diff --git a/docs/_aws_account_setup.md b/docs/_aws_account_setup.md new file mode 100644 index 0000000000..258e5cfca7 --- /dev/null +++ b/docs/_aws_account_setup.md 
@@ -0,0 +1,53 @@ + + +### Create an AWS Account + +If you already have an AWS account, skip to [Set Up IAM Access](#set-up-iam-access). + +1. Open a web browser and navigate to [https://aws.amazon.com/](https://aws.amazon.com/). +2. Click **Create an AWS Account**. +3. Enter your email address and choose an AWS account name, then click **Verify email address**. Check your inbox for the verification code and enter it when prompted. +4. Set a strong password for the root user and click **Continue**. +5. On the **Contact Information** page, select **Personal** or **Business** as appropriate, fill in all required fields, and click **Continue**. +6. On the **Billing Information** page, enter a valid payment method. AWS requires a credit or debit card to verify identity. Click **Verify and Continue**. +7. On the **Identity Verification** page, choose your verification method (SMS or voice call), enter your phone number, and complete the verification. +8. Select a **Support Plan**. The **Basic** plan is free and suitable for evaluation. Click **Complete sign up**. +9. Click **Go to the AWS Management Console** and sign in with your root account credentials. + +:::important +AWS best practice is to avoid using the root account for day-to-day operations. Perform the IAM setup in the next section before proceeding. +::: + +### Set Up IAM Access + +Create a dedicated IAM user with the permissions required to deploy SSR infrastructure. + +1. In the AWS Console, search for **IAM** in the top search bar and select it. +2. In the left navigation, select **Users**, then click **Create user**. +3. Enter a username (for example, `ssr-deploy-admin`) and click **Next**. +4. On the **Set permissions** page, select **Attach policies directly**. +5. Attach the following AWS managed policies: + - `AmazonEC2FullAccess` + - `AmazonVPCFullAccess` + - `AWSCloudFormationFullAccess` + - `IAMReadOnlyAccess` +6. Click **Next**, review the summary, then click **Create user**. +7. 
Select the newly created user and navigate to the **Security credentials** tab. +8. Under **Access keys**, click **Create access key**. Choose **Command Line Interface (CLI)** as the use case, acknowledge the recommendation, and click **Next**. +9. Click **Create access key**, then **Download .csv file** to save your credentials securely. Click **Done**. + +:::note +Store your access keys in a secure location. They cannot be retrieved after the initial creation. If lost, deactivate the old key and create a new one. +::: + +10. To use the AWS CLI, configure it with your new credentials: + +```bash +aws configure +``` + +When prompted, enter: +- **AWS Access Key ID**: from the downloaded CSV +- **AWS Secret Access Key**: from the downloaded CSV +- **Default region name**: your target deployment region (for example, `us-east-1`) +- **Default output format**: `json` diff --git a/docs/_aws_keypair.md b/docs/_aws_keypair.md new file mode 100644 index 0000000000..1ef485fb8d --- /dev/null +++ b/docs/_aws_keypair.md 
@@ -0,0 +1,33 @@ + + +#### Create an EC2 Key Pair + +An EC2 key pair is required to authenticate SSH access to your SSR instances. + +1. In the AWS Console, navigate to **EC2**. +2. In the left navigation pane, under **Network & Security**, click **Key Pairs**. +3. Click **Create key pair**. +4. Enter the following values: + + | Field | Value | + | ----- | ----- | + | Name | A descriptive name, for example `ssr-keypair` | + | Key pair type | RSA | + | Private key file format | `.pem` (for Linux/macOS/AWS CLI) or `.ppk` (for PuTTY on Windows) | + +5. Click **Create key pair**. The private key file downloads automatically. +6. Move the downloaded key file to a secure location, for example `~/.ssh/`, and set restrictive permissions: + +```bash +chmod 400 ~/.ssh/ssr-keypair.pem +``` + +:::important +This is the only time you can download the private key. If you lose it, you must create a new key pair. Store your key file securely and do not share it. +::: + +To connect to an instance using this key pair: + +```bash +ssh -i ~/.ssh/ssr-keypair.pem t128@ +``` diff --git a/docs/_aws_security_groups.md b/docs/_aws_security_groups.md new file mode 100644 index 0000000000..57fb975914 --- /dev/null +++ b/docs/_aws_security_groups.md 
@@ -0,0 +1,68 @@ + + +#### Create the Conductor Security Group + +The Conductor security group controls inbound access to the Conductor instance. + +1. In the AWS Console, navigate to **EC2**. +2. In the left navigation pane, under **Network & Security**, click **Security Groups**. +3. Click **Create security group**. +4. Enter the following: + + | Field | Value | + | ----- | ----- | + | Security group name | `ssr-conductor-sg` | + | Description | `Security group for SSR Conductor` | + | VPC | Select your `ssr-vpc` | + +5. Under **Inbound rules**, click **Add rule** and add the following rules: + + | Type | Protocol | Port range | Source | Description | + | ---- | -------- | ---------- | ------ | ----------- | + | SSH | TCP | 22 | Your admin CIDR (e.g. `203.0.113.0/24`) | Admin SSH access | + | HTTPS | TCP | 443 | Your admin CIDR | Conductor GUI access | + | Custom TCP | TCP | 930 | `10.0.0.0/16` (VPC CIDR) | SSR to Conductor control | + | Custom TCP | TCP | 4505 | `10.0.0.0/16` | Salt master (router mgmt) | + | Custom TCP | TCP | 4506 | `10.0.0.0/16` | Salt master (router mgmt) | + +6. Leave **Outbound rules** as the default (all traffic allowed). +7. Click **Create security group**. + +:::note +Replace `Your admin CIDR` with the specific IP range of your management workstations. Using `0.0.0.0/0` is not recommended for production deployments. +::: + +#### Create the Router Security Group + +The Router security group controls inbound access to the SSR Router instance. + +1. Click **Create security group** again. +2. Enter the following: + + | Field | Value | + | ----- | ----- | + | Security group name | `ssr-router-sg` | + | Description | `Security group for SSR Router` | + | VPC | Select your `ssr-vpc` | + +3. 
Under **Inbound rules**, add the following: + + | Type | Protocol | Port range | Source | Description | + | ---- | -------- | ---------- | ------ | ----------- | + | SSH | TCP | 22 | Your admin CIDR | Admin SSH access | + | HTTPS | TCP | 443 | Your admin CIDR | Router GUI access | + | Custom UDP | UDP | 1280 | `0.0.0.0/0` | SVR peer communication | + | Custom TCP | TCP | 1280 | `0.0.0.0/0` | SVR peer communication | + | Custom TCP | TCP | 1283 | `0.0.0.0/0` | SVR peer communication | + | Custom TCP | TCP | 16385-65533 | `0.0.0.0/0` | SVR dynamic ports | + | Custom UDP | UDP | 16385-65533 | `0.0.0.0/0` | SVR dynamic ports | + +4. Click **Create security group**. + +:::note +For a detailed reference of all ports required for SSR operation, see [Enable Ports on the Firewall](config_firewall_ports.md). +::: + +:::important +Do **not** enable the CloudFormation templates' default security group if you have created custom security groups as described above. You will specify your custom security groups during template deployment. +::: diff --git a/docs/_aws_vpc_setup.md b/docs/_aws_vpc_setup.md new file mode 100644 index 0000000000..79d40e3b7a --- /dev/null +++ b/docs/_aws_vpc_setup.md 
@@ -0,0 +1,99 @@ + + +#### Create the VPC + +A dedicated VPC isolates your SSR deployment and gives you full control over routing and network segmentation. + +1. In the AWS Console, search for **VPC** and select it. +2. Click **Create VPC**, and select **VPC only**. +3. Enter the following values: + + | Field | Value | + | ----- | ----- | + | Name tag | A descriptive name, for example `ssr-vpc` | + | IPv4 CIDR block | A private address range, for example `10.0.0.0/16` | + | IPv6 CIDR block | No IPv6 CIDR block | + | Tenancy | Default | + +4. Click **Create VPC**. + +### Create Subnets + +SSR requires three subnets for a conductor-managed router deployment. Create each subnet within the VPC you just created. + +:::note +Subnet CIDR examples below are based on the `10.0.0.0/16` VPC range. Adjust to fit your environment. +::: + +#### Management Subnet + +Used by the Conductor and for out-of-band administration of the Router. + +1. In the VPC Dashboard, click **Subnets**, then **Create subnet**. +2. Select your VPC from the **VPC ID** dropdown. +3. Enter the following: + + | Field | Value | + | ----- | ----- | + | Subnet name | `ssr-mgmt-subnet` | + | Availability Zone | Choose your preferred AZ | + | IPv4 CIDR block | `10.0.1.0/24` | + +4. Click **Create subnet**. +5. Select the new subnet, click **Actions**, and choose **Edit subnet settings**. +6. Enable **Auto-assign public IPv4 address** and save. + +#### Public (WAN) Subnet + +Used for external connectivity and peer SSR communication. + +1. Click **Create subnet**, select your VPC, and enter: + + | Field | Value | + | ----- | ----- | + | Subnet name | `ssr-public-subnet` | + | Availability Zone | Same AZ as the management subnet | + | IPv4 CIDR block | `10.0.2.0/24` | + +2. Click **Create subnet**. +3. Enable **Auto-assign public IPv4 address** on this subnet. + +#### Private (LAN) Subnet + +Used for internal workloads and application traffic. + +1. 
Click **Create subnet**, select your VPC, and enter: + + | Field | Value | + | ----- | ----- | + | Subnet name | `ssr-private-subnet` | + | Availability Zone | Same AZ as the other subnets | + | IPv4 CIDR block | `10.0.3.0/24` | + +2. Click **Create subnet**. +3. Do **not** enable Auto-assign public IPv4 for this subnet. + +### Create and Attach an Internet Gateway + +The Internet Gateway provides outbound internet connectivity to the management and public subnets. + +1. In the VPC Dashboard, click **Internet gateways**, then **Create internet gateway**. +2. Enter a name (for example, `ssr-igw`) and click **Create internet gateway**. +3. Select the new Internet Gateway, click **Actions**, then **Attach to VPC**. +4. Select your `ssr-vpc` and click **Attach internet gateway**. + +### Configure Route Tables + +Create a route table for the public-facing subnets and associate the management and public subnets with it. + +1. In the VPC Dashboard, click **Route tables**, then **Create route table**. +2. Enter a name (for example, `ssr-public-rt`) and select your `ssr-vpc`. +3. Click **Create route table**. +4. Select the new route table, click the **Routes** tab, then **Edit routes**. +5. Click **Add route**, enter `0.0.0.0/0` for the destination, and set the target to your `ssr-igw` Internet Gateway. Click **Save changes**. +6. Click the **Subnet associations** tab, then **Edit subnet associations**. +7. Select `ssr-mgmt-subnet` and `ssr-public-subnet`, then click **Save associations**. + +:::note +The private subnet intentionally uses the **main (default) route table** which has no internet gateway route, ensuring internal traffic does not have a direct path to the internet. +::: diff --git a/docs/_conductor_to_authority.md b/docs/_conductor_to_authority.md index 3d7cfe720d..d707d73070 100644 --- a/docs/_conductor_to_authority.md +++ b/docs/_conductor_to_authority.md 
@@ -1,10 +1,10 @@ -Take this opportunity to log into the Conductor GUI to complete the following operations. This will provide validation that the installation was successful, and familiarize you with GUI operations. +Take this opportunity to log into the Conductor GUI to complete the following operations. This provides validation that the installation was successful, and familiarizes you with GUI operations. #### Connecting the Conductor to the Network -To make sure the conductor is on a network and accessible via GUI, the IP address on the interface must be in the same subnet as the VLAN on the switch port. Use `https://` for GUI login. +To make sure the conductor is on a network and accessible via GUI, the IP address on the interface must be in the same subnet as the VLAN on the switch port. Use `https://192.168.128.1` for GUI login. 1. Select the **Conductor** from the Authority menu on the left side of the GUI. @@ -14,7 +14,7 @@ To make sure the conductor is on a network and accessible via GUI, the IP addres ![Conductor Configuration Icon](/img/conductor_config_icon.png) -3. Select the node for the conductor - in this example it is `node1`. +3. Select the node for the conductor - in this example it is `node0`. ![Conductor Node](/img/conductor_node.png) diff --git a/docs/_deploy_network_design.md b/docs/_deploy_network_design.md new file mode 100644 index 0000000000..0edb9119bd --- /dev/null +++ b/docs/_deploy_network_design.md 
@@ -0,0 +1,21 @@ + + +The following IP addressing and naming scheme is used consistently throughout this guide. Substitute your own values when configuring your network. + +| Parameter | Example Value | Description | +|-----------|--------------|-------------| +| Authority Name | `Authority128` | Organizational authority name | +| Conductor Router Name | `conductor1` | Conductor system name | +| Conductor Node Name | `node0` | Conductor node name | +| Conductor IP Address | `192.168.100.10` | Static management IP on the conductor | +| Conductor Subnet Mask | `/24` | Management network prefix | +| Conductor Gateway | `192.168.100.1` | Management network gateway | +| Router Name | `branch1` | Branch router system name | +| Router Node Name | `node0` | Router node name | +| Router WAN Interface | `wan1` (`ge-0-0`) | WAN port — uses DHCP | +| Router LAN Interface | `lan1` (`ge-0-3`) | LAN port | +| Router LAN IP Address | `192.168.1.1/24` | LAN gateway address | +| Tenant Name | `corp` | LAN-side user tenant | +| Service Name | `internet` | Internet breakout service | +| Service Address | `0.0.0.0/0` | All internet-bound traffic | +| Neighborhood | `internet` | SVR neighborhood name | diff --git a/docs/_deploy_ssr1200_port_map.md b/docs/_deploy_ssr1200_port_map.md new file mode 100644 index 0000000000..5876e26dab --- /dev/null +++ b/docs/_deploy_ssr1200_port_map.md 
@@ -0,0 +1,20 @@ + + +![SSR1200 Front Panel](/img/hdwr_ssr1200_faceplate.png) + +### Port Mapping + +| Name | Port | Description | PCI Address | Speed | Type | +| --- | --- | --- | --- | --- | --- | +| mgmt-0-0 | MGMT | Management interface | 0000:03:00.0 | 1000 | MGMT | +| ge-0-0 | Port 0/0 | WAN 1 network interface | 0000:03:00.1 | 1000 | WAN | +| ge-0-1 | Port 0/1 | WAN 2 network interface | 0000:03:00.2 | 1000 | WAN | +| ge-0-2 | Port 0/2 | WAN 3 network interface | 0000:03:00.3 | 1000 | WAN | +| ge-0-3 | Port 0/3 | LAN 1 network interface | 0000:01:00.0 | 1000 | LAN | +| ge-0-4 | Port 0/4 | LAN 2 network interface | 0000:01:00.1 | 1000 | LAN | +| ge-0-5 | Port 0/5 | HA Fabric network interface | 0000:01:00.2 | 1000 | HA Fabric | +| ge-0-6 | Port 0/6 | HA Sync network interface | 0000:01:00.3 | 1000 | HASync | +| xe-1-0 | Port 1/0 | LAN 3 network interface | 0000:07:00.3 | 10000 | LAN | +| xe-1-1 | Port 1/1 | LAN 4 network interface | 0000:07:00.2 | 10000 | LAN | +| xe-1-2 | Port 1/2 | LAN 5 network interface | 0000:07:00.1 | 10000 | LAN | +| xe-1-3 | Port 1/3 | LAN 6 network interface | 0000:07:00.0 | 10000 | LAN | diff --git a/docs/_deploy_ssr130_port_map.md b/docs/_deploy_ssr130_port_map.md new file mode 100644 index 0000000000..66d09770ea --- /dev/null +++ b/docs/_deploy_ssr130_port_map.md 
@@ -0,0 +1,18 @@ + + +The following image of the SSR130 includes Cellular and TAA subvariants. + +![SSR130 Front Panel](/img/hdwr_ssr130_faceplate.png) + +### Port Mapping + +| Name | Port | Description | PCI Address | Speed | Type | +| --- | --- | --- | --- | --- | --- | +| ge-0-0 | Port 0 | WAN 1 network interface | 0000:04:00.3 | 1000 | WAN | +| ge-0-1 | Port 1 | WAN 2 network interface | 0000:04:00.2 | 1000 | WAN | +| ge-0-2 | Port 2 | WAN 3 network interface | 0000:04:00.1 | 1000 | WAN | +| ge-0-3 | Port 3 | LAN 1 network interface | 0000:04:00.0 | 1000 | LAN | +| ge-0-4 | Port 4 | LAN 2 network interface | 0000:03:00.1 | 1000 | LAN | +| ge-0-5 | Port 5 | LAN 3 network interface | 0000:03:00.0 | 1000 | LAN | +| ge-0-6 | Port 6 | HA Fabric network interface | 0000:02:00.1 | 1000 | HA Fabric | +| ge-0-7 | Port 7 | HA Sync network interface | 0000:02:00.0 | 1000 | HASync | diff --git a/docs/_deploy_vmware_conductor_network_design.md b/docs/_deploy_vmware_conductor_network_design.md new file mode 100644 index 0000000000..09a4ccd9b9 --- /dev/null +++ b/docs/_deploy_vmware_conductor_network_design.md 
@@ -0,0 +1,16 @@ + + +The following IP addressing and naming scheme is used consistently throughout this guide. Substitute your own values when configuring your network. + +| Parameter | Example Value | Description | +|-----------|--------------|-------------| +| Authority Name | `Authority128` | Organizational authority name | +| Conductor Router Name | `conductor1` | Conductor system name | +| Conductor Node Name | `node0` | Conductor node name | +| Conductor Management IP | `192.168.100.10` | Static IP on the VMware management network | +| Conductor Subnet Mask | `/24` | Management network prefix | +| Conductor Gateway | `192.168.100.1` | Management network gateway | +| DNS Server | `8.8.8.8` | DNS used during initialization | +| Tenant Name | `corp` | LAN-side user tenant | +| Service Name | `Internet-Traffic` | Internet breakout service | +| Service Address | `0.0.0.0/0` | All internet-bound traffic | diff --git a/docs/_deploy_vmware_router_network_design.md b/docs/_deploy_vmware_router_network_design.md new file mode 100644 index 0000000000..3649970df5 --- /dev/null +++ b/docs/_deploy_vmware_router_network_design.md 
@@ -0,0 +1,23 @@ + + +The following IP addressing and naming scheme is used consistently throughout this guide. Substitute your own values when configuring your network. + +| Parameter | Example Value | Description | +|-----------|--------------|-------------| +| Authority Name | `Authority128` | Organizational authority name | +| Conductor Router Name | `conductor1` | Pre-existing conductor system name | +| Conductor IP Address | `192.168.100.10` | Conductor IP — must be reachable from the router WAN | +| Router Name | `branch1` | VMware router system name | +| Router Node Name | `node0` | Router node name | +| Router Asset ID | `branch1` | Asset ID reported after initialization; see [Step 2](deploy_vmware_router_install.mdx#find-the-router-asset-id) | +| WAN Device Interface | `wan-dev` | WAN device interface name | +| WAN Network Interface | `wan1` | WAN network interface name | +| WAN PCI Address | _(discovered in [Step 3](deploy_vmware_router_pci.mdx))_ | VMXNet3 WAN NIC PCI address | +| LAN Device Interface | `lan-dev` | LAN device interface name | +| LAN Network Interface | `lan1` | LAN network interface name | +| LAN PCI Address | _(discovered in [Step 3](deploy_vmware_router_pci.mdx))_ | VMXNet3 LAN NIC PCI address | +| Router LAN IP Address | `192.168.1.1/24` | LAN gateway address | +| Tenant Name | `corp` | LAN-side user tenant | +| Service Name | `Internet-Traffic` | Internet breakout service | +| Service Address | `0.0.0.0/0` | All internet-bound traffic | +| Neighborhood | `internet` | SVR neighborhood name | diff --git a/docs/_set_authority_name.md b/docs/_set_authority_name.md index ab4d48c2f0..7119e0cc90 100644 --- a/docs/_set_authority_name.md +++ b/docs/_set_authority_name.md 
@@ -7,6 +7,6 @@ The authority represents the complete set of all SSRs managed under a single org ![Authority Settings](/img/conductor_authority_name.png) -3. Under Basic Information, enter the new Authority name. For example, a good name for the Authority would be the name of the business, e.g., Acme Corp. +3. Under Basic Information, enter the new Authority name. ![Basic Information](/img/conductor_authority_name2.png) \ No newline at end of file diff --git a/docs/_vmware_conductor_find_pci.md b/docs/_vmware_conductor_find_pci.md new file mode 100644 index 0000000000..069e5093b6 --- /dev/null +++ b/docs/_vmware_conductor_find_pci.md 
@@ -0,0 +1,49 @@ + + +The SSR conductor configuration requires the PCI address of the VMXNet3 management NIC. Because VMware assigns PCI addresses dynamically based on VM slot assignment, you must discover the address from the running VM rather than assuming a fixed value. + +### Identify the Interface Name + +1. Log in to the conductor CLI or SSH session: + + ``` + ssh admin@192.168.100.10 + ``` + +2. Enter the Linux shell from the PCLI: + + ``` + admin@node0.conductor1# shell + ``` + +3. List the network interfaces: + + ```bash + ip link show + ``` + + The output shows the Linux interface names for each NIC. A VMXNet3 NIC on VMware is commonly named `ens192`, `ens160`, or `eth0`. Identify the interface that corresponds to the management network. + +### Find the PCI Address + +4. Use `ethtool` to retrieve the PCI bus info for that interface. Replace `ens192` with your actual interface name: + + ```bash + ethtool -i ens192 | grep bus-info + ``` + + Example output: + + ``` + bus-info: 0000:0b:00.0 + ``` + + The value after `bus-info:` (for example `0000:0b:00.0`) is the PCI address to use in the SSR conductor configuration. + +:::tip +If `ethtool` is not available, you can find the PCI address using: +```bash +ls -la /sys/class/net/ens192/device +``` +The symlink target contains the PCI address in the path, for example `../../../0000:0b:00.0`. +::: diff --git a/docs/_vmware_router_find_pci.md b/docs/_vmware_router_find_pci.md new file mode 100644 index 0000000000..2944d7cd9c --- /dev/null +++ b/docs/_vmware_router_find_pci.md 
@@ -0,0 +1,83 @@ + + +The SSR router configuration requires the PCI address of each VMXNet3 NIC. Because VMware assigns PCI addresses dynamically based on VM slot assignment, you must discover the actual values from the running VM. + +## Log In to the Router + +1. From the **Conductor PCLI**, open a shell session on the router: + + ``` + admin@node0.conductor1# enter router branch1 + admin@node0.branch1# shell + ``` + + Alternatively, SSH directly to the router's WAN IP (if known): + + ```bash + ssh admin@ + ``` + + Then drop to the Linux shell from the PCLI: + + ``` + admin@node0.branch1# shell + ``` + +## List Network Interfaces + +2. List all network interfaces: + + ```bash + ip link show + ``` + + The output shows the Linux interface names for each NIC. VMXNet3 NICs on VMware are commonly named `ens192`, `ens224`, `eth0`, `eth1`, or similar. + + :::tip + If you are unsure which Linux interface corresponds to which VMware portgroup, compare the MAC addresses. In the VMware ESXi UI, select the VM → **Edit Settings** → expand each Network Adapter to see its MAC address. Match these to the MAC addresses shown in `ip link show`. + ::: + +## Find the PCI Address for Each Interface + +3. Use `ethtool` to retrieve the PCI bus address for the WAN interface (NIC 1). Replace `ens192` with your actual WAN interface name: + + ```bash + ethtool -i ens192 | grep bus-info + ``` + + Example output: + + ``` + bus-info: 0000:0b:00.0 + ``` + +4. Repeat for the LAN interface (NIC 2). Replace `ens224` with your actual LAN interface name: + + ```bash + ethtool -i ens224 | grep bus-info + ``` + + Example output: + + ``` + bus-info: 0000:13:00.0 + ``` + +5. 
Record both addresses in your network design reference: + + | Interface | Linux Name | Example PCI Address | + |-----------|-----------|---------------------| + | WAN (`wan-dev`) | `ens192` _(example)_ | `0000:0b:00.0` _(example)_ | + | LAN (`lan-dev`) | `ens224` _(example)_ | `0000:13:00.0` _(example)_ | + + :::important + These are example values. Your actual PCI addresses will differ. Use the values you discover here in [Step 4 — Configure the Router on the Conductor](deploy_vmware_router_config.mdx). + ::: + +:::tip +If `ethtool` is not available, you can find the PCI address using: +```bash +ls -la /sys/class/net/ens192/device +``` +The symlink target contains the PCI address in the path, for example `../../../0000:0b:00.0`. +::: diff --git a/docs/_vmware_router_vm_create.md b/docs/_vmware_router_vm_create.md new file mode 100644 index 0000000000..1f3a5143f9 --- /dev/null +++ b/docs/_vmware_router_vm_create.md 
@@ -0,0 +1,106 @@ + + +## Log In to VMware ESXi + +1. Open a web browser and navigate to your ESXi host. Log in with administrative credentials. + + ![VMware ESXi Login](/img/vmware_login.png) + +## Upload the SSR ISO to the Datastore + +1. From the ESXi Navigator, select **Storage**. + + ![Navigator Storage](/img/vmware_storage.png) + +2. Click the **Datastore Browser** button. + + ![Datastore Browser Button](/img/vmware_datastore_browser_button.png) + +3. Click **Upload**, navigate to the `SSR-7.1.5-7.r2.el9.x86_64.ibu-v1.iso` on your local workstation, and click **Open**. The ISO appears in the datastore. + + ![SSR ISO in Datastore](/img/vmware_ssr-iso.png) + +4. Click **Close**. + +## Create the Virtual Machine + +1. From the ESXi Navigator, select **Virtual Machines**, then click **Create / Register VM**. + + ![Register VM](/img/vmware_registervm.png) + +2. Select **Create a new virtual machine** and click **Next**. + +### Name and Guest OS + +3. Configure the following: + + | Field | Value | + |-------|-------| + | Name | A descriptive name, for example `ssr-router-branch1` | + | Compatibility | `ESXi 7.0 U2 virtual machine` | + | Guest OS family | `Linux` | + | Guest OS version | `CentOS 7 (64-bit)` | + + Click **Next**. + + ![Name the VM](/img/vmware_name-os.png) + +### Storage + +4. Select the datastore and storage type for the VM, then click **Next**. + + ![Storage Type](/img/vmware_storage_type.png) + +### Virtual Hardware + +5. Click **Virtual Hardware** and configure the following settings. These values meet the minimum router requirements: + + | Setting | Value | Notes | + |---------|-------|-------| + | CPUs | `4` | Minimum | + | Scheduling Affinity | `0-3` | Set under CPU → expand | + | Memory | `8 GB` | Minimum | + | Hard Disk 1 | `60 GB` | Minimum | + | SCSI Controller 0 | `VMware Paravirtual` | | + + ![Virtual Hardware Settings](/img/vmware_virt_hdwr.png) + +### Network Adapters + +6. 
A VMware router requires **two VMXNet3 network adapters**: one for WAN and one for LAN. By default, one adapter is created. + + - Set the existing adapter's **Adapter Type** to **VMXNET3** and connect it to your **WAN portgroup** — the portgroup that provides your ISP WAN connection with DHCP. + - Click **Add network adapter** to add a second adapter. Set its **Adapter Type** to **VMXNET3** and connect it to your **LAN portgroup** — the portgroup connected to your branch LAN. + + :::note + The order of the adapters (NIC 1 = WAN, NIC 2 = LAN) corresponds to the PCI addresses you will identify in [Step 3 — Find VM NIC PCI Addresses](deploy_vmware_router_pci.mdx). Note which portgroup each adapter is connected to. + ::: + + ![Network Adapter Type](/img/vmware_net_adapter.png) + +### CD/DVD Media + +7. Expand **CD/DVD Drive 1**. In the dropdown, select **Datastore ISO file** and check **Connect**. The Datastore Browser opens. + +8. Select the `SSR-7.1.5-7.r2.el9.x86_64.ibu-v1.iso` file and click **Select**. + + ![Select CD/ISO](/img/vmware_cd-iso.png) + +### VM Options + +9. Click **VM Options** at the top of the page. + + ![VM Options](/img/vmware_vmoptions1.png) + +10. Expand **Boot Options** and configure the following: + + - **Firmware**: `EFI` + - **Enable UEFI secure boot**: Disabled (no check mark) + + Click **Next**. + + ![Boot Options](/img/vmware_vmoptions2.png) + +11. Review the configuration summary. Click **Back** to make any corrections, then click **Finish**. + + ![VM Complete](/img/vmware_finish.png) diff --git a/docs/_vmware_vm_create.md b/docs/_vmware_vm_create.md new file mode 100644 index 0000000000..1a33c58d30 --- /dev/null +++ b/docs/_vmware_vm_create.md 
@@ -0,0 +1,106 @@ + + +## Log In to VMware ESXi + +Open a web browser and navigate to your ESXi host. Log in with administrative credentials. + + ![VMware ESXi Login](/img/vmware_login.png) + +## Create the Virtual Machine + +1. From the VMWare Navigator window, click on **Create/Register VM**. + + ![Create VM](/img/dep1-vm-create-vm.png) + +2. In the **Select creation type** window click **Create a new virtual machine** and then click **Next**. + + ![VM Type](/img/dep2-vm-creation-type.png) + +### Name and Guest OS + +Use the steps below to configure the following: + + | Field | Value | + |-------|-------| + | Name | A descriptive name. In this example, `Conductor` | + | Compatibility | `ESXi 7.0 U2 virtual machine` | + | Guest OS family | `Linux` | + | Guest OS version | `CentOS 7 (64-bit)` | + +3. Name the Virtual Machine **Conductor**. + +4. Select **Linux** from the Guest OS family dropdown selection, and select the Guest OS version as **Centos 7**. Click **Next**. + + ![Name VM](/img/dep3-vm-name-os.png) + +### Storage + +5. From the Storage screen, select **datastore1** and click **Next**. + + ![VM Storage](/img/dep4-vm-storage.png) + +### Virtual Hardware + +6. On the **Customize settings** screen, click **Virtual Hardware** and configure the following settings. + + These values meet the minimum conductor requirements; scale up for larger deployments (see [Conductor Scaling Recommendations](intro_system_reqs.md#conductor-scaling-recommendations)). + + | Setting | Value | Notes | + |---------|-------|-------| + | CPUs | `4` | Minimum; expand for >25 managed routers | + | Scheduling Affinity | `0-3` | Set under CPU → expand | + | Memory | `8 GB` | Minimum | + | Hard Disk 1 | `62 GB` | Minimum | + + ![Storage Parameters](/img/dep5-vm-params.png) + + Click **Next** when the settings are configured. + +### Network Adapters + +By default, one network adapter is created. For a standalone conductor, one adapter is sufficient. 
Click the adapter to expand it and set the **Adapter Type** to **VMXNET3**. Set the **Network** to the management network portgroup connected to your conductor management subnet. + + :::note + If you plan to connect additional networks (for example, a dedicated conductor-to-router WAN), click **Add network adapter** to add additional VMXNet3 adapters now. For most deployments, one adapter is sufficient. + ::: + + ![Network Adapter Type](/img/dep6-vm-nics.png) + +### CD/DVD Media - Software Selection + +7. As shown in the image above, expand **CD/DVD Drive 1**. + +8. Place a check next to **Connect at power on**. In the dropdown to the right, select **Datastore ISO file** and then click **Browse**. The Datastore Browser opens. + +9. Select the `SSR-7.1.4-3.r2.el9.x86_64.ibu-v1.iso` and click **Select**. + + ![CD ISO Selected](/img/dep7-vm-selectversion.png) + +10. Confirm the settings, and then click **Next**. + + ![Confirm Settings](/img/dep8-vm-confirm.png) + + + +11. Review the summary, then click **Finish**. + + ![VM Complete](/img/dep9-vm-summary.png) + + diff --git a/docs/deploy_appendix_conductor.mdx b/docs/deploy_appendix_conductor.mdx new file mode 100644 index 0000000000..4feac7393d --- /dev/null +++ b/docs/deploy_appendix_conductor.mdx 
@@ -0,0 +1,171 @@ +--- +title: "Appendix - Conductor Configuration" +sidebar_label: "Appendix - Conductor Configuration" +--- +import NetworkDesign from './_deploy_network_design.md'; + +This appendix contains the complete conductor configuration in SSR PCLI format for the `conductor1` system described in this guide. This configuration reflects the state after completing [Step 2 — Configure the Conductor](deploy_conductor_config.mdx) and [Step 3 — Configure the Router on the Conductor](deploy_router_config.mdx). + +## Network Design Reference + + + +## Applying This Configuration + +This configuration can be applied to a fresh conductor using the **import** function: + +1. Save the configuration below to a file, for example `acmecorp-conductor.cfg`. +2. Copy the file to the conductor at `/etc/128technology/config-exports/`. +3. From the conductor PCLI, run: + + ```bash + import config acmecorp-conductor.cfg + ``` + +4. Review any validation warnings, then commit: + + ```bash + commit + ``` + +Alternatively, copy and paste each configuration block into the PCLI in configuration mode (`configure` → `edit`). 
+ +## Complete Conductor Configuration + +``` +config + authority + name Authority128 + + conductor-address 192.168.100.10 + + tenant corp + name corp + exit + + service Internet-Traffic + name Internet-Traffic + scope public + security internal + + access-policy + source corp + exit + + address 0.0.0.0/0 + exit + + router conductor1 + name conductor1 + inter-node-security internal + + node node0 + name node0 + role conductor + + device-interface mgmt-dev + name mgmt-dev + type ethernet + pci-address 0000:03:00.0 + + network-interface mgmt-intf + name mgmt-intf + type management + + address 192.168.100.10 + ip-address 192.168.100.10 + prefix-length 24 + gateway 192.168.100.1 + exit + exit + exit + exit + exit + + router branch1 + name branch1 + inter-node-security internal + + dns-config automatic + mode automatic + exit + + node node0 + name node0 + role combo + asset-id SSR130-ABC1234567 + + device-interface wan-dev + name wan-dev + type ethernet + pci-address 0000:04:00.3 + forwarding true + + network-interface wan1 + name wan1 + type external + conductor true + default-route true + source-nat true + management true + dhcp v4 + + management-vector mgmt-vec-wan + name mgmt-vec-wan + priority 10 + exit + + neighborhood internet + name internet + topology spoke + exit + exit + exit + + device-interface lan-dev + name lan-dev + type ethernet + pci-address 0000:04:00.0 + forwarding true + + network-interface lan1 + name lan1 + type external + tenant corp + + address 192.168.1.1 + ip-address 192.168.1.1 + prefix-length 24 + exit + exit + exit + exit + + service-route internet-route + name internet-route + service-name Internet-Traffic + type service-agent + + next-hop node0 wan1 + node-name node0 + interface wan1 + exit + exit + exit + exit +exit +``` + +## Configuration Notes + +| Item | Note | +|------|------| +| `asset-id` | Replace `SSR130-ABC1234567` with the actual serial number from the SSR130 device label | +| `conductor-address` | Replace `192.168.100.10` 
with the actual static IP assigned to the conductor's MGMT port | +| `gateway` | Replace `192.168.100.1` with your management network gateway | +| LAN address | Replace `192.168.1.1/24` with the LAN subnet for each branch site | +| Coordinates | The `location` field is not shown here; add ISO 6709 coordinates for your conductor and each branch site | + +## Adding Additional Routers + +To add a second SSR130 router (`branch2`), copy the `router branch1` block, change the router name to `branch2`, update the `asset-id` to the second device's serial number, and change the LAN IP to a different subnet (for example, `192.168.2.1/24`). All other authority-level objects (`tenant`, `service`) are shared. diff --git a/docs/deploy_appendix_router.mdx b/docs/deploy_appendix_router.mdx new file mode 100644 index 0000000000..b9ff55d433 --- /dev/null +++ b/docs/deploy_appendix_router.mdx 
@@ -0,0 +1,142 @@ +--- +title: "Appendix - Router Configuration" +sidebar_label: "Appendix - Router Configuration" +--- +import NetworkDesign from './_deploy_network_design.md'; + +This appendix contains the SSR130 branch router configuration in SSR PCLI format. This is the router-scoped portion of the configuration staged on the conductor for `branch1`. It reflects the final state after completing [Configure the Router on the Conductor](deploy_router_config.mdx) and [Upgrade Routers to 7.1.5](deploy_router_upgrade.mdx). + +The complete authority-level configuration (including the service and tenant objects that the router depends on) is in [Appendix - Conductor Configuration](deploy_appendix_conductor.mdx). + +## Network Design Reference + + + +## Router Configuration + +The following block shows the `branch1` router section in isolation, as it would appear within the authority configuration. + +``` +config + authority + + router branch1 + name branch1 + inter-node-security internal + + dns-config automatic + mode automatic + exit + + node node0 + name node0 + role combo + asset-id SSR130-ABC1234567 + + device-interface wan-dev + name wan-dev + type ethernet + pci-address 0000:04:00.3 + forwarding true + + network-interface wan1 + name wan1 + type external + conductor true + default-route true + source-nat true + management true + dhcp v4 + + management-vector mgmt-vec-wan + name mgmt-vec-wan + priority 10 + exit + + neighborhood internet + name internet + topology spoke + exit + exit + exit + + device-interface lan-dev + name lan-dev + type ethernet + pci-address 0000:04:00.0 + forwarding true + + network-interface lan1 + name lan1 + type external + tenant corp + + address 192.168.1.1 + ip-address 192.168.1.1 + prefix-length 24 + exit + exit + exit + exit + + service-route internet-route + name internet-route + service-name Internet-Traffic + type service-agent + + next-hop node0 wan1 + node-name node0 + interface wan1 + exit + exit + exit + + exit +exit +``` + 
+## Interface Summary + +| Interface | Device | PCI Address | Type | Configuration | +|-----------|--------|-------------|------|--------------| +| `wan1` | `wan-dev` (`ge-0-0`, Port 0) | `0000:04:00.3` | External | DHCP; conductor=true; management over forwarding; neighborhood `internet` | +| `lan1` | `lan-dev` (`ge-0-3`, Port 3) | `0000:04:00.0` | External | Static `192.168.1.1/24`; tenant `corp` | + +## Service Forwarding Summary + +| Service | Route | Type | Egress Interface | +|---------|-------|------|-----------------| +| `Internet-Traffic` (0.0.0.0/0) | `internet-route` | `service-agent` | `wan1` (direct breakout) | + +## Configuration Notes + +| Item | Note | +|------|------| +| `asset-id` | Replace `SSR130-ABC1234567` with the device serial number | +| LAN address | Replace `192.168.1.1/24` with the actual LAN subnet for this branch | +| `source-nat` | Must be `true` on the management interface; management traffic originates from `169.254.x.x` | +| `default-route` | Must be `true`; causes Linux to forward all OS-originated traffic through the SSR engine | +| `conductor` | Must be `true` on the WAN interface for the router to reach the conductor over the forwarding plane | +| Neighborhood | The `internet` neighborhood on the WAN interface allows this router to peer with hub routers via SVR if added later | + +## Verifying the Running Configuration + +To view the running configuration for this router from the conductor PCLI: + +```bash +show config running authority router branch1 +``` + +To compare the running configuration against the candidate (uncommitted changes): + +```bash +show config candidate authority router branch1 +``` + +To export the entire authority configuration to a file: + +```bash +export config running filename acmecorp-export.cfg +``` + +The exported file is saved to `/etc/128technology/config-exports/` on the conductor. 
diff --git a/docs/deploy_appendix_vmware_conductor.mdx b/docs/deploy_appendix_vmware_conductor.mdx new file mode 100644 index 0000000000..a3acf70a4e --- /dev/null +++ b/docs/deploy_appendix_vmware_conductor.mdx 
@@ -0,0 +1,132 @@ +--- +title: "Appendix - VMware Conductor Configuration" +sidebar_label: "Appendix - VMware Conductor Configuration" +--- + +This appendix contains the complete SSR PCLI configuration for the `conductor1` VMware ESXi conductor described in this guide. Apply this configuration after completing [Step 3 — Configure the Conductor](deploy_vmware_conductor_config.mdx). + +:::note +Router configuration (including PCI addresses and interface definitions for branch routers) is documented in the [VMware Router Deployment Guide Appendix](deploy_appendix_vmware_router.mdx). +::: + +## Network Design Reference + +The following values are used in this configuration. Substitute your own values where noted. + +| Parameter | Example Value | Description | +|-----------|--------------|-------------| +| Authority Name | `Authority128` | Organizational authority name | +| Conductor Name | `conductor1` | | +| Conductor Node Name | `node0` | | +| Conductor Management IP | `192.168.100.10` | Static IP on VMware management network | +| Conductor Subnet Mask | `/24` | | +| Conductor Gateway | `192.168.100.1` | Management network gateway | +| Conductor NIC PCI Address | `0000:0b:00.0` **Example only** | Discover actual value with `ethtool -i \| grep bus-info` | + +## Applying This Configuration + +This configuration can be applied to a freshly initialized conductor using the PCLI import function. + +1. Save the configuration below to a file — for example `vmware-conductor.cfg`. + +2. Copy the file to the conductor: + + ```bash + scp vmware-conductor.cfg admin@192.168.100.10:/tmp/ + ``` + +3. Log in to the conductor PCLI: + + ```bash + ssh admin@192.168.100.10 + ``` + +4. Enter configuration mode and import: + + ``` + admin@node0.conductor1# import config /tmp/vmware-conductor.cfg + ``` + +5. Review any validation warnings, then commit: + + ``` + admin@node0.conductor1 (config)# commit + Are you sure you want to commit the candidate config? 
[y/N]: y + ``` + +Alternatively, you may copy and paste each block into the PCLI while in `configure` → `edit` mode. + +## Complete Conductor Configuration + +``` +config + authority + name Authority128 + + conductor-address 192.168.100.10 + + tenant corp + name corp + exit + + service Internet-Traffic + name Internet-Traffic + scope public + security internal + + access-policy + source corp + exit + + address 0.0.0.0/0 + exit + + router conductor1 + name conductor1 + inter-node-security internal + + node node0 + name node0 + role conductor + + device-interface mgmt-dev + name mgmt-dev + type ethernet + pci-address 0000:0b:00.0 + forwarding false + + network-interface mgmt-intf + name mgmt-intf + type management + + address 192.168.100.10 + ip-address 192.168.100.10 + prefix-length 24 + gateway 192.168.100.1 + exit + exit + exit + exit + exit + exit +exit +``` + +## Configuration Notes + +:::important +The `pci-address` value `0000:0b:00.0` is an example. The actual PCI address of the VMXNet3 NIC in your conductor VM must be discovered after installation. From the Linux shell on the conductor, run: + +```bash +ethtool -i | grep bus-info +``` + +Substitute the discovered value in the `device-interface mgmt-dev` block before applying this configuration. +::: + +| Item | Note | +|------|------| +| `pci-address` (conductor NIC) | **Must be replaced** with the actual VMXNet3 NIC PCI address. The value `0000:0b:00.0` varies by VM slot assignment. | +| `conductor-address` | Replace `192.168.100.10` with the actual static IP assigned to the conductor VM if different. | +| `gateway` | Replace `192.168.100.1` with your management network gateway. | +| `forwarding` on conductor NIC | Set to `false` — the conductor management NIC is not a forwarding interface. | diff --git a/docs/deploy_appendix_vmware_router.mdx b/docs/deploy_appendix_vmware_router.mdx new file mode 100644 index 0000000000..4d383bc60e --- /dev/null +++ b/docs/deploy_appendix_vmware_router.mdx 
@@ -0,0 +1,158 @@ +--- +title: "Appendix: VMware Router Configuration" +sidebar_label: "Appendix: VMware Router Config" +--- +import NetworkDesign from './_deploy_vmware_router_network_design.md'; + +This appendix contains the complete SSR PCLI configuration for the `branch1` VMware router described in this guide. This configuration reflects the final state after completing all steps through [Step 4 — Configure the Router on the Conductor](deploy_vmware_router_config.mdx). + +:::important +This appendix uses **example** PCI addresses (`0000:0b:00.0` for WAN, `0000:13:00.0` for LAN). Replace these with the actual values discovered in [Step 3 — Find VM NIC PCI Addresses](deploy_vmware_router_pci.mdx). +::: + +## Network Design Reference + + + +## Applying This Configuration + +This configuration can be applied to the conductor using the PCLI import function. + +1. Save the router configuration block below to a file — for example, `vmware-router-branch1.cfg`. + +2. Copy the file to the conductor: + + ```bash + scp vmware-router-branch1.cfg admin@192.168.100.10:/tmp/ + ``` + +3. Log in to the conductor PCLI: + + ```bash + ssh admin@192.168.100.10 + ``` + +4. Enter configuration mode and import: + + ```text + admin@node0.conductor1# import config /tmp/vmware-router-branch1.cfg + ``` + +5. Review any validation warnings, then commit: + + ```text + admin@node0.conductor1 (config)# commit + Are you sure you want to commit the candidate config? [y/N]: y + ``` + +Alternatively, copy and paste each block into the PCLI while in `configure` → `edit` mode. + +:::note +The authority-level objects this router depends on (`Internet-Traffic` service, `corp` tenant, and conductor address) must already exist in the running configuration. For the complete authority-level configuration, see [Appendix — Conductor Configuration](deploy_appendix_conductor.mdx). 
+::: + +## Router Configuration + +The following block shows the `branch1` router section as it appears within the authority configuration. This is the router-scoped portion only. + +```text +config + authority + + router branch1 + name branch1 + inter-node-security internal + + dns-config manual + mode manual + server 1.1.1.1 + server 8.8.8.8 + exit + + node node0 + name node0 + role combo + asset-id branch1 + + device-interface wan-dev + name wan-dev + type ethernet + pci-address 0000:0b:00.0 + forwarding true + + network-interface wan1 + name wan1 + type external + conductor true + default-route true + source-nat true + management true + dhcp v4 + + management-vector mgmt-vec-wan + name mgmt-vec-wan + priority 10 + exit + + neighborhood internet + name internet + topology spoke + exit + exit + exit + + device-interface lan-dev + name lan-dev + type ethernet + pci-address 0000:13:00.0 + forwarding true + + network-interface lan1 + name lan1 + type external + tenant corp + + address 192.168.1.1 + ip-address 192.168.1.1 + prefix-length 24 + exit + exit + exit + exit + + service-route internet-route + name internet-route + service-name Internet-Traffic + type service-agent + + next-hop node0 wan1 + node-name node0 + interface wan1 + exit + exit + exit + + exit +exit +``` + +## Interface Summary + +| Interface | Device Interface | PCI Address | Type | Configuration | +|-----------|-----------------|-------------|------|---------------| +| `wan1` | `wan-dev` | `0000:0b:00.0` _(example)_ | External | DHCP, conductor, default-route, source-nat, management, neighborhood `internet` | +| `lan1` | `lan-dev` | `0000:13:00.0` _(example)_ | External | tenant `corp`, static `192.168.1.1/24` | + +## Service Route Summary + +| Service Route | Service | Type | Next Hop | +|--------------|---------|------|---------| +| `internet-route` | `Internet-Traffic` | `service-agent` | `node0 / wan1` | + +## Design Notes + +**Management over Forwarding** — The `wan1` interface carries both 
internet traffic and conductor management sessions simultaneously. Management traffic from the `169.254.x.x` range is source-NAT'd to the WAN DHCP address before leaving the interface. This eliminates the need for a separate out-of-band management network at the branch site. + +**Internet Breakout** — The `internet-route` service route directs all `corp`-tenant traffic matching the `Internet-Traffic` service (destination `0.0.0.0/0`) out through `wan1` as a service-agent. The source NAT setting on `wan1` ensures LAN client traffic is translated to the WAN IP before it reaches the ISP. + +**PCI Address Binding** — VMware assigns PCI addresses based on the VM's hardware slot configuration. The example addresses in this appendix (`0000:0b:00.0`, `0000:13:00.0`) are illustrative only. Always use the values discovered by following [Step 3 — Find VM NIC PCI Addresses](deploy_vmware_router_pci.mdx). diff --git a/docs/deploy_aws.md b/docs/deploy_aws.md new file mode 100644 index 0000000000..8c982462b1 --- /dev/null +++ b/docs/deploy_aws.md 
@@ -0,0 +1,61 @@ +--- +title: Deploying SSR in Amazon Web Services +sidebar_label: AWS Deployment Overview +--- + +This section provides end-to-end deployment guides for running the Juniper Session Smart Router (SSR) in Amazon Web Services (AWS). The guides cover the full journey: from creating an AWS account and setting up the required cloud infrastructure through to a running, configured SSR deployment. + +## Deployment Models + +SSR supports two management models and two licensing models in AWS. Review the options below to choose the right guide for your deployment. + +### Management Model + +| Management Model | Description | Best For | +| ---------------- | ----------- | -------- | +| **Conductor-managed** | A Session Smart Conductor (also deployed in AWS or on-premises) centrally manages one or more SSR routers. Supports full SSR feature set including advanced routing policies, HA, and CLI/GUI administration. | Enterprise deployments requiring full control over routing policy and configuration | +| **Mist-managed** | SSR routers are managed through the Juniper Mist cloud portal using Zero Touch Provisioning (ZTP). Requires an active Mist organization and registration code. | WAN Assurance deployments integrated with the Mist AI platform | + +:::important +SSR Version 6.x installed from an AWS Marketplace image supports **Mist-managed** routers only. For a conductor-managed deployment running SSR 6.x, install SSR 5.x first and upgrade through the Conductor, or use the BYOL image with explicit version selection. +::: + +### Licensing Model + +| License Model | Description | +| ------------- | ----------- | +| **PAYG (Pay As You Go)** | Hourly billing through the AWS Marketplace. Includes a 30-day free trial. Best for proof-of-concept and evaluation. Software upgrades and on-premises deployments require a separate token. | +| **BYOL (Bring Your Own License)** | Install your own licensed copy of SSR software. 
Requires Artifactory credentials or a Mist registration code. Supports image-based installations. Requires Conductor version 6.3.0-R1 or newer for BYOL router management. | + +## Available Guides + +| Guide | Management | Licensing | Notes | +| ----- | ---------- | --------- | ----- | +| [AWS: Conductor-Managed Deployment](deploy_aws_conductor.mdx) | Conductor | BYOL | **Recommended starting point.** Complete end-to-end guide from AWS account to running router | +| [AWS: PAYG Conductor-Managed Router](intro_installation_quickstart_aws.md) | Conductor | PAYG | Evaluation / PoC deployments using marketplace hourly billing | +| [AWS: PAYG Mist-Managed Router](intro_installation_quickstart_mist_aws.md) | Mist | PAYG | Mist WAN Assurance with marketplace hourly billing | +| [AWS: BYOL Mist-Managed Router](intro_installation_quickstart_byol_mist_aws.md) | Mist | BYOL | Mist WAN Assurance with your own license | + +## Supported AWS Instance Types + +The following EC2 instance sizes are supported for SSR deployments. Choose the size that best meets your throughput and interface requirements. + +| AWS Instance Size | Max vNICs | vCPU | Memory | +| ----------------- | --------- | ---- | ------ | +| c5.xlarge | 4 | 4 | 8 GB | +| c5.2xlarge | 4 | 8 | 16 GB | +| c5.4xlarge | 8 | 16 | 32 GB | +| c5.9xlarge | 8 | 36 | 72 GB | +| c5n.xlarge | 4 | 4 | 10.5 GB | +| c5n.2xlarge | 4 | 8 | 21 GB | +| c5n.4xlarge | 8 | 16 | 42 GB | +| c5n.9xlarge | 8 | 36 | 96 GB | + +For Conductor sizing guidance when managing multiple routers, see [System Requirements](intro_system_reqs.md#conductor-scaling-recommendations). + +## Additional Resources + +- [Cloud Platform Support](supported_cloud_platforms.md) +- [System Requirements](intro_system_reqs.md) +- [Firewall Port Reference](config_firewall_ports.md) +- [BYOL Cloud Images Release Notes](release_notes_byol.md) diff --git a/docs/deploy_aws_conductor.mdx b/docs/deploy_aws_conductor.mdx new file mode 100644 index 0000000000..2449158fcd 
--- /dev/null +++ b/docs/deploy_aws_conductor.mdx 
@@ -0,0 +1,534 @@ +--- +title: "AWS: Conductor-Managed Deployment Guide" +sidebar_label: Conductor-Managed Deployment +--- + +import AwsAccountSetup from './_aws_account_setup.md'; +import AwsVpcSetup from './_aws_vpc_setup.md'; +import AwsKeypair from './_aws_keypair.md'; +import AwsSecurityGroups from './_aws_security_groups.md'; +import AuthorityName from './_set_authority_name.md'; +import SetConductorIP from './_set_conductor_ip.md'; +import ChangeDefaultPasswords from './_change_def_passwords.md'; +import NextStepsConfig from './_conductor_install_nextsteps.md'; + +This guide walks through deploying a complete Juniper Session Smart Router (SSR) solution in AWS using the **BYOL (Bring Your Own License)** model with a **Conductor-managed** architecture. When you complete this guide, you will have: + +- An AWS account and VPC configured for SSR +- A Session Smart Conductor deployed and configured +- A Session Smart Router deployed and onboarded to the Conductor +- A baseline working configuration verified end-to-end + +## Prerequisites + +Before you begin, confirm you have: + +- A Juniper account with Artifactory credentials (username and token) for accessing SSR software repositories. Contact your Juniper Sales representative if you do not have these. +- The SSR software version you want to deploy. Your Juniper Sales representative can advise if you are unsure. +- AWS CLI installed on your local workstation (optional, for CLI-based deployment). See the [AWS CLI installation guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). 
+ +--- + +## Step 1: Set Up Your AWS Account + + + +--- + +## Step 2: Plan Your Deployment + +The following diagram illustrates the AWS infrastructure deployed by this guide: + +```mermaid +graph TB + subgraph AWS VPC ["AWS VPC (10.0.0.0/16)"] + subgraph mgmt ["Management Subnet (10.0.1.0/24)"] + COND[Session Smart Conductor\nEC2 Instance] + end + subgraph pub ["Public Subnet (10.0.2.0/24)"] + RTR_WAN[Router WAN Interface\nge-0-1] + end + subgraph priv ["Private Subnet (10.0.3.0/24)"] + RTR_LAN[Router LAN Interface\nge-0-2] + end + subgraph rtr_mgmt ["Router Mgmt Subnet (10.0.1.0/24)"] + RTR_MGMT[Router Mgmt Interface\nge-0-0] + end + end + IGW[Internet Gateway] --> mgmt + IGW --> pub + RTR_MGMT -->|Port 930, 4505, 4506| COND +``` + +### Deployment Summary + +| Component | AWS Resource | Subnet | Notes | +| --------- | ------------ | ------ | ----- | +| Conductor | EC2 instance | Management | Single NIC; SSH + HTTPS inbound | +| Router management interface | EC2 NIC | Management | Connects back to Conductor | +| Router WAN interface | EC2 NIC | Public | External/peer connectivity | +| Router LAN interface | EC2 NIC | Private | Internal workload connectivity | + +--- + +## Step 3: Create AWS Infrastructure + +### 3.1 Create VPC, Subnets, and Routing + + + +### 3.2 Create an EC2 Key Pair + + + +### 3.3 Create Security Groups + + + +--- + +## Step 4: Subscribe to the SSR BYOL Marketplace Offering + +1. Open the [Session Smart Networking Platform BYOL](https://aws.amazon.com/marketplace/pp/prodview-lz6cjd43qgw3c?sr=0-2&ref_=beagle&applicationId=AWSMPContessa) listing in the AWS Marketplace. +2. Click **Continue to Subscribe**. +3. Review and accept the terms and conditions. +4. Click **Continue to Configuration**. + +:::note +There is no software cost associated with the BYOL image. You pay only for the AWS EC2 compute resources. Software licensing is handled through your Artifactory credentials. 
+::: + +### Requesting a Private Offer + +If your environment has no outbound internet access to the SSR repositories, you can request a Private Offer instead: + +1. Locate your AWS Account ID: + - Open the [AWS Console](https://console.aws.amazon.com). + - Click the dropdown next to your username at the top right; the Account ID is displayed. + - Make a note of the Account ID. +2. Contact your Juniper Networks Sales representative and provide: + - Your AWS Account ID + - The SSR software version required for your deployment +3. Your Juniper Sales representative will email you the private offer. +4. Open the email and accept the terms and conditions to activate the offer. + +--- + +## Step 5: Deploy the Session Smart Conductor + +A Conductor must be deployed before any managed routers. The Conductor is a single EC2 instance with one network interface connected to the management subnet. + +### 5.1 Launch via AWS Console (CloudFormation) + +1. From the BYOL offering, click **Continue to Configuration**. +2. In the **Fulfillment Option** dropdown, select **CloudFormation Template**. +3. Select the **Juniper Session Smart Conductor** template. +4. Select your target region and click **Continue to Launch**. +5. In the **Choose Action** dropdown, select **Launch CloudFormation**, then click **Launch**. +6. The CloudFormation stack creation wizard opens. Fill in the stack parameters: + + | Parameter | Value | + | --------- | ----- | + | Stack name | A descriptive name, for example `ssr-conductor` | + | Name | Instance name, for example `conductor` | + | Instance Type | Select from the [supported instance sizes](deploy_aws.md#supported-aws-instance-types). 
`c5.xlarge` is recommended for small deployments | + | SSR Version | The SSR software version to install (for example `6.3.5-1`) | + | Artifactory Username | Your Artifactory username | + | Artifactory Token | Your Artifactory token | + | VPC ID | Select your `ssr-vpc` | + | Control Subnet ID | Select `ssr-mgmt-subnet` | + | Control Subnet Allowed CIDR | The CIDR of the management subnet (`10.0.1.0/24`) | + | Admin Allowed CIDR | Your admin workstation CIDR | + | Key Name | Select `ssr-keypair` | + +7. Click **Next** through the options pages, then click **Create stack**. + +![CloudFormation deployment complete](/img/platforms_aws_deployment_complete.png) + +8. Monitor the stack creation under the **Events** tab. When the status shows `CREATE_COMPLETE`, proceed to the **Outputs** tab. +9. Note the following values from the **Outputs** tab: + - **HTTPSLogin** — the URL to access the Conductor GUI + - **PublicEIP** — the public IP address of the Conductor instance + +:::note +After the CloudFormation stack reports `CREATE_COMPLETE`, allow an additional **10–15 minutes** for the BYOL SSR software installation to complete before attempting to log in. +::: + +### 5.2 Launch via AWS CLI (CloudFormation) + +If you prefer to deploy programmatically, follow the CloudFormation console steps 1–7 above to reach the template URL, then copy the **Amazon S3 URL** of the template. 
+ +Create a parameters file `conductor.parameters.json`: + +```bash +vi conductor.parameters.json +``` + +Paste and adjust the following JSON: + +```json +{ + "Name": "", + "Version": "", + "InstanceType": "c5n.xlarge", + "ArtifactoryUsername": "", + "ArtifactoryPassword": "", + "VpcId": "", + "ControlSubnet": "", + "ControlAllowedCidr": "10.0.1.0/24", + "AdminAllowedCidr": "", + "KeyName": "ssr-keypair" +} +``` + +Deploy the stack: + +```bash +aws cloudformation create-stack \ + --stack-name ssr-conductor \ + --template-url \ + --parameters file://conductor.parameters.json \ + --capabilities CAPABILITY_IAM +``` + +Monitor deployment status: + +```bash +aws cloudformation describe-stacks \ + --stack-name ssr-conductor \ + --query 'Stacks[0].StackStatus' +``` + +### 5.3 Manual Deployment (Without CloudFormation) + +If you prefer not to use CloudFormation templates, you can launch the EC2 instance directly: + +1. In the AWS Console, navigate to **EC2** and click **Launch Instance**. +2. Under **Application and OS Images**, click **Browse more AMIs**, search for `Session Smart Networking Platform BYOL`, and select the image. +3. Choose an instance type (see [supported sizes](deploy_aws.md#supported-aws-instance-types)). +4. Under **Key pair**, select `ssr-keypair`. +5. Under **Network settings**, click **Edit**: + - Select your `ssr-vpc` + - Select `ssr-mgmt-subnet` + - Select `ssr-conductor-sg` as the security group +6. Under **Configure storage**, ensure at least **128 GB** is allocated. +7. 
Expand **Advanced details** and populate the **User data** field with the cloud-init configuration below to automate onboarding: + +```yaml +#cloud-config +write_files: + - path: /etc/128T-hardware-bootstrapper/onboarding-config.json + content: | + { + "name": "", + "ssr-version": "", + "mode": "conductor", + "artifactory-user": "", + "artifactory-password": "", + "node-name": "node0", + "cloud-provider": "aws" + } +``` + +| Field | Description | +| ----- | ----------- | +| `name` | The name to assign to this Conductor | +| `ssr-version` | SSR software version to install (for example `6.3.5-1`) | +| `artifactory-user` | Your Artifactory username | +| `artifactory-password` | Your Artifactory token/password | +| `node-name` | For a standalone Conductor, use `node0` | + +8. Click **Launch instance**. + +If you do not provide user data, run onboarding manually after the instance starts: + +```bash +ssh -i ~/.ssh/ssr-keypair.pem ec2-user@ +sudo /usr/libexec/hardwareBootstrapper128t config-generator +``` + +Follow the prompts. The instance will reboot once when onboarding completes. + +--- + +## Step 6: Log In to the Conductor + +1. Navigate to the HTTPS URL from the CloudFormation Outputs tab (or `https://`). + + :::note + The Conductor uses a self-signed certificate by default. If your browser warns about an unsafe connection, you can safely proceed for initial setup. See [Configure Custom TLS Certificates](config_custom_certs.md) to install a trusted certificate. + ::: + +2. Log in with the default credentials: + - **Username:** `admin` + - **Password:** `128Tadmin` + +### Change Default Passwords + + + +--- + +## Step 7: Configure the Conductor + +### 7.1 Set the Authority Name + + + +Complete the authority name change by clicking **VALIDATE** and then **COMMIT**. + +### 7.2 Set the Conductor IP Address + + + +The Conductor's public IP address (from the CloudFormation Outputs or the EC2 console) is the address managed routers will use to connect. 
This must be set before deploying any routers. + +### 7.3 Add a Software Access Token (optional, for on-premises upgrades) + +If you require the ability to upgrade SSR software or deploy on-premises routers, add your Artifactory token to the Conductor. This propagates to all managed routers. + +SSH to the Conductor and run: + +```bash +ssh -i ~/.ssh/ssr-keypair.pem t128@ +``` + +Then from the PCLI: + +```bash +pcli +set software access-token +``` + +### 7.4 Create a Basic Configuration + +Before deploying routers, create the minimum required configuration on the Conductor: an Authority, at least one Service, and a Tenant. + +For a step-by-step walkthrough, see [Configure the Conductor](intro_basic_conductor_config.md). + +A default configuration template is also available on the Conductor: + +1. Log in to the Conductor GUI and navigate to **Configuration**. +2. Select **Templates** and browse the available default templates. +3. Apply a template as the starting point for your deployment. See [Configuration Templates](config_templates.md#default-templates) for details. + +--- + +## Step 8: Deploy the Session Smart Router + +With the Conductor running and configured, deploy the router. The router uses three network interfaces (management, WAN, and LAN) attached to the corresponding subnets. + +### 8.1 Enable Enhanced Networking (ENA) + +Before launching the router instance, enable ENA support on the AMI to achieve maximum throughput. Run the following from your local workstation: + +```bash +aws ec2 modify-instance-attribute \ + --instance-id \ + --ena-support +``` + +:::note +If you are using the CloudFormation template, ENA is configured automatically. +::: + +### 8.2 Launch via AWS Console (CloudFormation) + +1. Return to the BYOL marketplace offering and click **Continue to Configuration**. +2. In the **Fulfillment Option** dropdown, select **CloudFormation Template**. +3. Select the **Juniper Session Smart Conductor Managed Router** template. +4. 
Select your target region and click **Continue to Launch**. +5. In the **Choose Action** dropdown, select **Launch CloudFormation**, then click **Launch**. +6. Fill in the stack parameters: + + | Parameter | Value | + | --------- | ----- | + | Stack name | For example `ssr-router-1` | + | Router Name | For example `branch-router-1` | + | Instance Type | Select from [supported sizes](deploy_aws.md#supported-aws-instance-types) | + | SSR Version | Must match or be lower than the Conductor version | + | Artifactory Username | Your Artifactory username | + | Artifactory Token | Your Artifactory token | + | VPC ID | Select your `ssr-vpc` | + | Management Subnet ID | Select `ssr-mgmt-subnet` | + | Public Subnet ID | Select `ssr-public-subnet` | + | Private Subnet ID | Select `ssr-private-subnet` | + | Conductor Primary IP | The private IP of your Conductor from Step 5 | + | Key Name | Select `ssr-keypair` | + +7. Click **Next**, then **Create stack**. + +![Router deployment](/img/platforms_aws_router_deployment.png) + +8. Wait for `CREATE_COMPLETE`. Allow an additional **10–15 minutes** for BYOL installation to complete. + +### 8.3 Launch via AWS CLI (CloudFormation) + +Create `router.parameters.json`: + +```json +{ + "RouterName": "", + "Version": "", + "InstanceType": "c5n.xlarge", + "ArtifactoryUsername": "", + "ArtifactoryPassword": "", + "VpcId": "", + "ManagementSubnet": "", + "PublicSubnet": "", + "PrivateSubnet": "", + "ConductorPrimaryIp": "", + "AdminAllowedCidr": "", + "KeyName": "ssr-keypair" +} +``` + +Deploy: + +```bash +aws cloudformation create-stack \ + --stack-name ssr-router-1 \ + --template-url \ + --parameters file://router.parameters.json \ + --capabilities CAPABILITY_IAM +``` + +### 8.4 Manual Deployment (Without CloudFormation) + +1. In the AWS Console, navigate to **EC2** → **Launch Instance**. +2. Search for and select the **Session Smart Networking Platform BYOL** AMI. +3. Choose an instance type. +4. 
Under **Network settings**, click **Edit** and configure **three** network interfaces: + + | Interface | Subnet | Security Group | + | --------- | ------ | -------------- | + | eth0 (primary) | `ssr-mgmt-subnet` | `ssr-router-sg` | + | eth1 | `ssr-public-subnet` | `ssr-router-sg` | + | eth2 | `ssr-private-subnet` | `ssr-router-sg` | + +5. Expand **Advanced details** and populate **User data** for automatic onboarding: + +```yaml +#cloud-config +write_files: + - path: /etc/128T-hardware-bootstrapper/onboarding-config.json + content: | + { + "name": "", + "ssr-version": "", + "mode": "conductor-managed", + "artifactory-user": "", + "artifactory-password": "", + "conductor-hosts": [""], + "cloud-provider": "aws" + } +``` + +| Field | Description | +| ----- | ----------- | +| `name` | The router name (must match the configured router in the Conductor) | +| `ssr-version` | SSR software version to install | +| `conductor-hosts` | List of Conductor IP addresses (use the private IP) | + +6. Click **Launch instance**. + +### 8.5 Network Interface Layout + +The router template deploys the EC2 instance with network interfaces attached in the following order. Use these names in your Conductor or Mist configuration: + +**With management interface (recommended):** + +| SSR Interface Name | EC2 Interface | Subnet | +| ------------------ | ------------- | ------ | +| `ge-0-0` | eth0 | Management | +| `ge-0-1` | eth1 | Public (WAN) | +| `ge-0-2` | eth2 | Private (LAN) | + +**Without management interface:** + +| SSR Interface Name | EC2 Interface | Subnet | +| ------------------ | ------------- | ------ | +| `ge-0-0` | eth0 | Public (WAN) | +| `ge-0-1` | eth1 | Private (LAN) | + +--- + +## Step 9: Disable Source/Destination Check + +By default, AWS drops traffic on a network interface where the instance is not the source or destination. Since the SSR forwards traffic on behalf of other hosts, this check must be disabled on the router's network interfaces. + +1. 
In the **EC2 Console**, select the router instance. +2. Click the **Actions** dropdown, then select **Networking** → **Change source/destination check**. + + ![AWS Networking menu](/img/AWS-bootstrap1.png) + +3. In the **Change Source/Destination Check** dialog, select **Stop** and click **Save**. + + ![Source/Destination Check](/img/AWS-bootstrap2.png) + +:::note +Repeat this step for each network interface on the router instance if the dialog applies per-interface. +::: + +--- + +## Step 10: Create Router Configuration on the Conductor + +Before the router can pass traffic, it must have a configuration that matches the router name and interface layout you deployed. + +For a complete walkthrough of creating a basic router configuration (router object, WAN interface, LAN interface, service route), see [Basic Router Configuration](intro_basic_router_config.md). + +Key points for an AWS deployment: + +- The **router name** in the Conductor configuration must exactly match the `name` field used in the cloud-init user data or the CloudFormation template. +- Use the interface names from the [Network Interface Layout](#85-network-interface-layout) table above. +- The **Conductor Address** set in Step 7.2 must be reachable from the router's management subnet. + +--- + +## Step 11: Verify the Deployment + +### Verify the Conductor is Running + +1. SSH to the Conductor: + ```bash + ssh -i ~/.ssh/ssr-keypair.pem t128@ + ``` +2. Check the service status: + ```bash + sudo systemctl status 128T + ``` +3. Confirm the service shows **Active (running)**. +4. Log in to the Conductor GUI at `https://` with the `admin` user. + +### Verify the Router has Connected + +1. In the Conductor GUI, navigate to **Routers**. +2. Confirm your router appears and shows a **Connected** state. +3. Check that the routing table and Session table are populated as expected. 
+ +### Verify Traffic Forwarding + +From the Conductor PCLI, confirm sessions are being established: + +```bash +show sessions router +``` + +From the Conductor or Router GUI, use the **Topology** view to confirm adjacency and SVR path establishment. + +--- + +## Step 12: Next Steps + + + +### Additional Configuration Topics + +With SSR deployed and running in AWS, explore the following to complete your deployment: + +- **High Availability:** See [Conductor-managed HA Concepts](concepts_ha_options.md) for HA Conductor and Router configurations. +- **BGP with AWS TGW:** See [BGP Configuration](config_bgp.md) for connecting SSR to AWS Transit Gateway using BGP. +- **Security Hardening:** See [Security Hardening Guidelines](sec_hardening_guidelines.md). +- **Upgrading:** See [Upgrading the SSR](intro_upgrading.md) for the upgrade process on AWS instances. +- **Monitoring:** See [Monitoring the SSR](concepts_monitoring.md) for metrics and alerting configuration. diff --git a/docs/deploy_conductor_config.mdx b/docs/deploy_conductor_config.mdx new file mode 100644 index 0000000000..ec4f00cd5c --- /dev/null +++ b/docs/deploy_conductor_config.mdx 
@@ -0,0 +1,84 @@ +--- +title: Configure the Conductor +sidebar_label: Configure the Conductor +--- +import NetworkDesign from './_deploy_network_design.md'; +import AuthorityName from './_set_authority_name.md'; +import SetConductorIP from './_set_conductor_ip.md'; +import ConductorAuthority from './_conductor_to_authority.md'; + +This section configures the authority-level settings on the conductor: the authority name, conductor address, internet service, and corporate tenant. These objects are global to all routers in the authority. + +All steps are performed from the **Conductor GUI** at `https://192.168.100.10` unless otherwise noted. + +## Network Design Reference + + + +## 1. Set the Authority Name + + + +:::note +Use your organization's name as the authority name (for example, `Authority128`). The authority name cannot be changed after routers have been provisioned without re-onboarding them. +::: + +## 2. Set the Conductor Address + +The conductor address is the IP address that managed routers use to connect to this conductor. It must be reachable from each branch router's WAN interface. + + + +For this guide, enter `192.168.100.10` as the conductor address. + +## 3. Create the Corporate Tenant + +Tenants logically partition the network. The `corp` tenant represents corporate LAN users in this deployment and is referenced by the LAN interface configuration on each branch router. + +1. In the Conductor GUI, select **Configuration**. +2. Select **Authority**. +3. Scroll to **Tenants** and select **ADD**. +4. Enter the name `corp` and select **SAVE**. +5. At the top of the screen, select **VALIDATE** and then **COMMIT**. + +:::info +Tenants are authority-wide. A single `corp` tenant definition applies to all routers that assign it to a LAN interface. +::: + +## 4. Create an `Internet-Traffic` Service + +The *service* configuration element defines the IP destinations that the SSR will route. 
This process creates a single service representing all internet-bound traffic. + +1. Log in to the Conductor GUI. +2. Select **Configuration**. +3. Select **Authority** from the left panel. +4. Scroll down to **Services** and select **ADD**. +5. Enter the name `Internet-Traffic` and select **SAVE**. +6. On the Service screen, verify **Enabled** is set to `true`. +7. Scroll down to **Service Addresses** and select **ADD**. +8. Enter `0.0.0.0/0` and select **SAVE**. +9. Scroll down to **Access Policy** and select **ADD**. + - Set **Source** to `corp` (the tenant you will create in the next step). + - Select **SAVE**. +10. At the top of the screen, select **VALIDATE** and then **COMMIT**. + +## 5. Assign the Conductor Asset ID + + + +## What Was Configured + +At the end of this step your authority contains: + +| Object | Name | Value | +|--------|------|-------| +| Authority | `Authority128` | | +| Conductor Address | | `192.168.100.10` | +| Service | `Internet-Traffic` | `0.0.0.0/0` | +| Tenant | `corp` | LAN-side user population | + +## Next Step - Configure the Router on the Conductor + +The conductor must have the branch router's configuration staged **before** the router (hardware or virtual device) is powered on. When the router comes online and contacts the conductor, it downloads this configuration automatically. + +Proceed to [Configure the Router on the Conductor](deploy_router_config.mdx). diff --git a/docs/deploy_conductor_install.mdx b/docs/deploy_conductor_install.mdx new file mode 100644 index 0000000000..a34989e564 --- /dev/null +++ b/docs/deploy_conductor_install.mdx 
@@ -0,0 +1,165 @@ +--- +title: Install the Conductor +sidebar_label: Install the Conductor +--- +import SSR1200Ports from './_deploy_ssr1200_port_map.md'; +import VerifyConductorInstall from './_install_verify_conductor_install.md'; +import ChangeDefaultPasswords from './_change_def_passwords.md'; +import ConfigureToken from './_configure_token.md'; + +This section covers the physical hardware setup and software installation for the SSR1200 being used as the conductor. The SSR1200 conductor provides centralized management for all branch routers in the network. + +SSR 7.1.5 uses the **Universal ISO** installation process. If your SSR1200 shipped with SSR 6.3.0 or later pre-installed, skip the [Install the Software](#install-the-software) section and proceed directly to [Initialize the Conductor](#initialize-the-conductor). + +If your device has an SSR software version lower than SSR 6.3.0, there are specific requirements for upgrading to the latest SSR version. Please use the detailed instructions in [Upgrading the Conductor](upgrade_ibu_conductor#upgrade-using-the-gui) before proceeding. + +To help you identify the number of managed routers your SSR device can support, refer to the [Conductor Scaling Recommendations](intro_system_reqs.md#conductor-scaling-recommendations) in the System Requirements documentation. + +## SSR1200 Port Reference + + + +## Physical Setup + +Connect the SSR1200 before powering it on: + +1. **Connect the MGMT port** (`mgmt-0-0`, PCI `0000:03:00.0`) to a management network switch port that provides: + - A static IP assignment + - Connectivity to the internet (required for software downloads) + +2. **Connect a laptop** to any LAN port (Port 0/3 through Port 0/5) using a standard Ethernet cable. The laptop will be used to access the device initialization web interface at `https://192.168.128.1` during setup. + +3. Do **not** power on the device yet. 
+ +## Install the Software + +:::note +Skip this section if your SSR1200 already has SSR 6.3.0 or later installed. +::: + +### Download the ISO + +Download the SSR 7.1.5 ISO from the Juniper software repository: + +- URL: [https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local/](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local/) +- You will be prompted for your Artifactory username and software access token. +- Select the `SSR-7.1.5-7.r2.el9.x86_64.ibu-v1.iso` ISO file. + +For instructions on creating a bootable USB from the ISO, see [Creating a Bootable USB](intro_creating_bootable_usb.md). + +### Boot from USB + +1. Connect the bootable USB to a USB port on the SSR1200. +2. Connect a console cable (RJ-45 rollover) to the **CONSOLE** port on the SSR1200 and to your laptop or console server. Set the baud rate to **115200 bps**. +3. Power on the SSR1200. +4. When the prompt `Press ESC for boot menu` appears, press **ESC**. +5. From the boot menu, select the USB device number and press **Enter**. +6. From the boot menu, press **TAB** or **DEL** to enter Setup if required. + +### Run the Installer + +1. At the boot image selection screen, select the SSR 7.1.5 image and press **Enter**. + + ![Choose Image](/img/u-iso2_choose_image.png) + +2. At the Install menu, select **Serial Console**. + + ![Install Type](/img/u-iso3_choose_install_type.png) + + :::note + Select **Serial** when using a console cable (recommended for data-center installations), and be sure the baud rate is set to 115200 bps. Select **VGA** only if you have a keyboard and monitor connected directly to the device. If no selection is made within 30 seconds, the system defaults to the **Serial Console** boot option. + ::: + +3. If you are installing a FIPS enabled system, select Install Option 1, then press **Enter**. 
+ + If you are installing a physical device and do not require FIPS, skip the options and select **Enter**. The download and installation begins. + + :::note + IDP is not currently compatible with systems running in FIPS 140-3 mode, including Common Criteria or JITC deployments. + + If after installation you require IDP, FIPS mode must be disabled on the target system if IDP is to be enabled. Refer to [IDP Troubleshooting](ts_idp.md#fips-mode-and-idp) for information to disable FIPS mode. + ::: + + + ![Install Options](/img/u-iso4_install_options.png) + +4. The installation runs to completion automatically. This may take approximately 15–20 minutes. + + ![Install Progress](/img/u-iso5_begin_install.png) + +5. When prompted to reboot, allow the device to restart. Remove the USB drive before the next boot. + + ![Install Complete](/img/u-iso6_unpacker_complete.png) + +## Initialize the Conductor + +The SSR1200 exposes a web-based initialization interface on its LAN ports after the first boot. Use this interface to configure the conductor role, management IP address, and admin credentials. + +1. Ensure your laptop is connected to a LAN port on the SSR1200 and has a static IP in the `192.168.128.0/24` subnet. + + :::note + Assign your laptop a static IP address in the range `192.168.128.2`–`192.168.128.254` with a subnet mask of `255.255.255.0` before connecting. The initialization web interface is only accessible on the LAN-side ports prior to initialization. + ::: + +2. Open a web browser and navigate to: + + ``` + https://192.168.128.1 + ``` + + Accept the self-signed certificate warning. + + ![Initialization UI](/img/u-iso8_launch_gui.png) + +3. Under **SSR Managed**, select **SSR Conductor**. + + ![SSR Conductor Selection](/img/u-iso8a_initialize_conductor.png) + +4. Select **STANDALONE** for a single-conductor deployment. 
Select the **STATIC** address type, the **Provide Artifactory Credentials** checkbox, and enter the following information: + + | Field | Example Value | Notes | + |-------|--------------|-------| + | Conductor Name | `conductor1` | Used as the router name in the authority | + | Node IP Address | `192.168.100.10` | Static management IP | + | Node Gateway | `192.168.100.1` | Management network gateway | + | Interface Name | `mgmt-0-0` | Management interface | + | DNS Server | `8.8.8.8` | Optional; required for software downloads | + | Admin Password | _(your choice)_ | Minimum 8 chars, 1 upper, 1 lower, 1 number | + | Artifactory Username | _(your username)_ | Juniper software access | + | Artifactory Password | _(your token)_ | Juniper software access token | + + ![Conductor Configuration](/img/deploy_u-iso9_define_conductor.png) + + :::note + The admin, root, and t128 accounts are all set to the password you enter here. + ::: + + :::important + Record this password securely. It cannot be recovered if lost — only reset, which requires root access. + ::: + +5. Click **ASSOCIATE**. + +6. The SSR1200 reboots and comes online as a conductor. This process takes approximately 5–10 minutes. + +## Verify the Installation + +After the device restarts, connect your laptop to the management network and verify the conductor is running: + +:::note +At this point, it is good practice to remove the static IP previously set from your laptop. +::: + +Access the conductor GUI from the management network using: + +``` +https://192.168.100.10 +``` + +![Login to the Conductor](/img/dep-1200-cond-login.png) + +Log in with username `admin` and the password set during initialization. + +## Next Step + +Proceed to [Configure the Conductor](deploy_conductor_config.mdx). diff --git a/docs/deploy_guides_overview.md b/docs/deploy_guides_overview.md new file mode 100644 index 0000000000..7989d7ef96 --- /dev/null +++ b/docs/deploy_guides_overview.md 
@@ -0,0 +1,12 @@ +--- +title: Deployment Guides Overview +sidebar_label: Overview +--- + +Conductor and Router Deployment Guides are provided to help walk a network engineer through the steps required to stand up a conductor-managed SSR network. + +Conductor deployments currently include an SSR1200 and VMware ESXi. In each case, the conductor will have a configuration ready for a branch router to onboard and come online, managed by the conductor, forwarding internet traffic for LAN users, and reachable by the conductor over the same WAN interface used for internet breakout. + +Router deployments currently include an SSR130 and a VMware ESXi virtual router (vSSR). + +The deployment guides are intended to be used independently of one another, allowing you to mix and match conductor and router platforms. \ No newline at end of file diff --git a/docs/deploy_overview.mdx b/docs/deploy_overview.mdx new file mode 100644 index 0000000000..a1dfcd0d52 --- /dev/null +++ b/docs/deploy_overview.mdx 
@@ -0,0 +1,77 @@ +--- +title: Conductor-Managed Network Deployment Guide +sidebar_label: Overview +--- +import Mermaid from '@theme/Mermaid'; +import NetworkDesign from './_deploy_network_design.md'; + +This guide walks a network engineer through the steps required to stand up a conductor-managed SSR network using an **SSR1200 as the Conductor** and ready to onboard branch routers. By the end of the guide, the conductor will have a configuration ready for each branch router to bring it online, managed by the conductor, forwarding internet traffic for LAN users, and reachable by the conductor over the same WAN interface used for internet breakout. + +## Guide Sections + +| Step | Topic | Description | +|------|-------|-------------| +| 1 | [Install the Conductor](deploy_conductor_install.mdx) | Install SSR 7.1.5 on an SSR1200 and initialize it as a standalone conductor | +| 2 | [Configure the Conductor](deploy_conductor_config.mdx) | Set the authority name, conductor address, internet service, and corporate tenant | +| 3 | [Configure the Router on the Conductor](deploy_router_config.mdx) | Pre-stage each SSR130 router's configuration on the conductor before onboarding | +| — | [Appendix — Conductor Configuration](deploy_appendix_conductor.mdx) | Complete conductor PCLI configuration | + +## Network Topology + +The diagram below shows the logical network this guide builds. 
+ +|"Management over\nForwarding (WAN)"| ISP + ISP <-->|"DHCP / Internet Breakout\n(service: Internet-Traffic)"| Router + LAN <-->|"LAN"| Router +`}/> + +## Roles + +| Device | Model | Role | +|--------|-------|------| +| `conductor1` | SSR1200 | Standalone SSR Conductor — centralized management and provisioning | +| `branch1` | SSR130 | Conductor-managed branch router — internet breakout and LAN services | + +## Network Design Reference + + + +## Prerequisites + +Before beginning, ensure the following are available: + +- **Juniper software access credentials** — Artifactory username and password for software downloads. +- **SSR 7.1.5 ISO image** — downloaded from [software.128technology.com](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local/) using your Juniper software access credentials. +- **Bootable USB drive** — minimum 8 GB, prepared from the ISO. See [Creating a Bootable USB](intro_creating_bootable_usb.md). +- **Console access** — RJ-45 rollover cable or VGA/keyboard access to the SSR1200 for the initial installation. +- **Management network** — a network switch port providing DHCP or a known static IP for the SSR1200 MGMT port. +- **Static IP assignment for the conductor** — the IP address assigned to the conductor must be reachable from branch WAN links. +- **Mist portal account** — required for SSR130 Zero Touch Provisioning (ZTP). A free account suffices; WAN Assurance subscription is **not** required. +- **ISP WAN links** — each SSR130 branch requires an Ethernet WAN link providing DHCP. + +## Software Version Requirements + +This guide targets **SSR 7.1.5** on both conductor and routers. + +:::note +The router software version cannot be higher than the conductor software version. SSR130 routers that ship with an earlier software version are upgraded to 7.1.5 from the conductor after onboarding. See [Upgrading the Conductor](intro_upgrading.md) for general upgrade information. 
+::: + +## Related Documentation + +- [SSR Installation Overview](intro_installation.md) +- [Conductor Deployment Best Practices](bcp_conductor_deployment.md) +- [Service and Service Policy Design](bcp_service_and_service_policy_design.md) +- [Management Traffic over Forwarding Interfaces](config_management_over_forwarding.md) +- [Onboard an SSR Device to a Conductor](onboard_ssr_to_conductor.md) diff --git a/docs/deploy_router_config.mdx b/docs/deploy_router_config.mdx new file mode 100644 index 0000000000..18dcc6d2f8 --- /dev/null +++ b/docs/deploy_router_config.mdx 
@@ -0,0 +1,183 @@ +--- +title: Configure the Router on the Conductor +sidebar_label: Configure the Router +--- +import NetworkDesign from './_deploy_network_design.md'; + +It is a best practice to have a valid configuration staged on the conductor for this router — including a matching asset ID — before the router is powered on. When the SSR130 comes online and contacts the conductor, it downloads this configuration and applies it automatically. + +This section walks through creating the router configuration for `branch1` from the Conductor GUI. Repeat these steps for each additional SSR130 router in your network, substituting the appropriate router name, node name, asset ID, and addressing values. + +All steps are performed from the **Conductor GUI** at `https://192.168.100.10`. It is important that all steps be completed before committing the configuration. + +## Network Design Reference + + + +## 1. Create the Router + +1. Log in to the Conductor GUI. +2. Select **Configuration**. +3. Under **Authority**, scroll to **Routers** and select **ADD**. +4. Enter the router name `branch1` and select **SAVE**. +5. Set the following fields on the Router screen: + + | Field | Value | Notes | + |-------|-------|-------| + | Location | `+32.7767-096.7970/` | ISO 6709 coordinates; update for your site | + | Inter-node Security | `internal` | Required for SVR between nodes | + +6. Select **VALIDATE** and **COMMIT** to save. + +## 2. Create the Node + +1. Scroll down to **Nodes** and select **ADD**. +2. Enter the node name `node0` and select **SAVE**. +3. Set the following fields: + + | Field | Value | + |-------|-------| + | Role | `combo` | + | Asset ID | _(SSR130 serial number, e.g., `SSR130-ABC1234567`)_ | + +:::important +The asset-id must match the router-name that will be entered during the SSR130's initialization. The asset-id is how the device will be identified when it contacts the conductor. +::: + +4. Select **SAVE**. + +## 3. 
Configure the WAN Interface + +The WAN interface (`ge-0-0`, Port 0) connects to the ISP, obtains a DHCP address, and provides both internet forwarding and conductor management traffic via [Management over Forwarding](config_management_over_forwarding). + +### 3a. Create the WAN Device Interface + +1. Under the Node, scroll to **Device Interfaces** and select **ADD**. +2. Enter the name `wan-dev` and select **SAVE**. +3. Set the following fields: + + | Field | Value | + |-------|-------| + | Type | `ethernet` | + | PCI Address | `0000:04:00.3` | + | Forwarding | `true` | + +4. Select **SAVE**. + +### 3b. Create the WAN Network Interface + +1. Under the Device Interface, scroll to **Network Interfaces** and select **ADD**. +2. Enter the name `wan1` and select **SAVE**. +3. Set the following fields: + + | Field | Value | Notes | + |-------|-------|-------| + | Type | `external` | | + | DHCP | `v4` | WAN IP is assigned by ISP DHCP | + | Conductor | `true` | Marks this interface for conductor connectivity | + | Default Route | `true` | Linux uses this interface as its default route | + | Source NAT | `true` | Required for management over forwarding | + | Management | `true` | Enables management over forwarding on this interface | + +4. Scroll down to **Management Vector** and select **ADD**. + - Enter name `mgmt-vec-wan` and priority `10`. + - Select **SAVE**. + +5. Scroll down to **Neighborhoods** and select **ADD**. + - Select `internet` as the neighborhood name. + - Verify **Topology** is set to `spoke`. + - Select **SAVE**. + +6. Select **VALIDATE** and **COMMIT**. + +:::important +`Source NAT` and `Default Route` must both be set to `true` on the management interface. Management traffic originates from the `169.254.x.x` range and must be source-NAT'd to a routable address before leaving the interface. The default route ensures Linux sends non-SVR traffic through the SSR forwarding engine. +::: + +## 4. 
Configure the LAN Interface + +The LAN interface (`ge-0-3`, Port 3) connects to the branch LAN and assigns the `corp` tenant to traffic arriving from that direction. + +### 4a. Create the LAN Device Interface + +1. Return to the **Node** level and scroll to **Device Interfaces**, then select **ADD**. +2. Enter the name `lan-dev` and select **SAVE**. +3. Set the following fields: + + | Field | Value | + |-------|-------| + | Type | `ethernet` | + | PCI Address | `0000:04:00.0` | + | Forwarding | `true` | + +4. Select **SAVE**. + +### 4b. Create the LAN Network Interface + +1. Under the LAN Device Interface, scroll to **Network Interfaces** and select **ADD**. +2. Enter the name `lan1` and select **SAVE**. +3. Set the following fields: + + | Field | Value | Notes | + |-------|-------|-------| + | Type | `external` | | + | Tenant | `corp` | Assigns all LAN traffic to the corp tenant | + +4. Scroll down to **Interface Addresses** and select **ADD**. + - IP Address: `192.168.1.1` + - Prefix Length: `24` + - Select **SAVE**. + +5. Select **VALIDATE** and **COMMIT**. + +## 5. Configure DNS + +To enable the router to resolve FQDNs (for conductor connectivity and software downloads), configure DNS in automatic mode so that DNS servers are learned from the WAN DHCP lease. + +1. Return to the **Router** level. +2. Scroll to **DNS Config** and select **ADD**. +3. Set **Mode** to `manual` and enter DNS IP addresses such as `1.1.1.1` or `8.8.8.8`. +4. Select **SAVE**. +5. Select **VALIDATE** and **COMMIT**. + +## 6. Create the Internet Service Route + +The service route tells the router how to forward traffic matched by the `Internet-Traffic` service. In this deployment, internet-bound traffic is forwarded as a **service agent** (direct internet breakout) through the WAN interface. + +1. Return to the **Router** level. +2. Scroll to **Service Routes** and select **ADD**. +3. Enter the name `internet-route` and select **SAVE**. +4. 
Set the following fields: + + | Field | Value | + |-------|-------| + | Service Name | `Internet-Traffic` | + | Service Route Type | `service-agent` | + +5. Scroll to **Next Hop** and select **ADD**. + - Node: `node0` + - Network Interface: `wan1` + - Select **SAVE**. + +6. Select **VALIDATE** and **COMMIT**. + +## Configuration Summary + +The following objects have been created for `branch1`: + +| Object | Name | Key Settings | +|--------|------|-------------| +| Router | `branch1` | combo node, asset ID linked | +| WAN Device Interface | `wan-dev` | PCI `0000:04:00.3`, forwarding | +| WAN Network Interface | `wan1` | DHCP, conductor, default-route, source-nat, management, neighborhood `internet` | +| LAN Device Interface | `lan-dev` | PCI `0000:04:00.0`, forwarding | +| LAN Network Interface | `lan1` | tenant `corp`, address `192.168.1.1/24` | +| Service Route | `internet-route` | service `Internet-Traffic`, type `service-agent`, next-hop `node0/wan1` | + +:::tip +To add additional SSR130 routers to this deployment, repeat this entire section with a new router name (e.g., `branch2`), a new LAN subnet (e.g., `192.168.2.1/24`), and the corresponding device asset ID. +::: + +## Next Step + +Proceed to [Onboard SSR130 Routers](deploy_router_onboard.mdx). diff --git a/docs/deploy_router_onboard.mdx b/docs/deploy_router_onboard.mdx new file mode 100644 index 0000000000..5c439bd198 --- /dev/null +++ b/docs/deploy_router_onboard.mdx 
@@ -0,0 +1,177 @@ +--- +title: Onboard SSR130 Routers +sidebar_label: Onboard SSR130 Routers +--- +import SSR130Ports from './_deploy_ssr130_port_map.md'; + +This section covers the physical setup and initialization of each SSR130 branch router. Before beginning, confirm that the router configuration has been staged on the conductor as described in [Step 3 — Configure the Router on the Conductor](deploy_router_config.mdx). + +Repeat this section for each SSR130 in your deployment. + +:::important +It is a best practice to have a valid configuration staged on the conductor for this router — including a matching asset ID — before the router is powered on. +::: + +## SSR130 Port Reference + + + +## Onboarding Methods + +SSR130 routers running SSR 6.3.0 or later support two onboarding methods. Choose the method appropriate for your deployment: + +| Method | Best For | Requirements | +|--------|----------|-------------| +| [Web Workflow (Recommended)](#method-1-web-workflow) | Direct physical access at the branch | Laptop with Ethernet port | +| [Mist ZTP](#method-2-mist-ztp-zero-touch-provisioning) | Remote/zero-touch deployment | Mist portal account; conductor IP must be internet-reachable | + +--- + +## Method 1: Web Workflow + +Use this method when you have physical access to the SSR130 at the branch site. The device's initialization web interface guides you through the conductor association. + +### Physical Setup + +1. Connect **Port 0** (`ge-0-0`) to the ISP WAN Ethernet link. +2. Connect a laptop to **Port 3** (`ge-0-3`) using a standard Ethernet cable. + + :::note + Assign the laptop a static IP address in the range `192.168.128.2`–`192.168.128.254` with a subnet mask of `255.255.255.0`. + ::: + +3. **Power on the device**. + +### Initialize the Router + +1. Open a web browser and navigate to: + + ``` + https://192.168.128.1 + ``` + + Accept the self-signed certificate warning. + +2. Under **SSR Managed**, select **SSR Router Managed via Conductor**. 
+ + ![SSR Conductor-managed router](/img/u-iso10_cond-mngd_router.png) + +3. Enter the following information: + + | Field | Value | + |-------|-------| + | Router Name | `branch1` _(must match the name configured on the conductor)_ | + | Conductor IP Address | `192.168.100.10` | + | Admin Password | _(the password set during conductor initialization)_ | + + ![Conductor Managed Association](/img/deploy_u-iso11_cond-mngd-assoc-new.png) + +4. Click **ASSOCIATE**. + +5. The SSR130 reboots, contacts the conductor at `192.168.100.10`, and downloads its configuration. This process takes approximately 5–10 minutes. + +6. Disconnect the laptop from Port 3 and connect your LAN switch to **Port 3** (`ge-0-3`). + +--- + +## Method 2: Mist ZTP (Zero Touch Provisioning) + +Use this method for remote or zero-touch deployments where the device must self-onboard without any physical laptop connection. + +### Prerequisites + +- A Mist portal account is required (free). WAN Assurance subscription is **not** required. +- The conductor IP address (`192.168.100.10`) must be reachable from the branch WAN link. + +### Step 1 — Create a Mist Account and Organization + +If you do not have a Mist account, create one at [https://manage.mist.com](https://manage.mist.com). + +Once logged in, create an Organization: + +1. Select **Organization** → **Settings** from the left menu. +2. Enter an organization name and save. + +### Step 2 — Create a Site with the Conductor IP + +Each physical location where an SSR130 will be deployed needs a Mist site. The conductor IP address is added to the site so that SSR devices can receive their conductor address via ZTP. + +1. Select **Organization** → **Site Configuration** from the left menu. +2. Click **Create Site**. +3. Enter a site name (for example, `Branch-Dallas`). +4. Scroll to the **Session Smart Conductor Address** field and enter `192.168.100.10`. + + ![Session Smart Conductor Address](/img/wanas_conductor_ip_mist.png) + +5. Save the site. 
+ +### Step 3 — Physical Setup + +1. Connect **Port 0** (`ge-0-0`) to the ISP WAN Ethernet link providing: + - DHCP address assignment + - Internet connectivity (required to reach Mist) + +2. Connect your LAN devices to **Port 3** (`ge-0-3`). + +3. **Power on the device**. + +### Step 4 — Claim the Device + +Add the SSR130 to your Mist organization using the claim code on the device label: + +1. Locate the QR code / claim code label on the SSR130. + + ![Claim Code](/img/intro_wa_ssr130_quickstart_2.png) + +2. From the Mist portal, navigate to **Organization** → **Inventory**. +3. Click **Claim** and enter the claim code, or scan the QR code with the Mist mobile app. +4. Assign the device to the site created in Step 2. + +### Step 5 — Automatic Onboarding + +Once claimed and assigned to the site, the SSR130: + +1. Connects to Mist via Port 0 using the DHCP-assigned address. +2. Receives the conductor IP address from Mist. +3. Contacts the conductor at `192.168.100.10`. +4. Downloads and applies its staged configuration. + +No further interaction is required. Monitor onboarding progress from the Conductor GUI (see [Verify Onboarding](#verify-onboarding) below). + +--- + +## Verify Onboarding + +After the SSR130 connects to the conductor, verify the onboarding was successful from the **Conductor GUI**: + +1. Navigate to the **Routers** page. +2. The router (`branch1`) statuses may be **Re-Initializing**, **Synchronizing**, or **Running**. +3. Once fully synchronized, the status shows **Synchronized** and the router's asset ID appears under the router entry. 
+ +From the conductor **PCLI**, verify using: + +```bash +show assets +``` + +The output should show the router in a **Synchronized** or **Running** state: + +``` +admin@node0.conductor1# show assets +===================== ============== =========== + Asset ID Router Status +===================== ============== =========== + SSR130-ABC1234567 branch1 Synchronized +``` + +From the router, verify the SSR service is active: + +```bash +sudo systemctl status 128T +``` + +The service should be listed as `Active (running)`. + +## Next Step + +Proceed to [Upgrade Routers to 7.1.5](deploy_router_upgrade.mdx). diff --git a/docs/deploy_router_upgrade.mdx b/docs/deploy_router_upgrade.mdx new file mode 100644 index 0000000000..8b34ff823b --- /dev/null +++ b/docs/deploy_router_upgrade.mdx 
@@ -0,0 +1,132 @@ +--- +title: Upgrade Routers to SSR 7.1.5 +sidebar_label: Upgrade Routers +--- +import UpgradeNote701 from './_upgrade_701_conductor_note.md'; + +Once a router is onboarded and synchronized with the conductor, upgrade it to the latest version of SSR software, or a version equal to or less than the version currently installed on the managing conductor. Upgrades are initiated from the conductor and executed without requiring physical access to the router. + +:::note +The conductor must be running **SSR 7.1.5 or later** before upgrading any router to 7.1.5. The router software version cannot be higher than the conductor version. If you have not already upgraded the conductor to 7.1.5, do so first using the procedure in [Upgrading the Conductor](upgrade_ibu_conductor.mdx). +::: + + + +## Software Availability + +The conductor downloads the router software image from the Juniper software repository. The conductor must have: +- Valid Artifactory credentials configured +- Internet connectivity on the management network + +## Upgrade Using the Conductor GUI + +This is the recommended method for upgrading one or more routers. + +### Download the Software + +1. In the Conductor GUI, navigate to the **Routers** page. +2. Select **Software Lifecycle** at the top of the page. +3. Select **Initiate Upgrade** → **Download**. +4. Choose version `7.1.5` from the dropdown. +5. Select the router(s) to download to from the router list (for example, `branch1`). +6. Click **Start**. + +Monitor the download progress on the **Software Lifecycle** panel. Wait until the download status shows **Complete** before proceeding to the upgrade. + +### Run the Upgrade + +1. Return to **Software Lifecycle** and select **Upgrade**. +2. Select version `7.1.5`. +3. Select the router(s) to upgrade. +4. Click **Start**. + +The upgrade runs to completion with no interaction required. The router restarts automatically at the end of the process. 
+ +To view installation history, select **Lifecycle History** on the Software Lifecycle panel. + +## Upgrade Using the Conductor PCLI + +Use this method to upgrade routers from the command line. + +Log in to the conductor PCLI: + +```bash +ssh admin@192.168.100.10 +``` + +### Step 1 — View Assets + +Confirm the router is connected and show its current software version: + +```bash +show assets +``` + +Example output: +``` +===================== ============== =========== + Asset ID Router Status +===================== ============== =========== + SSR130-ABC1234567 branch1 Synchronized +``` + +### Step 2 — Check Available Versions + +```bash +show system software available router branch1 node node0 +``` + +Confirm version `7.1.5` appears in the output. + +### Step 3 — Download the Software + +```bash +request system software download router branch1 node node0 version 7.1.5 +``` + +Monitor download progress: + +```bash +show system software download router branch1 node node0 +``` + +Wait until the status shows `completed`. + +### Step 4 — Upgrade the Router + +```bash +request system software upgrade router branch1 node node0 version 7.1.5 +``` + +Monitor upgrade progress: + +```bash +show system software upgrade router branch1 node node0 +``` + +The router restarts when the upgrade completes. Allow 5–10 minutes for the router to come back online and re-synchronize with the conductor. + +### Step 5 — Verify the Upgrade + +After the router restarts: + +```bash +show assets +``` + +Confirm the router shows version `7.1.5` and a status of **Synchronized**. + +## Upgrading Multiple Routers + +To upgrade multiple routers efficiently: + +- From the GUI: select all target routers in the Software Lifecycle panel before clicking Start. +- From the PCLI: run separate `request system software download` commands per router, then upgrade each router after its download completes. + +:::tip +It is recommended to upgrade routers during a maintenance window. 
Internet traffic forwarding is briefly interrupted when the router restarts during the upgrade. +::: + +## Next Step + +Proceed to [Verify the Deployment](deploy_verify.md). diff --git a/docs/deploy_verify.md b/docs/deploy_verify.md new file mode 100644 index 0000000000..4969c11f4f --- /dev/null +++ b/docs/deploy_verify.md 
@@ -0,0 +1,132 @@ +--- +title: Verify the Deployment +sidebar_label: Verify the Deployment +--- + +This section confirms that the deployment is fully operational. Run each check in sequence to validate every layer of the stack. + +## 1. Verify Router-to-Conductor Connectivity + +From the **Conductor PCLI**, confirm all routers are synchronized: + +```bash +show assets +``` + +Expected output for a healthy deployment: + +``` +===================== ============== =========== + Asset ID Router Status +===================== ============== =========== + SSR130-ABC1234567 branch1 Synchronized +``` + +If a router shows **Disconnected** or remains in **Synchronizing** for more than 15 minutes, see [Troubleshooting Conductor Connectivity](ts_connecting_to_routers.md). + +## 2. Verify Router Software Version + +Confirm each router is running SSR 7.1.5: + +```bash +show system version router branch1 +``` + +Expected output: +``` +Fri 2026-04-17 10:00:00 UTC +=========== ============================== ============ + Router Version Status +=========== ============================== ============ + branch1 7.1.5-7.el7.x86_64 Running +``` + +## 3. Verify WAN Interface + +From the Conductor PCLI, confirm the WAN interface has received a DHCP address: + +```bash +show network-interface router branch1 node node0 name wan1 +``` + +Verify that: +- **Operational State** is `up` +- **Address** shows a DHCP-assigned IP address from the ISP + +Alternatively, from the Conductor GUI: +1. Navigate to **Routers** → `branch1`. +2. Select the **Interfaces** tab. +3. Verify `wan1` shows an IP address and is operationally `up`. + +## 4. Verify LAN Interface + +```bash +show network-interface router branch1 node node0 name lan1 +``` + +Verify that: +- **Operational State** is `up` +- **Address** shows `192.168.1.1/24` + +## 5. 
Verify Internet Service Forwarding + +From a LAN device in the `192.168.1.0/24` subnet, confirm internet connectivity: + +```bash +ping 8.8.8.8 +``` + +Or from the router's PCLI, trace a path for a LAN user to the internet: + +```bash +admin@node0.branch1# show fib router branch1 +``` + +Look for an entry matching `0.0.0.0/0` (the `Internet-Traffic` service) with a next-hop pointing to `wan1`. + +To confirm active session forwarding, from the Conductor PCLI: + +```bash +show sessions router branch1 +``` + +Traffic from LAN hosts (`192.168.1.0/24`, tenant `corp`) destined for the internet should appear as active sessions egressing `wan1`. + +## 6. Verify Internet Breakout with Source NAT + +From a LAN device, confirm that outbound traffic is source-NAT'd to the WAN IP: + +```bash +curl -s https://api.ipify.org +``` + +The returned IP address should match the WAN DHCP address assigned to `wan1` — not the LAN address. + +Alternatively, verify source NAT is applied from the PCLI: + +```bash +show nat entries router branch1 +``` + +Entries for LAN source addresses (`192.168.1.x`) translated to the WAN IP confirm internet breakout with NAT is working. + +## Summary Checklist + +| Check | Expected Result | +|-------|----------------| +| Router asset status | `Synchronized` | +| Router software version | `7.1.5` | +| WAN interface (`wan1`) | Operationally `up`, DHCP IP assigned | +| LAN interface (`lan1`) | Operationally `up`, address `192.168.1.1/24` | +| Management over forwarding | Default route via `kni254`; conductor SSH accessible | +| Internet service | FIB entry for `0.0.0.0/0` present, sessions forwarding | +| Source NAT | LAN traffic egresses with WAN IP as source | + +## Congratulations + +Your conductor-managed SSR network is fully operational. The SSR1200 conductor is managing the SSR130 branch router, which is forwarding internet traffic for LAN users and maintaining its management connection to the conductor over the WAN interface. 
+ +## Appendices + +- [Appendix Full Conductor Configuration](deploy_appendix_conductor.mdx) +- [Appendix Full Router Configuration](deploy_appendix_router.mdx) diff --git a/docs/deploy_vmware_conductor.mdx b/docs/deploy_vmware_conductor.mdx new file mode 100644 index 0000000000..98c3922916 --- /dev/null +++ b/docs/deploy_vmware_conductor.mdx 
@@ -0,0 +1,82 @@ +--- +title: "VMware ESXi Conductor Deployment Guide" +sidebar_label: Overview +--- +import Mermaid from '@theme/Mermaid'; +import NetworkDesign from './_deploy_vmware_conductor_network_design.md'; + +This guide walks a network engineer through deploying a **VMware ESXi virtual machine as a standalone SSR Conductor**. When you have completed the steps in this deployment, the conductor VM will be running SSR 7.1.4-3r2, configured with an authority name, conductor address, and shared services that allow branch routers to onboard and begin forwarding traffic. + +## Guide Topics + +| Step | Topic | Description | +|------|-------|-------------| +| 1 | [Create the VMware VM](deploy_vmware_conductor_vm.mdx) | Create and configure a VMware ESXi VM to host the conductor | +| 2 | [Install SSR 7.1.4-3r2 and Initialize the Conductor](deploy_vmware_conductor_install.mdx) | Boot the ISO, install SSR, and configure the conductor role | +| 3 | [Configure the Conductor](deploy_vmware_conductor_config.mdx) | Set the authority name, conductor address, tenant, and internet service | +| — | [Appendix — Conductor Configuration](deploy_appendix_vmware_conductor.mdx) | Complete VMware conductor PCLI configuration reference | + +## Network Topology + +The diagram below shows the logical network this guide builds. + +|"Internet"| ISP + ISP <-->|"DHCP"| Router + Router <-->|"Internet Breakout\n(service: Internet-Traffic)"| Internet + LAN <-->|"LAN"| Router + Router <-->|"Management over\nForwarding (WAN)\nPort 930 / 4505 / 4506"| Gateway + ConductorVM <-->|"Management"| Gateway +`}/> + +## Roles + +| Device | Type | Role | +|--------|------|------| +| `Conductor` | VMware ESXi VM | Standalone SSR Conductor — centralized management and provisioning | + +## Network Design Reference + + + +## Prerequisites + +Before beginning, ensure the following are available: + +- **VMware ESXi 7.0 or later** — administrative access to an ESXi host. 
+- **SSR 7.1.4-3r2 Universal ISO** — downloaded from [software.128technology.com](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local/) using your Juniper software access credentials. +- **Juniper software access credentials** — Artifactory username and password for software downloads and token provisioning. +- **Management network** — a VMware portgroup providing internet access for software downloads, with a static IP assignment available for the conductor VM. +- **Static IP assignment for the conductor** — the IP address assigned to the conductor must be reachable from each branch router's WAN interface (directly or via routing). This guide uses `192.168.100.10`. + +## Software Version Requirements + +This guide uses **SSR 7.1.4-3r2** on the conductor. + +:::note +The router software version cannot be higher than the conductor software version. +::: + +## Related Documentation + +- [System Requirements](intro_system_reqs) +- [Conductor Deployment Best Practices](bcp_conductor_deployment) +- [Management Traffic over Forwarding Interfaces](config_management_over_forwarding) +- [Onboard an SSR Device to a Conductor](onboard_ssr_to_conductor) +- [VMware Router Deployment Guide](deploy_vmware_router_overview.mdx) + + diff --git a/docs/deploy_vmware_conductor_config.mdx b/docs/deploy_vmware_conductor_config.mdx new file mode 100644 index 0000000000..75c25e120e --- /dev/null +++ b/docs/deploy_vmware_conductor_config.mdx 
@@ -0,0 +1,87 @@ +--- +title: "Step 3: Configure the Conductor" +sidebar_label: "Configure the Conductor" +--- +import NetworkDesign from './_deploy_vmware_conductor_network_design.md'; +import AuthorityName from './_set_authority_name.md'; +import SetConductorIP from './_set_conductor_ip.md'; +import ConductorAuthority from './_conductor_to_authority.md'; + +This step configures the authority-level settings on the conductor: the authority name, conductor address, internet service, and corporate tenant. These objects are shared across all routers managed by this conductor. + +All steps are performed from the **Conductor GUI** at `https://192.168.100.10` unless otherwise noted. + +## Network Design Reference + + + +## 1. Connect the Conductor to the Authority + + + +## 2. Set the Authority Name + + + +:::note +Use your organization's name as the authority name (for example, `Authority128`). The authority name cannot be changed after routers have been provisioned without re-onboarding them. +::: + +## 3. Set the Conductor Address + +The conductor address is the IP address that managed routers use to reach this conductor. It must be reachable from each branch router's WAN interface. + + + +For this guide, enter `192.168.100.10` as the conductor address. + +## 4. Create the Corporate Tenant + +Tenants logically partition the network. The `corp` tenant represents corporate LAN users and is referenced by the LAN interface configuration on each branch router. + +1. In the Conductor GUI, select **Configuration**. +2. Select **Authority**. +3. Scroll to **Tenants** and select **ADD**. +4. Enter the name `corp` and select **SAVE**. +5. Select **VALIDATE** then **COMMIT**. + +:::info +Tenants are authority-wide. A single `corp` tenant definition applies to all routers that assign it to a LAN interface. +::: + +## 5. Create the `Internet-Traffic` Service + +The *service* configuration element defines the IP destinations that the SSR routes. 
This step creates a single service representing all internet-bound traffic from corporate LAN users. + +1. Log in to the Conductor GUI. +2. Select **Configuration**. +3. Select **Authority** from the left panel. +4. Scroll down to **Services** and select **ADD**. +5. Enter the name `Internet-Traffic` and select **SAVE**. +6. On the Service screen, verify **Enabled** is set to `true`. +7. Scroll down to **Service Addresses** and select **ADD**. +8. Enter `0.0.0.0/0` and select **SAVE**. +9. Scroll down to **Access Policy** and select **ADD**. + - Set **Source** to `corp`. + - Select **SAVE**. +10. Select **VALIDATE** then **COMMIT**. + +## What Was Configured + +At the end of this step your authority contains: + +| Object | Name | Value | +|--------|------|-------| +| Authority | `Authority128` | | +| Conductor Address | | `192.168.100.10` | +| Tenant | `corp` | LAN-side user population | +| Service | `Internet-Traffic` | `0.0.0.0/0`, access from `corp` | + +The conductor is now ready to accept branch router onboarding. Continue to the appropriate router deployment guide to configure and onboard your branch routers. + +## Next Steps + +To deploy a branch router managed by this conductor, follow one of the router deployment guides: + +- [VMware Router Deployment Guide](deploy_vmware_router_overview.mdx) +- [SSR130 Router Deployment Guide](deploy_router_onboard.mdx) diff --git a/docs/deploy_vmware_conductor_install.mdx b/docs/deploy_vmware_conductor_install.mdx new file mode 100644 index 0000000000..419ec6e1a5 --- /dev/null +++ b/docs/deploy_vmware_conductor_install.mdx 
@@ -0,0 +1,109 @@ +--- +title: "Step 2: Install the SSR Software and Initialize the Conductor" +sidebar_label: "Install and Initialize" +--- + +This step boots the conductor VM from the SSR ISO, installs the software, and uses the web-based initialization interface to configure the VM as a standalone conductor with a static management IP. + +## Install SSR Software + +1. Select the VM in the ESXi Navigator and click the **Play** (Power On) button. + + ![Power On](/img/dep10-vm-start.png) + +2. At the Install menu, use the arrow keys to select **VGA Console**. + + ![Install Type](/img/dep10a-vm-vga.png) + +3. If you require FIPS mode, select Install Option 1 and press **Enter**. If FIPS is not required, press **Enter** without selecting an option. The download and installation begins. + + :::note + IDP is not compatible with systems running in FIPS 140-3 mode, including Common Criteria or JITC deployments. If you plan to enable IDP, do not enable FIPS mode. See [IDP Troubleshooting](ts_idp.md#fips-mode-and-idp) for information on disabling FIPS mode if needed. + ::: + + ![Install Options](/img/deploy-vmware-cloud-init-enabled1.png) + +4. The installation runs to completion automatically. This may take approximately 15–20 minutes. + + ![Install Progress](/img/deploy-vmware-cloud-init-enabled2.png) + +5. When prompted to reboot, allow the VM to restart. + + ![Install Complete](/img/deploy-vmware-cloud-init-enabled3.png) + +## Initialize the Conductor + +1. After the system boots, the SSR login screen appears. Login to the Conductor VM and run the command `su admin `to enter the PCLI. + + ![Install complete login](/img/deploy-vmware-init-login.png) + +2. From the CLI, run the command `initialize conductor router-name Conductor node-name node0 node-ip node-gateway dns-servers 8.8.8.8`, substituting your node ip address and node gateway ip address where appropriate. + + After a few seconds, the message `Device successfully initialized` is displayed. 
The conductor VM will reboot, and then reboot a second time. + +3. After the second reboot, log in to the Conductor VM and run the command `systemctl is-active 128T` until `Active` is displayed. + +4. Open a browser tab on your computer and navigate to `https://` in order to initiate a web session to the conductor GUI. + + ![Self signed Certificate warning](/img/dep11-vm-access-gui.png) + +5. Accept the self-signed certificate warning, and begin the intialization process. + + ![Initialization UI](/img/u-iso8_launch_gui.png) + +6. Under **SSR Managed**, select **SSR Conductor**. + + ![SSR Conductor Selection](/img/u-iso8a_initialize_conductor.png) + +7. On the Conductor Association screen, enter the conductor name you selected. + + ![Conductor Configuration](/img/deploy_u-iso9_define_conductor.png) + +8. Select **STANDALONE** for a single-conductor deployment. + +9. Select the **STATIC** address type, and enter the following information: + + | Field | Example Value | Notes | + |-------|--------------|-------| + | Node IP Address | `192.168.100.10` | Static management IP | + | Node Gateway | `192.168.100.1` | Management network gateway | + | Interface Name | `mgmt-0-0` | Management interface | + | DNS Server | `8.8.8.8` | Required for software downloads | + | Admin Password | _(your choice)_ | Minimum 8 chars, 1 upper, 1 lower, 1 number | + + :::note + The admin, root, and t128 accounts are all set to the password you enter here. Record this password securely — it cannot be recovered if lost, only reset with root access. + ::: + +10. Place a check next to **Provide Artifactory Credentials** and enter the username and token used to access the Juniper/HPE SSR software download pages. + + | Field | Example Value | Notes | + |-------|--------------|-------| + | Artifactory Username | _(your username)_ | Juniper software access | + | Artifactory Password | _(your token)_ | Juniper software access token | + +11. Click **ASSOCIATE**. 
+ +The VM reboots and comes online as a conductor. This process takes approximately 5–10 minutes. + +## Verify the Installation + +After the VM restarts, confirm the conductor is accessible on the management network: + +1. Reconnect your laptop to the management network. Remove the static `192.168.128.x` address you assigned earlier and obtain a management network address. + +2. Open a web browser and navigate to: + + ``` + https://192.168.100.10 + ``` + +3. Log in with username `admin` and the password set during initialization. + + ![Login to the Conductor](/img/dep-1200-cond-login.png) + + A successful login confirms the conductor is running and reachable on the management network. + +## Next Step + +Proceed to [Step 3 — Configure the Conductor](deploy_vmware_conductor_config.mdx). diff --git a/docs/deploy_vmware_conductor_vm.mdx b/docs/deploy_vmware_conductor_vm.mdx new file mode 100644 index 0000000000..6002d85c93 --- /dev/null +++ b/docs/deploy_vmware_conductor_vm.mdx 
@@ -0,0 +1,28 @@ +--- +title: "Step 1: Create the VMware Conductor VM" +sidebar_label: "Create the VMware VM" +--- +import CreateVM from './_vmware_vm_create.md'; + +This step creates the VMware ESXi virtual machine that will host the SSR conductor. A standalone conductor requires a minimum of **one VMXNet3 network adapter** connected to the management network that will be reachable from all branch routers. + +## VM Minimum Requirements + +| Resource | Minimum Value | Notes | +|----------|---------------|-------| +| vCPUs | `4` | Expand for deployments with more than 25 managed routers | +| Scheduling Affinity | `0-3` | Set under CPU → expand | +| Memory | `8 GB` | | +| Disk | `60 GB` | | +| Network Adapters | 1 × VMXNet3 | Connected to the management network portgroup | +| Boot Firmware | EFI | UEFI secure boot disabled | + +:::note +For guidance on scaling the conductor for larger deployments, see [Conductor Scaling Recommendations](intro_system_reqs.md#conductor-scaling-recommendations). +::: + + + +## Next Step + +Proceed to [Step 2 — Install SSR 7.1.4 and Initialize the Conductor](deploy_vmware_conductor_install.mdx). diff --git a/docs/deploy_vmware_router_config.mdx b/docs/deploy_vmware_router_config.mdx new file mode 100644 index 0000000000..64066591cf --- /dev/null +++ b/docs/deploy_vmware_router_config.mdx 
@@ -0,0 +1,192 @@ +--- +title: "Step 4: Configure the Router on the Conductor" +sidebar_label: "Configure the Router" +--- +import NetworkDesign from './_deploy_vmware_router_network_design.md'; + +With the router VM initialized and connected to the conductor, you can now stage the full router configuration on the conductor. Once you commit the configuration, the conductor pushes it to the router and the router comes fully online. + +All steps are performed from the **Conductor GUI** at `https://192.168.100.10`. Complete all steps before committing. + +:::note +Your conductor must already have the following objects configured before proceeding: + +- **Authority name** — set to your organization's name. +- **Conductor address** — set to `192.168.100.10`. +- **`corp` tenant** — the LAN-side user tenant. +- **`Internet-Traffic` service** — with address `0.0.0.0/0` and access policy permitting `corp`. + +If any of these are missing, complete [Configure the Conductor](deploy_conductor_config.mdx) first. +::: + +## Network Design Reference + + + +## 1. Create the Router + +1. Log in to the Conductor GUI. +2. Select **Configuration**. +3. Under **Authority**, scroll to **Routers** and select **ADD**. +4. Enter the router name `branch1` and select **SAVE**. +5. Set the following fields on the Router screen: + + | Field | Value | Notes | + |-------|-------|-------| + | Location | `+32.7767-096.7970/` | ISO 6709 coordinates; update for your site | + | Inter-node Security | `internal` | Required for SVR between nodes | + +6. Select **SAVE** (do not commit yet). + +## 2. Create the Node + +1. Scroll down to **Nodes** and select **ADD**. +2. Enter the node name `node0` and select **SAVE**. +3. 
Set the following fields: + + | Field | Value | Notes | + |-------|-------|-------| + | Role | `combo` | Router acts as both control and data plane | + | Asset ID | `branch1` | The asset ID reported in [Step 2](deploy_vmware_router_install.mdx#find-the-router-asset-id) | + + :::important + The asset ID must exactly match the value shown by `show assets` on the conductor. For a VMware vSSR, this is typically the router name entered during initialization. + ::: + +4. Select **SAVE**. + +## 3. Configure the WAN Interface + +The WAN interface (NIC 1) connects to the ISP, obtains a DHCP address, and carries both internet forwarding and conductor management traffic via [Management over Forwarding](config_management_over_forwarding.md). + +### 3a. Create the WAN Device Interface + +1. Under the Node, scroll to **Device Interfaces** and select **ADD**. +2. Enter the name `wan-dev` and select **SAVE**. +3. Set the following fields: + + | Field | Value | Notes | + |-------|-------|-------| + | Type | `ethernet` | | + | PCI Address | _(WAN PCI address from [Step 3](deploy_vmware_router_pci.mdx))_ | For example, `0000:0b:00.0` | + | Forwarding | `true` | | + +4. Select **SAVE**. + +### 3b. Create the WAN Network Interface + +1. Under the WAN Device Interface, scroll to **Network Interfaces** and select **ADD**. +2. Enter the name `wan1` and select **SAVE**. +3. Set the following fields: + + | Field | Value | Notes | + |-------|-------|-------| + | Type | `external` | | + | DHCP | `v4` | WAN IP assigned by ISP DHCP | + | Conductor | `true` | Marks this interface for conductor connectivity | + | Default Route | `true` | Linux uses this interface as its default route | + | Source NAT | `true` | Required for management over forwarding | + | Management | `true` | Enables management over forwarding on this interface | + +4. Scroll down to **Management Vector** and select **ADD**. + - Enter name `mgmt-vec-wan` and priority `10`. + - Select **SAVE**. + +5. 
Scroll down to **Neighborhoods** and select **ADD**. + - Select `internet` as the neighborhood name. + - Verify **Topology** is set to `spoke`. + - Select **SAVE**. + +6. Select **SAVE**. + +:::important +`Source NAT` and `Default Route` must both be set to `true` on the WAN management interface. Management traffic originates from the `169.254.x.x` range and must be source-NAT'd to a routable address before leaving the interface. The default route ensures Linux routes non-SVR traffic through the SSR forwarding engine. +::: + +## 4. Configure the LAN Interface + +The LAN interface (NIC 2) connects to the branch LAN and assigns the `corp` tenant to traffic arriving from that direction. + +### 4a. Create the LAN Device Interface + +1. Return to the **Node** level and scroll to **Device Interfaces**, then select **ADD**. +2. Enter the name `lan-dev` and select **SAVE**. +3. Set the following fields: + + | Field | Value | Notes | + |-------|-------|-------| + | Type | `ethernet` | | + | PCI Address | _(LAN PCI address from [Step 3](deploy_vmware_router_pci.mdx))_ | For example, `0000:13:00.0` | + | Forwarding | `true` | | + +4. Select **SAVE**. + +### 4b. Create the LAN Network Interface + +1. Under the LAN Device Interface, scroll to **Network Interfaces** and select **ADD**. +2. Enter the name `lan1` and select **SAVE**. +3. Set the following fields: + + | Field | Value | Notes | + |-------|-------|-------| + | Type | `external` | | + | Tenant | `corp` | Assigns all LAN traffic to the corp tenant | + +4. Scroll down to **Interface Addresses** and select **ADD**. + - IP Address: `192.168.1.1` + - Prefix Length: `24` + - Select **SAVE**. + +5. Select **SAVE**. + +## 5. Configure DNS + +Configure DNS so the router can resolve FQDNs for conductor connectivity and software downloads. + +1. Return to the **Router** level. +2. Scroll to **DNS Config** and select **ADD**. +3. Set **Mode** to `manual` and enter DNS server addresses — for example, `1.1.1.1` and `8.8.8.8`. +4. 
Select **SAVE**. + +## 6. Create the Internet Service Route + +The service route directs traffic matched by the `Internet-Traffic` service out through the WAN interface as a direct internet breakout. + +1. Return to the **Router** level. +2. Scroll to **Service Routes** and select **ADD**. +3. Enter the name `internet-route` and select **SAVE**. +4. Set the following fields: + + | Field | Value | + |-------|-------| + | Service Name | `Internet-Traffic` | + | Service Route Type | `service-agent` | + +5. Scroll to **Next Hop** and select **ADD**. + - Node: `node0` + - Network Interface: `wan1` + - Select **SAVE**. + +6. Select **VALIDATE** and **COMMIT**. + +## Configuration Summary + +After committing, the conductor pushes the following configuration to `branch1`. The router applies the configuration and comes fully online within approximately 2–5 minutes. + +| Object | Name | Key Settings | +|--------|------|-------------| +| Router | `branch1` | combo node, asset-id `branch1` | +| WAN Device Interface | `wan-dev` | VMware WAN NIC PCI address, forwarding enabled | +| WAN Network Interface | `wan1` | DHCP, conductor, default-route, source-nat, management, neighborhood `internet` | +| LAN Device Interface | `lan-dev` | VMware LAN NIC PCI address, forwarding enabled | +| LAN Network Interface | `lan1` | tenant `corp`, address `192.168.1.1/24` | +| DNS Config | manual | servers `1.1.1.1`, `8.8.8.8` | +| Service Route | `internet-route` | service `Internet-Traffic`, type `service-agent`, next-hop `node0/wan1` | + +## Next Step + +Proceed to [Step 5 — Upgrade the Router to SSR 7.1.5](deploy_router_upgrade.mdx). + +:::note +If you installed from the SSR 7.1.5 ISO in [Step 2](deploy_vmware_router_install.mdx), the router is already running 7.1.5 and the upgrade step can be skipped. Run `show system version router branch1` on the conductor to confirm the installed version before proceeding. +::: 
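Review bot: In the Next Step section of docs/deploy_vmware_router_config.mdx, the closing note makes the upgrade conditional on having installed from the SSR 7.1.5 ISO in Step 2, but Step 2 is titled "Install SSR 7.1.5 and Initialize the Router", so as written the router is always on 7.1.5 and Step 5 is always skipped. Either drop the "Proceed to Step 5" line for this guide and keep only the `show system version router branch1` check, or say which ISO versions Step 2 supports. Also, the prerequisites note links to `deploy_conductor_config.mdx`, while the conductor configuration page added in this patch is `deploy_vmware_conductor_config.mdx`; please confirm the link target is the intended one.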
diff --git a/docs/deploy_vmware_router_install.mdx b/docs/deploy_vmware_router_install.mdx new file mode 100644 index 0000000000..1f16107b4e --- /dev/null +++ b/docs/deploy_vmware_router_install.mdx 
@@ -0,0 +1,103 @@ +--- +title: "Step 2: Install SSR 7.1.5 and Initialize the Router" +sidebar_label: "Install and Initialize" +--- + +This step boots the router VM from the SSR ISO, installs the software, and uses the web-based initialization interface to configure the VM as a conductor-managed branch router. + +## Install SSR 7.1.5 + +1. Select the new router VM in the ESXi Navigator and click the **Play** (Power On) button. + + ![Power On](/img/vmware_pwr-on.png) + +2. The VM boots into the SSR installation menu. At the boot image selection screen, select the SSR 7.1.5 image and press **Enter**. + + ![Choose Image](/img/u-iso2_choose_image.png) + +3. At the Install menu, use the arrow keys to select **VGA Console**. + + ![Install Type](/img/u-iso3_choose_install_type.png) + +4. If you require FIPS mode, select Install Option 1 and press **Enter**. If FIPS is not required, press **Enter** without selecting an option. The download and installation begins. + + :::note + IDP is not compatible with systems running in FIPS 140-3 mode, including Common Criteria or JITC deployments. If you plan to enable IDP, do not enable FIPS mode. See [IDP Troubleshooting](ts_idp.md#fips-mode-and-idp) for information on disabling FIPS mode if needed. + ::: + + ![Install Options](/img/deploy-vmware-cloud-init-enabled1.png) + +5. The installation runs to completion automatically. This may take approximately 15–20 minutes. + + ![Install Progress](/img/deploy-vmware-cloud-init-enabled2.png) + +6. When prompted to reboot, allow the VM to restart. + + ![Install Complete](/img/deploy-vmware-cloud-init-enabled3.png) + +## Initialize the Router + +After the first boot, the SSR software exposes a web-based initialization interface at `192.168.128.1` on all interfaces. Use this interface to configure the VM as a conductor-managed router and associate it with the conductor. + +1. Connect a workstation to the same VMware portgroup as the router's **LAN NIC** (NIC 2). 
Assign the workstation a static IP address in the `192.168.128.0/24` subnet — for example, `192.168.128.2/24`. + + :::note + The initialization web interface is accessible at `192.168.128.1` before initialization is complete. After the router reboots with its full configuration applied, this address is no longer reachable. + ::: + +2. Open a web browser and navigate to: + + ``` + https://192.168.128.1 + ``` + + Accept the self-signed certificate warning. + + ![Initialization UI](/img/u-iso8_launch_gui.png) + +3. Under **SSR Managed**, select **SSR Router Managed via Conductor**. + + ![SSR Conductor-managed router](/img/u-iso10_cond-mngd_router.png) + +4. Enter the following information: + + | Field | Value | Notes | + |-------|-------|-------| + | Router Name | `branch1` | Must match the router name you will configure on the conductor in [Step 4](deploy_vmware_router_config.mdx) | + | Conductor IP Address | `192.168.100.10` | IP address of the pre-existing conductor | + | Admin Password | _(your choice)_ | Minimum 8 characters, 1 upper, 1 lower, 1 number | + + ![Conductor Managed Association](/img/deploy_u-iso11_cond-mngd-assoc-new.png) + +5. Click **ASSOCIATE**. + +6. The router reboots, contacts the conductor at `192.168.100.10`, and waits for a matching configuration. If no configuration is staged on the conductor yet, the router remains in a **Waiting for Configuration** state until you complete [Step 4 — Configure the Router on the Conductor](deploy_vmware_router_config.mdx). + +## Find the Router Asset ID + +After the router contacts the conductor, it reports its **asset ID** — the identifier the conductor uses to match this device to its staged configuration. + +From the **Conductor PCLI**, run: + +```text +show assets +``` + +The router appears in the output. Note the **Asset ID** value — you will need it when staging the router configuration in [Step 4](deploy_vmware_router_config.mdx#2-create-the-node). 
+ +Example output: + +``` +===================== ============================== =========== + Asset ID Router Status +===================== ============================== =========== + branch1 (unprovisioned) Connected +``` + +:::tip +For a VMware vSSR, the asset ID is typically the router name you entered during initialization — in this example, `branch1`. +::: + +## Next Step + +Proceed to [Step 3 — Find VM NIC PCI Addresses](deploy_vmware_router_pci.mdx). diff --git a/docs/deploy_vmware_router_overview.mdx b/docs/deploy_vmware_router_overview.mdx new file mode 100644 index 0000000000..a48d418454 --- /dev/null +++ b/docs/deploy_vmware_router_overview.mdx 
@@ -0,0 +1,94 @@ +--- +title: "Deploying a VMware Router" +sidebar_label: Overview +--- +import Mermaid from '@theme/Mermaid'; +import NetworkDesign from './_deploy_vmware_router_network_design.md'; + +This guide walks a network engineer through deploying a **VMware ESXi virtual machine as a conductor-managed SSR branch router**. By the end of the guide, the VMware router VM will be running SSR 7.1.5, managed by an existing SSR conductor, and forwarding internet traffic from LAN users with management traffic returning to the conductor over the same WAN interface used for internet breakout. + +:::note +This guide assumes a conductor is already installed and running SSR 7.1.5. If you have not yet deployed a conductor, complete one of the conductor deployment guides first: + +- [SSR1200 Conductor Deployment Guide](deploy_overview.mdx) +- [VMware ESXi Conductor Deployment Guide](deploy_vmware_conductor.mdx) +::: + +## Guide Topics + +| Step | Topic | Description | +|------|-------|-------------| +| 1 | [Create the VMware VM](deploy_vmware_router_vm.mdx) | Create and configure a VMware ESXi VM to host the branch router | +| 2 | [Install SSR 7.1.5 and Initialize the Router](deploy_vmware_router_install.mdx) | Boot the ISO, install SSR software, and initialize the VM as a conductor-managed router | +| 3 | [Find VM NIC PCI Addresses](deploy_vmware_router_pci.mdx) | Identify the WAN and LAN VMXNet3 NIC PCI addresses required for the router configuration | +| 4 | [Configure the Router on the Conductor](deploy_vmware_router_config.mdx) | Stage the router configuration on the conductor so it can be applied after onboarding | +| 5 | [Upgrade the Router to SSR 7.1.5](deploy_router_upgrade.mdx) | Upgrade the onboarded router to SSR 7.1.5 from the conductor, if the router is not already at 7.1.5 | +| 6 | [Verify the Deployment](deploy_verify.md) | Confirm connectivity, management, and internet forwarding | +| — | [Appendix — Router Configuration](deploy_appendix_vmware_router.mdx) 
| Complete VMware router PCLI configuration example | + +## Network Topology + +The diagram below shows the logical network this guide builds. + +|"Internet"| ISP + ISP <-->|"DHCP"| RouterVM + RouterVM <-->|"Internet Breakout\n(service: Internet-Traffic)"| Internet + Clients <-->|"LAN"| RouterVM + RouterVM <-->|"Management over Forwarding\n(WAN — Port 930 / 4505 / 4506)"| Gateway + ConductorVM <-->|"Management"| Gateway +`}/> + +## Roles + +| Device | Type | Role | +|--------|------|------| +| `conductor1` | SSR1200 or VMware ESXi VM | Pre-existing conductor — centralized management and provisioning | +| `branch1` | VMware ESXi VM (vSSR) | Conductor-managed branch router — internet breakout and LAN services | + +## Network Design Reference + + + +## Prerequisites + +Before beginning, ensure the following are available: + +- **VMware ESXi 7.0 or later** — administrative access to an ESXi host. +- **SSR 7.1.5 Universal ISO** — downloaded from [software.128technology.com](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local/) using your Juniper software access credentials. +- **Juniper software access credentials** — Artifactory username and password for software downloads and token provisioning. +- **Pre-existing conductor** — running SSR 7.1.5 at a static IP reachable from the router WAN. This guide uses `192.168.100.10`. +- **WAN portgroup** — a VMware portgroup with an ISP Ethernet link that provides DHCP. +- **LAN portgroup** — a VMware portgroup connected to your branch LAN switch. +- **Internet access on the WAN link** — required for the router to contact the conductor and download software updates. + +## Software Version Requirements + +This guide targets **SSR 7.1.5** on the router. + +:::note +The router software version cannot be higher than the conductor software version. Ensure the conductor is already running SSR 7.1.5 before upgrading any router to that version. 
+::: + +## Related Documentation + +- [VMware ESXi Conductor Deployment Guide](deploy_vmware_conductor.mdx) +- [SSR1200 Conductor Deployment Guide](deploy_overview.mdx) +- [Management Traffic over Forwarding Interfaces](config_management_over_forwarding.md) +- [Conductor Deployment Best Practices](bcp_conductor_deployment.md) diff --git a/docs/deploy_vmware_router_pci.mdx b/docs/deploy_vmware_router_pci.mdx new file mode 100644 index 0000000000..d229c6e843 --- /dev/null +++ b/docs/deploy_vmware_router_pci.mdx @@ -0,0 +1,22 @@ +--- +title: "Step 3: Find VM NIC PCI Addresses" +sidebar_label: "Find NIC PCI Addresses" +--- +import FindPCI from './_vmware_router_find_pci.md'; + +The SSR router configuration binds each logical interface to a specific physical NIC using that NIC's PCI address. VMware assigns PCI addresses dynamically based on the VM's hardware slot configuration, so you must discover the actual values from the running router VM before configuring the device interface bindings on the conductor. + + + +## Record Your PCI Addresses + +Before proceeding to the next step, record the discovered PCI addresses. You will enter these values in [Step 4 — Configure the Router on the Conductor](deploy_vmware_router_config.mdx). + +| Interface | PCI Address | +|-----------|------------| +| WAN (`wan-dev`) | _(your value)_ | +| LAN (`lan-dev`) | _(your value)_ | + +## Next Step + +Proceed to [Step 4 — Configure the Router on the Conductor](deploy_vmware_router_config.mdx). diff --git a/docs/deploy_vmware_router_vm.mdx b/docs/deploy_vmware_router_vm.mdx new file mode 100644 index 0000000000..4bff80b96e --- /dev/null +++ b/docs/deploy_vmware_router_vm.mdx 
@@ -0,0 +1,24 @@ +--- +title: "Step 1: Create the VMware Router VM" +sidebar_label: "Create the VMware VM" +--- +import CreateVM from './_vmware_router_vm_create.md'; + +This step creates the VMware ESXi virtual machine that will host the SSR branch router. The VM requires **two VMXNet3 network adapters**: NIC 1 connected to the WAN portgroup and NIC 2 connected to the LAN portgroup. + +## VM Minimum Requirements + +| Resource | Minimum Value | Notes | +|----------|---------------|-------| +| vCPUs | `4` | | +| Scheduling Affinity | `0-3` | Set under CPU → expand | +| Memory | `8 GB` | | +| Disk | `60 GB` | | +| Network Adapters | 2 × VMXNet3 | NIC 1 = WAN portgroup, NIC 2 = LAN portgroup | +| Boot Firmware | EFI | UEFI secure boot disabled | + + + +## Next Step + +Proceed to [Step 2 — Install SSR 7.1.5 and Initialize the Router](deploy_vmware_router_install.mdx). diff --git a/docs/install_vmware_config.mdx b/docs/install_vmware_config.mdx index b3bdaac6c3..bd0f5671bf 100644 --- a/docs/install_vmware_config.mdx +++ b/docs/install_vmware_config.mdx 
@@ -115,42 +115,41 @@ After creating a new virtual machine, the screen returns to the VMware navigator ![VM Complete](/img/vmware_finish.png) -Ensure that the new virtual machine is selected and click the “Play” icon or the “Power on” button. +1. Select the new VM in the ESXi Navigator and click the **Play** (Power On) button. -![Power On](/img/vmware_pwr-on.png) + ![Power On](/img/vmware_pwr-on.png) -The virtual machine boots into the Juniper Install menu. Click in the Play window to expand it, and click in the window to activate the up and down arrows. Use the arrows to select **VGA: Interactive Install 128T (your version number)**. If you do not make a selection, the system will default to booting into the **Serial Console** mode. +2. The VM boots into the SSR installation menu. At the boot image selection screen, select the SSR 7.1.5 image and press **Enter**. -![VGA Boot with Interactive Install](/img/install_select_interactive_vmware.png) + ![Choose Image](/img/u-iso2_choose_image.png) -During the install process, the status is displayed on the screen. +2. At the Install menu, use the arrow keys to select **VGA Console**. -![Status screen](/img/vmware_install_status.png) + ![Install Type](/img/u-iso3_choose_install_type.png) -After the Linux installation completes, the SSR software installation begins. Note that this may take several minutes to complete (approximately 20 minutes). After the installation has completed, the following screen is displayed: Select “Yes” and press enter. +3. If you are installing a FIPS enabled system, select Install Option 1, then press **Enter**. -![Installation Complete](/img/intro_installation_bootable_media_install_complete.png) + If you do not require FIPS, skip the options and select **Enter**. The download and installation begins. -If the Installed Packages screen does not automatically display, select the window and press the Enter key. 
+ :::note + IDP is not currently compatible with systems running in FIPS 140-3 mode, including Common Criteria or JITC deployments. -### Initial Boot and Next Steps + If after installation you require IDP, FIPS mode must be disabled on the target system if IDP is to be enabled. Refer to [IDP Troubleshooting](ts_idp.md#fips-mode-and-idp) for information to disable FIPS mode. + ::: + + ![Install Options](/img/deploy-vmware-cloud-init-enabled1.png) -From the VMware Navigator, select the new virtual machine and click the **Play** icon or the **Power on** button to launch the virtual machine. +4. The installation runs to completion automatically. This may take approximately 15–20 minutes. -![VMWare Power On](/img/vmware_pwr-on.png) + ![Install Progress](/img/deploy-vmware-cloud-init-enabled2.png) -When the system boots from the `Install 128T Routing Software...` Interactive Installation work flow, the system asks whether to configure initial Linux Networking before the SSR Initializer is started. +5. When prompted to reboot, allow the device to restart. -![128T NetManager TUI Start](/img/vmware_initializer1.png) + ![Install Complete](/img/deploy-vmware-cloud-init-enabled3.png) -Selecting `Yes` launches the NMTUI application to perform an initial network interface setup. +If you are installing a Conductor, please refer to [Step 3 Configure the Conductor](deploy_vmware_conductor_config.mdx) in the VMWare Conductor Deployment Guide. -![128T NetManager TUI Option](/img/vmware_initializer2.png)) +To install a Conductor-managed Router, see [Initialize a Conductor-Managed Router](initialize_u-iso_device.md#initialize-a-conductor-managed-router). -If you are installing a Conductor, please refer to the following documentation to complete the Linux configuration and Conductor initialization. 
- -- [Single Conductor Interactive Install](single_conductor_install.mdx) -- [High Availability Conductor Installation](ha_conductor_install.mdx) - -For Router installation information, see [Router Interactive Installation](intro_installation_bootable_media.mdx). +To install a Mist-managed Router, see [Initialize a Mist-Managed Router](initialize_u-iso_device.md#initialize-a-mist-managed-router). diff --git a/docs/intro_system_reqs.md b/docs/intro_system_reqs.md index 89a9742355..219e4388a4 100644 --- a/docs/intro_system_reqs.md +++ b/docs/intro_system_reqs.md @@ -8,7 +8,7 @@ The Session Smart Networking Platform runs on both bare metal servers and as a v ### Minimum Platform Specifications -These are the minimum platform specifications for running the SSR Networking Platform software, on bare-metal or for the host platform when running virtualized SSR. +These are the minimum platform specifications for running the SSR Networking Platform software, on bare-metal, or for the host platform when running virtualized SSR (vSSR). - 4 Core x86_64-v2 processor, single socket - 8GB Memory, ECC required diff --git a/sidebars.js b/sidebars.js index aab0d8075e..7f54653b54 100644 --- a/sidebars.js +++ b/sidebars.js 
@@ -7,6 +7,79 @@ module.exports = { "about_releases", "about_support_policy", ], + "Deployment Guides": [ + "deploy_guides_overview", + { + "type": "category", + "label": "Conductor Deployment Guides", + "items": [ + { + "type": "category", + "label": "SSR1200 Conductor", + "items": [ + "deploy_overview", + "deploy_conductor_install", + "deploy_conductor_config", + "deploy_router_config", + "deploy_appendix_conductor", + ], + }, + { + "type": "category", + "label": "VMware ESXi Conductor", + "items": [ + "deploy_vmware_conductor", + "deploy_vmware_conductor_vm", + "deploy_vmware_conductor_install", + "deploy_vmware_conductor_config", + "deploy_appendix_vmware_conductor", + ], + }, + { + "type": "category", + "label": "AWS Conductor", + "items": [ + "deploy_aws_conductor", + ], + }, + ], + }, + { + "type": "category", + "label": "Router Deployment Guides", + "items": [ + { + "type": "category", + "label": "SSR130 Router", + "items": [ + "deploy_router_onboard", + "deploy_router_upgrade", + "deploy_verify", + "deploy_appendix_router", + ], + }, + { + "type": "category", + "label": "VMware Router", + "items": [ + "deploy_vmware_router_overview", + "deploy_vmware_router_vm", + "deploy_vmware_router_install", + "deploy_vmware_router_pci", + "deploy_vmware_router_config", + "deploy_appendix_vmware_router", + ], + }, + { + "type": "category", + "label": "AWS Router", + "items": [ + "deploy_aws", + ], + }, + ], + }, + ], "Release Notes": [ { "type": "category", @@ -76,7 +149,7 @@ module.exports = { "release_notes_byol_3.0", "release_notes_byol_2.0", "release_notes_byol" - ] + ], }, ], "Hardware Support":[ diff --git a/src/pages/index.js b/src/pages/index.js index 618eb8cf10..16be8bece9 100644 --- a/src/pages/index.js +++ b/src/pages/index.js 
@@ -98,11 +98,11 @@ const features = [ ), }, { - title: <>Best Practices, - link: 'docs/bcp_sdwan_design_guide', + title: <>Deployment Guides, + link: 'docs/deploy_guides_overview', description: ( <> - Recommended guides and design patterns + Deployment Guides for virtual and physical SSR devices. ), }, diff --git a/static/img/conductor_address.png b/static/img/conductor_address.png index bf66400917..a6a85ecb75 100644 Binary files a/static/img/conductor_address.png and b/static/img/conductor_address.png differ diff --git a/static/img/dep-1200-cond-login.png b/static/img/dep-1200-cond-login.png new file mode 100644 index 0000000000..037b1ebe0d Binary files /dev/null and b/static/img/dep-1200-cond-login.png differ diff --git a/static/img/dep1-vm-create-vm.png b/static/img/dep1-vm-create-vm.png new file mode 100644 index 0000000000..16bedbfb60 Binary files /dev/null and b/static/img/dep1-vm-create-vm.png differ diff --git a/static/img/dep10-vm-start.png b/static/img/dep10-vm-start.png new file mode 100644 index 0000000000..109d8b4663 Binary files /dev/null and b/static/img/dep10-vm-start.png differ diff --git a/static/img/dep10a-vm-vga.png b/static/img/dep10a-vm-vga.png new file mode 100644 index 0000000000..e96b207b99 Binary files /dev/null and b/static/img/dep10a-vm-vga.png differ diff --git a/static/img/dep11-vm-access-gui.png b/static/img/dep11-vm-access-gui.png new file mode 100644 index 0000000000..1f96a70b1e Binary files /dev/null and b/static/img/dep11-vm-access-gui.png differ diff --git a/static/img/dep12-vm-conf-conductor.png b/static/img/dep12-vm-conf-conductor.png new file mode 100644 index 0000000000..c4ebd1b0f3 Binary files /dev/null and b/static/img/dep12-vm-conf-conductor.png differ diff --git a/static/img/dep13-vm-conductor-commit.png b/static/img/dep13-vm-conductor-commit.png new file mode 100644 index 0000000000..5e427900de Binary files /dev/null and b/static/img/dep13-vm-conductor-commit.png differ 
diff --git a/static/img/dep2-vm-creation-type.png b/static/img/dep2-vm-creation-type.png new file mode 100644 index 0000000000..56867fbc45 Binary files /dev/null and b/static/img/dep2-vm-creation-type.png differ diff --git a/static/img/dep3-vm-name-os.png b/static/img/dep3-vm-name-os.png new file mode 100644 index 0000000000..44d478036f Binary files /dev/null and b/static/img/dep3-vm-name-os.png differ diff --git a/static/img/dep4-vm-storage.png b/static/img/dep4-vm-storage.png new file mode 100644 index 0000000000..95b38b73ae Binary files /dev/null and b/static/img/dep4-vm-storage.png differ diff --git a/static/img/dep5-vm-params.png b/static/img/dep5-vm-params.png new file mode 100644 index 0000000000..ea09798b96 Binary files /dev/null and b/static/img/dep5-vm-params.png differ diff --git a/static/img/dep6-vm-nics.png b/static/img/dep6-vm-nics.png new file mode 100644 index 0000000000..8813614a92 Binary files /dev/null and b/static/img/dep6-vm-nics.png differ diff --git a/static/img/dep7-vm-selectversion.png b/static/img/dep7-vm-selectversion.png new file mode 100644 index 0000000000..65ed09a1b9 Binary files /dev/null and b/static/img/dep7-vm-selectversion.png differ diff --git a/static/img/dep8-vm-confirm.png b/static/img/dep8-vm-confirm.png new file mode 100644 index 0000000000..54a7b5bdab Binary files /dev/null and b/static/img/dep8-vm-confirm.png differ diff --git a/static/img/dep9-vm-summary.png b/static/img/dep9-vm-summary.png new file mode 100644 index 0000000000..fadb83bc76 Binary files /dev/null and b/static/img/dep9-vm-summary.png differ diff --git a/static/img/deploy-vmware-cloud-init-enabled1.png b/static/img/deploy-vmware-cloud-init-enabled1.png new file mode 100644 index 0000000000..da9007e801 Binary files /dev/null and b/static/img/deploy-vmware-cloud-init-enabled1.png differ 
diff --git a/static/img/deploy-vmware-cloud-init-enabled2.png b/static/img/deploy-vmware-cloud-init-enabled2.png new file mode 100644 index 0000000000..f0b454ae39 Binary files /dev/null and b/static/img/deploy-vmware-cloud-init-enabled2.png differ diff --git a/static/img/deploy-vmware-cloud-init-enabled3.png b/static/img/deploy-vmware-cloud-init-enabled3.png new file mode 100644 index 0000000000..a96ac88312 Binary files /dev/null and b/static/img/deploy-vmware-cloud-init-enabled3.png differ diff --git a/static/img/deploy-vmware-init-login.png b/static/img/deploy-vmware-init-login.png new file mode 100644 index 0000000000..8f33723c5b Binary files /dev/null and b/static/img/deploy-vmware-init-login.png differ diff --git a/static/img/deploy_u-iso11_cond-mngd-assoc-new.png b/static/img/deploy_u-iso11_cond-mngd-assoc-new.png new file mode 100644 index 0000000000..1b1fae2a17 Binary files /dev/null and b/static/img/deploy_u-iso11_cond-mngd-assoc-new.png differ diff --git a/static/img/deploy_u-iso9_define_conductor.png b/static/img/deploy_u-iso9_define_conductor.png new file mode 100644 index 0000000000..c1c57cb23b Binary files /dev/null and b/static/img/deploy_u-iso9_define_conductor.png differ diff --git a/static/img/u-iso2_choose_image.png b/static/img/u-iso2_choose_image.png index c584495e03..9b33f4728b 100644 Binary files a/static/img/u-iso2_choose_image.png and b/static/img/u-iso2_choose_image.png differ diff --git a/static/img/u-iso3_choose_install_type.png b/static/img/u-iso3_choose_install_type.png index ff772605d3..dd8e6567fe 100644 Binary files a/static/img/u-iso3_choose_install_type.png and b/static/img/u-iso3_choose_install_type.png differ diff --git a/static/img/u-iso4_install_options.png b/static/img/u-iso4_install_options.png index 37e606f3d7..3c8a5d79f4 100644 Binary files a/static/img/u-iso4_install_options.png and b/static/img/u-iso4_install_options.png differ 
diff --git a/static/img/u-iso5_begin_install.png b/static/img/u-iso5_begin_install.png index 2d3aee765a..03126bb6c0 100644 Binary files a/static/img/u-iso5_begin_install.png and b/static/img/u-iso5_begin_install.png differ diff --git a/static/img/u-iso6_unpacker_complete.png b/static/img/u-iso6_unpacker_complete.png index 4a3d6edf50..58d4067400 100644 Binary files a/static/img/u-iso6_unpacker_complete.png and b/static/img/u-iso6_unpacker_complete.png differ
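Review bot: In docs/deploy_vmware_router_install.mdx, "Initialize the Router" says the initialization interface is exposed at `192.168.128.1` "on all interfaces", which includes NIC 1 on the WAN portgroup, but the steps only describe connecting from the LAN NIC and never say when the WAN link should be attached. That interface is where the admin password and conductor address are set, and step 2 tells the reader to accept the self-signed certificate warning with nothing to compare it against. Suggest adding a note to complete initialization before NIC 1 is connected to the ISP link, or stating explicitly that the interface is reachable on the WAN side until initialization finishes. Separately, in the `show assets` example the data row places `branch1` and `(unprovisioned)` under the Asset ID and Router headers, which reads as if the router name were `(unprovisioned)`; a line explaining the row would help, and the two code fences should use the same `text` tag.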
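Review bot: In docs/deploy_vmware_router_overview.mdx, the management ports appear only in the topology diagram label ("Port 930 / 4505 / 4506"), while the Prerequisites list says the conductor must be "reachable from the router WAN" without naming ports, protocol or direction. Suggest adding a Prerequisites bullet listing those ports with protocol and direction so the upstream firewall can be opened for exactly that traffic rather than broadly. Also in the Guide Topics table, Step 2 installs SSR 7.1.5 and Step 5 upgrades the router to SSR 7.1.5 "if the router is not already at 7.1.5"; after Step 2 that condition looks like it is always met, so either say when Step 5 applies in this guide or mark it optional.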
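Review bot: In docs/deploy_vmware_router_vm.mdx, the Boot Firmware row of "VM Minimum Requirements" carries the note "UEFI secure boot disabled" with no reason given, so a reader working to a hardening baseline cannot tell whether this is a hard requirement of the ISO or just the setting used when the guide was written. Suggest one sentence stating why Secure Boot must be off and what happens if it is left enabled. The Scheduling Affinity note "Set under CPU → expand" is also too terse to follow; name the dialog and the field.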
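Review bot: In the docs/install_vmware_config.mdx hunk, the new numbered list has two items numbered "2." ("The VM boots into the SSR installation menu" and "At the Install menu, use the arrow keys to select **VGA Console**"), so the source runs 1, 2, 2, 3, 4, 5 while the same procedure in deploy_vmware_router_install.mdx runs 1 to 6; renumber to match. This page is the general VMware install topic and the removed text said "(your version number)", but the new step 2 hard-codes "select the SSR 7.1.5 image"; keep the wording version-neutral here. The removed sentence about the system defaulting to **Serial Console** when no selection is made has no replacement, and that is the failure a reader is most likely to hit at this step, so it should be kept. Minor: "select **Enter**" should be "press **Enter**", and "VMWare Conductor Deployment Guide" should be spelled "VMware" as elsewhere.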
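Review bot: In the first sidebars.js hunk, the "VMware Router" category lists `deploy_vmware_router_overview` through `deploy_appendix_vmware_router` but omits `deploy_router_upgrade` and `deploy_verify`, which the VMware overview table links as Steps 5 and 6; those ids appear only under "SSR130 Router". A reader following the VMware guide will leave its sidebar category at Step 5. Either confirm that is intended and say so in the overview, or give the VMware guide its own entries for those two steps. The second hunk's change from `]` to `],` is an unrelated style edit and would be cleaner in its own commit.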
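Review bot: In the src/pages/index.js hunk, the "Best Practices" tile and its link `docs/bcp_sdwan_design_guide` are replaced rather than kept alongside the new tile, so the landing page loses its entry point to the design guide. If that is not intended, add "Deployment Guides" as an additional entry in `features` instead of overwriting this one. The new description "Deployment Guides for virtual and physical SSR devices." repeats the title; something like "Step-by-step deployment of virtual and physical SSR devices" would say more.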