JN0-451

Mist Cloud Architecture

Juniper Mist is a microservices-based cloud platform running on AWS that manages Wi-Fi, wired, WAN, and location services. Every AP, switch, and SSR device establishes a secure WebSocket (TLS 1.2+) connection to the Mist cloud on TCP 443. Configuration, telemetry, and Marvis AI inference all happen via this persistent connection.

Organization → Site Hierarchy

A Mist Organization (Org) is the top-level tenant. Under the Org you have Sites (physical locations), and under each site you have devices (APs, switches, gateways) and clients.

Organization: "Acme Corp"
  ├─ Templates (WLAN / RF / Switch / WAN Edge)
  ├─ Site Groups (HQ, Retail, Branch)
  ├─ Sites
  │    ├─ Site: HQ-London
  │    │    ├─ APs, Switches, SSR/SRX
  │    │    ├─ Site Variables
  │    │    └─ WLANs (site-level override)
  │    └─ Site: Retail-NYC-042
  └─ Admins / RBAC / API Tokens

Templates & Inheritance

Site Variables (Jinja-style)

Site variables let one template drive many sites. Reference them in template fields as {{VARIABLE_NAME}}.

{
  "SITE_VLAN_DATA": "100",
  "SITE_VLAN_VOICE": "200",
  "SITE_VLAN_GUEST": "300",
  "SITE_RADIUS_PRIMARY": "10.10.5.10",
  "SITE_RADIUS_SECRET": "{{vault:radius_secret}}",
  "SITE_NTP": "time.acme.corp",
  "SITE_DNS": "8.8.8.8,1.1.1.1"
}

RBAC: Admin Roles

Labels

Labels are tags used in WxLAN policies, analytics filters, Marvis queries, and reporting. Types include:

• Client Labels (MAC, Radius username, PSK name, user group from IDP)
• Resource Labels (hostname, IP range, app-name, GBP tag, AD group)
• Asset Labels (BLE asset name, named AP, Zone)
• Custom Labels (free-text for WxLAN matching)

Webhooks & Alerts

{
  "url": "https://siem.acme.corp/mist/events",
  "secret": "changeme-shared-secret",
  "enabled": true,
  "topics": [
    "device-events",
    "alarms",
    "audits",
    "client-join",
    "client-sessions",
    "location"
  ],
  "verify_cert": true
}

HMAC-SHA256 is included in the X-Mist-Signature-v2 header; verify before accepting payloads.

API Tokens & Basic Calls

Create API tokens under My Account → API Tokens (user scope) or Org → API Tokens (org scope). Token goes in the Authorization header.

# List sites in an org
curl -s https://api.mist.com/api/v1/orgs/$ORG_ID/sites \
     -H "Authorization: Token $MIST_TOKEN" | jq .

# Get site stats
curl -s https://api.mist.com/api/v1/sites/$SITE_ID/stats \
     -H "Authorization: Token $MIST_TOKEN"

# Create WLAN on a site
curl -X POST https://api.mist.com/api/v1/sites/$SITE_ID/wlans \
  -H "Authorization: Token $MIST_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"ssid":"Corp","auth":{"type":"eap","eap_reauth":false},
       "vlan_ids":[100],"enabled":true}'

Python (mistapi SDK)

import mistapi
from mistapi.api.v1.orgs import sites as orgs_sites

apisession = mistapi.APISession(
    host="api.mist.com",
    apitoken="YOUR_TOKEN"
)
apisession.login()

org_id = "c0ffee00-dead-beef-0000-112233445566"
resp = orgs_sites.listOrgSites(apisession, org_id)
for site in resp.data:
    print(site["id"], site["name"])

Org-Level Settings Reference

SSO / SAML Federation

Federate admin login with your IDP. Mist acts as SP, IDP supplies role via SAML attribute.

{
  "idp_type": "saml",
  "nameid_format": "email",
  "idp_sso_url": "https://login.microsoftonline.com/TENANT/saml2",
  "idp_cert": "-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----",
  "role_attr_from": "Role",
  "role_attr_extraction": "mist-${role}",
  "role_mappings": {
    "mist-admin": "admin",
    "mist-helpdesk": "helpdesk",
    "mist-observer": "observer"
  }
}

Mist Edge

Mist Edge is an on-prem appliance (x86 or VM) that terminates mGRE tunnels from APs. It is used for:

• Tunneling user traffic back to a DC (classic WLC replacement)
• Anchor VLANs across L3 boundaries
• DHCP/DNS relay and policy enforcement at the edge
• 802.1X proxy / RadSec termination

WLAN config snippet (tunneled SSID):
{
  "ssid": "Corp-Tunneled",
  "vlan_ids": [210],
  "auth": {"type":"eap"},
  "mist_edges": ["edge-cluster-hq"],
  "tunnel_protocol": "mgre"
}

WLAN Fundamentals

Mist WLANs are logical SSIDs deployed via WLAN templates (org) or directly on sites. Each WLAN selects an authentication method, VLANs, WxLAN policies, rate limits, and optional WxLAN tunneling to Mist Edge.

Security Matrix

802.1X / EAP with RADIUS

{
  "ssid": "Corp",
  "auth": { "type": "eap", "eap_reauth": false },
  "auth_servers": [
    {"host":"10.10.5.10","port":1812,"secret":"{{RADIUS_SECRET}}"},
    {"host":"10.10.5.11","port":1812,"secret":"{{RADIUS_SECRET}}"}
  ],
  "acct_servers": [
    {"host":"10.10.5.10","port":1813,"secret":"{{RADIUS_SECRET}}"}
  ],
  "dynamic_vlan": {
    "enabled": true,
    "type": "airespace",
    "vlans": {"100":"corp","200":"voice","300":"guest"}
  },
  "coa_servers": [{"ip":"10.10.5.10","port":3799,"secret":"{{RADIUS_SECRET}}"}]
}

RADIUS attributes honored: Tunnel-Private-Group-ID (VLAN), Airespace-ACL-Name, Filter-Id, Session-Timeout, and CoA Disconnect-Request.

Mist Auth (Cloud RADIUS)

Mist can act as the IDP for WLANs without an on-prem RADIUS. Supports:

• Azure AD / Google / Okta / SAML IDPs for EAP-TTLS and Captive Portal
• Cloud PSKs and MultiPSK
• Cloud-hosted EAP-TLS via Mist CA or uploaded CA

Guest Portal

WxLAN Policy (Micro-Segmentation)

WxLAN matches client-labels to resource-labels and enforces allow/deny at the AP. Policy evaluation is first-match top-down.

Rule 1: [Label: Contractors]  -> [Label: Internet-Only]        ALLOW
Rule 2: [Label: Contractors]  -> [Label: Internal-Subnets]    DENY
Rule 3: [Label: IoT-Cameras]  -> [Label: NVR-Servers]         ALLOW
Rule 4: [Label: IoT-Cameras]  -> [Label: Any-Internal]        DENY
Default: Allow  (applied if no rule matches)

Rate Limits & QoS

• Per-SSID upstream/downstream kbps caps
• Per-client kbps caps (useful on guest SSIDs)
• DSCP mapping: 802.11e UP ↔ wired DSCP
• WMM (Wi-Fi Multimedia) enabled by default for voice
• Disable low data rates (2/5.5/11/6 Mbps) to reduce airtime waste

Band Steering & Load Balancing

Band steering nudges dual-band clients from 2.4 GHz to 5/6 GHz by delaying probe responses on 2.4. In the RF template:

{
  "band_24": {"enabled": true, "disable_11b": true},
  "band_5":  {"enabled": true, "channels":[36,40,44,48,149,153,157,161]},
  "band_6":  {"enabled": true, "preamble_puncture": true},
  "band_steer": true,
  "client_load_balance": true
}

Pre-Shared Key (PPSK / MPSK)

PPSK lets many users share one SSID but each with a unique key. Bound to role / VLAN / WxLAN policy. Great for IoT and BYOD.

# Create a PPSK via API
curl -X POST https://api.mist.com/api/v1/orgs/$ORG_ID/psks \
  -H "Authorization: Token $MIST_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
       "name": "john.doe-iot-camera",
       "passphrase": "IoT-Cam-#6a2f",
       "ssid": "IoT-Secure",
       "vlan_id": 77,
       "usage": "single",
       "role": "cameras",
       "expire_time": 1735689600,
       "notify_expiry": true,
       "notify_on_create_or_edit": true,
       "email": "[email protected]"
     }'

Key fields: usage (single/multi), max_usage, mac (MAC binding), expire_time (Unix), and role used by WxLAN policy.

Tunnel / Bridging Modes per WLAN

Fast & Assisted Roaming

Enable r/k/v on voice and real-time SSIDs. FT over-the-DS is preferred for lossy environments.

Marvis Virtual Network Assistant

Marvis is the AI/ML layer built on top of the Mist Juniper Networking AI engine (Mist AI). It ingests telemetry from APs, switches, SSR/SRX, and clients, applies unsupervised and supervised models, and answers questions in natural language. Marvis is licensed per device (Marvis for Wi-Fi / Wired / WAN / Client).

Ask Marvis (Conversational Assistant)

The chat box accepts plain English. Examples:

> How is Jim's MacBook doing?
> Troubleshoot SSID Corp at site HQ-London
> Show me clients with poor coverage in the last 24h
> List APs that rebooted this week
> Why did user [email protected] have bad experience yesterday?
> Compare SLEs for Site-A and Site-B
> Who is connected to AP-Floor3-12?

Marvis Action Framework

Actions are Marvis-identified root causes, each with a suggested remediation. Actions appear in the dashboard grouped by Layer (Connectivity, Network, Wired, WAN, Application, AP, Switch).

Service Level Expectations (SLEs)

SLEs quantify user experience as percentage of "good" user-minutes. Each SLE has classifiers (sub-reasons) and sub-classifiers.

Default good thresholds are adaptive; admins can set per-site targets (e.g., 90% for Coverage, 95% for Throughput).

Wired & WAN SLEs

Anomaly Detection & Baselining

Marvis continuously baselines each site and device. Anomalies surface when metrics drift multiple standard deviations from the learned norm (unsupervised learning). Examples:

• Sudden spike of auth failures on a specific SSID
• Coverage collapse after a floor plan change
• Roaming times increasing across a particular AP model
• Unusual client count drop (possibly AP down or building closed)

Marvis Minis

Marvis Minis are synthetic Wi-Fi clients baked into every Mist AP. They probe every SSID for auth, DHCP, DNS, and app reachability 24x7, detecting issues before real users complain. No hardware or sensor needed – just enable in the site.

Client Insights

# Pull client insights for a given MAC for the last hour
curl -s "https://api.mist.com/api/v1/sites/$SITE_ID/insights/client/$CLIENT_MAC?\
metrics=total_success,total_failures,time_to_connect,tput&duration=1h" \
  -H "Authorization: Token $MIST_TOKEN" | jq .

Marvis for Webhook / ChatOps

Marvis Actions can be piped into Slack, Teams, or ServiceNow via webhook. Example payload received for a Persistently Failing AP action:

{
  "topic": "marvis-actions",
  "org_id": "c0ffee00-dead-beef-0000-112233445566",
  "events": [{
    "category": "ap-health",
    "type": "persistently_failing_ap",
    "severity": "warning",
    "site_id": "a1b2c3d4-5566-7788-99aa-bbccddeeff00",
    "site_name": "HQ-London",
    "ap_mac": "5c5b:35aa:bb01",
    "ap_name": "AP-Floor3-12",
    "details": {
      "reason": "client_assoc_failures",
      "failure_rate_pct": 58.3,
      "last_seen": 1717170000
    },
    "suggested_action": "Reboot AP / check radio config"
  }]
}

Marvis Query Language (Advanced)

Under the hood, Marvis translates natural language into a structured query. You can bypass NLP and send structured JSON to the API:

POST /api/v1/orgs/{org_id}/nac_portals/search
{
  "entity": "client",
  "filter": {
    "site_id": "a1b2c3d4-...-ff00",
    "metric": "time_to_connect",
    "value_gt": 5000,
    "time_range": {"start": 1717000000, "end": 1717100000}
  },
  "group_by": "ap_mac"
}

Marvis for Client (Desktop App)

A lightweight agent for Windows / macOS that forwards device-side Wi-Fi telemetry (driver metrics, scan events, Wi-Fi disconnects) to Mist. Gives Marvis visibility into what the OS sees, not just the AP. Useful for troubleshooting VIP or helpdesk cases.

Wired Assurance (EX/QFX)

Juniper EX and QFX switches with Junos OS release 18.2R3+ (and a Mist Wired Assurance license) are cloud-ready. Once claimed they appear in the Mist portal and are managed entirely from the cloud – CLI remains available for operators.

Onboarding Options

Mist Agent on Junos

Junos runs mist-agent which establishes an outbound TLS connection to the cloud (port 2200/443). Config is rendered from the switch template + site variables + per-device overrides and pushed via NETCONF internally.

admin@ex4400> show mist-agent status
Connection state : CONNECTED
Cloud endpoint   : ep-terminator.mistsys.net:2200
Organization id  : c0ffee00-dead-beef-0000-112233445566
Site id          : a1b2c3d4-5566-7788-99aa-bbccddeeff00
Last heartbeat   : 3 seconds ago

Switch Template Example

{
  "networks": {
    "data":  {"vlan_id": 100},
    "voice": {"vlan_id": 200},
    "guest": {"vlan_id": 300},
    "mgmt":  {"vlan_id": 10}
  },
  "port_usages": {
    "ap": {
      "mode": "trunk",
      "port_network": "mgmt",
      "networks": ["data","voice","guest"],
      "poe_disabled": false,
      "enable_qos": true,
      "speed": "auto"
    },
    "user": {
      "mode": "access",
      "port_network": "data",
      "voip_network": "voice",
      "use_dot1x": true,
      "dynamic_vlan_enabled": true,
      "mac_auth_only": false,
      "bypass_auth_when_server_down": true
    },
    "uplink": {"mode": "trunk", "all_networks": true}
  },
  "radius_config": {
    "auth_servers": [{"host":"10.10.5.10","secret":"{{RAD_SECRET}}"}]
  }
}

Dynamic Port Configuration

DPC matches LLDP chassis-id, system-desc, or MAC OUI and assigns a port profile dynamically. Example rules:

match: lldp_system_name starts-with "AP"      -> profile: ap
match: lldp_system_desc contains "Polycom"    -> profile: voice
match: mac_oui = "00:1B:21"                    -> profile: iot-camera
match: radius_username contains "contractor"  -> profile: restricted

PoE Budget & Power

• EX4400: up to 2200W across 48 PoE+ / PoE++ ports
• Priority levels: critical / high / low – assigned per port profile
• Perpetual PoE / Fast PoE (EX4650/EX4400) keeps PD powered during reboot
• Mist surfaces PoE budget overrun as a Marvis Action

Campus Fabric

Mist can orchestrate EVPN-VXLAN campus fabrics in three topologies:

Underlay : eBGP, /31 fabric links, MTU 9216
Overlay  : iBGP EVPN family
VNI map  : VLAN 100 -> VNI 10100, VLAN 200 -> VNI 10200
VRFs     : CORP, GUEST (route-leak via Type-5 EVPN)

Virtual Chassis vs Fabric

Mist-Managed 802.1X on Switches

Port Profile "dot1x-user":
  mode: access
  authentication: dot1x
  fallback: mac-auth
  guest_vlan: 300
  auth_fail_vlan: 999
  server_reject_vlan: 999
  server_fail_vlan: 100 (bypass_auth_when_server_down)
  reauth_period: 3600
  supplicant_timeout: 30
  CoA: 3799/udp (shared secret from template)

Ensure persistent-mac + mac-limit are set on multi-host ports to avoid MAC flap storms.

Switch Troubleshooting Tools

• Port insights – per-port link events, errors, PoE, LLDP
• Dynamic packet capture on a port (initiated from UI)
• Ping / traceroute / cable-test from cloud UI
• Shell access (remote CLI) via Mist with per-admin audit
• Firmware auto-upgrade schedules per site

WAN Assurance & SD-WAN

Mist WAN Assurance manages two families of WAN Edge devices from the same cloud that runs Wi-Fi and wired: the Session Smart Router (SSR, formerly 128T) and the SRX series. Both appear under WAN Edges in the Mist portal.

Session Smart Router (SSR)

SSR uses Secure Vector Routing (SVR) – a tunnel-less, session-aware forwarding method that preserves the original 5-tuple via metadata in the first packet of each session. No VPN overhead per packet.

• Service-centric model: traffic is matched to services (name + address + ports)
• Tenants replace VRFs – deny-by-default between tenants
• Sessions are stateful; path-selection per-session based on SLA
• Runs as VM, container, or on SSR appliances (SSR120/130/1200/1300/1400/1500)

Application-Aware Routing

{
  "application_policies": [
    {
      "name": "MsTeams-realtime",
      "tenants": ["CORP"],
      "services": ["ms-teams","zoom","webex"],
      "paths": ["mpls-primary","internet-primary","lte-backup"],
      "path_preference": "mpls-primary",
      "sla": {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1}
    },
    {
      "name": "Bulk",
      "services": ["dropbox","onedrive","office365-sharepoint"],
      "paths": ["internet-primary","mpls-primary"],
      "path_preference": "internet-primary"
    }
  ]
}

If the preferred path breaches SLA, SSR fails the session over – per-session, not full tunnel.

WAN Edge Templates

• Global config applied to all WAN Edges in the org or a site-group
• Interfaces (WAN / LAN), IP addressing, DHCP pools
• Routing: OSPF / BGP / Static
• IDP, URL filtering, AV (SRX only)
• Security policies (SRX) / services & tenants (SSR)
• Hub-and-spoke or full-mesh overlays

SRX Integration

SRX devices running Junos with the Mist Agent can be managed as WAN Edges. Common patterns:

WAN SLA & Link Monitoring

Probe         : BFD / ICMP / TCP / HTTP
Interval      : 100 ms (BFD) / 1 s (ICMP default)
Thresholds    : latency, jitter, loss (rolling 30s window)
Hysteresis    : 3 probes up / down to change state
Actions       : switch path, alarm, Marvis Action

ZTP for WAN Edges

1. Install SSR/SRX and plug in a WAN that provides DHCP + Internet
2. Device reaches redirect.juniper.net and is told to phone home to Mist
3. Mist checks claim/activation code and assigns the device to an Org
4. Admin assigns the device to a Site and a template
5. Template is rendered with site variables and pushed

Secure Vector Routing vs IPsec

Hub Topologies & Traffic Steering

SSR CLI Quick Reference

admin@ssr# show router * node *  ... node status
admin@ssr# show sessions summary
admin@ssr# show peers        ... peer routers
admin@ssr# show paths        ... SLA telemetry
admin@ssr# show services     ... configured services
admin@ssr# show stats interface * * | grep rx_packets
admin@ssr# restore node ssr-branch-01 ...
admin@ssr# configure authority
admin@ssr# commit

Security Services (SRX)

WAN Marvis Actions

• Application SLA breached (e.g., Teams latency > 150 ms)
• Link flapping / BFD down
• Asymmetric routing detected
• Bad cable / negotiation on WAN port
• Certificate expiring for overlay

Mist Location Services

Mist pioneered Virtual BLE (vBLE): a software-defined 16-element antenna array on the AP that beam-forms BLE packets. Combined with directional RSSI from every AP, Mist computes sub-meter location for users and assets without external beacons.

Hardware & Radios

Floorplan & AP Placement

1. Upload floorplan image (PNG/JPG/PDF) per site
2. Set scale (2 known points / distance)
3. Drag APs to their physical locations, set orientation (ceiling/wall)
4. Run virtual survey / heatmap for planning
5. Enable location services on the site (vBLE engine)

Use Cases

RTLS / Location API

# Real-time asset location stream (WebSocket)
wss://api.mist.com/api-ws/v1/stream
▸ subscribe: /sites/{site_id}/stats/assets
▸ subscribe: /sites/{site_id}/stats/clients

# REST: named assets (BLE tags)
curl -H "Authorization: Token $MIST_TOKEN" \
  https://api.mist.com/api/v1/sites/$SITE_ID/assets | jq .

# REST: zones and occupancy
curl -H "Authorization: Token $MIST_TOKEN" \
  "https://api.mist.com/api/v1/sites/$SITE_ID/zones/$ZONE_ID/stats"

Wayfinding SDK

• Native iOS / Android libraries (Swift & Kotlin/Java)
• Blue-dot and turn-by-turn wayfinding indoors
• Triggers "zone entered" / "zone exited" callbacks for proximity notifications
• Privacy: no PII sent to Mist, device IDs hashed

Troubleshooting Toolkit

Dynamic Packet Capture

Mist automatically captures frames (EAPOL, DHCP, DNS, association) when a client has a bad experience. The capture is attached to the client event timeline and downloadable as pcap.

# Trigger a manual pcap on a specific client
curl -X POST \
  https://api.mist.com/api/v1/sites/$SITE_ID/insights/client/$MAC/pcaps \
  -H "Authorization: Token $MIST_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"duration":60,"include_mgmt":true}'

Zone & Virtual Beacon Definition

# Define a Zone on a floorplan
curl -X POST https://api.mist.com/api/v1/sites/$SITE_ID/zones \
  -H "Authorization: Token $MIST_TOKEN" \
  -d '{
    "name": "Lobby",
    "map_id": "$MAP_ID",
    "vertices": [
      {"x": 5.1,  "y": 10.2},
      {"x": 15.3, "y": 10.2},
      {"x": 15.3, "y": 20.4},
      {"x": 5.1,  "y": 20.4}
    ]
  }'

# Virtual beacon (proximity notification trigger)
curl -X POST https://api.mist.com/api/v1/sites/$SITE_ID/vbeacons \
  -H "Authorization: Token $MIST_TOKEN" \
  -d '{
    "name": "Welcome-Kiosk",
    "power": -65,
    "map_id": "$MAP_ID",
    "x": 10.0, "y": 15.0,
    "message": "Welcome! Check in at the kiosk."
  }'

Asset Tag Management

• Named assets: bind a MAC + BLE major/minor/UUID to a friendly name & category
• Bulk import via CSV or REST bulk endpoint
• Zones trigger asset enter / asset leave webhook events
• Optional battery level reporting for supported tags (AP scans adv data)
• Historical playback: 24h / 7d / 30d based on license

Dynamic PCAP JSON Example

{
  "id": "pcap-7788",
  "client_mac": "aa:bb:cc:11:22:33",
  "site_id": "$SITE_ID",
  "ap_mac": "5c5b:35aa:bb01",
  "started": 1717000000,
  "duration": 60,
  "reason": "auto_trigger_auth_failure",
  "frame_types": ["mgmt","eapol","dhcp","dns"],
  "download_url": "https://pcap.mist.com/..../pcap-7788.pcap",
  "expires": 1717604800
}

Best-Practice Checklist

• Place APs no more than 10-12 m apart for sub-meter BLE location
• Mount APs on the ceiling, not wall, for best vBLE geometry
• Keep floorplan scale accurate (< 2% error) – location depends on it
• Enable Marvis Minis and Dynamic Packet Capture on all sites
• Use site variables + templates; avoid per-device overrides
• Subscribe to webhooks for alarms and device-events into the SIEM
• Review SLEs weekly – set per-site targets and track trends