from each branch router's WAN interface (directly or via routing). This guide uses `192.168.100.10`. +- **Mist portal account** — required for SSR130 Zero Touch Provisioning (ZTP). A free account suffices; WAN Assurance subscription is **not** required. +- **ISP WAN links** — each SSR130 branch requires an Ethernet WAN link providing DHCP. + +## Software Version Requirements + +This guide targets **SSR 7.1.5** on both conductor and routers. + +:::note +The router software version cannot be higher than the conductor software version. SSR130 routers that ship with an earlier software version are upgraded to 7.1.5 from the conductor after onboarding. +::: + +--- + +## Step 1: Create the VMware VM + +Create an ESXi virtual machine to host the conductor. A minimum of **one VMXNet3 NIC** connected to your management network is required for a standalone conductor. + + + +--- + +## Step 2: Install SSR 7.1.5 + +Power on the VM and boot into the SSR ISO to install the software. + +1. Select the new VM in the ESXi Navigator and click the **Play** (Power On) button. + + ![Power On](/img/vmware_pwr-on.png) + +2. The VM boots into the SSR installation menu. 
Click in the console window to capture focus. + +3. Use the arrow keys to select **`Install 128T Routing Software VGA Console`** and press **Enter**. + + ![VGA Boot with Interactive Install](/img/install_select_interactive_vmware.png) + + :::note + If you do not make a selection within 30 seconds, the system defaults to the serial console boot option. For VMware, always select the **VGA Console** option. + ::: + +4. At the **Install Options** screen, press **Enter** to accept the standard installation (no FIPS). + +5. The Linux installation runs automatically. Installation progress is displayed on screen. + + ![Installation Status](/img/vmware_install_status.png) + +6. When the SSR software installation completes (approximately 20–30 minutes), the following screen is displayed: + + ![Installation Complete](/img/intro_installation_bootable_media_install_complete.png) + + Select **``** to shut down the VM. + +7. After the VM shuts down, detach the ISO: + - In the ESXi console, select the VM. + - Click **Edit** → expand **CD/DVD Drive 1** → change from **Datastore ISO file** to **Host device** or uncheck **Connect**. This prevents re-booting from the ISO. + +8. Power the VM back on using the **Play** button. + +--- + +## Step 3: Configure Linux Networking + +When the VM boots for the first time after installation, the SSR Interactive Installation workflow prompts you to configure Linux networking before the Initializer starts. + + + + + +--- + +## Step 4: Initialize the Conductor + +After completing NMTUI and quitting back to the shell, the SSR Initializer launches automatically. Follow these steps to configure the node as a standalone conductor. + +1. On the **SSR Initializer** wizard screen, use the space bar to select **Conductor** as the role, then press **Enter** to select **OK**. + + ![SSR Role](/img/initializer_Serial2.png) + +2. When asked _What kind of Conductor node is this?_, select **Standalone**. 
+ + ![Identify the Node](/img/initializer_standalone.png) + +3. On the **Node Info** screen, enter the following: + + | Field | Example Value | Notes | + |-------|--------------|-------| + | Node Name | `node0` | The node name within the conductor system | + | Conductor Name | `conductor1` | The conductor system name; appears in PCLI prompt as `node0.conductor1` | + + ![Node Information](/img/initializer_Serial5a.png) + +4. On the **Password Setup** screen, create a password for the SSR admin user. The password must be: + - At least 8 characters long + - At least 1 uppercase letter + - At least 1 lowercase letter + - At least 1 number + - Must not contain the username in any form + - Must not repeat characters more than 3 times + + ![Password Setup](/img/initializer_Serial6.png) + + :::important + Record this password securely. It cannot be recovered if lost — only reset, which requires root access. + ::: + +5. Press **Enter** to select **OK**. The Initializer performs a hardware compatibility check, then bootstraps the SSR software. + +6. When prompted, select **``** to start the conductor. + + ![Initializer Complete](/img/initializer_complete.png) + +The system starts the SSR conductor service. This takes approximately 3–5 minutes. + +--- + +## Step 5: Verify and Secure the Installation + +### Verify the Installation + + + +You can also access the Conductor GUI by opening a browser and navigating to: + +``` +https://192.168.100.10 +``` + +Log in with username `admin` and the password set during initialization. + +### Change the Default Passwords + + + +### Configure the Software Access Token + + + +--- + +## Step 6: Configure the Conductor + +All steps in this section are performed from the **Conductor GUI** at `https://192.168.100.10` unless otherwise noted. + +### Connect the Conductor to the Authority + + + +### Set the Authority Name + + + +:::note +Use your organization's name as the authority name (for example, `Authority128`). 
The authority name cannot be changed after routers have been provisioned without re-onboarding them. +::: + +### Set the Conductor Address + +The conductor address is the IP that managed routers use to reach this conductor. It must be reachable from each branch router's WAN interface. + + + +For this guide, enter `192.168.100.10` as the conductor address. + +### Create an `Internet-Traffic` Service + +The *service* configuration element defines the IP destinations that the SSR will route. This process creates a single service representing all internet-bound traffic. + +1. Log in to the Conductor GUI. +2. Select **Configuration**. +3. Select **Authority** from the left panel. +4. Scroll down to **Services** and select **ADD**. +5. Enter the name `Internet-Traffic` and select **SAVE**. +6. On the Service screen, verify **Enabled** is set to `true`. +7. Scroll down to **Service Addresses** and select **ADD**. +8. Enter `0.0.0.0/0` and select **SAVE**. +9. Scroll down to **Access Policy** and select **ADD**. + - Set **Source** to `corp` (the tenant you will create in the next step). + - Select **SAVE**. +10. At the top of the screen, select **VALIDATE** and then **COMMIT**. + +### Create the Corporate Tenant + +Tenants logically partition the network. The `corp` tenant represents corporate LAN users. + +1. Select **Configuration** → **Authority**. +2. Scroll to **Tenants** and select **ADD**. +3. Enter the name `corp` and select **SAVE**. +4. Select **VALIDATE** then **COMMIT**. + +### What Was Configured + +| Object | Name | Value | +|--------|------|-------| +| Authority | `Authority128` | | +| Conductor Address | | `192.168.100.10` | +| Service | `Internet-Traffic` | `0.0.0.0/0` | +| Tenant | `corp` | LAN-side user population | + +--- + +## Step 7: Find the VM NIC PCI Address + +Before configuring the conductor's management interface in the SSR PCLI, you must identify the PCI address of the VMXNet3 NIC in the VM. 
+ + + +Record the PCI address (for example, `0000:0b:00.0`). You will use it in the next step. + +--- + +## Step 8: Configure the Management Interface + +The SSR conductor PCLI configuration must include a `device-interface` entry that maps the conductor's management NIC to its Linux PCI address. This binding allows the SSR software to associate the SSR management plane with the correct physical interface. + +1. Log in to the Conductor GUI at `https://192.168.100.10`. +2. Select **Configuration**. +3. Under **Authority**, scroll to **Routers** and select `conductor1`. +4. Select the node `node0`. +5. Scroll to **Device Interfaces** and select **ADD**. +6. Enter the name `mgmt-dev` and select **SAVE**. +7. Set the following fields: + + | Field | Value | Notes | + |-------|-------|-------| + | Type | `ethernet` | | + | PCI Address | _(value from Step 7)_ | For example `0000:0b:00.0` | + | Forwarding | `false` | The conductor management NIC does not forward packets | + +8. Select **SAVE**. + +9. Under the `mgmt-dev` device interface, scroll to **Network Interfaces** and select **ADD**. +10. Enter the name `mgmt-intf` and select **SAVE**. +11. Set the following fields: + + | Field | Value | + |-------|-------| + | Type | `management` | + +12. Scroll to **Interface Addresses** and select **ADD**. + - IP Address: `192.168.100.10` + - Prefix Length: `24` + - Gateway: `192.168.100.1` + - Select **SAVE**. + +13. Select **VALIDATE** then **COMMIT**. + +:::note +After committing, the SSR service will briefly restart to apply the interface binding. The GUI may be temporarily unavailable for 30–60 seconds. +::: + +--- + +## Step 9: Configure the Router on the Conductor + +The conductor must have the branch router's configuration staged **before** the router (hardware or virtual device) is powered on. When the router comes online and contacts the conductor, it downloads this configuration automatically. 
+ +:::important +The router configuration steps for VMware-based conductors are identical to those for hardware-based conductors. Use the [Configure the Router on the Conductor](deploy_router_config.mdx) process in the SSR130 Router Deployment Guide for the complete configuration procedure. All steps, field values, and PCI addresses for the **SSR130** apply unchanged regardless of the conductor deployment platform. +::: + +The key configuration objects created in that step are summarized below for reference: + +| Object | Name / Value | Notes | +|--------|-------------|-------| +| Router | `branch1` | | +| Node | `node0`, role `combo` | Asset ID = SSR130 serial number | +| WAN device interface | `wan-dev`, PCI `0000:04:00.3`, forwarding `true` | SSR130 Port 0 | +| WAN network interface | `wan1`, type `external`, DHCP `v4`, conductor `true`, source-nat `true`, management `true` | Management over Forwarding enabled | +| Management vector | `mgmt-vec-wan`, priority `10` | | +| Neighborhood | `internet`, topology `spoke` | | +| LAN device interface | `lan-dev`, PCI `0000:04:00.0`, forwarding `true` | SSR130 Port 3 | +| LAN network interface | `lan1`, type `external`, tenant `corp`, IP `192.168.1.1/24` | | +| DNS config | mode `automatic` | | +| Service route | `internet-route`, service `internet`, type `service-agent`, next-hop `node0 wan1` | | + +--- + +## Steps 10–12: Onboard, Upgrade, and Verify + +The following steps are identical for all conductor deployment types: + +| Step | Guide | +|------|-------| +| Onboard SSR130 Routers | [Onboard SSR130 Routers](deploy_router_onboard.mdx) | +| Upgrade Routers to 7.1.5 | [Upgrade Routers to 7.1.5](deploy_router_upgrade.mdx) | +| Verify the Deployment | [Verify the Deployment](deploy_verify.md) | + +--- + +## Related Documentation + +- [Installing SSR in VMware ESXi](install_vmware_config) +- [Single Conductor Interactive Installation](single_conductor_install) +- [System Requirements](intro_system_reqs) +- [Conductor 
Deployment Best Practices](bcp_conductor_deployment) +- [Management Traffic over Forwarding Interfaces](config_management_over_forwarding) +- [Onboard an SSR Device to a Conductor](onboard_ssr_to_conductor) diff --git a/docs/intro_system_reqs.md b/docs/intro_system_reqs.md index 89a9742355..219e4388a4 100644 --- a/docs/intro_system_reqs.md +++ b/docs/intro_system_reqs.md @@ -8,7 +8,7 @@ The Session Smart Networking Platform runs on both bare metal servers and as a v ### Minimum Platform Specifications -These are the minimum platform specifications for running the SSR Networking Platform software, on bare-metal or for the host platform when running virtualized SSR. +These are the minimum platform specifications for running the SSR Networking Platform software, on bare-metal, or for the host platform when running virtualized SSR (vSSR). - 4 Core x86_64-v2 processor, single socket - 8GB Memory, ECC required diff --git a/sidebars.js b/sidebars.js index 2448b5b239..916d73edd8 100644 --- a/sidebars.js +++ b/sidebars.js 
@@ -7,6 +7,64 @@ module.exports = { "about_releases", "about_support_policy", ], + "Deployment Guides": [ + "deploy_guides_overview", + { + "type": "category", + "label": "Conductor Deployment Guides", + "items": [ + { + "type": "category", + "label": "SSR1200 Conductor", + "items": [ + "deploy_overview", + "deploy_conductor_install", + "deploy_conductor_config", + "deploy_router_config", + "deploy_appendix_conductor", + ], + }, + { + "type": "category", + "label": "VMware ESXi Conductor", + "items": [ + "deploy_vmware_conductor", + "deploy_appendix_vmware_conductor", + ], + }, + { + "type": "category", + "label": "AWS Conductor", + "items": [ + "deploy_aws_conductor", + ], + }, + ], + }, + { + "type": "category", + "label": "Router Deployment Guides", + "items": [ + { + "type": "category", + "label": "SSR130 Router", + "items": [ + "deploy_router_onboard", + "deploy_router_upgrade", + "deploy_verify", + "deploy_appendix_router", + ], + }, + { + "type": "category", + "label": "AWS Router", + "items": [ + "deploy_aws", + ], + }, + ], + }, + ], "Release Notes": [ { "type": "category", @@ -76,7 +134,7 @@ module.exports = { "release_notes_byol_3.0", "release_notes_byol_2.0", "release_notes_byol" - ] + ], }, ], "Hardware Support":[ diff --git a/src/pages/index.js b/src/pages/index.js index 618eb8cf10..16be8bece9 100644 --- a/src/pages/index.js +++ b/src/pages/index.js @@ -98,11 +98,11 @@ const features = [ ), }, { - title: <>Best Practices, - link: 'docs/bcp_sdwan_design_guide', + title: <>Deployment Guides, + link: 'docs/deploy_guides_overview', description: ( <> - Recommended guides and design patterns + Deployment Guides for virtual and physical SSR devices. ), }, diff --git a/static/img/conductor_address.png b/static/img/conductor_address.png index bf66400917..a6a85ecb75 100644 Binary files a/static/img/conductor_address.png and b/static/img/conductor_address.png differ 
diff --git a/static/img/dep-1200-cond-login.png b/static/img/dep-1200-cond-login.png new file mode 100644 index 0000000000..037b1ebe0d Binary files /dev/null and b/static/img/dep-1200-cond-login.png differ diff --git a/static/img/deploy_u-iso11_cond-mngd-assoc-new.png b/static/img/deploy_u-iso11_cond-mngd-assoc-new.png new file mode 100644 index 0000000000..1b1fae2a17 Binary files /dev/null and b/static/img/deploy_u-iso11_cond-mngd-assoc-new.png differ diff --git a/static/img/deploy_u-iso9_define_conductor.png b/static/img/deploy_u-iso9_define_conductor.png new file mode 100644 index 0000000000..c1c57cb23b Binary files /dev/null and b/static/img/deploy_u-iso9_define_conductor.png differ diff --git a/static/img/u-iso2_choose_image.png b/static/img/u-iso2_choose_image.png index c584495e03..9b33f4728b 100644 Binary files a/static/img/u-iso2_choose_image.png and b/static/img/u-iso2_choose_image.png differ diff --git a/static/img/u-iso3_choose_install_type.png b/static/img/u-iso3_choose_install_type.png index ff772605d3..dd8e6567fe 100644 Binary files a/static/img/u-iso3_choose_install_type.png and b/static/img/u-iso3_choose_install_type.png differ diff --git a/static/img/u-iso4_install_options.png b/static/img/u-iso4_install_options.png index 37e606f3d7..3c8a5d79f4 100644 Binary files a/static/img/u-iso4_install_options.png and b/static/img/u-iso4_install_options.png differ diff --git a/static/img/u-iso5_begin_install.png b/static/img/u-iso5_begin_install.png index 2d3aee765a..03126bb6c0 100644 Binary files a/static/img/u-iso5_begin_install.png and b/static/img/u-iso5_begin_install.png differ diff --git a/static/img/u-iso6_unpacker_complete.png b/static/img/u-iso6_unpacker_complete.png index 4a3d6edf50..58d4067400 100644 Binary files a/static/img/u-iso6_unpacker_complete.png and b/static/img/u-iso6_unpacker_complete.png differ
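Review bot: in the `docs/deploy_verify.md` hunk, the Summary Checklist row "Management over forwarding | Default route via `kni254`; conductor SSH accessible" has no matching verification step; sections 1 through 6 cover asset status, software version, WAN, LAN, internet service forwarding and source NAT only, so a reader following the procedure never actually checks the management path the checklist claims. Either add a numbered section (between "4. Verify LAN Interface" and "5. Verify Internet Service Forwarding" would fit the layer order) with the command and expected output for that check, or drop the row so the checklist matches what the page verifies. Minor: in section 2 the fenced block starts directly after `Expected output:` with no blank line, unlike section 1; add the blank line so the fence renders consistently.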
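Review bot: in the `docs/deploy_vmware_conductor.mdx` hunk, the Step 9 summary table stages a service route `internet-route` for service `internet`, but the only service this guide creates (Step 6) and the one `deploy_verify.md` checks for is `Internet-Traffic`; the route should reference `Internet-Traffic`, otherwise the branch router is staged with a route for a service the configuration never defines. Related ordering issue in Step 6: the access policy on `Internet-Traffic` sets Source to `corp` "(the tenant you will create in the next step)" and then asks for VALIDATE and COMMIT before that tenant exists; move "Create the Corporate Tenant" ahead of the service section, or defer the VALIDATE/COMMIT until both objects are present. Two smaller points: the Guide Sections table links Step 2 to `#step-2-install-ssr-714`, while the heading is "Step 2: Install SSR 7.1.5", so the anchor should be `#step-2-install-ssr-715`; and the Roles table lists `branch1` as "vSSR or SSR130" although the rest of the guide, including the fixed PCI addresses `0000:04:00.3` and `0000:04:00.0`, is written for the SSR130 only.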
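Review bot: in the `sidebars.js` hunk, the new "Deployment Guides" category lists the doc ids `deploy_guides_overview`, `deploy_appendix_vmware_conductor`, `deploy_aws_conductor` and `deploy_aws`, none of which are added in the portion of this diff shown here; Docusaurus fails the build on a sidebar id with no matching doc, so confirm each of those files exists in `docs/` before merging. The second hunk's change of `]` to `],` under the release notes category is an unrelated drive-by fix and would be cleaner in its own commit.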
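Review bot: in the `src/pages/index.js` hunk, replacing the "Best Practices" tile removes the home page's only link to `docs/bcp_sdwan_design_guide`; unless that guide is being retired, add the "Deployment Guides" tile alongside it rather than in its place. Style: the new description "Deployment Guides for virtual and physical SSR devices." uses title case mid-sentence and a trailing period, while the sibling text it replaces ("Recommended guides and design patterns") has neither; "Deployment guides for virtual and physical SSR devices" matches the surrounding tiles.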